How are Hackers Always a Step Ahead of Defense?

So the Defense (also known as Blue team) has been inundated with spam, the goal of the spam(for the hackers) is for an unsuspecting user to give up their credentials(username and password). Hackers are always trying to get your usernames and passwords.

Opening a word document? What if it included a small file that is unlikely  or even impossible to detect when first opening the file? because it gets resized to a small point in the document.

Notice the above image shows how to create a link inside a picture.

the above image is from ISC.sans.edu link.

So due to various dirty tricks in spam we have built 2FA (Two Factor Authentication) so that the connecting to the email server and getting your email will effectively shut out the spam merchants… until now with this nifty trick.  (Do you have to re-establish 2FA every time you get email? Or only when first logging in?)

When you open the word document the picture activates and tries to connect to the criminal-hacker-website.com which then sends the credentials of the computer to criminal-hacker-website.com.

Clearly only username and password defense is not going to do the job, as many tricks will pry the information to your account out of you.  And an incorrectly set up 2FA also would be a problem.

The defense must have a good logging and egress filter setup. (Block port 445/tcp , 137/tcp, 139/tcp, and 137/udp and 139/udp.

Back to my question “How are Hackers Always a step ahead of the Defense?”

The answer lies in logic actually:  If you have to defend 24 hours per day every day while trying to use software of the Internet then it is only a matter of time before a hacker uses ingenuity to break or bypass your defenses as shown above. We have to constantly be aware of new attacks and thus ways of defending against new vulnerabilities found every day.

True it would be nice if all software did not have security issues, but as we know security is not the highest effort while making a product. Making money is, and sometimes a security audit is not high on the priority scale.

So it is the same old story “The risk versus Security” see-saw.

The people who focus on Security might spend more in resources rather than others, so if you hear a new potential attack are you impulsively scoffing? Or saying I have to learn this attack and defend against it (thus spending resources?

if you are scoffing and wish to take on more risk by thinking the security problems might go away just by thinking they will go away. The risk on the internet these days is not that low, the ingenuity of new attacks are coming so fast that if you have not upped your ante, then one day it will be too late and the headlines will serve your epitaph.

So We believe that you should do both seek some risks while also staying secure  by employing Security Auditors.

 

Contact Us to discuss

Why Would Someone Want to Attack Me?

We see a lot of headlines in the news, but it stems from the nation states attacking.      Youtube video from Black Hat Asia2018

China attacks specific companies.

Russia also attacks in cyberspace and it culminated when Russia attacked Estonia 2008, also the next year a military physical attack in Georgia with a Cyberspace attack as well.

Snowden disclosed the US attack of Stuxnet into Iranian centrifuges.

This is a ‘right’ of the nation state attackers using their knowledge of Zero Days and encrypted keys.    Where the nation states say it is their right to attack other nation states, because “no one will know” as it is not a physical attack.

Except this culminated in a Russian attack on power infrastructure attack where Estonia lost power for several days.

The side effect of Stuxnet was that other hackers(criminal etc) figured out how the attack was done, then investigated this possibility and eventually was able to create a new attack with malware for ransomware.

So what does this mean? It means that attackers  will eventually figure out the defensive flaws that one normally cannot see or notice.

the actual methods of inserting programs are varied, sometimes the user allows the software to run with spearphishing or just clicking on the wrong site on the Internet.

Above picture is from “Decentralized malware youtube video“.

 

The trust the private sector has in their computers between customer and company is not in the thoughts of nation-states attacking each other.

A side effect of nation states attacking each other is the need for better defenses for all, since we are all on the Internet. Once the knowledge of attacks comes out of the shadows the criminal hackers take a little bit of time and develop the attacks also.

So you may not look like you have anything to attack, but if you are on the Internet you will be attacked.

 

The only thing you can do is to create a defense that can handle even sophisticated attacks.

Contact us to discuss this phenomenon.

 

 

As Technology Changes Faster “Remember The Basics”

I like Jonas Bjerg’s YouTube video of “How Abundance Will Change The World”

Elon Musk  predicts 100 Gigafactories in the world(of which he will build 4)

Peter Diamandis  and Elon were at the World Government Summit 2017.

Cost per Genome is going down and has gone down exponentially.

Quick review of video: ‘So robots will take over, the world will have abundance and people will lose meaning (having lost their jobs)’.

So what will happen to friction of all this? When have you known people to actively agree 100% with how technology has gone along?  As usual there is no thought to security.

What about crime?

I know, I am in Cybersecurity field, and to me it is simple to see, when “some” people lose their jobs to robots, they may become hackers and either create new crime syndicates, or work for an already successful syndicate.

Maybe I want to make more money than from the Universal Basic Income that some are proposing once many of the drivers and doctors are out of a job. How will I make more money? by figuring out a way to get a piece of the cyber slice$ that is around “in abundance”

Then we have a Dark Reading post ‘Back to Basics’ Might be your best Security weapon

Here Lee Waskevich’ commentary points out what I have said for many blogposts: We must focus on the basics first then we can point out the more advanced issues.

So let’s train our employees to find the scams in our mailbox (email and mail)  SCMagazine points out a survey that found 32% of Britons would become a money mule for criminals.  The issue is that unemployed people talk themselves into many things, especially if they have no previous arrest records.

In this Blog we know that people do illegal things and companies and people must defend themselves appropriately. Even as technologies become increasingly complex with more robotics and electrification of everything. (I always wonder why we focus on Cybersecurity AFTER a breach has occurred).

Let’s put 10% of our efforts into Cybersecurity and then we will be better off. Contact Us to review your Cybersecurity profile.

Ok, that’s good, but what about the Crypto Currency craze? There will and are thefts here – Hot for Security has a story on how $400k was stolen in BlackWallet application using DNS, and as you can see right now 1/16/2018  13:30 the site is down.

So what does that mean? If you are involved with money and even crypto currencies you better be testing your environment for cyber attacks.

How Do We As Consumers Get companies More Secure?

Every week there are more hacking incidences.

There is a serious problem – a significant number of people and companies are not doing what is necessary to prevent Cyberattacks. This is also a moral weakness, and is a function of misunderstanding Cybersecurity and human nature.

The problem we have is that everyone needs to be better at cybersecurity. So it is a colossal misunderstanding of the nature of Cybersecurity.  This is compounded by Hollywood’s portrayal of hackers and hacking events.

Kevin Mitnick was an early  hacker (before 2000) and got caught – convicted, now he is a consultant.

Hollywood makes hacking mysterious and easy for certain people, but this is a fantasy world. And of course there is no explanation as to how one can defend against hackers.

In my mind (as an ethical hacker and computer professional of 20 years) this state of Cybersecurity affairs will not get better until a paradigm shift.

It would be nice if everyone understood at least the basics, as I have many posts on this topic.

Let’s try and push the companies to do the right thing.

Why are Companies not protecting their computers the way they should?  Misunderstanding and psychology, but what can we do to change their minds?

(from an old post an infograph by Small Business trends)

As a small company if you do not do what it takes, then you may go out of business if you literally lose your data tomorrow. The reason for this is that backups are not what they seem.

Apparently the knowledge of potential failure in the future(due to bad decisions) is not enough for 22% or more ( in some surveys) of companies. This is a huge number and will keep the criminal hackers fed forever. So how can we change that?

All Cyber-consumers should demand Cybersecurity done right from all companies we do business with.  And since it is 2017(almost 2018) and we depend on computers and what the convenience does for us, we should all be interested in making sure only what we want to get done gets done.

So we have to ‘help’ the companies which we depend on to keep operating – like restaurants, banks, hotels, and many other seemingly innocent companies (let’s not discuss government and Equifax), as we are talking about all small businesses, the accountants, the lawyers, the plumbers, HVAC, everyone large and small. All except the public companies, as they _have_ to have somebody taking care of business. It is only the companies that do not “have” to do that don’t in sufficient numbers

What if you could “know” that at least a minimum of processes were done to at least prevent a catastrophe if something does happen? What is that worth to you?

Would you do business with someone if at any moment they can have a catastrophic event and then go out of business?

Sure it should be where we do not have to think about this Cybersecurity thing and thus it “Ought” not to cost anything, but it we do not live in fantasyland like Hollywood.  Do you know why it costs? Because ransomware has changed the game. It used to be when hackers were  just annoying, like spam. But now criminal hackers are making serious money and thus they will continue to do it until we stop them cold. As I have mentioned in the past this is an uphill struggle though since human nature is to ignore the problem and  this has been proven in the fact that 25% of people do not patch their computers.

So let’s repeat: If one does not patch your computer, your computer(or device) becomes vulnerable to malicious software, then it has a higher and higher chance of getting hacked every month it does not get patched.

So eventually it is a beacon for bad software to come in, and very soon (like a year or 2) ransomware will  test your cybersecurity defenses. This problem will get worse until we can peer pressure everyone into  getting Cybersecurity audits from CISA certified professionals.  Like us.

Contact us to help you get up to snuff, or to get a neighbor company up to snuff.

We are going to have an Oversitesentry seal of approval so that everyone that is doing the basics can at least sleep a bit better about their future.