Security In the News Orange County CIO Roundtable July 10, 2014 Jeff Hecht Chief Compliance & Security Officer


Page 1: Security in the News

Security In the News

Orange County CIO Roundtable

July 10, 2014

Jeff Hecht

Chief Compliance & Security Officer

Page 2: Security in the News

Agenda

• We’re going to talk about 3 major security events that have been in the news in the last 12 months.

• We’ll try to understand a little about what happened and add some perspective about what those things mean for CIOs and other executives going forward.

• The three events are:

o The Heartbleed vulnerability

o The regularity of massive data breaches, most specifically the Target breach

o The revelations about the NSA as a result of documents stolen and released by Edward Snowden

Page 3: Security in the News

Heartbleed - What is it?

• Heartbleed is a vulnerability in the OpenSSL cryptographic software library.

• This weakness allows stealing the information usually protected by SSL/TLS encryption, the primary tool providing communication security and privacy over the Internet.

• It’s called Heartbleed because the bug is in OpenSSL's implementation of the TLS/DTLS heartbeat extension. When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
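The defect behind the heartbeat leak was a missing bounds check: the responder copied as many bytes as the peer's heartbeat message *claimed* its payload was, not as many as the message actually carried. The following Python model is an added example (not part of this deck and not OpenSSL's code) that shows the unchecked copy beside the checked one. The record layout follows the heartbeat extension (1-byte type, 2-byte payload length, payload, 16 bytes of padding); `ADJACENT_MEMORY` is a constructed stand-in for whatever else the process happened to hold.

```python
import struct

# Constructed stand-in for data that happened to sit in process memory right
# after the heartbeat record (a fake session cookie and a fake key fragment).
ADJACENT_MEMORY = b"session=abc123; PRIVATE-KEY-FRAGMENT=3082025c02010002818100c0ffee"  # constructed


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat request: type (1 byte) | payload_length (2 bytes) | payload | 16 bytes padding.

    An honest peer sets claimed_length == len(payload); the bug was that nothing verified it.
    """
    return struct.pack("!BH", 1, claimed_length) + payload + b"\x00" * 16


def respond_vulnerable(record: bytes, adjacent_memory: bytes) -> bytes:
    """Models the pre-1.0.1g behaviour: the length the peer claims drives the copy."""
    _hb_type, payload_len = struct.unpack("!BH", record[:3])
    memory = record + adjacent_memory        # the record plus whatever follows it in RAM
    return memory[3:3 + payload_len]         # up to 65535 bytes, mostly not the payload


def respond_fixed(record: bytes, adjacent_memory: bytes):
    """Models the 1.0.1g fix: the claimed length is checked against the record received."""
    if len(record) < 1 + 2 + 16:             # too short even for an empty payload
        return None
    _hb_type, payload_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_len + 16 > len(record):
        return None                          # discard silently, as the patched code does
    return record[3:3 + payload_len]         # only bytes that are really in the record


def demo():
    """Runs an honest and a lying heartbeat through both responders."""
    honest = build_heartbeat(b"hello", 5)
    lying = build_heartbeat(b"hello", 65535)
    return {
        "honest_vulnerable": respond_vulnerable(honest, ADJACENT_MEMORY),
        "honest_fixed": respond_fixed(honest, ADJACENT_MEMORY),
        "lying_vulnerable": respond_vulnerable(lying, ADJACENT_MEMORY),
        "lying_fixed": respond_fixed(lying, ADJACENT_MEMORY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point for a defender is the shape of the fix: a length field supplied by the other side is untrusted input and must be compared with what actually arrived before it is used for a copy. Nothing in the honest case changes; only the lying request is now dropped instead of answered with 64 KB of memory.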

Page 4: Security in the News

Heartbleed – What does it do?

• The information that can be obtained through these leaks is expansive.

• Not just an ability to intercept a particular exchange as it’s happening (e.g. a web session that might include confidential information), but user names and passwords and, most importantly, the encryption keys themselves.

• Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will.

• Any protection given by the encryption and the signatures in the certificates can be bypassed.

Page 5: Security in the News

Heartbleed – How widespread?

• OpenSSL is the most popular open source cryptographic library and TLS implementation used to encrypt traffic on the Internet.

• The most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66%.

• OpenSSL is also used to protect email servers, chat servers, virtual private networks, network appliances and a wide variety of client side software. Many versions of Linux also use OpenSSL.

• The bug was introduced to OpenSSL in December 2011 and has been out in the wild since March 2012. OpenSSL 1.0.1g released in April 2014 fixes the bug.

Page 6: Security in the News

Heartbleed – How widespread?

• The vulnerable versions have been out there for over two years now and an estimated 600,000 servers were affected.

• The list of major sites affected includes:

o Google

o Facebook

o Twitter

o Instagram

o YouTube

o LinkedIn

o Yahoo

o Bank of America

o Chase

o Etrade

o TurboTax

o Amazon Web Services

o DropBox

o And many more…

Note that because this is primarily a server side issue, it makes no difference whether your client is running Windows, an Apple OS, Android, iOS or what browser or browser version you have. Everyone who might connect to any site using OpenSSL is potentially vulnerable.

Page 7: Security in the News

Heartbleed – Am I affected?

o Almost certainly you as an individual accessed an affected server.

o It is pretty much impossible that you don’t have an account somewhere that runs on an affected service, although it’s also nearly impossible to know if your information was actually compromised.

o At first there was little you could do until the services were updated.

o Now most of the major sites have removed the bug, but you must change your passwords as they may have already been compromised.

o An estimated 300,000 servers have yet to be patched, so your best defense is to regularly change your login credentials for any site that may have confidential information about you.

Page 8: Security in the News

Heartbleed – Is my company affected?

o If you use Open Source tools to run web sites (like Linux, Apache, etc.) your company very likely is affected.

o Even if you do not use those tools as primary software, you likely have devices attached to your network, like firewalls, routers and switches, that use embedded versions of Open Source software and may contain the OpenSSL library. Some of these may be difficult or impossible to patch.

o You may be using hosting partners that expose you to risk.

o If you rely on cloud based services like Google Apps you will want to ensure all your users have recently changed their passwords.

o Recovery for exposure on your infrastructure takes several steps:

• Patch the vulnerability with the latest version of OpenSSL

• Revocation of compromised keys (may need the help of your Certificate Authority)

• Reissue and redistribute new keys

• Have all users change their passwords

Page 9: Security in the News

Heartbleed – Is my company affected?

• You can test your web servers at: https://www.ssllabs.com/ssltest/index.html

Page 10: Security in the News

• Most likely through a malware process known as “RAM scraping”, 40 million credit and debit card numbers were stolen over a 3 week period in an attack on Target POS systems

• Also stolen were names, mailing addresses, phone numbers and email addresses of up to 70 million individuals

• 46% drop in profits

• Stock drops

• $200M cost to banks and credit unions to reissue compromised cards

• Target CIO out

• Target CEO out

• Target to invest at least $100M in upgraded POS security (chip and pin)

• Neiman Marcus, Michaels, eBay, Sally Beauty, P.F. Chang’s, Paytime and others have had breaches affecting millions

• An estimated one in four Americans have had credit card and other sensitive information stolen

Page 11: Security in the News

Changes in cards

• Chip and Pin technologies (also called smart cards or EMV) can have a positive effect on POS breaches and make duplicating physical credit cards much harder

• Widely used in Europe for some time (ironically because their network infrastructure could not support real time verification processing until recently) chip technologies:

o Embed a microchip on credit/debit cards that contains the card number, expiration, etc. in an encrypted format

o The decryption takes place with a sophisticated method that is good only for that specific transaction and requires the PIN

o That makes the card itself unusable at POS without the PIN and very difficult to duplicate

o UK and Canada have seen large drops in fraud through use of chip and pin

• Visa and MasterCard have mandated its use by 10/2015. 10/2017 the liability for fraudulent transactions will move to the entity in the chain that has the lowest level of technical security unless they are accepting chip and pin
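What makes a chip transaction "good only for that specific transaction" is that the chip computes a fresh cryptogram over the transaction details and a counter, using a key that never leaves the card, and the issuer checks it. The model below is an added example, not from this deck and not the EMV specification: it replaces EMV's key derivation and cipher with an HMAC-SHA256 tag (an assumption made for readability), uses a transaction counter the way EMV uses the ATC, and treats the PIN as a simple gate. The card key and PAN are constructed values.

```python
import hashlib
import hmac
import struct


class ChipCard:
    """Simplified chip: a per-card secret key and an application transaction counter (ATC)."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key      # stays inside the chip; never written to the terminal
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes, pin_ok: bool):
        """Returns an authorization message, or None if the cardholder PIN was not verified."""
        if not pin_ok:
            return None
        self.atc += 1
        data = struct.pack("!IQ", self.atc, amount_cents) + terminal_nonce
        tag = hmac.new(self._key, data, hashlib.sha256).digest()[:8]  # stand-in for the ARQC
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce, "mac": tag}


class Issuer:
    """Issuer host: knows each card's key and the highest ATC it has already accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan: str, card_key: bytes):
        self._keys[pan] = card_key
        self._last_atc[pan] = 0

    def authorize(self, msg) -> bool:
        key = self._keys.get(msg["pan"])
        if key is None:
            return False
        data = struct.pack("!IQ", msg["atc"], msg["amount"]) + msg["nonce"]
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, msg["mac"]):
            return False                      # amount, counter or nonce was altered
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return False                      # replay of a cryptogram already spent
        self._last_atc[msg["pan"]] = msg["atc"]
        return True


def run_scenarios():
    """Constructed card and issuer; returns the outcome of each scenario."""
    pan, key = "4111111111111111", b"constructed-card-key"   # constructed values
    card, issuer = ChipCard(pan, key), Issuer()
    issuer.enroll(pan, key)
    first = card.generate_cryptogram(2599, b"terminal-nonce-1", pin_ok=True)
    return {
        "genuine": issuer.authorize(first),
        "replayed": issuer.authorize(first),                        # same message again
        "amount_changed": issuer.authorize(dict(first, amount=1)),  # tag no longer matches
        "no_pin": card.generate_cryptogram(100, b"n", pin_ok=False) is None,
        "next_genuine": issuer.authorize(card.generate_cryptogram(100, b"terminal-nonce-2", True)),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Contrast this with a magnetic stripe, whose track data is the same static string on every swipe: anything that copies it once can reproduce it indefinitely. Here a captured cryptogram is worthless after its single use, and altering the amount breaks the tag, which is why the deck can say the card is "very difficult to duplicate".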

Page 12: Security in the News

Changes in cards

• The resistance to adoption has been largely cost

o POS terminals must be replaced (roughly 10M of them)

o Cards containing the chips cost 6 to 8 times as much to make as magnetic strip cards and programming each is expensive

o All told the cost goes from roughly 50 cents a card to $2.20 a card

o There are approximately 1 Billion cards in the US each year so the extra cost of the cards alone is about $1.7B

• Some had hoped chip and pin would be skipped in favor of a jump directly to smartphones and NFC

• Although the technology is there and would seemingly avoid many of the costs associated with the chip and pin cards themselves, it has not made much penetration

Page 13: Security in the News

Are they resolving the problem?

• Chip and Pin is a good step forward from magnetic based credit cards and makes duplicating physical cards much harder

• Target (and Walmart) are trying to get some positive spin by announcing their use but it’s really Visa/MasterCard who are forcing everyone’s adoption

• Whether executed at POS or not, most breaches are the result of access through the Internet, perhaps through a third party’s administrative credentials

• It’s hacking, phishing, etc. that pose the biggest threats

• One technology that is available today that could help mitigate this is end-to-end encryption

o In RAM scraping exploits the malware takes advantage of the fact that the encrypted information has to be in clear text at some point in RAM to do the verifications; at this point it can be captured and stolen. With end-to-end encryption the data is never exposed except at the ultimate destination (the card processor) and it remains encrypted and unusable locally. Note that Square is doing this today, for obvious reasons.

• But that’s going to be another expense and they are already being forced to spend the money on Chip and Pin so it’s not likely very soon
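The difference end-to-end encryption makes is visible when you scan the POS application's memory the way a PCI data-discovery check would: with a traditional design the clear card number is in the buffer while the authorization request is built; with reader-side encryption the application only ever holds ciphertext the processor can open. The Python below is an added example (not from this deck, not Square's or any vendor's design). It assumes a shared key between reader and processor and uses an HMAC-SHA256 keystream as a stand-in for the AES/DUKPT scheme real encrypting readers use; the key, card number and amount are constructed.

```python
import hashlib
import hmac
import os
import re

PROCESSOR_KEY = b"constructed-reader-processor-key"   # constructed; lives in the reader's secure element in practice


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a readable stand-in for the reader's real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reader_encrypt(key: bytes, track: bytes, nonce: bytes = None) -> bytes:
    """Encrypts track data inside the reader; the POS app only ever sees the result."""
    nonce = nonce or os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(track, _keystream(key, nonce, len(track))))
    return nonce + ct


def processor_decrypt(key: bytes, blob: bytes) -> bytes:
    """Only the card processor holds the key, so only it recovers the track data."""
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def legacy_pos_request(track: bytes) -> bytes:
    """Traditional POS: clear track data sits in memory while the request is assembled."""
    return b"AUTH_REQ amount=2599 track=" + track + b" "


def e2ee_pos_request(encrypted_blob: bytes) -> bytes:
    """E2EE POS: the application never receives the clear track data at all."""
    return b"AUTH_REQ amount=2599 enc=" + encrypted_blob + b" "


PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(memory_image: bytes):
    """Data-discovery scan: Luhn-valid digit runs of card-number length in a memory image."""
    return [m.group().decode() for m in PAN_RE.finditer(memory_image) if luhn_ok(m.group().decode())]


def compare_designs(track: bytes = b"4111111111111111"):   # constructed test card number
    legacy_memory = legacy_pos_request(track)
    e2ee_memory = e2ee_pos_request(reader_encrypt(PROCESSOR_KEY, track))
    return {"legacy": find_pans(legacy_memory), "e2ee": find_pans(e2ee_memory)}


if __name__ == "__main__":
    print(compare_designs())
```

The scan is the kind of evidence an assessor wants: after the change, a memory image of the POS application contains no card numbers to find, so malware in the same position as the Target RAM scraper would have nothing usable to collect. The same scan run before the change is a quick way to locate where clear card data still lingers.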

Page 14: Security in the News

What does it mean to my company?

• Obviously if you’re in the retail space, Chip and Pin and customer confidence are something you’re probably already dealing with

• For everyone else, it’s about general data security, the basics:

o Employee training

• IBM Security Services 2014 Cyber Security Intelligence Index estimates 95% of security incidents are “human error” number one cause: phishing

o Active monitoring

o Updated patching and malware protection

o Encryption wherever possible

o Regular scanning and prompt remediation

o User identity management

o Adequate and enforced employee termination procedures

o Two factor authentication for remote admin access

Page 15: Security in the News

NSA Leak

• Edward Snowden, a former NSA employee, released a large number of files he was able to remove from agency computer systems through his position as a Systems Administrator

• The information revealed:

• Mass-surveillance programs undertaken by the NSA directly accessing the information of US citizens as well as foreign nationals

• The agency’s ability to access information stored by major US technology companies, often without individual warrants, and mass-intercepting data from the fiber-optic backbone of global phone and internet networks

• They may have worked to undermine the security standards on which the internet, commerce and banking rely

• The revelations have raised concerns about growing domestic surveillance, the scale of global monitoring, trustworthiness of the technology sector, whether the agencies can keep their information secure, and the quality of the laws and oversight keeping the agencies in check

• The extent to which private companies are cooperating with intelligence agencies has been a source of concern for internet users, as has the allegation that the NSA knew about Heartbleed and other vulnerabilities and, rather than disclosing them, exploited them.

Page 16: Security in the News

NSA Leak

• Some pundits (notably Bruce Schneier) think these revelations show the NSA has undermined everyone’s security and, by forcing commercial companies to build in ways for them to get access, made the world inherently less secure

• Many think direct access of US citizens’ communications represents warrantless search

• Others think spying on the general populace to potentially uncover terrorist activity is within the charter of the NSA, that this is simply moving to a more technologically sophisticated way to spy and that there is adequate (although not publicly shared) oversight

• There is no evidence that non-terrorism activities have been targeted or further investigated

Page 17: Security in the News

NSA Leak – What does it mean to my company?

• The issues about the spying itself are worthy of discussion and perhaps changes in the controls around NSA activities – but not something most companies will be able to directly influence

• Also, unless your company is a provider of communications services, you may be unlikely to have to make a decision about cooperating to provide access to the NSA

• The question about whether the NSA or any entity can keep its data secure is of interest to all of us and should make us all consider:

How is my company exposed to insider threats?

Page 18: Security in the News

NSA Leak – Insider Threats

• Many companies discount insider threats as infrequent events

• While they may not be frequent, they have the potential to be more serious and devastating to the enterprise

• There are multiple types of motivation for the insider stealing information:

• Someone who believes they are being a good faith whistle blower

• Someone with a grudge who wishes to harm the enterprise

• Someone interested in profiting – usually quietly and perhaps for a long time – from the information

• Detection is difficult. These are users that are supposed to be there and at some point need to access these systems to do their job. Either willfully or by making a mistake, insiders can expose an enterprise’s most critical information

Page 19: Security in the News

NSA Leak – Insider Threats

• The basic idea is defense in depth: multiple rings of security to protect not just the perimeter but the important parts of a network. Some concepts:

• Islands of Security

• Prevent Unauthorized Copying

• Two-Factor Authentication

• Separation of Duties and Two-Person Authorization

• Creative Use of Encryption

• Prevent Removable Media from Leaving the Building

• Log Events, Monitor and Alert

• Plan for Break-in to Minimize Damage

• Periodic Security Audits

Page 20: Security in the News

Questions & Discussion

Page 21: Security in the News

Links of interest

http://heartbleed.com/

https://www.ssllabs.com/ssltest/index.html (Qualys Heartbleed tester)

http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html

http://www.eweek.com/security/slideshows/surprising-trends-emerge-in-threat-landscape.html?kc=EWWHNEMNL04232014STR5&dni=120299005&rni=32883247

http://www.zdnet.com/after-heartbleed-many-open-source-apps-remain-vulnerable-7000029205/?s_cid=e539&ttag=e539&ftag=TRE17cfd61

http://www.zdnet.com/mistaken-heartbleed-clean-up-efforts-accidentally-leaving-thousands-of-servers-vulnerable-7000029274/?s_cid=e539&ttag=e539&ftag=TRE17cfd61

http://www.eweek.com/security/slideshows/heartbleed-saga-continues-highlights-of-vulnerabilitys-first-30-days.html?kc=EWWHNEMNL05122014STR1&dni=125275543&rni=32883247

http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed

http://www.scmagazine.com/critical-openssl-vulnerability-heartbleed-bug-enables-ssltls-decryption/article/341846/

Page 22: Security in the News

Links of interest

http://www.scmagazine.com/target-leadership-changes-continue-with-resignation-of-ceo/article/345611/2/

https://corporate.target.com/about/payment-card-issue

http://finance.yahoo.com/news/sam-club-plans-safer-credit-020201727.html

http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry

http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/

http://www.scmagazine.com/cyber-security-tasks-that-could-have-saved-ebay-and-target/article/355060/?DCMP=EMC-SCUS_Newswire&spMailingID=8776889&spUserID=NzE4MTE4MjYyMAS2&spJobID=320939864&spReportId=MzIwOTM5ODY0S0

http://www.computerworld.com/s/article/9249037/Target_finally_gets_its_first_CISO?source=CTWNLE_nlt_mgmt_2014-06-12

http://www.smartcardalliance.org/ (lots of information on Chip & Pin, end to end encryption, etc.)

http://media.scmagazine.com/documents/82/ibm_cyber_security_intelligenc_20450.pdf (IBM Cyber Security Index)

Page 23: Security in the News

Links of interest

http://www.scmagazine.com/house-committee-passes-bill-to-stop-unbridled-govt-access-to-phone-data/article/346186/?DCMP=EMC-SCUS_Newswire&spMailingID=8563079&spUserID=NzE4MTE4MjYyMAS2&spJobID=300934984&spReportId=MzAwOTM0OTg0S0

http://www.scmagazine.com/how-to-stop-the-next-edward-snowden/article/312257/

http://www.eweek.com/security/slideshows/steps-google-is-taking-to-protect-user-data-from-nsa-cyber-crime.html?kc=EWKNLNAV06062014STR1&dni=130701016&rni=32883247

http://www.businessweek.com/articles/2013-07-03/edward-snowden-and-the-nsa-a-lesson-in-the-insider-threat

http://www.computerworld.com/s/article/9243915/Snowden_serves_up_another_lesson_on_insider_threats

http://fcw.com/articles/2013/12/17/nsa-41-steps.aspx

http://www.tenable.com/blog/detecting-snowden-the-insider-threat

http://www.eweek.com/security/slideshows/the-snowden-leaks-one-year-later-key-lessons-cloud-providers-learned.html?kc=EWKNLCLD06122014STR1&dni=133759783&rni=32883247

http://cacm.acm.org/magazines/2014/5/174340-the-nsa-and-snowden/fulltext

http://www.zdnet.com/americans-as-vulnerable-to-nsa-surveillance-as-foreigners-despite-fourth-amendment-7000031045/?s_cid=e589&ttag=e589&ftag=TREc64629f