Are we already at war?

This is the first of two articles taking a look at the hacking and cybercrime that’s taken place in 2015. Part 2, to be published soon, looks at the simple steps we can take to enhance our security and minimise the threats from cybercrime.

2015
Although we’ve yet to reach the end of 2015, there’s already been an unprecedented number of data breaches and hacks compared to previous years, measured by both the number of breaches and the amount of data exposed.

The graphic on the right shows the estimated cost of cybercrime for 2014. In 2015 the cost has increased by 14% according to the “Cost of Cyber Crime Study: UK”, conducted by the Ponemon Institute and sponsored by HP.

The institute conducted 326 interviews with personnel from 39 UK companies to assess the incidence and cost of cybercrime for businesses. The latest news is that the very recent TalkTalk hack has cost the company £35m so far.

Major data breaches in 2015

  • February – Billion dollar cyberheist
    Up to 100 banks were penetrated and more than $1bn stolen
  • US health insurer Anthem
    80 million patient and employee records including date of birth, social security numbers, home and email addresses, employee information and more
  • May 2015 – BlueCross, US Health Insurance provider
    11.2 million names, birth dates, email addresses stolen
  • US Office of Personnel Management
    Confidential data on 21.5m US Federal employees was accessed and presumed stolen
  • June 2015 – Kaspersky Lab (yes, the security vendor) was hacked
    Technical information was stolen, thought to be industrial espionage by a sovereign Nation State
  • July 2015 – Harvard University
    One of 8 universities hacked in 2015 but it’s not known what information was accessed (and stolen)
  • Hacking Team
    Hacking Team develop spy tools for government agencies and the breach exposed 1 million emails including those of a sensitive nature from a number of security agencies around the world
  • US Army National Guard
    850,000 social security numbers, home addresses, names and other personal information stolen
  • August – Ashley Madison
    32m members’ data stolen and posted on the dark web for sale. The ramifications are ongoing
  • September – John Brennan
    CIA Director had his personal AOL email account hacked
  • October – TalkTalk
    Major hack of the TalkTalk website and a lot of user data was stolen

In the US it is a legal requirement that all hacked companies make a report to the appropriate government department. However, similar legislation has yet to be enacted in Europe, so the reported incidents may just be the tip of the iceberg – and that’s assuming that hacked companies know that they’ve been hacked.

So who was behind these hacks and what was their goal?
At the time of writing, 4 people had been arrested, and bailed, for the TalkTalk hack – 3 teenagers and a young adult – although no charges have been brought.

Some hacks might be carried out by the stereotypical “spotty teenager in a bedroom” just doing it for fun. However, the majority are likely to be carried out by more worrying groups, ranging from organised crime looking to extort money to government organisations.

The Ashley Madison hack looks to have been for the purpose of extortion, of both Ashley Madison themselves and their members (“pay us £xx or we’ll let your friends and family know where you spend your time” etc).

Others will be industrial espionage, with companies looking to gain a competitive advantage, whilst the remainder might have been carried out by departments acting for “state security”. It’s believed, although almost impossible to prove, that the Kaspersky, US National Guard, US Office of Personnel Management & Hacking Team hacks were conducted by sovereign Nation States, believed to be North Korea and/or China.

These attacks by non-friendly sovereign nation states on infrastructure may even be seen as acts of war.

Why do hacks occur?
For some, it’s simply for fun, the challenge and the bragging rights.

However, there’s a lot of money to be made from the theft of intellectual property and business sensitive materials, and nations stand to learn a great deal about their friends and enemies. It’s widely believed, for example, that China has been “inside” US military design systems for many years which could explain why their military have made extremely rapid advances with the design and manufacture of new military equipment, including stealth planes, missile defence systems and drones in recent years.

Towards the end of 2015 we’re seeing that China is negotiating two way, anti-hacking, arrangements with a number of major economic partners, including the UK, USA and Germany, theoretically enshrining in law that the countries won’t attempt to hack China and China won’t try to hack them. However, even if the above is true they don’t need to hack any further if they already have access to core systems.

A cynic might also say that history indicates that China may not stick to its side of the deal, and even if they do – they can always ask their friends to do it for them.

Protecting your business and yourself.
Although I’ve mentioned high-profile attacks, SMEs are also at great risk and so in Part Two I’ll be looking at some simple steps that you can take to maximise your security and minimise the risk that you are exposed to.

Has Anti-Virus software reached its “Best Before” date?

For many years, the security mantra has been:

  • Mac good – invulnerable to viruses and hacking.
  • Windows bad – very vulnerable to viruses and hacking

The reason was two-fold. Whilst it’s true that the Apple operating system IS harder to infect with a virus, the main reason was popularity (or lack thereof). When 97% of the world was using Windows, why bother writing viruses and other malware for the extreme minority?

The traditional Windows solution was to install an anti-virus program from one of the many vendors and, for real “belt and braces” safety, protect your internet connection with a firewall. Hopefully all would be well and good, so long as you paid your annual anti-virus subscriptions and ensured that the virus definitions were regularly updated so your anti-virus program could identify the threats and keep you safe. (Free anti-virus programs for home users did a similar job, again provided they were kept up to date)

Significantly Increased Risk of Infection

However, the upsurge in Apple popularity over recent years means that Apple devices are also targets of the cyber-criminals. And it’s not just Apple computers and iDevices that are at risk; the virus writers are also targeting Android devices, Microsoft phones and tablets and devices running Linux.

Anti-Virus is dead!

Last year, Brian Dye, Senior Vice-President for Information Security at Symantec (the company behind Norton Anti-Virus solutions) said, in an interview with The Wall Street Journal, that “Anti-Virus is dead”. What he meant was that cyber criminals were now able to write malicious software faster than Norton could be updated.

Whilst Norton, and all the other anti-virus programs, are not yet ready for the scrapheap, they only detect around 45% of all attacks. As well as that rather disturbing stat, research by FireEye (a cyber-security provider) indicated that 82% of malware detected by their security solutions stays active for just one hour and 70% of threats surface just once before disappearing and being re-written to avoid detection by the AV companies.

So, what should you be doing?

Well, I’ve said it before, but it’s always worth reiterating: security starts with education. Then you add as many layers of additional protection as you feel necessary, depending on how you use your devices and the level of risk you feel you are faced with.

  • Never open an attachment unless you are expecting one and you know, and trust, where it came from.
  • Keep your Anti-Virus software up to date and continue to renew your subscriptions, it may only block 45% but that’s nearly half of all threats stopped before they have a chance to install.
  • Install a security App on your phone and tablet
  • Explore the new offerings from the traditional anti-virus vendors that look to protect your web browsing and protect you against spam, phishing attacks and other cyber crime threats.
  • Be alert for anything that doesn’t feel “right” and if something looks too good to be true – that offer of a full version of Microsoft Office on CD for £50.00 for example – remember, it probably is!
  • Use a different, complex, password for each website that you have to log in to. An App such as LastPass will help you create passwords, securely store them and “auto complete” the log-ins when you log in to those websites. (other password tools are available)
  • Ensure your Social Media accounts privacy settings are set to an appropriate level
  • Look at Bitdefender Safego, a free anti-scam service for Facebook and Twitter
  • Remain cautious when using any internet connected device

Safer Internet Day 2015

1,2,3,4 is the start of The Beatles “I saw her standing there”, it’s the way you “declare a thumb war” and it’s also the 7th most popular password of 2014, up from 16th the year before.

10th February 2015 is the 12th “Safer Internet Day” and we’d like to make it a day where people change their simple passwords for something much more secure.

Why is it important?
Every day millions of websites come under attack, ranging from simple personal sites to complex e-commerce sites and online email service providers.

Just think about your information that’s “out there” and what could happen if your business or personal security was breached.

What’s in your Gmail, Hotmail, Outlook.com mailbox, how valuable would that be to a cybercriminal? What if they hacked your email account and sent emails to your contacts and connections, as you, then tried to use your email address for more nefarious purposes?

How about if, after hacking your email account, they used your credentials to try to break into your bank account, your building society account, your credit card account  or use them to set up fake accounts that they can then use to steal your identity, borrow money in your name and have it sent to their bank accounts, buy products online that are delivered to them and billed to your address – the list goes on and becomes even worse if it’s business data that has been stolen.

Business bank accounts typically have more money in them with longer lines of credit, your servers may contain enough information for the cyber criminals to target your customers, there may even be ideas, designs and other pieces of Intellectual Property that could be sold or misused in a  variety of other ways, all to your disadvantage.

You know it makes sense to have stronger passwords but a lot of people, as evidenced by this list, obviously can’t be bothered – maybe they deserve what comes their way?

We don’t think they do, which is why I’ve published this blog post as part of “Safer Internet Day” and we’d ask you to review your password policy, both internally and personally and follow these simple tips and guidelines to minimise your risk.

What should you do?

Don’t use the same password on every site you log in to. Ideally, each site that you have an account with should have its own, unique, password. We know that sounds hard but it’s remarkably easy if you use one of the many, secure, password creation and storage sites such as KeePass, LastPass or PasswordBox. These will automatically create strong and unique passwords, save them in your databank and automatically fill in the boxes whenever you are on one of your sites that require secure access.

Many also come as Apps for installation on your phones and tablets so that you can always access the sites you need to, whenever and wherever you are.

They run in your browser so that you can access your passwords and other log-in data from any internet connected computer, at home or abroad, on holiday or business trip – just make sure you remember to log out if you’re using a public computer.

If you don’t want to use an App then make sure your passwords are at least 8 characters long and are comprised of a mix of UppEr cAse and loweR case, 1nclud3 a numb3r or 2 and m@ke use of spec!al character$ wherever possible. You can check the strength of your password at HowSecureIsMyPassword.

If you are concerned about any of the security aspects for your business, then send me an email, andy@enterprise-oms.co.uk or give me a call on 01793 238020 for a hack free, zero obligation chat and I’ll be delighted to see whether I can help secure your business from cyber criminals and make sure that you don’t become a victim, like Sony did at the end of 2014.

Not so Civil Servants

As the new inquiry into the Hillsborough disaster got underway a number of disturbing facts came to light.

One that hit the news late in April was the discovery that civil servants had been making “sickening” edits to a variety of Wikipedia pages, starting in 2009 – the 20th anniversary of the tragedy.

In one instance “Blame Liverpool fans” was added to the Hillsborough section of Wiki.

In 2012, computers again accessed Wikipedia to make edits from Whitehall’s secure network, changing “You’ll never walk alone” to “You’ll never walk again”.

Although Wikipedia has been able to identify the IP addresses used to make these edits, all this serves to demonstrate is that they originated from Whitehall – there’s no way to identify who, out of the hundreds of thousands of users on the network, actually made the edits.

Unless they own up, or someone else who knows who made the edits provides the names, it’s highly likely that the culprits will evade any action.

Similar problems exist within our education establishments. Thousands of incidents of cyber-bullying have been reported, with many posts being made by children of school age during school time, implying that they took place whilst the posters were on school premises – potentially using the school’s IT network.

Now there’s a solution. The latest security appliances from Cyberoam not only secure networks from external hacking and intrusion but enable IT managers to log all internet access, blocking sites with black lists, allowing sites via whitelisting and recording individual activity – enabling any improper web access to be traced back to the perpetrator.

If you are worried about the security of your IT network then please get in touch to explore the issues, discuss your concerns and find solutions. Drop me an email – andy@enterprise-oms.co.uk or give me a call, 01793 238020, for a free and confidential chat about your concerns.

123456 is not an exercise in counting

We are only 2 months in to 2014 and there have already been a significant number of major news stories about data theft and online security so I thought I’d round some up and give some tips that will help you to stay safe.

  • February 25th 2014, cyber security company Hold Security LLC said that it had uncovered 360 million sets of customer account data available for sale through cyber black-markets. These are new discoveries and represent a fresh risk to security.

Typical data includes email addresses, user names and passwords.

Hold Security LLC believe that these thefts are yet to be publicly reported by the organisations who were hacked.

  • February 14th 2014 Tesco announce that the details of more than 2,200 Club Card accounts were published on the internet and a number of Club Card points had been stolen.

It’s important to understand that Tesco has not been hacked. Rather, criminals purchasing data related to other security leaks will simply run email address and password combinations against websites such as Tesco’s Club Card site to see which of them work. A small number obviously do and have permitted unauthorised access to user accounts.

  • February 14th 2014 Barclays announce the theft of 25,000 customer files, including sensitive information such as passport and National Insurance numbers as well as account data.
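The reuse pattern described in the Tesco item above leaves a recognisable trace in a site's login log: one source trying many different accounts only once or twice each. The following detection sketch is an added example, not part of the original post; the log format, the thresholds and the function name are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data); the line format is an assumption.
SAMPLE_LOG = """\
2014-02-14T09:00:01Z ip=203.0.113.7 user=amy@example.com result=FAIL
2014-02-14T09:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2014-02-14T09:00:03Z ip=203.0.113.7 user=cat@example.com result=FAIL
2014-02-14T09:00:04Z ip=203.0.113.7 user=dan@example.com result=OK
2014-02-14T09:00:05Z ip=203.0.113.7 user=eve@example.com result=FAIL
2014-02-14T09:00:06Z ip=203.0.113.7 user=fay@example.com result=FAIL
2014-02-14T09:05:10Z ip=198.51.100.20 user=gus@example.com result=FAIL
2014-02-14T09:05:31Z ip=198.51.100.20 user=gus@example.com result=OK
2014-02-14T09:07:00Z ip=198.51.100.99 user=hal@example.com result=FAIL
2014-02-14T09:07:01Z ip=198.51.100.99 user=hal@example.com result=FAIL
2014-02-14T09:07:02Z ip=198.51.100.99 user=hal@example.com result=FAIL
this line is malformed and must be ignored
""".splitlines()

LINE_RE = re.compile(r"^\S+ ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def find_stuffing_sources(lines, min_accounts=5, max_avg_tries=2.0):
    """Flag source IPs whose login pattern looks like credential stuffing."""
    tries = defaultdict(lambda: defaultdict(int))  # ip -> account -> attempts
    wins = defaultdict(set)                        # ip -> accounts logged in
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ip, user, result = m.group(1), m.group(2).lower(), m.group(3)
        tries[ip][user] += 1
        if result == "OK":
            wins[ip].add(user)

    flagged = {}
    for ip, per_account in tries.items():
        attempts = sum(per_account.values())
        # Reused leaked pairs are tried against many accounts: wide and
        # shallow. One user mistyping, or guessing at one account, is narrow.
        if len(per_account) < min_accounts:
            continue
        if attempts / len(per_account) > max_avg_tries:
            continue
        flagged[ip] = {
            "accounts_tried": len(per_account),
            "attempts": attempts,
            "accounts_to_reset": sorted(wins[ip]),  # logins that succeeded
        }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The accounts listed under `accounts_to_reset` are the ones where a reused password worked, so they are the ones to lock and notify first.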

It’s going to get worse before it gets better!

How do we know? Well, a number of companies have looked at stolen data and it’s been revealed that the No.1 password in use during 2013 was “123456”. The No.2 password was “password”, No.3 “12345678”, No.4 “Qwerty” and No.5 “abc123”.

So how do you minimise the risk to yourself?

Well, it’s really easy – you just need to use a different password for every different website and account that you have. I know the message is old but it’s becoming increasingly clear that the message is not getting across and people are getting hit.

Of course, it’s challenging to remember the tens or hundreds of passwords that we use on a daily/weekly basis so you need a tool to make the task easier.

There are two popular approaches. The first is to use a Password Vault – a piece of software that runs on your computer/phone/tablet which securely stores all your vital information and, in some cases, can be used to produce a really strong password every time you need one. The second is to use a “Seed” word or phrase that you amend every time you need a new password.

For a seed you could think of a line from your favourite song, perhaps the first line of Bridge Over Troubled Water – “When you’re weary, feeling small” for example. Take the first letter from each word – Wywfs and substitute a letter with a number, 5 for s for example, so your seed is Wywf5.

Now let’s imagine that you want a password for Tesco. Take “Tesco”, substitute numbers for letters – T3sc0, split it and add the letters to the beginning and end of your seed, T3Wywfs5c0. Now you have a password that will take 6 years for an average PC to crack. Add a symbol, such as “!” to the end, T3Wywfs5c0! and it will take 4 million years for the average desktop PC to crack.

That’s your personal security dealt with. If you are worried about security for your business, I can help there too. To learn more please give me a call on 01793 238020 or email andy@enterprise-oms.co.uk to start the ball rolling.

PS. Just make sure that you have a remote wipe utility installed on your phone/tablet so that you can remotely erase the data should your phone be lost or stolen.