Sunday, March 13, 2016

Fast-Forward: Shadow IT



The full title of this talk by information security analyst Cheryl Biswas is "What Lurks in the Shadow: Addressing the Growing Security Risk of Shadow IT & Shadow Data." Here are links to her Twitter account and WordPress blog if you want to read more (with posts as recent as December 2015). Cheryl's talk was presented at the BSides Toronto conference, and their website has a link to the slide deck. If you're familiar with shadow IT, I recommend skipping ahead to the second half of the talk for discussion about how to deal with the issue from a practical standpoint.

"Shadow IT" and "shadow data" refer to information systems, and the data they hold, that exist within a corporate environment but are not known to or supported by IT staff. In the same way that a "rogue access point" piggybacks on, and threatens, existing infrastructure because it is a known unknown variable, shadow IT carries similar implications: it typically lives on the same network but is difficult to track.

Cheryl begins the talk by not only outlining how the threat of shadow IT has grown over the past 30 years with the development of BYOD and mobile technology but also highlighting the fact that shadow IT systems typically do not adhere to standard security practices within the organization. They are your worst nightmare in data privacy because they put data at risk that you did not even know was there.

In the second half of the talk, she does something completely different and shares some screenshots of data-breach discussions on Twitter. She then demonstrates how scary a search for the word "default" on Shodan.io can be (hint: vendor-supplied passwords are a Google search away).

The highlight of this conference talk is when our presenter pulls some statistics from a blog post by Cisco SVP Nick Earle, who claims that some organizations are using up to 15 times more cloud services to store critical data than were authorized by the CIO: when surveyed, one organization that thought it was using 51 active cloud services discovered its employees were using a number closer to 700! We can expect that this gap will only increase over time as employees become more tech-savvy and motivated to solve IT problems independently.
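The gap Earle describes (51 services the CIO knew about versus roughly 700 in use) is usually found by looking at what actually crosses the web proxy rather than by asking. The script below is an added example, not code from Cheryl's talk or from Cisco: it tallies the cloud services each user reaches in a proxy log and flags those missing from the sanctioned list. The log format, user names, hostnames, service catalogue and sanctioned list are all constructed for illustration.

```python
"""Shadow-cloud discovery from web proxy logs.

Added example, not from Cheryl Biswas's talk or Nick Earle's post: tally which
cloud services each user reaches and flag those missing from the list the CIO
believes is in use. The log format, users, hostnames, catalogue and sanctioned
list below are all constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: timestamp user method url status bytes_sent
SAMPLE_LOG = """\
2016-03-01T09:01:12Z alice GET https://login.salesforce.com/ 200 512
2016-03-01T09:02:40Z alice POST https://api.dropbox.com/2/files/upload 200 4816000
2016-03-01T09:03:01Z bob GET https://www.box.com/ 200 2048
2016-03-01T09:05:22Z carol POST https://content.dropboxapi.com/2/files/upload 200 9200000
2016-03-01T09:06:10Z dave GET https://mail.google.com/ 200 1024
2016-03-01T09:07:45Z bob POST https://upload.wetransfer.com/api/v4/transfers 200 7300000
2016-03-01T09:08:00Z erin GET https://intranet.example.internal/ 200 300
this line is malformed and must be skipped
"""

# Constructed: registrable domains the CIO has approved.
SANCTIONED = {"salesforce.com", "box.com"}

# Constructed catalogue mapping registrable domains to a service name; a real
# deployment would use a vendor catalogue with thousands of entries.
SERVICE_CATALOGUE = {
    "salesforce.com": "Salesforce",
    "box.com": "Box",
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "google.com": "Google",
    "wetransfer.com": "WeTransfer",
}


def registrable_domain(host):
    """Last two labels of a hostname. Good enough here; production code should
    consult the public suffix list so that 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Return (user, host, bytes_sent) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, user, _method, url, _status, size = parts
    host = urlsplit(url).hostname
    if host is None or not size.isdigit():
        return None
    return user, host, int(size)


def discover(log_text, catalogue=SERVICE_CATALOGUE, sanctioned=SANCTIONED):
    """Aggregate observed cloud services: users, bytes sent, sanctioned flag.
    Hosts not in the catalogue (internal sites) are ignored."""
    report = defaultdict(lambda: {"users": set(), "bytes_sent": 0, "sanctioned": False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host, size = parsed
        domain = registrable_domain(host)
        service = catalogue.get(domain)
        if service is None:
            continue
        entry = report[service]
        entry["users"].add(user)
        entry["bytes_sent"] += size
        entry["sanctioned"] = entry["sanctioned"] or domain in sanctioned
    return dict(report)


def shadow_services(report):
    """Services seen in traffic but not on the sanctioned list, heaviest uploaders first."""
    unsanctioned = [name for name, e in report.items() if not e["sanctioned"]]
    return sorted(unsanctioned, key=lambda n: (-report[n]["bytes_sent"], n))


if __name__ == "__main__":
    rep = discover(SAMPLE_LOG)
    print(f"CIO believes: {len(SANCTIONED)} services; observed: {len(rep)}")
    for name in shadow_services(rep):
        e = rep[name]
        print(f"  shadow: {name:12} users={len(e['users'])} bytes_sent={e['bytes_sent']}")
```

Sorting by bytes sent puts the services most likely to be carrying shadow data at the top of the list, which is where a privacy review should start; on the constructed log that is Dropbox, used by two people who together uploaded about 14 MB that nobody in IT knew about.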

Cheryl doesn't go into great depth on vendor solutions that might help solve the problem, but she does acknowledge they exist. The Q&A portion begins at minute 36 and includes discussion of how to implement mobile security, an overview of Amazon's and Oracle's complicated relationship to the US-EU data protection safe harbor rulings and, finally, tips on implementing "least privilege" (as documented by SANS).

© 2016 Christopher Markman. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license

Fast-Forward: JavaScript API Exploits


"Abusing Adobe Reader's JavaScript APIs" is a panel presentation from three members of HP's Zero Day Initiative program that was delivered at DEF CON 23, held August 6–9, 2015, in Las Vegas.

It's worth noting that portions of this talk, including the number of known Adobe Acrobat Reader API exploits, were time sensitive, and the specific bugs may have been patched by the time of this blog post. Right around the 4-minute mark they explain that, over the course of their research, Adobe has released many patches claiming to fix this class of problem, yet the team and their bug bounty program continue to find exploits, and the supply appears plentiful: during the presentation Brian Gorenc (@Maliciousinput) mentions that they found a new JavaScript exploit while the group was on the airplane on the way to the conference.

It's also worth noting that it is very easy to disable JavaScript in Acrobat with a few clicks (Edit > Preferences > JavaScript, then uncheck "Enable Acrobat JavaScript"); however, it is enabled by default, and the most vulnerable users continue to be the folks who do not update to the latest version of this free software or have disabled autoupdate notifications entirely. Thirty minutes into the talk, Abdul-Aziz Hariri (@abdhariri) also explains which versions are affected; this information is not included in the slides provided on the DEF CON website. To summarize: Mac OS X is extremely vulnerable, and the "Pro" version in Windows is (or was) too.

As a final caveat, the Adobe Acrobat exploits described in this talk require users to open the malicious PDF, either accidentally or intentionally through social engineering. Once they do, the exploits are "chained" so that they execute "cleanly" in the background without the user noticing any interruption. This is a departure from memory corruption and fuzzing-derived techniques, which the presenters note behave less predictably in the wild; the JavaScript API exploits are far more sinister precisely because everything happens transparently to the end user.
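Because the attack needs a PDF that carries JavaScript and triggers it on open, the cheapest defensive check is a static one on the file before it reaches Reader. The scanner below is an added example, not code from the talk or from ZDI: it counts the PDF names that carry JavaScript (/JS, /JavaScript) and auto-execution (/OpenAction, /AA) in the raw bytes, after undoing the #xx name escapes attackers use to hide them (so /J#61vaScript is still caught). The two sample PDFs are constructed, minimal and not exploits; the approach follows the well-known pdfid style of triage rather than anything the presenters describe.

```python
"""Static triage of a PDF for JavaScript that runs on open.

Added example, not code from the DEF CON talk or the ZDI team: a pdfid-style
scan of raw PDF bytes for the names that carry JavaScript (/JS, /JavaScript)
and auto-execution (/OpenAction, /AA), with #xx name escapes undone first so
/J#61vaScript is not missed. The two PDFs below are constructed, minimal and
not real exploits.
"""
import re

INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
              b"/Launch", b"/EmbeddedFile", b"/ObjStm")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data):
    """Replace #xx escapes with the byte they encode. The PDF spec allows this
    inside names only; applying it to the whole file is a deliberate
    over-approximation that favours catching evasion over precision."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_indicators(data):
    """Count each indicator name, requiring a delimiter after it so /JS does not
    match a longer name such as /JSX."""
    norm = normalize_names(data)
    counts = {}
    for name in INDICATORS:
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        counts[name.decode()] = len(re.findall(pattern, norm))
    return counts


def triage(data):
    """Return a list of findings; empty means nothing suspicious was seen."""
    c = count_indicators(data)
    has_js = bool(c["/JS"] or c["/JavaScript"])
    auto_run = bool(c["/OpenAction"] or c["/AA"])
    findings = []
    if has_js:
        findings.append("javascript")
    if has_js and auto_run:
        findings.append("auto-run")   # runs without the user clicking anything
    if c["/Launch"]:
        findings.append("launch-action")
    if c["/EmbeddedFile"]:
        findings.append("embedded-file")
    if c["/ObjStm"] and not has_js:
        # Names may be hidden inside compressed object streams; this scanner
        # does not inflate them, so a clean result here is not conclusive.
        findings.append("object-streams-unscanned")
    return findings


# Constructed: a catalog with no actions at all.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed: /OpenAction points at a JavaScript action whose subtype name
# is hex-escaped (/J#61vaScript) to dodge a naive grep for /JavaScript.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def scan_file(path):
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    import sys
    for label, blob in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(f"{label}: {triage(blob) or 'no findings'}")
    for path in sys.argv[1:]:
        print(f"{path}: {scan_file(path) or 'no findings'}")
```

Run it with one or more file paths to triage real documents. A "javascript" plus "auto-run" result is the shape of the attack the presenters describe; an "object-streams-unscanned" result means the file uses compressed object streams (PDF 1.5+), in which case the names may be hidden and a tool that inflates streams, such as pdf-parser, is needed before trusting a clean verdict.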

At 12 minutes in, Jasiel Spelman (@WanderingGlitch) explains how the team discovers these exploits. If you are familiar with JavaScript, this section of the presentation is worth your time. If not, the takeaway is that they found many undocumented API calls, and the undocumented ones make it a lot easier to elevate privileges. Readers of January's Fast-Forward blog post may note that this "known unknown" element is very similar to the problems security professionals face with shadow IT and shadow data. It can perhaps serve as a reminder that when we talk about data privacy, the discussion should include proactive data discovery and auditing as key elements.

Concluding remarks, which give a full wrap-up of the talk, begin at minute 34 and are preceded by a live demo of the exploits on Windows 8.1 and Mac OS X.

© 2016 Christopher Markman. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.