TORONTO – The first day of the annual SecTor security conference was filled with presentations on what to do — and not to do — to enhance enterprise protection. Here’s a synopsis of a few of them:
It was an unexpected, but most deserved reward, the executive must have thought: A new iPad tablet.
It arrived by courier with a note congratulating him for his team’s good work in the last quarter. So he eagerly unwrapped it and began entering personal data.
But the tablet wasn’t from his employer. It was a hacked device from a penetration testing team from Fortinet Inc. the company had hired to test staff’s defences.
The story was one of several told by Aamir Lakhani, a Fortinet senior security strategist, at the annual SecTor security conference in Toronto. His point was that attackers will do anything to get into the enterprise, so IT security pros should be prepared.
For another test Foritnet rigged an iPhone with hacking software and an external battery network, then couriered the device to a company, where the box sat unclaimed in the mailroom for a time. Meanwhile the Fortnet team hacked into its wireless network.
“There are two types of companies,” he said. “those who have been hacked and those who don’t know they’ve been hacked.”
How imaginative are attackers? They’ve been known to put a mini Linux server with a hidden cellular radio for network hacking into surge protectors . When someone plugs a PC or printer into the Ethernet jack, it’s on the network.
There’s the “Pineapple Express,” a box that looks like a regular Wi-Fi access point which hunts for any device with range and impersonates any network being sought — including accepting security credentials. After that it can be used by an attacker to launch any number of network attacks.
It’s sold on the Internet for $99, Lakhani pointed out. [Editor’s note: One company says it’s to be used “for audit and penetration testing” …]. It’s one of a number of things security pros can learn for defensive measures if they hunt the Internet, or its underbelly, the so-called Dark Web.
The Dark Web is a parallel network, accessed through Tor and similar tools, largely used by criminals and state actors to buy and sell stolen data and attacking technologies — everything from fake PayPal accounts to hit men, Lakhani. One Web site lets anyone spoof the caller or device ID for phone calls or SMS messages, he said, disguising the source.
That leaves the attacker free, for example, to send a message with a phone number that goes offshore. When an unsuspecting person dials the number, they’re charged $1,500.
Lakhani’s lesson is that security pros need to educate staff about looking for and reporting phishing attacks — and that if a gift looks too good to be true, it probably is.
Amol Sarwate of Qualsys gave a good presentation on how the data held by magnetic stripes on the back of credit and debit cards is temporarily held unencrypted in the RAM of point of sale devices. where it can then be drained by malware — as executives of Target and other U.S. retailers in the last 12 months have found to their dismay.
Such attacks haven’t been reported here, presumably because Canadian card issuers have recently added the more secure encrypted data chips to their cards. Are these cards safer? Yes said Sarwate — but some card makers still include mag stripes on the back for retailers who don’t have chip reading devices. Swipe those cards and the chip’s protection is useless.
I pulled out three cards in my wallet: All had chips, all had mag stripes.
Lesson to consumers: If the retailer doesn’t have a chip reader, no sale.
There’s one relatively cheap defence enterprises could mount to the increasing number of cyber attacks: Share information. Unfortunately, said William Peteroy, co-founder of a security starup in stealth mode called Icebrg Inc., few organizations and vendors are so generous.
Which is too bad, he told an audience, because despite all the advantages attackers have information sharing is one that defenders could use.
“Its one of the key problems,” he said in an interview.
For some advanced attacks defenders have only a short time between penetration and exploitation, he said. The faster word gets out about these attacks the better.
There are some mailing lists used by IT pros, he said, and they can be effective. “However they’re still sharing predominantly by email.”
It’s akin to making espresso in a machine by hand or automatically he said . “We need to go to superautomatic. But we’re so far from that now. Most vendors are hoarding information … It’s something collectively we as an industry need to do better, and there needs to be better technology to facilitate it.”