Author Archives: Ellie Hurst

About Ellie Hurst

marketing manager for Advent IM, which is the UK's leading independent information security and physical security consultancy. We specialise in holistic security management solutions for Information Security, HMG Information Assurance, Business Continuity, PCI-DSS and Physical Security and have a proven track record of successful certifications

Fish hack, no seriously..

Advent IM - expert security consultancy for the gambling industry

Image result for fish face Credit: Getty Images. NB. not the actual fish involved

We have talked about phishing before and warned you of the dangers of phishing emails that spread malware, ransomware and other toxic payloads. Today however we are talking fish. Actual fish.

It was never going to be long before the obsession with web-enabling everything from air conditioning to kettles, caused a bit of a problem. In this case, a web-enabled fish tank (stay with us) was hacked and using this fish tank’s connection, criminals managed to move through the network and steal data from the fish home a ‘smart tank’  in a casino…

If you consider the use web-enabled equipment, including any animal enclosures, please risk assess it thoroughly and please protect it properly from fishers, phishers and other cyber botherers. Criminals will head for the point of least resistance every time and you need to know where that is before…

View original post 19 more words

We are moving!

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Well, only this blog….

We have decided to move our security blog onto our newly re-designed website.

There will still be regular comment, support  and opinion of course…it will just sit alongside industry news and our latest events and content.

All you need to do is click here and don’t forget to update your bookmarks.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Webinar – Outsource Magazine – March 16th

Outsource magazine: thought-leadership and outsourcing strategyWe want to wish Outsource Magazine good luck as they relaunch their webinar program, Time to talk Talks.

This is the program in the words of the Editor,  Jamie Liddell…

Each month (the third Wednesday of every month, to be specific) I’ll be sitting down with four or five luminaries from different corners of the community, to discuss what’s hot (and what’s not) for them in a series of short one-on-one interviews, before throwing the panel to the mercy of the audience for some general Q&A in the second half of the show.

Mike Gillespie_headshotWe are also delighted that one of the luminaries on the launch webinar, will be our very own, Mike Gillespie. Don’t forget to email questions in ahead of the event and sign up via the link…

http://outsourcemag.com/time-to-talk-talks/

 

 

When is a hack all-white?

From Chris Cope – Advent IM Security Consultant

hacker_d70focus_1What’s the difference between a ‘white hat’ security researcher and a hacker?  As a general rule of thumb, if  someone discovers a vulnerability on your system and informs you (without undertaking any unauthorised or unlawful activity in the process) then a ‘thank you’ is generally considered to be in order.  There are numerous ‘white hat’ researchers who trawl software and internet sites, detecting vulnerabilities and alerting the appropriate owners or developers.  Many companies have benefited from a quiet advisory and it’s reasonable to suggest that without ‘white hats’, the policy of releasing software and patching later, adopted by many vendors, would be severely undermined.

advent IM data protection blog

oops there goes the sensitive data

So why is a white hat researcher, Chris Vickery to be precise, in the news?  Mr Vickery discovered a database on a website.  The website belongs to a company called uKnowKids, this provides a parental monitoring service for your technology savvy children.  The database contained an array of information that the company did not want to be made public, including in the words of the BBC ‘detailed child profiles’.  However, the company claims that the information was not personal data and no customer information was at risk.  Mr Vickery was able to access the data base and take screenshots, which were sent to the company as proof of the vulnerability.  However, rather than thank him, the company accused Mr Vickery of risking their continued viability and claimed that his access was unauthorised.  By Mr Vickery’s account, the database was in a publicly accessible area and had no access controls in place.

Since the notification, uKnowKids has patched the vulnerability.

So what can we take from this?  UKnowKids obviously intended for the database to remain private.  Under UK law, Intellectual Property rights provide protection for confidential information, but there is one pretty fundamental requirement – the information needs to be protected.  Placing a database on a publically accessible internet page, without protection is, however, akin to leaving a sensitive file in paper format on a train.  Organisations shouldn’t be surprised if information left in such a public and insecure state is read by unintended third parties. 

Before protecting information, an organisation needs to understand what information it holds, and what needs protecting.  Once that is established, there are a variety of means that can be used to protect it; physical controls on physical copies, labelling of information, educating staff so they understand the required handling measures and routine audits all form part of the basic protections required for all types of information.  For electronic information, then one needs to consider technical measures such as access controls and encryption.  When a database, containing sensitive information, must be placed in an area where it is accessible from outside the organisation, then access to it must be very carefully controlled.

iStock_000014878772MediumIn this instance, the reputation of a company, which holds intelligence on children, could have been seriously undermined if a hostile breach had occurred, even without the loss of personal information.  If personal information was lost, then the financial implications could have been severe; increasingly so as new EU legislation on data protection comes into effect.  So make sure that you fully understand your assets (including information) and what level of protection they require and, when designing controls, its important to ensure that the full range of counter measures, including physical, personnel, procedural and technical, are considered, properly implemented and integrated.  And if you do come across a publicly spirited individual who warns you of a potential breach in your security, remember to say ‘thank you’.

Security and Policing Event 2016

s and p 2016This Home Office event will soon be upon us (March 8-10) and we just wanted to let you know you will be able to find us on stand Z20 in the Cyber Zone. You can find details of this event here.

Mike Gillespie will also be presenting in the Cyber

Mike Gillespie_headshot

Advent IM,  Managing Director, Mike Gillespie

Briefing Zone on the 9th on the subject of the cyber security of  Industrial Control Systems.

Come along and meet Mike and Gareth and enjoy some great presentations, content, updates and a bit of a chat.

Some top security tips that ALL employees can use

When it comes to security, one thing is clear, people occasionally do daft things with computers and devices, and they frequently do these daft things at work. They occasionally do malicious things too but it’s mostly just daft. So we can train our employees (including managers and directors) in our procedures and policies and enforce them. In fact, spending as much time thinking about the best way to train different teams is never time wasted because it gives you the chance to use their language and create something nuanced that will make a genuine difference, which is, after all, the whole point of doing it.

Looking at some of the data that came out of Vormetric’s Insider Threat report, in actual fact, those privileged users are still posing a security headache to many of the respondents. They may be System Admins or senior colleagues who are simply not restricted or monitored in the way other employees are…these are the ones who can access very sensitive or valuable information and so need to be even more hyper-vigilant in their behaviour. But let’s face it, one phishing email clicked and payload of malware downloaded is all it takes and that could be done by an MD or a temp.

I asked the team here at Advent IM to come up with some practical tips that all employees can use, regardless of their role,  to help protect their organisations and enhance their understanding of the vital role they play in securing assets.

  • That email telling you there’s a juicy tax rebate waiting for you but it needs to be claimed immediately, hasn’t come from the Government. It’s  a phishing email. Clicking that link will allow malware to be installed and all your personal information to be stolen. Do not click on links in emails you are not expecting and if in any doubt refer to your security manager.
  • Never set your smartphone to allow download and installation of apps from sources other than an approved store. Changing this setting can allow malware to be installed without your knowledge and could result in you being a ransom ware victim.
  • Always report security breaches immediately to your line manager to facilitate any counter compromise action to be undertaken as deemed necessary. If the organisation isn’t aware of it, the event could worsen or spread. Containment and control is vital as quickly as possible.
  • Archive old emails and clear your deleted & sent folders regularly as a clean and tidy mailbox is a healthy mailbox.
  • Never discuss work topics on social media as your comments may come back and bite you!! You could also be compromising your employers and colleagues security and increasing the likelihood or the ease of an attack.
  • Don’t worry about challenging people you do not know who are not wearing ID or visitor badges. It may seem impolite but Social Engineers use inherent politeness to their advantage and can then move round a site, potentially unchallenged.
  • Don’t allow colleagues to use your login credentials, this goes double for temps and contractors. Think of it like lending your fingerprints or DNA to someone, would you do that so easily? Any activity on your login will be attributed to you…
  • Do you really need to take your work device to the pub with you? More than a quarter of people admit to having lost (or had stolen) up to 3 work devices and more than half of them were lost in a pub!
  • Don’t send sensitive documents to your personal email address. If there is a security measure in place, it is there for a reason..
  • Don’t pop any old USB into your PC. Nearly one in five people who found a random USB stick in a public setting proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and potentially, that of their employer. It could have anything on it! exercise caution.

Some of the findings on Insider Threat from the Vormetric 2015 survey…

2015 Vormetric data Insider Trheat v0.4

NASA hacking?

A post on allegations of NASA being hacked from Del Brazil of Advent IM

There have been allegations of numerous hacks into the systems controlled or operated by NASA. These have ranged from secret UFO files being accessed, through to drones being infiltrated and subsequently controlled by unauthorised persons.

Advent IM Cyber SecurityThis raises the questions about how secure the NASA websites, servers and systems are.  There are a whole host of individuals who claim to have hacked NASA including a 15 year old who is alleged to have caused a 21 day shutdown of NASA computers, through to an individual who claims to have found evidence that NASA has or is in the process of building ‘space warships’ and finding lists of ‘non-terrestrial military officers.’

The latest alleged hack involves the release of various videos, flight logs and personal data related to NASA employees.  This hack is believed to originally to have started over 2 years ago with a hacker paying for initial access; although it is not yet confirmed, it is fair to assume that this purchase would be associated with a NASA employee.  The hacker then carried out a ‘brute force’ attack against an administers SSH password, resulting in a successful compromise within 0.32 seconds as the password is alleged to have been still set to the default credentials.  Having infiltrated the system with an administrator’s Image courtesy of Master isolated images at FreeDigitalPhotos.netpassword the hacker was then pretty much free to navigate his/her way around various NASA systems collecting information as they went.  It’s not unusual to find CCTV systems and/or other Base Management Systems Administrator settings being still set on their default setting, what is unusual is to find that NASA has systems are potentially falling foul of this too.  There were also claims that one of NASA’s unmanned drones used for high altitude and long duration data collections had been partially taken control of during the hacking with a view to potentially crashing it in the Pacific Ocean.

The information claimed to have been obtained includes 631 videos of weather radar readings and other in-flight footage from manned and unmanned aircraft between 2012 and 2013 along with personal information related to NASA employees.  It is widely

Image courtesy of digitalart at FreeDigitalPhotos.net

image courtesey digitalart on freedigitalphotos.net

 

reported on the internet that the personal information obtained relating to the NASA employees has been verified by another media client, as they have allegedly attempted to contact those individuals by telephone; although it is further reported that no actual conversations took place and that verification was obtained from answerphone machines pertaining to those NASA employees.   There is no reports that the same media client has received any return calls from the alleged NASA employees nor is there any documented communication from NASA’s IT Security Division, the Glenn Research Center, the Goddard Space Flight Center, the Dryden Flight Research Center, the NASA Media Room or the FBI.

This is certainly not the first and won’t be the last alleged hack of NASA.  It is well known that there are a whole host of individuals who are continuously attempting to attack large organisations; whether their motive be criminal or just inquisitive you can be assured that any alleged successful hack will make headline news. Hackers are widely regarded as kudos- seekers; reputation and status hungry within their own fields and targets like this are very highly sought after.

Protected filesLet’s consider the sensitivity of the alleged data?  Any sensitive or ‘secret’ information is likely to be securely stored in a manner to prevent or at least deter any potential hacker; however no system is 100% secure and so there is, albeit very small a possibility that a hacker maybe successful.

NASA have responded by stating that ‘Control of our Global Hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations.’  So the old ‘he said, she said’ playground argument continues with neither party being proved or dis-proved but what we do know is that hackers will continue to attack high profile organisations for ‘Kudos’ status or bragging rights.