Blog

  • Piracy or Privacy – Safe Harbor Ahead

For over 50 years, privacy laws have called upon websites and applications to transparently state their policy for the collection, onward transfer, security, and access to sensitive personally identifiable information. Trustworthy organizations not only post their intent but also limit their collection and usage to what is strictly needed to support and evolve the service. Most are questioning whether Facebook is trustworthy given its aggressive collection strategy, onward transfer to the highest bidder, and lack of controls – both in technology and process. Ready to Cut the Cord on Facebook?

NOTICE: Interestingly, clever observers saw the potential for abuse over 3 years ago, when the Messenger app was introduced and the extent of data collection and device control was announced. If a tree falls in the woods, does it make a sound?

    COLLECTION: Facebook did give notice of aggressive collection requirements. We cannot complain that they didn’t have the right to collect this information. The question remains, however, “did they honor the remaining privacy principles”?

    Well, as it turns out, the other privacy elements are not covered in the application-specific NOTICE which pops up at the time of install. The Facebook Messenger application instead has a Data Policy URL of https://m.facebook.com/privacy buried in the settings page. Let’s see what is covered and what isn’t.

ONWARD TRANSFER: Facebook does not detail the third parties that have access to your personal information, nor does it define its process to ensure third parties have the necessary security when onward transfer is necessary. No mention of Global Science Research or Cambridge Analytica. How can the personal information of 50 million users disappear without a trace?

ACCESS: Facebook does state what the application has access to, but not the extent of access its staff and authorized third parties have to the sensitive information being collected. Facebook also does not provide a means for users to see what has been collected about them and correct any errors and omissions.

SECURITY: Facebook obfuscates its security responsibility to the users. After concerns were raised, awareness material now details how to disable its default-open settings. IMO, you need to be a power user to apply the guidance and not break the app. One Facebook insider says that data harvesting was routine and controls were lax. The extent of misuse was up to the developer, and Facebook had no visibility into how the data would be protected once it left Facebook’s servers.

In conclusion, Facebook gets an “F” for implementing only a couple of privacy principles and leaving users to defend themselves in this evolving Wild West. I sincerely doubt that Facebook can salvage its flawed technology platform or put enough process in place to restore our trust. Facebook needs more than a face lift. Where will my virtual family go next?

    References:

    1. https://www.huffingtonpost.com/sam-fiorella/the-insidiousness-of-face_b_4365645.html
    2. https://www.facebook.com/privacy/center/?entry_point=privacy_shortcuts_redirect
    3. https://www.theguardian.com/news/2018/mar/20/facebook-data-cambridge-analytica-sandy-parakilas?CMP=share_btn_url

  • Wild West of Cryptocurrency

    Criminals have ALWAYS Followed the Money…

Financial transactions have always been a risk, both from criminals looking to steal the money when at rest or in transit, and from criminals committing fraud or money laundering. We’ve had counterfeit currency, fake checks, ATM card skimming, and the like. Why would we think that crime wouldn’t move to cryptocurrency?

Few understand that consumers need assurances through trusted financial institutions with (security) certified processes and technologies. An awakening is needed in the recently emerged cryptocurrency market. The value of your crypto coins depends upon it!

Even with the historically trusted encryption methods of the past, safety in e-Business has always been a race against time. How long will it take to brute force a cipher through an off-line attack, and can I do it before the keys are rotated? How long will a given set of ciphers be considered strong, and when will they need replacing?

    Weren’t countermeasures for such concerns designed into end-to-end cryptocurrency transactions?
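The race the previous two paragraphs describe, as an added example that is not part of the original post: a small Python calculation of how long an exhaustive offline key search is expected to take at an assumed attacker throughput, whether it finishes before an assumed key-rotation interval, and how many years of throughput doubling it would take before it does. The attacker rate, the rotation interval and the doubling period are constructed assumptions for illustration, not figures from the post or its references.

```python
"""Added example (not from the post): the brute-force-versus-rotation race.

Assumptions, all constructed for illustration:
  - keys are uniformly random bit strings of the stated length
  - the attacker can test a fixed number of candidate keys per second offline
  - attacker throughput doubles every `doubling_years` (a Moore's-law style guess)
"""
import math

SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def expected_bruteforce_seconds(key_bits: int, guesses_per_second: float) -> float:
    """Expected wall-clock time for an exhaustive search to hit a random key.

    On average the attacker tries half the keyspace before succeeding,
    so the expectation is (2**key_bits / 2) / throughput.
    """
    return (2 ** key_bits / 2) / guesses_per_second


def rotation_margin(key_bits: int, guesses_per_second: float,
                    rotation_seconds: float) -> float:
    """Ratio of expected search time to the key-rotation interval.

    > 1: the key is expected to rotate before the search completes (defender wins).
    < 1: the search is expected to finish while the key is still live (attacker wins).
    """
    return expected_bruteforce_seconds(key_bits, guesses_per_second) / rotation_seconds


def years_until_feasible(key_bits: int, guesses_per_second: float,
                         rotation_seconds: float, doubling_years: float = 2.0) -> float:
    """Years until doubling attacker throughput drives the margin below 1.

    The margin shrinks by a factor of 2 every `doubling_years`, so we solve
    2**(t / doubling_years) >= margin for t. Returns 0.0 if the attack is
    already feasible today.
    """
    margin = rotation_margin(key_bits, guesses_per_second, rotation_seconds)
    if margin <= 1.0:
        return 0.0
    return doubling_years * math.log2(margin)


def summarize(key_bits: int, guesses_per_second: float, rotation_seconds: float) -> dict:
    """Collect the three numbers a defender wants for one key size."""
    return {
        "key_bits": key_bits,
        "expected_years": expected_bruteforce_seconds(key_bits, guesses_per_second)
        / SECONDS_PER_YEAR,
        "margin": rotation_margin(key_bits, guesses_per_second, rotation_seconds),
        "years_until_feasible": years_until_feasible(key_bits, guesses_per_second,
                                                    rotation_seconds),
    }


if __name__ == "__main__":
    # Constructed scenario: 1e12 guesses/s, keys rotated daily.
    rate, rotation = 1e12, SECONDS_PER_DAY
    for bits in (56, 80, 128, 256):
        s = summarize(bits, rate, rotation)
        print(f"{bits:>3}-bit key: expected search {s['expected_years']:.3g} years, "
              f"margin {s['margin']:.3g}, feasible in {s['years_until_feasible']:.1f} years")
```

The interesting output is not any single number but the shape: at the assumed rate a 56-bit key is expected to fall in about ten hours, well inside a daily rotation window, while a 128-bit key keeps a margin of roughly 10^21 and would need well over a century of throughput doubling before rotation alone stopped being enough. Rotation buys time against a marginal key size; it does not rescue one that is already too short.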

In a recent review of Cryptocurrency Mining by Malwarebytes, we see that in a mere 10 minutes an attacker can break a block in this gravy train. Blocks must be processed end-to-end within that timeframe. Leave it to Coinhive to invent a miner and not keep it under control. Sophos researchers found Coinhive infestations in nineteen Android apps this past week (Computing). A zero-day flaw in Telegram, now patched, also installed a miner that pulled in Zcash and Monero (SecureList). An attack is now in the wild in search of weak cryptocurrency implementations.

Cryptocurrency is not without its share of fraud. Look no further than LoopX, who recently disappeared along with $4.5M in ICO (Naked Security). It’s no wonder that the US SEC has recommended regulations.

    References:

    1. https://www.malwarebytes.com/blog/security-world/2017/12/how-cryptocurrency-mining-works-bitcoin-vs-monero
    2. https://www.computing.co.uk/ctg/news/3026552/researchers-find-javascript-cryptomining-code-in-19-android-apps
    3. https://securelist.com/zero-day-vulnerability-in-telegram/83800/
    4. https://nakedsecurity.sophos.com/2018/02/14/cryptocurrency-startup-loopx-exit-scams-with-4-5m-in-ico/

  • Baking Security In

    After decades of progressive responsibility in delivering and supporting IT services, I transitioned into Information Security in 2001. While evolving to master the needed skills and concepts in security, I was left wondering why security was positioned as its own silo. In my world, security is merely a quality of service which is baked in.

As my security career continued, I constantly shared my vision to influence internal stakeholders and eventually the clients I consulted for. In my perspective, security is merely contextual awareness which clarifies risk, influences management control objectives, defines services and service levels, and selectively positions security roles and functions to inject expertise, verify direction, and compensate for conflicts of interest.

I now look to “Bake Security In” as a Senior Security Consultant in CGI’s New England business unit. With 8 SOCs across the globe, and over 1000 cyber professionals, I am not alone. CGI has had the 6th fastest growth in Cybersecurity Consulting and will always strive to be the very best in its industry. It’s all about quality of service and client satisfaction, isn’t it?

    Anyone need a new partner in the kitchen??