Blog

This is the Blog of the technical experts at GEN and its companies

Just Don't

I've just returned from a new customer who has experienced a serious data breach and the ensuing blackmail and extortion that follows. We were introduced to this customer by recommendation after they were contacted by an unknown third party asking for money to return their confidential data and of course supplying proof in the form of attachments. The nature of the clients business is such that the confidential data, if in the wrong hands would present a significant risk to the business hence our involvement. So, not wanting to name any particular company, the previous 'supplier' of our new clients IT seemingly had no idea about security and probably wouldn't know a risk assessment if it hit them in the face and that annoys me, not only because we come across this situation on a very regular basis but because there's really no excuse for putting a companies very existence at risk by simply not understanding the sector in which you operate. In any industry there will always be suppliers who know the industry and those who don't but in IT the actions of one supplier can very literally mean the end of their customers business as potentially in the case that prompted this article. 

Start with this question, what is your data worth to someone else? If you sell washing machine spares, then its worth money to your competitors and the pain will be felt gradually as you loose customers for unknown reasons, but if your a solicitors, a financial organisation, a doctors, the value of the data goes far beyond its monetary value, there's the exposure, the embarrassment and the compensation that would ensue along with sanctions from regulators and so on. 

So, I will try my best to educate customers in what is and is not a good idea when considering IT and security. I have a list which isn't exhaustive but certainly covers some of the main issues...

  • If you have an internet connection, NEVER EVER under ANY circumstances connect a cheap Chinese router to your LAN. So if for example you have an internet service from BT and they supply you a cheap Huawei router, then never connect that directly to your LAN, just don't. These devices are cheap as chips and have about as much security as a paper bag. They are easily compromised, have absolutely no outbound security and their firewall is laughable, but they aren't supposed to be connected directly to your lan in most cases they are 'residential' quality and as a business your expected to understand the risks and mitigate them by either replacing them with a competent router or simply connect them to a separate security appliance. But trust me on this, just don't connect it to the lan, ever. 
  • Local services, and more specifically if you have a local (in your business) web server, or email server, then under no circumstances allow it to be connected to the internet directly. This is bad on so many levels, many of which are quite technical, but the key point here is that *IF* you allow it to be connected directly to the internet, then you have of course got to allow the internet into your network as communication is a two way process. This is the very attack vector (method of the data breach) that was used in the incident that prompted this article. The clients 'IT' supplied setup Microsoft exchange on a server and then opened ports on the cheap router which was directly connected to the LAN. The server was quickly compromised and whilst it was used to originate spam the hackers also vectored out from there to the company's NAS and downloaded the entire thing, how? well because the administrative account on the exchange server was the same account/password as the admin account on the NAS - seriously.
  • Never rely on free or bundled antivirus, and never on 'windows defender', they DO NOT STOP ANYTHING. A good antivirus solution will protect your network and its endpoints to a degree, but it can never be 100% no matter how much you spend. Our AV solution comes out at £2 per month per machine and includes support should you experience a virus event and require it which is also an important provision. But be aware that an antivirus solution will not protect you from poorly designed, poorly implemented network security. 
  • Never rely on the poorly implemented and weak VPN services built into cheap routers, just don't. PPTP is so weak it should be considered unusable. There are far better solutions for VPN and having a dedicated vpn appliance, or having it combined with your security appliance is the best option. Better still is to use a secure access service such as SAS or Juniper SA etc. 
  • Never install applications such as teamviewer, radmin, vnc etc, these applications will create tunnels through your weak firewall to the internet which are persistent (always there) and these can easily lead to additional attack vectors especially when combined with social engineering techniques. A good firewall will not even let these programs run and block them by default. If you do need remote access then use a secure VPN method as above. 
  • Wireless, when setup correctly can be very useful, but when setup poorly presents a significant risk to the business. This is of course because wifi isn't just in your office, its outside in the street, next door, other floors and cheaper wifi equipment has flaws that can be exploited to determine the wifi password and associate with the access point. Even more effective are social engineering techniques to gain a wifi password, and of course there's always Microsoft's wifi sense password sharing endeavour which we talked about before. So stick with high end Wifi access points, have centralised management and oversight, use WPA2 with TKIP or AES encryption and use mac based security as a second level of protection. 
  • Ports or not Ports; Almost all businesses have Category 3, 5, 7 or 8 cabling throughout, and these terminate at the wall with RJ45 jacks and that's great because this is where you plug your computers and phones into, but managing the availability and security of these jack points is a critical concern. Consider this scenario.... a business has cat5 throughout the offices including reception, canteen, locker room etc. A person pretending to be a potential customer enters the premises and whilst no one is paying attention plugs a small device no bigger than a thumb drive into a vacant cat5 port then leaves. You might think that'll never happen but I can tell you in the IS audits we do for our clients it HAS happened and will continue to happen. The device that is connected is a small battery powered wifi access point that doesn't broadcast its SSID (network name). With this the 'visitor' can, from the car park find a local IP address, and then initiate a network scan for services such as email, files and so on. With a little effort and some automated software a selection of attacks can be performed and if successful, systems and data compromised. The nice person who perpetrated this crime will then upload some software which opens a connection through your firewall to a remote server and waits for instructions. Everything from here onwards can be done from anywhere in the world and there is very little anyone can do to track this down. This is becoming an effective attack vector and awareness is the key. Don't have any ports live that don't need to be, have managed switches and allow lists by mac and some form of intrusion detection either in the security appliance or separate. 

The bottom line here is that any IT infrastructure should not in any way directly connect the public internet to your local network and likewise your local network should never directly connect to the public internet. This one is simple.

More challenging is making staff aware of vulnerabilities in your infrastructure and how to detect, and deal with them. We've touched on social engineering above but this is becoming more and more common and whereas you might be very good at spotting spam or fishing email's, suspect phone calls from 'it support', or are aware of the possibility of rogue devices and subversion, is everyone in your organisation?  in this modern world they need to be, through both training and auditing. No matter how secure your network is, with its expensive firewalls and security appliances, it only takes one member of staff to bring the whole thing crashing down - Staff are and will always be the biggest risk to any organisation, but trust me on the crappy router. 

Continue reading
  2333 Hits
  0 Comments
2333 Hits
0 Comments

Counterintuitive Security from Apple

Counterintuitive Security from Apple

I'm sure everyone likes to think their data is secure, and when you work closely with numerous apple devices then you'll know how important it is to keep the information they contain secure, but there's a fine line between effective security and counterintuitive security.

Apple, once renowned for their security have crossed that line to such an extent that my strong alphanumeric password has been replaced with a short easily typed one just to mitigate the amount of time each day I have to spend re-entering it. Update some App's = Enter your password, Share Photo's = Enter your password, reboot the phone = Enter your password, download a free App = Enter your password, often several times and that's just the daily annoyance, added to which is "Your AppleID has been disabled for security reasons", "Your iCloud Session has expired", 'Verification is required","Your account has been accessed from another computer or device" or some other meaningless message that just wastes more of my precious time.

Can I turn this off = No. The only way around it is a simple, easily typed password. I once found that my contacts that I'd entered on my iPad weren't syncing to my iPhone which was extremely annoying as I really needed one of the contacts whilst I was out and can you guess why? Verify your iCloud password on the iPad. It doesn't say, verify it or I'll just stop syncing everything but I suppose I should have assumed as much. 

Then of course after this message appears, your @icloud email suddenly stops working with something like "Login to server imap.mail.me.com failed." perfect. Now what are you supposed to do ? Unlock or Change the password again, via the long winded and time wasting password reset process at iforgot.apple.com? Yep. then what, well then you have to re-enter the new password on your iPads, iPhones, Macbook's and so on. I've stopped using my @cloud.com email now just to avoid one more annoyance. 

I did a little verbal survey in the office here of no more than 10 heavy Apple users, and not one person had a sensible password for their apple ID for the very reasons above. We all have to deal with this nonsense on a daily basis and it wears you down. 

So how much is too much? Well that's simple - anything that meets the criterial of ANNOYING is too much and that's every time for me. When I first turn on my device then fine, good idea. confirm the password, but then just REMEMBER IT! How hard can that be seriously? If some people want to have to re-enter their Apple id and password 20 times a day then let's have a setting for that so the rest of us can TURN IT OFF. I don't like having a weak password and it gives me a bad feeling but I simply cannot cope with the constant stupid pointless requests for the same password over and over again.

 

If you own a Macbook you'll be more than familiar with stupid dialogues popping up hourly like...

 

and even more annoying....

and Finally something like this...

The issue with repeated pointless requests for your password and the security code from your credit card (which I now have to write down in my wallet because apple asks for it that often) is that it just becomes a learned behaviour and when something asks for it you just put it in, don't even look to see what's asking anymore, just type it in. That's where counterintuitive comes into this sad story, you get so used to being harassed for your password over and over again that you'll type it into any dialogue asking for it without even thinking about it. On the other hand, if you had to enter it only once when your phone first turns on, then a random request for your password would immediately raise suspicion. This is why the Apple way is the wrong way to go about security. I've absolute confidence that I could write a program that would randomly pop-up a fake "verify your iCloud password" dialogue and everyone would just type it in without a second thought. I'm not going to, but I could, and If I can then so can anyone else is the point I'm trying to make. As I'm writing this article, an email has just arrived below (I've changed the email address)...

  

Your Account - xxx@gen.net.uk

 

*Resolution Verification Request:* #TI8CHG10918-ID92

*Date:* 14 - October - 2015

 

--------------------------------------------------------------------------------

 

*PLEASE PRINT THIS MESSAGE FOR YOUR RECORDS - PLEASE READ THIS MESSAGE IN FULL.*

 

Our users security means everything to us. That’s why we are contacting you 

today in reference to your Apple Account xxx@gen.net.uk with us. The Apple 

Privacy Policy was updated on September 17, 2014 and now requires members to 

update the information we hold on them because of changes to our KYC (Know your 

Customer) terms and conditions.

 

We tried to contact you on 2 previous occasions to confirm this information 

before the deadline on the 17th of September and did not acknowledged a 

response. This will be the final email before termination of your iTunes ID 

within the next 48 hours and all associated data.

 

Please follow the link provided to your profile.

 

 >>> Validate My Apple/iTunes Ownership 

 

 

Regards,

Apple Help

 

This is an automatically generated email – please do not reply to it.

*Copyright © 2015 Apple Inc.

3 Infinite Loop, MS 11172-DM, Cupertino, CA 93151.*

 

Now, I'm smart enough to know that's a scam just trying to obtain my AppleID and password, but I wonder how many people will just click it as they have done over and over again because its a learned behaviour. I doubt if we'll even know but I hope I've made the case? If it makes YOU think about it then my job is done. 

 

How many people have received another stupid apple message like 

When of course this isn't a new computer or a new device, its the same device you've been using for the last 3 years, but nevertheless your forced to re-enter your payment information, again and again. How counterintuitive is that? If your just used to Apple making the same stupid mistakes over and over, then no one every pays attention to the pointless email's they send out about 'a new device used xxx', you just assume its wrong like as usually it is. But if the Apple framework actually worked and it only produced these messages when a new device was used with you apple ID then that would actually be useful wouldn't it. 

 

Maybe I, and the rest of the office are alone on this one and everyone else in the world thinks its a good idea to have to re-enter your password and payment info again and again, tell me? comment and let us know? 

Where did the Apple go where everything just worked? Does anyone even remember that Apple ? I do! 

 
Continue reading
  3865 Hits
  3 Comments
Recent Comments
Guest — Ashford
YES!
Wednesday, 14 October 2015 15:16
Guest — Brian
You make a good point sir and I'm glad I'm not alone! I don't know why Apple has password crazy but it does make it an automatic b... Read More
Friday, 05 February 2016 15:29
Guest — smonkford
Well, i found my way here because the ipad i've been using for the last 24 months has suddently decided that my account has been a... Read More
Wednesday, 19 April 2017 20:56
3865 Hits
3 Comments