Tag Archives: security

Critical Infrastructure and Cyber attacks

I recently came across an article on a UK newspaper, the Guardian, about Mt Kaspersky predicting a riot. Well, not exactly. He is predicting a major cyber terrorist attack on UK soil which will disrupt major critical infrastructure.

http://www.theguardian.com/technology/2014/may/01/eugene-kaspersky-major-cyberterrorist-attack-uk

I find this interesting, not because it is new, it isn’t. I find it interesting because there has been an increasing media visibility and attention to this topic in the last few years. By the way, I am also a big believer of “it will happen soon”. The internet of things is not a secure affair.

And I also find it quite a coincidence that Mr Kaspersky is warning us about a real life Die Hard 4 risk scenario as only yesterday I came across that following article:

http://blog.ioactive.com/2014/04/hacking-us-and-uk-australia-france-etc.html?m=1

Where someone is about to demonstrate in an upcoming conference, in details, how to disrupt the traffic light system used in many countries. Something he has confirmed works and I would be surprised if he doesn’t get into trouble very soon!

The concept of the conference itself is interesting: Infiltrate 2014. No vendor, you do not wear a tag, no photograph, no video, etc.

http://www.infiltratecon.com/

(but then, they have past conferences speech’s videos…)

Bluetooth under attack

I have heard of Ubertooth for a while now and it seems it use to attack bluetooth devices keep growing. Once recent attack described HERE can leverage the Ubertooth sniffing capability to crack the encryption algorithm used by the Bluetooth Low Energy (BLE) standard. BLE is also referred to as Bluetooth Smart.

 

Sure, BLE/Bluetooth Smart is different from Bluetooth, but it is supported by most recent mobile devices (i.e.: the latest iPads and iPhone as well as some Android devices), and will be increasingly used in “smart” appliances, from toothbrushes to fridge if you believe this ARTICLE.

Nonetheless, if you were not convinced before that Ubertooth was a very useful piece of kit, you should reconsider it. Bluetooth is a technology that hasn’t seen much successful attacks until now, mainly because the attack vectors were limited to expensive kit or dark magic knowledge. This, may be about to change and it is as much a good think for driving better security, as it is worrying for  the integrity of all our accessories and smart devices we use every day.

Apple Security in the Enterprise

There is a good document from the UK government describing the different security features available in Apple Mac OS X 10.8 and the ones you should consider if using a Mac as an enterprise end point:

OS X 10.8 UK Gov security guidance document. 

In light of all the noise created by the NSA and GCHQ surveillance programs you might be tempted to dismiss governments’ position and view when it comes to IT Security. However, I found that document quite good and high level enough to be understood by mid-level management at least :)

They do refer to an MDM solution for some of the controls without specifying which one, so I assume they are referring to a OS X Server Profile Management solution as described by Apple HERE.

Is that the holy grail for critical systems?

Kaspersky Lab just announced they are working on their own Operating System for critical systems.

This is something that is increasingly needed, but is Kaspesrky the best entity suited to produce such OS? To contribute/review it, certainly. But to drive its development? I am not so certain. I would have thought that developing an OS requires more specific skills than just security ones. One could argue that making security the core skill used in developing that OS should make it more secure but I would argue back it could also introduce performance issues… And performance is a health/security risk on its own, especially when speaking about critical systems such as process control environments.

Kaspersky Labs is engaging with different vendors and ICS operators, so they should get some kind of expertise on what their systems require. Another interesting point is how Eugene Kaspersky ends his blog announcement, that “there will be some details that will remain for certain customers’ eyes only”. Should a truly secure environment be closed rather than open source?

Then there is the question of support and its backend infrastructure, longevity of the company, etc…

To conclude, this is a great initiative but creating an OS is not just like creating a new application…

New Dropbox Issues and a work around

More issues have been found with Dropbox, they were major issues and the researchers worked with the vendor to fix them before going public.
Although they are now fixed they highlight the time bomb Dropbox is for enterprise users as usage convenience and security risk ignorance means sensitive information is likely to be transferred centrally on Dropbox from many different companies and user profiles.

The 3 security issues discussed in the this article were:
– Hash value spoofing to access other customer’s data
– Stealing Dropbox hostID to access other customer’s data
– Potential replay attack when providing other customer’s data hash combined with any valid host ID (i.e.: the attacker’s host ID) to get access to the corresponding data.

One key point made in the article is that all this happens in the cloud, therefore the victims and/victims networks would be blind to these attacks.

There is no denial that Dropbox is very convenient, but those repeated security issues really means your data is at risk when hosted on their servers.

One solution, in this case, is encryption. I have listed a number of “on the fly” encryption solution in a previous post. But none of those solutions really ticked all the boxes so far, they either do not support enough OS, are not OpenSource and from very young and unknown companies, etc.

I have also previously said that using TrueCrypt would defeat the main attraction of Dropbox: seamless, streamlined and constant backups.

However, right now I see it as one of the only solution for securing Dropbox.

Why?
Because TrueCrypt is a well established encryption solution you can trust. Of course, other encryption tools such as PGP and co could fit the bill too, but I like TrueCrypt because it is free and OpenSource.

For using TrueCrypt with Dropbox and not trade off security for performance too much you would need to be more disciplined though…
In essence you need to break down your data into chunks in different containers so the TrueCrypt disks are as small as possible and the chunks of data that are not likely to change do not get sync up everytime you update a document which is unrelated to that data.

What worked for me is the following:
– Store data you consider as public into a public folder , you don’t have to share it with the world, but need to assume it could be.

– Separate your other data, the potentially sensitive one, into folders
i.e.: Subject1, Subject2, Subject3

– Within your folders create some subfolders about data that is likely to change and data that will not
i.e.: {Subject1_New, Subject1_Old} and {Subject2_New, Subject2_Old}, etc

– Keep the Change/New folders small

– Breakdown the Nochange/Old folders into sizes of around 500Mb or 1Gb maximum

– Create a TrueCrypt disk for each of the folders (Old and New).

– Ideally you will have a different passwords for each of the TrueCrypt disks but it depends on what process you use to remember those passwords!

– Store the public folder in Dropbox unencrypted

– Store all the TrueCrypt disks into Dropbox

Now, you will have access to your “public” data as before but for any potentially sensitive data you will have to mount the TrueCrypt disk before. You will also have to umount the disk before it can by synchronised back.

Because you have broken down your data into different chunks/encrypted disks, if you update or add a document into one of those disks it should not take long to synchronise back to Dropbox when you unmount it.
Also, the old/reference data which you are unlikely to change can be accessed by mounting those larger “old” disks without requiring for a large and lengthy re-sync.

What you are introducing with the method described above is added security through a check in/check out process while leveraging performance by dividing your data into chunks.

More importantly, you are securing your data without relying on Dropbox security.

The scary world of Social Media and geo tagging

As the saying goes, “it is never too late”, and it is only recently that I created a twitter account.
I was convinced to do so after attending a SANS training course (more on that soon) where the instructor told us twitter was the best way to keep up to date and in touch with a great online security community.

I am not new to social media, but after “playing” with twitter for a few days I am both impressed and concerned!

Impressed because it is slick and indeed a great way to follow up some topics and keep in touch.
Concerned because it is a mine gold for wanna be thief!

It has been well publicized that people share far too much information on Facebook, information that can sometimes be used against them (by employers, people who dislike you, ex lovers, etc).
I feel however the micro blogging format of twitter invites more its users at describing and sharing mundane information such as what you eat, what you think, what you do… and where you are!

It is actually a new trend on facebook and twitter… to geotag your status updates.
This, combined with the type of information and vastly public status updates, are what worries me.
Especially since it is easier than ever to geotag whatever you do with the new smartphones available such as iphones/androids.

To illustrate this, when trying one of the many twitter clients I found a “search twits near you” button.
This enables you to see all the public twits near you (or anywhere in the world in fact).
And sure enough, I could see many neighbors describing how they were going to see a football game in a few days, going to the movies, being in a coffee shop.

This type of information is scary! one could easily use it to find out when someone is home or not!
Scanning for twit near you in the evening in a residential area could quickly give you the twit names of who live in the area, just follow their twits the next day and find out when no-one is home or on holiday!

I was really surprised at the number of public twits around, in fact people think they are safe because they do not display their real names, but allowing geotagging gives much more dangerous personal information.

I don’t know the real name of that nearby neighbor, but I know where he lives, what he does, how he looks like and where he will be this Saturday…