Cassius: "The fault, dear Brutus, is not in our stars, But in ourselves, that we are underlings." Sensational stories are popping up about the insecurity of the popular video meeting app Zoom. Videos on servers that are not even password protected, as reported by WaPo, including "how to do Brazilian wax job" -- but it turns out "most" of these are on external storage not controlled by Zoom. Some are even calling it malware. Features such as connecting to cloud storage from your private (home, or company) network have always been a security violation in several ways:
If your company data use policy and security policy are not yet clear or do not address sharing of videos or other documents, get on it and make sure all your users - employees, contractors, and customers - know and follow them (your customer can record your session too... can you detect that?). For individuals, RTFM (read the fine manual), or at least look through your settings (in Zoom there is "automatically start recording when you start the meeting..."). Decide where you store your videos if you do decide to record, and verify it's in the right place under at least password protection. Sure, Zoom has security issues, and the more scrutiny, the better the product that will come out of it. But no matter how good the product is, it is up to the user to take care of the information (and video). If you use a nice alternative like WebEx from Cisco, record a meeting, and then put it on a public cloud platform, that's neither WebEx's problem nor Zoom's.
The phrase that caught my eye is highlighted below: "discovering digital assets organizations don't know about". Discovery of Unknown Internet Assets - how can you have internet assets you don't know about? Because they bypassed the IT and Security teams entirely and came into being through another mechanism: Shadow IT. All it takes is a manager willing to approve an expense on the company credit card for cloud and other services. That also makes short work of finding them: have accounts payable (for credit card expenses) summarize what cloud services are being charged and which managers have been approving them. Have those managers fess up where those internet assets are deployed, bring them into the spotlight, and get those services into compliance.
In the pursuit of efficiency. In other words: to avoid being drowned in the flood of obligations to perform our due diligence. When we look at IoT (the Internet of Things), the number of devices easily outgrows normal means of management. Very large numbers of IoT devices can be installed anywhere, including places that are hard to reach to perform a direct repair or update. So remote administration that is easy and automated is not just nice to have, it is an absolute necessity. Systems and services to manage and perform admin/update/patch on thousands, or tens of thousands, of devices can be a huge overhead; the scale of IoT installations is, by their raw numbers, unprecedented and overwhelming. So what is a conscientious system admin to do? Some easy-to-use paid services have popped up recently supporting Raspberry Pi and its related operating systems - Raspbian is a variant of Debian, on which Ubuntu is based, so these remote admin tools work on all of those platforms. Using a tool like dataplicity is trivially easy and takes little time. You can have one managed device for free. It's as simple as:
1) Go to their website and enter your email, which generates a confirmation message and a password creation page.
2) Copy and run a one-line script that invokes an install process running on Python; at the end of that a URL is provided, but you don't even need to copy or remember it.
3) Go to the dataplicity website, log in, and click on your device, and inside your web browser is a terminal logged into your Raspberry Pi / Debian / Ubuntu system. su to your local account and then you can do all admin functions from a command line.
That's it! You have just bypassed all the firewalls protecting your system, and anyone on the internet with the account and password has a command line on your internal system, from any browser you (or they) choose to use.
This, if you have not already figured it out, is the reason you must not do this on your work computer without appropriate authorization and approval from the IT and Security teams. Most entertaining is that I have not found any mention that doing this on your work computer is (most likely) a violation of your company's security policy, since you're exposing an internal system to the public internet and to anyone who has the account name and password; anyone, including attackers who might have compromised the service provider. Good news: it's easy to enable 2-factor authentication; use a phone number to receive a text message with a code to log in to your device (or use Authy). Bad news: you can host a website from your Pi/Debian/Ubuntu system easily: https://docs.dataplicity.com/docs/host-a-website-from-your-pi . Down in the fine print, under "Security considerations": "When you switch on Wormhole you are placing the web service hosted on your Pi directly on the wider internet. That's actually the point, but what it means is that you need to take special care in what you put online." While it is not (yet) part of the product feature set, it would be easy to add the ability to access VNC or RDP not just on the Pi/Debian/Ubuntu system, but on any machine in the same subnet as the Pi. If you're curious about how this is a trivial use of the existing capabilities, drop me a note and we can chat, or even run a demo. Dataplicity and resin.io provide similar remote access that can be configured to run WITHOUT static IP addresses, without port forwarding inbound from a remote location, and without firewall exceptions. Beautiful, and it should scare all security and IT professionals charged with protecting networks and systems. What should you do instead? For free (I mean no monthly fees), you can install Tor on these platforms (sudo apt install tor) and configure the device to be a hidden service on Tor (the dark web).
Your 56 character .onion address is not known to anyone but yourself, and you maintain full control of the connection rather than trusting a third party (and their employees, consultants, vendors) with access to your internal system. No need for dynamic DNS, no need for a static IP, no need for firewall exceptions. Compare the address space of IPv6 (2^128 = 3.4x10^38) with that of Tor v3 (36^56 = 1.4x10^87): that's 49 more zeros in magnitude. Other than in China, where the Great Firewall (GFWC) actively blocks Tor, this could be the universal remote admin tool that is better than dataplicity with just a bit more work. A general plan to implement it in an enterprise environment is described on the SRATOR web site. Any of these methods for bypassing the firewall should be a concern to IT and Security professionals who try to protect the private network of any company or organization, but doing it all in house with Tor can eliminate some of the risks of outsourcing.
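As an added illustration (not from the post) of what that 56 character address actually is: Tor derives a v3 hostname deterministically from the service's Ed25519 public key plus a two-byte checksum and a version byte, so keeping the address private means keeping the hidden service key directory and the address itself off anything you do not control. The key bytes below are constructed for the demo, not a real key.

```python
import base64
import hashlib

VERSION = b"\x03"                      # v3 onion addresses carry version byte 3
CHECKSUM_PREFIX = b".onion checksum"   # fixed string from the Tor v3 rendezvous spec
ONION_V3_LEN = 56                      # 35 payload bytes -> 56 base32 characters


def _checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 hostname: base32(PUBKEY || CHECKSUM || VERSION) + '.onion'."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    payload = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(payload).decode("ascii").lower() + ".onion"


def parse_onion_address(addr: str) -> bytes:
    """Validate a v3 hostname and return the embedded 32-byte public key.

    Rejects wrong length, bad alphabet, non-v3 version and checksum mismatch,
    so a mistyped or look-alike address fails before any connection attempt.
    """
    host = addr.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != ONION_V3_LEN:
        raise ValueError(f"expected {ONION_V3_LEN} characters, got {len(host)}")
    payload = base64.b32decode(host, casefold=True)   # binascii.Error is a ValueError
    pubkey, checksum, version = payload[:32], payload[32:34], payload[34:]
    if version != VERSION:
        raise ValueError("not a version 3 onion address")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


if __name__ == "__main__":
    # Constructed key bytes for the demo; a real service's key lives in the
    # HiddenServiceDir that tor creates (hs_ed25519_public_key).
    demo_key = bytes(range(32))
    addr = onion_address_from_pubkey(demo_key)
    print(addr)                                   # 56 chars + ".onion", ends in "d"
    assert parse_onion_address(addr) == demo_key
```

Every v3 address ends in "d" because the low five bits of the version byte 0x03 land in the last base32 character; an address that does not is not a v3 service.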
Cisco bought Umbrella a few years ago. Umbrella.com now forwards to https://umbrella.cisco.com/ and the free services seem to be migrating to paid ones, but there are a number of resources that appear to be "no charge". The page for this live demo, https://info.umbrella.com/cisco-umbrella-live-demo.html , says: "Users today work from anywhere — and they’ll often bypass the VPN to get work done. Sound familiar? Get the boost you need to secure your apps, data, and users whenever they’re on the move." Circumventing the VPN is a fundamental violation of conventional security policy, if that is not already obvious. Other free information includes "What attacks aren't you seeing" (https://learn-umbrella.cisco.com/ebooks/what-attacks-arent-you-seeing) - if you see some ideas that are useful, great. As noted elsewhere, mention of a product does not constitute endorsement.

Imagine your boss reads about Shadow IT before you have a chance to take control of the situation. It's not ALL bad news. You can refer her to this article, which talks about the upside of Shadow IT in your organization: https://www.entrustdatacard.com/pages/shadow-it . The big plus is that "Employees are more productive when allowed to use preferred technologies." It is still necessary to take control, because the video still claims that Shadow IT will be responsible for 1 in 3 data breaches, amounting to billions of dollars of losses for companies. Good luck!

The identification of Shadow IT is not new. Some writers believe it can constitute 30 to 40 percent of the total IT spend of an organization. https://www.quickbase.com/blog/5-shadow-it-statistics-to-make-you-reconsider-your-life points out that unmanaged use of IT renders the entire organization vulnerable to attack from external groups, as well as to random leakage of internal corporate data to the outside world. This is particularly likely with the proliferation of cloud services purchased by employees and paid for by a manager's credit card. Boom! Who's doing the security audit on that? Probably nobody. Suggestion: have Accounting or Purchasing produce a list of credit card or purchase order payments to Amazon, Google Cloud, Microsoft, Apple, Dropbox, Box, MEGA, or any service provider selling cloud-based services, and verify that the use of such services is actually approved by the IT and security teams. That is one piece of low-hanging fruit that should be grabbed right now. The only reason you might delay this discovery is that you don't want to know how bad things are. Good luck!

Djilpmh Pi gave a talk on topics related to Shadow IT at the November meeting of ISSA New England. Great to see and meet five students who made the trip from Champlain College to attend this meeting. And thanks to this ISSA Chapter for welcoming me to talk about this topic which otherwise remains in the shadows.
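Putting the accounts-payable suggestion (and the earlier "have accounts payable summarize what cloud services are being charged" idea) into practice, as an added example that is not from the post: a small script that scans a card-statement export for charges to the cloud providers named above and totals them per approving manager, skipping providers IT has already approved. The export rows, statement descriptor fragments and approved list are all constructed for the example.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Statement descriptor fragments -> provider (constructed from the providers named in the post).
CLOUD_MERCHANTS = {
    "AMAZON WEB SERVICES": "Amazon", "AMZN": "Amazon",
    "GOOGLE *CLOUD": "Google Cloud", "MSFT *AZURE": "Microsoft",
    "APPLE.COM/BILL": "Apple", "DROPBOX": "Dropbox", "BOX.COM": "Box",
    "MEGA LIMITED": "MEGA",
}
# Providers the IT and security teams have actually reviewed and approved (constructed).
APPROVED = {"Microsoft"}

# Constructed accounts-payable export: date, approving manager, descriptor, amount in USD.
SAMPLE_EXPORT = """date,approver,merchant,amount
2019-11-02,j.doe,AMAZON WEB SERVICES AWS.AMAZON.CO,412.50
2019-11-03,j.doe,STAPLES 00123,58.20
2019-11-05,r.roe,GOOGLE *CLOUD 9F3K2,1200.00
2019-11-07,r.roe,DROPBOX*BUSINESS,150.00
2019-11-12,a.ng,MSFT *AZURE 0123,880.00
2019-11-15,a.ng,MEGA LIMITED,9.99
2019-11-20,j.doe,AMAZON WEB SERVICES AWS.AMAZON.CO,438.10
"""


def classify(merchant: str):
    # Map a raw statement descriptor to a provider name; None for non-cloud spend.
    desc = merchant.upper()
    for fragment, provider in CLOUD_MERCHANTS.items():
        if fragment in desc:
            return provider
    return None


def find_shadow_cloud(export_csv: str):
    """Return {(provider, approver): total} for cloud charges to providers that
    are not on the approved list; these are the managers to go and ask."""
    totals = defaultdict(Decimal)   # Decimal, not float, for money
    for row in csv.DictReader(io.StringIO(export_csv)):
        provider = classify(row["merchant"])
        if provider and provider not in APPROVED:
            totals[(provider, row["approver"])] += Decimal(row["amount"])
    return dict(totals)


if __name__ == "__main__":
    for (provider, approver), spend in sorted(find_shadow_cloud(SAMPLE_EXPORT).items()):
        print(f"{provider:<13} approved by {approver:<6} USD {spend:>8}  -> where is it deployed?")
```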
We put a lot of trust and confidence in the core products that support our businesses. But what if a clever attacker were able to compromise a system admin's workstation and gain superuser privileges on such internal systems as email, messaging, and collaborative platforms (say, in the Windows world, Outlook, Skype, and SharePoint)? The attacker is now embedded deep in the system with alternate admin accounts, and is reading everything you're doing.
How do you recover, or even plan how to remove the infiltrated attacker, when they can see every email and message? If you have a disaster recovery plan to respond to that ugly scenario (do you believe it won't happen?), it could well be to communicate (hopefully securely) over methods that are not visible to the internal IT system. Online systems such as https://riseup.net/ are in normal situations undesirable, because their communications are not directly visible to the corporate IT and Security teams. But if those core IT systems have been compromised, a "Plan B" for at least a subteam or leadership team should use tools that are not transparent to the attackers who now own your internal IT and security.
Author: Djilpmh Pi has been tracking the spread of Shadow IT for some time. This collection lists some of the most egregious examples.
Archives
January 2020