Posts

What Was Scary About Blackhat 2017?

As you might know, at the end of July, all types of hackers came to Las Vegas to attend Blackhat 2017. During the conference, some pretty scary hacks were exposed, and we can all take this as a lesson on what we are up against in this technology-heavy world. Here are some of the scariest hacks we learned about during Blackhat 2017:

Carwash Hijacking

Nothing is safe from technology, and these days, carwashes are an unexpected target for hackers. It is perfectly possible that a car wash could be hacked, controlled remotely, and used to destroy vehicles. Scary.

Hacking Cars

Speaking of vehicles, it was also revealed how easy it is for a pro to hack automobiles. Just last year, Chinese hackers were successful in hacking a Tesla S. The hackers disabled the brakes, so Tesla updated security in its cars. However, recently, the car company was hacked again, showing that hackers always find a way.

Oculus Headsets and Hoverboards

Another scary hack participants learned about was that hackers can access hoverboards and the Oculus Rift headsets. These hacks could cause the devices to shake uncontrollably, bringing harm to those who are using them.

Printer Hacking

Michael Howard Chief Security Advisor of HP and painfully demonstrated that only 18% of IT security managers are concerned about printer security where as 90% are concerned about PC’s. That stat is one reason why ?92% of Forbes Global 2000 companies experienced a breach in 2016 which in part resulted in 4 billion records breached worldwide. According to the Ponemon Institute, 60% of data breaches reported by companies involve printers. Very scary.

The Motivation of Adversaries

We also learned that hackers wanting money, data, or intelligence aren’t their only motivation. More and more, they are motivated by the ability to manipulate people, to undermine democracy, and to wreak havoc for journalists and activists.

Wind Hacking

Wait, what? Participants at Blackhat 2017 also learned about how the bad guys are hacking the wind. Well, not actually the wind, but the systems that create wind energy. The main motivation here is money. Just one hacked turbine can cost anywhere from $10,000 to $30,000 per hour. That’s a lot of leverage for hackers who only need to hack a single turbine to demand ransom to set the turbine free.

Hacker Masquerade

Hackers are also using a savvy technique to hack phones. Chinese hackers are switching from targeting high tech LTE networks to slow 2G technology. This means, when our phone switch to a slower network, which happens if the signal isn’t strong, even if you have great security, your phone can still be hacked.

Facebook Bounties

These are some of the scariest hacks we saw at Blackhat 2017, but never fear, white hat hackers are on it. In fact, companies like Facebook are offering cash, up to $1 million, for developers who create software to keep users safe. OK, not scary. But good.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Black Hat 2017 was an Amazing Event

In July, more than 15,000 security pros, hackers, hobbyists, and researchers met in Las Vegas for the Black Hat Conference 2017 at Mandalay Bay in Las Vegas. This was the 20th year that the security conference was held, and both black and white hat hackers joined together to discuss security.

For two decades, Black Hat has gained a reputation for demonstrations of some of the most cutting-edge research in information security as well as development and industry trends. The event has also had its share of controversy – sometimes enough to cause last-minute cancelations.

Launched in 1997 as a single conference in Las Vegas, Black Hat has gone international with annual events in the U.S., Europe and Asia.

Black Hat 2017 was almost a full week of everything having to do with IT security. There were hands-on training sessions, a full business hall where vendors gathered with swag and products, and of course, parties. I hit 5 parties in 3 nights. I’m totally spent.

This is a conference that attracted some of the brightest people in the world of security, and has a reputation for bringing together all types of professionals and amateurs interested in hacking, security, or the latest in encryption.

What’s interesting about Black Hat 2017 is that there is something for everyone. From hackers trying to hack hackers to remaining “off the grid,” you never know what you might find. In fact, most people who attended this conference decided to stay away from electronic communication all together. Let’s just say leaving devices in airplane mode, shutting off Wi-Fi, using VPNs, and always utilizing two-factor authentication for critical accounts is the norm during the conference for veteran attendees.

One of the most popular parts of Black Hat 2017 was the briefing on business protection. It’s important to note that many companies have employees that simply don’t comply with security policies. Additionally, these policies aren’t governed enough, and it is costing millions. In her presentation Governance, Compliance and Security: Three Keys to Protecting Your Business, the speaker from HP, Sr Security Advisor, Dr. Kimberlee Brannock, during her 16-year tenure at HP, Dr. Kimberlee Brannock has used her extensive education and experience in compliance and governance to shape HP’s security standards. shared why it’s not always enough to secure business networks and why governance and compliance really matters. With 25 billion connect devices by 2020, maintaining proper network and data security compliance is an important concern for any business, as noncompliance costs businesses an average $9.5 million annually through fines, lost business and lawsuits.

Another very popular briefing at Black Hat 2017 was Staying One Step Ahead of Evolving Threats demonstrated on average, an organization has more than 600 security alerts each week, and over 27,000 endpoints leading to 71% of data breaches starting from the endpoint.

Most put in thousands of hours, and dollars, for that matter, on securing servers, laptops, and data centers, but many companies are ignoring other areas of security vulnerability. One of the best things about this briefing was that the leader, Michael Howard from HP, Chief Security Advisor, as Worldwide Security Practice Lead, Mr Howard is responsible for evolving the strategy for security solutions and services in Managed Services. He gave a lot of information on printer security, something that most businesses fail to address. He used real-world examples of how some of the most secure organizations are still lagging in their print security and share how he uses a proven framework to secure the print infrastructure.

Overall, Black Hat 2017 was an eye-opening experience, and with the world of network security changing all of the time, all in attendance surely learned something new. I met a ton of very cool characters, partied hard, drank too much, ate too much, slept none and to keep my data secure, I’m considering moving off grid to a cave in the Outback of Australia.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Blackhat Hackers Love Office Printers

The term, or in this case the word “blackhat” in tech generally refers to a criminal hacker. The opposite of black is white and a “whitehat” is a security professional. These terms originate from the “spaghetti western” movies when the bad guy cowboy wore a black hat and the law wore white hats. Fun huh?! Blackhat is also the name of the largest conference on the planet for information security. The conference itself is 20 years old and as Alex Stamos who is the CSO for Facebook and also Blackhat 2017’s keynote speaker said “Blackhat isn’t even old enough to drink” That statement reflects just how far we’ve come in information security and also how much more there is to do.

One of the presentations at Blackhat discussed printer security called “Staying One Step Ahead of Evolving Threats” by Michael Howard Chief Security Advisor of HP and painfully demonstrated just how much more there is to do.

Do you ever feel as if your office printer is dangerous? Most of us don’t. In fact, more than half of businesses don’t even bother adding printers to their security strategies. Mr Howard stated only 18% of IT security managers are concerned about printer security where as 90% are concerned about PC’s. That stat is one reason why ?92% of Forbes Global 2000 companies experienced a breach in 2016 which in part resulted in 4 billion records breached worldwide.

Hackers know this, so office printers are the perfect target for them. Remember, printers are connected to the network, and if unprotected, they are easily hacked. According to the Ponemon Institute, 60% of data breaches reported by companies involve printers. So, why do hackers love printers? Here are a bunch of reasons:

Networks are Vulnerable

Even if you have a firewall, there are several devices that might be on a network that are access points to that network. When you don’t add your printer to your security plan, it becomes a welcome access point to hackers. Once they get in, the consequences could be terrible for a business.

Hackers Can Get Useful Data

The data that hackers can get from printers that are not protected is unencrypted. If one of your staff members sends sensitive information to the printer, yet it is unencrypted, the hackers can read it. Mr Howard shared how one universitys unsecured printers led to students hacking tests days before they were taken, giving the students a significant advantage. Do you really want your company’s data to be open like that? All hackers have to do is take it if the printer isn’t protected.

They Know They Can Access Other Devices

Hackers also love office printers because they know that once they are in, they can access other unprotected endpoints on the network. Mobile devices are an excellent example of this. It is quite challenging to secure access to all of these devices. The more devices that are connected to the network, the easier it is to access it.

Information Leaks

How many times have you printed something at the office and let it sit in the tray for a while? This happens often. Hackers know this, too, and they can essentially print anything once they have access to the printer and retrieve it at any time. This easily opens up the business to compliance issues.

Finally, hackers love office printers because they get inside access. ?Once the printer is compromised, so is the rest of the network.

  • Change the printers default passwords.
  • All computing devices including printers need encryption.
  • Printer hard drives have lots of data. Destroy hard drives prior to recycling or reselling.
  • Printer firmware and software needs to be regularly patched and updated.
  • Use “fleet management” tools to ensure all of the companies devices are protected.

When businesses implement security policies and procedures that directly address endpoints, including printers, they significantly reduce risk and maintain proper network and data security compliance.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

What are Bug Bounties?

A bug bounty refers to the reward a bad-guy hacker gets upon discovering a vulnerability, weakness or flaw in a company’s system.

6DThis is akin to giving a reward to a burglar for pointing out weaknesses in your home’s security.

But whom better to ask than a burglar, right? Same with a company’s computer systems: The best expert may be the black hat or better, white hat hacker.

An article at bits.blogs.nytimes.com says that Facebook, Google, Microsoft, Dropbox, PayPal and Yahoo are on the roster of companies that are offering hackers bounties for finding “bugs” in their systems.

A “zero day bug” refers to an undiscovered flaw or security hole. Cybercriminals want to know what these zero day bugs are, to exploit for eventual hacking attempts. There is a bustling black market for these non-identified bugs.

Compounding the issue is that it is becoming easier for Joe Hacker to acquire the skills to infiltrate—skills that common hackers never would have had just a few years ago, and especially a decade ago. So you can see how important it is for businesses to hire the best at finding these bugs and rewarding them handsomely.

So yes, hackers are being paid to report bugs. The bits.blogs.nytimes.com article says that Facebook and Microsoft even sponsor an Internet Bug Bounty program. Such a program should have been started long ago, but it took some overlooked bugs to motivate these technology companies to offer the bounties.

Heartbleed is an example. Remember that? It was a programming code mistake that affected certain SSL certificates—which help protect users on a secure website. As a result, over a dozen major tech companies began an initiative to, as the bits.blogs.nytimes.com article says, “pay for security audits in widely used open-source software.”

So as clever as bug bounties sound, it shouldn’t be regarded as the be-all end-all solution. How about an incentive to get developers to implement secure, mistake-free coding practices? Well, companies are trying. And they keep trying. But with humans behind the technology, there will always be mistakes.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

What is a Hacker?

You probably think you know what a “hacker” is, but the images portrayed in the media can be misleading. You may be thinking of a geeky-looking guy who causes peoples’ computers to get infected with viruses or cracks passwords to raid the accounts of big business. This is one kind of hacker, but in a broader sense a hacker is a person (male or female) who uses their programming skills and technical knowledge to create and modify computer software and hardware by finding their weaknesses and exploiting them.

11DHackers can be motivated by a number of reasons, both positive and negative. For instance, criminal hackers can create malware to commit crimes, such as stealing information and money, while other hackers are benevolent. They may work for big companies or the government in the name of protecting them from bad hackers.

It helps to be familiar with these general categories of hackers:

Black hat hackers

This is a hacker who gains unauthorized access into a computer system or network with malicious intent. They may use computers to attack systems for profit, for fun, for political motivations, or as part of a social cause. Such penetration often involves modification and/or destruction of data, as well as distribution of computer viruses, Internet worms, and spam.

White hat hackers

Also known as “ethical hackers,” white hat hackers are computer security experts who specialize in penetration testing and other testing methodologies to ensure that a company’s information systems are secure. These security experts may utilize a variety of methods to carry out their tests, including social engineering tactics, use of hacking tools, and attempts to evade security to gain entry into secured areas.

Gray hat hackers

These are skilled hackers who sometimes act legally, sometimes in good will and sometimes not. They are a hybrid between white and black hat hackers. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits.

In addition to these definitions, the term “hacker” is currently used to refer to any individual who deliberately tries to compromise a computer system—regardless of objective.

It may also simply refer to someone who likes to tinker around with the innards of computer systems, and it may also mean a really smart person who can solve any computer problem.

So, while you may have generally thought of hackers as criminals, the term actually describes a range of people with different technical skills and motives. That’s why it would be more helpful if we used the term with descriptors, such as “white hat hacker” or “criminal hacker,” so we have a better idea to whom we are referring.

After all, hackers shouldn’t have a bad reputation overall. They are usually very talented people and we need more of the good variety: white hats.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Are All Hackers Bad?

The word hacker has a pretty negative connotation. It brings to mind other words like cybercriminal, thief, and malicious. It’s easy to see why hacker has a bad rep. The news is full of stories about hackers stealing data from large companies and the government. Hackers are the bad guys.

But are they?11D

Tesla just recently announced they are hiring hackers to find and fix security holes in the Model S car. Google started a league of hackers called “Project Zero” to track down security flaws in their software. Companies like Facebook and others sponsor hack-a-thons, where anyone is invited to try and crack their systems, all the time. Why would these companies want to hire or incentivize hackers?

The truth is not all hackers are the same. Here are the different kinds of hackers:

  • White hat hackers: Also known as “ethical hackers,” these hackers use their skills to make the Internet a safer place. Some white hat hackers do this for fun and then report the information to companies or sites they have broken into so the companies and sites can be fixed. It is these white hat hackers that Tesla is hiring they can find any security holes in their Internet-enabled cars before the bad hackers find and exploit them.
  • Gray hat hackers: These are the guys in the middle. They sometimes act legally, sometimes not. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits. An example of gray hat hackers is hacktivists—who hack to bring attention to a political agenda or social cause. Anonymous, a predominant hacktivist group, recently took down multiple Israeli websites in protest of the Gaza crisis.
  • Black hat hackers: These are the bad guys that give the word hacker its negative connotation. These hackers are committing crimes…and they know it. They are looking to exploit companies or you and your devices for their financial gain.

So the next time you hear the word hacker, don’t automatically assume it’s a bad thing. Hacking can used for good and evil, it all depends on the hacker’s intent.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

FFIEC Mandates “System Of Layered Security” to Combat Fraud

For any cave-dwelling, living-under-a-rock, head-in-the-sand, naïve, under-informed members of society who aren’t paying attention, we have serious cyber-security issues on our hands.

Black hat hackers, who break into networks to steal for financial gain, are wreaking havoc on banks, retailers, online gaming websites, and social media. Black hats cost these companies and their clients billions of dollars every year. They are using stolen usernames and passwords to transfer money through wire transfers, Automated Clearing House (ACH) and through billing fraud.

The Federal Financial Institutions Examination Council (FFIEC) has repeatedly implored that come January 2012, any lagging financial institutions will be required to significantly upgrade their security protocol. Since any existing form of authentication can be compromised, the FFIEC recommends that financial institutions should institute systems of “layered security.”

Previous FFIEC recommendations discussed authentication, suggesting that the security issue takes place when a user logs in. But in fact, not all the danger occurs at login. Other website integration points are vulnerable to security issues, particularly at the point when money is transferred.

According to the FFIEC’s recent update:

“Fraudsters use keyloggers to steal the logon ID, password, and challenge question answers of financial institution customers. This information alone or in conjunction with stolen browser cookies loaded on the fraudster’s PC may enable the fraudster to log into the customer’s account and transfer funds to accounts controlled by the fraudster, usually through wire or ACH transactions.”

One of the FFIEC’s recommendations for financial institutions involves complex device identification. iovation, an Oregon-based security firm, goes a step further offering Device Reputation, which builds on complex device identification with real-time risk assessments, the history of fraud on groups of devices, and their relationships with other devices and accounts which exposes fraudsters working together to steal from online businesses.

Smart financial institutions aren’t just complying with the FFIEC’s security recommendations, but are going beyond by incorporating device reputation into their layered security approach.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

7 Types of Hacker Motivations

There are good and bad hackers. Here is a window into what they do and why:

White Hat Hackers: These are the good guys, computer security experts who specialize in penetration testing and other methodologies to ensure that a company’s information systems are secure. These IT security professionals rely on a constantly evolving arsenal of technology to battle hackers.

Black Hat Hackers: These are the bad guys, who are typically referred to as just plain hackers. The term is often used specifically for hackers who break into networks or computers, or create computer viruses. Black hat hackers continue to technologically outpace white hats. They often manage to find the path of least resistance, whether due to human error or laziness, or with a new type of attack. Hacking purists often use the term “crackers” to refer to black hat hackers. Black hats’ motivation is generally to get paid.

Script Kiddies: This is a derogatory term for black hat hackers who use borrowed programs to attack networks and deface websites in an attempt to make names for themselves.

Hacktivists: Some hacker activists are motivated by politics or religion, while others may wish to expose wrongdoing, or exact revenge, or simply harass their target for their own entertainment.

State Sponsored Hackers: Governments around the globe realize that it serves their military objectives to be well positioned online. The saying used to be, “He who controls the seas controls the world,” and then it was, “He who controls the air controls the world.” Now it’s all about controlling cyberspace. State sponsored hackers have limitless time and funding to target civilians, corporations, and governments.

Spy Hackers: Corporations hire hackers to infiltrate the competition and steal trade secrets. They may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use similar tactics as hacktivists, but their only agenda is to serve their client’s goals and get paid.

Cyber Terrorists: These hackers, generally motivated by religious or political beliefs, attempt to create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most dangerous, with a wide range of skills and goals. Cyber Terrorists ultimate motivation is to spread fear, terror and commit murder.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing another databreach on Good Morning America. (Disclosures)