According to the Washington Post, the Pentagon has recently received a report that states that over 2 dozen US weapon systems plans and specifications have been stolen via digital attacks on defense contractor and subcontractor systems. The list of possibly compromised systems include several key military assets such as the FA-18 fighter, the F-35 Joint Strike Fighter, the Black Hawk helicopter and the Patriot Missile. Officially, the Pentagon has downplayed the report, stating that they have no reason to believe the strength or integrity of the military compromised in any way, but Department of Defense officials have said, off record, that there is growing concern that the Pentagon and our government at large are increasingly falling behind in their ability to defend our digital borders from future cyber attacks.
What this means for you:
Regardless of your political leaning, there are few Americans who believe that our government runs a tight ship, and anyone who’s had any dealings with the Federal government knows that for the most part, they are woefully behind in just about every aspect of technology. Poor operational standards and old technology is a recipe for security disaster on a large scale for any business, and the Department of Defense is about as big a business as you can get.
Just like the problem life insurance salespeople face (no one wants to face the fact of dying), many businesses still have not come to grips with the fact that they will have (or already have had) a security breach. Many defense contractors who have lived in the bubble of American military superiority for so long have developed a complacency that is leading to poor decisions and lack of preparation until it is too late. The Chinese military is hungry to tip the scales, and it seems that they have the digital advantage.
Surely your business is more nimble than the Department of Defense. Have you grown complacent and ignored your technology’s security? Wouldn’t you rather do some work ahead of a security breach rather than scrambling to repair the damage?
In a controlled experiment run by technology website ArsTechnica.com, hackers were given a list of over 16000 hashed passwords and asked to try to decipher as many as possible. Not only were they able to crack over 90% of the passwords in about 20 hours, one of them managed to decipher over 60% of the encrypted passwords in less than an hour using a single computer.
To put this into some context, the target list contained passwords of varying lengths and composition, containing both letters, numbers and symbols, and was encrypted using an MD5 Hash. For the uninitiated, “hashing” a password is a one-way encryption method used to store passwords. When you go to log into your password-protected service, the server takes the password you just typed in, “hashes” it, and then compares it to the hashed password it has stored for you, and if they match, you are authenticated. Hashing is commonly used so that if a server is compromised and a list of passwords is downloaded, all the hackers have gained is a list of unencryptable letters and numbers. Of the encryption methods available, “MD5” is very common, because it requires little computational power, something that busy websites want to reserve for other functions.
The hackers in the ArsTechnica project used brute-force dictionary attacks driven by their own hand-built hash source lists, essentially decoding the target list by comparing hashes with lists that contains upwards of a billion combinations of letters, numbers and symbols. The computers used in this exercise were garden-variety workstations capable of processing several million guesses per second using parts easily procured from any computer store. Late last year one of the hackers involved showcased a cluster computer built using the same parts. Designed specifically for cracking passwords, this machine was capable of processing 350 billion hash guesses per second, and if it had been used in the above exercise, would have rendered out the list in a few hours.
What this means for you:
The real intent of ArsTechnica’s exercise was to demonstrate how trivial passwords are in terms of true security, even ones that are traditionally believed to be very strong, e.g. “qeadzcwrsfxv1331”. The hackers involved in the exercise pointed out the controlled nature of the exercise actually limited their ability and efficiency as compared to “real world” scenarios – the fact that they were limited to traditional workstations and were cracking a list about which they had no further information. Typically, crackers will have much more information about the passwords they are attempting to decipher, such as the security rules enforced when the users create them (e.g. 8-14 characters, must contain a letter, number but no symbols, etc.). Even knowing the service or site the passwords were used on will help crackers decipher passwords, as it will often allow them to uncover the encryption method used to hash the passwords.
If you think you are being clever by creating “hard” passwords that are ten characters or longer and interspersed with numbers, there is a statistically high probability that even that combination will be on these brute-force source lists, especially if you use the common substitutions like 3 for “e”, zero for “o” and so on. Computers have become so powerful that cracking even the most complex passwords is really a matter of patience and persistence.
On the flip side, most services we use are secured against brute-force attacks, at least on an account by account basis. No hacker is going to waste his or her time trying to guess your online banking password via the methods described above, as they would get locked out after the 3rd or 4th failed guess. But if they somehow managed to get into the bank’s servers and download a list of hashed passwords (which has been happening to other services quite often), you can bet your password will soon become another statistical probability in some hackers brute-force dictionary list.
A Congressional report authored by California Representative Michael Waxman and Massachusetts Representative Ed Markey publicizes that some United States utility companies are under constant cyberattack. Based upon a survey of 160 utilities, the publication notes that a dozen of the respondents report that they experience “daily, constant or frequent attempted cyber attacks.” Congress and the White House are understandably concerned that hackers could damage the nation’s powergrid, but the utilities say that their security standards are sufficient to protect the systems that keep America’s lights on, and that the attacks suffered by the utilities are no different than the ones that other American businesses and organizations suffer on a regular basis.
What this means for you:
Unless you happen to be a highly placed Security Officer at the North American Electrical Reliability Corporation or a member of the House Energy and Commerce Committee, there’s not much you’ll be able to do personally to prevent cyberterrorists hacking a utility eventually. Many security analysts predict that it’s only a matter of time before a US utility gets hacked, and you may recall a rather hushed-up incident affecting a large Saudi energy company not too long ago.
The real truth of the matter is that most companies, regardless of size, function or even nationality, are being probed and tested on a regular basis. The server that hosts this website experiences dozens (sometimes hundreds) of attacks on a daily basis. Is C2 being targeted specifically? Unlikely, but whether there is specific human intent behind the attacks or not, the fact remains that if (when) one of those automated attacks actually manages to penetrate a weakness, you can bet a human will follow along behind to assess whether the target is worth further hacking, or simply relegated to the growing army of zombified computers that are pointed at more high-value targets. My server doesn’t contain anything important enough to warrant concentrated effort, but you can bet that a compromised utility company server is a high-value target. And when everyone is gunning for you, it can’t dodge bullets forever, no matter how good you think your security is.
Hackers have compromised a Department of Energy website, leveraging a previously undiscovered security flaw in version 8 of Microsoft’s Internet Explorer. IE 8, which is now 2 versions back from Microsoft’s most recent release (v10), is used by almost a quarter of all Internet Explorer users, and is most commonly found on Windows XP computers. The “watering hole” style attack is thought to be the work of Chinese hackers based upon the malware used and the command and control protocols used. The hacked website is used by the DOE to disseminate information on radiation-based illnesses, leading analysts to believe that this was a targeted attack aimed at compromising the computers of government employees working with nuclear weapons and reactors, ostensibly for the purposes of gaining access to classified information and systems.
What this means for you:
This is the first instance of this particular exploit being discovered, but given the publicity and Microsoft’s well-known inertia in issuing security updates for it’s older products, there is a chance that if you are still using IE 8 you could be at risk. Microsoft recommends upgrading to a new version of Internet Explorer, but in the event that you are unable to upgrade due to your business requirements or application limitations, Microsoft has issued the following guidance for working around the security flaw until it can be patched:
- Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
- Add sites that you trust to the Internet Explorer Trusted sites zone to minimize prompt disruption
As I’m not a Microsoft employee, I can also recommend switching browsers to Chrome or Firefox. Both issue security updates much more rapidly, and though they are not free of security flaws and zero-day exploits, both browsers typically fair better than IE in terms of overall security strength.
Just when we were getting flight attendants to relax the electronic device restrictions on flights, a German security consultant has demonstrated a real-world hack and takeover of an airplane’s critical guidance and control systems using an app he built that runs on an Android smartphone. Hugo Teso of n.run, who is also a trained commercial pilot, demonstrated the exploit at the Hack in the Box conference in Amsterdam, and has developed a framework and app as a means to illustrate just how poor the current state of aviation security actually is. Teso designed the framework to be unusable outside his simulation environment, but he maintains that his environment mirrors technology that is currently in use throughout the aviation industry. On top of being able to completely own the Flight Management System (sometimes referred to as the “Autopilot”) of an aircraft, Teso’s app, named “PlaneSploit” demonstrated how, once complete control of the aircraft’s control systems was obtained, the actual operation of a flying aircraft could be remotely controlled from a smartphone.
Teso has carefully kept his research private, and has been working closely with the aircraft industry to help them close the gap on the many security vulnerabilities that exist in the thousands of aircraft in use today. Even still, it’s possible that other security analysts could uncover the same exploitable weaknesses in avionics platforms, and perhaps behave less altruistically than Teso. Also keep in mind that the autopilot systems can be manually overridden and the aircraft flown “by hand” using backup analog instrumentation. The trick, Teso reminds us, is that unless the pilot knows the plane has been hacked, he won’t know to take over control until the damage has already been done.
What this means for you:
Unless you are a commercial pilot, or someone of influence in the airline industry, I’m afraid there’s not much you can do about this except continue to raise awareness with everyone around you about technology security. Even though I sincerely doubt we’ll see any real-world plane hijackings via smartphone any time soon, now that this Pandora’s Box has been opened, it may never be shut again.
Security tester Phil Purviance has gone public with his findings on a popular router that widely sold to consumers and small businesses. He sums it up succinctly:
…any network with an EA2700 router on it is an insecure network!
The router in question is commonly found at big box retailers like Fry’s Electronics, Best Buy and pretty much any retailer that sells consumer electronics. Purviance reported his findings to Cisco over a month ago, but the hardware giant has yet to comment or issue any fixes to the public.
What this means for you:
If you are using a Cisco Linksys EA2700 router for your internet connection, your device and any computer connected to the EA2700 is at risk. Seeing as most folks aren’t even aware that their routers have software/firmware that can be upgraded, it’s likely that even if Cisco were to fix all the vulnerabilities outlined by Purviance, those fixes are unlikely to be applied by most consumers and small businesses. At the moment, the only true fix for the EA2700 is to replace it with something else, but with what? Researchers are still playing catch-up in this space, as there are literally hundreds models of consumer-grade routers installed in the US alone.
As a business owner, you should consider upgrading to a business-class router from a major manufacturer like Dell, Cisco, Fortinet, etc. (Cisco’s business-class equipment, ironically, is typically considered a standard choice). At the very minimum, understand what you have installed, upgrade the firmware if possible, and check with your local IT professional (C2 is always there to answer your questions!) to determine if there are any widely known exploits published about your particular router model.
As if you didn’t have enough to worry about, the security blogosphere has dragged another bogeyman out into the daylight, and this one is ugly. Researchers from ioActive are now positing that rather than targeting businesses and their more sophisticated technology defenses, hackers could very easily begin to target consumer-grade equipment installed by internet service providers (ISP’s e.g. Time Warner or Comcast) in your home.
Why would they do this? Aside from the much flimsier technology used throughout the home-internet industry, the IP address assigned to your device is easily discoverable because the ISP’s themselves publish information about entire blocks of internet addresses that are allocated to them. This is doubly bad because not only do hackers now have an easy-to-parse list of targets, they can make assumptions about the targets based upon the ISP that services those addresses: things like the types of equipment used by the ISP (and default passwords), geographical locations, even the types of internet service (ie. DSL, cable, satellite, etc).
As part of their investigation into the feasibility of such an attack, ioActive researchers were able to compile a list of 400,000 actual devices installed in customer homes that might be vulnerable to a simple attack that could allow hackers to “own” the device and use it as a means to gain access to any computer connected to that device, ie. all the computers in your home. The basis for the attack? The simple assumption that the default administrative password was not changed since it was installed by the ISP.
What this means for you:
Having equipment installed in your home that you don’t understand and can’t personally confirm as secure is risky and negligent. It would be akin to leaving power tools lying around within reach of a child. Sadly, most ISPs have very thin (to nonexistent) policies around governing the security of the devices they install in your home, and worse, they often rely on third-party labor to do the installs, further increasing the chances that your router was installed quickly and possibly carelessly. On top of this, how many of you after having waited multiple hours for an internet install to happen, watched the installer rush out the door before learning anything about how your new equipment works, who to call for support, or how to change the password on the newly installed router?
Do yourself a favor: familiarize yourself with your internet router, WiFi access point, or any other piece of network equipment in use in your home, figure out how to log into the device(s), and then change the password to something that is hard to guess, and written down in a safe a secure place. Don’t make it easy for the hackers by continuing to ignore the backdoor into your home network!
Matt Honan, the Wired writer who had his digital identity stolen in a harrowing cyberattack last year, is back with another chilling article about yet another technology failing to protect us: this time it’s our beloved smartphones. More specifically, it’s the ones we’ve left behind, donated or possibly even sold via eBay, when we upgraded to a newer mobile device. The problem? Even though we may “wipe” the phones, the process may still leave enough information behind for the wiped phone to reveal sensitive information about their owners, including where the phone has been (geographically), what websites have been visited, and even phone numbers, addresses and other confidential data we thought erased.
What this means for you:
Depending on the type of phone you are discarding, and how it is wiped, this may or may not be an issue for you. For example, iPhones after the 3G mentioned in the article are encrypted by default, and if “reset” properly, the encryption key is destroyed, rendering any data on the phone unreadable, even if it is recovered. Most large organizations with a savvy IT department will only allow smartphones to access corporate email and files after your phone has been configured with proper security settings, up to and including an encrypted partition to store your email and any files you might access from the corporate network. Most Android phones should be able to encrypt all data (check “Settings -> Security”) depending on version of Android your phone is running, providing the same type of protection that Apple has on its late-model iPhones.
I can hear you saying, “I don’t have any data on my phone that is sensitive,” and unless you are 100% sure of this, always assume there is something on your phone you don’t want untrustworthy eyes seeing. Even older flip-phones have phone numbers, addresses and other data you might not want to share with a stranger. If you are at all in doubt, hold on to that phone until you can talk to a professional about wiping it securely. If you don’t plan on letting the phone have a second life through eBay or donation, take it to an eWaste facility or event that offers secure destruction. This process renders the phone (and any electronic device, like a hard drive) down to its basic metallic components, completely destroying any data stored in any component. Don’t have access to such a process? Drop your phone into a bowl of water for a day or, as the Wired article suggests, take a hammer to it (wear proper safety equipment please!) before disposing of it through a proper eWaste avenue. This isn’t a guaranteed method, but it will take a dedicated effort that most data scavengers will bypass in favor of the next discarded smartphone that will be an easier mark.
Apple has joined the growing ranks of digital services enabling two-factor authentication as a means to protect their customers from account theft. Two-factor authentication has long been a staple of secure corporate and government networks, and employs a basic mechanic of password plus a randomly-generated authentication code that is delivered to a device that you must have in your possession at the time of authentication. In the past, this device has traditionally taken the form of keychain fobs and cards whose sole purpose was to generate numeric keys constantly, but this same functionality can now be delivered through apps that are installable on smartphones, via SMS message to registered cell phones, or even via automated voice calls to your home or office phone.
What this means for you:
In Apple’s case (as with services like Gmail, Facebook, and many massive, multiplayer online games like World of Warcraft), two-factor authentication is an opt-in service, and is not enabled by default with your Apple ID/iTunes account. Enabling the extra security requires you register one or more cell phones with Apple that will receive your authentication code via SMS. Should you do this? If you use services that require an AppleID (iTunes, iCloud, Mac.com, etc.) with any frequency, and especially if you have iTunes credit banked, you should absolutely enable two-factor authentication, especially if the account is tied to a core service you rely on, such as a Mac.com email address, or iCloud for your iPhone and other Apple devices. Two-factor security makes your AppleID (or any other account like Gmail, etc.) that much harder to hack. There will be some inconvenience, especially if you are in a hurry to access your account and have to hassle with the extra security code entry, but imagine the alternative if your account is hacked.
With greater security comes less convenience, a fact of life in this digital age, and not something that will change in the foreseeable future without a significant evolution in security technology.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
With results that will probably surprise no one (and warming the hearts of black-hat hackers everywhere), the US Government Accountability Office has published its findings on a recent security audit of the Internal Revenue Service. The summary reads like the report card every good parent dreads, “Needs improvement.” Despite having a comprehensive security plan (the development of which was funded by your dollars!) the GAO has found that the IRS has failed to follow through in many areas of implementing and enforcing that plan in various parts of its operation, and these failures have severely compromised the overall security of the very important data the IRS collects on all American citizens.
What this means for you:
As you might expect, the 31-page GAO report is not the most exciting of page-turners. I’ll save you the dry read with the “moral” of the story: having a security policy is only as good as how well it is enforced and maintained. It does your company no good to say that “All employees must use strong passwords that are changed every 60 days” if no one is checking to see if they are actually adhering to the policy. It’s actually much worse for your company if you do have a security policy, experience a breach, and then discover that the breach was due to lack of enforcement.
Don’t get me wrong – I’m not recommending against having a security policy. You should have a security policy, especially if you handle sensitive data of any sort, and you should be making every effort to enforce, update and maintain that policy on a regular basis. A simple security breach could cause untold damage to your company’s reputation, and even more so if you have to admit that it happened because you failed to follow through on your own company’s policies.











