-
Data Security
Aug 14, 2012
The Definitive Guide to Cryptographic Hash Functions (Part II)
Last time I talked about how cryptographic hash functions are used to scramble passwords. I also stressed why it is extremely important to not be able to take a hash value and work backwards to figure out the plain text input. That was Golden Rule #1 (pre-image resistance).
Rob Sobers
2 min read
-
Data Security
Aug 08, 2012
Lessons Learned from Mat Honan's Epic Hacking
“Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.”

If you haven’t read Gizmodo writer Mat Honan’s gut-wrenching play-by-play of how his entire digital life was evaporated in a matter of hours, do yourself a favor and Instapaper it. Or, if you’re too busy to read the whole article, I’ve created a quick-and-dirty summary that retraces the hacker’s steps and highlights some steps we can take to protect ourselves from similar attacks.

How It Happened

1.) Hacker targets @mat via Twitter

2.) Hacker browses to @mat’s personal website, which is linked from his Twitter profile

3.) Hacker sees @mat’s Gmail address on his website

4.) Hacker tries to log in to Gmail using @mat’s Gmail address (knowing he won’t get in)

Hmm, if the hacker can’t break into @mat’s Gmail account, why is this important? When you tell Gmail that you’ve lost your password, it responds by showing you the partially obscured alternate email address it has on file for account recovery. This is a big hole. Why? Because m***n@me.com was enough information to know which service to attack next – iCloud, which, as you’ll see in a minute, is extremely vulnerable to social engineering.

It’s worth noting that, as @mat mentions in Wired, if Gmail’s two-factor authentication had been enabled, the nightmare would have ended here. Hopefully Google will figure out a better mechanism for securing your alternate email account than blanking out a few characters (a security question would be a good start!).

Email is the skeleton key to your online identity, since so many services reset your account via a confirmation link sent to your email address. Guard it well.

How can you protect your Gmail account? Go enable two-factor authentication for your Gmail account…now! Jeff Atwood wrote an excellent tutorial for Gmail in his Make Your Email Hacker Proof post, and Matt Cutts posted a video today.

5.) Hacker obtains @mat’s billing address by doing a simple WHOIS lookup on his website’s domain name

I can’t really ding @mat here since, as he points out, most people’s billing addresses are obtainable via WhitePages or a similar service unless you’re unlisted, which isn’t a bad idea. If you own a domain name, think about paying the extra $20/year for private registration.

6.) Hacker obtains the last 4 digits of @mat’s credit card

Why was the hacker after the last 4 digits? Because this was the last piece of the iCloud-cracking puzzle. In order to verify your identity, AppleCare phone support requires: 1) name, 2) email, 3) billing address, and 4) the last 4 digits of the credit card on file. The hacker already had 3 of the 4.

Where might someone’s credit card number be stored? Amazon! The hacker (correctly) assumed that @mat had an Amazon account that used one of his two known email addresses as the account name. But how did the hacker gain access? Hint: he didn’t crack the password. He used social engineering.

The hacker placed a call to Amazon tech support claiming to be @mat. He provided his name, address, and email (yikes!), and then asked the tech support rep to add a new credit card number to the account. Then he hung up the phone and waited. Later, the hacker placed a subsequent call to Amazon saying he had lost access to his account. Upon providing name, address, and the newly added fake credit card number, Amazon support let the hacker add a new email address to the account (e.g., hacker@danger.com). Game over. The hacker could now click “forgot password” on the Amazon login page, and the subsequent password reset email would go to hacker@danger.com instead of @mat’s real email address. Having reset the password, the hacker then logged into the Amazon account and nabbed the last 4 digits of the real credit card on file.

@mat notes: “And it’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’re giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.”

How can you protect your Amazon account? Until Amazon rethinks their identity verification process, the only way to protect against this social engineering hack is to delete any credit card data you have on file with Amazon. Yes, it’s painful to have to enter your credit card information every time you place an order, but is it as painful as having your digital identity stolen?

Let’s recap: Hacker grabs public information: name, Gmail address, billing address. Gmail’s login system reveals that @mat has an AppleID (m***n@me.com). The hacker knows that in order to own that AppleID the only missing piece is the last 4 digits of @mat’s credit card, which can be socially engineered from Amazon support.

Whew. Still with me? Good. Here’s where it gets really ugly.

7.) Hacker calls AppleCare with the information required to infiltrate an iCloud account: name (public), email (public), billing address (public) and last 4 digits of a credit card (virtually public).

How can you protect your AppleID? Apple requires you to have a credit card on file if you want to use iTunes and the App Store, so deleting your credit card data might not be a viable option. However, you could dedicate a single-purpose credit card for Apple. If the card @mat stored with Amazon hadn’t matched the card stored with Apple, the attack would have stopped here. Regardless, Apple needs to seriously rethink their identity verification process.

8.) Hacker remote wipes @mat’s iPhone, iPad and Macbook Pro

There are more security steps involved in opting into a MailChimp newsletter than in remotely decimating an entire laptop. The way iCloud’s remote wipe process was designed leads me to believe they didn’t even think through the possibility that an iCloud account could be hacked.

How can you protect your data? Back up your data. No excuses. Have multiple backups and test your restores. You can get a 2TB external hard drive for $120 on (wait for it…) Amazon, and online backup services are a few bucks a month for unlimited data. (Anecdotally, the only hard drive failure I ever experienced was 1 day after my very first online backup completed. Most people aren’t so lucky.)

So many systems are interconnected in the cloud, making things more convenient than ever before, but we have to realize that this same interconnectedness makes security exponentially harder. Passwords are no longer good enough—not for the important stuff. If Apple, Amazon, and (to a much lesser extent) Google—companies with a combined market cap of 900B—can’t get security right, what are the lesser known providers doing?
Rob Sobers
4 min read
-
Data Security
Aug 02, 2012
The Definitive Guide to Cryptographic Hash Functions (Part 1)
Give me any message and I will create a secret code to obscure it.
Rob Sobers
3 min read
-
Data Security
Jul 03, 2012
The Difference Between Everyone and Authenticated Users
In order to maintain proper access controls, it’s crucial to understand what every entity on an access control list (ACL) represents, including the implicit identities that are built into a Windows environment.
Rob Sobers
2 min read
-
Data Security
Jun 05, 2012
SharePoint Permissions Cheat Sheet
Complexity is dangerous in the security world. The harder something is to understand, the harder it is to protect. SharePoint falls squarely into this category. Configuring permissions in SharePoint can be daunting, especially if you don’t understand the core concepts and terminology. Unfortunately, managing access controls in SharePoint is often left to end-users, not IT administrators, and that can spell disaster.
Brian Vecci
2 min read
-
Privacy & Compliance
May 15, 2012
Data Classification Tips: Finding Credit Card Numbers
4 Useful Regular Expressions and Algorithm Combinations for Finding Credit Card Numbers
Data classification is a critical piece of the data governance puzzle. In order to be successful at governing data, you have to know—at all times—where your sensitive data is concentrated, unencrypted, and potentially overexposed.
Rob Sobers
1 min read
-
Data Security
May 03, 2012
Exchange Journaling and Diagnostics: How to
Journaling and Diagnostics Logging are services to monitor and audit activity on Microsoft Exchange servers. They provide basic auditing functionality for email activity (e.g. who sent which message to whom) and, if collected and analyzed, may help organizations answer basic questions about email, as well as comply with policies and regulations. (Note: Varonis DatAdvantage for Exchange does not require journaling or diagnostics to monitor Exchange activity.)
Rob Sobers
2 min read
-
Data Security
Apr 24, 2012
5 Things You Should Know About Big Data
Big data is a very hot topic, and with the Splunk IPO last week seeing a 1999-style spike, the bandwagon is overflowing. We’re poised to see many businesses pivoting into the big data space or simply slapping a big data sticker on their products—accurate or not—just to ride the wave.
Rob Sobers
2 min read
-
Data Security
Apr 05, 2012
What is OAuth? Definition and How it Works
We’ve talked about giving away your passwords and how you should never do it. When a website wants to use the services of another—such as Bitly posting to your Twitter stream—instead of asking you to share your password, they should use a protocol called OAuth instead.
Rob Sobers
5 min read
-
Data Security
Mar 30, 2012
Giving Away Your Passwords
You might have seen the headlines from the past couple of weeks detailing how some employers were demanding employees hand over their Facebook passwords or else. Privacy violation? Just a little.
Rob Sobers
1 min read
-
Data Security
Mar 29, 2012
Fixing the Open Shares Problem
I recently spoke with an IT administrator who had started a manual open share cleanup project—finding and locking down folders and SharePoint sites open to global access groups like Everyone, Domain Users and Authenticated Users. After removing the everyone group from several folders, they began to receive help desk calls from people who had been actively accessing data through those global access groups prior to their removal, and were now unable to perform their daily activities because they had lost access. This went on for two weeks or so—each time someone called, they had to apologize for the disruption, and quickly add that user to a group on the folder’s ACL.
David Gibson
1 min read
-
Data Security
Jan 06, 2012
Why Do SharePoint Permissions Cause So Much Trouble?
SharePoint permissions can be the stuff of nightmares. At Varonis, we get a chance to meet with a lot of SharePoint administrators and it’s rare that they’re not exhausted trying to manage user permissions. SharePoint’s a useful collaboration platform—and Microsoft’s fastest selling product ever—but helping to ensure proper permissions and access control is probably not its strongest suit.
Brian Vecci
2 min read