You can now find our blog at www.cqr.com/blog so please pop on over and keep up to date with Information Security News from around the globe.
Monday 15 September 2014
Tuesday 9 September 2014
Much ado about SOCMINT!
You may not have heard of the term SOCMINT which emerged a
couple of years ago as the abbreviation for Social Media Intelligence. What has
this to do with Apple iCloud and Celebrities?
Well if you are to believe Apple this is what was used to hack into
celebrity iCloud storage. It appears the
criminals gathered enough online information on these individuals to reset
their passwords and hijack their accounts.
Effectively we have a successful social engineering attack without
manipulating the human. No one rang
Apple, no one rang the celebrities, no eavesdropping in restaurants, no near
contact to clone phones or going through celebrity trash cans. It appears this attack relied totally on intelligence
gathering and analysis of online digital content and perhaps some targeted
phishing emails.
Social engineering of social media, I think I can create a new
acronym - SESM. Checked Google no one has used it before.
How do you stop SESM happening to you? Google, Microsoft and Apple all want you to
use their cloud services, it’s free,
it’s so convenient and you can recover
your device, so “ don’t use it” is not
the practical answer. It is about responsibility for your security. In a foreign country would you hand over your
passport to a complete stranger? Yet when
it comes to our online digital life the lack of physical presence seems to create the belief that it is ok to pass
responsibility for the security to others.
How much did you pay these strangers to do this for you?
Here are some simple strategies to keep
strangers and hackers out of your digital life:
1.
Passwords are important, give
them personality – use special characters or a pass phrase. If a site you are
using does not support them, account lockout hacker tools can automatically run
every word in the dictionary and common password combinations against your
account in only a few hours.
2.
Get in front of a screen with
someone who you have not “friended”, might be a sibling or work colleague.
Get them to look you up on Facebook and
other social sites and see what
they can see as a stranger – you might be surprised. You can then go and fix your security
settings.
3. On social media value your circle of
trust. Do not “friend” anyone you have not met. What they say to you in a
request could be totally false. There is no internet Bro code that states “I
will not make up a social media page and tell lies”. You need to protect
yourself and your friends. If they say they know you through a mutual friend –
ask your friend how they know them
before responding.
4. Would you walk up to a creep on the
street and handover a photo of your smiling face with your home address written
on the back? No, so don’t do it online.
If you upload a photo taken at home or a friend’s house make sure the location/gps
data has been removed.
5. Birth date. You need this for
Facebook so everyone can wish you happy birthday but do you really need to
divulge it on other sites? Most of the
time these sites only want this so they can market to you, it is not adding to
your experience. Limit the amount of personal information you enter on such
sites, just because they ask you don’t have to tell. If you have to enter a
birth date then for example round the year to the nearest decade. If one of these sites is compromised then the
hacker cannot use the birth date to help gain access to your important sites.
6. SMS alerts. Apple has announced it
will strengthen its iCloud account alerting in light of the celebrity hack. If
there is one thing to do as soon as possible it is go to your social media
sites and check that you have SMS alerts turned on for account change requests.
7. Security questions. As appears to
have happened to the celebrities. The questions like - what is your mother’s
maiden name , what city were born in or
what high school did you attend don’t really cut it. Instead
try - what movie star or
singer do you not like? You are more
likely to post or join conversations about things you like rather dislike –
politicians are probably the exception.
8. Phishing emails can look very
legitimate and may be personally addressed. Never respond or open links in unsolicited
email asking you about online account details or that they have something for
you. Just delete them. Only go to your
sites using your browser favourites or app, you can then check if there are any
legitimate messages for you.
Greg Starkey
BDM
www.cqr.com
Tuesday 2 September 2014
For your eye's only
“Celebs in nude photo scandal’ make it to the top of our
news feed today and who’s clicking on the link. I have to say for 1 ‘not me’.
I’m sure Jennifer Lawrence has a lovely figure but I don’t need
to see it and the photos were never intended for the public, they are private
photos stored on a private cloud account. The only reason why the likes
of you and I are aware of them is because someone stole them! Yes, stole,
‘to take without permission or right, especially secretly or
by force’. It took for someone to hack into her and the accounts of
others and copy and exploit their private images online for all to see and
continue to use what they have to blackmail others this is a criminal act.
I was pretty shocked and disappointed seeing comments made
on social media about the images and requests for links to the images, if you
really need to see it there are sites already available with similar content by
consenting adults rather than exploiting someone who hasn't. Celebs may be
famous and making a living by providing the world with entertainment but what
they do in their own time in their own homes is private, and everyone is
entitled to their own privacy. In general we have all been brought up to
respect others, to use a level of discretion and these values should be
remembered, and simply by not clicking on that link begins to remove and sense
of credibility the hacker would feel from performing such a deed.
Although there has been no official comment of how the hack
was made or specifically where the photos were taken from iCloud or Photostream
(and likely we won’t hear about it either) I’m sure that this has raised many
questions around the Apple offices this week.
The moral of that story is if you’re using a cloud based
photo storing service maybe a little cautious of what you store, having an
eternal hard drive works just as well, as for what Jen Law is up to, if this is
really important to you maybe you need a hobby…
Sarah
Taylor
www.cqr.com
Thursday 28 August 2014
To click or not to click…………
We
recently assisted one of our clients during an information security incident, a
server monitoring system had picked up unusual file access activity on one of
their network file stores, upon further investigation they discovered that a
piece of malware was encrypting files on a user’s network share.
By the
time we arrived onsite they had already started to contain the outbreak, taking
the infected network drives off line, identifying the user whose network drive
was being infected, removing the user’s PC from the network and disabling their
network account.
At that
time they were in the process of rolling out new anti-malware definitions
across the network so they immediately commenced a full network scan using the
latest definition files concentrating on the offline network shares.
Investigation
of the user’s machine, indicated they have browsed to an external URL minutes
before the unusual activity was logged.
The user had received an email, from a reputable postal service
reportedly saying the organisation had a parcel that was awaiting payment and
delivery, being a member of the accounts payable team, the user clicked on the
link that opened a copy of the postal services website. Unbeknown to the user malicious files were
being downloaded initiating the malware infection using the win32 crowti
ransomware variant and subsequently starting encrypting of all their files.
The
email itself was very well crafted using good English and corporate branding of
the postal services company, only upon closer inspection and hovering over a
link to unsubscribe did we notice that the link misspelt the word “unsubscribe”
as “unsubscrube”. Checking the email
headers revealed the IP Address and checking the registration confirmed the URL
was located in Russia.
Whilst
the incident was being Triaged the client asked, what they could have done to
stop this kind of attack, we recommended they block the IP address in their
firewall and block the domain on their SMTP relay but once the cyber criminals
move to a different IP address or domain these defences would be useless,
enabling smart screen filter as a group policy setting on their browsers could
afford them an extra layer of security.
But in
hindsight all of these enterprise and perimeter security controls are great but
the user decided to click on the link in the email, not maliciously but in the
normal duties of their role. Users are
the last line of defence….right?
Correct
they are the last line of defence, but far too often organisations treat users
just as that last in the line, security/awareness training as just another tick
in the box to ensure some form of compliance.
Organisations can have the best of breed technical security controls in
place at the perimeter, but these are only as good as the speed and efficiency
of the vendor releasing signature or definition files and the IT department’s
diligence at deploying updates. During
this incident the infected PC and network drives were disconnected from the
network with ten minutes during which time approximately 50K files were
encrypted.
The user
however is the one constant that is always present and one that the
cyber-criminal is relying on to perform an action or act that provides them
with the backdoor they need.
Is
annual security refresher training enough, when compared to how the security
landscape changes in our view no! Too
many organisations use this as a tick box exercise, a cyber-criminal is relying
on the end user, this is the mechanism that allows them to not brute force the
front door spending 100’s of hours reconnoitring a target company and then
trying to push an exploit through the front door.
How many
times have you done something you were told not to do, “Don’t walk on the grass!”
“Don’t
bite your nails!” humans have individuality and intrigue these are some of the
traits that make society the great place it is so why would we curtail it. You cannot tell someone not to do something, their
very inquisitiveness will ask well “what will happen if I….” rather demonstrate
through past experience, constantly building security awareness into their
daily habits, so that they become accustomed to questioning the norm.
Large
organisations have layers of security to protect their important information,
with the abundance of social media and on-line interactions “the general public”
does not have these controls to protect them, with the internet all around us,
we need to make all users of the internet aware of the inherent dangers of its
use, many of the day to day natural things we do to protect our homes, cars,
handbags/wallets etc, if we applied the same common sense approach to the
internet we would make the cyber criminals job that much harder.
Neil Bray
Senior Security Specialist
www.cqr.com
Wednesday 6 August 2014
What is Privacy? OAIC are showing us the way.
When looking for a new home we like to see photos of what the house looks like but for a tenant/home owner are there any rules that govern what photos the real estate agent takes and is there anything you can do if you are unhappy about the photos they have taken.
The OAIC's fifth video in their Privacy series tell us,'Is my real estate agent aloud to take photos in my house?'
________________________________________________________________________________ If your neighbour has a security camera and you are concerned about your Privacy the OAIC's latest video gives you some advice on what you can do to apease the situation.
The OAIC's fourth video in their Privacy series tell us,'What can i do about my neighbours security camers?'
________________________________________________________________________________
We all have personal information held by organisations, but how do you access that information, are you able to just ask for it or might you have to pay or wait for an extended period of time, and then what if it is incorrect are you able to make changes where you need to?
The OAIC's third video in their Privacy series tell us,'How do I access my personal information?'
________________________________________________________________________________
If you know that personal information about you has been mishandled what should you do, and how do you go about making a complaint?
The OAIC's second video in their Privacy series tell us, 'How do I make a privacy complaint?'
_________________________________________________________________________________
Following on from PRIVACY AWARENESS WEEK in May 2014 when CQR were partners of the OAIC (The Office of Australia Information Commissioner), the OAIC have released the first a series of 5 video's which are designed to help individuals learn more about PRIVACY and the common concerns they may have.
All of the video's are to be release over the next 2 weeks and we will be here to support the OAIC in spreading the word on PRIVACY.
The first in the series is 'What is Privacy?'
Further information on the changes to the PRIVACY ACT can be found on the OAIC website.
Sarah Taylor
www.cqr.com
The OAIC's fifth video in their Privacy series tell us,'Is my real estate agent aloud to take photos in my house?'
The OAIC's fourth video in their Privacy series tell us,'What can i do about my neighbours security camers?'
________________________________________________________________________________
We all have personal information held by organisations, but how do you access that information, are you able to just ask for it or might you have to pay or wait for an extended period of time, and then what if it is incorrect are you able to make changes where you need to?
The OAIC's third video in their Privacy series tell us,'How do I access my personal information?'
________________________________________________________________________________
If you know that personal information about you has been mishandled what should you do, and how do you go about making a complaint?
The OAIC's second video in their Privacy series tell us, 'How do I make a privacy complaint?'
_________________________________________________________________________________
Following on from PRIVACY AWARENESS WEEK in May 2014 when CQR were partners of the OAIC (The Office of Australia Information Commissioner), the OAIC have released the first a series of 5 video's which are designed to help individuals learn more about PRIVACY and the common concerns they may have.
All of the video's are to be release over the next 2 weeks and we will be here to support the OAIC in spreading the word on PRIVACY.
The first in the series is 'What is Privacy?'
Further information on the changes to the PRIVACY ACT can be found on the OAIC website.
Sarah Taylor
www.cqr.com
Friday 20 June 2014
Nice filesystem you've got there...
"Nice filesystem you've got there. Be a shame if anything... happened to
it. Know what I mean?"
It's a stock phrase used by thugs in extortion rackets in
countless movies, TV shows, and video games.
It's also exactly the threat that Cryptolocker presents. Cryptolocker is malware that when activated
will encrypt all the files that it can write to, and hold the decryption key
hostage. If you pay the thugs the
extortion money before the clock runs out, they give you the key, and you get
your files back. If not, your files are
gone for good.
The media love using the countdown timer in Cryptolocker
as a background, all the while talking about this new threat, and how the
government should be doing something about it.
Except of course that it isn't really new. It's just the latest way that criminals have
found to monetise malware now that the fake-antivirus market is drying up. And it won't be the last.
Don't get me wrong, it really is a serious problem both
for individuals and for business, but it is relatively easy to avoid, and even
possible to recover from without paying the criminals, but only if you plan
ahead. Here's the plan:
1. Patch
everything.
Most malware uses known vulnerabilities in operating
systems and software applications to take over your computer. If they are patched, they block the initial
attack.
2. Run current and
up to date antivirus on all computers.
If the criminals can't use an unpatched vulnerability,
they will try to install the malware by tricking you into clicking on a bad
link, or opening a bad attachment. If
you are running a current antivirus solution from any reputable vendor, then
the vast majority of this sort of malware will be blocked before it can be run.
3. Make regular
backups and ensure the backups are offline.
Even in the worst case where the malware has encrypted
all of your files, the criminals aren't the only place to recover them from if
you have a recent backup. While it's
very convenient to keep a USB backup drive connected to keep the copies, if you
can write to that drive, then so can the malware. After you've made a backup, disconnect the
backup drive.
4. Restrict user
access to read-only everywhere except where required.
Cryptolocker will encrypt every file on every network
fileshare it can write to. In a business
most users should not have full write access to all the corporate data
repositories. Restrict access either at
the share level or the filesystem level.
5. Have a response
plan.
When the worst does eventually happen, and all the protective
controls fail, having a plan means that you won't make the situation even worse
by panicking.
Remember the threat over the next few weeks is no
different from the threat over the last few weeks, or months, or years! The media just has a new bone to chew on, but
the defences are exactly the same as they have always been. Just don't pay the criminals.
Labels:
CQR,
cryptolocker,
decryption key,
filesystem,
malware
Friday 9 May 2014
Privacy Awareness Week Day 5: Managing a Breach or Complaint
Business standpoint:
The OAIC has not yet enforced the requirement for businesses
to disclose a breach, however they do provide considerable support if you do
fall victim to a breach that compromises personal information. You can find further information in this Guide to handling personal information security breaches.
Reporting a breach does not preclude the OAIC from
receiving complaints and conducting an investigation of the incident (whether
in response to a complaint or on the Commissioner's 'own motion').
Make sure that your incident response procedures identify
the actions you will need to take if a breach to personal information were to
occur. Consider:
- Who you should contact, When, How?
- What information will you need to disclose?
- What immediate actions can you take to minimise the impact of the breach?
- Your communications strategy, will you need to contact those affected by the breach? When will you do this? How will you do this?
- How will you manage complains from individuals affected?
Who else can help?
- AUSCERT www.auscert.org.au
- CERT Australia www.cert.gov.au
- Specialist Consultants (such as CQR!)
How do I know I can trust a consultancy such as CQR?
- CREST Australia, assess and certify companies and staff for their proved technical ability
- Looking for companies that are ISO/IEC 27001 certified, ensures the company is compliant to security standards.
- You can check companies for their certifications through Jas Anz
Personal standpoint:
If you are not happy with the manner in which your personal
information is being handled by an organisation you do have some rights that
ensure that the organisation reviews your concerns or complaint.
Ensure you write a formal letter detailing what your
concerns are directly to the organisation and they will be obliged to manage
your concerns in a timely manner.
If you do not get a satisfactory result the OAIC is there to
help you. It is free to lodge a
complaint with the OAIC. You do not need
to be represented by a lawyer to make a complaint about your privacy. However,
if you do decide to hire a lawyer, you must pay for the lawyer yourself.
The website contains more information about your rights as
an individual at: www.oaic.gov.au/privacy/making-a-privacy-complaint
Other posts from Privacy Awareness Week
Privacy Awareness Week, Day 1: What is privacy and changes to the Act
Privacy Awareness Week Day 2: Protect your privacy online
Privacy Awareness Week Day 3: What you can do to protect your privacy when using mobile phones
Privacy Awareness Week Day 4: Business Obligations: What should I be doing to protect personal information?
Other posts from Privacy Awareness Week
Privacy Awareness Week, Day 1: What is privacy and changes to the Act
Privacy Awareness Week Day 2: Protect your privacy online
Privacy Awareness Week Day 3: What you can do to protect your privacy when using mobile phones
Privacy Awareness Week Day 4: Business Obligations: What should I be doing to protect personal information?
Yvonne Sears
Senior Security Specialist
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com
Subscribe to:
Posts (Atom)