Should you trust public wireless internet?

Don’t let me get bored. Ever. I tend to do things I probably shouldn’t. Sometimes it’s harmless like acting a bit quirky to get a laugh or a reaction, other times I’ll just casually scan an open network looking to see whether the IT guy has a clue or not.

This is a story about one of those times. The latter of the two.

A few months ago I attended a conference at a fairly well known venue on the Gold Coast. They had a bunch of speakers talking on various topics and when one of the presenters started talking about cash-flow management my attention span went flying out the window.

Maybe I’ve been spoilt by too many truly engaging speakers, but it does seem like this is one subject matter most fail to deliver in an engaging way.

ANYWAY. I’ve got about 5 1/2 minutes before the next speaker to kill and realise that the venue offers a free guest WiFi service. “HAZZAH! This should kill a few minutes!” I think to myself.

So I sign my mobile phone onto the wireless network and quickly open up my trusty network discovery tool to see if it’ll show me anything.

Let me stop here for a second and explain a few things.

Firstly, the tools I use are publicly available in the Google Play (Android) store. They are not some special hacking or penetration testing software. You can download them too. I use Wifi Analyzer and Network Discovery. Enjoy.

Secondly, a guest wireless service should enforce a few basic security features.

  • Captive Portal. A captive portal is a system which forces you to a web page to authenticate in some manner to get access to the internet. You will see one every time you visit a hotel, the Qantas Club, or wherever some form of guest WiFi service is available – free or charged.
  • Client Isolation. Client isolation blocks access between devices on the wireless network. Effectively no device can see another. This stops one device from trying to ‘break into’ (or infect) another device on the network, or perform simple man-in-the-middle attacks by telling every other device on the wireless service that ‘it’ is the router.
  • Restrict Access to Infrastructure. No client signed onto the wireless network should be able to see any of the businesses infrastructure other than the captive portal website and the internet itself. No access to the router, wireless access points, switches, servers, etc etc.

So with all this in mind, let’s continue…..

My network discovery comes back and there’s about 50 or 60 devices on the network. I take a closer look and realise that some of the devices are mobile devices and laptops signed onto the network, but that’s not all. I can see the network switch managing the network and a bunch of other pieces of infrastructure.

This is wrong Dave!!

If I wanted to be malicious I could have launched a simple ARP-based poisoning man-in-the-middle attack which would have tricked every device on the network to think I was the router, pushing all their internet access through my mobile phone (yes, my mobile phone!!). This in turn would have let me collect a dump of all internet access on that network and with a small amount of effort I can guarantee I would have obtained someones username and password for an email account or some system they used that wasn’t properly secured.

But I’m not a malicious person. Instead I took a bunch of screenshots of what I found and searched for the General Managers details. I found them on his current IT providers website (in the testimonial section), searched his name on LinkedIn and sent him an email outlining what I’d found. He in turn forwarded the information to his IT Guy, who then promptly fixed the problem. Or at least, that’s what he told me. I haven’t been back there to see if the problem is fixed.

I don’t want to point fingers, but I had to laugh. Shortly after I reported the security issue I noticed the IT provider had updated their website to offer “Security Audits”….

ANYWAY. This a prime example of why using free wireless services is dangerous. We talk about hackers setting up fake wireless networks, but this was the venues own service and it was completely open to the world.

In this particular instance it was a fairly prominent venue, which means there is an intrinsic expectation of ‘trust’ we give them. Trust that their infrastructure is secure. Trust that we are safe.

How long had this problem existed for? I don’t know. Since whenever the wireless service was installed or upgraded, or whenever the last technician made changes to it. Who knows.

Do I think someone could have already exploited this problem? Quite possibly.

Should the venue notify guests that their security could have been compromised? That’s a really tough call. But if we change the question to “Would I want to know if my security was potentially violated?”, I would hazard the answer would be a resounding “YES!”.

What can you do?

  1. Don’t just sign on to every public wireless internet service because it’s there.
  2. Make sure that every account on your devices uses encrypted communications.
    1. If you’re using older style email services like POP and IMAP, use POPS over POP, IMAPS over IMAP, SMTPS over SMTP.
    2. Don’t enter account details into unsecure websites (HTTP).
  3. Don’t sign on to a public WiFi service because it’s there. Yes I’m repeating myself. You have data on your phone!!!

And don’t just trust that every IT guy out there knows about security. If your business is in the spotlight, get an external contractor to pentest (Penetration Test) your environment regularly and make sure you’re not being lulled into a false sense of security. The ramifications of this particular issue could have been monumental.

Your Anti Virus Won’t Save You Now…

In the last week, two of our clients got hit with the latest variant of CryptoLocker. CryptoLocker (and it’s variants) is the notorious malware that encrypts all your data and holds the decryption key to ransom, sometimes for thousands of dollars.

There is no way to decrypt the data. The malware will scan your personal computer first, appearing to start with your Desktop, working through your My Documents folder and then scanning through any mapped network drives you have. This all appears to be done in alphabetical order. (This is based on our observation of the two incidents.)

If you get hit, you have two options – restore from a backup, or pay the ransom!

The scariest part of all this is that one of these clients had implemented a good anti virus program on every computer, all emails go through a cloud based spam and malware filter, and they have an advanced firewall that scans all internet traffic for malware.

The good news is that this client also had our Back-Up and Disaster Recovery (BUDR) solution in place, which backs up their data every hour – so it was a trivial matter of restoring their data to the hour before the incident; although the time between infection and data restoration was 4 hours. Half a day of business that was lost, which could have otherwise been avoided.

How did this virus get in?

The 2nd client told me she had received a speeding infringement in her email, and even though she was dubious – she clicked it.

Ironically as I sat down to write this email I got a notification from our spam filter that an email from the “Australian Federal Police” with subject “Driving infringement notice” had been held in spam, I like to live on the edge, so I went ahead and released it from the spam quarantine so I could take a closer look.

NOTE: Don’t try this yourself. I used an isolated computer in a quarantined network. And this is the email that hit my Inbox shortly after.

It looks rather legit, although if you look closely the Engrish isn’t great and some of the words are spelt wrong. (“You’ve got been recently given having a drive intrusion” and at the bottom “Austrlian……”)

Taking a deep breath and clicking the link brought up the following website.

And lo and behold, entering the captcha (it actually did check to see if it was correct) allowed me to download a ZIP file called notice_262897.zip, which contained a single file. The file inside the ZIP archive has a display icon that mimics the icon used by PDF documents (Adobe Acrobat/Reader).

And here’s where the wheels fall off the cart….

At some point in the last 10 years, Microsoft wanted to make Windows “tidier” and thus hides the extensions of “known file types” by default. We as Users are so used to identifying a file type by the little picture, and this little sucker preys on that.

With “show file extensions” turned on, we realise that this PDF is not a PDF, but actually an EXE (Executable Program File).

And because I’m crazy like this. I ran it.

And sure enough, CryptoLocker strikes!

I didn’t have much on the computer, but whatever data files I had (Word, Excel, ZIPs, PDFs, etc) were all now encrypted (extension .encrypted). Attempting to rename them didn’t resolve the issue.

That computer has now been blown away. I don’t trust that the malware didn’t install something in the background to come back and attempt further malicious activities.

Why are we losing the war on modern threats like CryptoLocker?

I was at the Queensland Police “Fraud & Cyber-Crime” symposium last year and got chatting to an Iranian white-hat hacker (they’re the good guys). He basically told me that anti virus software as we know it is useless to modern attacks.

Why is that?

Cyber-Crime, the billion dollar industry it is, sells software that allows cyber-criminals to create new variants of the virus/malware at every run. The problem here is that even if they only created one new variant every 24 hours, for your anti virus to be able to detect the threat, the virus companies have to get their hands on a copy of the virus, analyse it, identify it’s unique signature, update their anti virus databases, AND THEN your computer has to download those updates.

That process generally takes longer than 24 hours, even if your anti virus software updated itself every hour.

So by the time your computer can detect the threat, it’s already been changed several times over. It’s a never ending game and you, the end user, aren’t going to be the winner.

That’s the first problem.

The second problem is that these attacks prey on our fear.

Since when did the AFP send out traffic infringement notices? I’m not intending to make you feel stupid. The bottom line is that the people sending out these attacks are extremely clever and they have worked out that if they focus on people’s fears they will get a better hit rate.

My own accounts lady got a number of emails that appeared to come from ME, asking her to organise a wire transfer. When she hit reply the return email address was [email protected] (not @insane.net.au). She very nearly replied to the email, except she was quick enough to notice the email address had changed!

So how do you protect yourself against modern threats like CryptoLocker?

You can have all the advanced defenses in the world – anti virus software; anti malware software; email filtering; internet scanning/filtering firewall; even lock the computers down so no one can change a thing or install anything and yet these threats can still hit you.

The #1 defense in this war is Education.

Your team need to better understand these threats, where they come from, how they target them, and how to work more safely.

We can help you with this. We can provide your business with a group training session designed to educate you and your team on these threats, how they attack you and how to be more vigilant. And this is information you can then go on and help educate your own clients with – which helps raise your profile as the “Trusted Advisor”, which is especially valuable in Business 2 Business relationships.

If you’re interested in a group training session for your business on the topic of Computer Security, give us a call on (07) 5539-6116. Group sessions are $240ex per hour and must be booked in advance.

What about the fundamentals? Do we still need anti virus?

Even if modern threats are not detectable by current anti virus software, there are still a lot of viruses, malware and spyware that cause problems for your computers that are detectable, by so no means should you give up on having the best protection you can afford for your business.

Our best practice for our clients is to have:

  • Up to date Anti Virus software on every computer.
  • Unified Threat Management (UTM) firewall scanning all internet traffic, limiting Internet access to approved, work related websites. (And blocking access to anything that is unknown or not approved!)
  • Spam and Virus filtering for Email.
  • Show file extensions for ALL file types and educate your team on what each of them means!
  • Block access to staff installing software themselves.
  • Block access to staff making changes to their computers.
  • Block access to USB sticks (Yes, I know everyone uses these for real business reasons).
  • Block ZIP, RAR, EXE, VBS, TAR.GZ and other email file attachments.
  • Use DropBox* or some other system to transfer files to and from clients/other businesses.
  • A reliable backup strategy that will allow you to recover your files quickly in the event of an outbreak.

And if you get hit, TURN THE COMPUTER OFF IMMEDIATELY.

Don’t leave it sitting there. Most of these attacks install other malicious code that try and use your computer as a launch point for their next attack, or leave something around that they can re-activate later or use in a BotNet to launch a distributed attack on someone else.

NOTE: The other day I got sent a link to an attachment that was hosted by a DropBox account. The file was a ZIP file, with an executable program in it. I didn’t run this one, but my money is on it being another threat.

If you’re wondering how protected your business is, give us a call on (07) 5539-6116 and we will come out and provide you with our proprietary 90-Point Network Assessment, which looks at all aspects of your business technology, and not just the physical equipment!

Importance of spyware removal and protection on a business network

Spyware:

Spyware is a program that installs itself into the hard drive of a user and obtains and transmits information about the user’s activities.

Some of the commonly known spyware are

  • Keyloggers
  • Trojans
  • Botnets

Spam, Ads, Popups:

While it isn’t necessary harmful, it does affect the performance of the system. Also known as adware, their presence isn’t welcome in a business network leading to a slowdown and poor business output.

Expert Help:

These ‘creepy crawlers’ can cause data theft and network problems. In any security arrangement, protection against spyware is instrumental for smooth functioning of the system. Hiring an IT support firm well-versed in security issues is always the right call.

Basic Safeguard:

Some traditional ways of shielding against threats are installing anti-virus software and online filters. This may be an effective way to combat basic threats but it isn’t enough for larger threats.

Advanced Persistent Threat:

Advanced Persistent Threat (APT) is a set of stealthy and constant computer hacking methods to sabotage business data.

Methods to combat APT:

Network/Data security audit:

Conduct a full network sweep to conduct an analysis and proceed with the security strategy that will work best for the system.

Educate Employees:

Making employees aware of data security threats and having a workshop on how to be safe against network attacks can be a helpful tool in eliminating a major chunk of the problem at the grass root level.

Data Encryption:

A simple and easy way to secure data from being misused.

Regular Backups:

Regular backups should be mandatory as a business owner can’t afford to lose business data.

For security solutions and IT services; visit: http://www.insane.net.au

Tips for Maintaining Greater Security on a Cloud Server

Offering greater flexibility, performance and scalability of data, cloud computing on the Gold Coast has emerged as a great strength for business purposes over the last few years. In today’s world people are more concerned about cloud computing security, despite a lot of inbuilt security features in all methods of cloud computing.

Cloud computing security can be enhanced to further levels by users if they manage to adopt certain simple practices.

Here are a few security enhancement techniques, take a glance

Choose a reliable Cloud Vendor:

The prime step towards reliable security is to find a reliable cloud vendor. Trustworthy vendors are likely to adopt a wide range of security features to ensure that the data stored on the cloud is kept safe and secure.

Additional security measures you adopt are of no use if your cloud service is provided by an insecure service provider.

Firewall:

It is recommendable to use a firewall and update it regularly. An effective working firewall is good enough to prevent potential attacks and frequent server crashes leading to data loss.

Install only relevant software:

It is a fact that the vulnerability of your cloud data increases with the installation of more software. Therefore, it is good to avoid the installation of unnecessary software and look at using applications delivered via SaaS platform’s which can be used directly without installation.

Choose the Right OS:

Always choose an operating system that can offer reliable security features in adherence to its performance. Avoid certain OS’s which are simple to work alone but built with lower levels of security.

Adopting these simple features and keeping all features of the server updated will ensure that your cloud setup will be free from data threats and disturbances.

Internet Explorer Security Risk

Overnight, news has broke out about a security fault in Microsoft Internet Explorer – the web/internet browser that comes installed in Microsoft Windows.

This “Zero Day” exploit is believed to exist in all versions of Internet Explorer. Microsoft is yet to release a patch for it.Continue reading

Data Security for Small Business

With the increasing number of cybercrimes including data theft and hacking, business owners need to be really careful not to get caught. It is important even for small business owners to dedicate time towards data security and continue to improve it, to prevent undesired problems related to their confidential data.

Have a look at a few important security measures which are ideal for data protection.

Use and Update Passwords:

Data access can be provided to employees only after password verification. It is important to review periodically all passwords which are being used in the system and make password revisions if any of them are not secure.

Secure the network:

Most small business have adopted wireless network, however these network services on the Gold Coast are more susceptible to attacks if left unsecured. Therefore use reliable encryption techniques and strong passwords for network security.

Isolate sensitive data:

Keep sensitive information available only to a few numbers of computers or servers and segregate it from the rest of your network.

Consider the cloud:

It is ideal for small business to use the cloud and store information under a robust cloud provider. This eliminates the chance of attack and also is an effective back-up method on event of a disaster.

Encrypt your Data:

Use a secure encryption technique if you are using any in-office or on-site data. Encrypted data cannot be read by unauthorized users if it is stolen.

Firewall and Antivirus:

It is important to have a good firewall and an updated anti-virus and anti-spyware. Avoiding using the latest versions of anti-virus and anti-spyware opens the door for security breaches.

It is better to adopt security measures early and make the data secure, rather than to have to fix the problem after an attack.

Passwords, Passwords, Passwords

Quite frankly, these are the bane of most peoples existence.

Your bank requires you to keep a PIN for your savings card and your credit card, you’ve got passwords for your computer, your emails, your Facebook account and every other internet based service you use.

And if you’re like a lot of people, these passwords often appear in multiple places.Continue reading

CryptoLocker: What is it and how do you protect yourself?

There is an increasing number of reports about businesses being the victim of the CryptoLocker malware, but what exactly is it, is your business at risk and HOW do you protect yourself?

CryptoLocker is a type of malware (virus) which encrypts your files and then requires you to pay a ransom within a certain amount of time to get your files decrypted.

Research analysts have claimed that due to the complexity of the encryption used it would be near impossible to attempt to recover files encrypted by CryptoLocker yourself. As a result, many businesses who did not have a suitable backup strategy in place have been forced to pay the ransom to recover their files – which at last report was USD $300.

The malware is typically spread via an email attachment. The attachment is usually a ZIP file which appears to contain a PDF document, however this file is actually an executable which when run infects the computer, encrypting files on the local computer as well as any network drives.

Once your files are encrypted CryptoLocker displays a ransom message on your computer screen to tell you that your files have been encrypted and begins a countdown timer. If you fail to pay the ransom before the countdown ends the recovery fee goes from USD $300 to over USD $3,500!

So how do you safeguard your business against this threat?

  1. Make sure you backup every day! Use a backup solution that allows you to keep multiple versions of your data for an extended period of time, whether that be an online backup service or some form of portable media (tape, hard-drive, USB, etc).
  2. Consider blocking ZIP file attachments in emails. Encourage the use of systems like YouSendIt and DropBox for the distribution of files instead of email.
  3. Be careful opening attachments! In all my years I’ve seen more instances where someone working in the accounts department of a company has inadvertently opened an email attachment or clicked a link in an email they were sent than in any other area of the business – and the worst part is that staff in your accounts department usually have access to just about everything!!

If you’re unsure whether your current backup strategy could withstand a hit by CryptoLocker then please Contact Us immediately on (07) 5539-6116.