Category Archives: hacking

When is a hack all-white?

From Chris Cope – Advent IM Security Consultant

hacker_d70focus_1What’s the difference between a ‘white hat’ security researcher and a hacker?  As a general rule of thumb, if  someone discovers a vulnerability on your system and informs you (without undertaking any unauthorised or unlawful activity in the process) then a ‘thank you’ is generally considered to be in order.  There are numerous ‘white hat’ researchers who trawl software and internet sites, detecting vulnerabilities and alerting the appropriate owners or developers.  Many companies have benefited from a quiet advisory and it’s reasonable to suggest that without ‘white hats’, the policy of releasing software and patching later, adopted by many vendors, would be severely undermined.

advent IM data protection blog

oops there goes the sensitive data

So why is a white hat researcher, Chris Vickery to be precise, in the news?  Mr Vickery discovered a database on a website.  The website belongs to a company called uKnowKids, this provides a parental monitoring service for your technology savvy children.  The database contained an array of information that the company did not want to be made public, including in the words of the BBC ‘detailed child profiles’.  However, the company claims that the information was not personal data and no customer information was at risk.  Mr Vickery was able to access the data base and take screenshots, which were sent to the company as proof of the vulnerability.  However, rather than thank him, the company accused Mr Vickery of risking their continued viability and claimed that his access was unauthorised.  By Mr Vickery’s account, the database was in a publicly accessible area and had no access controls in place.

Since the notification, uKnowKids has patched the vulnerability.

So what can we take from this?  UKnowKids obviously intended for the database to remain private.  Under UK law, Intellectual Property rights provide protection for confidential information, but there is one pretty fundamental requirement – the information needs to be protected.  Placing a database on a publically accessible internet page, without protection is, however, akin to leaving a sensitive file in paper format on a train.  Organisations shouldn’t be surprised if information left in such a public and insecure state is read by unintended third parties. 

Before protecting information, an organisation needs to understand what information it holds, and what needs protecting.  Once that is established, there are a variety of means that can be used to protect it; physical controls on physical copies, labelling of information, educating staff so they understand the required handling measures and routine audits all form part of the basic protections required for all types of information.  For electronic information, then one needs to consider technical measures such as access controls and encryption.  When a database, containing sensitive information, must be placed in an area where it is accessible from outside the organisation, then access to it must be very carefully controlled.

iStock_000014878772MediumIn this instance, the reputation of a company, which holds intelligence on children, could have been seriously undermined if a hostile breach had occurred, even without the loss of personal information.  If personal information was lost, then the financial implications could have been severe; increasingly so as new EU legislation on data protection comes into effect.  So make sure that you fully understand your assets (including information) and what level of protection they require and, when designing controls, its important to ensure that the full range of counter measures, including physical, personnel, procedural and technical, are considered, properly implemented and integrated.  And if you do come across a publicly spirited individual who warns you of a potential breach in your security, remember to say ‘thank you’.

Advertisements

NASA hacking?

A post on allegations of NASA being hacked from Del Brazil of Advent IM

There have been allegations of numerous hacks into the systems controlled or operated by NASA. These have ranged from secret UFO files being accessed, through to drones being infiltrated and subsequently controlled by unauthorised persons.

Advent IM Cyber SecurityThis raises the questions about how secure the NASA websites, servers and systems are.  There are a whole host of individuals who claim to have hacked NASA including a 15 year old who is alleged to have caused a 21 day shutdown of NASA computers, through to an individual who claims to have found evidence that NASA has or is in the process of building ‘space warships’ and finding lists of ‘non-terrestrial military officers.’

The latest alleged hack involves the release of various videos, flight logs and personal data related to NASA employees.  This hack is believed to originally to have started over 2 years ago with a hacker paying for initial access; although it is not yet confirmed, it is fair to assume that this purchase would be associated with a NASA employee.  The hacker then carried out a ‘brute force’ attack against an administers SSH password, resulting in a successful compromise within 0.32 seconds as the password is alleged to have been still set to the default credentials.  Having infiltrated the system with an administrator’s Image courtesy of Master isolated images at FreeDigitalPhotos.netpassword the hacker was then pretty much free to navigate his/her way around various NASA systems collecting information as they went.  It’s not unusual to find CCTV systems and/or other Base Management Systems Administrator settings being still set on their default setting, what is unusual is to find that NASA has systems are potentially falling foul of this too.  There were also claims that one of NASA’s unmanned drones used for high altitude and long duration data collections had been partially taken control of during the hacking with a view to potentially crashing it in the Pacific Ocean.

The information claimed to have been obtained includes 631 videos of weather radar readings and other in-flight footage from manned and unmanned aircraft between 2012 and 2013 along with personal information related to NASA employees.  It is widely

Image courtesy of digitalart at FreeDigitalPhotos.net

image courtesey digitalart on freedigitalphotos.net

 

reported on the internet that the personal information obtained relating to the NASA employees has been verified by another media client, as they have allegedly attempted to contact those individuals by telephone; although it is further reported that no actual conversations took place and that verification was obtained from answerphone machines pertaining to those NASA employees.   There is no reports that the same media client has received any return calls from the alleged NASA employees nor is there any documented communication from NASA’s IT Security Division, the Glenn Research Center, the Goddard Space Flight Center, the Dryden Flight Research Center, the NASA Media Room or the FBI.

This is certainly not the first and won’t be the last alleged hack of NASA.  It is well known that there are a whole host of individuals who are continuously attempting to attack large organisations; whether their motive be criminal or just inquisitive you can be assured that any alleged successful hack will make headline news. Hackers are widely regarded as kudos- seekers; reputation and status hungry within their own fields and targets like this are very highly sought after.

Protected filesLet’s consider the sensitivity of the alleged data?  Any sensitive or ‘secret’ information is likely to be securely stored in a manner to prevent or at least deter any potential hacker; however no system is 100% secure and so there is, albeit very small a possibility that a hacker maybe successful.

NASA have responded by stating that ‘Control of our Global Hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations.’  So the old ‘he said, she said’ playground argument continues with neither party being proved or dis-proved but what we do know is that hackers will continue to attack high profile organisations for ‘Kudos’ status or bragging rights.

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

jAN 2015In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In FFEB 2015ebruary, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

MAR 2015In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

april 2015In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website

mAY 2015

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

JUN 2015In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

JUL 2015In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

dEC 2015And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015

Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM Staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how  the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Image courtesy of Vlado at FreeDigitalPhotos.net

Vlado at FreeDigitalPhotos.net

 

Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsular coupled with additional attacks from the orient- this will bring a chill to the spines of organisations.  These attacks are likely to be followed by sweeping phishing scams from the African continent.  There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation that the threat from insiders is on the rise. In summary it’s going to be a mixed bag of events for a number of wide ranging organisations. However on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same.  Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people.  I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees.  I also predict a significant challenge for many organisation which hold personal data.  The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens.  With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioners Office (ICO).  Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited.  This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media, and Marcomms Manager – I predict the growth of ransomware  in business.  Ransomware, is mainly (though not exclusively) spread by phishing and given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites and so businesses that do not have, or enforce a policy or exercise restrictions in this area, will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

 

 

Mike Gillespie_headshot

 

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breach in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

Trident vulnerable to hacking?

By Julia McCarron with contribution from Chris Cope.

There have been a number of press stories in the last few days that could have us searching for our 3 pronged spears to protect these shores because, if the news is to be believed, the missile version of Trident could be rendered useless or obsolete from a cyber-hack.

I don’t know about you but I viewed these articles with some skepticism as I can’t believe that the MOD and Government haven’t thought to test the technical vulnerabilities of such a critical system before now, especially one with such far reaching consequences if it were breached?

As I understand it from those who have knowledge of MOD workings, all military systems, including Trident and its associated communications networks, are assured via the Defence Information Assurance Services (DIAS) Accreditors.  This assurance process takes into account the likely threats and resulting risks that apply to those systems, including hacking and other forms of cyber-attack.  There is a stringent policy of assessment and review for all major systems, and Trident will be one of the most assured systems due to its importance.  Clearly, though details of this assurance are highly unlikely to ever be released into the public domain; information on risks and counter measures taken against them will be very closely guarded. And I would hope so too!

The MOD will employ a number of safeguards to protect its most important systems.  Many of these will be familiar to the wider information security field and it’s no surprise that ISO27001 features heavily.  The greater the risks to the system, and the more critical it is, the more stringent the controls in place. Many high level MOD systems are effectively air-gapped and have no connection to the internet, even via a controlled gateway. That means they are effectively isolated from other communications networks, even the authorised users are heavily constrained in what they can and cannot do; use of mobile media for example is highly regulated.  Given Trident’s role as a potential counter-strike weapon, the communications to the deployed vessels receive very careful attention.  Not only will there be good level of assurance against the normal range of attacks, but there will be significant redundancy in place, just in case one fails.  Trident is carried by the Vanguard class submarine, which is designed to operate virtually undetected.  Commanders of these vessels have clear direction from the Prime Minister on what to do if there is evidence of a nuclear attack and all communication from the political leadership in the UK fails.

The comments made by a former Defence Secretary about potential vulnerabilities around the Trident system make interesting reading in light of recent concerns over cyber-attack, but the timing of these comments is telling. The House of Commons is due to vote on the future of the UK’s nuclear deterrent … there I go being skeptical again but as my hero Leroy Jethro Gibbs often says, Rule 39# There’s no such thing as a coincidence…

CRIME OF OUR GENERATION – A Look at the TalkTalk Breach

A review from Advent IM Security Consultant, Chris Cope.

TalkTalkThe TalkTalk hack has left another major UK business reeling from a cyber attack and customers angry as, once again, there is a possibility that sensitive information is now in the public domain.  The telecommunications company decided to take its own website offline on Wednesday following the presence of unusual traffic, with a ‘Russian Islamist’ hacking group taking responsibility and the Metropolitan Police’s Cyber Crime unit now investigating. Detail on precisely how the attack took place are not yet publicly available, but there are some points that are immediately apparent.

Customer security.  The BBC is reporting that personal information and bank account details may have been stored in an unencrypted format and are now available to hacker groups.  Some TalkTalk customers have complained about hoax communications already; it is likely that this is just the start. Customers will need to rely on Talk Talk to identify precisely which customers are affected, but in the interim they must monitor their bank accounts closely.  Any suspicious activity must be reported to their bank immediately as potential fraud.  When the Talk Talk website becomes accessible again, customers should immediately change their passwords, taking care to avoid passwords which are easily guessable.

Undoubtedly this is the crime of our generation as more and more cyber attacks are reported.  But organisations should not despair, it is perfectly possible to reduce the risk from cyber attack by following the basic security precautions contained with ISO27001.  These can be applied to any organisation, large or small.  From what we know of the attack already, there are some specific controls from that standard which become immediately apparent:

  • Use of encryption. Many networks are designed to be hard on the outside, but soft on the inside.  Once an attacker gain access into the network, they can wreak havoc.  The use of encryption is not the solution to all threats, but encrypting sensitive information is an important consideration.  This will not prevent the initial attack, but the impact of a breach is hugely reduced.  Its also a practical option that the Information Commissioners Office would deem as reasonable, and its absence may be difficult to justify during any follow on investigation.  A good standard of encryption will make personal data unreadable to an attacker and at the very least will buy time for customers to make any changes to their account information they deem necessary.
  • In February of this year, TalkTalk reported that a third-party contractor, based in India, that had legitimate access to its customer accounts had been involved in a data breach.  The use of suppliers is wide spread and many organisations now off-shore certain practices for sound business reasons.  But, devolving the process does not devolve the responsibility and organisations must make sure that their suppliers follow a suitable set of security controls that is consistent with their own.  Included in this suit of controls relating to suppliers is the right to audit supplier activities and a linked up incident management reporting structure.  As further details on this incident emerge, it will be intriguing to discover how much Talk Talk knew of that incident and what steps they took to prevent follow on attacks against their own network.  No matter how secure a network may be, authorised connections from trusted third parties remain a very attractive exploit and they must be managed accordingly.
  • The use of defensive monitoring will not prevent an attack, but it can help to radically reduce the impact.  TalkTalk took the decision to take their services off line following the detection of unusual behaviour within their network. This is a brave call and how much that will cost them in terms of financial or reputational impact is yet to be established.  However, just how much worse could it have been without such monitoring?  What if the first indication of the attack was when personal information was being publicly sold, and exploited?  There is a cost to effective defensive monitoring, but it is a cost often worth paying in order to lessen the eventual impact of a breach.

As the list of cyber attacks in 2015 grows again, and shows no sign of tailing off any time soon, organisations must look to their own defenses.  The threat is varied and very real.  Cyber Crime is here to stay, but why make it easy for criminals to succeed?  There are steps that can be taken to reduce the risks of compromise and the impact following an incident.  Customers are now expecting higher levels of cyber security, if organisations wish to maintain their reputation, they should look to deliver it.

Planes, Trains and Automobiles (and news stories about hacking them)

A guest post from Dale Penn, an Advent IM Security Consultant – taking a look at vehicle hacking and questioning how much we really need to fear.

Image courtesy of njaj at FreeDigitalPhotos.net

Image courtesy of njaj at FreeDigitalPhotos.net

Even though the title is a tribute to a classic, well-loved comedy, the subject I am about to discuss is no joke!

All of us have seen recent news such as individuals claiming to be able to hack planes and cars and the more recent grounding of LOT airlines. So is there any substance behind these claims or is it little more than hype?

Planes

A US Government watchdog has recently warned that “Modern aircraft are increasingly connected to the internet. This interconnectedness can potentially provide unauthorised remote access to aircraft avionics system”

The report highlights the fact that cockpit electronics are indirectly connected to the passenger cabin through shared IP networks. The connection between passenger-accessible systems and the avionics of the plane is heavily moderated by firewalls, but information security experts have pointed out that firewalls, like all software, can never be assumed to be totally infallible.

While on a flight, a security researcher was reading about these new warnings that planes were hackable via their Wi-Fi network and tried to add to the debate by pointing out flaws on the aircraft he was sitting in.

So he tweeted from the aircraft that he could hack into the plane’s Wi-Fi network and as a result gain access to the flight’s communications systems.

The Researcher was subsequently detained and questioned by the FBI.

Bearing everything said above, am I going to cancel my holiday abroad later this year? I don’t think so!

Trains

Professor David Stupples told the BBC that the new European Rail Traffic Management System (ERIMS) is potentially a weak point in railway security.

Stupples is concerned that malware could be introduced into the system, either externally or perhaps more likely internally via rogue staff, which could cause trains across Europe to crash.

ERIMS is replacing the railway signals we are all used to with an in-cab computer display instead. Although tests have been underway since 2008, the full ERIMS system is expected to be rolled out and running sometime in the next decade. Which should give plenty of time for weaknesses to be found and closed down, but also plenty of time for the bad guys to find ways around the defences and new malware to exploit the system.

That, of course, is nothing new and is the same fight that every enterprise has when it comes to protecting networks, systems and data. The difference being that when an enterprise system crashes it doesn’t, ordinarily, have the potential to cause loss of life.

Personally from an information perspective I believe the biggest threat to enterprises is the threat from theft, loss, shoulder surfing and eaves dropping as your work force use the commuting time aboard trains as an extension of their office.  Personnel should receive appropriate training as to how they should conduct business outside the office environment.

Automobiles

As information technology advances more and more of it is used in cars to improve performance and driving experience.  Car these days are a rolling network with a suite of processes and wireless communication methods. Is it possible to hack your car and take remote control of its system? Yes it is! But you have to take a step back from this scary thought and view it from a different angle. Who would want to take control of my car? What would they gain from such an attack? The fact of the matter is if someone wanted to sabotage or steal your car there are much easier ways of achieving this without hacking your car. Frankly the effort involved is not worth the reward and the chance of your car being hacked is very, very low.

In my opinion, even though the capability exists, the likelihood of this attack is so low that the recent car hacking claims are little more than hype.