Category Archives: vulnerability

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

jAN 2015In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In FFEB 2015ebruary, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

MAR 2015In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

april 2015In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website

mAY 2015

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

JUN 2015In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

JUL 2015In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

dEC 2015And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015

Advertisements

TalkTalk advised not to talktalk about their breach?

According the International Business Times, the Metropolitan Police advised TalkTalk not to discuss their breach. (you can read the article here)

Here, in conversation on the topic , is Advent IM Directors, Julia McCarron and Mike Gillespie and Security Consultant, Chris Cope.

Chris Cope small headshot

Chris Cope

“This is interesting as it shows the 2 different priorities at work.  For the police, the key aim is to catch the perpetrator.  This often means allowing an attacker to continue so they can be monitored on the network and their activities logged and traced without causing them to suspect that they are being monitored in such a way.  The Cuckoos Egg details how the Lawrence Berkeley Lab famously did just this in response to a hack of their system.  However, TalkTalk have a duty of care to their customers.  If personal information could be used to steal money, then they must weigh up the advice from the police, along with the potential impact of not publicising this attack on ordinary people. Its easy to see how a CEO can be caught in between trying to help the police, but also attempting to limit the damage to their customers.  Ultimately it’s a difficult decision, but one that could be made easier with correct forensic planning, i.e. working out how to preserve evidence of an attack, which can be provided to the police, whilst ensuring that normal services continue and customers are warned.  Making these decisions during an actual incident will only make a stressful time even more so; far better to plan ahead.”

Julia McCarron

Julia McCarron

“Totally agree … something to add…

This is a classic case of being stuck between a rock and a hard place. As Chris quite rightly says two different objectives were at play here and each had its merits. Ultimately it was a difficult decision to make but you can’t knock TalkTalk for once, as it appears to have been an informed one.

Whilst I also agree with Chris on the forensics front, experience has shown us that staff need to be aware of what to do ‘forensically’ in the event of an incident and this is often where the process falls down. Because such incidents are usually rare, the chain of evidence is often corrupted unintentionally because no-one knows what to do, or it’s no longer available due to the time lag in occurrence and detection.

Intrusion detection systems along with other technological measures will be an asset in reducing that time lag but key to success is scenario training. In the same way as we are seeing Phishing tests becoming the norm, especially in customer facing organisations like TalkTalk, is there a place for forensic readiness testing to ensure staff know what to do when a security attack occurs? Then vital evidence is at hand when hacks like this occur and the force awakens.”

Mike Gillespie_headshot

Mike Gillespie

“Totally agree, Chris. It’s a tough balance but the protection of the consumer should always come first in my opinion.

Forensic readiness planning is key and continues to be a weak area for many organisations – linking this with an effective communication plan is vital – and as with any plan it needs to be properly tested and exercised…….as do all aspects of cyber response…..using appropriate scenario based exercises.

All of this should be designed to drive continual improvement and to ensure our cyber response evolves to meet emerging threats.”

If you would like support for Cyber Essentials and completing your questionnaire, you can find details here

Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM Staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how  the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Image courtesy of Vlado at FreeDigitalPhotos.net

Vlado at FreeDigitalPhotos.net

 

Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsular coupled with additional attacks from the orient- this will bring a chill to the spines of organisations.  These attacks are likely to be followed by sweeping phishing scams from the African continent.  There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation that the threat from insiders is on the rise. In summary it’s going to be a mixed bag of events for a number of wide ranging organisations. However on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same.  Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people.  I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees.  I also predict a significant challenge for many organisation which hold personal data.  The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens.  With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioners Office (ICO).  Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited.  This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media, and Marcomms Manager – I predict the growth of ransomware  in business.  Ransomware, is mainly (though not exclusively) spread by phishing and given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites and so businesses that do not have, or enforce a policy or exercise restrictions in this area, will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

 

 

Mike Gillespie_headshot

 

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breach in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

CRIME OF OUR GENERATION – A Look at the TalkTalk Breach

A review from Advent IM Security Consultant, Chris Cope.

TalkTalkThe TalkTalk hack has left another major UK business reeling from a cyber attack and customers angry as, once again, there is a possibility that sensitive information is now in the public domain.  The telecommunications company decided to take its own website offline on Wednesday following the presence of unusual traffic, with a ‘Russian Islamist’ hacking group taking responsibility and the Metropolitan Police’s Cyber Crime unit now investigating. Detail on precisely how the attack took place are not yet publicly available, but there are some points that are immediately apparent.

Customer security.  The BBC is reporting that personal information and bank account details may have been stored in an unencrypted format and are now available to hacker groups.  Some TalkTalk customers have complained about hoax communications already; it is likely that this is just the start. Customers will need to rely on Talk Talk to identify precisely which customers are affected, but in the interim they must monitor their bank accounts closely.  Any suspicious activity must be reported to their bank immediately as potential fraud.  When the Talk Talk website becomes accessible again, customers should immediately change their passwords, taking care to avoid passwords which are easily guessable.

Undoubtedly this is the crime of our generation as more and more cyber attacks are reported.  But organisations should not despair, it is perfectly possible to reduce the risk from cyber attack by following the basic security precautions contained with ISO27001.  These can be applied to any organisation, large or small.  From what we know of the attack already, there are some specific controls from that standard which become immediately apparent:

  • Use of encryption. Many networks are designed to be hard on the outside, but soft on the inside.  Once an attacker gain access into the network, they can wreak havoc.  The use of encryption is not the solution to all threats, but encrypting sensitive information is an important consideration.  This will not prevent the initial attack, but the impact of a breach is hugely reduced.  Its also a practical option that the Information Commissioners Office would deem as reasonable, and its absence may be difficult to justify during any follow on investigation.  A good standard of encryption will make personal data unreadable to an attacker and at the very least will buy time for customers to make any changes to their account information they deem necessary.
  • In February of this year, TalkTalk reported that a third-party contractor, based in India, that had legitimate access to its customer accounts had been involved in a data breach.  The use of suppliers is wide spread and many organisations now off-shore certain practices for sound business reasons.  But, devolving the process does not devolve the responsibility and organisations must make sure that their suppliers follow a suitable set of security controls that is consistent with their own.  Included in this suit of controls relating to suppliers is the right to audit supplier activities and a linked up incident management reporting structure.  As further details on this incident emerge, it will be intriguing to discover how much Talk Talk knew of that incident and what steps they took to prevent follow on attacks against their own network.  No matter how secure a network may be, authorised connections from trusted third parties remain a very attractive exploit and they must be managed accordingly.
  • The use of defensive monitoring will not prevent an attack, but it can help to radically reduce the impact.  TalkTalk took the decision to take their services off line following the detection of unusual behaviour within their network. This is a brave call and how much that will cost them in terms of financial or reputational impact is yet to be established.  However, just how much worse could it have been without such monitoring?  What if the first indication of the attack was when personal information was being publicly sold, and exploited?  There is a cost to effective defensive monitoring, but it is a cost often worth paying in order to lessen the eventual impact of a breach.

As the list of cyber attacks in 2015 grows again, and shows no sign of tailing off any time soon, organisations must look to their own defenses.  The threat is varied and very real.  Cyber Crime is here to stay, but why make it easy for criminals to succeed?  There are steps that can be taken to reduce the risks of compromise and the impact following an incident.  Customers are now expecting higher levels of cyber security, if organisations wish to maintain their reputation, they should look to deliver it.

Attack of the Drones – guest post from Julia McCarron – Advent IM Director

So this week came the worrying news that mobile phones attached to drones can hack Wi-Fi devices and steal our data. That Star Wars script of yesteryear could be coming into its own! Oh hang on … that was Clones not Drones J But seriously, the use of drones in warfare is becoming more and more prevalent, so could their use in cyber hack-attacks become a common threat too?

Image courtesy of Victor Habbick at FreeDigitalPhotos.net

Image courtesy of Victor Habbick at FreeDigitalPhotos.net

Drone usage in war and the fight against terrorism is a concept that’s been explored by TV and film script writers for a long time. (SPOILER ALERT: An insight into my television habits coming up). 5 years ago an episode of Spooks saw an American drone hacked by the enemy in Afghanistan. An episode of NCIS a couple of years ago saw a systems engineer steal a surveillance drone for the purposes of selling it to a terrorist group who then bombed a high profile event attended by the US military. An episode of Castle saw a government drone hacked and used to kill a government whistleblower. Far-fetched? Maybe. Possible? Definitely. Likely? Well we would hope not! But as we often see, TV dramas have a nasty habit of bringing reality to our screens and indeed drone usage has been part of our warfare arsenal since 1959, albeit they were unsophisticated unmanned aircraft essentially.

Drones have many other uses aside from warfare, cyber or otherwise. The US Navy for example uses tiny drones called Cicada containing sensor arrays that monitor weather and location. But they also have microphones that can eavesdrop on conversations within their vicinity. A useful tool for espionage?

Since 2013 the Police Service Northern Ireland have deployed drones as surveillance cameras to support policing operations during royal visits, political summits, the Belfast Marathon, searching for missing persons and the Giro d’Italia. Arguably a positive use of unmanned aerial vehicles as crime prevention and detection aids and possibly deterrents.

In July this year, a student Videographer shot footage of 4 young people running across a school

Image courtesy of Salvatore Vuono at FreeDigitalPhotos.net

Image courtesy of Salvatore Vuono at FreeDigitalPhotos.net

roof in Northern Ireland. He lived nearby and spotted them on the roof, so sent his drone out to inspect what was going on. The children got spooked and jumped down, running for cover.  Private use of this nature however does open up a wider privacy issue in the same way that CCTV coverage does.

So how can they be used to steal data? Researchers at the National University of Singapore announced on Monday that by attaching a mobile phone containing two different apps to a drone, they successfully accessed a Wi-Fi printer and intercepted documents being sent to it. The apps were designed so that one detected open Wi-Fi printers and identified those vulnerable to attack and the other actually detected and carried out the attack by establishing a fake access point, mimicking the end device and stealing the data intended for the real printer. These are techniques they claim that ultimately could be used by corporate spies for industrial espionage, or indeed by terrorists.

As drones are yet to become common place in our everyday lives, it is likely that we would spot the physical threat before the cyber attack occurs. Today. But what about tomorrow? In the last 30 years technology has taken over our lives. Who would have thought we’d all be carrying around a telephone in our back pockets, that’s also a computer and literally voices, “Don’t forget it’s your Mother’s birthday”!

At some point, in the not too distant future, seeing drones flying above our heads will become the ‘norm’. And that’s when our guard will be down and drone attacks won’t just be connected to air strikes but cyber hack-attacks too.

Its 1984 meets Star Wars but this time it will be ‘Attack of the Drones’. May the Force be with us all!

Shellshock – what you need to know.

A post from Advent IM Consultant, Dale Penn

Shellshock what you need to know!

INTRODUCTION

First of all what is the Shellshock software bug? Shellshock (sometimes known as Bashdoor) is a group of security vulnerabilities which were found in the Unix Bash Shell.

That can be pretty confusing for the average user so here is a small break down.

Unix is a term used to describe any operating system that uses among other things shell scripting and resembles the “Unix Philosophy” the most common of which are Apple’s OS X and Linux operating systems.

BASH - Shellshock

Apple….other fruits are available

Shell is a user interface to an operating systems services.

Bash Shell is the default shell on Linux and Apple’s OS X operating systems.

THE VULNERABILITY

Bash is a shell that allows a user to input on Linux , Unix and Apple’s OS X operating systems. This can be achieved remotely using network protocols such as telnet and SSH which are protocols used to connect to remote servers in order to facilitate some sort of communications. Therefore this vulnerability can be exploited over a network!

Also this vulnerability requires no authorisation to exploit and could impact on the Confidentiality, integrity and availability of your information.

As such the US Department of Homeland Security have given Shellshock a 10 out of 10 in vulnerability severity (CVE-2014-6271 and CVE-2014-7169)

Chet Ramey a senior technology architect at Case Western Reserve University in Ohio, has been maintaining the Bash open source project and believes Shellshock has been present in Bash for around 22 years and is due to a new feature introduced in 1992.

SO WHAT?

Shellshock was announced on the 24 Sep 2014 and within hours there were reports of machines being compromised using the Shellshock vulnerability.  These compromised machines were used by hackers to create botnets. Botnets are a network of compromised computers that can be controlled remotely by the hacker. Hackers can then use the botnet to carry out attacks. The most common of which is a Directed Denial of Service (DDOS) attack where the attacker uses the members of his botnet to make a request of a specific target. The aim being to flood the target with so many requests that the target is then unable to function properly.

On 26 Sep 2014 a botnet named “wopbot”, which was created using the Shellshock vulnerabilities, was reported to have been used to carry out a DDOS attack against Akamai Technologies and to scan the United States Department of Defence!

WHAT SHOULD I DO?

Home/Office Computers

If you are using Microsoft home or office operating systems then you do not need to do anything as this vulnerability does not affect Microsoft.  However if you are running Unix, Linux or Apple’s OS X you need to download and apply the latest patches without delay! Patches have been made available by several suppliers to remediate this vulnerability.

Mobile Devices

It is not believed that iOS or android is vulnerable to the Shellshock attack however mobile devices can be vulnerable if you have customised your device (Jail broken your Apple device or use customised ROM’s on an android device). If you customised your device than you should consider carrying out the following: 

  • For an Jail broken apple device there is an updated version of Bash available on Cydia
  • If you are using customised ROM’s on your android device the XDA developers site has a link to an updated Bash shell (4.3.30)

Other Devices

Do not forget that many household items also connect to the internet I one form or another. It is important to keep these updated also to ensure your information the best protection. Instructions on how to carry this out will come with your product instruction manual and should be relatively straight forward.