alt tag

Posts from November, 2015


The Future of Fingerprint Authentication… Is There One?

Tuesday, November 24th, 2015

fingerprint-150159_640

Earlier this year, the U.S. government revealed a massive cyber security breach which may well bump the infamous Target and Sony attacks down to “small potatoes.” The database of the Office of Personnel Management (OPM)—essentially a central HR department for most federal agencies—was hacked multiple times over several months, exposing the personal records of 21.5 million individuals. Current and former federal employees, job applicants, and contractors who had undergone various levels of security background checks represented most of the victims. The suspected culprits of the attack are the Chinese, in the midst of an ongoing “cyber cold war” with America.

Most of this stolen data includes the usual personally identifiable information—addresses, birth dates, Social Security numbers, and more—routinely trafficked on the international black market, or “dark web.” But a couple months back, the OPM dropped the other shoe: Also compromised were 5.6 million digitally stored fingerprints, dating back to 2000.

Biometrics

Fingerprints are at the core of modern biometric authorization.

If you’ve bought the latest smartphone, you know it scans your thumb to unlock. At least one large health club chain has eliminated barcoded membership cards in favor of electronic fingerprint scanners. If Microsoft had their way, they’d entirely replace your computer’s passwords with biometrics—though the necessary 3D camera/scanner hardware may be slow to market.

Biometrics may still be in its infancy today, but how common will it be tomorrow? Besides logging in to your personal devices, will it become the preferred login option for secured email accounts, online banking transactions, medical records, or other sensitive data? One thing’s for certain: Legions of hackers around the world are obsessed with cracking the latest cyber security measures right now.

Sooner or later, everything becomes vulnerable.

Identity Theft

If you’ve discovered you’re the victim of identity theft, most of the damage can be fixed. A compromised password can be changed in minutes. A new credit card number is a phone call away. At worst, you can go through the painstaking process of wiping fraud from your credit reports.

But it’s biologically impossible to get new fingerprints—the fingertips you were born with are yours for life! Whether they were stolen last week or 20 years ago, once a victim’s electronic fingerprint records fall into the wrong hands, they can never really be “un-stolen.”

We can draw two takeaways from the OPM breach:

  • As we’ve discussed, America’s cyber security still lags far behind hostile threats—from hackers and cyber crooks to perhaps even adversarial governments. As in the Wild West, it’s ultimately up to you to protect yourself.
  • At first glance, biometrics offer the ultimate personal security. But unless we’re assured they will be 101% hack-proof, they may actually go the way of QR codes—a neat idea that just doesn’t catch on in the real world.

For more information on how you can protect yourself personally and professionally, get in touch with us today.

Mobile Security Exploits: Surviving the BYOD Environment

Thursday, November 19th, 2015

telephone-586266_640

IT professionals are more concerned than ever about malicious software infections since smart mobile devices hit the mainstream. Many businesses have been relatively open to the idea of integrating smart devices into their workflow as a way to increase productivity. But news headlines have been quick to cover the many significant security exploits of the last few years. The most troubling part, perhaps, is the period of months or years that some of these security holes existed before anyone noticed.

BYOD, by nature, eliminates a level of control that IT departments are accustomed to having when protecting employee devices.

These devices often store saved passwords and even confidential company information—and, if compromised, can provoke an expensive disaster. Working with a managed service provider can help your business develop comprehensive best practices for mobile device security.

Stagefright

Android’s Stagefright is an example of an exploit affecting 900 million devices that can completely compromise security control. This particular hack uses Multimedia Messaging Service text messaging to upload malicious code and take over a device. A hacker that succeeds in controlling the device has access to everything on it—including confidential emails and financial accounts.

Google has put in the work to solve this issue, but it won’t do users any good unless they can install the patch. The three-tier Google to manufacturer to service provider patch approval and implementation process can delay updates for months.

You can confirm whether a specific device is vulnerable using one of the many Stagefright detector apps in the Play store, including this one by Lookout Mobile Security. If you find that your device is vulnerable to the hack, you can protect yourself by disabling MMS auto downloading in the Messaging app options. While it’s inconvenient to approve each MMS that comes through to your device, you can ignore messages from unrecognized numbers (which will make it very difficult to compromise the device).

Samsung SwiftKey

Samsung’s SwiftKey app implementation exploit also received substantial attention in the press over the 600 million vulnerable devices. This security hole allows a hacker to exploit the device update functionality within the SwiftKey app so they can upload custom firmware and take over. Samsung integrated the SwiftKey app into the phone’s software so it can’t be deleted to block the exploit. Samsung has updated their software to patch this hole—but, as with Stagefright, it is up to the carriers to push the update to impacted devices.

Fortunately, there’s an IT consulting tip that can minimize your exposure odds to the SwiftKey exploit: Do not update your device when connected to a public Wi-Fi network. The exploit actually requires that the hacker and the device be connected to the same compromised public Wi-Fi network to activate. Additionally, the device user would need to manually confirm that they want to apply the update for the hack to work, so simply refusing all updates while connected to public Wi-Fi at restaurants and stores will protect you.

iOS Exploits Exist

While Google’s Android operating system seems to take most of the heat for mobile device exploits, iOS devices don’t get off scot-free. In May 2015, hackers discovered a text message code that could be used to force iOS devices to crash and reboot when reading the message. Some devices were stuck in an annoying reboot loop. While not a security issue, this exploit could be a major productivity killer, rendering the device temporarily unusable. Apple was able to quickly patch this exploit, and updating the iOS device eliminated the issue.

Apple’s strict app approval process has done a fantastic job of keeping malware out of the App Store. However, in September 2015, hackers were able to sneak malware past the App Store approval process by supplying unsuspecting app developers with compromised code. Fortunately, Apple was able to identify and remove the affected apps before they became a widespread issue.

Working with an MSP is a great way to help protect your employees’ BYOD devices. In an ideal world, every device would be impervious to malicious attacks. But the next best option is to learn best practices to protect you from common attacks.

Email Encryption: The Basics

Thursday, November 12th, 2015

post-403145_640

Chances are you probably have a few USPS “forever” stamps that have been sitting in your desk drawer for a while. When was the last time you actually used them to “snail mail” something—a bill payment or an important letter? Most bills are paid online these days, and most of our day-to-day correspondence is done via email.

Remember postcards? When you were vacationing in some far-off locale—Europe, Hawaii, or Vegas—you probably bought a few picture postcards to send to friends and family back home. The postcard had space to write a short message. You tried not to write anything too personal on the postcard, because anyone could read it—from the postal carrier who delivered it to a stranger who might eventually find it in the trash.

Not so long ago, all email was a virtual postcard—unsecure and easily “eavesdropped” on by anyone who knew how to access it between points on a network, via a hacked username and password.

Encryption = Protection

How can email be shielded from “prying eyes”? The most effective method has proven to be encryption—essentially converting plain text messages (as well as file attachments) into mathematically-scrambled gobbledygook. Common forms of encryption revolve around digital certificates or “electronic keys” which encode messages from the sender and decode them at the recipient’s destination. This essentially upgrades the “postcard” to a sealed envelope, accessible only by the sender and recipients.

Commercially available email encryption solutions range from all-in-one hardware peripherals plugged into an email server which automatically encode and decode scrambled emails, to software applications, either downloaded in full or available as on-demand services. Most incorporate standard encryption protocols such as Transport Layer Security (TLS) or Secure Multipurpose Internet Mail Extensions (S/MIME).

What to Encrypt

Is encryption necessary for every business email? No. Only about 15% of commercial email is currently encrypted. While simple everyday correspondence doesn’t require encoding or decoding, advanced encryption is essential for confidential or proprietary data, including:

  • Legal documents
  • Medical records (as required by HIPAA)
  • Contact lists
  • Banking and billing records
  • Customers’ personally identifiable information (PII), including credit card and Social Security numbers

Email security begins with a clear policy regarding which specific information automatically requires email encryption.

The sheer number of encryption products on the market—from the “big names” to smaller vendors—is staggering. Planning, deploying and maintaining the most effective solution requires careful analysis of a company’s unique security needs.

How familiar are you with your current email encryption methods? Are you confident they’re the best defense against a costly data breach? Contact us for a free assessment.

Treat Your Network As If It’s ALREADY Been Hacked

Thursday, November 5th, 2015

sherlock-holmes-147255_640

Weak IT security generally revolves around the following theory: “We’ll keep hackers out of our network—everything’s okay until something bad happens.”

But strong security operates from an assume breach mindset: The hackers have already infiltrated our network, probably for a while now—where and how do we find them?

Paranoid? Probably. But in today’s ever-evolving threatscape, absolutely necessary.

Antivirus Software Will Never Be Enough

The ugly reality is that even the best antivirus programs will always lag a step behind those worldwide legions of malicious hackers who can often disguise the detectable “signature” of malware with a just few altered lines of code.

While antivirus vendors diligently try to update their products regularly with the latest virus signatures, a new version of malware can infect a network within hours of the last update. Or a virus can simply—and silently—disable those updates or completely shut down firewalls, allowing an attacker free reign over the entire network—unleashing even more trouble.

Hacking and Malware: Hidden Clues

A single virus-infected PC is usually easy to spot; the user can immediately see that something’s wrong. But intrusive malware hidden inside a network can lay dormant for days or months before wreaking havoc. Have you experienced any of these network malware symptoms recently?

  • Your company bandwidth slows down during certain periods of the workday for no apparent reason. There may be something on the network that shouldn’t be there—and combing through your sensitive data.
  • Your inbound network connections spike at odd overnight hours. Your users are probably home asleep at 3:00 a.m., but hackers on the other side of the globe are wide awake.
  • One or more workstations—or the entire network—make a lot of outbound connections that don’t make sense. A firewall normally ensures your mail server exclusively handles STMP (email) traffic, while other network traffic is limited to your DNS servers. Seemingly “illogical” STMP/DNS connections—such as STMP connections to an unfamiliar IP address—signal the network may have been hacked. Your company data is in danger, or spam may be discreetly spewing from your hijacked email server.

Detective Work? Where to Begin

So if you treat your network as if its security has already been compromised, where do you look for the evidence? Start with establishing comprehensive audit logs to record telltale clues within your network, such as:

  • Abnormal incoming/outgoing network activity, focusing on unusual connections among workstations’ TCP ports.
  • Suspicious network traffic at odd hours (when one cyberattack is detected, it establishes a timeframe for similar attempts).
  • The sudden appearance and locations of strange new files, including malicious rootkits.

Hacking and cyberattacks are no longer a question of if, but when. And you can’t limit the damage until you know what to look for. For more ideas about cutting-edge network security, contact us.