Sunday, November 26, 2017

When being ONLINE costs you $250,000. A warning that's good for all businesses (and IT people)



Being online is the big trend (obviously).  Everything has to be connected, fast, immediate.



I'm writing this short post to warn people about a common (it turns out) mistake.


Every time I leave on a business trip, I get an emergency call.  Every single time.


I'm in Paris, it's 1:25am, I just got here a few days ago and am still jet lagged, and I get an emergency call from a trusted contact that one of his clients is in trouble.  I have just enjoyed a series of good wines in the hopes of falling asleep and moving into this timezone and now I have to talk a jumper down from the ledge (just kidding, this client was relatively calm).


Well, this "trouble" I have seen 4 times in the last 3 weeks, which I'm starting to find alarming.


Ransomware is the culprit.  The difference is that this time, a longer than usual series of mistakes has led to three interconnected companies being infected.  A real lottery winner in the world of ransomware.

The initial ransom requested: $250,000 (20 bitcoins)


So this is my fourth case in three weeks..... what do they all have in common......  Online backups.


- Some have disk-to-disk live backups


- Some have a large USB key stuck in something somewhere and that's their backup


- Some have online (Internet) backup but only pay to keep one full copy (crappy service in my mind).


In this day and age, the fact that companies are failing at one of the oldest IT issues (a fundamental one) still surprises me.


Live (always connected) backups usually mean no backups when the right failure takes place.


CALL TO ACTION


So if you "think" you have backups, check if they are offline.  Check if they would survive a ransomware attack.


And by check I mean have a "real" security expert validate your backup architecture.
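The two checks above, as an added Python example that is not code from the original post: does a restore actually verify against what was backed up, and can the production host (the one that gets infected) write to the backup store? Paths and the sample file are constructed for the demo.

```python
# Backup survivability check (added example, not from the original post). It asks what a
# ransomware incident asks: can the infected host write to the backup store, and does a restore verify?
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # fine for small sample files

def take_backup(src: Path, dest: Path) -> None:
    """Copy the src tree to dest and record MANIFEST.json {relpath: sha256} for later checks."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in (q for q in src.rglob("*") if q.is_file()):
        rel = p.relative_to(src)
        (dest / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dest / rel)
        manifest[rel.as_posix()] = sha256_of(p)
    (dest / "MANIFEST.json").write_text(json.dumps(manifest))

def verify_restore(backup: Path, restore_to: Path) -> list:
    """Restore every manifest entry; return paths that are gone or whose hash differs (empty == verified)."""
    manifest = json.loads((backup / "MANIFEST.json").read_text())
    bad = []
    for rel, digest in manifest.items():
        src, dst = backup / rel, restore_to / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        if src.is_file():
            shutil.copy2(src, dst)
        if not dst.is_file() or sha256_of(dst) != digest:  # deleted or overwritten in the store
            bad.append(rel)
    return bad

def writable_from_production(dest: Path) -> bool:
    """True if this host can modify the store: the backup is 'online' from ransomware's point of view."""
    probe = dest / ".backup_write_probe"
    try:
        probe.write_bytes(b"probe"); probe.unlink()
        return True
    except OSError:  # unplugged disk, missing share, read-only mount: offline, which is what you want
        return False

def demo() -> dict:
    """Constructed sample: a clean restore, then one backup file overwritten in place, as ransomware does."""
    d = Path(tempfile.mkdtemp()); src, bk = d / "prod", d / "backup"
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "ledger.csv").write_text("account,balance\nops,1200\n")
    take_backup(src, bk)
    clean = verify_restore(bk, d / "restore1")
    (bk / "docs" / "ledger.csv").write_bytes(b"\x00ENCRYPTED\x00")
    return {"clean": clean, "tampered": verify_restore(bk, d / "restore2"),
            "online": writable_from_production(bk), "unplugged": writable_from_production(d / "usb")}
```

An "online" result of True for your real backup path means the same host that would be encrypted can also reach the backups; the "tampered" list is what a restore test catches that a "backup completed" e-mail never will.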


You see, when you have good backups, you don't have to pay large sums of money to criminals to get your data back.


Wow.... what a novel idea.  Backups that work!


This reminds me of a legal case from many years ago between a large and respected (cough cough) IT firm that had screwed up one of their important client's backups.


In the court hearings, the IT service provider actually said the following:  "Our contract stipulates that we take backups and makes no guarantees that we can restore them".   Can you imagine being told that after you've lost all your data?


Trust but verify.


I'm going to bed now, before my wine stops making me happy.



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com


   

Tuesday, November 21, 2017

UBER ! Oops. My Bad. 57 million records lost. Finally some good news.





I've been waiting for this.

Waiting a long time.

Finally someone has dropped the soap and come clean in a direct and "appropriate" way.

Obviously plenty of criticism is coming down the road for why it happened, why it took so long to let customers know, etc.

That's really part of the game.


What would you expect when Uber's Chief Security Officer is a lawyer instead of a trained security expert?

There are still some funny things to laugh at.

For example, paying the hackers $100,000 to delete the data.   Honour amongst thieves, perhaps.  After all, we are all allowed to believe in Santa.  Some of us believe more in Satan, oh well.


However, here are some really nice tidbits that I find very positive:


"None of this should have happened, and I will not make excuses for it," he (the CEO) added.
"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."

I love it when people just come clean and tell you they dropped the ball, very inspiring.

The only problem with the last statement is that they ended up fined for a much smaller breach in 2014 and it appears... they still needed to learn from those mistakes.

So now, they will have to face the music for not disclosing when they uncovered it, but once again, the lawyer(s) certainly had a large role in holding that off.

Perhaps many enterprises could re-visit their choice of CSO to ensure that the position is handled by a "real" security expert, but let's face it, publicly traded companies focus on the shareholder and their return on investment.  So I guess most boards would go the route of a hardened politician, lawyer, or music major, since the talent they most want is not "security".  So I guess in this case, as is also the case in many other enterprises, these are pretty much the ingredients they wanted.  Some will call it "plausible deniability", some will call it "willful blindness".   Some will call it a Tuesday.
Note to my friend Robert M.  You wanted a positive post out of me.  Well, this isn't it yet ;-)



Now on an even more positive note.  Maybe some people are starting to grasp that sensitive data in the cloud requires more than nice words and a pretty logo.

Lesson learned:  Regardless of the size and glamour of the cloud provider, "Trust but Verify".  Or don't use it.



Thursday, November 16, 2017

Airplanes falling out of the sky - Part deux it seems


You guessed it, people are once again claiming that airplanes could be hacked over wifi and that the sky is falling.

https://www.theregister.co.uk/2017/11/15/airplanes_vulnerable_rf_hacking/

This time, they are talking about the Boeing 757 which it seems was hacked while parked at an airport.

Some interesting things about the Boeing 757.  First off, it isn't a fly-by-wire aircraft.  This means that you cannot hack it out of the sky or have it fly sideways, as it is mechanically impossible to take over the controls from the pilot.

Most aircraft have provisions for pushing updates and sending off flight data while they are on the ground.  Sensors on the landing gear detect weight on wheels, and system updates are only allowed to take place when that condition is met.

The big stink it seems is that the pilots hadn't been told that the aircraft was more vulnerable on the ground.

These journalists keep talking about how planes are more vulnerable because we have added wifi to the entertainment system and other rather silly claims.

Just to be clear, no commercial aircraft has its entertainment system talking freely to the avionics suite used by the pilots.

In other words, you can hack away at the entertainment system all you want, you CANNOT hack the plane in flight.

The data flow simply isn't there.   Flight data can be sent unidirectionally to the entertainment system, but the electronics to send data the other way simply aren't there.

Also, you cannot flash-upgrade the avionics suite without weight being on the wheels, as stated earlier.

This means that a malicious actor would have to attempt to push this update while the plane is on the ground.

So let's take that and make it the worst possible scenario.

You are in flight and your GPS stops working, your autopilot stops working, everything techie stops working.

Wow, what an attack.

Does the plane fall out of the sky ?

No.

You see, in most modern aircraft you have something really old school.   A pilot.  Actually two of them.

The pilots have many responsibilities, including overseeing the overall functionality of the aircraft to ensure its safety.

This means that if a pilot looks at the GPS and then looks at the MECHANICAL altimeter and notices that the GPS claims to be at 38,000 feet and the mechanical altimeter says 2,000 feet you are going to have two very motivated pilots looking into the problem.

They would identify that the GPS is faulty, turn it off, note it in the aircraft log and probably report it in flight to headquarters to have someone fix it when they land.

So what happens when two, three or four airplanes call in with the same problem....  The fleet would be grounded until someone figures out what went wrong.

So now I already hear the skeptics screaming: yeah, but what if they hack the autopilot to take over the plane and crash it?



Well, good news.  The autopilot isn't a steroids jacked up cocaine infused weight lifter that will immobilize the pilots and force the plane into the ground.

As soon as the pilots would feel the plane change altitude or veer to one side or another, they would notice.   That's right folks, just like driving a car, when the sound of the engine changes.... you notice.

So what would happen.... they would hit this button called POWER on the autopilot, and this button, by design, is not computer controlled.  It is a mechanical interrupter that kills the power to the autopilot.   If that button failed, the pilot would push or pull on the controls and override the autopilot.  The mechanical autopilot is not designed to be stronger than a human; you can override it because you are stronger than its designed strength.  And they wouldn't have to do this long, just long enough to find the FUSE for the autopilot and pull it.  And yes, they simulate this.

That folks is what you call SECURE DESIGN.  Something lost in most markets, but very present in aviation.

So what if the pilots don't notice that they are descending lower and lower and lower....

Well, I'm a pilot.  And I can tell you that air traffic control doesn't appreciate it when you file a flight plan for a certain altitude and they see you at the wrong altitude.   They will even have the audacity to humiliate you on the radio by asking you to confirm altitude and altimeter settings.

You see, their job is to keep airplanes separated along flight paths.

They have a set number of airplanes under their watch, and they do indeed watch.

As one of my good friends "J" once expertly described while we both gave a conference on this very subject: airplanes, like every complex mechanical system, have security weaknesses.  However, these do not translate into a SAFETY issue because of the overall safe engineering of the entire ecosystem.

Aircraft are extremely SAFE.

Take the radio system for example.  Any idiot can purchase an aviation band radio for a couple hundred dollars and learn to PLAY control tower.



This, in the cyber security realm, is called unauthenticated communication.  No username, no password.  Really the worst case in computer security.

So a rogue individual could call out to an airplane, make themselves sound like the control tower, and crash an airplane.

Well.... No.

Once again, we have something called "the pilots" who are the "BOSS" of that airplane.  The "Tower" isn't the boss.  The pilot is.

So hearing an order come in from a fake tower that results in an unsafe action wouldn't work, and also the real tower that hears the fake tower would most certainly call out that something is wrong.

So if the tower says "Air Canada Flight 1505 please descend at your discretion to 10,000 feet" while they are actually flying over the Rockies.... I'm pretty sure the pilots would know that this isn't ideal.

As they would descend, the other safeguards in the airplane would start setting off alarms.

The GPS screen would turn RED.

The ground radar would start saying "TERRAIN"  "TERRAIN"

So unauthenticated radio communication is certainly a security issue....  but it isn't a safety issue, so we don't really care.

Here is a cockpit photo of a modern, extremely technology dependent aircraft, and I have highlighted the devices that are old school mechanical and are impossible to hack via wifi... or via any computer.



Don't let the headline grabbing journalists frighten you from flying.  It remains extremely safe, and my favourite way to get to where I'm going.






