Monday, 26 October 2015

TalkTalk Breach

On Friday 23rd October 2015, it came to light that TalkTalk, the telecommunications and internet provider was subject to a significant cyber-attack.

Some facts have come to light since the disclosure of the attack:

Third time’s a charm
The latest attack was the third cyber-attack in the past 12 months.  It is believe that that this attack has allowed the attacker to steal four million records.  It may also have been up to ten weeks, since the cyber-attack had occurred. 

DDoS as a cover
A DDoS (Distributed Denial of Service) attack was used to overwhelm the existing perimeter solutions.  The large volume of traffic will overwhelm perimeter solutions such as firewalls and IDS/IPS solutions which are there to scan and protect an organisation from malicious traffic.  It seems there was either no or an inappropriate/inadequate DDoS mitigation solution in place.  DDoS attacks are often used as a subterfuge to mask the real nature of the attack.  In this case, it looks like the attacker is flooding a website, whereas the underlying attack is to exfiltrate customer data.

SQL Injection?
It is widely believed that the attack was on the application available on the internet, and using web application testing tools, such as a form of SQL injection attack, were able to access the data.

SQL is a database application, and an SQL injection is the ability to run a query on a database.  Although very useful for database administrator, it gives malicious attackers the ability to query and export a whole database.  The ability to run SQL injection attacks, are typically due to bad administration practices and not properly protecting the database.

Comprehensive data on people
The customer data lost is incredibly comprehensive.  The list below shows the data the attacker was able to obtain.
  • Name
  • Address
  • Email Address
  • Telephone Number(s)
  • TalkTalk Account Number
  • TalkTalk Password
  • Bank Details
  • Partial Credit Card Details

Encryption?
The TalkTalk data wasn't encrypted, meaning the attacker was able to read all the above information.  The data was in clear text, offering no protection to the customer.

Aftermath
It is believed that the Police and BAE Systems are carrying out a forensic investigation on the attack, but this relies on how much of a digital footprint was left during the attack and whether it was recorded at the time.

BEFORE THE ATTACK
As an organisation handling customer information, there are many actions that would help prior to an attack:

Identification of Data
With numerous databases, server shares, cloud storage solutions and user created data; identifying important information, such as customer’s PII (Personal Identifiable Information) and financial information is paramount.

Protection of Data
Once the important information has been identified, methods of protecting the data should be used.  Encryption of data, where the data is encoded using a unique key and can only be decoded with this key, makes the data useless without it.

Testing of Systems
As applications are exposed the internet, such as customer portals, these need to be tested by a third party organisation with little or no knowledge of the application.  A Web Application Penetration Test could have highlighted some of the shortcomings of the web facing applications, including testing for SQL injections.

DURING THE ATTACK
When an organisation is under attack, a number of solutions could have prevented an attack similar to TalkTalk’s. 

Administrative Rights
It is often said that 100% of attacks have used administrative rights.  There are Privileged Access Management solutions, which will safeguard the administrative accounts, and will offer full traceability of which administrator has done what.  A typical attack will either use administrative credentials they have gained, or to elevate the administrative privileges of a normal user.

Protection from DDoS
A DDoS (Distributed Denial of Service) is normally used by a malicious attacker to take a web presence offline, making a web service inaccessible.  In the case of TalkTalk’s attack, it was use to cloak the underlying attack.  A hybrid DDoS mitigation solution could have prevented such an attack.

Intrusion Detection
There are Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) which is used to detect and identify malicious activity on the network, then try to block or stop that traffic, and report back.  These are available as standalone solutions or as part of a UTM (Unified Threat Management) or Next-Generation Firewall solution.  Sometimes the early warning of an attack can help prevent the loss from being so great.

Data Exfiltration
The data will need to be taken for a breach to have occurred, so a DLP (Data Loss Prevention) solution will monitor the vectors from which data can leave, such as web, email, USB, screenshots, printers, etc and if the monitored data leaves in an atypical fashion, it will be quarantined and administrators alerted.  

AFTER THE ATTACK
After the compromise, what options are available?

Logs & Forensics
Post attack, it’s important to know what has been lost and preventing it from happening again.  A SIEM (Security Information & Event Management) solution would be able to aggregate the logs from the various components of the network, and apply a level of intelligence to the data.  Some will be able to carry out a forensic analysis on the logs.

Understanding the attack will allow a more effective remediation plan to be created.

What now TalkTalk?
Reading the press following the TalkTalk attack, there is no understanding to the significance of the data loss.  Although there is no demand to encrypt the data, it doesn't mean that the information of your customers should not have been encrypted.

As a minimum, by pentesting the application to prevent the vulnerability, and encrypting the data so it's useless to the attacker, would have prevented TalkTalk from the media attention. 

There is a call for the government to do more to prevent the cyber-attacks, but as highlighted here the technologies are available to help prevent, gain visibility or slow down the attack.  The onus should not be on governments to protect the customer’s data, it should be the service provider.

Tuesday, 20 October 2015

"Hunted" - Technology View [Link - MTI Bytes]

A piece I wrote has been edited and used on the work blog: http://www.mtibytes.com/post/Hunted-A-technology-view

===================================

Channel 4’s new reality show Hunted has gripped my attention since the first episode launched 6 weeks ago.  I'm particularly surprised by the amount of surveillance there is in the UK, allowing people to be traced or ‘hunted’ using data from mobile phone and ATM usage, number plate recognition, and CCTV footage. What I've found more concerning however, is the oblivious nature of the contestants to the digital footprint they are leaving, not dissimilar to the naivety of employees when it comes to safeguarding corporate data.

So, in a world driven by technology, how do you protect your personal and corporate digital footprint?

1. Manage your devices
Gone are the days of owning one mobile device, we live in a society where people juggle a plethora of devices at any given time. The mobile phone in particular has become the hub of many people’s lives; 66 per cent of people now own a smartphone. In a short period of time the mobile phone has evolved to support all work and personal activity from sharing files to tracking fitness goals, as well as still holding its primary function of making calls.

Ensuring your device is backed up regularly, is one way to manage its contents and protects it against damage or thief. Backing up the device’s applications and data to a public cloud service safeguards contents but also adds an additional layer of security to your data.

2. Password protect
Irrespective of the abundance of recent security hacks, the show brings attention to the amount of people that still don’t have any security on their devices. Without any security measures, others can immediately access the device as well as personal and corporate data. Securing accounts with a password is an essential step to protecting data.

Using complex and different passwords across various accounts and devices also tightens security. Where possible, a two-step verification or authentication is preferable.

Applications such as KeePass can help remember any complex passwords you have.

3. Control browser history
If Internet anonymity is important, tools like the TOR network provide users with ability to hide identity and usage. Internet performance and connectivity can be affected by products such as TOR, therefore consider if the perceived cost of your history is worth it.

Browsers can also be set to delete search either automatically or manually, as the search history is automatically cached.  Most browsers have a secret search feature, whereby the history is not stored and neither are cookies. The issue with cookies is that the information is read by other services, often to advertise to. Remember, Internet history will never truly be private, as ISP will track sites visited.

4. Information control
The revelation of social media is leading to a generation of over-sharers. Think about the information you want on the Internet. Imagine what could happen if an unscrupulous person had access to your private information and what they could do with that information? Sharing information you may use for added security protection such as pet names etc. invites security threat.

It is essential to have prevention tools in place to control your digital footprint and to stop yourself from being ‘hunted’.

Thursday, 15 October 2015

Another week, another data leak [Link - MTI Bytes]

Another piece I wrote for the work blog: http://www.mtibytes.com/post/Another-week-another-data-leak

==================
San Francisco-based crowdfunding platform, Patreon, is the latest casualty in a series of recent data breaches. The incident has seen hackers download and leak a 15GB user database containing names, addresses, email addresses and donation information. So far, the hack has exposed 2.3 million users and their personal data, with the exception of credit card details, passwords, social security numbers and tax information.

In response to the hack, Patreon Founder Jack Conte wrote:

“There was unauthorised access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key.”

The question arises: how can you protect certain data?

Importance of encryption

Due to Patreon safely encrypting the information using a 2048-bit RSA key, hackers have been unable to access or leak users’ passwords, social security numbers and tax information.

In other words, Patreon protect key information via a multi-level password scheme called ‘bcrypt’.  The key benefit of ‘bcrypt’ is that it is irreversible, which means it cannot be “decrypted”. In Patreon’s case, the failure of the company to store plaintext passwords explains why the hackers could access only certain types of information.

As a result of Patreon using ‘bcyrpt’, an added layer of security protects the information, enabling passwords and credit card details to remain safe despite the hack. This additional security minimises the damage of the hack by securely protecting the most valuable information – the credit card details of millions of users.

Protect the test environment

The belief is that a publicly available debug version of the Patreon website led to the Patreon hack. Essentially, some of the site remained open, as part of a test environment, rather than behind a firewall.

Patreon’s data compromise highlights that test environments exposed to the Internet are just as important as their live counterparts. Security therefore needs to be tight, even on test sites. Web application firewalls and Data Loss Protection (DLP) solutions can help prevent data from leaving the site, ensuring that it is kept secure and is often the first line of defense for any company.

While the Patreon hack is undeniably a terrible breach of security, the company’s use of ‘bcrypt’ is helping to contain the damage, and highlights to other businesses the importance of good security practice.

Wednesday, 7 October 2015

How to minimise the risks of LinkedIn - The Hackers Research Tool [Link - SC Magazine]

I'm very proud the article I wrote was used by SC Magazine.

http://www.scmagazineuk.com/how-to-minimise-the-risks-of-linkedin--the-hackers-research-tool/article/443248/

===============

Staff need ongoing training in defending against the latest threats - which currently includes LinkedIn says Andrew Tang, service director, security at MTI Technology

LinkedIn, the social media platform, is proving to be a very useful networking tool for business professionals, with a growing database of approximately 380 million users worldwide. The site encourages members to freely share their CV, not just with their network but publically online.

It is also becoming an attractive platform for organised crime gangs.  Recently, there have been several cases where hackers have used information gathered from LinkedIn to plan targeted attacks on companies.

Hackers have been found posing as large corporations on the site to entice unsuspecting executives to divulge useful information. Sometimes the hackers don't even need to lure victims by posing as large corporations, they can gather enough personal information from public profiles to scam money or access sensitive corporate data.

These forms of attacks are proving to be a headache for security professionals. Despite having the best tools and processes in place, it is particularly hard to protect information that sits outside of the company network. It can also take months or even years to find the leak.

Risky business

Most employees are now well aware of the security risks associated with revealing too much personal information on social media sites such as Facebook. However, they often don't realise that revealing corporate information on LinkedIn can be equally risky to businesses.

LinkedIn pages can provide a considerable level of detail to potential cyber attackers: names, job titles, email addresses, partnering organisations, upcoming projects, and even hobbies and interests. At first glance, this information might seem relatively trivial but it can form part of the ‘cyber kill chain' and lead to malicious attacks.

LinkedIn informs the ‘plan of attack'. Employee and company profile pages can help hackers identify a target; source the names of executives and department heads; learn the email structure; as well as the names of affiliated companies. This leaves organisations vulnerable to a range of cyber-attacks including spear phishing.

Human error

Most worryingly perhaps, this issue isn't one that can be simply remedied with protective software. No technical solution can prevent an attacker from conducting an Internet search.

LinkedIn and other social media profiles are often among the first to appear in a list of search engine hits. Once the attacker has deployed the malicious software, cajoled an employee and gained remote access, the key goal is theft, whether the gain is more information, financial or data theft.

Education is the answer

As our virtual presence continues to grow, organisations need to make all employees aware of the potential risks of company details falling into the wrong hands. In order to mitigate the risks of social media sites, without blocking them, which will only frustrate employees, organisations must establish a clear security policy.

To safeguard company information and data, enterprises should educate employees about attending more closely to what they wish to make visible to whom.

If employees are informed then they are far more likely to be consciously aware of the risks as they go about their daily duties and knowing the rational, they are less likely to breach the policy.

The world of IT and security is certainly not static and training should not be a one off activity for new employees. Organisations should consider a continuing programme of education, updating the employees on new threats and breaches on a regular basis.

As more of our private lives are made public and readily available on the Internet, education becomes the vital component.