Why There's No Way to Secure your Company Data, and What to Do About It
I wrote a blog in October about hackers using a phone system automated attendant / voice mail to get into a company's phone system, costing it $166,000 in fraudulent long distance charges over a single weekend:
Hacking a phone system is probably easier than hacking into many computer networks. The phone system hackers are primarily looking for default passwords on VM accounts. There are many to be found out there!
Hackers are working at a job. As they get better at their job they move up the ladder into harder tasks. Like hacking into a company's network. Most hackers are hacking to make a living for themselves and their families. Most start doing it for fun and some keep doing it for that reason, but most have to eventually make a living.
In the old days companies would hire criminals to break into their competitor's offices to plant listening "bugs." Especially in the board room. Competitive intelligence is very valuable!
Today, the thugs who break into companies to plant bugs or rifle through file drawers aren't working as much. It's safer to break into a company's network to get all the information they'll ever need. And you can substitute "government" for "company" in the sentence above since most governments get their information on other governments and bad guys the same way.
The break-in and telephone bugging at Watergate may never have happened today because it wouldn't have required crooks to physically break into the office. Just some hackers in the comfort of their own home, or maybe the White House?
I asked James Atkinson from the Granite Island Group ( http://www.tscm.com ), one of the top Technical Surveillance Counter Measures (TSCM) companies in the country, whether the bug sweeping business is down? He said it's not down but in the last decade requests are now coming in from senior top executives, as opposed to the security or facilities department at a company in the past.
I wonder if planting bugs these days makes more sense because everybody thinks bugs are out, and hacking is in?
You can't listen to the news these days without another company reporting a "data breach," usually concerning credit cards.
What you don't hear about is that the same hackers often downloaded emails and other private company information while they were mucking around in the company's network, including financial, sales and HR data for that company, their customers and even their vendors and partners.
Hackers don't just get into the network, grab the credit card data and go. They are often there for weeks or months. They have to figure out where the data is and then download it rather slowly to avoid clogging the company's bandwidth... making someone start looking for what's going on.
Sometimes an IT guy has a pretty good idea that someone is hacking into his company's network but they don't want to tell their boss because they think it will make them look bad - or they may even lose their job. Or the IT boss doesn't tell upper management for the same reasons.
There are computer security companies out there who advise companies on how to secure their networks, detect hackers and do penetration testing where they try to get into a company's network or web servers. Some of the security companies even try to get login credentials from employees by sending emails with "malware" or just talking to employees to try to trick them into giving up their login credentials.
I'd guess that all of the bigger companies who've been hacked have paid computer security consultants a whole lot of money before they were hacked. They may have been hacked because they didn't take the advice of the security consultant? Or maybe the IT department simply hired the consultant to be able to say they did it, but didn't implement any suggestions?
I first started programming in the early 80's. I would come home from work and lock myself in my bedroom for hours. My girlfriend at the time didn't appreciate my new "hobby." She found my bedroom door locked after work one day, put her fist through the bedroom door, and moved out. I can't blame her.
I think I'm pretty good at computer security, but there's no way I could charge someone for my advise because the only way to really secure a network is draconian (nobody's going to like the inconveniences of real security measures):
• Disconnect the internal network from the Internet.
• Only use intra-company email on the network (that's not connected to the Internet).
• If there's any chance a network will be connected to the Public Internet don't use Access, Microsoft SQL, My SQL, Oracle or any other popular database. Hackers see these popular databases everyday and are often expert database administrators. They can look at most databases for a minute or two and see what types of data it contains. A unique database would make getting the data out of it a job too big for most hackers, who will simply move on to hacking into another company.
• For outside email and browsing use a computer that's not connected to the company Intranet. Two computers and monitors for every desk? Computers and monitors are cheap. The trick is to make sure the IT guy doesn't put a patch cord between the secure and outside facing network out of convenience, or by mistake.
• Don't let employees connect work or personal laptops or phones to the intra-company network that's not connected to the Internet. They can use a guest WiFi that's not connected to the Intra-net, and a limited number of files can be shared by email or a Dropbox type program on a need to know basis.
• It's normally very difficult or even impossible to clean malware off a PC. Image every computer in the company when it's setup so if it does get malware you can just restore the image, then restore any data files from a backup. If there is a backup?
• Disable all USB ports and CD readers/writers on PCs. That more difficult if you're using USB keyboards and mice, but most business grade computers still have PS2 DIN connectors for the mouse and keyboard. USB ports can be disabled in BIOS on most PCs, and a password set to get into the BIOS settings so they can't be turned back on by the user.
Note that disabling the PC USB ports will prevent employees from plugging a USB Cellular 3G/4G/LTE modem or USB Wi-Fi device into their desktop computer that's not connected to the Internet.
• A favorite method for infecting networks is to leave a CD or thumb drive laying around outside, like in the parking lot. Maybe it will be labeled HR Payroll Report? An employee picks it up and promptly plugs it into their work PC. It automatically installs the intended malware and the hacker owns your company's data from that moment on.
• If the company takes credit cards, every credit card terminal should be connected to a phone line (or a pool of real phone lines) which dials a real merchant services company. Not authorized over the Internet or stored locally.
Everything a company doesn't do in the list above adds a layer of risk, usually for convenience. Some things may be a necessity for a company that's a web based business?
Sometimes the risk is taken just because they've always done it that way. Sometimes because everybody else does it that way. At some point all those layers of risk traded for convenience is a recipe for a network where private information is stolen.
Because real security is inconvenient, someone has to monitor that the security plan is being followed religiously. A tough job!
Just because something is technically possible doesn't mean it should be done. There aren't many companies weighing the risks of what's possible these days. They just put it all out there and hope for the best?
The recent Sony hacking isn't rare. What's rare is that the hackers just went ahead and released the information they stole.
What usually happens is that stolen credit card data is sold on the Internet. There are so many hackers out there stealing credit card data and the personal data on card holders every day that the cost of buying stolen data has gone way down.
It's cheap and easy for anyone to buy my stolen credit card data from a hacker to go out and buy stuff at brick and mortar stores, or over the Internet. Getting my social security number and address with my credit card data will let someone steal my identity to buy a car or even a house (which they won't pay for), and which will then go against my credit history.
But credit card data is a minor part of what hackers steal. Not even the most profitable anymore. They get emails, sales, HR and company financial information which they use to blackmail the company they hacked. They contact the hacked company, show them some samples of what they can release or sell to a competitor, and ask for some money from the hacked company. The hackers usually get paid quickly!
We seldom hear about blackmail. In the case of Sony the hackers, who probably were not North Koreans but were working for them doing state sponsored hacking, didn't even ask Sony for money. It seems like they wanted the movie about killing the leader of North Korea killed forever?
State sponsored hacking is a totally different animal since the results are often more directed, and less easily discovered. Bank fraud departments are now automated to figure out where the stolen card numbers came from, and are the warning system to indicate that a company has been hacked (after the fact). If there are no credit card numbers stolen and used, the hacking may never be detected?
All nations sponsor the hacking of other states and companies all over the world. China is probably the best known, most prolific, and most dangerous (at least to Americans).
If those same hackers hadn't been hired by North Korea to hack Sony, if they weren't state sponsored the they would have simply sold Sony's credit card data and personal information, then blackmailed Sony for money.
It's happening all over the world many times, every hour. Why don't we hear about it? Obviously the companies don't want anybody to know they've been hacked, but if it relates to credit cards US law says they have to release information about the credit card hacking.
If you're a contractor to one of those companies that's been hacked the private information that the company has about you, like how to pay you, is now in the hands of the hackers. The hacking is effecting all of us. We usually don't know our personal and company information is in the hands of hackers.
Getting HR information means hackers have a whole lot of private information about the company's current employees, as well as former employees. Pretty serious at a company like Sony who's been around forever.
Why would anybody pay the hackers to not release hacked data? It's a no-brainer to pay them, after which everybody goes on with their lives. Releasing news that a company has been hacked could kill sales and reduce stock prices. If it costs maybe $250,000 to keep it out of the news, that's really cheap for most hacking targets.
The ability to pay a ransom determines where the best hackers put their energies. They aren't going to mess with getting credit cards from dry cleaners because they won't make much money doing it. And, most dry cleaners have their credit card machine attached to a real phone line.
If the dry cleaner is using Square or some other tablet based app to take credit cards it's not as secure, but because of their size it might not be a big deal? It probably is a big deal at a giant coffee chain, where credit card swiping dongles that are plugged into the headphone jack of tablets are a big security hole.
Another popular method for hackers to extract a ransom, mainly from larger companies with the money to pay them, is a Distributed Denial of Service Attack (DDoS or DoS). This is done by a hacker who's in control of a bunch of computers at homes and offices that are compromised with a special type of malware (a botnet), that are told to go to a particular website or web page at the same time.
Since very few servers can handle thousands of visitors at once, it effectively brings that website down so nobody can get to it. If the owner of the website pays the desired ransom, the DoS attack stops. At some point the hacker will give up and go for an easier target if the ransom isn't paid, but that could cost the owner of the website a lot of money while the site is down.
There are companies out there who say they can provide protection from DoS attacks. Sometimes putting a website on a Content Distribution Network (CDN), where the single website is served by many servers distributed around the country or the world, can also protect a website from a DoS attack (that depends on the size of the botnet available to attack a website).
A few years ago there was a big push to put all our medical records on the Internet so all the doctors and hospitals would have accurate information to treat us. Then we didn't hear about it for a while. There's a new push today to put (electronic) patient health records on the Internet (called EHR). Some companies will make big bucks implementing it. Then others will make big bucks mitigating damage from the hackers. There may be a way for us to opt-out of putting our health records on the Internet. It doesn't look like it will be opt-in?
All I know is that there is a 100% probability that hackers will get our health data, and do something with it to make money. There is also a 100% probability that one of your credit cards will be hacked if you use it online or in a chain brick and mortar store that uses the Internet, not phone lines, for their credit card machines.
To top it all off some chain stores are now scanning (making a copy of your driver's license which is stored on their computer servers) or swiping a license to get the data off the magnetic stripe on the back of the license, before you buy liquor. Is there any reasonable business reason to do that? No. And you know their servers will be hacked and the hackers will have your license data sooner or later.
In the old days it was a little harder for hackers to get paid a ransom. Today there is Bitcoin, which can't be traced to the hackers. We're living in the golden age of hacking. Hackers can do all their hacking from the beach in a hacker friendly foreign country, sipping umbrella drinks. It's a job. And it looks like a nice one at that.
You've probably heard about the CryptoLocker malware which is sent in an email that when opened, encrypts all the data on a computer. Once it's encrypted the user gets a popup message that you have X hours to send the hackers a ransom of $X by some kind of money card from Walmart, or Bitcoin. Or all the data will be lost forever. That's the personal version of what hackers are doing to many companies every day. It's just business for the hackers.
My guess is that most professional hackers are very upset about the way the Sony hack has been handled. It will put a lot more heat on them, making their job harder in the near future. On the other hand they know that companies are never going to disconnect their internal networks from the Internet. Having it connected is so darn convenient! In six months Sony will be forgotten and the hackers will be back to having a really easy job. By the way, this is the second time Sony's network has been hacked.
So why are hackers so good at getting into networks that are pretty well secured?
Because humans use the networks. And of course humans are only human.
It's easy to control a computer. It's made to be controlled by humans. It's very difficult to control a herd of humans. None of us likes to be told what to do, and most of us won't do something if it makes our lives harder.
Almost every hacking attempt uses
some form of "social engineering." Social engineering in this case is:
Getting a user to give their login
credentials to the hacker
without the user knowing they're giving them up.
This is obviously very easy, or hacking would be very difficult.
In the past most social engineering was done face to face. Or often face to monitor where there was a Post-it-Note with the user's login information. Or by telephone, where it was incredibly easy to call into a company, reach someone's desk, say you're from IT and you need the user's password to check on a problem they had reported last week.
Today, the bulk of the social engineering is done via email. There's a 99.999% chance that if you send an email with malware to every employee in a company, at least one of the employees will open it... and the malware will be on the network from that moment on. Probably undetected for months or years?
Kevin Mitnick was a hacker who was caught years ago after hacking into some of the biggest companies in the country. And the phone company. He was caught and went to jail. When he got out he wrote a book and became computer security expert for hire.
His first book "The Art of Deception" and his later book "The Art of Intrusion" teaches how to use social engineering to get into computer networks (click the book to see it on Amazon) :
These books are the bibles for today's hackers, who still primarily use social engineering to get into a network. Once they're in it's mainly boring IT work to steal all the data. Pretty much the same thing they'd be doing if they were working in IT at the company they're hacking.
If you're a Chinese or Russian hacker, phoning up a company to get a password doesn't work well if you can't speak English. So foreign hackers have "associates" in the US who speak English and are very good at schmoozing people - which is really the only expertise needed to get the credentials to get into a network. They don't have to know anything about computers to do social engineering. They're just regular crooks.
Can companies prevent social
engineering from opening their networks to hackers? Sure. But humans don't like
it so very few companies have implemented a cheap and easy security method. A
portable token generator for two factor authentication gives you a one-time
password to enter. Like this one from SafeNet:
There are many versions of these dedicated password generators. There are even ways to create the one-time use password on a cell phone. That's less secure since all the information to use it is probably stored in the contacts list or an email on the phone, but better than nothing.
You probably didn't know that PayPal
will let you use their Security Key devices to get into your PayPal and Ebay
accounts using two factor authentication, or on your cell phone:
Photo from randykisch.com
Click HERE for Paypal's Security Key Page (only the credit card sized Key is available now, I think)
If your company makes a lot of money
from a PayPal account and you'd like more control over who can get into the
account to transfer money, you may want to get one of these?
As a phone man I've seen these used since the late 80's in data centers at banks where I was working on phones. It was a much more expensive solution than it is today. Back then there were very few humans who needed them to access the bank's mainframe remotely (through modems).
Is it feasible to make everybody who needs to log into your network or access your email use one of these? Is it worth taking the chance not to make them use it? Or do you just close the barn door after all the horses are out?
A casualty of companies taking the easy way out and putting everything out on the public Internet is that older more secure technologies are going away.
Many companies use Frame Relay and ATM networks to connect their area networks (WANs) together. That type of WAN could be quite secure, often not being connected to the public Internet.
The primary vendor for the equipment being used at phone companies to provide Frame Relay and ATM announced that they were no longer going to make the stuff. That means the phone companies have to stop offering the service since they can't get the equipment to provide the service.
When will the same thing happen to channelized voice T1, because everybody has switched to VoIP? Channelized voice T1s and PRIs are very secure and dependable. But it won't matter when few companies are using them and it's not profitable for the telcos and equipment manufacturers to continue supporting them.
Because many companies are more concerned with saving money and the convenience of having everything connected to the Internet, more secure technologies will be gone sooner or later. All of the phone companies have said they are going to be converting everything to VoIP / IP as soon as they can legally get away with it.
What many companies are doing today is incredibly insecure and easy to hack. I don't see any of them changing direction, at least not until after they're hacked. A couple of times. Or go out of business.
There are quite a few big companies who have been hacked more than once. The only thing we really hear about is their losing credit card data, because it's the law to disclose it.
Want to learn more about telephone bugging that you probably can't protect yourself from? Take a look at our Telephone Line Bugging Tech Bulletin :