
How to secure your corporate ICT during the COVID-19 epidemic?

This post was originally posted to my LinkedIn profile here, in cooperation with Auxilium Cyber Security.

With novel coronavirus cases on the rise, people get filled with fear and uncertainty. This seriously impacts all the aspects of our everyday life, and as a result, that of our working life.

Auxilium Cyber Security has long experience with simulated phishing campaigns, testing its clients' readiness at regular intervals. This has produced a good understanding, backed by a good amount of data, of the human factor in a company's cybersecurity.

Watching the huge increase in Covid-19 related malicious emails targeting individuals and companies, it seemed necessary to run Covid-19 themed tests and see how this situation affects employees' readiness and reflexes.

The results were surprising. In the last tests, which were unrelated to Covid-19, an average of less than 5% of users were marked as phish-prone; now the percentage skyrocketed to almost half of the users. This is a huge topic of discussion that every company using web technologies and online communication has to consider. It is an expected outcome of the current world crisis, but supporting data and results of this kind help us understand the situation in depth and have a clear, detailed view of which policies need to be applied and the additional steps that companies have to follow.

Previously discussed topics about phishing apply to the current situation too, but the following simple steps can help any company lower its phish-prone stats and be more secure.

  1. Keep your employees updated. The human factor is the most vulnerable part of your infrastructure. Even with fully updated systems, the strongest security policies and security tests all over the place, a single employee who is not well educated can create a huge security issue. And because of the effect that crisis periods like the one we are experiencing right now have on employee judgment, companies have to update their education policies and adapt them to the needs of each crisis.
  2. Update your stats. Running scheduled simulated phishing campaigns helps companies understand how their staff performs on a frequent basis and what impact a crisis situation can have. Auxilium Cyber Security, with years of experience in simulated phishing campaigns and social engineering, can help you perform these kinds of tests and interpret the results in terms of real-world impact on each company and its assets.
  3. Educate your employees regarding each scenario. Even if employees are updated and secure, crisis situations may affect them in ways that no one can imagine. This is why education has to be adapted to each situation, and companies need to act fast in order to lower the impact of unexpected factors. Auxilium Cyber Security has years of experience in employee security education, customized to each customer's needs and assets and based on years of tests and statistics.

It is common for companies to ignore cybersecurity when other factors can impact a company's existence, but there may be a huge economic impact if they do not get used to acting proactively and planning for risk management. We have seen until now that the biggest effect Covid-19 had on companies was to change their way of working to “work from home”. Many companies were not ready for this either, with many of them struggling to find a way to communicate, connect to their networks, access files securely, etc.

Looking at the big picture, and covering the topic of securely working from home at a high level, some simple tips that every company can follow are the following:

  1. Use encrypted channels of communication and VPN connections. When employees work from home, companies lose control of the network that their employees are connected to. In such cases, the first thing that has to be established is that employees use encrypted channels of communication, in order to stop adversaries from stealing information on poorly secured networks, such as a home or shared network.
  2. Implement a web filtering policy. Devices used specifically for company purposes have to be restricted in what they can browse and what they can do in work-from-home situations. This can be achieved with a mandatory VPN connection to the company that filters the connections and restricts malicious and unwanted traffic.
  3. Encrypt work devices. Devices meant for work, like laptops and smartphones, can easily land in the hands of malicious users when employees work from home for long periods of time. Having a drive encryption policy (even the default OS one, like FileVault for macOS and BitLocker for Windows) can help a company secure its assets and avoid pointless data leaks.
  4. Use secure, shared cloud storage. Sharing files remotely becomes mandatory when working from home. This means that a secure cloud solution has to be used in order to share files fast and efficiently. When searching for your next cloud solution, consider SSL encryption on the cloud provider's website as a must, along with file encryption capabilities for private documents and a highly configurable group policy for your users.
  5. Implement mandatory scheduled security scans. Devices that are not located in the work environment can be used for many things other than work. This means that the attack surface can be wider, with hardware devices, malicious downloads and physical access by malicious users being the biggest issues. For that reason, implement scheduled security scans (for example once a week) in order to manage potential security risks.
  6. Implement a stricter update policy. Client devices tend to stay outdated for long, which means they can become vulnerable very easily and from one day to the next. Implement an update policy and remind employees to keep their OS and all their applications up to date, in order to avoid security implications.

The current crisis situation can be overwhelming for everyone. IT departments get overloaded with requests, and new tasks get created to support working from home. At the same time, working from home creates a whole new attack surface for companies that malicious users can easily exploit. As big as it seems, there are only a handful of easy steps that a company has to follow in order to up its security game and be more confident about its assets and the headaches that a crisis can create. Stay safe, stay home, stay secure.

Thomas Sermpinis for Auxilium Cyber Security


NSA using Browser Cookies to track Tor Users

Web Cookies can track Tor Users easily
Yesterday a new classified NSA document, titled ‘Tor Stinks’, was leaked by Edward Snowden. In it, ideas were being kicked around for identifying Tor users or degrading the user experience to dissuade people from using the Tor browser.
The NSA had a very hard time tracking down all Tor users and monitoring their traffic, especially since Tor servers are all over the world, but they make tracking easier by adopting the following techniques:
  1. By running their own hostile Tor nodes
  2. By using a zero-day vulnerability in the Firefox browser
  3. By tracking users' browser cookies
Tor access node tracking is not new, and the document says that both the NSA and GCHQ run Tor nodes themselves. In order to trace traffic back to a particular Tor user, the NSA needs to know the ‘entry, relay and exit’ nodes in the anonymizer cloud between the user and the destination website.
So for tracking purposes they used self-hosted nodes, which are able to trace only a very small number of Tor users compared to the whole system. It is also much more difficult for the intelligence community to run enough nodes to be useful for tracking.

In the second method, the NSA targeted Tor users using a zero-day vulnerability in the Firefox browser bundled with Tor, which allowed them to get the real IP address of the Tor user. Using the same technique, the FBI was able to track the owner of ‘Freedom Hosting’, the biggest service provider for sites on the encrypted Tor network, which hosted many child pornography sites. Mozilla has now fixed that Firefox flaw.

In another method, the NSA is using web cookies to track Tor users widely. Even if you are using the Tor Browser, it doesn't mean that your browser isn't storing cookies on the system.
A cookie is a plain text file that sits on your computer in a temporary folder and stores data about a browsing session. If you log into a website, it generally sets a cookie to temporarily store your information so you don't have to log in every time you change page, because on your next visit the website can read your information from the same cookies stored in the browser.
A cookie can track your browsing behaviour. Advertising networks, e.g. Google and Bing, use this data to understand how users use their partner websites and optimize their networks for the average user that visits them.
How is the NSA using cookies to track Tor users?
Let's suppose that there is a famous online shopping website, owned or controlled by the NSA. When a normal user opens that website from his own real IP address, the website creates a cookie in the user's browser and stores the real IP address and other personal information about the user.
When the same user visits the same NSA-owned website again, this time with Tor enabled on the same browser, the website reads the last stored cookies from the browser, which include the user's real IP address and other personal information. The website then just needs to maintain a database of real IP addresses against the IP addresses seen when Tor is enabled in order to track anonymous users.
The more popular the site is, the more users can be tracked easily. Documents show that the NSA is using online advertisements, i.e. Google Ads, to make their tracking sites popular on the internet.
How can you avoid cookie tracking?
One browser can't read the cookies created by another browser. So don't use Tor on the same browser that you use for regular browsing with your real IP address. Only use the standard Tor Browser Bundle for anonymous activities; it includes a preconfigured Firefox browser, and anything you do inside that browser is anonymized.
You should always clear the cookies after you're done, so that any stored information, such as login information, will not be stored on that computer.
If you are doing something very interesting, you should use Tor on a virtual machine with a live OS, so that cookies, cache and other OS data are dumped when the machine is closed.
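The cookie linking described in the two sections above, and the two mitigations (a separate Tor Browser profile, clearing cookies), as an added illustration that is not part of the original article or the NSA document: a small Python model with a constructed tracking site and browser profiles, so the three situations can be compared side by side. The host `shop.example`, the IP addresses (RFC 5737 documentation ranges) and all class and function names are constructed assumptions for this example.

```python
# Added illustration for this post: a constructed in-memory model of the cookie
# linking problem described above, and of the two mitigations (separate browser
# profile, clearing cookies). Not code from the original article or the NSA document.
import secrets
from dataclasses import dataclass, field


@dataclass
class BrowserProfile:
    """One browser profile with its own persistent cookie jar: host -> cookie value."""
    jar: dict = field(default_factory=dict)

    def clear_cookies(self) -> None:
        self.jar.clear()


class TrackingSite:
    """A site that hands every new visitor a random identifier cookie and logs the
    source IP of every request that presents it (constructed model of the article's
    'NSA-owned shopping site')."""

    def __init__(self, host: str = "shop.example") -> None:
        self.host = host
        self.ips_by_cookie = {}   # cookie value -> list of source IPs seen with it

    def visit(self, browser: BrowserProfile, source_ip: str) -> str:
        cookie = browser.jar.get(self.host)
        if cookie is None:
            # First visit from this profile: Set-Cookie with a fresh identifier.
            cookie = secrets.token_hex(8)
            browser.jar[self.host] = cookie
        # Every visit: the browser sends the cookie back and the site records the IP.
        self.ips_by_cookie.setdefault(cookie, []).append(source_ip)
        return cookie

    def can_link(self, real_ip: str, exit_ip: str) -> bool:
        """True if one cookie was presented from both the real IP and the Tor exit IP."""
        return any(real_ip in ips and exit_ip in ips
                   for ips in self.ips_by_cookie.values())


# Constructed addresses from the RFC 5737 documentation ranges.
HOME_IP = "203.0.113.7"     # the user's real address
EXIT_IP = "198.51.100.42"   # the address a Tor exit node would show to the site


def shared_profile_scenario() -> bool:
    """Same profile used directly, then over Tor: the cookie ties EXIT_IP to HOME_IP."""
    site = TrackingSite()
    profile = BrowserProfile()
    site.visit(profile, HOME_IP)   # everyday browsing with the real IP
    site.visit(profile, EXIT_IP)   # later, Tor enabled in the same browser
    return site.can_link(HOME_IP, EXIT_IP)


def separate_profile_scenario() -> bool:
    """Dedicated Tor Browser profile: a different jar, so the site sees two unrelated cookies."""
    site = TrackingSite()
    everyday = BrowserProfile()
    tor_browser = BrowserProfile()
    site.visit(everyday, HOME_IP)
    site.visit(tor_browser, EXIT_IP)
    return site.can_link(HOME_IP, EXIT_IP)


def cleared_cookies_scenario() -> bool:
    """Same profile, but cookies cleared before the Tor session: the link is broken too."""
    site = TrackingSite()
    profile = BrowserProfile()
    site.visit(profile, HOME_IP)
    profile.clear_cookies()
    site.visit(profile, EXIT_IP)
    return site.can_link(HOME_IP, EXIT_IP)


if __name__ == "__main__":
    scenarios = [("shared profile", shared_profile_scenario),
                 ("separate Tor Browser profile", separate_profile_scenario),
                 ("cookies cleared before Tor", cleared_cookies_scenario)]
    for name, fn in scenarios:
        print(f"{name:30s} -> site can link real IP to Tor exit IP: {fn()}")
```

Only the shared-profile case lets the site correlate the two addresses; the model also makes the article's point that the cookie itself need not contain the IP, since the site can log the source address of each request that presents the same identifier.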

This same technique is used by the Chinese government to block its citizens from reading censored internet content, and has been hypothesized as a probable NSA attack technique, but neither effort was successful enough to compromise the network as a whole.

Source: TheHackerNews.com

Cr0w Tom