» Home >

Author Archives: Mark Borrie

Is my home Wifi network ok?

Tuesday, October 17th, 2017 | Mark Borrie | Comments Off on Is my home Wifi network ok?

What is it KRACK?

You may have heard about the latest security problem with wifi networks and be wondering what this is all about.

Yes this is a serious problem, and YES your home network is vulnerable. Every network is currently vulnerable to this new issue. More importantly, you computers, laptops, phones and other devices are also vulnerable.

What impact is there?

Potentially this impacts an extensive range of devices including Apple, Android, OpenBSD, Linux, Microsoft, smart computers, smart phones, access points, IoT devices etc. The attack cannot be executed remotely; the attacker must be within range of your wireless network ie physically near your Wi-Fi.

So what can happen? An attacker can insert themselves into your network conversations and listen to what is going back and forth. They could also potentially start changing things. If you are communicating over an encrypted link such as using https then an attacker cannot see your information. This means that your passwords will continue to stay secure.

At this time, there is no evidence that an attack tool exists in the wild but they will come sooner rather than later. Until then the attack will only be possible from a skilled attacker, however once easy-to-use tools are available the skill factor is no longer a barrier . Expect to see your neighbourhood hackers attacking your old iPhone or Android device.

What to do about it?

With this in mind you should patch all of your devices soon.

If you have an older device then the manufacturer may not release patches for this issue. This is a problem and you will need to consider upgrading your device to one that is supported.

If you need to ensure the privacy of your network usage then use a VPN to encrypt all your traffic. VPN is a protocol for encrypting all network traffic between two network points. The University has a VPN service that allows staff to connect to the internal University network from most places on the Internet. You will need to find a suitable VPN service for you.

The Bleeping Computer site is keeping an up to date list of patched devices at https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

Summary

KRACK is an issue for all wireless networks. You should apply the security patches as soon as they become available.

Older devices may not receive security updates and are now at risk of becoming a gateway into your network and privacy. As such, sensible disposal is the preferred approach.

For devices where no patch is available you should assume that all traffic from that device can be spied on and potentially altered. Using a VPN to help mitigate this for you.

Can my light bulbs DoS me?

Friday, October 7th, 2016 | Mark Borrie | Comments Off on Can my light bulbs DoS me?

Denial of Service (DoS) attacks are situations where an IT system is deliberately overwhelmed to a point where normal activity is no longer possible. A DoS attack usually comes from a single source. Where the attack comes from many sources we call this a Distributed DoS, or DDoS.

DDoS traffic is usually sent from many computers from around the world. These computers will have been hijacked and grouped together into a botnet which are then controlled by the bad player. These computers usually have been compromised because security patches have not been applied.

For some time InfoSec people have been wondering what impact the Internet of Things (IoT) will have on things like DDoS. The IoT generally refers to all those everyday objects that can now connect to the Internet. Think CCTV, toys, nappies, cars, door bells etc.

At the KiwiCon conference last year in Wellington, and at other conferences,  some of the presentations talk about the security of various IoT devices. Some of the findings were

  • Certain brands of car immobilisers could be activated by other people by attacking the website where the device was registered. This was particularly concerning for those vehicles that could have the fuel system shut down. Imagine suddenly running out of fuel while in the middle lane of a motorway doing 110 km/hr!
  • Home security devices being sold in NZ could be controlled by other parties.
  • Baby monitors can be listened into, and worse.
  • Barbie Dolls are relatively hard to take over.

So are the IoT really a problem? In late September a DDoS attack was launched against a well known security writer. The attack forced his website off line for a time by the huge volume of traffic sent to it. What is interesting is that most of the devices involved in the attack were on line cameras (it is estimated that about 1.5 million cameras were involved).

The security issues with the IoT may well turn out to be a bigger problem than Y2K. When preparing for Y2K it was possible to identify likely systems that needed fixing, and then update them. In the end a Y2K disaster was avoided since we understood how to fix the problems.

The problem with IoT is that we cant identify and/or fix most of the devices. Few manufacturers of an IoT device include options for efficiently getting updates onto the device. Almost no one will commit to providing support for any set time. For most devices, if there is a significant security issues with them, it will be a case of throwing them away.

So this comes back to the original question. Can my light bulbs DoS me?

Well, the current versions probably cannot launch a co-ordinated network attack, which is good. However, a bad player may well be able to take control of your light bulbs. Think about the result of all your lights coming on at 3 am. Perhaps we should call this a DoSl (Denial of Sleep).

What to do? Some of the functionality of some IoT devices is truly exciting. We are going to see more and more options out there. When buying these devices we need to start thinking about the impact if things go wrong. Ask the retailer about security updates. If updates are available ask for how long support will be provided.

Finally, be prepared to throw the device away. This may end up your only option.

Update on RansomWare

Friday, October 7th, 2016 | Mark Borrie | Comments Off on Update on RansomWare

In March this year I wrote about the upswing in ransomware attacks. Well since then we have seen even more attacks. Unfortunately some people have been caught out by the attackers and have had files encrypted.

Luckily everyone so far has been able to restore their data from backups and other sources.

The criminal gangs running these attacks are constantly looking for new ways to get results. Recently they used a flaw in certain types of Word docs. These were Word files with macros in them. Once we worked out what they were up to we started using our spam management system PureMessage to quarantine all these Word files with macros (these have a docm suffix). Only a few genuine files were quarantined and they were still available to the user.

During August we quarantined about 150 000 docm files.

Since then we have seen a decline in the use of docm files but a large increase in zip files. Zip files are a convenient way to bundle together a number of files in a compressed format that makes them easier to distribute.

During the first 12 days of September we quarantined about 1.5 million zip files. Almost all of these had some sort of malicious content.

Dealing with these ongoing attacks is a team effort and we all have a part to play. Remember if something looks suspicious then get someone to check it out.

User awareness videos

Tuesday, July 12th, 2016 | Mark Borrie | Comments Off on User awareness videos

Here are a couple of videos to help people become a bit more aware of social engineering risks. It would be interesting to hear from you as to which one you think is more effective.

http://click.email.sans.org/?qs=c5f96f16ca893d8d2f0d14de6b7a75772c968cabaa38a6908445ec57e78146b3c527b9f0ea796009

 

Here is another good one from a bank

 

What is Ransomware?

Monday, March 7th, 2016 | Mark Borrie | Comments Off on What is Ransomware?

In recent years another new term has emerged to describe yet more malicious software that attacks users. This one is called ransomware.

So what does ransomware do?

When a computer become infected with this software, all the files on the computer get encrypted. The user is then notified and offered an option of paying a ransom to get the secret decryption key in order to recover the files. If the user refuses to pay up all the encrypted files are lost.

There has been a large increase in ransomware attacks worldwide in recent months. The Information Security Office team is seeing large numbers of spam emails being intercepted here at Otago that are connect to ransomware attacks.

A recent attack

Many staff recently received an email claiming to be from a lawyer that suggested the user had breached copyright on some material. This spam was deliberately sent during the weekend so that users would not have the usual support channels available (Alarm bell #1). This email was sent to many other Universities.

An analysis from another institution of the email revealed that some interesting things.

  • The email had a zip file attached (Alarm bell #2)
  • The zip file attached to the email contained a pdf that had a script in it.(Alarm bell #3)
  • This script requested the user to install a special font in order to read the pdf (Alarm bell #4)
  • If the user (or their IT support person) finds the font and installs it then the ransomware is installed and immediately starts encrypting all the user’s files INCLUDING those on file shares.

Protecting yourself

Targeted spam attacks are getting more sophisticated. They use real companies and individual’s names. They are sent outside normal work hours, i.e. during weekends or holidays, or overnight. They often appear to be relevant to the target people, i.e. copyright issues for academics, or account information for financial staff.

Things to do (or not do)

  • Do not respond to unexpected emails outside work hours (It really isn’t that urgent)
  • Do not respond to requests to “take an action” (It truely is not that urgent)
  • Check with IT staff or colleagues if you get an unusual email. Chances are it will be a known attack, or it will alert staff of a new one under way
  • Be prepared. Make sure all your data files are properly backed up. Some of the ransomware attacks are now targeting backups as well as file shares so backups should not be accessible to the attack

For more information or assistance, contact the ITS ServiceDesk or the Information Security Office.

Financial fraud phishing emails

Wednesday, February 17th, 2016 | Mark Borrie | Comments Off on Financial fraud phishing emails

The Information Security team has noted an increase in phishing emails that are targeting staff who may handle financial transactions. Initially these emails targeted senior staff and attempted to get fraudulent payments made by the University. A tertiary organisation up north fell victim to this and may be out of pocket to the tune of over $100k.

The phishing emails are now targeting departmental staff. The email will appear to come from another University staff member and attempt to establish further email communication. The email address will not be an @otago.ac.nz address. Eventually the target victim will be asked to set up a fraudulent financial payment. These emails are asking staff to work outside University financial processes by suggesting that there is some urgency in processing the request and hence bypass normal processes.

Staff who handle financial transactions are asked to be vigilant for these types of attacks. If you receive unusual requests to process payments then ensure that the following is undertaken
– Check with the apparent requester via another channel, i.e. if the request comes via email then give them a call to verify.
– At all times follow the University account processing systems. Contact FSD if you have questions.
– Report any attempts of this nature to the Information Security Office so that we can keep up to date with current attacks.

If you have any questions regarding this matter then please contact myself.

Thanks, Mark

P.S. A copy of this email has been posted on the Information Security Blog site for verification. See https://blogs.otago.ac.nz/infosec/2016/02/17/financial-fraud-phishing-emails/

-- 
Mark Borrie
Information Security Manager,
Information Technology Services, University of Otago,
Dunedin 9054, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-8813
Email: mark.borrie@otago.ac.nz

Airline Boarding passes

Thursday, October 8th, 2015 | Mark Borrie | Comments Off on Airline Boarding passes

Ever wondered what is recorded on your airline boarding pass? Well someone has done some analysis of one and quickly turned up some interesting information. The bottom line is don’t throw them away, instead make sure you take them home and destroy them at the end of your travels.

See http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/ for an explanation.

LinkedIn Scams

Tuesday, September 1st, 2015 | Mark Borrie | Comments Off on LinkedIn Scams

In recent weeks there has been an increase in fake requests on LinkedIn for users to connect with people. These are likely to be precursors to attempted scams or fraud.

Some examples I have noticed are from people claiming to be from financial companies based overseas. After connecting with the person a message quickly follows asking for more information about yourself.

If you are unsure about these connect requests there are a few things you can do. Check out the company affiliation. If you cant find the company then there is a good chance it is fictitious.

Also check the profile picture. This is easy with Google. Open the Google search page and select the images link. Now drag the profile pic into the search bar and see if there are any matches. You might be surprised at where that profile picture originated from.

Now there is no requirement that someone will use an actual picture of themselves on LinkedIn, however you may want to think about why someone uses a picture of someone else.

So what to do with these requests. There are options on LinkedIn to report people that appear to be misrepresenting themselves. Alternatively, simply don’t connect or disconnect from people you don’t trust.

Above all else, keep safe.