Security Patches: One Step Forward, Two Steps Back


Security breaches, mass DDoS attacks, ransomware mutations. No question about it – the challenges to information security are constant and ever-changing. Over the past twelve months, InfoSec has had to deal with threats not only of a greater magnitude in complexity but also in sheer volume. So in our concerted, and at times hasty, efforts to keep up with all that’s out there, are we leaving ourselves exposed? Do we need to double-back and cover our tracks?

Fact is, there is a lot to keep up with, even for security super-heroes. Given the nature of the beast, we’re always looking forward, trying to keep up or gain a little ground to ready ourselves for the next challenge. But what about those “backdoors” we just closed?

Cleaning up after mass events like ShellShock/Bashbug and Heartbleed isn’t straightforward. Sadly, one patch does not fit all when there are multiple iterations of operating systems and devices. And the truth is – there just aren’t enough good people or hours in a day to comb through all the stuff out there to find and fix what’s at risk, much as we want to. Much as we need to. What happens next is inevitable. The adversary takes advantage, finds the hole, and builds exploits that we then must find and shut down in a series of blocks and tackles.

Here’s a recent case in point: Shellshock and QNAP. Shellshock doesn’t just impact servers. It impacts devices connecting to these servers through the internet: wireless access points, routers, smart fridges, video cams, webcams, even light bulbs. You can patch a server. It’s not so easy to patch a fridge. The real challenge has been to identify and patch all those different exposed devices. QNAP makes network attached storage devices that are popular world-wide. And therefore ideal targets for Shellshock exploits.

While QNAP did issue a firmware patch in October, Shellshock worm exploits were detailed later in December. The worm targeted a particular CGI script, /cgi-bin/authLogin.cgi, which could then be accessed without authentication. That would allow attackers to launch a shell script that could in future download more malware. Essentially, keeping the backdoor open.

One of the interesting things noted about this worm, per Kaspersky’s detailed write up, was that the script it made then downloaded and installed QNAP’s Shellshock patch. Yes! But in a move that was strictly territorial to keep other opportunistic attackers out.
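A defender’s view of the traffic pattern described above, as an added example that is not from the original post, from QNAP or from Kaspersky’s write-up: a small Python log scanner that flags requests carrying the Shellshock function-definition marker (in a header or a URL-encoded query string) and separately lists hits on the /cgi-bin/authLogin.cgi script named above. The log lines, source addresses and severity labels are constructed for the example.

```python
"""Scan web-server access logs for Shellshock-style requests aimed at a QNAP
CGI endpoint.  Added example for this post: the log lines below are constructed
and the severity labels are this example's own."""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

# The bash function-definition prefix that CVE-2014-6271 (Shellshock) mis-parsed
# when it arrived in an environment variable.  CGI servers copy request headers
# (User-Agent, Referer, ...) and the query string into the environment, so that
# is where the marker shows up in logs.  "\s*" also catches the "(){" variant.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# CGI script named in the post as the worm's entry point on QNAP devices.
WATCHED_PATHS = ("/cgi-bin/authLogin.cgi",)

# Apache/nginx "combined" log format.  Assumes header values contain no literal
# double quotes (Apache escapes them as \", which [^"]* would not handle).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (RFC 5737 documentation addresses).  The marker's
# command body is a harmless no-op; only the marker itself matters here.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Dec/2014:13:55:36 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "() { :; }; /bin/true"
198.51.100.7 - - [10/Dec/2014:13:55:40 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [10/Dec/2014:13:56:02 +0000] "GET /cgi-bin/authLogin.cgi?u=%28%29%20%7B%20%3A%3B%20%7D%3B%20/bin/true HTTP/1.1" 200 512 "-" "curl/7.38.0"
198.51.100.7 - - [10/Dec/2014:13:56:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
garbage line that does not parse
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert for a parsed entry, or None if nothing is suspicious."""
    path, _, query = entry["target"].partition("?")
    # URL-decode the query so a percent-encoded marker is not missed; headers
    # are logged as received and are checked as-is.
    candidates = {
        "query": unquote(query),
        "user_agent": entry["ua"],
        "referer": entry["referer"],
    }
    hits = [field for field, value in candidates.items()
            if SHELLSHOCK_MARKER.search(value)]
    if hits:
        return {"ip": entry["ip"], "path": path, "severity": "high",
                "reason": "shellshock marker in " + ",".join(hits)}
    if path in WATCHED_PATHS:
        # Not proof of anything: the login CGI is reached legitimately too.
        # Kept as "watch" so its access pattern can be reviewed next to the
        # high alerts above.
        return {"ip": entry["ip"], "path": path, "severity": "watch",
                "reason": "request to watched CGI script"}
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Scan whole log text, skipping lines that do not parse."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        alert = classify(entry)
        if alert:
            alerts.append(alert)
    return alerts


def hosts_by_severity(alerts: List[Dict[str, str]], severity: str = "high") -> Counter:
    """Count alerts of one severity per source address, for triage ordering."""
    return Counter(a["ip"] for a in alerts if a["severity"] == severity)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f'{a["severity"]:5} {a["ip"]:15} {a["path"]} - {a["reason"]}')
    print("high-severity sources:", dict(hosts_by_severity(found)))
```

On a real device the same check belongs in the web server’s log pipeline, with the `high` hits compared against the firmware version to confirm the patch QNAP issued is actually installed.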

Kaspersky advised that

“IT staff responsible for these devices’ security should apply patches themselves, or a worm will do it. At a price.”

I’ve followed up with QNAP, and nothing else has been issued. The onus is on the users to identify and patch their products. Need I say more?

It’s easy to lose track when the tyranny of the urgent sets our agendas for us. And it’s hard to be proactive when you’re busy fighting fires. But the fact is we need to keep watching those backdoors – because they don’t always shut completely.

This post was featured on DarkMatters, the security blog by Norse Corp

The lead illustration is an actual screencapture of Shellshock malware by MalwareMustDie.org, a whitehat security research workgroup

Why Encryption Matters: Political Insecurity vs InfoSec


You own your own security. Bottom-line, when it comes down to planning how to protect yourself and what is yours, that decision should belong to you. But that’s not what President Obama, UK Prime Minister David Cameron or French Prime Minister Hollande would have you believe after their exchange of inflammatory rhetoric last week. If these three global leaders have their way, rather than securing our freedoms in the face of terrorism, they’ll be restricting the safeguards we need in place, and opening the cyber backdoor to those threats they fear most.

It appears fear fuelled knee-jerk reactions following the horrific terror attacks in France. French PM Hollande called for tighter surveillance measures to potentially weaken and cripple encryption in France. That encouraged UK Prime Minister David Cameron to say he’d like to ban certain forms of encryption, impacting popular messaging apps like iMessage and WhatsApp. You can read this post by Cory Doctorow to get a shopping list of what they want to limit http://boingboing.net/2015/01/13/what-david-cameron-just-propos.html. US President Obama’s new Internet security proviso followed hard on the heels of Cameron’s call to outlaw encryption. Instead, they want to build “backdoors” into applications, that would allow government officials to have the ability to read all media and messages, and effectively give the state far more access and control over everyone else. But as Cory so aptly points out “there’s no back door that only lets good guys go through it.”

Official White House photo by Pete Souza

When Obama delivers his State of The Union address on January 20th, he’s going to make his case against encryption, and against the people in InfoSec who watch our backdoors constantly, identifying and tracking down threats from around the world.  There is a lot of money being made by people who can breach security, acquire our personal data, and sell it to the highest bidder.  The stakes are much higher when it comes to securing our critical infrastructure: power, water, communications, defense.  We have clear proof that those systems have already been targeted and penetrated.  Those systems are vital to our way of life, and deserve the best protection we can offer.

Rob Graham has written an excellent response to this in his blog, Errata Security, and he levels this warning: “The most important innovators this law would affect are the cybersecurity professionals that protect the Internet. If you cared about things such as “national security” and “cyberterrorism”, then this should be your biggest fear…This creates an open-door for nation-state hackers and the real cybercriminals.” http://blog.erratasec.com/2015/01/obams-war-on-hackers.html#.VL1RgkfF_p6.


Call me crazy, but I think we should listen to those who know a lot more than the rest of us think we do. Misguided Security warns “once this Pandora’s Box is opened, it’s going to be damn hard to shut and the talented people who do great research and help protect the public from people and organizations that are truly scary”. http://misguidedsecurity.blogspot.ca/2015/01/wi-fight.html Encryption keeps data safe, keeps identities safe, whereas backdoors and uninvited surveillance create risk.


These guys aren’t the hackers – they’re the ones that protect us from them.  Yet the term is dangerously misunderstood. Rob Graham explains “Because of our knowledge, we do innocent things that look to outsiders like “hacking”. Protecting computers often means attacking them.” There’s a diligent army of highly skilled folks working on our behalf out there, scrutinizing infinite lines of code to catch what we don’t want to have. They share what they learn in real time, a collaborative, co-operative and highly effective network. Given the opportunity, we really should be listening to them.

Thanks to the folks in InfoSec and the tools they use daily, I’ve watched botnets being launched by attackers from China. To see what is coming at us in real time just click on this link to a map by Norse: http://map.ipviking.com/


We need the freedom to innovate and explore technology so that it will serve us better. As Rob Graham points out, “Internet innovation happens by trying things first then asking for permission later. Obama’s law will change that.” How can we defend ourselves if we handcuff those who do? There’s currently a movement afoot within the InfoSec community to spread the word and explain the real value of encryption so that everybody understands they have a stake in this. (I admit, I may be owning one of these shirts myself).

Currently, this seems to be couched as a “tech” issue, with the political pundits throwing words around like “cyber”, “encryption” and “hacker”, terms that can easily be used in a campaign of fear-mongering by government policy makers to assume control. The assumption is that the average person will probably stop listening because they consider this out of their realm, so it doesn’t apply to them. But that couldn’t be further from the truth. This argument is not just about technology anymore. It challenges current standards of freedom and privacy, and within that, how we get to protect ourselves. And everything we hold dear. Isn’t that our decision to make?

Attribution: A Word to the Wise

It has been one month since the hack attack on Sony. Thirty days rife with speculation, hype and hyperbole that threw the press into a feeding frenzy. In early days it seemed temptingly easy to believe the attack was in retaliation by North Korea for an American comedy that showed their beloved dictator, Kim Jong Un, being executed. North Korea made an excellent villain as the story played out, and the extent of the damage done to Sony was revealed. For most people, the information as presented in the media made the decision for them: North Korea was behind the attack. But after reading a particularly relevant blog post by Misguided Security (http://misguidedsecurity.blogspot.ca/2014/12/doing-un-walk.html), I realized I needed to carry the message forward: not everyone is getting all the details on the Sony hack, and that is as damaging as the hack itself.

Let me admit my guilt here and now. I did believe that North Korea was behind the attack, setting the tone for one of my earlier blog posts.  While I still consider them an InfoSec menace, I’ve read and considered what other wiser, more informed minds had to say.  I’m very glad I did because now, in the true spirit of this blog, I can share what I have learned.

From the outset there were many within the InfoSec community who declared that there wasn’t enough proof that it could be North Korea. Over the past few weeks, that chorus of voices has steadily grown, and consistently put forth solid reasons to back their arguments, all the time asking for definitive proof to back the allegations that it was North Korea. It was a fair and rational stance, taken by a group of people who are dedicated to and experts on information security. More interested in promoting the truth than themselves, they put their reputations on the line to publicly dispute the assertions made by the FBI and high-profile press pundits.

These are people whose opinions I respect and trust, for good reason. They have years of experience tracking malware and real cyber threats. As events unfolded and coverage mushroomed, the CEO of TrustedSec showed the need for calmer heads to prevail when he said “Speculation backed with little facts …we need to be careful…” and then “We are using some strong words right now and need to back it up without a shadow of a doubt.” His sentiments were echoed by another cautionary voice in the InfoSec community: “We have to be careful on our rhetoric of war and blame, as these little comments can mean big things.” (Jericho).


There are now many excellent blogs and posts about the attack on Sony, and they all give compelling reasons why we should think before we jump on any bandwagon, in this case the one that North Korea did it. The best place to start is with a simple, factual chronology of events. I like this on-going post, started Dec. 5 by Risk-Based Security (https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/). It states, for example, how the now-infamous “Passwords” folder likely was created by the hackers, GOP, when they released the files, and not Sony. But perception is paramount in the blame-game, and unfortunately Sony found itself caught in the unforgiving glare of speculation. Deflecting negative publicity onto North Korea as the evil perpetrator could help serve as damage control, especially if they were portrayed as a threat to national security. That wasn’t hard to do given the current global concerns regarding ISIS and the Middle East.

It’s so easy to jump to conclusions, to see what we want to see.  But as the Sony hack has hopefully taught us, we need to take the time to make informed decisions, and especially to listen to those who challenge assumptions with facts.  Throwing around accusations without proof isn’t just foolish, it’s dangerous.  It’s a great way to make a bad situation worse.  When we know certain nation states are capable of irrational and unpredictable behaviour when provoked, levelling accusations requires more care and discernment.  As ‘Jericho’ says, “make sure you are educated about what has happened the last 30 days, and then try to be a voice of reason in this ugly mess.” Because given all I’ve read, attribution can become a weapon, and not necessarily one of choice.

My Top 10 List: So What Did We Learn in 2014


There is no question that 2014 has been a most eventful year for InfoSec – and that’s not necessarily a good thing.  Data breaches, malware attacks, compromised Point-of-Sales systems, more data breaches. And of course – the Sony hack. A lot of painful lessons have been learned, many at high cost. So as the year draws to a close, let me present my Top 10 List of what I hope we learned from this year of events we wish we could forget.

1. PATCH IT. Patch it good! System software patches are an integral part of keeping your business, and yourself, safe. Windows, Linux, Adobe, Oracle to name a few, all offer regular patches to cover those vulnerabilities that leave them exposed to hackers looking for a way in. Ideally, you should have a regular (i.e. monthly) schedule where patches are checked and updated. Another thing to remember: test patches before you apply them. Microsoft has had two terrible months in a row issuing then recalling bad patches, but not before inflicting some major headaches on those who already applied them. http://www.darkreading.com/application-security/time-to-rethink-patching-strategies/a/d-id/1318256?_mc=RSS_DR_EDT&utm_source=dlvr.it&utm_medium=twitter

2. THINK before you click that link. Phishing and malvertising have reached prolific levels, and are designed so well it’s easy for everyone to fall for the bait. The onus is on us to be certain we know and trust the sender before we open attachments or click on links. Visiting popular websites or social media hopping is an open invitation to a nasty case of malware because many of these destinations have now become choice phishing holes. Don’t get lured in. http://www.esecurityplanet.com/malware/dridex-and-email-a-nasty-social-engineering-team.html

3. Pass on that Password. This is your first and your best defence to secure anything of value.  Here is how to do it right. Ideally a length of 16 characters, with a mix of upper and lower cases, including numbers and special characters. Oh – and take a tip from Sony. Don’t file under “Passwords”. http://www.wired.com/2014/09/dont-get-hacked/?linkId=9521469

4. AntiVirus Protection. There are a range of options, and many good SOHO programs are even free, though I would strongly encourage paying more to invest in additional protection against cyber threats. And yes – you definitely need to have this on your phone & tablet. Mobile devices are targets of choice. Given how much of our lives we keep on our phones, why would you put that at risk? Finally, don’t rely on out-dated or lapsed programs. In the constantly evolving world of malware and viruses, yesterday’s solutions won’t cut it. Always keep your AV updated.

5. Breach Protocol 101. If you get breached, handle the situation correctly and professionally. Your customers deserve the decency of being informed as soon as possible to protect themselves and take appropriate action. As in the case of Home Depot, don’t make customers wait for the bad news. Because you can’t put a price on trust and reputation. http://www.theglobeandmail.com/report-on-business/international-business/us-business/home-depot-shares-drop-after-chain-investigates-data-breach/article20308768/?cmpid=rss1&click=sf_rob

6. Secure your SOHO tech. Especially routers. Update, upgrade.
http://blog.norsecorp.com/2014/12/18/millions-at-risk-from-misfortune-cookie-soho-router-vulnerability/?utm_content=buffer85c25&utm_medium=social&utm_source=twitter.com&utm_campaign=bufferrouter

7. WiFi Hotspots: Use with extreme caution! In this holiday season of travel and shopping, convenience may be king but letting your guard down isn’t worth it. Secure your tech first – ‘Free’ comes with a price. http://www.onguardonline.gov/articles/0014-tips-using-public-wi-fi-networks

8. Things aren’t so fantastic when you pay in plastic. This year has proven repeatedly that credit cards are not secure. But given that so much of our retail and online world runs on plastic, what can you do to stay safe? For starters, Always Check Your Statements. Be in charge of your accounts and know everything coming or going. Secondly, cover the keypad when you enter a PIN anywhere. Because there really are “eyes in the skies” that are waiting for you to enter the magic number.

9. You get what you paid for. When you buy pirated software and 3rd party apps, you often get a free gift-with-purchase, but trust me, it’s one you don’t want. Malware, browser hijackers etc. It’s a headache to hunt down and then remove these nuisance products. You’re better off paying for the real deal. http://www.scmagazine.com/pirated-joomla-wordpress-drupal-themes-and-plugins-contain-cryptophp-backdoor/article/385552/

10. Best for Last. HAVE A PLAN. When it happens – and it will – have a real Disaster Recovery/Business Continuity plan in place. According to expert Dejan Kosutic, “It is the combination of people and technology that keeps a business running, not computers only, and this is exactly why the concept of business continuity has prevailed in the last couple of years.” According to CISCO, “60% of Canadian businesses either don’t have a security strategy in place, or don’t know if their current one accounts sufficiently for change and evolution to effectively meet threats.” http://www.itworldcanada.com/article/majority-of-canadian-firms-not-prepared-for-cyber-threats-cisco/100226

And on that cheery note, let me wish you all a safe and successful 2015!

What We Should Learn from Sony’s Pain

It is THE biggest news story. Period. And it will be a story that will live on in the telling because it wasn’t just how it happened, it was why. The hacker attack two weeks ago on Sony was an unprecedented take-down of a global corporate giant by the Guardians of Peace (GOP), a group of cyber-terrorists operating from a small country across the globe.

By now, we all have heard the allegations against North Korea as being the power behind the hackers. North Korea is highly volatile, an unpredictable player in the current global theatre. That means their actions are more threatening. While there is no definitive proof, the code was written in Korean. Email messages have been sent from the GOP, a hacker group based in North (not South) Korea, demanding Sony take down the film ‘The Interview’ about assassinating leader Kim Jong Un. And then there’s the fact that in North Korea, a country known for austerity and deprivation, hackers are state-sponsored and treated as an elite group.


They clearly have no problems developing a very malicious form of malware that disabled or destroyed equipment. This type of malware may have been used before. “Shamoon”, as it was known then, hit 30000 computers in 2012 in an attack against the oil company Saudi Aramco, and then again in an attack against South Korea in 2013. Moreover, they were able to access and operate within Sony’s systems without detection for a considerable length of time. Sony is a private corporation, but what if this had been done to a major power supplier, water regulator, or another entity considered part of the critical infrastructure? Cybercrime becomes cyber-terrorism.

The economic costs to Sony will be staggering in terms of loss: equipment, intellectual property, confidential and personal data. Never mind the decimation of employee morale and company reputation. The hackers have been contacting families at Sony, telling them they must take their side or else. The GOP got their timing right, striking just before the Christmas release peak season, and they have brought Sony to its knees.

So what do we take away from this? Back in June, North Korea promised to “mercilessly destroy” anyone associated with the film. Did Sony not see this coming? Whatever they suspected, no provisions appear to have been made. Now, it’s damage control. And here’s the first lesson going forward for us all – as details unfold, they further expose the open wound and that can be more painful than the attack itself. In Sony’s case, it’s been revealed that they kept corporate passwords in a file called ‘Passwords’. Yes, I know. While that in itself didn’t facilitate the attack, it implies that Sony was careless, inviting further unwanted speculation.

And here is the second hard lesson: regardless of how good a defense companies put up against outside hacks, they’re only as good as their weakest link in the security chain, which more often than not is human error. In Sony’s case, that meant the problem could have come from within, as simple as someone unwittingly opening those carefully constructed security doors to let the attackers in. For all that companies train and advise their staff, they cannot control their every move or decision. Malware has become an art form in deception, reflecting the spectrum of human weakness.

My hard look at the bottom line: Sony didn’t know how the GOP would strike, but they knew they were at risk, and who the threat was. If this attack could be attributed to state-sponsored North Korean hackers, then current concerns being expressed for the safety of our critical infrastructure need more than words and firewalls. The onus was on Sony to secure their assets, ensuring what measures they had in place were effective. If due diligence is where we can all fall short, we need to close that door or risk more events like this.


A Nasty Case of Krab Web


It can happen to anyone. Suddenly, your computer screen is an explosion of pop-ups. You think you’ve clicked close only to have another pop-up take its place.  And then they start opening something you never agreed to. Frantically, you try to shut things down only to discover your cursor has a mind of its own. You try to Google what to do, and keep going to a site you’ve never heard of and don’t want. Welcome to the nightmare of a malware infestation.

MALWARE ATTACK! What Do I Do NOW?


I just spent some quality time cleaning a nasty case of Krab Web malware off a laptop. The user had no idea what the item she downloaded would come bundled with. So, let that be my first helpful lesson to you. Unless you download directly from the source, you are getting your downloads from a third-party distributor. The names are common, including biggies like CNET and Softonic. It isn’t that you can’t trust them. It’s that even they can’t trust what’s going into the mix. Your best bet is to forego the default installation choice and choose “custom”. Because when you just click and agree, a couple of pages will zoom past. You may think you agreed to another toolbar but you just signed on the dotted line for a dozen – no, I am so not kidding – a dozen or more annoying and even malicious programs that will take you where you do not want to go. By this, I mean sites where they are phishing for you and downloadable remote access bogeys lurk. But that is a whole separate posting of pain for another day.

STEP 1: Identify and Destroy

Let’s say you are on Windows. Open the Control Panel. Then, select Programs, then Uninstall a program. Try to bear with all the pop-up boxes and not click anything. Once the list of programs appears, click on the Date column to bring up items most recently added. You should see a list of at least 12 or so from when you did your download. Some will say “Optimizer”, some will say “Protection”, some will say “Best deals”. They are all bogus. You want NONE of them. Start by selecting each one and clicking Uninstall. You can agree to using the program’s own uninstaller to remove it. That’s normal. And the best way to get rid of them. Here’s what I tossed in the trash:

  • Remote Desktop Access VuuPC
  • PepperZip
  • Optimizer Pro
  • StormWatch
  • Search Protection
  • My PC Backup
  • Surfkeepit
  • eDeals
  • SPT System Updater Service
  • Word Prozer
  • HQ ProVideo
  • Fast Player

Yes, they may sound legit.  But they all had today’s date stamp, and some of them were particularly nasty malware/adware.  As the song says “Don’t Get Fooled Again!”

STEP 2: Remove Adware using ADWCleaner

You may be able to access your browser at this point. If you can, go to this site: ADWCLEANER DOWNLOAD LINK to download an effective Adware cleaner.

Follow the instructions and install. Click on the “Scan” button and then click “Clean”. You’ll have to reboot.

STEP 3: Remove program files with MalwareBytes

Now, you need a program to go after the virus, Krab in this case. Download MALWAREBYTES ANTI-MALWARE. Follow the prompts and install the free version.

If prompted, click the green “Fix now” box to start the scan.

You may be prompted to download updates. Click agree. The program will scan, you can watch the progress, and when it’s done you’ll be notified. The dangerous files will be quarantined, and expect to be asked to reboot. Say yes.

STEP 4: Clean your Browsers

You will probably notice a delightful lack of pop-ups this time. But you’re not in the clear yet. You need to clean your browsers now. Follow these steps as outlined.

If you use Internet Explorer, click on the gear icon in the top right corner for Settings. From the drop-down box, click Internet Options.

In the next box, click on the “Advanced” tab. Click on the “Reset” button. In the next box, select “Delete Personal Settings” and click “Reset”. When Explorer is finished, click Close.

For Google Chrome, click the menu symbol at the top right. Then, click on “Tools” and then “Extensions”.

In the Extensions tab, you’ll see Krab Web and other items, some of which you won’t recognize. Click on the trash can icon beside those you want to remove. If you didn’t install it, delete it.

STEP 5: Check the Spread

A note of caution: malware can spread to anything that has been physically connected to the infected computer, so you need to check any other devices you’ve plugged in, like USB or flash drives, tablets, or even your phone. Run a scan using your anti-virus and MalwareBytes. Trust me – you’ll be glad you did. Now you’re clean and protected. Surf safe!

** A big thank you to MalwareTips.com and their helpful site

Creating A Culture of Security


National Cyber Security Alliance

It’s been quite a year for Tech. And I don’t mean Windows 8 or iOS 8. We’ve seen a string of data security breaches – Target, Dairy Queen, Home Depot, each one netting more unsuspecting, unprepared victims. We’ve read about Chinese hackers letting themselves into our national security databases, like the National Research Council in July. And the world is still trying to patch the leaks on Linux following the discovery of Bashbug, impacting almost all servers that connect us to the internet, while hackers continue to exploit those vulnerabilities with malicious code and malware.

We don’t know what the next juggernaut coming at us from around the curve is going to be. Malware, data breach, system hack. Or worse. What we do know, based on recent events, is just how unprepared we are for something bigger. There’s a lot of finger-pointing going on, because it’s easy to resort to the blame game. Nobody wants to be held responsible for a disaster.  Especially not when a class-action law suit is likely to follow.  The costs of clean up are staggering. As are the costs of damage done and customers lost.  By all accounts, this is the road that should be less travelled. So how do we make that the case? How do we stop playing catch-up and get out in front of what comes next?


One:  we need to rethink the whole concept of security in our interconnected world. Corporate Security Officers and Chief Information Officers have a vital role to play in bringing together all levels of their organizations to support and follow security procedures. We can’t keep paying lip service. We need to create a culture of security from within, working together on a common goal to effectively put up a united front. While that is the objective, a chain is only as strong as its weakest link. Which leads to the next point.

Two: everyone has a role to play in managing security, and it starts with managing our own. Maybe you’ve heard the term “BYOD”? It means “Bring Your Own Device”, an increasing practice by employees in business. Laptops, mobile phones, tablets, flash drives. Portable data is how we live. It’s become how we do business. All this extra tech finds its way into offices every day. But businesses do not secure personal devices. For the most part, they can’t track them. The onus is on us as the owners of personal tech to ensure that we have installed adequate levels of virus and malware protection on our devices, and that we consistently perform regular security updates. As well as following safe practices online so we don’t get phished or download more than we bargained for. If we’re going to bring our devices into work, then we risk exposing all our co-workers, and the safety and integrity of our business, to whatever we do with those devices. That ounce of prevention we take as individuals really adds up because it’s a massive, costly undertaking to upgrade and repair systems in major organizations. Worse, any changes can take a long time to go through the approval process. And during a disaster, that is time nobody has.

Three: there is no absolute guarantee of protection. While we expect businesses and organizations to safeguard data and customers, it isn’t realistic. Human error and human fallibility will override whatever measures we put in place. Hackers work around the clock breaking through all the defensive measures currently in place, finding vulnerabilities we didn’t even know existed. Every mistake we make, like carelessly downloading files or not using antivirus software, gives them the advantage over us and believe me when I say they are watching and waiting for those mistakes. When we commit to our shared responsibility in maintaining our defenses, we commit to building a culture of security from within.

I’m not wearing rose-coloured glasses about how easy this will be. Effecting change is hard, and cultural change is the hardest process. However, we are falling behind in the war on cybercrime, and time is a luxury we soon won’t have.  Cyber espionage is already far more sophisticated and damaging than ever, and cyber warfare may bring a fight to our door that we are not prepared to win. There are a lot of very talented people watching our backdoor, who are telling governments and businesses what they don’t want to hear. We need to listen to those voices, heed their warnings, and start taking action now. Because what we do now will most definitely determine the outcome of what happens next.

Resources:
http://www.pcworld.com/article/2825032/linux-botnet-mayhem-spreads-through-shellshock-exploits.html
http://www.cio.com/article/2824268/data-breach/how-to-fend-off-data-breaches.html?utm_campaign=sflow_tweet#tk.rss_all

The Talk You Need to Have With Your Kids


Yes, it’s awkward. But the time has come to have “the talk” …  the talk about “dangerous celebrities” and safe surfing with your kids.

We know there are some warped individuals out there whose idea of fun is harmful, and without boundaries. Celebrity sites have increasingly become the target of hidden malware and online scams. Cybercriminals have found a new playground where they hide their poisoned code for unsuspecting visitors, many of whom are kids. Our kids.


The lure of reading the latest scoop on a big name celeb proves irresistible. Our kids think they’re visiting a site with pics and details about someone currently popular, someone all their friends will be talking about. Right now, Jimmy Kimmel is at the top of the hit list, with a one-in-five chance that a website linked to him will be laced with a nasty gift that keeps on giving: spyware, phishing, spam, adware, viruses and so on. One quick click is all it takes.

There is no turning back the clock on technology.  Our kids live in the same online, interconnected world that we do.  Protecting them means shielding them from harm but not from the truth. Not only do we need to become more aware and vigilant, but we need to teach kids the same skills to protect themselves, because we can’t always be with them. And they won’t always tell us where they’re going.


McAfee has some helpful starting points parents can work with on their blog.  These include:

  • Commit to having ‘the talk’: explain how downloads of photos and videos are at high risk of containing bad stuff like viruses.
  • Breaking news = red flag: don’t be tempted by the bait of some exciting new celebrity gossip. That’s what cybercriminals are banking on. Literally.
  • Protect your devices and identity: don’t use any device online without protection. That means installing anti-virus/anti-malware programs on all computers, tablets and phones. Choose what’s right for you and your budget.
  • Stay on the main road: if you want to see something online, use YouTube or Vimeo so you don’t have to download. Because if it says “free download”, beware of what else comes with it.
  • Get a sneak peek: when you hover over a link, you can see the URL appear. If the name in the URL is just a bunch of gibberish, or spelled incorrectly, walk away.
  • Don’t log in or provide personal information: have a standing rule that kids ask before they open any attachment or link. Because that click can lead straight to the lion’s den.
  • Put a PIN on it: teach your kids how to set up and use passcodes, and make sure you know what they are.

You can read more at http://blogs.mcafee.com/consumer/dangerous-celeb.

The old saying “an ounce of prevention is worth a pound of cure” takes on new meaning when you think of just how much we love our kids, and how far we would go to protect them. Their safety is everything. While we may wait to have that “other talk”, don’t put this one off.

#Shell shocked? What You Need to Know about the #Bashbug


I’ve been known to exaggerate but trust me when I say that this latest security threat is so big it’s off the charts. Literally. It was rated as a 10 out of 10 by the National Vulnerability Database. An official advisory was issued by the Department of Homeland Security, and they don’t just hand those out freely. While this won’t ruin your life the way getting caught in a Home Depot style data breach could, it puts at risk almost every device that connects to the internet. Since our world has become the Internet of Things (see previous post for neat-o chart), that means a lot of risk. So here is what you need to know, and why.


Bash stands for Bourne-Again Shell, a very common program used to run command-line instructions on operating systems like Linux, Unix and Mac OS X. The shell is where we interface with and control the operating system, and these systems run pretty much everything we connect to or rely on for connectivity and our “smart” devices. Per Trend Micro, “Linux powers over half the servers on the Internet, Android phones and the majority of devices in the IoT (Internet of things).”


The problem is a vulnerability that lets an attacker easily reach, and tamper with, CGI scripts written in Bash: the commands that get issued to the operating system. And no credentials are required. As the security experts at Kaspersky put it, “This vulnerability is unique, because it’s extremely easy to exploit and the impact is incredibly severe.” This doesn’t just impact servers. It impacts devices connecting to these servers through the internet: wireless access points, routers, smart fridges, video cams, webcams, even light bulbs. You can patch a server. It’s not so easy to patch a fridge.


And this is where the other shoe drops. In his article for Fast Company, Chris Gayomali explains how this vulnerability “also affects Bash versions stretching back at least 25 years, meaning, when or if a patch rolls out, there are a number of older electronics that won’t be getting a firmware update.” The obvious solution has been to issue patches, but the issue is if and when everything affected will have patches available. The problem may have the worst impact on major institutions, like banks and hospitals, where change happens slowly and systems have been laboriously put together over time. According to Patrick Thomas, a security consultant at Neohapsis Labs, “their most venerable systems are also their most vulnerable.”

So what do we do, now that we know? Systems experts are testing for and patching webservers as I write this. Hopefully, our Internet service providers have been successful, as have the companies that host our websites. Here is some excellent advice from Mark Nunnikhoven at Trend Micro:
1. End users should watch for patch updates or alerts for their Android phones, Macs, or other devices.
2. As a customer of a hosted service, like a website, contact the host directly and ask them if they have patched the vulnerability. If not, why not?

For those running a system that uses Linux, or an Apache webserver, this article by Kaspersky Labs recommends updating Bash and outlines helpful ways to test for the vulnerability: http://securelist.com/blog/research/66673/bash-cve-2014-6271-vulnerability-qa-2/.
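As an added defender’s self-check that is not part of the original post or of the Kaspersky article, this POSIX shell script reproduces the widely published local test for the Bash bug (CVE-2014-6271) and reports whether the Bash on this machine ignores the trailing command, as a patched one should. It assumes only that a `bash` binary is on the PATH; the report format is a constructed one.

```shell
#!/bin/sh
# Added example (not from the original post): a local self-check for the
# Shellshock behaviour described above. Bash is started with an environment
# variable whose value looks like an exported function definition followed by
# an extra command. An unpatched bash runs that extra command while importing
# the variable; a patched bash treats the whole value as plain text.
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # The marker appears in the output only if bash executed the text that
    # follows the function body. Warnings from a patched bash go to stderr.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *) echo "patched" ;;
    esac
}

# One-line report per host (constructed format) so the verdict can be matched
# against the Bash version named in the vendor's advisory.
shellshock_report() {
    ver=$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null || echo "unknown")
    host=$(hostname 2>/dev/null || echo "localhost")
    printf '%s bash=%s status=%s\n' "$host" "$ver" "$(shellshock_check)"
}

shellshock_report
```

A result of "vulnerable" means the shell is still importing function definitions from arbitrary environment variables and the Bash package should be updated before any CGI or other network-facing service on that host is trusted again.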


Truth is, there’s really not a lot you can do to fix the #bashbug. But you can find ways to stay informed, ask questions (from service providers or friendly folks like me), and follow the practical advice in my earlier posts about protecting yourself. And that is how you can be your best defence against an unexpected offence like this. Welcome to Fortress Security.

Putting a Price Tag on Trust: The Home Depot Data Breach


In a year of huge data breaches, The Home Depot security breach is proving to be the biggest yet. Upwards of 60 million users in both Canada and the United States could be affected. Yet, Home Depot took too long to officially confirm the news once the story broke, and when they did, the damage was already done. Now, they are facing a lawsuit which will become precedent-setting because how do you put a price tag on trust?

Welcome to the pitfalls of retail responsibility in the age of data insecurity. No matter how businesses may try to spin them, data breaches mean trouble somewhere down the line, and given the money to be made they aren’t going away. Cybercrime is booming beyond anyone’s expectations. Hackers halfway around the globe are constantly upping the game in their quest for information to sell on the black market. That information happens to be a digital summation of our lives: where we live, what we’re worth, who we are. Those little plastic cards that run our lives can also ruin them in one stroke.

The technical details of how cybercriminals lift card numbers, user codes, and passwords have been well documented over the past year. In fact, the US Department of Homeland Security issued a security advisory in late August warning businesses of the threat of Point of Sale or POS malware, in particular one called “Backoff” that stole information from credit cards (http://t.co/WiOpgp6c6M). It all comes down to a little piece of equipment we use every day. POS card readers are where we shop, eat, buy gas, withdraw money. And the scary truth is how easily they are tampered with. Crime rings buy or extort their way into tampering with the actual hardware to mine data. Cybercriminals have figured out a less obvious route, using remote access to command and control the devices so they transmit the data without detection. It’s enough to make anyone paranoid.


Instead of being scared into action, however, businesses seem to have pulled the ostrich hiding its head routine, hoping it would all go away. But it hasn’t gone away, and the lag time has only afforded the hackers more time to perfect their skills while we struggle to catch up. A full week passed before The Home Depot officially confirmed the real extent of the breach. The scope of those potentially caught in the net of hackers is still being determined, with 60 million users a conservative estimate.

So just how do you tell 60 million users that their credit card data and other valuable personal information has just been released to the global criminal black market? There is no good way to spin that much bad news, not following recent announcements that Target, UPS, Supervalu grocery stores, several major US banks, and Dairy Queen had also been breached. Brian Krebs had revealed the hack attack on Target. On September 2, he broke the news on his website, KrebsOnSecurity, that “a massive batch of stolen credit and debit card information went on sale.” At the outset of the data breach, Home Depot shares dropped. Per an article in The Globe and Mail (trib.al/e8RZclg), shares in trading fell 3.4%. Now, they face a class-action lawsuit.

The reported costs of a data breach vary, but according to Alcott HR Group, it starts at $5 million for one incident, and another source claims that has now doubled. But the real loss is in what we cannot truly measure, and that is the very heart of retail business. How do you put a price tag on trust, consumer confidence and lost customers? Taking responsibility for your POS devices means taking the necessary actions to safeguard your customers. The rest of retail is about to learn an invaluable lesson at Home Depot’s considerable expense.