Category Archives: web security

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

JAN 2015

In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

FEB 2015

In February, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched a whitepaper on CCTV in schools, and we discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection.

MAR 2015

In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!). Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014, suddenly shot back up the blog statistics as people explored some of our older posts.

APR 2015

In April, law firms were in the sights of the ICO and we blogged about it, and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website.

MAY 2015

In May, Ransomware was on everyone’s radar, including ours. A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and common sense reveals the huge commercial benefits.

JUN 2015

In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no-nonsense post explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking about Attack Trees. A post that was also very well read came from Julia McCarron, who discussed the risk in continuing to run Windows XP.

JUL 2015

In July, Social Engineering was a key topic and one of our blog posts was very well visited: The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote with clarity about hacking Planes, Trains and Automobiles, as well as the coverage this kind of hacking was receiving.

AUG 2015

In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. Also in August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives, and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015

In September, TOR was in the press, sometimes as a hero but usually as a villain… well, perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive: The Ubiquitous Security Breach.

OCT 2015

In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read, but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach. Marks and Spencer were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015

In November, The Bank of England expressed some firm opinions on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defence material onto the notorious 4chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbour and EU DP Regulations were also extensively read in November.

DEC 2015

And finally, December… Well, the Advent Advent Calendar has been a festive fixture for three years now, so we had to make sure it was included and it has, as always, been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally, TalkTalk popped up in the news and in conversation again, as it emerged that Police had advised the firm not to discuss their breach.


‘Tis the season to be jolly… careful.

Thanks to Chris Cope for this look at Festive scams.

It’s that time of year when we all spend plenty of money buying presents for loved ones and, in a trend that increases year on year, many of these transactions are carried out online. Online transactions are worth millions of pounds to retailers and it’s no surprise that criminals are interested in trying to get a piece of that action. We posted earlier this week on the risks of trusting web sites that seemed too good to be true, or of not confirming the authenticity of the web page, as spoofing and outright mis-selling remain common tricks. However, some criminals are looking at another vulnerability: deliveries. For those of us who do order a substantial number of items online, the sight of the delivery driver bringing another box or parcel becomes a common one, as does the sight of the “Sorry we missed you” card posted through the letter box. Now it appears that some criminals are trying to exploit this element of online shopping. My wife received an email yesterday from what, at first glance, appeared to be a reputable delivery company. The contents of the email were, in summary, that a parcel was due to be delivered and the company had found no one in. Could we please complete the attached Word document and send it back to them to arrange an alternative delivery time and date? Seems straightforward enough, but on closer examination the attachment contained malware. Criminals are attempting to cash in on the sheer volume of such deliveries at this time of year, particularly when online retailers use a variety of delivery agents. With so many deliveries, it’s easy to forget how many parcels you have received out of the number you are expecting.

So how to protect yourself? Well, firstly, most retailers will state which company they use to deliver your items, so an unexpected communication should be treated with caution. Many delivery agents will leave a physical card if they miss you, so an unsolicited email that doesn’t match those details should cause concern. Naturally, keeping your anti-virus up to date is important; don’t ignore warnings that appear. Finally, check the email address of the sender. Some legitimate email addresses have been used in the past, but word of such cons quickly gets around. When we googled the email address of the sender, there were a large number of warnings from other victims. There really is nothing wrong with learning from the experience of others.

Sadly, at this time of year, in what should be a time of celebration, there are plenty of criminals who look to take advantage. Don’t become a victim: take a few basic precautions and enjoy a Happy Christmas.

CRIME OF OUR GENERATION – A Look at the TalkTalk Breach

A review from Advent IM Security Consultant, Chris Cope.

The TalkTalk hack has left another major UK business reeling from a cyber attack and customers angry as, once again, there is a possibility that sensitive information is now in the public domain. The telecommunications company decided to take its own website offline on Wednesday following the presence of unusual traffic, with a ‘Russian Islamist’ hacking group taking responsibility and the Metropolitan Police’s Cyber Crime unit now investigating. Details on precisely how the attack took place are not yet publicly available, but there are some points that are immediately apparent.

Customer security. The BBC is reporting that personal information and bank account details may have been stored in an unencrypted format and are now available to hacker groups. Some TalkTalk customers have complained about hoax communications already; it is likely that this is just the start. Customers will need to rely on TalkTalk to identify precisely which customers are affected, but in the interim they must monitor their bank accounts closely. Any suspicious activity must be reported to their bank immediately as potential fraud. When the TalkTalk website becomes accessible again, customers should immediately change their passwords, taking care to avoid passwords which are easily guessable.

Undoubtedly this is the crime of our generation, as more and more cyber attacks are reported. But organisations should not despair: it is perfectly possible to reduce the risk from cyber attack by following the basic security precautions contained within ISO 27001. These can be applied to any organisation, large or small. From what we know of the attack already, there are some specific controls from that standard which become immediately apparent:

  • Use of encryption. Many networks are designed to be hard on the outside but soft on the inside. Once an attacker gains access into the network, they can wreak havoc. The use of encryption is not the solution to all threats, but encrypting sensitive information is an important consideration. This will not prevent the initial attack, but the impact of a breach is hugely reduced. It’s also a practical option that the Information Commissioner’s Office would deem as reasonable, and its absence may be difficult to justify during any follow-on investigation. A good standard of encryption will make personal data unreadable to an attacker and at the very least will buy time for customers to make any changes to their account information they deem necessary.
  • Supplier security. In February of this year, TalkTalk reported that a third-party contractor, based in India, that had legitimate access to its customer accounts had been involved in a data breach. The use of suppliers is widespread and many organisations now off-shore certain practices for sound business reasons. But devolving the process does not devolve the responsibility, and organisations must make sure that their suppliers follow a suitable set of security controls that is consistent with their own. Included in this suite of controls relating to suppliers is the right to audit supplier activities and a joined-up incident management reporting structure. As further details on this incident emerge, it will be intriguing to discover how much TalkTalk knew of that incident and what steps they took to prevent follow-on attacks against their own network. No matter how secure a network may be, authorised connections from trusted third parties remain a very attractive route for attackers and they must be managed accordingly.
  • Defensive monitoring. The use of defensive monitoring will not prevent an attack, but it can help to radically reduce the impact. TalkTalk took the decision to take their services offline following the detection of unusual behaviour within their network. This is a brave call, and how much it will cost them in terms of financial or reputational impact is yet to be established. However, just how much worse could it have been without such monitoring? What if the first indication of the attack was when personal information was being publicly sold and exploited? There is a cost to effective defensive monitoring, but it is a cost often worth paying in order to lessen the eventual impact of a breach.

As the list of cyber attacks in 2015 grows again, and shows no sign of tailing off any time soon, organisations must look to their own defences. The threat is varied and very real. Cyber Crime is here to stay, but why make it easy for criminals to succeed? There are steps that can be taken to reduce the risks of compromise and the impact following an incident. Customers are now expecting higher levels of cyber security; if organisations wish to maintain their reputation, they should look to deliver it.

What is TOR?

An opinion piece post from Advent IM Consultant, Del Brazil

TOR is a freely downloadable service that assists in providing anonymity or improves privacy for users who wish to keep, among other things, their internet location secure. In essence it provides a defensive mechanism against traffic analysis and network surveillance, assists in protecting confidential business activities and relationships, and potentially assists in maintaining security. It can also be used to circumvent certain country restrictions such as the ‘Great Firewall of China.’

TOR operates through a series of virtual tunnels over a system of TOR relays (other TOR users) which together make up the TOR network. In essence, the more TOR relays (users) there are, the faster, more secure and more robust the TOR network is. TOR relays (users) can be Middle Relays, Exit Relays or Bridges, each with a distinctive role to play in the TOR Network. A Middle Relay passes internet traffic on to the next relay, whilst the Exit Relay is the final relay before any internet traffic reaches its destination. A user operating as a Middle Relay will have their IP Address masked and hence be hidden to the rest of the internet but visible to the TOR Network. A user or organisation operating as an Exit Relay, on the other hand, may be answerable to policing agencies, complaints or copyright infringement notices etc. for any illegal or objectionable activity that leaves the TOR network through their relay. TOR Bridges are vital TOR relays that enable users to circumvent censorship software deployed by various countries, to ensure that information is freely available or distributed to all persons.

It was developed by the US Department of Defense and is still used today by the US Navy for open source intelligence gathering, whilst some journalists use it to contact whistle blowers. A few organisations use TOR to allow their workers to connect to their home website while they’re in a foreign country, without notifying everybody nearby that they’re working with that organisation. For example, if you’re travelling abroad and you connect to your employer’s computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted. Some TOR users, such as research development engineers, journalists and seekers of democracy, are clear that their use of TOR is for legitimate purposes; however it is clear that criminals are frequently using TOR to conduct illegal activities. There are concerns from various organisations that TOR assists the criminal underworld in conducting illegal activities such as drugs, person or arms trafficking, child abuse or identity theft whilst remaining near enough undiscoverable. That said, there have been a few high profile convictions of persons conducting illegal activities whilst using TOR; this includes the Silk Road investigation, which resulted in the hidden underground illegal-drugs website being shut down in October 2013.

It has been reported that in the USA the NSA has attempted to target TOR users through cyber-attacks aimed at security weaknesses within various internet browsers. These targeted attacks only go to reinforce the necessity of ensuring that security measures are built into browsers, applications, operating systems, software and hardware, and are also updated on a regular basis.

There are a few security experts that have highlighted TOR as being the first step in attempting to remain secure against cyber-attacks; however, as attack methods and frequency increase, the likelihood of TOR remaining secure is rapidly diminishing. This will not deter some elements of the internet community from utilising TOR as they strive to remain anonymous whilst corporate and government surveillance increases.

Is there a future for TOR in the corporate or even the government sector within the UK? In the author’s opinion TOR is unlikely to be used in its current form, as it potentially throws up a multitude of questions as to why persons or organisations feel the need to conduct business behind ‘closed doors’. In this age where transparency and honesty go hand in hand, the use of TOR may invoke a distrusting attitude which can harm business opportunities despite the legitimate use of TOR. TOR does have its uses and in certain circumstances can assist with maintaining confidentiality whilst ensuring that freedom of speech is maintained. It is, as always, a fine balance between promoting a business whilst also protecting it, as even though the use of TOR is not illegal it may, if disclosed or later discovered, deter businesses or organisations from interacting with each other.

Targeting of “Western” Critical National Infrastructure and how we all play a part in its defence.

I have read several opinion pieces that suggest ISIS is planning a cyber-geddon style attack on “the West’s” Critical National Infrastructure (CNI). Given the current nature of warfare and the growth of cyberwar/terrorism this seems like a logical opinion.

From the inaugural FT Cyber Security Summit in June this year:

Countries are having to defend themselves against an increasing number of attacks on their information and communications systems from unfriendly states, terrorists and other foreign adversaries. NATO, for example, in June adopted an “Enhanced Cyber Defence Policy”, outlined in a public information document circulated by the 28-member intergovernmental military alliance at the conference.

“The policy establishes that cyber defence is part of the Alliance’s core task of collective defence, confirms that international law applies in cyberspace and intensifies NATO’s cooperation with industry,” states the document. Key aspects of the policy were discussed at the event, including the fact, reiterated by a member of the audience, that a digital attack on a member state is now covered by Article 5 of the treaty, the collective defence clause, meaning that NATO can use armed force against the aggressor.

We can all play a part in securing our CNI by securing our own networks and businesses to make them less likely to get used as mules or zombies to deliver this threat to our CNI. Back in 2011, Chatham House issued a report on cyber terrorism and one of its recommendations back then was:

Training and development of staff in cyber security measures should be seen as an integral part of risk mitigation strategies.

This says staff: not IT staff or security staff, just staff. This is because ‘cyber’ is a part of everyone’s day, with very few exceptions. Behaviour and culture have an impact on CNI security. Through supply chains we are all connected, and through our IP enabled devices, both at home and at work, these connections become ever more complex and exploitable. Part of the problem, as I see it, is a bit of a disconnect with security at the top of many of our organisations.

This is where culture is driven from and addressing this worrying knowledge gap is vital. Evidence for this lack of understanding comes from businesses themselves.

DDoS attacks cause an average jump of 36% in customer complaints

According to research commissioned by BT through Vanson Bourne, on average customer complaints to businesses increase by 36% in the aftermath of a Distributed Denial of Service (DDoS) attack.

It seems like a staggering uplift, but when you consider that in the UK alone the same research revealed that almost 60% of businesses admitted DDoS attacks had brought down their systems for six hours or more… a whole working day, it becomes less staggering. Around half (49%) of UK organisations do not have a response plan in place, so in actual fact the damage from a DDoS attack could potentially continue for a considerable period after the event. Add to that the reputational damage and you can start to see why it is so vital for businesses to really get to grips with what they are dealing with.

So if a DDoS attack takes out a network or possibly a data centre for six hours, and this is apparently increasing and becoming more sophisticated, surely this should be much higher up the boardroom agenda than it is? I recently read that cyber security ranked third in importance in boardrooms (KPMG). This initially seemed a little ambitious, to be honest. Though when I examine the statement more carefully… third in importance in the boardroom, so that means that of the businesses that actually have cyber security represented in the board room (alongside other business functions such as HR or Finance), it is averaging in third place. However, we know that around half of organisations don’t ever discuss Information Security at the top level of their organisation (Ponemon Institute). So effectively what we are actually saying is that we have a handful of organisations discussing this as a business critical function, but even they don’t have it as top priority despite the fact it could effectively be a deal breaker in terms of customers and reputation…


eBay User Data Breach

Our MD, Mike Gillespie was speaking on BBC Radio 5 Live and BBC Radio Scotland about this disastrous data breach. There will be audio files soon for those who want to hear his comment and advice. Watch this space.

Phishing

One of the facts that has emerged so far is that this hack was in fact enabled by a spear phishing attack. For those of you who don’t know what this is, you are not alone. One in four UK employees does not know what phishing is, and this major breach is a good example of why we have to get on top of security awareness training.

Phishing is when an untargeted, unsolicited email, purporting to be from a valid source such as a bank, invites you to click on a link or open a file. This is normally accompanied by some vague ‘issue’ such as suspicious account activity or the suspension of your account. Many of us can spot them on sight now, as they are usually unsophisticated and badly spelled, though this is starting to change. The payload is normally malware or spyware and might do anything from stealing logins or keystrokes to capturing financial details.

Spear phishing is targeted at specific individuals and is normally more carefully constructed, usually using some knowledge of them and with a specific purpose in mind. This may be access to a particular database, as it would appear in this case. The target may have been observed on social media or in person to establish some means of dialogue or to build trust. This will increase the likelihood of the email being opened and activated and therefore of the payload being delivered.

You may also have heard of Vishing, or voice phishing, which is probably best exemplified by the ‘Microsoft’ support call scam. This is when you receive a random call out of the blue from someone claiming to work in tech support for someone like Microsoft, who tells you they have identified malware or issues on your PC and that they need access to it to clear it up for you. They will get the target to open up their PC, normally by frightening them with stories of awful failures on their PC, and may go as far as getting them to open up the PC’s Event Viewer, which will show a few red flags or failures (which is normal); this will then be passed off as justification for the intervention: proof, if you like, of their timely intervention. This harmless activity is then used as the means of attack on an unsuspecting victim, and their system is made vulnerable as they open up their PC to get it ‘fixed’.

This last one, as well as being particularly cynical, is also a cause for concern for employees who work from home or are mobile. Training staff in what they should or shouldn’t do, regardless of their geography, has never been more important, as cyberspace has no geography.

This is an old visual we produced but it is particularly relevant given recent events, feel free to share it with your business.
