Tag Archives: hackers

Appalling Violations of Basic Principles

Cyber / Information Security can’t be that hard, can it? The guidelines are available, the principles are available, the regulations exist, and if you’re in the government, the NIST docs and FISMA exist, too. I teach my students in our Cyber Security I (Fundamentals of Information Security) course that if you need to secure your business, there’s no better place to start than to use the NIST 800-series docs as a guideline. And yet, as described in the New York Times article on the Chinese hack into the Office of Personnel Management, a lot of the basic principles were violated. Some of the violations described were:

  • Failure to inventory computers, especially laptops containing sensitive information (or even those that didn’t contain that kind of information)
  • Failure to require secure passwords, and to change those passwords regularly, according to a schedule
  • Failure to install the necessary security & update patches
  • No firewall set up, and no Intrusion Detection and Prevention Systems (IDPSs) set up
  • Failure to encrypt data
  • Failure to monitor the network (again, IDPSs would be one component of doing this)

All of these precautions are not only in the textbook we use for our first Cyber Security course, they’re in the NIST docs that the government requires its personnel to use as guidelines for managing information security.  It’s just astounding that the very principles set forth by the federal government for their own agencies to use, very valid principles, were not followed by a governmental agency.

Perhaps the students we graduate from our program at Armstrong will go into government service and help straighten them out.

It’s impossible to stop the hackers, or is it?

Knowing that I’m a professor of IT who teaches Cyber Security, one of the questions I am repeatedly asked (usually, it’s more of a statement than a question) is: “it’s just impossible to stop ‘them’ (substitute criminals, China, N Korea, etc. for “them”) from hacking.” Those who ask this (or perhaps, state it to me) just throw up their arms as if it’s a foregone conclusion.  But I posit that it’s NOT.  To quote the cartoon character Pogo (paraphrased from US Navy Commodore Oliver Hazard Perry in the War of 1812), “we have met the enemy, and he is us.”  That’s right, you just cannot remove people from the system.  And consequently, you just cannot remove the lunk-headed, misguided, or just plain ignorant (accidental) things that people do from a computer system.  When people click on links in spear-phishing e-mails, they’re compromising their entire network, because that link may drop malware onto their networked desktop.

In the opinion section of today’s CNN, in the article “Why the Cyberattacks Keep Coming,” Associate Professor Arun Vishwanath of the State University of New York at Buffalo makes that very claim – that we are the insiders who unintentionally, and accidentally, hand over the keys of the network to the bad guys.  He gives two good reasons why insiders (employees) accidentally give over the keys to the kingdom to hackers.  The second is something that I teach my students here at ASU over and over again, and I’ve made mention of this in several presentations and TV interviews:

The second problem stems from people’s cyber habits, where many online actions such as checking emails and texting have become so routine that people are often unaware of when they perform these behaviors. As a result, many people quickly open emails or mindlessly click on links and attachments with nary a thought of its consequences. Smartphones, which the majority of us now use to connect to the Internet, have further exacerbated the problem by making it possible for people to check email frequently while simultaneously being engaged in a number of other activities. Smartphone apps and screen sizes also restrict how much information is presented, which can make it difficult to check the veracity of an email even if one is so inclined.

I often teach that users need to “mouse over” a link in an e-mail to see where it’s actually going before clicking on it. Once you see that the link goes somewhere other than where you thought it was going, you’ll know enough not to click on it, and to delete the e-mail. He makes that point – that we need to train users how to spot a fraudulent e-mail. I use the Sonicwall e-mail test in my classes (and presentations) to show people how to spot one.
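The “mouse over” check can also be done programmatically, for example by a mail gateway or a classroom demo: compare the domain shown in a link’s visible text with the domain its href actually points to. The following is an added example written for this post (not code from the article or from Sonicwall); the e-mail body and domain names are constructed, and the two-label “registrable domain” rule is a simplifying assumption.

```python
"""Flag e-mail links whose visible text names one domain while the href
points to another: the 'mouse over' check, done in code."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    # Assumption: the last two labels identify the site (www.x.com -> x.com).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return (href, text) pairs where the text looks like a domain or URL
    but does not match the domain the href really goes to."""
    p = _LinkCollector()
    p.feed(html)
    flagged = []
    for href, text in p.links:
        if "." not in text or " " in text:
            continue  # plain words like "Help center" cannot mislead by domain
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        target = registrable(urlparse(href).hostname or "")
        if registrable(shown_host) != target:
            flagged.append((href, text))
    return flagged


# Constructed sample e-mail body, not a real message.
SAMPLE = ('<p>Your account needs verification.</p>'
          '<a href="http://login.example-bank.co/verify">www.examplebank.com</a>'
          '<a href="https://www.examplebank.com/help">Help center</a>')
```

Running `suspicious_links(SAMPLE)` flags only the first link, whose text says examplebank.com while the href goes to example-bank.co.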

We’ve all just become so used to technology that we expect anti-virus software, firewalls, etc., to do the job for us, when, in fact, we need to become more tech-savvy and do the job for ourselves.  Since so many attacks are caused by hackers looking for information that we have provided them, we all need to be trained to reject their advances and ensure that we don’t make their job easier by falling prey to their lures.

I’ll have a little hack with that latte

It’s become so easy to use our phones to pay for goods, especially on the go.  While many of us use our debit/credit cards, loaded into an app, to pay for an item from our phone, the proliferation of third-party apps that allow us to do this has made it even easier. Unfortunately, many of us don’t realize that there’s a double-edged sword to using those third-party apps . . . they can be hacked.

The latest victim in the never-ending fight to keep our data secure is the Starbucks app, which allows us to pay from our smartphone, whether it’s an Android or iPhone device.  As Bob Sullivan’s article (he has his own “Red Tape Chronicles” site) on NBCNews.com describes, hackers have found a way into the Starbucks app through the auto-reload feature of the app (and its associated gift card) to drain the Starbucks account, automatically reload the account against the registered gift card, and then drain that as well.

But what’s more insidious about this hack is that the auto-reload feature of the app, associated with the Starbucks card, is auto-reloaded from a linked debit or credit card.  So the perpetrators are stealing from the debit or credit card you used to auto-reload your Starbucks card (app). It’s so convenient to auto-reload from that stored card, you just don’t think about it.

Starbucks likes the app because it reduces credit-debit card interchange transaction fees and it improves customer loyalty.  And admittedly, although this hack has occurred, it’s not widespread.  In addition, Starbucks states that

“We take the obligation to protect customers’ information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers,” said spokeswoman Maggie Jantzen. “Our customers’ security is incredibly important to us and we take all these concerns seriously. … Customers are not responsible for charges or transfers they didn’t make. If a customer registers their Starbucks Card, their account balance is protected by Starbucks.”

Still, how can you protect yourself against this hack?  There are several things you can do:

  • Use good old cash to buy your coffee.
  • Use your credit card (although, as pointed out above, Starbucks doesn’t prefer that you use this method)
  • Use your Starbucks card/app, but limit the amount of money you have in it at any given time, AND, most importantly, do not implement the auto-reload feature AND do not tie it to any given credit or debit card.  In other words, DON’T SAVE YOUR CC/DC IN THE STARBUCKS APP.  You want to reload some $$ into it?  Fine, do it with a small amount of money (maybe $5 or $10) and DON’T save that CC/DC.  It may be annoying, but just manually enter it each time.
  • Or, better yet, brew it at home, and take it with you, or brew it in your office (if it’s allowed)

So does life imitate art, or is it vice-versa?

A few weeks ago, I guess at the beginning of March, CBS debuted its much-hyped fourth venture into the Crime Scene Investigator world – CSI Cyber.  It didn’t hurt that the lead FBI agent, Patricia Arquette, had just won the Academy Award for Best Supporting Actress, a point not lost on CBS, who made no bones about that in their advertisements of the show once she had won it.  Considering that I enjoyed her performance in NBC’s Medium, and that I teach Cyber Security, I figured I’d give it a try.

Now I’m no media critic, but to me, the characters were not only stock characters from central casting, they just didn’t ring true.  The technical constructs also did not ring true – I don’t know of any code editor that will display malicious code in red.  But the one thing that seemed incomprehensible, even in this day of the Internet of Things (IoT), was that the central premise of the premiere episode was that someone was hacking into bedroom baby-cams in order to use them to kidnap babies.  The “unsubs” as they are known, were hacking in, making it seem like the children were still in their cribs, breaking into homes, and taking the children.  The whole thing sounded preposterous, until . . . I read the Computerworld story “wireless baby cam hacked,” which reports:

It didn’t happen just once, an unnamed mom told KTTC. “We were sleeping in bed, and basically heard some music coming from the nursery, but then when we went into the room the music turned off.” At one point, the family faced the camera “toward the wall, and then a few hours later we accessed the Foscam, and it wasn’t facing the wall, it was facing the closet.”

“We were able to track down the IP address through the log files within the Foscam software and found out that it was coming from Amsterdam,” the mom said. “That IP address had a web link attached to it.” After following the link, she found, “at least fifteen different countries listed and it’s not just nurseries — it’s people’s living rooms, their bedrooms, their kitchens. Every place that people think is sacred and private in their home is being accessed.”

After searching through “thousands and thousands” of pictures coming from IP cameras, the family saw their nursery. “You can literally just sort by whatever country suits your fancy, and whatever room suits your fancy,” the mom said. “It’s pretty sick.”

So now we have to worry about baby-cams REALLY being taken control of by wireless intruders.  What’s the recommendation to mitigate this bizarre threat?  Like any other device, it has firmware.  And that firmware needs to be updated, because just like any other firmware, security patches are included in it.  So if you have a Foscam baby-cam, you need to make sure that its firmware is current.

But that’s not all. Even if your WiFi router/access point is password-protected (and hopefully, with something more secure than the default password or just “password” or “123456”), the Foscam baby-cam can be password-protected, too.  And it needs to be.  And it needs to be with some password that’s more secure, again, than just a default, or “password”.  Now, it’s true that the current version of the Foscam baby-cam forces the user to change the default password when setting it up, but if you’ve got an older one, older than one year ago, you need to change that password (or perhaps, enable one if it doesn’t even have one), NOW.

Danger lurks in the “Internet of Things”

In How the Internet of Things Opens Your Home to Cyberthreats, the article begins by stating that “Frankenmeat” isn’t the only thing you have to worry about in your refrigerator.  And in our ever-connected world, what sounds like science fiction may (or, perhaps, has) become science fact.  Maybe you want your refrigerator to send a message to your Android phone that you’ve run out of milk, but there’s a danger in that.  The same refrigerator that allows you to key in a list of items to purchase at the grocery, and sends it to your smartphone, must have an IP address to do it.  And any device that has an IP address and is not secured can be susceptible to malware.  I’m not sure what a hacker would do with your refrigerator itself, but just think if you posted what you thought were seemingly confidential notes on your refrigerator’s “notepad.”  A hacker could gain access to that list.

The concept of the Internet of Things (IoT) is growing.  More and more seemingly unconnected machines are becoming connected.  You just have to have a new car that allows you to connect to Facebook (forget the safe driving, driving while distracted issues for a minute), or Pandora.  How do you think that car’s console is going to make that connection?  Your car has an IP address.  What if a hacker gets into your onboard computer, and just shuts down your car while you’re driving?  OK, so that’s somewhat unlikely.  But you had to sign into Facebook, even in your car, with your userid/password combination.  And now what happens if a hacker, and especially a criminal hacker, can access that information?  All of a sudden, information that you thought was secure has now been compromised.

So before you start connecting all of your “things” to the Internet, you had better think about how you’re going to secure them.  Or . . . alternately, don’t connect them in the first place.