- Details
- Category: Security News

A majority of the voters in Britain on June 23 voted for their country to no longer be a part of the European Union. What happens next, and what will be the implications for privacy, policing, security and related matters?
"The legal and constitutional implications of the Brexit vote cannot easily be exaggerated," says Mark Elliott, a professor of public law at the University of Cambridge, in a blog post.
As with all fresh political changes, related details have been arriving on an almost minute-by-minute basis. After the results were announced - 52 percent voting to leave the EU, 48 percent voting to stay - Prime Minister David Cameron announced that he will resign by October, and Scottish First Minister Nicola Sturgeon said that a new referendum on independence for Scotland - almost two-thirds of the country voted to remain in the EU in 2014 - is "highly likely."
Leaving the EU will require Britain to rewrite many of its laws, likely including rules relating to privacy, and Brexit is "very likely to lead to a significant reduction in cooperation in criminal and policing matters between the U.K. and the EU," says Steve Peers, a professor of law at the University of Essex who specializes in European Union law and human rights law, in a blog post (see Brexit Referendum: 5 Cybersecurity Implications).
Peers says that it's likely - but not certain - that the U.K. would comply in full with the new EU General Data Protection Regulation that goes into effect in May 2018, and which applies to any business in the world that has EU-based customers (see Mandatory Breach Notifications: Europe's Countdown Begins).
Time Until Separation: At Least Two Years
But it will likely be at least two years before Britain withdraws from the EU, officials say. "Legally and constitutionally, nothing has changed yet," Elliott says. That's because Britain's most likely exit is under Article 50 of the Treaty on European Union, which states that "any Member State may decide to withdraw from the Union in accordance with its own constitutional requirements." Once it gives notice, the withdrawal occurs two years later, Elliott says, noting that there can be two exceptions: a member state may negotiate an earlier withdrawal, or can vote to postpone the separation date.
Until then, "as a matter of international law, the U.K. as a state continues to be subject to its obligations under the EU treaties, and that, under the 1972 Act, EU law remains applicable in the U.K. and has priority over U.K. law," Elliott says.
Britain has yet to give any Article 50 notice, although politically speaking it will likely happen sooner than later, experts say. Indeed, Jean-Claude Juncker, the Luxembourgish politician who is currently President of the European Commission - the EU's executive branch - has reportedly called for Article 50 to be triggered "as soon as possible."
.@JunckerEU "The British people have expressed their wish to leave. We regret this decision but respect it" #EURef pic.twitter.com/zAMN7LCKQw
Before the deadline triggered by Article 50 notice occurs - again, two years later - Britain will have to rewrite many of its laws. "It is no exaggeration to say that the process of disentangling EU and domestic law will be a Herculean effort that will occupy lawmakers for a considerable amount of time to come, and will have to be undertaken carefully and thoughtfully," Elliott says.
U.K. Will Face Extradition, Prosecution Challenges
What will be the relationship between the U.K. and the EU going forward? "The most attractive option is, for at least a temporary period, for the U.K. to continue with the 'Norway option', which means continuing to remain part of the European Economic Area (EEA), the association agreement between the EU, Norway, Iceland and Liechtenstein," Peers says.
"EEA membership would leave the U.K. free to sign its own trade deals with other countries," he says. "The EEA doesn't cover foreign policy or criminal law or policing issues, although the UK could seek to negotiate a separate deal with the EU on those issues."
But as Peers notes in a separate blog post, EEA membership wouldn't include the right to access some other EU judicial tools to which the U.K. currently has access. In particular, it wouldn't be able to use European Arrest Warrants, which are "a fast-track extradition system," and many EU member states haven't ratified various crime-related treaties that are enforced between EU member states, Peers says, meaning it could be harder for the U.K. to prosecute some foreign suspects.
But at least some level of law enforcement intelligence sharing should continue to flow, says Dublin-based information security consultant Brian Honan, who's a cybersecurity adviser to the EU's law enforcement intelligence agency Europol. "With relation to international cooperation against cybercrime, the close working relationships between law enforcement within the U.K. and the EU should continue to work, however there may be implications under the EU data protection regime with regards to the sharing of certain intelligence between both parties," he says. "It is too early to determine what the impact of the Brexit will be but hopefully cybersecurity and data protection are topics that will be dealt with by both sides with the importance and gravity they deserve."
Mass Surveillance Questions
To enable U.K. businesses to work with European consumers, the U.K. government will also have to prove that its existing mass-surveillance practices don't infringe on the human rights of EU residents. In the wake of the Brexit vote, some civil-rights-focused members of the European Parliament have already indicated that they will not allow the U.K.'s surveillance practices to escape scrutiny, as the country attempts to negotiate new treaties or trade agreements with the EU.
The perils of failing to comply with EU law, or to rein in surveillance practices that some see as excessive, have been highlighted by privacy rights campaigner Max Schrems, who pointed to documents leaked by former NSA contractor Edward Snowden suggesting that Europeans' private information was being shared with U.S. intelligence agencies. The result was the EU's highest court throwing out the U.S.-EU Safe Harbor data-sharing agreement (see EU Court Invalidates U.S.-EU Data Sharing Agreement). Efforts to negotiate a substitute remain unresolved (see 'Privacy Shield' to Replace Safe Harbor).
Of course, Snowden revelations implicated not just the NSA in mass surveillance practices, but also the U.K.'s GCHQ intelligence agency (see UK's Snowden Response: Surveillance Debate).
And Parliament has continued to debate a revised Investigatory Powers Bill - derided as a "Snooper's Charter" by critics - that at least in draft form doesn't contain safeguards that would likely meet the EU's "adequacy" requirement, according to TJ McIntyre, who teaches law at University College Dublin in Ireland, and who is chairman of rights group Digital Rights Ireland.
"U.K. surveillance laws would not meet this standard - not now, and not after the IPBill," McIntyre says via Twitter.
As that suggests, if Britain wants to continue to do business with the EU, many surveillance and privacy-related changes - made to comply with EU law - may be required.
"From a legal [and] human rights perspective, this will be a huge dilemma faced by the new U.K. [government]," Eduardo Ustaran, a partner in the global privacy and cybersecurity practice at law firm Hogan Lovells, says via Twitter.
Executive Says Beware of Attack Techniques That Leave No Trace
The computer security firm CrowdStrike is one of a handful of data breach response and threat intelligence companies called upon by organizations when they suspect they've been hacked. For example, the company recently investigated the breach of the Democratic National Committee's systems, concluding that two Russian state-sponsored groups were likely responsible (see After Russia Hacks DNC: Surprising Candor).
CrowdStrike is now moving into Asia Pacific, an expansion it signaled after it closed a $100 million funding round last year led by Google Capital. Information Security Media Group recently spoke with Michael Sentonas, vice president for technology strategy at CrowdStrike, ahead of the company's launch in the region. Before joining CrowdStrike, Sentonas was chief technology and strategy officer Asia Pacific at Intel Security. The following is an edited excerpt of the discussion.
Asia Pac's Unique Needs
Jeremy Kirk: What have you observed as far as the needs of organizations in Asia Pacific in computer security?
Michael Sentonas: The thing that has become clear to me, and I've been in the industry for a very long time now, is that organizations can't prevent 100 percent of breach attempts. A sophisticated adversary will eventually get in, and people are really starting to question the existing technologies that they use.
The big challenge is that the security industry traditionally focuses on dealing with malware. And it's a race to see who can provide the best signature or the best behavioral signature. Largely, the industry does the same thing: detect and prevent malware as quickly as possible. That's certainly really important, and prevention is always obviously an important thing to do. But you also need to see beyond malware. You need to be thinking about how you can detect and stop all attacks, even those that don't involve any malware. And I think many enterprises today don't have that awareness. They don't have that capability to proactively hunt and detect hackers on their networks. And I think this is one of the key value propositions.
Investing in the latest technology to keep pace with adversaries is not optional anymore. You have to do it to stay in business.
Beyond Malware
Kirk: It's interesting you mentioned that some of these attacks don't involve malware. I spoke the other day with Dmitri Alperovitch, who is the co-founder of CrowdStrike, and we were talking about what happened to the Democratic National Committee. He told me that there was not a lot of malware used in that attack. In fact, what was used were Windows administration tools like WMI and PowerShell, which was making the compromise difficult to detect.
Sentonas: That's a common technique. Every organization on the planet today has some form of endpoint security. People have a firewall. People have an IPS. Attackers know this. It's not rocket science to them that they're going to come up against these types of countermeasures. So they spend time to work out how to evade the countermeasures that are there, or they'll find techniques to use similar to the ones that you've talked about that don't involve malware at all, which means all of these countermeasures that an end user deploys simply are blind to these types of attacks, which we would call silent failure.
And I think that's something that we need to really talk more about. The industry has this huge argument about prevention versus detection. We're really debating the wrong things. When you can prevent and stop malware, we agree you should be doing that. But there's more to breaches than just your basic type of malware, and I think that's something that we just need to acknowledge and sort of take all the hype around it and say, end-to-end you need to understand how somebody's penetrated your network, defend where you can, and then just be aware and work out how to remove them when you don't have those tools in place.
What About Process?
Kirk: Companies use lots of different kinds of security technologies. Is it also an issue of process too? Do you advise companies about the need to know where sensitive information is kept and maybe segregating that in a stricter way?
Sentonas: That's a really great question, and for me it always starts off on the process side. I don't agree with buying technology because you went to the RSA Conference and people were excited about a particular product from a vendor. If you don't know what your valuable information is, if you don't know where it's stored, and you don't know the risks to your business if you were to lose that, how are you making decisions about how to protect it? You might be buying technology that is irrelevant given your specific environment and the architecture that you use.
So more and more, we need to pause and think about what it is that we're trying to solve. What problems are inside the organization? What could happen? Where is that information? And then start thinking about technology after the fact.
Common Mistakes
Kirk: What are some of the common weaknesses or mistakes do you see companies making when trying to defend their networks?
Sentonas: The biggest thing that I would say is pretty much everything that I see is largely the same strategy, where people are trying to put in many malware defense technologies. They're going out and buying a firewall, and the latest thing is talking about next-gen firewalls; they buy a new endpoint; they buy new sandboxes - but they're really designed to do the same thing, and that's stop malware as quickly as possible. It's a critical requirement, but we need to, as I said earlier, go beyond just that traditional 'whack-a-mole' approach of finding viruses and malware as quickly as possible and stopping them. That whole intelligence strategy to know your adversary, to know what's going on inside your network, to understand what could be going on is critically important. And a lot of people just simply don't have that skill, so that's a critically important piece of the strategy that needs to be focused on - especially in this part of the world.
The Problem with Passwords
Kirk: A traditional problem right now is just passwords. What do you see along the password front? Is that still one of the primary points of weakness for organizations?
Sentonas: I would say it certainly would be up there in the top. We saw the recent case of Mark Zuckerberg having an unfortunate incident where a couple of his accounts were taken over, and there were discussions in the media around password reuse. I'm not sure of the specifics behind that, but what we can see is that problem of password reuse is common. And, you know, people struggle with trying to maintain 20, 30 different passwords to all the different systems they use, so they just basically use one password or two or three passwords across every system. And then when there is a password breach - that's how attackers can log into other systems and other devices.
Logging into a system is a legitimate action, I should say, that your traditional security defenses aren't going to trigger on. They're not designed to alert you to that fact. But what happens after that could be very important. Somebody logs into the system and downloads a new version of Mimikatz that they customize to evade their desktop endpoint security, and then they suddenly dump all the administrative credentials off the network. That's a serious issue. As I mentioned, your traditional technologies may never see that, but we will expose that attempt and that potential compromise, and then we'll make our end users aware of that. We'll notify them. We'll work with them to solve that problem. So it's a very different approach.
Kirk: Do you see widespread use of password managers in enterprises these days?
Sentonas: I don't see widespread use, and I think there has to be widespread use. The promise over the last couple of years was that we would get to some form of platform where we used more and more hardware to solve this particular password problem, but unfortunately, for a number of reasons, we're not there yet. So I see the promise of doing away with passwords altogether. It's still a little ways out, but people need to start thinking about password managers and systems that can help them solve this particular problem. But it's a double-edged sword because as you know, password managers don't solve all problems. We've seen examples of vulnerabilities and compromises of nearly every password manager that's ever been released.
CrowdStrike in Asia Pac
Kirk: CrowdStrike is launching in Asia Pacific. Can you tell me why the company is making the move now and how your operations here are going to be structured?
Sentonas: CrowdStrike is seeing significant growth in Asia Pacific, and importantly in Australia. It's an important market for us and an important region. And what's important to say is that we're already deployed in more than 170 countries around the world, and that includes a number of countries within the Asia Pacific market. So for us we really want to maintain that growth, and we want to continue to acquire customers in this region.

A project designed to promote wider use of encryption, Let's Encrypt, is asking Comodo to withdraw three pending trademark applications that use its name.
The kerfuffle has drawn widespread criticism of Comodo, one of the largest sellers of digital certificates. Let's Encrypt, a nonprofit project, gives away its certificates.
Let's Encrypt has asked Comodo several times since March to withdraw its applications with the U.S. Patent and Trademark Office, but the company has refused, says Josh Aas, executive director of the Internet Security Research Group, which oversees the project.
"When we found out about this, we were pretty confused why [Comodo] would do that," Aas said in a phone interview. "We reached out but didn't get much of an explanation."
Viewed as a Competitor?
Let's Encrypt has not applied for a trademark with the USPTO, but plans to do so. Aas contends, however, that the organization has established a common law trademark through use of the term.
Aas wrote in a blog post on June 23 that Let's Encrypt will vigorously defend its brand, but that the organization has limited resources to fight Comodo.
Comodo filed on Oct. 16, 2015, for trademarks for three phrases: Let's Encrypt, Let's Encrypt with Comodo and Comodo Let's Encrypt, according to the USPTO.
Comodo's move could signify that it views Let's Encrypt as a competitor because Comodo has a large business selling Secure Sockets Layer/Transport Layer Security certificates.
SSL certificates create an encrypted connection between an application such as a web browser and a server, scrambling information that is exchanged. That's important because unencrypted data could be collected and read by someone with access to the same network. Encryption is active when a padlock is shown in a browser's URL window or "https" appears before a domain name.
The movement to encourage all websites to use SSL certificates gained steam after documents leaked by NSA contractor Edward Snowden in 2013 revealed wide-scale surveillance of the web by the U.S. and U.K. governments.
Strong Reaction
Let's Encrypt began its engineering work in October 2014 and issued its first certificates around July 2015. The project is supported by the Electronic Frontier Foundation, the Linux Foundation and vendors including Akamai, Cisco, Facebook, HP and Gemalto. ISRG, which relies on sponsors, is classified as a public benefit corporation in California, and Let's Encrypt is a nonprofit project.
Some observers have expressed dismay at Comodo. "This Comodo/Let's Encrypt craziness is a perfect case study on how to destroy your company in an afternoon," writes Benjamin Bradley, who runs the WordPress plugins site iThemes.com, on Twitter.
Ian Winter, head of technical operations for the media company Venntro, writes on Twitter that after reading of the conflict, he "will actively not choose Comodo moving forward."
Let's Encrypt's domain-validated SSL certificates are free. Comodo offers 90-day trials of SSL certificates, but most of its offerings are for sale.
Comodo officials did not respond to a request for comment. But in Comodo's forums, CEO Melih Abdulhayoglu alleges that Let's Encrypt copied the company's business model of offering a 90-day free trial.
"Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical," Abdulhayoglu writes. "They clearly wanted to leverage the market of free SSL users we had helped create."
Aas disagrees, saying that Abdulhayoglu is conflating his company's 90-day trial - which is a commercial offering - with a security decision made by Let's Encrypt to have its certificates expire after 90 days.
"I'm a bit confounded," Aas says. "I don't think under any interpretation you could say that Let's Encrypt and Comodo have the same business model."
Encrypting the Web
Certificates from Let's Encrypt expire after 90 days and must be renewed, but that renewal is still at no charge. Certificates with shorter lives offer better security because some browsers do not necessarily reject ones that have been revoked before they've expired, Aas says.
If a certificate expires, a web browser won't trust it and will display a warning. If an attacker has obtained a private key and certificate, it means there's a smaller window in which the certificate could be fraudulently used even if it has been revoked, Aas says.
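The reasoning above can be made concrete with a small model. This is an added illustration, not code from Let's Encrypt or from the article: it counts the days on which a stolen certificate would still be accepted, for clients that check revocation and for clients that do not, comparing the page's 90-day lifetime with an assumed 365-day lifetime. All dates are constructed.

```python
from datetime import datetime, timedelta

DAY = timedelta(days=1)


def cert_is_accepted(now, not_before, not_after, revoked, client_checks_revocation):
    """Model a client's decision on a leaf certificate.

    Expiry is always enforced (an expired certificate produces a browser
    warning). Revocation is enforced only by clients that actually check it,
    which is the gap a short lifetime is meant to narrow.
    """
    if now < not_before or now > not_after:
        return False
    if revoked and client_checks_revocation:
        return False
    return True


def exposure_days(not_before, lifetime_days, compromised_at, revoked_at,
                  client_checks_revocation):
    """Count the days, from key compromise until expiry, on which the given
    client class would still accept the stolen certificate."""
    not_after = not_before + lifetime_days * DAY
    days = 0
    day = compromised_at
    while day < not_after:
        revoked = revoked_at is not None and day >= revoked_at
        if cert_is_accepted(day, not_before, not_after, revoked,
                            client_checks_revocation):
            days += 1
        day += DAY
    return days


def compare_lifetimes(lifetimes=(90, 365)):
    """Exposure in days per certificate lifetime, for revocation-checking and
    non-checking clients. Constructed scenario: the private key is stolen 30
    days after issuance and the certificate is revoked 5 days after that."""
    issued = datetime(2016, 1, 1)          # constructed issuance date
    compromised_at = issued + 30 * DAY
    revoked_at = issued + 35 * DAY
    result = {}
    for lifetime in lifetimes:
        result[lifetime] = {
            "checks_revocation": exposure_days(issued, lifetime, compromised_at,
                                               revoked_at, True),
            "ignores_revocation": exposure_days(issued, lifetime, compromised_at,
                                                revoked_at, False),
        }
    return result


if __name__ == "__main__":
    for lifetime, exposure in compare_lifetimes().items():
        print(f"{lifetime}-day certificate: {exposure}")
```

For clients that ignore revocation the window is bounded only by expiry, so the 90-day certificate is usable for 60 days after the theft against 335 days for the 365-day one; clients that honor the revocation cut both to 5 days.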
Let's Encrypt has issued 5 million SSL certificates of which some 3.8 million certificates are still active. The organization's certificates can be used for more than one domain, and Aas says the active certificates protect more than 7 million domains.
In December, more than 39 percent of web pages were encrypted. Seven months later, that figure is about 45 percent, Aas says.
"That is a really rapid pace of change for the web," Aas says. "The real goal is to get the web to 100 percent encryption, regardless of where people's certs come from."
In this edition of the ISMG Security Report, HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee explains the steps the U.S. federal government took to nab 301 individuals - including physicians, pharmacists and nurses - for Medicare and Medicaid fraud.
You'll also hear:
Gregory Wilshusen, Government Accountability Office information security issues director, discuss a new GAO report that faults four federal agencies for not taking proper steps to secure highly sensitive data; DataBreachToday Executive Editor Mathew J. Schwartz explain how a British national allegedly hacked into the brokerage accounts of American investors to profit from a stock scheme; and U.S. Secretary of State John Kerry compare today's privacy rights to those that existed in the 1990s.
The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Please check out our June 17 and June 21 reports, which respectively analyze how the Watergate break-in of Democratic Party headquarters might have played out if today's information technology had been available in 1972 and the new ransomware threat posed by JavaScript. The next ISMG Security Report will be posted Tuesday, June 28.
Theme music for the ISMG Security Report by Ithaca Audio under Creative Commons license.

Reacting to strong complaints from retailers, three major card brands have finally taken steps toward reducing the amount of counterfeit fraud chargebacks to U.S. merchants, which began as a result of the EMV fraud liability shift last October.
Visa, MasterCard and American Express have launched plans to help merchants speed their deployment, activation and certification of EMV-compliant point-of-sale terminals in an effort to reduce chargebacks.
And Visa and AmEx took it a step further, both saying they will prevent issuers from holding merchants liable for counterfeit fraud chargebacks on transactions of less than $25. They also say that issuers will be limited to 10 chargebacks per card, with issuers assuming the liability for fraudulent transactions after the 10-chargeback limit.
Visa's block on chargebacks under $25 takes effect July 22; AmEx's takes effect at the end of August. Visa's 10-chargeback limit rule takes effect in October; AmEx's will go into effect by the end of the year.
Both card brands' new policies will remain in effect until April 2018.
So far, Discover and JCB International, the other two major card brands, have made no announcements about EMV chargeback relief. But JCB, in an email dated June 24, tells me that it has not yet shifted fraud liability onto merchants in the U.S. in the wake of EMV. Once a liability shift takes effect, then JCB will review how liability for chargebacks should be adjusted, if at all.
Merchants' Cry for Help
The announcements from Visa, MasterCard and American Express come in the wake of numerous complaints from the U.S. retail community, which argues that the chargebacks issuers have been pushing back onto non-EMV-compliant U.S. merchants are unfair and, in some cases, not legitimate.
Are these announcements an admission by the card brands that U.S. merchants have, in fact, been treated unfairly? And are the card brands doing enough?
Merchant trade associations, including the Merchant Advisory Group, which represents the country's top retailers, and the Food Marketing Institute, which represents U.S. grocers, say they're pleased with the card brands' announcements. But they say the brands could provide more relief for merchants, especially those that have been absorbing high fees for months.
In a recent interview, Liz Garner, vice president of the Merchant Advisory Group, told me that chargebacks falling back onto non-EMV-compliant U.S. merchants since the October liability shift have averaged $10,000 to $15,000 per week for smaller merchants and as much as $1 million a week for some of the largest merchants.
Many merchants "are still waiting to get their terminals certified to accept EMV," she pointed out. "And while they wait on the payments industry to come around and do those certifications, they are being hit with very expensive chargebacks for counterfeit card fraud." (See EMV: Not Ready for Prime Time?)
In March, two small merchants in Florida filed an anti-trust suit against the card brands and leading U.S. banks, claiming they, and other retailers, have been unfairly forced to pay for chargebacks. Why? Because despite buying and installing EMV-compliant point-of-sale equipment before the October liability shift date, they were not able to get their terminals certified by the networks and turned on before chargebacks started rolling in (see Merchants Ask Court for Relief from EMV Liability Shift).
These two Florida merchants claim they racked up combined expenses to cover fraudulent transactions and fees totaling more than $10,000 for both merchants from Oct. 1 through Feb. 15.
Dave Matthews, executive vice president and general counsel of the National Restaurant Association, which represents more than 500,000 restaurants throughout the country, noted in a recent interview that quick-service restaurants have been pounded by chargebacks since the October shift. He also questioned whether those chargebacks are actually the result of counterfeit card fraud or something else.
"Part of the problem is that it's difficult to ascertain what the causes of those chargebacks are," Matthews told me. "When a charge is questioned by a consumer, that's lumped in a fraud category. When a counterfeit card is used, that's lumped into a fraud category. Frankly, when there's a coding error or a transaction error, that's lumped into a fraud category. ... We need some help from the [card] brands and from the issuing banks to ... understand what kind of charges we're actually seeing."
A Broken System
The card brands, by their recent announcements, appear to be just as concerned as merchants about EMV woes and are responding accordingly.
Their announcements concerning liability shift relief are an admission that the system is broken and that the chargebacks merchants have been dealing with since October are unfair.
Visa, in its June 16 announcement, notes that "smaller chargebacks generate a great deal of work and expense for merchants and acquirers, with limited financial impact for issuing banks."
Visa says its plans to eliminate small-dollar chargebacks and limit the number of chargebacks per account "will significantly reduce the number of chargebacks that merchants are seeing. Following these changes, merchants can expect to see 40 percent fewer counterfeit chargebacks, and a 15 percent reduction in U.S. counterfeit fraud dollars being charged back."
Garner tells me more immediate relief, such as a way to compensate merchants that have already absorbed excessive fees since October, would have been helpful. "We'd still be interested in seeing further remediation steps from the brands for damages and excessive penalties already borne by merchants via excessive chargebacks, including possibly some type of fund provided directly by the brands to help remediate these damages, since the certification delays began at the brand level with their unrealistic roadmap timelines," she says.
More to Come?
We'll likely see MasterCard come out with some more chargeback relief steps that resemble Visa's and AmEx's. Hopefully, Discover and JCB will follow suit.
It's clear that EMV migration has proven to be difficult, in part, because of the lengthy delays in getting equipment certified. And chargebacks to merchants who made good faith efforts to meet the EMV deadline are unfair.
But do the steps announced by the card brands go far enough? Or does more need to be done? Please share your views in the space below.