Within the past few weeks, two significant breaches of IT security have reinforced the importance of the individual user's responsibility when interacting with, using, or being part of a product or system. Most services and companies do their level best to provide the level of security their users would expect. For an attacker, it is often easier and more efficient to go after the low-hanging fruit: the end user. The idea behind a defense in depth approach is to provide multiple layers of security so that if an attacker breaches the outer layers, they are caught by the inner ones. The outer layers generally consist of firewalls, intrusion detection systems, and email filtering, while the inner layers end with security policies, desktop antivirus, and IT security awareness training for the end users.
iCloud Backup Brute Forcing
It was recently revealed that the automatic phone backup solution provided by Apple, iCloud, lacked a few IT security features needed to help prevent a brute force password guessing attack on phone backups stored within Apple's cloud. Most notably, it lacked a rate limiter on the number of times a password could be guessed before access to the backup was granted. Apple has since applied a rate limit, but the vulnerability actually being exploited was the end user's use of predictable account recovery questions and weak passwords. Attackers were using easily obtained, purpose-built software to attack and remotely download iCloud backups without the owner being alerted to the attempts. Think of all the information your iCloud backup contains: pictures, Wi-Fi passwords, settings, and more. While this method of attack is nothing new, it means that even if Apple were using additional technology to prevent or detect the attacks, the attacks would still be possible if you use weak passwords and predictable security questions. Recently Apple enabled two-factor authentication on iCloud backups, and it is recommended you enable it. Apple also intends to enable security alerting on failed iCloud attempts.
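The two controls the post says were missing, a limit on how many password guesses an account will accept and an alert to the owner when guesses fail, are easy to see in code. The following is an added illustration written for this post, not Apple's code or any description of how iCloud actually implements them; the account name, the salt, the password, the thresholds and the notify callback are all constructed for the demo. It keeps a sliding window of failed guesses per account, locks the account once the window fills, refuses even a correct password while the lock is in force (so a lucky guess during lockout learns nothing), and calls a notification hook on every failure.

```python
"""Per-account throttling of password guesses plus failed-attempt alerting.

Added example (hypothetical, not Apple's code). Demonstrates the two controls
the post names: a rate limiter on guesses and alerting the owner on failures.
"""
import hashlib
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 5          # failed guesses allowed per account within WINDOW_SECONDS
WINDOW_SECONDS = 15 * 60  # sliding window over which failures are counted
LOCK_SECONDS = 60 * 60    # how long the account stays locked after the limit is hit


class LoginThrottle:
    def __init__(self, verify_password, notify, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lock_for=LOCK_SECONDS):
        self.verify_password = verify_password  # callable(account, password) -> bool
        self.notify = notify                    # callable(account, message): owner alert
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self._failures = defaultdict(deque)     # account -> timestamps of recent failures
        self._locked_until = {}                 # account -> time at which the lock expires

    def _prune(self, account, now):
        # Drop failures older than the window so the limit is a sliding one.
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def attempt(self, account, password, now):
        """Return 'ok', 'failed' or 'locked'. `now` is injected so tests are deterministic."""
        # Locked accounts are rejected before the password is even checked.
        if self._locked_until.get(account, 0) > now:
            return "locked"
        self._prune(account, now)
        if self.verify_password(account, password):
            self._failures[account].clear()
            return "ok"
        self._failures[account].append(now)
        self.notify(account, f"failed sign-in attempt at t={now}")
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lock_for
            self.notify(account, f"account locked for {self.lock_for}s "
                                 f"after {self.max_failures} failures")
            return "locked"
        return "failed"


# Constructed sample user store: a salted PBKDF2 hash, never the plaintext password.
_SALT = b"constructed-demo-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice@example.com": _hash("correct horse battery staple")}


def verify(account, password):
    stored = USERS.get(account)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash(password))  # constant-time comparison


def run_demo():
    """Five wrong guesses trip the lock; the right password is refused until it expires."""
    alerts = []
    throttle = LoginThrottle(verify, lambda acct, msg: alerts.append((acct, msg)))
    acct = "alice@example.com"
    results = [throttle.attempt(acct, f"guess{i}", now=i) for i in range(5)]
    locked_correct = throttle.attempt(acct, "correct horse battery staple", now=6)
    after_lock = throttle.attempt(acct, "correct horse battery staple",
                                  now=6 + LOCK_SECONDS)
    return results, locked_correct, after_lock, alerts


if __name__ == "__main__":
    results, locked_correct, after_lock, alerts = run_demo()
    print("guesses:", results)
    print("correct password while locked:", locked_correct)
    print("correct password after lock expires:", after_lock)
    for acct, msg in alerts:
        print("ALERT", acct, msg)
```

The lock is keyed on the account rather than the client address because the attack the post describes is distributed across many machines and many backups; a per-address limit alone would not stop it. The notify hook is where a real service would send the owner an email or push notification, which is the alerting the post says Apple intends to add.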
JPMorgan Breach
Late last month, JPMorgan reported that it had discovered an advanced persistent threat which was used to steal hundreds of gigabytes of unknown data for an unknown purpose. While the breach is under investigation, specific details about the attack are limited. It was initially reported that the attack was performed through a previously unknown exploit on one of their web servers. It was later reported that the attack may have originated from an employee's desktop which was infected by a malicious attachment sent through email. The idea behind this kind of attack is to trick an end user into, essentially, inviting the attacker inside the network, bypassing many security layers. Please note that JPMorgan spends millions on security infrastructure and people to secure its enterprise, with plans to boost spending to 250 million annually.
Playing your part
The common factor between these two breaches is that the end user was the target. All it takes is one user with a weak password, or one click on a phishing email, to bypass a defense in depth approach. In the case of weak passwords, the attacker is able to move about the network as an "authorized user". In the case of the malicious email, it provides the attacker with a compromised endpoint inside the network from which they can pivot their attack to other parts of the network. Either foothold can also be used to gather further passwords, credentials, and information on who to attack next.
Verify suspicious email outside of the email. Do not install that toolbar; you don't need it on a work machine. If someone cold calls you for information unrelated to the reason for the call, verify outside of the call. Have IT vet software you'd like to use before you install it. Websites offering unreasonably low prices for products are not doing so to lose money; you're paying for it somehow. Think before you click. Contact Security if you need clarification, assistance, or advice.
Technology can only provide so much “automatic” protection. In the end, what we click, what programs we install, and where we go on the Internet are ultimately our choices.
CREDITS AND ADDITIONAL RESOURCES
JP Morgan Attack
iCloud Backup Attacks
http://www.macrumors.com/2014/09/02/icloud-backups-vulnerable-to-hacking/
http://arstechnica.com/security/2014/09/what-jennifer-lawrence-can-teach-you-about-cloud-security/
All you need is one
https://www.nccgroup.com/en/blog/2014/09/phishing-all-you-need-is-one/