Madeira Blogs: Security Awareness

Security Aware, topics on information technology security.

Kent Gartside Security Blog.

Pwned or Owned

"Pwn" or "pwned" comes from the verb to own, meaning to conquer or gain ownership.  Being pwned online typically means that a hacker has your credentials for a Web site that has been hacked at some point.

What does it mean if I've been pwned?
Being pwned means that a hacker has your credentials for a Web site you once subscribed to.

For example, Adobe: In October 2013, 153 million Adobe accounts were breached, each containing an internal ID, username, email address, encrypted password and a password hint in plain text.  Compromised data: email addresses, password hints, passwords, usernames.

LinkedIn: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until it was offered for sale on a dark market site 4 years later. The passwords in the breach were stored as unsalted SHA1 hashes, the vast majority of which were cracked within days of the data's release.  Compromised data: email addresses, passwords.

What can happen if you've been pwned?
Blackmail.  Yes, actually blackmail; follow me through this Hollywood screenplay.

Day 1:  A particular Web site was hacked; we will call this Web site Alpha.  The Alpha Web site had some security holes, and a hacker or group of hackers now has its subscribers' email addresses, passwords, and password hints.

Day 2:  The hacker sends Alpha's subscribers a phishing email tempting them to click.  In this example, the phishing attempts are links or hooks to inappropriate adult Web sites.  The subscriber (the person who has been pwned) does not click on the link and deletes the email.

Day 7:  The hacker sends Alpha's subscribers another phishing email tempting them to click.  The subscriber does not click on the link and deletes the email.

Day 86:  The hacker sends Alpha's subscribers another phishing email tempting them to click.  The subscriber does not click on the link and deletes the email.

Day 211:  The hacker sends Alpha's subscribers another phishing email tempting them to click.  This time the subscriber clicks on the link in the email.

Day 212:  The hacker is aware that the subscriber clicked on the phishing link.  Remember, the link leads to an inappropriate Web site.

Day 212:  The KEY DAY.  The hacker sends the subscriber a message saying they are aware of the inappropriate Web site recently visited, and they include the password they compromised when they hacked the site the subscriber had signed up to.  Key point:  knowing a previous password is a way of gaining trust; it makes it look like the hackers have something on you and are legit.  The hacker then tells you to send them $3,000 in cryptocurrency or they will send your browsing activity to everyone in your contact list.

What should I do if I've been pwned?
Determine whether the credentials you used on the hacked site are the same as the credentials for a banking Web site.  This is why banking and non-banking passwords should never be the same.  If your banking credentials are the same as those on the hacked site, change them immediately.  Refer to our blog on the new NIST password requirements on our Social Media page.

How to check if you've been pwned
Go to https://www.haveibeenpwned.com/, then change your credentials for any site you subscribed to that shows up as breached.  Make sure your new passwords are not the same as your banking passwords.
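Have I Been Pwned also exposes its breached-password corpus through the Pwned Passwords "range" API, which lets you check a password without sending it anywhere: only the first five hex characters of its SHA-1 hash leave your machine, and the service returns every hash suffix that shares that prefix. The PowerShell script below is an added example, not code from the original post or from Have I Been Pwned; it assumes PowerShell 5.1 or later and outbound HTTPS access to api.pwnedpasswords.com.

```powershell
# Added example (not from the original post): check a password against the
# Pwned Passwords corpus using the k-anonymity "range" endpoint.
# Only the first 5 hex characters of the SHA-1 hash are ever sent to the service.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    try {
        # Uppercase hex with no separators, which is the format the API uses
        return ([System.BitConverter]::ToString($sha1.ComputeHash($bytes))).Replace('-', '')
    } finally {
        $sha1.Dispose()
    }
}

function Test-PwnedPassword {
    param([Parameter(Mandatory)][string]$Password)

    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)

    # The API returns one "SUFFIX:COUNT" line for every known hash sharing the prefix.
    # Add-Padding asks the service to mix in dummy entries (count 0) so the
    # response size does not reveal which prefix was queried.
    $uri      = "https://api.pwnedpasswords.com/range/$prefix"
    $response = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'Add-Padding' = 'true' }

    foreach ($line in ($response -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) {
            $count = [int]$parts[1]
            # Padding entries carry a count of 0 and must be ignored
            if ($count -gt 0) {
                return [pscustomobject]@{ Pwned = $true; Count = $count }
            }
        }
    }
    return [pscustomobject]@{ Pwned = $false; Count = 0 }
}

# Read the password without echoing it to the console, then report the outcome
$secure = Read-Host -Prompt 'Password to check' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
$result = Test-PwnedPassword -Password $plain
if ($result.Pwned) {
    Write-Host "This password appears $($result.Count) times in known breaches. Change it everywhere it is used."
} else {
    Write-Host 'This password was not found in the Pwned Passwords corpus (that alone does not make it strong).'
}
```

A password that comes back with a non-zero count has already been cracked and published, so it will be among the first guesses in any credential-stuffing attempt, which is exactly the "same password on the hacked site and the bank" problem described above. A count of zero only means the password is not in this corpus.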

The National Institute of Standards and Technology (NIST) has issued new guidelines regarding secure passwords.  We at Madeira Networks have adopted these standards with some modifications.  Below is a suggested algorithm, or formula, for a never-changing password and a happier end-user:

First, you never have to change your password unless:
1)  In a rare circumstance, you have given your credentials to someone and now need to change your password;
2)  You have been compromised or believe you have been compromised.

Second, your complex password must be at least eleven characters long and satisfy three of the four criteria:
1)  Uppercase
2)  Lowercase
3)  Number
4)  Special Character

Third, promote non-dictionary passwords.  Dictionary-only passwords, for example Summer2019, will meet most password complexity policies; however, dictionary passwords are easily cracked.  The American dictionary has approximately 350,000 words, and malicious software can cycle through them in minutes.

Last and most important, use password "black-list" technology so you can black-list specific words or phrases, for example Winter, Spring, Summer, Fall, Password...

Here are some examples of complex passwords that meet the above criteria.

Carb0HiH20!!
Trave!2Tr@velFar#
Bik3RiiderHar$
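The four rules above (minimum length, three of four character classes, no dictionary words, a black-list) are easy to enforce in a script. The PowerShell below is an added example, not code from the original post or from Madeira Networks. It assumes a short black-list built from the words listed above plus a few constructed additions, and it goes one step beyond plain substring matching by normalising common digit and symbol substitutions first, so "Summ3r" or "Pa$$w0rd" are still caught. A real deployment would load the organisation's black-list (and ideally a full dictionary) from a file rather than hard-coding it.

```powershell
# Added example (not the post's own code): enforce the password rules above,
# with an assumed black-list and leet-speak normalisation.

# Black-listed words from the post plus assumed additions; load from a file in practice.
$BlacklistedWords = @('winter', 'spring', 'summer', 'fall', 'password', 'madeira')

# Common substitutions; a black-listed word disguised this way should still fail.
$LeetMap = @{ '0' = 'o'; '1' = 'i'; '3' = 'e'; '4' = 'a'; '5' = 's'; '7' = 't'; '@' = 'a'; '$' = 's'; '!' = 'i' }

function ConvertTo-NormalizedWord {
    param([string]$Text)
    $chars = $Text.ToLowerInvariant().ToCharArray() | ForEach-Object {
        $key = [string]$_
        if ($LeetMap.ContainsKey($key)) { $LeetMap[$key] } else { $key }
    }
    return -join $chars
}

function Test-PasswordPolicy {
    param([Parameter(Mandatory)][string]$Password)

    $failures = [System.Collections.Generic.List[string]]::new()

    # Rule: at least eleven characters
    if ($Password.Length -lt 11) {
        $failures.Add("only $($Password.Length) characters; minimum is 11")
    }

    # Rule: at least three of the four character classes (-cmatch is case-sensitive)
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) {
        $failures.Add("uses $classes of 4 character classes; need at least 3")
    }

    # Rule: no black-listed words, even when disguised with digit/symbol substitutions
    $normalized = ConvertTo-NormalizedWord -Text $Password
    foreach ($word in $BlacklistedWords) {
        if ($normalized.Contains($word)) {
            $failures.Add("contains black-listed word '$word'")
        }
    }

    return [pscustomobject]@{
        Password = $Password
        Passes   = ($failures.Count -eq 0)
        Reasons  = $failures.ToArray()
    }
}

# The post's three examples should pass; the two constructed bad ones should not.
foreach ($candidate in 'Carb0HiH20!!', 'Trave!2Tr@velFar#', 'Bik3RiiderHar$', 'Summer2019', 'Pa$$w0rdPa$$w0rd') {
    $r = Test-PasswordPolicy -Password $candidate
    $verdict = if ($r.Passes) { 'PASS' } else { 'FAIL: ' + ($r.Reasons -join '; ') }
    Write-Host ("{0,-20} {1}" -f $candidate, $verdict)
}
```

Note that "Pa$$w0rdPa$$w0rd" satisfies length and all four character classes and is rejected only by the black-list after normalisation, which is the reason the post calls the black-list the most important rule: complexity rules alone cannot tell a predictable password from an unpredictable one.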


Protecting Your Organization from a Security Breach

Firewalls are an important key to protecting your network, but what about protecting your network from your own users?

1. Introduction

2. Security Breach – how users could give hackers access to your network

3. Determining your risk

4. Minimizing risk and protecting the organization from your own users

5. Summary and Recommendations


1.0 Introduction

This white paper discusses the potential risks companies face when users have too much control or leeway within the organization's network.  This document outlines key practices that will help minimize the risk of a security breach within your organization.

We have heard over and over again from the news media and leading experts that anti-virus software and "paying attention to what you're clicking on" will greatly minimize the risk of being hacked.  Although these things are important, they are far from all that is really needed to protect your organization from a security breach.


2.0 Security Breach – how users could give hackers access to your network

Most organizations, without even knowing it, allow their users to let anyone or anything into the network.

Hackers typically exploit computer systems using a program that runs on your network.  These programs want many things: some want money, and some record the Web sites you visit for marketing statistics.

Below are two examples of how users can grant hackers access to your network:

Example #1
Jim receives an email from his credit card company with an attachment called 2015DecStatement.pdf.  After he double-clicks the attachment, the PDF file doesn't open and a program starts running.  After several attempts to open the PDF file, he discovers the email wasn't from his credit card company after all.  It was from a hacker using a domain name similar to the credit card company's.

This user has authorization to run an unknown application on the network.  As I will state many times, users should only be able to run applications approved by the organization.

Example #2
Mary visits a Web site and decides to download Google Chrome.  After she clicks the Download link, she is asked whether she wants to "Run" the file Chrome.exe and chooses yes.  Expecting Chrome to install, she sees a program window flash on the screen and then disappear.  Not getting any confirmation that the program installed successfully, Mary tries the install again.  Again, a program window flashes on the screen and then disappears.

This user also has authorization to run an unknown application on the network.

Security weakness and risk sit at the "user level", and it becomes a matter of when, not if, the organization is hacked.

There have been many reports of crypto-locker malware that encrypts your data and then demands money, usually through exchanges like Bitcoin.  Once you pay the ransom, they send you the encryption key.  In addition to paying the ransom, you will have the additional expense of securing and re-engineering your network.


3.0 Determining your risk

Determining risk is a responsibility all owners, C-level executives, and managers should take seriously.  Allowing users to install and run applications at will raises the Risk Report's blood pressure tenfold.

Below are some basic checks that will help you determine whether users are a risk:

1. Reviewing all installed applications:  Review all installed programs and uninstall any applications not listed in the Corporate Application Set.

2. Determining if users have "Administrative Rights":  Determine whether users have administrative rights on the local computer and/or the domain.

3. Restricting users from running applications:  Users should only be able to run the applications listed in "Control Panel > Programs and Features" or any program listed in the Corporate Application Set.  For example, users should not be able to install or run installers for Chrome or Dropbox.


4.0 Minimizing risk and protecting the organization from your own users

The good news is that the above risks can be greatly minimized.  Below are some techniques that I find are underutilized within organizations of all sizes.

Determine your risk by checking the following:

1. Reviewing all installed applications:  On the local computer or network terminal server, review the list of installed programs.  Go to Control Panel, then Programs and Features, and review and approve the applications installed.  Organizations should adopt controlled procedures and forms, starting with an Application Set document.  This document lists the "approved" applications that users may use.  Remove any applications not approved per the Application Set.

2. Determine if users have "Administrative Rights":

2.1. On the local computer:  If users are allowed to install applications, they are typically members of the Administrators group.  Another way to determine whether a user has administrative rights is to right-click "Computer" and select "Manage".  If you are not prompted for a user name and password, then congratulations: you are an administrator on the local computer, and your Risk Assessment's blood pressure just went up.

2.2. On the domain:  Request that your domain administrator verify this.  This can be done on the domain controller (a server) within the network.

3. Restricting users from running applications:  Users should only be able to run the applications listed in the computer's or terminal server's Control Panel > Programs and Features.  Some applications, like Chrome and Dropbox, can be installed and run by users who do not have administrative access.  Although these applications are sneaky that way, they are legitimate applications that can be installed by users without administrative access.  This exposure is high for most organizations and is the most overlooked.
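Checks 1 and 2 above can be scripted so they are repeatable across every workstation and terminal server rather than done by hand in Control Panel. The PowerShell script below is an added example, not part of the original white paper or any Madeira Networks tooling. It reads the installed-application list from the same registry keys Programs and Features uses, including the per-user key where Chrome and Dropbox land when installed without administrative rights (the exposure described in check 3), compares it against an assumed Application Set, and then reports local administrator membership. The approved-application patterns are constructed placeholders; replace them with the organization's own Application Set. Run it in Windows PowerShell 5.1 or later on the machine being audited.

```powershell
# Added example (not from the original white paper): read-only audit for
# unapproved installed applications and local administrator rights.

# Assumed Application Set (constructed placeholders); load the real list from
# the organization's Application Set document. Wildcards are allowed.
$ApprovedApplications = @(
    'Microsoft Office*',
    'Adobe Acrobat Reader*',
    'Microsoft Edge*'
)

# The registry keys that Control Panel > Programs and Features is built from.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',              # 64-bit, machine-wide
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit, machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs, no admin needed
)

function Get-InstalledApplication {
    foreach ($key in $UninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                [pscustomobject]@{
                    Name    = $_.DisplayName
                    Version = $_.DisplayVersion
                    Scope   = if ($key -like 'HKCU:*') { 'Per-user' } else { 'Machine' }
                }
            }
    }
}

function Test-ApprovedApplication {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($pattern in $ApprovedApplications) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

# Check 1: anything installed that is not on the Application Set
$unapproved = @(Get-InstalledApplication | Where-Object { -not (Test-ApprovedApplication -Name $_.Name) })
Write-Host "=== Installed applications not on the Application Set ($($unapproved.Count)) ==="
$unapproved | Sort-Object Scope, Name | Format-Table Name, Version, Scope -AutoSize

# Check 2.1: does the current user hold administrative rights on this computer?
# IsInRole reflects the active token: under UAC an administrator running a
# non-elevated session reports False, so run this elevated for a definitive answer.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "=== Current user $($identity.Name) is a local administrator (elevated token): $isAdmin ==="

# Also list every member of the local Administrators group, including any domain
# groups nested into it, which is what the domain administrator should verify (check 2.2).
Write-Host '=== Members of the local Administrators group ==='
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
```

Anything listed with a Scope of "Per-user" was installed without administrative rights, which is the gap check 3 is about: removing users from the Administrators group does not by itself stop those installs. Closing it requires an application allow-list such as AppLocker or Windows Defender Application Control that permits only the Application Set; `Get-AppLockerPolicy -Effective` shows whether such a policy is already applied to the machine.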


5.0 Summary and Recommendations

Although there are other areas of the network, such as firewalls, switches, and servers, that need to be looked at, not allowing users to have administrative access and restricting the applications users can run will drastically reduce the risk of a security breach.

Another way to lower risk is end-user awareness training.  Educating users about safe computing and about solicitation by email or phone is highly important.


For more information contact Madeira Networks at (877) 562-3347.