Tag Archives: how not to be hacked

Welcome to The Internet of Compromised Things – How not to be hacked, routers


A good write-up by Jeff addresses a problem that has existed for several years, but only recently is starting to get malicious. A few hackers demonstrated how the software running common internet modems and routers was vulnerable to attack. A few good-minded souls even wrote code to scan the internet, find them, and exploit them to install the update.

Of course, there were those who used those same routers to mine for crypto-currency and others who created attack bot networks. The article highlights how these unprotected devices are hacked and allow for anyone passing traffic through them to be infected with malware on their machine.

A good article with rather excellent tips for mitigation at the end. Very much in line with several tips I drafted for How Not To Be Hacked, the book, and some tips that didn’t make it due to complexity. If you only skim it … be sure to make it to the end where the tips are listed!!!

For security professionals Jeff raised one point that I thought was a challenge to our industry, and highlighted it below:

Buy a new, quality router. You don’t want a router that’s years old and hasn’t been updated. But on the other hand you also don’t want something too new that hasn’t been vetted for firmware and/or security issues

via Welcome to The Internet of Compromised Things.

How ridiculous our world is sometimes … buy a new router, but not too new … but also not too old. HAH… That fails the How Not To Be Hacked “Can you explain it to your grandma” test (something I learned in the Head Game). It is valid though … and reflects the challenge of security professionals.

Good write-up,

James


How Not To Be Hacked: The Definitive Guide for Regular People | RSA Conference

Live review


Ben Rothke, author of Computer Security: 20 Things Every Employee Should Know and a valuable contributor to the information security profession through sharing of research on Security Reading Room reviewed How Not To Be Hacked today. As in any moment when a person you respect reviews your work, I was struck with emotional anxiety and excitement when I saw the notification of the review. Ben’s review was honest, accurate, and I thought extremely helpful to anyone trying to uncover answers that will help their friends/family who do not hold 5+ certifications navigate the online world safely!

A snippet from his full review at RSA Conference Blog:

In How Not To Be Hacked: The Definitive Guide for Regular People, author James DeLuccia has written an extremely useful guide that offers 63 valuable tips on how and what users can do to avoid being hacked.

When the author says the book is written for regular people, he means those folks who don’t know a device driver from a digital certificate. The book is written with no techno-babble or jargon, which makes it an enjoyable read for the novice.

Posted again at How Not To Be Hacked: The Definitive Guide for Regular People | RSA Conference.

Thank you to Ben for taking the time to share his thoughts on the book!

Humbled and thankful,

James DeLuccia

Good guys win: International Criminal Sentenced to 13 Years For Identity Theft Scheme

The news is so full of the security failures and problems that it is worthwhile to pause and see the good. Ngo built a marketplace and sold identifying information about regular people – in packages that contained everything for an identity theft. He was caught and a number of his ‘customers’ in the U.S. were captured.

Details and full links below – if you were breached, consider the breach response task list from How Not To Be Hacked.

Ngo, 25, will serve 13 years in prison for hacking into U.S. business computers and stealing the information of approximately 200 million US citizens to sell to other people as so-called ‘fullz’, Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, Acting U.S. Attorney Donald Feith of the District of New Hampshire and Director Joseph P. Clancy of the U.S. Secret Service announced.

The IRS confirmed 13,673 U.S. citizens had their information sold on Ngo’s websites, with $65 million in fraudulent individual income tax returns filed thanks to his services.

source: Massive International Hacker Sentenced to 13 Years For Identity Theft Scheme | Hacked.

Best,

James

Hacking Drones Close to Being Drawn up by Boeing and Hacking Team

A high schooler could have done this, but these two didn’t get it done because of an NDA!? Sad, and it shows that sometimes progress can be derailed by the smallest of things. Passion is finicky, and when pursuing the development of new ideas it needs to be nurtured in and between organizations.

The technology already exists, and I’d bet for less than $2k it could be made operational. Perhaps we’ll see these at DefCon just to show how feasible and fun they can be in real life?

Leaked emails between Italian spyware vendor Hacking Team and Boeing subsidiary Insitu revealed that drones carrying malware to infect targeted computers via Wi-Fi by flying over their proximity is close to becoming a reality.

Spyware-carrying drones were being discussed by Insitu, a division of Boeing and now-disgraced malware firm Hacking Team, according to leaked emails from the recent breach of the Italian company which have been posted on WikiLeaks, Engadget reported.

It was only the failure to come to terms over a non-disclosure agreement that kept Insitu and Hacking Team ‘teaming up’ together in order to create the malware infesting drone.

via Hacking Drones Close to Being Drawn up by Boeing and Hacking Team.

PS: I wrote a book to help Information Security professionals share tips with the other 3.1 billion people in the world struggling to stay secure and safe online. I’d love for you to share the news and benefit from the book – How not to be hacked

Mobile ad fraud costs advertisers $1 billion a year, study says

Mobile devices are easy targets and when more dependency on wifi is enabled the conduct of fraud is easier to execute without detection. Also thinking this would be pretty to execute such advertising fraud, as described in the article, by installing similar tech onto all of the unsecured/patched/Internet of Things devices on the internet. Imagine this fraud with all of the consumer internet routers!

Details from the Fortune article:

The firm said that it tracked down more than 5,000 apps that were exhibiting suspicious behavior. It found the apps by using the real-time tracking data that it gets from the various mobile ad networks that it is integrated with, which allowed it to look for the kind of rapid ad-loading and background functions that most malicious apps exhibit…

Forensiq said its research showed that more than 13% of total mobile app inventory was at risk, and 14% of all mobile apps on iOS, Android and Windows Mobile platforms.

Over a period of 10 days, Forensiq says it observed more than 12 million unique devices with installed apps that exhibited fraudulent behavior: about 1% of all devices it observed in the U.S. and between 2% and 3% of those in Europe & Asia.

Mobile ad fraud costs advertisers $1 billion a year, study says.

… My comments on this report (not posted on Fortune due to the requirement to link a social media account):

It’d be valuable to know how those Apps identified for fraud were ranked in the ‘App stores’. This way we could identify the popularity and likely spread of these apps. The 12 million figure is large, but out of a possible 1.3 billion devices it is hard to understand the sampling effect.

I’d love more intelligence on the ‘what’, so that regular readers of the article and users of the devices could clean out these Apps off their devices.

Gotta love Blackhat and DefCon week! All the research docs are released.

James

1 Billion Data Records Stolen in 2014, WSJ

A nice summation of the Gemalto report regarding the data breaches in 2014.

Identity theft was by far the largest type of attack, with 54% of the breaches involving the theft of personal data, up from 23% in 2013.

Data records are defined as personally identifiable information such as email addresses, names, passwords, banking details, health information, and social security numbers.

via 1 Billion Data Records Stolen in 2014, Says Gemalto – Digits – WSJ.

Key points:

  1. 4% of the data breached was encrypted – demonstrating its effectiveness and its still lacking proper adoption
  2. 78% of breaches were from U.S. companies, followed by the U.K.

Lessons abound, and I am working on publishing a new piece on the evolution of these breaches, and how “we” have misinterpreted the utility of this data.

On a similar topic, please join me in working to build leading habits for everyday users to minimize the impact of these breaches at – http://www.hownottobehacked.com my new research project.

Best,

James

How a leader works across teams – Battlefield Leadership series

La Fiere

At La Fiere Bridge and throughout Normandy on the day of the invasion, soldiers were separated from those that they had trained with for over two years. The leadership ranks and familiarity were lost. Most men were in the wrong place, unsure of their location, without their gear, and were forced to proceed alone. The training of regrouping and proceeding did not serve the Airborne well on that first morning of battle.

What could be described as a case study in disaster is instead one of success. These individuals proactively began to join up with other members of the Allied forces. As the groups grew from two, to four, to ten, and onward, the natural command structure came into force. The individuals became effective in their fields and began to seek out their objectives as a whole.

This was possible due to the training instilled in each other, the respect they had for service they were in, and the ingrained ‘take-the-initiative’ culture of each leader. This was certainly true for the Airborne, but also can be found with the Infantry landing on the beaches.

Business Reflections…

The success here is broken down to two main areas: respect and training. Each individual knew what was demanded of them and what was demanded of the individuals around them. There was an appreciation and respect for the chain of command and authority. This respect was carried from the training to the battle fields. Leaders demonstrated their experience and capability with the troops from the beginning up to the bitter end.

Following the military analogy in business, the battle at La Fiere Bridge conveys a need to have an organization that promotes respectable individuals based on skill and capability. Business success also requires some form of hierarchy that instills direction and command within the units. The hierarchy in some businesses can be quite flat, but even in the flattest organization there are those who are the ‘go-to’ employees due to experience, budget, and capability to make larger company decisions. This business structure also allows for the smallest of groups to function without the most-senior leadership, so long as there is some senior party involved.

If an organization establishes the first two baseline requirements (skill and capability), it is able to mix individuals and teams together on an as-needed basis. The caveat here is a shared awareness on the ‘command objective,’ or simply ‘the big picture.’

The potential to mix resources has proven highly effective in every branch of the military and is true in business as well. Deploying a team of pure technical individuals is a mistake, and one of only business-minded individuals is similarly at risk of failure. The benefits of diversity within an organization are innumerable. The key here is to instill a level of respect through authority, experience, and competency among diverse crowds.

Takeaways:

  1. Does your organization have a hierarchy that is based on merit?
  2. Is the culture of your business one that respects the established hierarchy?
  3. Is the command objective known?
  4. Is the capability and competency of all levels consistent to allow for the smallest teams to achieve command objectives?
  5. What is the effective size of the teams and what supports are offered to the teams?

What is Battlefield Leadership and what is this series about … 

This is the final paper in this series. As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs specifically in the online services / cloud leader space). Personally I am bringing these lessons to bear within my pursuits to cross the chasm. Too often I see brilliant technical individuals fail to communicate to very smart business leaders and to the common person on the street. My new book – How Not to be hacked – seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting, the Battlefield group placed this training in Normandy, France. This allowed senior executives to be trained in a setting where serious decisions were made by both sides, and each provided a lesson. This series represents my notes (those I could take down) and takeaways. I share to continue the conversation with those great individuals I met, and with the larger community.

Kind regards,

James