Daily Archives: August 7, 2020

Weekly Update 203

Weekly Update 203

What. A. Week. I've been absolutely non-stop publishing data breaches to HIBP whilst simultaneously putting in place the framework to start advising NordVPN on their cybers and open sourcing the HIBP code base at the same time (and a bunch of other more boring stuff that didn't make the cut). That's all explained in this week's update so I won't drill further into it here, there's obviously a couple of big announcements so if you have any questions, drop them in the comments below and I'll either answer them there or take them up in next week's update.

Weekly Update 203
Weekly Update 203
Weekly Update 203
Weekly Update 203

References

  1. Our state border to the south is now in a "hard" lockdown (that link is for the stats state by state)
  2. Breaches, breaches, breaches (have a look at just how much has gone into HIBP in the last couple of weeks)
  3. I'm genuinely excited about working with NordVPN as a strategic adviser (I'm still independent, I'll still be very candidly expressing my views, I just want to make a positive impact on the industry)
  4. Speaking of positive impacts, how about that HIBP open source stuff? 😎 (absolutely, emphatically, resoundingly positive feedback on this one!)
  5. Sponsored by Tines: Breaches are inevitable and early detection is crucial. Assure yourself what's next with security automation part 1.

Live from Black Hat: Breaking Brains, Solving Problems with Matt Wixey

Solving Puzzles has been a very popular pastime for InfoSec professionals for decades. I couldn???t imagine a DefCon without the badge challenge. At Black Hat 2020 Matt Wixey, Research Lead at PwC UK, didn???t disappoint as he presented on parallels between puzzle-solving and addressing InfoSec problems.

Puzzle (and problem) solving can be taught

Solving a puzzle and a problem is very similar. They usually involve two primary functions, which may feed into each other in a circular fashion:

  • Understanding the problem
  • Searching for a solution

Problem-solving is always thought of as an innate ability that you cannot teach, but that???s not true. You can teach comfort level with ambiguity and feeling around the edges of the solution of a problem.

Problem-solving does not require expertise, but it can help in some circumstances. Experts tend to know more schema of problems and can more easily chunk problems into smaller, manageable parts, so they can recognize that a problem follows the same pattern as a problem they???ve solved before. However, assumptions can also lead you astray. Puzzle makers may even purposefully take you astray, playing with your assumptions.

In a test where experts and novices were pitted against each other, experts took about as much time to solve problems, but they made fewer mistakes than the novices.

The role of bias in problem-solving

Problem-solving is subject to the same kind of challenges as decision-making. Biases come in many forms, which can hinder a person from solving a problem. You should be aware of the following biases that may impact your thinking:

Problem-Solving Bias???

Problem-solving in InfoSec

Problems in InfoSec are often knowledge-rich and ill-defined. Practitioners range from experts and, because of chronic skill shortage, many novices. There are ample schemas for these problems.

Wixey asserts that even if you change the "cover story??? of the problem, the problem space remains the same. Not telling your colleague the full story may actually be useful in solving the problem in some cases. He encourages diversity in background and expertise, and of course, applying your experience in solving puzzles to real-world problems.

Designing the perfect puzzle

Designing a puzzle can be difficult and time-consuming. The perfect puzzle has an interesting premise but very little explanation. Hidden ???trap door??? functions, red herrings, and easter eggs are optional but can add variety to a puzzle. Interesting puzzles may ask something completely unconnected to the premise, but the puzzle should have internal logic, where the answer can be obtained just from the question. It should not require specialist knowledge beyond what you can get from a quick search.

A personal lesson learned after generating my first puzzle was to have it field-tested by a few people. I thought that there was a direct, linear path to the solution for a puzzle I created, but there were actually several paths that led to dead ends, which was frustrating to some puzzle solvers.

Let???s solve some puzzles!

At Veracode, we have regular puzzle challenges as part of the Veracode Hackathons. We have people from around the company provide their puzzles based on themes, and then the whole project is curated by our puzzle masters. If you???d like to dip your brain into years of Veracode internal puzzle challenges, check out Vera.codes.

Global Payment Stats Every Business Should Be Aware of

It is important for businesses to be aware of what is happening in the industry as they impact companies on a micro level. You cannot reach a wider market without knowing what is happening around you.

The best way to be aware is to pay attention to the facts and figures. In this article, we will highlight some payment stats to help you understand the market landscape.

We have concentrated on global stats to explain the global landscape. Since ecommerce is ‘beyond borders’, it is important for businesses to know what the international audience wants so they can continue to serve them well.

#1 Cash Is On the Decline

Many countries around the world have gone cashless.

Only 77 percent of all transactions involve cash today. The figure was 89 percent about five years ago and is expected to fall even more due to the current situation that has forced buyers to use alternative methods including no contact payment solutions.

According to this report, e-wallets will have a 28 percent market share by 2022. However, cash isn’t going away anytime soon. In fact, the value of the euro in circulation has increased in the last few years.

Some countries are taking steps to remove cash, while some are still heavily dependent on paper money.

Cash is the second most widely used form of payment in the US after debit cards. Considering New York, San Francisco, and Philadelphia recently passed laws banning merchants from not accepting cash payments, it’s safe to say that cash will continue to prevail in the US.

Still, businesses need to be proactive as users prefer merchants who offer a variety of payment options including digital coins.

#2 Electronic Payments Are Rising

The global use of debit and credit cards (combined) grew from 5 percent to 9 percent between 2012 and 2017.

In recent times, debit cards have declined in popularity but the demand for credit cards has only increased due to new entrants like Apple Pay entering the market.

Apple Pay was originally marketed as an e-payment solution but the company’s decision to issue physical cards changed the game.

Consumers have a lot of faith in credit cards as they are easy to use and come with some other benefits including rewards. However, their dominance is being challenged now thanks to electronic payment options.

The global digital payments market is growing at a rate of 12.8 percent and is expected to continue to grow at this rate for the next three years.

About 50 percent of all transactions in North America are conducted electronically making it a global leader. Europe isn’t far behind either. The use of electronic payments is very common in most European countries.

About 47 percent of all European card transactions involve NFC technology. Asian countries including China, India, and Pakistan are also making use of electronic payments.

The Chinese electronic payments market is among the fastest – it increased 10x between 2012 and 2017. The introduction of Alipay and WeChat payment options can be given credit for the huge growth in the Chinese market.

The scenario is similar in African countries as well, especially Nigeria, which is ahead in the technological race.

These figures show the importance of electronic payments. It can be hard for businesses to sustain if they do not offer e-payments. Look for a payment partner that offers third-party integrations so that you do not have to use multiple providers.

 #3 Mobile Payments For the Future

Before moving ahead, let’s be clear that there’s a difference between mobile payments and electronic payments.

Mobile payments involve the use of mobile apps, whereas electronic payments can be made via credit and debit cards without using digital wallets or apps.

The use of mobile devices is on the rise and mobile commerce accounts for about 48 percent of digital sales.

Since many people carry smartphones, they find it easier to use mobile devices to make payments.

The use of mobile devices for making payments at the point of sale is expected to increase to 28 percent by 2022.

This option is more popular among the newer generations (Gen-Z and millennials). About 28 percent of millennials have used a digital wallet at the point of sale, about 8 percent higher than the general population.

Younger people use digital wallets about five times a month, according to Billtrust. Due to an aging population, the gap is expected to increase in the future as the newer generation is used to mobile devices.

The scenario, however, is not the same all around the world as mobile payments are still not very popular in developing countries.

Only 37 percent of global merchants support mobile payments at the point of sale. On the positive side, about 31.4 percent intend to introduce this feature soon.

Businesses must provide consumers the facilities they need to prevent them from going to competitors.

Conclusion

These stats highlight the diversity in the global payments landscape. Retailers must take steps to know what their customers need so they can bring changes to the payment ecosystem.

A lack of payment options is one of the major reasons why the average cart abandonment rate is as high as 69.56 percent.

Remember that today’s customers are spoiled for choice. They will not think twice before moving to another seller if you do not have the payment option that they prefer.

Look for a payment partner who understands your requirements and can offer the services that you need.

Bio:

Lou Honick is the CEO of Host Merchant Services. Prior to founding Host Merchant Services in 2010, Lou was the founder of HostMySite.com and received numerous awards including SBA Young Entrepreneur of the Year, Inc Magazine 30 under 30, and multiple listings on the Inc 500. As a serial entrepreneur, all of his companies have operated on a singular devotion to outstanding customer service and support. Lou is a respected expert on the topics of customer service, payments and fintech, Internet technology, and entrepreneurship.

The post Global Payment Stats Every Business Should Be Aware of appeared first on Hacker Combat.

Quick Heal Total Security certified as Top Product by AV-TEST

AV-TEST Product Review and Certification Report for May-June 2020 has recognized Quick Heal Total Security as a Top product for Windows with an outstanding rating of 17.5/18 in its latest evaluation. View results. The AV-Test is an independent research institute for IT security from Germany that evaluates and rates antivirus…

Cyber Security Roundup for August 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, July 2020.

The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets. 
Twitter confirms internal tools used in bitcoin-promoting attack ...
Scam Tweet
The high-profile Twitter accounts compromised included Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Around £80,000 of Bitcoin was sent to the scammer's Bitcoin account before Twitter swiftly took action by deleting the scam tweets and blocking every 'blue tick' verified Twitter user from tweeting, including me

While the Twitter hack and scam dominated media headlines around the world, the attack was not the 'highly sophisticated cyber-attack' as reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their Twitter privilege account credentials out of them, which in turn gave the attackers access to Twitter's backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack, that scammer(s) orchestrated a near-simultaneous Bitcoin scam tweets to be posted from the high profile accounts. On 31st July, law enforcement authorities charged three men for the attack, with one of the suspects disclosed as a 19-year British man from Bognor Regis.

There was a very serious critical Windows vulnerability disclosed as part the July 2020 Microsoft 'Patch Tuesday' security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in Windows Domain Name System (DNS), a component commonly present in Microsoft Windows Server 2008, 2012, 2012R2, 2016 and 2019. Disclosed as CVE-2020-1350 it was given the highest possible CVSS score of 10.0, which basically means the vulnerability is “easy to attack” and “likely to be exploited”, although Microsoft said they hadn't seen any evidence of its exploitation at the time of their patch release.

Given SIGRed is a wormable vulnerability, it makes it particularly dangerous, as wormable malware could exploit the vulnerability to rapidly spread itself over flat networks without any user interaction, as per the WannaCry attack on the NHS and other large organisations. Secondly, it could be used to exploit privilege level accounts (i.e. admin accounts found on Servers).  The Microsoft CVE-2020-1350 vulnerability can be mitigated on effected systems by either applying the Microsoft Windows DNS Server Microsoft released patch (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350 or by applying a Registry Workaround (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability)

At least 10 universities in the UK had student data stolen after hackers attacked Blackbaud, an education-focused cloud service provider. UK universities impacted included York, Loughborough, Leeds, London, Reading, Exeter and Oxford. According to the BBC News website, Blackbaud said "In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment."

As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027, and banning their purchase of Huawei 5G network equipment after 31st December 2020.  Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, which Huawei continues to resolutely deny. The ban is expected to delay the UK's 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said. 
In some media quarters, it was suggested the UK u-turn on Huawei could lead to cyberattack repercussions after Reuter's said its sources confirmed China was behind cyberattacks on Australia's critical national infrastructure and government institutions following their trade dispute with China.

Russian Hacking Group (APT 29) was jointly accused of targeting the theft of coronavirus vaccine research by the UK NCSC, the Canadian Communication Security Establishment (CSE), United States Department for Homeland Security (DHS), Cyber-security Infrastructure Security Agency (CISA) and the US National Security Agency (NSA). The UK's National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia's ambassador to the UK has rejected allegations, "I don't believe in this story at all, there is no sense in it," Andrei Kelin told the BBC's Andrew Marr Show. While Foreign Secretary Dominic Raab said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour". 

UK sport said hackers tried to steal a £1 million club transfer fee and froze turnstiles at a football game. Cybercriminals hacked a Premier League club managing director's email account during a player transfer negotiation, the million-pound theft was only thwarted by a last-minute intervention by a bank.  Another English football club was targeted by a ransomware attack which stopped its turnstiles and CCTV systems from working, which nearly resulted in a football match being postponed. Common tactics used by hackers to attack football clubs include compromising emails, cyber-enabled fraud and ransomware to shutting down digital systems. For further information on this subject, see my extensive blog post on football club hacking, The Billion Pound Manchester City Hack.

Smartwatch maker Garmin, had their website, mobile app and customer service call centres taken down by ransomware on 23rd July 2020. Reports suggest the fitness brand had been hit by the WastedLocker ransomware strain, which is said to have been developed by individuals linked to a Russia-based hacking group called 'Evil Corp'.  According to Bleeping Computer, Garmin paid $10 million to cybercriminals to receive decryption keys for the malware on 24th or 25th July 2020.

Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers, one million files of Fitness Brand 'V Shred' was discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly V Shred defended the researcher findings by claiming it was necessary for user files to be publicly available and denied that any PII data had been exposed.

BLOG

NEWS
VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

I’m Open Sourcing the Have I Been Pwned Code Base

I'm Open Sourcing the Have I Been Pwned Code Base

Let me just cut straight to it: I'm going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it. Let me explain why and how.

HIBP is a Community Project

I've been giving a great deal of thought to how I want this project to evolve lately, especially in the wake of the M&A process that ended earlier this year right back where I'd started: with me being solely responsible for everything. The single most important objective of that process was to seek a more sustainable future for HIBP and that desire hasn't changed; the project cannot be solely dependent on me. Yet that's where we are today and if I disappear, HIBP quickly withers and dies.

As I've given further thought to the future since the M&A process, the significance of community contributions has really hit home. Every single byte of data that's been loaded into the system in recent years has come from someone who freely offered it in order to improve the security landscape for everyone. Many of the services that HIBP runs on are provided free by the likes of Cloudflare. Much of the code that's been written has drawn on community contributions either by virtue of content people have published publicly or support that's been provided to me directly.

I was reminded of this just yesterday when my friend from Cloudflare, Junade Ali, posted this:

This tweet isn't entirely accurate; it was all Junade's idea and he designed the k-anonymity implementation for HIBP's Pwned Passwords. For free, because he's a good bloke and Cloudflare supported him. LastPass has now employed that same model and they follow the other notable names Junade mentioned. I'm sure I speak for him as well when I say we couldn't be happier that other companies have taken the model we pioneered and applied it to their own services too because at the end of the day, that's in everyone's best interests.

The philosophy of HIBP has always been to support the community, now I want the community to help support HIBP.

Open sourcing the code base is the most obvious way to do this. It takes the nuts and bolts of HIBP and puts them in the hands of people who can help sustain the service regardless of what happens to me. But this isn't just a philosophical decision based on a desire to offload work, it's also common sense for a number of reasons. Let me explain:

HIBP Has Always Been Open in Spirit

I've already written extensively about the architecture of the system across many of the 128 previous blog posts tagged as Have I Been Pwned. The very second blog post on that tag was about how I used Azure Table Storage to make it so fast and so cheap. As soon as it got popular, I wrote about how I optimised it for performance. When I started using Azure Functions, I wrote about the joy of serverless computing and how I'd implemented it in HIBP. I levelled that up even further when I wrote about using Cloudflare Workers to further optimise performance and drive down cost.

The point is that it was always the intention to be completely open about the design of HIBP, it's not like there's any proprietary secret sauce I've been trying to protect here.

Open Source is Everywhere

A heap of really amazing projects are open source these days. Visual Studio Code, for example, is open source. The platform this very blog runs on, Ghost, is open source. Most of the libraries HIBP uses are open source. And I'm not just talking open source in the "source open" kind of way where other people are free to read it, but I'm talking open source in terms of taking contributions as well.

It actually got me thinking - how many of the products and services I use every day are open source? I asked on Twitter earlier today, and it's, well, extensive:

I love also that Microsoft remains one of the largest corporate contributors to open source, maybe even the largest depending on how you want to define the metric. Open source is in the DNA of everything that HIBP is built on.

Because Transparency

Putting the code out there in public goes a long way to addressing concerns people have about the way the service operates. For example, people have often questioned whether I'm logging searches in order to build up a new list of email addresses. No, I'm not, but at present that assertion effectively just boils down to "trust me". Showing the code - the actual code - and demonstrating that things aren't logged is a very different proposition.

Transparency of code mirrors the ethos I've applied time and time again to the way I run HIBP. I'm transparent about how I verify data. I'm transparent about government usage of the service. I'm transparent when I screw up and have system outages. Being transparent with the code feels like the most natural thing ever!

It's (Almost) All About the Contributions

Open sourcing the HIBP code base gives me the opportunity to address that original problem I set out to solve with the M&A process: finding other people that can help sustain the project. All that backlog, all those bugs, all the great new ideas people have but I simply can't implement myself can, if the community is willing, finally be contributed back into the project.

And that's something that I'm adamant about; the goal here isn't just to say "hey, look at the code, it's not logging your searches", it's fundamentally about making HIBP a more sustainable, more robustly featured community service. Frankly, I can't think of a single good reason why I wouldn't do this. But that said, it's also not as trivial as it sounds so let me talk about the practicalities of the whole thing.

Practically, There's Work to be Done

I started writing HIBP on a plane to the Philippines in 2013 and finished up a bunch of it in a hotel room once I landed. In the near 7 years since then, I've chipped away at it in little bits and pieces, frequently from a laptop while travelling, jet lagged and preoccupied. I've taken shortcuts. I've hacked together some pretty messy stuff. I've probably checked in secrets before and when you're the only person touching a project you can get away with all that stuff, but not once you start opening up source.

HIBP isn't in a state to simply flick the visibility of it in GitHub, but it needs to get to that point. Instead, I need to choose the right parts of the project to open up in the right way at the right time. That exercise alone requires help and for a while now, I've been talking to some of the smartest people I know in this space. People who live and breathe open source, people who understand .NET and Azure inside and out, people who know HIBP well and above all, people I trust to expose my own shortcomings so that they can help me make this thing more sustainable. With their support, the transition from completely closed to completely open will happen incrementally, bit by bit and in a fashion that's both manageable and responsible. Let me be clear: I don't have a timeline for each step along the way yet as HIBP remains something I do in my spare time and I've always got a bunch of other stuff on my plate, but the process has already begun and I'll be sharing more on that as soon as I can.

I want to get to a point where everything possible is open. I want the infrastructure configuration to be open too and I want the whole thing to be self-sustaining by the community such that I make myself redundant. That's not to say I'm planning an exit (far from it), but it's not good for HIBP that I can't exit right now and frankly, it's not good for me either.

The point is that the goals outlined in this blog post will take time to reach and they're not as trivial as they may sound at face value. HIBP remains a pet project run when I have the chance and somewhere within there I need to make the commitment to get it to the point I'm aiming for in this blog post.

What About the Data?

I need to really clearly break this part of the discussion out because whilst open sourcing the code base is one thing, how the data is handled is quite another. There's no way to sugar coat this so I'll just lay it out bluntly: HIBP only exists due to a whole bunch of criminal activity resulting in data that's ultimately ended up in my possession. Of course, the situation is a bit more nuanced than that with the vast bulk of data in HIBP already being in broad public circulation and passing through many hands. But be that as it may, even the legality of possessing it remains grey and whilst there are many internet armchair experts chiming in with their own opinions on the topic, here's what the legal guidance I've consistently been given boils down to:

We invite parties to form their own views on the legality of the data

Great, nice lawyer speak there guys. (And seriously, yes, that's what the KPMG lawyers from the M&A process I paid an eye-watering amount to advised.) Yet clearly, many of the world's largest companies do see value in it and conclude that holding the data is acceptable. Big tech companies, for example, pull down precisely the same breaches that go into HIBP and use them to identify credential reuse across their own platforms:

Then there's the privacy side of it all: my own personal data is in those breaches and your data almost certainly is too because there are literally billions of people that have been impacted by data breaches. Regardless of how broadly that information is circling, I still need to ensure the same privacy controls prevail across the breach data itself even as the code base becomes more transparent. That's non-trivial. Doable, but non-trivial.

Summary

This is something I've given a lot of thought to for a long time now. The concept of open sourcing HIBP has been floated over and over again and it's taken a failed M&A process to help me realise that this was the best path forward, but now here we are.

I've used the word "community" a lot throughout this post and I can't understate the importance of the role other people have played in the project's success. Just to really drive that point home, look at how many breaches have gone into HIBP in the last two weeks. At the time of writing, that's 16 breaches encompassing 95,850,490 records and every single one of those has been a community contribution; someone selflessly standing up and trusting me to handle the data in the best interest of others. I focus on that short time frame in particular here because it also demonstrates the constant flood of data and the need to scale myself more efficiently.

So that's where HIBP is heading. I know this blog post will be met with much enthusiasm because that's what many of you have been telling me to do for a long time. I've listened, now it's time to make it a reality 😊