How Can You Tell If Hackers Are Hacking You?

Obviously if you have been hacked and have ransomware that is too late to know that you have been hacked:

I would like to discuss how we can find out if hackers are altering your files or are looking around in your network. There are several ways to explain what is happening when a criminal hacker is trying to attack your machines. Usually it starts with reconnaissance of your computers, online profile and other system methods.

 

The cybersecurity  industry has  created something called the Cyber Kill Chain which explains this phenomena(how does a criminal hacker attack you). CSOonline explains it a little… But Cyber Kill Chain was created by Lockheed Martin, a defense contractor with defense terminology.

Advanced (targeted)                 Persistent(month after month)       Threat (person with intent, opportunity and capability)

 

The cybersecurity industry is obsessed with this Cyber Kill Chain – why? because the explanation is a good method of detailing the steps an attacker uses to find a way into your network.

If you think about it there must be a way for us to explain how an attacker attacks, so that we can look and find this attack.

I tried to use less technical  terms with my SVAPE & C diagram using the Mandiant attack analysis of the Chinese hackers.

Scan Vulnerability Analysis – Penetrate Exploit and Control  – i.e. SVAPE & C

The portion of criminal attack we want to dissect is the Penetrate and Exploit.  In other words, recon has already been done, vulnerabilities analyzed, and reviewed.Or as in the Cyber Kill Chain, somewhere between delivery, exploitation, and installation.

Now the attacker is actually trying to take over the machine, by exploiting the system somehow.

What is it that we are looking for? If a system is being altered by a human being the event logs  will also be altered. So keeping an eye on event logs is a good idea.

But if this attack is by an automated program (bot or virus or other malware) then the event logs will only be changed if the bot decides to do this, so likely the bot needs to send information back to the programmer at some point (information like cc numbers, health info, whatever data that you keep on your computer).

How do these criminal hackers attack your computers?

It turns out they use the same techniques as people in DEFCON 25 would (latest convention in Las Vegas). So you can browse through the media server to see what the presentations were.

I like the Leveraging-Powershell-Basics by Carlos Perez

In this presentation the theme is to run little known commands using Powershell which you have to be looking for when trying to find hackers in your network.

The Powershell commands can perform many things for the hackers, and to find out whether commands are run you must turn on advanced auditing enabled, some command line jiu-jitsu is also required.  Hackerhurricane Blog discusses the commands  and settings in Win7 and Windows 2008  and later.

So the key is to find what the hackers do and then try to detect these types of actions.  But then there is another issue, including making sure there are people to modify the scripts to detect the criminal hackers.

Target had the methods(detection) but failed in personnel to act on the detection, because one has to find the real problem within the many false positives.

Most important there must be a will to defend and act.

Contact Us to review your plans, we can audit your defensive plans.

 

To Measure Risk, Measure Impact : Major Threats and Effects

To Measure Risk means to measure impact and threats(likelihood)

(R=L*I) Risk = Likelihood * Impact

 

So what does that mean? What are the threats and their effects to your environment? Answering this will give the true impact of the problem figuring out what risk one really has.

(Above image was copied from @ipfconline1 twitter images)

So let’s assume these are the major threats and Major concerns (from image)

  • Unauthorized Access  53%
  • Hijacking Accounts  44%
  • Insecure interfaces / APIs  39%
  • External sharing of data

Major Concerns

  • Data Loss/leakage  49%
  • Data Privacy  46%
  • Confidentiality  42%
  • Legal and regulatory compliance   39%

The threat is one portion of risk, the impact is another.

The idea is to view all of the threats coming at you and review where you should spend your time.

The problem with this methodology is one has to have a decent understanding of the impact and likelihood of various threats. Some of these items need to be also taken into context.

If you have 100 computers and they are all running Windows Operating systems (different versions 7,8,Server, 10) then a threat to your Windows base for MS17-10 is not as dangerous for all computers.

But what if a virus/trojan attacked and affected 20 computers?  Now the impact would be higher. So the Risk to your organization is higher from a relatively minor Microsoft vulnerability.

So one thing you will find is that even minor vulnerabilities can grow into major problems. So the potential effect of an exploited vulnerability  is the issue. Every month new patches are released and at the same time criminal hackers are trying to exploit the patch exploitability.

Unfortunately every vulnerability has an attack timeline.

Here is the crux of the issue, what is the impact for each separate vulnerability to your environment? As criminals develop better attacks you have to keep the threats in mind and do proper patching so as to defend your network.


By performing an audit of your environment and  reviewing impacts and likelihood you will hopefully be able to evaluate your risk properly.

Contact Us to help you with this process.

What is Real Story on Default Passwords?

Is it really as bad as some say? People are not changing default passwords and thus hackers control their machines if remote access is enabled in some way.

i think it is VERY BAD – as people are really looking for ways to make bad decisions:

https://superuser.com/questions/106917/remote-desktop-without-a-password

\

My apologies to this person who maybe innocently was trying to make some administration easier for him, but the lack of security knowledge is apparent. One should NOT even think of creating a scenario where there is a blank password on a machine (ever – even worse for remote access).

If this machine was connected to a Credit Card Machine now you are in PCI compliance violation.

Ok, we know not to have default or blank passwords…

Or is it that people don’t need to change the default password as the system is not remote accessible?

Even then the default password should be changed, because physical access needs to thought of, and is not 100% foolproof.

Or is it that people think the system is not remote accessible but it really is in some way?

The last scenario may be likely if the level of sophistication is not good.

And the hackers are looking for these machines as a post from last year notes the Verizon data breach Investigations Report  http://oversitesentry.com/why-are-there-cyber-security-issues/

Mentions that Remote Command Execution was found on scanned machines more than at other times.

Human error is one of the main reasons for security failures. in 2014 IBM ‘s Cyber Security Intelligence index notes “95% of all security incidents involve human error”

 

So how does a stakeholder (the board, CEO, exec team) make sure that human error is minimized (as it will likely never be 100% gone). It is to obvious to most: Bring in outside help to get a second or third opinion, and perform tests to see where human error can be minimized.  The CISA (Certified Information Systems auditor) would review the potential risks and set up  an audit to methodically find security issues.

Contact us to discuss

#SmallBusinessWeek Fail on Cybersecurity

I apologize, but I see most small business do not have plans in place for disaster recovery and Cybersecurity because it does not help them run their companies.

True it does not help run the company but it allows you to run the company after a Cyber event happens.

I have written about this before in the past few posts and weeks/months. But there is a definite disconnect between the Decision makers and the current environment. Here is a past post where the mechanics of making money for the Cyber criminals only makes it clear in dollars and cents that the Criminals are making MORE money every year.

I don’t want to bore you with actual criminal dollar numbers, because they are low estimates since people do not report the actual amount.

This picture from a past post also explains the large problem of database breaches.

 

To come back to my initial post – if you never backup your files in a proper way then ‘when’ a problem occurs you will not have a business.

This isn’t even insurance, because if there are no files backed up then it is over. Insurance is “a thing providing protection against a possible eventuality”.

If you have cyberinsurance you can get some money back to rebuild your files. But you still have to rebuild.

IF small business would have had proper IT practices then there is no need for cyber insurance. Look around the world for others that perform good practices that will help you keep your information safe.

Saumil has presented 7 axioms of security at BlackHat Asia  online here: youtube video

7 axioms of security

Intelligence Driven Defense

  1. Defense doesn’t mean risk reduction
  2. CISO’s job is Defense
  3. Schrödinger’s hack – i.e. test realistically
  4. Can’t Measure? Can’t use it
  5. Identify your target users, and improve them
  6. The best defense is a creative defense
    1. create credit cards with no usage except to tell you when it is used.
  7. Make defense Visible, make defense count
  • Intelligence means collect everything!
  • Get creative, get organic (organic security=grow it yourself)

Contact me to discuss: tonyz”@”fixvirus.com

 

Changing Default Passwords: Too Hard?

Is changing the default password too hard on your devices?  For example the highest profile devices (not IoT Internet of things), but the ones that process money: POS(Point Of Sale) terminals.

Above is an Ingenico ISC250 with a stand. (from discountcreditcardsupply.com)

Are manufacturers making it easy or hard to change the default password?

 

Well, if you Google “hacking a point of sale terminal”, then several interesting links come through:

Old news stories are relevant as many businesses (small and large) do not make changes and purchase old equipment. Wired 2012 story of 63  breached POS systems using malware.

The story also mentioned 40 people arrested in Canada over a carding ring, which also tampered by stealing POS terminals and installing sniffers on them.  Which means they were able to modify the machines at will.

 

So this is why I mention the difficulty of changing the default password on these machines. Yet the password information is on the Internet, so if you are a hacker and wish to spend time to learn the password it is available for you to do so.

Helcim Support helpfully has the method of changing the password on their website:

Check the default password from manufacturer: ‘123456P’ not very sophisticated??? and the new password is to be 7 characters long with one letter. An amazing testament of password schema from the manufacturer Ingenico.

At oversitesentry we are dedicated to helping companies harden their security systems, including POS. Changing your default password is a must, and places you in compliance with PCI DSS (Payment Card Industry – Data Security Standard)

I don’t understand why owners and managers in charge of POS systems that depend on revenue from these systems have not understood the concept of changing the default password on their POS devices. Why am I mentioning this?

Because small businesses fail after a successful criminal cyber attack

(from a previous post among many on our blog)

The statistics are bad… but why is this? Is it that the default password is _REALLY_ that hard to change? Is it that difficult to make a Cyber policy?

I think that the managers and owners assume nothing will happen to them, because last month nothing happened.  Their education is based upon experiences and the news of companies being hacked is not a big deal.

VISA has stated in the past that the major problems (breaches) come from basic failures like not changing default passwords. Visa website to go for more information.

The following is a screenshot from a VISA presentation on PCI compliance challenges.

Card Present Vulnerabilities:

  • Insecure remote access used by attackers to gain access
  • Weak or Default passwords and settings commonly used
  • lack of network segmentation
  • malware deployed to capture card data
    • absence of anti-virus tools to detect malware

 

 

So I would like for you to contact me if you want to do something about this problem – tonyz”@”fixvirus.com or 314-504-3974 Tony Zafiropoulos.