Thursday 27 August 2015

Mumsnet In The Naughty Corner Again

Blogger: Hannah Doughty
Mumsnet has been targeted once again in a fresh sequence of attacks. The parenting site was recently hit by a series of cyber and swatting attacks, resulting in the reset of user passwords and the temporary shutdown of the site.
Justine Roberts, creator of the online network for parents, commented in an online post: “This attack was double the size of the previous one and was distributed across many servers but we have no reason to believe that any security breaches occurred, the intention was to take the site offline.”
On 19 August, new attacks on the site occurred after hackers obtained Mumsnet-related data from an ‘external system', and a hoax call was made to police claiming a bomb had been planted at premises in Highgate, believed to be the headquarters of Mumsnet. Another hoax call was made on 20 August, targeting a Mumsnet user. Armed officers were called to their home in Croydon over “the welfare of residents”.
Kane Hardy, VP of EMEA, Hexis Cyber Solutions commented, “The next step should include an in-depth analysis of how the attackers were able to execute the breach on hand and collect the necessary information to make efficient decisions on prevention of future similar incidences.”
Scotland Yard confirmed no suspects have been identified, although analysis will continue.
Roberts stated, “We are contracting external protection providers to help deal with future issues.”

Life is Short: Have an Incident Response Plan

Guest Blogger: Nick Prescot
Senior Information Security Manager at ZeroDayLab
Data breaches are the digital equivalent of car crashes: they happen every day and they are not getting reported because they are so common. That's because it's not news anymore; it's become part of daily life. Yet many of the companies that process the data of people, businesses etc. across the world are still thinking it won't happen to them, because someone in the IT department has said that it's secure, and that's ok. It's mainly because when the IT person speaks, the language is not in the realm of saving money or making money, and that's the last thing that someone in finance wants to hear.

I find it quite a repetitive stance from companies that I engage with that data security is an IT department problem, including from the IT security manager within the IT department. However, there isn't a department within a modern-day business that doesn't use a system. An incident is usually something to do with the availability of a system, not a loss/breach of data, and yet the two conduits are treated the same.

For nearly 10 years some institutions have taken a much more proactive approach, namely the payment card brands through PCI DSS, to ensure that their data (i.e. the data on the payment card) is secure and transacted in a secure manner. Whatever your thoughts on PCI DSS, it is actually a good data security standard and demonstrates a good level of security for the processing of the data. However, it's nearly 10 years since its inception and payment card breaches are still happening a lot.
However, when it comes to personally identifiable information (PII), the same level of due care and attention is not applied; the loss of personal data can have a much bigger impact on people's lives than the loss of payment data, in the form of identity theft. If you think about the Ashley Madison breach, yes it's hilarious that politicians and civil servants have put their preferences on there, but what about people from countries where adultery/homosexuality can be a criminal offence? What might be legal in one country in terms of storing and processing data, and the particulars around that data, may constitute a criminal offence in another country.

Securing that data isn't just an IT problem; it's a problem that is spread across every facet of the modern business. Anything that is associated with the company's domain name, whether it be Twitter or the website, needs to be part of the data security posture that any company employs. What happened with payment data will happen with personal data with the advent of new EU regulation in 2015. It's not here yet, but it makes the processing of data much more of a business issue in terms of fines and regulatory reporting.

Data security isn't an issue that's going to go away soon, or something that can be magically solved with a new shiny box that sits on top of the server. It goes deeper than that; it's the data that you process about people, companies, markets etc. The currency of this data isn't necessarily tangible at first sight, but in the wrong hands it can have a negative impact. In an article written by Edward Lucas for the Times this week (August 25th), he makes a very good point:
‘We need a wholesale and urgent cultural change in our attitude to online safety. The decisions we face are difficult, involving trade-offs between freedom and security, of the kind we already make in real-life matters, such as road safety and public health.’

The author of this article has put his point in a far more succinct manner than myself, but the key point is this: we live in a digital age, and information is the tradable and valuable currency that makes a lot of money for the likes of Google etc., but in the wrong hands it makes lots of money for the hacker and, as in the case of Ashley Madison, causes reputational harm for the end user.


The key aspect underpinning a business strategy to determine how much time, energy and effort needs to be spent on beefing up your security is to understand the value of your data, not from a PCI and/or regulatory point of view but in terms of the perceived damage to your business.
All too often, companies are ‘woo-ed and coo-ed’ by vendors that promise a one-stop solution that prevents a certain problem from occurring. It does to an extent, but there is also a people and process angle to the security posture as well. You need to have a person responsible and accountable for that new box, to make sure that the lights are on and that it's kept up to date and patched. Then you need to have a process so that if the main person is on holiday or decides to move on to pastures new, the configuration of the box stays the same.

Data breaches happen because there is a lack of technical and business security controls in place, or because there is a culture of complacency because a breach hasn't yet happened. I know from first-hand experience the culture within a business that has been breached and one that hasn't, and sadly the middle ground is not often seen (i.e. they haven't been breached but are in the mode of thinking that they have been).


As the Ashley Madison website bizarrely states, ‘make a plan, have an affair’; and until companies such as these have a solid and robust plan to secure the data they are holding, from a privacy and security perspective, personal infidelities will continue to be disclosed in ways never meant to happen.

More about Nick...contact me

'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab. Nick aims to assist companies who are looking to improve their cyber resilience and posture in the ever-ongoing battle against emerging and continuing cyber threats. By taking a detailed and holistic view of the client's policy and governance infrastructure, entwined with incorporating information assets within corporate risk registers, Nick is able to provide a clear strategy to the client so that their infosec operations and processes are aligned to industry practice.
Nick is also a seasoned incident response manager, and when there is a security and/or availability incident, Nick is able to ensure that the incident is remediated as soon as possible and to deploy the specialist response assets that can remediate the incident. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'

Monday 24 August 2015

Hackers Find Plenty of Fish in the Sea

Blogger: Hannah Doughty
Plenty of Fish is the latest dating site to come under attack, just days after the data of 37 million Ashley Madison users was leaked.
The malware attacking the Plenty of Fish site, known as Tinba, is spying malware that could have been downloaded quietly onto the user's computer. The malware is said to have been hidden in adverts and, unusually, can be smuggled onto a user's computer even though the user has not actually clicked on the advert.
Tinba can track every keystroke when a user is trying to access a bank account. When a bank account is accessed or card details are being entered on a website, Tinba starts to record and collect every keystroke.
Experts at Malwarebytes, a security firm which sells anti-virus software, found evidence of the hackers targeting Plenty of Fish's estimated 12 million members in the UK.

Jerome Segura, senior security researcher at Malwarebytes, said: ‘This type of attack does not require any user interaction. It does not matter if you haven’t browsed a dodgy site.'

Wednesday 19 August 2015

This Is a Very Serious Matter Everyone in this Reum is Under Suspicions

Nick Prescot - Blog contributor 

You can imagine the scene: you've had a hard week at work and there was a flurry of reports, calls, proposals, meetings and updates to the CRM to do over the last 5 days. Along with this, the post-work drink and, out of the corner of your eye, a constant glance to ensure that you are not in the midst of a domestic ‘Defcon 1’ because your partner assumed that you'd be back for dinner; the excuse of the train running late has long expired as she's looking at the train timetables just as much as you…so back to the scenario…

The vin rosé is chilled, the semi-burnt burger is ensconced in the brioche bap and the question is popped, ‘so what do you do?’; the answer, ‘I work for an ethical hacking company.’ There is always that momentary pause and then a sudden realisation that I am not a lawyer/accountant/banker/estate agent but something different (and no, not an inspecteur de police). Then, whilst the wine is in full flow and there is a rapport built, there comes the second wave of questioning…

‘Can you hack into people's phones and see what they are doing?’ My usual reply is, ‘Yes, we can, but you need to be the owner of the phone, and also if there is anyone else's personal data on there, you could be in breach of the Data Protection Act as they haven't given their consent to access it.’ Usually that stops the conversation there, as I'm going into techno gobbledegook and you can see the whites of the eyeballs roll slowly into the back of their heads.

But I have heard some corkers that have made me wonder what people perceive is an acceptable course of action to check on their other halves. I've heard stuff like bugs in cars, software on phones, hacking into other users' WhatsApp accounts, key-loggers etc. All of these things are actually illegal and cannot be presented as evidence in court. They can be used to build an information picture about the end user, but the individual concerned is not part of the security/intelligence services and they don't have a warrant to intrude on the activities of other people's lives.

So the answer is that unless you are part of a law enforcement agency and/or have the legal right to snoop on other people’s activities online, you can’t undertake these activities unless you have the permission of the target user.  It’s the main premise of the Computer Misuse Act 1985 and it’s what we use to gain permission to ‘pen-test’ other firms’ machines for security.

However, if you are on the receiving end and you think that your other half is spying on you, there are some simple tips:

  • Put 2-factor authentication on every account you have…Google Authenticator, 2-step verification with Apple, Touch ID on the iPhone etc.
  • Don't use the 'free' café wifi networks, and if you have to use them, delete the credentials when you have finished.
  • If you're a Windows 10 user, turn off Wi-Fi Sense; it shares your wireless password logins with your friends…encrypted of course, but once you have a user you don't want on your network, then a layer of security is gone. Also, don't run unlicensed software on a Windows 10 machine, as this can be locked down too!
  • Have a PIN lock that engages after a minute, and then ensure that if the password is entered incorrectly a number of times, it blocks the device.
  • Turn off the location settings on the iPhone. The location settings on the iPhone are a great pub trick to see where someone has been up to…people are amazed what info a phone keeps on them.
  • Have the remote wipe function turned on and test it…
  • Don't back up the phone to a computer that isn't yours (i.e. your work one).
  • Always update to the latest version of the software.

And for those geeks who are super paranoid, here are some tips that I read in an article on theregister.co.uk; I have put the points down, but you can read the article here.

  • Use AES 256-bit encryption.
  • Use Secure Linux as your OS and grsecurity as a system hardening tool.
  • The article says TrueCrypt, but that's not supported anymore…maybe VeraCrypt will do.
  • And if you're not sure, the NSA has an article to assist you…you may want to take this with a pinch of salt if you think that the government is after you, but as for your partner, I'm sure that it's fine, and the link is here.
  • Compartmentalise your system: use a hypervisor, VHDs, the lot...everything should be done.
  • Use PGP for any data within your virtualised box, and especially if you're emailing someone.
  • Once the VM is up and running, snapshot it so that it can be put on something like a USB stick (that's of course encrypted).

So, with this all in place, every time you need to look at the leaked encrypted documents (again, stored securely off disk), reload the snapshot and use that environment afresh, so that the VM doesn't have to touch the host machine's disk, and also just in case the VM was compromised the last time you used it.

And if you didn't understand what that was all about, then don't do anything that arouses suspicion, because we all know what George Orwell said: ‘If you have nothing to hide, you have nothing to fear.’


Thursday 6 August 2015

RBS & NatWest Attacked: DDoS Attacks on the Rise?

Blogger: Hannah Doughty

The attack which disabled the RBS and NatWest online banking services last Friday morning appears to be part of a renewed trend of DDoS attacks against the banking industry. According to law enforcement sources in America and Europe, distributed denial of service (DDoS) attacks against banks and other financial institutions are increasingly accompanied by ransom demands.
A statement from NatWest, part of the Royal Bank of Scotland Group, said: “The issues that some customers experienced accessing online banking this morning was due to a surge in internet traffic deliberately directed at the website. At no time was there any risk to customers.”
In 2014, RBS was hit by £56 million in fines for the failures in 2012 that disabled 6.5 million customer accounts. Critics said that the acquisition of so many disparate banks has led to a hodge-podge of IT systems, leaving the system vulnerable to outages and attacks.
In June 2015, RBS pledged to invest £150 million a year on cyber-security, on top of the hundreds of millions it had already spent on security and resiliency projects.
Security experts were not surprised by Friday's DDoS attack. It follows warnings from both the FBI in America and the Swiss Governmental Computer Emergency Response Team that DDoS extortion rackets against banks are on the rise.
In the US, an FBI agent told the Marketwatch.com website that more than 100 companies, including banks and brokerages, had received DDoS threats since April. Richard Jacobs, assistant special agent in charge of the cyber branch at the FBI's New York office, said the ransom requests were usually for tens of thousands of dollars.
While a £6,000 ransom amount may seem high, especially compared to the typical ransom demands for consumers held hostage, which are usually in the £200 range, banks facing a DDoS attack could be looking at losses of £60,000 an hour, according to Neustar.

How do you mitigate against these attacks?

Have you got a response plan in place?

MIT Cracks Tor Anonymity & Finds Hidden Servers

Blogger: Hannah Doughty

The Tor network comprises 2.5 million daily users, including journalists, political activists, terrorists and others who don't want to share their browsing histories with Google, Facebook and other commercial entities.
Computer scientists from the Massachusetts Institute of Technology (MIT) and the Qatar Computing Research Institute (QCRI) have demonstrated a security vulnerability affecting the Tor anonymity network. It makes it possible to identify hidden servers with up to 88 percent accuracy, bad news for daily Tor users who rely on the service.
Tor enables the hosting of websites that are not found via a Google search or by directly typing in a website URL. These hidden services, which protect a site's IP address and other identifying information, are what the scientists at MIT have exposed.
The researchers showed that, by looking for patterns in the number of packets passing in each direction through a guard, machine-learning algorithms can determine whether a circuit is an ordinary web-browsing circuit, an introduction-point circuit, or a rendezvous-point circuit, with 99 percent accuracy.
The attack works by collecting a large amount of network data from a pre-determined list of Tor hidden services in advance, then assigning a digital fingerprint to all services in question, all done without breaking Tor's encryption.
Source and more on this story at SCMagazine.

Do you know who is talking about you on the deep and dark web?
How do you decipher that?