Press Room

WhatsApp hack and Stuxnet worm very similar

Global Security Magazine, May 2019:

The WhatsApp hack is very similar to the Stuxnet worm, first uncovered in 2010, says Colin Tankard, Managing Director of data security firm, Digital Pathways.

The WhatsApp debacle seems to allow spy software to attach itself to phones via the call function. It was spread by an advanced cyber actor which infected mobile phones via a vulnerability in the app.

The Stuxnet worm targeted SCADA systems and was thought to be responsible for the causing of substantial damage to Iran’s nuclear programme. It was believed to have been developed jointly by both America and Israel, though neither admitted this. The malware was leaked out into the public arena and caused major damage.

“The WhatsApp hack seems to me to be another of the Stuxnet type of event. Whilst it was supposedly developed only for government agencies, as was the Stuxnet hack, it somehow leaked out to the rest of us.

“These hacks are very hard to detect. The only real chance you have is to employ Advanced Threat Detection software. This will flag up any ‘unusual behaviour’ and immediately stop it, giving the organisation time to review and understand what the attack was and how to solve it.

“Meanwhile, I urge everyone to take the WhatsApp advice and update the app immediately.”

Read the article in Global Security Magazine here

Why Cyber Essentials is essential

Professional Security Magazine online, April 2019:

It is a universal truth that we all have to take the security of our data to heart, whether personally or commercially, writes Colin Tankard, pictured, Managing Director at the data security company, Digital Pathways.

Trying to help us do exactly that, the Cyber Essentials tool kit, a UK government information assurance scheme operated by the National Cyber Security Centre (NCSC), was launched in 2014 and has become a key element of excellence for cybersecurity, in all its forms. Designed to be applicable to all sizes of organisations, from small to large, it offers help to those seeking to implement a robust data security strategy in order to protect both themselves and their clients.

It does this by encouraging organisations to adopt good practice in information security and includes a simple set of security controls to protect information from threats coming from the Internet. Most cyber attacks are basic in form and are often implemented by unskilled individuals. The controls, suggested by the Cyber Essentials platform, are designed to prevent such attacks. Cyber Essentials comes in two formats:

1. Cyber essentials – a self-assessment application that addresses basic threats and helps to prevent the most common attacks.

2. Cyber Essentials Plus – this is the same as for Cyber Essentials but rather than being self-assessed it Instead, requires verification of cybersecurity, carried out independently by a Certification Body. This is a more rigorous form of certification.

I am a great advocate of the Cyber Essentials platforms. Adopting these measures can bring many benefits, including the ability to tender for contracts that require a Cyber Essentials Certified supplier, enhanced customer trust and confidence, the provision of market differentiation and competitive advantage, protection of company assets and IP, the mitigation of common cyber threats and reduced insurance premiums. In addition, becoming accredited helps to meet the requirements of GDPR. For example, GDPR talks about controlling who has access to data and understanding where PII data is held. Cyber Essentials covers this and therefore, is able to provide evidence for your GDPR statements/policies that as an organisation you have considered these areas and have had the controls verified by an independent accessor.

Frankly, what’s not to like? In these times of ever-increasing cyber threats, we all need to take responsibility and action in the fight against these criminal actions. The Cyber Essentials Platform is just one way of starting that journey.

To read this article & more from Professional Security Magazine online, please click here.

Can your data be held hostage?

Info Security Magazine April 2019:    

It seems as if we are awash with ransomware stories these days. Many caused by users inadvertently clicking on a link within an email triggering the ransomware program and hey presto, the user is then unable to access their data without paying for it. Ransomware victims paid an average of $6,733 in the fourth quarter of 2018, according to ransomware incident response firm Coveware.

A more insidious attack is now appearing, where a company’s data or network is compromised by a cunningly hidden attack. A company’s data may include secret formulas or recipes that a product depends on and should someone alter that data, they haven’t theoretically stolen it, but suddenly the product is not being made to the correct formula or recipe.

Such attacks fall under the banner of commercial espionage and attackers range from competitors, disgruntled employees and even nation states. Once in the network, the attacker remains hidden and takes various approaches dependent on what the attack is to achieve. We have seen attacks where data has been monitored and fed back to the competition when a tender has been submitted, or a change to pricing. Such information can be very valuable when governments are placing large contracts. It is not the intension of the attacker to tell the victim that they have their data, but to remain hidden, indefinitely.

Equally we have seen a rise in data modification that has resulted in very expensive product recalls and loss of market confidence, which ultimately could have led to the business failing. It is likely that such attacks will evolve into a blackmail scenario, where the victim is advised of the infiltration and possible data modification ramifications, should ongoing payment not be forthcoming.

These attacks generally occur due to the poor monitoring of network access and missing unusual events that are happening within the infrastructure. Frequently, incidents are flagged up, but due to the busy nature of many IT departments, they go unchallenged.

The difficulty in preventing these data protection rackets is that the route into the system can be varied. It is no longer simply about a user clicking on a link within a random email, these attacks are targeted to order. They can come from carefully crafted email infiltration, by manipulated links on what appears to be genuine websites or they could be physical attacks where access to the network is gained from within and the exploit payload delivered, effectively by hand.

Read the full article in Info Security Magazine Here

IoT regulations: fact or fiction?

Network Security Magazine, March 2019:

New gadgets and, increasingly, connected homes, vehicles and even smart cities open up a whole host of possibilities. Connected devices now control entire homes and offices, including door locks, children’s toys, cameras and medical products. All are available and connected through the Internet, making access very convenient for the user but also for the bad guys.

The Internet of Things (IoT) has a poor cyber reputation. Manufacturers often don’t install appropriate data access safeguards on their products and consumers fail to change default passwords or update the pre-installed software on their network.

This is why the UK Government has introduced a new code of practice for manufacturers of smart devices that connect to the IoT. The code is voluntary, but large manufacturers, including HP and Hive Centrica, have already signed up. However, this will not be enough to truly bring cyber security rules to all devices now available.

Non-binding guidelines are helpful, but unlikely to make substantial changes. Most of the IoT manufacturers are located abroad in developing countries and will continue to focus more on costs than on customers’ privacy or security. Most manufacturers do not even adhere to the bottom line of security, such as strong passwords. We have even tested devices where the master reset does not remove any previous entries, such as Wi-Fi passwords, allowing the next owner of a device to take the Wi-Fi details from the device and use them to hack into the previous owner’s network.

Imagine, the multitude of Wi-Fi kettles being sold on online auction sites, all still holding their former owners’ passwords – very scary!

In California, the state government has made it mandatory for IoT devices to be secure. Under its Security of Connected Devices Bill, weak default passwords are illegal, and all devices must have unique default passwords that automatically for the user to change the password when the user installs them.

Read the full article in Network Security Magazine here on page 20

 

Using simulated disaster management to tackle the security skills gap

Computer Weekly Magazine March 2019:

With the increasing need for cyber security professionals, organisations are turning to new ways to address the skills gap facing the security sector

Academic qualifications, such as Cyber Security & Computer Forensics BSc (Hons) and Cyber Security MSc, provide cyber security professionals with the necessary knowledge for their career, but nothing compares to real-world experience when dealing with potential network threats.

There is a line in a Star Wars film: “I should think that you Jedi would have more respect for the difference between knowledge and wisdom.” This is just as true in cyber security, where experience is equally as important as qualifications.

“When you are in a disaster recovery situation, you do not want the new person trying out the wings,” says Bruce Beam, chief information officer at (ISC)².

Unfortunately, the number of cyber security positions outweighs the number of available cyber security professionals. The demand for cyber security professionals has outpaced supply in recent years, due to emerging threats and organisations increasing the amount of business they conduct online.

According to a study, the number of organisations that reported shortages in the cyber security skills of their staff has increased over the past four years. In 2014, approximately 23% of organisations indicated this was a challenge, but this has now risen to more than 50%. Much of this rise has been due to the increasing workload of cyber security teams.

Continuing professional development (CPD) has been used to ensure that skills remain relevant. However, some training is purely academic and offers little real-world experience. “It is not like training someone to be a welder and giving them the basic skillset,” says Beam.

In order to overcome this challenge, organisations are turning to various ways to provide their cyber security interns with the necessary experience to tackle the online threats facing organisations. One way has been through mentoring schemes, where organisations assign an intern to an experienced cyber security professional. Mentoring allows a company to preserve their staff’s experience against retirement and poaching, however a drawback is that it can inadvertently reinforce bias.

Simulated disaster management

Some organisations are turning to simulated disaster management scenarios in order to provide their staff with the experience they need. Just as fire drills are used to assess how personnel respond to a potential incident, simulating critical failures allows organisations to see how their staff respond to such events.

“I always go back to my military training and one of the things we learned was to train like you are going to fight, because you will fight like you train,” says Beam.

Simulations allow cyber security personnel to experience critical failures, without any risk to the actual network or company data. These simulations can vary from disaster recovery scenarios to white hat hackers probing a company’s network defences to see how their IT teams respond to the perceived threat.

“Too many organisations talk about disaster recovery, but never really test it and make sure it is working the way they think it is working,” says Colin Tankard, managing director of Digital Pathways.

Simulated disaster management provides a replica of an organisation’s network architecture, thus providing a real-world experience, thereby making responses second-nature.

This allows cyber security teams to use the security tools that they would use in a genuine situation and to experience the network setup and traffic. In order to be effective, disaster scenarios need to be accurately simulated, including advanced, evolving threats, targeted malware and ransomware.

A more complex version of simulated training is to use white hat hackers to probe the network defences to see how soon the cyber security team are aware and how they respond to the threat. “I have heard of white hat teams spying on organisations to see where they can get in,” says Tankard. “That has been very successful for companies as they have seen how their people are reacting.”

Read the full article in Computer Weekly here

Connectivity in the smart city

Smart Cities World January 2019:

Smart buildings and cities are becoming less of a rarity, attracting both tech-savvy entrepreneurs and established businesses.

The smart city environment fosters thriving communities, where businesses can excel and their people can work happily, achieving their full potential. More than this, they help businesses to cut costs, streamline operations and increase profit margins.

One of the key factors in today’s productive workplace is access to a fast, secure and reliable Internet connection. In fact, it is usually among the top ‘wish list’ items for prospective tenants.

Without it, productivity can decrease, communication, both external and internal, is compromised, stress ensues and profits can drop. But how can businesses be sure, when deciding upon a smart city space, that your connectivity will be all they need it to be?

Certified connectivity

According to Emma MacLeod of Hurley Palmer Flatt, a building services and engineering consultancy, connectivity certification is an increasingly sought-after element for prospective tenants.

MacLeod said: “Companies such as Wired Score and Honeywell provide systems that allow criteria to be measured, so that tenants can have an overview of a building’s connectivity, which can also be compared against others.

“This type of information can be used as part of an active marketing strategy in order to attract prospective tenants, as well as providing reassurance. Such certification allows for better understanding of performance, together with the promotion and improvement of digital infrastructure.”

Cybersecurity

Whilst good connectivity is a priority, how many businesses consider how secure their Internet connection is?

Cybersecurity certification could be helpful, given the increasing number of cyber-attacks we now see. For example, I wonder how many people stroll the corridors of a building searching out an unsecured Wi-Fi router to log on to? What if an unauthorised person gains entry to floors where they may be able to obtain access to a network: are they able to view all of the information, or have good data security and physical access systems been installed? Are all of the packets of data that are travelling around the ‘backbone’ of the network encrypted? How about a shared access communications room? Security of cable control and management systems is critical since, once on to the ‘backbone’ of a system, untold damage can be done by eavesdropping on network cabling.

It is also good practice to offer two types of Internet connection, one for those employed by the company and one for its guests. This way, the business is able to manage the areas visitors can access, protecting any sensitive information, which is particularly pertinent now given the arrival of the GDPR.

Read the full article here in Smart Cities World

Marriott hit by hack but where was their log management?

Global Security Magazine December 2018:  

Marriott International Inc is the latest hack to be announced and this one could be the largest breach in corporate history.

Details of some 500 million guests were accessed from the company’s reservation database at its Starwood unit. This included passport numbers, mailing and email addresses and even some credit card details.

The breach reputedly happened in 2014, which begs the question, why was no one checking the logs? Was there no log management system, were their system administrators negligent in their duty, or worse still, the incident ignored?

A log management system collects data from servers, computers, routers, applications, databases etc. and generates information on what is happening in each system. All this diverse information is gathered together and, by looking at the trends or events happening on each system, an administrator can detect unusual behaviour, identifying a possible hack.

If these incidents go unchecked, a hacker has a free journey around the entire network, gaining access to more and more valuable resources such as personal data.

According to Colin Tankard, Managing Director of data security company, Digital Pathways, “when a hack occurs there are usually three stages. First, the primary hacker gains access and takes what they want. Second, the way- in to the network is shared by the primary hacker to their colleagues and community. They then ‘pick over the bones,’ much like a vulture does after the lions have had their fill. Finally, login details are shared openly to all hackers on various websites and then all the wannabe hackers come in to ‘have a party’ inside the network. The most damage is often done at this point.”

The second question to raise is, where were the encryption keys being stored?

According to Marriott the data was encrypted but the encryption keys were taken, so the data could be read.

“There should always be separation of duties between administrators and security as well as encryption key storage and the systems the encryption is being used on,” says Tankard. “ Any system that does not have this in place has a major flaw in its data security strategy. I always advise that encryption keys should be stored in a High Security Module (HSM) administered by the security team.

“The HSM is a server which creates encryption keys, stores them and when needed by an application, passes the encryption key for use. The key is never stored permanently in the application” explains Tankard.

He adds, “it is also very important to change the encryption key on a regular basis, this is called key rotation.

“There is simply no cutting corners when it comes to data security, especially in today’s climate where cyber-criminals are on the increase and strident legislation, such as GDPR, is in place.

“Where personal data is being stored, robust data security systems must be in place but not only this, they must be managed in a responsible and timely way.”

Read the full article here in Global Security Magazine

The Future of Network-Connected Device Security

Computer Weekly December 2018:

The proliferation of poorly secured network-connected devices has prompted the UK government to publish new best practice guidelines. Do these go far enough?

Wireless functionality has improved workplace efficiency and organisations are no longer restricted by cabling access. Unfortunately, many of these devices are poorly secured and rarely have their firmware updated.

The vulnerabilities in internet of things (IoT) devices have led to smart devices being part of botnets and incidents such as cardiac devices being vulnerable to hackers.

“The proliferation of IoT devices with poor security posture has increased the attack surface for threat actors dramatically,” says John Sheehy, vice-president of ioActive. “Compromised devices can be used by threat actors for anything from listening in on conversations and harvesting sensitive data, to cryptomining and jumping to traditional IT systems.”

Incidents where hackers have been able to exploit poor device security to obtain sensitive data have resulted in significant reputational damage, as happened to vTech in 2016. Such incidents could now – under the Data Protection Act 2018 – see companies fined.

As such attacks have become more frequent, the UK government has decided to step in. Earlier this year, the Department for Digital, Culture, Media and Sport (DCMS) published the Secure by Design report and later the Code of Practice for Consumer IoT Security – a guidance document advising on the best practices for securing IoT devices.

These guidelines are currently voluntary and are broken down into thirteen steps, as follows:

  1. No default passwords – all IoT device passwords should be unique and not resettable to any universal factory default value.
  2. Implement a vulnerability disclosure policy – all companies that provide internet-connected devices should provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.

To read all 13 steps click here to read the full article in Computer Weekly.com

Guideline benefits

For all of the challenges that come with this, organisations can nonetheless benefit from following such guidelines. In a survey by Bain and Co, it was discovered that executives would be prepared to spend 22% more on IoT devices that were proven to be secure.

“If a product has followed these guidelines, and has been independently checked, then people would pay more,” says Colin Tankard, managing director of Digital Pathways.

This increase in income could be used by manufacturers to offset the costs associated with following these best practice guidelines. Furthermore, reputation of the company would be protected by having secured their devices appropriately.

Can you trust one free app to keep all your passwords safe?

The Mail Online November 2018:

How to navigate the world of virtual storage vaults as hackers target providers.

A password manager can be a vital tool to keep your personal information out of the hands of online criminals – giving you a single log-in to an app that saves you having to remember lots of different codes.

Once you have signed in, you can use the app to store passwords for all your online accounts securely, or even log in to them directly from the password manager itself.

But there is a potential dark side to this technology as it could be a target for hackers.

If a fraudster were able to steal your master password, they could gain access to key financial details all at once. So should you trust a password manager to keep your information safe?

The apps use software to store all an individual’s passwords in a ‘virtual bank vault’. They are then accessed via the single hard-to-crack master password.

Experts including the National Cyber Security Centre – part of the Government Communications Headquarters intelligence service (GCHQ) – believe a password manager makes an individual’s data more secure.

But it has not stopped criminals targeting these password vaults. Last year, password manager LastPass discovered a flaw in its software that was fixed without it affecting the service. In 2015, it also had to fend off a cyber attack.

Password manager OneLogin also ‘detected unauthorised access’ last year but it was able to block it in time.

Colin Tankard, of Harlow-based data security company Digital Pathways, says a password manager does not offer bullet-proof security because it will always be a target for hackers.

Read the full article in The Mail Online here

The chilling email threatening to share embarrassing information that is ‘driving people to suicide’

Essex Live November 2018:

“It breaks up perfectly stable relationships and causes untold misery”

A shocking email is reportedly being sent round to random victims threatening that embarrassing information will be shared online unless large sums of money are paid.

The ransom messages are even believed to be leading some victims to the brink of suicide, according to cyber security expert Colin Tankard.

He told the Mail on Sunday that the hackers are claiming to have set up malware on particular porn websites that have recorded what is happening on a person’s computer screen, while also recording them via webcam.

In one particular incident, a member of the public was warned that unless they made a “donation” of $3000 (or £2300), the embarrassing material would be leaked online to their contact list.

As reported by the Mirror Online, Colin Tankard said: “There have been instances when people have committed suicide as a result of the horrible threats made.

“It breaks up perfectly stable relationships and causes untold misery.”

There doesn’t appear to be any set group that is being targeted, with victims being selected at random.

Tankard added that in these situations, the worst thing that you can do is to pay the demand as it could then lead to that person’s contact details being put on a ‘sucker list’.

As reported by the Mirror Online, Colin Tankard said: “There have been instances when people have committed suicide as a result of the horrible threats made.

“It breaks up perfectly stable relationships and causes untold misery.”

It is thought that around £30 million per year could be made from threatening innocent people.

One person who was randomly targeted by the scam was Mail on Sunday journalist Sarah Hartley, who said: “Although I knew I had not been watching pornography, the way I was threatened – that a video of me would be passed on to contacts if I dared breathe a word – was horribly menacing.”

The scam involves two payments to the sum of £500 or more that is paid in anonymous bitcoins, which creates problems in trying to track down the hacker.

Read the full article here in Essex Live