TLP White: Name and shame tactics, Facebook breach and third-party apps, authentication, and a new law in New Zealand permitting customs agents to search digital devices.
Hot Links –
1. Playing the Name and Shame Game.
The U.S. and other governments are playing the name and shame game, relying on this tactic to deter cybercriminals by attributing blame for attacks to specific nation states. Most recently, a U.S. government complaint alleges that a North Korean government-backed programmer executed the 2014 Sony hack and the “WannaCry” attacks. In 2016, Special Counsel Robert Mueller unsealed an indictment that charged a dozen spies believed to have been backed by the Russian government with interfering with the 2016 elections.
The UK is also pointing fingers, and recently blamed Russian military intelligence for several cyber attacks. The National Cyber Security Center takes the position that Russia’s Main Intelligence Directorate was responsible for four attacks, including hacking the 2016 Democratic Committee, the World Anti-Doping Agency, and the BadRabbit ransomware, in addition to attacking a UK-based television station.
Regardless of the effectiveness of the name and shame approach, these types of actions, along with imposing sanctions and serving indictments, are a form of self-regulation that only governments can do, and they should keep doing it.
2. Third-Party Concerns Surround Latest Facebook Breach.
Following Facebook’s recent data breach, the company announced that it found no evidence that any of the 50 million user accounts impacted by the breach had been used to access apps using Facebook Login. Nonetheless, security experts caution that the breach could have permitted hackers to access third-party apps and websites by relying on the Single Sign-On (“SSO”) feature API. This API lets users log in to websites using Facebook credentials and can be obtained using access tokens.
A professor commenting on Facebook’s investigation noted that although the results are encouraging, i.e., that there is no indication that apps have been accessed, the report lacks important information such as how long Facebook’s audit lasted and the implications for apps. There are continued risks for individuals who used Facebook SSO for other third-party apps.
Current SSO deployment practices are problematic for Facebook and other identity providers, exposing users to stealthy attacks. While SSO is appealing for developers focused on a seamless user experience, great risk comes with integrating applications with this API. The risks are especially high when integrating critical functions like authentication.
The Fast Identity Online (“FIDO”) Alliance is one solution that has emerged to the authentication challenges highlighted by the Facebook breach. The FIDO specifications and certifications enable an interoperable ecosystem of hardware, mobile, and biometrics-based authenticators that allow enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle, and replay attacks using stolen passwords. Moving away from traditional password mechanisms can help limit large-scale incidents whose impact is difficult to trace, such as the recent Facebook incident.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC.