Thursday, 19 November 2015

What is Tor and Should your website block Tor users?

A great infographic by State of the Internet raises an interesting question: should websites block Tor users? It is certainly one for debate. My view is that it depends on your website's 'marketplace', function and risk; in other words, perform a risk assessment, a lazy answer I know.

But if, like me, you often find yourself explaining what Tor is to business folk so they can perform those risk assessments properly, you'll find this infographic comes in quite handy. It does a simple job of explaining Tor: who uses it, how it provides anonymity online, and how cyber criminals are embracing the tool for various illicit purposes.

I recommend checking out the State of the Internet website for further info, statistics and reports on Web and DDoS attacks, which continue to blight the Internet.

Friday, 23 October 2015

TalkTalk Hacked (again) - Consumer Advice

A lot of TalkTalk customers have been in contact with me today asking for my advice following TalkTalk's announcement of yet another major data breach.

The TalkTalk press release states "there is a chance that some of the following data may have been accessed:

Date of birth
Phone numbers
Email addresses
TalkTalk account information
Credit card details and/or bank details"

Given TalkTalk are unable to confirm whether any of this data was encrypted when accessed, if you are a TalkTalk customer you should take this statement seriously and assume the personal information, bank account and/or credit card details you held with TalkTalk are now in the hands of cyber criminals and fraudsters.

What to Do
In summary all TalkTalk customers must be extra vigilant in checking their bank and credit card accounts for fraudulent transactions, and for attempts of fraud by covert cyber criminals using their personal information against them.

Statement Checking
From this point on all TalkTalk customers should regularly check bank and credit card accounts shared with TalkTalk for fraudulent transactions. Transactions such as multiple mobile phone pay-as-you-go top-ups, online casino and betting payments are common ways in which cyber criminals cash out on stolen account details. Even legitimate-looking transactions for low amounts with companies you know need to be verified, as criminals will often test a stolen bank account or credit card by performing a transaction for a low amount before committing further fraud at a later date. Criminals tend to go for lower transaction amounts at first, as they tend to go under the radar of some bank fraud detection systems. Some banks and credit card providers are better than others at detecting fraud, but it is important not to rely on any bank or credit card company to detect the fraud for you, as they are far from 100% in their detection.

If you do find any fraudulent or even suspicious transactions, contact your bank or credit card company immediately. Do not report it to the Police, TalkTalk or the company with which the fraudulent transaction was made; only the bank and the credit card provider can take immediate steps like cancelling your card/account and reissuing a new one, and they are best placed to investigate the fraud and are ultimately the party in a position to return your money, even if they can't get the cash back. Do not worry, you will quickly get your money back as long as you have done nothing wrong.

Identity Theft
You may wish to consider registering yourself with a credit checking company to ensure no one is using your stolen personal information to take out finance in your name (identity theft). Expect to pay £10 to £15 a month for the privilege; you never know, TalkTalk might provide this service to you for free by way of an apology.

Beware of Phishing and Phone Scams
Criminals may use your stolen personal information against you. For example, they could use your information to send you highly realistic and personally customised emails, enticing or scaring you into visiting a compromised website or opening an attachment which installs malware onto your computer or smartphone, or general messaging that attempts to harvest further personal and financial data from you. These targeted email scams are known as spear phishing in the cyber security industry, and can even originate from criminals that don't have your TalkTalk info, but are seeking to take advantage of the situation by impersonating TalkTalk, guessing you are a TalkTalk customer.

Beware of phone call scams where criminals use your stolen information to convince you the call is genuine, as we know TalkTalk customer phone numbers have also been compromised in this breach. These types of phone scam attacks are known as vishing attacks in the cyber industry. Always hang up on such calls and call the contact number on your bills and statements if you are concerned.

The TalkTalk statement doesn't say that passwords were compromised in this breach, but I strongly advise you not to take any chances and to change your TalkTalk password immediately. Also make sure you aren't using your old TalkTalk password with any of your other online accounts, especially your email account and bank/credit card online accounts.

Choose Who you Share Your Personal and Financial Information With
Consumers should always consider the “cyber security hygiene” of companies that they intend to trust with their personal and financial information before using them. This is the third data compromise TalkTalk has reported in the last 12 months. In my experience these types of cyber attacks aren't carried out by elite master hackers; the real cause tends to be companies under-investing in protecting your information properly. Indeed, encrypting financial data is considered an industry security best practice, while encrypting debit/credit card data at rest is a fundamental requirement of the Payment Card Industry Data Security Standard (PCI DSS), which for the last 9 years has been a security standard that all companies handling and storing debit/credit card data are supposed to comply with.

Tuesday, 29 September 2015

Top security best practices for IoT applications - Combating IoT cyber threats

I have written the following article for IBM, which was published today on IBM developerWorks.

The Internet of Things is changing the way that businesses operate, especially in the areas of warehousing, transportation, and logistics. These changes make the security of IoT devices even more crucial, given the time and money that is required if a hacker breaks through the defenses. This article outlines the best practices for securely developing robust IoT solutions.

Wednesday, 10 June 2015

To Firewall or not to Firewall – Trusted & Untrusted Networks

The big danger of firewall deployments within a complex, dynamic network infrastructure (a typical enterprise) is that you end up with placebo network security. It is a problem that creeps in with each firewall rule change over the course of time. No one ever seems to be concerned when adding a new rule to a firewall ruleset, but removing a rule is a fearful business, so often it is not risked, so as not to break anything. The general ad hoc adding of rules without first understanding the entire ruleset is what seriously weakens firewall security; it makes rulesets hard to understand and can mushroom into an ineffective firewall configuration. So instead of allowing a network range through on a specific set of ports as a single rule, you end up with tens of rules allowing individual IPs each on a specific port. I have seen firewall rulesets with thousands of unnecessary individual rules, caused by a combination of poor firewall management, lack of change control, lack of ruleset documentation and, to be honest, a lack of staff expertise.

Let's roll back to the fundamental purpose of a network firewall, which is to control network traffic between trusted and untrusted networks, only allowing specific, required and trusted network communication between an untrusted and a trusted network segment. The obvious example is the Internet (untrusted) and the office LAN (trusted). However the textbook Internet-facing firewall is not typically where the issues are in a complex internal network infrastructure, where often there are countless individual networks making up a WAN.

It is important to define what we mean by an ‘untrusted’ network in the context of the ‘trusted’ network we seek to protect. I would define it as such: an untrusted network is any network you do not have the ability to control or manage. So (typically) an external client network is untrusted and a third party service provider network is untrusted, but as for networks within the enterprise WAN, that all depends on whether they are controlled and managed; in other words, are they secured to the same degree as the trusted network you seek to protect?

In the context of a WAN, we should not overlook that internal network security is one part of a layered security approach, and that data in transit through the networks is also controlled logically at the application layer (access control) and perhaps even by encryption. However this multi-layered security approach may not suit the needs and risk for internal network interconnectivity. Understanding where firewalls are required must start with assessing which networks are considered untrusted and which are considered trusted.

Some network environments won't be as simple as the duplex of an untrusted and a trusted network; however, they can still be logically defined in a levelled trust relationship model, allowing zones of trust within the network infrastructure. It is a bit complicated to explain fully in this post, but for example:
  • Network A: Network B & C are trusted (untrusted zone)
  • Network B: Network A is untrusted, Network C is trusted (trusted zone level 1)
  • Network C: Network A & B are untrusted (trusted zone level 2)
A network firewall device may not even be necessary to segregate networks, as a degree of network security comparable to a firewall can be provided by other network devices; for instance, by creating an Access Control List (ACL) on a managed switch, and a router can be used to secure network traffic between networks.

Finally, firewall deployments and network layer security need to be tested and assured. I recommend regular firewall ruleset reviews; however, the most effective way is to test the security like a hacker or malware would, by performing regular network discovery and vulnerability scanning, which help ensure firewalls continue to secure communications between trusted and untrusted networks as designed. Internal network discovery and vulnerability scans can even be a fully automated process by using tools such as Outpost24's Hacker In A Box (HIAB).
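The ruleset review recommended above, as an added example (not part of the original post): it lists per-host rules made redundant by a broader rule, collapses sources into the fewest covering ranges, and labels rules that admit a lower-trust zone into a higher one. The zone levels follow the Network A/B/C example; the address ranges, sample rules and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Trust levels follow the post's example: A untrusted (0), B level 1, C level 2.
# The address ranges are constructed for illustration.
ZONES = {
    "A": (ipaddress.ip_network("10.0.0.0/16"), 0),
    "B": (ipaddress.ip_network("10.1.0.0/16"), 1),
    "C": (ipaddress.ip_network("10.2.0.0/16"), 2),
}

# Constructed allow rules: (source, destination, TCP port).
RULES = [
    ("10.1.5.0/32", "10.2.0.10/32", 1433),
    ("10.1.5.1/32", "10.2.0.10/32", 1433),
    ("10.1.5.2/32", "10.2.0.10/32", 1433),
    ("10.1.5.3/32", "10.2.0.10/32", 1433),
    ("10.1.5.0/24", "10.2.0.10/32", 1433),  # already covers the four rules above
    ("10.0.9.7/32", "10.2.0.10/32", 22),    # untrusted A straight into C
    ("10.2.0.10/32", "10.1.5.20/32", 443),  # C to B: higher trust to lower
]


def parse(rules):
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), p) for s, d, p in rules]


def zone_of(net):
    """Return (zone name, trust level); networks outside every zone are least trusted."""
    for name, (zone_net, level) in ZONES.items():
        if net.subnet_of(zone_net):
            return name, level
    return "unknown", -1


def redundant(rules):
    """Rules whose traffic another rule already allows (exact duplicates: later copy)."""
    parsed, hits = parse(rules), []
    for i, (s, d, p) in enumerate(parsed):
        for j, (s2, d2, p2) in enumerate(parsed):
            covered = i != j and p == p2 and s.subnet_of(s2) and d.subnet_of(d2)
            if covered and ((s, d) != (s2, d2) or j < i):
                hits.append(rules[i])
                break
    return hits


def consolidate(rules):
    """Merge sources per (destination, port). collapse_addresses only joins
    adjacent or nested ranges, so the merged ruleset never allows more."""
    groups = defaultdict(list)
    for s, d, p in parse(rules):
        groups[(d, p)].append(s)
    return [(str(s), str(d), p)
            for (d, p), sources in groups.items()
            for s in ipaddress.collapse_addresses(sources)]


def lower_to_higher(rules):
    """Rules admitting a lower-trust zone into a higher-trust one, for documented sign-off."""
    flagged = []
    for raw, (s, d, _p) in zip(rules, parse(rules)):
        (src_zone, src_level), (dst_zone, dst_level) = zone_of(s), zone_of(d)
        if src_level < dst_level:
            flagged.append((raw, f"{src_zone}->{dst_zone}"))
    return flagged


if __name__ == "__main__":
    print("redundant:", redundant(RULES))
    merged = consolidate(RULES)
    print("consolidated:", merged)
    for rule, crossing in lower_to_higher(merged):
        print("review", crossing, rule)
```

Run against an exported ruleset, the redundant list is the set of rules that can be removed without changing what is allowed, which takes some of the fear out of rule removal.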

Friday, 5 June 2015

Enviable Business Cloud Adoption & Cloud Security

I was quoted in an interesting discussion type article on Business Cloud Adoption at 

How Line Of Business Is Driving The Move To The Cloud

I have picked out my quotes, which underline my view that IT and Security functions must be agile and accommodating to the business's cloud wants. The business, in turn, must be careful not to be so bamboozled by the efficiency and cost saving gains, and all those sexy sales buzzwords, that they neglect the security question when procuring cloud services.

On Cloud Adoption
“Quite often businesses adopt cloud services outside the IT function, whether it is Sales using Salesforce or HR using LinkedIn for recruitment, or general staff using Dropbox,” said UK-based Information Security Expert Dave Whitelegg. “The traditional internal-facing IT department can be quickly left behind by buy-and-go cloud service adoption.”

On Cloud Security
“Cloud data security concerns should be addressed by IT carrying out due diligence and risk assessments with the cloud service provider, an approach often neglected when business departments decide to go commando and adopt cloud services on their own,” said Whitelegg.

However, he added that the onus should be on IT to move with the times and make sure solutions put forward by Line of Businesses (LOB) are properly considered.

“The IT function definitely needs to come down from the ivory towers, stop saying no and tune into addressing the business requirements and the benefits cloud services can provide.”

Monday, 1 June 2015

Security Today - Cyber Information Security News Stream & Alerts Twitter Feed

I was an early adopter of Twitter, opening my @securityexpert account back in October 2008. I have found Twitter to be an excellent tool for picking up and sharing information security news, articles, major breaches and critical vulnerability alerts. As well as making my own contributions, I often retweet tweets of InfoSec interest, education and intrigue. However, I have always had a strict policy of never allowing my @securityexpert account to send any automated tweets; every tweet is manually sent or retweeted by yours truly. Once you go down that road the personal nature of the account goes. I recognise that many followers of the account are interested in the latest news, so with that in mind I have launched a new Twitter account to provide a more comprehensive and more regular stream of InfoSec news.

@securitytoday has been launched to tweet just cyber information security related news and alerts. The account steadily tweets information/cyber security related news, articles and critical vulnerability alerts from a variety of sources. Most of the tweets are from a worldwide context, but the service also has a focus on providing news and alerts from the UK InfoSec space. For example, it picks up specific UK cyber threats and incidents, and the latest news from the UK and European Data Protection legislation space.

If you are looking for a steady stream of cyber news, or wish to drop into a snapshot of what's going on in the world of information security at any point in time, rather than security snippet tweets which are intertwined with what someone has eaten for breakfast, @securitytoday will be for you.

Follow @securitytoday and dive into a news stream of cyber / information security tweets at your convenience.

Wednesday, 27 May 2015

Snoopers’ Charter Law Eroding our Digital Privacy is Sneaking In

The UK parliament re-opened for business today with a new UK government, which means a new raft of laws. While the media and the public were preoccupied with rights-eroding laws on the ability of unions to take strike action, and the possible replacement of the Human Rights Act, there was another proposed law in the list which seriously erodes another fundamental human right, our right to privacy. In the last coalition government the Liberal Democrats blocked this law on privacy grounds, but with the LibDems blown away in last month's general election, there is nothing to stop a Conservative majority government passing the Snoopers' Charter law.

Anti Austerity and Pro Union Protesters in London after the opening of Parliament

The Snoopers' Charter is actually the nickname for the Communications Data Bill. The intended bill will grant ‘official’ permission for UK government agencies to read our email, listen to our phone calls and access our web browsing history. The law requires all UK ISPs and mobile phone operators to store our internet browsing activity, social media usage, emails, voice calls, internet gaming, and mobile phone messaging information for 12 months. Let's not kid ourselves that the UK security services don’t presently have such capabilities for themselves; just read the Edward Snowden leaked documents on GCHQ's snooping activities.

Everyone has a legal right to (digital) privacy; any law that impedes this fundamental human right has to be fully scrutinised and expertly debated. You only have to listen to the rubbish that comes out of our politicians' mouths when it comes to digital privacy and security to be very concerned; the Prime Minister said he wanted to ban online encryption, which is utter nonsense. The Snoopers' Charter is being pushed by the UK security services, taking in politicians because they don’t understand the subject matter and they believe such laws are necessary to prevent terrorism. If there is one thing we all should have learnt from the Snowden circus, it is that our security services need to be held in check when it comes to them freely trampling over digital privacy. I don't believe there will be enough counter-argument to the Snoopers’ law, especially with the LibDems' voice of privacy reason gone. I fear the political debate will gloss over the privacy infringement aspects of the law, focusing only on the terrorism prevention reason. There is a very delicate balance between security and privacy; it is for society to determine how it should be balanced, never the security services.

From a data protection perspective, hanging onto personal data longer than is required is a major ‘no no’. The changes in law will force many companies to store our most private information when previously they didn't have to. I think we can expect to see this new personal data storage leading to some serious data breaches in the future, especially by the smaller businesses involved, which quite frankly lack the security expertise, funding and so the ability to secure sensitive data to a high standard. We can certainly expect this data to be targeted by online fraudsters, as it will be of high exploitable value to them, and the data will even be targeted for the purpose of fame and notoriety by anti-government hacking groups, how ironic.

Finally, any talk of passing laws which weaken encryption strength to permit UK security services to snoop is both nonsense and unenforceable, as by definition if you weaken security to let the UK government in, you weaken security for everyone.

Sunday, 22 March 2015

EU Data Protection Tsunami Warning

I attended a couple of data protection conferences this month, and I heard a significant amount of naivety about the proposed EU Data Protection regulations. I listened to supposedly expert DP speakers talk about lobbying for changes to the EU regulations, and a general denial that many of the new requirements were actually going to happen, hence my tsunami warning analogy.

UK Business needs to prepare to surf EU DP Regulation Tsunami

Seismic ‘once in a lifetime’ privacy Law Change
By the end of this year, or early next year at the very latest, the European Parliament will enshrine into European law the biggest shake-up in data protection and privacy legislation we'll probably ever see in our lifetimes; it is that huge of a deal. Granted, it will likely take another two years before it comes into force.

Today we are standing on the beach, those that look will observe the dark spectre of a tsunami approaching far on the horizon, it is coming in, first we need to accept it is heading to our shores, then we need to accept we can’t change its scale or course, but what we can do is start preparing business for its arrival. 

The warning shot was the "EU Cookie" law, an EU-wide law that no EU citizen actually cares about, but nevertheless nearly all major UK websites have annoying pop-up cookie banners in order to comply with it. The new EU regulations have some serious teeth by way of huge financial penalties for non-compliance with any of the requirements, which makes the EU Cookie Law look like a drop in the ocean. Many of the legal requirements go beyond just the protection of personal data; here are a few bullet points on the rough ride in store for UK business in the data protection space in 2018.
  • Regulation Not Directive - This means the requirements are not open to any interpretation by member states (as current DPA laws are) as they pass it into local country laws; as the requirements are written so they shall be done
  • Data Breach Disclosure - All personal data breaches are required to be reported and so publicly disclosed, likely within 48 hours of them occurring. This also applies to data processors, no more hiding behind data controllers for them. Presently only public sector organisations in the UK have to report personal data breaches to the ICO.
  • Major Fines for Non-Compliance - Fines of up to 5% of global annual turnover are enough to rock any boardroom with concern.
  • Data Processor liability - A Data Processor will be on equal par to a Data Controller. This will be a major concern to cloud service providers.
  • The Right to be Forgotten - Businesses must abide by data subject (EU citizens) requests to erase their personal data.
  • The Right of Portability - Businesses must be able to provide any held personal data in a format which lends itself to moving/sharing with other organisations upon the request of the data subject.
  • Data Protection Officer - Most UK businesses will be required to appoint a Data Protection Officer
  • Applies to Non-EEC business processing EU Citizen Data - Even if the UK opts out of the EU, UK businesses which touch European citizens' personal information will still need to comply with the EU regulations. It also means US companies that process EU citizen data must comply as well, no matter where their data centres are, bad news for the likes of Facebook, Microsoft, Apple and Google.
My point is that whether you agree with these regulations is moot. Some may say the privacy horse has bolted and long left the stable, while others say it's high time we turned the tide on our 1984 society. But what is crystal clear is that the present DPA law is seriously outdated; it was drafted long before the internet and digital data usage took off, so it is difficult to argue that an update to our data protection law is not long overdue. Now we can debate whether these changes go too far or not at conferences until the cows come home, but that's not going to change the fact that these major changes will happen and will significantly impact UK businesses, so now is the time to stop debating, take our heads out of the sand and start preparing the business.

Thursday, 19 February 2015

Lenovo's Superfish is Adware at Best and Malware at Worst

Since the middle of 2014, Lenovo have been pre-installing a piece of software commonly known as 'Superfish' onto its new laptops and PCs. In recent days the "Cyber Security" press has questioned the validity of Superfish, saying that it invades personal privacy and that it exposes Lenovo users to data theft, and they do have a point. Although Lenovo aren't the first to covertly push the privacy boundary for commercial gain, they won't be the last either.

Adware at Best
Superfish operates fairly covertly in the background of the operating system; as you search online, the software returns related advertisements back onto the desktop. These advertisements are chosen by Lenovo, and provide revenue to Lenovo when clicked upon. This is in effect adware, namely an unwanted and unnecessary piece of software running on the operating system. It appears to be of no benefit or aid to the user; its main purpose is to provide an income for Lenovo. If we needed any additional help with our online searches, I am sure Google would have thought of it first and provided it. Therefore I can only conclude that Superfish has to join the long list of adware, which includes every browser search toolbar under the sun, as they simply aren't necessary. If anything they slow your web browser and searches down, and for what? To make money for a non-welcome third party. Yes, adware is unwelcome on any system.

Malware at Worst
Superfish goes beyond being just adware, and raises a more serious privacy and security concern: the software opens up users to the possibility of privacy snooping directly by Lenovo and by malicious third parties. When you access an encrypted (https) website through a web browser, the browser sets up an end-to-end encrypted communication channel directly to the website, protecting all traffic sent to and from it. This encrypted communication is a vital security requirement to protect online banking, e-commerce, social media, and even web searches from being spied upon and stolen by third parties. Superfish installs a self-signed root certificate on the operating system, which allows Lenovo to intercept web traffic between the web browser and any https-protected website. The reason behind this is to allow the Lenovo advertising system to read and analyse the data sent by the user over the encrypted channel, so that appropriate advertisements of interest can be placed onto the desktop. In the wake of the Snowden revelations, the internet has rapidly adopted encrypted website connectivity. Even search engines like Google now provide https encrypted connectivity by default to protect their users' privacy, which is why Lenovo need to use this dodgy method to break the Google website encryption to access their customers' search data, a goldmine of commercial exploitation for Lenovo.

The Superfish method of breaking https is nothing new and has been used by malicious actors for years; it is commonly known as a "man in the middle" (MITM) attack.

With the Superfish method, as with any MITM attack, most users are oblivious that their secure https web connection has been compromised and that their private data is being snooped upon by a third party. With Superfish, we need to trust that Lenovo, a Chinese company, will be completely ethical with this power, and not use Superfish to snoop on people's private information. Given Lenovo's keen interest in directing advertisements for profit at its customers, the abuse of this power has to be a concern. But it gets worse: Superfish opens up the possibility of malicious actors taking advantage. By creating malware that exploits the Superfish software, cyber criminals may be able to use the Superfish root level certificates to MITM attack any website accessed through the Lenovo host system by the user.

Current Situation with Superfish
After receiving user complaints, Lenovo announced it had "temporarily removed Superfish from consumer systems".

"Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues." - Lenovo Forum Admin

There have been a few other statements made by Lenovo since the negative publicity, saying they will remove Superfish from new machines and disable it on others. However, Lenovo are being far too coy for my liking. Therefore I suggest Lenovo users check for the presence of Superfish and, if it is there, remove it themselves.

How to Detect and Remove Superfish
Not all new Lenovo laptops and PCs had Superfish pre-installed, so first determine whether you have Superfish installed. There are several methods; here are three:

  • This website will test for the presence of Superfish
  • If, while searching, you notice a "Visual Search Results" section and "powered by Visual Discovery", it is certain you have Superfish running.
  • Press the "Windows Key" & "R" to open the Run tool, then enter certmgr.msc and run it to launch the Windows Certificate Manager. Then click "Trusted Root Certification Authorities", next click "Certificates". If you see a certificate which says "Superfish, inc", Superfish is installed.

Example of the Superfish Certificate

There are several methods to stop and to remove Superfish, but the sure-fire way to make sure your Lenovo system is safe is to delete the Superfish trusted root certificate:
  • Press the "Windows Key & R" for the Run tool, enter certmgr.msc and run it to launch the Certificate Manager, then select "Trusted Root Certification Authorities", next click "Certificates", find the Superfish entry, right click it and select "Delete". Also make sure to check under each user account on the system. I recommend using a registry cleaner to make sure all instances of the Superfish certificate are gone. Finally, to ensure it has gone, visit the test website.
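The certificate store check described above can also be scripted. This is an added example, not code from the original post or from Lenovo: it walks the DER encoding of each certificate in the Windows ROOT store, as seen by the account running it, and reports any whose common name or organisation contains "Superfish". The function names and the constructed sample name are assumptions for illustration; it only reads the store, so removal still follows the steps above.

```python
import ssl
import sys

OID_CN = bytes.fromhex("550403")  # 2.5.4.3 commonName
OID_O = bytes.fromhex("55040a")   # 2.5.4.10 organizationName
# DER string types that carry name values, with the codec used to decode them.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def name_strings(der):
    """Collect every CN and O attribute value (issuer and subject) in a DER blob."""
    found, stack = [], [der]
    while stack:
        buf, pos, prev_oid = stack.pop(), 0, None
        while pos < len(buf):
            tag, value, pos = read_tlv(buf, pos)
            if tag & 0x20:      # constructed (SEQUENCE, SET, [n]): descend later
                stack.append(value)
            elif tag == 0x06:   # OBJECT IDENTIFIER: remember it for the next value
                prev_oid = value
            else:
                if prev_oid in (OID_CN, OID_O) and tag in STRING_TAGS:
                    found.append(value.decode(STRING_TAGS[tag], "replace"))
                prev_oid = None
    return found


def is_superfish(der, needle="superfish"):
    """True when any CN or O value contains the needle, ignoring case."""
    try:
        return any(needle in s.lower() for s in name_strings(der))
    except IndexError:  # truncated or non-DER input
        return False


def scan_root_store():
    """Name strings of matching certificates in the ROOT store (Windows only)."""
    hits = []
    for der, encoding, _trust in ssl.enum_certificates("ROOT"):
        if encoding == "x509_asn" and is_superfish(der):
            hits.append(name_strings(der))
    return hits


def _tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths only (< 128 bytes)


def sample_name(org):
    """Constructed DER Name with one O attribute, standing in for a real subject."""
    atv = _tlv(0x30, _tlv(0x06, OID_O) + _tlv(0x13, org.encode("ascii")))
    return _tlv(0x30, _tlv(0x31, atv))


if __name__ == "__main__":
    print("constructed sample flagged:", is_superfish(sample_name("Superfish, Inc.")))
    if sys.platform == "win32":
        for names in scan_root_store():
            print("Superfish root certificate present:", names)
```

Run it once under each user account on the machine; after removal it should report no root certificate.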