Make it public or private…how secure is your profile online?

Part 1

Did you ever ask yourself whether you care what personal information you give out online, or in exchange for a “free” service? Do you really want to mix your colleagues with friends or family on social media? Do you really want to leak information about your life and interests to strangers? (Yes, strangers, because you don’t know your online audience or how it may use the information you release against you.)

Some people don’t take their online privacy and security seriously. They prefer to ignore it or say that they have nothing to hide. On one hand, they have some degree of concern and on the other hand they don’t apply simple privacy restrictions to protect their personal information online. The web holds a huge depository of personal information that is open to the public.

Maybe it is harder to imagine that you are being spied upon when you are in a virtual environment rather than the physical world. People make themselves vulnerable by allowing friends, colleagues or other people to track their daily life activities, habits, religious beliefs, sexual orientation, shopping or other consumer preferences.

This happens because many of us don’t even realise how we can be tracked and profiled online. The Internet never forgets: data about our online activities is recorded and archived. People tend to change their opinions or views on certain things over time, or after certain life situations, but those previously expressed opinions might be used against you depending on your actions or views in the future.

Unfortunately, the Internet and the applications running on it were not designed for privacy, which means anyone using them can potentially be tracked online by governments, security agencies, Internet service providers (ISPs), corporations, hackers and other parties. Here are some examples of the different purposes that tracking and collecting data can be used for:

  • Marketing or advertising

Search engines and email providers are some of the biggest players in data collection. Their business model is mainly focused on advertising and selling collected data, and it is based on tracking their customers for advertising purposes. They provide “free” services to their users and in return they collect data about those users in order to monetise it. We may pay a higher price for services like flights, hotels or insurance based on our browser history, geolocation, online searches, email communication and other information about us, because the history of our online activity has been sold to the service providers and they know in advance about our needs and interests.

  • Apps

These programs may do more than just provide us with services or information. Apps can trace our online behaviour, have full access to our contact list, regularly track our location, automatically send information about our device, and even activate the device’s microphone and speakers.

  • Government and law enforcement programs.

These bodies have access to a large amount of online data and special equipment to process it, enabling them to build a profile of the Internet user and their usage habits. Details about the US Government’s PRISM data collection surveillance program, and of information collected via PRISM and its information providers, can be found here. Mass surveillance data can be narrowed to targeted surveillance of a specific individual if that individual has different views on religion, politics and so on.

  • Online profiling of Internet users.

A profile is built from browsing history, search engine queries, email communication, geolocation information, chat history, and even the posts of your contacts and friends. One of the biggest screening tools used by employers and other individuals to build a profile of an Internet user is Facebook.

The Psychometrics Centre within the University of Cambridge conducted interesting research called “Apply Magic Sauce”, where a user’s online behaviour and digital footprints were translated into psychological profiles.

Stylometry is another way of identifying people from their writing style and it may be used in social media for personality prediction and de-anonymization of online users. Here is an example of a program that was designed to perform a stylometric analysis and text comparison for author identification, and you can read more about stylometry here.

  • Hackers

Hackers usually prefer to access confidential data about businesses or individuals through social engineering attacks. Revealing too much personal information online could make users vulnerable to different and creative hacking scenarios and phishing scams. Attackers may also get personal information to steal a user’s identity and compromise their bank account. They usually look for information like your date of birth, home address, mother’s maiden name, information about your family and friends, PPS numbers and geolocation.

  • Stalkers and other strangers

I would like to say a few words about stalkers because some people may still not realise how stalkers can affect their quality of life or make them vulnerable to online harassment. A stalker’s main goal is to affect their victim’s social or career growth. Even knowing some limited information about an individual could be enough for a stalker to create or change that person’s profile.

The most vulnerable groups to this kind of cybercrime are children and people over 55. It is in your hands to protect yourself, your children, or even elderly parents and relatives from becoming a victim of stalkers. People tend to make silly mistakes in their teens. You probably remember some of your own. But if those are recorded online, remember that the Internet never forgets. Who knows when and how posts that were posted in childhood or teenage years can be used in the future?

In my next post, I will talk about what methods are used for tracking and how can we restrict our information online and protect ourselves from invasions of our privacy.

BH Consulting February 2017 Newsletter Now Online

The latest edition of our newsletter is now online. Our SecurityWatch Newsletter gives you updates on what has been going on in BH Consulting, highlights some upcoming events, and focuses on some stories we think are of use to you. This month we have tips on how to secure your email, highlight CEO fraud to your staff, and link to two interesting reports on the current threat and risk landscape. The SecurityWatch Newsletter is online here.

Busy Weekend

News coverage can often be like waiting for a bus. You can go a long time when nothing really happens and then suddenly lots of them arrive together. This weekend was one of those occasions when BH Consulting was in various media outlets.

Firstly, my latest article for HelpNet Security Magazine was published. The article focuses on the skills shortage that we are currently witnessing in the cybersecurity industry. I argue that we need to stop looking at technical skills to bridge this gap but rather look at other disciplines which complement what we are looking to achieve in our field.  You can read the article at the HelpNet Security Magazine website.

I was also interviewed by the Sunday Business Post and The Journal to discuss the security and privacy risks that may arise from the revelations that various Irish Government ministers use private email platforms to conduct some of their business. The Sunday Business Post article is here and The Journal article is available from here.

Finally, the recent coverage of the controversy surrounding Garda Sergeant Maurice McCabe also resulted in me being interviewed to discuss the technical aspects relating to the terms of reference for the Charleton Inquiry and accessing data from mobile phones. I was interviewed and appeared on the RTE This Week program and also for the Sunday Business Post.

It Could Happen to Anyone – A CEO Fraud Primer

There has been a lot of media coverage lately over various organisations falling victim to CEO fraud. Basically, it is a scam whereby criminals use email to fool a target within an organisation into redirecting funds to bank accounts under their control. We have worked with some companies who have fallen victim to this and we also wrote about the rise in this type of attack in an earlier blog post, CEO Fraud Attacks Continue to Rise.

We came across the below video released by Barclays Bank to educate people on how this fraud works and we thought it was worth sharing with you.

As outlined in our own advisory, we recommend that companies take the following steps to avoid becoming a victim of this scam:

  • Ensure staff use secure and unique passwords for accessing their email.
  • Ensure staff regularly change the passwords for their email accounts.
  • Where possible, implement two factor authentication to access email accounts, particularly when accessing web based email accounts.
  • Have agreed procedures on how requests for payments can be made and how those requests are authorised. Consider using alternative means of communication, such as a phone call to a known and trusted number, to confirm any requests received via email.
  • Be suspicious of any emails requesting payments urgently or requiring secrecy.
  • Implement technical controls to detect and block spam emails and spoofed emails.
  • Ensure computers, smartphones, and tablets are updated with the latest software and have up to date and effective anti-virus software installed. Criminals will look to compromise devices with malicious software in order to steal the login credentials for accounts such as email accounts.
  • Provide effective cybersecurity awareness training for staff.

If your company falls victim to such a scam, you should first report the issue to your financial institution and then report it to An Garda Síochána or the appropriate local law enforcement agency.

Contract Risk Analyst Role Available

Due to our continued expansion and growth, BH Consulting have been engaged by a blue-chip client to recruit a Risk Assessment Analyst. The Risk Assessment Analyst is a strategically important role within this client’s organisation, with responsibility for executing the risk management methodology in line with the NIST Security Framework, ISO27001 and PCI Standards. Ideally a successful candidate will possess strong knowledge and experience with industry standards, risk analysis, risk mitigation, business function process flows and project plan development, together with excellent reporting, communication and presentation skills.

Responsibilities:

  • The Risk Assessment Analyst will be part of the senior Risk Management program. This program is critical to the organisation’s risk management framework and provides the foundation for defining and evolving the Risk Management strategy and enhancing current security controls, business continuity capabilities and security practices.
  • This position has global purview and will be responsible for driving the execution of Risk Assessments across several geographical regions and business units.
  • Maintenance and coordination of the organisation’s threat taxonomy.
  • Work with the many inputs for Risk Assessment defined in the organisation’s Risk Assessment method.
  • Interface with internal functional towers to collect and correlate results of Risk Assessment inputs.
  • Complete Risk Assessment documentation and engage with key stakeholders to develop Risk Mitigation plans.
  • Schedule and conduct cross functional meetings as required ensuring Risk Assessment exercises have the necessary pre-requisites in accordance with the organisation’s standards.
  • Perform all departmental administrative activities, including staff meeting attendance, status reporting, documentation and other activities, as assigned, in a timely manner.
  • Program Management – execute and direct the day to day program operations, plan and deploy long term vision, direction, and sustainability
  • Support the Policy Exception Program Manager as part of the Risk Movement lifecycle.
  • Work with external auditors for industry certification to present Risk Assessment methodology, findings and risk lifecycle.
  • Travel as required (not frequent)

Qualifications/Experience: 

  • 3+ years in Risk Management related positions with high-level problem solving and technical project management experience.
  • Experience of both governance and hands-on execution.
  • MS/MBA/MA degree or equivalent experience desired
  • CISSP/CISA/CISM/CRISC or similar certified
  • Minimum 5 years of experience in Risk Assessment, Business Continuity Management and/or Disaster Recovery Management in large enterprises.
  • Ability to lead risk assessment activities across multiple business units.
  • Demonstrable background in Security controls assessment.
  • Experience in conducting business impact analyses and Risk Assessments
  • Excellent verbal and written communication skills are required.

If you feel this role is for you then send your CV to [email protected]

Welcome to the BH Consulting Team Stephen

We are delighted that our team at BH Consulting continues to grow and earlier this month we welcomed Stephen Rouine to the company. Stephen joins us as a Cloud and Cyber Risk specialist and will be working with our clients in assisting them protect their core business assets.

Welcome on board Stephen and we look forward to working with you to

Setting up DMARC to Defeat Email Abuse

CERT-EU (the Computer Emergency Response Team for the EU institutions, agencies and bodies) released a very informative paper called “DMARC – Defeating Email Abuse” on how to configure DMARC (Domain-based Message Authentication, Reporting & Conformance) to reduce the level of email abuse.

Properly implemented, DMARC can reduce the number of spoofed emails, which according to the whitepaper in turn reduces:

  • spear-phishing e-mails, where the attackers want to impersonate well-known, trusted identities in order to steal passwords or other financial/personal data, or to get the target to download malicious files and exploits;
  • fraudsters who want to cover their tracks and remain anonymous;
  • computer worms;
  • brand name impersonation.

Anyone responsible for managing email services should take the time to download and read this whitepaper.
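The DMARC policy itself is a single DNS TXT record, and the difference between a record that merely monitors and one that actually stops spoofed mail (the “technical controls to detect and block spoofed emails” recommended in the CEO fraud post above) comes down to a few tags. The following is an added example, not code from the CERT-EU paper or from BH Consulting: it parses a DMARC record using the tag syntax from RFC 7489, applies the specification’s defaults, and flags the settings that would still let spoofed mail be delivered. The two records and the reporting mailbox in them are constructed placeholders.

```python
"""Parse and assess a DMARC DNS TXT record (RFC 7489 tag syntax).

Added example, not code from the CERT-EU paper or from BH Consulting.
The two records below are constructed; the mailbox in them is a placeholder.
"""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and apply DMARC defaults.

    The v= tag must come first and be DMARC1, and p= is required; sp=
    inherits p=, pct= defaults to 100 and alignment defaults to relaxed.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    first = record.strip().split(";", 1)[0].strip().lower()
    if first != "v=dmarc1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    if not re.fullmatch(r"\d{1,3}", tags["pct"]) or int(tags["pct"]) > 100:
        raise ValueError("pct must be an integer 0-100")
    return tags


def assess_dmarc(record: str) -> list:
    """Return the weaknesses that would still let spoofed mail be delivered."""
    t = parse_dmarc(record)
    findings = []
    if t["p"] == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if t["sp"] == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if int(t["pct"]) < 100:
        findings.append(f"pct={t['pct']} applies the policy to only part of the mail")
    if "rua" not in t:
        findings.append("no rua= address, so no aggregate reports on abuse")
    return findings


# Constructed records: a monitoring-only deployment and a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD):
        print(rec, "->", assess_dmarc(rec) or ["no weaknesses found"])
```

A p=none record is the right starting point while the aggregate reports are reviewed, but only a move to quarantine or reject at pct=100 actually stops the spoofed mail reaching staff.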

How to build your first digital forensics lab on a budget

Some companies set up a digital forensics lab in order to carry out internal checks for workplace misconduct, to support disciplinary proceedings, to carry out incident analysis and damage assessment, or else to provide digital forensics services for profit to others. Demand for digital forensics is growing: Transparency Market Research has forecast that the digital forensics market will be worth $4.97 billion by the end of 2021, a CAGR of 12.5%.

Setting up a new digital forensics lab often involves high cost for companies, however, and forecasting this cost is not always easy – especially for smaller companies. So, I would like to share a few tips about how to build your first digital forensics lab on a low budget.

  1. Research current trends, requirements, and what other companies in your sector are doing. The infosec community is very open and, often, a request for help will result in many replies. This should help you to identify the digital forensics services you are planning to provide, such as computer forensics, mobile forensics, e-discovery and so on.
  2. Do an overview of the proposed services you plan to provide. Evaluate your capability and availability of resources. Do a SWOT analysis to determine your strengths, weaknesses, opportunities and threats.
  3. Find out more about digital forensics best practice standards and operating procedures from reliable sources like those listed here. This should help you to determine the requirements for your digital forensics lab and tools.
  4. Determine the following:
  • What digital forensic services you have to provide
  • What you need to have
  • What you plan to have
  • What you would like to have.
  5. Prepare a list of provisional expenses (see ‘what you need to have’, above) for your digital forensics lab. List all software and hardware required for your services.
  6. Evaluate software/hardware by cost, reputation, support, service and so on. Check for open source tools which you could use for your digital forensics needs. There are many well recognised digital forensics frameworks and tools available for free use, including:
  7. Prepare a shopping list based on your needs, findings and evaluation.
  8. Make sure that staff have the necessary training, resources and qualifications. Prepare your incident response guidelines and investigation procedures documentation to incorporate your digital forensics capabilities.
  9. Test and review: regularly check your new lab by performing all steps of the digital forensics process. This stage is very important because it can reveal missing links in the process chain. It’s better to discover any issues with your processes during testing than in an actual case. Remember to update your policies and procedures to reflect the findings of your testing.
  10. Prepare a development plan for your digital forensics laboratory to enhance its capabilities over time. Write down goals and targets with projected dates. Having this focus will help you to improve the services you provide to the business (or to external clients) over time. It also provides you with the opportunity to review new developments in digital forensics investigation.

Good, reliable digital forensics tools are key requirements for your digital forensics lab. This table shows an example of basic software requirements for a digital forensics lab, from cost-free to around €750 (NB: BH Consulting is not promoting any of the tools mentioned here, nor do we earn any benefit or profit from them). You could significantly reduce your software expenses by using open source tools (thank you to all the community developers for their hard work!)

Software | Details | Price range
--- | --- | ---
Raptor | Imaging tool with a write blocker that prevents the operating system from mounting the targeted hard drive. | FREE
DD (stands for Data Duplicator) | Open source tool for copying and converting data. It enables you to quickly clone or create exact raw disk images. | FREE
Hashcat | Open source password cracking tool. | FREE
John The Ripper | Open source password cracking tool. | FREE
Autopsy/Sleuth Kit | Open source digital forensics tool. | FREE
OSForensics | Great digital forensics tool which has multiple capabilities: the ability to recover deleted files, collect system information, extract passwords, view active memory, search files and within files, and much more. | Professional edition: US$899.00 (around €860)
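Step 9 above (test every stage of the process before a real case) is where a lab usually discovers that the acquisition and verification stages need to be rehearsed together. This added example, not BH Consulting’s code or any tool from the table, simulates what dd does with `conv=noerror,sync` when a source has an unreadable sector: the block is logged and zero-filled so the image keeps its offsets, which means the image hash will legitimately differ from the source hash and the error log has to be kept alongside the image. The in-memory “disk” and its bad block are constructed so the script runs offline.

```python
"""Simulate a dd-style raw acquisition (conv=noerror,sync) and verify it.

Added example, not BH Consulting's code or any tool from the table. A
constructed in-memory "disk" with one unreadable block stands in for a
write-blocked device, to show why the image hash is logged separately
from the source hash when bad sectors are zero-filled.
"""
import hashlib

BLOCK = 512  # typical dd bs= value for raw imaging


class FakeDisk:
    """Constructed source device: raw bytes plus a set of unreadable blocks."""

    def __init__(self, data: bytes, bad_blocks: set):
        self.data, self.bad_blocks = data, bad_blocks

    def read_block(self, n: int) -> bytes:
        if n in self.bad_blocks:
            raise IOError(f"Input/output error at block {n}")
        return self.data[n * BLOCK:(n + 1) * BLOCK]


def acquire(disk: FakeDisk) -> tuple:
    """Copy block by block like `dd conv=noerror,sync`: a failed read is
    logged and replaced by NUL padding so every later offset stays correct."""
    image = bytearray()
    errors = []
    nblocks = (len(disk.data) + BLOCK - 1) // BLOCK
    for n in range(nblocks):
        try:
            chunk = disk.read_block(n)
        except IOError:
            errors.append(n)
            chunk = b""
        image += chunk.ljust(BLOCK, b"\x00")  # 'sync': pad short or failed reads
    return bytes(image), errors


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(image: bytes, errors: list, source_hash: str) -> dict:
    """Hash the image. With read errors it legitimately differs from the
    source hash, so the error list must be kept with the image as evidence."""
    image_hash = sha256(image)
    return {
        "image_hash": image_hash,
        "matches_source": image_hash == source_hash and not errors,
        "zero_filled_blocks": errors,
    }


# Constructed sample: 8 blocks of recognisable bytes, block 5 unreadable.
SAMPLE = b"".join(bytes([65 + i]) * BLOCK for i in range(8))
DISK = FakeDisk(SAMPLE, bad_blocks={5})

if __name__ == "__main__":
    img, errs = acquire(DISK)
    print(verify(img, errs, sha256(SAMPLE)))
```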


BH Consulting Joins No More Ransom Initiative

Information security specialist BH Consulting has been accepted onto the No More Ransom initiative, a collaboration between law enforcement and industry to fight one of the fastest-growing cybercrime threats of the past year.

No More Ransom was launched in July 2016 by the Dutch National Police, Europol, Intel Security and Kaspersky Lab. BH Consulting is one of 20 new partners from across the public and private sectors which has joined the fight against a high-profile risk to many businesses.

BH Consulting will work with other partners in the anti-ransomware initiative to increase awareness of the risks posed by ransomware, how to manage those risks, and how best to deal with ransomware should a company fall victim to it. BH Consulting’s technical experts will also cooperate with other organisations to identify ways to detect, prevent, and recover from ransomware.

“Ransomware is rampant – we’re seeing more and more companies and individuals falling victim to it,” said Brian Honan, founder and CEO of BH Consulting. “No More Ransom is a great example of why reporting cybercrime is important. Law enforcement have reacted to this problem and worked with private industry to gather information from agencies around the world so victims have a resource to look at in the event they get hit by ransomware.”

According to Intel Security, ransomware incidents grew by 169% in 2015. Figures from the FBI show that criminals extorted $209 million from victims in the first three months of 2016. Ransomware is usually installed through a social engineering attack and then infects a victim’s computer by blocking access to their files unless they pay to have them released.

Some strains of ransomware raise the stakes further by threatening to destroy files permanently for every hour the ransom isn’t paid, increasing the pressure on victims to give in. Some targets have been forced to pay thousands of euro to try and retrieve their data.

The No More Ransom website (www.nomoreransom.org) provides information in several languages about how ransomware works and how to protect against it. It also hosts free tools to help victims decrypt their blocked devices, which more than 5,000 people have already used successfully.

Although these free tools block some forms of ransomware such as TeslaCrypt, Chimera, CoinVault, Rakhni and Wildfire, many other variants are emerging all the time. “Awareness of the problem is one of the most effective ways of stopping a ransomware infection,” added Honan. “There are several techniques an organisation can use to avoid this from happening. For example, ransomware uses peer-to-peer network traffic to communicate to the criminals, so businesses should block that traffic at their firewall. Backing up data systematically can also help to recover from ransomware. We also advise that organisations need to test those backups regularly,” he said.

“We recommend that victims don’t pay the ransom. It doesn’t guarantee that they will get their data back in 100% of cases, and payment only encourages criminals. We have also seen that once victims pay to have their data decrypted, they’re often targeted repeatedly because criminals see them as a soft touch,” Honan said.