How poor data-stripping can expose organisations to Spear Phishing attacks
A survey for the BBC has discovered that poor data-stripping on websites leaves information in place which provides valuable intelligence for Spear Phishing attackers. By not removing key metadata, organisations are providing potential hackers with a doorway into systems which are otherwise well-defended.
This survey comes at a time when the number and extent of breaches continue to rise, with hacking reportedly accounting for 41% of disclosed breaches. At the same time, organisations are racing to comply with the General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018. With significantly larger fines in prospect, organisations would do well to include metadata stripping in their information security strategy or risk becoming the unwitting starting point of a sophisticated breach.
In the BBC’s research, target websites were ‘scraped’ for several days, with samples taken from images, PDFs, spreadsheets, word-processing files and other publicly available documents. The metadata retrieved from these files revealed the names of the people who created them, when they did so, and the software version and machine they used.
This type of data cache provides a perfect starting point for a sophisticated Spear Phishing attacker to relate the names buried in the documents to real people. Using social media, useful information on individuals can be obtained. The more information hackers can obtain, the better they will be able to customise their attack.
Emails are then sent which appear authentic to most recipients but which carry booby-trapped attachments. In some cases the malware buried in the attachment is written to stay dormant until it reaches the machine of one particular target.
Chief executives and senior directors are rarely targeted directly; it is much more usual for their assistants or teams to be the first point of contact. These people often have access to sensitive company information or records, as well as direct online access to the real targets. Sometimes even passwords are obtained this way, and all of it happens long before any breach is discovered. In these circumstances an email requesting information is not seen as suspicious, and once the attackers hold the details a range of criminal activity follows, from redirecting payments to the criminals’ bank accounts to extorting a ransom from the organisation itself.
It is, of course, wise to search your own public files for metadata and to strip it as part of routine security. While many firms have a policy to do so, the diligence and process to actually do it are not always in place. A public-information search can also be included as a phase within a penetration test. Tests conducted by qualified experts provide intelligence on specific areas of weakness within a system, and if metadata searching and stripping are in scope, the test can confirm that the company’s public digital footprint gives potential attackers little to work with.
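As an added example (not code from the BBC survey or from SRM), the following Python script shows both halves of the process described above: harvesting the author, machine and software-version fields from an Office document, and stripping them before the file is published. It assumes the OOXML container used by .docx, .xlsx and .pptx files, in which those properties live in the zip entries docProps/core.xml and docProps/app.xml; the document it builds in memory is constructed for the example and names no real person or company.

```python
"""Harvest and strip metadata from an OOXML document (.docx/.xlsx/.pptx).

Added example, not code from the original article. An Office document is a
zip archive; the author, last editor, timestamps and application version
that the survey describes live in two XML parts, docProps/core.xml and
docProps/app.xml. Both functions take and return the raw bytes of the
archive, so they can be run offline on any downloaded file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in the OOXML property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")

# Keep the original prefixes when the parts are re-serialised.
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def build_sample_docx():
    """Constructed sample for this example (no real person or company): a
    minimal .docx whose property parts carry the fields an attacker harvests."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        "<dc:creator>jane.doe</dc:creator>"
        "<cp:lastModifiedBy>FINANCE-PC-07\\j.doe</cp:lastModifiedBy>"
        "<dcterms:created>2017-11-02T09:14:00Z</dcterms:created>"
        "<cp:revision>14</cp:revision>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"])
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="%s">'
        "<Application>Microsoft Office Word</Application>"
        "<AppVersion>14.0000</AppVersion>"
        "<Company>Example Holdings plc</Company>"
        "</Properties>"
    ) % NS["ep"]
    body = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Q3 supplier payment schedule</w:t></w:r></w:p></w:body>"
        "</w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


def part_names(docx_bytes):
    """Names of the zip entries, used to check that stripping kept the body."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return sorted(zf.namelist())


def extract_metadata(docx_bytes):
    """Reconnaissance step: return every non-empty property as {name: value},
    e.g. {'creator': 'jane.doe', 'AppVersion': '14.0000', ...}."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in PROPERTY_PARTS:
            if part not in zf.namelist():
                continue  # some generators omit app.xml entirely
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                value = (el.text or "").strip()
                if el is root or not value:
                    continue
                found[el.tag.rsplit("}", 1)[-1]] = value  # drop the namespace
    return found


def strip_metadata(docx_bytes):
    """Defensive step: rewrite the archive with every property element emptied.
    All other parts are copied unchanged. Caveat: this covers docProps only;
    comments, tracked changes, custom.xml and EXIF in embedded images need
    separate treatment."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in PROPERTY_PARTS:
                root = ET.fromstring(data)
                for el in root.iter():
                    if el is not root:
                        el.text = None
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", extract_metadata(original))  # seven harvested fields
    print("after: ", extract_metadata(strip_metadata(original)))  # {}
```

To run this against a real download, pass `open(path, "rb").read()` to `extract_metadata`. Running the extractor over every file the web server exposes is the reconnaissance the survey performed; running `strip_metadata` in the publishing pipeline is the control. Note that PDFs keep the equivalent fields in the Info dictionary and XMP stream rather than in a zip entry, so they need a separate routine.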
How US internet giants are tackling the issue of GDPR compliance
It is rare that anyone ever feels much sympathy towards the behemoths of the internet, Facebook and Google. But spare a thought for these giants when it comes to implementing the upcoming General Data Protection Regulation (GDPR). Due to become law from 25th May 2018 for all organisations handling the personal data of people in the EU, the GDPR’s reach extends much wider than Europe itself, meaning that even though US data protection laws are significantly less onerous, global companies will be compelled to fall into line. With the capacity to impose fines of up to £17m or 4 per cent of global turnover (whichever is higher), even Facebook and Google are having to sit up and take notice. Yet the two companies are currently handling the issue of data protection very differently.
One of the main rights under GDPR is the ‘right to be forgotten’ (formally, the right to erasure). Where an organisation relies on consent to collect personal information online, that consent must be freely given and unambiguous, so pre-ticked ‘opt out’ boxes will be replaced with ‘opt in’. Individuals will also be able to ask for any personal data held by companies to be deleted, and details of any information held must be made available easily and at no cost.
Google has publicly stated that it will be ready. Two Google executives blogged in May that “Our users can count on the fact that Google is committed to GDPR compliance across G Suite and Google Cloud Platform service when the GDPR takes effect on May 25, 2018… We’re working to make additional operational changes in light of the new legislation, and will collaborate closely with our customers, partners and regulatory authorities throughout this process”. Given the scope of Google’s business this commitment will require detailed process and a significant investment but it will no doubt have a beneficial impact on the organisation’s worldwide reputation.
Facebook has made no such promises. It has already landed in hot water: the European Commission fined it £95m for providing misleading information during the review of its 2014 purchase of WhatsApp, and French authorities fined it £129,000 in May 2017 over its questionable data sharing and user tracking. In Italy, its subsidiary WhatsApp was recently fined 3 million Euros for making users agree to share personal data with Facebook. Facebook is also being investigated by authorities in Belgium, the Netherlands, Germany and Spain for data privacy violations around the tracking of users and non-users and the use of their data for advertising. All of this is before GDPR becomes law.
Facebook’s seemingly cavalier attitude toward data protection is perhaps better understood in the context of the new American administration. On 3rd April 2017 President Trump signed a resolution repealing the Federal Communications Commission’s broadband privacy rules before they took effect, leaving Internet Service Providers in the United States free to collect and use all but the most sensitive personal information without opt-in consent. Much of this personal data is likely to be harvested and sold to digital advertisers. Yet as long as its reach is global, Facebook is still bound by the legislation in Europe, just like the rest of us. Mark Zuckerberg would be wise to embrace the change rather than fight it, because the cost of non-compliance will be immense.
GoT2: What the Game of Thrones HBO ransom reveals about White Hat Hackers
As Game of Thrones fans watch the drama unfold in Westeros on their TV screens, corporations around the world are equally riveted by the now public battle for HBO’s data. The ransom message sent to Richard Plepler, CEO of HBO, not only sets out the attack team’s demands, complete with an image of the Night King to illustrate HBO’s options, but also reveals a great deal about the hackers themselves.
Identifying himself as Mr Smith, the spokesperson makes a few things clear. Although demanding an undisclosed number of millions of dollars, the ransom note, now being shared publicly on Facebook, states (in his own words): ‘Our motives isn’t political nor financial. (Even we hate trump like other Americans do). Its like a game for us, we enjoy to get data. Money isn’t our main purpose.’
Mr Smith is also at pains to distinguish himself and ‘his colleagues’ from the hackers behind the Netflix leak earlier in the year: ‘We are whitehat hackers and it’s very shameful if you compare us with some noisy & amateur blackhat ones like Darkoverlord’. The term ‘white hat’ comes from Western films, where the heroic cowboy wears a white hat and the bad guy wears a black one. It is now used as slang for an ethical hacker, or a computer security expert who specialises in penetration testing and other testing methodologies to ensure the security of an organisation’s information systems. Whether a group demanding millions of dollars in ransom can ever be described as ‘white hat’ is doubtful, although Mr Smith is at pains to disagree.
‘Don’t call us nasty Hackers, we are IT professionals, consider what is done to you as a huge pentest‘, he writes. In fact Mr Smith’s email reveals that ‘HBO was one of our difficult targets to deal with but we succeeded. (It took about 6 months)’. Keen to burnish his white-hat credentials, he continues: ‘You will see in future steps in our operation that we fulfil any promises made and any given word…The answer is simply: we are white-Hat. You must trust us. The HBO is our 17th Target. Only 3 of our past targets refused to pay and were punished very badly and 2 of them collapsed entirely’.
Ridiculing the ‘greedy CEO or an Idiot one who doesn’t understand the new era of cyberspace’, Mr Smith explains why his organisation has out-foxed a number of corporate giants. He asks, ‘How are you able to stop a group like us that spends about 400 – 500,000 dollars in a year to buy Odays exploits? We often launch two major operations in a year and our annual income is 12 – 15 million dollars. We are serious enough to do our business, the main question is: How much is your seriousness to keep your empire on its feet in a BRAVE NEW WORLD?’
Providing a leakage schedule, Mr Smith has given Richard Plepler three days to respond to the group’s demands and has warned against bringing in the FBI or ‘other f***ing IT idiots’: it is too late for that, he claims. Offering a simple choice between a Bitcoin transfer and the destruction of the HBO empire, he invites HBO to ‘declare your surrender!’ and decide between falling and standing as a media giant.
How HBO’s CEO feels right now is anyone’s guess. His situation is in some ways comparable to that of the warring houses of George R R Martin’s creation. For years they thought their enemies were each other, but they are now realising that the real enemy is one few of them have ever seen. Richard Plepler and HBO had probably considered their competitors to be their enemies, but now see that in this Brave New World of cyberspace the real enemy is also the unseen one; and on this occasion, one who claims to wear a white hat.
Instances like the HBO attack are, thankfully, rare, but the case brings to light a number of important points for CEOs everywhere. Firstly, do not underestimate the determination, ingenuity and skill of hackers. Secondly, conducting your own penetration tests and vulnerability assessments is preferable to having a hostile outsider do it for you. SRM has many years’ experience in all aspects of information security and has a team which is experienced and highly skilled in penetration testing, vulnerability assessments and ethical hacking. In short, we are the good guys; the real White Hat Hackers.
Security by Design.. a little thought can save a great deal of expense!
Security consultants talk about “security by design” … and to be fair, most of us believe in it! The trouble is that to much of society it is, at best, an intangible aspiration and, at worst… a mindless industry cliché. As a result its benefits are often missed in practice. This is particularly true in smaller organisations, where it is often seen as an expensive luxury.
There is a perception that cyber security is a complex technical issue that is beyond most normal folk. Whilst there are some aspects of Cyber which can be horribly complex, there are also powerful actions that we can all take to make ourselves a harder nut to crack… regardless of our technical ability or our role in society or in organisations.
The key is to acknowledge that we are not alone, and that our actions (or lack of them) influence the way potential attackers behave….and the opportunities open to them. We can make a potential attacker’s job hard or easy just as we can make ourselves appear an attractive target… or make it clear that we are not worth the effort.
This is more than basic cyber hygiene (eg antivirus, passwords and firewalls – these are, I’m afraid, a given) …it is about how we think and how we behave. Specifically, it is how we set ourselves up – as individuals or as organisations.
For example, as individuals… rather than blindly carrying everything around on a laptop, we might decide that particularly sensitive information needs special protection and should be made less available to an attacker… perhaps by saving it on encrypted drives or keys and locking it up safely with our critical paperwork when we are not using it. In doing so we are applying the common sense and thought processes we use for our tangible belongings to our intangible ones: our information.
For larger infrastructures, a little thought about structure can give defenders a significant advantage over attackers. We can make sure that access to our systems is controlled, and force everyone entering a system to pass through choke points that are closely monitored. If we are working on particularly sensitive information, we might choose to test our systems more frequently. We can seek to create an environment where we have the upper hand!
This logic isn’t new… Think of medieval spiral staircases, which were generally designed to favour a right-handed defender… (though I note that in the fortresses of the Kerrs, an Anglo-Scottish Reiver family who were reputed to be mainly left-handed, the spiral allegedly went the other way! Someone had clearly thought about it!)
If we treat our intangible and invisible information assets in the same way that we treat our physical valuables… then we can make things a lot harder for an attacker.
If we fail to control our own behaviour and our environment then we will undermine even the most effective (and expensive) technology. A little thought and common sense can save a great deal of expense.
Summer holidays: don’t take your eye off the PCI DSS ball
The summer months are traditionally a time when hard-working people take a break. Those left in the office can end up feeling over-stretched or less-motivated than normal. But it is not a time for anyone to take their eye off the ball. Visa has issued new advice on how to Play it Safe this Summer, emphasising once again that working with the right partners is ‘crucial to protecting the cardholder environment’ and ensuring that PCI DSS compliance is met and maintained.
Produced for the US market, Visa’s analogy is based on the principles of baseball but it goes something like this:
First base – follow secure procedures
Ensure that service providers follow secure procedures when using remote access to reach your environment. Service providers that access a merchant’s Point of Sale (POS) system remotely should also go through the QIR (Qualified Integrators and Resellers) certification program if eligible. This protects against data breaches and helps to facilitate compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Second base – change passwords
Change all default passwords to strong, unique passwords. The Verizon Data Breach Investigations Report (DBIR) found that 81% of hacking-related breaches in 2016 involved stolen and/or weak passwords. Visa’s advice is to require all employees to create complex passwords and to change them often; note that current NIST guidance (SP 800-63B) favours long, unique passwords, screening against known-breached lists and multi-factor authentication over mandatory periodic changes, so the emphasis should be on eliminating defaults and reuse rather than on rotation for its own sake.
Third base – ignore suspicious emails
Remind employees not to open suspicious emails or their attachments, and to report them to IT. The DBIR found that 1 in 14 users were duped into opening an attachment or following a link from a phishing email, and that ‘95% of phishing attacks that led to a breach were followed by some sort of software installation’. Informing employees about phishing schemes will help prevent security lapses in the future.
Home run – partner with a Registered Service Provider
Partner with a Registered Service Provider. Soha Systems Survey on Third Party Risk Management found that 63% of all data compromises involve a third party vendor. Service providers listed on the Visa Global Registry of Service Providers meet Visa’s requirements for validating compliance with industry security requirements. Using these registered providers helps to secure the promise of a trusted payment system.
PCI DSS – seek professional advice
Establishing an organisation’s exact PCI DSS requirements can be a complex business and professional advice should be obtained.
SRM is an accredited QSA Company. Our team of QSAs can conduct your PCI assessment to validate and maintain your compliance with the PCI DSS. We have a wealth of experience in helping companies understand not only how to comply but how to reduce the scope to make compliance each year as simple as possible. From understanding how to complete the SAQ document right through to full PCI assessments for FTSE 100 companies, SRM has the qualifications and expertise to complete the task in a robust and cost-effective way. We also have an established Retained Forensics service which identifies and mitigates the risk of a potential breach.