Jumping from Android to Apple…

These days, buying a smartphone is a lot like buying a car. Whether you get a Hyundai Getz or a Ford Focus doesn’t really matter in terms of driveability. Both will get you from A to B, both have 4 wheels and you can choose whatever colour you like. Which one you decide to get depends on one factor: Which one you like better in terms of looks and a gut feeling of ‘this is it’.

Should you trust public wireless internet?

Don’t let me get bored. Ever. I tend to do things I probably shouldn’t. Sometimes it’s harmless like acting a bit quirky to get a laugh or a reaction, other times I’ll just casually scan an open network looking to see whether the IT guy has a clue or not.

This is a story about one of those times. The latter of the two.

A few months ago I attended a conference at a fairly well known venue on the Gold Coast. They had a bunch of speakers talking on various topics and when one of the presenters started talking about cash-flow management my attention span went flying out the window.

Maybe I’ve been spoilt by too many truly engaging speakers, but it does seem like this is one subject matter most fail to deliver in an engaging way.

ANYWAY. I’ve got about 5 1/2 minutes before the next speaker to kill and realise that the venue offers a free guest WiFi service. “HAZZAH! This should kill a few minutes!” I think to myself.

So I sign my mobile phone onto the wireless network and quickly open up my trusty network discovery tool to see if it’ll show me anything.

Let me stop here for a second and explain a few things.

Firstly, the tools I use are publicly available in the Google Play (Android) store. They are not some special hacking or penetration testing software. You can download them too. I use Wifi Analyzer and Network Discovery. Enjoy.

Secondly, a guest wireless service should enforce a few basic security features.

  • Captive Portal. A captive portal is a system which forces you to a web page to authenticate in some manner to get access to the internet. You will see one every time you visit a hotel, the Qantas Club, or wherever some form of guest WiFi service is available – free or charged.
  • Client Isolation. Client isolation blocks access between devices on the wireless network. Effectively no device can see another. This stops one device from trying to ‘break into’ (or infect) another device on the network, or perform simple man-in-the-middle attacks by telling every other device on the wireless service that ‘it’ is the router.
  • Restrict Access to Infrastructure. No client signed onto the wireless network should be able to see any of the business’s infrastructure other than the captive portal website and the internet itself. No access to the router, wireless access points, switches, servers, etc.

So with all this in mind, let’s continue…

My network discovery comes back and there’s about 50 or 60 devices on the network. I take a closer look and realise that some of the devices are mobile devices and laptops signed onto the network, but that’s not all. I can see the network switch managing the network and a bunch of other pieces of infrastructure.

This is wrong Dave!!

If I wanted to be malicious I could have launched a simple ARP-based poisoning man-in-the-middle attack which would have tricked every device on the network into thinking I was the router, pushing all their internet access through my mobile phone (yes, my mobile phone!!). This in turn would have let me collect a dump of all internet access on that network, and with a small amount of effort I can guarantee I would have obtained someone’s username and password for an email account or some system they used that wasn’t properly secured.

But I’m not a malicious person. Instead I took a bunch of screenshots of what I found and searched for the General Manager’s details. I found them on his current IT provider’s website (in the testimonial section), searched his name on LinkedIn and sent him an email outlining what I’d found. He in turn forwarded the information to his IT Guy, who then promptly fixed the problem. Or at least, that’s what he told me. I haven’t been back there to see if the problem is fixed.

I don’t want to point fingers, but I had to laugh. Shortly after I reported the security issue I noticed the IT provider had updated their website to offer “Security Audits”….

ANYWAY. This is a prime example of why using free wireless services is dangerous. We talk about hackers setting up fake wireless networks, but this was the venue’s own service and it was completely open to the world.

In this particular instance it was a fairly prominent venue, which means there is an intrinsic expectation of ‘trust’ we give them. Trust that their infrastructure is secure. Trust that we are safe.

How long had this problem existed? I don’t know. Since whenever the wireless service was installed or upgraded, or whenever the last technician made changes to it. Who knows.

Do I think someone could have already exploited this problem? Quite possibly.

Should the venue notify guests that their security could have been compromised? That’s a really tough call. But if we change the question to “Would I want to know if my security was potentially violated?”, I would hazard the answer would be a resounding “YES!”.

What can you do?

  1. Don’t just sign on to every public wireless internet service because it’s there.
  2. Make sure that every account on your devices uses encrypted communications.
    1. If you’re using older style email services like POP and IMAP, use POPS over POP, IMAPS over IMAP, SMTPS over SMTP.
    2. Don’t enter account details into insecure websites (HTTP).
  3. Don’t sign on to a public WiFi service because it’s there. Yes I’m repeating myself. You have data on your phone!!!

And don’t just trust that every IT guy out there knows about security. If your business is in the spotlight, get an external contractor to pentest (Penetration Test) your environment regularly and make sure you’re not being lulled into a false sense of security. The ramifications of this particular issue could have been monumental.

Your Anti Virus Won’t Save You Now…

In the last week, two of our clients got hit with the latest variant of CryptoLocker. CryptoLocker (and its variants) is the notorious malware that encrypts all your data and holds the decryption key to ransom, sometimes for thousands of dollars.

There is no way to decrypt the data. The malware will scan your personal computer first, appearing to start with your Desktop, working through your My Documents folder and then scanning through any mapped network drives you have. This all appears to be done in alphabetical order. (This is based on our observation of the two incidents.)

If you get hit, you have two options – restore from a backup, or pay the ransom!

The scariest part of all this is that one of these clients had implemented a good anti virus program on every computer, all emails go through a cloud based spam and malware filter, and they have an advanced firewall that scans all internet traffic for malware.

The good news is that this client also had our Back-Up and Disaster Recovery (BUDR) solution in place, which backs up their data every hour – so it was a trivial matter of restoring their data to the hour before the incident; although the time between infection and data restoration was 4 hours. Half a day of business that was lost, which could have otherwise been avoided.

How did this virus get in?

The 2nd client told me she had received a speeding infringement in her email, and even though she was dubious – she clicked it.

Ironically, as I sat down to write this email I got a notification from our spam filter that an email from the “Australian Federal Police” with subject “Driving infringement notice” had been held in spam. I like to live on the edge, so I went ahead and released it from the spam quarantine so I could take a closer look.

NOTE: Don’t try this yourself. I used an isolated computer in a quarantined network. And this is the email that hit my Inbox shortly after.

It looks rather legit, although if you look closely the Engrish isn’t great and some of the words are spelt wrong. (“You’ve got been recently given having a drive intrusion” and at the bottom “Austrlian……”)

Taking a deep breath and clicking the link brought up the following website.

And lo and behold, entering the captcha (it actually did check to see if it was correct) allowed me to download a ZIP file called notice_262897.zip, which contained a single file. The file inside the ZIP archive has a display icon that mimics the icon used by PDF documents (Adobe Acrobat/Reader).

And here’s where the wheels fall off the cart….

At some point in the last 10 years, Microsoft wanted to make Windows “tidier” and thus hides the extensions of “known file types” by default. We as Users are so used to identifying a file type by the little picture, and this little sucker preys on that.

With “show file extensions” turned on, we realise that this PDF is not a PDF, but actually an EXE (Executable Program File).
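The masquerade described above can be caught before anyone double-clicks. The following is an added example (not code from the original post) that builds a constructed stand-in for notice_262897.zip in memory, works out what Explorer would display with extensions hidden, and flags members whose real extension or file header says “executable” while the visible name says “PDF”:

```python
import io
import os
import zipfile

# Extensions Windows will happily execute; all are hidden by "hide extensions
# for known file types", so "x.pdf.exe" is shown to the user as "x.pdf".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def displayed_name(filename):
    """Name as Explorer shows it when extensions of known file types are hidden."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def inspect_zip(data):
    """Return one finding per ZIP member: the name the user would see and why
    (if at all) the member is suspicious. `data` is the raw ZIP file as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            with zf.open(info) as member:
                head = member.read(4)              # enough for the PE "MZ" header
            real_ext = os.path.splitext(name)[1].lower()
            shown = displayed_name(name)
            shown_ext = os.path.splitext(shown)[1].lower()
            reasons = []
            if real_ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension %s" % real_ext)
            if head.startswith(b"MZ"):
                reasons.append("PE executable header")
            if shown_ext and shown_ext != real_ext:
                reasons.append("double extension: displayed as %s" % shown)
            findings.append({"name": name, "shown_as": shown,
                             "suspicious": bool(reasons), "reasons": reasons})
    return findings


def build_sample_zip():
    """Constructed archive mimicking the one in the post: a 'PDF' that is a PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed bytes: just a PE magic number and padding, not real malware.
        zf.writestr("notice_262897.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text, harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
```

The same check runs unchanged against a real attachment saved to disk (`inspect_zip(open(path, "rb").read())`), which is how a mail gateway or help-desk triage script would use it.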

And because I’m crazy like this. I ran it.

And sure enough, CryptoLocker strikes!

I didn’t have much on the computer, but whatever data files I had (Word, Excel, ZIPs, PDFs, etc) were all now encrypted (extension .encrypted). Attempting to rename them didn’t resolve the issue.

That computer has now been blown away. I don’t trust that the malware didn’t install something in the background to come back and attempt further malicious activities.
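The behaviour observed in both incidents (files renamed to .encrypted, folder by folder, in alphabetical order) is itself a detectable signal, regardless of which variant did it. As an added example (not from the original post), this Python function watches a time-ordered stream of file-system events and raises an alert as soon as a burst of files gains the ransom extension; the events are constructed here to mimic the Desktop, then Documents, then mapped-drive progression described above.

```python
from collections import deque


def detect_mass_encryption(events, threshold=10, window_seconds=60, marker=".encrypted"):
    """Return an alert dict the moment `threshold` files have been renamed to
    `marker` within `window_seconds`, or None if the stream stays below that.
    `events` is an iterable of (timestamp_seconds, operation, path), time-ordered."""
    recent = deque()  # (timestamp, path) of recent renames to the ransom extension
    for ts, op, path in events:
        if op != "rename" or not path.lower().endswith(marker):
            continue
        recent.append((ts, path))
        while recent and ts - recent[0][0] > window_seconds:   # slide the window
            recent.popleft()
        if len(recent) >= threshold:
            folders = sorted({p.rsplit("\\", 1)[0] for _, p in recent})
            return {"at": ts, "count": len(recent), "folders": folders,
                    "first": recent[0][1], "last": path}
    return None


def constructed_events():
    """Constructed event stream: one dropper file created, then five documents
    per folder renamed alphabetically, Desktop -> Documents -> mapped drive."""
    folders = [r"C:\Users\jo\Desktop", r"C:\Users\jo\Documents", r"Z:\Shared"]
    names = ["budget.xlsx", "contract.pdf", "invoice.docx", "report.docx", "scan.zip"]
    events = [(0.0, "create", r"C:\Users\jo\Downloads\notice_262897.pdf.exe")]
    t = 1.0
    for folder in folders:
        for name in sorted(names):
            events.append((t, "rename", folder + "\\" + name + ".encrypted"))
            t += 0.5
    return events


if __name__ == "__main__":
    print(detect_mass_encryption(constructed_events()))
```

A threshold of ten renames in a minute is well above what a person does by hand, so an alert like this is a reasonable trigger for the “turn the computer off immediately” advice later in this post, before the mapped drives are reached.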

Why are we losing the war on modern threats like CryptoLocker?

I was at the Queensland Police “Fraud & Cyber-Crime” symposium last year and got chatting to an Iranian white-hat hacker (they’re the good guys). He basically told me that anti virus software as we know it is useless to modern attacks.

Why is that?

Cyber-Crime, the billion dollar industry it is, sells software that allows cyber-criminals to create new variants of the virus/malware at every run. The problem here is that even if they only created one new variant every 24 hours, for your anti virus to be able to detect the threat, the virus companies have to get their hands on a copy of the virus, analyse it, identify its unique signature, update their anti virus databases, AND THEN your computer has to download those updates.

That process generally takes longer than 24 hours, even if your anti virus software updated itself every hour.

So by the time your computer can detect the threat, it’s already been changed several times over. It’s a never ending game and you, the end user, aren’t going to be the winner.

That’s the first problem.

The second problem is that these attacks prey on our fear.

Since when did the AFP send out traffic infringement notices? I’m not intending to make you feel stupid. The bottom line is that the people sending out these attacks are extremely clever and they have worked out that if they focus on people’s fears they will get a better hit rate.

My own accounts lady got a number of emails that appeared to come from ME, asking her to organise a wire transfer. When she hit reply the return email address was [email protected] (not @insane.net.au). She very nearly replied to the email, except she was quick enough to notice the email address had changed!
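The tell in that wire-transfer email was that the reply address did not match the sender the message claimed. As an added example (not from the original post), this Python snippet parses a constructed message and reports when a reply would go to a different domain than the From header shows; the addresses are made up, with example.invalid standing in for the attacker’s domain.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if missing or malformed)."""
    _display_name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def reply_mismatch(raw_message):
    """Return (from_domain, reply_domain) when hitting Reply would send the
    answer to a different domain than the message claims to come from, else None."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    # Mail clients reply to Reply-To when present, otherwise to From.
    reply_domain = domain_of(msg.get("Reply-To") or msg.get("From"))
    if from_domain and reply_domain and from_domain != reply_domain:
        return from_domain, reply_domain
    return None


# Constructed sample: display name and From look like the boss, Reply-To does not.
SAMPLE = """\
From: "The Boss" <boss@insane.net.au>
Reply-To: boss@example.invalid
To: accounts@insane.net.au
Subject: Urgent wire transfer

Please organise a wire transfer today.
"""

if __name__ == "__main__":
    print(reply_mismatch(SAMPLE))
```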

So how do you protect yourself against modern threats like CryptoLocker?

You can have all the advanced defenses in the world – anti virus software; anti malware software; email filtering; internet scanning/filtering firewall; even lock the computers down so no one can change a thing or install anything and yet these threats can still hit you.

The #1 defense in this war is Education.

Your team needs to better understand these threats, where they come from, how they target people like them, and how to work more safely.

We can help you with this. We can provide your business with a group training session designed to educate you and your team on these threats, how they attack you and how to be more vigilant. And this is information you can then go on and help educate your own clients with – which helps raise your profile as the “Trusted Advisor”, which is especially valuable in Business 2 Business relationships.

If you’re interested in a group training session for your business on the topic of Computer Security, give us a call on (07) 5539-6116. Group sessions are $240ex per hour and must be booked in advance.

What about the fundamentals? Do we still need anti virus?

Even if modern threats are not detectable by current anti virus software, there are still a lot of viruses, malware and spyware that cause problems for your computers that are detectable, so by no means should you give up on having the best protection you can afford for your business.

Our best practice for our clients is to have:

  • Up to date Anti Virus software on every computer.
  • Unified Threat Management (UTM) firewall scanning all internet traffic, limiting Internet access to approved, work related websites. (And blocking access to anything that is unknown or not approved!)
  • Spam and Virus filtering for Email.
  • Show file extensions for ALL file types and educate your team on what each of them means!
  • Block access to staff installing software themselves.
  • Block access to staff making changes to their computers.
  • Block access to USB sticks (Yes, I know everyone uses these for real business reasons).
  • Block ZIP, RAR, EXE, VBS, TAR.GZ and other email file attachments.
  • Use DropBox* or some other system to transfer files to and from clients/other businesses.
  • A reliable backup strategy that will allow you to recover your files quickly in the event of an outbreak.

And if you get hit, TURN THE COMPUTER OFF IMMEDIATELY.

Don’t leave it sitting there. Most of these attacks install other malicious code that tries to use your computer as a launch point for their next attack, or leave something around that they can re-activate later or use in a BotNet to launch a distributed attack on someone else.

NOTE: The other day I got sent a link to an attachment that was hosted by a DropBox account. The file was a ZIP file, with an executable program in it. I didn’t run this one, but my money is on it being another threat.

If you’re wondering how protected your business is, give us a call on (07) 5539-6116 and we will come out and provide you with our proprietary 90-Point Network Assessment, which looks at all aspects of your business technology, and not just the physical equipment!