Tag Archives: hack

When is a hack all-white?

From Chris Cope – Advent IM Security Consultant

hacker_d70focus_1What’s the difference between a ‘white hat’ security researcher and a hacker?  As a general rule of thumb, if  someone discovers a vulnerability on your system and informs you (without undertaking any unauthorised or unlawful activity in the process) then a ‘thank you’ is generally considered to be in order.  There are numerous ‘white hat’ researchers who trawl software and internet sites, detecting vulnerabilities and alerting the appropriate owners or developers.  Many companies have benefited from a quiet advisory and it’s reasonable to suggest that without ‘white hats’, the policy of releasing software and patching later, adopted by many vendors, would be severely undermined.

advent IM data protection blog

oops there goes the sensitive data

So why is a white hat researcher, Chris Vickery to be precise, in the news?  Mr Vickery discovered a database on a website.  The website belongs to a company called uKnowKids, this provides a parental monitoring service for your technology savvy children.  The database contained an array of information that the company did not want to be made public, including in the words of the BBC ‘detailed child profiles’.  However, the company claims that the information was not personal data and no customer information was at risk.  Mr Vickery was able to access the data base and take screenshots, which were sent to the company as proof of the vulnerability.  However, rather than thank him, the company accused Mr Vickery of risking their continued viability and claimed that his access was unauthorised.  By Mr Vickery’s account, the database was in a publicly accessible area and had no access controls in place.

Since the notification, uKnowKids has patched the vulnerability.

So what can we take from this?  UKnowKids obviously intended for the database to remain private.  Under UK law, Intellectual Property rights provide protection for confidential information, but there is one pretty fundamental requirement – the information needs to be protected.  Placing a database on a publically accessible internet page, without protection is, however, akin to leaving a sensitive file in paper format on a train.  Organisations shouldn’t be surprised if information left in such a public and insecure state is read by unintended third parties. 

Before protecting information, an organisation needs to understand what information it holds, and what needs protecting.  Once that is established, there are a variety of means that can be used to protect it; physical controls on physical copies, labelling of information, educating staff so they understand the required handling measures and routine audits all form part of the basic protections required for all types of information.  For electronic information, then one needs to consider technical measures such as access controls and encryption.  When a database, containing sensitive information, must be placed in an area where it is accessible from outside the organisation, then access to it must be very carefully controlled.

iStock_000014878772MediumIn this instance, the reputation of a company, which holds intelligence on children, could have been seriously undermined if a hostile breach had occurred, even without the loss of personal information.  If personal information was lost, then the financial implications could have been severe; increasingly so as new EU legislation on data protection comes into effect.  So make sure that you fully understand your assets (including information) and what level of protection they require and, when designing controls, its important to ensure that the full range of counter measures, including physical, personnel, procedural and technical, are considered, properly implemented and integrated.  And if you do come across a publicly spirited individual who warns you of a potential breach in your security, remember to say ‘thank you’.

Advertisements

NASA hacking?

A post on allegations of NASA being hacked from Del Brazil of Advent IM

There have been allegations of numerous hacks into the systems controlled or operated by NASA. These have ranged from secret UFO files being accessed, through to drones being infiltrated and subsequently controlled by unauthorised persons.

Advent IM Cyber SecurityThis raises the questions about how secure the NASA websites, servers and systems are.  There are a whole host of individuals who claim to have hacked NASA including a 15 year old who is alleged to have caused a 21 day shutdown of NASA computers, through to an individual who claims to have found evidence that NASA has or is in the process of building ‘space warships’ and finding lists of ‘non-terrestrial military officers.’

The latest alleged hack involves the release of various videos, flight logs and personal data related to NASA employees.  This hack is believed to originally to have started over 2 years ago with a hacker paying for initial access; although it is not yet confirmed, it is fair to assume that this purchase would be associated with a NASA employee.  The hacker then carried out a ‘brute force’ attack against an administers SSH password, resulting in a successful compromise within 0.32 seconds as the password is alleged to have been still set to the default credentials.  Having infiltrated the system with an administrator’s Image courtesy of Master isolated images at FreeDigitalPhotos.netpassword the hacker was then pretty much free to navigate his/her way around various NASA systems collecting information as they went.  It’s not unusual to find CCTV systems and/or other Base Management Systems Administrator settings being still set on their default setting, what is unusual is to find that NASA has systems are potentially falling foul of this too.  There were also claims that one of NASA’s unmanned drones used for high altitude and long duration data collections had been partially taken control of during the hacking with a view to potentially crashing it in the Pacific Ocean.

The information claimed to have been obtained includes 631 videos of weather radar readings and other in-flight footage from manned and unmanned aircraft between 2012 and 2013 along with personal information related to NASA employees.  It is widely

Image courtesy of digitalart at FreeDigitalPhotos.net

image courtesey digitalart on freedigitalphotos.net

 

reported on the internet that the personal information obtained relating to the NASA employees has been verified by another media client, as they have allegedly attempted to contact those individuals by telephone; although it is further reported that no actual conversations took place and that verification was obtained from answerphone machines pertaining to those NASA employees.   There is no reports that the same media client has received any return calls from the alleged NASA employees nor is there any documented communication from NASA’s IT Security Division, the Glenn Research Center, the Goddard Space Flight Center, the Dryden Flight Research Center, the NASA Media Room or the FBI.

This is certainly not the first and won’t be the last alleged hack of NASA.  It is well known that there are a whole host of individuals who are continuously attempting to attack large organisations; whether their motive be criminal or just inquisitive you can be assured that any alleged successful hack will make headline news. Hackers are widely regarded as kudos- seekers; reputation and status hungry within their own fields and targets like this are very highly sought after.

Protected filesLet’s consider the sensitivity of the alleged data?  Any sensitive or ‘secret’ information is likely to be securely stored in a manner to prevent or at least deter any potential hacker; however no system is 100% secure and so there is, albeit very small a possibility that a hacker maybe successful.

NASA have responded by stating that ‘Control of our Global Hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations.’  So the old ‘he said, she said’ playground argument continues with neither party being proved or dis-proved but what we do know is that hackers will continue to attack high profile organisations for ‘Kudos’ status or bragging rights.

CRIME OF OUR GENERATION – A Look at the TalkTalk Breach

A review from Advent IM Security Consultant, Chris Cope.

TalkTalkThe TalkTalk hack has left another major UK business reeling from a cyber attack and customers angry as, once again, there is a possibility that sensitive information is now in the public domain.  The telecommunications company decided to take its own website offline on Wednesday following the presence of unusual traffic, with a ‘Russian Islamist’ hacking group taking responsibility and the Metropolitan Police’s Cyber Crime unit now investigating. Detail on precisely how the attack took place are not yet publicly available, but there are some points that are immediately apparent.

Customer security.  The BBC is reporting that personal information and bank account details may have been stored in an unencrypted format and are now available to hacker groups.  Some TalkTalk customers have complained about hoax communications already; it is likely that this is just the start. Customers will need to rely on Talk Talk to identify precisely which customers are affected, but in the interim they must monitor their bank accounts closely.  Any suspicious activity must be reported to their bank immediately as potential fraud.  When the Talk Talk website becomes accessible again, customers should immediately change their passwords, taking care to avoid passwords which are easily guessable.

Undoubtedly this is the crime of our generation as more and more cyber attacks are reported.  But organisations should not despair, it is perfectly possible to reduce the risk from cyber attack by following the basic security precautions contained with ISO27001.  These can be applied to any organisation, large or small.  From what we know of the attack already, there are some specific controls from that standard which become immediately apparent:

  • Use of encryption. Many networks are designed to be hard on the outside, but soft on the inside.  Once an attacker gain access into the network, they can wreak havoc.  The use of encryption is not the solution to all threats, but encrypting sensitive information is an important consideration.  This will not prevent the initial attack, but the impact of a breach is hugely reduced.  Its also a practical option that the Information Commissioners Office would deem as reasonable, and its absence may be difficult to justify during any follow on investigation.  A good standard of encryption will make personal data unreadable to an attacker and at the very least will buy time for customers to make any changes to their account information they deem necessary.
  • In February of this year, TalkTalk reported that a third-party contractor, based in India, that had legitimate access to its customer accounts had been involved in a data breach.  The use of suppliers is wide spread and many organisations now off-shore certain practices for sound business reasons.  But, devolving the process does not devolve the responsibility and organisations must make sure that their suppliers follow a suitable set of security controls that is consistent with their own.  Included in this suit of controls relating to suppliers is the right to audit supplier activities and a linked up incident management reporting structure.  As further details on this incident emerge, it will be intriguing to discover how much Talk Talk knew of that incident and what steps they took to prevent follow on attacks against their own network.  No matter how secure a network may be, authorised connections from trusted third parties remain a very attractive exploit and they must be managed accordingly.
  • The use of defensive monitoring will not prevent an attack, but it can help to radically reduce the impact.  TalkTalk took the decision to take their services off line following the detection of unusual behaviour within their network. This is a brave call and how much that will cost them in terms of financial or reputational impact is yet to be established.  However, just how much worse could it have been without such monitoring?  What if the first indication of the attack was when personal information was being publicly sold, and exploited?  There is a cost to effective defensive monitoring, but it is a cost often worth paying in order to lessen the eventual impact of a breach.

As the list of cyber attacks in 2015 grows again, and shows no sign of tailing off any time soon, organisations must look to their own defenses.  The threat is varied and very real.  Cyber Crime is here to stay, but why make it easy for criminals to succeed?  There are steps that can be taken to reduce the risks of compromise and the impact following an incident.  Customers are now expecting higher levels of cyber security, if organisations wish to maintain their reputation, they should look to deliver it.

Heartbleed – some info and some advice

If we can help then get in touch but here is some information for you. Advent IM Help and Advice for Hearbleed

 

Geography Lesson – a Cyber attack has no geography

stick_figure_pointing_north_america_image_500_clrThis morning’s security news bought the usual slew of stories on new products, advice and data breaches. One data breach that caught my eye was Maryland University. For reasons that will become clear I will be watching this unfold.

Maryland University has in the last few days suffered a massive data breach that has been characterised as a cyber attack. Normally I am wary of taking this at face value for the simple reason that language around security can sometimes be sloppy and someone using login credentials that that shouldn’t gets labelled as a cyber attack or hack. It is unhelpful and allows people to drift into the dangerous thought arena of ‘someone else’s problem, probably IT’…

This one is different because the university maintains it has excellent security and this this is unlike other breaches…

“Unlike some recent high-profile data breaches elsewhere, this university’s data breach did not occur as a result of a faulty preventative system or an IT mistake” said Brian Voss, the university’s vice president of information technology and chief information officer

 

The story is here if you would like to read it.

We will post any further developments that come to  light.

Image courtesy of freedigitalphotos.net

 

 

 

Sunday Times – Mike Gillespie on SME Cyber Security

Excerpt from The Sunday Times dated 16th February 2014

Small firms can be targeted for their clients’ data as well, said Mike Gillespie, director
of cyber research at the Security Institute, the industry body. “Look at the number of
small businesses that are suppliers or subcontractors to government and big business,”
he said.

 

Read the article in full here