Wednesday 30 September 2015

“Hunted” - A technology view

How many of you have been watching Hunted on Channel 4?  I have been an avid viewer since the first episode and have to say it has been an eye opener.  I was surprised how much surveillance there is in the UK, allowing people to be traced by mobile phone and ATM usage, number plate recognition and CCTV footage, but more concerning was the digital footprint people were leaving, where every step could be traced.

Mobile 
The mobile phone has become the hub of many people’s lives.  In a short period of time it has gone from being a device to make calls, which could then send text messages and play Snake, to being the hub of all communications: work email, personal email, social media, text and picture messages, video calls, tracking our movements for fitness, our music, video and photograph repositories, and we sometimes even use them for telephone calls!

I know that if I misplace my mobile phone, I’m at a loss, but that’s probably the subject of another blog post.  In the show, they talk about phone tapping and triangulation, but more concerning was how people didn’t have any security on their devices, giving immediate access to everything on the device.

Smartphones are lost or damaged on a seemingly regular basis, but thankfully there is the option to back up the device’s applications and data to a public cloud service.  This functionality is offered by the main operating system providers, such as Google, Apple and Microsoft, as well as manufacturers such as HTC.  This can only be a good thing, except that anyone who has your password can restore the backup.  This would give access to text messages, browser history, and other private and sensitive information.

Email
Unless you are paranoid or technical, you probably have a web based email account provided by Google, Microsoft, Yahoo, etc., as the convenience of a web based email account outweighs any benefits of running your own mail server for your own domain.

Internet based services are easy to reach and offer convenience, but that also means you are open to having your account compromised by a hacker.  On the show, access to one email account was gained immediately, as the password was saved by the browser.

A recent episode showed the use of a phishing attack, where a seemingly legitimate email was sent with a link, which led to a website asking for a password.  As most people use the same password for multiple websites, having one password can open access to many online accounts.

Google searches
In the show, internet searches were used to discover what the user was researching prior to being hunted.

I’ve never been worried about what I’ve been searching for on the internet, but if you are, there are private browsing modes offered by the major browsers.  Although this means that your searches are not cached and no cookies are stored, the search provider and the ISP (Internet Service Provider) you’re using will still know, as they have to deliver the service.

If Internet anonymity is important, then using tools like the TOR network, with its software and thousands of routers, gives you the ability to hide your identity and usage.  This can be great for privacy, but can be a threat to national security.

Social media
The internet revolution of social media allowed us to find our friends and share information.  For people to find you, you have to place a certain amount of information on the internet, but many people over share, leaving a lot of information about themselves online.

The researchers on the show used internet searches to see what they could find about the subject.  When that wasn't enough they also used the user's devices for access to social media accounts, where again passwords were either saved by the browser or written down on a piece of paper nearby.

Location Services
The ability for your apps to have location information improves the app experience.  One of the primary uses is for mapping, allowing the device to be located on a map.  It’s not commonly known that location services are typically switched on for a mobile phone camera.  This has a use if you are taking a photograph to share on social media, telling everyone where the photograph was taken.  The downside is that the properties of the photograph show the location, which may not be useful if you don’t want people knowing where the photograph was taken.

I haven’t seen this used on the show, but it would have been useful in locating people beyond the mobile phone triangulation and number plate recognition.

Protecting Mobile Devices 
Smartphones are ubiquitous, and are incredibly powerful devices to have in our pockets.  I met someone recently who didn't trust smartphones, so has a non-smart mobile phone.  There are some simple measures that can be used to protect the device.

Create a PIN or password for the device.  Yes, it can be a pain to have that, but it’s protecting the device and its contents.  You will also be able to set the device to wipe itself if an incorrect PIN/password is entered a number of times.

Ensure your device is backed up regularly, so even if the device is lost or stolen, the data won’t be.  The cloud storage and cloud backup account must have a strong password, and there is often the option to use two-step verification, where a code is sent via SMS to the registered mobile device.  If it’s too easy for you to access the account, it’s too easy for a hacker to access it as well.

Protecting Email 
Sounds like simple advice, but harder to execute.  Use different complex passwords for each of your online accounts, don’t allow your browser to remember the passwords, and switch on two step or two factor authentication where possible.  

There are applications to help remember complex passwords, but a popular one, KeePass, was recently discovered to have a security flaw.  Just don't write down your passwords, and certainly don't keep them next to your computer or tablet!

As ever, ensure the sites asking for your passwords are legitimate sites, and simply delete anything that looks “fishy”!

Protecting Browser History 
Browsers can be set to delete search history either automatically or manually, as the search history is cached automatically.  Most browsers will have a private browsing feature, where the history is not stored and neither are cookies, which are typically created when visiting a website.  The issue with cookies is that they can be read by other services.  For example, if you search for a computer game, you will see advertisements for that game on subsequent websites.  This information is stored in a cookie and read by advertising services.  Keep in mind that sites visited will be tracked by the ISP delivering the content, so your Internet history will never truly be private.

TOR can provide anonymity to the user, but the traffic and content can be seen at the exit node, and performance can be poor due to the bandwidth available.  It certainly won't offer the media and feature rich Internet experience we've come to expect.  If you have something to hide, TOR may be the way forward, but the sacrifice may not be worth it.

Protecting Social Media
Think about what information you want about you out on the internet.  Imagine if anyone could have full access to your profile: what could an unscrupulous person do with that information?  Is your password made up of your favourite team, band, child’s name, mother’s maiden name, pet’s name, etc.?  Then think whether that information is on your public profile.  Set privacy settings to ensure only the people you want can see the information you want them to.

Protecting Location Information
If you need to hide your location but want to use social media, check the location services and whether they are enabled on your applications, especially your mobile/tablet apps.  Check the settings for your camera as well.  Even if location services are stopped for social media, the properties of the photograph can still contain the location where it was taken, if the feature has not been disabled on the camera.
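As an added illustration of the point made here and under Location Services (this is not code from the original post): a small Python script that reads the GPS position out of a JPEG's EXIF block and strips that block before the photo is shared. The JPEG it builds is a constructed fixture carrying only the GPS tags, not a real photo, and the function names are my own.

```python
import struct

def build_exif_jpeg(lat, lon):
    """Constructed fixture: a minimal JPEG whose APP1/EXIF block carries a GPS IFD."""
    # Little-endian TIFF: header (8) | IFD0 at 8 (18 bytes) | GPS IFD at 26 (54 bytes) | rationals at 80
    dms = lambda deg: struct.pack("<IIIIII", round(abs(deg) * 10**6), 10**6, 0, 1, 0, 1)  # deg, 0', 0"
    tiff = b"II*\x00" + struct.pack("<I", 8)
    tiff += struct.pack("<HHHIII", 1, 0x8825, 4, 1, 26, 0)          # IFD0: one entry, GPSInfo (LONG) -> 26
    tiff += struct.pack("<H", 4)                                     # GPS IFD: four entries
    tiff += struct.pack("<HHI", 1, 2, 2) + (b"N" if lat >= 0 else b"S") + b"\x00" * 3  # GPSLatitudeRef
    tiff += struct.pack("<HHII", 2, 5, 3, 80)                        # GPSLatitude: 3 RATIONALs at 80
    tiff += struct.pack("<HHI", 3, 2, 2) + (b"E" if lon >= 0 else b"W") + b"\x00" * 3  # GPSLongitudeRef
    tiff += struct.pack("<HHII", 4, 5, 3, 104) + struct.pack("<I", 0)  # GPSLongitude at 104, next IFD = 0
    app1 = b"Exif\x00\x00" + tiff + dms(lat) + dms(lon)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment before the scan data (SOS) or EOI."""
    i = 2  # skip SOI
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF and jpeg[i + 1] not in (0xD9, 0xDA):
        end = i + 2 + struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        yield jpeg[i + 1], i, end
        i = end

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None if the photo has none."""
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        t = jpeg[start + 10:end]
        e = "<" if t[:2] == b"II" else ">"  # byte order from the TIFF header
        u = lambda fmt, off: struct.unpack(e + fmt, t[off:off + struct.calcsize(fmt)])
        def ifd(off):  # tag -> raw 12-byte directory entry
            return {u("H", p)[0]: t[p:p + 12] for p in range(off + 2, off + 2 + 12 * u("H", off)[0], 12)}
        def coord(entry):  # three RATIONALs (deg, min, sec) stored at the entry's offset -> decimal degrees
            d, m, s = (u("II", struct.unpack(e + "I", entry[8:12])[0] + k) for k in (0, 8, 16))
            return d[0] / d[1] + m[0] / m[1] / 60 + s[0] / s[1] / 3600
        ifd0 = ifd(u("I", 4)[0])
        gps = ifd(struct.unpack(e + "I", ifd0[0x8825][8:12])[0]) if 0x8825 in ifd0 else {}
        if not all(tag in gps for tag in (1, 2, 3, 4)):  # Ref + coordinate for both axes
            return None
        lat = coord(gps[2]) * (-1 if gps[1][8:9] == b"S" else 1)
        lon = coord(gps[4]) * (-1 if gps[3][8:9] == b"W" else 1)
        return round(lat, 6), round(lon, 6)
    return None

def strip_exif(jpeg):
    """Copy the JPEG without its APP1 segments, so no EXIF block (and no GPS) leaves with the photo."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1:
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])
```

Running `extract_gps` over a photo you are about to post is the check; `strip_exif` is the fix when the camera's location tagging was left on.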

Hunted?
If you are really being hunted, then this is only basic advice, but much like the IT security adage, “It’s not if, but when you’re hacked”, it may well be that it’s not if they find you, but when!

Monday 28 September 2015

LinkedIn – the hacker’s research tool [Link - MTI Bytes]

Here is a repost of a piece I wrote for our work blog: http://www.mtibytes.com/post/LinkedIn-the-hackers-research-tool

=================

As of July 2015, LinkedIn has approximately 380 million users worldwide, a number that is continuing to grow. The social media platform is very useful for networking in the business world. It invites users to share their online CV with other industry professionals and establish contacts, publish industry commentary, and research potential employers or candidates.

Reconnaissance
The security risks of sharing personal details on other social media platforms like Facebook have been well documented, but for enterprises, LinkedIn can be equally dangerous. LinkedIn pages can provide a considerable level of detail to potential cyber attackers: names, job titles, email addresses, partnering organisations, upcoming projects, and even hobbies and interests. At first glance, this information might seem relatively trivial, but it forms part of the ‘cyber kill chain’ and can lead to malicious attacks.

For hackers, LinkedIn can inform the ‘plan of attack’. Employee and company profile pages can help hackers identify a target; source the names of executives and department heads; and learn the email structure; as well as the names of affiliated companies.

This leaves organisations vulnerable to a range of cyber attacks. One example is spear phishing: a targeted person receives an email inviting them to access a link, which initiates the installation of malicious software.

Socially engineered access
Emails from known sources (a colleague, for example) and information about hobbies can instill confidence in the targeted individuals, making them more likely to click on the link.

The name drop of the company CEO could create a false air of familiarity, which might spur someone to act hastily and neglect to follow the correct channels. It’s not hard to imagine that an IT helpdesk might grant a ‘known employee’ remote access in response to a pleading call or email to finish time-sensitive work on a Friday afternoon.

This might provide the hacker with the name, job title, and email address of a company employee, all of which are readily accessible on LinkedIn. In return, he stands to make financial gains, steal data, or simply obtain secure company information.

Human error
Perhaps most worrying is that this issue isn’t one that can simply be remedied with protective software. No technical solution can prevent an attacker from conducting an Internet search. LinkedIn and other social media profiles are often among the first to appear in a list of search engine hits. Once the attacker has deployed the malicious software, cajoled an employee, or gained remote access, the key goal is theft, whether for more information, financial remuneration, or data.

Education is the answer
As our virtual presence continues to grow, there needs to be more awareness raised inside organisations about the potential risks of basic company details falling into the wrong hands. To safeguard company information and data, enterprises should attend more closely to what they wish to make visible to whom.

As more of our private lives are made public and readily available on the Internet, education becomes the vital component. Organisations should be looking to provide this level of training to all employees, or risk the consequences.

Monday 7 September 2015

Multi-factor authentication – a smart approach to IT security [Link - MTI Bytes]

Here is a repost of a piece I wrote for our work blog: http://www.mtibytes.com/post/Multi-factor-authentication-a-smart-approach-to-IT-security

=================

Last week, I wrote about the need for businesses to rethink the use of secret questions as a security measure. The Web and social media create a goldmine of user information, which astute hackers can access to answer security questions.

So, what is a preferable alternative for proving a user’s identity? One of the more effective methods is multi-factor authentication.

What is multi-factor authentication? 

Multi-factor authentication is a security system that requires two or more independent credentials to verify a user’s identity.

A user might, for example, be required to provide information that they already know, such as a username, password or PIN. Combined with this, they may be asked to provide information given to them from a token or device – a passcode sent via SMS to a known mobile phone, for instance.

Other authentication methods rely on something on the user or where the user is located, through measures such as biometrics, iris scans, fingerprint readers and geo-location.

A combination of any of these methods results in multi-factor authentication. It is currently widely used for personal services such as email and banking. And in the US, there have been calls for the method to be issued directly for all forms of Internet banking. Such is the confidence in this form of security.
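To make the “something you know plus something you have” idea concrete, here is an added example (not from the original post or from MTI) of a login check that requires both a password and a one-time code from a token. It uses a time-based code (RFC 6238 TOTP) rather than the SMS code described above; the account record, password and secret are constructed, and the function and class names are my own.

```python
import hashlib, hmac, os, struct, time

def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation, zero-padded decimal code."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"

class Account:
    """Constructed user record: a salted PBKDF2 password hash (know) and a TOTP secret (have)."""
    def __init__(self, password, totp_secret):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        self.totp_secret = totp_secret
        self.last_step = -1  # newest time step already accepted, so a captured code cannot be replayed

def verify_login(acct, password, code, now=None, window=1):
    """Both factors must pass.  Codes from `window` adjacent steps are accepted for clock drift,
    but a step at or before the last accepted one is refused, which blocks replay of a seen code."""
    now = time.time() if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 200_000)
    pw_ok = hmac.compare_digest(candidate, acct.pw_hash)
    matched_step = None
    for drift in range(-window, window + 1):
        step = int(now) // 30 + drift
        if step > acct.last_step and hmac.compare_digest(totp(acct.totp_secret, step * 30), code):
            matched_step = step
    if not (pw_ok and matched_step is not None):
        return False
    acct.last_step = matched_step  # consume the code only on a fully successful login
    return True
```

A password alone, or a code alone, never gets in; a code that was accepted once is refused a second time even if the password is right.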

What are the benefits of multi-factor authentication? 

1. Proof and compliance 

With multiple authentication methods in place, it becomes more difficult for hackers to access the service or website. It also makes it harder to deny an action.

For example, many online banking systems use a combination of passwords, PINs, tokens, SMS and unique codes, to ensure transactions are genuine. By using multi-factor authentication, banks can tie their compliance processes to specific users so the actions cannot be denied.

2. Protection can be free 

Service providers such as Apple's iCloud, Gmail, eBay and Facebook have options to switch on a two-step verification process. If a user tries to log in from a new device, browser or different country, they will be prompted to enter a code, sent to their registered mobile phone number.  The security is there and it is free in many cases!

3. Cloud support

As more cloud-based applications like Salesforce and Microsoft Office 365 enter the workplace, security will become a more complex concern for IT decision-makers. Multi-factor authentication has a critical role to play in addressing some of these concerns. In fact, there are already products available, such as SAML, which offer multi-factor authentication and are designed specifically to support cloud applications.

What are you waiting for? 

Multi-factor authentication presents a very clear upgrade from the simple security question method. The shift to a multi-factor authentication method will add an extra layer of protection against security breaches.

Friday 4 September 2015

4 simple tips for bolstering your business’ security [Link - MTI Bytes]

Here is a repost of a piece I wrote for our work blog: http://www.mtibytes.com/post/4-simple-tips-for-bolstering-your-business-security

=================

High-profile breaches continue to dominate the news agenda. Stories of compromises to email systems, retail outlets, Internet auction sites and Apple's iCloud service, show no online service is safe from hackers.

Many of these incidents are the result of accounts being far too easily accessible to hackers. Nowadays, these types of hacks are commonplace, and they will likely increase as social media uptake grows further. The more that users share personal information online, the more insecure security questions will become.

There are several issues associated with security question authentication that all businesses should address, through educating employees, as well as reviewing current security protocols and processes.

1. Avoid simple passwords

Despite repeated warnings from the IT industry, the most commonly used passwords in 2014 were ‘123456’ and ‘password’!  With the use of relatively simple passwords, IT security can be compromised within seconds using a dictionary attack.

2. Secret questions aren't so secret

On the surface, a personal security question may seem like a secure way to reset a password. However, what is often overlooked is the huge volume of personal information accessible via the Internet.

Consider, for example, the amount of information that Facebook alone archives about a user’s personal relationships, education, location, employment history and interests. Once a user’s information is out there, there is no way to control, edit or delete it.

A great example of this is the Paris Hilton phone-hacking scandal of 2005. In that case, the T-Mobile Sidekick device had an internet-facing dashboard. To recover their password, users had to answer security questions including what their date-of-birth and pet’s name was. In reality, all of Paris’ security questions could be answered via an Internet search engine!

3. Mix it up

There is always a balance between usability and complexity. We encourage people to use a mixture of upper and lower case letters, special characters and numbers. In reality, this usually results in more password resets, as complex passwords are easier to forget.

4. Be streetwise – does it seem phishy?

Users often receive emails that appear to be from their service provider. The email will stipulate an issue with their account and require an immediate password reset, change or confirmation.

The user will enter their password and be presented with a failed message screen or a confirmation. If the hacker is especially clever, they will synchronise the password with the service provider, so that everything appears normal.

Even with strong and complex passwords, users can still be victims of phishing.  To prevent phishing attacks, users should always check the legitimacy of emails before opening them. If it seems fishy (excuse the pun), ignore it or delete it.

Moving beyond security passwords

Security passwords were once a relatively secure concept. That was until the proliferation of digital technologies and social media took full effect. As security solutions become more complex, the methods of authentication will need to follow suit. In the next blog post, we’ll discuss how multi-factor authentication may be the way forward.