Blog

Facebook, phones, privacy, oh my!

Last year Facebook was dragged before a Senate committee hearing regarding privacy. The founder, Mark Zuckerberg, was challenged with questions regarding how Facebook keeps user records private, and how Facebook is able to access personal data beyond its documented reach. What does this mean?

In several videos, and in independent tests, it appears that the Facebook application installed on your phone is granted by default (unless the user changes the settings) the ability to access the phone’s microphone and camera. Per Facebook, this is for features such as auto-tagging what a user is listening to while making a post. The videos where people test this show something far more nefarious, though. With a phone that has the Facebook app installed placed near them, people intentionally discuss a topic that they have never discussed or searched for, for example “taking a trip to South Africa”. Note that the Facebook app is simply installed, not running as an application. Lo and behold, the users start getting advertising for flights to South Africa, tourism trips in South Africa, etc. This is disturbing enough, but add in the actual privacy practices of Facebook….

Facebook sold private data to Cambridge Analytica, and that data was leaked. While the data in this case was not worse than, say, the Equifax breach, it still shows a disregard for data privacy.

If Facebook is recording your voice conversations when you are near your phone, and is capable of selling the data that it stores, could you be at risk? Client confidentiality breach? Trade secrets? Even if you didn’t intend to reveal that data to Facebook, they have it. And even if they intend to keep it private, they can’t guarantee it.

Want to know what other risks you are exposing your company to? Contact us today!

Smartphones, computers, tablets….

Technology, according to Moore’s law, will get faster and smaller as time goes by. I am paraphrasing here in order to make the point. Years ago, cell phones were just that: phones. They had a small LCD screen, and they could make and receive phone calls. Some even had an address book that could store up to 1000 names and numbers! Today, the technology packed into a high-end iPhone or Android device is greater than that of computers from 10 years ago. The younger generations can’t live without their smartphones and in some cases conduct their whole lives on a 3″x4″ screen.

With IoT devices in almost every home (think about smart devices in your home or business, such as a Ring doorbell, a video camera, a smoke detector, a WiFi-capable refrigerator, a thermostat; you get the idea), your home or business is connected to everything. This includes the smartphones and tablets. The risk here is that these IoT devices and smartphones are the greatest attack surface for any hacker.

So what does this mean? Computer networks will always be a vector for bad actors, but there are new threats emerging that go after these pervasive devices. How does this work? Let’s see…

Let’s say you have Facebook on your smartphone, and you see a message from an old high school friend whom you haven’t spoken to in 20 years asking you to click on a link or watch a video. You are on your phone, so it’s safe, right? Wrong.

You open the link and in the background malware downloads to your phone. Immediately your phone reaches out across the WiFi network you are connected to in order to discover other devices on your network. Are you at work? Your business is now at risk! Your IoT security cameras? Compromised. Your network is being attacked.

Want to know how to mitigate this risk? Contact us today!

How secure is enough?

There is always a balance to strike between security and usability. At one end of the spectrum is a completely secure system that is not usable at all. To ever be completely secure, that is, to ensure the bad actors can’t access your systems, an organization would have to ensure that its own employees can’t be bad actors. A completely secure system is one that isn’t usable. A computer that is powered off inside a locked safe is secure, but is it usable? No, not really.

If we take that paradigm and apply it to your company, there are ways to ensure that the company is secure, but your systems also have to be used. As a real-world example, let’s discuss company A, which makes toys. They have several computers that they use for designing the toys, ordering new materials, invoices, billing, email and employee records. To be secure, the company shouldn’t allow any outside communication that can be compromised, but they need those communications for their business. If “secure” meant that they have 100% assurance that no one could access the system, the company couldn’t do its job of making toys. So how much security should be applied to company A’s computer systems?

The answer is “just enough”. Just enough access to perform the critical task, but not so much access that it could be an avenue for a bad actor to exploit. Each process, application, communication method, employee and login must be examined from a security standpoint to ensure that it is necessary for the business, and that it is secure enough.

But how much is enough? Well, that depends on the amount of risk that item poses if it were compromised, as compared to the value of the item being examined. This type of Business Impact Analysis is something that each and every business SHOULD conduct to understand its risk posture. The company’s “secret sauce” is probably more valuable than past material invoices, so the “secret sauce” should receive more scrutiny.

Want to know more? Contact us today!

Knowing is half the battle…

The key to security in any environment is to know what you have that needs to be secured. Seems simple, right? It’s not.

One of the most common ways that an organization or company is breached is through an unknown configuration. It could be a server that someone brought online for testing and left unpatched and forgotten, or a service account that has local admin rights but has been neglected and whose password is over a year old. Perhaps it is a dual-homed server created to solve a specific problem, but left with little or no configuration.

It is often the case that after a breach is detected, someone sees how it occurred and says “oh, gee, I forgot about that!” or “I didn’t realize that was still online!” The reality is that when you are patching and doing your due diligence to make your organization secure, you can only do that for the assets and configurations you know about.

Enter configuration management. The process of configuration management is to create and maintain detailed documentation for all of your assets and all of their configurations as they currently are. This means an inventory of all of your servers, accounts, services, patch levels, switches, routers, workstations, vendor access, etc. The reason you have this is so that when a critical vulnerability like BlueKeep comes out and you want to apply patches, you can be sure you have patched everything in your environment.

On top of your configuration management system, it is important to internally audit your environment on a regular basis to discover any changes to your infrastructure that you weren’t aware of.
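One way to run the internal audit described above, as an added example that is not part of the original post: it reconciles a constructed inventory record with a constructed discovery scan and account list, flagging the drift cases this post names (a host nobody documented, a server with an undocumented second interface, a local-admin service account whose password is over a year old) plus any host missing a placeholder patch id standing in for the BlueKeep fix. Host names, account names and the patch id are assumptions.

```python
from datetime import date

# Constructed sample data: what the CMDB says exists, what a discovery scan actually found,
# and the service-account records. All names and the patch id are placeholders.
REQUIRED_PATCH = "PATCH-PLACEHOLDER-BLUEKEEP"   # stand-in for the vendor's BlueKeep patch id
INVENTORY = {
    "web01":   {"interfaces": 1, "purpose": "public web"},
    "db01":    {"interfaces": 1, "purpose": "orders database"},
    "proxy01": {"interfaces": 1, "purpose": "vendor gateway"},   # documented with one NIC
}
DISCOVERED = {
    "web01":   {"interfaces": 1, "patches": {REQUIRED_PATCH}},
    "db01":    {"interfaces": 1, "patches": {REQUIRED_PATCH}},
    "proxy01": {"interfaces": 2, "patches": {REQUIRED_PATCH}},   # actually dual-homed
    "test07":  {"interfaces": 1, "patches": set()},              # the forgotten test box
}
SERVICE_ACCOUNTS = [
    {"name": "svc_backup", "local_admin": True,  "password_set": date(2018, 1, 10)},
    {"name": "svc_report", "local_admin": False, "password_set": date(2018, 1, 10)},
    {"name": "svc_deploy", "local_admin": True,  "password_set": date(2019, 9, 1)},
]


def audit(inventory, discovered, accounts, required_patch, today, max_pw_age_days=365):
    """Return sorted (finding, asset) pairs for each way reality drifted from the documentation."""
    findings = []
    for host, seen in discovered.items():
        doc = inventory.get(host)
        if doc is None:
            findings.append(("unknown-host", host))            # online but never documented
        elif seen["interfaces"] > doc["interfaces"]:
            findings.append(("undocumented-dual-homed", host))  # extra NIC nobody recorded
        if required_patch not in seen["patches"]:
            findings.append(("missing-patch", host))           # would be missed in a patch sweep
    for host in inventory.keys() - discovered.keys():
        findings.append(("documented-but-not-seen", host))     # stale record, or a host that hid
    for acct in accounts:
        age_days = (today - acct["password_set"]).days
        if acct["local_admin"] and age_days > max_pw_age_days:
            findings.append(("stale-admin-password", acct["name"]))
    return sorted(findings)


def run_sample(today=date(2019, 10, 1)):
    """Audit the constructed sample as of a fixed date so the result is reproducible."""
    return audit(INVENTORY, DISCOVERED, SERVICE_ACCOUNTS, REQUIRED_PATCH, today)


if __name__ == "__main__":
    for finding, asset in run_sample():
        print(f"{finding:26} {asset}")
```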

Want to know the most efficient ways to do this? Contact us today!

So you are in the cloud?

Like most businesses, you probably find the allure of cloud resources hard to resist, and using them is a smart decision. The cloud offers different types of flexibility to manage your business appropriately. Maybe you need to have a web server and don’t want the cost, maintenance and overhead of all of the infrastructure of hosting it yourself? Or perhaps you are using the cloud as a part of an online transaction processor? Regardless of your need for cloud, there is likely something you haven’t put a lot of thought towards… How secure are THEY?

The cloud provider is a business like any other, with servers, vendors, employees, IT staff, marketing people, contractors and likely at least one outsourced service. It is smart business sense to regularly review your cloud provider’s security. You are trusting them with your data and your reputation, and in many cases they are assuming the risk of maintaining your IT services.

In a recent study of the suspected cyber attacks on the US Democratic party following the most recent presidential election, it was determined that vendors were the way the attackers got in. By compromising a “trusted partner” of a business, attackers can then infiltrate any business attached to them. From a cloud vendor perspective you would hope they have the strictest security posture possible; but how do you know?

Every business that uses any type of cloud service should thoroughly review the security of the cloud provider they are trusting. Want to know more?

Contact us today!

The truth about Ransomware

There are many articles in the news about Ransomware today, which is a special type of malware. Ransomware is a way for the bad guys to lock up your systems so you can’t access your data, and then tell you that you can have your data back only if you pay them.

But, how do they do this?

It all starts with a breach of some type. Perhaps your employee is looking at their personal email on their work computer and they click on a link to log in to their bank account (which isn’t from their bank; in fact, it is phishing). Their computer is infected. This is the foot in the door. From here, that PC will “call home” to the command and control center for the malware, and the PC will begin scanning the network from the inside looking for other hosts to infect.

Once the malware has control of many or all of the PCs, file servers, databases, email servers, web servers and every critical business function, the command and control center will allow each PC to download a special payload that encrypts the hard drive of every machine.

When you come in Monday morning, grab your cup of coffee and power on your PC, you are presented with a screen stating that the hackers have your data and they won’t release it unless you pay them some large amount of money in bitcoins. You put down your coffee and pick up the TUMS as you realize all employees have the same screen, and you can’t access any of the data that makes your business work: all of your invoices, client contacts, contracts, billing information, etc. You haven’t just lost your data, but confidential data that belongs to your clients as well.

What do you do? Do you pay?

There is evidence to suggest that paying the ransomer may NOT get you your data back. Once you pay them, they can walk away, leaving you poorer. On the other hand, they could unlock your workstations and servers, but you now know that they have access to all of the confidential data you were trying to protect.

According to this research report from MIT, Ransomware has generated over $45 Million for the bad guys. The larger the organization, the more sensitive the data, the higher the ransom.

But you are covered, right? You have cybercrime insurance? Not all insurance companies will pay. Recently, some insurance companies decided that since the ransomware was “NotPetya”, which has been linked to the Russian government’s actions, it was deemed an “act of war”. Other companies refuse to pay for various reasons, citing that the target business should have done more to prevent these damages.

Could you be doing more? Contact us today.

Privacy and what it means…

Privacy is a touchy topic. For some people, it means having control over what you don’t want others to know. For example, you want to keep your social security number private, or your bank account number. But there are other things that we care less about being private, such as photos of ourselves on vacation that we post to social media. What if what you think is “private” really is just slightly harder to get to?

The world news is full of stories where someone’s privacy was breached, from leaked celebrity iCloud photos to identity theft. We believe that these incidents are isolated, but in fact everyone has had some level of privacy breach in their lives whether or not they know it. Recent data breaches from major corporations were released here. You can search for yourself and find out if your usernames and passwords were published.

Take, for example, a case where you have an iPhone and you use Facebook. According to several “experiments”, Facebook may be collecting information about all of the texts and phone calls you have made from the iPhone; they track all of the locations where you “check in”; and Google has already admitted that they send telemetry location data every time you use a Google app, even if your GPS is turned off.

For a typical user, someone with access to this data can know where you were, when, and what you were doing, all the time. Maybe you think “I don’t care if Facebook or the government knows I bought a shovel from Home Depot on Saturday morning at 11:14AM for $28.34 and I used my Visa card ####-####-####-#### for it.” And maybe that is true, but did you volunteer that information? If I can gather that, what else can I get?

This type of data collection when coupled with “Artificial Intelligence” or “Deep Learning” can come pretty close to predicting what you are likely to do in the future. It is this part of “privacy” that becomes scary.

What if I could detail all of the daily activities of your employees? What information can I collect about your business? Bad actors have long known that the easiest way to get in a door is to ask a person with a key to open it for you. This is usually called “social engineering”, but with machine learning, and organizations like Amazon, Microsoft, Google and Facebook collecting every aspect of your life, the issue of privacy goes beyond what you choose to share and enters the realm of inference.

Protecting yourself means being vigilant with what information about you is available. Many people choose not to post vacation photos while they are away because it tells robbers that they aren’t home. Beyond that, does Facebook NEED access to your camera? Photo Gallery? Text Messages? Microphone? Does Amazon Prime need to know your GPS location? All of these apps have permissions that they ask you about. If it doesn’t seem right (why would Candy Crush need access to my Voicemail? Or my camera?) then it probably isn’t.

Want to know more about how to protect yourself and your company? Contact us today!

A preventative cure

As a small or medium business, you are concerned with what you need to do, which, rightfully so, is all about your business! But while you are managing your employees, customers, products, and bottom line, who is watching the gates? Security starts and ends with everyone in your company being aware of how to behave as if they are personally responsible for the company’s security.

Your employees have their own lives; they have Facebook, they watch cat videos on YouTube, they send text messages from their phones, and they email family and friends from their personal accounts, all from company resources. There are inherent dangers to this, perhaps more than you realize.

A single user logs in to a company computer, opens Chrome or Firefox to their Gmail inbox, and also opens Facebook. While they are working, they are managing their daily lives as well. One of them clicks on an email from what appears to be one of their email contacts to look at a file or click on a link. Wham! That email wasn’t actually from their contact; it was well-crafted spam. Their company PC is now infected with malware. Behind the scenes, that malware is now enumerating the other computers their PC connects to and the customer databases, moving to other coworkers’ PCs, and collecting their information as well. Within a short amount of time, almost every PC is infected, and the bad actors have a treasure trove of information about you, your employees, their passwords to your internal systems, your customer data, and your company secrets.

The bad actor might try to exploit your business, locking all of your PCs using cryptoware and making all of your data inaccessible unless you pay them a large ransom. Possibly the bad actor will find some of your users’ social data, and start a social engineering campaign to learn their habits and blackmail them into divulging company secrets.

Scared? You should be. This type of behavior happens every day.

But what can you do? The front line of cyber security is awareness and education. If your employees practice safe behaviors and know how to spot phony emails and suspicious phone calls, you can thwart the attacks before they start. This type of training and education should start right NOW, before you are in trouble. You shouldn’t decide to go to school only after you have applied for a job and been turned down due to a lack of education. The same applies here. Education and awareness are preventative measures.

As the cyber security industry changes, so should the training. A good practice is to have a solid cyber security training program for all new employees and a refresher program every six months.

A custom tailored program works best to reach your employees and management staff, and should be as important as skills training or HR policy signing. After all, it is the fundamental security of your business that is at risk!

Want to know more? Contact us today!

DNS Data Exfiltration

Are you aware of the potential for data to leave your organization? A company’s intellectual property is the key to profits. Whether you are a marketing company, an insurance firm, or a manufacturer, the “secret sauce” of your organization is what you are trying to keep secret. It is because of this that you need an awareness of the ways data might leave your company unlawfully.

The first and obvious one is some type of hacker. Perhaps one or many of your machines have been infected with malware. That malware is the remote terminal through which bad actors work their way through your network looking for valuable data, so that they can send your secrets back out and sell them. Perhaps instead you have a rogue employee who is looking to make extra money and has taken a bribe from bad actors who will pay them a lot of money to send them your data.

The obvious avenues for this data exfiltration are avenues you have already thought about, like email, USB drives, and file sharing sites like Dropbox. But the most sophisticated exfiltrations are designed to go undetected. There are various ways that data can be sent out using techniques that don’t look like data is going out.

One such way is through DNS lookups. DNS queries are sent from the workstation to a DNS server controlled by the bad actor. The DNS queries look like long invalid strings (perhaps because the data is encrypted), but the query itself is carrying the actual data being sent. For example, if I want to exfiltrate the Gettysburg Address document, I might perform DNS queries to my own DNS server looking for “FourScoreandSevenYearsAgoOurfathers”, and the next query would continue with “broughtforthonthiscontinent”, and so on until I have essentially transmitted the entire document. Of course all of these queries will be denied because these aren’t real addresses, but who would notice? DNS is necessary on the Internet and you expect to see DNS traffic.

Because DNS queries are quick and easy, this is becoming a more prevalent technique to move data out of the company to the network of the bad actors. From the bad actor side, all I have to do is keep a log of the queries and reassemble them.

But what if I am talking about the source code to the software you develop? Or the customer data you hold? Credit card numbers? Social Security numbers? Internal documents that you don’t want your competitors to see?
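A defender-side check for the pattern described above, as an added example that is not part of the original post: it scores a constructed resolver log per registered domain on three signals (answers that are mostly “no such name”, very long leftmost labels, and almost no repeated names) and flags domains where at least two fire. The log format, the thresholds and the c2-placeholder.example domain are assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log, "<client-ip> <queried-name> <rcode>" per line; the chunks are made up.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 www.example.com NOERROR
10.0.0.7 cdn.example.net NOERROR
10.0.0.7 fourscoreandsevenyearsagoourfathers.c2-placeholder.example NXDOMAIN
10.0.0.7 broughtforthonthiscontinentanewnation.c2-placeholder.example NXDOMAIN
10.0.0.7 conceivedinlibertyanddedicatedtothe.c2-placeholder.example NXDOMAIN
10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43uoqqhi43v.c2-placeholder.example NXDOMAIN
10.0.0.7 ojsw45dfnzqxi2lpnzqwyidbnzsca3dpmrrwq2lt.c2-placeholder.example NXDOMAIN
10.0.0.7 pfqxkzlzoqqhi3djnfxxk4tjnfswc5dfmvzs4idq.c2-placeholder.example NXDOMAIN
10.0.0.5 mail.example.com NOERROR
10.0.0.5 www.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")

def parse_log(text):
    """Yield (client, qname, rcode); lines that do not match the assumed format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower().rstrip("."), m.group(3)

def registered_domain(qname):
    """Naive 'last two labels' grouping; a real deployment would consult the public suffix list."""
    return ".".join(qname.split(".")[-2:])

def analyse(text, min_queries=5):
    """Aggregate queries per registered domain and score three tunnelling signals."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set(), "label_len": 0})
    for _client, qname, rcode in parse_log(text):
        d = stats[registered_domain(qname)]
        d["queries"] += 1
        if rcode == "NXDOMAIN":
            d["nxdomain"] += 1
        d["names"].add(qname)
        d["label_len"] += len(qname.split(".")[0])   # the leftmost label carries the chunk
    report = {}
    for domain, d in stats.items():
        n = d["queries"]
        m = {
            "queries": n,
            "nxdomain_ratio": d["nxdomain"] / n,
            "unique_ratio": len(d["names"]) / n,
            "mean_label_len": d["label_len"] / n,
        }
        signals = (
            m["nxdomain_ratio"] >= 0.8,   # the names never resolve, as the post describes
            m["mean_label_len"] >= 25,    # pieces of a document, not hostnames
            m["unique_ratio"] >= 0.9,     # nearly every query is a never-seen name
        )
        m["flagged"] = n >= min_queries and sum(signals) >= 2
        report[domain] = m
    return report

def suspicious_domains(text, min_queries=5):
    """Registered domains whose query pattern looks like chunked data, sorted."""
    return sorted(d for d, m in analyse(text, min_queries).items() if m["flagged"])
```

Running `suspicious_domains(SAMPLE_LOG)` flags only the placeholder domain; the five ordinary example.com lookups and the single example.net lookup pass.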

Contact us to today to find out how we can help protect you and your company from threats like these.

Tax time threats

As tax time approaches, people are filling out forms with all of their most personal information, such as their relationships, social security numbers, income, home address, job information, payment information, bank account numbers, phone numbers and email. There is rarely a time of the year more vulnerable for consumers and tax professionals alike.

As a consumer, it can be difficult to ensure that your data is safe and secure. If you are filing taxes on your own, you have to trust that your mail won’t be intercepted; and if you are filing online through a tax agency or even an online tax preparer, how can you trust that those companies will secure your data adequately? With the number of large company breaches in the recent past, including Target, Home Depot, and Equifax to name a few, a consumer’s information being held by a tax preparer could be at risk if that company doesn’t secure its own network.

On the consumer side, there is an increase in the number of “fake” or scamming applications and websites that are “free” ways for someone to file their own taxes. These sites and applications will not in fact file your taxes, but will collect and sell your personal information to the highest bidder. As a safeguard for all consumers: use a professional tax service, or be hyper-vigilant that you are in fact connected to a reputable site such as H&R Block or TurboTax, to name a few. You can also file directly from the federal and most state government sites online.

If you are a tax preparer, and you are in charge of the personal information of your clients, what are you doing to ensure that data is safe and secure? Is your data subject to HIPAA law? Are you securing your data and processes to ensure that not only are you not breached, but, if you were, you could prove you were practicing due diligence and due care? Keeping your clients’ data safe is a critical function, and one that is essential not only to your bottom line, but also to the reputation of your firm.

Contact KidderSec Technologies today to see where you stand in the fight to keep the data of your company and clients safe.