Thoughts on an EU based internet

Posted by Tom Colvin (CTO), 11 Mar 2014
The German Chancellor, Angela Merkel has publicly lent her support to the idea of creating a cluster of centralised EU networks in order to keep data safe from US spies.

News reports on the alleged phone-hacking scandal between the Chancellor and the US National Security Agency say that her BlackBerry may have been tapped by NSA spies for up to ten years. Chancellor Merkel, who has held the office since 2005, has seemingly developed a personal interest in removing the NSA from Europe, leading her to push negotiations for a so-called ‘privacy regulation’, that is, a uniform standard of data protection in Europe.

Due to vague wording within the US Patriot Act, specifically section 215, which grants the NSA permission to collect all ‘relevant’ call data and telephone numbers to ensure national security (a term Congress has left largely undefined), EU civil and government data has become increasingly susceptible to interception by NSA agents.

US access to foreign data is also partly due to the Foreign Intelligence Surveillance Act (FISA), which provides agencies like the NSA with a wide range of cross-border powers for counter-terrorism efforts.

In the Chancellor’s podcast of 15 February 2014, she said: "We'll talk, above all, about which European suppliers we have that provide security for the citizens that they need not cross the Atlantic with their emails and other things, but we can also build communications networks within Europe."

This is an action that we at Conseal Security wholeheartedly agree with – we would even press the Chancellor to consider investigating a list of EU suppliers who can assist the German and other member state governments on this matter.

We would recommend the establishment of a list of trusted vendors and suppliers specialising in controlled encryption in order to safeguard EU data from getting into the wrong hands.

The sheer reach of the US Patriot Act and the legislation that has grown out of it poses a problem for foreign governments. In such a data-centric society, it is becoming increasingly difficult to secure international data from prying eyes.

Tensions have grown between the EU and US since the Patriot Act was signed into law by George W. Bush in 2001. Some twelve years later, the extent to which European communications are monitored by the US has come under greater scrutiny, in light of documents exposed by NSA whistleblower Edward Snowden.

In January, the European Parliament’s Civil Liberties Committee issued a report which questioned whether US surveillance activities were actually good for international security, suggesting they were instead tools for “political and economic espionage.”

At Conseal Security, our job is to provide a channel for our clients to secure the data they own and wish to send to others. We agree with Angela Merkel’s concerns on this matter, and her concept of a centralised internet is very persuasive, but, like Merkel, we recognise it is fraught with issues.

Perhaps the most interesting point, which remains to be seen, is how American-based companies operating to a large extent across the globe respond to these measures. The European Parliament’s Civil Liberties Committee has called for greater scrutiny of the data privacy practices of American internet companies, such as Apple, Facebook, Google, and Microsoft.

Keeping the civil and governmental communications of EU citizens safe, their emails, text messages, voice calls and general internet habits, is vital to protecting civil liberty and the privacy each individual is entitled to.


By using a network of trusted EU-based partners specialising in controlled encryption, with no ties to or data storage in the US, the Chancellor can begin to push back against the dark Orwellian future that acts such as FISA foreshadow.

The real cost of a data breach

Posted by Tom Colvin (CTO), 5 Mar 2014
Following recent news that three major South Korean credit issuers have been suspended by the country’s financial watchdog due to a massive data breach, this post looks at the real cost to business of a data breach.

For the sixth year running the average cost of a UK data breach has risen – this time by 16.5%, from £1.75m to £2.04m in 2013. As a result the danger of a breach is back on the agenda for most data-centric organisations. According to the latest research by Symantec Corp. and the Ponemon Institute in the 2013 Cost of Data Breach Study, the average UK firm could be liable for costs of over £2 million should it fall foul of employee negligence or malicious attacks.

The prospect of private customer data getting into the wrong hands is becoming an increasingly concerning reality for many organisations across the UK and abroad. The costs involved in protecting data from a breach are not insignificant, but should a breach occur, the bill can be much larger.

Recent discussions have seen EU Justice Commissioner, Viviane Reding, push for much tougher fines for institutions breaching EU data privacy laws. She is quoted as saying that under her new plans for privacy failings, Google would owe $1bn for breaking Spanish data protection laws.

So with governmental and regulatory pressure along with rising costs, the heat is on organisations to protect vulnerable databases and educate employees in safeguarding vital data from catastrophe.

According to the report, the most costly data breaches are malicious and criminal ones, as with the recent South Korean breaches, where it is believed a temporary employee of the KCB stole data via a USB stick and sold the information to phone marketers.

Across all nine countries covered by the research, malicious and criminal attacks are a key factor in 34% of all cases surveyed. The number of breached records per incident averaged 23,647, with German and US companies having the most costly breaches at $199 and $188 per record, respectively. Organisations most susceptible to data breaches include those in the financial, pharmaceutical and communications industries, partly due to the sheer amount of data these industries hold.

However, it is concerning that employee negligence continues to be the most common cause of data loss. This covers anything from employees losing devices containing confidential information to failing to follow best practice and secure data as it is received by the business. With employees increasingly adopting BYOD, and with data being transferred unsecured across the internet, lost on USB or other portable devices, or misplaced within personal devices, it is vital that any incident response plan accounts for these types of external mishaps in addition to the protection of internal data.

The ongoing costs to business reputation are also considerable. The study reveals that fewer customers remain loyal to businesses that have suffered a breach resulting in a loss of information. Increasingly, companies dealing with a previously ‘breached’ organisation are taking their business elsewhere.


It is therefore critical that businesses take appropriate measures to reduce the impact of potential breaches, including training employees and having an incident response plan in place should anything untoward occur. Implementing these measures well in advance will reduce the cost to the business in the long run.

How to protect yourself from an Internet data breach

Posted by Tom Colvin (CTO), 27 Feb 2014
Anything you send via email over the Internet can be intercepted and viewed by anyone who has the technical capability and perseverance to access it. Anything you send via insecure wireless can be intercepted and read by anyone in the vicinity. Anything you send at home or at work can be intercepted and read by anyone at your home or work’s ISP.

Stranger danger! How easy is it to snoop on unsecured networks?

There is an old saying: ‘An iron tongue makes a sharp head’. Throughout day-to-day life we monitor and filter what we think into something appropriate to say. For example, it would be dangerous and inappropriate to shout out a PIN at a cash machine or whilst paying for something in a shop. Doing so would make us immediately vulnerable and leave that valuable data open to exploitation.

This street-wise behaviour is rarely carried over online, however, and there are a number of situations during day-to-day Internet activity where our data can be criminally monitored, stolen and exploited within a matter of seconds.

News reports debating the value of national security over personal privacy are increasing in number and prevalence. Much like in the U.S., the UK government is working on laws which may require ISPs to relinquish data to GCHQ – allowing the intelligence agency to intercept and monitor the calls, emails, texts and website visits of UK citizens. Beyond this, the illegal interception and theft of data is a real problem which needs to be tackled.

It is important for daily Internet users to understand the process behind data theft and how to secure valuable data such as passwords and vital bank account details.

Technology used to mine data has evolved beyond the use of key-loggers into more sophisticated wireless network analysis technology which can be acquired for free on the Internet.

Programs of this type scan and capture Wi-Fi signals, effectively recording 802.11 packets – the small pieces of information transferred across a network. These packets appear on screen within milliseconds of the data being sent from an unsecured PC or mobile device, and if that data is unsecured at source it will appear in a network monitoring program and can be exploited.

Similar programs, such as DroidSheep or Deep Whois, can be downloaded onto mobile devices and achieve the same end.

These are not sophisticated, in that they won’t reveal login details. However, they do scan for unsecured sessions and can provide access to live sessions of popular web-based services; for example, anything you search for on most search engines, purchases made and emails sent. The key is to understand where your personal information is at its most vulnerable.

  • Unsecured wireless hotspots – usually found in coffee shops or out and about.
  • Data transferred across a work network can be easily viewed by an administrator.
  • Data transferred across your home or work network can be viewed by employees of that ISP.

How do you secure your data?

Essentially, it is about basic vigilance and understanding what to look for in terms of secured and unsecured networks.

  • Each time you log into a website in a public space, ensure your session is encrypted. Check that the URL begins with https, not just http.
  • Ensure as you browse that this security does not change. For example, many websites will take your login details via https but drop that security beyond that point. Many sites give you the option of encrypting the entire session; you can do this by enabling Secure Browsing.
  • If you use POP3, SMTP or IMAP through an email client such as Outlook, Thunderbird or Mail, the general advice is to ensure your account is configured to use encryption. However, this is only partly true: configuring the account with encryption secures only the connection from mail client to mail server. We would stress the importance of encrypting the email itself, given that the onward transfer of an email across the internet is carried out without any security, in plain text.
  • Browse using a VPN (Virtual Private Network).

In addition, it is important to refrain from sending personal information over an unsecured public network. For example, online banking services, social media logins and web-based email services should be avoided unless accessed through https; it is better to save this kind of browsing until you are on a secured connection.
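The first two checks above (is the page https, and does the site stay on https after login?) can be automated against a record of a browsing session. The script below is an added example, not code from the original post or from Conseal Security; the session log, host names and the set of login paths it recognises are all constructed for illustration. It also checks for the Strict-Transport-Security header, which is what tells a browser to refuse a later downgrade to plain http.

```python
"""Audit a recorded browsing session for plain-http pages and for the
"https login, then http" downgrade pattern. Added example; SESSION_LOG
and LOGIN_PATHS are constructed, not taken from any real site."""
from urllib.parse import urlparse

# Each entry: (request URL, selected response headers as the browser saw them).
SESSION_LOG = [
    ("https://bank.example/login", {"Strict-Transport-Security": "max-age=31536000"}),
    ("https://bank.example/accounts", {"Strict-Transport-Security": "max-age=31536000"}),
    ("https://social.example/login", {}),       # login over https, no HSTS
    ("http://social.example/feed", {}),         # encryption dropped after login
    ("http://news.example/", {}),               # never encrypted, but no login either
]

# Paths treated as "this request carried a login" (assumption for the example).
LOGIN_PATHS = ("/login", "/signin", "/auth")
HSTS = "strict-transport-security"


def has_hsts(headers):
    """Header names are case-insensitive, so compare in lower case."""
    return any(name.lower() == HSTS for name in headers)


def audit_session(log):
    """Return a list of (url_or_host, finding) tuples; empty means nothing to flag."""
    findings = []
    logged_in_over_https = set()   # hosts that took a login on an https page
    hsts_hosts = set()             # hosts that sent Strict-Transport-Security
    https_hosts = set()            # every host seen over https

    for url, headers in log:
        parts = urlparse(url)
        host, scheme, path = parts.hostname, parts.scheme, parts.path or "/"
        if scheme == "https":
            https_hosts.add(host)
            if any(path.startswith(p) for p in LOGIN_PATHS):
                logged_in_over_https.add(host)
            if has_hsts(headers):
                hsts_hosts.add(host)
        elif scheme == "http":
            if host in logged_in_over_https:
                findings.append((url, "login was https but this later page is http: "
                                      "the session cookie is exposed on the wire"))
            else:
                findings.append((url, "plain http: everything on this page is readable on the wire"))
        else:
            findings.append((url, "unexpected scheme %r" % scheme))

    # An https host without HSTS leaves the browser free to follow a later http link.
    for host in sorted(https_hosts - hsts_hosts):
        findings.append((host, "https host without Strict-Transport-Security header"))
    return findings


if __name__ == "__main__":
    for where, what in audit_session(SESSION_LOG):
        print("%-35s %s" % (where, what))
```

Run as a script it prints one line per finding; the two bank.example requests produce nothing, while social.example is flagged twice (the http feed page after an https login, and the missing HSTS header) and news.example once.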

Don’t just take our word for it: Internet snooping by individuals is really happening – see www.amibeingfollowed.com. If you’re concerned then get in touch and we’ll advise you on the latest technology to secure your data.

Are you managing your passwords?

Posted by Tom Colvin (CTO), 19 Feb 2014
The average web user’s experience of the security of the internet is defined by the use of login details including passwords. Memorable character strings are the (almost) universal means to access the important day-to-day web-based services we need to live our lives and fulfil our various roles.

All commonly used websites like Facebook, Twitter, LinkedIn, Wordpress and GMail require some form of authentication to access services and important personal data.

More importantly, online banking services, mobile devices such as phones and tablets, and personal and office computers require similar login authentication. The range of credentials for different sites is therefore growing rapidly, leaving the average user with an ever-increasing list of login details.

Recent news reports have been damning to the reputation of the password. Several large data breaches, at Adobe, LinkedIn and the games website RockYou, have all involved the theft of login names and passwords.

The recent Tesco.com breach, which saw over 2,000 users’ accounts hacked and subsequently posted to a popular text-sharing site, marks a period where the humble password has a lot of explaining to do as it falls short of the requirements needed to secure data. Some might say, ‘once again!’

As these data breaches continue and the resulting information is published online, various places on the internet are becoming repositories for a growing volume of readily accessible private data.

The main factor undermining the effectiveness of a password is the human one. Lazy duplication across accounts and the use of common passwords is a massive problem. Internet users need to understand that by using the same password on different sites, a breach of any one of them will naturally permit access to all the others.

In real terms this means that a worryingly large number of internet users are entrusting their valuable private information to a variety of services but protecting that important data with relatively weak passwords.

According to mobile software firm SplashData, ‘123456’ has recently overtaken ‘password’ as the most frequently used password across the web. These two dominate the ‘Worst Passwords of 2013’ list. In addition, ‘qwerty’ comes in at number four, ‘iloveyou’ at number nine and ‘admin’ is a new but very common addition at number twelve; not forgetting, of course, the infamous ‘letmein’.

So what can I do?

What we are seeing here is a fundamental attack on passwords themselves. Hackers are simply exploiting the fact that people use the same password for every account, by trying the same leaked address/password combination against multiple accounts.

Essentially, it is important not to reuse one password across a number of accounts, and to keep passwords as impersonal as possible. Long passwords which combine upper- and lower-case letters, numbers and other random characters will also reduce the likelihood of your data getting into the wrong hands.
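The three pieces of advice in this post (avoid the published worst passwords, use long mixed-character passwords, and never reuse one across accounts) are what a password manager enforces for you. The code below is an added example, not Conseal Security's code: it checks a password against a policy, generates a compliant random one from the operating system's secure random source, and scans a constructed set of stored accounts for reuse. The worst-password entries are the ones this post quotes from SplashData's 2013 list; the minimum length and the sample accounts are assumptions made for the example.

```python
"""Password hygiene helpers: policy check, generation, and reuse detection.
Added example; WORST_PASSWORDS holds the entries quoted in the post, while
MIN_LENGTH and ACCOUNTS are constructed for illustration."""
import secrets
import string
from collections import defaultdict

WORST_PASSWORDS = {"123456", "password", "qwerty", "iloveyou", "admin", "letmein"}
MIN_LENGTH = 12                                   # assumed policy minimum
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def check_policy(password):
    """Return the list of policy failures for one password; an empty list means it passes."""
    failures = []
    if password.lower() in WORST_PASSWORDS:
        failures.append("appears on a published worst-passwords list")
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    classes_used = sum(any(c in cls for c in password) for cls in CHARACTER_CLASSES)
    if classes_used < 3:
        failures.append("uses fewer than three character classes")
    return failures


def generate_password(length=16):
    """Generate a random password that satisfies check_policy, using the OS CSPRNG.

    secrets.choice draws from os.urandom, unlike random.choice, which is
    predictable and must not be used for credentials."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:   # a 16-character draw almost always has three classes; loop just in case
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def find_reuse(accounts):
    """Map each password used by more than one account to the sorted account names.

    accounts is {account_name: password}, as a password manager stores them."""
    by_password = defaultdict(list)
    for name, password in accounts.items():
        by_password[password].append(name)
    return {pw: sorted(names) for pw, names in by_password.items() if len(names) > 1}


# Constructed sample of a user's stored credentials (not real accounts).
ACCOUNTS = {
    "webmail": "letmein",
    "social": "letmein",
    "bank": "Tr0ub4dor&3xyz",
    "shop": "letmein",
}

if __name__ == "__main__":
    for name, pw in ACCOUNTS.items():
        print("%-8s %s" % (name, check_policy(pw) or "ok"))
    print("reused:", find_reuse(ACCOUNTS))
    print("replacement:", generate_password(20))
```

The reuse scan is the check a user can only run on their own vault: a website sees just its own copy of a password, so it cannot warn that the same string also guards the user's webmail, which is exactly why one leaked list unlocks several accounts.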

As the number of vital web-based services increases, passwords become more difficult to manage, as a host of complex passwords simply cannot be maintained accurately by the average user. It begs the question – is there anything that can actually replace the password and make our online experience easier?

8,404 Tests

Posted by Nancy Wyatt (Penetration Testing), 7 Jan 2013
From the development office: An insight into how a product as sophisticated as Conseal Server is security-ensured before we allow it out.

Any server product naturally needs very careful testing and analysis to ensure, amongst other things, that it is safe for users and secure for the computer it is installed on. With Conseal Server, we arguably have an even greater responsibility than most to ensure complete security, given the sensitivity of the data it protects.

Each release, therefore, goes through a very strenuous series of tests. Our current checklist calls for 8,404 separate tests on each and every release, and this number grows with every release. The checks allow us to guarantee things like user permissions working as they should, devices being available only as permitted by user-supplied access rules, and users being correctly "sandboxed" (meaning they cannot overstep their permissions).

We also test against security flaws which commonly affect other server software, such as cross-site request forgery and HTML and SQL injection attacks. It is my job as a penetration tester to attack the server in as many different ways as I can. Again, we have a checklist of attacks we try on every release, but the fun of my work is finding ever-more creative ways of attacking!
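As an illustration of what one of those checklist items looks like when written as a repeatable test, here is an added example covering the two injection classes named above. It is not Conseal Server's code or its test suite: the in-memory SQLite table, its two rows and the "comment" input are constructed for the example. Each check pairs the defect (string concatenation into SQL; raw user text into HTML) with the hardened form (a bound parameter; `html.escape`), so the test both proves the flaw is real and proves the fix closes it.

```python
"""Injection regression checks of the kind a per-release checklist contains.
Added example; the users table and sample inputs are constructed."""
import html
import sqlite3

# Classic tautology input: a pen-test checklist tries this in every text field.
SQL_PROBE = "' OR '1'='1"
# Markup in user-supplied text; if it renders as a tag, the page is injectable.
HTML_PROBE = "<b>bold</b>"


def make_db():
    """Build a throwaway in-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the value is spliced into the statement, so it is parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = '%s'" % name).fetchall()


def lookup_safe(conn, name):
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_unsafe(comment):
    """Vulnerable: user text dropped straight into the page."""
    return "<p>%s</p>" % comment


def render_safe(comment):
    """Hardened: metacharacters are entity-encoded, so the browser shows them as text."""
    return "<p>%s</p>" % html.escape(comment)


def sql_injection_check(conn):
    """True when the probe pulls extra rows from the unsafe lookup and none from the safe one."""
    return len(lookup_unsafe(conn, SQL_PROBE)) > 1 and lookup_safe(conn, SQL_PROBE) == []


def html_injection_check():
    """True when the unsafe render keeps the tag and the safe render neutralises it."""
    return "<b>" in render_unsafe(HTML_PROBE) and "<b>" not in render_safe(HTML_PROBE)


if __name__ == "__main__":
    db = make_db()
    print("SQL injection check:", "pass" if sql_injection_check(db) else "FAIL")
    print("HTML injection check:", "pass" if html_injection_check() else "FAIL")
```

The point of keeping the vulnerable variant in the test is regression coverage: if a refactor ever reintroduces string-built SQL, the "safe" assertion starts returning the same rows as the "unsafe" one and the release is blocked.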

As a final layer of security testing, we analyse all the differences in code between releases. This is also helpful in formulating attacks against the server: knowing how it is written can suggest further attacks to try.

If you are looking to start pen-testing a server, whether your own code or a third-party one you have just installed (or even if you want to confirm our work on Conseal Server!), then here is a very useful guide to some of the most common and dangerous flaws.

New Windows flaw allows hackers control of your computer

Posted by Alf Norris (Conseal USB Lead Developer), 21 Dec 2012
A very significant new flaw in all versions of Windows gives hackers complete control over your computer if you visit an infected website or open a document. The flaw is fixed in KB2783534, which is currently on Windows Update.

This has vast damage potential, and we are not sure why it is not receiving more media attention. The flaw exists in the way that fonts are opened and displayed, so in any situation where hackers can get your computer to display a custom font they can take control of your system. This includes simply visiting a web page, for example.

This is uniquely damaging because it is software-independent. It applies regardless of the browser you are using, as presumably they all use Windows' own mechanisms for loading and displaying fonts.

We advise all customers to ensure they have the latest OS patches.

Security, in Numbers III

Posted by Alf Norris (Conseal USB Lead Developer), 10 Aug 2012
In numbers:
  • 26%: companies which believe their staff have a very good understanding of their security policies
  • 75%: of those organisations in which security policy was poorly understood, the percentage which had staff-related data breaches
  • 67%: percentage of large organisations which expect more security breaches next year
  • 37%: number of small businesses which do not have a formally documented security policy
  • 568m: number of flash drives expected to be in use by 2015