I’m sure I’m not the first person create a fake account on Facebook for researching Security and I doubt I’ll be the last, but over the space of the previous month it has shown me just how people go about using the Social Network medium without spending the time to think about the information they are making public. I’ve mentioned in a recent blog post about information garnered from simply listening on a train, and with that in mind, wondered just how much personal information people are willing to share to complete strangers over the Internet. Much is made of the overall security of Facebook, both in passing discussions with customers and in the Media, but how much comes down to how the end user implements this, together with some common sense about just how the Internet works?
My Philosophy regarding all forms of Internet activity, be it Social Networks in general or forum posts, is that if I wasn’t prepared to stand in the middle of a busy street and hold the text, or photograph, on a large placard, then I should not post it on the Internet. Over reaction? Possibly, but with numerous stories in the media regarding Status Updates, posts or tweets leading to job losses, court cases and even prison sentences, surely taking that such a stance can’t be seen as folly. Employers, in my experience, have a varied range of policies regarding Social Media ranging from denying access completely, to allowing full access and everything in between. We’ve even had very recent reports in the Media of employers asking potential staff in interviews for their Facebook password so they can vet them before any job offer is proposed, which is quite frankly mind blowing, let alone an invasion of privacy.
Leading up to this blog post, as alluded to at the start, I created a fake Facebook profile to see how much information could be garnered with very little effort. It took me around 10 minutes to create a profile; 24 year old female, English sounding name, university background, interests in sport, movies and gaming. I added a cartoon as a profile picture and found three stock photos in the Internet to give some substance to the profile. Each picture had at least two girls, in various social situations and at no point did I indicate that either of them were the owner of the profile. I sent out no friend requests, no updates, nothing on my wall and liked no posts, yet within a week I was receiving friend requests. While some of these looked like groups for various activities and just wanting to expand their network, others were real profiles with everything that comes with it. Even after accepting the friend requests I had no communication with them, yet the information garnered, in some cases, gave me a great overall picture of their lifestyle. Some users had all their personal information such as place of work, mobile number, family connections, pictures of their children or partners, all their recent GPS locations from checking in and various other details all available to a total stranger. In a few cases I could also see full profiles of their friends or colleagues. I noticed status updates mentioning serious details about their workplace, which also gives a general indication on how they felt about their employer, leading to a possible target for Social Engineering. While this probably wasn’t too surprising as most of us know what can be placed on Facebook, I received two friend requests from members a local Police Force, with both of them in uniform in their profile picture. Their profile pages made no attempt to hide who their employer was and each profile stated openly they were looking for a relationship, two aspects would be very worrying for their superior’s to discover and makes them open to targeting for social engineers.
Social Networks are a fantastic way to keep up-to-date with friends who may live far away and there is no doubt a site like Facebook or Twitter has dramatically changed the way in which we communicate, but with it has to come user education and an understanding of the risks. Social Networking has exploded on us so quickly that there is a lack of security awareness surrounding the whole medium. While user education is certainly a way forward, the use of filtering throughout the work place and general usage policies would help to eradicate some of these problems.
This Facebook account, incidentally, was closed down by me before this article was written.
Within the past few days we’ve had reports of three high profile security breaches where passwords and possibly full account credentials have been compromised and posted online. My account was one of those hacked by the LinkedIn breach which affected over 6 million people, but with last.fm and e-Harmony also having been compromised, we have had nearly 15 million accounts hacked within hours of each other. With pretty much everything we do these days having some form of online presence, the number of accounts we have to remember is growing in numbers. While we are all aware of the need for secure passwords and to make sure they aren’t shared or used in more than one location, there is only so much information we, as human beings, can hold regarding this. Unless you use a site on a regular basis you aren’t going to remember hundreds of different account details. A large number of the passwords obtained from the LinkedIn breach were along the lines of “password”, “Pa55w0rd”, “letmein”, “linkedinpassword” or such like, alongside this is the fact a lot of people will use the same passwords for various sites, meaning that a compromise of one could potentially lead to the unauthorised access of your Facebook, Twitter, e-bay, Amazon or Pay Pal accounts.
So what is the easiest way to counter this problem? With using weak passwords (for ease of memory), together with the trouble of safe storage (post-it notes) it is becoming impossible to keep our security standards across ten to fifteen websites, the best way to manage this is to allow a product to do it for you. There are various Password Managers out there with a wide range of features to help you get the most of your credential management:
Desktop - desktop software storing passwords on a computer hard drive.
Portable - portable software storing passwords on a mobile device, such as a PDA, smart phone as a portable application.
Token - a security token with multi-factor authentication combines "something you have" (smart card or USB stick), "something you know" (PIN or password) and "something you are" (biometrics).
Web based - Online password manager where passwords are stored on a provider's website.
Stateless - Passwords are generated on the fly from a master passphrase and a tag using a key derivation function.
All these methods have their place, depending on exactly what you are looking for. Many tie-in directly with your browser allowing you to create complex passwords for new site logins, save them securely and use them only when you visit those sites. While I’m not going to promote a particular management tool here, there are many to choose from and many to suit your exact requirements.
Certainly something worth thinking about next time you use your Facebook password while creating a new account elsewhere.
May 2011: Berlin - A suspected al-Qaeda member was arrested and found with a memory card containing a password-protected folder, in which were held some hidden files. Computer forensics experts managed to discover 141 separate text files on this memory card which contained documents detailing al-Qaeda operations and plans for future operations—among them, three entitled "Future Works," "Lessons Learned," and "Report on Operations." These files weren’t easy to find, they were actually hidden within a pornographic video using a method called Steganography.
Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message. This can certainly be described as a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing" from the Greek words steganos (στεγανός) meaning "covered or protected", and graphei (γραφή) meaning "writing". Generally, messages will appear to be something else: images, articles, shopping lists, or some other cover text and, classically, the hidden message may be in invisible ink between the visible lines of a private letter. While we have the advance in technology, these methods are still relevant, just used within this new medium. Steganography is not a new system for transferring secret messages under the radar; the German’s famously used such methods during World War 2, but has also been linked to modern day terrorism all the way down to paedophile networks.
The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages, no matter how unbreakable, are likely to arouse suspicion. After all, just the act of encrypting a message indicates information contained is confidential or important. Steganography can be said to protect both messages and communicating parties, whereas cryptography protects the just the contents of a message, as in some countries the method of encrypting is in itself illegal. Digital steganography may include steganographic coding inside of a transport layer, such as a document file, image file, or program as demonstrated by the example in the first paragraph. There are various methods if hiding information within the digital medium ranging from simply opening a picture in a text editor and adding some text, to using the least significant bit substitution. To encode data within a file, the software will break up each byte of data into individual binary bits. The values of those bits are then substituted for the least significant bit in a sequence of bytes in that cover file. So, for example, the binary code for the letter "F” 01000110 could be hidden in eight bytes of data in an image file like this:
Before the steganography is applied, data that looks like this:
As you can see, in this case, only three out of eight bytes were actually changed. But even so, the subtle shifts in values could create a significant amount of interference in the target image, movie or audio file if they were packed closely together. There needs to be a compromise here though, as making too many changes to an image or video file will reduce the quality or presentation enough as to arouse suspicion. However, there are more sophisticated tools in which this information can be hidden and cope with image resizing or even cropping by manipulating the discrete cosine transform (DCT) coefficients used in the jpeg compression. These methods can also be used within audio files by making subtle manipulations to the waveform of audio, inserting data in places where it is least obvious to the human ear.
Staganographic detection is notoriously difficult to counter by using technology alone, as the subtle changes are more suited to the human intervention; however, we are now seeing more high-end DLP products make use of the Fingerprint techniques to have more granularity in detection of protected data. Checking this from the bit level and building an extensive database to compare against means that these techniques will have to keep evolving over time, as they have from the start, to make sure it is still a viable method of information transference without those in the middle having any idea what is going on.
You'd be hard pushed these days to find a company or individual user who isn't using some form or Wireless Network (I'm connected to one on the train as I type), and while hardwired networks offer their own security levels, what are the dangers with Wireless Networks when it comes to security? We've recently seen three guys in America who have been jailed for a total of 25yrs for wardriving (The practice of driving around looking for vulnerable wireless networks) and hacking into various companies to steal data, information and nearly $3m. While their crimes did also include physically breaking into buildings and installing keyloggers, their main reconnaissance methods were via the wireless connections they stumbled upon. There are a few myths surrounding securing a wireless network, which I will address first.
WEP or Wired Equivalent Privacy was the standard encryption level a few years ago and some still use this believing it to be secure. As our demonstrations showed during my CEH course last year, WEP is very easy to crack and can be done so in just a few minutes. The trick is to sniff the traffic as it's flowing across the network and through capturing this data, the WEP key is recovered. Very easy to do, especially with the free tools available to help out. WEP uses an RC4 algorithm, whereas using WPA or WiFi Protected Access (Specifically the CCMP encryption system) uses the AES algorithm and is therefore much more secure.
Others also laud the virtues of hiding the ESSID, however, what you are doing here is simply security through obscurity. It will stop people accidently connecting to your wireless network, but the ESSID is passed in plain text the moment anyone connects to the network, meaning all a hacker has to do is sniff traffic until a legitimate user connects in, and they then have the ESSID
One of the other methods is MAC Address filtering. MAC, or Media Access Control, addresses are tied to an individual network card, and are unique; so many security solutions set access based around this. If you have a corporate owned laptop then you make a note of the unique MAC address and only allow this machine onto the wireless, right? Wrong. It sounds great in principle, but currently connected devices broadcast their MAC address, so a simple sniff across the network will give a hacker a handy little list of allowed devices. Still, this isn't useful, surely, as they are unique and bound to specific network cards, right? Wrong again. MAC address spoofing is very easy and by simply using software to present a fake MAC address from the hacker’s laptop, the device is seen as authenticated and allowed to connect.
Wireless networks are not a new thing, yet the mind-set of many is still linked with that of hardwired networks. By installing a wireless network in your office, you are allowing those sitting outside in the car park the same access, potentially, as those who have passed through the personal checks at company reception.
So, for wireless access, I would suggest you think carefully about exactly why you are allowing this and the business justifications behind it. Always use WPA encryption, but not only that, look at your internal network infrastructure and make sure that anyone connecting to it is potentially vlan'd off into a secure area. Only allow the bare minimum of network access you require, as most wireless connections are used for guests or visiting staff anyway, legitimate users shouldn't have a problem securing access through the correct means if necessary. Wireless traffic is also easily sniffed, so again, bare this in mind when looking at what access users have over this connection type.
In this video Matt explores how to set up profiles in the iPhone Config Utility in order to push out policies to managed devices. Along the way he'll show you how to develop policies for passcodes, WiFi and Exchange active sync.
As always, our technical team are on hand if you need help or advice with either your security products or practises.
With the large amount of interest recently in the Sophos Mobile Control product I get asked all the time about the best ways embrace the Bring Your Own Device, or BYOD, situation. In truth, the “best way” is entirely up to your organisations requirements and policies. With Corporate owned devices it is very easy to apply blanket policies, but the issue of BYOD has numerous considerations.
So what kind of aspects do we need to look at when thinking about controlling BYOD’s?
1 – My Life is in there!
“If a Smartphone lives up to what it should be then it is something, as human beings, we will have an emotional relationship with because it's there all the time, it's our window on the world, it's our mouthpiece, it's everything we are and have. ‘My life is in there’ you hear people scream.”
Mr Fry is very well known as someone who has been embracing the Social Networking, and the above quote is very true when it comes to looking at personal devices. People do have their lives in those devices, whether this be e-mails, calendar entries, contacts, photographs, applications.. the list goes on. A recent survey discovered more people have Smartphones than toothbrushes, the information contained within these devices together with the impact on trying to control these aspects can be huge on a personal level. Policies need to take this into account: What do we control? What levels of control do we wish to take? What can we realistically expect our users to accept in order to use their personal devices for work.
2 – A defined purpose
A clear distinction is required on the purpose of using these devices for work. Are managers, directors or other members asking to use them just because they want to use a nice shiny toy, or are they clear business applications for these devices? We’ve seen a clear use for corporate devices in all sectors, including NHS, Corporate and local governments from documentation management to using them for Web Application and data entry. However, is it realistic to be using BYOD’s for these aspects? In most cases, the more granular Device Management features are overkill to the requirements, with simply enforcing passcodes or managed, compliance driven access to e-mail being the main factors.
3 – Remote Lock and Remote Wipe
Corporate owned devices make it easy to use the Remote Wipe feature included with most solutions, although with non-sandboxed solutions, BOYD gives the extra complication of wiping all personal data too. We’ve had a few customers who have mentioned this as a positive, giving the end user a way to have confidence that their own data can be wiped in case of loss or theft, but in the most part, users are very reluctant to have this feature at the hands of work colleagues they have no relationship with. Sandbox devices bring their own complications with document and data management being the positive aspect, however, you still need to have profiles in place external to those for basic management of the device itself. You are also adding a third party solution on top of the devices OS, which may or may not be compatible later down the line
4 – Data or Device
In discussions regarding device management, it often becomes clear that customers are looking at securing Data rather than the Devices, in which case it is more an overall solution of document management tied in with DLP solutions in order to reach their goal. It is going to be very unlikely that Mobile Devices will be used to view sensitive data intentionally as those with compliance criteria to meet will undoubtedly be hand tied into accessing this data elsewhere. The Data security problems often come from unintentional leakage, such as forwarding e-mails or documents, and while device management can cover a few areas when dealing with this, it is more a Data Management issue
So, in short, Mobile Device Management really falls into three areas. Are your requirements suitable for a sandbox solution, or is managing the entire device more suitable, or are you looking at control Data to the devices, rather than the devices themselves? These three aspects really need consideration before looking for a suitable solution.
A recent report by The John Grieve Centre for Policing and Security at London Metropolitan University, contributes 80% of all cybercrime to your run-of-the-mill crook. Going against the Hollywood movie grain, cybercrime is more likely to be perpetrated by the older generation than the basement dwelling loners portrayed on the silver screen. Nearly half of cyber-crooks (43%) are over 35 years old, and less than a third are under 25. (29%)
So has the lined blurred between the Blackhats, Hacktivists and Script Kiddies? The motives of anyone involved in cybercrime will always be defined, but we can arguably say the line between them has got thinner. With the Hacking tools available on the web, Backtrack being one of many, the need for coding or scripting has been substantially reduced. This means that those with a mere penchant for mischief will now be able to do considerably more damage, for arguably less effort. Virus writing software is freely available and easily allows people to build malware, spyware and Trojans which can exploit application vulnerabilities or create an army of botnets around the globe with which to launch these attacks. With the increase in the technology available it means a decrease in the skills needed to commit cybercrime, meaning the people hacking into your SQL database could easily be the local street gang rather than some organised Russian syndicate. Cybercrime isn’t just limited to online scams, dodgy pharmaceuticals or ID theft anymore, the range of damage caused by these attacks, together with the methods involved have shown in the recent media that much more is at stake, and that burying your head in the sand and taking the “It won’t happen to me” attitude is a seriously dangerous one to take.
So how can we combat the evolving nature of cybercrime? As the technology available in the hacking circles increases, the methods needed to protect against have to keep pace. Those that perpetrate these nefarious activities have an extensive network either by association or through other mediums and keeping up to speed with these ever changing attacks is becoming increasingly difficult. The moment security vendors put something in place to stop a possible attack the crooks will find a way to circumvent it. Vulnerabilities are being found on a daily basis in a variety of applications, and with the explosion of social networking and other communication methods, these are often known to attackers well in advance of any potential patches being released into the wild. It is essential that IT administrators do not rest on their laurels but keep up to date with the latest technology, methods and advancements if they are going to ensure protection of their network infrastructure.
A recent article within The Register has shown that the main reason Windows machines are infected with Malware is due to third-party applications and lack of security or patches. Of these infections, 85% are due to drive-by attacks within various websites and is fast replacing E-mail as the main source of malicious software infections. With this in mind, would you be able to tell me how secure your web filtering solution is? There are many myths and presuppositions regarding web content, but many administrators seem to err on the dangerous side of lethargically thinking that bad things won't happen to them if they don't think about it.
So what are the main myths surrounding the Internet?
Illusion 1 - My users are educated and don't surf inappropriate websites To quote Edward Felten and Gary McGraw: "Given the choice of dancing pigs and security, users will pick dancing pigs every time". Your average end user isn't worried about security as they see it as being already covered by the IT department. Given the chance to surf a website full of jokes or inappropriate content they will take it if the filtering in place lets them. Reports state employee productivity loss due to web surfing sits at around 1-2 hours a day and that around 40% of corporate internet usage falls within this inappropriate category. While these numbers look useful from a management report point of view, what are the ramifications on a day to day basis? You may inform your users of the threat housed within the pages of their web surfing, but the onus lies with the IT administrators to make sure this content doesn't touch your network. Legal issues regarding gambling or pornography at work are one thing, and often well known, but the malicious threats from a variety of sites not always listed in the usual banned categories pose a bigger risk to your infrastructure. It's not just the usual suspects that house malicious content, in fact, 83% of malware hosted sites are legitimate and trusted sites you would expect people to visit on a daily basis.
Illusion 2 – Infections only happen if you download files User education and experience has now given most people the common sense to be suspicious about attachments they aren’t expecting, or, even downloading files in general from the internet. Unfortunately, the malware writers also evolve with the times and the majority of infections now come from infected websites many IT administrators see as “safe”. Hackers can hijack a site and inject malicious code, causing browsers to download and execute malware without any user intervention at all; meaning simply browsing to a page can cause an infection. With this in mind, having web content policies in place which go purely on URL filtering will severely cripple the web protection on your network. With hackers targeting sites which are seen as generally trustworthy, it may be that even legitimately surfing the internet will lead to malware infections.
Illusion 3 – Web content protection is purely office based Traditional web content solutions, and indeed traditional thinking, mean that filtering and protection are mostly based on the in-office infrastructure. Desktop machines, servers and laptops use standard or transparent proxy configurations to deliver the web content protection. But what happens with remote workers or those members of staff, like me, who spend a lot of time on the road? While in-the-cloud filtering options are available you are still reliant on third-party connectivity, whereas there are now endpoint solutions available which allow the IT administrators to set a policy from a central console and still have the confidence that it will be enforced on machines when users connect in from home, from hotels or even free public Wi-Fi.
The threat within the realms of the Internet is an ever changing and dynamic one, meaning that protection against these threats will need to mirror this, thus not resting on the laurels of age-old solutions and thinking ahead if you are not to get caught in the web of lies.
Reading through a recent article from the Information Commissioner’s Office, I still have to wonder how the message of IT security has diluted on its widespread travels through the ether. With various NHS trusts and city councils losing information, monetary penalty notices being handed out and more stories appearing daily within a range of press mediums, I'm amazed more IT departments are not being more proactive with their data security.
So just how easy is it to lose this information? Aside from the malicious intent, the methods of accidentally losing data are more prevalent than you think. In the last quarter alone, we have incidents of NHS trusts e-mailing or faxing patient records to the wrong addresses, laptops stolen from cars, USB keys lost or stolen and patient confidential information left at a city bus stop. In an age where Data Loss Prevention, Device Control and Encryption are workable and manageable solutions, why do these incidents keep occurring? Some say it could be lack of time and resources in the departments involved, some would indicate user education or awareness. Whatever the reasons behind the breaches, there really is no excuse given the technology available.
I've mentioned it before and have no qualms in saying it again, a layered security approach is without doubt the best way to protect your data from falling into the wrong hands. Encryption techniques, installation and management allow for easy implementation onto company laptops, with no performance overhead, to give peace of mind that if a laptop does fall into the wrong hands, the information kept upon it is safe. Same can be said for USB devices, whether that be setting a policy to use software encrypted drives or going so far as automatically enforcing encryption on every USB key presented to a desktop, the options available to administrators are numerous. Data Security is never going to be a totally set-and-forget solution, but allotting some time to prepare and prevent will surely save you in the long run when it comes to repair and repent.