 |
| Nick Prescot - Blog contributor |
You can imagine the scene, you've had a hard week at work and there was a flurry of reports, calls, proposals, meetings and updates to the CRM to do over the last 5 days. Along with this, the post-work drink and in the constant corner of your eye, a casting glance to ensure that you are not in the midst of a domestic ‘Defcon 1’ because your partner assumed that you’d be back for dinner; the excuse of the train running late has long expired as she’s looking at the train timetables just as much as you…so back to the scenario…
The vin rose is chilled, the semi-burnt burger in ensconced in the brioche bap and the question is popped, ‘so what you do?’; the answer, ‘I work for an ethical hacking company.’ There is always that momentary pause and then a sudden realisation that I am not a lawyer/accountant/banker/estate agent but something different (and no, not an inspecteur de police). Then whilst the wine is in full flow and there is a rapport built, there comes the second wave of questioning….
‘Can you hack into peoples’ phones and see what they are doing?’, my usual reply is, ‘Yes, we can but you need to be the owner of the phone and also if there is anyone else’s personal data on the there, you could be in breach of the Data Protection Act as they haven’t given your consent to access it.’ Usually that stops the conversation there as I’m going into techno gobbledegook and you can see the whites of the eyeballs roll slowly into the back of their heads.
But I have heard some corkers that have made me wonder what people perceive is an acceptable course of action to check on their other halves. I've heard stuff like, bugs in cars, software on phones, hacking into other users’ what’s app account, key-loggers etc. All of these things are actually illegal and cannot be presented as evidence in court. They can be used to build an information picture about the end user, but the individual concerned is not part of the security/intelligence services and they don’t have a warrant to intrude on the activities of other people’s lives.
So the answer is that unless you are part of a law enforcement agency and/or have the legal right to snoop on other people’s activities online, you can’t undertake these activities unless you have the permission of the target user. It’s the main premise of the Computer Misuse Act 1985 and it’s what we use to gain permission to ‘pen-test’ other firms’ machines for security.
However, if you are on the receiving end and you think that your other half is spying on you, there are some simple tips;
- Put 2 factor authentication on every account you have…Google Authenticator, 2-step verification with Apple, touch ID on the iPhone etc.
- Don’t use the 'free' cafĂ© wifi networks, and if you have to use them, delete the credentials when you have finished.
- If you’re a windows 10 user, turn off Wi-fi sense, it shares your wireless password logins with your friends…encrypted of course but once you have a user you don’t want to have on your network, then a layer of security is gone. Also, don’t run unlicensed software on a windows 10 machine as this can be locked down too!
- Have a PIN that turns on after a minute and then ensure that if the password is failed a number of times, it blocks the device.
- Turn off the location settings on the iPhone. The location settings on the iPhone is a great pub trick to see where they have been upto…people are amazed what info a phone keeps on them.
- Have the remote wipe function turned on and test it…
- Don’t backup the phone to a computer that isn’t yours. (i.e. your work one)
- Always update to the latest version of the software.
And for those geeks that are super paranoid here some tips that I read from an article on the register.co.uk and I have put the points down but you can read the article here
- Use AES 256-bit encryption
- Use Secure Linux as your OS and Grsecurity as a system hardening tool
- The article says Trucrypt but that’s not supported anymore…maybe Veracrypt will do.
- And if you’re not sure the NSA has an article to assist you…you may want to take this with a pinch of salt if you think that the govt. is after you but as for your partner, I’m sure that it’s fine and the link is here
- Compartmentalise your system; put a hypervisor, VHD, the lot...everything should be done.
- Use PGP for any data within your virtualised box and especially if you’re emailing someone.
- Once the VM is up and running, snapshot it so that it can be put on something like a USB stick (that’s of course encrypted).
So this is all in place, and every time you need to look at the leaked encrypted documents (again, stored securely off disk), reload the snapshot and use that environment afresh, so that the VM doesn't have to touch the host machine's disk and also just in case the VM was compromised the last time you used it.
And if you didn’t understand what that was all about, then don’t do anything that arises suspicion because we all know what George Orwell said, ‘If you have nothing to hide, you have nothing to fear.’
More about Nick... contact me
'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab. Nick aims to assist companies whom are looking to improve the cyber resilience and posture in the ever ongoing battle against the emerging and continuing cyber threats. By taking a detailed and holistic view of client's policy and governance infrastructure entwined with incorporating information assets within corporate risk registers, Nick is able to provide a clear strategy to client in order that their infosec operations and processes are aligned to industry practice.
Nick is also a seasoned incident response manager and when there is a security and/or availability incident, Nick is able to ensure that the incident is remediated as soon as possible and deploy the specialist response assets can remediate the incident. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'
No comments:
Post a Comment