Saturday, 24 June 2017

Facebook Live Oyster Pearl Party Scams

A little off-topic, but recently I've been asked so many times about the Pearl Party live broadcasts appearing all over Facebook status walls. If you haven't heard of Pearl Parties, they are sales broadcasts where the hosts entice viewers to buy sealed oysters which are opened live on the broadcast; any pearls found inside are sent to the buyer, and there always seem to be plenty of pearls found.

So after watching a few of these broadcasts, it becomes clear why they are appearing all over Facebook: the party hosts constantly offer the chance to win a free oyster opening to all viewers who share the broadcast. After further investigation, it becomes even clearer that these Pearl Party broadcasts aren't the harmless fun the presenters insinuate, but are scams.
Oysters Originate from the Far East & Individually Vacuum Packed

The oysters you see opened on the Facebook Live broadcast are real enough, they are bought wholesale by the oyster party, but the copious pearls discovered inside them aren't quite as legitimate, rare and valuable as you might think. I have discovered two methods behind the high number of pearls found inside them. Either the freshwater oysters have been cultured, basically hacked and farmed into growing the pearls, or the oysters had the pearls inserted into them, after which they are dropped into a chemical bath to make them snap closed, killing and preserving the oyster. With either method, the oysters are individually vacuum packed before being shipped off from the Far East to the party hosts in bulk.
Cheap as Chips Oysters are bought in Bulk

On the Pearl Party broadcasts I observed, it cost £30 to £50 to open a batch of 5 oysters, which is a considerable markup from the direct online price of around £1 to £2 per oyster. Often the punters don't get the chance to buy a set number of oysters to be opened in the hope of receiving any pearls found inside, as there is a random-based game to be played to determine how many oysters are opened for their set payment. These games involve rolling a dice or spinning a wheel to decide the number of oysters opened, which in itself probably breaks gaming licensing laws in many countries. This game is part of the scam: it is used to make buyers think they have won something and to disguise the fact they are paying well over the odds for the low-grade, nearly worthless pearls they end up receiving.

Pearl Party Sales are similar to the Shopping Channels

As the party host opens each oyster on the broadcast, they blag about how wonderful the pearls look, using lighting and display techniques to make each pearl look as glamorous as possible, the same techniques employed by the professionals on jewellery shopping channels, but with fibs. The reality is these pearls are nothing like the quality of actual rare, high-value natural pearls. Some hosts will even measure, rate the colour and shape, and conclude a value for each pearl, which is always way more than the buyer has actually paid, again all part of the con. If the host really thought the pearls were worth as much as they are saying, why on earth would they bother with the broadcast rather than just selling them directly themselves!

The host will also offer to set your pearls in jewellery, like earrings and necklaces, all for an extra cost of course.

I also found some hosts operate on behalf of companies in a pyramid-like scheme, where they pay a set amount in and oysters are supplied to them; the more they sell, the more they rise up the pyramid ranks and the more money they make.

So be warned, don't participate in promoting these scams to your friends by sharing Pearl Party Facebook Live broadcasts. You'd think Facebook would do something about these types of illicit practices on their Facebook Live service, but apparently not. Given the lawlessness of Facebook Live, I think we can expect further scams of this nature in the near future.

Thursday, 1 June 2017

Cyber Security Roundup for May 2017

The WannaCry ransomware outbreak within the NHS dominated the national media headlines earlier this month. Impacting 45 NHS sites in England and Scotland, the massive cyber attack led to cancelled operations and diversions of emergency medical services. The WannaCry outbreak was not just limited to the NHS, as thousands of computers were shut down at companies in almost 100 countries. After an initial infection via a phishing email and file encryption, the ransomware has the added ability to rapidly self-replicate, infecting other networked Windows computers without Microsoft's March 2017 critical update (MS17-010) installed; this drove the swift spread of the malware within large organisations and across the world.

Debenhams had 26,000 customers' personal details stolen through its flowers service website, which was operated on Debenhams' behalf by a third party company. The data breach has been reported to the ICO.

With a year to go until the General Data Protection Regulation (GDPR) goes into law, there were several news reports stating UK businesses need to do more to prepare and highlighting the new data breach fines, which could run into billions for FTSE 100 companies.

If you live in Manchester, your computer is 4 times more likely to be infected with malware than elsewhere in the world, according to statistics by Enigma Software Group.

Over in the United States, Brooks Brothers disclosed a major payment card breach, after an individual installed malicious software which captured credit card information within payment systems at locations across the USA and Puerto Rico for 11 months, a reminder of the importance of PCI DSS compliance where businesses store, process and/or transmit credit/debit card data (cardholder data).

Hackers stole a copy of Disney's forthcoming Pirates of the Caribbean film and tried to hold Disney to ransom; Disney didn't pay.

Interesting blog post by MacKeeper Security on how cyber criminals are linking various stolen credential datasets to leverage access to systems.

And finally, it was another busy month of security update releases by Microsoft and Adobe; the WannaCry impact on the NHS is a stark warning to ensure all newly issued critical security updates are quickly applied.

NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

Friday, 19 May 2017

How to Stay Safe in the Cloud

No business or individual should ever assume 'Cloud Services' are sufficiently secure to protect their data and their cloud service provision. There are always elements of cloud service security responsibility which sit squarely with the service buyer (business) and users. Sage have put together a simple-to-understand infographic on Staying Safe in the Cloud, which neatly highlights the threats and the security pitfalls to be aware of when adopting cloud services.


Tuesday, 16 May 2017

WannaCry Ransomware Bite Sized Business Prevention Advice

The top three actions to reduce the risk and impact of a WannaCry type Cyber Attack at a business
  1. Perform regular Staff Awareness specifically on spotting Phishing Emails
  2. Have a robust Patch Management Process. Ensure all Microsoft Windows systems have Microsoft Critical Updates applied quickly - they are marked as critical for a reason!
  3. Have Anti-Virus running on all Microsoft Windows systems, with AV definitions kept up-to-date
Security in Depth
There are further security risk-reducing steps like filtering web traffic, ensuring data is regularly backed up, security monitoring, and network segmentation, but the above three are the simplest and most effective in terms of prevention against this type of attack, especially within the SMB space where security budgets are limited. Expect further versions of the WannaCry ransomware.

The Reasons Behind this Advice
The numbers below refer to the three actions above. (1) The WannaCry ransomware infects an initial system via a phishing email: the user executes the malware within an attachment or through a web link. The Microsoft security update will not stop this initial ransomware execution, (3) but an updated anti-virus system now blocks the current strain of the malware from executing. (2) The Microsoft MS17-010 security update stops WannaCry from rapidly propagating (i.e. worm malware) from the initially infected system to other vulnerable Windows systems (those without the MS17-010 update) attached to the local network.

For full details about WannaCry see my other blog posting - 

Monday, 15 May 2017

The IT Security Expert Blog is 10 Years Old

Ten years ago today I published my first ever blog post about a BBC news story titled "Home Network Security Scrutinised". A decade ago it was rare to see an IT security or hacking story make the news media, and back then the term 'Cyber Security' would conjure images of Dr.Who's metallically clad arch-villains in most people's minds in the UK.
The Face of Cyber Security in 2007

Fast forward ten years, IT security has long been rebadged as 'Cyber Security' and on Friday the top ten news stories on Sky News were all Cyber Security related, albeit about the same global attack, but how times have changed.

'I found the following article on the BBC news website, which happens to be exactly what I had been talking about in my presentations this week. None of the findings is surprising to me, but I find many people I talk with are in the dark about digital security. Anyway, I thought I'd write this post about it and start my own blog' - 15th May 2007
How times have changed since I started writing this blog: the use of computing devices has vastly increased, with IT systems and devices becoming ever more sophisticated; most of us possess powerful 'smartphone' computers in our hands and we have countless connected devices within our homes. It is clear our society has grown ever more dependent on information technology, as evidenced by the NHS cyber attack on Friday, where the loss of NHS workstations due to a fairly simple ransomware attack led to cancelled operations and A&E closures.

Some of the highlights from the last Ten Years
  • 2007 Web 2.0
  • 2007 The iPhone is launched
  • 2007 HMRC loses unencrypted CD holding millions of UK citizen's personal details
  • 2007 WikiLeaks is founded (later to be used by Snowden and Manning)
  • 2007 ISPs using WEP (broken) Wifi encryption
  • 2007 Estonia DDoS of government websites and businesses
  • 2007 PCI DSS compliance is pushed
  • 2007 TJ Maxx 45 million credit card breach is disclosed
  • 2007 Nationwide fined £1m by FSA due to data breach
  • 2008 The Rise of Hacktivism: Scientology attacked by Anonymous
  • 2009 Heartland 130 million credit card data breach
  • 2009 The Gary McKinnon Extradition
  • 2009 The Conficker Worm infiltrates millions of PCs worldwide
  • 2009 Zeus trojan/bot becomes more widespread
  • 2011 EU Cookie Law
  • 2011 PlayStation Network Hack and 102 million Record Data Breach 
  • 2011 Duqu industrial controls virus
  • 2011 Play.com Third Party Breach
  • 2011 Lush credit card data breach
  • 2011 Bank of America had 85 million credit cards taken by a Turkish hacker
  • 2012 Flame cyber espionage malware
  • 2012 LinkedIn data breach, 165 million accounts compromised
  • 2013 65.5 Million emails and password leaked from Tumblr
  • 2013 Evernote had 50 million records compromised
  • 2013 Target breached by HVAC third party, 40 million credit cards stolen
  • 2014 Sony Picture DDoS over "The Interview" North Korea satire movie
  • 2014 General Data Protection Regulation (GDPR) agreed by the EU
  • 2014 The Heartbleed bug
  • 2014 Rambler 98 million accounts compromised
  • 2014 Yahoo 500 million accounts compromised
  • 2014 Home Depot 56 million credit cards stolen
  • 2015 TalkTalk Hacked
  • 2015 Rise of IoT insecurity
  • 2015 Jeep car hack
  • 2015 21.5 million personal records stolen from US Government
  • 2015 Superfish privacy invasion by Lenovo
  • 2016 Yahoo 1 Billion Personal Record Data Breach
  • 2016 $101m hack of the Bangladesh Bank
  • 2016 US election hacking
  • 2016 Friendfinder 412 million accounts compromised
  • 2016 360 Million Stolen MySpace accounts posted online
  • 2016 67 million Dropbox accounts compromised
  • 2016 Massive DDoS attack against DNS provider 123-reg
  • 2017 APT10 Cloud Hopper Campaign Threatens
  • 2017 Global Ransomware outbreak which severely impacted the NHS
Of course, cyber security is not ten years old! In 1903 Nevil Maskelyne disrupted John Ambrose Fleming's public demonstration of Marconi's wireless telegraph technology by sending insulting morse code messages through the auditorium's projector. In essence that was a successful hack of an information technology device.

The Cyber Security Game is afoot
The more devices there are and the more complicated they are, the more likely there are to be vulnerabilities which are exploited by criminals and nation-state actors hellbent on making money and causing mayhem. There is no winning scenario with cyber security; it is a continuous process and the challenge of staying ahead of the bad guys, knowing that if you stand still for just a minute, like the NHS not upgrading Windows XP systems and not applying Microsoft Critical Security Patches on time, you are going to lose the cyber game big time. So here's to another ten years...

Friday, 12 May 2017

WannaCry Global Cyber Attack Killing the NHS Explained & Help

A large-scale cyber-attack has impacted organisations around the world today, including badly affecting NHS services, with at least 25 NHS organisations hit by a mass ransomware outbreak. The ransomware responsible is known as WanaCrypt0r 2.0, WannaCry or WCry2; once it infects a system, not only does it encrypt data on the host system, but it attempts to infect other computers over the local network.

This aggressive malware uses an exploit method named EternalBlue, details of which were posted online in the Shadow Brokers dump of NSA hacking tools on April 14th, 2017. WannaCry exploits this Windows vulnerability (CVE-2017-0145) to enable it to spread quickly over the network (i.e. worm malware); the vulnerability was security patched by Microsoft on 14th March 2017. More specifically, the vulnerability lies within the SMB protocol, which is used for network file sharing, and which the WannaCry malware exploits to replicate itself to other vulnerable Windows devices attached to the same network.

WCry2 Ransomware Demand

To avoid the WannaCry ransomware infection within a network environment, make sure Microsoft Critical Security Update MS17-010 is applied to all Microsoft Windows systems. The update was released by Microsoft on 14th March 2017, so if you have operated a good patch management process or allow Microsoft to automatically update your system, and run anti-virus with AV definitions kept up-to-date, then you should be well protected from the WannaCry mass outbreak. Failing an ability to patch your system, you can look into disabling the SMB service to prevent the malware from spreading.


The MS17-010 update stops the WannaCry ransomware from spreading (within a network); it does not stop WannaCry ransomware from running when clicked upon within a phishing email attachment or link.

To prevent execution, update your anti-virus and be vigilant with scam (phishing) emails enticing you to click on links or open attachments.

For the full Microsoft breakdown see https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ - note Microsoft has specifically released the patch for non-supported Windows platforms, such as Windows XP and Windows Vista.

Controlling an ongoing WannaCry Mass Infection
Where multiple malware infections are detected, the priority is to contain the spread of the ransomware and the subsequent impact. This means powering off any potentially vulnerable systems and disconnecting them from the network immediately. Before re-connecting any potentially vulnerable system, apply all the security updates and then run a full anti-virus (AV) scan to check for the presence of the malware, and make sure your AV product is able to detect WannaCry, which most common AV products now can.

Live global map of the WannaCry infection spread: https://intel.malwaretech.com/botnet/wcrypt

Worried about a Mass Infection at your Business
If your organisation is yet to be infected by this malware and you are concerned, ensure the MS17-010 update is applied on all Windows devices, check Anti-Virus definitions are up-to-date and consider disconnecting from all third party networks until you are certain all systems are fully protected.
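The worm behaviour described above (one infected host trying SMB on many neighbours in a short time) is also the easiest thing to spot in firewall or flow logs, and spotting it quickly tells you which systems to pull off the network first. The following is an added example, not code from this blog: it reads simplified "timestamp src dst dport action" log lines (constructed here; the hosts, threshold and window are assumptions) and flags any source that talks to more than ten distinct hosts on TCP/445 within a minute. Denied connections are counted too, because a worm sweeping a firewalled subnet shows up mostly as denies.

```python
"""Flag hosts whose SMB (TCP/445) fan-out looks like worm propagation.

Added example, not the blog's own code. Log format, hosts, threshold and
window are constructed assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 10   # distinct port-445 destinations inside the window before alerting
WINDOW = 60      # seconds


def build_sample_log():
    """Constructed sample: a normal workstation (10.0.5.40) using a file server,
    and a hypothetical infected host (10.0.5.23) sweeping 10.0.1.1-20 on 445."""
    lines = [
        "2017-05-12T10:14:00 10.0.5.40 10.0.1.10 445 ALLOW",
        "2017-05-12T10:14:30 10.0.5.40 10.0.1.10 445 ALLOW",
        "2017-05-12T10:15:00 10.0.5.40 10.0.1.11 445 ALLOW",
        "2017-05-12T10:15:05 10.0.5.40 10.0.1.10 80 ALLOW",
    ]
    for i in range(1, 21):
        lines.append(f"2017-05-12T10:20:{i:02d} 10.0.5.23 10.0.1.{i} 445 DENY")
    return lines


def parse_line(line):
    """'timestamp src dst dport action' -> (datetime, src, dst, int port, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_smb_fanout(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: {'first_alert': ts, 'distinct_destinations': n}} for every
    source that contacted more than `threshold` distinct hosts on port 445
    within any `window`-second sliding window. ALLOW and DENY both count."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) on port 445
    alerts = {}
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    for ts, src, dst, dport, _action in events:
        if dport != 445:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop events that have slid out of the window.
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) > threshold and src not in alerts:
            alerts[src] = {"first_alert": ts, "distinct_destinations": len(distinct)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_fanout(build_sample_log()).items():
        print(f"ISOLATE {src}: {info['distinct_destinations']} SMB targets "
              f"within {WINDOW}s, first seen {info['first_alert']}")
```

The threshold is deliberately higher than any normal workstation's SMB fan-out (a user talks to a handful of file servers, not twenty peers in twenty seconds), so a hit is worth acting on: unplug the host from the network, then follow the patch-and-scan steps above before reconnecting.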

Infected: Should I Pay the Ransom to get my data back?
I do not recommend paying a ransomware ransom. At this point in time, there is no workaround to decrypt WCry (.wcry) encrypted files. Bitcoin intelligence shows people are paying the WannaCry ransom, and according to reports those that are paying are slowly receiving working keys to decrypt their WannaCry data.

If you don't plan to pay and there is data encrypted (not backed up) you want to keep, I suggest keeping a backup or drive image of the infected systems/encrypted files, as it might be possible to decrypt the data in the future. 

Beware of bogus ransomware removal tools, there are plenty of dodgy websites offering fake ransomware recovery software or instructions to install further malware. Such illicit tools often come with a price and can destroy any hope of file recovery, so avoid any tools from untrusted online vendors.

WannaCry Removal 
I recommend completely wiping any infected system's hard drive and recovering data from a recent 'non-infected' clean backup, and obviously ensuring all those Microsoft security updates are applied and anti-virus is running and up-to-date. If you do want to remove the WannaCry ransomware infection without wiping, see - WCry Removal Instructions.

Why is NHS so badly Hit?
Going off tweeted screenshots of the NHS WCry infections, there still appear to be many instances of Windows XP used within the NHS. Windows XP is a long outdated operating system and has been unsupported for security updates by Microsoft for a number of years. This means Windows XP is completely open to infection by WCry and other forms of malware; although Windows XP's security can be beefed up using application whitelisting, I personally wouldn't recommend using it as an operating system due to its insecurity.

To compound problems, staff working within the NHS have been describing a flat network via social media, so instead of a network of firewalled, ring-fenced small network segments, it suggests the NHS has a large open network, which allows network self-propagating malware like WCry to spread far and wide rapidly throughout the organisation.

The initial advice is to upgrade away from Windows XP to a supported operating system ASAP; that's a bit tricky for a cash-strapped organisation like the NHS, I know. However, IT systems are critical components of the overall health service provision, and as such they should not be neglected when it comes to prioritising budgets. Given it is the NHS, I believe the political ramifications of this cyber attack are going to go on for some time; make no mistake, what happened with the NHS today is a world-class landmark cyber attack, and we'll be talking about it for years within the cyber security industry.

Could it be Cyber Terrorism or a Nation-State Cyber Attack?
As reports of this global cyber attack initially flooded in, the first thought was that it could be cyber terrorism or nation-state orchestrated, given the same ransomware type had been reported attacking organisations en masse. The fact that 'national infrastructure' type organisations like Telefonica and utility gas firms like Iberdrola were hit could be seen as a smoking gun for a more sinister intent behind the attack than criminal money making. It certainly fits the objective of a cyber-terror attack: spreading fear by causing public mayhem, and placing lives at risk by closing down country-wide critical services, especially health services. However, I believe these attacks are unlikely to be terror or nation-state related; we'll have to wait until more details emerge about how the ransomware initially infiltrated these organisations to be certain. Ransomware is predominantly a cyber-criminal tool, so perhaps this is a case of the malware's 'network worm' propagating element being over-successful, as all cyber criminals want is to get paid the ransom, not to kill services, and in the case of WannaCry, we know the bad guys are getting paid ransoms.

Above all, today's cyber attack serves as a harsh lesson in what can go wrong when organisations ignore years of warnings to upgrade unsupported operating systems, and in the necessity of applying critical security patches soon after release.

Wednesday, 3 May 2017

Cyber Security Roundup for April 2017

In April the National Cyber Security Centre (NCSC) briefed major UK businesses about a significant Chinese Cyber-Espionage Threat called APT10, also known as Stone Panda, which I have featured in a separate blog post - Detecting & Preventing APT10 Operation Cloud Hopper.

The InterContinental Hotel Group, a hotel giant best known for the Crowne Plaza and Holiday Inn in the UK, reported data breaches within 12 of its hotels; however, Brian Krebs, the investigative journalist who first broke the story, reckons that there could be more than 1000 locations affected. A statement released on the hotel group's website says that the malware, which infected the hotels' card payment systems, was identified between 29 September and 29 December 2016.

Payday loan firm Wonga reported a data breach which may affect up to 245,000 of its UK customers. The information stolen includes names, addresses, phone numbers, bank account numbers and sort codes.

A BBC Click investigation has thrown doubt on claims that the small, personal email server Nomx can provide "absolute security". The BBC investigation started by taking the device apart to find that it was built around a £30 Raspberry Pi computer. As the operating system for the Pi sits on a removable memory card, Mr Helme was able to download the device's core code so he could examine it closely, and found they were able to crack the device's simple passwords.


There was the usual raft of security updates which fixed security vulnerabilities in April, with Microsoft patches causing the most stir with security researchers, some of whom suggested the firm had held back patching some of its products.

News
Awareness, Education and Threat Intelligence
Reports
  • The 2017 Verizon Breach Investigations Report (DBIR) Released
    • 75% of data breaches are down to outsiders and 25% to insiders
    • 73% are conducted for financial reasons with half involving organised crime.
    • 62% of breaches feature hacking; it still disappoints to see that 81% of hacking-related breaches leveraged either stolen and/or weak passwords. Half of breaches included malware, but physical loss of devices is now down to just 8%, and errors were a factor in 14% of breaches.
    • Ransomware rose 50% compared to last year and accounted for 72% of all malware incidents in the healthcare sector. 
    • Financial services are the most targeted sector at 24%, while healthcare accounts for 15%, the public sector close behind on 12%, and the combined total of retail and accommodation accounting for 15% of breaches.

Wednesday, 12 April 2017

Detecting & Preventing APT10 Operation Cloud Hopper

There has been much concern over a state-sponsored threat known as APT10 Operation Cloud Hopper, also known as Stone Panda, after the UK National Cyber Security Centre (NCSC) recently spooked UK businesses and their suppliers about a Chinese threat actor posing a serious threat to IT Managed Service Providers (MSPs) and their UK clients.

Overview of the Threat
APT10, a Chinese-based hacking group also known as Stone Panda, MenuPass, CVNX and Potassium, is operating a hacking campaign known as Operation Cloud Hopper, which is believed to have been underway since 2014. There are intelligence reports which indicate the APT10 threat actor significantly upscaled their capabilities and attack sophistication in early 2016. The APT10 Cloud Hopper campaign focuses on sending malware-infected emails to staff working at IT Managed Service Providers (MSPs); once executed, the malware creates a backdoor which allows the attacker remote access to the MSP's backend systems. From there the attackers are able to navigate the MSP network and identify external connections with the MSP's clients, which are their actual targets. These network channels are then used to steal data from those clients, data which is packaged and exfiltrated through the MSP remote connection. These backdoors are known to remain undetected for months, due to the use of tailored malware which is undetectable by anti-virus and security monitoring systems.

So how do you know if your business has been infiltrated or is being attacked by APT10, aside from the NCSC informing you are a victim?
PwC and BAE Systems, who have been assisting the NCSC with APT10, have produced a list of known source IP addresses of the attackers, which can be imported into security monitoring solutions such as firewalls, IDS/IPS, proxy servers, content filtering and SIEM / log management solutions. Any hits against these IP addresses would be highly concerning; in such scenarios I would recommend unplugging the network cable (and not powering off) on all suspect systems, and then seeking help from an external qualified and experienced digital forensic investigator if you don't have one to hand in your business. There are other known APT10 IP addresses to be found within the NCSC CiSP forum, but you will have to sign up to get those here: https://www.ncsc.gov.uk/cisp

PwC and BAE Systems have also provided an extract list of known APT10 malicious MD5 file hashes (unique identifiers for the known malicious APT10-related files). These MD5 hash lists can be used to scan for the presence of known malicious APT10 files on servers and workstations. I recommend importing those MD5 hash lists into a scanner, such as the Nessus Vulnerability Scanner, and scanning the entire IT estate on a regular basis if your business is an IT MSP.
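Both checks described above (matching the published IP list against logs, and matching the published MD5 list against files on disk) are simple enough to run with a script where a SIEM or Nessus is not to hand. What follows is an added example, not code from this blog, the NCSC, PwC or BAE Systems. The indicator values in it are placeholders: RFC 5737 documentation addresses and an MD5 computed from a constructed sample file. The real IP and hash lists must be taken from the sources named above; the log lines and files are also constructed for the demonstration.

```python
"""Match proxy/firewall log lines and files on disk against indicator lists.

Added example, not the blog's code. IOC values below are placeholders
(documentation IP ranges, a hash of a constructed file), not real APT10
indicators; load the published lists in their place.
"""
import hashlib
import ipaddress
import os
import re
import tempfile

# Placeholder indicator IPs. Plain addresses and CIDR ranges are both accepted.
IOC_IPS = ["192.0.2.44", "198.51.100.0/24"]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed proxy log lines: "timestamp client method target status".
SAMPLE_PROXY_LOG = [
    "2017-04-10T09:12:44 10.0.3.17 GET http://203.0.113.9/update.php 200",
    "2017-04-10T09:13:02 10.0.3.17 CONNECT 192.0.2.44:443 200",
    "2017-04-10T09:13:30 10.0.3.18 GET http://198.51.100.77/ 404",
    "2017-04-10T09:14:01 10.0.3.19 GET http://10.0.0.5/intranet 200",
]


def load_ip_iocs(entries):
    """Parse indicator entries (IPs or CIDRs) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_log_lines(lines, networks):
    """Return (line_no, matched_ip, line) for each log line touching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:        # e.g. 999.1.1.1 matched the regex
                continue
            if any(ip in net for net in networks):
                hits.append((n, token, line.strip()))
                break                 # one hit per line is enough to escalate
    return hits


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, bad_hashes):
    """Walk a directory tree; return paths whose MD5 is on the indicator list."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if md5_of_file(path) in bad_hashes:
                    found.append(path)
            except OSError:
                continue              # unreadable file: skip, do not abort the scan
    return found


def demo_file_scan():
    """Constructed: one benign file and one 'known bad' file in a temp directory."""
    bad_content = b"CONSTRUCTED SAMPLE - stands in for a file on the MD5 indicator list\n"
    bad_hashes = {hashlib.md5(bad_content).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        with open(os.path.join(root, "sub", "sample_bad.bin"), "wb") as f:
            f.write(bad_content)
        return [os.path.relpath(p, root) for p in scan_tree(root, bad_hashes)]


if __name__ == "__main__":
    for n, ip, line in match_log_lines(SAMPLE_PROXY_LOG, load_ip_iocs(IOC_IPS)):
        print(f"log line {n}: indicator IP {ip} -> {line}")
    for path in demo_file_scan():
        print(f"indicator hash matched: {path}")
```

A hit from either check is the point at which the post's advice applies: pull the network cable on the affected system, leave it powered on so volatile evidence survives, and bring in a forensic investigator rather than cleaning it up yourself.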

APT10 is Active and Here to Stay
Keep an eye on the NCSC, PwC and BAE Systems for updates about the APT10 threat, as they are likely to provide updated lists of known associated IP addresses and further MD5 file hashes as more incidents are investigated and intelligence comes to their attention. Given this threat actor is said to be still active and is known to have been operational for several years, don't expect APT10 to be going away anytime soon; after all, APT actually stands for Advanced 'Persistent' Threat. So if you are an IT MSP, it will be prudent to routinely check and update your lists of APT10 suspected IP addresses and MD5 file hashes to be monitored and regularly scanned.

Most anti-virus and web filtering vendors worth their salt should now be aware of this threat and should be keeping up-to-date with the latest APT10-related malware and associated IP addresses and file hashes as well, but it is well worth asking them about their position. It goes without saying that it is paramount to keep all security prevention and monitoring systems bang up-to-date, as is performing regular external and internal network vulnerability scans, and monitoring and acting upon any signs of compromise.

Tuesday, 11 April 2017

WinZip Encryption Password Security (2017)

Nine years ago I wrote a post on WinZip Encryption Security; that post has received tens of thousands of visits over the years and continues to be pretty popular, but it is high time for that advice to be refreshed. The advice below also applies to 7-Zip, which supports the same type of encryption as WinZip.

Do not use WinZip ‘Standard Zip 2.0 Encryption’
WinZip pre-version 9 only offered WinZip's own proprietary encryption algorithm called Zip 2.0 encryption, which is broken, so never use WinZip pre-version 9 or the "WinZip's Zip 2.0 Encryption" option, as passwords of any strength can very easily be recovered with third party cracking tools. WinZip versions 9 to 21 default to the National Institute of Standards and Technology (NIST) scrutinised and US government agency approved encryption algorithm called the Advanced Encryption Standard (AES) - http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html . This is great; however, WinZip still includes the option to change the encryption to use the flawed Zip 2.0 encryption.

Use AES-256, but there’s nothing wrong with AES-128
The latest version of WinZip (Version 21) defaults to AES-256 encryption and also supports AES-128. There is hardly any noticeable speed difference between encrypting and decrypting with AES-256 and AES-128, given the brilliant efficiency of the AES cryptographic algorithm, so given the lack of overhead, it makes sense to stick with the default and much stronger flavour, AES-256.
However, both AES-128 and AES-256 are considered strong enough for commercial industry best practice, and both are NIST approved for use until at least the year 2031. To put the strength of AES-128 into perspective, the '128' bit number equates to 3,400,000,000,000,000,000,000,000,000,000,000,000,000 possible keys, so guessing or cracking a key of that length is far from feasible at the moment. We also know the AES algorithm doesn't have any sufficiently serious flaws to get around the encryption process; the Achilles heel is the password you choose to generate that encryption key.

Use a Complex Password (Super Important)
I recommend the following password rules if you are serious about protecting your data with WinZip AES encryption, or any other AES encryption which uses a password for that matter, use a password that is:
  • at least 12 characters in length
  • is random i.e. does not contain any dictionary, common words or names
  • is not a commonly known or guessable password e.g. P@$$w0rD1
  • has at least one Upper Case Character e.g. A to Z
  • has at least one Lower Case Character e.g. a to z
  • has at least one number e.g. 0 to 9
  • has at least one Special Character e.g. !,",£,$,%,@,#
Recommended Vs WinZip Default Password Policy

Why you need a Complex Password
WinZip's AES encryption uses "symmetric" encryption; as such, the password is used to generate an AES private encryption key, so if you know or can guess the password, you beat the encryption. The complexity and strength of the password is therefore by far the weakest point. An attacker in possession of a WinZip encrypted file has unlimited attempts at guessing that password to decrypt the WinZip archive; the defence is time, by using a password complex and long enough to thwart the unlimited number of attempts from being successful. Hackers mainly use two attack types to crack WinZip encrypted file passwords: Dictionary Attacks and Brute Force Attacks. We'll save rainbow table encryption cracking for another post.

A Dictionary Attack is as it sounds: the attacker tries passwords commonly known to be used and words found in a dictionary. Hackers build their own password dictionary databases by harvesting passwords uncovered in past data breaches, which are freely available online and on the dark web, such as the recent account password dump following the Yahoo Data Breach. The attacker then uses a tool to script attempts, allowing thousands of passwords from their dictionary databases to be tried in minutes.

Dictionary Attack Tool

Top Ten Account Password in Breached Yahoo Accounts
  1. 123456
  2. password
  3. welcome
  4. ninja
  5. abc123
  6. 123456789
  7. 12345678
  8. sunshine
  9. princess
  10. qwerty
The other common password cracking technique is a Brute Force Attack, in which every single combination of characters possible, e.g. aaaa to zzzz, is attempted, which is why I recommend using different character cases and special characters within lengthy passwords, as it seriously extends the time needed for this type of attack to be successful.
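The password rules listed earlier, and the reasoning about dictionary and brute force attacks just given, can be turned into a check you run on a candidate archive password before you use it. The following is an added example and not WinZip's or this blog's code. Its common-password list is the Yahoo top ten from the post plus the post's own "P@$$w0rD1"; its dictionary is a tiny constructed word list standing in for a real one; and the guess rate used for the time estimate is an assumed figure for illustration, not a measurement of any cracking tool. The search-space arithmetic also relates password length to the 2^128 AES-128 key count quoted above.

```python
"""Check an archive password against the post's rules and size its brute-force
search space. Added example, not WinZip's or the blog's code.
Word lists and the guess rate are constructed assumptions."""
import math
import string

MIN_LENGTH = 12

# The post's Yahoo top ten plus its example of a guessable password.
COMMON_PASSWORDS = {
    "123456", "password", "welcome", "ninja", "abc123", "123456789",
    "12345678", "sunshine", "princess", "qwerty", "p@$$w0rd1",
}
# Constructed mini word list; a real check would load a full dictionary and names list.
DICTIONARY = {"password", "welcome", "summer", "london", "dragon", "monkey", "alice"}
# The post's examples (! " £ $ % @ #) plus the rest of ASCII punctuation: 33 symbols.
SPECIALS = set(string.punctuation) | {"£"}
AES128_KEYS = 2 ** 128


def check_password(pw):
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON_PASSWORDS:
        failures.append("commonly used / guessable password")
    words = sorted(w for w in DICTIONARY if len(w) >= 4 and w in low)
    if words:
        failures.append("contains dictionary word(s): " + ", ".join(words))
    if not any(c.isupper() for c in pw):
        failures.append("no upper case character")
    if not any(c.islower() for c in pw):
        failures.append("no lower case character")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in SPECIALS for c in pw):
        failures.append("no special character")
    return failures


def alphabet_size(pw):
    """Size of the character set an attacker must assume, given the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    return size


def search_space(pw):
    """Worst-case number of brute-force guesses: alphabet ** length."""
    return alphabet_size(pw) ** len(pw)


def years_to_exhaust(pw, guesses_per_second=1e9):
    """Time to try the whole space at an ASSUMED rate (1e9/s is illustrative only)."""
    return search_space(pw) / guesses_per_second / (365 * 24 * 3600)


def length_to_match_aes128(alphabet):
    """Shortest length at which alphabet ** length reaches the 2**128 AES-128 key space."""
    return math.ceil(128 / math.log2(alphabet))


if __name__ == "__main__":
    for candidate in ["P@$$w0rD1", "Summer2017!!", "xK7#qT2!mW9$"]:
        problems = check_password(candidate) or ["passes all rules"]
        print(f"{candidate!r}: {'; '.join(problems)}; "
              f"search space 2^{math.log2(search_space(candidate)):.1f}, "
              f"~{years_to_exhaust(candidate):.3g} years at 1e9 guesses/s")
    print("length needed to match AES-128 with all four classes:",
          length_to_match_aes128(26 + 26 + 10 + len(SPECIALS)))
```

Two things the numbers make visible: adding character classes grows the alphabet, but each extra character multiplies the space by the whole alphabet, so length does more than symbols; and even with all four classes a password needs around 20 characters before guessing it is as hard as guessing the AES-128 key it protects, which is why the 12-character minimum is a floor rather than a target.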

Brute Force Attack 
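As an added example (not code from the original post), the Python below runs the dictionary attack described above, with simple mangling rules, against a WinZip-style password verifier, and puts numbers on the brute-force keyspace. WinZip's published AE-2 format derives its keys with PBKDF2-HMAC-SHA1 over a per-entry random salt using 1000 iterations, and splits the output into the AES key, an HMAC-SHA1 authentication key and a 2-byte password verifier; the verifier lets an attacker reject almost every wrong guess with one PBKDF2 call, and the 10-byte HMAC tag confirms a hit. The salt, the bytes standing in for the encrypted data, the candidate passwords and the guess rate are constructed for the example; no real archive is read.

```python
"""Dictionary attack against a WinZip-style (AE-2) AES password verifier.

Added example. Key derivation follows WinZip's published AE-2 format
(PBKDF2-HMAC-SHA1, 1000 iterations, random salt, output split into
AES key | HMAC-SHA1 key | 2-byte verifier). The salt, wordlist and the
blob standing in for the ciphertext are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 1000     # iteration count used by WinZip AE-2
KEY_LEN = 32          # AES-256 key
SALT_LEN = 16         # AE-2 salt length for AES-256
AUTH_TAG_LEN = 10     # AE-2 stores the first 10 bytes of the HMAC-SHA1 tag


def derive_keys(password: str, salt: bytes, key_len: int = KEY_LEN):
    """PBKDF2 output is split into (aes_key, auth_key, verifier)."""
    out = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                              ITERATIONS, dklen=2 * key_len + 2)
    return out[:key_len], out[key_len:2 * key_len], out[2 * key_len:]


def protect(password: str, ciphertext: bytes):
    """Model what an archive stores per encrypted entry: salt, 2-byte
    verifier and a 10-byte HMAC over the encrypted data. `ciphertext`
    is a constructed blob standing in for the AES output."""
    salt = os.urandom(SALT_LEN)
    _aes_key, auth_key, verifier = derive_keys(password, salt)
    tag = hmac.new(auth_key, ciphertext, "sha1").digest()[:AUTH_TAG_LEN]
    return salt, verifier, tag


def mangle(words):
    """Cheap rule-based expansion of the kind cracking tools apply."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "123", "!", "2017"):
                yield base + suffix


def dictionary_attack(salt, verifier, tag, ciphertext, candidates):
    """Return the candidate that opens the entry, else None.

    The verifier rejects 65535 of 65536 wrong guesses after a single
    PBKDF2 call; the HMAC check removes the remaining false positives."""
    for guess in candidates:
        _aes_key, auth_key, v = derive_keys(guess, salt)
        if v != verifier:
            continue
        computed = hmac.new(auth_key, ciphertext, "sha1").digest()[:AUTH_TAG_LEN]
        if hmac.compare_digest(computed, tag):
            return guess
    return None


def brute_force_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust a keyspace at a given rate (half that on average)."""
    return charset_size ** length / guesses_per_second


# Constructed wordlist: the top ten from the breached Yahoo accounts above.
BREACH_TOP10 = ["123456", "password", "welcome", "ninja", "abc123",
                "123456789", "12345678", "sunshine", "princess", "qwerty"]


if __name__ == "__main__":
    blob = b"constructed bytes standing in for the AES-encrypted entry"
    salt, verifier, tag = protect("Sunshine1", blob)  # a breached word plus a digit
    print("weak password recovered as:",
          dictionary_attack(salt, verifier, tag, blob, mangle(BREACH_TOP10)))
    salt, verifier, tag = protect("Kettle!drum-Orbit_7", blob)  # long, mixed classes
    print("strong password recovered as:",
          dictionary_attack(salt, verifier, tag, blob, mangle(BREACH_TOP10)))
    rate = 1e6  # assumed guesses per second, for illustration only
    print("8 lowercase letters exhausted in %.1f days" % (brute_force_seconds(26, 8, rate) / 86400))
    print("12 mixed characters exhausted in %.1e years" % (brute_force_seconds(95, 12, rate) / 86400 / 365))
```

The 1000 PBKDF2 iterations are what make each guess cost something; the script's rate constant is an assumption, so measure your own hardware before drawing conclusions from the printed figures. Note that the salt means a precomputed table built for one archive is useless against the next.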

Document names can be read within Encrypted Archives
There is one final issue to be aware of with WinZip encryption, an issue you don't have with whole-file encryption tools. The ZIP format keeps its table of contents (the central directory) unencrypted whichever encryption method is chosen, so without knowing the password anybody can still browse the filenames, sizes and timestamps within an encrypted archive. That obviously gives an attacker vital clues about the content and whether the encrypted zip file is worth the effort of cracking. One way around this is to double zip: encrypt the archive, give it a random name, then zip and encrypt it again so that only the random name is visible, or use an alternative encryption tool on the zip file after it is created.

Anyone can read the Encrypted Zip Archived file names without the password
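As an added example, not code from the original post, the Python below builds a small password-protected zip by hand and then reads it back the way an attacker would, with and without the password. It uses the legacy ZipCrypto method (the "traditional" zip encryption, weaker than WinZip's AES option) because Python's standard zipfile module can read but not write encrypted entries; the central directory that leaks the filenames is laid out identically for both methods. The filenames, contents, password and the random outer archive name are constructed.

```python
"""Added example: what anyone can read from a password-protected zip with no password.
Builds a small archive by hand with the legacy ZipCrypto method, since Python's
zipfile module reads but does not write encrypted entries. The central directory
(filenames, sizes, timestamps) is plaintext in the ZIP format whichever encryption
method is used, WinZip's AES included. All names, contents and passwords are constructed."""
import io
import os
import struct
import zipfile
import zlib

_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc, b):
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCryptoEncryptor:
    """Traditional PKWARE stream cipher (the weak legacy zip encryption)."""

    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    def _update(self, c):
        k0, k1, k2 = self.keys
        k0 = _crc32_byte(k0, c)
        k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
        k1 = (k1 * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc32_byte(k2, (k1 >> 24) & 0xFF)
        self.keys = [k0, k1, k2]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            t = self.keys[2] | 2
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)  # the key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(entries: dict, password: bytes) -> bytes:
    """Write {name: plaintext} as stored, ZipCrypto-encrypted entries."""
    dos_time, dos_date = 0, ((2017 - 1980) << 9) | (6 << 5) | 24  # 24 June 2017
    flags, method = 0x0001, 0  # general-purpose bit 0 = encrypted; method 0 = stored
    body, central = io.BytesIO(), io.BytesIO()
    for name, data in entries.items():
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        enc = ZipCryptoEncryptor(password)
        # 12-byte prefix: 11 random bytes then the CRC high byte, used by readers as the password check
        prefix = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
        payload = enc.encrypt(prefix) + enc.encrypt(data)
        offset = body.tell()
        body.write(struct.pack("<4s5H3I2H", b"PK\x03\x04", 20, flags, method, dos_time, dos_date,
                               crc, len(payload), len(data), len(name_b), 0))
        body.write(name_b + payload)
        # Central directory record: every field here stays in the clear
        central.write(struct.pack("<4s6H3I5H2I", b"PK\x01\x02", 20, 20, flags, method, dos_time, dos_date,
                                  crc, len(payload), len(data), len(name_b), 0, 0, 0, 0, 0, offset))
        central.write(name_b)
    cd_offset, cd_bytes = body.tell(), central.getvalue()
    body.write(cd_bytes)
    body.write(struct.pack("<4s4H2IH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                           len(cd_bytes), cd_offset, 0))
    return body.getvalue()


def listing_without_password(zip_bytes: bytes):
    """Filenames and sizes, read with no password at all."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def read_entry(zip_bytes: bytes, name: str, password: bytes = None):
    """Plaintext of one entry, or None when the password is missing or wrong."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            return zf.read(name, pwd=password)
        except (RuntimeError, zipfile.BadZipFile):
            # RuntimeError: no password, or the 1-byte check failed; BadZipFile: the
            # roughly 1-in-256 wrong password that passes the check but fails the CRC
            return None


def double_zip(inner_zip: bytes, random_name: str, password: bytes) -> bytes:
    """The post's mitigation: wrap the archive in a second encrypted zip under a random name."""
    return build_encrypted_zip({random_name: inner_zip}, password)


if __name__ == "__main__":
    secret = b"Tr0ub4dor&3"
    files = {"board_minutes_2017-06.docx": b"constructed document body", "passwords.txt": b"hunter2\n"}
    archive = build_encrypted_zip(files, secret)
    print("visible without password:", listing_without_password(archive))
    print("passwords.txt without password:", read_entry(archive, "passwords.txt"))
    print("passwords.txt with password:", read_entry(archive, "passwords.txt", secret))
    print("double-zipped listing:", listing_without_password(double_zip(archive, "9f2c1a7e.zip", secret)))
```

Run it and the first listing shows both real filenames and their exact sizes with no password supplied; the double-zipped listing shows only the random name. The outer archive's size still reveals roughly how much is inside, so the mitigation hides names, not volume.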

File Encryption Applications to Consider
There are plenty of other encryption tools you can use for file encryption as an alternative to using WinZip. 
  • TrueCrypt is free, multi-platform and was my personal recommendation for many years. Its development was abruptly discontinued in May 2014, while an independent audit of it was still in progress, which caused controversy in the cyber security industry. Despite that, I think the last full version, 7.1a, is still safe to use (the final 7.2 release can only decrypt existing volumes), bearing in mind that vulnerabilities found in it since then have only been fixed in VeraCrypt.
  • VeraCrypt (https://veracrypt.codeplex.com/) spawned out of TrueCrypt; it is an excellent and actively maintained encryption tool which also works with Windows, Mac and Linux.
  • AxCrypt is another free Windows-based encryption tool I recommend.
  • GNU Privacy Guard (GnuPG) is a free, open-source implementation of the OpenPGP standard that grew out of the legendary Pretty Good Privacy (PGP).

Monday, 3 April 2017

Cyber Security Roundup for March 2017

Security researchers found they were able to locate numerous sensitive documents by searching Microsoft Office 365 documents that had been made publicly accessible through the Docs.com website. Documents found included business confidential information, passwords and personal data. The issue was not caused by any security vulnerability in O365, but by its users misconfiguring or not understanding the access permissions on their Office 365 file storage, inadvertently permitting public access to their confidential data. Businesses and users need to meet cloud services halfway when it comes to security; that starts with obtaining a clear understanding of what security the cloud service does and does not do for you, so ensure your security homework is done before adopting the cloud.

A patch for a critical vulnerability in the Apache Struts web framework was released this month. The vulnerability, which is being actively exploited by cyber criminals, including in ransomware attacks, allows remote execution of commands on the server hosting a vulnerable application. Non-Microsoft patches are more likely to be missed: Struts is a library bundled inside each Java EE web application rather than a component the operating system patches for you, so fixing it usually means rebuilding and redeploying every affected application, and that process is often a manual one. It is essential to check that any internet-facing Apache software is kept up to date; in this case, make sure every deployed application that uses the Struts framework is running a non-vulnerable version, namely Struts 2.3.32 or Struts 2.5.10.1 (or later).
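Checking which Struts version each deployed application actually carries is the practical step the paragraph calls for. The Python below is an added example, not code from the original post or from the Struts project: it looks for the struts2-core-<version>.jar that Struts 2 ships under WEB-INF/lib, both in exploded webapp directories and inside packaged .war/.ear files, and compares the version numerically against the two fixed releases named above. The directory layout and jar names in the fixture are constructed; the jar naming follows Struts' standard Maven artifact name.

```python
"""Find deployed Apache Struts 2 versions and compare them with the fixed releases.

Added example, not from the original post. Struts is a library shipped inside each
Java web application (WEB-INF/lib/struts2-core-<version>.jar, in an exploded directory
or inside a .war/.ear), so an OS package update does not fix it; every application
must be checked. The fixed versions are the two the post names: 2.3.32 and 2.5.10.1.
The sample webapps tree is constructed.
"""
import os
import re
import shutil
import tempfile
import zipfile

# Earliest non-vulnerable release in each supported branch, per the post.
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)(?:[-.][A-Za-z][\w.-]*)?\.jar$")


def parse_version(filename: str):
    """'struts2-core-2.5.10.1.jar' -> (2, 5, 10, 1); None for any other jar."""
    m = _JAR_RE.match(filename)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def assess(version: tuple) -> str:
    """Numeric tuple comparison handles 2.5.10 < 2.5.10.1 correctly,
    which a naive string comparison does not."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        if version < (2, 3):
            return "older than the supported 2.3 and 2.5 branches: upgrade"
        return "branch not covered here: check the Struts advisory"
    return "vulnerable: upgrade to %s" % ".".join(map(str, fixed)) if version < fixed else "patched"


def scan(root: str):
    """Walk `root`, checking exploded webapps and packaged .war/.ear files.
    Returns sorted (location, version, status) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            version = parse_version(fname)
            if version:
                findings.append((rel, ".".join(map(str, version)), assess(version)))
            elif fname.lower().endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    for member in archive.namelist():
                        version = parse_version(member.rsplit("/", 1)[-1])
                        if version:
                            findings.append((rel + "!" + member, ".".join(map(str, version)),
                                             assess(version)))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Constructed fixture: two exploded apps and one packaged .war."""
    for app, jar in (("app1", "struts2-core-2.3.31.jar"), ("app2", "struts2-core-2.5.10.1.jar")):
        lib = os.path.join(root, app, "WEB-INF", "lib")
        os.makedirs(lib)
        open(os.path.join(lib, jar), "wb").close()
        open(os.path.join(lib, "commons-lang3-3.5.jar"), "wb").close()  # unrelated jar, must be ignored
    with zipfile.ZipFile(os.path.join(root, "legacy.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.10.jar", b"")


def demo():
    """Build the constructed tree in a temp directory, scan it, clean up."""
    root = tempfile.mkdtemp()
    try:
        build_sample_tree(root)
        return scan(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for location, version, status in demo():
        print("%-55s %-10s %s" % (location, version, status))
```

Point scan() at your servlet container's deployment directory (for example Tomcat's webapps) on each internet-facing host. A result of "patched" only means the jar on disk is a fixed release; an application that was never redeployed after the jar was updated is still running the old code until it is restarted.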

It is the official 'goodbye Vista' next month: as of 11 April 2017, Microsoft will no longer support Windows Vista, which means no further security updates to fix new vulnerabilities, either free or via paid assisted support options. So if you are still running Windows Vista, either upgrade or apply additional security measures such as application whitelisting to stay safe. In my view it is less overhead and cheaper in the long term to upgrade to a supported operating system.

Finally, the UK Government Digital and Culture Minister, Matt Hancock, is pushing for further adoption of the Cyber Essentials scheme, insisting all government contractors hold a Cyber Essentials certificate. A number of businesses have also agreed to require their suppliers to achieve Cyber Essentials, including Barclays, BT, Vodafone, AstraZeneca, Airbus Defence & Space and Intel Security. Hancock said: “We know the scale of the threat is significant: one in three small firms and 65% of large businesses are known to have experienced a cyber-breach or attack in the past year. Of those large firms breached, a quarter was known to have been attacked at least once per month.” Cyber-security is one of the seven pillars of the government's digital strategy, he said. “It's absolutely crucial UK industry is protected against this threat – because our economy is a digital economy.”

News
Awareness, Education and Threat Intelligence
Reports

Thursday, 16 March 2017

10 Biggest Cyber Crimes and Data Breaches...so far

The good folk at The Best VPN have put together an infographic summarising ten of the worst "known" cyber attacks and data breaches to date; it's a good recap of the high stakes when cyber security goes wrong.

Infographic: 10 cyber crimes

Thursday, 9 March 2017

PCI DSS Fines? Cyber Insurance? How to Estimate the Cost of a Payment Card Breach

How much does a payment card breach cost? How large are the potential fines? What happens if we aren't PCI DSS compliant and suffer a cardholder data breach?

Those are common but rarely answered questions raised by businesses that accept and process debit and credit card payments, and which are therefore required to comply with the Payment Card Industry Data Security Standard (PCI DSS). In recent years a growing number of UK businesses have been taking out cyber security insurance, and more pressingly want to know whether their coverage is sufficient to meet the cost of a payment card data breach.

It is not possible to produce a formula or calculator giving a precise breach cost on a per-card basis, as no two payment operations are ever the same and too many factors can affect the overall cost. So instead I have put together the following six pointers to aid the estimation of the cost of a payment card breach.

Calculating the Approximate cost of a Payment Card Breach 
1. All payment card data breaches must be investigated by a PCI Forensic Investigator (PFI), a forensic firm approved by the PCI Security Standards Council. The cost depends on the technical complexity and scale of the breach, as it equates to the number of investigator hours and days required; expect to fork out around £20,000 to £100,000 for the PFI engagement. It is worth noting that should a business not play ball with its acquiring bank, the card brands and the card issuers in appointing a PFI, they can remove the business' capability to take card payments altogether, so there is no choice but to dig deep from the outset upon discovering a breach.

2. Following the forensic investigation, remediation work must be completed and a successful PCI DSS Level 1 assessment by a Qualified Security Assessor (QSA) is required. Remediation and a QSA assessment as a Level 1 merchant or processor typically cost up to £100,000, depending on the size of the environment in scope of compliance. This is a considerable new overhead for businesses previously classed as PCI DSS Level 2, 3 or 4, as those would have self-assessed rather than paid for a QSA.

3. The cost per card compromised is very subjective; however, Verizon's 2015 Data Breach Investigations Report (page 30, figure 23) gives a good indication of the "cost per card lost", which I have converted from US dollars.

Optimists should read the left side of the table, pessimists should read the right side of the table.

4. Often a penalty surcharge is levied per transaction following a breach, adding a cost to every payment transaction the business takes.

5. Reputational damage, loss of customer and client trust in the business and brand: this is a hard figure to quantify, but it is worth noting that most cyber insurance policies do not cover business losses due to reputational damage following a data breach.

6. The Information Commissioner's Office (ICO) regards payment card data as personal information, which means it can levy a fine of up to £500,000 for a payment card data breach under the current Data Protection Act. From May 2018, when the GDPR comes into force, the potential data protection fines ramp up significantly, especially for large enterprises, to the higher of €20 million or 4% of the global annual turnover of the entire business.

So take the worst case breach scenario, namely a compromise of all payment cards ever stored and processed, apply the above costs, and you have a worst case ballpark figure. If that number doesn't focus minds and incentivise a robust PCI DSS compliance programme and investment in cyber security, nothing will.



Why Passing a PCI DSS Assessment isn't a 'Get out of Jail Free Card'
No business operating in a PCI DSS compliant state is known to have been breached. Passing a PCI DSS assessment does not mean the business is actually PCI DSS compliant, and it certainly is not a 'get out of jail free' card, nor does it carry any weight if a breach occurs. A PCI DSS compliant business is one whose in-scope environment and operations meet every single PCI DSS requirement in a continual state of operation, 365 days a year, 24 hours a day, for every single second.