Telecommunications Tech Blog January 2015
Why There's No Way to Secure Your Company's Data, and
What to Do About It
I wrote a blog in October about hackers using a phone system automated attendant
/ voice mail to get into a company's phone system, costing it $166,000 in
fraudulent long distance charges over a single weekend:
Hacking a phone system is probably
easier than hacking into many computer networks. The phone system hackers are
primarily looking for default passwords on VM accounts. There are many to be
found out there!
Hackers are working at a job. As they
get better at their job they move up the ladder into harder tasks. Like hacking
into a company's network. Most hackers are hacking to make a living for
themselves and their families. Most start doing it for fun and some keep doing
it for that reason, but most have to eventually make a living.
In the old days companies would hire
criminals to break into their competitor's offices to plant listening "bugs,"
especially in the board room. Competitive intelligence is very valuable!
The thugs who break into companies to plant bugs or rifle through file drawers
aren't working as much. It's safer to break into a company's network to get all the
information they'll ever need. And you can substitute "government" for "company"
in the sentence above, since most governments get their information on other
governments and bad guys the same way.
The break-in and telephone bugging at
Watergate would probably never happen today, because it wouldn't
require crooks to physically break into the office. Just some hackers in the
comfort of their own home, or maybe the White House?
I asked James Atkinson of the
Granite Island Group ( http://www.tscm.com ),
one of the top Technical Surveillance Counter Measures (TSCM) companies in the
country, whether the bug sweeping business is down. He said it's not down, but in
the last decade requests have been coming from senior executives, as
opposed to the security or facilities department at a company, as in the past.
I wonder if planting
bugs these days makes more sense because everybody thinks bugs are out, and
hacking is in?
You can't listen to the news these days without another company reporting a
"data breach," usually concerning credit cards.
What you don't hear about is that the
same hackers often downloaded emails and other private company information while
they were mucking around in the company's network, including financial, sales and HR data for that company, their
customers and even their vendors and partners.
Hackers don't just get into the
network, grab the credit card data and go. They are often there for weeks or
months. They have to figure out where the data is and then download it rather slowly to avoid
clogging the company's bandwidth... making someone start looking for what's
Sometimes an IT guy has a pretty
good idea that someone is hacking into his company's network, but he doesn't
want to tell his boss because he thinks it will make him look bad - or he
may even lose his job. Or the IT boss doesn't tell upper management for the
There are computer security companies
out there who advise companies on how to secure their networks, detect
hackers and do penetration testing where they try to get into a company's
network or web servers. Some of
the security companies even try to get login credentials from employees by
sending emails with "malware" or just talking to employees to try to trick them
into giving up their login credentials.
I'd guess that all of the bigger companies who've been hacked have
paid computer security consultants a whole lot of money before they were hacked.
They may have been hacked because they didn't take the advice of the security
consultant? Or maybe the IT department simply hired the consultant to be able to
say they did it, but didn't implement any suggestions?
I first started programming in the
early 80's. I would come home from work and lock myself in my bedroom for hours.
My girlfriend at the time didn't appreciate my new "hobby." She found my bedroom
door locked after work one day, put her fist through the bedroom door, and moved
out. I can't blame her.
I think I'm pretty good at computer
security, but there's no way I could charge someone for my advice, because
the only way to really secure a network is draconian (nobody's
going to like the inconveniences of real security measures):
• Disconnect the internal network
from the Internet.
• Only use intra-company email on the network
(that's not connected to the Internet).
• If there's any chance a network
will be connected to the public Internet, don't use Access, Microsoft SQL,
MySQL, Oracle or any other popular database. Hackers see these popular
databases every day and are often expert database administrators. They can
look at most databases for a minute or two and see what types of data they
contain. A unique database would make getting the data out of it a job too
big for most hackers, who will simply move on to hacking into another
• For outside
email and browsing use a computer that's not connected to the company
Intranet. Two computers and monitors for every desk? Computers and monitors
are cheap. The trick is to make sure the IT guy doesn't put a patch cord
between the secure and outside facing network out of convenience, or by
• Don't let employees connect
work or personal laptops or phones to the intra-company network that's not
connected to the Internet. They can use a guest WiFi that's not connected to
the intranet, and a limited number of files can be shared by email or a
Dropbox type program on a need to know basis.
• It's normally very
difficult or even impossible to clean malware off a PC. Image every computer in the
company when it's set up, so if it does get malware you can just restore the
image, then restore any data files from a backup. If there is a backup?
• Disable all USB ports and CD
readers/writers on PCs. That's more difficult if you're using USB
keyboards and mice, but most business grade computers still have PS/2 DIN
connectors for the mouse and keyboard. USB ports can be disabled in the BIOS on
most PCs, and a password set to get into the BIOS settings so they can't be
turned back on by the user.
Note that disabling the PC USB ports will
prevent employees from plugging a USB Cellular 3G/4G/LTE modem or USB Wi-Fi
device into their
desktop computer that's not connected to the Internet.
• A favorite method for infecting
networks is to leave a CD or thumb drive lying around outside, like in the
parking lot. Maybe it will be labeled HR Payroll Report? An employee
picks it up and promptly plugs it into their work PC. It automatically
installs the intended malware and the hacker owns your
company's data from that moment on.
• If the company takes credit
cards, every credit card terminal should be connected to a phone line (or a
pool of real phone lines) which dials a real merchant services company.
Not authorized over the Internet or stored locally.
Everything a company doesn't do in
the list above adds a layer of risk, usually for convenience. Some things may be
a necessity for a company that's a web based business?
Sometimes the risk is taken just
because they've always done it that way. Sometimes because everybody else does
it that way. At some point all those layers of risk traded for convenience are a
recipe for a network where private information is stolen.
Because real security is inconvenient, someone has to monitor that the
security plan is being
followed religiously. A tough job!
Just because something is technically
possible doesn't mean it should be done. There aren't many companies weighing
the risks of what's possible these days. They just put it all out there and hope
for the best?
The recent Sony hacking isn't rare.
What's rare is that the hackers just went ahead and released the information
What usually happens is that stolen
credit card data is sold on the Internet. There are so many hackers out there
stealing credit card data and the personal data on card holders every day that the
cost of buying stolen data has gone way down.
It's cheap and easy for anyone to buy
my stolen credit card data from a hacker and go out and buy stuff at brick and mortar stores, or over the
Internet. Getting my social security number and address along with
my credit card data will let someone steal my identity
to buy a car or even a house (which they won't pay for), which will then go against
my credit history.
But credit card data is a
minor part of what hackers steal. Not even the most profitable anymore. They get emails,
sales, HR and company financial information
which they use to blackmail the company they hacked. They contact the hacked
company, show them some samples of what they can release or sell to a
competitor, and ask for some money from the hacked company. The hackers usually
get paid quickly!
We seldom hear about
blackmail. In the case of Sony the hackers, who probably were not
North Koreans but were working for them doing state sponsored hacking, didn't
even ask Sony
for money. It seems like they wanted the movie about killing
the leader of North Korea killed forever?
State sponsored hacking is a totally
different animal since the results are often more directed, and less easily
discovered. Bank fraud departments are now automated to figure out where the
stolen card numbers came from, and are the warning system to indicate that a
company has been hacked (after the fact). If there are no credit card numbers stolen and
used, the hacking may never be detected?
All nations sponsor the hacking of
other states and companies all over the world. China is probably
the best known, most prolific, and most dangerous (at least to
If those same hackers hadn't been
hired by North Korea to hack Sony, if they weren't state sponsored, they
would have simply sold Sony's
credit card data and personal information, then blackmailed Sony for money.
all over the world many times, every hour. Why don't we hear about it? Obviously
the companies don't want anybody to know they've been hacked, but
if it relates to credit cards US law says they have to release
information about the credit card hacking.
If you're a contractor to one of
those companies that's been hacked, the private information that the company has
about you, like how to pay you, is now in the hands of the hackers. The hacking
is affecting all of us. We usually don't know our personal and company information is in the
hands of hackers.
Getting HR information means hackers have a whole lot of private
information about the company's current employees, as well as former employees.
Pretty serious at a company like Sony that's been around forever.
Why would anybody pay the hackers to
not release hacked data? It's a no-brainer to pay them, after which
everybody goes on with their lives. Releasing news that a company has been
hacked could kill sales and reduce stock prices. If it costs maybe $250,000 to
keep it out of the news, that's really cheap for most hacking targets.
The ability to pay a ransom
determines where the best hackers put their energies. They aren't going to mess
with getting credit cards from dry cleaners because they won't make much money
doing it. And, most dry cleaners have their credit card machine attached to a
real phone line.
If the dry cleaner is using Square or some other tablet based app to take
credit cards it's not as secure, but because of their size it might not be a big
deal? It probably is a big deal at a giant coffee chain, where
credit card swiping dongles that are plugged into the headphone jack of tablets
are a big security hole.
Another popular method for hackers to
extract a ransom, mainly from larger companies with the money to pay them, is a
Distributed Denial of Service attack (DDoS or DoS). This is done by a hacker who's in
control of a bunch of home and office computers that are compromised with a
special type of malware (a botnet), which are all told to go to a particular website or web
page at the same time.
Since very few servers can handle
thousands of visitors at once, it effectively brings that website down so nobody
can get to it. If the owner of the website pays the desired ransom, the DoS
attack stops. At some point the hacker will give up and go for an easier target
if the ransom isn't paid, but that could cost the owner of the website a lot of
money while the site is down.
There are companies out there who say
they can provide protection from DoS attacks. Sometimes putting a website on a
Content Distribution Network (CDN), where the single website is served by many
servers distributed around the country or the world, can also protect a website
from a DoS attack (that depends on the size of the botnet available to attack a
A few years ago there was a big push
to put all our medical records on the Internet so all the doctors and hospitals
would have accurate information to treat us. Then we didn't hear about it for a
while. There's a new push today to put (electronic) patient health records on the Internet
(called EHR). Some companies will make big bucks
implementing it. Then others will make big bucks mitigating damage from the
hackers. There may be a way for us to opt-out of putting our health records on
the Internet. It doesn't look like it will be opt-in?
All I know is that there is a 100%
probability that hackers will get our health data, and do something with it to
make money. There is also a 100% probability that one of your credit cards will
be hacked if you use it online or in a chain brick and mortar store that uses
the Internet, not phone lines, for their credit card machines.
To top it all off some chain stores
are now scanning (making a copy of your driver's license which is stored on
their computer servers) or swiping a license to get the data off the magnetic
stripe on the back of the license, before you buy liquor. Is there any
reasonable business reason to do that? No. And you know their servers will be
hacked and the hackers will have your license data sooner or later.
In the old days it was a little
harder for hackers to get paid a ransom. Today there is Bitcoin, which can't be traced to the hackers. We're living in the golden age of hacking. Hackers can do
all their hacking from the beach in a hacker friendly foreign country, sipping
umbrella drinks. It's a job. And it looks like a nice one at that.
You've probably heard about the
CryptoLocker malware, which arrives in an email and, when opened, encrypts all the
data on a computer. Once it's encrypted the user gets a popup
message saying you have X hours to send the hackers a ransom of $X by some kind of
money card from Walmart, or Bitcoin. Or all the data will be lost forever. That's the personal version of what
hackers are doing to many companies every day. It's just business for the
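The symptom the post describes for CryptoLocker, data files overwritten with ciphertext, can be spotted by a defender before the ransom popup is the only clue. The script below is an added example, not code from the original post: it flags files whose contents are nearly incompressible (close to 8 bits of entropy per byte) while still carrying an ordinary document name; the threshold, the skipped-extension list and the sample tree it builds are all constructed for the example.

```python
"""Flag files that look like they have been overwritten with ciphertext
(added example, not from the original post). Encrypted data has near-maximal
byte entropy; a document that suddenly reads that way, while keeping its old
name, is worth an alert. Threshold and sample files are constructed."""
import math
import os
import tempfile
from collections import Counter
from typing import List

# Formats that are already compressed and therefore high-entropy when healthy.
# Assumed, not exhaustive: modern Office files (.docx/.xlsx) are zip containers
# too, so a real tool would check magic bytes rather than extensions.
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, threshold: float = 7.8, sample: int = 65536) -> bool:
    """True if the first `sample` bytes are long enough to judge and nearly
    incompressible. Tiny files give unreliable entropy, so they are skipped."""
    if os.path.splitext(path)[1].lower() in ALREADY_COMPRESSED:
        return False
    with open(path, "rb") as fh:
        head = fh.read(sample)
    return len(head) >= 1024 and shannon_entropy(head) >= threshold


def scan_tree(root: str) -> List[str]:
    """Paths under `root` that look encrypted, relative to root, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo_tree() -> str:
    """Build a constructed sample tree: one plain report, one 'encrypted'
    payroll file (random bytes under its old .csv name), one healthy zip."""
    root = tempfile.mkdtemp(prefix="ransom-demo-")
    with open(os.path.join(root, "report.txt"), "wb") as fh:
        fh.write(b"Quarterly sales report. Totals by region follow.\n" * 100)
    with open(os.path.join(root, "payroll.csv"), "wb") as fh:
        fh.write(os.urandom(8192))          # stands in for ciphertext
    with open(os.path.join(root, "archive.zip"), "wb") as fh:
        fh.write(os.urandom(8192))          # compressed format, skipped
    return root


if __name__ == "__main__":
    for hit in scan_tree(demo_tree()):
        print("suspicious:", hit)
```

Run it against a real file share on a schedule and alert on a sudden jump in the number of hits, which is the burst a mass-encryption tool produces.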
My guess is that most professional
hackers are very upset about the way the Sony hack has been handled. It will put
a lot more heat on them, making their job harder in the near future. On the
other hand they know that companies are never going to disconnect their internal
networks from the Internet. Having it connected is so darn convenient! In six
months Sony will be forgotten and the hackers will be back to having a really
easy job. By the way, this is the second time Sony's network has been hacked.
So why are hackers so good at getting into
networks that are pretty well secured?
Because humans use the networks. And of
course humans are only human.
It's easy to control a computer. It's
made to be controlled by humans. It's very difficult to control a
herd of humans. None of us likes to be told what to do, and most of us won't do
something if it makes our lives harder.
Almost every hacking attempt uses
some form of "social engineering." Social engineering in this case is:
Getting a user to give their login
credentials to the hacker
without the user knowing they're giving them up.
This is obviously very easy, or hacking would
be very difficult.
In the past most social engineering
was done face to face. Or often face to monitor where there was a Post-it-Note
with the user's login information. Or by telephone, where it was incredibly easy
to call into a company, reach someone's desk, say you're from IT and you need
the user's password to check on a problem they had reported last week.
Today, the bulk of the social
engineering is done via email. There's a 99.999% chance that if you send an
email with malware to every employee in a company, at least one of the employees
will open it... and the malware will be on the network from that moment on.
Probably undetected for months or years?
Kevin Mitnick was a hacker who
was caught years ago after hacking into some of the biggest companies in the
country. And the phone company. He was caught and went to jail. When he got out
he wrote a book and became a computer security expert for hire.
His first book "The Art of
Deception" and his later book "The Art of Intrusion" teach how to
use social engineering to get into computer networks:
These books are the bibles for today's hackers, who still primarily use social
engineering to get into a network. Once they're in it's mainly boring IT work to
steal all the data. Pretty much the same thing they'd be doing if they were
working in IT at the company they're hacking.
If you're a Chinese or Russian
hacker, phoning up a company to get a password doesn't work well if you can't
speak English. So foreign hackers have "associates" in the US who speak English
and are very good at schmoozing people - which is really the only expertise
needed to get the credentials to get into a network. They don't have to know
anything about computers to do social engineering. They're just regular crooks.
Can companies prevent social
engineering from opening their networks to hackers? Sure. But humans don't like
it so very few companies have implemented a cheap and easy security method. A
portable token generator for two factor authentication gives you a one-time
password to enter. Like this one from SafeNet:
There are many versions of these
dedicated password generators. There are even ways to create the one-time use
password on a cell phone. That's less secure since all the information to use it
is probably stored in the contacts list or an email on the phone, but better
You probably didn't know that PayPal
will let you use their Security Key devices to get into your PayPal and Ebay
accounts using two factor authentication, or on your cell phone:
Click HERE for Paypal's Security Key Page (only the credit card sized
Key is available now, I think)
If your company makes a lot of money
from a PayPal account and you'd like more control over who can get into the
account to transfer money, you may want to get one of these?
As a phone man I've seen these used
since the late 80's in data centers at banks where I was working on phones. It was a
much more expensive solution than it is today. Back then there were very few humans who
needed them to access the bank's mainframe remotely (through modems).
feasible to make everybody who needs to log into your network or access your
email use one of these? Is it worth taking the chance not to make them use it?
Or do you just close the barn door after all the horses are out?
A casualty of companies taking the
easy way out and putting everything out on the public Internet is that older
more secure technologies are going away.
Many companies use Frame Relay and
ATM networks to connect their wide area networks (WANs) together. That
type of WAN could be quite secure, often not being connected to the public Internet.
The primary vendor for the equipment
being used at phone companies to provide Frame Relay and ATM announced that they
were no longer going to make the stuff. That means the phone companies have to
stop offering the service since they can't get the equipment to provide the
When will the same thing happen to
channelized voice T1, now that everybody has switched to VoIP? Channelized voice
T1s and PRIs are very secure and dependable. But it won't matter when few
companies are using them and it's not profitable for the telcos and equipment
manufacturers to continue supporting them.
Because many companies are more
concerned with saving money and the convenience of having everything connected
to the Internet, more secure technologies will be gone sooner or later. All of
the phone companies have said they are going to be converting everything to
VoIP / IP as soon as they can legally get away with it.
What many companies are doing today
is incredibly insecure and easy to hack. I don't see any of them changing
direction, at least not until after they're hacked. A couple of times. Or go out
There are quite a few big companies
who have been hacked more than once. The only thing we really hear about is
their losing credit card data, because it's the law to disclose it.
Want to learn more about telephone
bugging that you probably can't protect yourself from? Take a look at our
Telephone Line Bugging Tech Bulletin: