Nobody likes being tracked. Still, most people store a detailed account of their movements on their phones, often shared with multiple apps. If you can get access to some of these user accounts you can track their whereabouts down to a relatively detailed level. In real time.
Tracking People – Google Maps Style
Google Maps: tracking your movements. These are my movements, the light blue ones are on foot, the darker color is me driving a car. I’ve taken the real movement patterns and moved them to Seoul for the sake of not showing you all of the things I did yesterday (I was not in Seoul last night – so this is #FakeNews). They track where you go, when you go there, how long you stay at each location, and stuff you add to your Google account at various locations, like pictures.
I have a 9-year old son, and one night I was watching the news with him. There was one story that got him curious, and almost angry, and rightly so. It was about a smartwatch for kids that was becoming popular as a gift from parents. This particular smartwatch allowed surveillance of the kids’ whereabouts via GPS, and parents could also call their kids on the watch instead of giving them a phone. Parents can also turn on a one-way audio channel that allows them to eavesdrop on their kids’ conversations. My son told me he thinks this is unfair and outrageous – and I completely agree. He felt somewhat better when I told him that he is not going to get a watch like that (he has an analog wristwatch, a thing with no internet). More kids should care about privacy too.
Note to parents and teachers: when we teach kids it is OK to be spied on, they will be less concerned with privacy in adult life too. Surveillance is a key feature of authoritarian regimes, and our world is increasingly moving in the wrong direction here. Don’t teach your kids it is OK for people to spy on them. Protect our democracies by teaching your kids to take care of their own privacy.
Next I asked him if he believed people could be spied on using their cell phones. The answer was “maybe”. I told him that they can but most parents don’t know how, and hopefully have no wish to do so. He has an Android phone – and I told him that I’ve made the settings on that phone such that it does not store his location data in a Google account but that most people who use Android never think about this. And the same goes for Apple. He was skeptical about this, so I told him I would turn on the “timeline” feature on my own Android, and show him later what the app stores on Google’s servers. Afterwards I showed him what they track (including where I was, how much time I spent where, the photos I’d taken, and the like).
Take-away points
Think it through if you choose to turn on features like Google’s timeline. Or rather, think it through if you are not taking steps to turn it off – it is on by default.
Talk to your kids about privacy. The habits they learn now are what they bring with them into adulthood. Teaching your kid about privacy is an important contribution to safeguarding democracy and freedom of speech.
The example here was using Android phones. The story is the same on other platforms, and with mapping and location-based service providers other than Google.
If your password is leaked, change it immediately.
What do you think about this? Let me know in the comments! Especially – do you think it is OK to track your kids like the watch described above? Are you OK with Google and their competitors storing such detailed location data about you?
Most cybersecurity advisors will tell you that the most important of all security measures is to keep your software up to date by installing patches as soon as they are available. Most exploits that hackers use are old – they are not zero-day vulnerabilities being exploited. The reason this works is that people are so slow to update their software; the average time from a patch being made available until it is installed in a corporate environment is 6 months – that is a big window for wrongdoers to do their thing. This is cause for worry, especially when you also consider that the time from a vulnerability being made public until an exploit is available through frameworks such as Metasploit is only days. Days vs. months, in favor of the bad guys.
Keeping track of all the vulnerabilities that exist and the necessary patches or configuration changes that you need to apply to keep your organization safe is a daunting task. That is why you need automation, and you need open data. There are many open CVE (common vulnerabilities and exposures) databases available – and the typical go-to source is the one provided by NIST. This is a big database compiled for you, free to use. It has a web interface where you can search for software that you own – but of course this is tedious. Let us do it anyway, just to see what kind of information you can expect to get from this database. Searching for the word “outlook” gives 147 records. At random we select this result: CVE-2016-3278. We see that the vulnerability is described with a lot of information; it applies to Outlook in all versions since 2010, it has received a CVSS v2 base score of 9.3 (which means that this is essentially bad and you really want to protect yourself from it), and there is a link to the relevant Microsoft technical bulletin. OK, so the CVE database gives you a description of the vulnerability, an assessment of how bad it really is (the CVSS score) and a link to the vendor so you can find the relevant patches.
This is all good, but what if you have a system with thousands of assets you need to track? You need an asset database, and you need automation of the tracking of vulnerabilities. You can buy systems that do this for you from your favorite asset management vendors, or you can roll your own system based on open data. The latter is of course more interesting!
The NIST CVE database does not only come in the form of a search engine; it also has an API, or more correctly, it pushes its data in XML files kept up to date regularly. You get two files: one complete file with more than 82.000 vulnerabilities, and modification files that you can use to update your mirror of the database locally without downloading a humongous XML file again. You find the NIST data feeds here: https://nvd.nist.gov/download.cfm.
Of course, when you have the vulnerabilities, you need a foreign key relationship between your asset table and the vulnerability table. This is where another nice little trick comes into play: the CPE syntax (common platform enumeration). This is a standardized syntax for describing software assets that is used in the CVE database to indicate which software versions and configurations are threatened by a particular vulnerability.
It is relatively easy to write a web application to do this using your favorite backend – see the flow chart for one possible architecture you can use. Python is a good choice for the backend because the fantastic ElementTree module makes parsing XML easy and quick (and the implementation is very fast as well).
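As an added example (not code from this post), here is the core of that backend in Python: ElementTree parses a feed excerpt, pulls each entry’s CVE id, CVSS base score and vulnerable CPE names, and joins them against a small asset table keyed by CPE. The XML is constructed for the example and only mirrors the shape of the NVD 2.0 feed’s entry, cve-id, cvss score and vulnerable-software-list elements (an assumption about the schema); the asset table, the second CVE and the exact product list for CVE-2016-3278 are made up, while its id and 9.3 score are the ones quoted above. The matcher also goes a step beyond exact comparison: a feed CPE with fewer fields (no version) covers every version of that product.

```python
import xml.etree.ElementTree as ET

NS = {
    "feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
    "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
    "cvss": "http://scap.nist.gov/schema/cvss-v2/0.2",
}

# Constructed excerpt in the shape of an NVD 2.0 feed (assumed schema; real entries
# carry many more elements). The second entry is a placeholder, not a real CVE.
FEED_XML = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
     xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2">
  <entry id="CVE-2016-3278">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:microsoft:outlook:2010</vuln:product>
      <vuln:product>cpe:/a:microsoft:outlook:2013</vuln:product>
      <vuln:product>cpe:/a:microsoft:outlook:2016</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-2016-3278</vuln:cve-id>
    <vuln:cvss><cvss:base_metrics><cvss:score>9.3</cvss:score></cvss:base_metrics></vuln:cvss>
    <vuln:summary>Constructed summary text for the example.</vuln:summary>
  </entry>
  <entry id="CVE-0000-0001">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:example:widgetd:1.2</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-0000-0001</vuln:cve-id>
    <vuln:cvss><cvss:base_metrics><cvss:score>4.3</cvss:score></cvss:base_metrics></vuln:cvss>
    <vuln:summary>Placeholder entry (not a real CVE).</vuln:summary>
  </entry>
</nvd>
"""

# Constructed asset table: one host per row, keyed by the CPE 2.2 name of the software.
ASSETS = [
    {"host": "mail-ws-01", "cpe": "cpe:/a:microsoft:outlook:2013"},
    {"host": "app-srv-02", "cpe": "cpe:/a:example:widgetd:1.3"},
]


def cpe_fields(cpe):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version:update:edition:language)
    into its fields, dropping trailing empty fields, which mean 'unspecified'."""
    if not cpe.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % cpe)
    fields = cpe[len("cpe:/"):].split(":")
    while fields and fields[-1] == "":
        fields.pop()
    return fields


def cpe_matches(feed_cpe, asset_cpe):
    """True when every field the feed specifies equals the asset's field, so a feed
    name without a version (cpe:/a:microsoft:outlook) covers all versions."""
    f, a = cpe_fields(feed_cpe), cpe_fields(asset_cpe)
    return len(f) <= len(a) and all(x == y for x, y in zip(f, a))


def parse_feed(xml_text):
    """Return {cve_id: {"score": float|None, "products": [cpe, ...]}} from feed XML."""
    root = ET.fromstring(xml_text)
    vulns = {}
    for entry in root.findall("feed:entry", NS):
        cve_id = entry.findtext("vuln:cve-id", entry.get("id"), NS)
        score = entry.findtext("vuln:cvss/cvss:base_metrics/cvss:score", None, NS)
        products = [p.text for p in entry.findall("vuln:vulnerable-software-list/vuln:product", NS)]
        vulns[cve_id] = {"score": float(score) if score else None, "products": products}
    return vulns


def match_assets(vulns, assets, min_score=0.0):
    """Join the vulnerability table to the asset table on CPE; returns sorted
    (host, cve_id, score) tuples, optionally filtered by a minimum CVSS score."""
    findings = []
    for asset in assets:
        for cve_id, v in vulns.items():
            if v["score"] is not None and v["score"] < min_score:
                continue
            if any(cpe_matches(p, asset["cpe"]) for p in v["products"]):
                findings.append((asset["host"], cve_id, v["score"]))
    return sorted(findings)


if __name__ == "__main__":
    for host, cve_id, score in match_assets(parse_feed(FEED_XML), ASSETS):
        print("%s is affected by %s (CVSS %s)" % (host, cve_id, score))
```

For a real mirror, parse the full feed once and apply the modification files on top, keying the local table by cve_id so re-applied entries overwrite stale ones.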
This is the backend – what you put in the Web UI is up to you. You probably want some nice dashboards, alerts, and issue tracking. Now – go out and play!
Cybersecurity awareness training has become a central activity in many firms. It takes time, requires planning and management follow-up, and is very often mandatory for all employees. But does it work? That depends – first and foremost on people’s feelings towards cybersecurity.
A very informal survey in my network shows that most people don’t receive any awareness training at all at work, and among those that do, there are more people who say it does not change their behaviors, than those that think it has had a positive impact.
The results of a simple survey show that most people receive no cybersecurity awareness training, and that among those that do, people do more often than not judge it to be of little value.
At the end of last year I participated in a local meeting in the Norwegian Association for Quality and Risk Management, where I heard a very interesting talk by Maria Bartnes (Twitter: @mariabartnes) from SINTEF on user behaviors and cybersecurity training. She argued that training is only effective if people are motivated for the training – and for that they need to have beliefs and goals that are well aligned with the organization they are a part of. She portrayed this in a matrix with various employee stereotypes, with “feelings towards policies and company goals” on one axis and “risk understanding” on the other axis – which I found to be a very effective way of communicating the fact that all employees are not created equal 🙂 . You have people ranging from technical risk experts that love the company and policies they are working for, to people who don’t understand risk at all and at the same time feel angry or resentful towards both their company and its policies – and you have everything in between.
Another issue is that many organizations tend to make training mandatory and the same for all. It makes little sense to force your experts to sit through basic introductions that are second nature to them anyway – a lot of knowledge workers experience this when HR departments push e-learning modules to all employees.
What does it all mean?
Some people have argued that security awareness training is completely useless. This is probably going a bit too far but there are clear limits to what can be achieved by “training” of any kind when it comes to changing people’s behaviors. We use computers by habit – the way we act when we read e-mails, research the internet, write Word documents or compile code – it is all “second nature” when you are experienced at it. Changing those habits is hard and it does not happen automagically through training.
Focusing on motivation and feelings is a good start – without the motivation to do so, it is very unlikely that users that exhibit risky behaviors will make any effort to change those behaviors.
Continuous effort is needed to change behaviors, to create new habits. This means that employees must not only receive the knowledge about the “why” and the “how”, but they must also attain practical knowledge by doing. When we realize that, we see that it becomes very important not to demotivate employees that already have positive feelings about cybersecurity. Forcing the highly motivated and technically competent to take very basic e-learning lessons may kill that motivation – and thus increase your organization’s risk exposure.
It also becomes very important to motivate those that are feeling resentful, both the technically competent ones, and those in the “worst-case corner” of resentful and low technical competency. Motivation comes before technical know-how.
For cybersecurity awareness training to have a positive effect it is thus necessary to tailor the contents to each employee based on skills and motivation. Further, the real work really starts after the training – it is the action of “doing” that changes habits, not the mere presentation of information about phishing e-mails and strong passwords. This means you need leadership, and you need change agents.
Use your technically skilled and highly motivated people as change agents. They can help motivate others, and they can exemplify good behaviors. Let these super cyber users support management, and educate management. And bring the managers on board on following up security regularly – not outsourcing it to the IT department. Entertaining abuse cases for discussion in meetings can help, as well as publicly praising employees that make an effort to bring the maturity of both their own security practices, and the security maturity of the company as a whole, to a new level.
Summary
Make sure you adapt your training to both the motivation and the technical skills of those who receive it. See maturity work in the area of cybersecurity as a part of your organization’s continuous improvement program – embed it in the way your organization works instead of relying solely on information campaigns. Use change agents and inspiring leaders in your organization to change the way the organization behaves, from the individual to the firm as a whole. That is the only way to succeed in building security awareness that actually changes behaviors.
Maintaining security is an ongoing process which requires coordinated effort by the whole organization. Without backing from the top management levels and buy-in through the ranks there is little chance of building up resilience against cyber attacks. As organizational complexity increases and value creation becomes distributed it will be necessary to have an integrated approach to security; your company needs an information security management system. ISO 27001 is an international standard that sets requirements for such a system based on what has been internationally recognized as best practice.
ISO 27001 [external link] is a management system standard that follows many of the same principles as other ISO standards such as ISO 9001 for quality management. Assuming that the client has an ISO 9001 compliant system in place, the information security management system should be built on the existing processes and workflows. This means that existing auditing systems and reporting requirements should be appended, rather than building everything from scratch.
The following are key elements of information security management system establishment. First we look at the activities that need to be performed in the order of appearance of requirements in ISO 27001. Afterwards, we summarize the bare minimum that you will have to do in a table.
Under which regulatory regimes does the organization operate?
Who are the main threat actors based on the external context? (Script kiddies, hacktivists, cyber criminals, nation states, etc.)
Internal stakeholder definitions
Who are the system owners?
Who are the system users?
Which process owners depend the most on the information assets?
Who are responsible for maintaining security?
Identify main information assets
What are the critical information objects?
Why are they critical in the context of operations?
Are there assets that require security due to external stakeholder situations (legal or commercial requirements, or due to risk drivers)?
The most efficient approach for this type of context development is a working meeting with the organization’s top management where these key issues are identified.
Building a management system requires the involvement from the whole organization. Focusing on business strategy, key stakeholders and the value chain in terms of core competence, contracts with the supply chain and how to drive compliance (e.g. through auditing) is key to securing the organizations’ assets in the long run.
Policy development and leadership
(ISO 27001 Section 5)
Top management must be involved in policy development, and promote its integration in the overall management system of the organization.
A policy should be developed and be sanctioned and signed by top management. The policy shall include the following:
Policy objectives
Should commit the organization to compliance with infosec requirements, and to continuous improvement. It should therefore refer to the organization’s existing systems for compliance measurement and continuous improvement processes, as well as to internal information security standards with more practical requirements.
The policy shall be documented and made available and communicated to all users
Top management shall assign responsibility and authority for follow-up of information security, and for reporting to top management. In most organizations a single role is recommended for this, and a person competent in both the organization’s core activity and in information security principles should take this role. In most commercial organizations this role is designated as CISO.
Policy objectives should conform to the requirements of Clause 6.3 of ISO 27001. In order to identify these goals when building a new system it is recommended to write the policy after an initial risk and vulnerability assessment has been performed.
Recommended practice is to develop the policy in cooperation with the assigned CISO (if existing at this point). A policy document should be written and discussed with top management before it is updated. The policy should be dated, and an expiry date should be set in order to guarantee regular reviews (this is not an ISO 27001 requirement but is considered good practice for security critical process documents).
Information security risk management planning
(ISO 27001 Section 6)
Define a process for information security risk assessment. The recommended elements of this process:
Requirements to documentation of [USERS, HARDWARE, SOFTWARE, NETWORKS]
Requirements to performing risk assessments
Risk acceptance criteria. It is recommended to keep this at a coarse level and use qualitative descriptors
HAZID-type risk identification (use of guidewords)
Control planning methodology (ref. to Annex A of ISO 27001)
Perform a risk assessment for all applicable systems (Scope definition → HAZID → Risk ranking → Risk treatment planning)
Produce a statement of applicability for the controls in Annex A of ISO 27001
Formulate infosec objectives (ref policy development). These objectives should be measurable, or at least possible to evaluate with respect to performance. The objectives should align well with the overall criticality of the information assets (ref. risk context). Annex A of ISO 27001 is a good guidance point for developing objectives. Also, the organization should not choose objectives that are inconsistent with the maturity and capabilities of the organization.
The risk assessment procedure should be written in a practical way, such that the organization can apply it with the available resources. It should include examples of format for reporting, and also the recommended guidewords/threat descriptors.
A key difficulty for infosec risk assessments is the risk ranking. There are several ways this has been approached, varying from using “complexity of attack vector” as a proxy for probability and generic ratings for impact, to context-related impact assessments in operationally relevant categories such as revenue loss, legal and litigation consequences, or reputation loss. The probability dimension can also be treated using aggressor profiling techniques, which is recommended for sophisticated organizations with a good understanding of the threat landscape. You can read more about that technique in this blog post from 2015: https://safecontrols.blog/2015/09/08/profiling-of-hackers-presented-at-esrel-2015/
Support
(ISO 27001 Section 7)
The organization must perform a competence requirements mapping with respect to infosec for the various roles in the organization. This work should be performed in cooperation with the organization’s HR department, and set verifiable requirements for groups of employees. Responsibility for following up this type of competence should be given, preferably to the HR director or similar. Typical employee groups would be:
Senior leadership
HR and middle management
Information system users
IT personnel
Specific roles (CISO, internal auditor, etc.)
The organization must develop an awareness program. The awareness program should as a minimum include:
Making employees aware of the policy
Why complying with the policy and the procedures is necessary and beneficial
Implications of non-compliance (up to and including employee termination and criminal charges in serious circumstances, depending on local legislation)
Information security aspects should be included in the communication plans for both internal and external communication.
For document control and similar processes, it is assumed that the organization has an appropriate system. If not, see ISO 27001 Section 7, Clause 7.5.3, as well as ISO 9001 requirements.
The awareness program should be made the responsibility of either the CISO or the training manager /HR. These departments must cooperate on this issue.
The communication plan for information security can be integrated in other communication plans but shall be approved by the CISO. It is recommended to develop a specific plan for information security that other communication plans can refer to. This is especially relevant for communications during incident handling, which may require tight stakeholder cooperation and maintaining good public relations and media contacts.
Operations and Performance Monitoring
(ISO 27001 Section 8-9)
The organization must implement and document the performance of the risk mitigating controls. A lot of the proof can be extracted from data from technological barrier functions, whereas other measures may be necessary to document organizational controls.
Information security aspects should be included in the organizations change management procedures (ref. ISO 9001 requirements)
Information security monitoring should be implemented based on control and objectives
Information security auditing should be included in the internal auditing program. It is recommended to build on the existing system, and to include requirements to competence for the subject matter expert assisting the head auditor (ref. back to competence management and HR processes). Some extra reading about auditing and what it is good for can be found in the post “Why functional safety audits are useful”; it is written for the context of reliability engineering, but should be equally applicable in the context of cybersecurity.
Include infosec in management review. In particular ensure efficient reporting on infosec objectives. It is recommended to create a simple and standardized reporting format (e.g. a dashboard) for this use.
Continuous Improvement
(ISO 27001 Section 10)
Include infosec into the existing non-conformance system
Assign CISO as owner of infosec related deviations
Activity summary and sequence
Building a management system requires multiple activities that have interdependencies, as well as dependencies on other management system artifacts. The following sequence is a suggested path to developing an information security management system from scratch in a robust organization.
Note that it should be expected that some iterations will be needed, especially on:
Policy and objectives
Risk assessment procedure and risk and vulnerability study (the procedure is updated based on experience with the method)
Objectives and measurements will need to be reviewed and updated based on experience
Note also that a consultant has been included in the “People” category. For organizations that do not have sufficient in-house competence in management system development it can be beneficial to contract a knowledgeable consultant to help with the project. For organizations with sufficient in-house capacity this is not necessary, and it is not a requirement for compliance with ISO 27001.
| Main activity | Sub activities | Inputs | Outputs | People |
| --- | --- | --- | --- | --- |
| Context development | Stakeholder mapping | Customers/users, organization charts, suppliers, partner lists, etc. | Information in technical note on Context: stakeholders. Should include who, why, what and how with respect to the information security risk. | Top management; Consultant |
| Context development | Inventory mapping | Network topologies, asset lists, document systems | Prioritized inventory description as section in technical note on Context. | CISO; IT department; Archiving department; Consultant |
| Context development | Threat actor assessment | Outputs from previous activities. News and general media. Experience from previous incidents. Open security assessments from police and intelligence communities. | List of threat actor categories with descriptions of motivations and capabilities. | CISO; Consultant |
| Risk procedure development | | | Risk assessment procedure document | CISO; Consultant |
| Risk assessment | Scope definition for risk assessment | Context note with inventory. Topology drawings. Organization charts. Use cases. | Scope presentations | Consultant; System owners; CISO |
| Risk assessment | Risk identification | Use of guidewords for each scope node, ref. risk assessment procedure. | Risk identification table (HAZID table) | Consultant; System owners; CISO |
| Risk assessment | Risk evaluation | HAZID table. | Risk ranking. | Consultant; System owners; CISO |
| Risk assessment | Mitigation planning (including ISO 27001 Annex A review) | HAZID table with risk ranking. | List of actions and controls to be evaluated or implemented. | Consultant; System owners; CISO |
| Risk assessment | Reporting | HAZID table and risk mitigation results. | Risk and vulnerability report. | Consultant |
| Statement of applicability | Review each control in Annex A | Context note. Risk and vulnerability report. | Statement of applicability (report) | Consultant; CISO |
| Objectives development | Suggest objectives based on previous activities and maturity of the organization | Risk assessment, context, statement of applicability | Information security objectives, including measurement and review requirements in technical note or procedure. | Consultants |
| Objectives development | Review of objectives with key stakeholders | Objective note. | Revised objective note. | CISO; Top management; Consultant |
| Policy development | Develop draft policy for information security. | Objectives, statement of applicability, risk and vulnerability report, context, policy templates. | Draft policy. | Consultant; CISO |
| Policy development | Review draft policy in meeting with top management. Top leadership needs to be involved and take ownership, headed by the CISO. | Draft document | Revised policy | Top management; CISO; Consultant |
| HR integration: competence management | Develop competence requirements for roles | Role descriptions | Updated competence requirements in role descriptions | HR; CISO; Consultant |
| Awareness program | Develop awareness program, tailored to competence requirements of groups. | Updated role descriptions | Awareness program plan | HR/Training responsible; CISO; Consultant |
| Internal auditing requirements | Update internal auditing requirements | Infosec policy and procedures, objectives | Updated audit plans and competence requirements for subject matter expert | CISO; Internal auditor; Consultant |
| Other integrations | Update change management system and management’s annual review reporting requirements | Infosec policy and objectives | Updated change management procedure. Updated reporting format to top management. | CISO (recommended to be done internally unless the consultant’s assistance is needed) |
After the management system has been established, it is recommended to perform an internal requirements audit to identify gaps.
After the system has been in operation for 6 months an internal security audit with focus on evidence of use is recommended.
Summing up what you just read
You have determined your company needs a security management system. This blog post gives you a blueprint for building one from scratch. Keep in mind that the system, with its processes, governing documents and role descriptions, only provides a framework to work within. Key to getting value from this process is starting to use the system.
Building a management system from scratch is a big undertaking, and for many companies it makes more sense to do it piece by piece. Start with a minimum solution, start using it, and improve on the processes and documents based on your experience. That is much better than trying to build the system to be fully compliant from day 1 – and you will start to see real benefits much sooner.
A term that is often used in the cybersecurity community is threat hunting. This is the activity of hunting for intruders in your computer systems, and then locking them out. In the more extreme cases it can also involve attacking them back – but this is illegal in most countries. Threat hunting involves several activities that you can do to find hackers on your network. The reason we need this is that the threats are to some extent intelligent operators who adapt to the defenses you set up in your network – they find workarounds for each new hurdle you throw at them. Therefore, the defense needs to get smart and use a wide arsenal of analysis techniques to find the threats; meaning analysis of data that can indicate that an intrusion has occurred. Data on user behavior, logins, changes to files, errors, and so on can be found in the systems logs. In addition to things that can be automated (looking for peaks in network traffic, etc.), threat hunting will always include some manual inquisitive labor by the analyst – both for understanding the context more deeply, and perhaps utilizing statistical and data science tools for special cases. Based on successful hunts, automated signals can be added to improve future resilience. The interplay between automated red flags, context intelligence and data science is shown below.
Threat hunting is active search for threats, instead of waiting for an attack to occur and react after the fact. It means you need to tie together a number of activities, both automated scans, threat landscape intelligence and context development, and smart use of machine learning, data science and creative data exploration.
The conglomerate joint venture deal: a potential source of an advanced persistent threat?
Johnny the Hunter was going to work as usual in the morning. He got a cup of coffee and sat down at his computer to start his day. Like most office workers, Johnny first skimmed his e-mails, and checked his Twitter feed for any interesting news. He noticed one e-mail that stood out, from one of the sysadmins, who told him that one of the application servers had rebooted without any good reason last night. No functionality had been lost, and no significant downtime was recorded – it was just a simple reboot. The logs on the server did not show any suspicious activity.
This triggered Johnny’s curiosity – what had caused the reboot? Was it some random hardware issue? Was it a software bug causing a kernel crash? Probably not, that would have been recorded in the server logs.
Johnny decided to make this the starting point for a hunt. First, he checked all automated surveillance systems; there were a few orange flags (detected abnormal activity but not something considered critical). He decided he needed to review the newest intelligence data they had on the threat landscape. There was nothing from the typical providers that caught his attention, so he turned to the intranet to check if something was going on internally in the company. He noticed the CEO had posted a video explaining that they were negotiating with an Asian conglomerate about buying up one of the conglomerate’s competitors as a joint venture. They had not yet agreed on who would be the controlling company in the joint venture. He didn’t notice any other big news.
He then called HR to ask if there were any new hires onboarding that would have anything to do with the Asian deal. The HR director told him that they had several applicants, all coming from the Asian conglomerate, and they were all highly qualified. It seemed a waste of talent not to hire at least one of them but the CSO had told HR to hold it off.
Johnny decided to start looking at network logs from the last 2 years, to have a baseline, and then to look for anomalies after negotiations about the buy-up started. For this he collected logs not only from the application servers, e-mail servers, web servers and network security devices, but also news items and social media posts. He decided he would use supervised learning to correlate news events with network anomalies and called up Sin Jing, the head of their internal big data and machine learning R&D unit, to discuss how best to do this.
Using a range of techniques Johnny investigated behaviors and found a correlation between news and strange network activities over the last 4 months. Prior to that there was no such correlation. He also tracked the activity down to two user accounts in the accounting department, and the activity was always conducted over VPN outside of normal office hours. He had a lead on the threat actors – and decided to discuss it with the HR department to assess the possibility of this being an insider threat, or whether the accounts had simply been compromised without being detected by their endpoint security solutions.
This is threat hunting – and for the most advanced threats it is the only way to decrease detection time, and to effectively reduce the attack surface.
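One concrete hunting check from the story above, written here as an added example (not from the original post): compare each account's share of off-hours VPN logins before and after the date the negotiations became news, and flag accounts whose pattern shifted. The log format, the office hours and the cut-over date are assumptions; the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN log lines (assumed format: ISO timestamp, user, event).
VPN_LOG = """\
2017-01-10T09:12:00 alice login
2017-01-11T10:03:00 carol login
2017-01-12T21:30:00 alice login
2017-02-14T13:05:00 bob login
2017-03-03T11:20:00 carol login
2017-03-20T09:45:00 bob login
2017-05-02T23:10:00 bob login
2017-05-04T02:15:00 bob login
2017-05-06T22:50:00 carol login
2017-05-09T01:05:00 bob login
2017-05-11T23:30:00 carol login
2017-05-12T10:00:00 alice login
2017-05-14T03:00:00 carol login
"""
NEGOTIATIONS_START = datetime(2017, 4, 1)  # assumed date of the first news item

def is_off_hours(ts):
    """Anything outside Mon-Fri 08:00-18:00 counts as off-hours (assumed office hours)."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        if event == "login":
            events.append((datetime.fromisoformat(ts), user))
    return events

def off_hours_shift(events, split, min_after=2, min_increase=0.5):
    """Return {user: (baseline_rate, recent_rate)} for users whose share of
    off-hours logins rose by at least min_increase after `split`."""
    before = defaultdict(lambda: [0, 0])   # user -> [off_hours_logins, total_logins]
    after = defaultdict(lambda: [0, 0])
    for ts, user in events:
        bucket = after if ts >= split else before
        bucket[user][1] += 1
        if is_off_hours(ts):
            bucket[user][0] += 1
    flagged = {}
    for user, (off, total) in after.items():
        b_off, b_total = before[user]
        base_rate = b_off / b_total if b_total else 0.0
        rate = off / total
        if off >= min_after and rate - base_rate >= min_increase:
            flagged[user] = (round(base_rate, 2), round(rate, 2))
    return flagged
```

Accounts that were never active off-hours during the baseline but are now almost always active off-hours are the ones worth taking to HR, as Johnny does in the story.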
Protecting your personal data is important, whether you are a teenager or in retirement. A lot of people are confused about what they can do to avoid becoming victims of internet fraud. Cyber criminals use phishing attacks – email scams where they trick you into clicking a download link to viruses, or into opening attachments that are no good for you. This is by far the most common way to steal someone's data, and to abuse it.
Keep the criminals away from your personal data! There are two common ways hackers steal your money:
They hold your computer hostage by using a virus type known as ransomware or cryptovirus. What this does is lock your computer files with a password, and they demand money to give you the password back. Sometimes they make you pay several times and don't give it back to you anyway.
They steal your payment data, like a credit card. Malware that monitors your purchases can send your credit card data to the hacker, who then abuses the credit card by buying things or paying himself by setting up a merchant account with a credit card processing company like PayPal.
The question is: what can you do to avoid this? The following list contains about the same information that big companies are offering their employees as cyber awareness training. If you follow these 6 rules you will reduce the risk of this type of cyber attack by around 90%:
Always be critical of e-mails you receive and don't open links or attachments you are not sure about. Check the actual internet address of the link and see if it makes sense before opening it. To see the real address, copy the link and paste it into your browser's address bar instead of clicking it. Don't visit the site if it looks suspicious.
Keep all of your software up-to-date. Software upgrades are normally security fixes – they are removing vulnerabilities hackers need to attack your software. Only use software from reputable sources.
Don’t use public open wifi without a virtual private network (VPN). A VPN creates a protected path for your data communication with the internet, making it impossible for hackers on the network to read your data traffic.
Always have antivirus software running on your computer, and a firewall.
Regularly back up your data. You can use a USB drive for this, and disconnect it when you are done backing up. This way hackers can’t lock your files away from you, because you have a safe backup they cannot reach.
Don’t use the same passwords for many online sites. Sites on the internet are hacked quite often, and if you have used the same email and password on many sites, they get access to everything. ID theft is a big problem, partly because people use the same password everywhere.
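Rule 1 above says to check the actual internet address of a link before following it. The added example below (not from the original post) automates that check for the tricks phishing links commonly rely on: a look-alike domain where the expected name is only a prefix, user-info before an "@" that hides the real host, a bare IP address, and plain http. The link targets are constructed, and the registered-domain helper assumes a two-label domain (it does not handle suffixes like co.uk).

```python
import ipaddress
from urllib.parse import urlsplit

def registered_domain(host):
    """Last two labels: 'login.example-bank.com' -> 'example-bank.com'.
    Simplification (assumed): ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def inspect_link(url, expected_domain):
    """Return the reasons a link does not lead to expected_domain (empty list = looks fine)."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append(f"not https (scheme is {parts.scheme or 'missing'})")
    host = parts.hostname or ""
    if parts.username is not None:
        # "https://example-bank.com@evil.example/" goes to evil.example, not the bank
        findings.append(f"text before '@' ({parts.username}) hides the real host {host}")
    try:
        ipaddress.ip_address(host)
        findings.append(f"host is a bare IP address ({host})")
    except ValueError:
        pass
    actual = registered_domain(host)
    if actual != registered_domain(expected_domain):
        findings.append(f"real domain is {actual}, not {expected_domain}")
    return findings

# Constructed sample links (no real sites); each is paired with the domain it pretends to be.
SAMPLE_LINKS = [
    ("https://www.example-bank.com/login", "example-bank.com"),
    ("https://example-bank.com.login-verify.example/login", "example-bank.com"),
    ("https://example-bank.com@203.0.113.5/login", "example-bank.com"),
    ("http://example-bank.com/login", "example-bank.com"),
]

if __name__ == "__main__":
    for url, expected in SAMPLE_LINKS:
        print(url, "->", inspect_link(url, expected) or "ok")
```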
A few days ago, I asked my followers on Twitter if they used the two-factor authentication on Twitter, or if they knew what two-factor authentication was in the first place. The result was that almost no one is using this. Most accounts that are hacked are hacked because users are stupid and use terrible passwords, and they use the same passwords on every site where they have an account. This means that whenever some news site with terrible security is hacked, the hacker has access to more or less all these users' accounts, including e-mail, social media and their favorite online stockbroker… This is admittedly bad.
Two-factor authentication comes to the rescue – using this, you cannot log in simply because you have the password and the username. You also need to have some third-party security token, like an app on your phone, a confirmation SMS sent to you, or a code generator device. If the hacker does not have access to this third-party token, he or she cannot take over your account. That is, at least, the design intent.
So, how can a hacker bypass the need for a third-party security token, or get your leaked password in the first place? They can use a good old phishing attack: set up a web page that looks like the one you want to log in to, trick you into going to the fake site and entering the login data, and then use these to access the real page. This process is illustrated below.
First, the attacker needs to trick the user into visiting the fake login page, typically by sending some form of e-mail asking them to log in and update something. The user submits username and password in the fake view, which the attacker relays to the real view in order to trigger the third-party confirmation code. The real page, believing it is communicating directly with the legitimate user, sends the confirmation code to the user's cell phone. The user then submits this through the fake login view. The hacker now has the confirmation code too, and can take over the account. Depending on the type of site the hacker can execute actions, or at least gain insight into the user's personal data. For very poorly secured financial applications this can even be used to steal the user's money.
Of course, this is much more complicated to get to work than simply stealing a username and password, or brute-forcing a weak password, so 2-factor authentication makes a lot of sense. But like all barriers you put in place in risk management, it is not a magic pill solving all headaches. You still need to keep your guard up – don’t fall for phishing scams, don’t use the same password on multiple sites, use strong passwords and keep up to date on security features on the sites you are using and that are critical to you. Sites like Facebook and Google’s products can send you an e-mail or text you whenever there is a new login, with location and type of computer/browser. This is a very good extra layer of security.
To sum it up: use two-factor authentication, but also don’t forget to follow other common good security practices.
REMA1000 did not use any form of authentication on their customer database used by a loyalty program. They claim that this is nothing to worry about. I disagree. Identity theft, blackmail and potential surveillance are threats worth worrying about.
REMA1000, a Norwegian discount store chain, recently released a new customer loyalty program they named ‘Æ’. The letter ‘Æ’ is also the local word for ‘I’ in the Norwegian dialect in the area where Rema1000 is headquartered (Trondheim, the city where I live).
The Æ app promising you discounts. And previously it was exposing your data to the world.
The way the loyalty system works, is that you install an app on your smartphone, and register your debit card in the app. Whenever you make a purchase they will register what you have bought, and you are offered a 10% discount on the 10 items you spend the most money on, as well as on all vegetables and fruits. Sounds like a sweet deal, right?
The problem is only that the app was launched without requiring any form of authentication between the app and the backend database. This is reported by the Norwegian newspaper Aftenposten.no today. The vulnerability would allow anyone to download customer data from their database, down to each item purchased, as well as key customer data such as phone numbers and partial credit card numbers. The vulnerability was discovered by infosec professional Hallvard Nygård, who spoke to Stavanger Aftenblad (another Norwegian newspaper) about the issue.
In a comment to Aftenposten, Rema1000 claims that they "take the situation seriously", and accuse the security researcher of having obtained access to the information in an illegal way. They say customers have no reason to worry about the security of the data they leave with the stores.
This attitude shows a lack of understanding of security risks from REMA1000. First of all, lack of authentication between frontend and backend in a web application is close to inexcusable. It would be discovered by any reasonable web app security scanner. Protecting database access through secure authentication is the core concept of web application security and should be taught in any introduction to secure development class at your nearest university. Even more worrisome is perhaps that REMA1000 claims customers have nothing to worry about. Identity theft, blackmail and surveillance are pretty serious things to worry about if you ask me. On top of this, REMA1000 is seemingly looking to blame the security researcher for reporting the vulnerability.
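To make the "no authentication between app and backend" problem concrete, here is an added example (not REMA1000's code; their API is not public and nothing below is based on it) of a customer-record lookup in its flawed form next to a hardened form. The endpoint shape, the token scheme and the customer records are all assumed or constructed for illustration.

```python
import secrets
import time

# Constructed in-memory customer records: made-up data, not REMA1000's database.
CUSTOMERS = {
    1001: {"phone": "+47 900 00 001", "card_last4": "1234", "purchases": ["milk", "bread"]},
    1002: {"phone": "+47 900 00 002", "card_last4": "5678", "purchases": ["apples"]},
}

# Assumed endpoint shape for illustration: GET /customers/<id> returns the record.
def get_customer_unauthenticated(customer_id):
    """The flaw the post describes: whoever knows or guesses an id gets the record."""
    return CUSTOMERS.get(customer_id)

# Hardened form: the app sends a bearer token issued at login, the server maps the
# token to exactly one customer, and a customer can only read their own record.
TOKEN_TTL = 3600          # seconds a token stays valid (assumed policy)
SESSIONS = {}             # token -> (customer_id, expires_at)

def issue_token(customer_id, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # unguessable: 256 bits from the OS CSPRNG
    SESSIONS[token] = (customer_id, now + TOKEN_TTL)
    return token

def get_customer_authenticated(customer_id, token, now=None):
    """Return (status, record): 401 without a valid token, 403 for another customer's id."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None or session[1] < now:
        return 401, None            # missing, unknown or expired token: who are you?
    owner, _ = session
    if owner != customer_id:
        return 403, None            # authenticated, but not authorized for this record
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)
```

The second check (owner == customer_id) is the one scanners and code reviews most often find missing: authenticating the caller is not enough if any authenticated caller can still read every record.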
During the American election campaigns in 2016 fake news was the new big thing, with Russia being accused of orchestrating an intelligence campaign to influence the outcome of the presidential election. Regardless of what Russia did or did not do, spreading the message efficiently requires both that traditional media pick it up to grant it credibility, and that people share it on social media platforms to get as much coverage as possible. Machine learning can play many roles in this, and we will look at an obvious use case, which is pretty much the same way recommendations work on Netflix or Amazon – by use of feature-based labelling.
Any “news” article will have several features. Examples of features are:
Language style (using a readability metric)
Length of article (word count)
Use of celebrities (none, light, medium, heavy)
Visual intensity (none, light, medium, heavy)
Shock factor (none, light, medium, heavy)
Let us say we consider a news article successful if it receives more than 100k shares on Facebook, or if it is quoted on CNN. So, our news articles can be SUCCESSFUL or NOT SUCCESSFUL depending on these criteria.
One simple but often efficient way we can use machine learning to understand what makes an article successful is to use existing data to train a decision surface. Say we have a collection of 200 news articles, and that we can check whether they are successful or not (they are labelled). This is our training set. Based on that, we can use statistics to find out which features will help us predict which label to apply to which data point. If we boil this down to two factors (language style and word count), we can create a scatter plot of these articles. By analyzing our set of training data, we seek to learn how we can exploit the factors to make our fake news spread. We have plotted our training data in a scatter plot to inspect it visually.
What we learn from simply looking at the plot is that the article should be fairly short and of intermediate reading difficulty (somewhere between 60 and 80 on the Flesch index, corresponding to articles that can be read by high school graduates).
Using a classification algorithm like the naive Bayes classifier, we can generate a decision surface based on our data.
Everything that falls into the red region will be predicted as successful. Giving up on the ability to plot the features in a single scatter plot, we can feed the algorithm with our full feature set, allowing it to figure out more factors we should care about when creating our fake news campaign.
This shows that the same methods used to drive recommendation engines, can also be used to learn how to best influence people – useful both in marketing, and in trying to “rig elections”. By the way, this simple labeling of data using classifiers like above is one arm of machine learning, known as supervised learning. The data set used in this post was randomly generated – so it didn’t really teach you how to create efficient fake news articles – but it did show you how you can find out.
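The classifier described above, as an added example that is not part of the original post: a Gaussian naive Bayes model trained on the two features the post plots (Flesch reading ease and word count) and the SUCCESSFUL / NOT SUCCESSFUL label. The training set is constructed to follow the pattern the post reports (short, 60-80 Flesch articles succeed), and the probabilities it returns are only as meaningful as that made-up data.

```python
import math
from collections import defaultdict

# Constructed training set: ((flesch_reading_ease, word_count), successful).
TRAIN = [
    ((70, 350), True), ((65, 420), True), ((75, 300), True),
    ((68, 500), True), ((72, 380), True), ((62, 450), True),
    ((40, 1200), False), ((35, 1500), False), ((90, 900), False),
    ((50, 1100), False), ((85, 250), False), ((45, 700), False),
]

def fit(train):
    """Per class: prior, per-feature mean and sample variance (Gaussian naive Bayes)."""
    by_class = defaultdict(list)
    for x, label in train:
        by_class[label].append(x)
    model = {}
    for label, rows in by_class.items():
        n, k = len(rows), len(rows[0])
        means = [sum(r[i] for r in rows) / n for i in range(k)]
        # Small floor keeps the density finite if a feature is constant within a class.
        variances = [sum((r[i] - means[i]) ** 2 for r in rows) / max(n - 1, 1) + 1e-9
                     for i in range(k)]
        model[label] = (n / len(train), means, variances)
    return model

def log_gaussian(x, mean, var):
    return -0.5 * math.log(2 * math.pi * var) - (x - mean) ** 2 / (2 * var)

def predict(model, x):
    """Return (label, posterior probability) for a feature vector x."""
    scores = {}
    for label, (prior, means, variances) in model.items():
        # Naive assumption: features are independent given the class, so log-densities add.
        scores[label] = math.log(prior) + sum(
            log_gaussian(xi, m, v) for xi, m, v in zip(x, means, variances))
    best = max(scores, key=scores.get)
    # Normalise relative to the best score to avoid underflow when exponentiating.
    total = sum(math.exp(s - scores[best]) for s in scores.values())
    return best, 1.0 / total

if __name__ == "__main__":
    model = fit(TRAIN)
    for article in [(70, 350), (40, 1400), (85, 300)]:
        print(article, "->", predict(model, article))
```

Feeding the full feature list from the post (celebrity use, visual intensity, shock factor) is the same call with longer tuples, which is exactly the "give up the scatter plot, keep the model" step the post describes.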
You have probably (hopefully) been told that open wifi is insecure, and that you should use a virtual private network to encrypt and protect your traffic. Most people don’t do this, perhaps because it seems hard to do?
Opera Software now offers a free VPN. It is built into the browser on the desktop, and is a standalone app on smartphones. It also comes with the ability to block tracking cookies! Those are cookies that track the pages you look at on the web – for commercial purposes (or so they claim). An old but nice nontechnical write-up on tracking cookies is found at geek.com. The difference from back then is that big data and AI have amplified trackers' abilities to spy on you and analyze your online life.
How many trackers are you exposed to by visiting high traffic news sites? Here’s what Opera VPN reported after visiting CNN.com and Bloomberg.com without clicking a single link on those pages.
40 trackers? I have no interest in feeding ad networks with my online habits. I suggest you go ahead and activate the VPN and cookie filters on your mobile in addition to your desktop, also when browsing on secure networks!