Personal Security

How poor data-stripping can expose organisations to Spear Phishing attacks

A survey for the BBC has found that poor data-stripping on websites leaves in place information that provides valuable intelligence for Spear Phishing attackers. By not removing key metadata from published documents, organisations are handing potential attackers a doorway into systems that are otherwise well-defended.

This survey comes at a time when the number and extent of breaches continue to rise, with hacking reportedly accounting for 41% of disclosed breaches. At the same time, organisations are racing to comply with the General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018. With significantly larger fines in prospect, many organisations would do well to include data-stripping in their information security strategy, or risk being the unknowing victims of a sophisticated breach.

In the BBC’s research, target websites were ‘scraped’ for several days, with samples taken from files, pictures, PDFs, spreadsheets and other publicly available documents. The metadata retrieved during this process betrayed key information: the names of the people who created and last edited the files, when they did so, and the version of the software and the machine they used.

A data cache of this type is the perfect starting point for a sophisticated Spear Phishing attacker, who can relate the names buried in the documents to real people. Social media then supplies further detail on those individuals, and the more an attacker knows, the more convincingly the attack can be customised.

Emails are then sent which, to most recipients, appear authentic but carry booby-trapped attachments. In some cases the malware buried in an attachment will lie dormant until it reaches the device used by a particular target.

This is because Chief Executives and senior directors are rarely targeted directly. It is much more usual for their assistants or teams to be the first point of contact. These people are often in positions where they have access to company-sensitive information or records, as well as direct online access to the real targets. Sometimes even passwords are obtained this way, and all of this happens long before any breach is discovered. Emails requesting information will not, in these circumstances, be seen as suspicious, and once armed with the details an attacker can undertake a range of criminal activities, from re-directing payments to the criminals’ own bank accounts to holding the organisation itself to ransom.

It is, of course, wise to include searching your own public files for metadata, and stripping it out, as part of routine security. Many firms have a policy to this effect, but not all have the due diligence and process to carry it out: metadata has to be stripped at the point of publication, and files already on the website need to be re-checked, because a policy that only covers new uploads leaves the existing archive untouched. A public information search can also be included as a phase within a penetration test. Penetration tests conducted by qualified experts will provide intelligence on specific areas of weakness within a system, and if meta-searching and data-stripping are within the scope, the test will show how much of the company’s digital footprint is available for potential hackers to exploit.
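What the BBC’s scrapers were pulling out of published files, and what a stripping step looks like, is easier to see with an example. The Python below is an added illustration written for this page, not code from the BBC survey or from SRM. It builds a tiny constructed Office Open XML package (the title, author names, company and dates are invented), extracts the core and extended document properties from it, and then rewrites the package with those properties blanked and the zip entry timestamps reset. Only the standard library is used.

```python
"""Find and strip the document metadata that spear-phishers harvest from published files.

Office Open XML files (.docx, .xlsx, .pptx) are zip packages. The properties that name the
author and last editor, give timestamps and identify the software build live in
docProps/core.xml and docProps/app.xml. build_sample_docx() constructs a minimal package
with invented values so the example runs offline; it is not a real document.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ap": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# The fields a spear-phisher cares about: who, when, and which software build.
CORE_FIELDS = ["dc:title", "dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"]
APP_FIELDS = ["ap:Application", "ap:AppVersion", "ap:Company"]

# Constructed sample property parts (all values invented for this example).
SAMPLE_CORE = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Q3 supplier payment schedule</dc:title>
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>Jane Smith (Finance)</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2017-09-04T08:12:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2017-09-11T16:40:00Z</dcterms:modified>
</cp:coreProperties>"""
SAMPLE_APP = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS['ap']}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>14.0000</AppVersion>
  <Company>Example Holdings plc</Company>
</Properties>"""
# Empty property sets. Keeping the parts (rather than deleting them) leaves the package's
# relationship entries that point at them intact, so the file still opens normally.
EMPTY_CORE = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n<cp:coreProperties '
              f'xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}"/>')
EMPTY_APP = f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n<Properties xmlns="{NS["ap"]}"/>'


def build_sample_docx() -> bytes:
    """Construct a minimal .docx-style package in memory (sample data, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels",
                   '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
        z.writestr("docProps/core.xml", SAMPLE_CORE)
        z.writestr("docProps/app.xml", SAMPLE_APP)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


def extract_metadata(data: bytes) -> dict:
    """Return {field: value} for every populated property in core.xml and app.xml."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = set(z.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS)):
            if part not in parts:
                continue
            root = ET.fromstring(z.read(part))
            for field in fields:
                el = root.find(field, NS)  # prefix is resolved through NS, so app.xml's
                if el is not None and el.text and el.text.strip():  # default namespace matches too
                    found[field] = el.text.strip()
    return found


def strip_metadata(data: bytes) -> bytes:
    """Rewrite the package with empty property parts and neutral zip entry timestamps."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == "docProps/core.xml":
                body = EMPTY_CORE.encode()
            elif info.filename == "docProps/app.xml":
                body = EMPTY_APP.encode()
            else:
                body = src.read(info.filename)
            # Zip entry mtimes also leak editing times, so every entry is rewritten with a fixed one.
            clean = zipfile.ZipInfo(info.filename, date_time=(1980, 1, 1, 0, 0, 0))
            clean.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(clean, body)
    return out.getvalue()


def part_names(data: bytes) -> list:
    """Sorted list of parts in the package (used to confirm stripping kept the content)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def entry_times(data: bytes) -> set:
    """Distinct zip entry timestamps in the package."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {info.date_time for info in z.infolist()}


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", extract_metadata(doc))
    print("after: ", extract_metadata(strip_metadata(doc)))
```

Office formats are only one source: PDFs and images carry the same kind of information in their Info dictionary, XMP and EXIF blocks, and ExifTool (`exiftool -all= file`) covers those, with the caveat from ExifTool's own documentation that in a PDF the original metadata is only marked as deleted and remains recoverable unless the file is subsequently rewritten. The search half of the routine is the same extractor run over everything served from the public site, treating any populated field as a finding.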


How US internet giants are tackling the issue of GDPR compliance

It is rare that anyone feels much sympathy for the behemoths of the internet, Facebook and Google. But spare a thought for these giants when it comes to implementing the upcoming General Data Protection Regulation (GDPR). Due to apply to all organisations handling the data of individuals in the EU from 25th May 2018, the GDPR’s reach extends far beyond Europe itself, so that although US data protection laws are significantly less onerous, global companies will be compelled to fall into line. With fines of up to €20m (around £17m) or 4 per cent of global annual turnover, whichever is higher, even Facebook and Google are having to sit up and take notice. Yet the two companies are currently handling the issue of data protection very differently.

One of the rights GDPR strengthens is the ‘right to be forgotten’, the right to have personal data erased. Where an organisation relies on consent to collect personal information online, that consent must now be explicit and affirmative, meaning that ‘opt out’ boxes will be replaced with ‘opt in’. Individuals will also be able to ask for any personal data a company holds on them to be deleted, and details of what information is held must be easily available and free of charge.

Google has publicly stated that it will be ready. Two Google executives blogged in May that “Our users can count on the fact that Google is committed to GDPR compliance across G Suite and Google Cloud Platform service when the GDPR takes effect on May 25, 2018… We’re working to make additional operational changes in light of the new legislation, and will collaborate closely with our customers, partners and regulatory authorities throughout this process”. Given the scope of Google’s business this commitment will require detailed processes and significant investment, but it will no doubt have a beneficial impact on the organisation’s worldwide reputation.

Facebook has made no such promises. Having already landed in hot water when the European Commission fined it £95m for providing misleading information during its purchase of WhatsApp in 2014, it was also fined £129,000 by the French data protection authority in May 2017 over its data sharing and user tracking. In Italy, its acquisition WhatsApp was recently fined 3 million Euros for making users agree to share personal data with Facebook. In addition, Facebook is being investigated by authorities in Belgium, the Netherlands, Germany and Spain for data privacy violations around the tracking of users and non-users and the use of their data for advertising. All this is before GDPR takes effect.

Facebook’s seemingly cavalier attitude toward data protection is perhaps better understood in the context of the new American administration. On 3rd April 2017 President Trump signed a measure repealing the broadband privacy rules that would have restricted what Internet Service Providers may do with customer data. With those rules gone, ISPs in the United States are able to access and use all but the most sensitive personal information, and much of it is likely to be harvested and sold to digital advertisers. Yet as long as its reach is global, Facebook remains bound by the legislation in Europe, just like the rest of us. Mark Zuckerberg would be wise to embrace the change rather than fight it, because the cost of non-compliance will be immense.

Security by Design... a little thought can save a great deal of expense!

Security consultants talk about “Security by design”… and, to be fair, most of us believe in it! The trouble is that to much of the wider world it is, at best, an intangible aspiration and, at worst, a mindless industry cliché. As a result the benefits are often missed in practice. This is particularly true in many smaller organisations, where it is often seen as an expensive luxury.

There is a perception that cyber security is a complex technical issue beyond most normal folk. Whilst some aspects of it can be horribly complex, there are also powerful actions we can all take to make ourselves a harder nut to crack, regardless of our technical ability or our role in society or in an organisation.

The key is to acknowledge that we are not alone, and that our actions (or lack of them) influence the way potential attackers behave and the opportunities open to them. We can make a potential attacker’s job hard or easy, just as we can make ourselves appear an attractive target or make it clear that we are not worth the effort.

This is more than basic cyber hygiene (e.g. antivirus, passwords and firewalls; these are, I’m afraid, a given). It is about how we think and how we behave: specifically, how we set ourselves up, as individuals or as organisations.

For example, as individuals, rather than blindly carrying everything around on a laptop, we might decide that particularly sensitive information needs special protection and should be less available to an attacker: perhaps we save it on encrypted drives or USB keys and lock them up safely with our critical paperwork when they are not in use. In doing so we are applying the common sense and thought processes we use with our tangible belongings to our intangible ones, our information.

For larger infrastructures, a little thought about structure can give defenders a significant advantage over attackers. We can make sure that access to our systems is controlled and that everyone entering a system has to pass through, or over, areas that are closely monitored. If we are working on particularly sensitive information, we might choose to test our systems more frequently. We can seek to create an environment where we have the upper hand!

This logic isn’t new. Think of medieval spiral staircases, which were generally designed to favour a right-handed defender (though I note that in the fortresses of the Kerrs, an Anglo-Scottish Reiver family reputed to be mainly left-handed, the spiral allegedly went the other way! Someone had clearly thought about it).

If we treat our intangible and invisible information assets in the same way that we treat our physical valuables, then we can make things a lot harder for an attacker.

If we fail to control our own behaviour and our environment then we will undermine even the most effective (and expensive) technology. A little thought and common sense can save a great deal of expense.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

The Internet of Things and how your doorbell might just be attacking Amazon

We hear a lot about the Internet of Things (IoT) on the web nowadays, and the TV is full of adverts for central heating systems that you can control from your smartphone or tablet. There are Wi-Fi enabled doorbells that alert your phone when the postman is leaving a package at home, and IoT light bulbs and power sockets can be bought at your local DIY store too. It looks as though this is mainstream now, and not just for us techie blokes who like something new to talk about in the pub.

The big unanswered question at the moment is how safe these things are. There have been some horror stories about Wi-Fi enabled baby monitors exposing images of sleeping children to the world, and the recent case of the Mirai malware found on IoT devices demonstrates just how susceptible any internet-connected device can be to exploitation. In the Mirai case, malware was deployed to devices across the globe, and a large proportion of them appear to have been IoT devices. The malware was responsible for a huge Distributed Denial of Service (DDoS) attack aimed at the DNS provider Dyn on 21st October 2016. This in turn disrupted services as far and wide as Amazon, Netflix, PayPal, Twitter and GitHub. Serious stuff, then, but how on earth did this happen?

To the average user, these IoT devices are just appliances that you plug in and forget about, so how could they be turned into a threat? Well, by their very nature they are not to be thought of in the same way as my good old-fashioned Dualit toaster. These devices are small computers: programmable, network-connected and susceptible to malware in just the same way as your desktop machine. The same security precautions should be taken to ensure that they do not pose a threat.

The Mirai malware turns an infected device into a member of a botnet, a collection of compromised devices that can be directed together for various ends (the word botnet is derived from ‘robot’ and ‘network’). This piece of malware has been responsible for several DDoS attacks in the last 12 months, but the attack of 21st October seems to have been the most significant in size. It would appear that the number of infected IoT devices is on the increase, and there is strength in numbers; in fact, botnets rely on this.

So, what can be done? Well, it is often hard to tell if your webcam or doorbell has been infected, as it still operates as normal. It might get a bit temperamental at times (but don’t we all). It is important, however, to ensure that the firmware is updated regularly and that any default passwords and accounts are changed or removed on installation. Mirai spreads by scanning the internet for devices with Telnet exposed and trying a list of factory-default usernames and passwords; a device still running its factory credentials is simply logged into and taken over. It has been the advice of many security experts over the years, but now it really does hit home: remove or change every default account and password on a device before you put it into use, keep the firmware up to date, and make sure the device cannot be reached from the internet on management ports such as Telnet (23) or SSH (22) unless you genuinely need it to be. It might go against the grain to patch your doorbell or your webcam, but it might just be launching an attack on a global website whilst you sip your coffee. Food for thought indeed!
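The default-credential scanning described above leaves a very recognisable trace, and a defender can turn it to advantage. The Python below is an added example written for this page, not code from the post or from any Mirai analysis. It runs over a constructed Telnet honeypot log (honeypots record the credentials attackers try; a production device should never log passwords) and flags two things: which source addresses are working through credentials in a burst, and which of the attempted username/password pairs are factory defaults. The log format, addresses, timestamps and the short default-pair list are all assumptions made for the example; a real list should come from the device vendors’ documentation and from published botnet credential lists.

```python
"""Flag Mirai-style credential scanning in constructed Telnet honeypot log lines.

Two signals are extracted:
  1. a burst of login attempts from one source within a short window (a scanner), and
  2. the username/password pairs being tried, with those matching a known-default list
     called out, because those are the pairs to test against your own devices.
Everything below the docstring (format, hosts, addresses, default list) is constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Illustrative subset of factory defaults (an assumption for the example, not a vendor list).
DEFAULT_PAIRS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"), ("root", "admin"),
    ("root", "12345"), ("root", ""), ("support", "support"),
}

# Constructed honeypot log format: "<iso-time> <sensor> telnet-honeypot: login attempt src=… user=… pass=…"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) telnet-honeypot: login attempt "
    r"src=(?P<src>[\d.]+) user=(?P<user>[^ ]*) pass=(?P<pw>.*)$"
)

SAMPLE_LOG = """\
2016-10-21T11:10:01Z hp-01 telnet-honeypot: login attempt src=203.0.113.7 user=root pass=admin
2016-10-21T11:10:03Z hp-01 telnet-honeypot: login attempt src=203.0.113.7 user=root pass=12345
2016-10-21T11:10:04Z hp-01 telnet-honeypot: login attempt src=203.0.113.7 user=admin pass=admin
2016-10-21T11:10:06Z hp-01 telnet-honeypot: login attempt src=203.0.113.7 user=support pass=support
2016-10-21T11:10:07Z hp-01 telnet-honeypot: login attempt src=203.0.113.7 user=root pass=
2016-10-21T11:10:09Z hp-01 telnet-honeypot: login attempt src=203.0.113.7 user=admin pass=password
2016-10-21T11:12:30Z hp-01 telnet-honeypot: login attempt src=198.51.100.9 user=admin pass=admin
2016-10-21T11:40:12Z hp-01 telnet-honeypot: login attempt src=198.51.100.9 user=root pass=root
2016-10-21T11:41:00Z hp-01 telnet-honeypot: login attempt src=192.0.2.55 user=ops pass=Winter2016!
this line is deliberately malformed and must be skipped
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyse(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> dict:
    """Return scanners (>= threshold attempts within window), default pairs seen, and totals."""
    scanners = set()
    recent = defaultdict(deque)  # src -> timestamps of attempts inside the sliding window
    pairs = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        pairs[(event["user"], event["pw"])] += 1
        q = recent[event["src"]]
        q.append(event["ts"])
        while q and event["ts"] - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            scanners.add(event["src"])
    default_pairs_seen = {pair: n for pair, n in pairs.items() if pair in DEFAULT_PAIRS}
    return {
        "scanners": sorted(scanners),
        "default_pairs_seen": default_pairs_seen,
        "total_attempts": sum(pairs.values()),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("scanning sources:", result["scanners"])
    for (user, pw), n in sorted(result["default_pairs_seen"].items()):
        print(f"default pair tried {n}x: {user!r}/{pw!r}")
```

The second output is the actionable one: it lists the defaults being tried against your address space, so those are the pairs to test against your own cameras and doorbells, from inside the network, before somebody else does. The burst threshold is deliberately low because a human mistyping a password does not get through five attempts in a few seconds, whereas a scanner does.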

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

Promoting and Protecting your Identity

How much control is too much when it comes to social media?

Organisations spend millions on marketing campaigns in the hope and expectation of raising brand awareness and publicity. However, one seemingly innocuous tweet sent by an employee has the potential to give an organisation all the publicity and attention it could ever want, just with the spotlight focused in the wrong place.

Managing employee use of social media is a growing concern for organisations worldwide. Many social media platforms give users the option of stating where they work. If an employee shares this information, their behaviour may be taken as reflecting on their employer: it offers an insight into what kind of people the organisation hires and what it finds acceptable, and thus into its morals and culture. Essentially, this gives employees the leverage to make or break a brand’s image. The topic is just as important whether or not an organisation has a social media presence of its own; effectively, its employees create a presence by virtue of their own online activity.

In 2013, a single tweet ended Justine Sacco’s career as Communications Director of the New York-based internet company IAC. She posted the tweet before boarding an 11-hour flight to South Africa; it received over 2,000 retweets while she was in transit, and she had become an internet phenomenon before she had even landed. Sacco was subsequently fired by IAC, a move taken to protect its own brand image.

Sacco’s story is an extreme case, but the incident has become a byword for the need to be cautious about what one posts on social media. Even seemingly innocuous posts can do a lot of damage to an organisation’s brand image: complaining about working conditions could deter future applicants; posting sensitive information could affect the company strategically; and general online behaviour could reflect badly on the company’s culture.

Many social media users are now keen to add that “all views are my own”, but a disclaimer of this kind will not prevent your employer from firing you if you say something that reflects badly on it, and it will not stop people associating your views with your employer.

Social media policies are being introduced throughout organisations large and small, and we’ve listed a few things to consider when creating these policies:

  • Creating a safe space for employees to raise concerns goes a long way. Having an internal outlet for grievances reduces the chance that employees will air them online.
  • It is worth defining what is considered confidential or sensitive information. Assuming that all employees will simply know this is a dangerous assumption to make.
  • It may also be worth addressing illegal online activity. Warn employees against engaging in it, and remind them to respect others’ copyright and trademarks online, for both personal and professional purposes.