Institutional Knowledge and Threat Actors

I was reading about threat actors (bad guys who carry out cyber attacks) and the phrase “institutional knowledge” really popped out… it relates to attacks carried out by insiders, and very few people pay attention to them, let alone care about mitigating this very serious risk.

Anybody with extensive knowledge of how your business works does not need much sophistication or Hollywood-style super hacking skills (mostly b.s., BTW); they only need to know enough, like when Karen from Accounting leaves for a coffee break and forgets to lock her computer screen, or that Bill from Sales has been sick for a week and left his password on a sticky note, as he always does.

Food for thought…

Liked the post? Share the love!
What’s a VPN and how it can make you safer online

In this hyper-connected world we live in, more and more people go online from places other than home or the office; this means using public access points like coffee shops, hotel rooms, a friend’s house, libraries (yeah, some people still use them; I personally love them), etc.

The issue with accessing the Internet from “untrusted” networks is exactly that: you really don’t know what level of security (if any) these places offer. In most situations people simply give you their wi-fi password without even realizing that their own network can be compromised too (I’ll write about wi-fi guest access in another post soon).

To add insult to injury, a lot of naive computer users access their online banking, email and cloud storage from unsecured, open networks that don’t require any password, despite the fact that their own computers label those open networks as unsecured, right there on the screen! On such a network, any bad guy with a medium knowledge of data spoofing can see pretty much everything you’re doing.

If you often connect on the go, then a VPN is the right solution for you!

What’s a VPN? VPN stands for Virtual Private Network and, in simple terms, it creates a secured, encrypted “tunnel” between your computer and the Internet location (website or endpoint) that nobody can see/hack/steal/spoof/sniff. Years ago VPNs were the sole domain of complex IT infrastructures, but today providers like TunnelBear have made this technology super available and super easy to use.

In this graphic (courtesy of Microsoft), your computer connects using a “tunnel” to another network called Intranet, which could be your online banking website, your Google Drive/Dropbox storage or your Gmail. It is important to mention that Google, Apple, Microsoft and the other big companies offer encrypted access to their servers, and your bank also has plenty of security measures in place to make sure their end of the equation is secure, but they cannot guarantee YOUR side of the connection and it is your sole responsibility to do so. This is why a VPN can serve as the ultimate “piss off” tool to keep hackers away.

In summary, why use a VPN? According to my favourite provider, TunnelBear:

Hide Your IP Address & Location: Your IP address is the unique number that websites use to determine your physical location and track you across different sites. Use a VPN to keep your IP address private from websites, hackers and advertisers.
Secure Your Data: VPN shields your personal information from prying third-parties and hackers on public WiFi, ISPs and other local networks.
Safe & Convenient Travel: Safely access your email, favorite sites, domestic news and entertainment while travelling abroad. A VPN can bypass restrictions, keep your online activity secure and help you stay connected with life back home.
Block Online Trackers: There are countless ways you are being tracked by advertisers, social media and other companies. A VPN blocks many of the common ways you can be tracked and limits advertisers from tracking everything you and your family do online.

VPN services range from free to about $50-$80 per year. The BIG advantage of paying for a VPN is constant support, reliable service and the convenience of being able to use it on multiple devices (computers, tablets and smartphones). This is definitely a service you should pay for.

What is Malvertising?

During our daily web routines (reading the news, doing some “Facebooking”, online banking or reading our Gmail) we are constantly visiting websites that show some sort of advertisement, usually on the right or upper side of the screen. Although I believe quality online content should not be free and qualified advertisement is a legitimate way publishers monetize their work, I am also concerned with the growing presence of malvertising.

Wikipedia defines malvertising as “the use of online advertising to spread malware”.

Malvertising is a fairly new way of spreading malware and is even harder to combat because it can work its way into a webpage and spread to a system without the user noticing: “The interesting thing about infections delivered through malvertising is that it does not require any user action (like clicking) to compromise the system and it does not exploit any vulnerabilities on the website or the server it is hosted from… infections delivered through malvertising silently travel through Web page advertisements” [Infosecurity].

What makes malvertising extremely effective (and dangerous) is the insane amount of technology attackers put into making infected ads appear on reputable and safe websites. There are many types of malvertising: pop-up ads, in-text or in-content advertising, web widgets, banners, third-party ads, etc.

Web browsers (Chrome, Firefox and Opera taking the lead) are now alerting visitors to sites with HTTPS security (SSL certificates) that, even though the site itself might be “safe”, some parts or contents of the site might not be:

The problem is, it is very hard to know which parts of the site are unsafe; you probably really need to do something on that site, and it takes around 4 clicks in very specific locations even to get to the message above. Regular users simply will not do this. I personally visit news sites like CNN on a daily basis, and this warning is always there simply because they cannot guarantee that all the ads displayed on their site are not malvertising.

Any way to protect myself against malvertising?

Antivirus and anti-malware software are catching up with this trend and detection rates seem to be going up; however, this only applies to premium or paid versions… with the freebies, well… nobody knows for sure.
Uninstall browser plugins that you don’t use, like Adobe Flash.
Keep your operating system and browsers up to date – this is not as bad now, since almost all browsers update automatically and tell you when to restart.

If you want to know more, check this excellent article from Forbes.

3 biggest cybersecurity myths

No doubt cybersecurity is now part of our daily conversations – cryptocurrency hacking, election meddling, leaks and exposés; it is something we have all learned to live with.

Unfortunately, there are still (many) people that believe cybersecurity is something “my geek nephew has to worry about, not me”.

Nathan House, a cybersecurity expert from Station X, published in his newsletter the 3 biggest cybersecurity myths, and I found his insights a must-share with all of you:


#1 Small or medium sized businesses have nothing of value to an attacker

Many small businesses think they have nothing of value to an attacker so are unlikely to be a target, but the very opposite is the reality. I hear this “we have nothing of value to an attacker, why would they attack us?” question so often that it drives me bananas.

Small organisations are in fact perfect targets for attacks because they have weak defenses so are easily compromised.

A 2016 Government report confirms that 74% of small and medium-sized businesses (SMBs) reported a security breach and that only 7% of small businesses expect information security spend to increase in the next year.

Ransomware is the weapon of choice to attack small businesses indiscriminately, using it to encrypt the victim systems and files. Only when a ransom is paid are the files unencrypted.

All small businesses have something of value to themselves and it’s their own files and systems, which can be held for ransom.

Ransomware affects both SMBs and individuals alike. The attackers are now tailoring the amount of money demanded. They do not ask for a large sum from victims they know cannot pay. To unencrypt the files, they ask for a sum of money that is significant but “acceptable” to the victim.

In the case of an individual, it might be $100. For a small organisation, perhaps $500 is enough to make a nice income for the attackers and small enough that their victims are likely to pay.

Using ransomware to attack soft targets like small to medium sized businesses is becoming more and more prevalent. So not only is this a myth, it’s an extremely dangerous myth to believe and one that is commonly held by management.


#2 Cyber security is an IT problem

This is another very dangerous myth if an organisation’s executives believe it.

IT staff should not be making risk decisions that can affect the success or failure of an organisation. That is the role of the executives.

There is no doubt that cyber security comes largely from implementing appropriate information-technology-based controls to safeguard information held within an organisation.

Therefore, IT are responsible for implementing and recommending security controls. But the final choice on whether risks should be mitigated or taken should be down to the executives who understand the strategic objectives of the business.

Most organisations are not in the business of security. Security is just an enabler for the business to function within acceptable levels of risk. How much risk an organisation should take cannot be determined by IT as they simply don’t have this level of understanding about the organisation. It is for executives to set the level of risk tolerance.

An example might be that it could make good business sense to launch a product, so it can reach market in time and forgo some of the security. An IT person would not be able to make this sort of call.

Security is not an absolute. Its job is to inform the business and protect it to the level that is acceptable. Some organisations need to run with high levels of cyber risk in order to be viable as a business.

The risks from cyber attacks are not a technical problem. The recent attacks on TalkTalk, Sony, Target and others have resulted in serious financial damage being done to the company itself, and so the problem is now a boardroom issue that has to be managed at that level just like any other risk to the business.


#3 “Make my system 100% secure”

One of the most frustrating requests you can get as a security expert is being asked to “make the system 100% secure”.

There cannot be 100% security so the requester must define what “secure” means to them and they often have no clue.

People believe that complete security can be achieved and that complete security is required by law or industry practice. Neither is correct. Both laws and industry practices require businesses to do what is “reasonable.” Complete security is not required or even realistic.

Studies show that it would require businesses to increase overall security budgets nine-fold to address just 95 percent of the threats. That increase would, in most cases, exceed the overall budget for the entire business.

There is a fundamental paradox with regard to security efforts: As security protections increase, usability of the secured systems often decreases. That is, the greater the security, the less useful the thing secured will be.

It is, for example, possible to completely secure a mobile device, such as a smartphone. All that is necessary is to:

1. put the device into airplane mode,
2. place it in a Faraday case and
3. lock the device in a secure safe.

While complete security has been achieved, usability has been reduced to zero. A balance must always be struck between effective security measures and usability of the data or system being secured.

There are many misconceptions in cyber security that we need to overcome, and what we always need to concentrate on is reducing risk.


Beware of fake and dangerous Android apps

According to the Internet machine it is estimated there are more than 2 billion (yes, billion with a b) active Android devices in the world.

Now imagine for a second that you are an evil villain straight out of a Bond movie with a super magical computer that could take control of those devices… what would you do?

Well, some people are finding very creative and dangerous ways to make that a reality.

Android users (unlike Apple iOS users) have the ability to install apps both from the Google Play store and from what are called third-party developers. This brings some great advantages but also opens the door for the bad guys to attack devices by playing the “user” card.

Good example? Android apps that promise “unlimited movies and TV shows” or “fast credit card approval”. Also, there are many fake apps that look almost identical to the real ones, like the fake WhatsApp that was downloaded more than a million times before it was discovered and removed last year.

An installed fake or dangerous Android app is something that should not be taken lightly, especially given the cold hard fact that most of us use our phones and tablets more than our laptops. Very well crafted Android malware can steal your data and your login credentials for other apps and websites, or use your phone as a bot to attack other devices or to mine cryptocurrency, among many other things.

How can you protect yourself? Glad you asked.

  1. Stop looking for apps to watch free movies and TV! This is the best honeypot hackers use to lure and attack your devices.
  2. Take a close look at the search results: when you search for an app you’ll get many results, and a fake app will use the same icon as the one it’s trying to pose as. In this case, check the ratings and the number of downloads, and you’ll see the real one has more reviews and more downloads.
  3. Read the descriptions and look at the screenshots: bogus apps might have grammar errors, low-quality or non-existent screenshots, etc.
  4. When in doubt… simply don’t install the app!

Finally, if you spot a fake or suspicious app, be a good user and report it. Google has the option under Additional Information; also share it with your social media peeps, as this is the best way to create awareness.

SPECTRE and MELTDOWN CPU vulnerabilities – a basic understanding and what you need to know

December 2017 was a relatively slow month in cybersecurity, but something is for sure in this industry: nothing stays the same for too long…

2018 started with the disclosure of two security vulnerabilities, called SPECTRE and MELTDOWN, that affect some Intel and AMD processors. I will spare you the technical mumbo jumbo, but what I will tell you is that this is a very serious issue that – if exploited, and so far it hasn’t been – can compromise virtually any computer, tablet and smartphone on the planet. Yes, you read it right… Skynet is coming for us ☹

According to security expert Aryeh Goretsky, “reportedly the issue is that programs running in user-mode address space (the “normal” range of memory in which application software, games and the like run) on a computer can infer or “see” some of the information stored in kernel-mode address space (the “protected” range of memory used to contain the operating system, its device drivers, and sensitive information such as passwords and cryptography certificates)”. Bruce Schneier adds: “They affect computers where an untrusted browser window can execute code, phones that have multiple apps running at the same time, and cloud computing networks that run lots of different processes at once. Fixing them either requires a patch that results in a major performance hit, or is impossible and requires a re-architecture of conditional execution in future CPU chips”.

What do you need to do? Since this is not a Windows-only issue, at this point there is not much. Apple recommends only installing applications from trusted sources like the App Store; Microsoft has released patch updates (hence the need to always keep your computer’s operating system up to date) and Google is actively posting information on updates (their Project Zero unit was among the researchers who found the flaw). Also, keep your antivirus running and updated. Other vendors are working very hard on patches that will be deployed automatically in the coming days.
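The post covers Windows, Apple and Google; for Linux machines, here is an added example (not part of the original post) that reads the kernel’s own per-vulnerability status report, which Linux 4.15 and later expose as small text files under /sys/devices/system/cpu/vulnerabilities. It runs against a constructed copy of that directory so it works anywhere; point it at the real path on a Linux box to see whether the patches the post talks about have actually landed.

```shell
#!/bin/sh
# Added example: check the Spectre/Meltdown mitigation status a Linux kernel
# (4.15+) reports under /sys/devices/system/cpu/vulnerabilities. Each file
# there reads "Not affected", "Mitigation: <name>" or "Vulnerable[: detail]".
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# check_cpu_vulns [DIR]: print one verdict line per entry. Always exits 0 so
# it is safe under 'set -e'; use count_vulnerable for a machine-readable result.
check_cpu_vulns() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    if [ ! -d "$dir" ]; then
        echo "$dir not found: not Linux, or a kernel older than 4.15" >&2
        return 0
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            "Not affected"|Mitigation:*) verdict="ok    " ;;   # nothing to do
            Vulnerable*)                 verdict="PATCH " ;;   # kernel/microcode update needed
            *)                           verdict="?     " ;;   # wording this script does not know
        esac
        printf '%s %-12s %s\n' "$verdict" "$(basename "$f")" "$status"
    done
}

# count_vulnerable [DIR]: echo how many entries are still reported Vulnerable.
count_vulnerable() {
    check_cpu_vulns "$1" | grep -c '^PATCH ' || true   # grep -c exits 1 on zero matches
}

# Demo on a constructed directory (not a real host) shaped like an early-2018
# box that received the Meltdown fix but not yet a Spectre v2 fix.
demo_dir=$(mktemp -d)
printf 'Mitigation: PTI\n'                         > "$demo_dir/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$demo_dir/spectre_v1"
printf 'Vulnerable\n'                              > "$demo_dir/spectre_v2"
check_cpu_vulns "$demo_dir"
echo "entries still vulnerable: $(count_vulnerable "$demo_dir")"   # 1
rm -rf "$demo_dir"
```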
