Today’s headline alludes to a concept perhaps as old as civilization itself. Plato expressed it as, “Quis custodiet ipsos custodes?” Who will watch the watchers? In a spectacular demonstration of what a well-executed hack can do, an unknown hacker has virtually imploded the operations of a digital surveillance company known (ironically now) as Hacking Team. Despite the rather colorful name, this Italian security company has contracts with dozens of government agencies from all over the world, including the United States. Their product? Essentially spyware for conducting remote surveillance and other covert digital operations. The unknown hacker taunted the company and its employees by taking over Hacking Team’s Twitter account and began sharing extremely sensitive internal files through tweets purportedly coming from the company itself. Once the breach was discovered, Hacking Team contacted its clients and strongly recommended they cease using any of the company’s software. Given the general public distaste for Hacking Team’s type of software and the amount of daylight this shines on its customers, it’s highly likely that very few contracts will be renewed, leaving the company’s future very uncertain.
What this means for you:
Unless you happened to be on the list of Hacking Team customers, there’s not a lot you need to worry from your own organization’s perspective. However, as a citizen of a supposedly democratic nation, you should be concerned about how our government agencies conduct themselves. Should law enforcement agencies be allowed to break the law in order to do their jobs? Who will watch the watchers? Are those people (I’m talking about Congress now) qualified to make proper decisions when they barely understand how the Internet works? To translate this into more relatable (and actionable) terms, do you understand enough about your own organization’s security and technology to make informed decisions on what to buy, what to use, and who to hire? In the case of Hacking Team, it appears that the hacker breached the company through the personal computers of its own system administrators, an irony within an irony. Are you adhering to the security standards to which you hold your own employees accountable?
Over the past 2 years, I’ve seen the rate of malware attacks climbing at an accelerated rate. This is due in large part to the evolution of malware as a lucrative crime, combined with sophisticated, easy-to-use platforms that are designed for and marketed to non-technical users. Previously, successful viruses and their code were jealously guarded and the purview of an elite “cadre” of hackers who would advertise their creations as badges of honor. Now this same cadre of malware programmers is racing to bring product to a highly competitive market. Malware is a business, and business is good.
What this means for you:
It’s not just an assumption that you will be targeted by malware. It’s most likely a fact. Malware makes its handlers money by casting the widest net possible, which means everyone is a target, and the attack platform that can prey on the most victims wins. With that in mind, the safest mindset to adopt is that your technology will be or already is under attack, and you must gird yourself for the onslaught. Here are 3 ways to prepare, plus one less-obvious way that may or may not be practical for most organizations:
- Install a good firewall on your network periphery. Though most ISP-provided routers come with some basic firewall functionality, your business or organization should be protected by a professionally managed firewall that can provide what’s known variously as “Unified Threat Management” or “Gateway-based Defense”. In a nutshell, these devices sit on the entry point of your organization’s internet connection and monitor all data going in and out, scanning for malware, hacking attempts, objectionable content and spam. This is your first line of defense, and if maintained properly, can protect you from numerous threats 24/7/365.
- Use effective malware protection on your vulnerable technology. Even assuming you have some sort of protection on your network periphery, there are still plenty of ways for malware to get inside your network, and once it is “inside the gate”, your computer or server’s only protection from a really bad day is the anti-malware you’ve installed locally. This software should have some form of active protection (always-on scanning, port blocking, etc.) and not be something that has to be run manually in order to detect or clean up a malware incursion. If malware isn’t detected and handled the moment it approaches your computer, it’s too late.
- Back up your data. Sad as this fact is, no anti-malware is 100% effective. Your machine will get infected and at that point, the only way you don’t lose this battle is if your data is backed up and isolated from infection. This means offsite backups, with at least 7 days of historical versions just in case the backup software unknowingly backed up infected files (which it can and will do if you don’t catch it quickly enough).
- Disconnect from the internet. If the above 3 items are beyond the reach of your organization for either budgetary or technical reasons, this rather drastic alternative is very effective. Even though it may be impractical for most companies, approaching this problem from this perspective may lead to some creative changes in operations and employee behavior. As a simple example: block access to social media sites on work computers, but provide separate, isolated wifi for mobile devices that allows them to scratch that itch on their own devices.
Image courtesy of graur razvan ionut at FreeDigitalPhotos.net
In the early days of malware, the most well-known viruses were designed to be noticed: at minimum they made themselves a nuisance through a variety of prankish behavior, all the way to the other extreme of destroying data (usually right after taunting you, just to make sure you noticed you got infected). Today, cyber criminals make their best money and achieve their political goals by going undetected for as long as possible, until they are ready to strike. Security firm Cylance has released a report that alleges networks of multiple companies considered to be critical infrastructure and/or highly sensitive – think airlines, natural gas producers, defense contractors – have been completely compromised and “owned” by an outside group suspected to be backed by the Iranian government. Through this coordinated campaign (also called an “Advanced Persistent Threat” – APT) dubbed “Operation Cleaver” by researchers, the unidentified group of hackers obtained complete control over the entire network infrastructures – all servers, network equipment and everything connected to them, and remained in control over the course of at least 2 years. The companies remain unidentified in the report, primarily for security concerns.
What this means for you:
In a conversation with a client today, we discussed the recent hacking takedown of Sony (another APT that completely owned their network), and why they made a more attractive target than my client who is only a fraction of the size. As mentioned above, malware was originally designed to wreak havoc in a chaotic fashion, but now that there is money or power to be gained from it, hackers are much more organized and pursuing targets which usually fall into one of two buckets:
- The average home computer user – easy to hack, but usually not worth much, except when campaigns net thousands of victims. The dollars add up quick.
- High-value companies or organizations – more difficult to hack, but once compromised, can result in significant monetary and political impact.
As you may have guessed, most small and medium-sized businesses fall squarely in the middle, and if they are hacked, it’s usually by malware aimed at the first group. HOWEVER, the client and I considered another possibility: what if the object was to destroy data in order to disrupt your business? Even with a culture steeped in Hollywood fantasies of corporate espionage and sabotage, it may still be hard to imagine a competitor stooping so low as to put out a “cyber hit” on your organization. Considering that we already know organized crime is elbow-deep in funding and profiting from malware attacks, maybe that threat isn’t as far-fetched as we might have hoped. Coordinated attacks like Operation Cleaver are typically backed by nation states, primarily because the resource requirements are steep, but a smaller, focused campaign to take out a small company could be handled by a single, freelance “cyber-hitman”. If I can imagine it, you can bet this is already happening. We just don’t know about it yet.
In the US, Thanksgiving traditionally marks the start of the holiday season, and most of us will open our hearts and minds (and wallets) just a bit more than we do during the rest of the year, and we let down our guard to enjoy the holiday spirit. Sadly, criminals and other malicious agents are also in the holiday mood, and count on the distractions of the season to really suck the joy out of the holidays. Here are some things you can do to make sure your holidays aren’t marred by the cyber Grinches:
- Stop opening email attachments
This is how the dreaded Cryptolocker virus gets onto your computer. If you receive an email from someone with an attachment that you weren’t expecting, pick up the phone and call that person to confirm that the attachment is legitimate. Hey, it’s the holidays. Shouldn’t you be reaching out and touching someone anyway?
- Stop clicking links in emails
Just because you received an email from someone you know that has a link to the world’s funniest/scariest/cutest video does not mean you should click that link. At minimum, hover over the link to read where it’s really going to take you. Or pick up the phone and call that person to verify they sent the email in the first place, especially if the email seems to be out of character for the sender. Sensing a trend here? Wouldn’t you rather be on the phone catching up with an old friend than explaining to a bunch of angry relatives why you sent them a virus via email?
- Beware of fake holiday greeting cards, donation solicitations and other holiday-related spam
Hackers will be taking advantage of the increased volume of these types of emails. Observe rules #1 and #2, and watch out for poor grammar and out-of-character emails. Just received an X-mas ecard from someone you haven’t talked to recently? You guessed it…pick up the phone!
- Be careful with your personal data
Let’s say you knuckled under the pressure and clicked a link. The website you landed on is asking you for some personal information that seems relatively harmless: birthdate, ZIP code, last four digits of your Social Security number. Unless you are at a website with which you already do business (and have verified it’s that company’s actual website and not a fake one!), stop what you are doing and back away from the computer. Even these bits of data can be used as a digital wedge to get at other data from your personal life, which can lead to theft of both your money and your identity.
- Put a password or PIN on your phone
See last week’s article on why this is important, and how to do it. Don’t ask why, just do it. Trust me.
- Be less conspicuous about using your smartphone
Thieves are targeting smartphone users, especially iPhone users, because the devices are in high demand on the black market, especially overseas where the phones can be reactivated without fear of being tracked. A protective case can help disguise your phone, but if you really want to blend in better, choose one that isn’t blinged out and brightly colored. That case that really helps you stand out in a crowd also paints a big target on you for thieves. Keep it in a deep pocket or a bag/purse that zips or latches shut so it will be less likely to accidentally fall out and be picked up by someone looking for a free smartphone.
- Keep an eye on your laptop and/or tablet
A lot of us will be traveling during this time of year, and it’s becoming increasingly common to drag along our work laptop so we don’t get too far behind while visiting with family. You’d be surprised at the number of laptops lost/stolen in airports and rental car terminals, primarily because the owners are distracted and overburdened. Having to call your boss to tell them you lost your work laptop and all the data on it will make for a very stressful holiday. It’ll be even worse if you have to call clients to tell them you have lost their sensitive data or may have exposed them to a security risk.
- Where possible, don’t let online vendors store your credit card information
Up until very recently, most online stores assumed you wanted to keep your credit card “on file” with them for convenience on future purchases. While this is still the case, many now offer the option to remove that information, or to not store it in the first place. Given how many websites are being hacked these days, you may be better off not keeping that number on file, especially if it’s with a store you don’t frequent. Having to enter your credit card information once or twice is a trivial inconvenience compared to having to replace all your credit cards because a website you bought something from years ago got hacked.
- Beware deals on technology “too low to be believed”
With technology, you get what you pay for 99% of the time, which is to say that if you got it cheap, it’s likely that it is cheap. That knock-off iPhone charger might have been a steal, but if it burns up your battery due to an electrical short, your $5 charger just cost you $500.
- Give yourself a gift this year: Back up your data
All hard drives fail eventually. Phones break, get lost or stolen. Viruses happen. If your data is important enough to save to a disk, it’s important enough to back up. There are online subscriptions that can take care of your most precious digital assets for pennies a day and are so simple to use that anyone who knows how to click a link can set up an account. You might not be able to keep the cyber Grinches at bay forever, but a good backup can take most of the sting out of the worst virus infections or hardware failures.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net.
Knowing full well that American Express is the credit card of choice for many professionals, cyber criminals are targeting AMEX customers in a wave of convincing phishing emails. The emails appear to be from AMEX, state that fraudulent activity has been detected on the recipient’s card, and provide a link for the user to update their information. The link actually leads through a series of redirection scripts on compromised websites and eventually lands the user on a website that has the outward appearance of a legitimate AMEX website. This site’s sole purpose is to collect critical personal data such as your account ID, Social Security number and mother’s maiden name, which will shortly be used to perpetrate actual account and identity theft.
What this means for you:
By now you should naturally be suspicious of any emails that show up in your inbox asking you to reset your credentials, especially if you did not explicitly perform a password or credential reset. Rolling over the links in the emails will show you the destination URL, and if the link isn’t one you recognize, stop right there and trash the email. Even if the URL looks legitimate, don’t use the link in the email. Go to your credit card website by manually typing in a URL that you know is good. Not sure what the URL is? Look for one printed on the back of your credit card, or failing that, just call the customer service number via phone. As a rule, credit card companies and banks will notify you via phone of suspected fraudulent activity, so emails like this should always be viewed with a healthy amount of skepticism.
For many professionals, LinkedIn plays an important role in their ability to network and market themselves to others, but the primary business tool of choice for just about everyone is still email. Realizing this, LinkedIn has created an app (currently only for iOS) that puts a lot more LinkedIn into your email. The app, dubbed “Intro”, is designed to provide you LinkedIn profile information (if it exists) of your recipients while you are writing your email, as well as automatically inserting an “Intro” banner that includes your profile information into every email you send. It’s this latter function that has security analysts up in arms, because in order for Intro to do its thing, it requires the user to switch their email server from the provider to LinkedIn’s own mail servers, which in turn authenticate on the user’s behalf while inserting the Intro snippet into each email as it makes its way through LinkedIn’s service. You read that right: every email you send using Intro goes through LinkedIn’s servers as well.
What this means for you:
For decades now, hackers have used a similar technology process to compromise security systems: the “Man in the Middle” attack basically tricks a computer into sending information to an alternate destination, which then forwards on the information to the intended destination, all the while pretending to be the original sender, with neither endpoint being the wiser. In this manner, the “man” in question is able to collect any information passing between the two points, including passwords and other sensitive information. Obviously, LinkedIn’s Intro app is purposefully inserted into the middle of a user’s email by the user himself, but the principle remains the same, and, at minimum, complicates security. Think of it as an email “love triangle.”
On top of this concern, security analysts have already figured out a way to spoof the information Intro inserts into your emails, essentially “weaponizing” Intro’s banner to carry any sort of payload the hacker would like, including links to hijacked websites. Imagine if you sent your client an email with a compromised LinkedIn Intro banner that led to them getting infected and their information destroyed by a virus. For now, I’d recommend sticking to inserting your own signatures into your email (which can include a link to your LinkedIn profile) and waiting a few months to see if LinkedIn has worked out all the security concerns in their new app.
Malicious agents continue to use increasingly sophisticated email templates to fool victims into installing malware on their computers. Most recently, people have been falling prey to an email that appears to be from Dropbox.com, a very widely used cloud storage website. The email uses Dropbox artwork and is kept short and to the point: it warns the user that they need to change their password and provides a link (which, of course, leads to a hijacked website). Adding to this email’s apparent credibility is the fact that Dropbox has engaged in this very same practice to legitimately warn users about password changes. Couple this with the fact that it’s highly likely you have a Dropbox account, and the hook is set before you know it.
What this means for you:
Whenever you receive a warning like this, the safest method to take action is to manually type the URL of the service in question in your browser and never click links in the email, unless you are confident they don’t lead to a hijacked website. Most email clients, including web-based ones like Gmail and Yahoo Mail, allow you to roll over the links in any email and see the actual linked destination (it may take a second or two, be patient while hovering), as it’s trivial to fake the visible destination while sending you down a dark road to infection. For more tips on spotting fake emails like this one, read my previous post, “Fake Emails are Getting Harder to Spot“.
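The “hover over the link and read the real destination” check from the AMEX and Dropbox items above can be automated for an email you have already saved. The script below is an added example, not code from the original post: it pulls every link out of an HTML email body, compares the domain the link text shows against the domain the href actually points to, and flags any destination that is not on a short list of sites you already use. The KNOWN_GOOD_DOMAINS list, the SAMPLE_EMAIL body and the “last two labels” domain rule are all assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader actually does business with. Constructed for this
# example; your own list is whatever sites you personally log in to.
KNOWN_GOOD_DOMAINS = {"americanexpress.com", "dropbox.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        # Only text inside an open <a> ... </a> is part of the visible link.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare text like 'www.example.com' is accepted too."""
    if "//" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Crude 'last two labels' approximation of the owning domain (assumed
    rule for this example; a real check would consult the public suffix list)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _looks_like_url(text):
    return "." in text and " " not in text and len(text) > 3


def check_links(html, known_good=KNOWN_GOOD_DOMAINS):
    """Return one finding per link that deserves suspicion."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href or href.startswith("mailto:"):
            continue
        actual = registrable_domain(host_of(href))
        reasons = []
        # The classic lure: the text shows one site, the href goes elsewhere.
        if _looks_like_url(text):
            shown = registrable_domain(host_of(text))
            if shown != actual:
                reasons.append(f"link text shows {shown} but points to {actual}")
        # Even a plain "click here" link is suspect if it leaves sites you use.
        if actual not in known_good:
            reasons.append(f"destination {actual} is not a site you use")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: one password-reset style lure and one legitimate link.
SAMPLE_EMAIL = """
<p>Unusual activity was detected on your card. Please verify now.</p>
<p><a href="http://secure-login.example.net/amex/verify">https://www.americanexpress.com/verify</a></p>
<p><a href="https://www.dropbox.com/account">Manage account</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, only the first link is reported, for both reasons: its visible text names americanexpress.com while the href lands on example.net, and example.net is not a site on the list. The second link is left alone because its real destination is dropbox.com. The same logic is what you are doing by eye when you hover over a link; the point of writing it down is that the comparison is between the two domains, not between the pretty text and your expectations.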
It must be another day ending in “Y” as hackers are making headlines again: airplanes, cell-phone chargers and now your car might be the target of hackers. As you might have already guessed, auto manufacturers have been building computers and networks into cars for years now, and modern models can have as many as 70 different computerized systems that control every aspect of the car: braking, steering, acceleration, etc. Where there’s a computer, hackers are sure to follow, and security experts have successfully demonstrated hacks on late-model cars that can take over just about any aspect of the computerized systems, including slamming on the brakes while the car is at full speed, jerking the steering wheel and shutting down the engine completely.
What this means for you:
Before you drive your shiny new ride over to the nearest Cars for Causes office and pack the family off to that bunker in Montana, you should know that the hackers in question worked for months to crack the auto systems on a specific model of car, and in most cases the hacks required physical access to the vehicle. However, according to past reports, ethical hackers from UCSD have managed to compromise at least one late-model GM vehicle via wireless methods, and it’s hard not to imagine that as automobiles become even more complex and automated (Google’s self-driving car, anyone?) as well as wirelessly connected to the internet, the unethical hackers won’t be far behind in tarnishing what otherwise might be a bright, self-driving future.
Image courtesy of Sura Nualpradid / FreeDigitalPhotos.net
You’ve seen it in movies and television probably dozens of times: video surveillance systems being hacked into by both heroes and villains and being fooled into showing looped footage allowing said hero/villain to proceed undetected. This time around, life is imitating art as a security researcher demonstrated at the Black Hat security conference held this past weekend. In his presentation, dubbed “Exploiting Surveillance Cameras Like a Hollywood Hacker”, former NSA worker Craig Heffner demonstrated how he was able to research and exploit readily available internet-enabled video cameras commonly used for security surveillance in homes and businesses around the world. Given the well-honed skeptical nature of Black Hat attendees, Mr. Heffner provided a live demonstration wherein he focused a compromised camera on a bottle placed on stage. While the audience watched via the security console, Heffner hacked the camera to display a spoofed image of the bottle (the “Hollywood” part), and then proceeded to “steal” the bottle while the security camera continued to display an unmolested bottle.
What this means for you:
Unfortunately, Heffner was able to exploit cameras from many manufacturers primarily because the device firmware contained hard-wired passwords and other backdoor mechanisms. Thanks to the internet, Heffner was able to download copies of many camera firmware images and research the vulnerabilities without even owning the actual device. Heffner contends that he has yet to come across a model of internet security camera that he cannot hack, primarily because the manufacturers have been careless in removing the backdoors and weaknesses, and because the basic operating system varies in only minor ways from model to model. If you are actively using any of the cameras listed in Heffner’s presentation, you may want to consider disconnecting them from the network (which essentially defeats the “Internet-enabled” part), or disabling them completely until the manufacturers patch the obvious security weaknesses.
Image courtesy of Renjith Krishnan / FreeDigitalPhotos.net