Monday, December 5, 2016

The 230 day vulnerability

In April of 2016, I found myself talking to a lady at the Office of the President at Scotiabank. I knew something that Scotiabank might want to know about with regard to a cybersecurity problem it didn't know it had, and we were trying to explore the next steps to exchange information.

The outcome of that call was that I would send Scotiabank an email laying out some background information, and they'd pass it to the most appropriate person in the bank to get the next steps in progress. I work in technology and I definitely don't work for free, especially for banks, and Canadian banks generally don't pay the public for cybersecurity advice, which traditionally means that nobody tells the banks what they need to know in the first place. However, I sent them an email that explained that the bank had a big cybersecurity problem, and I tabled a simple barter: as a bank they could make a phone call for me which I didn't have the power to do, and in return they would get the information that they needed. It's a simple "You help me, and I'll help you" arrangement and no money has to change hands.

A day or two later, a senior cybersecurity person at Scotiabank called Rob Knoblauch took a look at my LinkedIn profile, and that was the last observable action taken by Scotiabank on the matter that I could record. Given the choice between acting on the fact that someone is telling you that you have a cybersecurity issue and not acting on it, the issue disappeared into a black hole, and nobody at the bank ever contacted me again. Exactly 120 days after that, I sent a follow-up email to the Office of the President, explaining that I was sending information to the CCIRC. No response came from that message...

So, what precisely was at stake?

The bank had observably been slipping in its cybersecurity efforts for some time, and by April 2016 it was showing serious signs that an internal cyber-shambles was in full effect. Not only had the bank forgotten to protect its Android source code (meaning that every time it published a new app, anyone from white hats to criminals could see how the app worked and could compromise it, patch it, repurpose it and repackage it), but it still allowed phishing on its Internet banking website because it had not fixed a simple click-jacking attack vector. It was also apparent that cybersecurity policies were either not being followed or did not exist, as popular credential-sharing sites still listed Scotiabank's domain.
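Both failures described above, a release build shipped without obfuscation and a banking page that other origins are allowed to frame, are things a release gate can check mechanically before anything reaches customers. The script below is an added example and is not Scotiabank's code or anything from the original post; it assumes a standard Android Gradle module (`buildTypes { release { minifyEnabled ... } }`) and plain HTTP response headers, and every sample input in it is constructed.

```python
import re

# Constructed sample: an Android app module build.gradle whose release build
# ships with R8/ProGuard shrinking and obfuscation turned off (not any bank's real file).
GRADLE_WEAK = """
android {
    buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
        debug {
            minifyEnabled false
        }
    }
}
"""

# Constructed sample: the same module with R8/ProGuard enabled for release.
GRADLE_FIXED = """
android {
    buildTypes {
        release {
            minifyEnabled true
            shrinkResources true
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
        }
    }
}
"""


def _block_body(text, name):
    """Return the text inside the first `name { ... }` block, honouring nested braces."""
    match = re.search(r'\b' + re.escape(name) + r'\s*\{', text)
    if not match:
        return None
    depth, start = 1, match.end()
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced braces


def release_minify_enabled(gradle_text):
    """True only if the release build type explicitly sets minifyEnabled true.

    The Android Gradle plugin defaults minifyEnabled to false, so a missing
    release block or a missing flag means the release APK is not obfuscated.
    """
    build_types = _block_body(gradle_text, 'buildTypes') or ''
    release = _block_body(build_types, 'release') or ''
    flag = re.search(r'\bminifyEnabled\s+(true|false)\b', release)
    return bool(flag and flag.group(1) == 'true')


def framing_protected(headers):
    """True if the response headers stop other origins from framing the page.

    Accepts X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive
    that does not allow every origin. Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get('x-frame-options', '').strip().upper()
    if xfo in ('DENY', 'SAMEORIGIN'):
        return True
    csp = lowered.get('content-security-policy', '')
    for directive in csp.split(';'):
        parts = directive.split()
        if parts and parts[0].lower() == 'frame-ancestors':
            sources = [p.lower() for p in parts[1:]]
            return bool(sources) and '*' not in sources
    return False


def release_gate(gradle_text, headers):
    """Collect the findings a release would be blocked on."""
    findings = []
    if not release_minify_enabled(gradle_text):
        findings.append('release build type does not enable R8/ProGuard (minifyEnabled)')
    if not framing_protected(headers):
        findings.append('no X-Frame-Options or CSP frame-ancestors: page can be click-jacked')
    return findings


if __name__ == '__main__':
    # Constructed header sets standing in for a captured login-page response.
    unprotected = {'Content-Type': 'text/html'}
    protected = {'Content-Type': 'text/html',
                 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'"}
    for finding in release_gate(GRADLE_WEAK, unprotected):
        print('BLOCK:', finding)
    print('fixed config and headers ->', release_gate(GRADLE_FIXED, protected))
```

Two caveats worth keeping in mind when using a gate like this. `minifyEnabled true` only raises the cost of reading a decompiled APK (and only if the rules file does not say `-dontobfuscate`); it is not a security boundary, so the real control against an unauthorized change is review of what goes into the build, not obfuscation of the output. And the framing check is per response: it has to run against every authenticated page, not just the one that was tested once.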

Meanwhile, in the US, a Mobile Application Development Platform (MADP) vendor, Kony Inc, which makes the tools that Scotiabank uses, was the subject of ire from a frustrated Scotiabank programmer who inserted a message on a test screen in the Android app with the words "Fuck kony" (sic) in it. The programmer probably thought that nobody would ever see this unauthorized addition to the app, unaware that the release team at Scotiabank was failing to obfuscate the app properly when sending it out to customers, and also unaware that nobody appeared to test the security of the final product. Because Scotiabank had turned off code obfuscation on its Android app that same month, anyone who knew what had happened was now crawling through its mobile source code, and it was apparent that any rogue programmer within the bank inserting unauthorized changes would be able to get away with it: nobody had caught this one, and now over a million Canadians were walking around with expletive-laden apps on their phones. The CCIRC were notified that the source code was available to all and sundry, but the rogue-programmer problem was left in place as a warning canary, to see whether the bank was doing proper code reviews and to time how long it would take them to catch it. Besides, if anyone inside the bank did anything worse to the app, it would be caught outside the bank and the alarm raised.

October was National Cybersecurity Awareness Month (NCAM), and Scotiabank was as vocal as many of Canada's big banks with its platitudes about cybersecurity and how it takes security "very seriously", peddling the well-worn rhetoric that "security is of paramount importance". Each time, the focus was on making sure the customer did not compromise themselves, and the bank with them; meanwhile, in spectacular fashion, Scotiabank kicked off NCAM with two more mobile source code breaches in as many days as it pushed more updates to its app, still with no protection on its source code.

It also came to light that Scotiabank's programmers had posted crash stacks for internal iPad kiosk projects within the bank to the public paste site. During NCAM, Scotiabank had more leaks than a sanitary towel advertisement with blue water demonstrations. This blog, which many banks in Toronto read, tipped everyone off that Scotiabank had an unauthorized code addition in its app on November 15th. By November 16th, a new app was being pushed to Canadians that, whilst still exposing much of its source code, was at least being polite again to its MADP vendor. As ever, Scotiabank said nothing about the matter.

The exact time that the programmer slipped in the vulgarity is unknown, but it is proven to have been visible to those outside the bank for at least 230 days, during which time the bank never caught it using its own policies and practices.

Whilst Canadians spent much of 2016 walking around with swearing aimed at the bank's vendor in their pockets, they were simultaneously very lucky that this same programmer had only done what he or she did, and had not planted a few lines of unauthorized code to exfiltrate credentials instead. As the bank was repeatedly shipping an unauthorized change in its app, Canada was dodging a serious chance of a very large insider-job bank heist.
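The 230-day gap is the time between an unreviewed change being built and anyone noticing it in the artifact customers actually received. A release gate that diffs what shipped against what was reviewed catches that class of change whatever the change says, whether it is an insult to a vendor or a credential-exfiltration path. The script below is an added example, not the bank's code or anything from the original post; it assumes the shipped APK's resources have been decoded back to a `strings.xml` (for example with apktool) and that a `strings.xml` from the reviewed release tag is available, and both samples are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: strings.xml as it exists at the reviewed release tag.
REVIEWED_STRINGS = """
<resources>
    <string name="app_name">Example Bank</string>
    <string name="login_button">Sign in</string>
    <string name="balance_label">Available balance</string>
</resources>
"""

# Constructed sample: strings.xml decoded from the shipped APK, with one
# reviewed entry altered and one entry that never went through review.
SHIPPED_STRINGS = """
<resources>
    <string name="app_name">Example Bank</string>
    <string name="login_button">Sign in now</string>
    <string name="balance_label">Available balance</string>
    <string name="test_screen_msg">placeholder left on a test screen</string>
</resources>
"""


def load_strings(xml_text):
    """Map string resource names to their text; other resource types are ignored."""
    root = ET.fromstring(xml_text)
    return {el.get('name'): (el.text or '') for el in root.iter('string')}


def unreviewed_strings(reviewed_xml, shipped_xml):
    """Shipped entries that are absent from, or differ from, the reviewed tree."""
    reviewed = load_strings(reviewed_xml)
    shipped = load_strings(shipped_xml)
    return {name: text for name, text in shipped.items() if reviewed.get(name) != text}


def missing_strings(reviewed_xml, shipped_xml):
    """Reviewed entries that did not make it into the shipped build (also worth a look)."""
    reviewed = load_strings(reviewed_xml)
    shipped = load_strings(shipped_xml)
    return sorted(name for name in reviewed if name not in shipped)


def shipped_matches_review(reviewed_xml, shipped_xml):
    """Single pass/fail answer for a release gate: nothing added, changed or dropped."""
    return not unreviewed_strings(reviewed_xml, shipped_xml) and \
        not missing_strings(reviewed_xml, shipped_xml)


if __name__ == '__main__':
    for name, text in unreviewed_strings(REVIEWED_STRINGS, SHIPPED_STRINGS).items():
        print(f'UNREVIEWED {name!r}: {text!r}')
    print('shipped build matches reviewed tree:',
          shipped_matches_review(REVIEWED_STRINGS, SHIPPED_STRINGS))
```

The important design choice is the baseline: the comparison has to be against the tag that was reviewed and signed off, not against whatever is on the developer's branch at release time, or a change that was slipped in before the tag is simply approved along with everything else. The same diff-against-review idea applies to the code itself (class and method lists from the shipped DEX against the reviewed build), but string resources are the cheapest place to start because a message shown to a million customers is exactly the kind of change that is never meant to reach them unreviewed.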

That is something definitely worth mulling over.