T is for …

Tailgating

Tailgating is very easy to spot. It’s when you follow someone through a barrier without swiping your entry card, entering your PIN, etc. You might have seen someone do this in a car park or elsewhere, following another vehicle in without paying: it’s the same principle.

Trojan

Taking its name from the Trojan Horse of ancient Greek tales, a Trojan is a form of malware in which the malicious code is hidden inside what looks like an innocuous application or other piece of code.

Two Factor Authentication / 2FA

2FA is becoming increasingly common, and is a really good idea for any accounts you may have where you have to enter bank or credit card details. Single (one) factor authentication is usually just your username and password.

With two factor, you’re normally asked either for your fingerprint (on iPhones, for example), or you may be sent a code to your registered phone, which you need to enter after your password (PayPal operates like this). It’s really just an extra layer of security, based on something you know (eg your password) and something you have (a fingerprint, or a code sent to a mobile device).
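As an added illustration (not code from the original post), here is how a service might issue and check a code of the kind described above, the one sent to your registered phone. It is Python; the `SecondFactor` class, the six-digit, five-minute, three-attempt policy and the fake clock are assumptions made for the example. The point it shows is what the server has to get right behind that "extra layer": it keeps only a keyed hash of each code, compares in constant time, and treats expired, replayed and repeatedly wrong codes as failures.

```python
"""Added example (not from the original post): issue and check a one-time
code as a second factor.  Policy values below are assumptions for the demo."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6        # assumption: six-digit code
CODE_LIFETIME_S = 300  # assumption: valid for five minutes
MAX_ATTEMPTS = 3       # assumption: three wrong guesses burn the code


class SecondFactor:
    """Pending codes keyed by username.  Only an HMAC of each code is stored,
    so a leaked copy of this table does not reveal usable codes."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock      # injectable so a test can control expiry
        self._pending = {}       # username -> [code_hmac, expires_at, attempts_left]

    def _mac(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, username: str) -> str:
        """Create a fresh code and return it for delivery (SMS, app push, ...).
        Issuing again replaces any earlier code for the same user."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[username] = [self._mac(code), self._clock() + CODE_LIFETIME_S, MAX_ATTEMPTS]
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """True only for the current, unexpired, unused code; wrong guesses are
        counted and the code is discarded once MAX_ATTEMPTS is reached."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry[1]:
            del self._pending[username]
            return False
        # constant-time compare so response timing does not leak partial matches
        if hmac.compare_digest(entry[0], self._mac(submitted)):
            del self._pending[username]   # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]
        return False


def wrong_code_for(code: str) -> str:
    """A code guaranteed to differ from `code` (demo helper)."""
    return "000000" if code != "000000" else "111111"


def demo() -> dict:
    """Exercise the common paths with a fake clock; returns the outcome per case."""
    now = [1_000_000.0]
    sf = SecondFactor(server_key=b"demo-only-key", clock=lambda: now[0])
    out = {}
    code = sf.issue("alice")
    out["wrong_code"] = sf.verify("alice", wrong_code_for(code))
    out["right_code"] = sf.verify("alice", code)
    out["replay"] = sf.verify("alice", code)          # second use of a good code
    code = sf.issue("bob")
    now[0] += CODE_LIFETIME_S + 1                      # let bob's code expire
    out["expired"] = sf.verify("bob", code)
    code = sf.issue("carol")
    for _ in range(MAX_ATTEMPTS):                      # burn carol's code with guesses
        sf.verify("carol", wrong_code_for(code))
    out["after_lockout"] = sf.verify("carol", code)
    return out


if __name__ == "__main__":
    print(demo())
```

Only the right code, used once and in time, succeeds; everything else in `demo()` returns `False`. The attempt limit matters because a six-digit code has only a million values, so an unlimited number of guesses would make the second factor worthless.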

Cyber viewing

Just as my recent post focussed on a selection of books related to social engineering and the psychology behind cyber crime, this post will look at a range of films, documentaries and TV shows which offer insight into the industry. They’re not intended to be a definitive list, and there are many great examples which aren’t included here, but you’ll get the idea…

So, what do we have in this little collection? All 3 series of Lie to Me basically dramatise the work of Paul Ekman, dealing with microexpressions and what they tell us. Ekman was actually a consultant on the series, so you’d have to hope that a lot of what it tells us about the science is true.

Catch Me if You Can is the film of the book by Frank Abagnale, starring Tom Hanks and Leonardo DiCaprio. It’s quite a good adaptation, but I have to say I think the book is much better. They both document Abagnale’s exploits as a teenage con artist who spent time variously as a pilot, doctor, teacher and lawyer. He was eventually caught by the FBI and became a valuable resource to them and financial institutions, explaining how fraudsters operate and helping to develop ways of making counterfeit banknotes more difficult.

CSI: Cyber follows the same format as all the other CSI series, but focusses on a crack cyber team which includes some former black hat hackers. There are some really interesting (and realistic) scenarios brought to life in both series.

Sneakers and Hackers are both well known in cyber security circles, though quite dated now. Mr Robot is the current favourite for some of my colleagues, who tell me it’s pretty realistic in many respects.

Citizenfour is the real documentary telling the tale of Edward Snowden’s breach: at the time it was filmed the only people who knew it was happening were in the room. Snowden is a dramatisation of the events leading to Snowden making the decision to leak the documents.

We Steal Secrets is the story of Julian Assange and Wikileaks. After watching this and Citizenfour you’ll have a much clearer idea of the scale of data theft and the personalities of two of the key people who have been major players over recent years.

Honourable mentions have to go to a couple of films missing from my shelf. Spectre and Skyfall are the two most recent 007 James Bond films, and they both give a good idea of the art of the possible these days. Spectre in particular should ring alarm bells when you see that many governments want to share data with each other.

Die Hard 4.0 is a bit tongue in cheek, but if you think of the story with nation states involved rather than terrorists then it is also (allegedly) possible in parts. Just think of the instances where Ukraine has lost its entire power supply from time to time, or when every Estonian government department was offline for several days and you’ll see that it’s already happening (probably).

What other films or shows have you come across? Are there any you’d recommend?

Social Engineering and Human Nature

I’m often asked, particularly by new entrants into cyber, what books they should read, and what podcasts they should listen to. The list of both is endless, but I thought I’d share some titles with you. Before we start though, a word about my relationship with books…

I’m a passionate reader, and a compulsive purchaser of books. So I have a lot on my shelves that I’ve not yet read, but loads that I have. I had cause to sit and ponder today and reckon I’ve over 25m of bookshelves at home, which are mostly full – and a pile of books by my bed, and another on my desk.

For some reason, I group my books by subject matter and height order, and have recently moved away from keeping all by the same author together to having them grouped by colour. (My LPs are stored in alphabetical order, by artist then by album title: this is something I’ve done since I was a teenager!)

The picture with this post shows my “social engineering” shelf, which includes titles on microexpressions (Paul Ekman) and the psychology of persuasion (Robert Cialdini). Interestingly, the author of the Cyber Effect, Mary Aiken, was a producer and consultant for the show CSI: Cyber, and was in fact the inspiration for Patricia Arquette’s character in the programme. (Beware though, once you start watching, you’ll watch the entire series in one sitting!)

It’s not possible to be a good social engineer, to gain people’s trust and ask them to do things to help you, without understanding human psychology. Ditto if you’re carrying out phishing attacks, you need to know what will make people click on links etc.

Microexpressions give away how someone is really feeling, so it’s really important that social engineers understand and recognise these. If you want to know how they can be used, you might want to watch the show Lie To Me. Paul Ekman was a consultant on the show, and his work is explained particularly well in season 1. (Another binge watch alert here!)

It’s impossible to talk about social engineering without mentioning Kevin Mitnick. Once one of the FBI’s top 10 Most Wanted fugitives, Mitnick is one of the foremost authorities in the world on social engineering. I have already written a post about his book, Ghost in the Wires.

I’ll share information on some of the other books on my shelf another time. These should be a good starter for you if you’re interested in the meantime!

Gatwick Continuity Planning

It was reported on the BBC today that flight departure screens had failed at Gatwick airport for much of the day. The airport authorities implemented their contingency plans – whiteboards – and apparently no flights were delayed or cancelled. Some passengers have complained about a lack of information, but I think that the fact no flights had to be cancelled is a real credit to all involved.

This is a great example of good contingency planning in action. The authorities had obviously thought about what they’d do in advance, so when the screens were unavailable they knew what to do. I can’t imagine they had whiteboards and pens etc just sitting waiting to be used, but it’s a really good effort nonetheless.

What can we learn about this from an Information Security perspective? Business Continuity Planning is vital, but it doesn’t always hinge on having spare technology available. Take it back to basics: what is needed to keep the business running? In this case, electronic boards were replaced with whiteboards and marker pens, but what would be your equivalent?

Try to think about what could happen, and what you could do to react if there was a problem.

Q is for …

Quantum computing

You probably know by now that typical computers function by using 1s and 0s, using binary maths. The transistors in them are either off (0) or on (1), with data being held as binary digits (bits).

In quantum computing, quantum mechanics form the basis of the machine. Rather than bits and bytes, quantum computers use quantum digits (qubits). I have to confess that I don’t understand the maths involved, but the two things to bear in mind are these:

  • There are more than just 1s and 0s: qubits can be in multiple states at the same time
  • Viewing the state of a qubit changes it

What these mean is that quantum computers have the potential to be incredibly fast, but it’s difficult to make use of their multiple states because looking at their state changes them.

Some organisations, eg IBM, have built small prototype quantum computers, but the technology is in its infancy. It will probably be several years before this sort of processing becomes commercially available.

When they are finally built, processing speeds will be massively increased, which also means that existing cryptography techniques will be at risk because even brute force attacks can be carried out so much faster. A new form of quantum cryptography will have to be developed and implemented.

US names arrested Fin7 cyber-gang suspects

This story appeared recently on the BBC website.

Three members of a notorious hacking group, variously called Fin7, Carbanak and JokerStash, have been arrested and named. The three individuals were arrested in Germany, Poland and Spain: one has already been extradited to the US and extradition proceedings have begun against the other two. The hacking group had attacked targets in the US, UK, France and Australia, and is still active today.

The remarkable thing about these arrests is that law enforcement had to overcome one of the largest obstacles to law enforcement in the digital age: legal jurisdiction. Where computers are connected to each other globally, with actions being carried out from different countries, often in different continents, it’s hard to know which laws have been broken, and which law enforcement agency takes priority / precedence.

In this case, those answers appear to have been solved. There has been a lot of collaboration between the various law enforcement agencies in the US and Europe, resulting in these arrests. It is to be hoped that this level of collaboration becomes the norm, and that countries are able to work together to bring criminals to justice, wherever they are active and irrespective of where their targets are.

Town dusts off typewriters after cyber-attack

This story appeared on the BBC website the other day. Basically the town’s borough council was hit with ransomware and their systems were brought to their knees.

It’s not unusual for one or two devices in an organisation to be infected with ransomware. Typically those devices are isolated from the network and all other machines checked to ensure that patching and antivirus signatures are up to date. In this case, it would appear that the entire network, including servers, has been infected and devices are having to be built from scratch, with alternative technology (typewriters – some younger readers may need to look these up) being used in the meantime.

This incident immediately raises a number of questions:

  • How did the organisation allow all machines to get infected?
  • Did they have an incident response plan and did it include this scenario?
  • Were their patching and antivirus regimes appropriate, and was there any kind of reporting in place to identify gaps?
  • Does the organisation have a standard build, and were the build states of all 500 devices known?
  • If the ransomware has been dormant since May, does that mean that backups are also infected? How does the organisation know that restoring from backup won’t reinfect their network?
  • What scanning of incoming attachments was carried out?
  • What training have staff had in respect of phishing emails and incident response procedures?

From those questions, it is relatively easy to identify what good practice would be e.g. document and test your incident response plans, make sure patching is kept up to date, and train your staff.

P is for …

Password

There has been much written about passwords, but for this entry I thought it worth defining what a password actually is. It’s a code, phrase or sequence of letters and numbers which is used to validate that you are who you say you are. It’s often used in conjunction with a username, or when you log in to a device or system.

You’re advised to keep your password secret, known only to you, because this helps with non-repudiation.

Patching

Pretty much all software has vulnerabilities in it. The more complex the software, the more likely it is to have vulnerabilities. Patches are pieces of code written by software developers to fix those vulnerabilities once the manufacturers become aware of them.

Patching is the process of applying these bespoke pieces of code. Typically patches are given a severity based on the risk the vulnerability contains. Urgent patches should be applied as soon as possible, whereas low risk patches don’t need to be applied so quickly.

When applying patches in a work environment, it is advisable to test the patch on several machines first, before applying it to every device, just in case there are any issues or conflicts which the patch causes with existing software.

Payload

Viruses often contain malware, some of which contains special code to try to compromise a device. This is typically called a payload. Different viruses carry different payloads, and some carry multiple different payloads.

An analogy which might help: with bomber aircraft, the bombs they carry are referred to as the payload.

Penetration test

A common way of testing web sites and web applications is to run a penetration test. This is where ethical hackers i.e. people with prior permission from an organisation, run tests to see if they can find vulnerabilities, and find out what would happen if those vulnerabilities are exploited.

Typically, the testers will provide a report documenting their findings, and the organisation being tested will then fix any issues found by the testers.

This should be run on a regular basis, because new vulnerabilities, including zero day threats, are constantly being discovered.

There are also physical penetration tests, where people are hired to try to access a business. This is called a red team test.

Phishing

Phishing is a form of attack where the bad guys send email to a list of email addresses (which they’ve often bought on the dark web). The email typically either has an infected attachment or a link to an infected website, or it contains a message asking you to help someone release money from their bank account or some equally ridiculous plea for help.

These messages are indiscriminate and are not targeted at specific individuals. Those which are specifically targeted are known as spear phishing or whaling.
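An added example (not from the original post) of the kind of check a mail gateway or an analyst’s script can run over an incoming message to surface the signs described above: a display name that claims a domain the real sender does not match, a Reply-To pointing somewhere else, link text naming one domain while the link itself goes to another, and a macro-enabled or executable attachment. It is Python using only the standard library; the two messages, the domain names in them and the risky-extension list are constructed for the example, and the "registrable domain" helper is a deliberate simplification (last two labels) rather than a real public-suffix lookup.

```python
"""Added example, not from the original post: surface common phishing
indicators in a raw email using only the standard library."""
from __future__ import annotations

import os
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: attachment types that commonly carry a malicious payload.
RISKY_ATTACHMENT_EXT = {".exe", ".js", ".scr", ".vbs", ".docm", ".xlsm"}
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Simplified 'registrable domain': the last two labels (demo only)."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _addr_domain(addr: str) -> str:
    return registrable(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing fired."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _addr_domain(addr)
    # 1. display name names a domain that the real sender address does not match
    for claimed in DOMAIN_RE.findall(display.lower()):
        if registrable(claimed) != sender_domain:
            findings.append(f"display name mentions {claimed} but sender domain is {sender_domain}")
    # 2. replies would go to a different domain than the apparent sender
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _addr_domain(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} differs from sender domain {sender_domain}")
    for part in msg.walk():
        # 3. attachment of a type that can carry executable content
        fname = part.get_filename()
        if fname and os.path.splitext(fname)[1].lower() in RISKY_ATTACHMENT_EXT:
            findings.append(f"risky attachment {fname}")
        # 4. link text names one domain while the href goes to another
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            collector = _LinkCollector()
            collector.feed(body)
            for href, text in collector.links:
                if not href or not href.lower().startswith(("http://", "https://")):
                    continue
                m = DOMAIN_RE.search(text.lower())
                target = registrable(urlparse(href).hostname or "")
                if m and registrable(m.group(0)) != target:
                    findings.append(f"link text says {m.group(0)} but points to {target}")
    return findings


# Constructed sample: a lure with all four indicators present.
SAMPLE_EMAIL = """\
From: "examplebank.com Security" <alerts@examplebank-verify.example>
Reply-To: verify@other-host.example
To: someone@corp.example
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://examplebank-verify.example/login">sign in at examplebank.com</a> to confirm.</p></body></html>
--BOUND
Content-Type: application/octet-stream; name="statement.docm"
Content-Disposition: attachment; filename="statement.docm"
Content-Transfer-Encoding: base64

AAAA
--BOUND--
"""

# Constructed sample: an ordinary internal notice, which should produce no findings.
BENIGN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@corp.example>
To: someone@corp.example
Subject: Maintenance window
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://intranet.corp.example/notice">intranet.corp.example</a>.</p></body></html>
"""

if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print(line)
```

Run as a script it prints the four findings for the constructed lure and nothing for the benign notice. None of these checks is proof on its own (legitimate mail sometimes sets a different Reply-To, for instance), which is why a real gateway scores several indicators together rather than blocking on one.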

Principle of Least Privilege

A key feature of cyber security is making sure that users only have access to the programs or data they need access to for their job. This is known as the principle of least privilege.

For example, there’s generally no reason why someone working in the accounts department needs access to personnel records, or someone working in HR probably doesn’t need access to files for a specific project. Access would normally be restricted to help protect data.
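The accounts/HR scenario above, as an added example in Python (not from the original post): a deny-by-default authorisation check where each role is granted only the resource/action pairs its job needs, an audit trail of decisions, and a small access-review helper that lists grants a user never actually exercised. Role, resource and user names are assumptions made for the example.

```python
"""Added example (not from the original post): deny-by-default authorisation
for the accounts/HR scenario, plus an access-review helper.  Names are assumed."""
from dataclasses import dataclass, field

# Each role is granted only the (resource, action) pairs its job needs.
# Anything not listed here is denied, which is what least privilege means in practice.
ROLE_PERMISSIONS = {
    "accounts": {("ledger", "read"), ("ledger", "write"), ("invoices", "read")},
    "hr": {("personnel_records", "read"), ("personnel_records", "write")},
    "project_x": {("project_x_files", "read"), ("project_x_files", "write")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def granted(user: User) -> set:
    """All (resource, action) pairs the user's roles confer."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Deny unless some role explicitly grants this exact resource and action."""
    return (resource, action) in granted(user)


def check_access(user: User, resource: str, action: str, audit: list) -> bool:
    """Authorise and record the decision; repeated DENY entries are worth alerting on."""
    allowed = is_allowed(user, resource, action)
    audit.append(f"{'ALLOW' if allowed else 'DENY'} user={user.name} {action} {resource}")
    return allowed


def unused_grants(user: User, used: list) -> set:
    """Grants never exercised in the observed period: candidates to remove at review."""
    return granted(user) - set(used)


def demo() -> tuple:
    """Constructed walk-through: an accounts user, an HR user, and a review."""
    audit = []
    alice = User("alice", {"accounts"})
    bob = User("bob", {"hr"})
    check_access(alice, "ledger", "read", audit)             # ALLOW: part of the job
    check_access(alice, "personnel_records", "read", audit)  # DENY: accounts has no need
    check_access(bob, "project_x_files", "read", audit)      # DENY: HR has no project need
    # Constructed usage log: alice only ever read the ledger this period.
    review = unused_grants(alice, [("ledger", "read")])
    return audit, review


if __name__ == "__main__":
    log, review = demo()
    print("\n".join(log))
    print("never used:", sorted(review))
```

The review helper is the half of least privilege that gets forgotten: access tends to accumulate as people change roles, so comparing what was granted against what was actually used, and removing the difference, keeps the principle true over time rather than only on the day an account is created.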

O is for …

On-premise

This term is used to describe equipment which is physically located in your offices. The alternative would be a third party hosted service such as those offered by cloud hosting providers.

Open Source Intelligence

The internet is full of many sources of information, many of which are free. This is known as Open Source Intelligence (commonly called OSINT).

The most well known sources of information are social media sites like Facebook, LinkedIn and Twitter. If users do not lock down their accounts, potential attackers can learn a lot about them just by trawling their details. For example, Facebook allows you to list family members, friends, schools, colleges and work places, all of which are invaluable to attackers.

Operating System

All computers need code to tell them how to interact with their components eg keyboards, mice, monitors etc. They also need code which tells them what to do when switched on, how to store files and how the file store is structured. All of these services are provided by the Operating System, or OS for short. The most common operating systems for desktop and laptop computers are Microsoft Windows, Mac OS and Linux. Smartphones and tablet devices also have operating systems, the most common being Apple iOS, Android, Blackberry and Windows Mobile.