‘It won’t happen to us’ is SMB’s attitude toward security

The optimism bias, the belief that bad things only happen to other people, seems to be alive and kicking within UK small- and medium-sized businesses (SMBs). That is the disturbing conclusion that can be drawn from a new report published today.

That belief flies in the face of reality according to the new survey undertaken by the Ponemon Institute and commissioned by Faronics. Fifty-four percent of the respondents have experienced at least one data breach in the last year; and almost one in five have suffered more than four. But what worries Faronics is that the remaining 46% of SMBs seem to demonstrate a real lack of awareness of the financial and long-term damage that a breach can have on a company.

One of the problems, Faronics’ VP of product management, Dmitry Shesterin, told Infosecurity, is that “SMBs have a huge perception gap. People don’t usually pay attention until it’s too late and they have to pay the consequence – which is the core finding of the research in the UK.” Shesterin partially blames it on what he calls the FUD (fear, uncertainty and doubt) marketing of the security industry: users get astronomical figures on the cost of cybercrime from all sides, “and people just don’t believe it.” SMBs have difficulty rationalizing the warnings of £1 million cost for a single breach when their turnover is not much greater than that. But the research shows, he added, that breaches happen everywhere, “and it’s just a matter of time before it happens.”

What is surprising, he noted, is that despite (or possibly because of) all this FUD marketing, many of the SMBs don’t even use anti-virus software, which has been the first line of basic security for decades. FUD, it would seem, has had a negative effect: numbing SMBs against security precautions “and opening them up to attacks.”

Traditionally there are three reasons for the lack of security within SMBs: cost (security systems are too expensive to justify); capability (SMBs simply don’t have specialist infosecurity staff); and availability (most security systems target larger corporates rather than smaller SMBs). But, “the main reason I see,” suggested Shesterin, “genuinely and honestly, they do not care – they concentrate on business. The first thing that really jumps at me is that the SMB’s modus operandi for security is that it simply wants to be faster than the slowest person running from the bear.” So long as an SMB has minimal security, the attackers will go for the company with less security. “IT security is a necessary evil that needs to be done, but as cheaply and unobtrusively as possible – and primarily for regulatory reasons.”

A second problem that concerns Shesterin is that within SMBs it is not the IT department – nor any particular security understanding – that drives the security posture. “IT departments usually do security to get their CEO or CFO off their back. It’s not their own priority – they just do what they’re told. And they’re often told what to do because the business owner went to a trade show or has been talking to someone who is doing something and decides he should do it as well.” The implication is that what little security is done by SMBs is not necessarily the best security available.

The fact remains, however, that despite this head-in-the-sand approach by many SMBs, those same companies will be breached sooner or later – and possibly very soon. While disbelieving the FUD of some companies, SMBs are also ignoring the genuine costs of a security breach. The Ponemon research showed that the average cost of a breach to the SMB is nearly £150,000, and that it takes more than nine months to get back to normal.

“There really is no room for nonchalance when it comes to security strategies and it is completely irresponsible to assume the repercussions will be anything less than they are,” continued Shesterin. “Organizations need to know exactly what is at stake in order to readdress existing security practices and ensure they are as well protected as they can be.”

This article was originally posted on http://www.infosecurity-magazine.com

Creating strong passwords is easier than you think

Even with smartcards, biometrics, and other multifactor authentication solutions, everyone still uses basic name/password log-on combinations. Security experts always recommend "strong passwords." But what qualifies as a strong password? And how do you avoid creating a password so strong you can't remember it?

According to NIST (National Institute of Standards and Technology), a strong password should contain no fewer than 12 characters, a rule adopted by the U.S. government in 2007 and further defined in the U.S. Government Configuration Baseline. Admin passwords should be 15 characters. Readers may sigh at those lengths, but they've been the recommended minimum for half a decade. Anything shorter is not considered secure.

Sure, many people can and do use shorter passwords. But you should be aware that as you increase the length, you provide greater protection over time. An 8-character password may be fine for a few days of protection, but a 12-character password is generally thought to be long enough to provide protection for a maximum of 90 days. A 15-character password is often considered good protection for up to a year.

The myth of complexity
Most security guidelines also insist on character complexity, which usually means that the password must contain multiple character sets, such as uppercase alphabetic characters, numbers, keyboard symbols, and so on. As I've noted in the past, however, complexity is less important than length. A password of sufficient length can defeat a password guesser or cracker, whereas complexity adds significant value only when the complexity is random or near-random.

Typically, when users are forced into complexity, they use the same types of characters in the same places. For example, when people are required to create an 8-character password with complexity, most will choose a root word in their country's language, with an uppercase first letter (usually a consonant), followed by a lowercase vowel. If they use a number, it will usually be a "1" or a "2" and placed at the end. If they use a symbol, it will usually be one of a handful of characters placed somewhere in the middle, often replacing a letter with a similar shape: an @ or a zero to replace an "o," an exclamation mark for an "i," and so on.

Password attackers know this, and their password cracking tools are optimized to guess at passwords using these patterns. Several security experts, including myself, have analyzed large dumps of captured passwords and found the password patterns I've outlined above to hold true again and again.

For complexity to add significant value, the password must be truly unique and random -- something like %Tv4$H@.<P. But if it's that ugly, people will either write it down or never remember it. Unfortunately, most security auditors and regulations (including PCI DSS) require password complexity. For example, I use a financial website with a maximum password length of six characters, but complexity is required. It makes me want to scream! I'd be much better off with a password of Dogdogdogdog or Iforeverlovedogs.
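To make the length-versus-complexity argument concrete, here is an added Python example (not from the original article) that scores a password two ways: the keyspace a complexity policy assumes, and the much smaller search a cracker faces once the habits described above (capitalised root word, a trailing 1 or 2, @ or 0 for "o", ! for "i") are undone. The figure of 24 decoration variants per root word is an assumption of this example.

```python
import math
import re
import string

# Shape-substitutions the article describes; undoing them recovers the
# lowercase "root word" most users start from.
SUBSTITUTIONS = {"@": "o", "0": "o", "!": "i"}
# Assumed cracker rule set: 2 capitalisation variants x 3 suffix choices
# (none, "1", "2") x 4 substitution choices = 24 candidates per root word.
DECORATION_VARIANTS = 2 * 3 * 4

CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def char_classes(pw):
    """Which character sets a complexity policy would give credit for."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def naive_bits(pw):
    """Strength a complexity policy assumes: every position drawn uniformly
    from the union of the character sets present."""
    if not pw:
        return 0.0
    alphabet = sum(CLASS_SIZE[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet)


def root_word(pw):
    """Undo the predictable decorations. Returns the lowercase root if the
    password is 'word + habits', otherwise None (no cheap pattern found)."""
    core = re.sub(r"[12]$", "", pw)                       # trailing 1 or 2
    core = "".join(SUBSTITUTIONS.get(c, c) for c in core.lower())
    return core if re.fullmatch(r"[a-z]+", core) else None


def effective_bits(pw):
    """Strength against a cracker that knows the habits: a patterned
    password costs 26^len(root) * DECORATION_VARIANTS guesses; a password
    with no recoverable root keeps its naive score."""
    root = root_word(pw)
    if root is None:
        return naive_bits(pw)
    return len(root) * math.log2(26) + math.log2(DECORATION_VARIANTS)


def compare(pw):
    return {"password": pw,
            "naive_bits": round(naive_bits(pw), 1),
            "effective_bits": round(effective_bits(pw), 1),
            "patterned": root_word(pw) is not None}


if __name__ == "__main__":
    # "Passw0rd1" is a constructed sample; the other three are the article's.
    for pw in ["Passw0rd1", "Dogdogdogdog", "Iforeverlovedogs", "%Tv4$H@.<P"]:
        print(compare(pw))
```

Under this model the 9-character "complex" Passw0rd1 is worth about 42 bits to a pattern-aware cracker, while the plain 12-character Dogdogdogdog is worth about 61, and only the genuinely random %Tv4$H@.<P keeps the full credit a complexity policy assumes.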

Some people like to use special password-keeping programs, but I prefer to do something else that is faster for me. I use the same root password (let's say TadPole) in all my passwords, but vary the beginning and the end. One website may be 44TadPole44. Another may be TadPole32, and yet another may be AmazTadPole32On. I have a method to my madness, so the pre- and post-portions make sense to me for particular websites.

Thanks to the common root method, I can keep passwords to hundreds of different websites in my head. Because each password is different, if an attacker compromises one of my passwords on one website, my password commonality remains unknown. Even if they figure out I'm using a common password root -- heck, I'm telling them right here -- they'll have a hard time figuring out the right pre- and post-portions aligned with other websites. None of the currently available password tools can handle that type of replacement complexity when trying different password combinations.

Lie in reply to password reset questions
Just as important as a good, strong password is making your password reset questions unguessable. There are lots of stories (remember the Sarah Palin email hack?) where people who were not even true hackers did a little research and guessed a person's password reset questions correctly. In general, the effort needed to crack reset questions is an order of magnitude less than guessing the actual password. It's the weakest link.

Do what I do and don't answer those questions truthfully. When they ask you your mother's maiden name, the brand of your first car, or your birthplace, you are not obligated to provide correct answers. Instead, pick a common password reset answer for each website and use my password root strategy, remembering to vary the common root word or phrase so you can remember it and associate it with each website.

Anyone can end up with a compromised password. It happens. Websites get hacked. Ingenious, targeted phish emails fool the best of us. But if you follow these recommendations, you can reduce the risk of successful password hack attacks.

One million Facebook users' names and email addresses: $5

Does this surprise anyone? Any data you put online is PUBLIC and can be used for whatever purpose. This is not illegal and will continue. The end user must stop trusting online services to safeguard their data and take these measures into their own hands, something we refer to as PERSONAL RESPONSIBILITY. As much as companies such as Facebook depend on your valid information to survive as a company, they are not acting in your best interest! An "official" warns users not to use real information online.

Name and email addresses of Facebook users are available online at prices as low as $5 per million.

The dodgy trade was uncovered by Bogomil Shopov, an internet marketeer and blogger in the Czech Republic. Shopov said he approached the social network about the problem. He said Facebook asked him to forward and then delete the data, which came in the form of a compressed spreadsheet. Facebook representatives also wanted to know where he'd bought the data and what payment systems were used, he said, adding that he had been happy to answer.

However, the Czech blogger said he objected to requests he says were made by the Facebook representatives to keep his conversations with them about the matter a secret. He said Facebook told him it was running an internal legal investigation but dragged its feet when it came to promising to advise users about how to avoid their data ending up in the hands of unscrupulous data brokers. "I asked if it was possible to tell what the problem was, after they finished the investigation, so that the users could protect themselves, but they emphasised that it would be an internal investigation and they would not share any information with third parties," Shopov wrote in an updated blog post.

Shopov suspects the Facebook data, which contained Facebook profile URLs as well as email addresses and names on users of the social network, came from a third-party developer. Shopov said ads advertising the sale of the data were pulled soon after he tipped Facebook off about the issue. The Czech blogger was able to verify that at least some of the email addresses contained in the list were accurate.

Although internet services marketing site gigbucks.com has removed the offending ad, it can still be viewed via Google cache here, Ars Technica reports.

Shopov told El Reg that other sites are offering Facebook data for sale. "I know two so far and it seems the part of the data is (was) available in a post in Facebook," he said.

In a statement, Facebook said early indications were that the data was scraped from its site before being bundled with other information and sold online, probably illegally.

Facebook is vigilant about protecting our users from those who would try to expose any form of user information. In this case, it appears someone has attempted to scrape information from our site and combine the information with data publicly available elsewhere on the web.

We have dedicated security engineers and teams that look into, and take aggressive action on reports just like these. In addition to the engineering teams that build tools to block scraping we also have a dedicated enforcement team that seeks to identify those responsible for breaking our terms and works with our legal team to ensure appropriate consequences follow.

We continue to investigate this specific individual.

Shopov told El Reg that he didn't believe the data was scraped from Facebook. Whoever is behind the scam can expect to face sanctions from Facebook, up to and including the possibility of criminal prosecution.

Thriving trade in black market likes

In other Facebook-related security news, Imperva warned that it had uncovered a bustling trade in social network fraud on an online black market it monitors. The 250,000-member hacker forum plays host to a thriving black market for buying and selling illegitimate social network "Likes", followers, and endorsements, with particular attention given to the origin of these Likes and followers.

"Likes and followers can be used to gain rank, win competitions, and many other causes that can often be translated to monetary profit," Imperva explains. "Many forum discussions contain requests to buy Facebook friends and Likes, Twitter followers and other types of social currency. There are, of course, many who are willing to provide the service, for variable prices."

A thousand Facebook Likes can be easily purchased for $10 or less, with discounts for bulk purchases.

Unprotected backdoor into industrial control systems

A software tool that is used to program the programmable logic controllers (PLCs) used in much of the critical infrastructure contains an unprotected backdoor that could be used by hackers to access any such device that has an internet connection.

PLCs are used in factories and control rooms to drive the machinery that drives the economy. Many are programmed in the ladder logic programming language. As with all software, this code periodically needs to be updated, changed or amended. This is often achieved via the CoDeSys software. The CoDeSys Programming Tool is free from Smart Software Solutions, and can be used for any industrial controller that has the CoDeSys runtime kernel installed. “This proven tool which is already in use by more than 300 OEM customers worldwide acts as a development environment for CoDeSys SP thus ensuring high user stability and safety,” says Smart Software Solutions.

But security researcher Reid Wightman, now with ioActive, says CoDeSys contains a backdoor that grants a command shell to anyone who knows the correct syntax. “There is,” he says, “absolutely no authentication needed to perform this privileged command.” 

It was access to the PLCs that allowed the Stuxnet attack on the Iranian nuclear facility – an attack that is generally considered to have caused severe damage that disrupted the Iranian nuclear program for many months. However, since the CoDeSys programming tool is free, it could be downloaded from Smart Software Solutions and used to remotely hack into any industrial controller that is internet enabled.

According to Ars Technica the supplier has recently issued an advisory recommending that users set a password, but Wightman says the advice is ineffective because it only protects code changes, not the backdoor. “As a result the hackers can easily circumvent the password protection without knowing the current password by using a backdoor shell command.”

It would be no understatement to say that the security industry is aghast. “It’s depressing that we're still seeing evidence of a gulf between ICS supplier thought processes and security-aware thought processes,” ESET’s David Harley told Infosecurity. It’s as if people think security only applies to consumers and big companies with secrets to steal, but isn’t relevant to critical installations. “It's the 21st century,” he added. “The online world has crept into all sorts of unexpected nooks and crannies.”

Trend Micro’s Rik Ferguson is of the same opinion. He told Infosecurity that this is “yet another example of the two important failings surrounding SCADA implementations: firstly that too often these systems, or important components of these systems, are not designed with security in mind – they are designed from the mindset that security is someone else's problem; and secondly, systems and networks that should never be connected to the public internet for reasons of security are often connected in exactly that way for reasons of convenience.”

“If any system suffers from [such problems] then it is clear that a thorough security audit has not taken place, and should be undertaken as a matter of priority - however inconvenient it may be,” adds Graham Cluley of Sophos.

The only short-term solution is the inconvenient disconnection of all ICS from the internet – but it’s still worth remembering that Stuxnet leapt from the internet to a disconnected Iranian control system.

Government official advises users to use a false name online

There’s a row brewing in the UK after a senior security official at the Cabinet Office advised users to provide false personal information to websites such as Facebook. Opposition MPs and Facebook are not amused.

Andy Smith, in charge of security for the largest public services network in Europe, told the 2012 Parliament and Internet Conference yesterday that users should only provide their true personal details to trusted websites – such as government sites where they must and large commercial websites where they should. His concern is that criminals collate different scraps of information from different sources to compile an extensive dossier on targets, which they can then use for targeted phishing attacks and identity theft (see Jester’s warbag for confirmation on how easy this can be). Since surveys show that large numbers of users do not trust Facebook with their privacy, he is by implication suggesting that users give false details to Facebook.

Helen Goodman, opposition MP for Bishop Auckland, was “genuinely shocked that a public official could say such a thing.” Her view seems to be that anonymity leads to crime. “It is exactly what we don't want. We want more security online,” (which is, of course, precisely what Smith is suggesting will come from anonymity). Goodman’s concern is about the sort of anonymous cyber-bullying that led to the suicide of Amanda Todd, but she goes further and suggests that anonymity actually promotes such bullying.

According to the BBC, Lord Erroll, chairman of the Digital Policy Alliance, backed Smith’s comments. “He said he had always given his date of birth as ‘1 April 1900’.” 

Ed Vaizey, the Culture Minister, was more circumspect. He “wouldn't encourage people to put false identities on the internet,” but would rather “work with Facebook to ensure people feel secure using those sites and that there is not a threat of identity theft.” Facebook is less circumspect. Simon Milner, Facebook's head of policy in the UK and Ireland, “told the audience of industry experts and MPs he had a ‘vigorous chat’ with the Cabinet Office official afterwards to persuade him to revise his view.”

The issue is one that has been discussed by Sophos many times in the past. Graham Cluley feels no moral obligation to tell the truth even if a website’s terms of use demand it. He refers to a case where “a British man... was jailed after stealing £35,000 (approximately US$ 55,000) from his neighbours' bank accounts with help from personal information they had posted on Facebook.” Even though Facebook demands the use of true personal details, he adds, “Facebook and other sites like it have no way of verifying that you did tell the truth. They won't like me much for saying it, but why risk sharing too much personal information?”

Cluley’s advice is to lie about your date of birth, make up your mother’s maiden name and your pet’s name and the first street you lived on... On balance, he concludes, “I think we all need to be more careful about the information we share on the web - and realise that sometimes a little fibbing and reticence might go a long way to a safer online experience.”

Researchers Find Android Apps Leaking Personal Data

WHY WOULD ANYONE USE A FREE BANKING APPLICATION ON THEIR PHONE? Is it more convenient? Using your phone with FREE applications is absolutely discouraged, especially for something like a banking application. These industry-specific applications are a natural target, and the benefit of using such an “app” does not outweigh the risk. Simply put, do not use your phone to log in to your bank!

Information such as bank account details or other important personal financial data could be leaking from insecure Android apps, according to researchers from Germany’s Leibniz University of Hannover and Philipps University of Marburg.

The teams identified 41 insecure apps from Google's Play Market that have been downloaded up to 185 million times. The scientists said they could gather bank account information, as well as PayPal, American Express and other payment credentials.

Ars Technica explains in detail that the findings underscore the fragility of the SSL and TLS protocols which are the foundation of almost all encryption between websites and end users. The problem appears not to be the protocols, but the way they are sometimes implemented.

The scientists began their research by downloading 13,500 free apps from Google Play and subjecting them to a “static analysis.” Those tests checked whether the SSL implementations of the apps were potentially vulnerable to “man-in-the-middle” exploits, in which attackers are able to monitor or tamper with communications flowing over public Wi-Fi hotspots or other unsecured networks. The results identified 1,074 apps, or eight percent of the sample, that contained “SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks….”

The paper lists a variety of ways SSL protection can be improved on the Android platform. One is for the type of static analysis they performed to be done at the time a user is installing an app. Another is to use a technique known as certificate pinning, which makes it much harder for an app or browser to accept fraudulent certificates like the ones used in the study. The researchers also recommended Google engineers develop new ways for Android to make it clear when the connection provided by various apps is encrypted and when it’s not.
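As an added illustration of the static check the researchers describe (example code written for this page, not the study's own tool, which analysed app bytecode rather than source), this Python scanner flags the two habits quoted above in Java source text: a TrustManager whose checkServerTrusted does nothing, and a HostnameVerifier that always returns true. Both sample fragments are constructed; in the pinned variant the sha256 helper and PINNED_SPKI_SHA256 constant are assumed names.

```python
import re

# Patterns for the "accepts all certificates or all hostnames" code the study
# describes. Assumption of this example: we inspect (decompiled) Java source
# with regular expressions rather than Dalvik bytecode.
RULES = [
    ("TrustManager accepts every certificate (empty checkServerTrusted)",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}")),
    ("HostnameVerifier accepts every hostname (verify returns true)",
     re.compile(r"\bverify\s*\([^)]*\)[^{]*\{\s*return\s+true\s*;\s*\}")),
    ("ALLOW_ALL_HOSTNAME_VERIFIER in use",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
]

# Constructed sample 1: the accept-all code shape the study flagged.
INSECURE_SRC = """\
public class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) {}
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
};
"""

# Constructed sample 2: a pinning check of the kind the paper recommends.
# sha256() and PINNED_SPKI_SHA256 are assumed names; a real implementation
# also runs the platform's normal chain validation before the pin test.
PINNED_SRC = """\
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    byte[] spki = chain[0].getPublicKey().getEncoded();
    if (!Arrays.equals(sha256(spki), PINNED_SPKI_SHA256))
        throw new CertificateException("certificate pin mismatch");
}
"""


def scan(source):
    """Return (rule description, 1-based line number) for every match,
    ordered by line."""
    findings = []
    for desc, rx in RULES:
        for m in rx.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((desc, line))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for name, src in [("insecure", INSECURE_SRC), ("pinned", PINNED_SRC)]:
        print(name, scan(src) or "no accept-all code found")
```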

Ars Technica ponders why only Android apps were tested and suggests it might be because of the closed nature of the competing Apple iOS platform which would make analysis harder to perform.

A copy of the paper “Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security” is available for download (PDF).
