Tuesday, 20 October 2015

"Hunted" - Technology View [Link - MTI Bytes]

A piece I wrote has been edited and used on the work blog: http://www.mtibytes.com/post/Hunted-A-technology-view

===================================

Channel 4’s new reality show Hunted has gripped my attention since the first episode launched 6 weeks ago. I'm particularly surprised by the amount of surveillance there is in the UK, allowing people to be traced or ‘hunted’ using data from mobile phone and ATM usage, number plate recognition, and CCTV footage. What I've found more concerning, however, is how oblivious the contestants are to the digital footprint they are leaving, not dissimilar to the naivety of employees when it comes to safeguarding corporate data.

So, in a world driven by technology, how do you protect your personal and corporate digital footprint?

1. Manage your devices
Gone are the days of owning one mobile device; we live in a society where people juggle a plethora of devices at any given time. The mobile phone in particular has become the hub of many people’s lives; 66 per cent of people now own a smartphone. In a short period of time the mobile phone has evolved to support all work and personal activity, from sharing files to tracking fitness goals, while still holding its primary function of making calls.

Ensuring your device is backed up regularly is one way to manage its contents and protect them against damage or theft. Backing up the device’s applications and data to a public cloud service safeguards the contents and adds an additional layer of security to your data.

2. Password protect
Despite the abundance of recent security hacks, the show draws attention to the number of people that still don’t have any security on their devices. Without any security measures, others can immediately access the device as well as the personal and corporate data on it. Securing accounts with a password is an essential step to protecting data.

Using complex and different passwords across various accounts and devices also tightens security. Where possible, a two-step verification or authentication is preferable.

Applications such as KeePass can help remember any complex passwords you have.

3. Control browser history
If Internet anonymity is important, tools like the TOR network give users the ability to hide their identity and usage. Internet performance and connectivity can be affected by products such as TOR, so consider whether keeping your history private is worth that cost.

Browsers can also be set to delete search history either automatically or manually, as the search history is cached automatically. Most browsers have a private or ‘secret’ browsing feature, whereby the history is not stored and neither are cookies. The issue with cookies is that the information in them is read by other services, often to target advertising. Remember, Internet history will never truly be private, as your ISP will track the sites visited.

4. Information control
The social media revolution is leading to a generation of over-sharers. Think about the information you want on the Internet. Imagine what could happen if an unscrupulous person had access to your private information, and what they could do with it. Sharing information you may use for added security protection, such as pet names, invites security threats.

It is essential to have prevention tools in place to control your digital footprint and to stop yourself from being ‘hunted’.

Thursday, 15 October 2015

Another week, another data leak [Link - MTI Bytes]

Another piece I wrote for the work blog: http://www.mtibytes.com/post/Another-week-another-data-leak

==================
San Francisco-based crowdfunding platform, Patreon, is the latest casualty in a series of recent data breaches. The incident has seen hackers download and leak a 15GB user database containing names, addresses, email addresses and donation information. So far, the hack has exposed 2.3 million users and their personal data, with the exception of credit card details, passwords, social security numbers and tax information.

In response to the hack, Patreon Founder Jack Conte wrote:

“There was unauthorised access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key.”

The question arises: how can you protect certain data?

Importance of encryption

Due to Patreon safely encrypting the information using a 2048-bit RSA key, hackers have been unable to access or leak users’ passwords, social security numbers and tax information.

In other words, Patreon protects key information via a multi-level password scheme called ‘bcrypt’. The key benefit of ‘bcrypt’ is that it is irreversible, which means it cannot be “decrypted”. In Patreon’s case, the company’s decision not to store plaintext passwords explains why the hackers could access only certain types of information.

As a result of Patreon using ‘bcrypt’, an added layer of security protects the information, enabling passwords and credit card details to remain safe despite the hack. This additional security minimises the damage of the hack by securely protecting the most valuable information – the credit card details of millions of users.
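As an added illustration (not from the original post or from Patreon), the following Python shows why a hashed password store survives a database dump in a way a plaintext one does not. bcrypt is a third-party package in Python, so the example uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in with the same properties the article relies on (one-way, salted per user, deliberately slow); the user names and passwords are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Stand-in parameters. bcrypt itself is a third-party package in Python, so this
# example uses PBKDF2-HMAC-SHA256 from the standard library; the property the
# article relies on is the same: one-way, salted per user, deliberately slow.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000      # work factor: raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    Nothing in the record lets anyone recover the password; the only way to
    check a guess is to recompute the slow digest with the stored salt.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or foreign record: refuse rather than crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# Constructed sample: two users who happen to share a password.
SAMPLE_USERS = {"alice": "correct horse battery", "bob": "correct horse battery"}


def build_user_table(hashed: bool) -> Dict[str, str]:
    """Model the two storage policies: plaintext (the leak IS the password
    list) versus hashed records."""
    if not hashed:
        return dict(SAMPLE_USERS)
    return {name: hash_password(pw) for name, pw in SAMPLE_USERS.items()}


def records_contain_password(table: Dict[str, str]) -> bool:
    """True when a user's real password appears verbatim in what a dump exposes."""
    return any(SAMPLE_USERS[name] in record for name, record in table.items())


def records_reveal_shared_password(table: Dict[str, str]) -> bool:
    """True when two stored records are byte-identical. Plaintext storage leaks
    that alice and bob reuse a password; per-user salts make hashed records differ."""
    values = list(table.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    for policy in (False, True):
        table = build_user_table(hashed=policy)
        print("hashed" if policy else "plaintext",
              "| password visible:", records_contain_password(table),
              "| reuse visible:", records_reveal_shared_password(table))
    record = hash_password("correct horse battery")
    print("right password accepted:", verify_password("correct horse battery", record))
    print("wrong password accepted:", verify_password("Correct horse battery", record))
```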

Protect the test environment

The belief is that a publicly available debug version of the Patreon website led to the Patreon hack. Essentially, some of the site remained open, as part of a test environment, rather than behind a firewall.

Patreon’s data compromise highlights that test environments exposed to the Internet are just as important as their live counterparts. Security therefore needs to be tight, even on test sites. Web application firewalls and Data Loss Protection (DLP) solutions can help prevent data from leaving the site and keep it secure; they are often the first line of defence for any company.

While the Patreon hack is undeniably a terrible breach of security, the company’s use of ‘bcrypt’ is helping to contain the damage, and highlights to other businesses the importance of good security practice.

Wednesday, 7 October 2015

How to minimise the risks of LinkedIn - The Hackers Research Tool [Link - SC Magazine]

I'm very proud the article I wrote was used by SC Magazine.

http://www.scmagazineuk.com/how-to-minimise-the-risks-of-linkedin--the-hackers-research-tool/article/443248/

===============

Staff need ongoing training in defending against the latest threats - which currently include LinkedIn, says Andrew Tang, service director, security at MTI Technology

LinkedIn, the social media platform, is proving to be a very useful networking tool for business professionals, with a growing database of approximately 380 million users worldwide. The site encourages members to freely share their CV, not just with their network but publicly online.

It is also becoming an attractive platform for organised crime gangs.  Recently, there have been several cases where hackers have used information gathered from LinkedIn to plan targeted attacks on companies.

Hackers have been found posing as large corporations on the site to entice unsuspecting executives to divulge useful information. Sometimes the hackers don't even need to lure victims by posing as large corporations; they can gather enough personal information from public profiles to scam money or access sensitive corporate data.

These forms of attacks are proving to be a headache for security professionals. Despite having the best tools and processes in place, it is particularly hard to protect information that sits outside of the company network. It can also take months or even years to find the leak.

Risky business

Most employees are now well aware of the security risks associated with revealing too much personal information on social media sites such as Facebook. However, they often don't realise that revealing corporate information on LinkedIn can be equally risky to businesses.

LinkedIn pages can provide a considerable level of detail to potential cyber attackers: names, job titles, email addresses, partnering organisations, upcoming projects, and even hobbies and interests. At first glance, this information might seem relatively trivial but it can form part of the ‘cyber kill chain' and lead to malicious attacks.

LinkedIn informs the ‘plan of attack'. Employee and company profile pages can help hackers identify a target; source the names of executives and department heads; learn the email structure; as well as the names of affiliated companies. This leaves organisations vulnerable to a range of cyber-attacks including spear phishing.

Human error

Most worryingly perhaps, this issue isn't one that can be simply remedied with protective software. No technical solution can prevent an attacker from conducting an Internet search.

LinkedIn and other social media profiles are often among the first to appear in a list of search engine hits. Once the attacker has deployed the malicious software, cajoled an employee and gained remote access, the key goal is theft, whether of more information, money or data.

Education is the answer

As our virtual presence continues to grow, organisations need to make all employees aware of the potential risks of company details falling into the wrong hands. To mitigate the risks of social media sites without blocking them, which would only frustrate employees, organisations must establish a clear security policy.

To safeguard company information and data, enterprises should educate employees about attending more closely to what they wish to make visible to whom.

If employees are informed, they are far more likely to be consciously aware of the risks as they go about their daily duties, and knowing the rationale, they are less likely to breach the policy.

The world of IT and security is certainly not static and training should not be a one off activity for new employees. Organisations should consider a continuing programme of education, updating the employees on new threats and breaches on a regular basis.

As more of our private lives are made public and readily available on the Internet, education becomes the vital component.

Wednesday, 30 September 2015

“Hunted” - A technology view

How many of you have been watching Hunted on Channel 4? I have been an avid viewer since the first episode and have to say it was an eye opener. I was surprised how much surveillance there is in the UK, allowing people to be traced by mobile phone and ATM usage, number plate recognition and CCTV footage, but more concerning was the digital footprint people were leaving, where every step could be traced.

Mobile 
The mobile phone has become the hub of many people’s lives. In a short period of time it has gone from being a device to make calls, which could then send text messages and play Snake, to being the hub of all communications: work email, personal email, social media, text and picture messages, video calls, tracking our movements for fitness, our music, video and photograph repositories, and we sometimes even use them for telephone calls!

I know that if I misplace my mobile phone I’m at a loss, but that’s probably the subject of another blog post. In the show, they talk about phone tapping and triangulation, but more concerning was how people didn’t have any security on their devices, allowing immediate access to the device.

Smartphones are lost or damaged on a seemingly regular basis, but thankfully there is the option to back up the device’s applications and data to a public cloud service. This functionality is offered by the main operating system providers, such as Google, Apple and Microsoft, as well as manufacturers such as HTC. This can only be a good thing, except that anyone who has your password can restore the backup. This would give them access to text messages, browser history, and other private and sensitive information.

Email
Unless you are paranoid or technical, you probably have a web based email account provided by Google, Microsoft, Yahoo, etc., as the convenience of a web based email account outweighs any benefits of running your own mail server for your own domain.

Internet based services are easy to reach and offer convenience, but that also means you are open to having your account compromised by a hacker. On the show, access to one email account was gained immediately because the password had been saved by the browser.

A recent episode showed the use of a phishing attack, where a seemingly legitimate email was sent with a link, which led to a website asking for a password. As most people use the same password for multiple websites, capturing one password can open access to many online accounts.

Google searches
In the show, internet searches were used to discover what the user was researching prior to being hunted.

I’ve never been worried about what I’ve been searching for on the internet, but if you are, there are privacy features offered by the major browsers. Although this will mean that your searches are not cached and no cookies will be stored, the search provider and the ISP (Internet Service Provider) you’re using will still know, as they have to deliver the service.

If Internet anonymity is important, then using tools like the TOR network, with its software and thousands of routers, gives you the ability to hide your identity and usage. This can be great for privacy, but can be a threat to national security.

Social media
The internet revolution that is social media has allowed us to find our friends and share information. For people to find you, you have to place a certain amount of information on the internet, but many people over share, leaving a lot of information about themselves online.

The researchers on the show used internet searches to see what they could find about the subject. When that wasn't enough they also used the users' devices for access to social media accounts, where again passwords were either saved by the browser or written down on a piece of paper nearby.

Location Services
Allowing your apps to use location information improves the app experience. One of the primary uses is mapping, allowing the device to be located on a map. It’s not commonly known that location services are typically switched on for a mobile phone camera. This has a use if you are taking a photograph to share on social media, telling everyone where the photograph was taken. The downside is that the properties of the photograph show the location, which may not be desirable if you don’t want people knowing where the photograph was taken.

I haven’t seen this used on the show, but it would have been useful in locating people beyond the mobile phone triangulation and number plate recognition.

Protecting Mobile Devices 
Smartphones are ubiquitous, and they are incredibly powerful devices to have in our pockets. I met someone recently who didn't trust smartphones so has a non-smart mobile phone. There are some simple measures that can be used to protect the device.

Create a PIN or password for the device. Yes, it can be a pain to have one, but it’s protecting the device and its contents. You will be able to set the device to wipe itself if the wrong PIN/password is entered a number of times.

Ensure your device is backed up regularly, so even if the device is lost or stolen, the data won’t be. This cloud storage and cloud backup account must have a strong password, and there is often the option to use two-step verification, where a code is sent via SMS to the registered mobile device. If it’s too easy for you to access the account, it’s too easy for a hacker to access it as well.

Protecting Email 
Sounds like simple advice, but it is harder to execute. Use different complex passwords for each of your online accounts, don’t allow your browser to remember the passwords, and switch on two-step or two-factor authentication where possible.

There are applications to help remember the complex passwords, but a popular one, KeePass was recently discovered to have a security flaw.  Just don't write down your passwords and certainly don't keep them next to your computer or tablet!

As ever, ensure the sites asking for your passwords are legitimate sites, and simply delete anything that looks “fishy”!

Protecting Browser History 
Browsers can be set to delete search history either automatically or manually, as the search history is cached automatically. Most browsers will have a private or ‘secret’ browsing feature, where the history is not stored and neither are cookies, which are typically created when visiting a website. The issue with cookies is that they can be read by other services. For example, if you search for a computer game, you will see advertisements for that game on subsequent websites. This information is stored in a cookie and read by advertising services. Keep in mind that the sites you visit will be tracked by the ISP delivering the content, so your Internet history will never truly be private.

TOR can provide anonymity to the user, but the traffic and content can be seen at the exit node, and performance can be poor due to the bandwidth available. It certainly won't offer the media and feature rich Internet experience we've come to expect. If you have something to hide, TOR may be the way forward, but the sacrifice may not be worth it.

Protecting Social Media
Think about what information you want about you out on the internet. Imagine if anyone could have full access to your profile: what could an unscrupulous person do with that information? Is your password made up of your favourite team, band, child’s name, mother’s maiden name, pet’s name, etc.? Then think: is that information on your public profile? Set privacy settings to ensure only the people you want can see the information you want them to.

Protecting Location Information
If you need to hide your location but want to use social media, check whether location services are enabled on your applications, especially your mobile/tablet apps. Check the settings for your camera as well. Even if location services are switched off for social media, the properties of the photograph can still contain the location where it was taken, if the feature has not been disabled on the camera.
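As an added example, not code from the original post, here is a small pure-Python check for the location data the Location Services sections above warn about: it reads the GPS latitude and longitude from a JPEG's EXIF metadata, and can strip the EXIF segment before a photo is shared. The JPEG is constructed inline from a minimal TIFF/EXIF structure so the example runs offline; the coordinates are made-up sample values.

```python
import struct
from typing import Optional, Tuple

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT = 0x0001, 0x0002     # hemisphere letter, then deg/min/sec RATIONALs
TAG_LON_REF, TAG_LON = 0x0003, 0x0004

def _segments(jpeg: bytes):
    """Yield (offset, marker, length) for every marker segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFDA:              # SOS: image data follows, no more metadata
            break
        yield pos, marker, length         # length covers itself and the body, not the marker
        pos += 2 + length

def _exif_tiff(jpeg: bytes) -> Optional[bytes]:
    """Return the TIFF-structured payload of the APP1/Exif segment, if there is one."""
    for pos, marker, length in _segments(jpeg):
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xFFE1 and body.startswith(EXIF_HEADER):
            return body[len(EXIF_HEADER):]
    return None

def _read_ifd(tiff: bytes, offset: int, e: str) -> dict:
    """Parse one IFD into {tag: (type, count, raw 4-byte value-or-offset)}."""
    (n,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[at:at + 8])
        entries[tag] = (typ, count, tiff[at + 8:at + 12])
    return entries

def _dms(tiff: bytes, e: str, raw: bytes, ref_raw: bytes, negative: str) -> float:
    """Three EXIF RATIONALs (deg, min, sec) plus a hemisphere letter -> signed decimal degrees."""
    (off,) = struct.unpack(e + "I", raw)
    r = struct.unpack(e + "6I", tiff[off:off + 24])
    deg = r[0] / r[1] + r[2] / r[3] / 60 + r[4] / r[5] / 3600
    return -deg if ref_raw[:1].decode("ascii") == negative else deg

def extract_gps(jpeg: bytes) -> Optional[Tuple[float, float]]:
    """Return (latitude, longitude) recorded in the photo, or None if there is none."""
    tiff = _exif_tiff(jpeg)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"          # byte order declared by the TIFF header
    (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, e)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])
    gps = _read_ifd(tiff, gps_off, e)
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    lat = _dms(tiff, e, gps[TAG_LAT][2], gps[TAG_LAT_REF][2], "S")
    lon = _dms(tiff, e, gps[TAG_LON][2], gps[TAG_LON_REF][2], "W")
    return round(lat, 6), round(lon, 6)

def strip_exif(jpeg: bytes) -> bytes:
    """Drop every APP1/Exif segment; everything else is copied byte for byte."""
    out, end = bytearray(jpeg[:2]), 2
    for pos, marker, length in _segments(jpeg):
        end = pos + 2 + length
        seg = jpeg[pos:end]
        if not (marker == 0xFFE1 and seg[4:].startswith(EXIF_HEADER)):
            out += seg
    return bytes(out) + jpeg[end:]                 # image data (or the EOI marker) unchanged

def build_sample_jpeg() -> bytes:
    """Constructed test photo (SOI, one APP1/Exif segment with a GPS IFD, EOI).
    Made-up coordinates: 51 deg 30' 26.00" N, 0 deg 7' 39.00" W."""
    e = "<"                                        # little-endian TIFF ("II")
    gps_ifd_off = 8 + 2 + 12 + 4                   # IFD0 holds exactly one entry
    data_off = gps_ifd_off + 2 + 4 * 12 + 4        # the RATIONALs follow the GPS IFD
    ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHII", TAG_GPS_IFD, 4, 1, gps_ifd_off)
    gps = struct.pack(e + "H", 4)
    gps += struct.pack(e + "HHI4s", TAG_LAT_REF, 2, 2, b"N")      # ASCII fits inline
    gps += struct.pack(e + "HHII", TAG_LAT, 5, 3, data_off)       # 3 RATIONALs via offset
    gps += struct.pack(e + "HHI4s", TAG_LON_REF, 2, 2, b"W")
    gps += struct.pack(e + "HHII", TAG_LON, 5, 3, data_off + 24)
    rationals = struct.pack(e + "12I", 51, 1, 30, 1, 2600, 100, 0, 1, 7, 1, 3900, 100)
    tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + b"\x00" * 4 + gps + b"\x00" * 4 + rationals
    body = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

On a real file, `extract_gps(open("photo.jpg", "rb").read())` reports the embedded position or None, and `strip_exif` gives the bytes to share instead.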

Hunted?
If you are really being hunted, then this is only basic advice, but much like the IT security adage, “It’s not if, but when you’re hacked”, it may well be; it’s not if they find you, but when!

Monday, 28 September 2015

LinkedIn – the hacker’s research tool [Link - MTI Bytes]

Here is a repost of a piece I wrote for our work blog: http://www.mtibytes.com/post/LinkedIn-the-hackers-research-tool

=================

As of July 2015, LinkedIn has approximately 380 million users worldwide, a number that is continuing to grow. The social media platform is very useful for networking in the business world. It invites users to share their online CV with other industry professionals and establish contacts, publish industry commentary, and research potential employers or candidates.

Reconnaissance
The security risks of sharing personal details on other social media platforms like Facebook have been well documented, but for enterprises, LinkedIn can be equally dangerous. LinkedIn pages can provide a considerable level of detail to potential cyber attackers: names, job titles, email addresses, partnering organisations, upcoming projects, and even hobbies and interests. At first glance, this information might seem relatively trivial, but it forms part of the ‘cyber kill chain’ and can lead to malicious attacks.

For hackers, LinkedIn can inform the ‘plan of attack’. Employee and company profile pages can help hackers identify a target, source the names of executives and department heads, learn the email structure, and discover the names of affiliated companies.

This leaves organisations vulnerable to a range of cyber attacks. One example is spear phishing: a targeted person receives an email inviting them to access a link, which initiates the installation of malicious software.

Socially engineered access
Emails from known sources (a colleague, for example) and information about hobbies, can instill confidence in the targeted individuals, making them more likely to click on the link.

The name drop of the company CEO could create a false air of familiarity, which might spur someone to act hastily and neglect to follow the correct channels. It’s not hard to imagine that an IT helpdesk might grant a ‘known employee’ remote access in response to a pleading call or email to finish time-sensitive work on a Friday afternoon.

This might provide the hacker with the name, job title, and email address of a company employee, all of which are readily accessible on LinkedIn. In return, he stands to make financial gains, steal data, or simply obtain secure company information.

Human error
Most worryingly, perhaps, this issue isn’t one that can be simply remedied with protective software. No technical solution can prevent an attacker from conducting an Internet search. LinkedIn and other social media profiles are often among the first to appear in a list of search engine hits. Once the attacker has deployed the malicious software, cajoled an employee, or gained remote access, the key goal is theft, whether of more information, money or data.

Education is the answer
As our virtual presence continues to grow, there needs to be more awareness inside organisations about the potential risks of basic company details falling into the wrong hands. To safeguard company information and data, enterprises should attend more closely to what they wish to make visible to whom.

As more of our private lives are made public and readily available on the Internet, education becomes the vital component. Organisations should be looking to provide this level of training to all employees, or risk the consequences.

Monday, 7 September 2015

Multi-factor authentication – a smart approach to IT security [Link - MTI Bytes]

Here is a repost of a piece I wrote for our work blog: http://www.mtibytes.com/post/Multi-factor-authentication-a-smart-approach-to-IT-security

=================

Last week, I wrote about the need for businesses to rethink the use of secret questions as a security measure. The Web and social media create a goldmine of user information, which astute hackers can access to answer security questions.

So, what is a preferable alternative for proving a user’s identity? One of the more effective methods is multi-factor authentication.

What is multi-factor authentication? 

Multi-factor authentication is a security system that requires two or more independent credentials to verify a user’s identity.

A user might, for example, be required to provide information that they already know, such as a username, password or PIN. Combined with this, they may be asked to provide information given to them from a token or device – a passcode sent via SMS to a known mobile phone, for instance.

Other authentication methods rely on something about the user themselves or on where the user is located, through measures such as biometrics, iris scans, fingerprint readers and geo-location.

A combination of any of these methods results in multi-factor authentication. It is currently widely used for personal services such as email and banking. And in the US, there have been calls for the method to be issued directly for all forms of Internet banking; such is the confidence in this form of security.

What are the benefits of multi-factor authentication? 

1. Proof and compliance 

With multiple authentication methods in place, it becomes more difficult for hackers to access the service or website. It also makes it harder to deny an action.

For example, many online banking systems use a combination of passwords, PINs, tokens, SMS and unique codes, to ensure transactions are genuine. By using multi-factor authentication, banks can tie their compliance processes to specific users so the actions cannot be denied.

2. Protection can be free 

Service providers such as Apple's iCloud, Gmail, eBay and Facebook have options to switch on a two-step verification process. If a user tries to log in from a new device, browser or different country, they will be prompted to enter a code sent to their registered mobile phone number. The security is there and it is free in many cases!
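The server side of the two-step verification flow just described, as an added example that is not code from the original post or from any of the providers named: a one-time code is issued only after the password check passes, expires, works exactly once, and is burned after a few wrong guesses. Delivering the code by SMS is out of scope, and the clock is injectable so expiry can be exercised.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # an SMS code stays valid for five minutes
MAX_ATTEMPTS = 3         # then the code is burned and a fresh one must be issued


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class SecondFactor:
    """Server-side state for the one-time-code step. Delivering the code to the
    registered phone is out of scope; the clock is injectable so expiry is testable."""
    pending: Dict[str, PendingCode] = field(default_factory=dict)
    clock: Callable[[], float] = time.time

    def issue(self, username: str) -> str:
        """Create a fresh code for this login attempt, replacing any earlier one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[username] = PendingCode(code, self.clock())
        return code   # handed to the SMS gateway, never echoed back to the browser

    def verify(self, username: str, submitted: str) -> bool:
        """Accept a code once; expired, already used or over-guessed codes all fail."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[username]
            return False
        entry.attempts += 1
        ok = submitted.isascii() and hmac.compare_digest(entry.code, submitted)
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[username]        # single use; also burn after too many guesses
        return ok


def begin_login(password_ok: bool, second: SecondFactor, username: str) -> Optional[str]:
    """Step one: only a correct password earns a one-time code. Returns the code
    for the SMS gateway, or None when the first factor failed."""
    if not password_ok:
        return None
    return second.issue(username)
```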

3. Cloud support

As more cloud-based applications like Salesforce and Microsoft Office 365 enter the workplace, security will become a more complex concern for IT decision-makers. Multi-factor authentication has a critical role to play in addressing some of these concerns. In fact, there are already products available, such as SAML, which offer multi-factor authentication and are designed specifically to support cloud applications.

What are you waiting for? 

Multi-factor authentication presents a very clear upgrade from the simple security question method. The shift to a multi-factor authentication method will add an extra layer of protection against security breaches.

Friday, 4 September 2015

4 simple tips for bolstering your business’ security [Link - MTI Bytes]

Here is a repost of a piece I wrote for our work blog: http://www.mtibytes.com/post/4-simple-tips-for-bolstering-your-business-security

=================

High-profile breaches continue to dominate the news agenda. Stories of compromises to email systems, retail outlets, Internet auction sites and Apple's iCloud service show no online service is safe from hackers.

Many of these incidents are the result of accounts being far too easily accessible to hackers. Nowadays, these types of hacks are commonplace, and they will likely increase as social media uptake grows further. The more that users share personal information online, the more insecure security questions will become.

There are several issues associated with security question authentication that all businesses should address, through educating employees, as well as reviewing current security protocols and processes.

1. Avoid simple passwords

Despite repeated warnings from the IT industry, the most commonly used passwords in 2014 were ‘123456’ and ‘password’!  With the use of relatively simple passwords, IT security can be compromised within seconds using a dictionary attack.

2. Secret questions aren't so secret

On the surface, a personal security question may seem like a secure way to reset a password. However, what is often overlooked is the huge volume of personal information accessible via the Internet.

Consider, for example, the amount of information that Facebook alone archives about a user’s personal relationships, education, location, employment history and interests. Once a user’s information is out there, there is no way to control, edit or delete it.

A great example of this is the Paris Hilton phone-hacking scandal of 2005. In that case, the T-Mobile Sidekick device had an internet-facing dashboard. To recover their password, users had to answer security questions, including their date of birth and pet’s name. In reality, all of Paris’ security questions could be answered via an Internet search engine!

3. Mix it up

There is always a balance between usability and complexity. We encourage people to use a mixture of upper and lower case letters, special characters and numbers. In reality, this usually results in more password resets, as complex passwords are easier to forget.

4. Be streetwise – does it seem phishy?

Users often receive emails that appear to be from their service provider. The email will stipulate an issue with their account and require an immediate password reset, change or confirmation.

The user will enter their password and be presented with a failed message screen or a confirmation. If the hacker is especially clever, they will synchronise the password with the service provider, so that everything appears normal.

Even with strong and complex passwords, users can still be victims of phishing.  To prevent phishing attacks, users should always check the legitimacy of emails before opening them. If it seems fishy (excuse the pun), ignore it or delete it.

Moving beyond security passwords

Security passwords were once a relatively secure concept. That was until the proliferation of digital technologies and social media took full effect. As security solutions become more complex, the methods of authentication will need to follow suit. In the next blog post, we’ll discuss how multi-factor authentication may be the way forward.