Tuesday, January 20, 2015

Educating non-InfoSec People

EA was hacked and isn't admitting it, in my opinion. Let me explain. EA has an application used to buy games and in-game items called Origin. I have an Origin account I almost never use; I used it to buy some single-player games in the past. I got a "your password was reset" email and thought, that isn't good. So I tried and failed to log in. I had a new password reset email sent to me and logged on to see many, many game purchases I didn't make, and lucky me, they had all failed. I tried to turn on a security feature to alert me when the account logged in from another IP but couldn't, because the answer to my secret question was changed. So I opened up a ticket. It turns out it was changed to a long string of text, and not all English characters, joy. So I'm good now. But keep in mind a few things. One, I'm reasonably sure my home PC is not infected or owned in any way. Two, I use an email address for this that I don't use for normal email, and it is on a domain I own, not gmail, etc. Three, the password was strong and not reused other places. Four, to get the answer to the secret question from my PC they would have had to have owned my PC since I opened the account back in 2013. All of this points to EA being the source of the leak of my data, not me, and they stored all of this in clear text, or hashed or encrypted with poor key security, but in any case stored it in a way that didn't keep the data private when stolen; clear text is my guess. The person on the phone that helped me was nice and said they are dealing with a lot of these and are forwarding them all to their fraud department, who is trying to figure out what is going on.

So I looked it up and found things like this: http://venturebeat.com/2014/12/30/hackers-are-breaking-into-origin-and-making-fraudulent-purchases/ So based on my experience, and that it lines up with many others, it seems to me that: EA was hacked, they store this info in the clear, they don't have the logging capabilities to determine for sure that they were hacked but they suspect it, and EA leadership has taken the stance that without 100% positive confirmation of a breach they will just deal with it and tell people they have found no evidence of a breach. This is where it gets interesting.

I'm a member of a large online gaming community. So I warned them to change their EA Origin password AND their secret question/answer combo. The overwhelming response I got was disbelief that a "large company" such as EA would have been hacked without telling everyone about it, and that they wouldn't have been properly encrypting this information; instead, people kept trying to tell me how to scan my PC for malware. I finally gave up trying to explain this to them; they get what they get, I warned them. But I found it rather shocking that a group of tech savvy but non-InfoSec people put so much faith in companies doing InfoSec correctly. If you are reading this you are probably in InfoSec and are probably saying the same thing I am. Almost no company does this correctly. It is totally believable that EA doesn't encrypt this data. It is even more believable that they decide not to report a breach unless they have to, and that they have a hard time finding evidence of it. These aren't just believable, they are likely, based on all I've seen over the years. Yet the average person thinks so highly of the tech capabilities of these large companies that it comes off as conspiracy theory craziness and you can't even explain it.

This struck me as very bad. If more people knew how poorly their data was secured, people would be mad about it and things would change for the better. But I'm not sure what to do about it. I'm interested in what you all think on the topic, if anyone made it this far. How do you convince people how poorly most companies do InfoSec without them dismissing you as crazy?

Monday, January 5, 2015

Told you so...Almost

From my last post you can see I had serious doubts about the FBI claim that North Korea is involved in the Sony hack, and I'm deeply concerned that the FBI is being used as a propaganda arm of the Executive branch of government. Here is an update:

Norse Corp took on the investigation and figured it out in more detail and shared their findings with the FBI. The FBI rejected it and still has not shared why they rejected it or what if any evidence they have against North Korea:
http://nypost.com/2014/12/30/new-evidence-sony-hack-was-inside-job-cyber-experts/

The US Govt sanctioned North Korea while admitting no real evidence exists, and no one seems to care but NK:
http://boingboing.net/2015/01/02/obama-administration-north-ko.html

The stalled Cyber Security bill now has the support of Republicans in the Senate and will likely pass given the NK Sony hack link:
http://www.washingtonpost.com/blogs/post-politics/wp/2014/12/18/eyes-turn-to-the-next-congress-as-sony-hack-exposes-cybersecurity-flaws/

That bill is deeply flawed and shouldn't pass:
https://www.eff.org/issues/cyber-security-legislation

As far as I can tell the Sony hack happened, an insider working with some Russians to extort money. The White House used the FBI to blame NK to get an unpopular cyber security bill passed. When the story lost its legs over the holidays they sanctioned NK to keep it alive and try to keep momentum on the bill they want. Once the bill passes I bet they drop the NK story and arrest the insider. Time will tell though.