Sridhar

Multi-Factor Authentication not very secure

Week 2, November, 2019

Let us discover what we can learn in cyber security this week:

Insider Threats

Two news items this week highlight the tricky nature of insider threats.

The Incidents

Trend Micro has revealed a “security incident” in which a former employee stole the personal data of 120,000 customers. In the other case, Saudi Arabia bribed two Twitter employees to access confidential information about Twitter users as a spying exercise.
Together, the two cases demonstrate a key tenet of security: every security measure you implement is only as good as the people using the systems.

The Threat

Consider it. It is far easier, and more effective, to bribe someone who already has privileged access to get you the information you want (I daresay it would ultimately be cheaper too). In a similar vein, it is easier to hire away an employee who carries your confidential information than to go through the complex process of hacking your systems and exfiltrating it. And for the organization doing the hiring it has the added benefit of not taking on the legal risk of an intrusion; that risk falls largely on the employee, as the Waymo-Uber case amply demonstrates.

The Learning

While a lot of security advisers will tell you how to set up processes, security policies and technical gates to ‘prevent’ insider threats, I think the answer lies in how well you understand your employees. At the end of the day, you have to trust them with the information in order for them to do their jobs. It is also inevitable that a few of them go bad, however well you treat them. After all, it is easy enough to build leverage on a person, or to play on their greed.
The problem is how to understand what their ‘normal’ behaviour is and catch anomalous behaviour when it does happen. It is not possible, ethical or even legal to watch every action of your employees and intervene when they seem off. (It is called ‘stalking’ if you do it!)
One necessary step is to log all activity of everybody on your systems, without fail and immutably, so that the record itself cannot be edited by the very insider you are worried about. Once you have that, there are plenty of AI / ML tools that can highlight anomalies against each user's own baseline. Without that, you have nothing. Over time, you can tune the tool to highlight only the salient anomalies.
Understanding what your employees are up to is one of the most important aspects of security. Do not skip the first step in doing that.

– Sridhar Parthasarathy, CEO, Purple Team(Https://www.purpleteam.in)
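
The two steps above, immutable logging and a per-user baseline, as an added example written for this page (not the author's tooling and not any particular product): the audit records below are constructed, and the field names, the seven-day baseline window and the thresholds are assumptions. The hash chain makes an edited or deleted entry detectable; the baseline check flags the pattern both incidents share, an account that normally touches a few dozen records suddenly pulling a whole customer table.

```python
"""Added example: a tamper-evident audit log and a per-user baseline check.

Written for this page as an illustration; not the author's tooling or a
product. The audit records are constructed, and the field names, the
seven-day baseline and the thresholds are assumptions.
"""
import hashlib
import json
import statistics
from collections import defaultdict

GENESIS = "0" * 64


def append_record(chain, record):
    """Append a record whose hash also covers the previous entry's hash, so
    editing or deleting any earlier entry breaks every hash after it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(record, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    chain.append({"record": dict(record), "prev": prev, "hash": digest})
    return digest


def build_chain(records):
    chain = []
    for r in records:
        append_record(chain, r)
    return chain


def verify_chain(chain):
    """Return the index of the first entry that fails verification, or -1."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return -1


def daily_export_volumes(records):
    """Rows exported per user per day (logins and other actions are ignored)."""
    volumes = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["action"] == "export":
            volumes[r["user"]][r["day"]] += r["rows"]
    return volumes


def flag_anomalies(records, baseline_days, min_ratio=5.0):
    """Flag (user, day, rows, baseline_mean) where a user's export volume on a
    day outside the baseline exceeds both min_ratio times their own mean and
    mean + 3 standard deviations. A user with no baseline activity at all is
    flagged on any export, which is the behaviour we want."""
    flagged = []
    for user, per_day in daily_export_volumes(records).items():
        base = [per_day.get(d, 0) for d in baseline_days]
        mean, stdev = statistics.mean(base), statistics.pstdev(base)
        for day, rows in per_day.items():
            if day in baseline_days:
                continue
            if rows > max(min_ratio * mean, mean + 3 * stdev):
                flagged.append((user, day, rows, round(mean, 1)))
    return flagged


# Constructed records: two support staff, a seven-day baseline, then one
# day on which "bob" pulls a customer table that dwarfs his normal volume.
BASELINE_DAYS = [f"2019-11-{d:02d}" for d in range(1, 8)]
SAMPLE_RECORDS = []
for i, day in enumerate(BASELINE_DAYS):
    SAMPLE_RECORDS.append({"user": "alice", "day": day, "action": "export", "rows": 40 + i})
    SAMPLE_RECORDS.append({"user": "bob", "day": day, "action": "export", "rows": 55 - i})
SAMPLE_RECORDS += [
    {"user": "alice", "day": "2019-11-08", "action": "export", "rows": 48},
    {"user": "bob", "day": "2019-11-08", "action": "export", "rows": 120000},
    {"user": "bob", "day": "2019-11-08", "action": "login", "rows": 0},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("chain intact:", verify_chain(chain) == -1)
    chain[15]["record"]["rows"] = 50          # bob quietly "corrects" his own entry
    print("first broken entry:", verify_chain(chain))
    print("anomalies:", flag_anomalies(SAMPLE_RECORDS, BASELINE_DAYS))
```

In practice the chain head would be anchored somewhere the insider cannot reach (a write-once store or an external timestamping service), and the baseline would be computed per role as well as per user; the thresholds here are deliberately crude so the logic stays visible.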

Learning News this Week

The FBI has put out a public service announcement about a scam that, by the FBI's estimates, has cost companies $26 billion. The FBI calls it BEC (Business Email Compromise). Essentially, the attacker tricks the organization into transferring money to the wrong account by sending instructions from what appears to be the legitimate email address of the person who would normally send them. For example, it could look like a mail from the CEO asking for a sum to be transferred to close a deal, or from a vendor changing their payment instructions.

Learning

BEC is different from regular phishing mails in that it is targeted and requires a detailed understanding of your processes and of the identity of the purported sender. You need to ensure that the people processing payments are first aware of this scam. You then need to train them to validate any instruction to change payment details out of band; these mails are crafted to look genuine to all but the most sceptical reader. And finally, you need to ensure that no one ever suffers any blowback for holding up a payment in order to verify it. The full list of recommendations from the FBI:

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Don’t supply login credentials or PII in response to any emails.
  • Monitor financial accounts regularly.
  • Keep all software patches on and all systems updated.
  • Verify the email address used.
  • Ensure that full email extensions are viewed.

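Several of the FBI's points (verify the address, watch for misspelt domains, check where links really go) can be turned into a mechanical first pass before a human picks up the phone. The following is an added example written for this page, not an FBI tool and not part of the original article: the two messages and the trusted-domain list are constructed, and the checks, thresholds and wording of the findings are assumptions.

```python
"""Added example: first-pass checks on an inbound payment-change email.

Written for this page as an illustration; not an FBI tool and not part of
the original article. The two messages and the trusted-domain list are
constructed. The checks follow the FBI list: does the display name match
the address, does Reply-To point elsewhere, is the sender or any link host
a lookalike of a domain you trust, and does the mail ask to change where
money goes.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}       # constructed
LINK_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")
PAYMENT_RE = re.compile(r"\b(new|updated|changed?)\s+(bank|account|payment|wire)", re.I)


def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 against a trusted domain means a lookalike
    (acrne for acme, a dropped or doubled letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is
    trusted, a subdomain of a trusted domain, or unrelated."""
    domain = domain.lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return None
    for t in trusted:
        # Near-miss spelling, or the trusted name buried inside a longer host
        if edit_distance(domain, t) <= 2 or t.split(".")[0] in domain:
            return t
    return None


def check_message(raw):
    """Return a list of human-readable findings for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    shown = EMAIL_RE.search(name)
    if shown and shown.group().rpartition("@")[2].lower() != from_domain:
        findings.append(f"display name shows {shown.group()} but the mail is from {addr}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply} does not match the From domain {from_domain}")
    hit = lookalike_of(from_domain)
    if hit:
        findings.append(f"sender domain {from_domain} looks like {hit}")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    for url in LINK_RE.findall(body):
        host = urlparse(url).hostname or ""
        hit = lookalike_of(host)
        if hit:
            findings.append(f"link host {host} looks like {hit}")
    if PAYMENT_RE.search(body):
        findings.append("asks to change payment details: confirm by phone on a number you already have")
    return findings


# Constructed messages: one typical BEC attempt, one routine vendor mail.
SAMPLE_MAIL = """\
From: "Priya Nair <priya.nair@acme-supplies.com>" <accounts@acrne-supplies.com>
Reply-To: priya.nair.acme@mail-relay.biz
To: payables@example.com
Subject: Updated bank details for invoice 4471
Content-Type: text/plain; charset=utf-8

Hi, please note our updated bank account for all future payments.
Confirm at https://acme-supplies.com.invoice-portal.biz/confirm before Friday.
Regards, Priya
"""

CLEAN_MAIL = """\
From: Priya Nair <priya.nair@acme-supplies.com>
To: payables@example.com
Subject: Invoice 4471
Content-Type: text/plain; charset=utf-8

Hi, invoice 4471 is attached as usual. Regards, Priya
"""

if __name__ == "__main__":
    for label, mail in (("suspicious", SAMPLE_MAIL), ("clean", CLEAN_MAIL)):
        print(label, check_message(mail) or ["no findings"])
```

None of these findings proves fraud on its own; what they buy you is a mail that lands in the payments queue already marked "verify before acting", which is the process control the FBI list is really asking for.
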
So you have found out that you have been infected by ransomware, as seems to be the norm these days. What do you do next?

Here’s what 1,180 adult individuals did:

  • Restarted the computer: 30%
  • Used an online tool: 18%
  • Restored from backup: 22%
  • Removed it: 13%
  • Reformatted the computer: 5%
  • Removed it using AV: 5%
  • Paid the ransom: 4%
  • Other: 3%
What should you do next?

Learning

First thing to remember: do not reboot your computer. A reboot can let a ransomware process that had stalled or been interrupted finish the job. Typically, recovering from a ransomware attack means doing two things. The first is finding the ransomware's artifacts, such as its running processes and boot persistence mechanisms, and removing them from the infected host.
The second is restoring the data, if a backup is available. If the first step is not completed, rebooting the computer can restart the ransomware's process and end up encrypting the freshly restored files.
So, your best bet is to disconnect the computer from the network and then hibernate it rather than shut it down. Hibernation writes a copy of memory to disk, and some shoddy ransomware strains leave copies of their encryption keys in memory, which an analyst may be able to recover.
Call for expert help immediately after that, instead of trying to restore your backup yourself.
To learn more about dealing with ransomware attacks, you can check out the Emsisoft guide on how to remove ransomware and Coveware’s first response guide on dealing with a ransomware attack.
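
Why hibernating rather than powering off matters is worth seeing concretely. The block below is an added example written for this page, not code from the guides linked above: it applies the well-known key-schedule search (the approach behind tools such as aeskeyfind) to a constructed "memory image". Any AES implementation that caches its expanded key leaves the 176-byte AES-128 schedule in memory, and a 16-byte window is a key candidate when the bytes that follow it equal its own expanded round keys. The image, its filler and the key offset are constructed; the embedded key is the FIPS-197 Appendix A example key.

```python
"""Added example: searching a memory image for AES-128 key schedules.

Written for this page as an illustration, not from the guides it links.
A 16-byte window is a key candidate if the 16 bytes after it equal its
first expanded round key (and the next 16 its second), which is what an
AES implementation leaves behind when it caches the expanded key. The
"memory image" is constructed; the key is the FIPS-197 A.1 example key.
"""
import hashlib


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse, then the affine map."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv, base, e = 1, x, 254          # x^254 == x^-1 in GF(2^8)
            while e:
                if e & 1:
                    inv = _gf_mul(inv, base)
                base = _gf_mul(base, base)
                e >>= 1
        s = inv
        for i in range(1, 5):                 # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def next_round_key(prev, rcon):
    """Expand one AES-128 round key from the previous one (FIPS-197 5.2)."""
    words = [prev[i:i + 4] for i in range(0, 16, 4)]
    t = words[3][1:] + words[3][:1]                 # RotWord
    t = bytes(SBOX[b] for b in t)                   # SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]                # XOR Rcon
    out = b""
    for w in words:                                 # w[i] = w[i-4] ^ w[i-1]
        t = bytes(a ^ b for a, b in zip(w, t))
        out += t
    return out


def expand_key(key):
    """Full AES-128 key schedule: 11 round keys, 176 bytes."""
    schedule = rk = bytes(key)
    for rcon in RCON:
        rk = next_round_key(rk, rcon)
        schedule += rk
    return schedule


def find_aes128_keys(image, rounds_to_check=2):
    """Return (offset, key) pairs whose following bytes match the expanded
    schedule. Two matching rounds make a chance hit vanishingly unlikely."""
    hits = []
    for off in range(len(image) - 16 * (rounds_to_check + 1) + 1):
        rk, ok = image[off:off + 16], True
        for r in range(rounds_to_check):
            rk = next_round_key(rk, RCON[r])
            start = off + 16 * (r + 1)
            if image[start:start + 16] != rk:
                ok = False
                break
        if ok:
            hits.append((off, image[off:off + 16]))
    return hits


def build_sample_image(key, total=4096, key_offset=1500):
    """Constructed 'memory image': deterministic filler with a schedule inside."""
    filler = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(total // 32))
    schedule = expand_key(key)
    return filler[:key_offset] + schedule + filler[key_offset + len(schedule):]


FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 example key

if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_image(FIPS_KEY)):
        print(f"AES-128 key schedule at offset {off}: {key.hex()}")
```

Against a real hibernation file you would run this over the decompressed memory pages, and extend it to AES-256 (a 240-byte schedule) and to whatever wrapping the strain uses for the per-file keys; the point is that the keys exist only while the process's memory survives, which a clean shutdown destroys.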

Interesting News

Cybersecurity for women
The Indian Police Service and a group of IT professionals have launched a site, https://cybersafegirl.com/, that educates women on how to stay safe in the cyber world and, if they do get into trouble, what to do about it. A free e-booklet can be downloaded from the site.

What is a good password?

Is a password that even you can't remember a good one? “Not really,” say the experts.
Passwords you cannot remember lead you to reuse passwords, which means that a hacker who cracks one account can get into several.
Shift to passphrases. Turn on two-factor authentication. Install a good password manager.
IoT Security
IoT is setting the world ablaze with its myriad use cases. One forecast predicts that there will be almost 41.6 billion connected things in 2025, generating 79.4 zettabytes of data. However, the same use cases expand the attack surface and enable novel attacks to materialize.
Technopedia has aggregated various experts' views on how this threat can be handled and the risk limited.
Cybersecurity Excuse Generator
As we have been saying, it is inevitable that you will get attacked. When that does happen, how do you tell the world that you got hacked?
The site linked above comes to your rescue and gives you plenty of tongue-in-cheek excuses you can use.
Strictly for recreational use!

Amazon Echo, Google Home Laser Hackable

Researchers discovered that precisely modulated lasers could silently send “voice” commands to smart speakers from hundreds of feet away. The attack also worked on smartphones and on an iPad, but only at short distances.

How can you defend yourself if this starts happening in real life? The best bet is to make sure your Amazon Echo, Google Home, Facebook Portal, Amazon Fire TV Cube and other smart speakers are not facing windows.

Pwn2Own

Pwn2Own is a hacking contest held twice a year, at the CanSecWest conference in Vancouver and at PacSec in Tokyo. Contestants are challenged to exploit widely used software and devices using previously unknown vulnerabilities. This year's Tokyo contest was won by Team Fluoroacetate (researchers Amat Cama and Richard Zhu), who took home the Master of Pwn title for the third time in a row. Amazon, Sony, Xiaomi and Samsung devices were successfully hacked this year.
The highlights of Day 1 and Day 2 are linked.

Advisory on Holidays, Phishing & Malware
As this holiday season approaches, the Cybersecurity and Infrastructure Security Agency (CISA) encourages users to be aware of potential holiday scams and malicious cyber campaigns, particularly when browsing or shopping online. A few dos and don'ts from CISA!

Threat Intelligence

How to protect your data in AWS ?

Amazon Web Services emerged in 2018 as the dominant player in the cloud market, with its growth continuing at a significant rate: AWS CEO Andy Jassy noted in July 2018 that the cloud business had grown revenue by 49% in the second quarter. That growth points to a bright 2019 for AWS and keeps it a cut above its market rivals Google and Microsoft. AWS is a cloud platform run by Amazon that provides compute, data storage, content delivery and many other services that let businesses of every size scale and grow.

Every now and then we come across headlines about data breaches, a reminder that it is of paramount importance to protect data on cloud platforms like AWS. So the million-dollar question: how do you secure your data in AWS?

Data Protection

Securing data is a crucial part of architecting a system and involves a set of practices that together reduce risk. In plain terms, data classification is the act of categorizing data by how sensitive it is, and data encryption thwarts unwanted access to the sensitive data. Both are pivotal in deterring data breaches. On AWS, data protection rests on the following approaches.

Data Classification

This step classifies data according to its sensitivity. Here, it is important to know the types of data you hold, where the data is located, who has access to it, and how it is protected. AWS lets you map controls, access levels and the required protection to each data type. The best strategy for classification balances access against protection: over-classifying everything makes the controls unworkable, while under-classifying leaves sensitive data exposed.

Data Encryption

Encryption in AWS prevents unwanted access to sensitive data, since the content can only be read by whoever holds the key. With AWS you define the encryption for each service, which in turn protects the content against unauthorized access. AWS KMS (Key Management Service) lets you create, control and audit the encryption keys, and it integrates with the other AWS services.

Securing the Data at Rest

Data at rest is where the bulk of the exposure is, so securing it is imperative. AWS offers several features for this: KMS keys encrypt content, Amazon S3 encrypts objects with a KMS key chosen at upload time (or by default, if the bucket is configured that way), and Amazon RDS lets you encrypt a database by selecting a key for the data at rest.

Protecting the Data in Transit

AWS services expose HTTPS (TLS) endpoints, which protect data while it is being transferred from one system to another. You should require TLS for every call and reject plaintext HTTP, rather than merely making it available.
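
The at-rest and in-transit controls above can be enforced on an S3 bucket rather than left to each client. What follows is an added example written for this page, not an AWS sample or library: it builds a bucket policy that denies plaintext HTTP, denies uploads that are not encrypted with SSE-KMS, and denies uploads that use a key other than the one you manage, then runs a small evaluator over constructed requests to show which ones the policy refuses. The bucket name, account id and key ARN are placeholders; the evaluator models only the explicit Deny statements in this policy (the Bool, Null and StringNotEquals operators) and assumes, as the conservative reading, that StringNotEquals on a key absent from the request counts as "not equal". It is not the full IAM evaluation logic.

```python
"""Added example: an S3 bucket policy for the at-rest and in-transit
controls described above, plus a small evaluator showing what it denies.

Written for this page as an illustration; not an AWS sample or library.
The bucket name, account id and key ARN are placeholders. The evaluator
models only the explicit Deny statements in this policy (Bool, Null and
StringNotEquals) and, as the conservative reading, treats StringNotEquals
on a key absent from the request as a match; it is not the full IAM logic.
"""
import json

BUCKET = "example-payments-data"                                   # placeholder
KEY_ARN = "arn:aws:kms:ap-south-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def bucket_policy(bucket, kms_key_arn):
    objects = f"arn:aws:s3:::{bucket}/*"
    put = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": objects}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # in transit: refuse anything not sent over TLS
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # at rest: the upload must carry an SSE header at all ...
                **put, "Sid": "DenyUploadsWithoutSseHeader",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # ... it must name SSE-KMS rather than SSE-S3 ...
                **put, "Sid": "DenyUploadsNotUsingKms",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # ... and it must use the key this account controls
                **put, "Sid": "DenyUploadsWithWrongKey",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }


def _condition_matches(operator, key, wanted, request):
    present = key in request
    actual = str(request.get(key, ""))
    if operator == "Bool":
        return present and actual.lower() == wanted.lower()
    if operator == "Null":                      # "true": the key must be absent
        return present != (wanted == "true")
    if operator == "StringNotEquals":           # assumption: absent key counts as not equal
        return not present or actual != wanted
    raise ValueError(f"operator {operator} is not modelled here")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_matches(pattern, resource):
    return resource == pattern or (pattern.endswith("/*") and resource.startswith(pattern[:-1]))


def _statement_applies(stmt, request):
    if not any(a in ("s3:*", request["action"]) for a in _as_list(stmt["Action"])):
        return False
    if not any(_resource_matches(r, request["resource"]) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_matches(op, k, v, request)
               for op, pairs in stmt.get("Condition", {}).items()
               for k, v in pairs.items())


def denied_by(policy, request):
    """Sids of the Deny statements that match the request; an empty list means
    this policy does not deny it (an Allow elsewhere is still required)."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and _statement_applies(s, request)]


# Constructed requests, expressed as the condition keys S3 would see.
OBJECT = f"arn:aws:s3:::{BUCKET}/ledger.csv"
PLAINTEXT_GET = {"action": "s3:GetObject", "resource": OBJECT, "aws:SecureTransport": "false"}
UNENCRYPTED_PUT = {"action": "s3:PutObject", "resource": OBJECT, "aws:SecureTransport": "true"}
SSE_S3_PUT = {**UNENCRYPTED_PUT, "s3:x-amz-server-side-encryption": "AES256"}
KMS_PUT = {**UNENCRYPTED_PUT, "s3:x-amz-server-side-encryption": "aws:kms",
           "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}

if __name__ == "__main__":
    policy = bucket_policy(BUCKET, KEY_ARN)
    print(json.dumps(policy, indent=2))
    for label, req in [("plaintext GET", PLAINTEXT_GET), ("unencrypted PUT", UNENCRYPTED_PUT),
                       ("SSE-S3 PUT", SSE_S3_PUT), ("SSE-KMS PUT over TLS", KMS_PUT)]:
        print(f"{label}: denied by {denied_by(policy, req) or 'nothing'}")
```

The printed policy document is what you would attach to the bucket; pair it with bucket default encryption set to the same KMS key so that well-behaved clients do not have to remember the headers, while misbehaving ones are still refused.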

Data Backup

You can safeguard critical data by keeping backups and then defining the replication and recovery approach. In the end, if you want to secure your data in AWS, it is highly advisable to seek more detailed technical advice from AWS experts.

Influence and the Indian Elections

  • Why do we care ?

All of us have heard the accusations that the US elections were unduly influenced to favour one candidate over the other, and that the Brexit vote was unduly influenced, producing a surprising result. While opinions may vary on whether these results were fixed or merely nudged in one direction or the other, there can be no doubt that in today's world the expert use of social and other media influences, and ultimately decides, the course of public, democratic elections.

India, the largest democracy in the world, is going to the polls shortly. In a lot of ways, this is a defining moment for both the country and the world at large. Therefore, it is imperative that we ensure it is solely the expression of the people's will that determines the election, and not manipulation by any external agency, benign or malignant.

It would be extremely naïve to think that the approaching Indian parliamentary elections in 2019 will not be influenced, and arrogant to think that we, the voting public, are not susceptible to such emotional manipulation. A more prudent course is to try to understand what such influence is and how it is carried out. Perhaps, by staying vigilant, we can counter (or at least minimize) the effects of such manipulation, one voter at a time.

In this article, I aim to outline how such insidious manipulation occurs and how we can guard against being manipulated. Or whether we can …

  • What is influence ?

First, let us define the terms. And at the outset, let us all agree that all nations indulge in all of these.

Propaganda is the purveying of news or information, especially of a biased or misleading nature, used to promote a political cause or point of view.

The focus is the nation itself.

Influence operations on the other hand, are the co-ordinated manipulation of opinion by using a selection of distorted, false or partisan information with the intent to cause harm to another nation. Influence is effected, nowadays, by manipulation of the social media & news outlets of the targeted nation.

The focus, of course, is the other nation.

Finally, Cyber Warfare is the attempted disruption of a rival nation's cyber assets with the explicit purpose of crippling it.

These are three different axes, not parts of a continuum as is generally assumed.

  • What is the state of art in influence ?

Today, major platforms like Google, Facebook or Twitter need relatively little input from a person to form a profile of them that is better informed and more accurate than the one their close friends hold. Double that input, and they can, in reality, know you better than your parents. One study puts the number at 70 Facebook ‘likes’ for the platform to outdo your friends in knowing your proclivities, and 150 ‘likes’ to better your parents.

Google, being privy to your searches, your purchase history, your location history etc, can predict with a high degree of accuracy what your next activity in a given line of inquiry could be. For example, what you are likely to be buying online next.

“So what?” you ask?

The problem is that platforms of this kind are the primary means people use to obtain information. With that kind of intimate knowledge about a person, these platforms can mould their opinions in a specific direction by emphasising some kinds of information over others, or by hiding other kinds altogether. Essentially, they can create a very customised, interconnected narrative that skews your world view.

  • What is the danger ?

The danger is Orwellian: if you do not have the information (or the vocabulary) to think something, you cannot think it. If all your sources tell you that ‘red’ is ‘green’ and you have no concept of green, with no means of finding out, is it any wonder that you believe red is indeed green?

The ability of social media platforms to tailor each user's experience according to a pre-determined narrative is just a tool. If I were to be charitable, I would say that it was created, and is used, by the organizations concerned largely for commercial exploitation of the user.

However, this tool can be (and is) hijacked by other players to further other agendas. For example, nefarious actors can use the targeting abilities of these tools to create a reality for you that is very different from ‘objective’ reality, and by creating that reality, slant your opinions in a direction that makes you act in a certain fashion, say, vote for a particular party. Since you never receive any counter to the narrative, you naturally believe the synthesis of the stories you receive.

That this happens has been documented in the US presidential election, the Brexit referendum and the 2018 US elections. Multiple agencies of various governments have implemented multiple measures to address this influencing of the populace, one individual at a time.

The danger is that, if such influence is left unchecked or even undetected, what is expressed in the largest democratic election in the world will not be the will of India's one billion voters but the will of a few other nations.

Part 2 of 3: Influence and the Indian Elections

Different Objectives, Different Approaches

It is normally assumed that all influencing takes the form of purveying “fake news” and that, as long as one is conscientious about validating sources, one cannot be influenced.

Nothing is further from truth than that idea.

Fake news is not a tool used by sophisticated influencers. It is too easy to counteract with vigilance. In fact, it has been shown that fake news is propagated primarily by people over 60, within their own peer group. These are people who are already pre-disposed to the point of view espoused by the fake news, so they do not really contribute to changing the outcome of, say, an election.

What these agencies aim at is to manipulate you even if you are vigilant.

In fact, it is a good assumption that everyone (including yours truly) can be, and is, influenced all the time. Research indicates that being aware of being manipulated does not change the result: you still end up being manipulated, just as though you were not aware. (I recommend reading “Predictably Irrational” by Dan Ariely for a few benign examples.)

Today agencies that seek to influence public opinion use a variety of tools, and in coordination, to achieve their aims. The primary methods they use are listed below:

  • They don’t lie.

The story they use to influence you is typically factually correct. What is changed is the frame it is presented in. Take the example of ISRO. Let us say it has an 80% success rate in its launches. That is a fact. However, it can be presented either as “ISRO is the most successful space agency of all time” or as “Almost one in four ISRO launches are failures”.

  • They morph & amplify

They use various methods (an army of people, bots, SEO and so on) to amplify their chosen message, typically a true but partisan story.
In the previous example, the negative message could take this path:

  • 25% of ISROs launches are failures
  • Understanding the repeated failures of ISRO
  • 5 reasons why ISRO cannot compete
  • ISRO – underfunded or incompetent?
  • ISRO – Story of an opportunity squandered

And the positive message could take this path:

  • More successful than NASA – India’s ISRO
  • ISRO – where success is a habit
  • Frugal Engineering – ISRO launches a Moon mission cheaper than a Hollywood movie
  • Even NASA prefers to use ISRO to launch their satellites
  • Fastest-Cheapest-Best: India’s ISRO

(Please note, I do not actually know ISRO's real failure rate. I am only using the name for illustration.)
Both sequences of stories are built on the same thin set of facts: an 80% launch success rate. By timing the sequence and flooding the channels, either opinion could clearly be reinforced in a large portion of the public.
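
The amplification step has a signature that the organic spread of a story does not: many distinct accounts posting near-identical text inside a short window, while genuine discussion arrives in different words over hours. The block below is an added example written for this page, not a tool the article mentions: it groups posts whose word shingles overlap strongly and flags groups that reach a threshold of distinct accounts within the window. The posts, account names, timestamps, window and thresholds are all constructed or assumed; the negative ISRO headline reused here is the one from the list above.

```python
"""Added example: spotting coordinated amplification in a stream of posts.

Written for this page as an illustration, not a tool the article mentions.
The posts are constructed. Organic discussion of a story arrives from many
accounts in many words over time; an amplification run shows up as many
distinct accounts posting near-identical text within a short window.
"""
import re
from itertools import combinations


def shingles(text, k=3):
    """Set of k-word shingles after stripping case and punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0


def cluster_posts(posts, threshold=0.5):
    """Union-find grouping: two posts share a group if their shingle sets
    have Jaccard similarity >= threshold (directly or through a chain)."""
    parent = list(range(len(posts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    sets = [shingles(p["text"]) for p in posts]
    for i, j in combinations(range(len(posts)), 2):
        if jaccard(sets[i], sets[j]) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i in range(len(posts)):
        groups.setdefault(find(i), []).append(posts[i])
    return list(groups.values())


def flag_amplification(posts, window_s=600, min_accounts=5, threshold=0.5):
    """Return one record per cluster in which >= min_accounts distinct
    accounts posted the same message within window_s seconds."""
    flagged = []
    for group in cluster_posts(posts, threshold):
        group = sorted(group, key=lambda p: p["ts"])
        for start in range(len(group)):
            burst = [p for p in group[start:] if p["ts"] - group[start]["ts"] <= window_s]
            accounts = {p["account"] for p in burst}
            if len(accounts) >= min_accounts:
                flagged.append({"accounts": sorted(accounts), "text": group[start]["text"],
                                "span_s": burst[-1]["ts"] - burst[0]["ts"]})
                break
    return flagged


# Constructed posts: a six-account burst of the negative framing (plus one
# late straggler), a two-account echo of the positive one, and organic chatter.
T0 = 1573200000   # constructed epoch seconds
SAMPLE_POSTS = [
    {"account": "news_fan_21", "ts": T0 + 0, "text": "Almost one in four ISRO launches are failures. Underfunded or incompetent?"},
    {"account": "truth_seeker_x", "ts": T0 + 45, "text": "Almost one in four ISRO launches are failures. Underfunded or incompetent? #ISRO"},
    {"account": "desi_voice_7", "ts": T0 + 90, "text": "RT: Almost one in four ISRO launches are failures. Underfunded or incompetent?"},
    {"account": "patriot_2019", "ts": T0 + 130, "text": "Almost one in four ISRO launches are failures... underfunded or incompetent?"},
    {"account": "realtalk_in", "ts": T0 + 200, "text": "Almost one in four ISRO launches are failures. Underfunded, or incompetent?"},
    {"account": "citizen_k", "ts": T0 + 260, "text": "Almost one in four ISRO launches are failures. Underfunded or incompetent? Discuss."},
    {"account": "late_reader", "ts": T0 + 7200, "text": "Almost one in four ISRO launches are failures. Underfunded or incompetent?"},
    {"account": "ravi_m", "ts": T0 + 300, "text": "Watched the ISRO launch replay with the kids tonight, they loved it"},
    {"account": "anjali_s", "ts": T0 + 900, "text": "Does anyone know when ISRO publishes its annual report?"},
    {"account": "space_nerd", "ts": T0 + 1500, "text": "ISRO, where success is a habit"},
    {"account": "orbit_watch", "ts": T0 + 1600, "text": "ISRO: where success is a habit!"},
    {"account": "meera_p", "ts": T0 + 4000, "text": "Honest question, what is the actual launch success rate of ISRO?"},
]

if __name__ == "__main__":
    for hit in flag_amplification(SAMPLE_POSTS):
        print(f"{len(hit['accounts'])} accounts in {hit['span_s']}s: {hit['text']}")
```

The pairwise comparison is quadratic and fine for a few thousand posts; at platform scale the same idea is run with MinHash sketches and a sliding time index, but the signal being looked for is unchanged.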

  • They subvert credible sources

A stronger approach is to take over (either legally or by means such as hacking) a normally credible source such as a news agency and use it to present a point of view that furthers their objectives. Fact checking does not help in this case: the credibility of the source is good, and the item is propagated widely, ensuring that multiple sources carry the same information.

This was the method used in precipitating the Qatar crisis: an official Twitter account was taken over, an inflammatory (but completely made-up) interview was published, and the account was locked so that the original owner could not recant or refute it, at least until it was too late.

The tragedy is that, in today's climate, even a retraction will be viewed as confirmation of the original story!

  • They use memes

The defining characteristic of a meme is its stickiness in the mind. Psychologists have long been aware of the importance of ‘priming’, where a pre-existing environmental trigger influences your mood, performance or even vocabulary.

By using memes, agencies achieve twin goals: plant a concept in an easily retrievable fashion and also prime the user towards a specific orientation. By planting memes about how crass the President of a country is, they are able to change the perception of the activities of the country itself as mean-spirited, selfish or vulgar.

  • They create echo chambers

By constantly repeating the same message in all your channels and in all your circles (remember, they have this information in excruciating detail), they create a situation where you simply do not hear any information that contradicts what you have been given. Over time you believe what you have been told as the gospel truth.

Since they target entire groups with a similar approach, the message becomes self-reinforcing. You keep hearing that somebody is a nincompoop, and all your contacts hear it too. Whenever you interact with people they talk about how much of a nincompoop that person is. You never hear anything to the contrary and ultimately believe that the person is a nincompoop.

It does not matter, at that point, that the ‘nincompoop’ has three PhDs. As far as you and your cohort are concerned, that nincompoop is the personification of nincompoop-ness.

And thereby you are influenced.

Part 3 of 3: Influence and the Indian Elections

How do you avoid being influenced ?

As I have hopefully demonstrated, you cannot help being influenced. Being vigilant is only the first step. There are a few other things you can try to ensure that you are not overly influenced.
Here are a few:

  • Actively seek contrary view points

The one way you can break out of an echo chamber is to actively seek contrary viewpoints. If you think the current government is doing great, go look for evidence that shows where it is failing, or vice versa.

This approach has two major benefits. One, you actually look at a more complete body of evidence and, hopefully, form a more informed opinion.

Second, by doing this, you skew the algorithms that decide what is ‘relevant’ to you. Because they are automated, they now also start showing you items that are contradictory.

So you are using the power of the medium to break the evil of the same medium. What can be more satisfying than that!

  • Confirm a news item with at least 3 sources

Any major happening is sure to be reported in all channels, whatever the slant of the presentation.
While it may be impossible at a first reading to identify the framing of a story, you should be able to glean the facts of the case by reading multiple sources.
It would also help if you developed an understanding of statistics and numbers!

  • Do not propagate opinions

This is a difficult one to implement.

Essentially, you forward something because it conforms to your opinion of something. So it is difficult to resist the temptation to forward a meme or article that seems to “express it better than I could”. That is precisely why it is pernicious.

If possible, formulate and express your own opinion rather than forwarding a pre-made one. By doing this, you give yourself a chance to understand the structure your opinion is built on and, hopefully, to notice when it is built on flimsy foundations. It also ensures that you are not manipulated by hot buttons like “Hindu”, “Muslim”, “Conversion”, “56 inches” or “Pappu”.

  • Wait

This goes together with the earlier point.
By writing your own opinion, you automatically delay the propagation of influence. It also gives disconfirmatory evidence a chance to emerge and be heard.

  • Seek Information; Don’t consume.

If you think that something is true, actively seek information on it rather than consuming information that is fed to you. And when you do, make sure you multi-source it and look for disconfirmatory evidence. If you take the easy way out and just believe what is presented to you because “it feels like the truth”, you are more susceptible to being influenced.

  • Don’t rely on the people you know for truth

There has been a major change in how information is found and in how its veracity is validated.

Earlier, reputable persons and papers presented information and editorialized their opinions. The information was pushed to you at fixed times and was authenticated by the source.

The other aspect is that when a friend in your group tells you something, you have reason to trust them because you know them and their proclivities. The validity of the information is therefore measurable, and you adjust for their leanings.

Now, you pull information by searching for it, and you have no control over the sources that present it. The onus shifts to you to validate the information and separate fact from opinion.

The people in your group (say a WhatsApp or Facebook group) are not necessarily known to you. So you can't use your old yardstick of “someone who is like me said this in my group, hence it is likely to be true”. You don't really know who they are.

So, beware the people who agree with you!

Conclusion

Being vigilant is hard work and requires effort. It is doubly hard because, by nature, we are programmed to take the easy or lazy path when thinking about something; hence the prevalence of heuristics and shortcuts.
Since these very mechanisms are being suborned to influence you, you need to make the extra effort to ensure that you are actually thinking about something rather than just consuming what has been pre-thought for you.

Otherwise, your vote will represent somebody else's opinion. And since they took the effort that you were not willing to make, it is almost guaranteed not to be in your interest.