Monday, October 30, 2017

Update on the Scotiabank breach and code leak, plus my mortgage saga...

This is just a quick update...

Video on where things are at after sixty days....  It's grim.

Tuesday, October 10, 2017

Update on the Scotiabank API Breach

Just a quick note to say that as of 11:49am (EST) on Oct 10, 2017, it appears that the CCIRC has successfully removed the Scotiabank security breach.  The offending repository is gone.

Now, this isn't the end of this story - another breach is identified...  More to follow in the coming week.

The dangerous cybersecurity pattern I see at Scotiabank

I’ve noticed something of a dangerous repetition at Scotiabank in Canada.  

October is Cyber Security Awareness Month (CSAM), and for the second year in a row, during CSAM, I found the bank has been compromised and more by luck than skill has dodged a catastrophic cybersecurity problem.

In April 2016 I noticed that Scotiabank was pushing out Android mobile apps that had an “unauthorised addition” in them, after a frustrated programmer added their own personal content to drop an f-bomb at one of the bank’s vendors.  Trying to alert the bank went nowhere and by summer the Canadian Federal agency “CCIRC” (Canadian Cybersecurity Incident Response Centre) was alerted and monitoring the situation too, as regular updates of the app were pushed out by the bank with the unauthorised code.  Scotiabank finally got the message after 230 days on November 15th 2016.  On November 16th Canada had “f-bomb free” apps.

This means that during CSAM 2016, Scotiabank was compromised and not aware of it, even though everyone around them was fully aware.

We can only infer that one of two things happened;  Either someone checked that code and OK’d they insult (an unlikely scenario), or we were seeing that if a terrorist wants to get code out to the masses, they just have to get a job as a mobile programmer with Scotiabank.

Given the situation that unsavoury additions to apps were pushed through to the public, the bank was extremely lucky that any offender only chose to insult a vendor, rather than adding code to syphon off customer information.

For CSAM 2017, the situation repeated, but it also got markedly worse.  

I reported to the CCIRC on October 7th 2017, that a vendor to Scotiabank had posted the keys for the backbone API of the bank to a public GitHub repository.  

In addition to the keys, the source for a Windows-based security application was also public, and the XSD’s for that API as well as the mock XML requests and responses and other documentation for that API were also available.  I also spotted that a .Net DLL for client side security (referenced in a December 2016 leak) was included, and this was fully reverse-engineerable with no obfuscation. This meant that two annual leaks could be cross-correlated and the DLL used both the AES key and Triple DES key that were in this latest leak, too.

The icing on this cake was this information has been public since November 2015.

In conclusion, what really got me during this episode is that Scotiabank has been potentially compromised for two years, and it’s going to be really tough for Scotiabank to prove that nobody has already used this information to gain unauthorised access to that API.

Sunday, October 8, 2017

How I ended up with the keys to Scotiabank

So, in a chain of events that doesn't surprise me in the least, I have pointed the CCIRC (the cybersecurity bit of the RCMP) at a public GitHub repository that contains a security breach for Scotiabank, originating at one of it's partners South of the US. 

In short, I was researching a YouTube video for Cyber-Security Awareness Month, and knowing that all big banks in Canada have a problem with leaking code into GitHub, went to look for a common example of Scotiabank's continual leaks.  

Like the TCS leak back in summer, I found more than I was bargaining for, and immediately had to notify the authorities.

To summarise the situation:

  • The AES and TripleDES keys to talk to the back end of the bank are public.
  • Windows software that is supposed to be used for security work within the bank is public.
  • The client security library described in the 2016 breach is now public.
  • The XSD's for the com.bns.soa API are public.
  • All the mock requests and responses for the API are public, along with documentation on how the service works.
  • Somebody wrote the username/password in plain text and stored that in a text file.
As you can guess, it turned out that when I looked at the library, it's not been protected either, so anyone can reverse the binary back to source in less than a second second.  That same library was used by the Windows software that was leaked in its Visual Studio source-code form...

Oh, and this has all been wide open since November 2015

The big question while I wait for the CCIRC to clean up this mess is how Scotiabank can prove that nobody else has been going in for two years.

Anyway, more details in the vlog about this...