In a Russian Conflict: Cybersecurity another Dimension of Attack

(((4/19 update below)))

Given that cybersecurity is another dimension of attack (alongside the dimensions of Land, Air, Sea, and Space), how would we be affected by this dimension?

On Land one sees one's foe most of the time, and if the enemy wants to take your stuff they have to physically take it (or they send munitions instead via artillery, with limited range).

In the Air one can take troops up and over your land and enemy land forces to drop them and take stuff. Munitions can be dropped from remote areas, but one has to send missiles and airplanes where radar can see them.

At Sea one can move around with ships or submarines to drop people off to take stuff. The munitions are sent via devices which are likewise physical.

Space, although a unique area, is also a physical dimension with physical munitions.

In Cyber, how do you know the enemy is not already in your systems? There is no need for enemy soldiers to leave their homes or their barracks; they can attack your infrastructure without moving. Control of your computers can be taken automatically, and it can look like a third party attacked. Cyber has an electronic dimension, so the fact that it is not as physical “or real” has made understanding this dimension more difficult for some.

So what does this mean? It means that if you understand how to navigate a command line or can read custom code, you can understand this phenomenon (Cyberwar) in ways a non-speaker cannot:

Maybe this analogy will help:

You know in Physics there is Height, width, and length?

What about the fourth dimension (and not time)?

It is hard for us 3D people to think 4D. That seems to be the same for people who do not live in Cyber: they just DO NOT get the details!!! It does not matter how much I try to explain the details, 4D is too much of a leap for some.

So I think Cyber is just too difficult a concept, or maybe a better word is ‘strange’, for many people.

 

****UPDATED 4/19 12pm Central******

An interesting story about Russia attacking US and UK routers…

https://mashable.com/2018/04/17/russian-router-warning-us-uk/#slGg.DbuWsqF

Remember my post on 3/13/18?  http://oversitesentry.com/replace-your-wi-fi-router-if-2yr-old/

Some good quotes from the Mashable article:

‘These “cyber actors” are identifying vulnerable devices to break into, where they can extract device configurations, harvest login details, and control the traffic that goes through the router.’


A quick review from my post: you can’t patch routers older than 2 years, as they are not being patched by manufacturers.

********************************

Compliance departments are reverse engineering Cyber understanding from the effects of a breach. Since it is too difficult to decipher code, we say “don’t perform CC (credit card) processing without encryption”, but we don’t say which encryption, or how the data should be sent. There are many more pitfalls for a manager without technical knowledge.

If Hackers can steal data of your prized customers with a thermometer, then what else can they do?

So what to do? Create Cyber audits to review the IT world in your entity. Otherwise you will see headlines that you will not like.

Contact Us to discuss


Protect Privacy of Client Data using New Ways

Do you want to actually improve your level of Cybersecurity?

What will you do differently today or in the next few months better than last year?

As in a past post, the GDPR has laid out new regulations that affect an entity that has data of an EU resident, with impact on any of the following:

  1. Private and family life, home and communications data
  2. Physical and mental integrity
  3. Personal data
  4. Freedom to work and choose occupation
  5. Freedom of thought, conscience and religion
  6. Freedom of expression

The key in this graph is to be near the green shaded squares, not the bright red squares; i.e. a high probability with a critical impact is bad and requires focus, whereas an unlikely probability with a negligible impact is not so important to focus on.

The problem is to find the critical-impact, high-probability events in a manner that also makes them easy to see.

In the computer world we have focused almost exclusively on personal data (PII – Personally Identifiable Information).

But there are privacy concerns that are more difficult to identify, such as:

What does it mean to protect freedom of expression?

Say someone follows a political cause, like Greenpeace, and for some reason another non-profit has an interest in getting new donations. Here is a Google search that had a “People also search for” area:

So keeping even a log of searches or other information might lessen some freedom.

Freedom to choose an occupation?

How can lack of privacy screw up your freedom to choose an occupation? Besides the pictures on Facebook of your late-night parties, what if you say one thing on Facebook and another in an interview?

Freedom of thought?

Curtailing of freedom of thought may be happening already, but that may be “good”. If you are a criminal and try to add illegal items for sale, that may not be possible due to the filters. Although your freedom was curtailed, the overall good of fewer illegal acts on the Internet may be desirable. Other curtailing of freedom of thought, as in “my politics is better than yours”, is much more complicated to curtail or even attempt to make fair, as it is in the eye of the beholder. So politics may not be able to be policed. This subject will depend on the country, as the USA has a unique constitution regarding freedom of press and speech.

Private and home communications?

Here the advertiser’s nirvana is to learn how you use ‘stuff’ so that they can modify it and make you buy their ‘stuff’ instead. So how much private information should be ‘clouded’? Too bad there are no smoke generators with which one could create a bunch of junk signals that just confuse the advertiser.

So you can see that Cyber is about people and information. As an interesting Black Hat keynote on YouTube (presented by The Grugq) said: Cyber is a new dimension in conflict which is still not fully theorized or conceptualized. Not that it is stopping anybody.

So we have to start focusing on privacy data protection in many new ways (and use the GDPR as a start, if only because it offers a look into the initial bureaucratic mindset behind privacy regulations).

Contact us to get a start on the new privacy regulations to come.

How many Bad Cyber-Characters Are There?

As I was listening to “The Future is not Blockchain. It’s Hashgraph.” I had a question as they were discussing how a potential attack could come into their product, i.e. what if 3 out of 5 players in a card game were cheaters? Obviously the cheaters would win, unless the game was found to have been cheated and you could enforce something to recoup losses.

The problem we have is that we are on the Internet, and we have to be, so the obvious question came: how many bad characters are on the Internet right now?

Let’s list some of the known actors:

  1. Ransomware creators (criminal syndicates in friendly legal areas – East European countries)
  2. Ransomware creators (bad state actors, like North Korea, Iran, and to some degree China, only because China has had local governments able to do this for some time, and any others that push their weight around)
  3. Malware creators that want to make Bitcoins or Monero by using your computers to mine cryptocurrencies (could be anybody)
  4. DoS (Denial of Service) attacks, used for threats and ransom in other ways, are sold on the Dark Web for money, so anybody can attack anybody else (competitors, neighbors, etc.)


The reality is we do not know “exactly” who our adversaries are, and there are estimates that ransomware cost $5 Billion in 2017, but numbers can be inflated.

But let’s turn that around: if your device receives ransomware and you cannot unlock it, then statistics of millions (or Billions) of dollars mean little when your device is not working.

So yes, it is good to know your adversary, and there is no shortage of criminals and their methods to extract more money from their marks (people who do not know how to defend their computers).

What does that mean to all of us without exaggeration?

So we know there are a lot of cyber criminals, and they are constantly looking for you to mess up. They are becoming more sophisticated not less.

So here is a report by Mandiant (a FireEye company) that investigates last year’s actual breaches and other activity they found at client sites and more; you can click on the report without registering.

There is also an interesting statistic they have compiled: “Dwell time”, the number of days that there is evidence of a compromise on the network before detection.

Dwell time in America was 75.5 days in 2017, an improvement of 23.5 days (it was 99 days).

The average for the world was 101 days in 2017.

So this is an interesting statistic and is in line with Cybersecurity discussions as I know them. Once a bad character breaches a network, they stay under the radar for a while, then perform their stealing or destruction before they are found.

So if we use both sets of information, we know the Cyber criminals are making a lot of money and they are very sophisticated. They are not like the old “script kiddies”, for whom it was fun to see what mischief they could get into. Today’s bad characters are here to stay, to make more money this year than last.

We have to become more sophisticated as we keep using more of the Internet with more technologies.

Contact Us to discuss the sophistication of attackers and more.

Can European Regulation Help You Design Data Privacy?

There is a great video overview of what GDPR (General Data Protection Regulation) is: “Preparing for GDPR” by John Elliott, head of payment security, EasyJet.

Make no mistake, bureaucrats like to look at each other’s notes, so if a “new” regulatory method is coming … the US and Asia are watching. In fact the GDPR has some aspects of American breach regulations which apparently European countries have not had before (notification of breaches).

In my eyes the most interesting aspect of GDPR is that this snapshot from the video shows how it now focuses on potential data security problems (breach, privacy, etc.) which will be weighed as to their effect on the actual customer data, i.e. beyond the breach and the obvious effect of a number of records stolen by criminal hackers. There is a “respect for private and family life, home and communications” and a “Freedom to work and choose an occupation”. These two phrases, picked out from the others, show that the bureaucrat can make up a lot of rules out of this, and it is not clear what the company has to do to the data for it to count as “respect for private and family life”. It may be that the data has to be deleted so that no one sees it after so many days.

The general nature of this new effort by the EU is of course written in this manner because technology is ever changing. Thus it is hard to write regulations for new technologies, especially as they are implemented faster than the regulations are written (the last time EU regs were redone was in the 90s).

Another snippet from the video refers to a general security note on what he terms a “Regulatory Zone of Compliance”:

A graph of how much focus each entity wants to end up putting on GDPR.

The four choices:

  1. Money is no object
  2. Playing safe
  3. Probably ok
  4. Hope we are lucky

I think I would change #1 to “100% safe by using all possible effort and resources($$) to ensure this”.

And maybe add to #4 the phrase “we will not be hacked, or regulators will not find out if a problem occurs”.

But instead, why don’t we change this graph to a Focus on Cybersecurity %, which dovetails more closely with my past Psychology of Security blog post?

What is our Focus on Cybersecurity?

Best to start at bottom.

  1. Little Focus (25% of what it needs to be) – hope regulatory bodies and hackers avoid us
  2. Good Focus (50% of the effort) – we make some effort at regulation and defense against hackers
  3. Better Focus (75% of effort) – more effort at defense against hackers and compliance
  4. Best Focus (100% effort) – no expense is spared and every effort is made to make sure that hackers do not affect the business; of course compliance is a given.

Is it the Best it can be? 100% effort?

The Psychology of Security, if you remember, has to do with most people not focusing on security: since the risk is not obvious, we are willing to accept higher and higher levels of risk until it stares us down.

So we need to discuss a way for us to change minds, if you have problems with decisions at the top.

Where we need to be more secure, compliance can help us make the people who run organizations focus more on security and data privacy.

Since security decisions depend on emotions as well as practicality, we can satisfy both by saying we will tackle this new compliance because we do not want to get fined, and thereby reduce the FUD (Fear, Uncertainty and Doubt) or emotions.

In fulfilling this compliance we are also protecting our client data, although it may seem hard to see. The bureaucratic movement never ends, and even now America is learning from the EU, and make no mistake… it will come here soon enough. Better to get ahead of this push.

What I would recommend is to find all of your client data and make sure that you are not selling it or even the look of selling it.

Be careful how you handle the data. Treat it better than your own; treat it as if it is gold (or bitcoin).

Contact me to discuss this in detail.

The Real Problem With Facebook Privacy Issues

We can easily read the latest news on the CNN website about Facebook’s transgression of not protecting the privacy of 50 million users; in 2015 this ‘hack’ supposedly happened and Facebook ‘let’ it happen.

I guess the media and the rest of the world were not paying attention to the 2009 Dark Reading story: “Private Facebook Info exposed By Simple Hack”.

Apparently a blog called FBHive was able to view supposedly private information.

How about this:

In 2008, a Sophos video showed how to view everyone’s birthdate on Facebook, even if it claims to be “secure”.

So all one needs to do is hack Facebook. So what do I mean by that? Well, all one has to do is to play around with the URL settings of Facebook.

I.e. https://www.facebook.com/<FirstInitialLastname> for main account lookup, but then you need the security username and password.

If you use https://www.facebook.com/photo.php?fbid=

Then use a set of numbers, which you can modify to look at other people’s information. What all these hackers found out is that Facebook has some settings that are public no matter what the Facebook privacy settings are. (We are not going to ‘hack’ Facebook in this post.)

So, what to do? The only thing one can do is to have a sufficient red team and make many tests from outside Facebook. It is obvious that Facebook does not have the capability to review its own security flaws.

So if one is a programmer, one can create quick programs to cycle through all the numbers and place the results in a database, thus building one’s own database of the entire Facebook userbase.
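The flip side of that, as an added example that is not part of the original post: a site operator can spot exactly this kind of sequential-ID walk in their own web server access logs long before an outsider finishes building such a database. The log lines are constructed, `fbid` is the parameter name shown above, and the thresholds (5 requests, stride of 3, 80% sequential) are assumptions a defender would tune to their own traffic.

```python
# Added example (not from the original post): flag clients that walk sequential
# object IDs such as photo.php?fbid=N in a web server access log. The log lines
# are constructed; "fbid" is the parameter named in the post; thresholds are assumed.
import re
from collections import defaultdict

# Constructed Apache-style access log: one client walks IDs, the other browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Apr/2018:12:00:01 -0500] "GET /photo.php?fbid=100001 HTTP/1.1" 200 5120
203.0.113.7 - - [19/Apr/2018:12:00:02 -0500] "GET /photo.php?fbid=100002 HTTP/1.1" 200 4980
203.0.113.7 - - [19/Apr/2018:12:00:02 -0500] "GET /photo.php?fbid=100003 HTTP/1.1" 403 211
203.0.113.7 - - [19/Apr/2018:12:00:03 -0500] "GET /photo.php?fbid=100004 HTTP/1.1" 200 5011
203.0.113.7 - - [19/Apr/2018:12:00:03 -0500] "GET /photo.php?fbid=100005 HTTP/1.1" 403 211
203.0.113.7 - - [19/Apr/2018:12:00:04 -0500] "GET /photo.php?fbid=100006 HTTP/1.1" 200 5302
198.51.100.9 - - [19/Apr/2018:12:00:01 -0500] "GET /photo.php?fbid=734210 HTTP/1.1" 200 6001
198.51.100.9 - - [19/Apr/2018:12:03:40 -0500] "GET /photo.php?fbid=918337 HTTP/1.1" 200 5890
198.51.100.9 - - [19/Apr/2018:12:07:12 -0500] "GET /photo.php?fbid=734211 HTTP/1.1" 200 6110
"""

# client ip, request line containing an fbid query parameter, and the HTTP status code
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET [^"]*\bfbid=(?P<fbid>\d+)[^"]*" (?P<status>\d{3})')

def parse_fbid_requests(log_text):
    """Return {client_ip: [(fbid, status), ...]} in log order for lines carrying an fbid."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_client[m.group("ip")].append((int(m.group("fbid")), int(m.group("status"))))
    return by_client

def find_enumerators(log_text, min_requests=5, max_stride=3, min_sequential_ratio=0.8):
    """Flag clients whose successive fbid values differ by a small stride most of the time."""
    # A user following links hits unrelated IDs; an ID walker steps through them in order.
    flagged = {}
    for ip, reqs in parse_fbid_requests(log_text).items():
        if len(reqs) < min_requests:
            continue
        ids = [fbid for fbid, _ in reqs]
        steps = [abs(b - a) for a, b in zip(ids, ids[1:])]
        ratio = sum(1 for s in steps if 0 < s <= max_stride) / len(steps)
        if ratio >= min_sequential_ratio:
            flagged[ip] = {"requests": len(reqs), "sequential_ratio": round(ratio, 2),
                           "denied": sum(1 for _, st in reqs if st == 403)}  # 403s a walker collects
    return flagged

if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

The 403 count matters because an ID walker keeps requesting objects it is not allowed to see, whereas a user following links almost never is, so a high denial count alongside a sequential pattern is a strong signal to rate-limit or investigate that client.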

There are more problems: one programmer was able to delete other users’ photo albums. The specific details are at zerohacks.com: “Deleting any photo albums – How I hacked Your Facebook Photos”.

Needless to say, the enterprising programmer was able to delete another user’s photo album and received $12.5k from Facebook’s bug bounty program. (He disclosed it to Facebook first, not to the criminal hackers.)


A serious Cybersecurity Audit must be performed by known attackers; call the ethical hackers or Certified Information Systems Auditors (CISA). The price of this audit is cheap compared to the damage being done to Facebook today (many billions in stock price and reputation). Estimates are that Facebook has over 2 Billion monthly active users (Zephoria Digital Marketing).

Even as some younger users disconnect due to shifting moods, there are still quite a few users on Facebook. I suspect this is only the beginning of the blowback to Facebook’s reputation, as this latest election-related snafu has created quite a big spotlight.

The point of this post is to be careful what you post: if you post it, it is public no matter the safeguards. Hackers are always out there probing for weaknesses, and it is better to find them yourself rather than have the criminals tell you after a defining Cybersecurity event for your company. TonyZ says: “Do not post anything that you are embarrassed for the world to know!”

Contact Us to discuss your Cybersecurity audit program.