W is for …

Whaling

When people launch spear phishing attacks against senior members of staff, this is known as whaling (because they’re after the big fish). That’s the only real difference between the terms, though the types of attack may differ slightly.

Whales are more likely to be the target for mandate fraud, where an email purporting to be from eg the Chief Executive of an organisation goes to the Finance Director, or Finance team, asking them to make an urgent payment to a particular bank account.

White Hat

Ethical hackers, ie those who carry out lawful penetration tests with written permission from a client, are often called white hats. This is because they’re the good guys: hackers who attack without permission are black hats. The name comes from 50s and 60s films set in the Wild West, where the colour of the cowboy’s hat told you whether they were good or bad.

WiFi

Wireless connections to computers often use WiFi (rather than Bluetooth). Good practice dictates that WiFi connections should be encrypted, using WPA2 encryption. WEP and WPA are both weak encryption protocols and should not be used.

Worm

A worm is a form of malware which replicates itself in order to infect the computer it is on and any others it can find.

V is for …

VPN

A virtual private network (VPN) is a form of network connection between two points which is encrypted. This helps protect the network traffic from being intercepted by others, and helps to keep the message secure.

It’s a really good idea to use a VPN if you’re away from home, eg in cafes or when using other public WiFi connections. There are quite a few available, for mobile phones as well as for laptops etc; they’re quite easy to find, and there are free as well as paid-for versions on the market.

Virus

A computer virus is a form of malware which can carry different payloads. Just like a virus which infects people, a computer virus is designed to infect devices by a number of different methods. Using antivirus software, and keeping the software updated, as well as regularly applying patches, is a good way of reducing the risk of infection.

Vishing

Vishing is a form of phishing which is done over the phone (voice phishing) rather than by email. It’s often used in conjunction with phishing to add credibility to the email which was sent, and to try to improve the chances of the target being successfully socially engineered.

Vulnerabilities

Almost all software has faults in it, which may take some time to discover. These faults are called vulnerabilities, and they are fixed when patches are issued.

Vulnerability scan

A vulnerability scan is similar to a penetration test, but doesn’t go into as much detail. It’s the equivalent of a burglar trying the doors and windows on a house to see if they’re open – and then not going into the house (which would be a penetration test).

All it does is identify how an application, website or other system is vulnerable, but it doesn’t tell you what you could do if you exploited the vulnerability.

S is for …

Smishing

This is very similar in concept to phishing, but instead of email being used to deliver malicious code or links to malicious websites, SMS text messages are used. The messages often look as though they’ve come from someone you know and / or trust, but they have typically been spoofed to make you think they are legitimate.

As with phishing, if you are in any doubt at all that the message has come from the person you think it has, contact them by another means eg phone them, access their website etc.

Social engineering

This is a broad term, but generally speaking it is the art of persuading someone to provide you with information, or access to something, which they shouldn’t really have. It takes many forms, and just as with hacking there are people who do social engineering for good (eg red team members) and those who do it for nefarious purposes (eg con men).

Again in general terms, the good guys will only use techniques that leave you feeling good about the experience, and will not try to manipulate or coerce you into doing something you don’t want to. The bad guys will have no qualms about trying everything to bend you to their will.

Spam

This is the catch-all phrase used for unwanted email, much of which may contain viruses or malicious links. In many ways it’s the electronic version of the junk mail (aka direct marketing) which most of us experience. Over 45% of all email sent globally is currently spam, though in 2014 that figure was over 70%.

When you consider there are over 235 billion emails sent every day, it is clear this is a huge volume of spam, and it is therefore unsurprising that some of it makes it into your mailbox, irrespective of what anti-spam tools you are using.

Spear phishing

Spear phishing is a form of phishing (whaling is a variant of it), and differs in that the emails are directed at specific targets. Information about the target is normally found through Open Source Intelligence gathering, and an email is then crafted to take advantage of that information.

For example, if someone did some research on me and found that I was a fan of London Irish rugby and the band Coldplay, they could create an email designed specifically for me which could perhaps give me the opportunity to get 50% discount on tickets to see Coldplay or 75% off a hospitality package at the rugby. If I was a genuine fan of either I might be tempted by those offers, and might click on any link in the message or open an attachment.

Spoofing

There are software packages available which allow a person to mimic another person’s phone number, and there are also techniques which allow them to send email which looks as though it has come from someone else. This practice is called spoofing.

Imagine you have been receiving text messages from your bank, and one day you get another message (in the same message stream) which asks you to click on a link to update your details. This could be a spoofing attack. One way to check is to contact your bank by phone, in person or on their website.

Next, imagine you get an email from your boss, and it looks genuine. It may be formatted the same as your company email address, and may follow the same naming convention eg mary.brown@acme.corp, but the mail has come from outside your organisation and again it has malicious links or attachments in it. Many organisations protect against this by adding some text to the subject line of an email eg the phrase [EXT] or [external] if it has come from outside the organisation. This is a simple and obvious visual clue.
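The subject-line tagging described above can be implemented as a small mail filter: any message whose sender domain is not one the organisation owns gets “[EXT]” prepended to its subject. The code below is an added example, not code from the original page; the domain acme.corp, the staff list and the three sample messages are all constructed. It also adds one signal the entry does not mention: flagging an external sender whose display name matches a real member of staff, which is exactly the “looks like it came from your boss” case.

```python
"""External-sender tagging for spoofed "boss" emails.

Added example, not code from the original page. The organisation's domain
(acme.corp), the staff list and the sample messages are all constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

EXT_TAG = "[EXT]"
# Constructed: domains the organisation actually owns. Anything else is external,
# including lookalikes such as acme-corp.com.
INTERNAL_DOMAINS = {"acme.corp"}
# Constructed: display names of real staff, used by the impersonation check.
INTERNAL_PEOPLE = {"mary brown", "john smith"}


def sender_parts(msg: Message) -> tuple[str, str]:
    """Return (display name, domain) from the From: header, lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def is_external(msg: Message) -> bool:
    """Deny by default: a message is internal only if its domain is one we own."""
    _, domain = sender_parts(msg)
    return domain not in INTERNAL_DOMAINS


def impersonates_staff(msg: Message) -> bool:
    """True when an external sender uses the display name of a real employee.
    This is one step beyond the plain [EXT] tag the entry above describes."""
    name, _ = sender_parts(msg)
    return is_external(msg) and name in INTERNAL_PEOPLE


def tag_external(msg: Message) -> Message:
    """Prepend [EXT] to the subject of external mail. Idempotent, so a message
    that passes through the filter twice is not tagged twice."""
    if is_external(msg):
        subject = msg.get("Subject", "")
        if not subject.startswith(EXT_TAG):
            del msg["Subject"]
            msg["Subject"] = f"{EXT_TAG} {subject}".strip()
    return msg


def process(raw: str) -> tuple[str, bool]:
    """Parse a raw message; return (final subject, impersonation flag)."""
    msg = tag_external(message_from_string(raw))
    return msg["Subject"], impersonates_staff(msg)


# Constructed sample messages.
INTERNAL_MAIL = (
    "From: Mary Brown <mary.brown@acme.corp>\n"
    "Subject: Q3 figures\n\nAttached as discussed.\n"
)
LOOKALIKE_MAIL = (
    "From: Mary Brown <mary.brown@acme-corp.com>\n"
    "Subject: Urgent payment\n\nPlease pay the attached invoice today.\n"
)
VENDOR_MAIL = (
    "From: Billing <billing@supplier.example>\n"
    "Subject: Invoice 1234\n\nThanks.\n"
)

if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, LOOKALIKE_MAIL, VENDOR_MAIL):
        subject, impersonation = process(raw)
        print(f"{subject!r:30} impersonation={impersonation}")
```

The filter only looks at the From: header, which is the one the recipient sees; in a real deployment it belongs behind SPF/DKIM/DMARC checks at the mail gateway, and the tag is a visual cue for people rather than a control on its own.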

Stuxnet

Stuxnet was shrouded in secrecy but is now very well known. It was a sophisticated piece of code which targeted a specific make of industrial control system, and was used in an effort to cripple the Iranian nuclear programme. It featured a number of zero day exploits which targeted vulnerabilities in the centrifuges used in a specific power plant, causing them to spin out of control while in the control room everything looked normal. The intent was to prevent the Iranians from developing a nuclear weapons capability.

It is an infamous and ingenious piece of code. For more information, you may want to see the documentary made about it, called Zero Days.

Switch

This is a network device which helps segment a local area network into separate networks. It differs from a router in that it only knows one path from one network to another, whereas a router can search among multiple possible routes and determine the best path for network traffic to take.


R is for …

Red Team

Just as penetration testers try to get access to an organisation electronically, red teams try to get physical access to the organisation. They use a combination of Open Source Intelligence gathering and social engineering to get access.

These teams are typically engaged by senior management to test processes such as visitor registration, tailgating, signing in, staff challenging non-wearers of passes etc.

Remote access

As the name suggests, this is the process of providing access to systems from a remote location. For example, many people are given access to their work systems when not in the office. This uses remote access tools including VPNs and Two Factor Authentication, or a combination of multiple tools. It means you don’t physically have to be in the office to access your work systems.

RAT

A Remote Access Trojan (RAT) is a piece of malware which enables attackers to gain control of a target machine from a remote location. When attackers use phishing techniques, the first step once the victim has followed the link is often to install a RAT. This enables an attacker to get access to the device and carry on their attack using other tools.

Router

A router is a network device which examines network traffic and forwards it to the most appropriate part of the network.


P is for …

Password

There has been much written about passwords, but for this entry I thought it worth defining what a password actually is. It’s a code, phrase or sequence of letters and numbers which is used to validate that you are who you say you are. It’s often used in conjunction with a username or when you login to a device or system.

You’re advised to keep your password secret, known only to you, because this helps with non-repudiation.

Patching

Pretty much all software has vulnerabilities in it. The more complex the software, the more likely it is to have vulnerabilities. Patches are pieces of code written by software developers to fix those vulnerabilities once the manufacturers become aware of them.

Patching is the process of applying these bespoke pieces of code. Typically patches are given a severity based on the risk the vulnerability contains. Urgent patches should be applied as soon as possible, whereas low risk patches don’t need to be applied so quickly.

When applying patches in a work environment, it is advisable to test the patch on several machines first, before applying it to every device, just in case there are any issues or conflicts which the patch causes with existing software.

Payload

Viruses often carry malicious code, some of which is specially written to try to compromise a device. This is typically called a payload. Different viruses carry different payloads, and some carry multiple different payloads.

An analogy which might explain this: the bombs carried by a bomber aircraft are referred to as its payload.

Penetration test

A common way of testing web sites and web applications is to run a penetration test. This is where ethical hackers i.e. people with prior permission from an organisation, run tests to see if they can find vulnerabilities, and find out what would happen if those vulnerabilities are exploited.

Typically, the testers will provide a report documenting their findings, and the organisation being tested will then fix any issues found by the testers.

This should be run on a regular basis, because new vulnerabilities, including zero day threats, are constantly being discovered.

There are also physical penetration tests, where people are hired to try to access a business. This is called a red team test.

Phishing

Phishing is a form of attack where the bad guys send email to a list of email addresses (which they’ve often bought on the dark web). The email typically either has an infected attachment or a link to an infected website, or it contains a message asking you to help someone release money from their bank account or some equally ridiculous plea for help.

These messages are indiscriminate and are not targeted at specific individuals. Those which are specifically targeted are known as spear phishing or whaling.

Principle of Least Privilege

A key feature of cyber security is making sure that users only have access to the programs or data they need access to for their job. This is known as the principle of least privilege.

For example, there’s generally no reason why someone working in the accounts department needs access to personnel records, and someone working in HR probably doesn’t need access to the files for a specific project. Access would normally be restricted to help protect data.
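In code, least privilege comes down to a deny-by-default check: a request succeeds only if some role the user holds explicitly grants that action on that resource, and anything the roles don’t mention is refused. The example below is added here and is not from the original page; the roles, users and resources are constructed to mirror the accounts / HR / project illustration above, and the excess_privilege function shows the other half of the principle, finding rights someone still holds but no longer needs.

```python
"""Least-privilege authorisation: deny unless a held role explicitly grants it.

Added example, not code from the original page. Roles, users and resources are
constructed to mirror the accounts / HR / project illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    resource: str  # e.g. "personnel-records"
    action: str    # "read" or "write"


# Constructed: what each job role genuinely needs, and nothing more.
ROLE_GRANTS: dict[str, frozenset[Permission]] = {
    "accounts": frozenset({
        Permission("invoices", "read"), Permission("invoices", "write"),
        Permission("ledger", "read"),
    }),
    "hr": frozenset({
        Permission("personnel-records", "read"),
        Permission("personnel-records", "write"),
    }),
    "project-alpha": frozenset({Permission("project-alpha-files", "read")}),
}

# Constructed: which roles each user has been assigned.
USER_ROLES: dict[str, frozenset[str]] = {
    "alice": frozenset({"accounts"}),
    "bob": frozenset({"hr"}),
    "carol": frozenset({"accounts", "project-alpha"}),
}


def effective_permissions(user: str) -> frozenset[Permission]:
    """Union of the grants of every role the user holds (empty for unknown users)."""
    perms: set[Permission] = set()
    for role in USER_ROLES.get(user, frozenset()):
        perms |= ROLE_GRANTS.get(role, frozenset())
    return frozenset(perms)


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Deny by default: unknown users, roles, resources and actions all fail."""
    return Permission(resource, action) in effective_permissions(user)


def excess_privilege(user: str, needed: set[Permission]) -> frozenset[Permission]:
    """Permissions the user holds but does not need for their current job: the
    set a periodic access review should strip back."""
    return effective_permissions(user) - frozenset(needed)


if __name__ == "__main__":
    print(is_allowed("alice", "personnel-records", "read"))   # accounts cannot read HR data
    print(is_allowed("bob", "personnel-records", "write"))    # HR can
    # Carol has moved off project alpha but kept the role; the review flags it.
    print(excess_privilege("carol", set(ROLE_GRANTS["accounts"])))
```

Two design choices matter here: the check looks up an exact (resource, action) pair, so a read grant never implies write, and the lookup falls through to an empty set for anything unknown, so a typo in a role name or a user who has left the directory gets nothing rather than everything.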

H is for…

Hacking

I’m pretty sure that you’ve all heard the term “hacking”, and you probably know that it has negative connotations. But what exactly is it?

Put simply, it’s trying to get access to a computer or network using vulnerabilities in the security of the target. Note that I don’t necessarily say software: people can be hacked too, which is effectively what social engineering is. I won’t go onto social engineering here as it’ll be covered under “S is for…” later this year, so for the moment I’ll concentrate on hacking software.

Almost all software has errors in it which can be used to make the software do things the manufacturer didn’t intend. The bad guys know this, and spend a lot of time looking for those errors, then writing their own software to make use of these vulnerabilities (weaknesses): this process is called writing exploits.

The bad guys have a number of ways of getting their exploits to run on your systems: phishing emails are perhaps the most common and well known method, as are infected websites which download and install software in the background.

The best ways to protect your systems from hackers are:

  • Change your passwords regularly and enforce long, complex passwords for administrator level accounts
  • Keep patching and antivirus updated
  • Ensure your systems are vulnerability scanned, preferably penetration tested, on a regular basis
  • Ensure you / staff are trained to spot phishing emails

Hacktivism

Hackers who attack systems in support of a specific cause are engaging in hacktivism. Organisations like Anonymous rose to attention because they attracted hacktivists supporting different causes to attack companies which were involved in those causes.

Hybrid cloud model

As the name suggests, this kind of model is a mix of cloud and on-premise service provision. Some of the data / servers being used are in data centres run by your organisation, and some are in the cloud.

Do you have privacy fatigue?

It’s a fact of life these days that we constantly seem to have people giving out dire warnings about being careful what information you share online, who can overhear you giving out your credit card numbers etc. It seems like we’re being warned that there are ears everywhere.

Do you know what? There are.

But these constant messages of your impending doom could also have a negative effect, a sort of “it doesn’t matter what I do, the bad guys will get my data anyway” attitude. This sort of apathy and resignation could be a form of privacy fatigue, and is discussed in this excellent article which my better half kindly shared with me.

It describes how you can tell if you’re suffering from privacy fatigue, and explains what the term means and is based on academic research, which I liked.

There are a couple of points to note about the article though: the sample was quite small – less than 400 people, and the demographic was quite narrow – only people in their 40s and early 50s.

Perhaps the biggest shortcoming in the article as far as I could see was that it didn’t talk about the “so what” aspect of what it had to say (but then it’s in a psychology publication, not a security one so that makes sense). What are the risks of sharing, and why is it important not to become fatigued?

I can still remember the days when mobile phones, smartphones, email, social media and computers didn’t exist. Back then, you wouldn’t dream of standing in the middle of the street and handing out your bank details including statements, or shouting out details of when you were going on holiday. You almost certainly wouldn’t go up to everyone you met and told them where you kept your cheque book and cheque guarantee card (told you I remember a long way back!). Would you have stood on one side of a wall and shouted over it, to whoever might have been listening, who you’re thinking of employing and how much you’re thinking of paying them, or details of a business proposal you’re writing?

I’m guessing that you would agree all of those would be pretty foolish things to do. But effectively, that’s what you’re doing when you drop your guard in respect of privacy.

If you don’t lock down your privacy settings on your social media applications, you’re making every aspect of your life visible to anyone else on the internet.

If you use the same password on multiple websites, you’re making it easier for the bad guys to get access to more of your life.

If you’re talking about confidential things, knowing who else is listening is really important.

Please don’t be complacent. Please be careful. Please don’t get privacy fatigue.

Vehicle Security

You’ve no doubt heard the stories about cars being hacked over WiFi or Bluetooth, but today I want to talk about an easier security risk: second-hand, hire and courtesy cars…

I’ve recently had my car in the garage to have it serviced, and I was provided with a reasonably new courtesy car. I had to drive a fair distance so paired my mobile phone over Bluetooth so I could listen to podcasts while driving. As part of the pairing process I was asked if I wanted to replace the existing contact list for the phone in the car, and that set me thinking…

I looked at the sat nav, and guess what? Several pages of addresses were listed, none of which I’d added: these had been created by those who had the car before me.

I looked at the list of connected phones, other than mine, and there were a couple of pages of paired phones, including some which said things like “John Smith’s iPhone”.

I looked at the existing phone contacts listed on the car – none of them were mine.

What does all this mean? It’s all pretty innocent stuff, right? Wrong.

I can now try to match “John Smith” with the addresses listed. I can use the phone contact list to look for people that “John Smith” might know: for example, on social media and sites like LinkedIn. I know what kind of phone he uses, so that tells me more about him too. This is all information I could use to mount a spear phishing attack, if I was so inclined.

Of course, I’m not so inclined: I’d much rather tell you about it so you can protect yourself.

So, what can you do? Simple: if you borrow a car, whether as a hire car, courtesy car, or if you’re selling your car, make sure you delete all your details including addresses and contact information before you hand the car back.

I told you so…

Just thought I’d share this piece from the Hoax-Slayer website (great site to visit often, in my opinion) which basically confirms everything I said in my previous article on here. It’s good to know I wasn’t giving you false information! 

Other things to look out for, which I hadn’t mentioned previously are:

  • the sensationalist videos, like one purportedly showing a snake which has eaten a man
  • the enticing videos, like those purportedly showing celebrities flashing parts of their body
  • the desperate videos, where people are going to be in distress and need your help

All of these are deliberately crafted to get you to click on the initial link. From there, who can tell what you’ll be persuaded to do…

Things you do on Social Media which you shouldn’t

As a regular and long time Facebook user, I’m often surprised at some of the behaviour that goes on there. I’m not just talking about the harassment and ridicule of people, the cat videos and all that, but there are a number of things which are putting you and other users at risk. I’m going to explain what some of those risky behaviours are here.

If it sounds too good to be true, it probably is…

1. Competitions where you simply have to “Like” and share a page to enter in order to win a free Maserati or holiday to Bora Bora, things like that. I talked about this in my previous article, but it’s worth reiterating. You have access to Facebook, Google etc for free, and the price you pay for that free access is that your data is shared with their partners. You then start to receive targeted advertising for products they know you’re likely to want. When you “like” one of these targeted adverts that decision also gets added to the data they hold on you, which gets sold on. Have you ever personally known anyone to win one of these contests? The advertisers are paying the likes of Facebook and Google because you clicked a link and what do you get? More and more adverts!

If all you get is more adverts, that’s harmless though, isn’t it? I’m afraid not. Some unscrupulous businesses will use this as a means to target you with scams, with malware, with all sorts of things with the aim of ripping you off, infecting your machine or getting access to all your contacts. 

2. Images of starving or sick children and animals, asking you to type “amen” etc rather than scroll by. This is just another way of getting your details, for the same reasons as above. Click on enough of these and your chances of being sent some sort of scam mail asking you to donate money to help prevent starvation etc increase.

This may sound cruel and heartless, but for the bad guys this is just a numbers game, it’s just business to them. They. Don’t. Care. The more people they can sign up, the more money they can make. Manipulation is the name of the game. 

3. Lists where you have to fill in details like have you ever been in a police car, had a tattoo, been whale watching etc. Part of the information you give up (and the fact you participated) feeds into 1 above, with the attendant consequences. You’ve just given advertisers a good idea of the sort of things you like to do, or are prepared to participate in. They can work out what level of risk you’re prepared to take, what sort of person you are – and that means they can target your vulnerabilities and weaknesses and work out what you’re likely to fall for.

Some of these lists can be quite long and hidden within them are questions which you may have used for your security information with your bank or other online services. These include questions like what your first pet’s name was, what your first school was etc. These can then be used to try to steal your identity, get access to your accounts, open credit cards in your name and so on.

4. Offers of free software or add-ons to existing products, which I’ve seen more and more often on LinkedIn. Even seasoned security professionals are clicking to “like” the post, or reply with “yes”. This is no different from 1 above, and these people should know better. I often feel like chiming in to remind them of what they’re doing –  but my responses would also be captured and I’d be targeted in a different way! 

It’s worth pointing out here that 1-4 are sometimes known as “click baiting”, because it’s a bit like fishing. The bad guys put bait on their hook, cast it out into the water and see who or what bites. 

5.  Adverts for products you may be interested in may just be the advertisers confirming what they think they know about you. Or, it could be less subtle with the adverts taking you to fake sites in order to obtain your credit card details, or offering you goods which don’t appear or are substandard. The links you click on may contain malware, or may take you to a site which is infected. If you really want that product, go to a reputable web site that you know to be genuine and buy from there. 

6. Another favourite is when you get a friend request on the likes of Facebook or LinkedIn. What do you do to verify that the request is from who they say they are? What happens if you’re already friends with that person? Could their account have been cloned? Do you check by another route to see if the request is legitimate? Do you just accept the request because they’re connected to other people you know? This is all potentially dangerous and may leave you open to a variety of different attacks, from the click baiting sort of thing we’ve seen above, to social engineering and requests for money / other assistance.

Hopefully this hasn’t all scared you, but has made you more aware of the risks of doing the things listed above. Think before you click on that link, or before “liking” that post. One of the things the bad guys do is try to elicit a reaction from you by preying on your emotional responses. So leave your computer, tablet or mobile device for a minute or two and give yourself a chance to think. Just remember the adage: “if it sounds too good to be true, it probably is”.