Hacking is a two-way street.

Usually we hear of attacks being launched against American websites from outside the country. But the opposite is true as well.

In recent days there have been reports that attacks were launched against Iranian computer networks that support that country’s air bases, likely in response to the June 20th attack by Iran’s Islamic Revolutionary Guard  Corps on a U.S. military drone in the Persian Gulf.

And now there are reports that hackers working for an alliance of intelligence agencies broke into Yandex, the large Russian-based search engine, in an attempt to find technical information that reveals how Yandex authenticates user accounts.  The hackers used Regin (QWERTY), a malware toolkit associated with intelligence sharing that has often been utilized by the intelligence alliance (made up of the USA, Canada, UK, Australia and New Zealand).

Interestingly, Yandex acknowledges the hack, which happened back in 2018. But whereas it claims the attack was detected by the company’s security team before any damage could be done or data lost, outside observers believe that the hackers were able to maintain their access to Yandex for several weeks or longer before being detected.

Reportedly, the information being sought could help spy agencies impersonate Yandex users, thereby gaining access to their private messages. The purpose?  To focus on espionage rather than the theft of intellectual property.

These actions, which are coming to light only now even though the events in question happened last year, underscore how much much future “warfare” between nations will be conducted in cyberspace rather than via boots on the ground.

Welcome to Cold War II — 21st century style.

E-Mail security breaches: A cautionary tale.

This past week, I heard from a business colleague who heads up a firm that operates in the IT sector. It isn’t a large company, but its business is international in scope and its entire employee workforce would certainly be considered tech-savvy.

Nevertheless, the company suffered a serious security breach affecting its e-mail system … and it took nearly one week of investigation, diagnosis and repair to deal with the fallout. Ultimately, the system was secured with everything restored and running again, but it took much longer than  expected.

What had happened was that an unknown attacker obtained the user ID and password for one of the company’s e-mail accounts, and used those credentials to log on to the mail system as the legitimate user. The attacker then changed the contact name on the account to a fake U.S. telephone number – we’ll call it “+1(4XX) 6XX-9XXX” – and launched a program from his/her/its host computer (hosted by Microsoft and located in in a different country than the affected user) which sent out thousands of e-mails having the subject “Missed call from +1(4XX) 6XX-9XXX” and an attachment that looked like a harmless audio file containing a voicemail message.

This type of phishing attack is well-known, and it would be dangerous to open the attachment (no one at the company attempted to do so). The company’s e-mail server eventually blocked the account because it exceeded the maximum outgoing e-mail limit, but strangely enough the administrator was never notified of this fact. The company only discovered the breach after the user called in to complain about receiving thousands of “failed delivery” messages. It took the better part of a full business day just to piece together what was going on, and why.

The attacker also installed a rule on the compromised account which moved all incoming email to an obscure folder. The rule was cleverly disguised, making it easy to overlook and hence more time-consuming to find and remove.

This friend advised that there are a number of “lessons learned” from his company’s experience, which should be considered for implementation by businesses of all sizes everywhere:

1. Implement security policies requiring strong passwords (big, long, hard-to-guess ones) and frequent password changes (once every 90 days or more frequently). In the case of this particular company, its password strength policy was up to snuff but it wasn’t enforcing rotation. That changed immediately after the breach.

2.  Require multi-factor authentication (MFA). This is where a user doesn’t merely enter a password to log on, but also has to enter a one-time code sent via SMS or a smartphone app. It’s inconvenient, but regrettably it’s the world we live in today. In the case of this particular company, it hadn’t been using MFA. They are now.

3.  Be vigilant in reminding users NEVER to click on links or file attachments embedded in received e-mails unless they absolutely trust the sender. Some larger companies have “drills” which broadcast fake phishing emails to their employees. Those who click are identified and sent to “dum-dum school” for remedial training.

Failing that, companies should adopt policies wherein any employee who receives anything via e-mail that looks like particularly clever or tempting phishing, to notify the company about it immediately for investigation.

4.  Discourage users from logging on to their mail accounts from public locations using unencrypted WiFi. It’s easy to sniff WiFi signals and it’s even easier to read the data in unencrypted signals, which appear as plain text. Typically, if the WiFi connection requires a passphrase to be entered in order to connect, then it’s encrypted WiFi. If not … watch out.

5.  Monitor the e-mail server at least once each day to discover any security breaches or threats, since those servers may not always notify administrators automatically. The sooner a problem is discovered, the quicker and easier it will be to contain and kill it.

6.  Require users to archive messages in their Inbox and Sent Items folders regularly.  The moment an attacker is able to access an account, he/she/it can easily retrieve and quickly download all the messages on the server, and those messages could contain confidential or sensitive data. Therefore, taking this action will move those messages to each user’s device and purge them from the central server.

I’m thankful that my friend was willing to share his experience and suggestions for how to avoid a similar breach happening at my own company. Based on the “lessons learned,” we performed an audit of our own procedures and made several adjustments to our protocols as a result – small changes with potentially large consequences.  I suggest you do the same.

Yahoo’s Terrible, Horrible, No-Good Month

ybb

Aren’t you glad you don’t work at Yahoo?

Where to begin … For starters, the Associated Press is reporting that Yahoo disabled its e-mail forwarding service effective the beginning of October.

Yahoo has a rather benign statement in its Help Center “explaining” why the service has been disabled:

“Automatic forwarding sends a copy of incoming messages from one account to another. The feature is under development.  While we work to improve it, we’ve temporarily disabled the ability to turn on Mail Forwarding for new forwarding addresses.  If you’ve already enabled Mail Forwarding for new forwarding addresses in the past, your e-mail will continue to forward to the address you previously configured.”

This hardly passes the snicker test, of course.

Disabling the auto-forwarding feature for new forwarding addresses came at the same time it was revealed that a 2014 hack of Yahoo’s platform resulted in the theft of ~500 million e-mail accounts including information on addresses, phone numbers, passwords, security questions and answers, plus birthdays.

It doesn’t take a genius to conclude that the reason Yahoo disabled its automatic forwarding function for new forwarding addresses was to deter concerned or frightened Yahoo Mail users from making a mass exodus to rival services.

But this is only the latest in a string of stumbles by the company in just the past few weeks.

For one, Yahoo is now defending a class-action lawsuit accusing the company of security negligence in the wake of 2014’s half-billion e-mail accounts theft.

There’s also a report from Reuters that for the past 18 months, Yahoo has been scanning all incoming Yahoo Mail messages for a wide range of keyword phrases — all on behalf of our friends in the federal government.

And if those weren’t enough, the much-ballyhooed announcement this past summer that Verizon was planning to acquire Yahoo for $4.8 billion has devolved to this: Verizon is now asking Yahoo for a $1 billion discount on the purchase.

It’s little wonder some people are calling the company “Whowee” instead of “Yahoo” these days …

Have we become too complacent about cyber-security threats?

cyber warfareThe scandal involving the security risk to U.S. State Department e-mails is just the latest in a long list of news items that are bringing the potential dangers of cyber-hacking into focus.

But of course, we’ve seen it before — and it involves far more than just “potential” risk.  From Target, Best Buy and other retailers to Ashley Madison customer profiles, IRS taxpayer information and the U.S. government’s personnel records, the drumbeat of cyber-security threats that’s turned out to be all-too-real is persistent and ongoing.

In the realm of marketing and public relations, recent breaches of PR Newswire and Business Wire data gave hackers access to pre-release earnings and financial reports that have been used to enrich nefarious insider traders around the world to the tune of $100 million or more in ill-gotten gains.

These and other events are occurring so regularly, it seems that people have become numb to them.  Every time one of these news items breaks, Instead of sparking outrage, it’s a yawner.

But Jane LeClair, COO of the National Cybersecurity Institute at Excelsior College, is pleading for an organized effort to thwart the continuing efforts — one of which could end up being the dreaded “Cyber Pearl Harbor” that she and other experts have warned us about for years.

“We certainly can’t go on this way — waiting for the next biggest shoe to drop when hundreds of millions — perhaps billions — will be looted from institutions … It’s time we stopped making individual efforts to build cyber defenses and started making a collective effort to defeat … the bad actors that have kept us at their mercy,” LeClair contends.

I think that’s easier said than done.

Just considering what happened with the newswire services is enough to raise a whole bevy of questions:

  • Financial reports awaiting public release were stored on the newswires’ servers … but what precautions were taken to protect the data?
  • How well was the data encrypted?
  • What was the firewall protection? Software protection?
  • What sort of intruder detection software was installed?
  • Who at the newswire services had access to the data?
  • Were the principles of “least privilege access” utilized?
  • How robust were the password provisions?

In the case of the newswire services, the bottom-line explanation appears to be that human error caused the breaches to happen.  The attackers used social engineering techniques to “bluff” their way into the systems.

Mining innocuous data from social media sites enabled the attackers to leverage their way into the system … and then use brute force software to figure out passwords.

Once armed with the passwords, it was then easy to navigate the servers, investigating e-mails and collecting the relevant data. The resulting insider trading transactions, made before the financial news hit the streets, vacuumed up millions of dollars for the perpetrators.

Now the newswire services are stuck with the unenviable task of attempting to “reverse engineer” what was done — to figure out exactly how the systems were infiltrated, what data was taken, and whether malicious computer code was embedded to facilitate future breaches.

Of course, those actions seem a bit like closing the barn door after the cows have left.

I, for one, don’t have solutions to the hacking problem. We can only have faith in the experts inside and outside the government for determining those answers and acting on them.

But considering what’s transpired in the past few months and years, that isn’t a particularly reassuring thought.

Would anyone else care to weigh in on this topic and on effective approaches to face it head-on?

Data breaches: Target is just the tip of the iceberg.

Target data breachI’m sure we aren’t the only family who’s had to suffer through the aftershocks of Target’s infamous Great Thanksgiving Weekend Data Breach that occurred in late 2013.

According to news reports, as many as 40 million Target credit cards were exposed to fraud by the data breach.  And as it turns out, the initial reports of nefarious doings were just the beginning.

Even after being given a new credit card number, my family has had to endure seemingly endless rounds of “collateral damage” for more than a year since, as Target’s very skittish credit card unit staff members have placed card-holds at the drop of a hat … initiated phone calls to us at all hours of the day … and asked for confirmations (and reconfirmations) of merchandise charges.

Often, these unwelcome communications have occurred on out-of-town trips or whenever someone in the family has attempted to make an innocuous online purchase from a vendor based overseas.

It’s been altogether rather icky — in addition to being a royal pain in the you-know-where.

But our experience has hardly been unique.  Consider these scary figures when it comes to data breaches that are happening with businesses:

  • On average, it takes nearly 100 days to detect a data breach at financial firms. 
  • It takes nearly 200 days to do so at retail establishments.

Those unwelcome stats come to us courtesy of a multi-country survey of ~1,500 IT professionals in the retail and financial sectors.  The study was conducted by the Ponemon Institute on behalf of network security and software firm Arbor Networks.

The next piece of unsettling news is that, even with the long “dwell” times of these data breaches, the IT professionals surveyed aren’t optimistic at all that the situation will improve over the coming year.  (Nearly 60% of those working in the financial sector aren’t optimistic, as do a whopping ~70% in retail.)

It’s doubly concerning because companies in these sectors are such obvious targets for hack attacks.  The reason is simple:  The amount and degree of customer data stored by companies in these sectors is highly valuable on the black market — thereby commanding high prices.

It makes it all the more lucrative for unscrupulous people to make relentless attempts to hack into the systems and extract whatever data they can.  IT respondents at ~83% of the financial companies reported that they suffer more than 50 such attacks in a given month, as do respondents at ~44% of the retail firms.

The impact on companies isn’t trivial, either.  Another study released jointly just last week by Ponemon and IBM, based on an evaluation of ~350 companies worldwide, finds that the average data breach costs nearly $160 for each lost or stolen record.  And that’s up over 6% from a year ago.  (The Target breach cost substantially more on a per-record basis, incidentally.  And for healthcare organizations, the average cost is well over $350 per record.)

dbWhat can be done to stem the endless flood of data breach attacks?  The respondents to this survey put the most faith in technology that monitors networks and traffic to stop or at least minimize these so-called advanced persistent threats (APTs).  More companies have been implementing formalized incident response procedures, too.

As Dr. Larry Ponemon, chairman of the Ponemon Institute has stated, “The time to detect an advanced threat is far too long; attackers are getting in and staying long enough that the damage caused is often irreparable.”

Clearly, more investment in security tools and operations would be advisable.

Anyone else care to weigh in with opinions?

Software and security flaws: Even mighty Google isn’t immune.

Here’s a bit of news that doesn’t make one feel very reassured about cyber-security.

Gmail email accounts compromisedIt turns out that a major flaw has existed in the security of Google’s Gmail service for an extended period of time.

And that flaw could have been exploited to extract millions of Gmail addresses – potentially every single one of them, in fact.

What’s even more unnerving is that this flaw wasn’t uncovered by Google’s own engineers, but instead by security researchers in Israel who were kind enough to bring it to the company’s attention.

Thankfully, it was the “good guys” rather than the “bad” who made the discovery.

Evidently, the flaw resided in the sharing feature of Gmail that allows each user to delegate access to his or her Gmail account.

By “tweaking” the web address, the security researchers were able to reveal a random user’s e-mail address.

Once this procedure was proved out, scaling the hack was relatively easy.  By automating character changes using a software tool called DirBuster, the researchers were able to harvest approximately 37,000 Gmail address inside of two hours.

Oren Hafif, one of the security researchers involved in the exercise, blogged recently about the potential scope of the flaw:

“I brute-forced a token in a Gmail URL to extract all of the e-mail addresses hosted on Google.  I could have done this potentially endlessly.  I have every reason to believe every Gmail address could have been mined.” 

While the hack would not have exposed passwords explcitly, it could have left email accounts open to password-guessing attacks — not to mention unwanted spam mail or phishing.

Potentially, the breach could have affected not only personal users, but also businesses that use Google to host their email platforms.

Helpfully, the Israeli security researchers decided to inform Google of their discovery, preferring to be part of the solution rather than let the company twist in the wind.

So … are you ready for the kicker?

Reportedly, it took Google one full month to fix the software bug after being informed about it.

For a core service like email that is so central to the entire Google experience, one wonders why it took one of the world’s largest and most powerful companies weeks rather than just days to fix the problem.

If you’re looking for a redeeming or staisfying finale to this story … there really isn’t one.

Why?  Because in its infinite generosity, Google decided to reward Mr. Hafif for bringing the software flaw to its attention, in the form of a cash award.

One that really, really expressed thanks and appreciation for what he did.

Reportedly, the award amounted to US$500.