Thank you to all the subscribers to this blog. Please note that Demystify Cyber has moved to its own website!
For articles by the InfoSec community please go to the Demystify Cyber Community Blog page here> Demystify Cyber Community Blog
When cybercrime s mentoned people may immediately think of malware, others may think phishing, however cybercrime is far more than that. Cybercrime is crime against technology or crime enabled by it. This means that as well as perhaps the more obvious crimes of malware and phishing, it encompasses online fraud, unauthorised modification or destruction of data, romance fraud, tech support or remote access scams, child abuse material, and a range of other crimes.
Remember that anyone can become a victim of cybercrime, nobody is immune. Also be wary of victim blaming, as a cybercrime victim needs support, the only people to blame ar ethe criminals.
All of us that understand tech and cybercrime need to be part of the solution and help help each other, our friends, families,colleagues, and total strangers to stay safer from cybercrime. Anyone can become a victim of cybercrime, the fall out of cybercrime to victims and their famiies and/or businesses can be huge. Please be part of the fight against cybercrime. Be kind to each other, support each other, and help everyone stay safer in the online world.
Software and technology evolve fast, and at times they may have an inadvertent flaw in them. Vulnerabilities in technology or software code can be exploited by criminals to gain access to a person’s computer or phone, or a company’s system. The reason why software companies release security patches is to fix or mitigate security flaws that have been discovered in their code
Five points
about vulnerabilities and patching:
1. Vulnerabilities – A flaw in code, hardware or systems may
be exploited by criminals to gain access to restricted systems
2. Zero day - A vulnerability that is not widely known about,
except by the criminals exploiting it, and where there is yet no known fix, is
called a zero-day exploit.
3. Exploits - Criminals can exploit vulnerabilities in
applications and use these to steal passwords, gain access to networks and
install malware
4. Patches - Software companies release security patches is
to fix or mitigate security flaws.
5. Patching - All users of technology, whether individuals or
corporate entities need to ensure they keep their systems and software current
and patched as this helps to protect the technology from criminal exploitation.
Thank you to my lovely colleague, Ella Donald, for generously taking time to write this article supporting the demystifying cyber project and helping people to stay safer from cybercrime.
\Let’s reduce this to the questions you should be asking yourself to discover enough about the device / manufacturer / cloud-app before you let this 'thing' into your home?
When I approach new things, the first question I think about is:
Why do I need this device and what benefit(s) is it bringing me?
I think of the ’why’ as the key to my internal business case. This why determines both the benefit it (might) bring as well as qualifying what we are balancing the risk of having the device join our network and share in our data.
If we’ve established the why, we need to establish the risks of having the device in our lives and on our network. To get a feel for the risks, as yourself the following questions:
• Firstly, what data will the device actually be collecting and/or using to provide you a service? This is pretty crucial to the overall use case - if the device is measuring the temperature of your living room and that data gets out… 🤷♂️ well that’s likely not a big issue. But if it’s video and audio of the baby monitor and it’s being handled by a country that is not ‘legally friendly’ with Australia (I.e. any misdeeds with that data cannot be punished in any way) then it might be a bigger issue for you.
• What info does the device or corresponding app need about me (or my family/business/staff) in order to function, or even set it up? Is this device ‘personal info’ that, if it fell into the wrong hands, could be used against me in some way?
o As a sub-question, can I give the device false info and still achieve my objectives of having the device? I.e. it’s not a law enforcement, government or financial sector device or app where it might not be legal to provide false details.
• Where is my data stored? The answer to this will determine whether or not you could do anything about it if the organisation you, or your devices, gives the data to has a data breach.
• Can I delete my data? If your new device has a one-way flow of data out to some cloud service, can you ensure that data is removed/deleted from the service after a given time period?
• What is the likelihood of my data being breached? Evaluating this question as a “non techie” is very, very difficult. Even inside the info security industry, it is difficult to determine all the factors needed to make an educated guess at the probability of the data “getting out” to somewhere unintended. However, what I mean here is, for most people reading this, is that if you’ve heard of the big name (think Microsoft, Google, Amazon Web Services) then there is an inherent safety factor in that most of those companies spend a lot of money to protect themselves and their client data within their systems - because they will be held accountable when something goes wrong. On the other hand “Mom & Pop’s Corner Data Mart” that are based in a different country may have little to no repercussions for them.
• How does the device connect to the internet/cloud? Is it through your wifi or a built-in mobile data service?
• Can I use a unique email address for sign-up in order to provide some traceability if the gathering party misuses my data? e.g. with Gmail you can setup an email with a ‘+’ in it, to provide you some easy tracking if your email address is used for something other than what you gave consent to.
• If the software (device or cloud app) isn't updated or 'patched' regularly, what does this do for the my risks?
The term 'risk' used here is combination of the likelihood of something happening (usually untoward or it would be an opportunity, not a risk!) and the impact of that something happening. There are usually also mitigations that help reduce the overall risk.
A brief, simplistic example would be of a baking tray in a hot oven. If you open the oven and take out the tray with your hand, the likelihood of your skin coming into contact with the tray is 'almost certain' and the impact of coming into contact with the hot tray may be 'major' (i.e. being burnt). Combining the likelihood and impact we might end up with a 'high' risk to your health and safety. However, a simple mitigation of wearing a heat-proof oven mitt would lower (i.e. 'mitigate') the likelihood of your skin coming into contact to 'very rare' and may decrease the impact slightly as well, to say 'minor' (by decreasing the possible surface area of skin that may be affected during contact). Thus, the resultant risk with the mitigating mitt would be 'low'.
CHECKLIST
For those of you still reading who like checklists, my thinking is along the lines of understanding the following:
Why do I need this device; what benefit does it bring me?
What data will the device be collecting/using?
What info does the device or corresponding app need about me? How could this info be used against me?
Where is my data stored? And can I delete my data if I want to?
What’s the likelihood of my data being breached, and what is the impact to me?
How does the device connect to the internet/cloud, and how does data get in/out of your environment?
How is the device maintained / patched, and how regularly?
Practical Application
Let’s put this into practice and weigh up a use case I have just gone through - getting an IOT device to check pool chemical levels. For those that don't own a pool, there are various chemical levels that need to be 'in balance' for a domestic swimming pool to stay clean, sanitary and nice to swim in. Typically, pool owners use either test strips bought from the local pool shop or hardware, they take water to a pool shop for testing, or they pay someone to come around regularly to maintain their pool. I've been in the 'test strips' group but with an interest in home automation and a bit of a data geek, I could see the point in something a little higher tech, more accurate, and less wasteful of those little chemical strips; i.e. more sustainable, reliable and consistent.
Context / aka 'use case': The test strips, and replacements I've been using, have provided unreliable, inconsistent data to me about the condition of the pool - namely pH, chlorine and salt levels. This has meant I've been treating the pool incorrectly (based on incorrect data) and have been spending too much money. The core problems are consistency and accuracy (within the limits of a pool testing device, but not a scientific tool for research) to cut financial losses in chemical costs. The pool is also inconveniently placed for me to do testing on a daily basis (i.e. I'm lazy and don't like going out in the cold and dark of a winter's morning!) to ensure I get my data.
Solution: a device that test for the core levels (pH, free chlorine, salinity) with enough accuracy that I can make decisions and see trends (like pH rising over a week). And being a techno geek of some sort, I would like that delivered to my smartphone or email.
What benefit(s) does it bring me?
The device + cloud app brings me the ability to know what my pool chemical levels are like, updated on an hourly basis. This allows me to make decisions (like adding pool acid) based on not only instantaneous data (like using a pool testing strip) but on historical data over the whole day or week. In turn, this drives down the cost of making pool chemical errors, lessens wastage of both chemicals and testing strips; leading in turn to more swimming time and less swearing at the state of the pool.
What info will the device be collecting?
The device I put on my short list detects and collects pH, free chlorine, salinity, and temperature. There's no location data, other than what I choose to tell the app so it can give me weather predictions.
For the purposes of a basic "can this data be used against me" analysis… well, you can tell how bad I am at managing our pool but in real terms, there is not much an attacker could do with this info. (Please get in touch if you think that the pH level of my pool could be used against me in something other than a public shaming of my pool maintenance because I'd legitimately love to hear another angle!)
All in all, I'm comfortable with what the device collects and sends away to be stored. (I am hopefully it will show that I will get better at pool maintenance… but that trend will only be visible with hindsight!)
Moving on - what info does the device need to operate?
It turns out that the setup of this device is app + bluetooth based (info I obtained from the website prior to purchase). I had made an unvalidated assumption that the device would then default to wifi connection, in order to upload its data to a cloud app.
It turns out I completely missed the fact it can use wifi but only does so when the Sigfox network is not available in the installed area. The what-fox-network!?! Standing there with the installer drilling holes in my pool piping, I realised I had never heard of the Sigfox network… I had a quick decision to make - do I let this install go ahead or stop it now?
I made a quick mental risk calculation - the device will be connected to 'some other network' but not mine and transfer minimal data (basically a few data points, every hour or so) to a cloud service. Thus, it should not be "a way in" to my network, so I let the install continue.
(As a side note - I actually have an IoT zone on my wifi network for such devices as this and had the details ready for the installer.)
Going back to answer the question though - the device only needs enough 'data' of mine to link/sync up with your account in the cloud app… so I'm happy enough with that.
Moving on from the shock of discovering a type of network I had not heard of yet that has coverage in my backyard…
What data does the corresponding app need?
When setting up the app, I created an email address unique for this install in the format of myname+devicename@example.gmail.com which is simply delivered to the myname@example.gmail.com mailbox I already use. However, if the cloud app provider ever has a data 'leak' (or sells the data) then I might find spam coming to that particular myname+devicename address, so I at least know where the leak happened.
Note that this is not 'protection' but it is a form of 'detection' in the language of security. I also used my password manager to generate a unique, long, complex passphrase that I'll never have to remember, because the password manager does that for me (topics for a different post, I'm sure!).
The app also wanted my location (via smartphone location/GPS) as a one-time set of location, to sync up weather patterns that may be helpful when determining pool conditions. I ‘corrected’ the app’s location data and set it for a park near my house - close enough for weather purposes - but not my actual home address.
So far, so good - nothing I wouldn't expect, given what the device needs to do to provide me with my benefits. It has asked for no credit card numbers, photos of my driver's license or requests for my mother's maiden name or birthday. 👍
As a side note, this lack of pumping me for information is refreshing but correlates nicely with the manufacturer being European and having to conform with GDPR. Having the manufacturer conforming to this privacy legislation provides me with comfort that they will uphold some basic privacy principles like not storing or using my data for purposes other than what I have consented to.
What’s the likelihood of my data being breached and the impact to me?
Looking at what I know so far about the device and cloud app, I decided that the likelihood was effectively irrelevant as the impact of a data breach to me would be basically non-existent.
Said another way, there is only pool water data and a unique user+password combo being held by the company providing me with the service – any breach of this data should cause me no harm, so I’m not going to invest time and effort investigating exactly where and how the company is storing my data.
How does the device connect to the internet/cloud, and how does data get in/out of your environment?
As evaluated earlier, the device connects outside of my home network. I can connect directly to it from my phone, using Bluetooth, to request an immediate water check, however this only provides an attack vector to my smartphone. As I’m using an up-to-date iOS device to run the app, using the IoT device (and its very limited compute power) to ‘attack’ me via my smartphone would be a very esoteric and costly way of ‘getting in’ to my environment.
While valid for some threat models, I’m going to discount them for the typical ‘home user’ and this post. Why? Because they’re theoretical attacks around a completely different threat model to the target audience (please excuse the pun). If the device was, for example, a set-top box that is connected to a home’s core network and uses/stores your credentials to access your home computers for videos and music, there is a far more credible threat to be thought through based around the data and access of that particular IoT device.
Lastly, let’s look at how the device maintained / patched, and how regularly?
For this IoT device, I’m not even sure it can get software updates as it is a very basic device. If it does, it will likely require a local Bluetooth connection from the smartphone. The Sigfox network seems to exist more for transferring captured data points, not maintaining software/patch-levels.
The supporting cloud app seems to be patched through the smartphone’s app store for bugs and features, and the cloud server side is invisible to me. As covered earlier, if this device gathered info that I was more concerned about, I would investigate the server side more.
Summary
In summary, while I did look at my list of key points to evaluate, the lack of the device and related cloud app gathering any data of use to anyone but me, along with the benefits the device should realise made it a quick decision to approve the device for install.
Now if only someone would break into the device, see the trend of my pool’s pH levels rising on a daily basis and tell me exactly how I can solve that problem… now that’s a ‘hack’ I could get behind!
Thank you to author and infosec profesional Craig Ford, for writing this article and supporting the demystifying of all things cyber. If you are looking for your dream career in cybersecurity, infosec, all things cyber, this article will be of interest to you.
If you use Goodreads, please follow Craig's author page on Goodreads.
.........
Thank you to the highly respected infosec professional, Raj, for writing this article on responsible disclosure of exploitable vulnerabilities. This artilce highlights the reasons for being carefull how vulnerabilites are disclosed, adn the ethical approach to this disclosure.
.........
A few days ago, I saw one of the cybersecurity enthusiasts publish a post on how he found a brand-new vulnerability affecting a network security device. No doubt it’s cool when someone identifies a bug/security flow, and many followers congratulated him on his findings. It turned out the person found the flaw then within a few hours posted it straight to social media.
Finding a security flaw/vulnerability is a fantastic thing. However, you must do a responsible disclosure too.
There are three ways of doing a disclosure:
In the private disclosure model, the vulnerability is reported privately to the organisation. The organisation may choose to publish the details of the vulnerabilities, but this is done at the discretion of the organisation, not the researcher, meaning that many vulnerabilities may never be made public. The majority of bug bounty programs require that the researcher follows this model.
The full details of the vulnerability are made public as soon as they are identified. This means that the full details (sometimes including exploit code) are available to attackers, often before a patch is available. The full disclosure approach is primarily used in response or organisations ignoring reported vulnerabilities in order to put pressure on them to develop and publish a fix.
Responsible disclosure attempts to find a reasonable middle ground between these two approaches. With responsible disclosure, the initial report is made privately, but with the full details being published once a patch has been made available (sometimes with a delay to allow more time for the patches to be installed).
In many cases, the researcher also provides a deadline for the organisation to respond to the report or to provide a patch. If this deadline is not met, then the researcher may adopt the full disclosure approach and publish the full details.
It’s clear that the responsible disclosure approach is designed to ensure the security researched / enthusiasts identify security flows/vulnerabilities where product owners/vendors fix them with a reasonable time. Also, this system enforces time limits on vendors to act; if not, the researcher can go for full disclosure.
So why would people go with the full disclosure?
- Lack of understanding of Vuleneraility disclosure ethics.
- To gain public attention (to the person)
- Unavailability of a Proper vulnerability disclosure policy by the product vendor
- The intention of finding a vulnerability is to fix them, so if we do a full disclosure in the first place, the attacker could easily exploit it or weaponised them and cause harm against general public systems.
- Someone else already did a responsible disclosure, and the product owner/vendor is already working on a fix (This time known as disclosure embargo).
- You may be violating the software use agreement and could face legal challenges.
- You may be breaking the ethics of cybersecurity. This will also may severely be impacting your career.
Suppose you ever found a vulnerability/security flow. In that case, the best thing you can do is do a responsible vulnerability disclosure, so you play your part in the fight against cybercriminals. If you are unsure, get advice from a cybersecurity professional.
ASD ISMS guidelines on Vulnerability disclosure program - https://www.cyber.gov.au/acsc/
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 29147:2018, Information technology – Security techniques – Vulnerability disclosure, at https://www.iso.org/standard/
CISA Coordinated Vulnerability Disclosure (CVD) Process - https://www.cisa.gov/
The Cybersecurity FAQ series, in the Demystify Cyber project's blog, looks at some commonly asked questions about cybersecurity and cybercrime. If you have a query you would like covered in a future blog post please contact Demystify Cyber via the contact form.
________________________________________
QUESTION: If the website has HTTPS does that mean it is safe?
ANSWER: HTTPS means the web traffic is encyrpted for data transmission security but does not mean the website is safe.
The Hypertext Transfer Protocol Secure (HTTPS), first used in 1994, places a layer of encryption over HTTP to help prevent sensitive data, like payment details, being eavesdropped or leaked. This means that a site using HTTPS is encrypted and private, however just because a website is using HTTPS does not mean the site is safe from being compromised, nor does it prevent a site from dropping malware on its visitors' computers or being used to phish for credentials. In fact criminals may purchase their own certificates to create malicious websites using HTTPS.
Do not be lulled into a false sense of security when you see a site is using HTTPS, it may be encrypted but that doesn't mean the site is not being used by criminals.
If you use connected or connectable technology in any form it is essential you do what is in your power to help protect your information, finances and accounts. Although cyber security can seem daunting, it is just another avaneue of life we need to learn to be secure in. From a young age you may have learned about keys and locking doors, or looking both ways before crossing a street, let's make cybersecurity as easy to understand!
Here is a list of some achievable basic cybersecurity essentials to consider.
Thank you to James Meikle for contributing his expertise to support the Demystify Cyber project.
........................
Risk statements have the power to deliver a
strong message to people from all backgrounds on something bad that might
happen. To be clearly understood common language should be used. There are a
few different ways to formulate risk statements this is just one of the common
ones.
PS: We all need an acronym swear jar!
As I would like to see more powerful messages
and I like Aussie BBQ's. It is time for a combo!
Diving in at BBQs you usually need a story, keep
the interest going use common tongue, use Aussie slang rarely. You tell a story,
and you hope people understand it. Your feedback is provided by still having an
audience and as you practice you get better at it. There is a formular for
success of storytelling – its watchable if you do not do this yourself.
A formula is also needed for successful risk talking.
Let us try a minimal one (in BBQ speak) and yes, I had to change it for the
example – but it is still based on a true story in our very own Gold Coast of
Australia!
“Our family fun day on a whale sighting trip may
be ruined by naughty jet skiers that get too close scaring off whales resulting
in no fun and children in tears.”
This is going to get a bit quirky but let us
try take this apart. My rough translation of talking risk is people trying to explain
the effect of uncertainty against what they want to occur so they can help the
situation.
Event
An event is something that happens due to
something else that disrupts its objective. In this example the objective is
family fun, and the event is a whale sighting tour. Keep it to one event per
statement.
“Our family fun day while on a whale sighting
trip may be ruined”
Cause
The jet skis cannot be linked directly to
kids crying their little hearts out as their effect of being there is scaring
whales. Cause and event can be mixed up if you are not careful – events have
objectives causes do not. There can be more than one cause.
“… by naughty jet skiers that get too close
scaring off whales”
Consequence
The worst examined outcome for the day was whales
not being seen on a (first-time) sightseeing tour with crying kids and ruined
day. I always seem to focus on this one since it is the meaty part of why we
should care about the risk. There can be more than one consequence.
“… resulting in no fun and children in tears”
Okay since my BBQ stories have happy endings
when involving children, I must add this bit…
“The day was saved by instant karma when the
pair were intercepted by the cops waved at by a few really happy children and
camera people. Kids got to see a whale. Day Saved!”
It has been said before we cyber people must
speak many languages but common is the most important.
My quick tips advice
1. Use common language
2. Use specific industry language sparingly - only
if you must (Aussie Slang at BBQs!)
3. Use an obvious formular like:
There is a risk that “Event” occurs that can be “caused by” resulting in “the
bad thing”.
4. Use your voice and read them out loud (take
care of surroundings people)
5. Use the basic one you come up with to build
on what you and add to the narrative.
Break
up the statement using spreadsheeting or other tools to make it easier to
consume if appropriate
6. Use ISACA’s good quality risk statement
questions to sound your content:
What
could happen, Why could it happen, Why do we care.
Helpful
links
Ninety nine problems but a vuln ain't one
Okay, cheesy (revised) lyrics aside, I caught up with my colleague Sean McIntyre - Information Security Analyst at AusCERT - to discuss our shared thoughts on the common misconception that cyber criminals are “hooded / masked baddies” and we outlined some ways in which AusCERT, as a not-for-profit security group can help our members and the general public avoid the common pitfalls of falling victim to a cybercrime and/or incident.
Sean, it isn’t unusual for our collective cultural community to think of cyber security in terms of tired cliches and common tropes. In your opinion, what can we do to help people understand that a cyber criminal and victim could look like anyone, including you and me.
I think it’s really important to talk to folks - family, friends, neighbours even - about how cyber crime isn’t discriminatory, that it can happen to anyone. I feel it’s great that the media draws attention to cyber related incidents, it helps bring the topic to the mainframe. People relate to examples like Nine Network or domain.com.au. However, I do think we can do better at the grassroots-level. We should start talking about it with kids in schools etc., avoid making “cyber” a scary topic. I think organisations like eSafety do some good work in this space [1].
You’ve been working at AusCERT for close to 18 months now, in your opinion and observations, what cyber security challenges are the most common in terms of our membership audience?
Personally, my top 3 observed challenges are as follows:
We sat down and did one of these sessions at the end of last year, when you and I presented a case study on the AusCERT Incident Management service [5]. Can you reiterate the key take-aways for our readers again?
Of course! For those who haven’t had a read of that piece we did together, definitely check it out on the AusCERT website [5].
If you’re an AusCERT member, definitely utilise our 24/7 Incident Hotline or email us at auscert@auscert.org.au for any cyber related incidents.
Where possible, implement the “Essential 8” as outlined by the ACSC [6]. This protocol provides a baseline for cyber security incident mitigation. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems.
Thanks so much for the chat Sean!
.............................
AusCERT is a Cyber Emergency Response Team (CERT) based in Australia. We help members prevent, detect, respond and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland Australia, we deliver 24/7 service to members alongside a range of comprehensive tools to strengthen their cyber security strategy and posture.
..........................
Resources:
[1] https://www.esafety.gov.au/
[2] https://girl-germs.com/?p=2324
[3] https://www.accc.gov.au/media-
[4] https://www.scamwatch.gov.au/
[5] https://www.auscert.org.au/
[6] https://www.cyber.gov.au/acsc/