Workshop: MEI Security’s Cyber Live-Fire Arena

MEI Security Training Room

Arena Workshop Prep Workstations Booted

MEI Security presents the alpha release of version 4.0 of our Cyber Live-Fire Arena.

On Thursday evening, March 14, 2019 (Pi Day), MEI Security will sponsor an online and in-person workshop for the alpha release of Arena v4.0.

MEI Security’s Arena is a training environment for improving participants’ skills in attacking and/or defending servers in a live-fire environment. Each team has a set of VMs running web servers which provide specific files to the scoring server every 2 minutes. If an opponent gains access to your VM and places their team name in your score files, that opponent scores points for a successful attack while you do not score defensive points that round. Teams may choose to focus on attacks & exploits, purely on defending their VMs, or both. The goal is to have fun & polish skill sets in a riskless exercise.

This workshop will be for up to 8 teams with up to three people per team.  This exercise is held at no cost to participants.

Contact us before March 12 for your credentials to connect to the arena. You will receive OpenVPN config files for connecting to the arena as well as identity files for connecting via SSH to your team’s machines.

The event will be held both online via Google Hangouts Meet and in person at MEI Security’s offices in Stoughton, Massachusetts, USA. Seating is limited to 12 people at the office, and credentials for connecting to the arena, whether in person or remote, are limited to 24 people overall.

Please sign up at the meetup page to attend in person and/or contact us via email to get your credentials for access to the arena.

Schedule:

Presenter: Vik Solem, President, MEI Security

Agenda: (Times are Boston local time)

6:30 PM – 7:00 PM : Networking and light refreshments

7:00 PM – 7:05 PM : Introductions

7:05 PM – 7:30 PM : Presentation: Training Cyber Security Defenders

7:30 PM – 8:30 PM : Demo/Workshop: MEI Security’s Cyber Live Fire Arena

This meeting will be available via Google Hangouts Meet. https://meet.google.com/puh-vqqk-qsm
Please sign up ahead of time to receive your credentials for connecting to the arena workshop online.

Preparing Your Kit

Whether it’s wildfires in California, storms hitting the Carolinas, or gas lines blowing up houses in Massachusetts, current events remind us that having a few extra supplies ready can make things much easier in case of an emergency.

The site ready.gov is a good starting point. The following list is from their page on building a kit (with comments from me). If your resources are tight, I’d recommend starting at the top of the list, and working your way down. If you get just one item per week then you will have a good, basic kit in less than three months. Remember, this is a long-term planning task. It’s about spending time when you have it (before an event) so that you have resources when you need them (during an event).

These first three are excellent things to keep with you or near you every day.

  • Flashlight (Always good to have extra flashlights)
  • Cell phone with chargers and a backup battery (Having a USB charger and especially a charging cable for your phone is critical.)
  • Whistle to signal for help (A whistle is a great tool, and it can fit on a keychain.)

The next three are good things to keep in your room, apartment, vehicle, or house.

  • First aid kit (These range from tiny pocket-sized packs to briefcase sized full medical kits. If you raid it for band-aids and acetaminophen, remember to refill your supplies!)
  • Extra batteries (AA and AAA seem to be popular these days, but whatever you need, every time you buy one get an extra for your stash. Then you always have one when you need it.)
  • Local maps (Navigation systems are great, but your phone battery can die. No batteries are required for a good old map! If you go cheap and print your own be sure to laminate it. You want it to last should you need it.)

The rest complete a good starting point for a kit, whether it’s a small bug out bag for a dorm room or stocking a basement.

  • Water – one gallon of water per person per day for at least three days, for drinking and sanitation (Bottled water is great, but having a purification method can be very useful, and it can be easier to carry. Options include filters like LifeStraw as well as water purification tablets of many types.)
  • Food – at least a three-day supply of non-perishable food (For a family this can be fancy prepper food with a shelf life of 25 years, or for smaller kits it can be a stack of energy bars. As you move from a simple emergency bag to a full house emergency kit the food requirements will change.)
  • Battery-powered or hand crank radio and a NOAA Weather Radio with tone alert (These start at around $17.)
  • Manual can opener for food
  • Wrench or pliers to turn off utilities
  • Dust mask to help filter contaminated air and plastic sheeting and duct tape to shelter-in-place
  • Moist towelettes, garbage bags and plastic ties for personal sanitation

There are lots more resources on this available from ready.gov, fema.gov, and other sites. Having even a few of these items can make it much easier to get through any crisis.

Password Management Tools

At last week’s Refuse To Be A Victim class we had a brief discussion regarding passwords. During that talk I mentioned a tool called LastPass. This tool helps you to maintain a collection of complex passwords which are hard for attackers to obtain via “brute force”. It also helps you have a different password for every place you need one. As we discussed in class, this is critical for keeping your accounts secure. If you have the same password in different locations then when one of those locations/companies is compromised you are at risk. This happens because the bad guys take all of the usernames/passwords that they get, and they use them to log in to every other site that they can find. You can prevent this either by having different usernames or by having different passwords. A program like LastPass helps you do either one. Usually having different passwords is the easier method, but either way works.

There are other programs that do what LastPass does. KeePass is one. My personal favorite is PasswordSafe, but – as I mentioned in class – I am pretty far toward the “cautious” end of the spectrum, and the way I operate computers is not for everyone. LastPass is one of the programs that makes this easy for everyone to use, while still maintaining a good level of security.

The Equifax Breach: Why it’s big, and how to stay safe.

Yesterday, Equifax admitted publicly that they were breached, and that personal information was exposed for 143,000,000 U.S. consumers. While this is not the largest data breach in number of records exposed, it is arguably the worst data breach ever due to the type of data that criminals accessed. Whether or not you believe that your information was exposed, there are steps you can take to protect yourself.

Why This Breach is Historic

This breach involved personal information, not just credit card numbers.  If a criminal gets hold of your credit card information you can cancel the card, and if they are able to make any charges you can dispute those with the credit card company.  It’s slightly worse if a criminal gets your debit card information. In that case you can get a new card, but you may have to fight with the bank to get your cash back into your bank account.

In this breach identity information was stolen.  If a criminal gets hold of your identity information it’s much harder for you to change that, and the criminal can continue to use it for years.  Even if you are able to change your social security number (which may require proof of criminal activity) many companies will continue to have your previous number, and may grant access to your information based on that.

According to the information available today, criminals gained access to names, social security numbers, addresses, and other information for more than one hundred million people in the U.S. In some, or perhaps most, of these cases the people who are now at risk never had any dealings directly with Equifax. Even so, the failure of Equifax to protect consumers’ data now costs millions of people time and money: time and money which will be required to protect people and/or to react to criminal activity committed in their name.

Even worse is the fact that Equifax has been breached before!

And they’re not alone.  Experian has been in the news for its own share of issues.

Because of the number of people who are now subject to identity theft, this is quite possibly the worst data breach in history.

 

What You Can Do

Even if you haven’t been breached yet, there are at least two things you can do to protect yourself and to prevent criminals from using your information.  Note: option 1 is more expensive and is optional if you complete all of option 2; however option 1 is the easiest over the long term.

Option 1: Sign up for credit monitoring. You may choose to do this via Equifax for free, or you may choose not to place your trust in the company that has lost control of consumer data 5 times in 5 years. There are alternatives (e.g. LifeLock, TransUnion, Fast3CreditScores, Experian Identity Works, Privacy Guard). Numerous sites are available for evaluating these.

  • Pro:
    • You will receive alerts when anyone attempts to open a new credit account in your name.
    • Some of these credit monitoring companies will help you if your identity is compromised.  Choose carefully.
  • Con:
    • This is more expensive than the $15 per year for a freeze (assuming you only apply for one new credit account per year).

 

Option 2: Contact each of the four consumer credit bureaus (Equifax, Experian, Innovis, TransUnion), and request a Credit Freeze. This may cost up to $15 per bureau, depending on your state of residency.

  • Pro:
    • If a criminal attempts to open a credit account in your name they will be refused.
  • Con:
    • When you wish to open a new credit account you will have to do the following:
      • Ask the company from which you are requesting credit to tell you which credit bureau they use: Equifax, Experian, Innovis, or TransUnion.
      • Contact that credit bureau and release the freeze.
      • Apply for the new credit account or loan.
      • Contact that credit bureau and request the freeze again – this will likely cost an additional $15. If you do this less than once per season then this is much less than you will likely pay for credit monitoring. It is of course less convenient.

Conclusion

Because of the large number of identities stolen (143,000,000), this is likely the worst data breach ever. Whether or not your personal information was breached in this incident, there are steps you can take to prevent criminals from using your identity to commit crimes.

60% of Small Businesses Close After Cyber Attack

Running a small business can be hard enough, but cyber crime makes it even harder. According to multiple sources, once a business suffers a cyber attack there is a 60% chance that it will be closed and out of business within a year. [CS] [FC] [GM] This is a tough number to hear, especially given that small businesses have fewer resources available for I.T. Security.

Furthermore, 71% of small businesses report that they have been attacked, and back in 2015 the average cost of each attack was $20,753. [FC] How much will it cost your business? How much should you spend to prevent attacks or to be able to survive a successful attack?

You don’t have to spend tens of thousands, and you don’t need to hire MEI Security (although we are happy to help). You can find options for lowering your risk. We sponsor free meetings, on the second Thursday of the month. Ours are in Stoughton, MA, but you may be able to find some in your area. We also have a list of resources that include free options for small to medium sized companies. Whatever your budget, there are steps you can take to protect yourself from cyber criminals. We urge you not to wait until after an attack. For 60% of small businesses that was too late for survival.

—————————————-

References:

[CS] DJ Jordan, Joel Hannahs, “Collins Subcommittee Examines Small Business Cyber-Security Challenges With New Technologies”, 2013-03-21, http://smallbusiness.house.gov/news/documentsingle.aspx?DocumentID=325034

[FC] “60% Of Small Businesses Will Close Within Six Months Of A Cyber Attack… Will Your Company Survive?”, 2015-10-22, http://www.financialcomputer.com/2015/10/60-of-small-businesses-will-close-within-six-months-of-a-cyber-attack-will-your-company-survive/

[GM] Gary Miller, “60% of small companies that suffer a cyber attack are out of business within six months.”, 2016-10-23, http://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/

New England Small Business Security Meetup

MEI Security is sponsoring the New England Small Business Security Meetup. Join us in Stoughton on May 11 at 7:00 PM. This month we’ll have another presentation on security solutions (including free ones) for small to medium sized businesses. As always, there will be time before and after for open discussions.
7:00 – 7:15 : Introductions
7:15 – 8:00 : Presentation:
8:00 – 8:30 : Open Discussion / Closing

Please RSVP, and let us know if you plan to arrive early for light refreshments at 6:30.

Has the Cyber Security Industry Failed

Illustration of insecure scripts

Request to run insecure scripts illustrates security problems.

In an article on www.cnbc.com Aneri Pattani appears to be saying that the cyber security industry has failed. Aneri refers to breach-after-breach and points to the fact that simple, old-school exploits & attack methods continue to work against newly deployed software. While the facts are true, I believe that Aneri has missed the point completely. I suggest that the failure is not in the industry as much as in the people who choose not to take the advice of security professionals. There are two components here. First, Cyber Security professionals may need to improve how they educate people on the subject of risk. Second, those in control of businesses must take ownership when things fail if the failure happened after they elected not to enact recommended security measures. Blaming the Security industry for breaches is inaccurate and distracts from the real cause of security issues.

Regarding educating people on risk, let’s take one example. Aneri says “The best way to fight this cyberwar is to get back to basics, like knowing how many computers a company has and gaining control over them in seconds.” This is true. The industry has been saying this for years. Take, for example, the SANS Top 20 Critical Security Controls, now the CIS security controls. Number one on the list is “CSC 1: Inventory of Authorized and Unauthorized Devices”. That would correspond to “knowing how many computers a company has”. This simple step is the number one thing that companies can do, and yet many, many companies don’t do so. (There’s a poster too, which I recommend.)

Regarding how companies encourage bad behavior while ignoring the security industry’s recommendations, let’s consider the very web page accusing the industry of failure. The industry has said for years that running lots of scripts on a web page increases risk. Each time a user opens up their browser to run more scripts they have exposed themselves to more code from unknown sources. For this reason many people, like myself, use script blockers as part of keeping our browsers secure from attack. When I tried to read the comments on the cnbc.com article I specifically allowed scripts to run for the current page. I did this three times, each time allowing more and more scripts to run. In the end I was still not able to view the comments, and the page still wanted to run more scripts. (Yes, I know that MEI Security’s web page asks for some scripts to run, but it does function with scripting disabled.)

In conclusion, the article proclaiming that the security industry has failed shows by its very nature that businesses continue to ignore the advice of the security industry, and they push for users to bring more risk into their own environments. If you refuse to secure yourself then you’ve decided to take that risk. When you are breached don’t blame the folks who told you not to take the risk in the first place.


We’ve Moved to Stoughton

After nine years providing consulting and training services to customers in Massachusetts, Rhode Island, and New Hampshire, MEI Security has moved into a new location with our very own dedicated training room.

Our new address is

630 Park St, Stoughton, MA  02072

Stay tuned for more information about our grand opening celebration.

That Cool Device on Your Wrist May Be Exposing Your PIN

Android Watch

CC Image courtesy Karlis Dambrans from Latvia

We’ve known for years that things like webcams and microphones can be used to spy on us and steal our passwords. Now that cool wearable device on your wrist can give attackers your PIN. Basically the movements of your hand can be recorded by the device and sent to an attacker for analysis. It looks like they have an 80% chance of getting it on the first try. From a technical point of view it’s a cool hack. From a security point of view it’s another reason to be cautious about wearing a computer all the time.