Saturday, February 20, 2016

Apple vs. U.S. Government: An information security perspective

Information security is in the news again - this time for a completely different reason than normal. There's no huge company that got hacked. There's no hacktivist group threatening to DDoS a company that offends their beliefs. No - this is completely different. And it's far more important than many people realize.

In the aftermath of the San Bernardino shooting in December 2015, where 14 people were killed and 22 were seriously injured in a terrorist attack, the United States government has engaged in a legal battle with Apple. The government wants Apple to craft a new operating system for the iPhone of the terrorist responsible for the shootings in the name of threat intelligence. While this seems similar to a warrant for information, this is entirely different. Why? Because Apple doesn't own that information.

Monday, September 28, 2015

How Do Information Security Teams Work?

Have you ever wondered, “How do information security teams work?” You may know that they somehow keep your information safe (as far as you know), and they might seem like wizards in doing so. While we like to think that’s true, there is a method to the madness that keeps cyber villains from stealing your social security number, salary information, and health records.
First, let’s make it clear that not ALL parts of the information security team are fighting off cyber criminals for 40 hours (or 80 hours) each week. However, for the team that focuses on defending company information online, there are three major components: Intelligence, Detection, and Response.

Thursday, August 13, 2015

Security Basics: DNS Tunneling for Data Exfiltration

DNS tunneling is a method of exfiltrating data by hiding it inside DNS traffic, so that data which would normally travel over another protocol leaves the network disguised as name lookups. First, let's review what DNS is. DNS stands for the Domain Name System, which is used to translate the hostname in a Uniform Resource Locator (URL) into an Internet Protocol (IP) address. Still too complicated? Basically, this means that when you type in "www.securitydelivered.com", a DNS server will understand that you want to come to my website at the IP address of 74.125.20.121, and your browser will then download the content on my homepage from that address.

With DNS tunneling, another protocol is carried inside DNS queries and responses. Tunneling tools were originally written to bypass paid WiFi services: if a captive portal allowed outbound DNS before payment, a user could encode IP traffic into DNS traffic and get internet access without paying. Attackers learned that the same technique can carry stolen data, which makes DNS a fantastic channel for exfiltrating data out of a compromised network.
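From the defender's side, tunneled data usually shows up as long, high-entropy subdomain labels queried over and over under one domain. The detector below is an added example written for this post (not a tool from the original page); it runs over a constructed resolver log, and the thresholds, the sample names and the "last two labels are the registered domain" rule are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client IP> <queried name>".
# The tunnel.example.net queries mimic what encoded data in a subdomain looks like.
SAMPLE_LOG = """\
2015-08-13T10:00:01 10.0.0.5 www.securitydelivered.com
2015-08-13T10:00:02 10.0.0.5 mail.example.org
2015-08-13T10:00:03 10.0.0.7 4a7b3c9d2e1f0a6b5c4d3e2f1a0b9c8d.tunnel.example.net
2015-08-13T10:00:03 10.0.0.7 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.tunnel.example.net
2015-08-13T10:00:04 10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.tunnel.example.net
2015-08-13T10:00:05 10.0.0.5 www.securitydelivered.com
"""

def shannon_entropy(label):
    """Bits per character; encoded data scores high, dictionary words score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def find_tunnel_suspects(log_text, min_label_len=30, min_entropy=3.5, min_queries=3):
    """Return registered domains whose subdomain labels repeatedly look like encoded data.

    Thresholds are assumptions chosen for this sample; tune them against your own baseline.
    """
    stats = defaultdict(lambda: {"queries": 0, "long": 0, "random": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        labels = parts[2].lower().rstrip(".").split(".")
        sub = labels[:-2]  # everything left of the registered domain
        s = stats[registered_domain(parts[2])]
        s["queries"] += 1
        s["long"] += any(len(l) >= min_label_len for l in sub)
        s["random"] += any(shannon_entropy(l) >= min_entropy for l in sub)
    return sorted(d for d, s in stats.items()
                  if min(s["queries"], s["long"], s["random"]) >= min_queries)
```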

Wednesday, July 29, 2015

How Cyber War Could Kill Millions of Americans

Imagine this scenario: You wake up one morning to your cell phone alarm to see that your battery isn't fully charged as normal, but rather still holding onto the last 24% of charge from the previous night. Frustrated that you need to invest in a new charger, you move over to your desktop and turn it on, realizing that it's not working either. At least now you know that it was probably just a breaker that tripped over night, so you check your breaker box, only to discover that everything seems normal. So next to blame is the power company. Luckily your phone is still partially alive, so you try to give a call to the company, but can't connect to any cell towers. What's happening? You pull out your radio to try to listen to the news - once again, nothing. Every station that you normally listen to is all static.

Wednesday, July 8, 2015

Dick Marcinko - The Chuck Norris of Penetration Testers

Since I started my college education, I've always had genuine interest in penetration testing. Dick Marcinko was a penetration tester, but not in the way that the average information security professional would expect. In fact, Richard “Dick” Marcinko, excuse my French, was a badass outranking today’s badasses. With his wide range of knowledge, skill, and training, Dick Marcinko could be put into the ranks with Chuck Norris and Bruce Lee. His special operations team, Red Cell, was responsible for exposing a variety of vulnerabilities via controversial methods in a range of the United States’ vital security infrastructures. In my opinion, Dick Marcinko operated with merit by identifying crucial loopholes in our government’s physical security efforts.

Tuesday, June 16, 2015

Performance Metrics In Cyber Security

Performance metrics are standard, quantifiable measures that are reported to assess performance in a particular area. In an information security environment, it is crucial to collect and analyze metrics to ensure the continuity of growth for an organization's security capabilities.

There are a variety of benefits to the implementation of performance metrics. First, having quantifiable metrics provides the ability to view the impact of security processes and technologies over an extended period of time. In turn, this presents the opportunity to effectively communicate the state of information security to senior management. This communication can provide a more structured guidance when determining how to allocate an organization's resources and improve technologies and processes to achieve a security team's mission.

Thursday, May 28, 2015

How Apple Could Have Prevented the iCloud Hack

This is a continuation from last week's blog:

One best practice that should be exercised is the adoption of a secure by design standard. Many environments and applications of the past have a design plan focused on accessibility. However, as we discussed earlier, confidentiality and integrity must also be strong influences on how an environment is designed, implemented, and maintained. The case study of Apple’s iCloud is a perfect example for secure by design. While it may look like a failure of the end users to secure their personal accounts, Apple certainly bears some responsibility for weak security design. Many account management scripts used today are guilty of the same issue. However, more advanced scripts today use strict password requirements. This means that an account cannot be created or have its password changed without the new password meeting complexity requirements. These could include the password being a certain length, using special characters and numbers, or using a combination of these. For example, Microsoft uses a policy that passwords must meet 3 of the 5 complexity requirements. The five requirement categories that are provided are:

· Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
· Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
· Base 10 digits (0 through 9)
· Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
· Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
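The 3-of-5 rule maps cleanly onto Unicode general categories. The checker below is an added example for this post, not Microsoft's or Apple's code; the 8-character minimum and the function names are assumptions, while the nonalphanumeric set is the one listed above.

```python
import unicodedata

# The nonalphanumeric set exactly as listed in the policy above.
NONALNUM = set('~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/')

def complexity_categories(password):
    """Return the names of the five policy categories the password satisfies."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":                    # uppercase letters, incl. accented, Greek, Cyrillic
            found.add("uppercase")
        elif cat == "Ll":                  # lowercase letters, incl. sharp-s
            found.add("lowercase")
        elif "0" <= ch <= "9":             # base-10 digits only
            found.add("digit")
        elif ch in NONALNUM:
            found.add("nonalphanumeric")
        elif ch.isalpha():                 # alphabetic but neither upper nor lower (e.g. kana, CJK)
            found.add("other_alpha")
    return found

def meets_policy(password, min_length=8, required=3):
    """3-of-5 rule from the text; the 8-character minimum is an assumption added here."""
    return len(password) >= min_length and len(complexity_categories(password)) >= required
```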

Using these requirements can greatly improve the strength of a password and decrease the risk of it being guessed by an attack known as “brute force.” Brute force software tries every possible combination of numbers and letters, guessing password after password until access is granted to an account. Using an average computer, Table 1 shows how long it might take the software to crack a password depending on the number of characters in that password. The table ranges from a 5-character lowercase password being cracked in 12 seconds to a 14-character “all character” password taking 154 billion millennia to crack. This shows that having both a larger variety of characters and a larger quantity of characters in a password helps protect accounts against brute force attacks.

Another form of brute forcing is called a dictionary attack. This attack is conducted similarly, except it uses words found in a password dictionary defined by the author of the software. This can also be used to guess common substitutions of numbers for letters (myp@55w0rd), common phrases or quotes (takesonetoknowone), and words that are commonly abbreviated or misspelled (ntmypsswrd). Another way to counter brute force attacks is for the account management software to limit the number of times that an account’s password can be entered incorrectly. For example, if the brute force software starts its attack by guessing some of the most common passwords such as “password”, “12345678”, and “qwerty”, the account management software will respond with “Too many invalid logons. Please wait one minute and try again.” A timed waiting period such as this can make the brute force software much slower than it was designed to be. If the lockout is 1 minute for every 3 invalid attempts, the brute force software would only be able to make 180 attempts per hour, as opposed to up to 350 billion attempts per second as was the case with a Linux-based GPU cluster demonstrated by Stricture Consulting Group in 2012. This security feature can be modified in multiple ways, including increasing the duration of the lockout for each additional lockout or permanently locking the user out until they verify their identity and change the password completely.
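The lockout arithmetic above (3 attempts, 1 minute, 180 guesses per hour) and the "increasing duration" variant can be checked with a small model. This is an added example written for this post, not any vendor's account management code; the class and method names are my own, and the doubling rule for escalation is an assumption.

```python
class LockoutPolicy:
    """Consecutive-failure counter with a timed lockout, as described above.

    After `max_failures` wrong passwords the account is locked for `lockout_seconds`.
    With escalate=True every further lockout doubles in length (the 'increasing
    duration' variant; doubling is an assumption). Times are integer seconds.
    """
    def __init__(self, max_failures=3, lockout_seconds=60, escalate=False):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.escalate = escalate
        self._failures = {}      # account -> consecutive failures since last lock/success
        self._locked_until = {}  # account -> time the current lock expires
        self._lockouts = {}      # account -> lockouts so far (drives escalation)

    def locked_until(self, account):
        return self._locked_until.get(account, 0)

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'fail'. A locked account rejects even the right password."""
        if now < self.locked_until(account):
            return "locked"
        if password_ok:
            self._failures[account] = 0
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            n = self._lockouts.get(account, 0)
            duration = self.lockout_seconds * (2 ** n if self.escalate else 1)
            self._locked_until[account] = now + duration
            self._lockouts[account] = n + 1
            self._failures[account] = 0
        return "fail"

def guesses_per_hour(policy, account="victim"):
    """Worst case for the defender: a guesser that retries the instant each lock expires.
    Returns how many wrong passwords the policy actually evaluated in one hour."""
    now, evaluated = 0, 0
    while now < 3600:
        if policy.attempt(account, False, now) == "locked":
            now = policy.locked_until(account)   # jump straight to lock expiry
        else:
            evaluated += 1
    return evaluated
```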

The example of the celebrity photograph data breach could have been negated through better security practices from both sides of the coin. Apple did not have adequate password requirements or lockout requirements in place to counter brute force attacks. By following best security practices, Apple could have avoided the negative publicity to both their company and the celebrities affected. However, the celebrities whose accounts were compromised also could have used stronger passwords without requirements being strictly enforced by Apple. Through proper security education, each end user could have protected the privacy of the data that was stored in Apple’s iCloud environment.

Another practice that can greatly improve the security and privacy of data in cloud environments is the deployment and utilization of active monitoring solutions. Active monitoring is conducted by having a team of professional personnel available during all hours of the week to review intrusion detection and prevention hits as well as security anomalies that are identified by technical systems. A baseline should be set by monitoring normal activity on the network for an extended period of time. The average activities and processes conducted on the network should be used as a baseline, which should then be used to compare against future daily activities conducted on the network. Once a statistical anomaly from the baseline is identified, the on-staff personnel should be able to look further into why there was a change from the normal level of activity. An anomaly that Apple may have been able to identify with this type of deployment was seeing an increased quantity of account recovery and failed login attempts for the time period when many of the celebrity accounts were compromised. However, even if there were no significant anomalies that could have been recognized at the time, there are still other best practices that could have assisted in preventing the situation.
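The baseline-then-compare approach described above can be reduced to a per-metric mean and standard deviation with a sigma threshold. The code below is an added example for this post, not Apple's monitoring; the daily counts are constructed and the 3-sigma threshold is an assumption.

```python
import statistics

# Constructed baseline: failed-login and account-recovery counts per day over 14 normal days.
BASELINE_HISTORY = {
    "failed_login":     [412, 398, 405, 421, 390, 417, 403, 399, 410, 408, 395, 420, 401, 406],
    "account_recovery": [31, 28, 35, 30, 27, 33, 29, 32, 30, 28, 34, 31, 29, 30],
}

def build_baseline(history):
    """Mean and sample standard deviation per event type from the observation period."""
    return {k: (statistics.mean(v), statistics.stdev(v)) for k, v in history.items()}

def anomalies(baseline, observed, threshold=3.0):
    """Return {event_type: z_score} for counts more than `threshold` sigmas above the mean.
    Event types missing from the baseline are flagged too: no baseline means no way to say 'normal'."""
    out = {}
    for k, count in observed.items():
        if k not in baseline:
            out[k] = float("inf")
            continue
        mean, sd = baseline[k]
        z = (count - mean) / sd if sd else float("inf")
        if z > threshold:
            out[k] = round(z, 1)
    return out
```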

Ethical hackers are often contractors who are hired to break into a company’s network in any way possible and steal data that the company did not know was vulnerable to attack. The field of ethical hacking is daunting to many companies because it gives the hired third party knowledge of the company’s network infrastructure and its weaknesses. However, organizations must realize that it is much safer and less of a risk to the business to have hired help penetrate their network defenses than a hacker who might sell sensitive intellectual property to a competing organization. Through the use of ethical hackers conducting penetration tests, Apple could have identified the security vulnerability that allowed attackers to brute force iCloud accounts.

One last method that Apple could have utilized to defend against the attacks on their customers’ accounts is two-step authentication. Two-step authentication is a method of logging into a user account that requires more than one password. After logging into an account with a static username and password, a second, randomly generated password is required before access to the system is granted. The two most common methods of doing so are key fob and text message password generators. A key fob is either a hardware or software device that is synced with a server and displays a password that is randomly generated every 30 or 60 seconds. In this case, the current password is always viewable by the user holding the fob. The other method for two-step authentication is a text message password that is automatically sent to a verified cell phone after a successful login using the designated static user credentials. This password is not always viewable and is only generated when a user requests a login from a new computer, so in these ways it is considered more secure. In the Apple iCloud security breach, this would have prevented attackers from gaining access to user accounts without physical access to either the target’s phone or key fob.

The United States government estimates that its spending on cloud computing will surpass $7 billion by the year 2015 (Kaufman, 2009). This investment shows that there is certainly a future in cloud computing, but if security issues continue to exist, it will be difficult to create a strong business model around the technology. Businesses have to be able to assure potential consumers that data stored in the cloud storage environment is going to remain safe. Once information is moved onto the Internet, there will always be a way to access it. If the value of the data being stored in the cloud is high enough, there will often be a threat agent that targets the now-accessible data. If the entire cloud computing industry doesn’t implement best practices for security, cloud service provider system breaches will continue. This will result in an aversion to the use of cloud services and slowly kill off the industry as a whole.