Tag Archives: security

Does teaching hacking lead to more attacks?

A black hat is a hacker who “violates computer security for little reason beyond maliciousness or for personal gain”, a definition attributed to Robert Moore in 2005. A white hat has been called an ethical computer hacker and/or a computer security expert who strives to ensure the security of an organization’s information systems. A gray hat is something in between: a hacker who tests systems to find security holes. This involves penetration testing, “pentesting” for short, which is essentially mounting a black hat offensive against a company as a test of its systems.

These definitions are just one example of the cloudiness in the world of computer security. Who is good and who is bad depends on whom you ask.

Who has the right to be called a hacker?

Real hackers have deep systems knowledge. This does not come from using Microsoft Word to write college papers. It is the result of study and research and a great deal of poking and prodding networks and network devices. In a PC World article, Eric Geier outlines the steps he believes are needed to become an ethical hacker:

  • Pass A+ certification and get a tech support position.
  • Pass Network+ or CCNA certification and work in network support or administration, then as a network security engineer.
  • Pass Security+, CISSP, or TICSA certification and work in information security.
  • Get hands-on experience with penetration testing, then pass the Certified Ethical Hacker (CEH) certification.

“At that point, you can start marketing yourself as an ethical hacker,” says Geier. All this training is in addition to earning a university degree.

The psychology of hacking

But, as the saying goes, with great knowledge comes great responsibility. If you are capable of breaking into the Pentagon network, would you do it? If so, why? The answer to that question could be any of the following:

  • It’s like Mount Everest – it’s there.
  • To brag about the accomplishment to friends.
  • To find vulnerabilities in the system.
  • To take or extort money.

An adolescent often finds the first two answers convincing. He or she knows it is illegal and wrong, but that network is an irresistible target. Hacking into a computer system is like joyriding with a network instead of a Ferrari. And the Internet makes kiddie scripts and more complex hacks available to all, including young people (or adults) without fully developed moral compasses. As these kinds of hackers mature, they find employment involving computers, especially in the high-paying security field.

Hacking a system to find vulnerabilities, the third answer above, is not black and white. This is exactly what gray hats do for a living. Now that more companies such as Google and Microsoft are offering “bug bounties”, some people are attracted to the challenge and the money involved. In fact, in an article called “Hacking for Good”, Bloomberg Business exults, “Hats off to the white hats. These hackers, who break into computer networks and digital devices to find holes before the bad guys do”. It points to Barnaby Jack as one of these heroes. At Black Hat in 2010, Jack showed how to hack an ATM to disburse cash. This shocking demonstration led to measures to enhance ATM security.

Without a doubt, hacking the Pentagon network to take or extort money, the fourth answer above, is just plain illegal. Criminals use whatever means are available for their ends, and the computer is another tool in their arsenal.

Why hacking matters

The debate over different-colored hats would be academic were it not for the paramount role that computers play in our lives. Nefarious hacking of financial institutions, governments, and power grids is terrifying for two reasons.  Of course, there is the resulting damage, but also the fact that we don’t entirely know how to avoid the incidents. This is where “good hacking”, white or gray hat, is critical. Without the deep system knowledge gained from hacking, our institutions stand no chance of being protected from adolescent mayhem, criminals, or terrorists.

Most education for security professionals has focused on defensive measures. This is not enough to beat the bad guys at their own game. EC-Council declares that its Certified Ethical Hacker (CEH) certification deals with “hacking techniques and technology from an offensive perspective.” To emphasize this point, its next certification step is called Licensed Penetration Tester (LPT).

To take the CEH course or certification test with EC-Council, a candidate is required to have at least two years of “security related experience” and must sign an agreement not to misuse the knowledge in any way. However, because the CEH certification is much sought after, other organizations have created preparation courses. These courses are available to whoever is willing to pay.

Should offensive hacking techniques be taught by EC-Council and other public entities such as universities? A growing number of people are adamant that learning to hack is the way to arm IT personnel to deal with attacks.

What do you think: will this type of education lead to more attacks?

Security Tips & Advice on Safe Internet Browsing Habits

If there is one item that pretty much everyone is familiar with on the Internet, it is the very thing we use to browse it: the web browser. Whether you use Firefox, Chrome or Safari, on a desktop or mobile device, this article concerns you. How you use a web browser has implications for your security posture and for any information that you handle.

1. Do not trust your browser.

It’s simple really: there are just as many ways to compromise a browser and its host operating system as there are to skin the proverbial cat. Software exploits for all major browsers are being developed and sold on the black market and also, officially, by well-known businesses. This means that even if you update regularly and follow good security practices, you are still at risk of having your browser and its host machine compromised. Once that happens, all bets are off. It therefore makes even more sense to develop good habits when it comes to using your web browser.

2. Never store passwords in your browser Password Manager.

Yes, storing them stops you from having to remember them. Well, that’s lovely, but guess who else doesn’t have to remember them? Mr./Ms. Random J. Hacker. All he or she has to do is compromise your browser to get your login credentials for your bank, insurance company or company VPN. There is an option in your settings that stops the browser from ever asking you to save them. Where should you store them? Use an encrypted off-line password manager and keep its database on an encrypted USB stick or drive.

3. Learn how to enable and disable particular browser extensions or plug-ins.

Malicious browser extensions bring security risks, as they often lead to system infection. There are more bugs and exploits for browser extensions and plug-ins than you can conceive. There are many cases where these extensions are needed and cases where they are not. Learn to recognize the difference.

4. Frequently clear your browser cache, saved passwords, cookies, history and form data

Your browser stores data while you are using it: which websites you have browsed, cookies from sites you have visited, forms you have filled in, passwords you have saved (see number 2), and the content of visited websites, such as pictures, videos, scripts and text. All of that data can be used to do bad things. Your browser will work fine without it. If you’re afraid of losing a page you’ve visited, just bookmark it.

5. Do not carelessly give your data and information to a web site.

In the course of browsing the Internet, you will often be asked for various bits of information. It could be something as simple as a user name and a password, but it could go as far as requesting your full name, address, phone number, email, names of siblings and so on. Just because a web site is asking for that information does not mean it actually NEEDS IT. Ask yourself whether that Vintage Cars forum really needs to know where you live. If you do not intend to buy something or do business with a website, refrain from providing such information.

6. Install HTTPS Everywhere

When data is transmitted to and from a website, it can be done in a secure way or an insecure way. The secure way uses HTTPS, the insecure one uses HTTP. When data is transmitted over HTTP, an attacker could intercept your traffic and read or modify it at will while you’re browsing. If HTTPS is used instead, intercepted traffic is encrypted and cannot be read. That’s a gross over-simplification, but it will suffice in this context. Not all websites support HTTPS, but by using the browser extension HTTPS Everywhere you automatically force any website you visit (that supports HTTPS) to use HTTPS by default. Remember to always check with your IT department before installing anything on your machine.
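Tips 2, 3, 4 and 6 above can be enforced for a whole organization rather than left to each user’s habits. The following is an added example, not part of the original post: a Chrome managed-policy file, which on Linux lives at /etc/opt/chrome/policies/managed/browsing-habits.json, that disables the built-in password manager, blocks extension installs except for an allowlisted one, wipes history, cookies, cache, saved logins and form data on exit, and forces HTTPS-only mode. The policy names are Chrome’s documented enterprise policies; the allowlisted extension ID is a placeholder to be replaced with the ID of an approved extension. Firefox offers the equivalents PasswordManagerEnabled, ExtensionSettings and SanitizeOnShutdown in its policies.json.

```json
{
  "PasswordManagerEnabled": false,
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["PLACEHOLDER_APPROVED_EXTENSION_ID"],
  "ClearBrowsingDataOnExitList": [
    "browsing_history",
    "download_history",
    "cookies_and_other_site_data",
    "cached_images_and_files",
    "password_signin",
    "autofill"
  ],
  "HttpsOnlyMode": "force_enabled"
}
```

One caveat a practitioner would add today: the HTTPS Everywhere extension has since been retired by the EFF because browsers now ship an HTTPS-only mode natively, which is what the last policy line turns on.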

Some simple habits will make your browsing experience and your information safer. It is easier to avoid bad habits than to break them. Now is the time to give up these bad security habits. Use the technology tools available to move your organization’s security habits in the right direction. Practicing these habits does not guarantee that your browser won’t be compromised, but at least you won’t be the “low-hanging fruit.”

Facebook cares about your Privacy

The social network is rolling out a security feature that lets users use the OpenPGP encryption standard to protect e-mail notifications sent by the company, and share their public encryption keys with their friends or with the public. The feature is being rolled out to users starting June 1st 2015.

PGP, short for “Pretty Good Privacy,” is a way of scrambling emails or other chunks of text so that, in theory, only the intended recipient can read them. To use PGP, you create a pair of keys, essentially long strings of letters and numbers used to encrypt and decrypt a message. One is a public key that you can share with everyone; the other is a private key that you keep a closely guarded secret. People can then use the public key to create a message that can only be deciphered using your private key. That way, even if someone is able to intercept your email, they can’t read the encrypted messages.

Incorporating PGP into Facebook could help protect activists who use the service for political organizing, though it won’t protect all Facebook communications.

Facebook can use PGP to encrypt emails it sends you, such as new-message notifications from other users or password reset requests. But messages sent from you to other Facebook users through Facebook itself will remain unencrypted. That means that if someone gains access to your Facebook account, or Facebook is forced to hand your account over to law enforcement, those messages will be readable. Still, if someone only has access to your email account, and not to your private encryption key or your Facebook account, they won’t be able to reset your password or read private notifications sent to you by Facebook.
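The public-key mechanism described above, as an added example written for this page (it is not Facebook’s code nor any OpenPGP implementation): a hybrid envelope built from Go’s standard library in the same shape OpenPGP uses, where a fresh random session key encrypts the notification and only that short key is encrypted to the recipient’s RSA public key. RoundTrip plays out the threat model in the paragraph above: the account owner decrypts the notification, while someone who holds only the mailbox contents and a key of their own cannot. The 2048-bit RSA-OAEP and AES-256-GCM choices and the sample notification text are this example’s assumptions; OpenPGP’s actual packet format is not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the hybrid ciphertext: a random session key wrapped with the
// recipient's RSA public key, plus the message body encrypted under that key.
type Envelope struct {
	WrappedKey []byte // session key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Body       []byte // AES-GCM ciphertext and tag
}

// Encrypt is the sender's side: anyone holding the public key can produce an
// envelope, but only the matching private key can open it.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // AES-256 key, fresh per message
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt is the recipient's side. With the wrong private key the OAEP
// unwrapping fails and the body is never touched.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Body, nil)
}

// RoundTrip encrypts a notification to the account owner, lets the owner
// read it, and checks that a mailbox thief holding an unrelated key cannot.
func RoundTrip(notification string) (recovered string, mailboxThiefCanRead bool, err error) {
	owner, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	thief, err := rsa.GenerateKey(rand.Reader, 2048) // constructed: attacker's own, unrelated key
	if err != nil {
		return "", false, err
	}
	env, err := Encrypt(&owner.PublicKey, []byte(notification))
	if err != nil {
		return "", false, err
	}
	plain, err := Decrypt(owner, env)
	if err != nil {
		return "", false, err
	}
	_, thiefErr := Decrypt(thief, env)
	return string(plain), thiefErr == nil, nil
}

func main() {
	// Constructed sample notification text, not real Facebook mail.
	got, thiefCanRead, err := RoundTrip("A password reset was requested for your account")
	if err != nil {
		panic(err)
	}
	fmt.Printf("owner read: %q\nmailbox thief could read: %v\n", got, thiefCanRead)
}
```

The design point worth noticing is the split of roles: the public key only ever wraps the session key, so the sender never needs anything secret, and compromising the inbox yields ciphertext that is useless without the private key kept elsewhere.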

This is the latest attempt by Facebook to tighten up its security and privacy credentials. Earlier this year Facebook announced that it will help fund the development of GnuPG, an open source implementation of the OpenPGP standard. The company began encrypting all of its web traffic in 2013, making it harder for crooks and spies to eavesdrop on communications, and last year it added support for the anonymity tool Tor. Moreover, WhatsApp, the messaging company Facebook acquired last year, incorporated an encryption system from Open Whisper Systems into the Android version of its app last year.

Meanwhile, Google and Yahoo have been developing a PGP based encryption system for web mail called End-to-End which could help bring PGP to a much wider audience.

Despite its limitations, privacy advocates are welcoming the new Facebook feature as an important step towards improving security online.

There are things that Facebook does that we don’t want: the advertising business requires that it collect more data than we would like. However, its security team wants to work with the privacy community, and there it can make a real difference. Although it’s tempting to say that people with serious security concerns simply shouldn’t use Facebook, Facebook has a billion and a half users and they are not going away. Facebook, even if it’s not going to be an organizing platform, will always be an outreach platform. It will be a place where people go to do political work, and letting people secure the accounts they use to do that political work is really important. The most important thing for now may be getting more people to use PGP and improving the ecosystem of tools that support the standard. In my opinion Facebook is acting as a trend leader, dragging other big platforms into this world. When you think about it, if only a thousandth of a percent of Facebook’s users end up using this feature, that’s still 15,000 people. By adopting these tools, Facebook is making it harder for criminals to steal your credentials or read your messages, and that’s a good thing because it improves the overall security of Facebook. These tools build a better internet for everyone.

Cyber extortion is on the rise

In 1824, the Duke of Wellington received a letter from a publisher threatening to publish a memoir by his former mistress. The publisher offered to keep the Duke out of the book in exchange for a sum of money. The Duke reportedly sent the letter back with “Publish and be damned” scrawled on the back.

Fast forward to the present day: extortion not only exists but is thriving. In fact, it has bled over into the digital world.

Over the last couple of years, cyber extortion has revolved around the most valuable aspect of the digital age: data. The first case of cyber extortion, as reported by Thomas Whiteside in his book Computer Capers, occurred in 1971, when two reels of magnetic tape belonging to a branch of the Bank of America were stolen at Los Angeles International Airport. The thieves demanded money for their return, but the ransom was not paid because tape backups were available. Things have escalated since.

Cyber extortion has taken on multiple forms, all focused on data: encrypting data and holding it hostage, stealing data and threatening exposure, and denying access to data:

  • Ransomware – As the name suggests, ransomware is a type of malware propagated via the traditional means: phishing emails, website drive-bys, malvertising. Once the victim’s device is infected, the ransomware encrypts the victim’s private files before popping up a message demanding a ransom in exchange for the encryption key. A devastating case of ransomware was CryptoLocker, where the attackers demanded payment of $300 in Bitcoins within three days, not only to decrypt the files but to prevent them from being destroyed forever.

  • Denial-of-service attacks – A denial-of-service attack is when an organization’s website or online business is flooded with so much traffic that legitimate users are denied access. In an extortion situation, the cyber extortionists demand money to stop the DDoS. These attacks can be difficult to stop and hit revenue directly. Many tech startups are reportedly targets because they do not have the infrastructure to defend against them. Meetup, Basecamp, Bit.ly, Shutterstock and MailChimp have all been targeted.

  • Holding sensitive data hostage – Stealing data and threatening exposure is nothing new. In 2007, Nokia paid millions of euros to ensure that an encryption key for its Symbian OS would not be released to the public. In June 2014, a cyber-extortionist group called Rex Mundi claimed it had customer records for 650,000 European Domino’s Pizza customers and threatened to release them if the company didn’t pay a ransom of about $41,000. In January 2015, the same group threatened to release 30,000 emails containing sensitive data if a bank didn’t pay a ransom. Neither victim paid.

  • Holding AWS accounts hostage – In June of last year, an attacker took over Code Spaces’ AWS administrative panel and offered to return control for a price. When the company refused, the attacker began to delete data, backups and configurations, putting Code Spaces out of business. The same pattern of attack hit Websolr and Bonsai, two search infrastructure services provided by One More Cloud LLC, but they managed to recover.

One of the reasons these attacks have grown exponentially is the availability of digital currency. Instead of having to deal with physical cash and paper trails, extortionists now benefit from anonymized digital transactions with Bitcoin. Anyone can set up a Bitcoin wallet address without any financial oversight, which means any cyber extortionist can carry out an attack and extract payment.

Is there anything that can be done to prevent cyber extortion? Quite simply, identify and categorize your data, and spend your efforts protecting the most critical data. The easiest way to do this is by moving your data to the cloud. Why? Because when your data is in a corporate-approved cloud storage application, you know exactly where it is, rather than having it distributed across multiple endpoints, personal email accounts and internal servers in data centers. The combination of security from your cloud application vendor and a cloud access security broker probably delivers better security than most organizations can for their internal data center.

As long as companies continue to pay ransoms when attacked, we should expect cyber extortion to continue for a long time.

VoIP: The latest security threat for businesses

More businesses than ever are jumping on the Voice over IP (VoIP) bandwagon today. Aside from significant cost savings compared to traditional phone services, VoIP also offers many value-added features such as voicemail-to-email transcription, barge and whisper service, call screening, conferencing, music on hold, call routing, portability, and increased flexibility and mobility for employees who are always on the move or required to travel. Although VoIP’s advantages have plenty to offer the business world, companies also need to secure the voice technology. In this article I am going to discuss VoIP security and ways you can protect your business.

Studies show that over 75 percent of US businesses are using VoIP telephone systems as their primary telephone system. As the many advantages of hosted VoIP become increasingly evident to businesses, I think it’s important to clear up a basic misconception when it comes to security: even if you are connected to your VoIP system through an insecure Wi-Fi network, that does not mean your VoIP system is automatically vulnerable to hackers.

In order to get into the VoIP system, additional passwords are required, and the conversations themselves are encrypted. Undoubtedly the ability to have your phone accessible across multiple platforms makes it more exposed in general, but the security concerns relate to data network and hardware security, not to VoIP itself.

When it comes to securing VoIP, businesses need to go above and beyond basic compliance and become proactive in securing VoIP technology from hackers. Since VoIP packets flow over the network (just like data packets do), sensitive corporate information could be intercepted. Some of the same threats that affect data networks can also affect VoIP.

Other threats that can affect VoIP systems are:

  • Conversation eavesdropping/sniffing
  • Default passwords
  • Hacked voicemail
  • Identity spoofing
  • Man-in-the-middle exploits
  • Denial of Service (DoS) attacks
  • Toll fraud
  • Web-based management console hacks

VoIP security is a challenge for many companies, but the bottom line is this: VoIP security should operate on the same rung as network data security, since both forms of data contain valuable information. Remember: the bad guys never sleep; they are always looking for new and innovative ways to hack into business VoIP systems.

Security practices for every company should include:

  • Separating data traffic from voice traffic by creating two VLANs.
  • Protecting the remote admin interface with a complex password and a non-standard port.
  • Encrypting sensitive voice traffic.
  • Using Session Initiation Protocol Secure (SIPS) for protection from eavesdropping and tampering.
  • Applying physical and logical protection: The VoIP server should be behind a SIP-aware firewall and intrusion prevention system (IPS).
  • Creating user names that are different from their extensions.
  • Keeping VoIP systems always up-to-date and patched.
  • Limiting calling by device.
  • Using encryption to secure calls.
  • Setting strong security policies.
  • Utilizing traffic analysis and deep packet inspection (DPI).
  • Properly securing VoIP gateways.
  • Using a strong voicemail 6-digit passcode or device certificate.
  • Deleting sensitive voicemail messages.
  • Removing mailboxes when employees leave the company.
  • Limiting invalid login attempts.
  • Restricting type of calls allowed on the network and implementing time of day policies.
  • Disabling international calls by default.
  • Security awareness training for employees.
  • Requesting that all employees report odd occurrences.

Of course some of these practices may not be feasible for every company. With that in mind, here are three tips for maintaining VoIP system security:

Restrict password permissions. Business-grade VoIP apps have an extra layer of security that has to be activated in order for a user to connect. When launched on a computer, a VoIP unified communications (UC) app requires users to log in with their unique user name and password every time. Companies can restrict the “remember me” option and require users to sign in every single time. That means that even if the VoIP app on the computer is compromised, there will always be another password that would need to be cracked as well in order for someone to get into the system.

Use the available safeguards. It should be said that even if hackers managed to get the password and break into one phone, it would not affect the entire network; it would only affect one user. Fortunately, most business-grade services have “fraud detection” monitoring and can determine if an unusual number of minutes is being racked up and flag it. Watch user trends and stay on top of alerts or changes in tracked usage.

Lastly, exercise common sense when working remotely. Common sense is one of the main security measures you can employ. It’s simply about being aware of your surroundings and of where you keep your passwords.
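Several of the practices listed earlier (disabling international calls by default, time-of-day policies, limiting calling by device) and the fraud-detection monitoring in the second tip come down to the same mechanism: reading call detail records against a policy and alerting on outliers. The following is an added example written for this page, not a vendor’s product code: a small Go program that parses a constructed CDR export and emits one alert per violation, including the “unusual number of minutes” signal. The four-field record layout, the 00/011 international trunk prefixes, the fictitious 555 and 07700 900 numbers and the policy thresholds are all assumptions; a real deployment would read the PBX’s own export format and dial-plan classes.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// CDR is a minimal call detail record of the kind a PBX or hosted VoIP
// service exports; this field set is an assumption for the example.
type CDR struct {
	Ext     string // calling extension
	Dest    string // dialled number
	Hour    int    // local hour the call started, 0-23
	Minutes int    // billed minutes
}

// Policy encodes three of the practices above: international calls off by
// default, a time-of-day window, and a per-extension daily minute budget.
type Policy struct {
	AllowInternational  bool
	OpenHour, CloseHour int // calls allowed when OpenHour <= Hour < CloseHour
	MaxMinutesPerExt    int
}

// sampleCDRs is a constructed export, one call per line: ext,dest,hour,minutes.
const sampleCDRs = `1001,5550100,9,3
1001,5550198,14,12
1002,011447700900123,11,45
1003,5550133,2,7
1004,5550142,10,60
1004,5550177,15,75`

// ParseCDRs turns the comma-separated export into records, rejecting
// malformed lines rather than silently skipping them.
func ParseCDRs(raw string) ([]CDR, error) {
	var out []CDR
	for i, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(line, ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", i+1, len(f))
		}
		hour, err := strconv.Atoi(f[2])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad hour: %w", i+1, err)
		}
		mins, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad minutes: %w", i+1, err)
		}
		out = append(out, CDR{Ext: f[0], Dest: f[1], Hour: hour, Minutes: mins})
	}
	return out, nil
}

// isInternational uses the 00 (ITU) and 011 (North American) trunk prefixes;
// a real deployment would use the PBX's dial-plan classes instead.
func isInternational(dest string) bool {
	return strings.HasPrefix(dest, "00") || strings.HasPrefix(dest, "011")
}

// Alerts returns one line per per-call policy violation, then one per
// extension whose day's total minutes exceed the budget.
func Alerts(p Policy, calls []CDR) []string {
	var alerts []string
	totals := map[string]int{}
	for _, c := range calls {
		totals[c.Ext] += c.Minutes
		if !p.AllowInternational && isInternational(c.Dest) {
			alerts = append(alerts, fmt.Sprintf("ext %s: international call to %s while international dialling is disabled", c.Ext, c.Dest))
		}
		if c.Hour < p.OpenHour || c.Hour >= p.CloseHour {
			alerts = append(alerts, fmt.Sprintf("ext %s: call to %s at %02d:00, outside %02d:00-%02d:00", c.Ext, c.Dest, c.Hour, p.OpenHour, p.CloseHour))
		}
	}
	exts := make([]string, 0, len(totals))
	for e := range totals {
		exts = append(exts, e)
	}
	sort.Strings(exts) // map iteration is random; keep output deterministic
	for _, e := range exts {
		if totals[e] > p.MaxMinutesPerExt {
			alerts = append(alerts, fmt.Sprintf("ext %s: %d minutes today exceeds budget of %d", e, totals[e], p.MaxMinutesPerExt))
		}
	}
	return alerts
}

// RunSample applies an assumed default policy to the constructed export.
func RunSample() ([]string, error) {
	calls, err := ParseCDRs(sampleCDRs)
	if err != nil {
		return nil, err
	}
	return Alerts(Policy{AllowInternational: false, OpenHour: 8, CloseHour: 19, MaxMinutesPerExt: 120}, calls), nil
}

func main() {
	alerts, err := RunSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Println(a)
	}
}
```

On the sample data this raises three alerts: extension 1002 dialling an international number, extension 1003 calling at 02:00, and extension 1004 racking up 135 minutes against a 120-minute budget. The per-call rules are preventive policy checks; the minute budget is the trend signal the second tip asks you to watch.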

Calling it a VoIP security issue when someone has your passwords is like calling it a bank security issue when someone takes your money after finding your card and PIN together: it’s not.

No network is perfectly secure. But having a clearer understanding of VoIP and its security measures together with basic practices that every company should implement will help ensure better overall security for all users. It will also help businesses looking at their phone options to consider the real risks and benefits of VoIP in achieving success.