Resisting Comparison

From Sophos Blog: Thoughts on Comparative Testing

Cylance itself has acquired access to many other vendors’ products, including Sophos, and has been using them in its own competitive testing in public demos, in violation of end user licenses. In fact, Cylance just renewed its licenses for Sophos products through one of our partners. When Cylance acquires our software we don’t threaten the reseller. Note that despite our efforts, to date, Cylance has been unwilling to allow us to license its products.

As long as there has been a marketplace for products, vendors of products have always sought to acquire the competition’s products to understand if they are better and how. Likewise, third party analyst firms acquire products from a number of vendors in a space to compare and contrast them. No matter what vendors might try to do, including End User License Agreements to restrict product uses, these activities will continue unabated.

It seems silly to me that organizations deploy products to protect their critical assets without doing due diligence to make sure the products do what their marketing claims they do. That said, information security departments in companies of all sizes are understaffed and barely have the time to operate the tools they have, much less evaluate the efficacy of new tools.

A quality information security product should stand up to reputable third party scrutiny. Even if you don’t do a direct comparison yourself, there are plenty of analyst firms who do these sorts of comparative evaluations and publish their results (usually for a fee). While it’s impossible for vendors to participate in all third party testing and not all third party evaluations are created equal, a dearth of third party evaluations for a particular vendor’s products should be a huge red flag.

The one sort of scrutiny that no vendor can ignore is the scrutiny of the bad guys. They are guaranteed to find the product flaws you didn’t find in testing or didn’t find documented in the third party evaluation reports that you didn’t read.

Disclaimer: My employer, Check Point, also recently called out a competitor on their marketing claims. These views, however, are my own.

Good Password Hygiene Key To Protecting Social Media Accounts

From Miscreants breach NFL’s Twitter account, reveal its weak password

Online miscreants took over the National Football League’s Twitter account and used it to falsely report the death of league commissioner Roger Goodell.

During the brief span that @NFL was taken over, it followed exactly one new Twitter account—specifically, @IDissEverything, which has now been suspended. Before the account was suspended, it claimed the password protecting the NFL Twitter feed was “olsen3culvercam88.” The Daily Dot said someone connected to the IDissEverything account claimed the password was revealed after someone “managed to get into the email of a social media staffer at the NFL, where we found the credentials in a message.” It’s still not clear how the group got access to the e-mail account.

Between all the various password dumps that have taken place recently (32 million Twitter credentials, anyone?), generally poor password choices, and even poorer password hygiene, it seems a lot of social media accounts are getting hacked these days, including those of Facebook CEO Mark Zuckerberg and Twitter co-founder Ev Williams.

Given how people are slow to change their habits, I don’t see this trend changing anytime soon. To make matters worse, social media services themselves can have security issues, too. My colleagues at Check Point helped Facebook find a pretty serious issue in their Messenger application.

Earlier this week, I was interviewed by reporter Annie Gaus for an article on these credential breaches. The advice I was quoted giving in the article shouldn’t be anything you haven’t heard before. Now might be a good time to implement it, especially if you happen to be a high-profile person or someone who manages the social media accounts of organizations.

Use Strong, Unique Passwords For Each Site

If there’s one thing these recent site hacks taught us, it’s that using the same password on every site is a bad idea. People still generally pick passwords that, in the immortal words of Spaceballs, an idiot would have on their luggage!

So, yes, use a unique password on each site. Also, make sure it’s not something simple. Complexity is good. Length is better. Long and complex is even better!

My favorite way to get a sense how good of a password I’ve chosen is to use the Password Haystack page from Gibson Research. It’s not a “password strength meter” but it gives you a good idea how long it would take for your password to be guessed via brute force. There’s also some good advice on this page on how to construct a password that is both easy to remember and strong enough to hold up to brute force guessing.
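To make the brute-force arithmetic concrete, here is an added example (my own code for this post, not Gibson Research’s). It mirrors the Haystack approach: infer the alphabet an exhaustive attacker must cover from the character classes present, size the search space as the sum of all candidates up to the password’s length, and convert that to time at a few guess rates. The class sizes, the guess rates, and the sample passwords are assumptions chosen for illustration.

```python
# Added example for this post; it is not Gibson Research's own code.
import string

# Character classes and the alphabet size each contributes once present.
# Assumption: the symbol class is 33 (32 ASCII punctuation marks plus space).
CLASSES = {
    "lower": (frozenset(string.ascii_lowercase), 26),
    "upper": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "symbol": (frozenset(string.punctuation + " "), 33),
}

# Assumed guess rates (guesses per second): a rate-limited online login,
# an offline attack on a fast unsalted hash, and a large GPU/ASIC array.
GUESS_RATES = {
    "online, throttled": 1_000,
    "offline, fast hash": 100_000_000_000,
    "offline, massive array": 100_000_000_000_000,
}


def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive search must assume: the sum of the sizes of
    every character class that appears anywhere in the password."""
    return sum(size for chars, size in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidates up to len(password) over that alphabet: sum_{i=1..L} A**i.
    Only alphabet and length matter, not how the password was chosen, which
    is why a long padded password beats a short hard-to-remember one."""
    a, n = alphabet_size(password), len(password)
    if a == 0 or n == 0:
        return 0
    return sum(a ** i for i in range(1, n + 1))


def seconds_to_exhaust(password: str, guesses_per_second: int) -> float:
    """Worst case: the attacker has to try the whole haystack."""
    return search_space(password) / guesses_per_second


def humanize(seconds: float) -> str:
    """Rough human-readable duration for the report."""
    minute, hour, day, year = 60, 3600, 86400, 365.25 * 86400
    for unit, name in ((year, "years"), (day, "days"),
                       (hour, "hours"), (minute, "minutes")):
        if seconds >= unit:
            return f"{seconds / unit:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def report(password: str) -> dict:
    """Per-rate time to exhaust, plus the inputs that produced it."""
    return {
        "alphabet": alphabet_size(password),
        "length": len(password),
        "search_space": search_space(password),
        "time": {label: humanize(seconds_to_exhaust(password, rate))
                 for label, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    # Constructed samples: a short "complex" password, a long padded one,
    # and the leaked NFL password quoted above.
    for pw in ("Pr3$K9!q", "D0g.....................", "olsen3culvercam88"):
        r = report(pw)
        print(f"{pw!r}: alphabet={r['alphabet']} length={r['length']} "
              f"space={r['search_space']:.3e}")
        for label, t in r["time"].items():
            print(f"    {label:>24}: {t}")
```

Run it and compare the eight-character password against the padded one: both draw on all four classes, so the alphabet is the same, and the extra sixteen characters multiply the search space by roughly 95 to the sixteenth power. The lowercase-plus-digits NFL password, by contrast, gets an alphabet of only 36.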

Use A Password Manager

While it is true a password manager creates a single point of attack—and failure—a good password manager has several benefits that outweigh the risks. This assumes you use it with a strong master password, of course.

  • Provides a way to securely sync password vaults across multiple computers and mobile devices.
  • Allows you to use more complex passwords without having to remember them.
  • Provides an indication of the last time you used a specific password.
  • Provides an indication of the last time you changed a specific password.
  • Provides a mechanism to tell you when you are using the same password on multiple sites.

LastPass is my password manager of choice. Other people like 1Password. I can’t speak for others that may exist, though I can assure you they are not all created equal.

Use Two Factor Authentication

Many services now offer Two Factor Authentication, either by SMS or with the standardized TOTP/HOTP codes (RFC 6238 and RFC 4226) implemented by Google Authenticator, Authy, and others. While it does stop someone who has guessed or stolen your password from logging in with that password alone, it doesn’t prevent someone from phishing you: a real-time phishing page simply relays the one-time code along with the password. Be careful out there!

If You’re Not Using a Social Media Account, Close It

Given people’s propensity to use the same login and password everywhere, and the ever increasing odds of sites getting hacked, close social media accounts you’re not using. That said, consider changing the password to something complex before you close it, on the off chance the service doesn’t actually delete your data and is later hacked.

Assume All Social Media Is Public, Act Accordingly

This is not necessarily a security issue, and wasn’t one of the items highlighted in the article I was quoted in, but it is a privacy issue and important nonetheless.

Personally, I don’t think Facebook and the like are intentionally trying to make everything you do public (though plenty have good reason to think that). I’m saying this because, like everything else, social media accounts can and will be hacked, or exposed through issues in the service’s API. Also, people can easily screenshot any social media interaction, including and especially private ones, and make it public instantly.

You’re better off assuming anything you input into social media, SMS, iMessage, WhatsApp, Telegram, or whatever can and will be made public. Act and share accordingly.

If You Have To Share Social Media Passwords, Do It Securely

While it is generally bad practice to share any passwords, individuals in companies who maintain a corporate social media presence often end up having to share credentials as a practical matter. Twitter is one common example.

If you absolutely have to do this, then you should not share passwords over email, SMS, WhatsApp, and so on in plaintext. These mechanisms, or the device you run them on, could be compromised in some way.

An encrypted container of some kind is the way to go. For example, I use Microsoft Word documents protected with Check Point Capsule Docs, which encrypts the document and allows me to restrict documents to specific individuals only. Only those individuals will be able to read the document. I can also restrict what they are able to do with the documents as well.

Another way to accomplish the same task: LastPass, which also has a password sharing feature.

Change Your Passwords Occasionally

Even if you use complex, unique passwords on every site, changing passwords occasionally is not a bad idea. Once a year is probably often enough, though some events may necessitate changing your password more often:

  • If it’s a shared password (see above), change it if someone no longer needs access to the account (e.g. when they leave the organization or change roles).
  • A breach is reported on a specific site.
  • If you got a password reset email that you didn’t request.

Changing your password also lets the site hash it with a stronger algorithm. Sites switch algorithms over time, but they only store a hash of your password, so an individual account can only be re-hashed when the site next sees the plaintext, at login or at a password change.

Disclaimer: If you don’t know by now, I work for Check Point Software Technologies. However, these are my own thoughts.

Infosec-Related Insights From Flash Foresight

One of the things I did not expect to get out of the recent Check Point Experience conference was: a book to read. That’s exactly what happened when, due to an encounter with Flash Foresight author Daniel Burrus on Twitter, a book showed up on my doorstep.

The Twitter encounter happened because Daniel Burrus spoke at Check Point Experience and I tweeted a few photos from his talk. Though he had about a half an hour slot, I could have listened to him for hours. Many of his insights could easily apply to the field of information security. In fact, plenty of the trends he discusses have immediate implications to the field.

Depending on how quickly you read, you may be able to knock it out in an evening or two. This book is definitely a recommended read. Unlike many “business” books I’ve read, this was an easy read and I found it immediately resonated with my own experiences. I also found it to be very optimistic. Specifically, the problems we have today will be solved. The question is, by whom and how? If you apply some of the principles of Flash Foresight, maybe it could be you?

Walking Through the Seven Flash Foresight Principles

Daniel Burrus breaks down the process of Flash Foresight into seven principles. The application of one or more of these principles can be used to solve a variety of challenges. Surely, they can help us in infosec, no?

The first place to start: certainty. Specifically, what you know. That is largely reflected by trends:

The main difference between hard trends and soft trends is the level of certainty in the trend. They can sometimes be hard to tell apart, and people often make poor decisions because they can’t tell the difference.

Soft trends are “future maybes.” They can be changed. For example, your organization’s information security budget, or the time it takes you to respond to the inevitable breach. You do have a response plan, right?

A hard trend cannot easily be changed. For example, the level of technological innovation, particularly in three key areas: processing power, storage, and bandwidth. The trends point to an ever increasing quantity of all three at ever decreasing costs.

Think that doesn’t have implications in information security? You bet it does, and I bet you’re already seeing it: more business information on more devices from more places in the world. The problems will only get worse.

It’s far easier to see the future when you start with what you know. If you look at the hard trends and know where innovation is taking us, it’s pretty easy to anticipate the future (the second principle).

As some of you probably know, I spent 10 years working for Nokia, which was, in those days, the largest mobile phone manufacturer in the world. They were also in the network security business, which is where I worked. That said, I was exposed to many of the mobile phones Nokia made and thus I saw these Pathways to Innovation play themselves out from a vantage point somewhat different from a typical consumer:

It was very obvious to me in the 2000s that smartphones would become our personal computing devices–personal computing devices that accessed websites and had data on them. Nokia, being in the handset business, the network infrastructure business, as well as the security business, was uniquely positioned to provide this security both on the handsets and within the network.

It was one of the many opportunities that Nokia did not have the foresight to take advantage of. Nokia, as mighty as it once was in the smartphone industry, lost out and lost big. Had they made a proper transformation from the inside out (the third principle) as they had done several times throughout their 152-year history, they might still be a household name. Instead, since they transformed largely as a result of external forces and trends, they are barely a blip on the radar.

Another thing Nokia failed to do: take their biggest problem and skip it (the fourth principle). At the time, one of their biggest challenges as far as breaking into the US market: working with the US mobile operators. They wanted nothing to do with Nokia’s products. Meanwhile, they could have easily marketed and sold the products to the US public directly, bypassing the operators.

To bring this back to information security for a moment, what is our biggest problem in information security? Surely it has to be all that data on all those devices connecting from everywhere with data hosted everywhere using our traditional information security tools. What if we could skip that problem and bake security into the data and/or the method used to access that data?

Sometimes, the solutions to your problems are also in the opposite direction everyone else is looking (the fifth principle). For example, I see a lot of newer security vendors focusing on detection of threats rather than prevention of threats. While I’ve said a few times this is not an either/or proposition, I openly wonder: as infrastructures grow more complex and more virtualized, all driven by hard trends, how helpful is detection by itself going to be in the long run? Unless it is followed by automatic remediation—or better, preventing the incident in the first place—it will be just one more signal that gets ignored.

Information security has no choice but to redefine and reinvent how and what it does (the sixth principle). The underlying infrastructure that supports our business is commoditizing and evolving rapidly at a rate that will only accelerate. Likewise, security vendors will have to find a way to continue to provide unique value in this environment else their products will be replaced.

Finally, the future is largely what we envision it to be (the seventh principle). Do we envision a future where the threats run rampant over our networks or do we envision remaining one step ahead and keeping the threats at bay (or at least contained)? You may need other resources to achieve it, but it starts with a clear future vision. To shape the future will require communication, collaboration, and trust—all something information security is in the critical path to ensure happens.

This diagram in the book I think illustrates something that I already lived:

I’ll ask those of you who used my FireWall-1 FAQ back in the day: what did that content represent to you? Data? Information? Knowledge? Wisdom? I’ll settle for knowledge since what I had there was largely product specific. Wisdom is probably stretching it.

But is it? I’ve had numerous people come up to me over the years thanking me for that FAQ as it helped them become information security professionals. Back in the 1990s, there wasn’t a whole lot of information out there. Rather than keep it locked up, I shared it with the Internet. I collaborated with people on the Internet to improve it. And, because the information was largely accurate, and I was accountable for mistakes, people ultimately trusted it.

Even though I haven’t operated that FAQ site in more than 10 years, I built a very nice career for myself as a result. Maybe if the information security industry would communicate better, truly collaborated with each other, and operated in a truly trustworthy manner, we could all be one step ahead.

How To Separate Security Solutions from Snake Oil

From Darwinism in IT Security, Pt. 3: Time to Deal with These No-Good Parasites:

[Detection] adoption has become the norm in the IT-security industry; and based on that, a whole ecosystem of parasites now successfully bullshits (successfully – i.e., keeps getting away with it!) the public. No, I am not making this up.

What all parasites agree on is their opposition to ‘traditional methods’ (the very same scanning methods they adopt via VirusTotal) and their love of all things ‘next generation’ (though what exactly is new about detection copy-and-pasting – and also AI – they don’t point out).

Conclusion: if you get approached by folks from an unknown company bandying about words like ‘next-gen’, ‘behavioral analysis’, ‘artificial intelligence’, etc., with no results of independent tests to make those words mean something real, watch out. The marketing materials of such companies show that the only artificial intelligence they use is that for peeking on real IT-security companies via the cloud.

It’s like I said before, you have to wonder about security vendors who do not willingly submit themselves to third party scrutiny. If their products are as good as their marketing claims, this will prove itself out in third party testing, or better yet, your own testing using objective criteria. Reputable security vendors are more than willing to support such an effort.

If you rely purely on marketing to make decisions about what security solutions to buy, you may be buying snake oil. Caveat emptor!

Old Password Breaches are New Again

In the past couple of weeks, a couple of old breaches of social media sites have come into the news again, mostly because the data from the breaches of MySpace, LinkedIn, Tumblr, and some site called Fling that I had never heard of before, are for sale on the dark web. Aside from chatter on Twitter, the first thing that could be deemed a “formal” notification came from Troy Hunt’s site Have I Been Pwned, something I recommend everyone subscribe to as he seems to do a better job of notifying people than the providers do.

You might wonder why we who care about information security care about years-old breaches from social media sites. It’s pretty simple: most “normal” people use the same login and password everywhere they go on the web. It’s also quite possible they didn’t get the memo the first time these breaches occurred, either.

And let’s be honest, even if you changed your password when the breach was first announced, what are the odds you changed the password since then? Most likely, you haven’t and now is as good a time as any to change your password for these sites, if for no other reason than to leverage improved password hashing algorithms these sites are surely implementing.
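The mechanics behind “leverage improved password hashing algorithms” (here and in “Change Your Passwords Occasionally” earlier on this page) are worth seeing once, so here is an added example of my own; it is not any site’s actual login code. A site only ever holds a hash, so it can move an account to a stronger scheme only while it has the plaintext in hand, i.e. at login or password change. The legacy “sha1$” record format, the “pbkdf2-sha256$iterations$salt$hash” format, and the iteration count are assumptions for illustration.

```python
# Added example for this page, not any real site's code.
import base64
import hashlib
import hmac
import os

LEGACY_PREFIX = "sha1$"          # assumed legacy record: unsalted SHA-1
CURRENT_SCHEME = "pbkdf2-sha256"
CURRENT_ITERATIONS = 200_000     # illustrative; size to your hardware budget


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def legacy_hash(password: str) -> str:
    """What the constructed old site stored. Unsalted and fast: identical
    passwords give identical hashes and a GPU tries billions per second."""
    return LEGACY_PREFIX + hashlib.sha1(password.encode("utf-8")).hexdigest()


def current_hash(password: str, salt: bytes = None,
                 iterations: int = CURRENT_ITERATIONS) -> str:
    """Salted, slow, and self-describing so the parameters can grow later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{CURRENT_SCHEME}${iterations}${_b64(salt)}${_b64(dk)}"


def verify(stored: str, password: str) -> bool:
    """Check a candidate against whichever format the record is in."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(stored, legacy_hash(password))
    scheme, iterations, salt_b64, _ = stored.split("$")
    if scheme != CURRENT_SCHEME:
        return False
    expected = current_hash(password, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(stored, expected)


def needs_upgrade(stored: str) -> bool:
    """Legacy format, or the current format with a weaker work factor."""
    if stored.startswith(LEGACY_PREFIX):
        return True
    _, iterations, _, _ = stored.split("$")
    return int(iterations) < CURRENT_ITERATIONS


def login(db: dict, user: str, password: str) -> bool:
    """Authenticate, and re-hash opportunistically while the plaintext exists.
    A user who never logs in again keeps the weak hash forever, which is
    exactly why an old, unused account is the one to close or rotate."""
    stored = db.get(user)
    if stored is None or not verify(stored, password):
        return False
    if needs_upgrade(stored):
        db[user] = current_hash(password)
    return True


if __name__ == "__main__":
    # Constructed user table still in the legacy format.
    users = {"alice": legacy_hash("olsen3culvercam88")}
    print("wrong password:", login(users, "alice", "nope"), users["alice"][:12])
    print("right password:", login(users, "alice", "olsen3culvercam88"),
          users["alice"][:22])
```

Note that a failed login leaves the weak hash in place: the site never learned the plaintext, so it has nothing to re-hash. The same pattern raises the iteration count of already-migrated accounts over time.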

Of course, a couple of other pieces of advice to implement:

  • Different Passwords on Every Site: As noted above, password re-use is what makes these older breaches relevant to a lot of people. You can mitigate this risk in the future by using unique passwords on each site you authenticate to.
  • Use Two Factor Authentication: Even if someone is able to crack your password, two factor authentication should slow down any determined hacker. That said, two factor authentication is still not something the majority of people do because it’s still not easy. Also, many systems rely on SMS (which itself can be compromised) or on a token app that lives on a single smartphone. What happens when you lose your phone?
  • Use a Password Manager: The primary benefit of a password manager is the ability to use unique, complex passwords on all the sites without having to type or remember them. Yes, your password manager becomes a huge target, but the security benefits outweigh the risks.

LastPass is my password manager of choice. It works across all the platforms I use (Mac, PC, Linux, Android, and iOS). At $12/year, it’s an absolute no-brainer. Yes, I know a lot of people like 1Password, but I find their apps a much more expensive proposition.

Perhaps one of my favorite features of LastPass is their Security Challenge. It evaluates all the passwords I have in my vault to see which passwords may have been compromised, ones that are weak, ones I’ve reused, and ones that haven’t been changed in more than a year. This allows me to quickly identify which accounts might need a new password, one I can make significantly more complex thanks to LastPass. Note that even without using the Security Challenge, I’m warned when I reuse a password, a very good thing.
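Those four checks (and the reuse and last-changed indicators listed under “Use A Password Manager” earlier on this page) are simple enough to write out. The following is an added example of my own, not LastPass’s Security Challenge, run over a constructed vault: it flags compromised, weak, reused and stale entries. The vault entries, dates, thresholds and the local breach corpus are all made up for the example; the one real detail is that leaked-password lists such as Pwned Passwords are published as SHA-1 digests, and that service’s range lookup takes only the first five hex characters of the digest.

```python
# Added example for this page; not LastPass's Security Challenge.
import hashlib
from collections import defaultdict
from datetime import date

# Constructed vault: what a password manager holds per site.
VAULT = [
    {"site": "bank.example", "password": "Tr0ub4dor&3", "changed": date(2016, 5, 1)},
    {"site": "shop.example", "password": "Tr0ub4dor&3", "changed": date(2015, 1, 10)},
    {"site": "forum.example", "password": "password1", "changed": date(2014, 3, 3)},
    {"site": "mail.example", "password": "correct horse battery staple 42",
     "changed": date(2016, 6, 1)},
]

# Constructed breach corpus, kept the way breach lists are published:
# SHA-1 digests of the leaked passwords, never the plaintexts.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password1", "123456", "qwerty")
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def k_anonymous_query(password: str) -> tuple:
    """Split the digest the way the Pwned Passwords range API expects: only
    the 5-character prefix is sent; the suffix is matched locally against
    the returned candidates, so the service never sees the full hash."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def is_weak(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Cheap heuristics: too short, or too few character classes."""
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    return len(password) < min_length or classes < min_classes


def audit(vault, breached_sha1, today: date, max_age_days: int = 365) -> dict:
    """Map site -> list of findings; sites with no findings are omitted."""
    # Reuse detection groups on digests, so plaintexts are never collected.
    sites_by_hash = defaultdict(list)
    for entry in vault:
        sites_by_hash[sha1_hex(entry["password"])].append(entry["site"])

    findings = {}
    for entry in vault:
        site, pw = entry["site"], entry["password"]
        h = sha1_hex(pw)
        problems = []
        if h in breached_sha1:
            problems.append("compromised")
        if is_weak(pw):
            problems.append("weak")
        if len(sites_by_hash[h]) > 1:
            problems.append("reused")
        if (today - entry["changed"]).days > max_age_days:
            problems.append("stale")
        if problems:
            findings[site] = problems
    return findings


if __name__ == "__main__":
    for site, problems in sorted(audit(VAULT, BREACHED_SHA1, date(2016, 6, 15)).items()):
        print(f"{site:14} {', '.join(problems)}")
```

The reused password shows up on both sites that share it, which is the point: one breach of the weaker site hands an attacker the bank login as well. A real tool would replace the local corpus with a range lookup built from `k_anonymous_query`.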

Disclaimer: My employer, Check Point Software Technologies, might have a different point of view on passwords; these are my own.