Rapid7 Blog

Breach Response News  

The Cloudflare (Cloudbleed) Proxy Service Vulnerability Explained


TL;DR This week a vulnerability was disclosed which could result in sensitive data being leaked from websites using Cloudflare's proxy services. The vulnerability - referred to as "Cloudbleed" - does not affect Rapid7's solutions/services. This is a serious security issue, but it's not a catastrophe. Out of an abundance of caution, we recommend you reset your passwords, starting with your most important accounts (especially admin accounts). A reasonable dose of skepticism and prudence will go a long way in effectively responding to this issue.

What's the story on this Cloudflare vulnerability?

On February 18, 2017, Tavis Ormandy, a vulnerability researcher with Google's Project Zero, uncovered sensitive data leaking from websites using Cloudflare's proxy services, which are used for their content delivery network (CDN) and distributed denial-of-service (DDoS) mitigation services. Cloudflare provides a variety of services to a lot of websites - a few million, in fact. Tavis notified Cloudflare immediately. A few features in Cloudflare's proxy services had been using a flawed HTML parser that leaked uninitialized memory from Cloudflare's edge servers in some of their HTTP responses. Vulnerable features in Cloudflare's service were disabled within hours of receiving Tavis' disclosure, and their services were fully patched, with all vulnerable features re-enabled, within three days. Cloudflare has a detailed write-up about Cloudbleed's underlying issue and their response to it - check it out!

This Cloudflare memory leak issue is certainly serious, and it's great to see that Cloudflare acted responsibly and rapidly after receiving a disclosure of Google's findings on a Friday night. Most companies require several weeks to respond to vulnerability disclosures, but Cloudflare mitigated the vulnerability within hours and appears to have done the majority of the work required to fully remediate the issue in well under a week, starting on a weekend, which itself is impressive.

Why should I care?

Your information may have been leaked. Any vendor's website using Cloudflare's proxy service could have exposed your passwords, session cookies, keys, tokens, and other sensitive data. If your organization used this Cloudflare proxy service between September 22, 2016 and February 18, 2017, your data and your customers' data could have been leaked and cached by search engines. As Ryan Lackey notes, “Regardless, unless it can be shown conclusively that your data was NOT compromised, it would be prudent to act as if it were.”

Who is affected by the Cloudflare vulnerability?

Before Tavis' disclosure, data had been leaking for months. It's too soon to know the full scope of the data that was leaked and the sites and services that were affected (although we're off to a decent start). There is currently a fair amount of confusion and misalignment on the status of various services. For example, Tavis claims to have recovered cached 1Password API data, while 1Password claims users' password data could not be exposed by this bug.

How bad is it, really?

One of the most important things to consider right now is that understanding the full impact of this Cloudflare bug will take some time; it's too soon to know exactly how deep this goes. However, if we're using Heartbleed as our de facto “security bug severity measuring stick”, it looks at this point like the Cloudflare bug is not as disastrous. For starters, the Cloudflare bug was centralized in one place (i.e. Cloudflare's proxy service). While search engines like Google, Bing, and Yahoo cached leaked data from Cloudflare, they were quick to purge these caches with Cloudflare's help. Cloudflare stopped the bleeding and worked with Google and others to mop up the remaining mess very quickly. As of now, the scope of affected data seems relatively limited. According to Cloudflare, “The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage.”

On the other hand, Heartbleed existed for two years before it was disclosed. It also needed to be patched everywhere it existed - it was decentralized - and there are still systems vulnerable to Heartbleed today. There are known instances of attackers using Heartbleed to steal millions of records, months after a patch was released. At this point in time, there's no evidence of attackers exploiting Cloudbleed.

Think about the “best case scenario” for users protecting themselves against the Cloudflare vulnerability vs. Heartbleed. To protect against Cloudbleed, users need to follow a few steps (which we've outlined below). To protect themselves from Heartbleed, users had to follow all of these same steps, reroll SSL/TLS certificates, and patch OpenSSL on all of their vulnerable systems.

What do I do now?

There are several steps you can take to protect yourself:

- Log out and log back into your accounts to invalidate your accounts' existing sessions, especially for sites/services that are known to have been impacted by this (e.g. Uber).
- Clear your browser cookies and cache.
- This is a great time to change your passwords, keys, and other potentially affected credentials - something you should be doing regularly anyway! While there was some talk of password manager data being exposed, this shouldn't scare you away from using these tools. For the vast majority of us, a password manager is the most practical way to ensure we're using strong, unique passwords on every site, with the ability to update those passwords more easily on a regular basis.
- Set up two-factor authentication on every one of your accounts that supports it, especially your password manager.
- If your website or services used services affected by the Cloudflare vulnerability during the time window mentioned above, force your users to reset all of their authentication credentials (passwords, OAuth tokens, API keys, etc.). Also reset credentials used for system and service accounts.
- Keep an eye out for notifications from your vendors, check their websites and blogs, and proactively contact them - especially those that handle your critical and sensitive data - about whether or not they were affected by this bug and how you can continue using their services securely if they were.
- If you're not sure if you're using an affected site or service, check out this tool: Does it use Cloudflare?

Big thanks to my teammate Katie Ledoux for writing this post with me!
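The parser flaw the post describes (a scan that runs past the end of the current request's data and emits whatever was left in memory) can be modelled in a few lines. The following is an added example, not Cloudflare's code and not part of the original post: a toy tag scanner working on a reused buffer, first with a scan bound that runs past the current request's data and then with the bound fixed. The buffer, the two requests and the secret are all constructed.

```python
# Constructed model of one reused parse buffer on an edge server. Bytes past
# the current request's length are never cleared, so they still hold data from
# whichever request used the buffer last (standing in for the uninitialized
# memory the post describes). This is not Cloudflare's parser.
BUFFER_SIZE = 96
_buffer = bytearray(BUFFER_SIZE)


def load_into_buffer(body: bytes) -> int:
    """Copy one response body into the shared buffer and return its length."""
    if len(body) > BUFFER_SIZE:
        raise ValueError("body larger than buffer")
    _buffer[: len(body)] = body
    return len(body)


def _scan_tags(length: int, limit: int) -> list:
    """Collect '<...>' tags from the buffer. `length` is how much of the
    buffer belongs to this request; `limit` is how far the search for a
    closing '>' may run. The buggy and fixed parsers below differ only in
    which value they pass as `limit`."""
    tags = []
    i = 0
    while i < length:
        if _buffer[i] != ord("<"):
            i += 1
            continue
        j = i
        while j < limit and _buffer[j] != ord(">"):
            j += 1
        # If no '>' was found before `limit`, the tag is cut off at `limit`.
        tags.append(bytes(_buffer[i : min(j + 1, limit)]))
        i = j + 1
    return tags


def extract_tags_buggy(length: int) -> list:
    """Flawed: the search for '>' is bounded by the whole buffer rather than
    by this request's data, so an unterminated tag swallows stale bytes."""
    return _scan_tags(length, BUFFER_SIZE)


def extract_tags_fixed(length: int) -> list:
    """Bounded: the search stops at the end of this request's own data."""
    return _scan_tags(length, length)


def demo() -> dict:
    # Request 1 (constructed): a response carrying a secret passes through.
    load_into_buffer(b"Set-Cookie: session=SECRET-TOKEN-123")
    # Request 2 (constructed): a short page whose last tag is unterminated.
    length = load_into_buffer(b"<p>hi</p><script")
    buggy_last = extract_tags_buggy(length)[-1]
    fixed_last = extract_tags_fixed(length)[-1]
    return {
        # The buggy parser copies the tail of request 1 into request 2's output.
        "buggy_last_tag": buggy_last.rstrip(b"\x00"),
        "fixed_last_tag": fixed_last,
        "leaked_bytes": buggy_last[len(b"<script") :].rstrip(b"\x00"),
    }


if __name__ == "__main__":
    print(demo())
```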

NCSAM: You Should Use a Password Manager


October is National Cyber Security Awareness Month and Rapid7 is taking this time to celebrate security research. This year, NCSAM coincides with new legal protections for security research under the DMCA and the 30th anniversary of the CFAA - a problematic law that hinders beneficial security research. Throughout the month, we will be sharing content that enhances understanding of what independent security research is, how it benefits the digital ecosystem, and the challenges that researchers face. This year, NCSAM is also focused on taking steps towards online safety, including how to have more secure accounts.

In 2016, just like in most of the last 15 years, we learned new information about recent and not so recent data breaches at large organizations, during which sensitive account information was made public. Essentially, these breaches have unearthed data on what puts accounts at higher risk for a breach. Putting aside the concerns about non-password account information being made public, one of the factors that determines how bad a data breach is for users is the format of the leaked passwords.

- Are they plaintext? Plaintext passwords are just the actual password that a user would type. For example, the password "taco" is stored as "taco" and, when made public, can be used by an attacker right away.
- Have they been hashed? Hashed passwords are mathematical one-way transformations of the original password, meaning that it is easy to transform the password into a hash, but given a hash, it's very difficult to recover the original password. For example, the password "taco" is stored as "f869ce1c8414a264bb11e14a2c8850ed" when hashed with the MD5 hash algorithm, and the attacker must recover the original password from this hash in order to use it.
- Have they been salted and hashed? Hashed passwords are good, but there are several tools and methods that can be used to try to reveal the original password. There are even dictionaries that connect hashes back to their original passwords. Submitting "f869ce1c8414a264bb11e14a2c8850ed" to http://md5.gromweb.com/ reveals that the word "taco" was used to generate that hash. Adding a "salt" to a password means adding extra data to it before it gets hashed. For example, the password "taco" is combined with the word "salsa" before being hashed, and the resulting hash is stored as "6b8dc43f9be3051e994cafdabadc2398". Now, an attacker looking up the hash "6b8dc43f9be3051e994cafdabadc2398" in a dictionary won't find anything, and will be forced to create a new dictionary, which ideally is time consuming.
- Have they been hashed with a well-studied, unbroken algorithm? The MD5 algorithm has known attacks against it, so it is a good idea to use another algorithm.
- Have they been hashed multiple times? Or with a computationally expensive algorithm? Or with a memory-expensive algorithm?

These and other questions get into the nitty gritty of how passwords can be stored securely so that they are of little use to an attacker once they are made public. Luckily, there are plenty of resources for security engineers to follow in order to make their sites more secure, and in particular their storage of passwords more secure even if they are disclosed. Dropbox has an interesting post about how they store passwords, and this talk by Alec Muffett from Facebook, which describes their methods for storing passwords, is really interesting. In fact, there is an entire conference dedicated to passwords and the engineering that goes into keeping them secure. This site tracks published details about the password storage policies of various sites, and this presentation provides the motivation for doing so.

That's great, but I'm not a security engineer, what do I need to know about passwords?

There is an unending list of articles, blog posts, how-to guides and comics written about passwords. Passwords are going away. Passwords will eventually go away. Passwords are here to stay. Passwords are insecure. Two-factor authentication will save us all. Biometrics will save us all. Whatever your opinion, you probably have multiple accounts with multiple websites, and ideally you're using multiple passwords. It's a good idea to recognize that whether or not the sites you use are doing a good job of protecting your passwords, you too can take steps to make your password use more secure. If you take nothing else away from this post, remember to set up a password manager (there are many), actually use it to create different passwords for each account you have, routinely look into whether your account information has been leaked recently, and if it has, change the password associated with that account.

What's the big deal?

If you have an account with an online service, like an email provider, a social network, or an ecommerce site, then it is very likely that you have a password associated with that account. It's also likely that you have more than a few accounts, and having so many accounts you have most likely been tempted to use the same or similar usernames and passwords across accounts. While there are clear benefits (among some privacy / tracking drawbacks) to having a consistent identity across services (ironicjen182@gmail.com, ironicjen182@facebook.com, ironicjen182@totallylegitonlinebusiness.biz), there are clear drawbacks to using the same password across services, mainly that if one of these services is attacked and account information is leaked, your accounts with identical or similar usernames at the other services could be vulnerable to misuse by an attacker.

Ok, but who cares? It's just my (hotmail | twitter | ebay | farmersonly) account.

You should care; these accounts paint a very detailed picture of who you are and what you do. For instance, your email has a record of emails you have sent and of those sent to you, and from that an attacker can learn a surprising amount about you. With email providers that offer effectively unlimited email storage and provide little incentive for users to erase emails, it's nearly impossible for a user to be sure that nothing useful to an attacker is buried somewhere inside. Furthermore, your email (and social media accounts) are effectively an extension of you. When an attacker has control of your account, emails, tweets, and snaps sent from your account are accepted as coming from you, and attackers can take advantage of those assumptions and the trust that you've built up with your contacts. For example, consider the Stranded Traveler Scam, in which an attacker sends a message to one or more of your contacts claiming to be in a bad situation somewhere far away, and if they could just wire some money, things would surely work out. There are news reports about these types of scams all the time (2011, 2011, 2012, 2013, 2014, 2015, 2016). Because the email has come from your account and bears your name, your relatives, friends and coworkers are more likely to believe it is actually you writing the message than a scammer. Similar attacks involve sending malware in attachments and requesting wire transfers for family members or executives, or requesting W-2 forms for employees. None of these attacks require the takeover of your account, but they are certainly strengthened by it.

Really, how often does this happen? Can't I just deal with it when I hear about it on the news?

You could do that, and it would be better than not doing anything at all, but breaches that leak account information happen surprisingly frequently and they don't always make the news that you read. Sometimes, we don't learn about them for weeks or years after they happen, meaning that passwords you used a long time ago may have been known to attackers for a while before you were made aware of a breach.

Is my password really out there?

Sometimes. Maybe. It's hard to say. Often, sites will hash passwords before they are stored. However, different sites use different hash methods which have different security characteristics, and some methods previously believed to be secure are no longer considered so.

Shouldn't these sites be more secure?

That would be nice, but data security is a difficult and quickly changing field and not every site prioritizes security as highly as you might like.

Fine, what should I do?

You should do a few things:

- Use a password manager. There are many password managers available to you, like LastPass, 1Password, KeePassX or, if you're into the command line, try out pass.
- Use a different password for every account you have. Now that you have a password manager storing all your passwords, there's no need to reuse passwords.
- Use complex passwords. Most password managers can create long random strings of letters, numbers and symbols for you. Since the password manager stores these passwords and you don't have to remember them, there's no need to use simple or short passwords.
- Keep an eye on sites that catalog leaked account information. Have a look from time to time at sites that keep track of leaked accounts to see if your account has been leaked. haveibeenpwned.com is usually kept up to date and is easy to use.
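To make the storage comparison in the first half of this post concrete, here is an added example (not from the post or from Rapid7) that computes each format for the post's "taco"/"salsa" pair and shows what a leaked record gives an attacker in each case. The candidate list and the salt-then-password order are assumptions (the post does not say how "taco" and "salsa" were combined), and PBKDF2-HMAC-SHA256 stands in for the slow, salted algorithms the post recommends over plain MD5.

```python
import hashlib
import os
import secrets

# Constructed cracking dictionary: a handful of candidate passwords keyed by
# their unsalted MD5. It stands in for the hash-lookup sites the post mentions.
CANDIDATES = ["password", "123456", "taco", "salsa", "letmein"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


MD5_TABLE = {md5_hex(p.encode()): p for p in CANDIDATES}


def lookup_unsalted(digest: str):
    """Reverse an unsalted MD5 by table lookup: no hashing at crack time."""
    return MD5_TABLE.get(digest)


def md5_salted(password: str, salt: str) -> str:
    """Salted MD5 as the post sketches it. Assumption: the salt is prepended."""
    return md5_hex((salt + password).encode())


def crack_salted(digest: str, salt: str):
    """Even with the salt known, the attacker must redo the hashing for this
    one record; the precomputed table above is useless against it."""
    for candidate in CANDIDATES:
        if md5_salted(candidate, salt) == digest:
            return candidate
    return None


# Slow, salted storage: PBKDF2-HMAC-SHA256 with a random per-user salt, so
# every guess costs PBKDF2_ROUNDS hash iterations instead of one MD5.
# (hashlib.scrypt would add a memory cost as well; PBKDF2 is used here because
# it is available in every CPython build.)
PBKDF2_ROUNDS = 200_000


def store_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$rounds$salt$derived_key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return secrets.compare_digest(dk.hex(), dk_hex)


def leak_scenarios(password: str = "taco", salt: str = "salsa") -> dict:
    """What an attacker recovers from each storage format once it leaks."""
    plain_digest = md5_hex(password.encode())
    salted_digest = md5_salted(password, salt)
    return {
        "plaintext": password,                               # usable at once
        "unsalted_md5": lookup_unsalted(plain_digest),       # table hit
        "salted_md5_table": lookup_unsalted(salted_digest),  # table miss
        "salted_md5_bruteforce": crack_salted(salted_digest, salt),
    }


if __name__ == "__main__":
    print(leak_scenarios())
    record = store_password("taco")
    print(record, verify_password("taco", record), verify_password("tacos", record))
```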

Changing Threat Landscape Evolves IDR


This is part 2 of a 2-part blog series on how Incident Response is changing. Here's part one.

The changing threat landscape forced an evolution in incident detection & response (IDR) that encompasses changes in tools, process, and people. While in 2005 we could get away with basic detection and a “pave and re-image” approach, 2016 sees us needing complex detection methodologies, enabled by powerful software and hardware, that let experts drive the IDR lifecycle.

One of my go-to analogies to help people understand the need to evolve cyber IDR programs is to point to the evolution of banks (yes, the paper money kind!). In the early days, you just needed a bandana to hide your identity and a six-shooter to be handed the cash. Banks could reasonably protect money using basic safes, little physical protection, and a tough sheriff in town. Today, the serious bank robber is an expert in electronics, locks, and deception. Banks have evolved to create layers upon layers of physical security, monitoring, alarms, and SWAT teams to help protect the valuables. That is exactly what happened between 2005 and 2016 in the IDR space, but we need to continue to evolve.

When we look at the areas of importance for modern IDR programs, we speak of: preparation, detection, validation, response, containment, and recovery. Let's now examine these based on our 2005-to-2016 timeline.

Breach preparation in 2005 vs. 2016

In 2005, very little was done to proactively secure the attack surface, as the focus was mostly on availability of systems and speeding up business processes. Very few organizations proactively conducted breach response exercises, and even fewer thought that a cyber attack against them was a concern.

In 2016, the best IDR programs have:

- Implemented defense in depth principles in their network infrastructure
- Cataloged, organized, and restricted their data following least privilege principles
- Actively managed their exposure through attack surface management
- Rehearsed the technical, coordination, and communication aspects of breach detection and response

Incident detection and validation in 2005 vs. 2016

The nature of the changes in incident detection and validation comes from the changes in the number of organizations processing data of value to attackers, the expanding number of determined attackers, and the motivations behind the breaches. In 2005, most organizations didn't have to worry much about being the victim of a targeted breach using unknown vulnerabilities, malware, and tools.

In 2016, you don't even need to have valuable data to experience a targeted breach; you just need to promote ideologies that are different from the bad guys'. In 2016, the best IDR programs have:

- Technology to detect threats across the entire ecosystem, from the endpoint (including mobile devices) to the cloud-based services and applications outside of the network walls
- Technology to validate machine-driven threat detection on the endpoint and the network
- Threat detection methodologies that include tailored and timely threat intelligence, behavior analytics, and data analytics
- Subject matter expertise that covers attacker methodology, malware analysis, endpoint analysis, network analysis, data visualization, and automation
- Defined and rehearsed processes for threat detection, validation, and escalation
- Metrics to measure and improve performance

Breach response in 2005 vs. 2016

One of the best aspects of breach response is that there is no typical day at the office. Attackers are constantly learning new techniques, creating new tools, and devising new ways of persisting in victim environments. As such, incident response is in a constant state of change as investigative techniques adapt to attacker techniques.

In 2016, the best IDR programs have:

- Technology that enables detailed analysis of endpoints, network traffic, and logs
- Subject matter expertise that covers forensic analysis, incident management, incident coordination, and incident communications (in addition to the expertise from the incident detection and validation section)
- A breach response plan that covers all aspects of response activities, ranging from technical analysis to restoring normal business operating processes

Breach containment and recovery in 2005 vs. 2016

The last, and least prepared for, aspect of IDR is how quickly you can contain a breach and restore normal business operating processes. In 2005, computers were a critical component of business, but today they're a critical component of our entire lives. In 2005, containing a threat most often required removing a system from the network, and recovery was difficult due to storage capacities and older technology.

In 2016, containing a threat can be done remotely, and help desk teams have system imaging and data restoration processes that can return a user's machine in a day. In 2016, the best IDR programs have:

- Technology to contain threats at the endpoint, on the network, and in the identity management system
- System imaging and data backup/restore processes for servers and workstations
- A tested and rehearsed disaster recovery program

The IDR industry is no different from any other industry (including law enforcement) aimed at thwarting criminals. We evolve based on the threat we are facing. Today that threat has a massive footprint, cutting-edge technology, and the ability to adapt to any challenge it encounters. As such, our approach to IDR must implement programs that are flexible and adaptive enough to keep up.

Trey's InfoSec SitRep [16 Nov 2015]


First, if you aren't listening to the Risky Business podcast, fix that. Patrick Gray is my go-to source for infosec news.

In the News:

The insight we get into breaches is sparse, so be armed with these stories.

JPMorgan's 2014 Hack Tied to Largest Cyber Breach Ever | Bloomberg
Arrests in JP Morgan, eTrade, Scottrade Hacks | That Krebs Guy
SecureDrop Leak Tool Produces a Massive Trove of Prison Docs | WIRED

Every once in a while, we get an opportunity to use consumer goods for security and technology discussions - these articles should go in your quiver.

This smart TV takes tracking to a new level | Washington Post
Man-in-the-middle attack on Vizio TVs coughs up owners' viewing habits | Ars Technica
Vizio Smart TVs spy on you by default - here's how to stop them | Graham Cluley

Technically Relevant:

Police Body Cameras Shipped with Pre-Installed Conficker Virus | Softpedia
"Trusted Computing Base" is a concept that occasionally needs an example - this is a good one if you're tired of using the Lenovo stuff.

HTTPS certificates with forbidden domains issued by “quite a few” CAs | Ars Technica
Visibility into SSL certs is an important thing; we will see more of this. Question for your management: do you have backup certificates, and run-books for that deployment process?

88 Percent of Networks Susceptible to Privileged Account Hacks | Threatpost
Making your systems hard targets is one thing. Knowing who and what is being done on those boxes is a different thing entirely.

KeeFarce – Extract KeePass Passwords (2.x) From Database
November 2015 Patch Tuesday Brings 12 Updates, Four Critical | Threatpost
November 2015 Adobe Flash Player Security Patches | Threatpost
Apache Commons Collections Unserialize Java Vulnerability | Threatpost

Of Interest to Management:

Unicorns Dropping Like Flies | ZeroHedge
Bubble? No bubble? What is happening in tech startups? This one is a conversation starter.

What is a unicorn? | Divestopedia

Security Budget Tips [PART 2], from CISOs, for CISOs
I've been collecting guidance and points of performance from CISOs - if you are interested in contributing, drop me a line!

For executive presentations, be aware of the colors you choose - a reminder from the NFL. Making data accessible is a thing - here is a fun reminder that people can't see what you see.

FCC fines Cox for falling for Lizard Squad scam, exposing customer data | Ars Technica
Strong proof point for identifying and responding to social engineering attacks.

Man charged for bogus tweets that sent stocks plummeting | NakedSecurity via @RSnake https://twitter.com/RSnake/status/664208007077621760
This reminds me of a recent episode of The Blacklist, 3-01 "The Troll Farmer".

Can you explain SQL Injection? We made this really easy for you, and it's totally accessible to executives. You could also try to explain it this way... but I'd recommend against it.

Slightly Less Random

The CIA's manual for how to be a terrible employee (if this sounds like some place you've worked or consulted... I'd rather you not leave that in the comments.)

As always, hope this is helpful! ~@treyford

Will the Data Security and Breach Notification Act Protect Consumers?


Last week, the House Energy and Commerce Committee published a discussion draft of a proposed breach notification bill – the Data Security and Breach Notification Act of 2015. I'm a big fan of the principles at play here: as a consumer, I expect that if a company I have entrusted with my personally identifiable information (PII) has reason to believe that information has been compromised on their watch, they will tell me. I believe this kind of transparency is not only important, it should be a consumer right.

I also support a single approach across all 50 US states. Having 47 different state laws to address breach notification is better than having none from a consumer protection standpoint, but it places a heavy burden on companies doing business in the US. It's time to simplify this approach with one consistent standard for the entire country. This is where the new bill proposal comes in, and it gets some things right in my opinion. But it also raises some questions and concerns, which I've outlined below. As usual, please remember: I'm not a lawyer!

Some Good Basics

Typically when thinking about data breach notification requirements there are several key points to cover, and I like how this bill proposal deals with a couple of them:

Thresholds for disclosure

The original proposal published by the White House in January indicated that ANY compromise of personal information should trigger a disclosure. That concerned me, because it meant that a researcher uncovering a vulnerability and accidentally accessing PII would result in an organization needing to disclose, and my worry was that this would lead to increased vendor defensiveness and an even stronger approach taken against researchers. The bill proposal addresses this concern by stating that notification only occurs when: “the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud...”

It should be noted that while that addresses my research disclosure concern, some consumer protection and privacy advocates will probably prefer this threshold not exist, and notification to occur whenever PII is accessed. It will be interesting to see whether this stays in the bill or not.

Considerations for impact on small businesses and non-profits

There is a very valid concern that a data breach notification statute creates a crippling burden for small businesses and non-profits that have limited resources and staff. These kinds of organizations may in many cases be the easiest targets for attackers, and the least able to deal with the fallout. We don't want to lose these kinds of organizations or stifle innovation and entrepreneurship. This proposal acknowledges this and makes appropriate allowances for these kinds of organizations. Generally it seems keen to make sure all requirements are proportionate to what can be reasonably expected of a business given its size and resources.

Room for Improvement

There are some parts that look to be going in the right direction, but could do with some tweaking. Before I get into them, I want to flag that this is a discussion draft of the proposal, and so I think the whole point is that people will read it and provide feedback and questions like the ones below. Hopefully going through this process will lead to a stronger eventual outcome.

The definition of “Personal Information”

This is lengthy, so I'm not going to reproduce it here, but it's on pages 20 and 21 of the proposal if you want to take a look. This covers a lot of the right things, but I think there are some important things missing – for example, there's no reference to health or geo-location information.

Timeline and means of communication for disclosure

Here we see another departure from the White House proposal, which stated organizations would have up to 30 days to notify. This was a concern, as some states have more stringent requirements and it would be a miss to see a federal law worsen the situation for those already covered. This proposal addresses that concern by stating that disclosure must be made: “as expeditiously as possible and without unreasonable delay, not later than 30 days after such covered entity has taken the necessary measures to determine the scope of the breach of security and restore the reasonable integrity, security, and confidentiality of the data system.”

In theory this brings the proposal in line with the most stringent state laws for breach notification timing. The wording on when the clock starts is a little vague though – on restoration of “reasonable integrity, security, and confidentiality.” I think the challenge for me here is that the word “reasonable” feels too open to interpretation, and full clean up can take a very long time. In terms of breach notification, I think the crucial elements are that you need to have regained control over your network and assets, and determined who is impacted, and how. I'd tweak the wording to more specifically call that out as the point when the clock starts. The piece around means of communication all seems pretty reasonable and straightforward, though I imagine companies won't like having to keep it posted on their site for 90 days.

References to cybersecurity measures

There are two areas that touch on this, one on the need for security measures and the other on the role of encryption. Let's start with the need for security measures: I work for a security company, so it's not too shocking that I like that it pushes for security measures. My concern is that there are no real guidelines here to make this into a real requirement. I'd love to see some specifics on what the requirement should be or what “appropriate for the size and complexity” means. There are some conversations starting to happen on the Hill around what sane basic security hygiene requirements might look like, and this could feed in here. If you have thoughts on the kind of basics that could be mandated, please share in the comments below.

The part on encryption comes in the definitions section (I'm on page 19 for those following along). There is a definition for encryption which ties further in to the definition of personal information:

Creating an exception for encryption makes sense, but I am concerned that the way this is worded is too broad to ensure stringent practices are being followed. Not all encryption standards are created equal, after all.

Beyond Breach Notification

One thing that's interesting about this bill is that it's not JUST about breach notification. The title itself indicates that the bill seeks to go further and address broader data security concerns. It makes a start towards this with the section mentioned above, where it sets a requirement for security measures to protect sensitive information. Hopefully some meat might be added to make that section more impactful.

Another, more concerning area where we see the allusion to broader data security reach is in this section:

This seems to indicate that the bill will trump any other state law relating to “the security of data in electronic form.” I'm not sure whether this is intentional. I understand that the bill needs to pre-empt state breach notification bills if it's to alleviate the strain on businesses, and that makes sense to me. But also pre-empting other kinds of data security laws seems unnecessary and strange. My concern is that this bill could inadvertently establish a dangerous precedent in how we view the responsibility and role of organizations in protecting their customers from cybersecurity threats in the future.

To give you an example, say a state had a law mandating certain security measures be taken by businesses, or perhaps a law pushing some form of liability for poor security practices and standards in code development; this bill could potentially nullify those laws given the way this section is currently worded. That would mean consumers couldn't benefit from the intended protections of such laws, which seems kind of at odds with the stated purpose of the bill, so I'm inclined to think this wording may be unintentionally broad. Hopefully we'll see it edited to focus more clearly on pre-emption for breach notification only.

Will the Bill Protect Consumers?

I think the bill has potential. Yes, in its current form it needs quite a bit of work, but I suppose that is the point of a discussion draft, and we will likely see some updates to the language currently being circulated. Tackling cybersecurity legislatively is never going to be simple, and this bill is effectively trying to do two things – mandate notification behavior AND address the need for security measures. I'm not sure it's able to do both well and also keep the bill simple and easy to apply. It will be interesting to see how the language evolves. Rapid7 will be providing feedback on the proposal to try to explain these concerns and get them addressed. If you're concerned about the potential outcome of this legislation, I encourage you to do likewise. It falls to those of us in the security community to take the lead on helping others understand our world and how best to navigate it.

~ @infosecjen

Top 3 Takeaways from the "Security in Retail: An Industry at a Crossroads" Webcast

Retail is one of the industries hit hardest by the high-profile mega-breaches of late, so Jane Man, product marketing manager at Rapid7, and Wim Remes, manager of strategic services at Rapid7 (read his intro blog here), came together to discuss the challenges and future of retail security, and how organizations need to think about the balance between compliance and focusing on attack prevention and detection. Read on to learn the top 3 takeaways from the "Security in Retail: An Industry at a Crossroads" webcast:

1. EMV: the silver bullet for retail security? – The EMV (Europay, Mastercard, Visa) chip card standard, slow to be adopted in the US because of the cost of the transition, is proving to be a big step in the right direction for retail security. It makes counterfeit cards cloned from magnetic stripe skimming useless at chip-enabled terminals and enables online fraud prevention protocols, so it is a great improvement and could limit the damage from major breaches. However, it should only be used as one piece of the larger retail security puzzle.

2. Stay above the Security Poverty Line! – Ever heard the saying “you don't have to run faster than the bear to get away, you just have to run faster than the guy next to you”? The same concept applies to security: organizations need to think about how to ensure they are not the path of least resistance to profit for attackers. Attackers are opportunistic and often driven by economic motivations, so maintaining a program that is costly to attack – and is more than just checkbox compliant – is a sure way to lower your risk. Compliance should be a byproduct of good security, not the other way around.

3. Use Models to Build a Risk-Driven Program – Jane and Wim talk through two possible approaches to switching from a compliance-driven program to a risk-driven program: the Security Maturity Approach and the Threat Modelling Approach. Both methods are effective, depending on your needs: organizations primarily focused on risk may do better with the maturity level approach, while innovative organizations with a lot of in-house development and system design would benefit more from the threat modelling approach.

View the on-demand webinar now to learn more about EMV, the Security Poverty Line, and the Security Maturity and Threat Modelling approaches to security.

Managing the Impact of the Ebay Breach on You and Your Company

eBay announced earlier today that they were the victims of an attack that compromised the email address, encrypted password, physical address, phone number and date of birth of eBay customers. It's important to note that the company indicated that they have not detected any fraudulent network activity and that credit card information was not taken.

Breached Credentials: #1 Attack Vector and Among the Most Commonly Sold Information on the Black Market

The attack was based on compromising the credentials of a few key employees. It took eBay several months to discover this, since the attack took place in February and March.

It's unsurprising to see that the attack took place through compromised credentials, since the 2014 Verizon Data Breach Investigations Report and other sources highlight that stolen credentials are now the most common way of breaking into a network. They are also the third most commonly sold piece of stolen information, behind credit card and bank account information.

Disclosed Personal Information May Cause a Rise in Identity Theft and Online Fraud

From both an individual and a corporate point of view, users should be aware that the information which was compromised from eBay provides the foundation for a complete identity theft. Information like date of birth is frequently used as part of an identity verification sequence by organizations like banks, or as part of a password reset sequence.

Users should monitor for indications of eBay fraud such as false transactions, third-party site fraud such as unexpected account activity, and identity theft such as unexpected credit card applications. We recommend that you immediately change your eBay password and the password on any other sites where you reused those credentials. It's a good idea to use a password manager that makes it easy to avoid reusing passwords and to ensure your passwords are of sufficient complexity. As always, continue to be vigilant for signs of phishing, identity theft and spam. Because the attackers have phone numbers, you should also be aware of people calling you and trying to social engineer information out of you.

Companies Should Prepare for Shared Credentials Abuse and Social Engineering Attacks

While we don't know if the attackers will manage to decrypt the passwords, security teams at companies need to be aware that employees are statistically likely to reuse the same passwords on the corporate network that they use for online services such as eBay. Be alert for an increase in phishing and other social engineering attacks, since physical address, phone number and birthday make it easy to create a very convincing phishing mail. Brazen attackers could also try to social engineer a password reset by phoning the helpdesk, or compromise other information through the HR department.

Rapid7 recently did a webcast entitled “Breaking the Kill Chain: How to Protect against user-based attacks.” This webcast helps you detect some of the indications of a user-based attack and compromised credentials. You might also consider signing up for the free community edition of UserInsight, which helps you detect and investigate these types of attacks.

Communication with Users Is Key to Your Security Response

In the coming months, security teams will need to be extra vigilant for indications of attacks based around compromised credentials. We've attached a short note to the bottom of this blog that you could send to employees, giving them some best practices to follow to help secure their personal data and the corporate network. However, we have to be aware that not all employees will follow this advice. It's important to monitor user activity to identify anomalies that could mark an intruder trying to get into the network, or somebody moving laterally within the network.

Here's a Short Email You Can Send Out to Your Users

To All Employees,

I would like to alert you to a third-party data breach to help you keep your personal, family and company data and finances safe.

Earlier today, eBay announced that they have suffered a breach that involved compromising the email address, encrypted password, physical address, phone number and date of birth of eBay members. The company reports that no credit card or PayPal information was compromised, but we wanted to make you aware of the attack and recommend a few specific actions.

If you are an eBay customer, please make sure that you change your account password and monitor for any fraudulent account activity.

If you have reused the same password on any other sites, including your corporate passwords, please change them immediately. Hackers often try leaked email addresses and passwords on many different sites, usually in an automated way.

We recommend having a unique password for each site, because not all password-related data breaches are made public, so you never know which passwords have been compromised.

Please be alert for phishing attacks or fraudulent phone calls. With information such as physical address and date of birth, attackers can craft very realistic-looking phishing mails.

If you spot any unusual account activity associated with your corporate account, please notify the help desk and IT staff.

Please let me know if you have any questions.
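The advice above, to monitor user activity for anomalies that mark an intruder using leaked credentials, can be made concrete. What follows is an added example written for this edit; it is not code from the original post or from any Rapid7 product. It runs over a constructed VPN authentication log in a hypothetical one-line-per-event format and flags three patterns that typically follow a breach like this one: a single source address trying logins against many distinct accounts in a short window (automated credential stuffing or password spraying), a successful login coming from a source that was spraying, and a successful login from a source address outside a user's known baseline. The log format, addresses (RFC 5737 test ranges), user names and baseline are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, made-up users and addresses).
# 203.0.113.9 tries one guess against many accounts and finally gets in as frank;
# alice later logs in from an address never seen for her before.
SAMPLE_LOG = """\
2014-05-22T08:00:01Z vpn auth=OK user=alice src=198.51.100.7
2014-05-22T08:30:10Z vpn auth=FAIL user=alice src=203.0.113.9
2014-05-22T08:30:12Z vpn auth=FAIL user=bob src=203.0.113.9
2014-05-22T08:30:15Z vpn auth=FAIL user=carol src=203.0.113.9
2014-05-22T08:30:17Z vpn auth=FAIL user=dave src=203.0.113.9
2014-05-22T08:30:20Z vpn auth=FAIL user=erin src=203.0.113.9
2014-05-22T08:30:22Z vpn auth=OK user=frank src=203.0.113.9
2014-05-22T09:15:00Z vpn auth=OK user=alice src=203.0.113.50
2014-05-22T09:20:00Z vpn auth=FAIL user=bob src=198.51.100.7
"""

# Assumed per-user baseline of source addresses seen before the breach (constructed).
BASELINE = {"alice": {"198.51.100.7"}, "frank": {"198.51.100.20"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log text into event dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an auth record; ignore
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window_seconds=300, min_users=5):
    """Return {src: sorted targeted users} for sources whose FAILED logins hit at
    least min_users distinct accounts inside any window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for src, attempts in fails.items():
        attempts.sort()
        best, j = set(), 0
        for i in range(len(attempts)):
            # slide j to one past the last attempt still inside the window at i
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1
            users = {u for _, u in attempts[i:j]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[src] = sorted(best)
    return flagged


def successes_from_spraying_sources(events, spray):
    """(user, src) pairs where a spraying source eventually authenticated: treat
    that account as compromised, not merely targeted."""
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "OK" and e["src"] in spray]


def logins_from_new_sources(events, baseline):
    """(user, src) pairs for successful logins from an address not in the user's
    baseline; users with no baseline at all are flagged on every success."""
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "OK" and e["src"] not in baseline.get(e["user"], set())]


def run_demo():
    events = parse_log(SAMPLE_LOG)
    spray = detect_spray(events)
    return {
        "events": len(events),
        "spray": spray,
        "compromised": successes_from_spraying_sources(events, spray),
        "new_sources": logins_from_new_sources(events, BASELINE),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The thresholds (five distinct accounts within five minutes) are deliberately loose for the toy log; in production they are tuned per service, and the same logic is usually run on the identity provider's or VPN concentrator's events rather than on a text file.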

Cyber security around the world - 7/4/14 - Germany

With so much happening in cyber security around the world lately, we're highlighting some of the interesting stories each week from across Europe, Middle East, Africa and Asia Pacific. This week we're in Germany, where officials have found the second mass user account hacking this year…

Germany

Last week German officials confirmed that 18 million email addresses and passwords were stolen in a mass data breach. The details of the breach are still being investigated by the country's Federal Office for Information Security (BSI), but here is what we know:

- The breach was discovered while investigating a botnet used to send spam emails.
- The stolen information is also being used to make online purchases where users are using the same email/password combination on the shopping site.
- The discovery originated from the north-western German city of Verden, but the compromised accounts are from all over the world.
- It's likely that mass malware infections were used to steal the credentials, meaning millions of computers are probably still infected.

This is not the first time German authorities have found a mass data breach – just 3 months ago the BSI announced that 16 million German user accounts were compromised. These attacks show the importance of not reusing passwords across multiple sites, and of using encrypted password vaults like LastPass, 1Password, KeePassX, etc. to create complex, unique credentials for all your online accounts.

Cyber security around the world - 11/2/14 - South Korea & Russia

With so much happening in cyber security around the world lately, we're going to start highlighting some of the interesting stories each week from across Europe, Middle East, Africa and Asia Pacific. This week, we're in South Korea and Russia…

South Korea

A couple of weeks ago, South Korea's Financial Services Commission (FSC) announced that over 20 million credit cards in the country had been compromised – the country's entire population is only 50 million. As a result, the FSC is stepping up its investigations into data security, particularly data sharing between financial institutions and the subcontractors who were to blame for the major breach. Just this week, the FSC announced that insurance information was leaked from Prudential Life Insurance, also due to illegal data sharing between the insurance company and an outside firm.

Under Korea's Personal Information Protection Act, personal data such as credit card and insurance information should be encrypted and secured. Whilst the offending companies didn't take security threats and data protection seriously enough, could lack of enforcement also be to blame? Currently, the maximum fine for personal information leakage in the financial industry is only 6 million won, or just over $5,500 USD – loss of face and jobs is probably a greater penalty (CEOs of the credit card issuers have publicly apologized and offered their resignations). With such a low cost for failure, and a high price for the stolen information, the major credit card hack was inevitable.

Side note: With Nexpose 5.8, you can now share critical asset, vulnerability and remediation information with your Korean-speaking security teams by using the new multi-language reporting features. Find out more at www.rapid7.com/products/nexpose

Russia

NBC reporter Richard Engel described being hacked in Russia during the Sochi Olympic Games. Within a minute of connecting to the Internet, Engel received a phishing email addressed to him. After clicking on a link embedded in the message, Engel's computer was “hijacked” almost immediately. While Engel alludes to this being the work of “professional hackers” from Russia's “strong criminal underworld”, some security researchers have since questioned the accuracy of this story. These skeptics claim that Engel initiated the attack himself by visiting a fraudulent website, and that visitors are no more likely to get hacked while in Russia than anywhere else.

We would like to get more technical details of the NBC experiment before picking a side, but either way, if you're at the Olympics, it's best to apply some basic security best practices:

- Don't connect to public Wi-Fi, particularly networks that you don't recognize, but if you absolutely need to, then connect using a VPN.
- Don't open emails from people you don't know, and more importantly, don't click on any links or open any files inside these emails.
- Keep your operating system, internet browsers, Flash, Java and Adobe Reader up-to-date with the latest software patches.

Shock and awe with gawker.com: How to test if you have been breached

[Figure: Google Fusion table listing the MD5 hashes of breached email addresses from the Gawker.com data breach]

This weekend, the web site and back-end database of Gawker.com were published on The Pirate Bay. If you had a personal email account registered at Gawker or one of their associated web sites, such as Engaged, you may have been breached. This especially becomes a problem if you are using the same password across a number of sites, because we expect that malicious hackers are already trying to use the same user name and password combination to log on to other sites, such as PayPal, Amazon, and online banking accounts.

As a public service, we have put together an easy way for you to test if your password has been breached. Here is how you do it:

1. Create an MD5 hash of your email address, entering it in lowercase, on this website.
2. Search for the MD5 hash in this Google Fusion table to see if your account was breached. To do this, click on Show options, then set the condition to MD5 = YourHash, and click Apply.

If you find an entry in the table that matches your MD5 hash, your Gawker account has been breached. If you don't see an entry below the gray header bar, you're fine.

Note: The original database includes the email addresses in clear text. We have hashed the email addresses to protect the privacy of the individuals while still enabling everyone to check whether their own email address has been breached. In other words, the hashes are not password hashes.

We recommend that you don't change your gawker.com password until the site has fixed the security issue that led to this breach. Otherwise, your new password may be breached without your knowledge and give you a false sense of security.

If you have been breached and would like to audit whether the compromised password is being used for any account within your network, including Windows, FTP and telnet accounts, download a trial version of Metasploit Pro and provide the user name and password as known credentials before launching a brute force attack on your network.
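The lookup procedure above, as an added example that is not code from the original post: it computes the hash the way the table expects (lower-cased, surrounding whitespace stripped) and checks it against a constructed stand-in set of hashes, since the real table is not reproduced here. It also demonstrates the caveat a practitioner should keep in mind about this kind of disclosure: an unsalted MD5 of an email address only hides the list from casual reading, because anyone holding a list of candidate addresses (a marketing list, a corporate directory) can hash each one and recover every match. The addresses used are made up.

```python
import hashlib
import sys


def email_hash(email):
    """MD5 hex digest of the address, lower-cased and stripped of surrounding
    whitespace; this is the normalisation the lookup table relies on, so an
    address typed as 'Victim@Example.com' hashes the same as 'victim@example.com'."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def is_breached(email, breached_hashes):
    """True if the hash of this address appears in the published hash set."""
    return email_hash(email) in breached_hashes


def recover_addresses(breached_hashes, candidate_emails):
    """Caveat demonstrated: an unsalted MD5 of a guessable string is reversible
    by dictionary. Returns {hash: address} for every candidate that hits."""
    recovered = {}
    for email in candidate_emails:
        h = email_hash(email)
        if h in breached_hashes:
            recovered[h] = email.strip().lower()
    return recovered


# Constructed stand-in for the published Fusion table: the hashes of two
# made-up addresses. This is not the real Gawker data.
CONSTRUCTED_TABLE = {
    email_hash("victim@example.com"),
    email_hash("other.user@example.org"),
}

if __name__ == "__main__":
    # Usage: python check.py you@example.com
    addr = sys.argv[1] if len(sys.argv) > 1 else "Victim@Example.com"
    verdict = "breached" if is_breached(addr, CONSTRUCTED_TABLE) else "not found"
    print(email_hash(addr), verdict)
    # The privacy caveat in action: a short candidate list recovers the addresses.
    print(recover_addresses(CONSTRUCTED_TABLE, ["nobody@example.net", "victim@example.com"]))
```

If you publish a list like this yourself, a keyed hash (HMAC with a secret you keep) or a salted, slow hash prevents this dictionary recovery, at the cost of having to run the check on your side rather than letting users look themselves up.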
