
The Three Biggest Security Threats We Face In 2016


Welcome, 2016, and here come the security threats!

Extortion Hacks

2014 brought us the Sony hack, wherein millions of confidential records, including internal emails between corporate executives – emails that revealed the still-thriving prejudices that exist in Hollywood – were illegally, electronically obtained and released to the public. Because they (the hackers) could.

2015 progressed to extortion hacks: nimble-fingered computer criminals accessed private client information in the Ashley Madison hack, taking down a CEO and exposing possibly millions of would-be cheaters to public ridicule and worse; and then came the hack of InvestBank in the United Arab Emirates, which resulted in the exposure of customer account information.

Extortion hacks play to the deepest fears of companies and top executives everywhere. If mishandled, company secrets run the risk of exposure, clients can file lawsuits and these very executives stand to lose their jobs. 2016 will see a massive rise in extortion hacks with astronomical demands.


Data Change/Manipulation Attacks

From Wired:

In testimony this year, James Clapper, the director of national intelligence, told Congress that cyber operations that change or manipulate digital data in order to compromise its integrity—instead of deleting or releasing stolen data—is our next nightmare. Mike Rogers, head of the NSA and US Cyber Command said the same thing. “At the moment, most [of the serious hacks] has been theft,” Rogers said. “But what if someone gets in the system and starts manipulating and changing data, to the point where now as an operator, you no longer believe what you’re seeing in your system?”

Data sabotage can be much more difficult to detect than the kind of physical destruction caused by Stuxnet. That’s because data alterations can be so slight yet have enormous consequences and implications. Anyone remember the Lotus 1-2-3 bug back in the 90s that would produce accounting miscalculations in spreadsheets under certain conditions? That was an unintentional error. But attackers could get into financial and stock-trading systems to alter data and force stock prices to rise or fall, depending on their aim.

Certain types of data manipulation could even result in deaths. In 1991 a Patriot missile in Saudi Arabia during the first Gulf War failed to intercept an incoming Scud missile due to a software glitch in the weapon’s control computer, allowing the Scud to hit an Army barracks and kill 28 soldiers. Again, this was an unintentional bug. But Chinese spies have invaded numerous US defense contractor networks in the last decade, raising concern among US military officials that they’re not just stealing blueprints to copy weapons, but might also alter or insert code to sabotage the integrity of weapons systems and change how they operate.
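As an added illustration (not part of the Wired piece or of this post), here is one way a defender can make the kind of slight data alteration described above detectable: every ledger record carries an HMAC that is chained to the previous record's tag, so a one-digit change to any amount breaks verification from that record onward. The ledger entries, amounts and key are constructed for the demo; the mechanism itself is plain HMAC-SHA256 from Go's standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one entry in a constructed sample ledger (not from the article).
// Amount is kept as text so that a one-cent edit is a visible byte change.
type Record struct {
	ID     int
	Amount string
	Tag    string // hex HMAC-SHA256 that chains this record to the one before it
}

// sealRecord computes HMAC-SHA256(key, prevTag | id | amount). Chaining on the
// previous tag means an edit to any record also breaks every tag after it.
func sealRecord(key []byte, prevTag string, id int, amount string) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s|%d|%s", prevTag, id, amount)
	return hex.EncodeToString(mac.Sum(nil))
}

// BuildLedger seals a list of amounts into a tamper-evident chain.
func BuildLedger(key []byte, amounts []string) []Record {
	ledger := make([]Record, 0, len(amounts))
	prev := ""
	for i, amt := range amounts {
		tag := sealRecord(key, prev, i, amt)
		ledger = append(ledger, Record{ID: i, Amount: amt, Tag: tag})
		prev = tag
	}
	return ledger
}

// Verify recomputes the chain and returns the position of the first record
// whose stored tag no longer matches, or -1 if every record checks out.
// Caveat: silently dropping the newest records is not caught by this check
// alone; the head tag must also be recorded where an attacker cannot rewrite it.
func Verify(key []byte, ledger []Record) int {
	prev := ""
	for i, r := range ledger {
		want := sealRecord(key, prev, r.ID, r.Amount)
		if !hmac.Equal([]byte(want), []byte(r.Tag)) {
			return i
		}
		prev = r.Tag
	}
	return -1
}

func main() {
	// Placeholder key for the demo; a real deployment keeps it in an HSM or KMS.
	key := []byte("constructed-demo-key")
	ledger := BuildLedger(key, []string{"1000.00", "250.50", "9999.99"})
	fmt.Println("intact ledger, first bad record:", Verify(key, ledger)) // -1

	// The kind of "slight" change the article warns about: one digit.
	ledger[1].Amount = "250.51"
	fmt.Println("edited ledger, first bad record:", Verify(key, ledger)) // 1
}
```

The key is what makes this a detection control rather than a checksum: anyone who can edit the amounts but not read the key cannot recompute the tags, so the alteration surfaces the next time the chain is verified. Run the verification on a schedule, from a host the ledger writers cannot reach, and alert on any index other than -1.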


Chip and Pin Credit Card Hacks

From Tripwire:

Over the course of the last decade, major credit card companies have begun to implement EMV or “chip and pin” technology. This system requires that a card reader retrieve the customer’s information off of their card’s magnetized chip, which is followed by the cardholder entering in their PIN number.

As a result, chip and pin essentially constitutes a method of two-factor authentication (2FA) for payment card purchases. It is an added security measure that is designed to prevent credit card fraud if a card is physically stolen, so it is natural that VISA, Mastercard and others would switch to EMV technology – even despite the fact that many companies were just recently unprepared for the transition.

I just received my credit and bank EMV-embedded cards. As the Tripwire article mentions, many merchants are still unprepared to process these cards, but that's the least of our worries. Given that 69% of most purchases utilizing these cards now occur online, the one-time code per transaction is irrelevant, as neither the card nor a PIN is required for online purchases. So we are back to cyber criminals simply stealing the card numbers.

The good news is that law enforcement agencies are hiring in record numbers those with anti-hacking experience!

Be smart: buy via trusted online vendors or use secure purchase transaction portals such as PayPal.

BNI Operatives: Situationally aware.

As always, stay safe.


Yahoo and Google Data Availability to Law Enforcement & For Legal Process


As we've surmised by now, Lois Lerner's missing emails exist – somewhere. There's also now the availability of cloud hosting, a method of saving your email on the net that allows you 24/7 access from any remote location. So, do you really know what happens to all of your subscription information, emails, attachments, etc., once you shut down an email account? What if your information is requested by law enforcement or in anticipation of litigation? What is the legal process in such a case?

We’ve conducted research into data retention by the two major service providers: Yahoo and Google:

YAHOO


Compliance With Law Enforcement: PRESERVATION

Will Yahoo! preserve information?

Yahoo! will preserve subscriber/customer information for 90 days. Yahoo! will preserve information for an additional 90-day period upon receipt of a request to extend the preservation. If Yahoo! does not receive formal legal process for the preserved information before the end of the preservation period, the preserved information may be deleted when the preservation period expires.


GOOGLE

What kinds of data do you disclose for different products?

To answer that, let’s look at four services from which government agencies in the U.S. commonly request information: Gmail, YouTube, Google Voice and Blogger. Here are examples of the types of data we may be compelled to disclose, depending on the ECPA legal process, the scope of the request, and what is requested and available. If we believe a request is overly broad, we will seek to narrow it.

Gmail

Subpoena:

  • Subscriber registration information (e.g., name, account creation information, associated email addresses, phone number)
  • Sign-in IP addresses and associated time stamps

Court Order:

  • Non-content information (such as non-content email header information)
  • Information obtainable with a subpoena

Search Warrant:

  • Email content
  • Information obtainable with a subpoena or court order

YouTube

Subpoena:

  • Subscriber registration information
  • Sign-in IP addresses and associated time stamps

Court Order:

  • Video upload IP address and associated time stamp
  • Information obtainable with a subpoena

Search Warrant:

  • Copy of a private video and associated video information
  • Private message content
  • Information obtainable with a subpoena or court order

Google Voice

Subpoena:

  • Subscriber registration information
  • Sign-up IP address and associated time stamp
  • Telephone connection records
  • Billing information

Court Order:

  • Forwarding number
  • Information obtainable with a subpoena

Search Warrant:

  • Stored text message content
  • Stored voicemail content
  • Information obtainable with a subpoena or court order

Blogger

Subpoena:

  • Blog registration page
  • Blog owner subscriber information

Court Order:

  • IP address and associated time stamp related to a specified blog post
  • IP address and associated time stamp related to a specified post comment
  • Information obtainable with a subpoena

Search Warrant:

  • Private blog post and comment content
  • Information obtainable with a subpoena or court order

Note about general Gmail retention: Even if you purge your Trash folder or shut down your Gmail account, your email remains available for recovery for 20 days beyond when the mail is deleted or the account closed.

Please feel welcome to contact us with more specific questions regarding data retrieval from these two major service providers (and from less-used ISPs with unique data products).

BNI Operatives: Street smart; info savvy.

As always, stay safe.


Tactical Trainer, Christian Swann, on NSA-resistant Communication Encryption.

(This week, we bring you an informative article on protecting sensitive client data from our friend and one-woman whirlwind of accomplishments, Christian Swann (featured below). Christian is a writer, mom, edged and blunt tool instructor for law enforcement and the military, and a risk mitigation security and vulnerability assessment specialist.)


Be vigilant about protecting sensitive client data with these tools.

I wrote an article not long ago about protecting our personal, sensitive and important information. As some of you are well aware, once your data is out there, it's out there. From the first click of the "check out now" button, you are being traced, watched and analyzed. From how much you spend, where you shop, to your favorite products to your prime shopping time – you're being tracked. But that's just one aspect of this passive monitoring. Big Brother (i.e., in fact, as we now all know, the NSA) has the capability and may be not only watching but also listening, recording and even transcribing your confidential client conversations.

What about when it’s not only your information that is being tracked, but your clients’ confidential information is at risk of also being recorded? As a risk and security director of a multi-million dollar company, it is one of the toughest questions and concerns I have. I’m in constant contact with high-profile clients and sensitive data.

The good news for lawyers, corporations and medical professionals concerned about maintaining their duty of confidentiality is that there are now tools and safeguards to help them.

Legal and risk management specialists, such as myself, need to be very aware of the possibility (or now, probability) of their communications being intercepted by empowered governmental agencies. Given the ever-changing, nebulous status of agency data collection laws, legal professionals have to deal with the ambiguity of this usage of collected data – while contending with the secretive nature of intelligence agency operations, as well as the U.S. Foreign Intelligence Surveillance Court that oversees surveillance warrants.

Lawyers – and anyone, for that matter – should assume all of their conversations are subject to covert surveillance and should take steps to protect confidential information.

I can't stress enough that all pertinent emails, electronic messages and communications should be encrypted. There is no shortage of available encryption hardware and software, and I highly recommend using an encryption service such as ZixCorp or the open-source TrueCrypt (warning: this is an open source method and may not be as stable as desired). Platform-specific tools are also available, such as Apple's FileVault.

"One can also purchase self-encrypting hard drives such as the Seagate Secure and already-encrypted flash drives – e.g., IronKey from Imation Corp. – and encryption software such as Symantec Whole Disk Encryption and Sophos Ltd.'s SafeGuard," says Lina Maini of Beacon Network Investigations, LLC.

As for passwords, I recommend a more secure method of authentication, such as security tokens or USB tokens.

Perhaps obviously, I'm a big fan of firewalls and of encrypting everything networked – from email to any and all telecom apps. I've also become a huge fan of the company Silent Circle. One of my favorite features of Silent Circle's service is the ability to program burn settings, i.e., once I've sent any type of message (email, text, audio), it is encrypted and will burn itself at the pre-set time I've chosen.

Many people forget that once a voice message, text or email has been sent, that data has to go through a provider, e.g., Apple, and is then transferred back to the end-user, therefore leaving data footprints that can be copied.

For professionals that mainly communicate via phone, relief from eavesdropping is on its way. This month, Spanish smartphone company GeeksPhone and software company Silent Circle launch Blackphone, an encrypted smartphone that protects phone calls, text messages, emails and Internet browsing. Using VPN technology, Blackphone promises to be an NSA-resistant phone. I'm looking forward to ours arriving soon.
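As an added example (not Silent Circle's, Blackphone's or the author's own code), the following Go program shows the two points made above in working form: a provider relaying a message sees only ciphertext, and a burn time can be bound into the message so that the recipient refuses it once that time has passed and a relay cannot quietly extend it. The envelope format, key and message are constructed for the demo; the cipher is AES-256-GCM from Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Envelope is what the relay (mail or messaging provider) gets to see: the
// ciphertext, a nonce and an expiry. The expiry is authenticated but not
// encrypted, so a relay can discard burned messages yet cannot extend them.
// This is a constructed format, not Silent Circle's or Blackphone's.
type Envelope struct {
	Expiry uint64 // Unix seconds after which the recipient refuses to open
	Nonce  []byte
	Body   []byte // AES-256-GCM ciphertext followed by its 16-byte tag
}

// ErrExpired is returned when the burn time has passed.
var ErrExpired = errors.New("message has burned: expiry passed")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// expiryAAD encodes the burn time as the associated data GCM authenticates.
func expiryAAD(exp uint64) []byte {
	aad := make([]byte, 8)
	binary.BigEndian.PutUint64(aad, exp)
	return aad
}

// Seal encrypts plaintext for the recipient and binds the expiry into the
// GCM tag, so the burn time travels with the message and cannot be altered.
func Seal(key, plaintext []byte, expiry time.Time) (*Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	exp := uint64(expiry.Unix())
	body := aead.Seal(nil, nonce, plaintext, expiryAAD(exp))
	return &Envelope{Expiry: exp, Nonce: nonce, Body: body}, nil
}

// Open enforces the burn time first, then authenticates and decrypts.
// "now" is a parameter so the check can be exercised without a real clock.
func Open(key []byte, env *Envelope, now time.Time) ([]byte, error) {
	if uint64(now.Unix()) >= env.Expiry {
		return nil, ErrExpired
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// Any change to Body, Nonce or Expiry in transit makes this fail.
	return aead.Open(nil, env.Nonce, env.Body, expiryAAD(env.Expiry))
}

func main() {
	key := make([]byte, 32) // constructed key; in practice agreed per conversation
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	env, err := Seal(key, []byte("privileged client memo"), time.Now().Add(time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Printf("relay sees %d ciphertext bytes and expiry %d, no plaintext\n", len(env.Body), env.Expiry)
	pt, err := Open(key, env, time.Now())
	fmt.Printf("recipient now: %q, err=%v\n", pt, err)
	_, err = Open(key, env, time.Now().Add(2*time.Hour))
	fmt.Println("recipient after burn time:", err)
}
```

The design choice worth noticing is that the expiry lives in the associated data rather than inside the ciphertext: the relay can read it and purge burned messages on its own, but if it (or anyone on the path) edits the value, the GCM tag no longer verifies and the recipient learns the message was tampered with. A genuine burn also needs the recipient's client to delete the plaintext at that time; the cryptography only guarantees that nothing the provider stored is readable without the key.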
