November 24, 2015

Another Take on Aggregators: Banks Are Right to Block Scraping

In recent weeks, major US banks have prevented automated logins from aggregators like Mint and Digit, which use client-provided credentials to log in to user accounts and scrape out financial data. The Wall Street Journal's coverage (article behind paywall) implied that banks have acted primarily out of competitive motivations, but that isn't the case.

For these account aggregators to present competitive risk to banks, they would have to offer substitute services - ATMs, cash withdrawal, credit cards, savings accounts, etc. Yet the majority of these aggregators offer services that are complementary to banks. For example, Mint makes it easier for bank clients to consume their financial data, and the application HelloWallet encourages financial health through personalized guidance.

In fact, after briefly mentioning competitive threats, the WSJ article then spends far more time on the real issue, security concerns, than on competition. The article states:

[There is] growing concern within the banking industry that rising use of such sites will overload bank servers, on top of worries that customer data could potentially be vulnerable to hackers… In addition, it isn’t clear if consumers’ finances would be protected if they willingly handed over their confidential information to a site that was later hacked… [The aggregators] could present growing risks to consumers because of the detailed financial information the sites require from users.

Historically, Mint and Yodlee have been the dominant aggregators, but newer aggregators have emerged lately. These newer account aggregators present two considerable risks. First, unlike Intuit-owned Mint and established aggregator Yodlee, these small start-ups cannot provide clients with a level of security and protection comparable to the banks’. Second, with new aggregators popping up every day, banks have a harder time detecting fraudulent activity when aggregators log in and scrape out data, because automated attackers and aggregators are hard to tell apart. The bank’s security team then has two options – restrict all automated logins, or expend resources trying to distinguish safe aggregator bots from all other nefarious bots. The latter is expensive, so it appears that the banks highlighted by the WSJ have chosen the former path.

It is not in banks’ long-term interests to block account aggregators. As the customers quoted in the WSJ demonstrate, aggregators provide a valuable service. Banks recognize this fact, which is why they created the FS-ISAC’s Aggregation Working Group. The group was formed specifically to solve the problems outlined above while still allowing account aggregators to operate. They ultimately proposed a token-based authentication system that allows account aggregators to directly access the data they need, eliminating the need for clients to hand over their user credentials.

Yodlee publicly announced its support for the API system over a year ago and is working with banks to adopt the win-win solution. It is unclear if other aggregators are also in favor of this method and if the token-based system will become the new standard. What is clear, though, is that banks are taking automated online activity very seriously, and so should you.
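As an added illustration of the token-based scheme described above (example code written for this page, not the FS-ISAC working group's or Yodlee's design), the following Python sketch contrasts the two access paths a bank sees: a password login, which looks the same whether it comes from an aggregator or from an attacker, and a scoped, client-bound token the bank issued to a registered aggregator after the customer consented. The signing key, aggregator registry, client ids and scope names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: signing key, enrolled aggregators (hypothetical ids), revoked tokens.
BANK_SIGNING_KEY = secrets.token_bytes(32)
REGISTERED_AGGREGATORS = {"agg-budget-demo", "agg-wallet-demo"}
REVOKED_TOKENS = set()

def _sign(payload):
    return hmac.new(BANK_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(user, client_id, scopes, ttl_seconds=3600):
    """After the customer consents at the bank, a registered aggregator receives a
    token bound to its client id and limited to `scopes`; no password changes hands."""
    if client_id not in REGISTERED_AGGREGATORS:
        raise PermissionError("unknown aggregator client")
    payload = f"{user}|{client_id}|{','.join(scopes)}|{int(time.time()) + ttl_seconds}"
    return f"{payload}|{_sign(payload)}"

def verify_token(token, required_scope):
    """Return (user, client_id) for a genuine, unrevoked, unexpired token that
    grants required_scope; raise PermissionError otherwise."""
    payload, _, sig = token.rpartition("|")
    if not hmac.compare_digest(sig, _sign(payload)):
        raise PermissionError("bad signature")
    if token in REVOKED_TOKENS:
        raise PermissionError("revoked")
    user, client_id, scopes, expiry = payload.split("|")
    if int(expiry) < time.time():
        raise PermissionError("expired")
    if required_scope not in scopes.split(","):
        raise PermissionError("scope not granted")
    return user, client_id

def revoke_token(token):
    """The customer withdraws one aggregator's access without changing a password."""
    REVOKED_TOKENS.add(token)

def triage_request(request):
    """Bank-side view of one inbound request (a constructed dict): a valid token is
    attributable to a named aggregator, a password login is not."""
    if "token" in request:
        try:
            _, client_id = verify_token(request["token"], request["scope"])
            return f"aggregator:{client_id}"
        except PermissionError as err:
            return f"rejected:{err}"
    return "password-login:unattributed"
```

Because the token names the aggregator and its permitted scope, the bank can admit known aggregator traffic and revoke a single aggregator without forcing a password reset, which is exactly what a shared credential cannot offer.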

"Banks, at Odds With Personal Finance Sites, Disrupt Service." The New York Times. 10 Nov. 2015.
Huang, Daniel, and Peter Rudegeair. "Bank of America Cut Off Finance Sites From Its Data." The Wall Street Journal. 9 Nov. 2015.
Sidel, Robin. "Big Banks Lock Horns With Personal-Finance Web Portals." The Wall Street Journal. 4 Nov. 2015.
Watson, Colin. OWASP Automated Threat Handbook. OWASP. 26 Oct. 2015.
"Yodlee Announces Support of FS-ISAC, OAuth as Standard for." Yodlee. 16 Oct. 2014.

November 17, 2015

Imitation Game – The New Frontline of Security at QCon San Francisco

This week over 1400 software developers are gathering in San Francisco for QCon to share the latest innovations in the developer community. The conference highlights best practices in a wide range of emerging technology trends such as microservices, design thinking, and next-generation security.

Below are three sessions that will inspire your thinking in next-gen web security and technology.

Wednesday Keynote: The Imitation Game - The New Frontline of Security, 9:00 am, Grand Ballroom, Shuman Ghosemajumder
As one of the four keynote speakers, Shuman Ghosemajumder, Shape’s VP of product management, will discuss the next wave of security challenges: telling the difference between humans and bots. From Blade Runner to Ex Machina, robots in sci-fi have become increasingly sophisticated and hard to distinguish from humans. How about in real life? How are bots taking advantage of user interfaces designed for humans? In his keynote on Wednesday, Shuman will explain how a complex bot ecosystem is now being used to breach applications thought to be secure.

Wednesday Track: The Dark Side of Security, 10:10 am, Bayview A/B, Nwokedi Idika
As Sun Tzu noted in The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” To win the battle against rising cyber criminals, you must know your enemy. How do they think? What do they do before and after the compromise? How do they monetize? In this track, Dr. Nwokedi Idika, Senior Research Scientist at Shape, will guide you on a journey into the minds of the cyber criminals.

Wednesday Track: Javascript Everywhere, 10:10 am, Pacific LMNO, Jarrod Overson
JavaScript usage has been expanding past the browser for years. It’s now used in server applications at companies like PayPal and Walmart, native apps like Slack and Atom, mobile apps like Untappd, and even compilers for game engines like Unreal and Unity. Come to this track, led by Jarrod Overson, Director of Software Engineering at Shape and JavaScript super fan, to learn why and how JavaScript is used everywhere.

Want more QCon inspiration? Follow #ShapeSecurity and #QConSF on Twitter now.

August 4, 2015

Web Security Guide to Black Hat 2015

An important web security concept, “A Breach Anywhere is a Breach Everywhere,” will be highlighted at Shape’s booth during the Black Hat conference this week. Prominent attacks such as the Uber account hijackings show how spilled credentials obtained from previous breaches can lead to account hijackings on another B2C site.

Make sure to check out the Black Hat sessions relevant to escalating web security threats, such as password cracking (Cracklord), as well as the expanding web attack surface of technologies like EdgeHTML and Node.js. You can also engage with web security anti-automation experts at the Shape Security booth #558. On Wednesday at 2:30 pm, Shape will be hosting Ted Schlein, Partner at Kleiner Perkins (investor in ArcSight, Fortify, Mandiant), former CEO of Fortify and executive at Symantec.

Cracklord – A Friend of Credential Stuffers
If credential stuffing allows criminals to turn lead into gold, hash cracking is the act of digging lead from the Earth. Cracklord, a system designed to crack password hashes, will be explained by researchers from Crowe Horwath. As password cracking tools increase the pool of available credentials, B2C companies need to strengthen their web security defenses to defeat credential stuffing and account hijacking attacks. Credential stuffing and account hijacking attacks can be described as follows (using Uber as an example):
[Figure: Uber credential stuffing attack]

New web attack surfaces revealed
Web attack surfaces are constantly expanding as new web technology frameworks and browser technologies continue to be developed and popularized. Those web frameworks offer both the opportunity for built-in security and the risk of a single vulnerability affecting the entire user base. At this year’s Black Hat, two briefings, on EdgeHTML and Node.js, are particularly relevant.

Researchers from IBM will talk about new attack surfaces within Microsoft’s next-generation rendering engine EdgeHTML (codename Project Spartan). Researchers from Checkmarx will talk about different attack methods on Node.js as well. It’s important for B2C companies to be aware of these new vulnerabilities, as attackers are likely to exploit them.

Stop by Shape’s booth #558
Stop by to engage with Shape’s anti-automation specialists to evaluate risks to your website and learn how to protect your web application and mobile API services. On Wednesday, you will get a chance to meet with Ted Schlein, veteran VC at KPCB (investor in ArcSight, Fortify, Mandiant), former CEO of Fortify and executive at Symantec.

Have fun and hope you enjoy your week at Black Hat!

Links for relevant sessions on web security

Please follow Shape Security on Twitter – #ShapeSecurity

May 27, 2015

3 Infosec Notes From Our Time At the MIT Sloan CIO Symposium

Moderator Prof. Stuart Madnick makes introductory remarks for the cybersecurity panel, featuring Shape VP of Product Shuman Ghosemajumder, CSO of Schneider Electric George Wrenn, COO of 1E Nick Milne-Home, and CSO of ADP Roland Cloutier. 

Last week, Shape Security attended the MIT Sloan CIO Symposium. Hundreds of CEOs, CIOs, and senior IT professionals from all over the world met to discuss the issues that keep them up at night. 

Here we have distilled for you the three most captivating points discussed during the cybersecurity panel. 

3. “We are approaching a cybersecurity perfect storm,” said George Wrenn, CSO of European electricity distribution leader Schneider Electric.

Wrenn believes the convergence of “aging infrastructure, the interconnection of everything, the increasing sophistication of cybercriminals, and the unfixed security weaknesses of the early Internet age” leaves consumers and enterprises vulnerable to attack for the foreseeable future. Not only will it be difficult to address these issues individually, but it will be nearly impossible to survive a severe, multi-platform attack.

2. “No IT leader wants to stand in the way of innovation or customer satisfaction,” said Roland Cloutier, CSO of payroll services leader ADP.

To prevent and survive future attacks, enterprises must shift their focus to mitigating risk over short-term rewards. Customer growth and user retention will only get a company so far if the danger of a breach is always looming. To combat this attitude, product and security leaders must lower risk tolerance across all departments and work together to establish a realistic baseline - for example, a threshold of affected users or records lost.

1. “Adversaries have better technology capabilities than security professionals do sometimes,” said Roland Cloutier, CSO of payroll services leader ADP.

Today’s attackers are well-funded entities armed with thousand-node botnets, sophisticated malware, and an entire darknet economy willing to do anything for the right price. This leaves enterprises stuck implementing reactive security measures. The eventual worst-case scenario would be a major national attack that would spur enterprises, governments, and regulatory bodies to produce and enact new security standards. Although the situation would be devastating, the outcome could lead to better protections for consumers.

Take a look on our website at the other events Shape is attending, exhibiting at, and presenting at:

April 28, 2015

5 Things We Learned At RSA

1. KBA and NSA are shaping tech startups
General Keith B. Alexander, who retired as NSA Director in 2014, has become the founder and CEO of a new startup, IronNet. During his RSA session this year, he talked about how to heal the wounds to the tech community and what gift he’d send Snowden if he were given the opportunity. For the tech community, he recommended classified briefings to give technology companies the facts. For Snowden, he said he would send him the oath, which was met with loud applause from the audience. Take a look at the FCW article here.

2. Breaches are happening, even during RSA
On the second day of RSA, a major hotel chain notified its 18 million members via email that their accounts had been reset out of an abundance of caution. In Shape’s assessment, it seems possible, even likely, that account checkers had been used to hijack 200 accounts at the hotel chain. Take a look at the Shape blog post on account checkers.

3. Taking security up one level - to the Board
Everyone seemed to like and agree with what was said at the presentation, “A CISO's Perspective on Talking to the Board about Cybersecurity”. See what WSJ wrote about it here.

4. Password management is hard
Shape’s own Zhiwei Li spoke about password managers, exposing several vulnerabilities (now plugged) and discussing which manager would be the best manager in various cases. Take a look at his presentation slides.

5. Botnets are alive and well despite takedowns
The agencies behind the takedown of a major Zeus botnet (12 governments, 13 companies, 4 non-profits and 3 US federal agencies) said the criminal enterprises have learned and adapted to build more sophisticated and evasive botnets. Check out the list of agencies involved on the RSA session summary page.

It was a great show for Shape Security. If you go to a lot of conferences, like we do, then we’ll be seeing you at Black Hat in Vegas, and again at RSA in San Francisco in 2016.

April 9, 2015

Join our RSA session

The Emperor’s New Password Manager: Security Analysis of Password Managers

Friday, April 24, 2015
9:00 AM – 9:50 AM
Room: 3009

Session abstract: We conducted a security analysis of popular web-based password managers. Unlike local password managers, web-based password managers run in browsers. We identify four key security concerns and representative vulnerabilities. Our attacks are severe: in four out of the five password managers we studied, attackers can learn credentials for arbitrary websites. This work is a wake-up call for developers.

Speaker: Zhiwei Li, Research Scientist @ Shape

More information

Meet Shape at RSA 2015

April 20-24 • Moscone Center, San Francisco, CA

RSA 2015 is around the corner. Will you be attending? Come meet with Shape Security and learn more about our technology. We have a booth, are hosting a private meeting suite at the St. Regis hotel, and are offering free expo passes to everyone with our discount code. Read more details below.

Shape Booth

February 25, 2015

Use of Stolen Creds Is Most Dangerous Web Threat, Verizon Finds

Use of stolen credentials is the biggest web threat, says the most recent Verizon Data Breach Report.

Learn more about this threat below.

February 19, 2015

Hijacking 1 million accounts for $3

Our last post covered how credential stuffing poses a significant danger to consumer and enterprise websites.

But how much does it cost to actually execute this powerful attack?

Learn about how an adversary can hijack one million accounts for less than a fast food meal.

February 18, 2015

Rising Attack Vector: Credential Stuffing

Credential stuffing is a growing threat to the web community. As more companies offer their goods and services online, customers practicing bad password hygiene are in danger of having their accounts stolen whenever any website is breached.

Read more about the rise of credential stuffing below.