First Response Technical Director, John Douglas, talks about the 2019 Nuix Insider Conference and excitement about the Nuix partner portal.
And it’s still a potential open door for bad actors
Most people who were alive at the time can remember where they were on September 11, 2001, even though it now seems like ancient history. But how many can remember where they were a little more than six weeks later on October 25, 2001?
That date is when Windows XP was released to the public, and nearly 18 years on, incredible as it may seem, it is still in use around the world. Although it may not appear on many desktops, according to one source just under four percent of desktop and laptop computers worldwide are running this antique – in computer terms – operating system. Only three years ago, it was calculated that 90 percent of British NHS trusts were still using XP – and that was over two years after support had been officially withdrawn.
Additionally, variants of this operating system, including an embedded edition, remain in common use around the world in critical applications. To take just one example, the Reserve Bank of India has set banks a deadline of June 2019 for removing XP from one critical application area, more than five years after Microsoft ended support for desktop XP (support for the embedded XP edition ended some two years after that). And the critical application? ATMs, and India is far from the only country where XP is deployed in them. Point of Sale (POS) terminals are another major platform on which XP is still installed, although support for POSReady 2009, an XP SP3 variant, officially continued until April 2019.
What is alarming is that Microsoft has recently released a patch for XP, its first in over two years, warning that “any future malware that exploits this vulnerability could propagate … in a similar way as the WannaCry ransomware attack … swept the globe,” according to Simon Pope, director of incident response at the Microsoft Security Response Center.
Microsoft’s advisory (CVE-2019-0708, since nicknamed BlueKeep) says little beyond the essentials: the flaw is in Remote Desktop Services, is reachable before authentication and needs no user interaction, so anyone who can reach TCP port 3389 on an affected machine can trigger it. Even that much, according to some experts, is enough for bad actors to rediscover the bug and build a worm that spreads across networks without any human intervention. Windows 7, Server 2008 and 2008 R2 are affected, as are the unsupported XP and Server 2003; systems running Windows 8 and above are reportedly not vulnerable.
Though banks are known to pay Microsoft for extended support long after XP’s ‘sell-by’ date, other users of the system may not have the resources to do so. It has been reported that over half of industrial sites still run XP on real-time systems such as industrial process control, or for services that cannot be interrupted, such as in medical institutions, and cannot take the system down to upgrade from XP or even to install a critical patch, even though Wired magazine describes a future attack on XP as “inevitable”. Where patching really is impossible, the practical mitigations are to make Remote Desktop unreachable from untrusted networks (block TCP port 3389 at the perimeter and between network segments, and disable the service where it is not needed) and, on Windows 7 and Server 2008 R2, which support it, to require Network Level Authentication so that an attacker must authenticate before the vulnerable code is reached.
First Response’s technical director, John Douglas, comments, “Running a vulnerable system presents security and reputational risks to the organisation. At First Response, we deal with a wide variety of operational environments, including ‘always on’ systems, and are ready to help and advise on proactive preventative measures, as well as working with our clients on Incident Response Plans to mitigate the effects of any possible cyberattack, and provide a speedy recovery and return to normal operations.”
Messaging service can act as gateway to turn phones into bugging devices
Although this popular messaging service, owned and operated by Facebook, is promoted as secure because every message is encrypted on its journey between users (‘end-to-end encryption’), it turns out that this is only part of the story. End-to-end encryption protects messages in transit; it cannot protect them from malware running on the phone itself, which simply reads them after they have been decrypted for display.
Admitting to a major vulnerability that has been exploited by “an advanced cyber-actor”, WhatsApp has strongly recommended that its 1.5 billion users upgrade to the latest version of the app, which closes the hole through which the malware was installed, though only a “select number” of WhatsApp users are said to have been targeted.
In this instance, the loophole was a buffer overflow in the VOIP stack that WhatsApp uses for voice calls. Facebook’s advisory describes a specially crafted series of SRTCP packets (the control channel that runs alongside the audio) sent to the target’s number: the packets carry more data than the fixed-size buffer set aside for them, so the excess is written into an adjacent area of the phone’s memory where it should never have landed. That excess is not call data at all but the first stage of the spyware. Without going into further detail, the upshot is that a specially tailored WhatsApp call, even one that is never answered, can plant the spyware on the victim’s phone.
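The following simulation is an added illustration of the bug class described above, not WhatsApp’s code or anything from First Response. It models a receiver that copies call data into a fixed-size frame buffer, once trusting the length declared in the packet and once checking it. The two-byte length-prefixed packet format, the 160-byte frame and the call-state field that follows it in memory are assumptions made for the example; memory is a bytearray so that the overrun can be observed safely.

```python
"""Length-unchecked copy of call data into a fixed buffer, beside the hardened form.

Added illustration, not WhatsApp's code.  The wire format (2-byte big-endian
declared length, then payload), the 160-byte frame and the adjacent call-state
field are assumptions; 'memory' is a bytearray so the overrun is visible.
"""
import struct

FRAME_BYTES = 160   # assumed size of one decoded audio frame
STATE_BYTES = 4     # a call-state field assumed to sit right after the frame


class CallMemory:
    """Frame buffer followed immediately by a 32-bit call-state field (value 42)."""

    def __init__(self):
        self.mem = bytearray(FRAME_BYTES + STATE_BYTES)
        self.mem[FRAME_BYTES:] = (42).to_bytes(STATE_BYTES, "big")

    def state(self):
        return int.from_bytes(self.mem[FRAME_BYTES:], "big")


def parse_packet(packet):
    """Split the invented wire format into (declared_length, payload)."""
    if len(packet) < 2:
        raise ValueError("truncated header")
    (declared,) = struct.unpack("!H", packet[:2])
    return declared, packet[2:]


def receive_unchecked(cm, packet):
    """Vulnerable: trusts the declared length and writes that many bytes."""
    declared, payload = parse_packet(packet)
    chunk = payload[:min(declared, len(cm.mem))]  # clamp only so the simulation cannot crash
    cm.mem[0:len(chunk)] = chunk                  # runs past FRAME_BYTES into the state field


def receive_checked(cm, packet):
    """Hardened: the declared length must match what arrived and must fit the frame."""
    declared, payload = parse_packet(packet)
    if declared != len(payload):
        raise ValueError("declared length %d != %d bytes received" % (declared, len(payload)))
    if declared > FRAME_BYTES:
        raise ValueError("payload of %d bytes exceeds %d-byte frame" % (declared, FRAME_BYTES))
    cm.mem[0:declared] = payload


def crafted_packet():
    """Constructed attacker packet: a full frame plus four bytes aimed at the state field."""
    body = b"\xaa" * FRAME_BYTES + b"\xde\xad\xbe\xef"
    return struct.pack("!H", len(body)) + body


def legitimate_packet():
    """Constructed well-formed packet: exactly one frame of audio."""
    body = b"\x7f" * FRAME_BYTES
    return struct.pack("!H", len(body)) + body


def run_simulation():
    """Returns (state after unchecked copy, state after checked copy, was the checked copy rejected)."""
    victim = CallMemory()
    receive_unchecked(victim, crafted_packet())
    hardened = CallMemory()
    try:
        receive_checked(hardened, crafted_packet())
        rejected = False
    except ValueError:
        rejected = True
    return victim.state(), hardened.state(), rejected


def legitimate_call_ok():
    """Both receivers accept a well-formed frame and leave the state field untouched."""
    a, b = CallMemory(), CallMemory()
    receive_unchecked(a, legitimate_packet())
    receive_checked(b, legitimate_packet())
    return a.state() == 42 and b.state() == 42 and a.mem[:FRAME_BYTES] == b.mem[:FRAME_BYTES]


if __name__ == "__main__":
    print(run_simulation())  # (3735928559, 42, True): the state field now reads 0xdeadbeef
```

The unchecked receiver ends with the four attacker bytes sitting in the call-state field; in a real native stack the field overwritten would be a pointer, length or return address rather than a counter, which is how an overflow turns into code execution. The hardened receiver rejects the packet on two independent grounds (declared length versus bytes actually received, and declared length versus buffer size), and both checks are needed: a packet that declares less than it carries is also wrong.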
According to sources, the malware was developed by an Israeli company described as “one of the world’s most invasive software weapon distributors”, and is sold commercially with a reported price tag of under $1 million per deployment. Once NSO Group’s Pegasus has lodged itself in a victim’s phone, it allows a remote operator to access data on that phone, including text messages, photos and location as well as WhatsApp messages, and to switch on the camera and microphone.
The spyware has been used to target human rights activists, including a staffer of Amnesty International, and journalists in the Middle East and elsewhere. The University of Toronto’s Citizen Lab reports that there are 45 countries in which Pegasus has been reported, and six operators of the malware (out of the 36 total operators) have been linked to countries with a history of abusing spyware to target civil society.
Even though statistically your phone is unlikely to have been infected with this spyware, the news should act as a wake-up call to keep apps and operating systems up to date, not only on your phone and other mobile devices, but on your computers and on network equipment such as switches and routers.
First Response’s Security Operations Centre can provide monitoring, and a response to malware infection, and our Incident Response capabilities allow us to identify attack sources and vectors, and help you remediate and protect against future attacks, but ultimately prevention is better than cure.
Please call First Response if you would like our assistance in guarding against cyberattacks, and improving your organisation’s response should such an attack occur.
“The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15” (Facebook)
If you’re not already a target – the odds are that you soon will be
Cybercrime is big business: the average cost to a business of an attack on a UK corporate target in 2019 is about £190,000, according to a recent survey carried out by an insurance company. And in case you imagine that a cyberattack is something that only happens to other people, think again. The same survey revealed that 55% of firms had already faced an attack in 2019, a rise of 15 percentage points on the previous year, and according to the World Economic Forum, “74% of the world’s businesses can expect to be hacked in the coming year”.
The traditional Scout motto of “Be Prepared” would therefore seem an appropriate one to adopt, but UK firms, along with US organisations, don’t appear to be following this advice. They spend less on enhancing cybersecurity than firms in many other countries, and typically nobody has been assigned responsibility in advance for what happens when a breach or incident is detected.
John Douglas, Technical Director at First Response, points out that “very few organisations have the technical skills in-house to deal with sophisticated multi-tier attacks, and often the well-intentioned but clumsy responses by server teams under pressure to resolve the issue will simply tip off the attacker and drive them deeper into the network.”
It also is a mistake, claims the head of Cyber at Hiscox insurance, to feel that one’s organisation will not be targeted. He puts this down to the fact that “we tend to only read about large breaches in the press” and therefore it is generally assumed that only large companies will be targeted by the cybercrooks. This is far from being the case.
Smaller companies are also vulnerable. A ransomware attack on an SME, where vital corporate files are encrypted and a ransom demanded for their decryption, may not bring the attackers as much money as an attack on a major international institution, but it is still a profitable line of business for the criminals, and is probably easier for them to mount.
Attacks may come in many forms, by many different routes, with social engineering or ‘phishing’ emails being a common way of introducing the malware. It is important to be able to recognise these vectors, and to keep all staff aware of them, and to respond appropriately to their occurrence.
At First Response, our experienced team of Incident Response Specialists can work with you to develop a Cyber Incident Response Plan (CIRP). This assigns and develops the roles and responsibilities within your organisation in response to a cyberattack, and works proactively to identify and eliminate any weak spots in your cyber defences. With the introduction of the GDPR, it is also necessary to keep up-to-date, accurate documentation of breach monitoring, detection and reporting (a personal-data breach must be reported to the ICO within 72 hours of your becoming aware of it, unless it is unlikely to pose a risk to individuals), and our teams can help develop and maintain this.
With such a pre-arranged plan, which includes the 24/7 on-call services of your assigned First Response Incident Response specialist, who can provide guidance and advice, the disruption caused by a cyberattack, together with the associated costs, can be greatly reduced, allowing your business or organisation to continue running smoothly.
Call our specialists now to discuss your needs and develop a tailored solution.
Smartphones are a part of everyday life, and they can tell investigators a lot about the actions of both suspects and victims in the period leading up to the event being investigated. Simply having an individual’s details in the contact list may be enough to disprove the claim that “I never knew them”, and the number appearing in the call records or message data is evidence that the two handsets were in contact; who was holding each handset at the time is a separate question the investigator still has to answer.
Conveniently, these artefacts are time-stamped and can be cross-referenced with cell tower records, allowing an investigator to determine the area in which a communication took place. Other data on smartphones may be more precise still: photos taken with location tagging switched on carry GPS coordinates in their EXIF metadata, pinpointing the time and the place at which the phone was used and destroying alibis.
Aware of these facts, those who wish to hide certain data, for example, text messages that threaten violence which might be used as evidence of intent in a criminal trial, or compromising text messages to a co-respondent in divorce proceedings, will often delete these artefacts, assuming that their secrets are now lost for ever.
This, unhappily for them, is not the case. Just as files supposedly deleted from a computer can often be reconstructed and read by investigators, so can data from mobile phones: deleting a message usually removes only the index entry, and the record itself lingers in the app’s database or on the flash storage until it happens to be overwritten. Using specialist tools, the contents of a phone’s memory, including items supposedly safe from prying eyes, can be examined.
Even the contents of phones which are believed to be unreadable, having been dropped in water, smashed with hammers, and so on, can sometimes be extracted, much to the discomfiture of those involved.
First Response offers a service to clients where mobile device data is to be extracted and analysed prior to a court-ready report being provided. Whether the case involves criminal activity, including indecent images or fraud and embezzlement, or a family case such as divorce or custody, our specialists are able to act promptly on court orders to seize suspect devices. In defence cases, thanks to our long experience in such matters, we are often able to produce evidence that the prosecution may have failed to consider when bringing the case, sometimes dismissing the case altogether.
Clients of Canada’s largest cryptocurrency exchange, QuadrigaCX, found themselves locked out of most of the £145 million worth of their assets. The founder, Gerald Cotten, said to be the only person who knew the password to the ‘cold storage’ wallets, apparently died in India in December 2018. The cause given is complications of Crohn’s disease, suffered while he was helping to set up an orphanage.
According to Cotten’s widow, even a technical expert has been unable to recover the password, and hence to unlock the millions of pounds’ worth of cryptocurrency, largely Bitcoin and its variants, in the exchange’s cold storage.
This is not the first controversy linked to QuadrigaCX. Earlier in 2018, some irregularities associated with a payment processor were reported, with $26 million in assets frozen by a bank while these irregularities were resolved.
Partly as a result of this earlier controversy, some, including rival exchanges, have cast doubt on the veracity of reports of Cotten’s death. Movement in and out of QuadrigaCX accounts has allegedly been detected, though it is unclear as to whether this involves cold storage or ‘hot wallets’.
One expert on applied cryptography, Peter Todd, says that “The people trying to pull off a QuadrigaCX exit scam could actually be the family and other employees, by hiding the fact that the cold wallet keys are known”, without claiming that this is actually the case. The owner of another crypto exchange calls the reports of the death and lost keys “bizarre, and frankly unbelievable”.
What lessons can we learn from this?
Other than the fact that cryptocurrencies and their infrastructure are still very much the Wild West in legal terms, there are a couple of important lessons here.
Firstly, cryptography is a two-edged sword. The state of the art in today’s cryptography is such that it is impossible in practical terms to break the encryption if set up correctly. While it is useful for keeping those secrets that you wish to remain hidden, it can also be abused – either by ransomware bandits, who can encrypt your data so that it becomes inaccessible, or used as an excuse for not coming up with the goods – be they bitcoins or other digital assets.
Secondly, and related to the above, a valuable piece of information, such as a key to unlock a digital vault, is too important to be held by one person. On a personal level, it is now possible to create a ‘digital will’ which is the IT equivalent of the envelope marked “To be opened in the event of my death” so beloved of mystery writers.
At an organisational level, a dependency on confidential information being held by one person requires a fall-back in the event of that person being unavailable. It doesn’t have to be as dramatic as death – a system administrator on an off-grid holiday somewhere in the wilds of the Welsh mountains may be a fatal blow to business continuity if the timing is wrong.
Obviously, in the case above, there is a fundamental structural flaw in the way this organisation controlled its keys. It can be avoided through the use of secret sharing, whereby more than one person is needed to unlock a vault, open a file, or otherwise gain access to secured information. At its simplest, this is analogous to the launch control systems used in nuclear missile silos during the Cold War: a launch can only be initiated by two keys being turned simultaneously in two locks spaced so far apart that a single operator cannot do it, so two people have to consent to the launch at the same moment.
In multi-signature terminology, this is a 2-of-2 configuration: two keys exist and both are needed to unlock. The two keys might be held on separate devices, a PC and a mobile phone for example, or be known to two different people. The idea extends naturally. A 2-of-3 configuration needs any two keys from a pool of three, so our Welsh wanderer’s key, though unavailable, is no longer essential and the vault can be opened with the keys held by the CEO and CIO. A 3-of-5 configuration gives a majority vote over jointly held funds, and so on. Two different mechanisms deliver such thresholds, and it pays to know which one you have. A multi-signature wallet holds n independent keys and accepts a transaction only when k of them have signed it. Secret sharing, of which Shamir’s scheme is the standard example, splits a single key into n shares such that any k of them rebuild it while any k-1 reveal nothing about it; the shares have to be reassembled somewhere, so that reconstruction step itself needs protecting. In either case a lost key or share is not a minor inconvenience: once more than n-k holders are gone for good, the rest can never reach the threshold and the assets are as lost as Quadriga’s appear to be.
Back to Canada and QuadrigaCX: earlier in 2018 Cotten claimed that the exchange had implemented multi-signature technology for its cold storage of crypto coins. Given the current situation, that claim, or the report of Cotten’s death, now seems suspicious, unless the scheme was an n-of-n one in which every key, Cotten’s included, was required.
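The following is an added worked example of the threshold idea described above, written for this page; it is not First Response’s or QuadrigaCX’s code. It implements Shamir’s secret sharing over a prime field and walks through the 2-of-3 (administrator, CEO, CIO) and 3-of-5 (board majority) configurations, showing that k shares recover the key and k-1 do not. The ‘vault key’ is a constructed value, and the choice of the Mersenne prime 2^521-1 as the field is an assumption made so that any 256-bit key fits.

```python
"""Shamir's secret sharing over a prime field.

Added example, not First Response's or QuadrigaCX's code.  It splits one vault
key into n shares of which any k reconstruct it (the secret-sharing mechanism,
as opposed to a multi-signature wallet).  The vault key below is constructed.
"""
import secrets

# Mersenne prime 2^521 - 1: large enough that any 256-bit key is a field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial (lowest coefficient first) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n):
    """Split `secret` into n shares, any k of which reconstruct it (k-of-n).

    The secret is the constant term of a random polynomial of degree k-1;
    share i is the point (i, f(i)).  Returns a list of (x, y) tuples.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shares at x = 0, which yields the constant term.

    Give it exactly k distinct shares.  Given fewer, it does not fail: it returns
    a wrong value that is uniformly distributed over the field, which is exactly
    the property that makes k-1 shares worthless to a thief.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def key_holders_scenario():
    """The 2-of-3 and 3-of-5 cases from the text, on a constructed 256-bit key."""
    vault_key = int.from_bytes(b"constructed-256-bit-key-not-real", "big")
    admin, ceo, cio = split_secret(vault_key, k=2, n=3)
    # The administrator is off-grid in Wales, so only two shares are to hand.
    reopened_without_admin = recover_secret([ceo, cio]) == vault_key
    # One share on its own does not reveal the key.
    one_share_enough = recover_secret([cio]) == vault_key
    # A 3-of-5 board: any three directors open the vault, two cannot.
    board = split_secret(vault_key, k=3, n=5)
    majority_ok = recover_secret([board[0], board[2], board[4]]) == vault_key
    minority_ok = recover_secret(board[:2]) == vault_key
    return reopened_without_admin, one_share_enough, majority_ok, minority_ok


if __name__ == "__main__":
    print(key_holders_scenario())  # (True, False, True, False)
```

Two practical points follow from the code. Shares must be distributed over channels as well protected as the key itself, since anyone who collects k of them has the key; and the machine that runs recover_secret briefly holds the whole key, so reconstruction belongs on a trusted, offline device rather than on whichever laptop is nearest.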
How can we help?
At First Response, password security is something we take very seriously. If passwords are poorly managed or carelessly stored, they become the easiest way for your organisation’s networks to be compromised and taken over.
A network’s password system is more than just access to computers. It also comprises switches, routers, dedicated network appliances and the like, as well as Active Directory and Office365 administration passwords – all of which may be reprogrammed by an attacker who has used a compromised weak password to gain administrative rights over your resources, thereby causing damage to your business or operations. Often, the attacker exploits a weakness in procedures, rather than technology; for example, the use of identical, or near-identical, passwords for different devices, or password sharing by admin teams.
We can assist with best password practices, and help you set up a password vault system, tailored to your individual needs which provides security from attacks launched from both inside and outside your organisation, while at the same time providing failsafe and controlled access in cases where the primary key-holder is unavailable.
Call us for details of how we can help to solve password-related issues – before they become a crippling problem.
Troy, 1200BCE (give or take a year). The Greeks have left their camp outside the walls, and in their place is a large wooden horse. Ignoring the cowardly sceptics, the Trojans open the gates, drag this thing inside the city and close and bar the gates. Then it’s party time. Of course, we know what happens next. The horse is full of an advance guard of Greeks, who let themselves out when the party’s at its height, open the gates to the main Greek army and… No more Troy.
The term ‘Trojan horse’ has its place in computer security, as you probably know. An innocuous piece of data or software that when activated, opens the gates to the enemy. Most of these enemies at the gate depend on social engineering to effect their entry, just as the original Trojan horse did (it is believed that the Trojans worshipped Poseidon, who as well as being the god of the seas, was also the god of horses – a large horse would have been an object to be venerated).
It’s impossible to cover every social engineering technique in use, but fake email directed at a particular target (spear phishing) is a common one: the victim is precisely targeted with a message that requests sensitive information, or that invites them to open a particular web site or piece of software, perhaps linked with a hobby or pastime that the victim practises.
Surprisingly, even those people whom you might believe to be sophisticated and immune to these tricks will fall for them. Briefly, there are several major reasons why people fall for them:
- Authority – given an official letterhead, or its electronic equivalent, most people find it easier to believe what is written beneath it (“At HMRC we have received your tax return, and require a few more details before presenting you with the final demand. Please click below to enter these details.”). At the other end of the scale are the classic 419 scams, which continue to attract victims at all levels: the West African princes, bank managers, lawyers and so on who promise millions in unclaimed inheritances, compensation, etc.
- Social acceptance – “Thousands have already taken part in this proven cryptocurrency scheme. You can join them.”
- Commitment – a phish that appeals to a publicly expressed set of ethics is hard to refuse without feeling inconsistent (“We know that you value the goodwill of others. Click here to learn how you can make a difference to the most vulnerable in our society.”).
- Scarcity – “Only 50 more places remain in this once-in-a-lifetime opportunity to join our fund partners.”
- And of course, plain and simple greed.
Of course, many of these tricks will work over the phone or in text messages. But sometimes the social engineering can take place face to face. Here’s a fictional example from a recent novel:
“Want me to give away my trade secrets?” said Leo. “Okay, here’s one example I’ll give you for free. Most offices, at least most banks, anyway, you can only get in with a special card key, or you need to punch in some sort of access code. Keeps the bad guys out, right?”
“Right,” said Nick.
“Except it doesn’t, of course. Wear the right sort of clothes, and hang around the entrance looking lost. Say to the next person who comes along that you just nipped out to the toilet or for a cup of coffee, and you left your card on your desk. You’re new here, and you haven’t learned the tricks of the new office yet. They take pity on you, let you into the office, they turn left, you turn right, and you’re in. Everyone just thinks you’re new, and from another department.”
“That doesn’t get you into the computers, though,” objected Bobby.
“Aha. Phase two. Find out where the help desk is, if you don’t know already. Wait till there’s no-one there. There’s always going to be a few minutes when they’re doing desk-side support or having lunch or something. Then you use their internal phone and say something like, ‘Help desk here, we’re having problems with the mail system. Can you just give us your password so we can check the mail queue?’ The internal extension on their desk shows them that the call’s coming from the help desk number, so it has to be legit, right? And then you’re in like Flynn.”
“Sounds far too simple. I can’t believe that would ever work.”
“Believe me, it works.”
Make sure you keep the Trojan horses out of your organisation by educating and re-educating your staff on how to recognise phishing traps and scams (several security vendors offer anti-phishing training and simulated phishing campaigns for organisations), by blocking suspect sites, and by establishing responsibility and procedures to deal with any possible breach. The help-desk ruse in the passage above works only because the internal extension number is trusted; the defence is a standing rule that support staff never ask for a password, so that any such request is reported rather than answered.
First Response can help you develop an internal capability with a CIRP (Cyber Incident Response Plan) – which also includes post-incident support and analysis from your personal Incident Response Specialist.
If you were trying to fly out of Gatwick for your Christmas holiday in late December, you have our sympathy. One of the world’s busiest airports was disrupted by a toy helicopter – or something. The jury still seems to be out on who or what caused this chaos.
Drones make the headlines at reasonably regular intervals – and we see pictures taken from them on our TV screens often enough. If a producer wants an aerial shot, it’s much easier (and cheaper) to hire a drone and operator than to charter a helicopter. The cameras on drones are often of very high quality, and are almost as controllable as one held and operated by a cameraman. The drone is much less disruptive than a helicopter, in terms of noise and almost everything else.
These qualities have also endeared drones to criminals, who use them to fly drugs and miniature ‘burner phones’ into prisons. Standing outside the walls, the dealer guides the drone, loaded with its illegal and highly valuable cargo, to a specific cell window, where it is hooked inside and unloaded; the ‘return home’ function then flies it back automatically into the waiting arms of its owner, who may clear tens of thousands of pounds in profit from a single flight.
Making the links
Happily, once there’s a basic lead, it’s reasonably easy to put together a sturdy chain of evidence that will help to convict the drone operators. The majority of drones contain a camera, which records the flight on a memory card. One of the first things that anyone does with a new toy, such as a drone, is to have a play with it, and several crooks have had their features clearly captured on video by their own drones, as they fly them from their homes, as they get used to operating them.
Drones also usually contain a GPS receiver and log their flight path. With time and date stamps, it can be shown that a drone was in a certain place at a certain time. When that log is linked to a mobile phone’s cell tower and GPS data, the likelihood that a particular person was operating the drone increases. Add CCTV or number-plate recognition images of a vehicle, and the net is tightened further.
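The following is an added example of the kind of cross-referencing just described, written for this page and not First Response’s tooling. It joins a drone’s GPS log to phone location records and ANPR camera hits by time and distance, counting for each phone number or plate how many independent sightings place it near the drone. All three logs are constructed for the example (the phone numbers are from the Ofcom drama range and the plates are invented), and the CSV layouts, the five-minute window and the 250 m radius are assumptions.

```python
"""Correlating drone telemetry with phone location records and ANPR hits.

Added example, not First Response's tooling.  The three logs are constructed;
the CSV layouts, time window and radius are assumptions for the example.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Drone flight log: timestamp, latitude, longitude  (constructed)
DRONE_LOG = """\
2019-03-02T22:14:05Z,51.4980,-0.1215
2019-03-02T22:15:10Z,51.4992,-0.1230
2019-03-02T22:16:40Z,51.5001,-0.1244
"""

# Phone location records: timestamp, number, latitude, longitude  (constructed)
PHONE_LOG = """\
2019-03-02T22:13:50Z,07700900123,51.4978,-0.1219
2019-03-02T22:16:30Z,07700900123,51.4979,-0.1217
2019-03-02T21:02:00Z,07700900456,51.4985,-0.1210
"""

# ANPR camera hits: timestamp, plate, latitude, longitude  (constructed)
ANPR_LOG = """\
2019-03-02T22:11:30Z,AB12CDE,51.4976,-0.1222
2019-03-02T23:40:00Z,ZZ99ZZZ,51.5400,-0.0800
"""


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * r * asin(sqrt(a))


def parse_log(text, fields):
    """Parse CSV lines into dicts; 't' becomes a datetime and lat/lon become floats."""
    rows = []
    for line in text.strip().splitlines():
        rec = dict(zip(fields, line.split(",")))
        rec["t"] = datetime.strptime(rec["t"], "%Y-%m-%dT%H:%M:%SZ")
        rec["lat"], rec["lon"] = float(rec["lat"]), float(rec["lon"])
        rows.append(rec)
    return rows


def correlate(drone_fixes, records, key, window_s=300, radius_m=250):
    """Count, per subject (phone number or plate), the records that fall within
    window_s seconds and radius_m metres of any drone fix.

    A record is counted once even if several drone fixes are close to it, so the
    figure is 'how many independent sightings place this subject with the drone'.
    """
    seen = {}
    for fix in drone_fixes:
        for rec in records:
            close_in_time = abs((rec["t"] - fix["t"]).total_seconds()) <= window_s
            if close_in_time and haversine_m(fix["lat"], fix["lon"], rec["lat"], rec["lon"]) <= radius_m:
                seen.setdefault(rec[key], set()).add(rec["t"])
    return {subject: len(times) for subject, times in seen.items()}


def link_evidence():
    """Returns ({number: sightings}, {plate: sightings}) for the constructed logs."""
    drone = parse_log(DRONE_LOG, ["t", "lat", "lon"])
    phones = parse_log(PHONE_LOG, ["t", "number", "lat", "lon"])
    plates = parse_log(ANPR_LOG, ["t", "plate", "lat", "lon"])
    return correlate(drone, phones, "number"), correlate(drone, plates, "plate")


if __name__ == "__main__":
    print(link_evidence())  # ({'07700900123': 2}, {'AB12CDE': 1})
```

The second phone number and the second plate never appear in the output: one was in the right place an hour too early, the other was miles away, and a join that only matched on location or only on time would have swept both in. Real cell-tower records are far coarser than GPS fixes, so the radius used for them should be the tower’s coverage, not 250 m.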
First Response specialises in linking evidence from different sources in this way, to provide a coherent and complete picture of the events surrounding an incident, and presenting this information in such a way that it can be used in Court as evidence. State-of-the-art analytical software allows the discovery and presentation of links within terabytes of data to be completed within hours rather than weeks. If necessary, we can provide experienced expert witnesses to give evidence in Court and provide clear explanations of how the results were obtained.
Such digital forensic skills can be employed not just in criminal, but in family, civil, and corporate cases, where the ‘paper trail’ has gone cold, and the evidence resides in a number of different digital repositories. If you think that First Response’s skills can benefit you (or your clients), please get in touch so we determine how we can best assist you.
A story has recently surfaced from Bloomberg about the supposed discovery of tiny ‘spy chips’ installed on servers built by an American firm, Super Micro Computer (Supermicro), which sells to large, publicly visible customers such as Apple and Amazon, as well as lower-profile customers such as the US Department of Defense, the CIA and the US Navy.
According to these reports, which have been denied by Apple, Amazon and Supermicro itself, these tiny chips are capable of modifying the servers’ operating system and allowing the servers to ‘phone home’ for further instructions. The existence of this alleged hardware hack has stunned many security experts, one of whom is quoted as saying “having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow”.
Whether or not a unicorn did ever actually jump over any rainbows is still in dispute, but what is interesting is the methodology that US intelligence agencies and a Canadian security firm are reported to have used to trace the provenance of this hack.
As background, the servers in question were produced for a firm called Elemental Technologies, that creates video compression servers for, among others, Amazon, the CIA, the Church of Latter Day Saints (Mormons), and the adult film industry. The company producing them is Supermicro. However, Supermicro does not actually make these servers, but subcontracts the manufacture to fabrication plants: and the motherboards, on which the hacks are said to have been installed, are almost all created in China.
However, the fabrication plants producing the motherboards often run out of capacity, according to the article in which the story first surfaced, and pass the work on to other companies. Four such sub-subcontractors were identified from the serial numbers of the suspect motherboards, and from there more information was gathered from communications intercepts, from tracking the phones and phone records of key players, and from human sources.
It is reported that these firms were approached by individuals who claimed to represent either Supermicro or the Chinese government, who used threats and bribes to force changes to be made to the motherboard design incorporating the spy chips. These individuals are believed to be part of a special unit of the Chinese People’s Liberation Army specialising in hardware attacks.
How does this affect you?
Happily, it is extremely unlikely that your business will be affected by this alleged act of espionage, even if it does turn out to be true. However, hacking and data theft, implemented by simpler and less complex means, do occur on a regular basis, and catching the perpetrators is not always straightforward.
It often relies on a ‘join-the-dots’ technique, searching through gigabytes or more of data to identify and create connections, which lead to the identification of those involved in the data breach or cyberattack.
First Response is experienced in using the world’s most advanced forensic tools to help organisations track down the methods and the sources of such attacks, and to set up defences against future attacks.
Of course, prevention is always better than cure, and First Response is happy to work with you to create a Cyber Incident Response Plan which allows you to work together with us to prevent successful cyberattacks, and to mitigate the damage in the event that such an attack does take place.
Insurance is a must to mitigate many business risks. Fire, flood, employee liability, and so on. One of the newer risks is cybercrime. Banks and other financial institutions make tempting targets for cybercriminals, who can walk away with millions, unnoticed until it’s too late.
Cyber insurance products form a bright spot in an otherwise dull insurance market. Managers are starting to recognise the risks, and take out policies, believing the company to be covered. However, it doesn’t always work the way they expected.
As one example, a US bank lost $2.4 million to cybercrime in two incidents (May 2016 and January 2017), and its insurer paid out – but only a mere $50,000.
The hackers had used phishing to plant malware on the bank’s servers, stolen user names and passwords, and then, on two separate occasions, stolen over $2 million through fraudulent ATM transactions. The insurer classified both incidents as a single event, and as falling under the debit-card rider (maximum claim $50,000, with a $25,000 excess) rather than the $8 million cybercrime cover with its $125,000 excess, since the cybercrime rider specifically excluded any card- or ATM-related losses. The lesson is to read a policy’s exclusions against the attacks you actually expect, not just its headline limit.
It is not only the direct losses that cost money. Houston City Council in Texas, for example, has recently taken out a cybercrime policy that takes consequential costs into account. It covers not only the cost of recovering lost data, but also the cost of a crisis response, including investigations, and of legal claims that may arise as a result of such cyberattacks, with a total maximum payout of $30 million. Such a comprehensive policy should make it easier for the organisation to survive a cyberattack.
When insurance is not enough
Of course, the best plan is not to rely solely on insurance, but to formulate a Cyber Incident Response Plan (CIRP) which will (a) make it more difficult for the cybercriminals to attack successfully, and (b) if a malicious threat actor does slip through your defences, let your organisation respond effectively and promptly with minimum impact.
Partnering with specialists such as First Response not only allows you to create your CIRP and to define recovery procedures and set roles and responsibilities, but also to maintain full compliance with GDPR – and in the event that a breach does occur, your personal Incident Response specialist will be available to advise and help, by determining how the breach occurred, what, if any data has been stolen and what needs to be done to repair and prevent any kind of reoccurrence.
And who knows, it may even reduce your insurance premiums.