Password reuse in different smart home products

Researchers from Ben-Gurion University of the Negev have found that smart home devices can be easily hacked and then used to spy on their users. In their research paper, Omer Shwartz et al. analysed the practical security level of 16 popular IoT devices, ranging from high-end to low-end manufacturers.

Amongst other things, they discovered that similar products sold under different brands share the same default passwords. In some instances, the authors report, such passwords were found within minutes, sometimes simply by a web search for the brand. Devices in their study included baby monitors, home security and web cameras, doorbells, and thermostats. Using such devices in their lab, they were then able to, for example, play loud music through a baby monitor, turn off a thermostat, and turn on a camera remotely.

Exactly as I argued today in my PerCom’18 presentation in Greece, manufacturers should avoid easy, hard-coded passwords, and should be held more accountable for their products and services. At the same time, the end-user, as a countermeasure, should try to change default passwords or to disable privileged accounts on the device; with hard-coded credentials that is often not possible, which is precisely why the burden must sit with the manufacturer. But, ultimately, security should never be an afterthought; it should be built in from the beginning of the development lifecycle.

In our own work, we have identified hundreds of insecure smart connected cameras deployed on the Internet around the world. Similarly, we observed that most vendors left their default passwords inside the devices, or exposed banner information with sensitive data, e.g., firmware version, port numbers and manufacturer name, that can be used to compromise the security and privacy of householders, business owners, and more.


Data Privacy: 5 Tips to Protect Your Privacy

With the dawn of the digital age, we readily share personal information without a second thought. Seemingly small decisions, like giving an application access to our social media account, might seem of little importance, but can have lasting negative effects on our lives. The accumulation of such rapid decisions is what ultimately puts us at risk.

Oftentimes, we post our life story online on social media, including the most mundane details. This begs the question: do we, as digital consumers, value the right to privacy when we share information so freely? Most experts would argue that we do not. By that reasoning, companies may not be inclined to spend effort protecting something that is not valued, or is rather undervalued.

In the current technology landscape, protecting our data may seem unmanageable, but that is not entirely the case. Below are five tips we can follow to gain better control over our data privacy:

Read and Learn: Stop absentmindedly agreeing to privacy and security settings. Take the time to read and learn about how your data is being collected and how it is being used.

Share with Care: Before you share any personal information, think about how that data could be used against you. Putting a figure on the cost of unauthorised disclosure makes us appreciate the value of our identity.

Click with Caution: Phishing scams are a common way for malicious threat agents to steal our personal information. If a link or post looks suspicious, do not open it; simply delete it.

Make Smart Choices: When using technology, research and select companies that are serious about privacy. Sometimes it is better to pay a bit more than to buy a cheap product. Losing your personal data can be costlier than a cheap device.

Re-evaluate Your Settings: Take the time to reassess your privacy settings, as they may be outdated. Ask yourself how an intruder might exploit your current settings, and what they could learn about you if they did.

If you want to learn more about similar risks and further mitigations you can adopt to protect your privacy, subscribe to this blog, follow me on Twitter, and feel free to get in touch with me.


Risks to Consider Before Buying a Smart Home Device

People are increasingly buying voice-activated speakers (also called digital voice assistants or intelligent personal assistants) and other smart devices for convenience, security and entertainment. But doing so blindly, without assessing the risks involved, can give intruders an open window into our homes and personal lives. Here are some risks you may want to consider before purchasing a smart device for your house:

Listening In: Many new devices ship with built-in microphones. Devices in this category include smart speakers such as Amazon Echo and Google Home, as well as smart TVs, TV streaming devices and Internet-connected toys. Many of them are constantly listening for your commands and, when they hear one, connect to corporate servers (which can be located anywhere in the world) to satisfy your request. What if you are having private conversations at home? Are these being sent to the Internet without your awareness? Indeed, some devices do just that (and yes, you may have unknowingly accepted the vendor’s privacy policy or terms of use, if one exists!). What can you do? Devices typically have a mute function that disables the microphone(s). But the question remains: can we actually verify what the manufacturer promises? And once data has been sent over the Internet, can it really be removed? I highly doubt that.

Watching You: Cloud security cameras let you check in on your pets, children and home while you are away, typically through your smartphone, tablet or another handheld device. Some cameras routinely send video footage to online storage; others do so only when triggered, for example by a motion sensor (typically signalling that an intruder or an unauthorised visitor is nearby). Reputable brands are likely to take security seriously, but no system is bulletproof. If you want to stay extra vigilant, you might turn the camera to face the wall or unplug it altogether when you do not intend to use it. However, this is not a viable solution for many. Thus, my suggestion is that you carefully inspect the device’s technical specification and assess whether the company takes security and privacy seriously!

Digital Trails: Smart locks let you unlock doors from anywhere with an application installed on your digital devices. With this, you can let in guests even when you are away or have your hands full (yes, you can also connect your smart lock to a digital voice assistant). Similarly, landlords can automatically disable your digital key when you move out, and parents can keep an attentive eye on when their beloved teens come home. At the same time, intruders may attack the system not only physically, with hardware tools, but also remotely, with software tools aimed at the app, the cloud service or the wireless link. Smart locks also pose a privacy risk, as every use of a digital key leaves a trail; that same trail can be useful in a forensic investigation. This is the added attack surface these devices bring into our lives and into our homes.

In this article, we have only scratched the surface of the risks brought by smart devices. If you want to learn more about the risks of purchasing smart home devices, as well as about the different types of intruders spying on your home, take a look at my paper.

Protecting your Organization from Ransomware

Ransomware will either encrypt the data on a device and demand a ransom to decrypt it, or lock the system and render the entire device inoperable. In both cases the effect can be huge, possibly bringing an organisation to a grinding halt.

How can you protect yourself against ransomware? It is an urgent question, as organisations face a clear and present danger.

Protect yourself: Protection begins at the endpoint, with proper patching. In the interim, one can take advantage of ‘micro-patching’ services that protect vulnerable applications without modifying their binaries on disk. For true protection, however, adopt multi-layered (defence-in-depth) protection. Implemented properly, this will keep the data safe even if endpoint or server anti-ransomware protection fails.

Cloud-based backup: Cloud-based backup is one solution, providing regular backups to a location other than your network drives. Its advantages include the ability to schedule high-frequency snapshots, so that you can maintain a narrow recovery point objective should you need to restore after a ransomware attack. It can also be far easier to test restoration from a cloud-based backup than from removable storage, because the data is available online. One caveat: the backup must not be writable or deletable with credentials held on the endpoint, and previous versions must be retained; otherwise ransomware that reaches the endpoint can encrypt or delete the backup too.

Organize your files: Once you have established a solid backup workflow, it is time to build your need-to-restore list. Look at how you organise and tag individual files, perhaps by business process or sensitivity. A file tagging system, along with a complementary file discovery tool to gather and categorise your existing files, helps here. Finally, use a robust monitoring solution to ensure that the new file management regime you have put in place stays in place.

Ransomware is getting nastier, and more pervasive. So you have to get smarter, and more resilient. By putting multi-layered defences in now, you will save yourself some serious headaches in the future.


BYOD – Risks and Mitigations

Bring Your Own Device (BYOD) is a policy that allows employees to bring their own devices to the workplace and use them there. This helps attract and retain employees. At the same time, it saves the company money, as it may not need to procure new hardware. But BYOD implies that employees use their own devices to access and use corporate resources.

This brings security risks to an organisation:

  • People outside the company can get access.  Outsiders gain access when devices are stolen, or when employees leave the company with corporate data still on their devices.
  • Devices leave the company environment.  Devices taken outside the office still carry important information and may connect to insecure networks elsewhere.
  • Devices might not be updated with the latest security patches.  BYOD devices may not be protected as extensively as devices under the direct control of the company's IT department.

To limit the downside and keep possible damage to a minimum, it helps to:

  • Have a clear policy and rules to enforce it.  A well thought out BYOD policy lets an organisation set rules that everyone understands, including the reasoning behind them.
  • Have an active mobile device management solution.  Even if the company owns no mobile devices itself, mobile device management is needed to keep company-controlled data and applications separated from private ones, and to wipe the corporate data when a device is lost or an employee leaves.
  • Use strong authentication and encryption.  Strong authentication stops whoever picks up a stolen device from using it to reach corporate resources, and ties every access to an identifiable user. Encryption keeps communications and stored data safe from prying eyes.

BYOD allows a more fluid and flexible working environment. At the same time, it pokes holes in the company's perimeter and brings new security risks. To mitigate these, a strong cybersecurity policy and clear security controls must be implemented, as we touched on in this article.

IT Practices That Put Enterprises at Risk

Many IT organizations leave their enterprises vulnerable to cyber attacks because they overlook a number of simple tasks. Although no single solution or approach will keep an organization completely protected, there are some things to avoid so that IT teams can shore up their security posture and keep improving it to match the advancing threat.

1. Using Old Printers: Surprisingly, office printers present three threat vectors. First, printers store images of the documents they process, often on internal storage that outlives the print job. Second, IT staff often miss firmware updates or news of exploitable vulnerabilities in office equipment. Tracking firmware updates and doing routine update checks is a good idea; if you can’t keep up with multiple vendors' patches, at least isolate printers on a separate VLAN with access limited to the core printing protocols. Third, third-party vendor access can cause issues. Managed providers often hold VPN credentials so they can perform maintenance and take inventory. This is another gateway into your environment and a third-party exposure that must be monitored. Limit their access as much as possible and require that it follow least privilege.

2. Disregarding Alerts: The average enterprise generates nearly 2.7 billion actions from its security tools per month, according to a recent study from the Cloud Security Alliance (CSA). A tiny fraction of these, less than 1 in 100, are actual threats. Too many incoming alerts create a general sense of overload for anyone in IT. Cybersecurity practitioners must implement a better means of filtering, prioritizing and correlating alerts into incidents. Executives should have a single platform for collecting data, identifying cyber attacks and tracking resolution. This is the concept of active response: not only identifying threats, but being able to respond to them immediately as well.
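The filtering, prioritising and correlating step described above, as an added example that is not code from the original article. The alerts, severity weights, asset criticality table and thresholds are all constructed for illustration; a real deployment would read alerts from the SIEM and tune the windows and weights to its own environment.

```python
"""Filter, prioritise and correlate raw security alerts into incidents.

Added example (not from the original article). Alerts, severity weights,
asset criticality and thresholds below are constructed assumptions.
"""
from datetime import datetime, timedelta

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}
ASSET_CRITICALITY = {"dc01": 3.0, "fileserver": 2.0}   # every other host 1.0
DEDUPE_WINDOW = timedelta(seconds=60)     # same (host, rule) inside this = one alert
INCIDENT_WINDOW = timedelta(minutes=30)   # a gap longer than this splits incidents
ESCALATE_SCORE = 15.0                     # above this a single rule still escalates

# Constructed alerts in the shape a SIEM export might take; not real telemetry.
SAMPLE_ALERTS = [
    {"ts": "2018-03-01T09:00:05", "host": "ws-042", "rule": "av:quarantine", "severity": "low"},
    {"ts": "2018-03-01T09:00:06", "host": "ws-042", "rule": "av:quarantine", "severity": "low"},
    {"ts": "2018-03-01T09:00:07", "host": "ws-042", "rule": "av:quarantine", "severity": "low"},
    {"ts": "2018-03-01T09:02:00", "host": "ws-042", "rule": "edr:office-spawns-powershell", "severity": "high"},
    {"ts": "2018-03-01T09:03:10", "host": "ws-042", "rule": "proxy:beacon-periodic", "severity": "medium"},
    {"ts": "2018-03-01T09:10:00", "host": "dc01", "rule": "auth:ntlm-relay-attempt", "severity": "high"},
    {"ts": "2018-03-01T11:30:00", "host": "ws-017", "rule": "av:quarantine", "severity": "low"},
    {"ts": "2018-03-01T11:45:00", "host": "ws-017", "rule": "av:quarantine", "severity": "low"},
]


def parse(alerts):
    """Copy the alerts with real datetimes and sort them chronologically."""
    out = []
    for a in alerts:
        b = dict(a)
        b["ts"] = datetime.fromisoformat(a["ts"])
        out.append(b)
    return sorted(out, key=lambda a: a["ts"])


def dedupe(alerts, window=DEDUPE_WINDOW):
    """Collapse repeats of the same (host, rule) inside `window`, keeping a count."""
    kept = []
    last = {}   # (host, rule) -> index of the alert it was folded into
    for a in alerts:
        key = (a["host"], a["rule"])
        if key in last and a["ts"] - kept[last[key]]["ts"] <= window:
            kept[last[key]]["count"] += 1
            continue
        last[key] = len(kept)
        kept.append(dict(a, count=1))
    return kept


def make_incident(host, items):
    rules = sorted({a["rule"] for a in items})
    base = sum(SEVERITY_WEIGHT[a["severity"]] for a in items)
    # Several distinct detections on one host in a short window are the real
    # signal, so each additional technique observed raises the score by half.
    score = base * ASSET_CRITICALITY.get(host, 1.0) * (1 + 0.5 * (len(rules) - 1))
    return {
        "host": host,
        "start": items[0]["ts"],
        "end": items[-1]["ts"],
        "rules": rules,
        "alerts": sum(a["count"] for a in items),
        "score": score,
        "escalate": len(rules) >= 2 or score >= ESCALATE_SCORE,
    }


def correlate(alerts, window=INCIDENT_WINDOW):
    """Group each host's alerts into incidents, splitting where the gap exceeds `window`."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    incidents = []
    for host, items in by_host.items():
        current = [items[0]]
        for a in items[1:]:
            if a["ts"] - current[-1]["ts"] > window:
                incidents.append(make_incident(host, current))
                current = []
            current.append(a)
        incidents.append(make_incident(host, current))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def triage(raw_alerts):
    """Raw alert feed in, prioritised incident queue out."""
    return correlate(dedupe(parse(raw_alerts)))


if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        flag = "ESCALATE" if inc["escalate"] else "queue"
        print(f"{flag:8} {inc['host']:10} score={inc['score']:5.1f} "
              f"alerts={inc['alerts']} rules={inc['rules']}")
```

On the sample feed the eight raw alerts become three incidents: the workstation with three different detections in four minutes comes out on top, the domain controller second because of its asset weight, and the two isolated antivirus quarantines on ws-017 stay in the queue.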

3. Giving Away Admin Rights: Administrative rights arm malware and other unwanted applications with the authority needed to damage an enterprise. Requiring administrator credentials to install new applications tremendously cuts down threat exposure. It also creates an audit trail that lets security analysts rapidly identify issues, especially those that show signs of intrusion. Any grant of administrator rights must come with a degree of risk analysis by the IT department: what damage is possible if the account is compromised, and what ripple effect would its administrative rights have on secondary systems? Administrator access should be the exception, not the norm.

4. Ignoring Employee Apps: Do you really know what cloud services are being used on your network? Many organizations look the other way when employees use social media and cloud services on their own. But an IT crisis can be quietly brewing as business users build their own IT infrastructure without any adherence to corporate policy. Monitoring cloud application connections gives visibility into unapproved software-as-a-service use and limits the potential loss of intellectual property or sensitive information. Cloud access security broker (CASB) solutions proxy outbound traffic to cloud applications and offer a detailed view of user behaviors.

5. Being Unprepared for Device Loss: Road warriors often fall victim to theft or leave a laptop or smartphone in a taxi, never to be seen again. This can be a non-event if the device is remotely managed and encrypted, but a major threat if it contains unsecured sensitive data. IT administrators need to know what data is stored where. If any of it is sensitive, they should ensure that devices use full-disk encryption, that remote wipe is available, and that remote access credentials such as VPN certificates can be revoked the moment a loss is reported. Documenting that devices are encrypted and properly locked down will also go a long way in the event of a data leak.

As cyberthreats have evolved, so has incident management. What hasn’t changed, unfortunately, is the need to address the simple and often tedious IT practices that, when ignored, threaten enterprise security. From forgetting to revoke administrative privileges to leaving third parties with access to printers, the common cybersecurity challenges enterprises face can be fixed, putting them in the best position to address current and evolving threats.

Protecting your online privacy

In recent years, products intended to deliver conveniences directly to our doorsteps have begun to present tacit privacy intrusions into the modern home. Always-on smart speakers from online retailers, e.g. Amazon Echo, make it easier than ever to order products, but they also enable those companies to listen to our every word. The same companies are monitoring our behaviours across the Internet.

“Google knows quite a lot about all of us,” said cybersecurity expert Bruce Schneier in a recent interview with the Harvard Gazette. “No one ever lies to a search engine. I used to say that Google knows more about me than my wife does, but that doesn’t go far enough. Google knows me even better, because Google has perfect memory in a way that people don’t.”

Giant corporations like Google aren’t the only ones intruding into our daily lives to collect personal data for financial gain; cybercriminals are intent on doing the same. Crimes such as identity theft and extortion can be carried out with stealthy malware, such as remote access tools (RATs) used to spy on users via their laptop webcams.

Until there’s a major shift in our society’s attitudes (and public policies) toward Internet privacy, the duty falls on individual users to safeguard their own private data, identities, and other sensitive information. Here are some tips to take back control over your privacy:

Configure your web browser to delete cookies when it closes. You can also take control of other advanced privacy features in your browser for greater control over what you share with the websites you visit.

Cover your webcam with tape, a sticker, or something else that can block the camera lens and also be easily removed when you need to use it.

Don’t share sensitive information on social media. Check your privacy settings on sites like Facebook and Twitter and make sure only your trusted followers can see your complete profile. For instance, do your Facebook friends really need to know your real birthday? Deliberately sharing a fake birthday on social media can be a crafty way to enhance your privacy.

Lock your screens. All of them. Losing a device like your laptop or smartphone could spell disaster if it ended up in the wrong hands. Strong, uncommon PINs and passwords lock your devices against would-be thieves; pair them with full-disk encryption, since a screen lock alone does not stop someone reading the storage directly.

Use fake answers for password security questions. Honest answers to security questions can often be found with just a little online digging. Why can’t your mother’s maiden name be “7O7F1@!3kgBj”? This brings us to our next tip…

Use a password manager app to generate and store strong, unique passwords for all of your accounts. (A password manager can also safely store those fake security answers mentioned above.)

Use security software to monitor and protect your digital devices from threats like malware, spyware, and phishing attacks, which can steal your private data.

Cloud Recon

These days many organizations have migrated at least some of their IT services to a cloud environment. Cloud adoption could be as basic as the use of Microsoft Office 365 on some workstations, or much more comprehensive, such as a fully integrated Azure or Amazon AWS infrastructure. With this increased importance comes an increased level of risk, which needs to be taken into account when allocating resources to security tasks. This is especially true for regular penetration testing and vulnerability scanning of cloud services.

Reconnaissance and enumeration: When it comes to penetration testing and vulnerability scanning, knowledge is everything. The more information an attacker has about a targeted organization, the easier and deeper the compromise. From a defensive perspective, the more an organization knows about its own network, the better it can protect and monitor it. There are many ways to gather this information, both passively (reconnaissance) and actively (enumeration).

DNS Records: The first step in (public) cloud reconnaissance is to identify whether the target uses any cloud services and, if so, which. The best way to do this is to query specific DNS records. MX records direct e-mail to a company’s mail servers for processing, which means they hold important information: if they point at Microsoft’s hosted mail service, for instance, the target is likely using Office 365 for e-mail. Many other providers leave similar fingerprints in DNS, typically through the records they require for domain verification. If there is a TXT record named amazonses, for instance, the target is likely using Amazon Simple Email Service. More information is available via CNAME, SPF and similar records. Plenty of tools can extract the required DNS information; Nmap, DNSenum and dig come pre-installed with Kali Linux.
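The DNS fingerprinting described above, as an added example rather than code from the original post. The rule table uses the providers' well-known public hostnames and SPF includes (Office 365's mail.protection.outlook.com MX suffix, Google's aspmx.l.google.com, the _amazonses verification TXT label, CloudFront and S3 CNAME targets); the records for example.com are constructed, not real lookups, and `gather_with_dig()` assumes `dig` is installed and the domain is in scope.

```python
"""Fingerprint a target's cloud providers from its public DNS records.

Added example (not code from the original post). It runs offline against
constructed records; gather_with_dig() shows the equivalent live collection
and assumes `dig` is installed and the domain is in scope for testing.
"""
import re
import subprocess

# (record type, field to test, regex, provider). The hostnames and SPF
# includes are the providers' documented public values; the _amazonses TXT
# label is the one the post refers to.
RULES = [
    ("MX", "value", r"\.mail\.protection\.outlook\.com\.?$", "Microsoft Office 365 (Exchange Online)"),
    ("MX", "value", r"\baspmx\.l\.google\.com\.?$", "Google Workspace (Gmail)"),
    ("MX", "value", r"\.pphosted\.com\.?$", "Proofpoint (mail filtering)"),
    ("TXT", "value", r"include:spf\.protection\.outlook\.com", "Microsoft Office 365 (SPF)"),
    ("TXT", "value", r"include:_spf\.google\.com", "Google Workspace (SPF)"),
    ("TXT", "value", r"include:amazonses\.com", "Amazon SES (SPF)"),
    ("TXT", "value", r"^MS=ms\d+", "Microsoft 365 (domain verification)"),
    ("TXT", "value", r"^google-site-verification=", "Google (domain verification)"),
    ("TXT", "name", r"^_?amazonses\.", "Amazon SES (domain verification)"),
    ("CNAME", "value", r"\.s3(-website)?([-.][\w-]+)?\.amazonaws\.com\.?$", "AWS S3 (bucket/website)"),
    ("CNAME", "value", r"\.cloudfront\.net\.?$", "AWS CloudFront"),
    ("CNAME", "value", r"\.amazonaws\.com\.?$", "AWS (other endpoint)"),
    ("CNAME", "value", r"\.azurewebsites\.net\.?$", "Azure App Service"),
    ("CNAME", "value", r"\.trafficmanager\.net\.?$", "Azure Traffic Manager"),
]
# An MX or CNAME record names one service, so stop at the first rule that
# fires (the specific S3 rule is listed before the generic AWS one). A single
# SPF TXT record can legitimately name several senders, so keep matching.
FIRST_MATCH_ONLY = {"MX", "CNAME"}


def fingerprint(records):
    """Return {provider: [record values that revealed it]}."""
    found = {}
    for rec in records:
        for rtype, field, pattern, provider in RULES:
            if rtype != rec["type"]:
                continue
            if re.search(pattern, rec[field], re.IGNORECASE):
                found.setdefault(provider, []).append(rec["value"])
                if rtype in FIRST_MATCH_ONLY:
                    break
    return found


def gather_with_dig(domain, prefixes=("", "www.", "_amazonses."), types=("MX", "TXT", "CNAME")):
    """Live collection via `dig +short` (not exercised offline).

    TXT answers come back quoted, sometimes as several quoted chunks; they are
    joined so an SPF record is matched as one string.
    """
    records = []
    for prefix in prefixes:
        name = prefix + domain
        for rtype in types:
            proc = subprocess.run(["dig", "+short", rtype, name],
                                  capture_output=True, text=True, check=False)
            for line in proc.stdout.splitlines():
                line = line.strip()
                if not line:
                    continue
                if rtype == "TXT":
                    line = "".join(re.findall(r'"([^"]*)"', line))
                records.append({"name": name, "type": rtype, "value": line})
    return records


# Constructed records for a hypothetical example.com; not the result of real lookups.
SAMPLE_RECORDS = [
    {"name": "example.com", "type": "MX", "value": "0 example-com.mail.protection.outlook.com."},
    {"name": "example.com", "type": "TXT",
     "value": "v=spf1 include:spf.protection.outlook.com include:amazonses.com -all"},
    {"name": "example.com", "type": "TXT", "value": "MS=ms12345678"},
    {"name": "_amazonses.example.com", "type": "TXT", "value": "abcdefghijklmnopqrstuvwxyz0123456789ABCDEF="},
    {"name": "www.example.com", "type": "CNAME", "value": "d111111abcdef8.cloudfront.net."},
    {"name": "assets.example.com", "type": "CNAME",
     "value": "assets-example.s3-website-eu-west-1.amazonaws.com."},
]


if __name__ == "__main__":
    for provider, values in sorted(fingerprint(SAMPLE_RECORDS).items()):
        print(f"{provider}: {', '.join(values)}")
```

To run it against a real domain you are authorised to test, replace `SAMPLE_RECORDS` with `gather_with_dig("target.example")`; the output of `dig` for the `www.` and `_amazonses.` labels is what exposes the CNAME and SES fingerprints, since the apex usually carries only MX and TXT.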

Network and Application Scanning:  Traditional scanners such as Nmap work against a cloud perimeter without any issues. What is new, however, is that a cloud target sits in a shared network owned by the Cloud Service Provider (CSP). To avoid any impact on other customers and any defensive or legal action from the CSP, always check the provider’s penetration-testing policy and obtain written approval before starting scans, both to and from a cloud instance (you should always do this!).

Cloud Specialized Tools: Development of reconnaissance, enumeration and exploitation tools specialized in targeting public cloud providers has been limited, but a few useful cloud-specific reconnaissance tools exist. For instance, Azurite is a reconnaissance and visualization tool that gives a good understanding of which Azure services are in use and how they are connected. An interesting development on the offensive side is the use of bots that search sites like GitHub for uploaded code that accidentally contains cloud account access (API) keys.
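The check those bots perform, turned into a local scanner you can run over your own repositories before pushing, as an added example rather than code from the original post. The access key format (AKIA/ASIA plus 16 characters, with a 40-character secret) is AWS's documented format; the sample config is constructed and uses the key pair from AWS's own documentation, which opens nothing.

```python
"""Find AWS-style access keys accidentally committed to source.

Added example (not code from the original post): the check the GitHub-scanning
bots in the text perform, run locally over a constructed config file. The
sample key pair is AWS's public documentation example and opens nothing.
"""
import math
import os
import re
from collections import Counter

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary)
# followed by 16 uppercase alphanumerics. The lookarounds stop matches inside
# longer tokens such as hashes.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
MIN_SECRET_ENTROPY = 3.5   # bits per character; genuine secrets sit well above this
SECRET_SEARCH_RADIUS = 3   # lines either side of the key id to look for its secret


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token):
    """Never echo a live credential into a report or log."""
    return token[:4] + "..." + token[-4:]


def scan_text(text):
    """Return one finding per access key id, noting lines holding a likely secret."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        for m in KEY_ID_RE.finditer(line):
            lo = max(0, idx - SECRET_SEARCH_RADIUS)
            hi = min(len(lines), idx + SECRET_SEARCH_RADIUS + 1)
            secret_lines = []
            for j in range(lo, hi):
                for s in SECRET_RE.finditer(lines[j]):
                    # filter placeholders such as a run of 40 identical characters
                    if shannon_entropy(s.group(0)) >= MIN_SECRET_ENTROPY:
                        secret_lines.append(j + 1)
            findings.append({
                "line": idx + 1,
                "key_id": redact(m.group(0)),
                "temporary": m.group(1) == "ASIA",
                "secret_lines": secret_lines,
            })
    return findings


def scan_tree(root, skip_dirs=(".git", "node_modules", "vendor")):
    """Walk a checkout and map file path -> findings."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


# Constructed sample file; the key pair is AWS's documentation example.
SAMPLE_CONFIG = """\
# constructed sample; the key pair below is AWS's public documentation example
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# decoys that must not be reported
SHAKIAAAAAAAAAAAAAAAAAAAAAB = 1
placeholder_secret = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_CONFIG):
        kind = "temporary" if hit["temporary"] else "long-term"
        print(f"line {hit['line']}: {kind} key id {hit['key_id']}, "
              f"secret on lines {hit['secret_lines'] or 'none nearby'}")
```

A key id found without its secret is still worth rotating: the bots in the text will have seen the same commit, and the secret may simply sit in another file or an earlier revision. Running `scan_tree(".")` from a pre-commit hook catches the pair before it ever reaches a public repository.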

Vulnerability scanning:  Finally, the most comprehensive but noisiest method of network reconnaissance is a vulnerability scanner. Such a scanner runs through a standard or customized profile of passive and active checks and lists the detected vulnerabilities, sometimes alongside remediation actions. The scanner can be placed inside the cloud environment, such as the Qualys Virtual Scanner Appliance for Amazon AWS. Another option is to use the Cloud Service Provider’s own security services, for instance Amazon Inspector. As with network scanning, check the provider’s policy and obtain prior written authorization where required.

It is increasingly important for any company to know what network and security information about it is publicly accessible on the Internet. After proactively gathering this information, action can be taken to limit the exposure and, with it, the security risk. Regular scans of the perimeter, analysis and clean-up of DNS records (a CNAME left pointing at a cloud resource you no longer own is an invitation for someone else to claim that resource and serve content under your name), taking obsolete services and cloud instances offline: there is much an organization can do to be proactive from a security perspective. In the end, it is critical to know what company data is out there so that it can be protected from malicious entities.


Protect Your Customers and Prevent Against CNP Fraud


Research conducted by AXA in 2016 found that in the previous year 7 in 8 purchases in Europe were made online, and with phone payments and e-commerce on the up, the threat of card-not-present (CNP) fraud will continue to rise. According to the Nilson Report, in 2015 fraud losses to merchants came overwhelmingly from CNP transactions, and the problem is only getting worse. Worldwide losses from card fraud are predicted to reach an eye-watering $31 billion by 2020.

With this in mind, there are some key practices that businesses should rely on to protect their customers from CNP fraud. Here are our top six pieces of advice:

1. Use fraud detection software: There are a number of fraud prevention tools merchants can use to pick up on fraudulent activity, including 3-D Secure cardholder authentication and web application firewalls. These supplement your payment systems and help keep your customers’ data safe by detecting illicit activity as it happens.

2. Hide your data:  Holding some customer data is sometimes unavoidable. To protect it when it is not in use, make sure it is masked wherever it is displayed and encrypted at rest; better still, do not store the full card number at all, but keep a token and the last four digits. Then a hacker who obtains the records cannot read the personally identifiable information (PII) or use it for fraudulent activity.
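What "hide your data" looks like in code for the card number itself, as an added example that is not part of the original article: a Luhn sanity check, PCI DSS-style masking (first six and last four at most) for anything shown to staff, and keyed HMAC tokenisation so the database holds a lookup token rather than the PAN. The customer id, test card number (4111 1111 1111 1111 is a standard test number) and the key handling are illustrative; real encryption of a PAN that must later be recovered needs a key-management service and is outside this snippet.

```python
"""Store card data so a stolen record reveals nothing usable.

Added example (not from the original article): Luhn check, PAN masking for
display and keyed HMAC tokenisation. The card number is a standard test
number and the key handling is illustrative; a production system would keep
the HMAC key in an HSM or key-management service.
"""
import hashlib
import hmac
import secrets


def _digits(pan):
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan):
    """Reject typos and obvious garbage before anything is stored."""
    digits = [int(c) for c in _digits(pan)]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """PCI DSS permits showing at most the first six and last four digits."""
    digits = _digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def make_token(pan, key):
    """Keyed one-way token: stable for the same card, useless without the key.

    An unkeyed hash would not do; PANs have so little entropy that an
    attacker could enumerate them offline.
    """
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def store_record(customer_id, pan, key):
    """The only record that may be written to the database: no PAN, no CVV."""
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    return {
        "customer_id": customer_id,
        "pan_token": make_token(pan, key),
        "pan_masked": mask_pan(pan),
    }


def same_card(record, pan, key):
    """Match a later transaction to a stored record without ever storing the PAN."""
    return hmac.compare_digest(record["pan_token"], make_token(pan, key))


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # illustrative; keep the real key out of the database
    rec = store_record("cust-0001", "4111 1111 1111 1111", key)
    print(rec)
    print("repeat customer:", same_card(rec, "4111111111111111", key))
```

The CVV is deliberately absent: PCI DSS forbids storing it after authorisation, so the safe record has nowhere to put it.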

3. Keep your employees informed: One common way fraudsters do a lot of damage is through phishing e-mails. These may ask your employees to move money into a different account, enter their password, or send a customer’s personal details. It is important to keep employees informed about these risks, so they can be on the lookout for fraudulent activity and know when and how to report suspicious e-mails.

4. Be on guard against insider threats: While a hacker can do serious damage, the threats that sit inside your company cannot be ignored. Pause-and-resume call recording, also known as stop/start, is a common data security measure in contact centres: the recording is paused while the customer reads out their payment card details and resumed once the sensitive information has been taken. But the agent still hears the full card number, so this practice leaves employees able to write down customer card data for their own fraudulent use, or to sell it to the highest bidder.

5. Stay on top of regulations: The Payment Card Industry Data Security Standard (PCI DSS) was created to give customers increased protection against card fraud. Compliance is contractually required of all organisations that take card payments, and many of its requirements are designed to safeguard your customers’ card details. With the ever-changing regulatory landscape (the EU GDPR and UK Data Protection Bill are just around the corner), it is important to stay on top of these regulations to keep customer data safe and ensure your company does not find itself facing a hefty fine.

6. Protect your contact centre: With more customers turning to the phone to make a purchase, your contact centre remains an integral part of your business, so making sure it adopts a stringent approach to data security is extremely important. Companies can invest in technologies like Semafone Cardprotect, which reduces the risk of fraud by letting customers type their card details directly into their telephone keypad while staying on the line with the agent, instead of reading them out loud.

To ensure your company is protected against the potential damage of CNP fraud, whether reputational or financial, you need the right data security in place. Implementing these steps will help reduce the risk to your organisation.


Three Criteria for Evaluating Public Cloud Storage Providers

Prior to selecting a public cloud service provider, it is essential to understand what each vendor offers and how its services can best meet your organization’s needs. A move to the public cloud is a major shift in an organization’s architecture, and it brings computing and performance benefits not available from a locally installed storage network. But before selecting a public cloud storage provider, you must ensure its offerings are a good fit for your organization. Some factors to consider:

Cost.  In many cases, monthly billing is the least expensive option. Understanding upfront how much public cloud storage your company needs will make cost discussions with vendors easier. Knowing the types of applications that will be hosted in the cloud also affects the total cost: understanding how those applications work lets you determine whether the bill will rise with transaction volume and with the bandwidth (upload/download) they consume.

Architecture services. Providers offer different storage replication options. For example, some services replicate your data to multiple, geographically distributed data centers. Review these in detail to determine how each could affect your architecture and compliance, especially for storage of sensitive financial and personal data. Another consideration is how the provider backs up data, or moves it from less redundant to more redundant storage tiers. Be sure to ask what type of hardware the provider uses, as well as the speed and IOPS of the storage. Lastly, each cloud storage provider offers certain unique services, for example cloud storage gateways, API management and long-term archival storage. Review these to see which could help you manage your storage more efficiently.

Sovereignty and security. These are two major considerations when dealing with public cloud storage providers. Questions to ask include the following:

  • How does the provider handle ownership of your data?
  • How is data segmented in a public tenant space?
  • How is the data encrypted, and who has access to it?
  • In which region will your data be stored?
  • How is your data deleted if your organization decides to leave the provider, and can you obtain evidence of that deletion?

Failure to ask these questions could leave your organization feeling trapped by a provider.

When vetting public cloud storage providers, the security of their systems should be reviewed to see where it matches and, in many cases, possibly exceeds the security of your company’s internal storage network. Organizations in industries such as finance and healthcare must meet compliance standards for data stored in the cloud, and a provider should have the appropriate documentation (audit reports and certifications) showing it meets those standards. When making the move to public cloud storage, remember to include the security team and auditors in the decision-making process, especially to help determine which compliance considerations matter most for your industry.