Penetration Testing Basics

penetration_testing

As computer networks become more complex, they become more vulnerable to hackers. These weak points can take the form of hardware, operating system bugs, software and users who don’t adhere to security policies. One of the best ways to uncover them is to get a hacker to break in.

What is Penetration Testing?

It’s essentially a legal form of hacking carried out as a test of the target organization’s defenses. The target company either has their IT staff try to break into the system or hires an outside security firm that specializes in this form of attack. While the attacker may be just one person or an entire team, for ease of reading let’s stick to referring to them as a single individual.

The main goal of the test is to see if a hacker can get in, and if they can how far into the system they can get. The testing process itself is either done manually or by using automated software. Penetration testing generally breaks down into several categories, depending on the conditions of the test being performed.

Types of Penetration Testing

White box testing gives the hacker access to information about the internal details of the network. The goal is to provide them with as much information as possible so they can base their test around knowledge of the network’s strengths and weaknesses. This approach minimizes testing time and provides a deeper, more comprehensive test. The drawback is it doesn’t mimic the (lack of) information a real hacker would have.

Black box testing is the closest to a typical hack. The attacker receives no information about the network and must figure it out and gain access on their own. The drawback here is testing times are more unpredictable, and some parts of the network may not get thoroughly tested.

Gray box falls between these two extremes, with the attacker getting certain information such as they might receive by breaking into a normal user’s account.

Penetration testers can also run scenarios based on whether or not someone on the opposing team is aware of the attack and can take steps to thwart the intrusion.

Once the test is complete, the attacker compiles a complete report, including all the steps they took and vulnerabilities they noticed. Companies can then assess these vulnerabilities and prioritize getting them fixed.

Is Penetration Testing for Me?

If your business network is connected to the Internet, odds are hackers have at the very least made attempts to get in. There are crawler applications out there that allow hackers to systematically find vulnerable networks. Some company servers receive thousands of attacks an hour.

Some industries have regulations that require penetration testing on a regular schedule for security purposes. Other do them sporadically when requested. The most unfortunate ones do them after they’ve been attacked and had their systems compromised and they’re facing a PR nightmare. You don’t want your business in the last group.

Visit www.bvsystems.com for wireless security products and subscribe to our 2 Minute Cyber Security Briefing video podcast on Youtube & iTunes.

Fighting Phone Cramming

ATT-Cramming

Cramming is the term for adding an unauthorized charge on your phone bill. It’s most common on mobile phones, but land lines can fall victim as well. The phone company or mobile carrier may add charges the customer doesn’t recognize later. However, the vast majority of cramming complaints come from third-parties for “premium text messaging.”

These services started back in the days of feature phones, before smartphones were common. They provided a way for users to get information, wallpapers and ringtones to ordinary phones before they could browse the web. Some people still use these premium messaging features, but smartphones have made them largely irrelevant.

How Does It Happen?

In the case of charges added by the phone company, a sales rep might unintentionally cram when the customer activates a line or changes their plan. For example, the rep add may a paid feature that starts with a free month without warning the customer it’s not a free feature. The customer overlooks the free feature the first month, then notices once it starts charging.

Cramming by third-parties usually starts when the customer enters their phone number into a web page run by scammers or sends a text message to a number advertised in movie theater and late-night television ads. However, it’s not always possible to tell exactly how the charges were added. Some customers have been scammed without doing any of these things.

What Do If I Notice Unauthorized Charges?

If you notice you are getting spam texts or see unauthorized charges on your bill, contact the phone company or carrier immediately. A live representative can usually credit back the charge, but make sure they also remove the feature or it will return on your next bill.

What Are Companies Doing About Cramming?

Cramming has been a problem for many years, and some companies have been the target of lawsuits over the practice. AT&T was recently ordered to pay $80 million to the Federal Trade Commission for customer refunds

First-party cramming will likely remain an issue as long as there are overenthusiastic sales reps, but there has been progress on blocking third-party cramming. Some companies have abolished premium messaging charges, while others make you request a block. Ask your phone company if they allow premium messaging services, and how to prevent them if they do.

How Can I Prevent Cramming From Happening to Me?

Somewhere on your phone bill is an itemized list of features, taxes and fees. Look through the list every time you get a bill, especially if your bill changes from month to month. It’s easy for a small charge to slip by unnoticed if your bill isn’t static.

Be careful where you enter your mobile number on the web and when sending text messages to commercial services. If a service offers something free in exchange for your number, read the fine print carefully. It’s often easy to sign up and very difficult to cancel.

AT&T Cramming Charges
What hidden charges has your carrier crammed down your bill?

White House Breached

White House Hacked

On October 29th, White House spokesman Josh Earnest confirmed an attack on computer systems used by top aids. The actual attack happened several weeks before the announcement, and the White House has released few details on the attack. Anonymous sources told the Wall Street Journal the attack was detected by an unnamed ally that passed the information along. Government sources claim no classified information was stolen. If nothing was stolen, why is the attack a big deal?

The Possible Russian Connection

While government officials declined to name the perpetrators, many security experts believe the attack originated in Russia. Tensions between the Russian government and the United States have been growing due to the armed conflict in the Ukraine.

Similar attacks by hackers linked to the Russian government have hit United States defense contractors, the NATO and the Ukrainian government. The attackers in these events exploited a previously unknown flaw in the Windows operating system.

Types of Malicious Hackers

Hackers attack for many reasons, but malicious hackers generally fall into three categories:

Cyber criminals are out for financial gain. This is the type of hacker responsible for attacks on consumer bank account and businesses like retailers and financial institutions. Their end goal is to steal money or information they can sell. They may operate solo or be connected with an organized crime group.

Hactivists are hackers who either have a cause or just want to cause trouble. The group Anonymous falls into this category. They might cause disruption and damage to their victim’s image, but they’re not looking for financial gain. Their main goal is to attract attention and punish people or organizations they see as their opposition.

Espionage agents are hackers who work for foreign governments. Some of them see their efforts as a way to help their country, others are directly employed by the state. They are out to gather intelligence, damage equipment and steal classified information. These hackers usually target foreign government agencies and the contractors that work with them. When they do attack businesses, they generally don’t steal money.

Why Don’t We Have More Information?

There’s no doubt the White House networks and other government computer systems are attacked constantly. Details are hard to come by, because the last thing a target wants is to tell the enemy their attack was successful.

When hackers find a zero-day exploit, there’s no way to prepare because it’s a problem the developer or manufacturer is not yet aware of. The best the target can do is harden their network as much as possible and make sure they have the latest security updates.

How do you test your network for vulnerabilities? That’s something we’ll be looking at next week.

The Battle Over Digital Payments at the Cash Register

Apple Pay vs. CurrentC

Apple has launched their their new digital wallet service, but not all North American retailers are on board with the new service. Retailers that are members of the Merchant Customer Exchange (MCX) organization are developing an alternative based around an app that uses visual QR codes. The app is called CurrentC, and is currently in a pilot program scheduled to last through the end of 2014.

MCX members include Walmart, 7-11, Best Buy, Rite Aid, CVS and Target. Merchants that sign up for CurrentC cannot use other digital wallet services. Members that previously had the near-field communication (NFC) hardware used by Apple Pay and Google Wallet have removed it from their stores, a move that has upset some Apple and Android users.

Why Do Some Retailers Want CurrentC Over Apple Pay?

There are three major reasons. The first is Apple Pay still uses credit cards, meaning retailers must pay up to 3% percent of the charged amount to the credit card issuer. CurrentC access the user’s bank account directly, meaning the retailer can keep more of the money.

Apple Pay NFC

The second is due to the importance retailers place on customer data and demographics information. CurrentC collects and shares more data about the people who use it than Apple Pay and other digital wallet services. Customers can set their privacy levels in the app, but most will probably just leave it at the default settings. The MCX has claimed CurrentC has better security than its competitors, but whenever there’s valuable information there are people looking to steal it.

The third reason relates to hardware costs. Retailers that want to use services like Apple Pay must install expensive NFC readers at each register. In contrast, CurrentC is software-based and uses the same technology as the familiar UPC barcode. When retailers start changing over to more secure credit cards next year, those that have not signed up with a digital wallet service may opt to go with NFC when they upgrade.

CurrentC Hacked

On October 29th, the MCX announced CurrentC unknown hackers had broken into the service and gained access to user email information. The MCX PR agent claimed many of the email addresses were dummy accounts used for testing, and no other customer data was stolen. They also stated neither the CurrentC app or user devices were affected.

Stealing email addresses isn’t a serious breach in itself, but it is an embarrassment to the fledgling organization. Especially given Walmart specifically stated they went with CurrentC over Apple Pay due to better security. It could also show the MCX needs to focus on securing the information they are storing.

If you choose to use CurrentC on your device, make sure you browse through the security dashboard and disable the settings you don’t want to share.

Subscribe to our 2 Minute CyberSecurity Briefing channel on Youtube or our video Podcast on iTunes for coverage on this story and the latest cyber security news events.

Visit www.CyberSecurityDictionary.com for linked terms in this blog and many more definitions.

Apple Pay or CurrentC?
What payment platform would you prefer and why?

Is Chinese Government Behind Apple iCloud Attacks?

China_MITM_iCloud_Attack

The October 17th launch of the iPhone 6 in China was overshadowed by a hack attack aimed at stealing Chinese users’ iCloud login information. Less than 24 hours after the release of the highly-anticipated smartphone, anti-censorship advocates in China tweeted about the attack. On the 20th they posted more information on a blog at greatfire.org accusing the Chinese government of being behind the attack.

How did the attack take place?

The hackers used a black hat technique known as a man-in-the-middle (MITM) attack. When a computer or device accesses a secured web page through the browser, the remote server provides a security certificate verifying it is the correct site. MITM attacks reroute the Internet traffic through another server that uses a fake certificate to fool the device into thinking it is communicating directly with the original site. When a user puts in their login name and password, the middleman can intercept the information.

Similar MITM attacks have occurred recently against Chinese users of Google, Github, Microsoft and Yahoo. The Apple MITM was the most serious, as it was nationwide in scope and occurred while many users were setting up their new devices. The hack only affected a single iCloud server IP address, and Apple was able to block the attack by directing Internet traffic to a different IP address.

Why do security experts believe the Chinese government is involved?

Like other aspects of the media, the Internet is heavily censored in China. The Chinese government regularly spies on private citizens looking for signs of political dissent. Apple stores iCloud information outside of China, out of the direct control of the Chinese government.

Since the Chinese government owns and operates the country’s telecommunications and wireless services, the attack may be an attempt to get around officials not being able to access iCloud information directly. It could also be in response to the iPhone 6’s increased security safeguards and the recent anti-government political demonstrations in Hong Kong.

How can you protect yourself against MITM attacks?

iCloud Safari verified

Unlike browsers commonly used in China, Safari uses an encrypted connection to iCloud

MITM attacks are difficult to orchestrate on such a large scale without deep access to public telecommunications networks. The latest hack may have been limited to Apple users in China, but smaller-scale MITM can happen anywhere. Here are some easy ways you can protect your information.

  • Use two-factor authentication when possible. Without the second piece of information, attackers won’t be able to access your account even if they have your username and password.
  • Watch for browser pop-ups alerting you to an expired or invalid certificate when you visit a secure site. If you receive a notification, view the certificate and verify the information is correct.
  • Do not access sensitive sites over open WiFi networks without using a virtual private network (VPN). MITM attacks are much easier to pull off over open wireless networks, and some criminals even set up their own WiFi hotspots just to steal data. A VPN prevents these attacks by setting up an encrypted connection between your device and the VPN server.

Subscribe to our 2 Minute CyberSecurity Briefing channel on Youtube for coverage on this story and the latest cyber security news events.

Visit www.CyberSecurityDictionary.com for linked terms in this blog and many more definitions.

Has Apple Pay Put An End To Credit Card Security Issues?

Apple Pay

All across America today, retailers have begun to accept Apple Pay purchases using secure encryption, Touch ID and Apple iPhones. So is cash still king or have we crowned a new form of payment winner?

Apple’s new smartphones and iPads use an NFC wireless module to communicate to a merchant’s payment terminal. Once connected, a tokenized transfer occurs, whereby shoppers only transfer a special, single-use digital token that the Point-of-Sale system will decode using a shared secret. At no time does a user’s credit card information ever actually leave the secure enclave contained on their device. This patent pending method also requires Apple’s Touch ID biometric fingerprint verification in order to verify the shopper is who they say they are. Since the Touch ID data is stored in a secured enclave and is also a hash, or a numeric value that represents the data, it’s almost like having 2-factor authentication built in without the hassle of pass codes for the user to enter.

Here is another way to look at it. Your phone and your merchant’s terminal agree upon a secret passphrase, and when that’s successful, they pass the info onto the payment provider or bank which then authorizes payment. Only you and the payment card provider ever know the credit card number used but the merchant’s terminal only ever knows the passphrase, which is unique and automatically generated for one-time use.

Apple does this so that even if the NFC communication is hacked and intercepted by a 3rd party, the data stolen is completely worthless. It’s a measure designed to alleviate the fear that transferring any kind of payment information wirelessly sets a user up for attack, which is likely one of the factors involved in slow adoption of NFC payment methods thus far. Google Wallet and many Android smartphones have been supporting NFC for a few years now but consumer fear and most U.S. merchant’s unwillingness to upgrade to NFC terminals has stalled mass adoption. This is all poised to change now that Apple has addressed some ease of use issues for consumers as well as secured partnerships with over 500 banks and 220,000 stores including Target, Bloomingdales, Duane Reade and of course Apple own retail stores.

Credit card and debit card fraud resulted in losses amounting to $11.27 billion during 2012. And that doesn’t even factor in identity theft and the hassle and cost of issuing new cards for every fraud report. Credit and debit cards trade security for convenience due largely to the fact that most cards are still using 40 year old technology. Is Apple Pay the major overhaul needed to secure an aging retail transaction system? Only time will tell.

Cybersecurity Insurance & What You Need To Know

insured

Every company that uses computers or the Internet needs to protect their assets, but how can companies prepare for threats that are so new they’re not even recognized? New technology can open security holes that aren’t detected until after cyber criminals have already broken in. Hackers develop new viruses and other malware every day, faster than security tools can keep up. With the ever-increasing number of cybersecurity threats, some companies are turning to cybersecurity insurance designed to protect them.

What is Cybersecurity Insurance?

The Department of Homeland Security defines cybersecurity insurance as “insurance designed to mitigate losses from a variety of cyber incidents.” It is meant to cover the company’s financial losses in the event of a data breach, not to take the place of robust digital security. A data breach can have long-lasting effects on the business that no insurance policy can cover. For example, the costs of intellectual property loss and damage to the company’s public image can be difficult to estimate.

Types of Cybersecurity Insurance

Because there are so many possible threats, ways your network can be breached and related costs few companies can afford to cover everything. There is no universal standard for coverage, but cybersecurity insurance falls into two categories.

First-party insurance covers direct losses such as network infrastructure damage, business interruption and sometimes damage to the business’s reputation. Third-party insurance covers liability and secondary costs such as customer notification and compensation, forensic investigation, legal defense, lawsuits and regulatory fines.

Insurance companies offer both first and third-party cybersecurity insurance. In the United States, data-breach notification laws make third-party insurance more popular, while businesses in Europe favor first-party. That may change as the European Union begins requiring businesses to notify customers in the event of a data breach.

What to Consider Before Buying Cybersecurity Insurance

Cybersecurity policies can be complex, and it’s important not to rush into the decision. Making the wrong decision can leave your business paying for coverage you don’t need or worse, finding the policy didn’t cover what you thought it did when you need it.

Before considering a cybersecurity insurance policy to protect your network and data, review your existing insurance. Determine what is already covered by your existing policies, where the gaps are and which uncovered assets need the most protection.

Work with an insurance broker and don’t be afraid to ask questions. Because cybersecurity insurance is relatively new compared to other types of insurance it is subject to frequent changes. Policies are in flux due to changes in laws, regulations and best practice recommendations. A savvy broker who is familiar with cybersecurity insurance can help you avoid pitfalls and provide the necessary clarity to make the right decision.

J.P. Morgan Chase Breach Affecting Up To 83 Million Accounts

JP Morgan

It seems every few weeks, another organization announces a big data breach putting their customers at risk. This time it’s the largest bank in the United States. J.P. Morgan Chase announced a breach on August 27th, but initially believed the number of compromised accounts was much smaller. It wasn’t until October 2nd that they revealed 76 million households and 7 million small business accounts were compromised.

The breach lasted from mid-June through mid-August and compromised more than 90 servers. It affected bank customers who accessed chase.com and JPMorganOnline on their computer or mobile device. While the breach itself lasted two months, it’s not clear how far back the records went, so customers who accessed the site before but not during the breach may also be at risk.

What are the risks for customers?

J.P. Morgan Chase has stated the hackers did not get any information that would allow them to access customer accounts, but they did get names, contact information and email accounts. At this point the most likely threat customers will face is phishing attempts where scammers send emails with links to fraudulent web pages designed to install malware or capture their banking login information.

Identity theft is a possibility, but because the hackers did not get customer birthdates or Social Security numbers they would not have all of the information they need. However, if a hacker has a customer’s email address and contact info they could attempt to break into the email account. As I mentioned in a previous post (Gmail Account Hack Shows Why Strong Passwords Are A Must), breaking into the customer’s primary email account can give cyber criminals access to a lot of sensitive information.

How did the hackers get access?

J.P. Morgan Chase, the Federal Bureau of Investigation and the Secret Service are investigating the attack. According to anonymous sources familiar with the matter, the hackers used a compromised employee account to break into a web-development server. From there they were able to worm their way into other servers and access the sensitive data.

What can companies do to combat hackers?

Switch to two-factor authentication. Two-factor authentication requires a password and an additional step such as a code texted to the user’s phone. According to the sources close to the investigation, the vulnerable server only required users to supply a login ID and password. It is possible using two-factor authentication would have prevented the breach altogether.

Be more open about sharing best security practices. During my Bloomberg TV appearance last week, I discussed how cyber criminals collaborate and share information. Companies that are targets for hackers should share more data about their best practices and how they are stopping these attacks. It’s not a matter of helping competitors, because when major data breaches come out they can make customers more hesitant to trust their information with your company as well.

Printers Are the Invisible Security Risk on Your Network

squirrel

The days of printers as simple unsophisticated devices are long gone. Today’s printers are specialized computers that have their own processors, RAM and storage. They also have easy setups and internal web pages for adjusting settings and updating firmware. The printer manufacture’s goal is to make their devices faster, more versatile and more user-friendly to set up and use.

Unfortunately, printer security has not kept up with these advances. When printers were dumb devices, the worst that could happen was an unauthorized person seeing a print job sent to the wrong printer. Now a printer can leak confidential information and provide hackers with a route into your network.

Printers Can Allow Data Out

The security risks printers pose don’t end when you get rid of them. Many printers have internal hard drives or flash memory that can store recently printed documents. Some store the information in unencrypted formats that are easy to retrieve. When a company or consumer sells, retires or recycles a printer they often neglect to clear out this storage area.

printer_input_output

Printers can allow data out as well as in

This is not a hypothetical risk. In 2010 CBS News purchased four used photocopy machines at random and used freely-available recovery software on their hard drives. A printer security expert uncovered everything from copied checks and patient medical records to design plans for a building near the World Trade Center.

Printers Can Allow Hackers In

Printers can also be a vulnerable point on your network. A white hat hacker named Michael Jordan demonstrated security vulnerabilities on a Canon Pixma MG6450 by getting it to run the 90s computer game Doom on its LCD screen. He showed off the hack at security conference 44Con in London earlier this month.

The Pixma is a line of all-in-one printer/scanner/fax machines popular with home users and small businesses. He used the Pixma’s unsecured web interface and lax encryption to install hacked firmware and control the printer over the Internet.

Getting a printer to run an old video game might seem like a curiosity, but the stunt was just to put a humorous spin on a very real problem. Jordan stated after uploading the hacked firmware, he could have used the printer as a gateway to attack other devices on the network instead. Since the Pixma also has an integrated scanner, a savvy hacker could have used the flaw to have it send them a copy of any image scanned without the user knowing.

Canon has released a firmware update for the Pixma line aimed at closing the security loophole, but other printers also have web interfaces and may be vulnerable to similar tactics.

Few people think of a printer as a security risk, but you should treat your printers with the same care as any other network-connected device.

Printers Are the Invisible Security Risk on Your Network
How worried are you about your printer's security?

Sources:

http://www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets/

http://www.theguardian.com/technology/2014/sep/15/hackers-doom-printer-canon-security

Gmail Account Hack Shows Why Strong Passwords Are a Must

Gmail

On September 9th a hacker published a list of 5 million Gmail accounts with associated passwords. The passwords may not have been the password for the account in question, and there’s no telling how old the passwords are or where they originally came from. For example, if the account came from the LinkedIn hack from a couple of years ago the data might be the Gmail address on the user’s account and the LinkedIn password.

When the breach was announced, Google tested the Gmail/password combination and found only 1-2% were still valid. Even though the passwords may not be useful for Gmail, there’s still a risk. People frequently reuse passwords on different sites across the web. According to Symantec, a typical user has 26 password-protected accounts, but only 5 passwords.

Have a unique password for all of your important sites. If one site gets hacked, the hacker may test your login information on other sites. For example, if you use a password on a forum, don’t reuse that same password for your primary email address.

Create strong passwords. A good password should contain at least 12 characters and have a mix of numbers, symbols and uppercase and lowercase letters.

Do not select passwords or security questions that someone might be able to guess by following your social media accounts such as your mother’s maiden name, your pet’s or children’s names or your school.

Don’t substitute symbols or numbers for word. P@$$w0rd is an example of a weak password that might appear strong at first glance. Acronyms or word combinations make good passwords that are easy to remember.

Change your sensitive passwords regularly. Most people don’t change their passwords often enough. Change passwords on sites storing sensitive information at least once every 3-6 months.

Think you’ll have trouble remembering all these new passwords? Download a password management utility that stores your passwords in an encrypted file. There are password managers for every platform of PC, tablet and smartphone.

Enable two-factor authentication for sites and services that store sensitive information such as your bank, your cloud storage, your email and online retailers that keep your credit or debit card on file. Two-factor authentication requires you enter your password and another verification step such as a PIN texted to your cell phone.

Limit the number of password login attempts. Some sites allow you to set a maximum number of tries before your account is locked. Enable this feature if the site offers it.

Unfortunately there are no foolproof solution to password security. If someone who has the skills wants to get in, they will. Just like in the real world, security is about making your car or password as difficult to steal as possible to break into so a thief moves on to an easier target.