WindowsITpro: Going beyond the password

We have a love/hate affair when it comes to using passwords. The average person has to remember dozens of them for various logins, and many of us try to cope by reusing our favorites. That just opens up all sorts of security issues: if a popular service (take your pick: Yahoo, LinkedIn, Dropbox, and many more sites all have been breached over the years) is compromised and millions of user names and passwords revealed, there is trouble ahead.

In this piece for WindowsITpro, I talk about the past, present and future of the lowly password.

How one small trade association manages their security

I spoke to the IT Manager of a 65-person trade association in the DC area. I have known this manager, whom I will call John, for decades through various IT positions, mostly in non-profits and trade associations.

(He has asked that I not use his name or the name of his association.)

Things have changed since he first began working at the association eight years ago. “When I was just a few months into my current position, we had about 15 laptops stolen from their docking stations by (what we believe was) the night-time cleaning crew. People came in to work and their laptops were gone. My logistical response was executed pretty well – I had folks up and running very quickly. But we never treated the incident as a serious information breach. These days we think about things differently.”

One of the biggest impacts that John has had was to hire a network management VAR to help set up and monitor their firewalls. He uses a combination of tools such as NetWrix for auditing their Active Directory logs (“I can unlock a user before they even realize it,” he said), and Sophos for anti-virus, full disk encryption and its web appliance.

He uses another VAR and an additional monitoring tool that is industry-specific. “They have a monitoring appliance in our environment that sends a ton of alerts that tend to be very non-actionable – like someone used a cleartext password on a website. Well, there’s only so much I can do about that. The value is that they aggregate our data with our members’ data to look for unusual trends across the country so they can alert us to industry-wide attacks.” This VAR also performs annual vulnerability scans that he says are very disruptive to their storage array, but useful. “For example, did you know that APC products (UPSs and PDUs) have three factory default login IDs and passwords? We knew about the first. Didn’t know about the second and third. So, I’m changing those asap.”

When it comes to dealing with insider threats, he says “a big win for us has been KnowBe4.com. It is a very affordable training program that allows me to spam and phish my own staff. Plus they offer videos and a learning management system that we hope to implement next year with HR’s approval. They also send me a ‘scam of the week’ which I repackage and send to staff. It’s both entertaining and educational.” Another classic phishing situation was when one of his VPs sent member email addresses to a Yahoo address he thought belonged to the CEO. “It happened on a weekend and the VP was on his phone and couldn’t really see the whole message on the screen. It was quickly discovered that the CEO did not have a Yahoo address. That was our first real cyber security incident. Calls were made. The board was notified. It was only names and email addresses, but those two items are considered personally identifiable information. This happened about a week before I implemented KnowBe4. If I had gotten approval for it earlier and set it up earlier, this might have been avoided.”

John also has a BYOD policy in place for some of the staff, and is still evaluating mobile device management strategies. They just migrated their email to Office 365 and haven’t yet implemented any two-factor authentication.

John’s total staff is a help desk technician and his VARs, one of whom is on site two days a month.

“Security is a bigger part of my job today because of the increased emphasis and because our association represents a high profile industry where security is also a high profile issue. Our CEO wants us to walk the walk if we’re telling our members to do the same.”

iBoss blog: How Cyber-geddon Could Happen to Financial Networks

An article in the June Economist paints a dark picture of the aftermath of a fictional financial services hack. The authors start with some history and extrapolate from current potential compromises of various networks. What is interesting about this piece is how cold and calculating they can be: “Processes designed to make banking safer have created new vulnerabilities: large amounts of money flow through certain key bits of infrastructure.”

What this means for the financial services industry, and a more detailed description of their scenario, can be found in my blog post for iBoss here.

Security Intelligence blog: The Increasing Dangers of Code Hooking

Security researchers discovered a series of implementations of an old type of exploit known as code hooking. These implementations are increasing in number and becoming more dangerous. Collectively dubbed Captain Hook, these exploits make use of code injection techniques that could cause numerous vulnerabilities and potentially affect thousands of products.

I look at the process of code hooking and its relevance to your enterprise security in my latest post for the IBM blog Security Intelligence here.

iBoss blog: Wireless Keyboards are Vulnerable to Sniffing Attacks

One of the most vulnerable places across your enterprise (apart from the inner workings of your users’ brains, that is) can be keyboards. Recently, an innovative keylogger attack that intercepts wireless keyboard transmissions was found by Bastille Networks. The attacker can be located up to 250 feet away from the computer, and the attack is a new twist on some old exploits. Out of 12 wireless keyboard manufacturers, the researchers found that eight (such as the one from Kensington, pictured above) were susceptible to the attack. You can read more in my post for the iBoss blog here.

EventTracker blog: What is privilege escalation

A common hacking method is to steal information by first gaining lower-level access to your network. Once inside, the hacker will escalate their access rights until they find minimally protected administrative accounts, where the attacker can steal data. This is called privilege escalation, and it happens often.

You can read my post here on the EventTracker blog on what you can do to protect yourself.

‘I have nothing to hide’ doesn’t mean you are anonymous

In my post from last week, I addressed some of the concerns in the growing conflict between security and privacy. One of the issues that I didn’t talk about, as several readers reminded me, is the difference between privacy and anonymity. This is often summarized by saying, “I don’t care if someone tracks me, I have nothing to hide.” Well, consider the following scenarios.

Scene 1. You are hiking on a remote trail. As you are enjoying the view, someone is taking pictures with their smartphone and pointing their camera in your direction. So essentially your image is being taken without your consent. At first, you think this is fine: after all, you are anonymous, just some random hiker. But when the photographer posts your image on their social feed, your face is recognized thanks to the site’s software. And now, not only are you identified, but your location is also specified. So you have been tagged without your consent. One way around this is to wear specialized clothing that defeats flash photographs, as shown here.

Scene 2. You maintain a very active Pinterest account and post numerous pictures when you are at various events, or when you travel to distant cities. One consequence of this is that anyone who spent time looking at your account could see where you have been and what you have done.

Scene 3. Beginning in 2007, employees of the UK-based News Corp. regularly hack into celebrities’ voicemail accounts. They are sued and eventually pay various fines. Things come to a boil in 2011: others are charged, and one staffer is actually jailed. Testimony reveals that thousands of phones were involved and dozens of staffers had access to the collected information.

Scene 4. In the neighborhood where I live in St. Louis, the community monitors nearly 100 cameras that continuously capture video imagery to aid in solving crimes. Several dozen people have been arrested as a result of investigations using these images, which are available to law enforcement personnel. While they don’t have facial recognition software yet, it is only a matter of time. But what if anyone could access the video feeds online and monitor what is going on?

Scene 5. Your online activities are being tracked. One of the stories that I wrote recently about tracking online fraud described how security researchers were able to use machine learning to predict when an endpoint device could be considered compromised. They found a series of common characteristics that were easy to discover, without any sophisticated software. These included freshly made cookies (fraudsters clear their cookies often while regular users almost never do), erased browser histories, 32-bit Windows running on 64-bit CPUs, and the use of few browser plug-ins. While any of these factors taken alone might come from a legitimate user, combined together they almost always indicated a machine used by an attacker.

Still think you have nothing to hide? Maybe so, but it is a bit creepy to know that your digital footprints are so obvious, and show up in so many places.

Some vendors, such as the makers of the email encryption software Mailpile, have gone to great lengths to document how they address their users’ privacy. Given their market focus, it isn’t surprising. But still, the level of detail in that document is impressive. “People should be able to communicate privately,” as they state in their document. That means no eavesdropping on email content, support for authentic messages, and privacy when it comes to message metadata and storage too. What I liked about the Mailpile manifesto was their non-goals: “Mailpile is not attempting to enable anonymous communication. Most people consider e-mail from anonymous strangers to be spam, and we have no particular interest in making it easier to send spam.”

So as you can see, there is a difference between being anonymous online and maintaining your privacy. Like anything else, it is a balance and everyone has their own trade-offs as to what is acceptable, what isn’t, and what is just creepy. And expect new technologies to upset this balance and make these choices more difficult in the future.

The debate between privacy and security

It seems as if we are headed for a showdown between privacy and security. I don’t think I have seen a time where there has been more conflict, and more acrimony, than the present day.

Let’s take a look at a few examples.

Earlier this month, the UK’s Telegraph newspaper ran a story that reported the BBC will send out specialized vans to determine if its customers are illegally accessing TV streams without paying the special license required to do so. The story was later refuted by The Register, but not before some Sturm und Drang across various social media, and the BBC made it clear that it wasn’t scooping up traffic on home Wi-Fi networks. That story reminded me of a Google snafu. Between 2007 and 2010, Google Street View cars tapped into the browsing histories, text messages and personal emails of people on unsecured Wi-Fi networks. Street View cars haven’t gotten much love since then. Earlier this summer, an Oakland man was arrested near Google’s Mountain View HQ. He later admitted to bombing other Street View cars earlier this year. He said he did this because he thought Google was watching him, and “that made him upset.” Street View does capture some wacky stuff, and I will leave it to you to dig that up.

But Google isn’t the only place where you can invade someone’s privacy. Take the site Ready or Not. It was developed by UC Berkeley researchers and has an app that can track your physical movements thanks to your phone’s GPS and social media accounts that have location services enabled. You just type in a Twitter ID and you can bring up a map showing where that person has been lately. This is a lesson to turn off those services if you don’t need them. The problem is that many of our apps do require them, so you are left with annoying messages to turn them back on.

Then there was a mother in Houston, Texas who was horrified to learn hackers had compromised her home’s security camera system and put up a live feed of her two daughters’ bedroom online. It turns out one of her daughters accidentally opened the virtual door to a group of hackers when she decided to play Minecraft on an unprotected server. It was easy enough for the attackers to identify the IP address of the daughter’s iPad. From there, they made their way to the router and the home’s connected security cameras.

Sometimes the tradeoffs between privacy and security can be a benefit for us. Progressive Insurance has sold several billion dollars’ worth of auto insurance over the past several years to customers who agree to place a monitoring device called a Snapshot (pictured) in their cars in exchange for lower premiums. The device beeps when you are speeding or braking hard, and if you are driving after midnight.

How about this scarf that can be used to hide your face and other features when you are out on the town and don’t want some flash-wielding paparazzi taking your picture? Its surface and pattern are specially designed to foil the camera’s exposure sensors.

And then several years ago at the royal wedding of Prince William, British police arrested more than 50 protestors. What made this significant was that many of them were arrested before they actually committed any acts of civil disobedience, recalling the pre-crime plot lines of the movie and Philip K. Dick story “Minority Report.” How did the cops locate these miscreants? Using social media posts, of course.

These are just a few examples of where the security/privacy debate is headed. I don’t have any ready answers for how this is all going to shake out, but it certainly is going to make for additional conflicts as we struggle with finding the right balance.

EventTracker blog: What is privilege escalation and why should I care?

A common hacking method is to steal information by first gaining lower-level access to your network. This can happen in a variety of ways: through a print server, via a phished email, or by taking advantage of a remote control program with poor security. Once inside, the hacker will escalate their access rights until they find minimally protected administrative accounts. That is where the real damage and data theft starts. Given the number of Internet-available servers and reused passwords, this rough outline of an attack happens more often than anyone wants to admit, and it can be a very big threat. The good news is that fixing this isn’t very difficult, just requiring diligence and vigilance. It also helps if you have the right protective software, such as what you can purchase from EventTracker, to stop these sorts of “privilege escalation” attacks.

The first thing is to understand how prevalent this really is, and not bury your head in the virtual sandbox. Consider the Black Hat 2015 Hacker Survey Report, which was done on behalf of Thycotic last December. The results showed 20% of those surveyed were able to steal privileged account credentials “all the time”. Wow. What is worse is that three fourths of those surveyed during the conference saw no recent improvements in the security of privileged accounts. Finally, to be even more depressing, only six percent of those surveyed could never find any account information when they penetrated a network.

Granted, the survey is somewhat self-serving, since Thycotic (like EventTracker) sells security tools to track and prevent privilege escalation events.

Next, you should understand how the hackers work and what methods they use to penetrate your network. A great play-by-play article can be found here in Admin magazine. The author shows you how a typical hacker can move through your network, gathering information and trying to open various files and find unprotected accounts. In the sample system used for the article, the author “found a very old kernel, 28 ports open for incoming connections, and 441 packages installed and not updated for a while.” This is certainly very typical.

So what can you do to be more pro-active in this arena? First, if you aren’t using one of these tools, start checking them out today. You should certainly have one in your arsenal, and I am not just saying this because I am writing this blog here. They are essential security tools for any enterprise.

Second, clean up your server password portfolio. You want to strengthen privileged accounts and shared administrative access to critical local Windows and Linux servers (Lieberman Software has something called Enterprise Random Password Manager that will do this quite nicely). Any product you use should discover and strengthen all server passwords, encrypt them and store them in an electronic vault, and change them as often as your password policies dictate. These types of tools will also report on those resources that are still using their default passwords: a definite no-no and one of the easiest ways that a hacker can gain entry to your network.

An alternative, or an addition, to the password cleanup is to use a single sign-on tool that can automate sign-ons and strengthen passwords at the same time. There are more than a dozen different tools for this purpose: I reviewed a bunch of them for Network World about a year ago here.

Next, regularly audit your account and access logs to see if anyone has recently become a privileged user. Many security tools will provide this information: the trick is to use them on a regular basis, not once when you first purchase them. Send yourself a reminder if you need the added incentive.

Finally, start thinking like a hacker. Become familiar with tools such as Metasploit and BackTrack that can be used to pry your way into a remote network and see any weaknesses. Know thy enemy!
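One way to put the “regularly audit your account and access logs” step into practice, as an added example that is not EventTracker’s or any vendor’s code: it reads a constructed CSV export of Windows group-membership audit events and flags anyone newly added to a privileged group, with extra weight for off-hours changes, self-elevation and service accounts acting as administrators. The event IDs 4728, 4732 and 4756 are the real Windows “member added to a security-enabled global/local/universal group” events; the CSV layout, the privileged-group list and the business-hours window are assumptions for this example.

```python
"""Flag additions to privileged groups in an exported Windows security audit log.

Added example, not vendor code. The CSV layout (timestamp, event_id, group,
member, computer, actor) is a constructed export format; the group list and
business-hours window are assumptions to be tuned per environment.
"""
import csv
from dataclasses import dataclass
from datetime import datetime
from io import StringIO

# Real Windows event IDs: member added to a security-enabled global (4728),
# local (4732) or universal (4756) group.
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time (assumption)

# Constructed sample export; none of these hosts or accounts are real.
SAMPLE_EXPORT = """\
timestamp,event_id,group,member,computer,actor
2016-08-15T09:12:41,4732,Remote Desktop Users,jdoe,WS-014,helpdesk1
2016-08-15T14:03:09,4728,Domain Admins,svc_backup,DC01,itmgr
2016-08-16T02:47:55,4732,Administrators,jdoe,SRV-FILE01,jdoe
2016-08-16T10:20:13,4720,,tempuser,DC01,helpdesk1
2016-08-16T23:58:02,4756,Enterprise Admins,contractor7,DC01,svc_backup
"""


@dataclass
class Finding:
    when: str
    member: str
    group: str
    actor: str
    computer: str
    reasons: tuple


def audit_privileged_additions(export_text, privileged=PRIVILEGED_GROUPS):
    """Return one Finding per privileged-group addition, with the reasons it stood out."""
    findings = []
    for row in csv.DictReader(StringIO(export_text)):
        if row["event_id"] not in GROUP_ADD_EVENTS or row["group"] not in privileged:
            continue  # ordinary group change or a non-membership event (e.g. 4720 user created)
        reasons = ["added to privileged group"]
        if datetime.fromisoformat(row["timestamp"]).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if row["actor"].lower() == row["member"].lower():
            reasons.append("self-elevation")  # the account granted itself admin rights
        if row["actor"].lower().startswith("svc_"):
            reasons.append("service account acting as admin")
        findings.append(Finding(row["timestamp"], row["member"], row["group"],
                                row["actor"], row["computer"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_privileged_additions(SAMPLE_EXPORT):
        print(f"{f.when} {f.member} -> {f.group} on {f.computer} by {f.actor}: {', '.join(f.reasons)}")
```

Run against a daily export and review every finding; the first sample row is dropped because Remote Desktop Users is not in the privileged list, and the 4720 row is dropped because account creation is not a membership change.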

iBoss blog: Hacking Your Network Through Smart Light Bulbs

Earlier this year I posted an entry about how the Internet of Things (IoT) can create all sorts of insider threats. Sadly, this is becoming true faster than anyone thought. Now connected light fixtures can be compromised, perhaps creating a new punchline to that age-old joke: “How many security managers does it take to screw in a lightbulb?” Only, no one is really laughing. Security researchers at Rapid7 have found nine different vulnerabilities in the Sylvania Osram Lightify smart bulbs. I talk about which of these you should be concerned with if you have these lights in your buildings in my latest blog for iBoss.