Many of us travel for work, and as such, we must connect to a number of untrusted networks in order to stay on top of things. These public networks, while seemingly non-threatening, can be a hostile environment with malicious users seeking to extract any sensitive data they can, such as credit card information, personal information, and passwords. Some may say that this is unlikely and that if there was a malicious user on a public network, they would be protected with the use of encrypted services. However, I would argue that this is not the case at all. Often adverse agents will use “passive” monitoring techniques to intercept data being sent over the network. This can be accomplished with any packet sniffing tool but will only allow an attacker to see traffic that is “in the clear” or unencrypted. If an attacker intends to intercept data transported via TLS, SSL, HTTPS, or from encrypted services like Gmail, Slack, or Dropbox, they need a way to subvert the in-transport data protection mechanisms.
One of the most common methods an attacker can utilize to defeat transport encryption is a Man-in-the-Middle (MIM) attack. At a high level, an attacker can sit in-between a target user and the secure service they are communicating with, break the established secure connection between the user and the service, and force unencrypted clear-text communication of information back to the victim – data that can be easily captured by the attacker. This all happens in the background, almost seamless to the user. In such an attack, the only noticeable difference is likely to be the use of “http” vs. “https” in the address bar of a browser or a missing lock icon, which is likely not enough of a warning to alert the user to what is happening unless they have been trained to detect such an event.
If users do not understand basic attacks that can deceive them into letting attackers through the front door, it is bound to happen and remains a legitimate concern for their organization. Human risk is difficult to mitigate, even though it is one of the easiest and most common weaknesses for an attacker to exploit. Organizations are realizing this, and rethinking how they provide security awareness training to their employees. Security Awareness has long been a compliance-based necessity, but more and more organizations are reaching beyond compliance and trying to achieve best practice standards.
Educating your employees on common cyber threats like SSL spoofing, phishing attacks, and social engineering can reduce your organization’s human risk level. According to Forbes magazine, in 2015, companies spent $1 billion annually on security awareness training in attempts to reduce human risk. When combined with testing procedures to collect relevant metrics, a security awareness program can have very real, tangible effects on your organization’s overall risk. However, building out an effective, mature, security awareness program is not a small undertaking. Understanding what training to provide to particular employees, and how to then test them to ensure they are able to apply the information can be difficult and time-consuming. As organizations begin to recognize the value in addressing human risk, the need to implement security awareness capabilities programmatically and strategically becomes ever more necessary. Approximately 70% of cyber attacks use a combination of phishing and hacking techniques, with the increase in technical security and hardened defenses, end users are proving to be easy targets for attackers.
If your organization is struggling with controlling human risk and implementing an effective security awareness program to do so, CyberSheath can assist you in constructing a program to train your employees on a variety of security topics in order to enable a broad security mindset, and address behavioral risks as they relate to security and ultimately reduce the number of security events due to human risk. We provide services that assist clients in building and maintaining security awareness programs that not only meet compliance requirements but go above and beyond to impact an organization’s human risk level through effective policy/program design, implementation and a proven metrics framework.
Cybersecurity researchers are increasingly concerned with Internet-connected vehicles. Vehicles nowadays are connected to owners’ homes, traffic signals, insurance companies, and more and are just as vulnerable as corporate networks. Security analysts and researchers have demonstrated ways to remotely manipulate a car’s system that controls braking, accelerating, steering, and other critical functions. Furthermore, these vulnerable systems were not limited to one brand or model of car. As such, the FBI and National Highway Traffic Safety Administration (NHTSA) issued a public service announcement in March warning of the potential cyber threats.
According to the public service bulletin, researchers could gain control over these critical safety functions by exploiting wireless communications vulnerabilities. According to the bulletin, despite remediating the wireless vulnerabilities, third party and aftermarket equipment and devices with the Internet or cellular access plugged into diagnostic ports could also introduce additional wireless vulnerabilities. By exploiting weaknesses in vehicles’ wireless communication and entertainment functions and connected to the controller area network (CAN), researchers were able to accomplish the following:
Target vehicle at 5-10 MPH
- Engine shutdown
- Break disablement
Target vehicle at any speed:
- Door locks
- Turn signals
While it is important to note that there have not been any reported incidents involving vehicles being hacked, manufacturers did issue a recall notice (NHTSA Recall Campaign Number: 15V461000) in order to remediate the vulnerabilities. The NHTSA and FBI provide additional tips and security awareness here.
According to Deloitte, the vast amount of software running in cars raises many concerns about the quality and security of the vehicle and everything connected to it. Manufacturers and suppliers will need to address these issues including cyber risk, building cybersecurity into software and component design lifecycles, monitoring the threat actors, and collect and share cyber threat intelligence.
Regardless if you are a vehicle manufacturer, Fortune 500 organization, or a small business, security is everyone’s responsibility. CyberSheath can help you on the path towards security maturity.
ARS Technica recently published an article on the security of inflight Wi-Fi. Providers like GoGo Wireless and Global Eagle Entertainment offer passengers to pay for use of Wi-Fi services. While customers may think their communications and activities are secure, think again, says USA Today columnist Steve Petrow. Mr. Petrow was “hacked” while on an American Airlines flight – a man claimed to have been able to read his email communication with a source for a story. Given the overall Wi-Fi security lapses, as addressed in this post from ComputerWorld, it is easy to begin to understand how this can happen. But what can be done about it?
First, Wi-Fi on an airplane operates similar to public Wi-Fi networks. Access is granted through a “captive portal” where you have to provide login details and/or payment info and accept the terms of service. Once that is done – the user is granted access to the web. There is no password protection on the connection, which means the traffic that is carried on the Wi-Fi network’s packets is being transmitted in the clear. This means anyone listening can grab the data that passes through the access point.
Second, inflight wireless networks have taken a further step that affects the privacy of the network by blocking basic network security tools such as secure HTTP and some virtual private networks. Without these basic building blocks of security, it becomes clear how Mr. Petrow was “hacked.” When you are on a public Wi-Fi your device becomes visible to other people on the network. Unencrypted traffic is visible and in cases where the user is using POP/SMTP, that traffic is also readily visible.
While it appears that blocking basic security measures appears to be an oversight, it is indeed intentional. Gogo and Global Eagle Entertainment block some commercial VPN networks and GoGo was issuing its own certificates for secure websites such as Google. By stripping away SSL encryption this allows Gogo to prevent passengers from accessing sites with inappropriate content and gives law enforcement more visibility into the browsing and search habits of GoGo customers. ARS Technica reported that GoGo works closely with law enforcement and designed their inflight network with law enforcement in mind:
“In designing its existing network, Gogo worked closely with law enforcement to incorporate the functionalities and protections that would serve public safety and national security interests…”
While the jury is still out as to whether or not Wi-Fi networks do not pose a threat to airplane communications or functionality, the passengers using the service should be aware of what they are signing up for. Attackers sitting on flights wishing to hack into a passenger’s device can easily set up a fake access point, rerouting legitimate traffic to their laptop with two Wi-Fi signals. While SSL would still protect passengers from accessing other user sessions, a determined attacker can overcome this with tools like SSL Strip.
To protect your session, ARS technica recommends using a VPN connection (if it will work), and ensure that sharing has been disabled. Also, pay attention to the certificate warnings. If chrome or firefox warns of a bad or unknown certificate, don’t proceed – wait until you are on the ground with a better network to connect to. Of course, the best defense is to turn off your Wi-Fi and work offline.
What does this mean for your organization? As your organization sends workers around the globe, it is important to develop good security habits. Start with security awareness training. Ensure devices are protected. An employee who travels a lot is likely to introduce something back into the network when she connects with the “mothership” so it is imperative that devices are routinely patched and monitored for vulnerabilities.
Whether or not you send your employees on the road frequently, CyberSheath can help you build your security program to make informed and secure travelers.
There is a steady growth of businesses adopting wireless technology to increase their workforce productivity but this productivity gain is not without a heavy surge in security risks. External and internal security threats have successfully targeted and compromised corporate wireless networks for years, which in turn, has driven the demand for heightening vigilance when both deploying Wi-Fi networks and specialized training for employees on how to use these networks. Corporate WLAN isn’t going away anytime soon so it’s important that we understand the top security risks that plague this technology and how professionals may bridge the gap in security maturity.
The Impact to the Security Boundary
Boundary security is only as strong as its weakest link. In the case of Wi-Fi, I find that physical security is an effective analogy for illustrating the impact Wi-Fi has on the security boundary. Effective physical security controls ensure that unauthorized individuals don’t just walk up and plug their computer into the company’s ethernet ports but wireless networks, however, introduce new opportunities for threat actors by removing the need for physical penetration. By simply getting physically close enough, a threat with a laptop and a wireless LAN card may be able to get an IP address on the network. Yagi, backfire, and other less expensive makeshift antenna’s capitalize on this vulnerability from several miles away which considerably reduces any direct risk to a threat.
This is the case is amplified when we consider Wi-Fi availability in the company parking lot(s). The best metaphor I have seen that captures the reality of wireless connectivity in the company parking lot comes from the National Institute of Standards and Technology (NIST), they stated,
“Perhaps the most significant source of risks in wireless networks is that the technology’s underlying communications medium, the airwave, is open to intruders, making it the logical equivalent of an Ethernet port in the parking lot.”
The physical deployment or signal strength should be limited so that wireless signals do not extend out into the parking lot and while that might make some of some smokers angry but the gains and benefits to security are much more substantial.
The last significant hit to the security boundary that I’ll talk about stems from the mobile technology explosion in recent years. The explosion in mobile technology has driven advancements into networking technology to support these devices, fingerprint them, and ensure identity management. The sheer volume of mobile devices found in companies today has created significant challenges for security teams and unanticipated risks from internal and external threat adversaries for wireless networks, creating a new dynamic that has expanded the network beyond traditional boundaries.
Wireless “Rogue” Access Points
Rogue devices are wireless devices, such as an access point, that should not be on your network. It’s that simple. IT and Security teams that identify equipment that they don’t recognize should be taking steps to investigate and block them from network access immediately. Policies, training, and practices should be enforced to prohibit employees from setting up their own “rogue” access points. Additionally, vulnerability scanners can be leveraged to check for activity on any wireless bands or channels you don’t usually use.
The Nefarious “Evil Twins”
I consider evil twins to be the most atrocious WLAN vulnerability that exists today. For those who aren’t familiar with this term, let’s talk about what “evil twins” are first. Evil twins can be summarized as a nasty variant on phishing attacks and a distant cousin to rogue access points. They can be used appropriately by ethical penetration testers but in the wrong hands, they are inherently malicious. The objective of an evil twin is to lure the unsuspecting individual into connecting to an access point that is masquerading as a legitimate source to then deceive the end-user into releasing sensitive information.
To illustrate the danger here let’s use Starbucks as an example. Let’s take an individual who frequents Starbucks often and uses their free wireless by connecting to their access point “Starbucks”. Unfortunately, about 99% of the population doesn’t change their laptops or mobile devices default configurations and these default configurations are set to remember the SSIDs you connect to and for the sake of user convenience will connect to these SSIDs automatically when you enter their proximity. This becomes a particularly dangerous situation when we bring evil twins into the picture.
An individual with malicious intent that happens to have a small and relatively inexpensive evil twin hacking tool, such as a Pineapple, could walk into a mall, activate this device, have it broadcast the same SSID as Starbucks, connect it to another Wi-Fi source, and then sit and wait. Any users that connect to the innocuously appearing Wi-Fi access point might face a direct phishing attack through a fraudulent website or worse, have all of their network traffic transparently monitored and captured. There are additional tools at a hacker’s disposal that act simply of fingerprinting devices.
Granted this example focused on some fairly mundane circumstances but I ask that you stretch your imagination and consider the same malicious tactics nearby your company parking lot. It gets a little real, right?
So what can be done about this? Well first and foremost, you need to educate and train your employees the threats and risks that exist in Wi-Fi. Secondly, IT and Security teams can implement the Extensible Authentication Protocol (EAP) under 802.1X. There are a number of EAP configurations that are secure against evil twin attack. For instance, IEEE endorses the EAP-SWAT configuration since its implementation is lightweight and integrates a one-way access point authentication inside EAP.
Treat all Wireless Connections as Insecure
All corporate WLAN should be encrypted with the latest and greatest encryption mechanisms available but that’s still not enough to secure a wireless network. Wireless networks should be treated the same as the public internet and segmented entirely from trusted internal networks. They should require end-users to authenticate (preferably with some kind of two-factor) through a VPN or a similar mechanism before allowing access to a trusted wired network segment. In addition, I encourage everyone I talk to run regular penetration tests against the wireless network for security holes and to add the WLAN devices into a regular schedule for vulnerability assessments.