Securitybreaches – Explaining Security

Hacking, is it Like a Recipe?

One thing we do know that Hackers are very successful in hacking overall. We don’t really know how they do it? But the headlines say it all: “Yahoo says 500 Million Accounts Stolen”

If you study the image above (a bubble representation of all hacked entities) from the website www.informationisbeautiful.net

You see Yahoo actually with 320 million and River City Media with 1.37 Billion hacked accounts. Each bubble has a story, with a breach and people affected by the hackers attacking some aspect of the information technology defense.

So how easy is it for hackers to attack ? Is it a recipe? Do you perform a few functions and then steal the data?

I have blogged this methodology for 3 years now, and it is interesting that in 3 years plus with various explanations the methods of hackers has not changed too much.

(image from previous post)

We can summarize and say the hackers review the job (attack) and try to find an opening to perform their objectives:

Money
Political reasons
The fun of it (young hackers)
National goals

After they review the attacks by looking at your defenses they are now ready to probe your specific defense with specific attacks.

In my mind the #1 reason for hackers to attack is money and the Darknet tells the story, the Darknet is where the criminal hackers trying to make money sell their gains.

If you ask me the credit card problems we have gotten due to the new normal of these “hacking events” is annoying but not life changing for the most part.

What would be LIFE changing is the hacking and stealing data (information) of health records. Now the hackers could really mess with other aspects of our lives which we are not used to modifications.

How exactly would a “screwed up” health record look? The next time your doctor looks at health records are they doctored? Or not?

Every day there is a new day and the hackers are looking for new ways to make money including using the massive amount of health data already stolen.

This means we need to be wary of our information usage and review all manners of defenses everywhere.

Test, test, test your defense should be the mantra. Because the hackers are probing and attacking all the time. It is a classic red vs blue issue.

Sure Connect ABC device to Internet!!??

Sure Connect ABC device to Internet!!??

Amazing to note that many companies are creating devices to connect to the Internet and thus open these devices up to a variety of attacks.

Note the following Blog MWR Labs

The default root password has been disclosed by Packetstorm last year January 12th, 2016.

Login to telnet with the credentials: root / founder88

Did you read that correctly? Yes last year.

This Biometric hardware by Fingertec does not operate like a traditional machine, it is ‘updated’ and gets it’s intelligence from the ‘cloud’. Which means it is on the Internet.

This means that you are exposing this device to the hackers and wily operators of the world.

The problem we have is managers that make decisions to purchase and install these devices are not thinking about security at all.

In fact due to their preconceived notions of it will not happen to us, we are too small, we have nothing to steal, and more excuses, Cybersecurity is not thought about.

They do not understand the implications of clear text tcp/ip communications by Fingertec. To a seasoned hacker (security professional) the device will take a little effort but can be breached rather quickly. Especially if basic precautions are not kept, like changing default passwords.

PCI compliance requires default passwords to be changed, but do we really have to wait for PCI compliance to require the biometric devices to have encrypted communications over the Internet

What if you have Biometric devices? are they connected to the Internet? Maybe they are vulnerable.


Contact US to help you with vulnerability analysis

New DDOS Attacks Changes Likelihood in Risk Assessments

The hacker must have a method in starting an attack like Dynamic Denial of Service (DDOS). in the last few days. the one which used hacked cameras and DVRs (Brian Krebs story) in attacking many Internet properties.

Im sure you have seen the many media stories about this DDOS attack on various media (including Computerworld)

Moneyquote from Computerworld article: Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, said on Sunday that security vulnerabilities involving weak default passwords in its products were partly to blame.”

The hackers used the weak default passwords of these devices (cameras and DVRs – IoTs) to create a program that controlled many of these devices to then create an attack using the simplest method of all – just ask for a connection.

Asking for a connection might be innocuous but when a hundred thousand devices do it then it becomes a traffic jam. And pretty soon it is not a regular traffic jam, but the monster trucker traffic jam.

We have discussed this IoT powder keg before in our “Hidden hacks in Network” Also “IoT Botnet can DDOS Your Webserver”

What does this new DDOS attack mean for the foreseeable future?

we have to figure out Risk in our compliance-IT departments.

Risk assessment:

Risk = Impact * Likelihood

The interesting thing of security is that Likelihood can change with the latest occurrences in the world.

So now all of our Risk calculations are changed.

In the past many vulnerabilities are downplayed when they consist of some kind of DOS (Denial of Service)

As usual this means that it depends on your impact from a DOS event. If you are using a webserver to accept sales orders and you are getting attacked by these DOS events your Risk has now increased.

What can you do? It may be hard to differentiate the traffic from standard traffic, but that is what we would have to do. Figure out what this malware does and filter the traffic. Here is where you have to have competent Network Operations Center (NOC) . The source code to the Mirai malware which was purported to be behind the DDOS attacks was placed up on GitHub (by James Gallagher) and looks to be still there https://github.com/James-Gallagher/Mirai

What if there is no major impact because there are no sales on the web(Internet) then there would be no appreciable affect BUT

As Amazon, Twitter and other Internet properties had problems due to the nature of the DDOS as it affected DNS servers providing addresses to the general public.

This particular attack was an indirect attack, as your own servers were not targeted only DNS servers which may or may not have translated your name to IP addresses across the world. So ‘it depends’ on whether you would have an impact or not. One thing is for sure if you are creating IoT devices and have lax security default passwords and the like which are vulnerable to these types of attacks, in the future you may be liable for any damages.

In any case this is a great example for re-evaluating your Internet exposure and updating your risk analysis.

Using Yahoo Email? Should You Notify Customers that Your Email is Breached?

Everyone listening to the news should know by now that Yahoo’s email service has been hacked. CBSNews story: {Yahoo Confirms Massive hack of 500 million accounts, blames “state actor”}

In Yahoo’s terms of services section DISCLAIMER OF WARRANTIES:

19. b.

YAHOO AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, PARTNERS AND LICENSORS MAKE NO WARRANTY THAT (i) THE YAHOO SERVICES OR SOFTWARE WILL MEET YOUR REQUIREMENTS; (ii) THE YAHOO SERVICES OR SOFTWARE WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE; (iii) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE YAHOO SERVICES OR SOFTWARE WILL BE ACCURATE OR RELIABLE; (iv) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION OR OTHER MATERIAL PURCHASED OR OBTAINED BY YOU THROUGH THE YAHOO SERVICES OR SOFTWARE WILL MEET YOUR EXPECTATIONS; AND (v) ANY ERRORS IN THE SOFTWARE WILL BE CORRECTED.

I’m no legal analyst, but this disclaimer of warranty is not promising they will keep your stuff secure. when it says so in their disclaimer of warranty!!!

Are you using Yahoo mail as a business email account? Since Yahoo Mail was hacked and your account likely was one of them, you have to think about this as if a hacker has your account information:

The hacker could look at your email – what can they figure out from your email flow?

Do you use of your Yahoo email account as primary account on logging into other services?

Where do you log in with your yahoo account information (it is the primary email) wherever that is could cause problems for you.

Unfortunately Yahoo is also the email service for many Phone, Cable and Internet service companies, and that means your home email account is now compromised. For example this story in The Telegraph mentions 8 million accounts now affected in the UK.

A hacker could log into your Yahoo account and notice emails which create other hacks.

So if you re using Yahoo email think about all the places it is being used as a login account name and consider what happens when the hacker has that as well.

How are your risk management assessments when the hackers have usernames and passwords in your network? In fact risk assessment should be changed with that in mind? Does your IT security keep that scenaio in mind?

Should you be looking in your network for data to be retrieved by accounts looking like normal traffic? Are you reviewing standard traffic for exfiltration of company data?

Now that you know your email has been hacked when do you notify customers? If it was me, I would notify them that my Yahoo account is potentially hacked and will be moving to another company ASAP.

Being a little paranoid is not a bad thing in Cybersecurity.

Contact Us to discuss the changing liabilities in your Cybersecurity risk management framework with this Yahoo hack or any potential liabilities that you may not have thought of yet.

Password Manager Lastpass Has Security Flaw

Unfortunately another flaw in software for which we expect to have _none_, at least in security software written in ZDNet¹ post:

This just in 7/28/16 story by Cnet – http://www.cnet.com/news/big-security-bug-fixed-by-lastpass-password-manager/ Looks like Lastpass fixed another bug quickly…

Tavis Ormandy (a Google Project Zero hacker) used a couple of tweets to point out security flaws in Lastpass

LastPass is reportedly patching the problem… Forbes² seems to review more detailed problems with Lastpass as well since it looks like another hacker Mathias Karlsson also hacked Lastpass as noted in Detectify³ although Mathias’ hack was fixed.

So now what? Should we discontinue using password managers? Or how should we use our computers?

Definitely use different passwords on different sites:

Email(gmail), banks, Twitter, Facebook, LinkedIn, and many other locations ask for passwords and require us to create a unique password.

In Security one has to be aware of the news of zero day vulnerabilities, and ZDnet is #9 on our Top30 blogs to watch at our page: Security-News-Analyzed(4). The idea is to be a hawk on everything in your environment as to any potential problems so that you can watch and react if needed.

The password management problem is going to be with us until a new technology can remove this particular authentication issue.

Until then I recommend to keep several password managers and one additional “method” Use pen and paper for a few passwords. Make sure you have different passwords for all sites, and keep a few passwords ‘offline’.

Contact me to discuss how to help you protect your network even if you have Lastpass (there are ways to defend ) Tony Zafiropoulos 314-504-3974