Workshop: MEI Security’s Cyber Live-Fire Arena

MEI Security Training Room

Arena Workshop Prep Workstations Booted

MEI Security presents the alpha release of version 4.0 of our Cyber Live-Fire Arena.

On Thursday evening, March 14 2019 (pi day) MEI Security will sponsor an online and in-person workshop for the alpha release of Arena v4.0.

MEI Security’s Arena is a training environment for improving participants’ skills in attacking and/or defending servers in a live-fire environment.  Each team has a set of VMs running web servers which provide specific files to the scoring server every 2 minutes.  If an opponent gains access to your VM and places their team name in your score files, that opponent scores points for a successful attack while you do not score defensive points that round.  Teams may choose to focus on attacks & exploits, purely on defending their VMs, or both.  The goal is to have fun & polish skill sets in a riskless exercise.

This workshop will be for up to 8 teams with up to three people per team.  This exercise is held at no cost to participants.

Contact us before March 12 for your credentials to connect to the arena. You will receive OpenVPN config files for connecting to the arena as well as identity files for connecting to SSH on your team’s machines.

The event will be held both online via Google Hangouts Meet and in person at MEI Security’s offices in Stoughton, Massachusetts, USA. Seating is limited to 12 people at the office, and credentials for connecting to the arena, whether in person or remote, are limited to 24 people overall.

Please sign up at the meetup page to attend in person and/or contact us via email to get your credentials for access to the arena.

Schedule:

Presenter: Vik Solem, President, MEI Security

Agenda: (Times are Boston local time)

6:30 PM – 7:00 PM : Networking and light refreshments

7:00 PM – 7:05 PM : Introductions

7:05 PM – 7:30 PM : Presentation: Training Cyber Security Defenders

7:30 PM – 8:30 PM : Demo/Workshop: MEI Security’s Cyber Live Fire Arena

This meeting will be available via Google Hangouts Meet: https://meet.google.com/puh-vqqk-qsm
Please sign up ahead of time to receive your credentials for connecting to the arena workshop online.

Critical Infrastructure Security In A Hostile World

At MEI Security we frequently cover the Ukrainian power grid attack in our work with clients. This successful attack clearly demonstrates vulnerabilities in critical infrastructure. Whether it is electrical power, water treatment and delivery or communications including telephones and internet service, reliable functionality of infrastructure is critical to the smooth function of our society. This infrastructure is managed through Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems. The Ukrainian power grid attack took advantage of well-known weaknesses in humans and in ICS & SCADA hardware to succeed. Once in, the attackers planned to disrupt the system and simultaneously increase the difficulty of recovery.

The attack began with a spear-phishing email campaign to administrators. The malicious traffic exploited a well-known feature of Microsoft Word to deliver malware and gain an initial foothold in the target network. With this foothold the attackers pivoted to other systems, spending months exploring the network environment and harvesting credentials undetected. Among these credentials were those used by staff to connect remotely by VPN to the SCADA networks. Once in the SCADA networks, the attackers were able to overwrite control system firmware, making recovery much more difficult when the trap was finally sprung. This attack even included a denial of service phase which flooded telephone lines with bogus calls, thus impeding swift, cohesive incident response. Based on the scope and sophistication of the attack, many security professionals suspect the attackers were at least aided by (if not fully supported and directed by) a hostile nation state.

There are lessons to be learned from this and other attacks. As our environments become more and more digital, and as our infrastructure controls become more networked, they are simultaneously exposed to additional risk. While private industry is often quick to adjust its budgeting, Federal, State and Municipal organizations often exhibit a more measured approach to change. A recent story in SC Magazine [1] highlighting the failure of the US Department of the Interior to comply with respected industry standards illustrates the point. Regardless of this example, it is clear that we have a long way to go to achieve a more robust and resilient cyber security posture – especially for our critical infrastructure.

[1] https://www.scmagazine.com/us-department-of-interior-cio-office-fails-ig-cybersecurity-inspection/article/757547/

The Equifax Breach: Why it’s big, and how to stay safe.

Yesterday, Equifax admitted publicly that they were breached, and that personal information was exposed for 143,000,000 U.S. consumers.  While this is not the largest data breach in number of records exposed, it is arguably the worst data breach ever due to the type of data that criminals accessed.  Whether or not you believe that your information was exposed, there are steps you can take to protect yourself.

Why This Breach is Historic

This breach involved personal information, not just credit card numbers.  If a criminal gets hold of your credit card information you can cancel the card, and if they are able to make any charges you can dispute those with the credit card company.  It’s slightly worse if a criminal gets your debit card information. In that case you can get a new card, but you may have to fight with the bank to get your cash back into your bank account.

In this breach identity information was stolen.  If a criminal gets hold of your identity information it’s much harder for you to change that, and the criminal can continue to use it for years.  Even if you are able to change your social security number (which may require proof of criminal activity) many companies will continue to have your previous number, and may grant access to your information based on that.

According to the information available today, criminals gained access to names, social security numbers, addresses, and other information for more than one hundred million people in the U.S.  In some, or perhaps most, of these cases the people who are now at risk never had any dealings directly with Equifax.  Even so, the failure of Equifax to protect consumers’ data now costs millions of people time and money: time and money which will be required to protect themselves and/or to react to criminal activity committed in their name.

Even worse is the fact that Equifax has been breached before!

And they’re not alone.  Experian has been in the news for its own share of issues.

Because of the number of people who are now subject to identity theft, this is quite possibly the worst data breach in history.

What You Can Do

Even if you haven’t been breached yet, there are at least two things you can do to protect yourself and to prevent criminals from using your information.  Note: option 1 is more expensive and is optional if you complete all of option 2; however option 1 is the easiest over the long term.

Option 1: Sign up for credit monitoring.  You may choose to do this via Equifax for free, or you may choose not to place your trust in the company that has lost control of consumer data 5 times in 5 years.  There are alternatives (e.g. Lifelock, Transunion, Fast3CreditScores, Experian Identity Works, Privacy Guard).  Numerous sites are available for evaluating these.

  • Pro:
    • You will receive alerts when anyone attempts to open a new credit account in your name.
    • Some of these credit monitoring companies will help you if your identity is compromised.  Choose carefully.
  • Con:
    • This is more expensive than the $15 per year for a freeze. (assuming you only apply for one new credit account per year)

Option 2: Contact each of the four consumer credit bureaus (Equifax, Experian, Innovis, Trans Union), and request a Credit Freeze.  This may cost up to $15 per bureau, depending on your state of residency.

  • Pro:
    • If a criminal attempts to open a credit account in your name they will be refused.
  • Con:
    • When you wish to open a new credit account you will have to do the following.
      • Ask the company from which you are requesting credit to tell you which credit bureau they use: Equifax, Experian, Innovis, or Trans Union.
      • Contact that credit bureau and release the freeze.
      • Apply for the new credit account or loan.
      • Contact that credit bureau and request the freeze again – this will likely cost an additional $15.  If you do this less than once per season then this is much less than you will likely pay for credit monitoring.  It is of course less convenient.

Conclusion

Because of the large number of identities stolen (143,000,000) this is likely the worst data breach ever.  Whether or not your personal information was breached in this incident, there are steps you can take to prevent criminals from using your identity to commit crimes.

60% of Small Businesses Close After Cyber Attack

Running a small business can be hard enough, but cyber crime makes it even harder. According to multiple sources, once a business suffers a cyber attack there is a 60% chance that they will be closed, out of business within a year. [CS] [FC] [GM] This is a tough number to hear, especially given that small businesses have fewer resources available for I.T. Security.

Furthermore, 71% of small businesses report that they have been attacked, and back in 2015 the average cost of each attack was $20,753. [FC] How much will it cost your business? How much should you spend to prevent attacks or to be able to survive a successful attack?

You don’t have to spend tens of thousands, and you don’t need to hire MEI Security (although we are happy to help). You can find options for lowering your risk. We sponsor free meetings, on the second Thursday of the month. Ours are in Stoughton, MA, but you may be able to find some in your area. We also have a list of resources that include free options for small to medium sized companies. Whatever your budget, there are steps you can take to protect yourself from cyber criminals. We urge you not to wait until after an attack. For 60% of small businesses that was too late for survival.

—————————————-

References:

[CS] DJ Jordan, Joel Hannahs, “Collins Subcommittee Examines Small Business Cyber-Security Challenges With New Technologies”, 2013-03-21, http://smallbusiness.house.gov/news/documentsingle.aspx?DocumentID=325034

[FC] “60% Of Small Businesses Will Close Within Six Months Of A Cyber Attack… Will Your Company Survive?”, 2015-10-22, http://www.financialcomputer.com/2015/10/60-of-small-businesses-will-close-within-six-months-of-a-cyber-attack-will-your-company-survive/

[GM] Gary Miller, “60% of small companies that suffer a cyber attack are out of business within six months.”, 2016-10-23, http://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/

Has the Cyber Security Industry Failed?

Request to run insecure scripts illustrates security problems.

In an article on www.cnbc.com Aneri Pattani appears to be saying that the cyber security industry has failed.  Aneri refers to breach-after-breach and points to the fact that simple, old-school exploits & attack methods continue to work against newly deployed software.  While the facts are true, I believe that Aneri has missed the point completely.  I suggest that the failure is not in the industry as much as in the people who choose not to take the advice of security professionals.  There are two components here.  First, cyber security professionals may need to improve how they educate people on the subject of risk.  Second, those in control of businesses must take ownership when things fail if the failure happened after they elected not to enact recommended security measures.  Blaming the security industry for breaches is inaccurate and distracts from the real cause of security issues.

Regarding educating people on risk, let’s take one example. Aneri says “The best way to fight this cyberwar is to get back to basics, like knowing how many computers a company has and gaining control over them in seconds.”  This is true.  The industry has been saying this for years.  Take, for example, the SANS Top 20 Critical Security Controls, now the CIS security controls.  Number one on the list is “CSC 1: Inventory of Authorized and Unauthorized Devices”, which corresponds to “knowing how many computers a company has”.  This simple step is the number one thing that companies can do, and yet many, many companies don’t do so.  (There’s a poster too, which I recommend.)

Regarding how companies encourage bad behavior while ignoring the security industry’s recommendations, let’s consider the very web page accusing the industry of failure.  The industry has said for years that running lots of scripts on a web page increases risk.  Each time a user opens up their browser to run more scripts they have exposed themselves to more code from unknown sources.  For this reason many people, like myself, use script blockers as part of keeping our browsers secure from attack.  When I tried to read the comments on the cnbc.com article I specifically allowed scripts to run for the current page.  I did this three times, each time allowing more and more scripts to run.  In the end I was still not able to view the comments, and the page still wanted to run more scripts.  (Yes. I know that MEI Security’s web page asks for some scripts to run, but it does function with scripting disabled.)

In conclusion, the article proclaiming that the security industry has failed shows by its very nature that businesses continue to ignore the advice of the security industry, and they push for users to bring more risk into their own environments.  If you refuse to secure yourself then you’ve decided to take that risk.  When you are breached, don’t blame the folks who told you not to take the risk in the first place.

Source Boston 2016 Promotion

MEI Security wants to see YOU

at the Source Boston conference, May 18 and 19.

Join us where Security and Business come together at Source Boston 2016, and drink in the Security know-how.

Each person who signs up with the affiliate code “AFFILIATE_VIKSOLEM” gets a portable USB battery, a slide-able webcam cover, and their choice of an MEI hat or T-shirt.

Here’s what to do

  1. Sign Up – Sign up for Source using the affiliate code “AFFILIATE_VIKSOLEM” – which gets you a $50 discount right off the bat!
  2. Email Us – Email us at source2016@meisecurity.com, let us know you signed up with our code, and indicate (1) your choice of logo and (2) your choice of hat or T-shirt (and T-shirt size).
  3. Learn and Enjoy – Go to the conference and drink in the security know-how!

Don’t forget to pick a logo (Consulting or Training) for your battery, webcam cover, and hat/T-Shirt.

We will have your battery, webcam cover, and hat / T-shirt at the conference or delivered to you afterwards, depending on availability.

Two Cyber Security Secrets about the FBI v Apple Case

Hush

Speaking as a cyber security professional, there are two “secrets” about the FBI v Apple case that seem obvious but don’t appear to have much visibility in the news.  (1) If you want to break into an encrypted device you hire people who do that for a living not the manufacturer, and (2) if a back-door is built into any system it will be used by those who don’t care about obeying the law.

There are many specialties in cyber security.  Picking three for illustration, there are companies that unshred documents – see our upcoming post on how to use a shredder properly.  There are companies that specialize in breaking into online sites.  And there are companies that break into mobile devices.  If you need documents rescued from the shredding bin you call a deshredding company, not the shredder manufacturer.  If you want to see how vulnerable your web site is to attacks then you hire a company that does that all day every day, never the company that built the web site – especially if you built it yourself!  And if you need to break into a mobile device, in this case an iPhone, then you hire a company that breaks into these devices all the time.  You do not go to the manufacturer.  (Of course, if your goal is swaying public opinion instead of breaking into the phone then perhaps you make a federal case of it.)   SECRET #1: If you need to break into something you hire a specialist who does that for a living.

Knowing that a back-door exists completely changes how you try to break into something.  As long as a secured container is thought to be secured, the attacks against it are typically frontal assault / brute force attacks or coercion / candy-for-your-password attacks.  The moment that a back door is known to exist the known “attack surface” changes, as do the methods of attack expected to succeed.  If a back door were to be built into a class of mobile devices (e.g. all iPhones) then that back door would become the area of focus for getting into the phones.  Instead of breaking into a single phone, one successful exploit gets an attacker into all phones (of a certain version etc.).  The idea that the special back door will only be used when appropriate (e.g. with a warrant) is just silly.  Once the back door has been built, the security of the system is broken, and government funded (possibly not the U.S. government) and criminally funded attackers will get the key.  Yes.  I said “will get” not “might get”.  If it exists they will obtain it, and they don’t care about warrants or other legal issues.  What started as a Law Enforcement Only back door will then be used to steal private information for use by other governments and criminals around the world.  How would a foreign intelligence agency use “private” text messages and emails against a government employee having money trouble or family issues?  How useful would it be for a burglar to know the precise location of every member of your family at all times? Breaking the security of the iPhone – or of any ecosystem – is a serious loss for all good people.  The notion that law enforcement or Apple can keep the secret key a secret is immaterial. The very existence of a back door makes it a very valuable target. SECRET #2: Once a back-door key exists the back-door becomes the attack point, and attackers will get in, no warrant required.

The very notion of asking a manufacturer to break into their own device indicates that the goal is not the data on that one device, and if the manufacturer provides that access then it opens up all devices to those who (unlike law enforcement) don’t care about the rule of law, freedom, or personal privacy.

How to Get Control of Your Accounts

As we continue to use services of different companies, we end up with more and more accounts.  Getting control of all of those accounts can be a very difficult task.  Here we mention one method and explain a second one in detail. Both will work, but each one has strengths and weaknesses.

The list of accounts that each of us has gets out of hand very quickly.  Online banking, email account, store loyalty card, sports team registration, etc.  There are two good ways of getting the accounts under your control.  One is electronic and one is not.

The electronic method can be very useful, but it has its own risks.  In the past some password manager sites have themselves been hacked, exposing their users’ passwords.  There are a few things to keep in mind about storing your passwords electronically.  It is similar to writing your passwords on a piece of paper, with two exceptions.  First, the “piece of paper” lives in cyber space, and it can be sent to places you never intended.  Remember, if your password manager doesn’t save the file to the cloud then if you lose access to it (e.g. if it’s on your phone and you lose your phone) you will not have access to any of your passwords.  If your password manager synchronizes to the “cloud” then your “piece of paper” is now copied onto multiple computers in multiple locations, and is exposed to attackers if those attackers break into any one of the locations where your “piece of paper” has been copied.  Second, while the “piece of paper” is protected by encryption, that protection rests on three things: (1) the strength of your password, (2) the encryption algorithm used, and (3) the secure programming abilities of the programmers who implemented the encryption algorithm.  You can control the first, and you can select the second, but you have little control over the programming abilities of the people who implemented your program. The best you can do there is to select a program written by an organization with a reputation for secure programming.  The easiest way to do this is to select open source programs that have been tested by the industry for many years.  My personal favorite here is PasswordSafe, but there are others.  Your best methods for protecting your passwords are to choose a good password for your password manager and to change all of your passwords every three to six months.

The paper method is especially useful for people who don’t trust their phone, their computer, the cloud, or any electronic device that can break.  Unlike hacking a phone, server, or network, hacking into a person’s house must be done in person, and that makes it far more difficult (though not impossible) to do.  Securing your passwords in this manner takes some doing.  First, you must have a secure location for storing your passwords.  A notebook in your desk is usually not the best location.  Who can get access to your desk?  Do you have an alarm system and video cameras recording when you are not at your desk?  A small safe is a good first step.  You want to take every reasonable step that makes it harder for someone to quickly grab – or simply photograph – your paperwork.  A small safe (sometimes called a document safe or a gun safe) locked inside a desk drawer, or physically connected to a wall is a good start.  If you live in an apartment where you can’t drill into a wall or floor to connect the safe, you can bring in a few long pieces of wood, place them in a closet, and then connect the safe to that.  You want to make it extremely difficult for an attacker to grab your safe, drop it in a back pack and walk away.  For the first six months that you own it you should open the safe daily or at least weekly.  This will make the combination easier to remember after the six month period.

Now that you have a “safe” location let’s talk about the paper.  Whether you use a pad of paper, individual sheets, or a notebook, you want to be sure that the whole stack goes into the safe.  You do not want to write your secrets on the top page of a pad of paper, rip it off, and place it in the safe.  An attacker could use a pencil to expose your password from the indentations made when you wrote them down.  Now this may seem extreme, but never give any attacker a gift.  Today you may not expect anyone to be searching your home for your passwords.  Five years from now you may have different friends who bring with them their friends on a visit, and now you have people you’ve never met inside your home.  Taking extra steps ahead of time can only help you prevent problems later.

Now, you have the paper and a secure location for storage.  You’ll want to start by listing all accounts that you can remember.  Ideally you want to save the location of the account (web site, cell phone, etc.) along with the username, the password, and the answers you gave to any “secret questions”.  (Remember each secret question can be answered like a password if you want, but you must save the answers you give.)  Another piece of data that can be very useful is the date when you set the password.  This will need to be updated when you change your passwords, but it will be very helpful if you ever have a problem with the account.  If you have an opportunity to use a phone number for additional security for the account then you’ll want to note that here.  It’s a good reminder that you’ll need the phone when you connect to the account.  As you remember more accounts (sports registration, gym membership, theater tickets, store loyalty card) you’ll want to add them to the paper.  For the first run take note of all the accounts you remember. Then keep the paper in the safe.  As you remember other accounts you can take note of them  – just the account – and keep that separate until you have an opportunity to sit down with the master list and add the new accounts.  That keeps your master list safe, since you don’t have it out all the time.

In summary, you want a secure location, physical or cyber, and you want to keep a complete list of all accounts.  We have suggestions on how to choose passwords and how to answer secret questions, but that’s for another time.

Apple vs FBI – After They Break The Encryption

Let’s assume that Apple does help the government subvert the security of iPhones by getting them into this one device.  This is not Apple’s specialty.  I wouldn’t hire a safe builder to crack into a safe.  I’d hire a safe cracker, but that’s just more about how the government is being disingenuous when it says this is about just one phone.

Anyway – once the government has access then we live in a world where all iPhones can be opened.  At first it will take a court order to get access to a phone.  Then the code will leak out, and it will leak out.  Consider who has been compromised in the past.  Places like Sony, OPM, IRS, and even the Pentagon.  Once there’s a program that is a back door to all iPhones, it will be stolen.  Once that happens all iPhones can be opened.  Will Joe Criminal continue to use iPhones? Of course not!  Criminals will do a Google search (Yes.  Criminals have heard of the Internet.), and they will use some other technology to keep their communications secret.

Let’s say that the politicians get involved.  They talk about how this encryption stuff is obviously dangerous, and it must be regulated.  Remember, we did this before.  Let’s say that they require all products sold in the U.S. to have back-doors built in so that law enforcement can have access to all encrypted secrets.  They’ll say that it’s only law enforcement, but later it will be any well funded group like China, ISIS, or perhaps a political party looking for dirt on people.  What will happen next?  The same thing that happened when the U.S. government declared encryption to be a munition and regulated it.  All people and organizations that value privacy will use encryption that’s not broken.  They’ll get it from outside the U.S.  But wait!  You say congress is smarter than that.  They will make it illegal to use such encryption.  Once that happens, all people who obey the law will use broken encryption.  All people who value privacy and who are criminals (terrorists, drug dealers, etc.) will use encryption that works.

Breaking the encryption never hurts criminals over the long run.   It always hurts good, law-abiding people.

When terrorists in Mumbai used cell phones there was talk about how cell phones can be dangerous.  Yet we understand that the devices do far more good than bad.  Privacy likewise does far more good than bad.  Without privacy we are open to the whims of those in power.  If the government has access to the private communications of all citizens then what happens when our next President decides to use an executive order to punish those who pollute, or those who own firearms, or those who speak ill of another religion?  Privacy protects us all.  If we sacrifice privacy in the name of security then we’ve lost both.