Five tips to avoid becoming a ransomware victim

Ransomware is one of the major threats computer users now face, even though recent reports suggest that many people don’t actually know what it is.

Delivered via spam or phishing emails that trick users into clicking on malicious links, ransomware renders computer systems, devices or files inaccessible and holds the victim hostage until payment is made, usually in the form of bitcoins.

“Victims are faced with the choice of paying up or losing all their valuable data forever. Unfortunately, this approach works for cybercriminals, because consumers and businesses are unprepared for their data — whether it’s a business’ intellectual property or family photos — to be taken from them with no hope of retrieval unless they pay,” says Usman Choudhary, chief product officer at ThreatTrack Security. “Understandably, nearly 1 in 3 security professionals at companies say they’d be willing to pay for the safe recovery of stolen or encrypted data, and that number jumps to 55 percent at organizations that have already been targeted. Meanwhile, your average home user feels as if they have no choice but to pay”.

To help IT pros ensure their organizations don’t fall prey to ransomware, the VIPRE antivirus team at ThreatTrack has issued five essential safety tips as follows:

1 Back up your data – External hard drives keep dropping in price and growing in capacity, so they provide an easy and affordable way to back up your data. There are also numerous cloud-based ‘set it and forget it’ options for automatically backing up your data to an offsite server. Backing up is by far the best do-it-yourself tactic you can take to protect yourself from being blackmailed.

2 Start a schedule – It’s good to back up your data but it needs to be done regularly to be effective. ThreatTrack recommends backing up your data at least once a week and, ideally, once a day.

3 Be aware of phishing emails – Employees need to be aware of the latest social engineering tactics being used to lure people into clicking on malicious links and attachments. There are many resources available that can help, including online tutorials and security awareness training services. Just sending out regular communications about the various tactics and terms used — spam, malware, spear-phishing, etc — will help employees become more vigilant about identifying phishing attempts.

4 Update your software – Ransomware authors often seek to exploit vulnerabilities in popular software applications. If you’re diligent about keeping applications up to date, you’ll minimize your exposure to potential attacks. Better yet, make sure that any applications that can be set to update themselves automatically have that feature turned on.

5 Keep work and personal data separate – A recent survey showed that nearly a third of IT security staff were asked to remove malware from an executive’s computer/device because they had let a family member use it. With so many people working from home it can be hard to separate work from personal life, but keeping these two worlds apart can go a long way toward protecting data and minimizing the impact of an attack.

If you are struck by ransomware, ThreatTrack recommends you immediately cut off any connections, shutting down your computer and disconnecting it from the network. While the damage to that system has already been done, you can help stop the spread of malware to other systems or devices.

Author: Ian Barker
Beta News
Original Publication Date: June 2, 2016
Intellectual Point is a Global Information Technology, Training, Consulting and Software Development Company. Intellectual Point provides professional hands-on computer and IT training as well as certifications to prepare you with the marketable skills and knowledge needed for today’s competitive job market.
  
Posted in General | Leave a comment
Posted in General | Leave a comment

How to protect data centre critical national infrastructure from cyber attack

 

Following on from the threats, how to secure the data center and the NCI is the next step. When it comes to the data centre, successful protection and operation of relies on understanding and managing people, processes, technology and the physical environment in which it operates, according to Catalin Cosoi, chief security strategist at Bitdefender.

“Continuous, reliable monitoring of a data centre’s operating parameters and regular vulnerability assessment are two very important protective measures, as well as data sharing between governments and industries regarding cross-sector risk analysis.”

Cyber security techniques used within the ICS industry can be adapted and applied to data centres, Ed Ansett, chairman at data centre design and MEP critical systems risk analysis company i3 Solutions Group, recently told CBR.

On the other hand, Ansett alerted to the fact that so far ICS cyber security knowledge is yet to be transferred to the IT and MEP engineers.

“Whilst some organisations begin to realise the threat and audit their data centres for Data Centre MEP Control Systems (DCCS) vulnerabilities the majority still remain vulnerable to cyber attacks,” he said.

As electric and nuclear power plants are hacked, the data centre industry has lessons to learn from these incidents.

According to James Maude, senior security engineer at Alecto, NCI shows the clear need for isolation and least privilege in terms of who is able to access the site’s IT systems. “It should not be the case that an attacker can gain access to critical systems via a phishing email attachment.”

He told CBR: “Allowing unknown content from the internet to execute in the same context as critical data or systems, especially those that are potentially vulnerable, is a recipe for disaster.

“Highly sensitive systems, such as data centres, should be air-gapped where necessary and no control systems should ever be directly public facing.”

Overall, protecting NCI comes down to critical security controls (CSC), a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence.

Some of the controls included in CSCs are inventory of authorised and unauthorised devices and software, secure configurations for hardware and software on mobile devices, laptops, workstations and servers, and malware defences.

When it comes to data centres specifically, the general approach to protection is one of ‘defence in depth’ by creating successive layers of security measures, such that the facility is protected by numerous security controls, designed so that the failure of a single group of protective controls does not necessarily compromise the entire data centre.

According to the CPNI, the protection approach should start with a threat and risk assessment, linked to an operational requirement the purpose of which is to ensure that the business needs are correctly understood.

These in turn allow a layered defence model to be derived from a rigorous analysis of security requirements driven by a formal risk and threat assessment model.

The protection strategy should take into account other key factors throughout its lifecycle from construction through to operational delivery of the business requirement and be reviewed regularly.

In the end, successful protection and operation of a data centre rests on understanding and managing
the complex relationship between people, processes, technology and the physical environment in which they operate.

However, speaking to CBR, Garry Sidaway, VP security strategy at NTT Com Security said that the risk of a cyber attack is not going away and critical systems such as SCADA and ICS are not becoming less vulnerable to attack.

“It is still very much the responsibility of the industry to continuously monitor and control its own systems and IT environment, train and educate its employees and do everything possible to reduce the risk of cyber attack.”

He said that the first step in controlling risk is to actually understand the current risk exposure across all areas of the business and prioritising the areas on which it is critical to focus.

Chris McIntosh, CEO ViaSat UK, told CBR that the security approach should be the same to all incidents no matter who is attacking.

“In order for companies to truly secure their infrastructure they need to start from the assumption that they have already been compromised to some extent and from there take the necessary actions and precautions.

“By ‘compromised’, I include situations where network devices (such as routers, hubs and gateways) have some form of malware or defect that has existed from before they were even installed into the network.

“This is known as supply chain contamination and there are many reported incidences of this kind of threat worldwide. Another type of inside attack is the either inadvertent or malicious activities of company insiders or employees.”

When it comes to actually merge the IT and OT infrastructure, such as ICS, this completely depends on the organisation’s security policies.

Says Jay Abdallah, EMEA director of cyber security services at Schneider Electric, to successfully merge the two environments, we need to understand the risk profile of each subsequent network.

“For example, the IT network is always deemed a high risk network due to its connection to the outside world, where the process network is assigned a lower risk,” he told CBR.

That said, however, the criticality of these networks is reversed. The process network has an extremely high criticality rating, whereas the business network has a moderate criticality rating.

Abdallah said that once an organisation identifies the risk and criticality ratings, followed by granular subsystem ratings, controls can be adjusted accordingly.

“Our top recommendation is to isolate the two networks from one another, but utilise the IT technologies in a secure manner wherever possible for update purposes.

“Endpoint protection updates, patch updates, or secure alarms / historian data sharing (unidirectional) are some examples of where these two networks can converge.”

These environments’ fragile state is also set to gain one more addition that will create a bigger security headache to all, including data centre operators.

With the appearance of M2M communications and IIoT, data centres are being geared with a whole new level of connectivity but at the same time attractive entry doors to hackers.

Abdallah said that putting sensors and other technologies on the critical infrastructure systems has not widened the attack vector for hackers any more than a system without the sensors in place would have, if done in a secure and controlled manner.

“The sensors and other technical security controls actually give plant administrators more visibility into their networks, which can significantly reduce the risk by cutting the incident response time drastically.

“These controls also add multiple layers of defence on the critical infrastructure components themselves, making the attack more difficult to carry out.”

In the case these attacks are indeed carried out, the end scenario could be one of death and high amounts of money and business lost.

An attack against a data centre has the power to spark chaos across any industry and even cause fatalities.

So said i3′s Ansett who has told the data centre industry that it still has a long way to go when it comes to making hubs downtime-proof.

“It is only a matter of time until failure in our industry starts killing people,” he said.

The loss or compromise of a major corporate data centre could have a disastrous economic impact or cause significant reputational damage across the economy as customers and trading partners are affected by the failure of the organisation.

According to the Ponemon Institute, the financial cost of a data centre outage in 2016 has shoot up 38% since 2010.

The average cost is now $740,357, or $8,851 per minute. In 2010, this was $505,502, representing $5,600 for every 60 seconds.

Between 2010 and 2016, the higher total cost of an unplanned outage rose from $680,711 to $946,788.

Fabio Invernizzi, Sales Director, Data Protection, Software, Dell EMEA, told CBR: “Recovery should be planned, predictable and controlled.

“Being able to recover data in a timely fashion is all based around ensuring that the chosen data protection platform complies to a key set of service levels (SLAs) based on the criticality of application and data.”

As the data centre industry expands its footprint, it is becoming ever more urgent that these national critical infrastructures get the needed recognition from all industries and governments in order to avoid a major scale future cyber disaster.

Author: Joao Lima
Computer Business Review
Original Publication Date: May 6, 2016
Intellectual Point is a Global Information Technology, Training, Consulting and Software Development Company. Intellectual Point provides professional hands-on computer and IT training as well as certifications to prepare you with the marketable skills and knowledge needed for today’s competitive job market.
  
Posted in General | Leave a comment
Posted in General | Leave a comment

How to choose the right security solution for your business

Last year, it seemed like we couldn’t get through a single week without hearing about yet another data loss. Breaches like TalkTalk and Ashley Madison,  increases in insider threats both accidental and malicious, and the rise of BYOD and remote working as the new normal have all combined to create the perfect security storm for every organisation with data.

As a consequence, the security technology market has and continues to grow and evolve based on these new threats. The worldwide cyber security market is set to hit $101bn in 2018 according to Gartner. With that huge a market and the slew of solutions available, choosing the right security solution can be as confusing as the variety of threats organisations now face.

So what are the key questions organisations should ask when deciding on new security technologies?

1. Are you expecting to grow, expand, merge or acquire? 

Almost all organisations, especially IT departments are tasked with doing more with less so costs will always need to be considered but it’s important not to consider them in isolation and not without thinking ahead. Every organisation will be different but if you can think about what you need right now and what you need in the short and medium term future, you can avoid some unexpected issues, and costs.

For example, if you’re a small start-up that is likely to quadruple in size in a year, you need to think about whether a potential security technology scales and if it does, what does the cost look like at scale? Many small businesses opt for software rather than hardware solutions but buying additional licenses, for example, can be an expensive business so providers who offer scalability and flexibility in terms of switching tariffs etc can be worth a small premium at the outset.

Most cloud and XaaS solutions offer great scalability and are often cheaper than on premise solutions but you need to consider the security implications and indeed the security record of your solutions provider and complete the due diligence of investigating what security provisions they have themselves as well as what back up and disaster recovery might be offered as part of that cloud security solution.

In addition, if you’re likely to get bought or buy or merge with another company, you might favour open technology that’s more compatible with other systems that you may need to integrate with at a later date.

2. Do you have a remote workforce? 

Employees now expect to be able to access information from anywhere, anytime and from any device. So much so that BYOD has now become the norm. But even without the challenges of BYOD, organisations will always have senior team members who travel and are expected to work while they do so, and IT teams will need to give them remote access to systems and secure any data on their mobile devices.

There are two key considerations around securing remote workers. Firstly, you need to ensure that the remote access to data on your network is secure. For this you’ll need some sort of Network Access Control (NAC) solution. And secondly, you’ll need to secure any data stored on a mobile device because mobile devices by their very nature present a huge data loss risk in terms of the devices themselves being lost or stolen. To combat losing the data on these devices, there are geo-location technologies that will track the device, technologies that can disable or wipe the data remotely and of course, there are also encryption technologies to consider.

3. Do you have offices in different locations?

Many companies have more than one location and as such, they need to consider how information is going to be accessed and shared among those locations. The main decision here is whether to operate a ‘mother ship’ approach whereby the servers and databases reside at one location and all other locations connect to this either through a WAN or a Virtual Private Network (VPN) or to go with a fully cloud based approach.

There are still security risks with the cloud but not necessarily more than on-premise risks and there can be considerable cost savings to the often huge CapEx associated with on premise hardware. Of course, there are also firewalls to consider and how solutions like anti-virus will be managed depending on which solution is chosen.

4. What kind of regulations do you need to consider? 

Depending on your location and industry, there may be strict compliance regulations that you need to adhere to that could impact what exact security solutions you choose. There are always compliance and regulations in sectors like banking, insurance, law etc, there is the HIPAA Act that protects the privacy and security of health information in the US and in Europe, the EU GDPR will come into force in just two years time which will see fines to the tune of 4% of global annual turnover doled out for data security breaches.

It’s imperative that any organisation does its due diligence not only about the regulations within their own industry now and in the near future but also the regulations within the industries they might wish to supply to. Otherwise, the benefits and features of the security solution you choose could be irrelevant very quickly.

5. Will one solution do or do I need a combination? 

You should consider what exactly you need to protect and not be afraid of using more than one provider. To use the example of securing remote workers above, there’s no point securing your network if you’re not also going to secure any mobile devices that connect to it – you might find a provider to secure both or two that specialise in each, either is perfectly acceptable as a strategy, you just need to understand how they will interact and ensure you’re not giving the IT department double the work.

Security is a complicated and ever-expanding business and realistically, it’s unlikely that you will find just one provider that will look after all your firewalls, antivirus, mobile, network access and back up and disaster recovery solutions. Consultancies and managed service providers can help to either advise what solutions can work together or even take most of the problems of resource away by offering outsourced security management with SLAs.

Once you have security technologies in place, there will be onboarding and there should be ongoing educational activity so that all employees understand their responsibilities in using the security solutions correctly and handing data carefully to avoid breaches.

But, before everything, before you even google ‘security solutions’, there’s a lot of upfront thinking to be done and a lot of questions to be asked before you’re really in a position to make an informed decision about what you need.

Author: Unknown
Computer Business Review
Original Publication Date: May 4, 2016
Intellectual Point is a Global Information Technology, Training, Consulting and Software Development Company. Intellectual Point provides professional hands-on computer and IT training as well as certifications to prepare you with the marketable skills and knowledge needed for today’s competitive job market.
  
Posted in General | Leave a comment
Posted in General | Leave a comment

MICROSOFT SHA-1 DEPRECATION FINAL COUNTDOWN BEGINS

The home stretch of Microsoft’s planned SHA-1 deprecation schedule has arrived. This summer, with the planned release of the Windows 10 Anniversary Update, users should see signs that the weak cryptographic hash function is being phased out. Microsoft said that once the anniversary update is rolled out, Microsoft Edge and Internet Explorer will no longer display the lock icon in the address bar for any site signed with a SHA-1 certificate.

Developers should see this happening soon in the Windows Insider Preview build, Microsoft said. Last November, Microsoft hinted that it would starting blocking SHA-1 signed TLS certificates this June, moving up its scheduled deprecation of SHA-1 by more than six months. By February 2017, Microsoft said last week, Edge and IE will block SHA-1 certs outright. “This update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program,” Microsoft said in an announcement posted by the Microsoft Edge team.

“Both Microsoft Edge and Internet Explorer 11 will provide additional details in the F12 Developer Tools console to assist site administrators and developers.” Cryptographers and mathematicians have been inching toward practical collision attacks against SHA-1 for close to a decade. Collision attacks happen when two separate inputs for a hash function generate the same hash, allowing an attacker to forge certificates and nudge malware and attacks onto systems as legitimate operations. Microsoft is not the only technology provider to steer clear of SHA-1.

Google, last December, announced its deprecation timeline and already by January of this year, users were seeing error messages displayed if Chrome encountered a SHA-1 signed certificate. It promises that by Jan. 1, 2017—or perhaps by the end of June coinciding with Microsoft’s early deprecation—SHA-1 will be blocked in Chrome. Mozilla is on the same Jan. 1 2017 timeline as well, after announcing in 2014 that it would no longer trust SHA-1 in Firefox. The accelerated timelines are a direct result of advances in SHA-1 collision attack research, nudging these attacks from the theoretical to the practical.

The final dagger came last October in a paper called “Freestart collision for full SHA-1” that describes how current attacks can be modified to drastically reduce the cost and time to arrive at a SHA-1 collision. The researchers estimated that their attack could, with modern cloud computing resources, be accomplished in fewer than three months at a cost of up to $120,000 USD. That’s a drastic reduction from a 2012 paper that projected a practical collision would be possible by 2018 at a cost of $143,000. Government or criminal organizations with any measure of decent funding could pull off this type of attack today, experts guess.

Collision attacks against MD5 have been demonstrated in the wild, forcing an accelerated deprecation of that hash function. The most notorious MD5 collision was pulled off by the attackers behind the Flame malware. They were able to leverage the collision to sign malware as if it were coming from Microsoft, and as a result, would be trusted. The Flame attackers used the forged Microsoft digital certificate to perform a man-in-the-middle attack against victims, impersonating the Windows Update mechanism and installing malicious code instead.

Author: Michael Mimoso
Threat Post
Original Publication Date: May 3, 2016
Intellectual Point is a Global Information Technology, Training, Consulting and Software Development Company. Intellectual Point provides professional hands-on computer and IT training as well as certifications to prepare you with the marketable skills and knowledge needed for today’s competitive job market.
  
Posted in General | Leave a comment
Posted in General | Leave a comment

Flaws in Samsung’s ‘Smart’ Home Let Hackers Unlock Doors and Set Off Fire Alarms

A SMOKE DETECTOR that sends you a text alert when your house is on fire seems like a good idea. An internet-connected door lock with a PIN that can be programmed from your smartphone sounds convenient, too. But when a piece of malware can trigger that fire alarm at four in the morning or unlock your front door for a stranger, your “smart home” suddenly seems pretty dumb.

The security research community has been loudly warning for years that the so-called Internet of Things—and particularly networked home appliances—would introduce a deluge of new hackable vulnerabilities into everyday objects. Now one group of researchers at the University of Michigan and Microsoft have published what they call the first in-depth security analysis of on such “smart home” platform that allows anyone to control their home appliances from light bulbs to locks with a PC or smartphone. They discovered they could pull off disturbing tricks over the internet, from triggering a smoke detector at will to planting a “backdoor” PIN code in a digital lock that offers silent access to your home, all of which they plan to present at the IEEE Symposium on Security and Privacy later this month.

“If these apps are controlling non-essential things like window shades, I’d be fine with that. But users need to consider whether they’re giving up control of safety-critical devices,” says Earlence Fernandes, one of the University of Michigan researchers. “The worst case scenario is that an attacker can enter your home at any time he wants, completely nullifying the idea of a lock.”

Unlocking Doors

The Microsoft and Michigan researchers focused their testing on Samsung’s SmartThings platform, a networked home system that’s in hundreds of thousands of homes, judging by Google’s count of downloads of its Android app alone. What they found allowed them to develop four attacks against the SmartThings system, taking advantage of design flaws that include badly controlled limitations of apps’ access to the features of connected devices, and an authentication system that would let a hacker impersonate a legitimate user logged into the SmartThings cloud platform.

In the most severe of their proof-of-concept attacks, the researchers found they could exploit SmartThings’ flawed implementation of a common authentication protocol known as OAuth. The researchers analyzed an Android app designed to control SmartThings services, and found a certain code—meant to be secret—that let them take advantage of a flaw in the SmartThings web server known as an “open redirect.” (The researchers declined to name that Android app to avoid helping real hackers replicate the attack.)
The researchers exploit that inconspicuous bug to pull off an intrusion worse than merely picking a lock: it plants a backdoor in your front door. First they trick a smart-home-owning victim into clicking on a link, perhaps with a phishing email purporting to come from SmartThings support. That carefully crafted URL would take the victim to the actual SmartThings HTTPS website, where the person logs in with no apparent sign of foul play. But due to the hidden redirect in the URL, the victim’s login tokens are sent to the attacker (in this case the researchers), allowing them to log into the cloud-based controls for the door lock app and add a new four digit PIN to the lock unbeknownst to the home owner, as shown in this video, sabotaging a Schlage electronic lock:

That malicious link could even be broadcast widely to SmartThings victims to plant secret backdoor codes in the locks of any SmartThings owner who clicked it, says Atul Prakash, a University of Michigan computer science professor who worked on the study. “It’s definitely possible to do an attack on a large number of users just by getting them to click on these links on a help forum or in emails,” says Prakash. “Once you have that, whoever clicks and signs on, we’ll have the credentials required to control their smart app.”

Bad Apps

The researchers admit that the other three of their four demonstration attacks require a more involved level of trickery: The attackers would have to convince their victim to download a piece of malware disguised as an app in Samsung SmartThing’s dedicated app store that would appear to simply monitor the battery charge of various devices on a SmartThings home network. The challenge there would be not just in getting someone to download the app but in smuggling an evil app into the SmartThings app store in the first place, a step the researchers didn’t actually attempt for fear of legal repercussions or compromising real peoples’ homes.

Due to what they describe as a design flaw in SmartThings’ system of privileges for apps, however, such a battery monitor app would actually have far greater access to those devices than SmartThings intended. With it installed, the researchers have demonstrated that an attacker could disable “vacation mode”—a setting designed to periodically turn lights on and off to make the owner appear to be at home—set off a smoke detector, or steal the PIN from the victim’s door lock and send it via text message to the attacker. Here’s a video demo of that PIN-stealing attack in action:

In a statement, a SmartThings spokesperson said that the company had been working with the researchers for weeks “on ways that we can continue to make the smart home more secure,” but nonetheless downplayed the severity of their attacks. “The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure,” the SmartThings statement reads. The company, in other words, blames the authentication vulnerability that allowed the addition of a secret lock PIN on the Android app the researchers reverse-engineered to pull off their redirect attack.

“Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp.”

It’s a Privilege Problem

The researchers say, however, that their attacks would still work today as well as they did when they first approached SmartThings; neither the Android app they reverse engineered to exploit the SmartThings authentication flaw nor the privilege overreach flaw itself has been fixed. And they argue that it would be tough for Samsung’s SmartThings app reviewers to detect the sort of malware they created. None of the battery-monitoring app’s malicious commands were actually apparent in its code, they say, and could instead be injected from the server that controls the app when it’s past that code review and running on the victim’s device.

They analyzed 499 SmartThings and found that more than half of them had at least some level of privilege they considered overbroad, and that 68 actually used capabilities they weren’t meant to possess.

“The code is set up so we can very nicely push in the malicious stuff,” says Fernandes. “But you’d have to explicitly be looking for that.” As evidence that SmartThings owners would actually install their malware, they performed a survey of 22 people using SmartThings devices and found that 77 percent of them would be interested in that battery monitor app.

The researchers argue that the more fundamental issue in SmartThings’ platform is “overprivilege.” Just as smartphone apps must ask a user’s permission for access to his or her location, a SmartThings app that’s meant to check a lock’s battery shouldn’t be able to steal its PIN or set off a fire alarm, they argue. In fact, they analyzed 499 SmartThings and found that more than half of them had at least some level of privilege they considered overbroad, and that 68 actually used capabilities they weren’t meant to possess. “It only takes one bad app, and that’s it,” says Prakash. “They really need to fix this overprivilege issue.”

The broader lesson for consumers is a simple one, says Michigan’s Prakash: Approach the whole notion of a smart home with caution. “These software platforms are relatively new. Using them as a hobby is one thing, but they’re not there yet in terms of sensitive tasks,” he says. “As a homeowner thinking of deploying them, you should consider the worst case scenario, where a remote hacker has the same capabilities you do, and see if those risks are acceptable.”

Author: Andy Greenberg
WIRED Magazine
Original Publication Date: May 2, 2016
Intellectual Point is a Global Information Technology, Training, Consulting and Software Development Company. Intellectual Point provides professional hands-on computer and IT training as well as certifications to prepare you with the marketable skills and knowledge needed for today’s competitive job market.
  
Posted in GeneralLeave a comment
Posted in General | Leave a comment

The Critical Hole at the Heart of Our Cell Phone Networks

The Critical Hole at the Heart of Our Cell Phone Networks

IN FEBRUARY 2014, the US ambassador to Ukraine suffered an embarrassing leak. A secret conversation between him and US Assistant Secretary of State Victoria Nuland got posted to YouTube, in which Nuland spoke disparagingly about the European Union.

The conversation occurred over unencrypted phone, and US officials told reporters they suspected the call was intercepted in Ukraine, but didn’t say how. Some people believe it occurred using vulnerabilities in a mobile data network known as SS7, which is part of the backbone infrastructure that telecoms around the world use to communicate between themselves about how to route calls and text messages.

A little-noticed report released by the Ukrainian government a few months after the leak gives credence to this theory. Although the report didn’t mention the ambassador, it revealed that for three days in April that year, location data for about a dozen unidentified mobile phone customers in Ukraine got mysteriously sent to a Russian telecom using SS7 vulnerabilities. Text messages and phone calls of some of those customers also got diverted to Russia, where someone could have eavesdropped on the conversations and recorded them.

The telecom industry has known for years that SS7 is vulnerable to spying, but did little about it because many assumed the risks were theoretical. This changed in the wake of the Ukrainian incidents, says Cathal McDaid, head of the threat intelligence unit for AdaptiveMobile, a mobile telecom security firm. His company and others devised ways to detect SS7 attacks, and since then they have discovered suspicious activity in the networks of multiple telecom customers, suggesting that SS7 attacks are very much real—and ongoing. AdaptiveMobile release a report in February highlighting some of those attacks.

SS7 is just now getting more public attention because of a 60 Minutes piece last week, which showed two German researchers using SS7 to spy on US Congressman Ted Lieu, with his permission. Lieu has called for a Congressional hearing to look into SS7 vulnerabilities, and the Federal Communications Commission has plans to examine it, too.

So what is SS7 and why is it so vulnerable?

SS7, a Primer

SS7, also known as Signaling System No. 7, refers to a data network—and the series of technical protocols or rules that govern how data gets exchanged over it. It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it’s a separate administrative network with a different function. Think of it like a passenger train system—SS7 is the maintenance tunnels workers use rather than the main tunnels through which passenger trains travel.

SS7 is often used now to set up roaming so that when you travel, say, from New York to Mumbai, you can make and receive calls and texts outside your carrier’s range. An outside carrier will send a request to your carrier via SS7 to obtain your phone’s unique ID to track your device, and also request that your communications be redirected to its network so that it can deliver calls and text messages to you. It’s a way of making sure calls and messages are delivered between networks.

The Problem

The problem is that SS7 is based on trust. Any request a telecom receives is considered legitimate. Therefore anyone with access to a server or gateway on the SS7 network can send a location or redirect request to your telecom for purposes of roaming, and the telecom will likely comply, even if the roaming request comes from St. Petersburg or Mumbai and you and your phone are in New York. This makes it possible for a remote attacker to spy on lawmakers, corporate executives, military personnel, activists and others. It should be noted that in grabbing your texts and calls in this way, an attacker will also be able to grab your two-factor authentication log-in codes that Gmail and other services send via text so you can access your accounts. An attacker who already knows the username and password for an account can intercept these codes before you receive them in order to log in to your accounts.

Who has access to SS7? Hundreds of telecoms around the world use it. Government intelligence agencies can also gain access to the network, either with the permission of telecoms or not. Commercial companies also sell SS7 phone tracking services to governments and other customers. Criminal groups able to purchase access from corrupt telecom workers can also use SS7, as can hackers who hijack unsecured SS7 equipment.

It wasn’t until December 2014 that telecoms began to implement ways to thwart SS7 attacks. That’s when Karsten Nohl of the Berlin-based Security Research Labs and an independent researcher named Tobias Engel gave presentations about SS7 at the Chaos Communication Congress in Germany, months after the Ukrainian incidents were discovered. Engel had demonstrated an SS7 method for tracking phones in 2008, but that method wasn’t as refined as the ones he and Nohl described in 2014. The latter prompted regulators in Northern Europe to demand that carriers there implement measures to mitigate SS7 attacks by the end of 2015.

“[T]he bulk of SS7 attacks can be prevented with technologies that are readily available,” Nohl told WIRED. “There’s a few cases that require more involved defenses that one could argue could take two years to implement… but at least the basic defenses [are] in most networks in Northern Europe and in many other networks around the world.”

Those fixes have apparently not been implemented by two vulnerable carriers in the US: T-Mobile and AT&T. Nohl and a colleague showed on 60 Minutes that both were still open to SS7 attacks. Verizon and Sprint use different protocols to exchange most of their data, so in theory are less vulnerable. But McDaid notes that all mobile networks will eventually migrate to a different signaling system called Diameter. That system “uses a lot of the same concepts and design as the previous SS7 network,” he notes, including the assumptions of trust that plague SS7.

How Exactly Can SS7 Be Hacked to Track You?

To track you, an attacker could send what’s called an Anytime Interrogation request to your carrier to get the unique ID of your phone and identify which mobile switching center (MSC) your phone uses—usually one MSC covers an entire city. Carriers use this information to determine your location to route your calls and messages through the cell tower closest to you. By sending repeated Anytime Interrogation requests to get this and your GPS coordinates, an attacker can track your phone, and you, to the street block where you are standing, using Google maps.

Carriers could thwart this by blocking Anytime Interrogation requests coming from outside their boundaries, Nohl says. But there are other ways to get location information using different queries via SS7, and these are not as easily blocked, he says.

This isn’t hypothetical. We know this kind of tracking exists in the wild. AdaptiveMobile’s report describes one SS7 tracking operation in which the attacker sent requests for location information from a number of systems. Requests to track the same phone customers came from SS7 systems around the world instead of from a single system—presumably to avoid suspicion, since many requests from one system would be more noticeable. These systems sent several hundred queries a day to track some phone customers, but only queried once or twice a day for others the attackers were trying to track.

“Obviously the more you use [a system to send requests], the more possibility that you give [yourself] away. But these are low-volume, high-value type of targets,” McDaid says. “As long as you keep these in low-volume, chances are these aren’t actually going to be noticed.”

Another operation in a European country that McDaid won’t identify tracked phones in the Middle East and Europe from systems installed at each of the European country’s four telecoms, suggesting the telecoms were complicit in the tracking. “That’s our assumption … if it is an espionage system or state system, they actually may not have much choice in the matter.”

Interception

Nohl describes three techniques for intercepting calls and texts using SS7. One he demonstrated last year for 60 Minutes Australia when he sent a request from Germany to a carrier in Australia requesting a politician’s voicemail settings be reconfigured to forward calls to Nohl. Networks could easily prevent this by only complying if the customer’s phone is in the region where the request originates, but few do this check, Nohl says.

Another method abuses a feature for rewriting numbers you call. If you’re out of the country, for example, and dial a number from your contacts list, the rewrite function will recognize that it’s an international call and automatically add the country code.

“[A]dding in the country code for instance is done by taking the phone number that is the ‘wrong’ number and sending back the ‘right’ number [with the added country code],” Nohl says. Convenient, right? But an attacker can tell the system to replace any number with his own. When calls arrive, he forwards them to the correct number, setting himself up a in the middle of the conversation to listen and record.

 A third way takes advantage of the fact that mobile phones are usually in sleep mode until they receive a call or text and won’t contact a network until then. During this time, an attacker can tell your carrier that you’re in Germany and any communication intended for you should be redirected there. Eventually, your phone in the US will wake up and tell your carrier where it is. But the attacker can send another message contradicting this. “As long as we do this every five minutes, there is only a very, very short time you will exclusively receive your calls or texts, and then all other times we will receive them,” Nohl says. You would later notice the roaming charges on your bill, but by then the damage to your privacy would be done.“It’s not the most elegant [interception method] because … you will have to pay for these roaming calls. But this one works really well,” he says.

What Can Be Done?

That kind of attack should be easy to thwart with an algorithm that knows it’s illogical for a subscriber to move back and forth between the US and Germany every five minutes. “But, again, nobody has implemented these smart checks,” Nohl says.

There’s not much you can personally do. You could try to protect your communications by using an encrypted service like Signal, WhatsApp or Skype, but McDaid says an attacker could send a request to your carrier to disable data use for your phone, preventing you from using these services.

“[S]o all you’re left with then is text messages and phone calls if you’re in an area with no Wi-Fi,” he says, leaving you vulnerable to an SS7 interception attack.

McDaid says that telecoms are working to thwart SS7 attacks, but most have addressed only the easiest methods so far.

“Now they’re in the stage of having to implement much more sophisticated types of firewalls and [algorithms] to try to detect and block the more sophisticated stuff,” he says. “They’re harder for an attacker to do, but also harder for defense to stop…. Believe me, it is being worked on.”

Author: Kim Zetter
WIRED Magazine
Original Publication Date: April 28, 2016
Intellectual Point is a Global Information Technology, Training, Consulting and Software Development Company. Intellectual Point provides professional hands-on computer and IT training as well as certifications to prepare you with the marketable skills and knowledge needed for today’s competitive job market.
  
Posted in General | Leave a comment

What is a VPN?

A VPN or Virtual Private Network is a network connection that enables you to create a secure connection over the public Internet to private networks at a remote location. VPN enables all network traffic (data, voice, and video) to go through a secure virtual tunnel between the host device (client) and the VPN provider’s servers, and is encrypted. VPN technology uses a combination of features such as encryption, tunneling protocols, data encapsulation, and certified connections to provide you with a secure connection to private networks and to protect your identity.

So, using a VPN connection offers a layer of additional protection in that your actual IP address is not stored across Internet servers to be later exposed in hacking or malware attacks. It also will protect you against a live sniffing attempt, especially if you use a public WiFi network.

Types of VPN 

VPNs differ by architecture, purpose of usage, and accessibility. However, the two basic types of accessibility are site-to-site VPN and remote access VPN.

Site-to-site VPNs

Site-to-site VPNs are used in the corporate environment. It ensures the safe encrypted connection of two or more local area networks (LANs) of the same company or of different companies. This means that two or more geographically separated offices are virtually bridged together into a single LAN and users can access data throughout this network.

Remote Access VPNs

Remote Access VPNs connect an individual computer to a private network. Remote Access VPNs can be divided into two groups:

1) Corporate VPNs

Corporate VPNs are ideal for business travelers and telecommuters to connect to their company networks and remotely access resources and services on the networks. When a user connects his/her device to the company’s VPN, the VPN thinks that the user’s computer is on the same local network as the VPN.

2) Personal VPNs

Personal VPNs provide consumers with the same private and secure connection as the corporate VPNs. However, instead of connecting private networks to access private resources, users utilize personal VPN services mainly to browse the web anonymously and to secure their web browsing sessions at public WiFi.

As mentioned above, personal VPN services are especially useful when connecting to a public WiFi network. Overwhelming majority of public WiFi networks are not secured. Using a VPN service, encrypts all your internet communications and provides you with the added layer of security making it more difficult for hackers to read and steal your private data

VPN Encryption

The Three Levels Of VPN Encryption

There are three mass market VPN encryption protocol

1) PPTP

2) L2TP

3) OpenVPN

PPTP

Point-to-Point Tunneling Protocol was developed by a consortium founded by Microsoft for creating VPN over dialup networks, and as such has long been the standard protocol for internal business VPN. It is a VPN protocol only, and relies on various authentication methods to provide security (with MS-CHAP v2 being the most common). Available as standard on just about every VPN capable platform and device, and thus being easy to set up without the need to install additional software, it remains a popular choice both for businesses and VPN providers. It also has the advantage of requiring a low computational overhead to implement.

L2TP and L2TP/IPsec

Layer 2 Tunnel Protocol is a VPN protocol that on its own does not provide any encryption or confidentiality to traffic that passes through it. For this reason it is usually implemented with the IPsec encryption suite (similar to a cipher, as discussed below) to provide security and privacy.

L2TP/IPsec is built-in to all modern operating systems and VPN capable devices, and is just as easy and quick to set up as PPTP (in fact it usually uses the same client). Problems can arise however, because the L2TP protocol uses UDP port 500, which is more easily blocked by NAT firewalls, and may therefore require advanced configuration (port forwarding) when used behind a firewall (this is unlike SSL which can use TCP port 443 to make it indistinguishable from normal HTTPS traffic).

L2TP/IPsec encapsulates data twice which slows things down, but this is offset by the fact that encryption/decryption occurs in the kernel and L2TP/IPsec  allows multi-threading (which OpenVPN does not.) The result is that L2TP/IPsec is theoretically faster than OpenVPN.

OpenVPN

OpenVPN is a fairly new open source technology that uses the OpenSSL library and SSLv3/TLSv1 protocols, along with an amalgam of other technologies, to provide a strong and reliable VPN solution.  One of its major strengths is that it is highly configurable, and although it runs best on a UDP port, it can be set to run on any port, including TCP port 443. This makes traffic on it impossible to tell apart from traffic using standard HTTPS over SSL (as used by for example Gmail), and it is therefore extremely difficult to block.

Another advantage of OpenVPN is that the OpenSSL library used to provide encryption supports a number of cryptographic algorithms (e.g. AES, Blowfish, 3DES, CAST-128, Camellia and more), although VPN providers almost exclusively use either AES or Blowfish. 128-bit Blowfish is the default cipher built into OpenVPN, and although generally considered secure, it does have known weaknesses.

AES is the newer technology, has no known weaknesses, and thanks to its adoption by the US government for use in protecting secured data and it is generally considered the gold standard when it comes to encryption.  Using a 128-bit block also means that it can handle larger (over 1 GB) file – an improvement over its predecessor.

Ultimately, the choice is yours; however, if you want privacy on the Internet then you need a VPN.

Intellectual Point is a Global Information Technology, Training, Consulting and Software Development Company. Intellectual Point provides professional hands-on computer and IT training as well as certifications to prepare you with the marketable skills and knowledge needed for today’s competitive job market.

  
Posted in General | Leave a comment

Cyber Security: Security Operations Center (SOC) vs. Network Operations Center (NOC)

Everyday cyber security professionals go to work without any idea about the identity and probable actions of their adversaries. In information security, just as on the military battlefield, if you do not understand the motivations, intentions and competencies of your opponents, then you cannot understand the risks to your enterprise or focus on your defenses.

Even after all the recent data breaches and hacking incidents, many people, companies and organizations still disregard major security protocols and fail to understand that cyber security is a discipline where cyber criminals and hacktivists are always a step ahead.

There are several ways by which a company or an organization defends against a cyber attack. Many companies have adopted the “monitor and response” strategy. This strategy recognizes that simply a signature-based defense won’t be effective against sophisticated targeted attacks. This generally takes place in a Security Operations Center (SOC) or a Network Operations Center (NOC). In most organizations the SOC and NOC run together, but separately.

There are some similarities between the role of the Network Operation Center (NOC) and Security Operation Center (SOC); however, often this leads to the mistaken idea that one can easily handle the other’s duties. This couldn’t be further from the truth.

So why can’t the NOC just handle both functions? Why should each SOC and NOC work separately, but operate in conjunction with one another?

First, the roles of SOC and NOC are subtly but fundamentally different. While it is true that both SOC and NOC are responsible for identifying, investigating, prioritizing, escalating and resolving issues, the types of issues and the impact they have are considerably different.

The NOC is responsible for handling incidents that affect performance or availability while the SOC handles those incidents that affect the security of information assets.

Both SOC and NOC are involved in risk management and risk mitigation; however, the way they accomplish this goal is different.

The NOC’s job is to meet service level agreements (SLAs) and manage incidents in a way that reduces downtime. It focuses on availability and performance.

The SOC, however, is in charge of protecting intellectual property and sensitive customer data – a focus on security.

While both of these things are critically important to any organization, combining the SOC and NOC into one entity and having them each handle the other’s duties can spell disaster – because their approaches are so different.

Another reason the NOC and SOC should not be combined is because their skill sets are different.

A NOC analyst must be proficient in network, application and systems engineering, while SOC analysts require security-engineering skills.

Last but not least, the very nature of the adversaries that each group tackles is different. The SOC focuses on “intelligent adversaries” while the NOC deals with naturally occurring system events.

These are completely different directions, which result in contrasting solutions. Consequently, both SOC and NOC are needed to work side-by-side but in conjunction with one another.

Our cyber security career track can help you get into the highly in-demand cyber security field.

* Get certified and get noticed
* Become a viable asset to potential employers by leveraging a higher degree of proficiency
* Remain relevant in the ever-changing job market

To learn more, contact us today: (703) 554-3827 or (571) 577-7890

Posted in General | Leave a comment

DevOps

What is DevOps?

We have added the DevOps training program to our extensive schedule this year.  When you go and look at what DevOps is, it’s a little unclear, there’s really no definitive answer to exactly what it is.  So what I have found and have concluded is that DevOps is a movement of sorts.  It emphasizes communication, collaboration and integration between software developers and IT operations.  Instead of looking at these two groups as independents, DevOps recognizes the interdependence of software development and IT operations and helps an organization produce software and IT services more rapidly, with frequent iterations.

 

The Definition of DevOps

DevOps is a new term emerging from the collision of two related trends.  The first knows as “agile system administration” or “agile operations”; derived from applying newer Agile and Lean approaches to operations work.  The second is an understanding of the value of collaboration between development and operations staff throughout all stages of the development life-cycle when creating and operating a service, and how important operations have become in our increasingly service-oriented world.

What it boils down to in my mind is that DevOps is around to make the systems side of technology to work smoother.  The people who are in DevOps are programmers, developers, and I think master problem solvers.  So get in where you fit in and take DevOps training.

To learn more on DevOps and our training, click here.

Posted in General | Leave a comment

Hottest & Most in-demand IT & Cyber Security Certification’s at your Fingertips!

With hundreds of successful hacking attacks on many corporate and government systems and networks, Cyber Security & Security training moves to the forefront in 2016. The Information Technology (IT) Security salaries are rising fast and IT Security is here to stay. An article published in Forbes magazine on January 2, 2016 stated that there would be “One Million Cyber security Job Openings in 2016.”  Click here to read more…

Here at Intellectual Point, we offer the hottest and most in-demand certifications in cyber security.  All our courses are Department of Defense (DOD) 8570.01M approved training course and we are certified by the State Council of Higher Education for Virginia (SCHEV).

Here are just a few of the hottest and most in-demand classes we offer:

  1. CompTIA A+, Network+, Security+ As an example of the importance of these courses, they are required by the Department of Defense in Directive 8570 for all IT employees and contractors. These foundation level courses provide the hard facts on how systems work in a network, and how to be aware of Security implications with port access, routers, cards, etc. Without this knowledge, you may be guessing as to how DNS, subnetting and other aspects of the LAN/WAN work properly.
  2. Certified Ethical Hacking (CEH) and Computer Hacking Forensics Investigator (CHFI). There are two kinds of organizations today, those that know they have been hacked, and those that don’t know they have been hacked. From the highest levels of Government agencies, to the smaller commercial businesses, hackers are stealing secrets every day. Huge numbers of State-sponsored hackers are working tirelessly to obtain your information and turn it over to their own government and businesses to compete in the world stage.
  3. CISSP and CASP Security is one of the major concerns of any organization. With hundreds of thousands of other country state-employed hackers working to obtain your sensitive information, security today is at a high level. Businesses make substantial investments in information assets, including technology, architecture, and processes. These assets are protected on the strengths of the professionals in charge.

We offer dozens of additional courses in the field of Information Technology such as, Cloud+, Amazon Web Services (AWS), and Certified in Risk and Information Systems Control (CRISC) – just to name a few.  Whether you want to start a career in Cyber security and Information Technology or you just want to change your career you can call us at 703-554-3827 or email us for additional information.  We will be happy to help you!

 

-Courtesy of Charlie Kafami  (Current Intellectual Point Student)

Posted in General | Leave a comment