Archive for the ‘Network Security’ Category

By William V. Burns

 October 27, 2014 

Secure your accounts

Secure your accounts

 In my previous blog post, I described a number of scenarios, in several different locations, that demonstrated risks to your banking. As they say, the Internet is a bad neighborhood. It is possible to safely use your banking resources even in such a sketchy environment. Just as you need to take physical precautions when you use money, you also need to take Internet security into account.

Let’s look at the precautions you can take to help reduce the risk in each of those places:

Right at the ATM you just left.

Skimming and shoulder surfing are two big threats here. Be familiar with your surroundings. If there is something different about the ATM, go inside and ask an employee about it, or delay your withdrawal and go to another ATM location. Don’t let people get close while you enter your PIN. In case something or someone is watching, make a habit of hiding your PIN entry with your other hand.

 Back at home, on your PC.

Phishing and malware are your two biggest threats. Phishing can be defeated by guarding your banking and personal information as zealously as you would the contents of all your bank accounts were they in an envelope. Don’t click on any link emailed to you. Never respond to any request, by phone, mail, email or whatever, that asks you to send them your password and account information. No legitimate institution will request that. Only use the bank’s website to logon, and don’t keep the password written down or on a file in the computer.

 Malware is a virus, or keylogging program, or a reconfigured web browser. Scan your PC for viruses and other malware often, using well-known software. Don’t ever download some security package at random from the Internet.

 Lock your session, or log out, from any machine you’re using, if you’re going to be away from it. Set your screensaver to lock automatically after a minute of inactivity. When you dispose of your system, make sure the hard drive has been destroyed properly.

 At the store, or the fuel pump, or the supermarket.

Skimming, shoulder surfing, employee copying of your info, the main protection is to either use cash or visit the same locations as much as possible and keep your eyes open. When traveling, you can buy some refillable VISA or gift cards to use at these places instead of your main bank card.

 Inside your smartphone.

You want to do your banking from your phone. In coordination with your investment app, your email app, and your text and Twitter and FaceBook connections, all your life is tied into one communications center. Here’s how to do mobile banking safely. Whether it’s a tablet or a smartphone, the only way to install an app is directly from your financial institution or via a link from that site. Don’t go to an application store directly and download an app, and especially don’t follow a link from an email or an unfamiliar website to get your banking app.

 Secure your mobile device. Keep it with you, make sure it automatically locks within seconds of idleness, password protect it, and make sure you have installed an app or method (some devices come with this feature install) to remotely disable it. Make sure you have looked up this method and made yourself familiar with it, before you have a lost device and have to spend precious minutes or hours trying to figure this out.

Don’t use public Wi-Fi connectivity for your mobile device. It’s far too easy to break into a mobile device using unsecured Wi-Fi. Use your 3G or 4G network. If your device doesn’t connect to such, ‘tether’ the device to your phone which does. If you feel you must use public Wi-Fi, never use your banking or other financial app while you’re connected.

Change your passwords often, at least one a month. This goes for your device, your apps, and if possible, your home Wi-Fi. Difficult? Yes, but with people phishing around for your information, it’s essential. If you have trouble keeping track of your passwords, I suggest a ‘container’ for all of them that’s much more secure than a sheet of paper or a text file (don’t use those), such as RoboForm, which manages and even creates secure passwords and stores them in an encrypted form. It’s about ten US dollars a year for the subscription, and is usable on almost every system or even a USB stick.

On the other side of the world, in a corporate server.

So you do your best. You become more aware of your surroundings, you update your PC, you are careful where you click and where you log on. But one day, you trust your financial information to a company or institution (school, another bank, your own bank, the government, etc.) and they lose it to a hacker.

What do you do now?

Learn the laws about your financial responsibility, and the financial institution, and the company that lost your information. Study this now, before you have such a loss. You may find that your bank, or the company that had the breach, has to make you whole. If you use a major credit card or a debit card with a VISA, MasterCard, or other major payment processor logo on it, you may be completely covered from loss.

In the immediate aftermath of a loss, call the bank or financial institution immediately. They may be able to reverse or replace the loss right then, or after a short period. Give them as much information as you can. Assume that all your other information is compromised, and change and cancel current cards as soon as possible and feasible.

Monitor your credit. Make sure you get an annual free credit report from the three major credit agencies, and see if everything on there came from you. You can also ‘freeze’ your credit files so nobody can use your identity to open new accounts of any sort unless you unlock it.

In short, use common sense, lower your amount of trust in strangers, read more about banking security (we link some excellent articles in the bibliography) and keep aware of risk.


 Bibliography:

CreditCards.Com – 8 Tips to Stop Banking App Fraud

Net Teller – Protecting Yourself from Online Banking Fraud

 Kaspersky – What is a Keylogger?

Fidelity – Protecting your mobile and online banking

RoboForm – Password Manager

Clark Howard – Credit Freeze and Thaw Guide

By William V. Burns

 October 27, 2014

Online Banking Risks

Online Banking Risks

 Withdrawing money from your bank or other financial institution triggers some sort of animal instinct in us; we feel a sense of satisfaction in handling the cash, followed by a quick look around for predators.

That look around was too late, and ineffective anyway. You have already been preyed upon. Oh the cash in your hand is safe enough, depending on how much crime there is in your neighborhood. Count it quietly and put it away. But check the balance on your ATM receipt. You see? Your balance is now zero.

 The predation was invisible and swift.

Where it could have happened?

 Right at the ATM you just left.

There is an entire criminal industry centered on defrauding people while they withdraw money. One widespread method is called ‘skimming.’ The criminal has a device, called a ‘skimmer,’ made by them or bought online on the darker side of the Internet, which looks like part of the ATM. They walk up, snap or glue it in place, and walk away. When you swipe your card in the ATM, the device reads your card information; it records you entering your PIN, and then transmits your bank information to the criminal who then uses that information to empty your account.

 Back at home, on your PC.

It looks like your bank sent you an email alert. There was a problem with your account! The email asked you to verify your banking information immediately or your account would be locked. You clicked on the link in the email and logged on to your account. You saw the words ‘account verified.’ You relaxed.That email wasn’t from your bank. It was from a criminal. You got phished.

 At the store, while buying something for yourself.

The ‘skimmers’ referred to above are also installed by criminals on Point Of Sale (POS) terminals in retail locations. There also exist for sale ‘dongles’ that can be surreptitiously plugged into the POS in line with the cable or in an empty socket – these dongles capture the information from your card purchase and send it to our criminal. They emptied your account.

 At the fuel pump.

Fuel pumps are big targets nowadays for skimmers. There’s also some fraud from clerks inside the station convenience store swiping your card twice; once on the machine, and the second time through a small card reader plugged into their smartphone. Got your money.

 In line at the supermarket.

You wouldn’t let a stranger lurk right behind you at the ATM or the fuel pump. They have no reason to be so close. It’s different in the supermarket checkout line, where we’re all just folks, pushing our food, booze, snacks, and cleaning supplies up against each other, fumbling at the little keyboard. The fellow leaning close is engaging in a ploy called ‘shoulder surfing,’ a bit of social engineering to grab your PIN. Your card number has already been compromised through him taking a quick digital picture with his phone. One email later, and his partner in Zaire withdraws your money.

 Inside your smartphone.

You download a new banking app for your smartphone, and load it up with your account information, routing number, and password. Unfortunately, the app was designed by a hacker, and they sold your information to a third party, who loots your account.

 On the other side of the world, in a corporate server.

You bought a nice pair of pants at this franchised boutique six months ago. You used your debit card. The corporation has a database with customer names, addresses, card numbers, and authentication data. After some hard work finding a security vulnerability in the boutique’s corporate server and exploiting this to gain access, a Russian hacker now has your account information, which he sells to another cybercriminal. Your account balance falls to zero shortly after.

 What next?

What can you do? How can you protect yourself when there are so many people after your money?

Sensible precautions are outlined in part two, which will follow shortly.


 Bibliography:

Krebs On Security – All about Skimmers

USNews – Is it safe to bank online?

Wall Street Journal – ‘Phishing’ Scams Cast Net on Mobile Banking

 Naked Security – 8 Tips for safer online banking

 Bankrate – Online banking: Is your Money safe?

by William V. Burns

October 24, 2014

You are a juicy, delicious phish. Allow me to explain. I am not referring to the jam rock band, the ice cream flavor from Ben & Jerry’s, or the homophonic wiggly gilled denizens of watery environments.

No, to a select group of individuals, you are far more valuable. You are a trusting person with a mouse. You click on things.

More precisely, you follow links in emails.

Now, I can’t really blame you. You were taught that behavior. ‘Click here’ was the mantra of the early Internet. Email was one of the prominent ways to spread links around.

*sound effects*

“You’ve got mail! Click!”

 Those times are now in the past, and it’s time for you, Mr. or Ms. Phish, to put the mouse down for a moment and let me explain about Social Engineering and Phishing.

phishing

Phishing – Pic from betacontinua on flickr

Social Engineering is the practice of abusing the usual trust folks have for other people in order to gain some advantage. Simply put, there are jerks out there that will lie to you and take advantage of your habits and tendencies to trick you into handing over your money, or your information, or your money and information.

One set of jerks, commonly referred to as ‘hackers’ or cybercriminals, go setting traps for you through email. They coined the word ‘phishing’ to describe the practice.

One way or another, these criminals harvest some likely consumer emails, known to be active, and associated with a known company, preferably one that has a financial relationship with you, especially a bank or online payment service such as PayPal.

Their next step is to set up a server which can host a webpage which looks like that bank or payment service, with a logon page or credentials confirmation page. The cybercriminals will set up temporary or even stolen hosting in order to create this site, which will collect people’s account and login information.

Then they go ‘phishing.’ A batch of emails is sent out, often through compromised or open mail relay servers, to thousands of harvested consumer email addresses, and these emails have a clean background, a logo, contact information, and overall look just like they came from (for example) your bank. Often the email will have language suggesting a sense of urgency:

A purchase was made using your card which may have been a fraudulent use.

Please log on to our site and verify your identity, or we will cancel your account

within the next six hours. Click here to verify your identity: link

 Pro tip: don’t click that link. Victims follow the link, end up on the criminal site, try to ‘verify’ their information, and enter it into the web page, which collects it for the ‘hackers.’

Millions of people every year fall for this trick. And why not? It looks like your bank is protecting your account.

How to stay safe:

  • Don’t click links in emails. Go to your bank or institution’s already-known email address, or call them. Don’t use the information from the email.
  • Sign up on your real institution’s website for a smartphone app (so you know you’re getting the actual app). Get your alerts and information from there.
  • Be less trusting about your email. If several of you at work have received the same ‘phishing’ email attempt, contact your company’s security office.
  • Learn more, stay up to date. Read some of the linked articles below for much more information.

There is a more focused version of this, called ‘spearphishing,’ where the cybercriminals have collected specific information about your company and tailor the emails and the collection site so they seem even more legitimate. If you’re considered a top person in your organization, you might even be the only person to get the email. This last version is known as ‘whaling,’ and is the most focused of all.

Don’t click that email link!


 Bibliography:

TechRepublic – 12 steps to avoid Phishing scams

 Kaspersky – Simple Phishing Prevention Tips To Protect Your Identity and Wallet

 Biztech – 10 Tips for Phishing Prevention

 InfoWorld – How to stop your executives from being harpooned

 About Technology – What is Whaling?

by William V. Burns

October 22, 2014

What is the Internet of Things?

The Internet is a network – a group of objects connected by an electronic medium. The Internet you are familiar with consists of clients, such as PCs, laptops, tablets and smartphones, that connect through cable modems, phone modems, wireless access points, or cellphone towers to a massive maze of switches, routers, backbones, and servers.

As mysterious and unknowable the Internet of today is to the average consumer, the upcoming Internet of Things will be much less familiar, and more pervasive.

…sensors and actuators embedded in physical objects—from roadways to pacemakers—are linked through wired and wireless networks… (McKinsey Quarterly – The Internet of Things)

The idea is for each important device and object to have its own presence on the Internet. Imagine your toaster, your refrigerator, your home security system, your car, your children’s toys, the doorknob on your front door, light bulbs… An endless list of network-enabled household items will be gradually purchased, installed.

The Internet of Things

How big is this going to get?

About 50 billion machines and devices could be linked by 2020 — Cisco Systems

IDC said the installed base of things connected will be 212 billion by the end of 2020, including 30.1 billion connected autonomous things — ZDNet

Estimates are disputed, but with all sorts of networking and Internet capabilities being built into consumer devices, including wearable connected devices, you can be sure that market penetration will be wide.

Is there a security threat to you, the consumer? Yes, but you can work to reduce the threat.

My fridge has been hacked?

Already in the emergent Internet of Things there have been scattered security breaches and attacks using the new infrastructure. The most infamous so far was recounted at Proofpoint:

The global attack campaign involved more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks.

There have been securirty camera hacks, baby monitors taken over, and social media accounts compromised. Mobile phones and other devices have been broken into and the photos stored on servers copied.

Hacking is the flashiest sort of attack, but a more likely assault on your own ‘things’ will be data theft, personal and financial information silently copied from network-attached devices you update yourself, or that your corporate ‘partners’ such as online merchants, banks, and even governments enhance with your data.

Some Fitbit users in the past have found statistics about their sexual activity posted online —Forbes

When are you away from home? Your security system knows. What is your medical history? Your smartphone fitness app knows. What medicines do you take? Your pill reminder knows. What do you buy? Amazon, and stuff you link it to, know. Who is your spouse? Who are you cheating on them with? Your personal calendar app knows. Who do you meet with? Where do you work? What is your bank account balance? What is your credit score? It’s all available, for good, or ill, in the Internet of Things.

Securing your ‘Internet of Things’

1) Find out what you have, be aware of what you buy, or your landlord installs.

Any powered-on item in your home, from power strips, light bulbs, thermostats, appliances, set-top boxes for cable, and personal items you connect to the Internet could potentially fall into this category.

Make an inventory.

  • If it’s older than 2012, and not wired to the Internet, or periodically dumped to your PC, leave it off the inventory.
  • If it is connected to the Internet and is not a PC of some sort, put it on the inventory.
  • If it is a ‘smart appliance’ – check the manual and specs to see if it is connected.
  • You need manufacturer, model name, date of manufacture, serial number.
  • Check on the Internet for technical specifications to see if the device is Internet-capable and what it does besides its major consumer duties. Your big screen TV might have a RJ-45 cable jack in the back, but if it’s not wireless, it’s not connected to the Internet.
  • Update the list of online devices whenever you buy or acquire something. Don’t forget gifts. That new BluRay player…
  • If you have a smartphone, you can download a network discovery app, change your connection on the phone to your wireless network, and then scan your network for connected devices. I use Fing.

2) Read the privacy agreement if they exist for these devices. You may find some surprising sharing of data with company ‘partners.’

3) Physically secure the devices. Get rid of any you don’t want or need. Make sure your hand-held and pocket and purse-held devices are password protected. If you can activate services where you can remotely disable them in the event of a theft, do so.

4) Register your purchases online to receive updates such as recalls or notices your data may have been compromised.

5) Situational awareness is key. Watch news and social media sources for information about current security vulnerabilities, hacks, and misuse of information. Don’t be an early adopter of new, untested technology or buy the latest shiny new gadget unless you’re technically adept enough to understand all its potential security issues.

6) Don’t volunteer or store potentially embarrassing or sensitive data on devices that connect to the Internet, if possible. Nude selfies, exercise information that includes frequency of sexual activities, banking info, passwords, pay level and retirement plans, etc.

7) Update your devices – security patches, anti-malware software, firmware updates – these are where your manufacturer fixes security issues as they find them.

The Internet of Things will bring many benefits: greater social interaction, better home security, easier access to medical and financial resources, and an interconnection that will enable social changes we cannot even forecast. With some precautions by the consumer, and increased security measures (already underway) by the manufacturers, this can be a positive development.


 

Bibliography:

 WhatIs.Com — Internet of Things (IoT)

 Forbes — World’s Top Privacy Experts Worry about Internet of Things

 Austin Business Journal — Behmann: How the Internet of Things promotes collaborative innovation

 TechCrunch — Convergence In The Internet Of Things Is Priming The Tech World For A Major Cultural Shift

 Cisco — Internet of Things (IoT)

 The Internet of Things Council — What is the Internet of Things?

 InfoWorld — What the Internet of Things really means

TechoPedia — Internet of Things (IoT)

 McKinsey Quarterly —The Internet of Things

room5 – IoT Expertise

 Forbes – Security and the Internet of Things

eSecurity Planet – The Internet of Things is a potential security disaster

ComputerWeekly – The Internet of Things is set to change security priorities

 Proofpoint – Proofpoint Uncovers Internet of Things (IoT) Cyberattack

 ZDNet – Internet of things: $8.9 trillion market in 2020, 212 billion connected things

 BusinessWire – The Internet of Things Is Poised to Change Everything, says IDC

How do you destroy or damage an oil refinery, a nuclear power plant, a municipal water system, a power grid, a natural gas pipeline, a sewage treatment plant or other vital infrastructure?

SCADA = Supervisory Control And Data Acquisition

This is a networked device used to monitor, control, and troubleshoot a piece of industrial equipment remotely. SCADA systems are a great money and time saver for large industrial plants. But right now they are also its weakest point.

SCADA Display for a Water Reclamation Station

SCADA Display – Water Reclamation Station

Attacking a SCADA installation may give a hacker partial or complete control over a valuable piece of infrastructure—the attacker can shut down devices, close or open valves, or issue commands that may damage or destroy assets controlled by the SCADA.

One attack dumped more than a quarter million gallons of sewage. Another hacker completely mapped out the South Houston water company’s SCADA vulnerabilities (including three-character passwords on devices).

The most famous SCADA attack is of course the Stuxnet worm, which slowed down the Iranian nuclear program, and which has infected more than 100,000 machines worldwide.

This video shows a 1 megawatt generator destroyed by a SCADA attack in a test by the Department of Homeland Security:

How do Hackers attack?

  • They research and exploit known vulnerabilites. Hackers develop ways to use vulnerabilities in SCADA software to add malicious code and take over the control system.
  • They achieve physical access. A suborned employee, a USB memory stick that’s been infected with Stuxnet, a quick hop over a chain link fence.
  • They get into the network. Wireless installations are notoriously easy to compromise. Many SCADA systems are hooked into the Internet with no firewall.
  • They use older vulnerabilities. Unpatched systems are particularly open.
  • If a hacker can’t use a vulnerability to gain control, sometimes they can use it to perform a ‘denial of service’ attack.
  • Malicious code can be injected into a system through its web-based interface. Directory traversal, SQL injection, even improper configuration of common server or workstation files, all these and more can serve a hacker’s purpose.

It is possible to reduce your risk from unauthorized incursions. Here are some steps you can take:

  • Document your SCADA installation thoroughly. Collect in a document (to be updated on a regular basis) important information on hardware components (servers, terminals, disk storage, applications vendor information, and versions), data stores (database names, schemas, and locations), network infrastructure (routers, switches, firewall configuration, network address schemes, connections to other networks).
  • Establish a change control management regimen. Make sure all patches and system changes are discussed before they are performed, that a risk analysis is present, and that changes are logged after being implemented. Keep current on system and software patches.
  • Control and manage access to the system. Create rules for access and how data is shared. Monitor, log, and periodically audit all access.
  • Build a perimeter. Disconnect from third party networks and the Internet. Discontinue use of wireless networks. Establish firewalls with strict rules between the SCADA systems and the intranet. Install software to monitor for malware and intrusions. ‘Harden’ your SCADA installation by turning off features such as remote maintenance. Consider the physical security of your systems as much as the electronic ones.
  • Prepare a recovery plan and accumulate whatever assets you need to rebuild your system quickly in a clean configuration in case of an attack.

SCADA allows the management of facilities that can cost hundreds of millions of dollars. It’s worth expending the time, money, and resources to protect them.

–William V. Burns

Sources:

Intro to SCADA:
http://www.icpdas.com/products/PAC/i-7188_7186/whatisscada.htm

Shodan
Here’s a site which explores how to find exposed devices: http://www.shodanhq.com/
It’s known as the “Google for Hackers”

SCADA Hacker
Vulnerabilities and their consequences:
http://www.scadahacker.com/howto.html

Tech News World
Securing SCADA Systems: Where Do We Start?
Patrick Sweeney
06/23/11
http://www.technewsworld.com/story/72731.html

Tofino Security Blog
Eric Byres
04/11/13
http://www.tofinosecurity.com/blog/securing-scada-systems-why-choose-compensating-controls

Network World
Lucian Constantin, IDG News Service
01/23/13
http://www.networkworld.com/news/2013/012313-securing-scada-systems-still-a-266077.html