Knocked into a cocked (Panama) hat

11 04 2016

Unless you’ve been living under a rock for the past week you can’t have failed to be aware of the ‘Panama Papers’. 2.6Tb of data, 11.5m documents, 30,000 lorries worth if you printed then out and so on and so forth.

Information relating to offshore companies, tax avoidance and (possibly) tax evasion, dodgy art deals, alleged money laundering activities, corrupt country leaders and multi millionaires.

So what has this to do with my reader base? Well unless you’ve been keeping something from me and you’re actually an international bad guy, up there with Scaramanga and Blofeld, not a lot on the face of it.

But, let’s just take a step back and look at this from a slightly different angle.

Here we have a law firm, Mossack Fonseca, who prided themselves on guaranteeing confidentiality, indeed on their web site under data security they say “Your information has never been safer than with Mossack Fonseca’s secure Client Portal”. The people they dealt with chose them because they didn’t want their activities to be under public scrutiny, they designed company structures to be obscure and obtuse, everything was geared towards secrecy.

And yet, based on reviews carried out by various security firms, they were running software that was not only out of date, but which had well publicised (and exploited) vulnerabilities. Their servers were not protected by firewalls, the secret data was unencrypted, and it appears their monitoring was so poor (or maybe non-existent) that they failed to notice the exfiltration of vast amounts of data over many months.

So, just to repeat, this company existed in a world where secrecy and confidentiality was everything. Where their customers made fundamental assumptions that their activities would remain hidden from public gaze, and that they could trust their lawyers to protect their interests at all times.

Despite all of that, this organisation appears to have disregarded pretty much every rule of information security.

So if a firm operating in that environment could be so bad at looking after their customer’s data, what about the thousands of other companies with an internet presence who are holding YOUR data. The small (and not so small) organisations you share your details with on a daily basis, the ones you order from online, send emails to with personal details included, upload files of photos, documents or whatever. How confident can you be that they are any better prepared than Mossack Fonseca?

And that’s why this story is relevant to my readers. Poor information security practices are endemic across all industries and all sizes of organisation. We put up with it because we are not big enough to make the difference on our own, and not rich enough to organise the campaigns necessary to force changes through.

Mossack Fonseca is the 4th biggest player in this field, you can bet the clients of numbers 1,2 and 3 have been asking some very pointed questions over the past few days.

Maybe, just maybe, the exposure of the personal details of the richest, most powerful (and let’s be honest, most scary) people on the planet might be the trigger that pushes achieving real information security to the forefront of the thinking of governments and other influential bodies. Could this incident be the tipping point that’s always eluded us, because as sure as eggs are eggs the hundreds of millions of personal records of ‘ordinary’ people that have been leaked over the past year were not seen as important enough.

Fingers crossed.

David

 

Advertisements




Stand and deliver – your money or your (computer) life

28 03 2016

Ransomware. It’s been around for a few years now but in the last 6 months or so it’s really hit the mainstream press, and therefore entered the consciousness of the ‘ordinary person’. Recent high profile cases include a couple of hospitals in the US, a police station and a local authority in the UK.

Before I go into the details and explore what you can, or more likely can’t, do to protect yourself, I think it’s worth taking a step back and looking at the so called ‘underground economy’ of cyber crime.

Back in the day, the bad guys in the computer world were generally loners who did what they did for kicks and credibility amongst their peers. Very irritating, occasionally brilliant and generally disorganised.

That changed once it became clear that there was money to be made from what has come to be known as cybercrime. The professionals moved in as organised crime saw it as another lucrative string to their bow, promising low risk and high returns. Along with the increased organisation and the massive amounts of money, came demands for structure, specialists, quality control and co-ordination as well as the incessant demand for more and better products.

Nowadays a complete ecosystem is in place that is at least as organised as the mainstream legitimate economy. There are market places for the sale and exchange of everything from software to stolen credit cards. Code comes with money back guarantees, free trials, help manuals and even help desks. Every aspect of the economy has specialists who only focus on what they do best and hand on to the next person in the chain when their part is complete.

Into this mix comes ransomware.

Ransomware is, to put it in simple terms, a piece of computer code that you inadvertantly download to your PC. It might infect your PC via an email attachment, a website or even from an advert you click on. However it gets in, it has one purpose, to encrypt your files, and once those files are encrypted they will stay encrypted unless you can obtain the decryption key. And here’s the clever bit, in exchange for a fee usually in bit coins the bad guys will send you the decryption key.

The first you will probably know about it is a screen that will pop up on your computer looking something like this which is from Cryptolocker,

blog-cryptolocker

but they are all pretty much the same. At that point you have three choices:

  1. Restore your files from the backup (you do have backups don’t you?)
  2. Pay the fee
  3. Accept you have lost the files for ever and just move on.

Option 1 is fine as long as the backups are not accessible from the PC and the ransomware has not already found them and encrypted them as well. Assuming they are OK you simply need to disinfect your PC by running up to date antivirus software (the av software usually runs a day or so behind new ransomware so it might not work immediately – check online), delete the encrypted files and restore from your backups.

Option 2 is not ideal for a couple of reasons. Firstly the current fee is around 4 Bit Coins, which at time of press is about $700. For a company, that might be a small price to pay, for the audience of this blog it’s a not inconsiderable amount. Secondly, whilst it’s in the interest of the bad guys to make the process work, there are a number of reasons why it could fail. There might be an error in their code, there might be a problem with their use of encryption or law enforcement may have found them and taken the website down that’s hosting the decryption key. But as I said previously, this is a business and they are keen to maintain their reputation, and anecdotal evidence suggests that paying the fee will result in you receiving the decryption key.

Option 3 depends on you knowing what’s on your PC and whether you care about it. You still need to disinfect your PC but that’s about it.

So what can you do to protect yourself from ransomware? To be honest, beyond the normal good practice of regularly applying security updates and running up to date antivirus software not a lot. The age old advice of avoiding ‘dodgy’ websites, whilst still valid is not sufficient as many mainstream websites are infected these days (often via their advertisers’ sites). Not clicking on unexpected email attachments or following unknown links in emails is also fundamental good practice but is no guarantee that you’ll be safe.

One thing you might want to consider is to remove the admin rights from your normal account and create a separate account that you only use for admin type things (such as installing software). Some of the ransomware relies on being the Administrator on the box, so if you are logged in as a ‘normal’ user then it won’t work, or at least will only work on those files you control. Not perfect, but something.

The bottom line is that you are in the same position as the rest of us in the Commercial world. You have to expect the attack and then plan your response and try and mitigate the impact.

What stuff on your PC do you care about? Unless you are running a business, it probably boils down to photos and music, with a few personal letters thrown in.

You should make sure that you have backup copies of these important things. My previous blog about the Cloud gives some suggestions, but you could also consider offline backups on USB drives, SD cards or whatever. The main thing is to have them somewhere that is not immediately accessible from your PC, so that if bad stuff happens you’ve still got those photos of great aunt Daisy’s 100th birthday.

So that’s it I’m afraid. Ransomware is here to stay and will get more effective and more prevalent as time passes. Using the Internet gets more like Russian roulette every day, bad stuff is out there and it’s likely to get you at some point. All you can do is do the basics right (many of which I’ve covered in previous blog entries), and know what you are going to do when it’s your turn to get hit.

Depressing? Probably, but like everything else, until the general public really cares about something, governments and business won’t pay attention and get the problems fixed. Internet security is bubbling to the surface but at the moment there is more lip service than customer service being paid to solving the problem. Whilst software companies can get away with writing poor code, ISPs can get away with not caring about what they are hosting and Joe Public continues to do stupid things Internet crime will continue on an upwards tick that shows no sign of flattening out anytime soon.

 

Safe surfing

 

David

 

 

 

 





The Internet of Things and security

7 06 2015

Like so much in the world of computing if you ask 5 people for a definition of the Internet of Things (IoT) you’ll get 10 slightly different answers. So for the sake of balance here’s an eleventh.

In my simplistic view, the IoT refers to those items that can be accessed over the internet but which you would not normally consider as being obvious candidates for internet access, nor indeed as being especially computerised. The examples often quoted are kettles, fridges, heating systems and lighting systems, but the list is literally endless.  Want to check on the charge left in your electric car, then look it up on your smart phone, want to record that television programme, then access your recorder from your office PC, want to turn on your oven, set it from the train on your way home. It was estimated that in 2014 there were 16 BILLION wirelessly connected devices and that by 2020 that number would exceed 40 billion.

So why am I writing about being able to turn your kettle on from your car in a security blog?

Let me take you back to those innocent days when the internet first entered the consciousness of the mainstream, when AOL sent you an endless stream of CDs, when you could either make a phone call OR use the internet and 56k was considered to be fast. Back then no-one really thought about security, no-one considered that bad guys might be able to do bad things over the internet and no-one cared.

Fast forward to 2015 and we are bombarded with stories about hackers, e-crime, government snooping and our personal details being on sale on Russian websites. We are encouraged to use strong passwords and to keep safe online (see my previous blogs) and many of us do take more care about using the internet.

Our world is much more connected, and we are more connected, whether over social media, in our dealings with our employers or our banks, or in our day to day lives, and into this maelstrom comes the Internet of Things.

The problem is that the vast majority of devices that make up the IoT have security settings that hark back to those early days. The chips they use are not designed from a security perspective, the security settings (if they even have them) are weak and easily guessed or broken. They are commodities, produced in the millions and designed to be thrown away, not upgraded or patched, if an issue is found, and these devices are connected to your home networks, to your business networks, to our hospitals and the critical national infrastructure.

In the vast majority of cases we have no idea what can be done with these things above and beyond their advertised use. The same chipsets appear across a range of devices with the settings needed for your kettle enabled, but other possible uses still sitting there in the background. Smart meters for your electricity and gas use come with all of the capabilities on the chips, not just the few that you have decided to pay for, and all of this capability is connected to the internet available to anyone who can find their IP address.

So why should you care? Well in order for you to access your kettle from your train, it has to be connected to the internet. How does it do that? Well it’s sitting in your house, plugged in and raring to go, wirelessly connected to your home network and waiting for you to call. To be on your home network it must be authorised and enabled, which means it has to know about your network and vice versa, which would be fine if it looked after those very sensitive details, but generally speaking it doesn’t. So you have a kettle that is holding the keys to your home network, exposed to the internet with pretty much zero security, and if you can see it, so can the other billions of people with internet access.

That means that with relative ease and a bit of readily available kit, those billions of people can access your home network and the devices sitting on it, such as your PC on whch you do your internet banking, and have a wander around to see what they can find.

That is why your remote access kettle finds its way into  a security blog.

So what can you do about it?

Well, to be butally honest very little. If you want to use these devices you have to accept that you have as much chance of improving the security as you have of changing how a vacuum cleaner works. You buy it as a commodity, you take what the manufacturer offers and you live with it. You can’t go in and change the default password on a kettle any more than you can change the spin cycle on your washing machine.

Obviously not all of these devices have the appalling levels of security that I’ve highighted in this posting and I’m sure that much like the progression from the early days of the internet to today things will improve. Security will start to be considered at the design stage and many of the more obvious errors we see know will be resolved, but as we know it’s a jungle out there and at the moment the consumer is at the bottom of the food chain.

There is nothing that can be done to slow the pace at which these devices are being introduced, and to be honest I for one don’t think anything should be. The IoT presents fantastic opportuniites many of which we are only beginning to realise, and can take us down paths we’d never considered possible, but like any technological revolution it comes with risks and we need to go on the journey with our eyes open.

If you choose to embrace the IoT then you are at the vanguard of a brave new world. We have no idea what it will look like and we have no idea where it will lead us but what we do know is that if there is an opportunity to make an illegal buck out of security weaknesses the bad guys will be queueing up to take full advantage.

And on that happy note I’m going to walk through to the kitchen to put my kettle on for a cup of tea.

As always I’d love to hear your thoughts on what I’ve written so please share your comments below.

Keeps safe and happy surfing

David





Facebook and Security

21 07 2012

Did you know that if Facebook was a country it would have the third highest population in the world? Why should you care? Well, if you get your privacy settings wrong you could be exposing your personal details, innermost thoughts and candid photographs to a community with more than twice the population of the USA.
Before we get into how you can manage your privacy on Facebook, it’s probably worth spending a little while looking at the ethos behind the company and the ideas of its founder Mark Zuckerberg. Whilst not wanting to put words into his mouth, Zuckerberg’s underlying philosophy is that people should share information about themselves, their interests and their communities. His dream is to create an ‘open information flow’. Whilst that may be commendable, in the early days he drew a lot of flak by making the default settings on Facebook ‘Public’ to help realise that dream. Whilst that has changed in recent months they do occasionally revert to type and bring in new functionality that shares everything with the world again. Not a good place to be if you care about your privacy.
So how do you go about checking what Facebook is revealing about you to the world? Your first port of call is to click on the little downward pointing arrow on the top right of the Facebook screen and to select ‘Privacy Settings’. That brings up a screen with a number of options, so lets work through them one by one.
First things first, set the ‘control your default privacy’ to ‘Custom’.
How you connect – this is the most basic level of connectivity with the Facebook world. Who can see your e-mail address and phone number, who can ask to be your friend and who can send you messages. Each of the options offers you three settings ‘Everyone’, ‘Friends of Friends’ and ‘Friends’. For what its worth I have all three of these set to ‘Everyone’.
Timeline and Tagging – now we’re starting to get a bit more intimite with the community. This is where you start sharing information you post, but also control who can post on your pages (which will also be shared don’t forget). I’m more cautious in this area so I have them set to ‘Friends’, except for the two ‘review’ options which I have turned off.
Adds, Apps and Websites – these are the areas where Facebook moves away from you and your world into a much more commercial arena (with you as the focal point). You are now entering the Marketing space and these people want to get your details. Some want to sell you things, some want your endorsement so that your friends will buy things and some are just plain criminal. Click on the first entry and you will see all of the things that you are allowing to access your Facebook details. Thought you had this tied up in the ‘Timeline and Tagging’ settings? Think again! When you clicked on that fun app which let you do something on Facebook and selected the ‘allow to share’ option (and of course you could not use it if you didn’t), did you realise that you have just exposed a whole heap of your details to an unknown company for them to do with as they wish? Have a wander down that list and delete those which you no longer want to be part of. Also, check the last two entries on this screen ‘Public Search’ and ‘Adverts’. The first reveals how much you are exposing to ‘strangers’ when they search for you via a search engine such as Google. the second is a classic Facebook activity’ “We aren’t doing this yet, but if we were this is what would happen”. I’ve set both of these to ‘no-one’. Back to the main list and the next option allows you to retrospectively limit past sharing activity.
Limit the audience for past posts – this is a ‘nuclear option’ but in essence it means that in one stroke you can remove all of the ‘friends of friends’ or ‘public’ access to historical posts. This can’t be undone in a single stroke though.
Blocked people and apps – this is where you can block the stalkers, or those persistant apps which keep trying to make you join them.
So there you have it. Privacy on Facebook is much more granular than it used to be, but you do need to keep an eye on it, just to make sure nothing has ‘reverted’ since you last checked.
In my next post I’ll dig deeper into the world of Facebook from an information security perspective, looking at steps you can take to protect yourself in your posts and sharing some of the Facebook disasters that continue to appear.
As always, if you have any thoughts or comments then please get in touch.

Until next time, surf safely.

David





Some Basic Tips for Internet Safety

14 07 2012

There is a saying that “on the Internet, no-one knows you’re a dog”‘. What this means is that it is very easy to hide your identity, but that cuts both ways. The person you think you are chatting to, or accepting as a friend on Facebook may not be who you think they are. Trust is a basic human instinct, it’s how societies develop, enabling co-operation and progress. The problem is that there are always people looking to take advantage of that situation. When you meet someone in person there are certain actions you follow to assess them. Looks, voice, mannerisms, dress are all used by us to decide whether we are going to like or trust them. First impressions count for a lot and people take great care to create good ones. Interractions on the Internet are no different. A professional looking web site, a well crafted invitation, suggestions of mutual friends, all go a long way towards establishing credibility. Unfortunately on the Internet you are at a disadvantage because it is very difficult to validate the information you are presented with, but it’s not impossible.

So here are a few basic tips you can follow to validate that connection BEFORE you commit.

1. Use Google (or your search engine of choice) to cross check the web site before you pass any information over. Many of the scam sites have been identified and ‘outed’ on the Internet.  A quick Google will bring these to your attention.

2. Before accepting that Linked-in or Facebook friend request, have a look at their profile. Does it look credible, are there errors, does it make sense?

3. Whilst not foolproof, a very simple check is to ‘hover’ your mouse pointer over a URL before you click. Does the address that appears at the bottom of the screen look ‘right’? If you are expecting it to point to your bank, and the address seems to be going to Russia, it probably makes sense to be cautious.

4. If you are going to send personal or financial information to a web site, make sure the connection is secure. The URL should start https (instead of the usual http). This shows that the information will be encrpyted whilst it is being transmitted.

So there you go, a few more tools to add to your bag. The surface has barely been scratched, but as someone else has trademarked ‘every little helps’.

See the next blog for some more hints and tips.

David








%d bloggers like this: