Facebook SSO Forgery, InfoSec Pros Under Pressure, and Google vs. Internet Pioneer
CyberWeekly Newsletter: Weekly Edition
Facebook SSO Forgery
Facebook’s Single Sign-On (SSO) is being effectively phished in the wild. Oh SSO. While cyber security professionals don’t often sit around to discuss the virtues of identity & access management (IAM), SSO and Federated Identity—twin technologies, like Apollo and Artemis—are a couple of extremely useful security solutions, even if they aren’t as sexy as other technologies. They’re useful for the same reason that Password Managers are useful. People aren’t built to memorize dozens and dozens of unique login credentials.
That’s why I can see the appeal for companies like Facebook, Google and Twitter to offer SSO APIs to third-party websites. They’re really Federated Identity APIs, but I’ll stick with the terminology being used in the wild here. By using these SSO logins, users reduce the need to remember yet another password, while giving up a bit more of their privacy to Big Tech firms. Third-party websites reduce the friction to acquire new users, while giving up a bit of their customer data to Big Tech firms. And, well, Big Tech firms simply acquire more user data and become more integrated into the fabric of the Internet.
So it’s not particularly surprising that these SSO login prompts would become the target of enterprising phishers. After all, there is a lot of value for threat actors in pwning your Facebook or Gmail accounts. According to Ars Technica, while the forged Facebook SSO logins are convincing, there are two ways to spot the fakes:
Genuine SSOs from Facebook and Google can be dragged outside of the Window of the third-party site without any part of the login prompt disappearing. Portions of the fake SSO, by contrast, disappeared when doing this. Another tell-tale sign for Myki users, and likely users of other password managers, was that the autofill feature of the password manager didn’t work, since contrary to the address showing in the HTML block, the actual URL the users were visiting wasn’t from Facebook. [Emphasis added.]
How’s that for irony? You wouldn’t need to give up additional privacy to Facebook’s SSO if you just used a password manager. But using a password manager would also have improved your chances of spotting a forged Facebook SSO login and avoiding getting successfully phished. Password manager 1, Facebook 0.
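The second tell above (autofill staying silent because the real URL wasn’t Facebook’s) comes down to an origin check. The following is an added example, not code from the newsletter, Ars Technica or Myki: a minimal password-manager autofill decision that matches on the document’s real origin and ignores whatever address the login prompt paints on screen. The vault entries and phishing hostnames are constructed for illustration.

```javascript
// Added example: the origin check a password manager runs before autofilling.
// Only the page's real URL is consulted. Text rendered inside the page, such as
// a fake address bar drawn in HTML, never enters the decision.

// Constructed vault: credentials are keyed by the exact origin they were saved on.
const VAULT = [
  { origin: "https://www.facebook.com", username: "alice@example.test" },
  { origin: "https://accounts.google.com", username: "alice@example.test" },
];

// Returns the vault entry whose origin exactly equals the real page origin, or
// null. Scheme, host and port must all match, so a lookalike host, an http
// downgrade, or an unparsable URL all result in no fill.
function autofillFor(realPageUrl, vault = VAULT) {
  let origin;
  try {
    origin = new URL(realPageUrl).origin; // e.g. "https://www.facebook.com"
  } catch (e) {
    return null; // not a valid URL: never fill
  }
  return vault.find((entry) => entry.origin === origin) || null;
}

// Models a login prompt as the user sees it versus where it really lives.
// `displayedAddress` is deliberately unused: that is the whole point.
function classifyPrompt({ displayedAddress, realPageUrl }) {
  const entry = autofillFor(realPageUrl);
  return {
    displayedAddress,
    realOrigin: entry ? entry.origin : null,
    autofilled: entry !== null,
    verdict: entry ? "genuine origin" : "no fill: origin not in vault",
  };
}

// Constructed scenarios mirroring the article: a genuine popup and a forged
// in-page prompt that shows Facebook's address but is served elsewhere.
const genuine = classifyPrompt({
  displayedAddress: "https://www.facebook.com/login.php",
  realPageUrl: "https://www.facebook.com/login.php?next=%2F",
});
const forged = classifyPrompt({
  displayedAddress: "https://www.facebook.com/login.php",
  realPageUrl: "https://example-phish.test/popup/facebook.html",
});
console.log(genuine.verdict); // genuine origin
console.log(forged.verdict);  // no fill: origin not in vault
```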
Google Chromecast vs Internet Pioneer
You may remember that a few months ago CyberWeekly provided advice on how to improve your home network security in 30 seconds. Instead of using your ISP’s Domain Name Server (DNS), you can set your network and/or devices to use a security-focused DNS, which blacklists known malicious IP addresses. Google’s free public DNS server—at address 8.8.8.8—was one of the options provided. Ironically, Google’s free public DNS has made less than flattering news in relation to the Google Chromecast.
Dr. Paul Vixie—an Internet Hall of Fame engineer and one of the pioneers of the modern DNS—was more than a little vexed when he set up his new Google Chromecast. Dr. Vixie quickly found out that the Chromecast was hardcoded to only use Google’s public DNS, 8.8.8.8, and would not allow him to use his private DNS server.
Of course, Google’s public DNS is overall a beneficial service to security-minded netizens. There are plenty of valid reasons to default to Google’s DNS—especially for less technical users—but the trade-off seems clear. By using Google’s hardware, which users pay for, they forfeit the right to control their home networks. Curious exactly why Dr. Vixie was so upset? He told BusinessInsider:
“It's a data leak — I don't allow application-level DNS queries to leave my network, because I don't want any outsider to know which device or application here asked which DNS question.”
I can understand why the Google Chromecast would default to its public DNS. After all, it’s a quality service, and let’s be real… most netizens have no idea what DNS is. However, Google is a technology company with plenty of technical users of its products. Chromecast isn’t some “free” product (like Gmail), where you get what you get. People pay good money for it. So in my book that gives users the right not to funnel more data to Google, if they so choose. I’m noticing a Big Tech privacy theme in this week’s newsletter.
Defending Forward
The US military can be quite creative in its use of the English language. It has coined simple terms, which are rich in subtext. Terms like force projection and kinetic force. Well, we can add a new term to the lexicon: defending forward. That was the term used by General Paul Nakasone, head of US Cyber Command, in his testimony to the Senate Armed Forces Committee. It is the new guiding philosophy for the Department of Defense, in general, and Cyber Command, specifically.
What exactly does defend forward mean? Gen. Nakasone wrote in his testimony, “In practice, this means confronting our adversaries from where they launch cyberattacks and developing robust capabilities that are responsive to Defense Support to Civil Authorities (DSCA) activities.” That means actively pursuing offensive options against APT infrastructure, rather than simply defending US infrastructure.
Clearly a determination has been made that, as opposed to the nuclear arsenal, America’s cyber arsenal becomes a more effective deterrent when it is actively used in offensive operations. Cyber conflict is here.
InfoSec Professionals Under Pressure
Security is now an important function in most businesses. As readers know, security is not a task that’s ever “done,” and the pace of our work as professionals seems to be taking its toll. Information Age reported on a recent survey of 408 CISOs in the US and UK. Here are a few notable highlights:
Almost every CISO suffers moderate or high stress, with 60% saying that they rarely disconnect from their job.
88% of those CISOs surveyed are working more than forty hours a week, while 22% said they are available 24/7.
The US CISO is particularly bad at disconnecting: 89% said they never have a break for two weeks or more from work.
Over a quarter said stress is impacting their mental or physical health, while 23% said the job is eroding their personal relationships.
17% of CISOs admitted to turning to medication or alcohol to deal with job stress.
Nearly a third of all those questioned believed that, in the event of a breach, they would either lose their job or receive an official warning.
More than half of CISOs (57%) said a lack of resources is what holds back an effective security posture.
63% said they were struggling to recruit the right people.
In plenty of organizations the information security team is doing its best to hold the line, in the hope that they will eventually be provided more resources. The stress isn’t just in your organization or at your level. The challenges are real, but make sure to take care of yourselves. It takes less time off to prevent getting burned out than it does to recover from it.
There’s always another certification to study for and new skill to learn, but make sure to spend time with your family. As I once heard a SANS instructor inform his class, “On their deathbed, no one ever wishes they’d spent more time on Netcat.”
Cool Job of the Week
Central Intelligence Agency (CIA) — Cyber Security Officer (Location: Washington, DC)
Veteran-Preferred Job of the Week
BDO USA, LLP — Cybersecurity Advisory Associate (Location: New York, NY)
Hope you’ve enjoyed this week’s edition of the CyberWeekly Newsletter. Please share with a friend or colleague.
Click here to subscribe to the CyberWeekly Newsletter.
Stay vigilant,
Oritse J. Uku, Editor-in-Chief
Disclaimer: The opinions expressed in this newsletter are my own.