Eric's InfoSec Blog: 2016

Tuesday, March 1, 2016

Are we sharing too much, and who is sharing it on our behalf !

If you haven't heard of TAKE THIS LOLLYPOP it is worth your time. A great educational experience.

http://www.takethislollipop.com

It is an interactive film which accesses the viewer's Facebook profile and locates the viewer's home from data in their profile. It depicts the dangers in posting too much personal information on the Internet.

Information gathered is then deleted which makes the film different for each viewer.... and safe....

it is an eye opener for both techies and non techies and it is extremely well done.

Perhaps if everyone realized that not everyone on the Internet or in this case social media is your friend, information would be disclosed far less openly.

The more open and full your Facebook profile is, the more the film will hit home and make you think.

Come on Sandra you don't really have 1700 friends whom you trust with your personal information do you ?????
(reference to one of my Facebook friends, her name replaced to protect the innocent)

Now this applies to corporations also, after all, if your enterprises password retrieval security questions rely on voluntarily leaked information such as hometown, birthdate, or favourite sports team, then you're exposed and chances are.... you don't realize it.

That is the thing with security (or insecurity), a malicious person will take the time to navigate the search engines and find all sorts of tidbits of information that can be accumulated to perform more intrusive social engineering attacks.

As a manager or senior executive, shouldn't you KNOW what information can be gathered or derived from your employees ? I certainly think so.

There are tools out there, like Harvester.py which is a simply python script to dig through Google, Bing, LinkedIn and gather email addresses that have been leaked (published voluntarily).

Other interesting ones include:
PunkSpider which indexes web pages with identified vulnerabilities
Shodan.io which lists IoT (Internet of Things) devices found on the Internet
Censys.io which does something similar...

Are you listed in any of these ? Is the information you uncover a surprise....

99.9% of enterprises have no idea what information about them is out there. A determined attacker will find more then enough information then is required to breach your enterprise security.

A good example is this article about a journalist who challenged (as in asked for) a group of hackers to violate his digital world at Defcon23.

This is him, amazed at what a social engineer is getting out of his own cell phone provider.

A video and article worth taking a look at.

http://fusion.net/video/271750/real-future-episode-8-hack-attack/

There are privately developed tools that make use of multiple sources to look for meaning and collisions and help float to the top the most important elements. My own company has a toolset that does just that, and so far, we have had a blast identifying leaks in seemingly prestigious and "secure" companies.

Now here is an idea.... we need an interactive TAKE THIS LOLLYPOP movie that targets enterprises..... That sounds like a great summer time project.

Any takers ?

Call me !

_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives. He teaches CyberSecurity at l'Ecole Polytechnique and HEC University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:

Twitter @ericparent

LinkedIn : EVA-Technologies

www.eva-technologies.com

Friday, February 19, 2016

How disconnected are the cerebellums of the CIA and FBI?

The last few weeks have been significantly active in the security world, constantly providing sitcom writers material to last a decade. And.... I'm not even going to talk about Donald Trump.

The FBI is sending out court orders to get Apple to put in back doors in an iPhone....

Hillary Clinton is being investigated by the FBI for her "sensitive email" issue....

And the FBI arrests a teenager for hacking into senior CIA & FBI officials emails....

Lets take a quick look at these events, and lets all realize how much we are being taken for fools.

First off, the FBI does not need Apple to get into the insides of an iPhone. John McAffee is even offering to do it for free. Thanks John. In fact, I will offer to do it for free too, great publicity.

No worries since the FBI will not let anyone try to get into that iPhone. This case is about the government putting in place the mechanisms for killing privacy in general. So don't be fooled by their request looking all normal because they need Apple to get into a terrorists phone. Whatever Apple could do, the United States Government can do, or get done.

But lets take a look at the MAJOR security issue around the Hillary Clinton and CIA/FBI email scandal.

Certainly we should be concerned that a senior government official who is representing "the people" and is supposed to be smart would expose sensitive information on her personal email system.

However, something much worst is not being discussed by the media.

How can someone, anyone, take top secret documents from a high security ecosystem and bring it into a less secure ecosystem (like Hillary's email server).

Someone should be getting fired, and charged with some form of criminal negligence.

But WAIT ! It gets worst.

This week, HackerNews reported that a 16 year old hacker was arrested for breaking into emails of both the CIA and the FBI.

Take a look at these details (taken from the article):

Hacked into the AOL emails of CIA director John Brennan.
Hacked into the personal email and phone accounts of the US spy chief James Clapper.
Broke into the AOL emails of the FBI Deputy Director Mark Giuliano.

What the hell is going on at the CIA and the FBI ???? Do they not have any security policies or "RULES" ? Can anyone just do anything over there ?

Well, rest assured, if a normal person working at the CIA or FBI did anything this stupid, they would face the full power of the US government (sorry Snowden). Yet in this case, just like Hillary, it will be a joke.

What am I referencing exactly... Senior staff using PERSONAL EMAIL SYSTEMS (like AOL) to handle sensitive data.

These clowns are the real problem. They knowingly allowed sensitive information to transit through insecure systems therefor violating the agencies CLEARLY DEFINED POLICIES.

Strangely, John Brennan, James Clapper and Mark Giuliano are not being charged, and have not been arrested...

Yet a 16 year old is being arrested.

Doing enterprise security assessments is often accompanied by attitudes that ressemble this.

What people to not understand is that the security risk is coming from these individuals, not the 16 year old.

In fact, strange enough, the 16 year old exposed the issue, brought it to light, and showed no strategy for making use of the information collected aside from foolishly publishing it.

Who is to say that someone truly malicious had not been reading these imbeciles emails for months or years ?

The 16 year old went out and published what he found and got caught.

The spies who are taking actions on US soil do not publish their findings for the world to see. They gather the intelligence and take well educated actions.

Like corporate America, these senior executives are the weakest link, and will significantly and negatively impact security.

So when the FBI is done roasting the 16 year old, I hope they get their heads out of their asses and have the common sense to take legal action against their own clowns.

In the security industry, we call that the ROOT CAUSE.

You can't fix stupid, but you can fire stupid.