Tag Archives: Warwick Ashford

Cyber breach at the Australian Bureau of Meteorology

5 December 2015

When I read the headline of Warwick Ashford’s report ‘Australia blames China for cyber-attack on supercomputer’ my first thought was: Why would anyone go after a number cruncher? It can’t be all that bad, because under normal conditions number crunchers don’t store business critical information.

In the evening I started gathering information about the attack and found some really worrying details.

In Ashford’s report we read ‘The BoM supercomputer contains a lot of research, but could be viewed as a potential gateway to a host of government agencies that have even more sensitive information.’

In an ABC report one reads ‘In the event of a conflict, compromising Australia’s ability to accurately forecast weather would affect the operation of military and commercial aircraft. Beyond that, the bureau provides a gateway to other agencies.’

The Bureau of Meteorology (BoM) provides services to other agencies. Since a login is required, it is very likely that login credentials have been compromised. This makes attacks on other agencies very likely because login credentials are frequently re-used across services.

In addition, both sources report that the BoM provides a gateway to other services. Hopefully the networks of the Australian government agencies are better isolated from each other than the OPM network was from other U.S. agency networks. If they are properly isolated, it is much harder for the attackers to move across the gateways into other networks.

In ‘Cyber breach at the Bureau of Meteorology: the who, what and how, of the hack’ we read

‘The damage is actually … to then make sure that the hackers have not left behind any software that is continuing to spy or providing hackers with renewed access, …’

The author talks only about confidentiality issues, but what about integrity issues? Who checks whether the results of the computations are still the same as before the attack? Slight changes to algorithms may have a major impact on forecast information and could, in the worst case, end in a plane crash.

Have a good weekend.

TalkTalk warns customers about personal data breach

4 November 2015

When Warwick Ashford’s report about the TalkTalk data breach popped up in my mail box on 23 October I was busy with holiday preparations. Thus I skimmed only through the report. On Saturday morning at the airport I read the report in peace and searched for more information.

UK phone and broadband provider TalkTalk was hacked. The company announced the attack on 21 October on their website. In the worst case, attackers may have accessed the data of 4 million customers.

What surprised me was that this was the second attack this year.

But what really concerns me is the proposed solution:

“Encryption is the only way for organisations to get control and be in a position to mitigate and ultimately accept risk,” said panellist Frank Weisel, regional sales manager at Vormetric in Germany.

Data encryption as an isolated protection measure is simply irrelevant in this and many other cases, because once the attackers have managed to get onto the victim’s network they are authorized users. And authorized users have access to the data and to the encryption keys.

Whether the initial attack is performed via SQL or command injection, through an unpatched server or by a phishing attack is of no interest. Only the result counts.

Alan Solomon took the same line some days later in his post “TalkTalk was hacked. But it’s silly to ask if the data was encrypted”.

In my opinion the basic problem comes from the inherently weak user authentication technology. This became clear to me once again when I collected my rental car at Funchal airport.

Although the desk operator had my reservation details on his screen, I had to authenticate myself with my passport and a valid driver’s licence to get the car key. When it comes to safety, Two Factor Authentication (TFA) is taken for granted.

From my point of view it’s time to secure access to business critical company data with a second authentication factor: for all employees who have a stake in the data, for every session, and of course in addition to encryption, patching, secure application development, etc.

This will hinder attackers massively in getting access to a company’s secrets.

Have a good day.

Cyber security innovation is crucial

17 October 2015

I had some unpleasant discussions this week about the importance of basic security. In my opinion most companies could raise their level of security by about 50 to 60 percent just by getting the basics right. The best Advanced Threat Protection (ATP) technology is useless once the attacker is on your network. Then it is important to hinder the attacker in searching the network for the credentials of the domain administrators.

Warwick Ashford’s post ‘Cyber security innovation is crucial, says security evangelist’, published on Tuesday on ComputerWeekly.com saved my day:

“Basic cyber hygiene is typically lacking, and just by getting the basics up to scratch companies could reduce 90% of their cyber risk.”

This report gives you great arguments for adjusting budgets in favour of the basics. I hope you enjoy reading it.

Have a good weekend.

Back door Linux/Cdorked.A – An old friend returns

7 May 2015

Yesterday evening I found the link ‘Hackers open malware backdoor in Apache webservers’ in my email. In this E-Guide Warwick Ashford talks about a new threat named Linux/Cdorked.A that targets Apache web servers. Although the back door Linux/Cdorked.A has been known for years, the attack vector is still not known. In addition, Linux/Cdorked.A appears to be hard to detect because

‘All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis.’

I fully agree, this behaviour makes it really hard to detect the back door. Nevertheless, sometimes it is necessary to restart a server or at least the httpd daemon. If the back door lived only in memory, it would not survive the next restart. To become persistent it is necessary that the httpd executable is modified. And this is the weak point of the back door.

If set up on a clean Linux installation and well configured and maintained, integrity checkers like AIDE or OSSEC are able to detect changes to any executable. What matters most, however, is that the log files written by the integrity checkers are checked regularly for integrity breaches and that alarms are acted on promptly. And this is the weak point of system administration.

Don’t panic… and focus on right and important things.

Premera hacked – 11 million financial and medical records stolen

19 March 2014

When news about the Premera hack showed up in my mailbox this afternoon I was really amazed. For the second time this year, a health insurance company was hit.

On skim reading the news about the Premera attack I wondered when the magic word ‘encryption’ would first appear. Finally I found this statement in Warwick Ashford’s post ‘Premera hack exposes 11 million financial and medical records’. Richard Blech, chief executive of security firm Secure Channels, said:

“With advanced and unhackable encryption, the hacker is left with a bunch of useless bits and bytes.”

Richard Blech talks about encryption at the application level. Application level encryption is not as useless as database level transparent encryption in the defense against attackers.

But even application level encryption is almost useless in the case of malicious insiders because, apart from the fact that they use stolen login data, they sign in to the company just like a normal employee. Therefore they are able to access even data that is encrypted at the application level, because they are authorized to do so.

In my opinion, to use advanced encryption as the core process of a protection strategy is as irresponsible as to use no encryption at all. Strict Identity and Access Management, combined with Two Factor Authorization for all employees, and regular security trainings create the first and second line of defense. Encryption is the last line of defense.

Take care!

Review: Poor password practices put 60% of UK citizens at risk

4 December 2014

Poor password practices put 60% of UK citizens at risk.

Warwick Ashford’s report is really alarming. ‘More than six in 10 UK consumers put their data at risk by using a single password across multiple online accounts, a study has shown.’

But the worst is yet to come. They also use weak passwords: ‘Trustwave analysed more than 625,000 password hashes and found 54% were cracked in just a couple of minutes and 92% in 31 days.’

Passwords are definitely inappropriate for authentication in the age of cyber crime. The news of the past weeks shows that major players on the IT market like Twitter, Microsoft or Google have developed technologies to address this problem.

FIDO U2F Security Key

The FIDO U2F standard (FIDO = Fast Identity Online Alliance, U2F = Universal Second Factor) appears to be a quantum leap towards secure authentication on the world-wide web. Google has already integrated this standard in the Chrome browser. The second factor is established by a security key attached to a USB port.

Unfortunately it only comes into play after you have logged in to your computer, phone or tablet, and only for Chrome.

And that, in my opinion, is the crux of the matter. In a perfect world, I would like to log in to my computer with a PIN or fingerprint and the FIDO U2F security key attached to the device.

A central, world-wide available and trusted identification authority verifies my identity and creates my identity token, which is valid for the duration of my session.

All services like Google, Home Depot, Amazon, the city council or the tax office rely on this identity token. For reasons of security the identity must be checked again before critical transactions are carried out.

Sounds fantastic, doesn’t it?

Look forward to a world without passwords!