June 28, 2014

Huge Data Breach in Montana!

Holy smokes, I just read a post from SC Magazine that describes a pretty substantial data breach at the Montana Department of Public Health and Human Services (DPHHS), where DPHHS is notifying 1.3 million clients and employees of a year-long data breach. The information stolen from clients includes SSNs, phone numbers, birth dates, addresses and dates of service. Data belonging to employees and contractors includes SSNs, names, numbers and bank information.

And of course, they are claiming that, after investigation, there is no knowledge of any inappropriate use of the information that was taken. I assume that they notified the individuals and offered them the generic "credit monitoring" free for a year. Hopefully this won't happen in the future, but my fingers are crossed.

Source: http://www.scmagazine.com/montana-dphhs-notifies-13-million-clients-and-staffers-of-nearly-year-long-breach/article/357655/

June 20, 2014

Common DDoS Response Mistakes

I found an interesting article on darkreading.com, which discussed some of the common mistakes that organizations make when they are under a DDoS attack. The unfortunate thing about these types of attacks is that there is no real cure, and DDoS attacks are going to remain a pain in our sides for some time to come. Below is a list of some of the common mistakes that organizations make when responding to a DDoS.

* Not having a plan to prevent DDoS attacks in the first place.

Security firms say that it is much more difficult to remediate a DDoS attack after it has started. It is much easier and more effective to put a shield in place that can prevent this type of crippling traffic from starting in the first place. Senior director of security strategy at SolarWinds, Gretchen Hellman, says:

"Such a plan should include evaluation of current DDoS protections, defined roles and responsibilities between the network and security teams, and a clear process of communication both internally and with your ISP," she says. "Failure to have a solid plan will result in mistakes, such as focusing on blocking IP addresses only -- attackers will use spoofed ones that change often -- reacting without taking the time to understand the nature of the DDoS traffic, and elongated response time when an attack occurs, resulting in more damage."

I like the fact that she says that it is a good idea to take some time to figure out and understand the nature of the attack: what kind of mechanisms is it using to execute the attack, what part of the network is it targeting or is it targeting the entire network, is the attack only focused on the Web server? Reacting too quickly can actually cause more damage than stepping back for a second to really evaluate the situation fully, or at least to the best of one's ability. Having a slow response time can also lead to damaging circumstances as well. So, I think the takeaway from this one is to have a plan before the DDoS actually occurs so that damage can be kept to a minimum.
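To make "understand the nature of the DDoS traffic" concrete, here is an added example (not from the Dark Reading article or any vendor) that summarizes flow records to show what is being targeted and whether the sources are concentrated enough for IP blocking to matter. The record fields, the constructed sample traffic and the 0.5 threshold are all assumptions.

```python
from collections import Counter

def sample_flows():
    """Constructed flow records (documentation IP ranges), not real traffic."""
    flood = [{"src": f"198.51.100.{i}", "dst": "203.0.113.10",
              "proto": "tcp", "dport": 443, "bytes": 1000}
             for i in range(1, 201)]
    normal = [
        {"src": "192.0.2.5", "dst": "203.0.113.20", "proto": "tcp", "dport": 25, "bytes": 5000},
        {"src": "192.0.2.6", "dst": "203.0.113.10", "proto": "tcp", "dport": 443, "bytes": 3000},
        {"src": "192.0.2.7", "dst": "203.0.113.30", "proto": "udp", "dport": 53, "bytes": 2000},
    ]
    return flood + normal

def summarize(flows):
    """Answer: what is being hit, and how spread out are the senders?"""
    if not flows:
        raise ValueError("no flow records to summarize")
    by_target, by_src = Counter(), Counter()
    for f in flows:
        by_target[(f["dst"], f["proto"], f["dport"])] += f["bytes"]
        by_src[f["src"]] += f["bytes"]
    total = sum(by_src.values())
    target, target_bytes = by_target.most_common(1)[0]
    top10_bytes = sum(b for _, b in by_src.most_common(10))
    return {
        "top_target": target,                      # (host, protocol, port)
        "target_share": target_bytes / total,      # one service or whole network?
        "unique_sources": len(by_src),
        "top10_source_share": top10_bytes / total, # would blocking IPs help?
    }

def recommend(summary, concentrated=0.5):
    """Assumed rule of thumb: IP blocks only help when few sources dominate."""
    if summary["top10_source_share"] >= concentrated:
        return "few heavy sources: source-IP blocking may help"
    return "sources widely spread (possibly spoofed): filter by target/protocol upstream"

if __name__ == "__main__":
    s = summarize(sample_flows())
    print(s)
    print(recommend(s))
```
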

* Not having a plan to test the plan ...

Waiting to try out a DDoS plan in the midst of an attack is probably not the best way to go. This article gives an example, which talks about a popular bank that was hit by a DDoS back in 2012. After verifying that they were indeed under attack, they tried to switch all of their services over to their DDoS mitigation solution. When they flipped the switch their whole network went down. Ummmmm .......... is the look that I can imagine everyone had on their faces. Looks like testing their solution ahead of time might have come in handy.

Michael Bennett, from DDoS Strike, says that not testing the infrastructure and defenses is a common mistake. If you have never seen or been hit by a DDoS attack, how will you know what that kind of attack looks like? You won't know what to do or how to react in that situation. Testing your plan can help to determine where there might be holes or weaknesses, which includes communication between pertinent teams within the organization.

Communication, communication, communication: that is one of the key points that I caught from reading this part of the article. Tabletop exercises would probably be a good place to start. At least it would get the conversation going and open up proper channels between each department within the organization.

* Not becoming close buddies with your ISPs 

It is much easier to have the traffic be blocked further upstream before it even reaches your network. It is much easier to put the protection in place before you need it, and I feel that in the case of a DDoS it is almost inevitable, depending on the type or size of the org, that an attack will happen sooner or later. I would rather have something in place, so that I wouldn't be running around in circles.

So, in conclusion:

  • Plan
  • Test
  • Look outside of the immediate network 



June 17, 2014

AT&T Data Breach Warning

AT&T has notified some of its customer base that their personal information (PII) may have been accessed between April 9 and April 21, 2014 by the employees of one of AT&T's contractors. Some of the information accessed includes: Social Security Numbers, birth dates, and other data. They believe that this information was accessed in an effort to create a passcode that would allow them to unlock AT&T-based phones to be sold on secondary or "black" markets.

They claim that no financial information was stolen, and the employees of the company have been terminated. However, AT&T is urging their customers to change their account passwords as a precaution. One thing that some of you may find interesting is that AT&T has not released the number of people affected by this breach. They are only saying that some customer accounts were affected. I do not know about you, but this does not make me feel very safe, being that I am an AT&T customer myself.

Security experts say that while there was apparently no direct financial effect on customers, the breach is still concerning.

-------

Make sure that, if you are an AT&T customer, you go ahead and change your account password and monitor your account activity, including credit card or other financial payment information.

Source: http://tinyurl.com/ATT-Breach

June 13, 2014

Mitigating BYOD Mistakes with Two-Factor Auth

Duo Security has come out with a rebuttal to The Wall Street Journal's Tech Blog article entitled "5 ways attackers exploit our bad BYOD habits" which listed 5 different ways that BYOD can introduce cyber security issues into an organization.

  • Open wifi networks can be set up by attackers in places such as coffee houses and other public areas and then invite others to join. The main risk to this threat is the stealing of usernames and passwords. Duo Security says that the use of a modern, out-of-band 2-factor authentication solution prevents this from happening by using a separate channel to verify a user's identity.
  • With 2-factor authentication, you can prevent a Man-in-the-Middle attack because the attacker is unable to intercept a push notification sent directly to your cell phone, which would keep you in control of your account. From there, you can change your password and take other precautions to ensure that your account is protected.
  • As many people have used the same password across multiple Web sites and accounts, this could allow a successful attack to be used against multiple accounts. Once one account has been compromised, the attacker will generally try that password on multiple sites. Duo Security claims that using 2-factor auth will make the complexity of the password less important because the attacker will have to get through two levels of authentication versus only having to guess the user's password. Furthermore, the user will receive a notification that 2-factor has been triggered and they will know that someone else is trying to log into one of their accounts.

I think this article makes some pretty good points regarding account security and authentication, but I still feel that stronger unique passwords should be used on every Web site or account, along with 2-factor authentication, where applicable. We do not want to make it too easy for someone to guess one of our passwords. To me, a weak password is only a little better than using a default password or none at all. With Rainbow tables and dictionary attacks, it is much easier for someone to guess a poor password. I have been using the free version of Duo Security two-factor authentication for about 6 months now and I think it works fairly well. The only problem is that I am limited in regards to the number of sites with which it is compatible.

Source: http://tinyurl.com/DuoSec 

June 9, 2014

Helping to Reclaim Our Personal Digital Life

Overview:

OPI is an information security appliance that you can use as your digital information safe. You can store and back up all information and it is encrypted! You can completely control who is able to access your information and you can control where that information is stored, primarily in your home. The super cool thing about this appliance is that it is running Ubuntu Linux! How cool is that!

The creators want to offer an alternative to other cloud services such as Google Drive or Dropbox for those of us that want to take back control of what is already ours, our data.

How It Works:


This is really awesome because you can back up all of your information while staying in complete control of where that information lives. Also, you can access that data anywhere and everywhere that there is an internet connection or, I assume, a data connection. The appliance sits at your home and is connected to your router, just as you would plug a computer or other networked appliance into your internal network.

Currently, a base OPI starts at $119, which isn't that bad. You will get an 8GB memory card and three months of OP's backup service, and if you don't want to continue paying for the service you can back up your documents, photos and other information manually.

To access your data, OPI is compatible with Android phones and tablets, iOS and other Apple devices, desktop clients and through the Web using the OPI Web interface. A cool feature: during setup, OPI gives you the choice to create a unique name so that you can find your device and access data no matter where you are in the world.
All OPIs will be granted names under the domain “op-i.me”, so an example would be to enter testopi.op-i.me to access the device named “testopi”.

What it Will Not Do:

The device isn't a firewall or a router, so it will not route or block traffic and it won't be able to obfuscate your Internet searches or browsing behaviors. What it will do is keep your traffic encrypted at all times and it will encrypt the traffic between the OPI and your phone or computer. Furthermore, if anyone gains physical access to the appliance they will have a difficult time getting to the information because they will not have the password.

Overall, I think this is a really great idea, and it seems like a good product for the general purpose user. Not to mention the full encryption of my data. Great work! The only thing that I am unsure of is whether or not the device is upgradable, or whether I can change the amount of storage when my needs change.

Source: https://www.indiegogo.com/projects/opi-reclaim-your-digital-life

Specs: http://media.openproducts.com/tech_spec.pdf

More In depth: http://openproducts.se/2014/05/06/opi-under-the-hood/