Friday, November 18, 2016

Answers on the Scotiabank rogue bank programmer problem.

If you're reading this, it's likely I've just told you via email to come here for some answers to the question(s) you just asked me.  

It's been a strange time since the ScotiaBank incident went public.  Many people have asked me the same questions over and over, and I continue to get asked about it.  It's a serious time drain right now.

So, here are a few of the answers to the more common questions:

How long was this going on for?

The earliest I can confirm it was a problem was March 31st.  Given it was corrected on November 16, that's 230 days.

Did anyone else know about this?

Yes, I had previously communicated the problem to Kony's Chairman & CEO.  I'd been tracking this hidden insult over numerous releases of the app.  Mr Hogan is also aware that after the story broke, ScotiaBank quickly issued an emergency patch.  I've no idea whether ScotiaBank has apologized to him or Kony directly, though I do doubt it.

What's your take on events?

I think Canada was lucky not to have it's first serious "inside job" bank cyber-heist.  

When Scotiabank showed that a rogue programmer can contribute unauthorized code to an app and nobody did adequate code reviews to catch these unauthorized additions, we should be thankful that this rogue programmer only inserted f-bombs, when they could just have easily put in a few lines of code to exfiltrate credentials en-masse.  

What has ScotiaBank said to you?

Nothing.  They're Scotiabank and I'm just a customer.  They don't listen to me, and unless they are chasing money, they won't call me either.

Did you notify them?

No. I used to help Scotiabank because I thought it was the right thing to do, but I publicly withdrew my support a long time ago after the customer/bank relationship broke down.  These days, if it's just a regular vulnerability, I leave it as a warning "canary" to see how long the bank takes to spot it.  If it's a big issue that could impact millions of people, I might document and send to the CCIRC.  At that point, it's down to the authorities to deal with the bank directly.

How did you find this?

I was documenting some other known problems for the CCIRC.  

Do you know of other issues?

Yes.  I'm aware of a number of them. 

Should we be worried?

Personally, I banned my family from using ScotiaBank digital products, and recommended to friends (after the second October breach) to avoid their digital products.  I'm the only one to use online banking (out of necessity) in our family, and this is only done on a designated Mac with additional precautions specifically implemented for dealing with ScotiaBank.  

I don't allow the mobile apps on our devices (I saw what happened in April with the porn problem), as I believe that the bank is allowing itself to be a target for a massive breach.

So, there you go.  That's the answers to the common questions I keep getting asked.

Tuesday, November 15, 2016

When programmers are unhappy...

Update 1:  After this post was made, Scotiabank quickly cleaned up the f-bomb on November 16, 2016, a mere 230 days after it first appeared. 

Update 2: An update to all the questions I got about this are here.

Over the years, I've learned that an unhappy programmer is a bad thing.  What ultimately happens is either the programmer does something bad, or does something stupid - and in some unfortunate cases, does both.  

Here's an example with Scotiabank that showed up an unhappy programmer, and it's actually quite embarrassing for that bank.

ScotiaBank built their current Android app using the Kony system, and this is outlined on Kony's website.

  (Click for full resolution)

However, the unhappy developer left a "F**k kony" message in the app and then shipped it to over a million of the bank's customers....  Here's the figure backing that up, as shown on the Google Play store.

(Click image for full resolution)
Here's the offending message pulled from Scotiabank's Android 16.9.1 app (it was also there in 16.9.0).

(Click image for full resolution)

This is the type of thing that can make or break a reputation of an institution.  You need to keep your developers happy, and address the issues they have, otherwise things slip and what we're seeing out of ScotiaBank is the result.

Wednesday, October 19, 2016

Cyber-security in a non-linear world.

I was mulling over a tweet this morning where I read about how Canada was going to be helping in financial cyber security with other G7 nations (Link).  I found this a bit ironic as the financial security in Canada is usually quite atrocious.  I’ve spent a while now, collecting proof of how bad it is, and there are definite trends I've noticed.

I’ve been trying to work out for a while as to what the root cause of the problem is.  Usually, I can simply correlate a symptom to a cause; Yesterday, for instance, I pointed out to ScotiaBank that they’re allowing customers to be phished again.  

This is a problem I’d previously reported to the CCIRC.

Whilst that’s the symptom, the underlying cause is one of these three things:
* The bank doesn’t check for this.
* The bank does check for this, but failed to check properly.
* The bank did test properly, but someone thought it was OK to publish regardless.

The problem is simply that the aforementioned symptom is just the tip of the iceberg.  Elsewhere, I see way bigger issues.  My thoughts turned to trying to work out why the bank security keeps failing - something I usually blame on policy, because if the people writing the rules for “what to check” know what they’re doing, and other people following those procedures do it properly, you wouldn’t have these problems.

And then the idea occurred to me today that there’s a bigger fundamental issue…  

Anyone that has followed military tactics will know how the current Russian/Surkov non-linear warfare model is bamboozling lots of people, well, basically the bank’s face a similar problem and it’s bamboozling them, too.  In the old days, you had the bank and the bank robber.  The linear aim was for the robber to get the money in the vault - so it was the bank’s job to stop that happening.

Fast forward to 2016 and we have this triangle, where if you compromise one side of the triangle, you can get to the other two.  

In this model, we have:
1) The bank.  This is the bank and it’s infrastructure like online banking, virtual vaults, payment messaging systems, etc.
2) The customer.  This is your average Joe on the street.  He/She can be socially engineered.
3) The shared environment.  This is where the bank interacts with customer’s hardware.  

In a non-linear attack, an attacker can go for any side of this triangle, any combination of two sides, or the hat-trick of all three sides.  That means the bank cannot easily anticipate how to out-fox a would be attacker - and sometimes the attack on the bank means the bank isn't directly attacked in any detectable way.  

The modern bank has to be on guard on all three sides and protect itself from a non-linear threat, and that simply doesn’t always happen.  Any bank that gets sloppy with it’s procedures, or allows customer phishing on it’s own site is going to be inviting trouble.  If a bank leaks data, has incomplete security procedures or leaks source code, then it’s going to invite really big trouble.

I’m not a security expert by trade, but I am observant and I track what I see.  When I see banks suffering these symptoms, I see the potential for really big trouble.

Monday, October 17, 2016

An attempt with Visual Studio 2015s "Visual Studio" template

I've been programming since I was about 8.  Trouble was for 3 years I did it on paper as I didn't get an actual computer until 1984.

Over the years, I've programmed a lot of things:  Notable items include working on first Palm Pilot banking app in Canada.  Mobile advertising on buses.  Writing several versions (singlehandedly until I was given help) of iHeartRadio for iOS, and most recently I programmed the app for Tellspec.

That quick run down skips a lot of Windows, Mac, iOS, Palm, Blackberry, and so on, jumping about between development environments and platforms.  I've literally spent my past 9 years up to my eyeballs in iOS with some runs into C# for FEMA EAS related stuff, and other languages for banking or manufacturing.

So it was that I found myself installing Visual Studio last week.  This is something I first got introduced to in the late 1990s when VB 6 merged with Visual C++ (and IT Ake with Visual InterDev for web development).  (I'd been with VB since v3 before that)

I may have started programming on a 48k Spectrum, and I may have had millions of people running my code on iOS, but Windows is like my spiritual home.  I've spent decades there.  My first professional Windows app (the "Memory Compactor") worked on Windows 3.11 and played on a mechanism of Windows that I could use to the users advantage to free up memory.

Now, I found myself "coming home" for a new project on the side, where I was tinkering with an idea.  The outcome of the project has no bearing on the company i work for - the only thing at stake was whether the idea would fly or not.  If it flies, I present the idea to the boss - and if it fails, then I've spent a bit of time keeping abreast. At worst, if someone asks me what the latest version of Visual Studio I've used is, because they're trying to trip me up, I can answer 2015.

So I installed the Community Edition to get re-acquainted with it. (yes, this hardcore Apple Dev was back in Microsoft land)

On the whole, I was very pleasantly surprised.  There was some familiarity that made me happy - and there was something new, which made me really happy.... the MFC "Visual Studio" style template.

The standard templates for SDI and MDI MFC apps have been around 20+ years and are well documented to the nth degree.  If you have a problem, 20 seconds in your favourite search engine will show you the answer.  This new Visual Studio template, however, is new, undocumented, and doesn't have a tone of Q&A.

On the flip side, I posted a comment on Twitter that I'd spent a day in VS (which for a person who spends most of his time in Xcode, makes for a massive change), and was surprised to hear from the Visual Studio Twitter team.

They were proactive, but given my circumstances (I work on a mac in a virtual machine), their enthusiasm to share keyboard shortcuts didn't hit a bullseye with me - but that's not their fault as I'm on a Mac right now.

Now I let them know that unfortunately I was a slight edge case, and they took it gracefully and extended that if I needed future help to shout....

And this is where this post comes into play.

I started Windows programming in VB3.  Like before the data access control showed up and revolutionized things.  I've grown up through VB4, 5, 5 Control Edition, 6, Fred, C#, and simultaneously gone through MSVC 1, 2, 3, 6, (skip a lot) and now land at (14?).....

... and I hit a problem.

Rather than complain about lack of docs, I spend several consecutive evenings (I have a day job to attend to) trying to find a solution and ultimately now decided to pick up the offer from the Twitter team about help.

What I want to know is how this VS template works.  I can put properties in the Property Sheet view and if I ask for the current document, it always null, meaning I cannot persist those changes.

I normally don't consider myself an idiot, but if I'm using a VS2015 template, surely there is some documentation somewhere explaining how this is supposed to work?

It's not the end of the world for me (I can just drop the idea that we ship a windows app), but I'm kinda feeling that I should have a solution.


Thursday, October 6, 2016

Thoughts on this month's #FraudChat

Toronto's Financial Crimes Unit (FCU), in partnership with other community and government stakeholders, has a Twitter chat each month called #FraudChat.  I usually try to listen in on it, and most months I have no comment.

But not this month.

I was particularly looking forward to this month's, as in Canada right now it's Cyber Security Awareness Month, and this means we were more likely to be in for some special guests.  As always, it was an informative event to follow along with.  The topic was identity theft/fraud.  Some guests concentrated on property/title fraud, but I was interested in hearing what one particular guest had to say - the Canadian Bankers Association (hereafter the "CBA").

The entire chat covered many angles, from physical issues like people dumpster diving for mail, to hacking and trojans, credit reports, scams, property title fraud, etc.  However, given my knowledge of Toronto, I was looking for signs of something specific to come up in conversation.  

Diving in a dumpster might reasonably reveal information on between 1 to 5-6 people.  A trojan on your phone might slurp the contact details of 1,000 people.  When you have 20 million people doing online banking on just a handful of websites, thats where I'm interested.

Now, the CBA is obviously going to be biased into pushing all the security onus on to the customer.  In this chat, however, all they brought to the table was a series of tweets that pointed to pre-existing articles on their website.  All of which were exactly as biased as you would expect them to be (how to spot a phishing email, don't give out your personal details, etc).  

I feel like this was a lost opportunity on the part of the CBA.  Whilst there was no usual "we take security very seriously" that you'd expect to hear from any bank or banking-related organisation, there was also zero mention of what their members were doing that was new and would tackle the existing security deficiencies that Canadian banks have.

However, every cloud has a silver lining.  The CBA website gave me something that I can use to determine what I've suspected for years, but have never been able to prove with bank cyber security.  So, as soon as I've had some spare time, I will be back with the result to the burning question of the past five years.


Thursday, September 22, 2016

Hopefully a sign of new things to come...

It's been a busy year this year.  In my day job working in food security, I've been to Taiwan, Arizona and South Korea.  I've met a lot of people who want to help solve some really really big problems that literally affects billions of people.  It's been rewarding to see this year unfold, if a little challenging.

In my spare time, I've also had some rewards.  As most people know, I've had nearly two decades of challenges with one of my banks.  Well, something interesting happened.

Traditionally, the customer/bank relationship looks like this:

It's not a productive loop, and it's prone to issues.  For instance, I've experienced "We're looking into your problem" when I've not actually stated what the problem is yet.  (In programming, we call this a "race condition").  Another problem is that if you are the one reporting, there's the sensation that things disappear into a black hole as you never get feedback.

But, that was all I had for 18 years.

About a month ago, something I saw emanating from the CIBC twitter team that was obviously "incorrect from a technical standpoint" annoyed me.  On that day, I was going to be downtown, so I thought I might as well just break the "Report" -> "Thanks" cycle and walk into the bank with the solution to the issue.  Long story short, my "let's just cut to the chase" style wasn't met with the same enthusiasm.

I have no idea what switch flipped that day within the bank, but after 18 years, we changed to this method of communication:

Now, instead of the uncertainty of whether technical messages are getting through, or are distorted in a game of "broken telephone", the bank was asking what I needed? 

That's a very simple question for me - If someone gives me a room full of technical and policy people that I can speak unimpeded and natively to in order to explain a) what I can see and b) where I can see it, then I can get effective feedback (anyone that's ever worked with me knows I don't like red-tape or unnecessary delays) as to whether what I'm saying is even being understood, as well as the added bonus that you can hold a Q&A session to clear up any loose ends. I think that in 30 minutes, I offloaded more information about customer optics and technical issues than I have since the "triple-Interac-debit whilst saying money was not debited" debacle of 2013.  

Another good thing that came out of this is the customer service person I normally deal with (and probably frustrate to no end) was also in on the conversation.  In an age where KYC ("Know Your Customer") is a buzzword in banks and large organisations and doesn't actually mean that they "know" who you are, I think it was good that the frontline customer service person who normally has to deal with me could see me in my native habitat.  Instead of being the keyboard warrior on Twitter that they know and recognise, they could the bigger picture when this wound-up-spring was finally let loose.

We didn't agree on everything (for instance, 9:59am to 1:49pm is still basically 4 hours in my book), but I think it was a productive use of my time and their time.  I was told new things that nobody had explained before, and they were told things that I see as problematic.  

Time will tell if things actually get cleaned up security wise, but my guess is it will because now people know the extent of what can be inferred outside the bank, and most crucially, know that people outside the bank know.

Thursday, August 25, 2016

Securing the news...

I read an interesting article today, about how the news outlets are getting targeted by hackers.

This doesn't surprise me for a number of reasons:
  1. Most news today is not an unbiased account of fact, but rather it takes sides and therefore it becomes a polarizing factor that can raise ire amongst some people.
  2. News media outlets today are not used to securing news, so something that is unprotected can be adulterated and changed into something it was never intended to be.
In Canada, we have two major corporations that control most of the news and media in general.
  • Bell Media 
  • Rogers Media
Regular readers of this blog will realise something:  This is Bell Canada and Rogers, the two monolithic cellphone and internet providers in Canada.  These two organisations are traditionally not good at security with their own customer facing systems, so you can imagine what type of security I have noted has been imposed on their media divisions.  

I did a quick 2 minute scan to see what I could find security wise....

What I found was this:  The media divisions are open to the exact same methods of being compromised as each parent company is currently known to be.  This percolates down through each media property such as a radio/tv station website, or newspaper site.  So, in short, it's possible to adulterate the news in Canada.  

We all know the phrase about those who control the message control the people - and that's what makes the media a target for hackers.