Showing posts with label Intellectual Property Theft. Show all posts
Monday, September 2, 2013
The Pocket Sized Attack
Back in July Reuters reported on warnings by a UN team regarding mobile device vulnerabilities.
Last week, I got an email notice from the Facebook gods that once again their policies were changing, among them some updates to language concerning what data you're sharing with mobile devices.
4 days prior to that, I saw this article in the New York Times about malicious software being installed by clicking on a video link.
And immediately prior to that, Red Sky and Wapack Labs came out with a Priority Incident Report in which it was stated:
"Kaspersky recently reported that five million Android devices have been infected with malware, through Google Cloud Messaging, which allows hackers to send update messages directly to applications installed on a device.[i] The malware is designed to steal the victim's information including the phone’s contact list and is the most diffused agent in over 97 countries."
As I mentioned previously, one of the most common vectors that bad people use to get into the intellectual property of companies large and small is through you and your contacts.
Being able to hijack a contact list allows hackers to gain a treasure trove of information that otherwise would take multiple phishing attacks over long periods of time. Names, addresses, phone numbers, company info...all of which can be used in very specific social engineering.
I'm delivering a presentation in a few weeks to a group of concerned parents that are exactly the same as every other parent. They are concerned about their children and want to do everything they can to protect them. What makes this group intriguing is that they have extremely high net worth.
Does this make them any different than you and me? Not in the least.
Hackers will use any vector they can to get the information that they need. High net worth individuals tend to be in CXO type positions or have significant influence in their companies. If their children are not using safe online practices, it could expose the parent to attacks both physical and cyber.
These days, most parents will have their children listed as contacts and vice-versa (at least one would *think*). To the hacker, it's all about who is in your contact list and how that information can be exploited. They have no problem compromising a child's mobile device to gain access to home networks of powerful people.
For some reason, the folks that I speak to tend to believe that cyber attacks will only occur on their laptop or home computer or company network. They forget that the device that they hold in their hand is a 4 ounce key to their entire life, sometimes much more powerful and valuable than anything you may have on your daily PC.
Just because you can fit it in your pocket doesn't mean it is any less susceptible to compromise.
Stay vigilant, stay up to date with your security patches, and for goodness sake, don't click that sketchy Facebook video link on your phone.
Friday, August 23, 2013
Airports and APTs
I'm sitting here at Logan Airport waiting for a flight. Like a lot of folks, I am a people watcher. As the crowds float by, I am fascinated by human interactions. What I tend to notice more often than not is the complete and utter lack of personal security most adults display.
Humans by nature are very trusting individuals, and this is the crux of the problem, especially to those of us in the world of security.
Society dictates that we be polite to one another, and it is a common belief that in general people are not out to do us harm.
This statement, although primarily true, has a weakness: there are always people willing to do us harm. The Media makes a living off of reporting it.
As folks stand in line, I am often amazed by the amount of information that they give out: where they are going, who they are meeting, if they are alone, where they are from, what they do for a living, and on and on. This information, in the hands of a malicious person can be an entry point into your personal and professional data. If we are willing to give up our personal security to complete strangers at an airport, how can it be expected that we make a paradigm shift as a culture towards cyber security? How do we make people more vigilant in their ever increasing dependence on current technology?
Hold that thought.
So as I sit here in the terminal, I'm also reflecting on the notion of short term vs long term "pain". The website Hackmageddon lists current cyber security threats and there is always some interesting analysis to be found. For example, 57% of the cyber crime perpetrated last month is general financial theft, fraud, and the like. Only 4% of crimes in the previous month are the Advanced Persistent Threats: highly targeted industrial espionage attacks. This is where intellectual property of high profile companies is stolen, resulting in significant and negative financial impacts.
What kinds of intellectual property? How about the plans for your next phone or your next network-connected television or the control systems of your car?
If you're more concerned about the 57% than the 4%, then we have some work to do. The short term cyber crime (credit card theft, etc) is painful for the individual. There is no doubt about that. However, losing the intellectual property that is driving this country's future innovation is hurting all of us at once and will lead to longer term national impacts.
So how does this all tie together?
Typically, hackers will use exploits in general human interactions and security practices to gain access to the networks that drive our companies.
Maintaining proper security practices is vital to keeping us all safe. If you're new to security and are reading this blog, you are well ahead of most individuals. One of the best ways to learn more is to actively engage with other people passionate about the same topics. That's what we do every day at Wapack Labs in the Beadwindow™ portal. Get in touch with us and join the conversations.
Friday, August 9, 2013
Silence Ain't Golden
I'm a gun guy.
I shoot frequently, I attend as much training as I can, I research gear incessantly, and I am constantly staying up to date on what is "best of breed" in the industry. I network with folks to get news on trends and understand why a product does or does not work. This social connection is the single most important influence in my purchasing.
I read books on tactics, mindset, preparedness, and avoiding violence in the hopes of one day being able to use that knowledge to help myself and those around me should I ever be in a situation where it is needed.
I owned a small profitable business. I am very active in social media. I have many terabytes of information stored across disk arrays in my house that make my electricity provider very happy.
I spent MANY years at a top networking company in the IT organization.
I own a big dog.
In a nutshell, I take my environment and situational awareness very seriously.
Why is it then that until recently, I did not take the same precautions with my digital security?
Why? Because when I step away from my keyboard, I don't see anyone in my environment that can physically harm my equipment. And this is bad.
As a small business owner, I rely on my systems to work when I need them. I do not want to find myself in the Ron Burgundy-type situation of saying that "60% of the time, my credit card processing works every time".
I also do not want to leave myself open to unknown threats.
Now more than ever, SMBs are hosting their websites, card processing, customer data, and financials out in the cloud. Often times, these systems are secure at the individual account level, but what about the host themselves? Are they not subject to attack? Do you know the ins and outs of their disaster recovery or intrusion prevention strategies? No? How does that make you feel?
Let's suppose you are a brick and mortar retail owner who runs QuickBooks on a personal laptop in the office, and then goes home or to a coffee shop to surf the web and check email. You happen to unknowingly install malware. This vicious little bit of code then contacts a Command and Control server (CNC) and alerts the hacker that info is ready for the taking. From that point, you, your financials, and your customer data are compromised. Depending on the sophistication, your machine can then be used to penetrate others.
Point is, most small companies or individual businesses do not spend enough time considering the implications of the security of their data environment. They expect that their backups are being backed up by some geek in a closet, and if something goes wrong, they just get restored and running without a hitch. Unfortunately, most of us learn the hard way that this is far from reality.
As business owners, we host with companies that are recommended by friends. We use products recommended by peers. We read Amazon reviews religiously. Why is it then that we don't use the same peer group style of interaction to maintain vigilance over our digital world? Because we don't want anyone knowing our business.
This is where I have changed my point of view. As a life long student, I find that the best way to learn is to talk to the folks that have been there and done that. The people that are experts in their fields and are more than willing to give me advice to spare me pain. Freeing myself of my own ego in this regard has allowed me to learn more than I ever imagined.
The moral of the story:
As individuals, we spend an infinite amount of time and energy preparing ourselves for physical situations, but rarely apply the same consideration to our digital lives. We're afraid to reach out for help or talk to others for fear of appearing weak.
It's time to change that mindset. This isn't about being weak. It's about becoming strong. Take a look at what is going on over in Beadwindow® at Wapack Labs. These are the experts that can help and they are doing it by the best way we as humans know how: by talking to each other.
Join our conversations.
Wednesday, July 3, 2013
The Secret Lives of Computers
The Secret Lives of Computers:
The things you find in a digital forensic investigation
It is often asked “Why would I ever conduct a forensic
investigation on a computer?!” Well, if you are concerned about what people are
doing on a computer (or cell phone), what is going onto it, coming from it, or
happening to it, then it benefits you to conduct an investigation. A digital
forensic investigation sounds like a big complicated procedure, but an initial
examination can have a relatively quick turn around and give you plenty of
information. In some cases involving white collar crime, a single investigation
(with an affidavit) can be brought to civil court to produce injunctive relief
or even settlements.
So let's begin to answer the mysteries of a computer
investigation and see if it is something that would benefit you, your company,
or legal situation. In a preliminary forensic investigation many questions can
be answered if you are concerned about something specific, but typically we like to
try and shed light on the following:
File Activity
No, unfortunately I can't show you files jumping around or
being active, but I can show you creation, deletion, and modification. In most
cases this file activity drives the rest of the investigation. When we plot out
file activity on a timeline it begins to tell a tale of what was going on with
the computer at the time. For instance if we see large file creation on a
certain date, then that usually indicates things like installing programs or
copying files from one place to another. If we see a lot of file deletion, then
that could mean that someone is trying to “burn” or “shred” the evidence. If
you couple large creation and deletion together then that could point to
someone copying files from one place (let’s say your company’s network server)
to the local system, copying off the computer (maybe to a thumb drive) and then
wiping them clean. Or so they think.
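
The timeline reasoning above, as an added example that is not part of the original post: a Python example that buckets file events by day, flags days whose creation or deletion counts stand far above the median, and pairs files that were created and then deleted within two days. The event records, paths, thresholds and function names are constructed for illustration and do not come from any real case or forensic tool.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_events():
    """Constructed (timestamp, action, path) records; not real case data."""
    events = []
    start = datetime(2013, 6, 3, 9, 0)
    # Ten ordinary days: four new documents, one of them deleted later that day.
    for d in range(10):
        day = start + timedelta(days=d)
        for i in range(4):
            path = f"C:/Users/emp/Documents/note_{d}_{i}.docx"
            events.append((day + timedelta(minutes=30 * i), "created", path))
        events.append((day + timedelta(hours=5), "deleted",
                       f"C:/Users/emp/Documents/note_{d}_0.docx"))
    # Day eleven: 60 files land in a staging folder and are removed a day later.
    burst = start + timedelta(days=10, hours=8)
    for i in range(60):
        path = f"C:/Users/emp/Desktop/stage/client_{i:03}.xlsx"
        events.append((burst + timedelta(seconds=i), "created", path))
        events.append((burst + timedelta(days=1, seconds=i), "deleted", path))
    return events


def daily_counts(events):
    """Timeline: number of created/deleted events per calendar day."""
    counts = defaultdict(Counter)
    for ts, action, _path in events:
        counts[ts.date()][action] += 1
    return counts


def flag_bursts(counts, action, factor=5, floor=20):
    """Days where `action` is at least factor x the median day and >= floor."""
    per_day = {day: c[action] for day, c in counts.items()}
    threshold = max(floor, factor * median(per_day.values()))
    return sorted(day for day, n in per_day.items() if n >= threshold)


def created_then_deleted(events, window=timedelta(days=2), min_files=20):
    """Group files deleted within `window` of creation by their creation day.

    Only days with at least `min_files` such files are returned, so the
    occasional scratch document does not count as a copy-and-wipe pattern.
    """
    created = {}
    hits = defaultdict(list)
    for ts, action, path in sorted(events):
        if action == "created":
            created[path] = ts
        elif action == "deleted" and path in created:
            if ts - created[path] <= window:
                hits[created.pop(path).date()].append(path)
    return {day: paths for day, paths in hits.items() if len(paths) >= min_files}


if __name__ == "__main__":
    sample = build_sample_events()
    timeline = daily_counts(sample)
    print("creation bursts:", flag_bursts(timeline, "created"))
    print("deletion bursts:", flag_bursts(timeline, "deleted"))
    for day, paths in created_then_deleted(sample).items():
        print(day, "files created then deleted:", len(paths))
```
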
USB Drives
USB devices are becoming more ubiquitous and increasing to
incredibly large capacities. The amount of data that used to be contained in
several servers is now placed onto one 2TB external hard drive. While their
capacity is very large, their physical size gets smaller and smaller. Are you
aware of all the things that your employees are carrying on a thumb drive? Very
few companies implement a policy to control the flow of information to external
devices. In my experience, a majority of my investigations have included
someone plugging a thumb drive into their computer days, if not hours, before
they leave the company. Are you sure they only took their personal photos and
music, or did they just clean out all of your client records and proprietary
information?
Internet History
Internet history can sometimes be the most telling of all
the information in a computer. How often do you go to work, log into your
computer, and then go directly to Gmail and log into your personal email? Few
companies restrict this type of personal access (although they may frown upon
it). Today many applications and services are becoming “cloud ready”. This
means that information is no longer stored on your local systems. Instead this
information travels out over the Internet and is stored on some other company’s
servers. Is it secure in travel? Is it safe when sitting on those servers? Many
services like Dropbox also offer huge amounts of storage space for people to
upload information to. An employee could easily upload information from their
system, to Dropbox, and then access it from anywhere else in the world.
If you aren’t concerned about movement of data through the
Internet, maybe you are concerned about what your employees are doing on their
computers as far as spending too much time on Facebook or playing games. Plenty
of HR people lose sleep over what is being done and said over things like
Facebook or Instant Messaging. In many cases a computer investigation can
collect and parse this type of information and even give you remnants of the
pages that the person looked at. For investigations pertaining to harassment,
chat logs can be collected and produced for legal counsel (in many cases even
if they had been deleted).
Wait, there’s more…
These are just a few of the things that a standard
preliminary investigation could offer you. If you have a concern about what is
happening on your work or personal computers, then please give Wapack Labs a
call to find out how we can help. Whether you are in HR, legal, IT, or own your
own business, there are several ways that we could help put your mind at ease
or solidify a legal action. Our certified and experienced digital forensic
examiners can assist with almost any type of digital investigation. We
specialize in helping even those that have never heard of digital forensics or
are wary of technology in general. Don’t worry, we speak English too and won’t
get overly technical! Wapack Labs is located in Manchester, NH and services all
of New England. Call us at 603-606-1246, email me at dkirmes@wapacklabs.com, or stop by our lab at 250 Commercial
St. Suite 2013.
Friday, June 21, 2013
Info. Security: Do you have the right people for the job?
Information Security:
Do you have the right people for the job?
When you have a problem at your house (or are building a new
one), do you trust your general contractor to do the specialized and
sophisticated work? If your pipes burst, don’t you want a licensed and
experienced plumber to take care of it? If you choose a dedicated and
specialized professional for these jobs, why aren’t you doing the same thing
with your IT security? Why trust the same guy that plugs in your printers and
keyboards with sophisticated work like managing your network security,
protecting you against targeted attacks, and preventing your client and private
information from being stolen?
In today’s digital landscape hackers are becoming more
sophisticated and precise in their attacks. These attacks come from all corners
of the internet: from China looking to steal proprietary intellectual property,
from Iran looking to disrupt bank transfers, and from “hacktivists” like
Anonymous and other groups. How can you depend on your IT group (either in
house or consultant) to know and defend against all of these online threats?
The reality is that you can’t. When it comes to information security, you need
someone that has seen the threats first hand and knows how to protect against
them.
Here at Wapack Labs we have experts with proven track
records in the field. Our analysts and digital forensic examiners have years of
real world experience protecting companies large and small from targeted and
complicated attacks to their information networks. Backed by the power of its parent company Red
Sky Alliance, Wapack Labs is able to bring the knowledge and information
sharing of Fortune 500 companies to the table to protect your network.
We know how to protect you and your data, and we have
developed a layered solution that will make sure that you are secure from every
angle. Here at Wapack Labs, we have developed the Socrates Solution (our own
version of the Socratic
Method). This solution combines information security protection from
industry leaders into an easy to install solution that we manage for you! The
impact to your company is minimal and you don’t need to train your current
staff to operate or manage the equipment. Once a simple setup is done,
everything is managed off site from our location in Manchester, NH. The Socrates
Solution protects against threats from the outside at the perimeter (right
where your modem is) all the way down to the individual workstation. If your
business needs to conform to HIPAA, PCI, or Sarbanes–Oxley regulations then the
Socrates Solution is for you and can give you Data Loss Prevention (DLP) to
make sure that none of your personal and client information is getting out.
If you are concerned about your current security setup, or
just have questions as to how we can help you, don’t hesitate to give us a call
at 603-606-1246 or email me at dkirmes@wapacklabs.com
Thursday, May 2, 2013
Your Company Is Walking Out the Door
Today just about every company in America has their vital
proprietary information on computers. Everything from email, client lists,
pricing models, to trade secrets is stored on company computers. In many cases
those computers leave the office daily, or sometimes never show up onsite if
the employee works from home. Even if your company utilizes the most rigid
security rules and not a single computer leaves the facility, emails are still
sent back and forth from smart phones. A lot of the time attachments can be
saved directly from emails to the smart phones and then transferred on from there
without the company’s IT department ever being aware.
This situation becomes even more precarious when you include
companies that allow people to bring their own device (BYOD). In these
situations company data often resides on the personal laptop or in a “cloud”
solution where the data are available from any device connected to the
internet. What happens when the employee leaves? Can you guarantee that nothing
was stolen, deleted maliciously, or taken to a competing shop? Without
conducting a proper digital forensic investigation by certified examiners you
may never know what was taken. Even if your internal IT department does their due
diligence in trying to determine a theft, without the proper forensic handling
of the evidence, it may not be admissible in court.
Attorney Sid Leach from the law firm Snell & Wilmer
wrote an excellent paper (“What Every Lawyer Needs to Know about Computer Forensic Evidence”) pertaining to the valuable information that digital
forensic investigations reveal. Whether it pertains to fraudulent activities,
non-compete contracts, harassment, or intellectual property theft, Mr. Leach
explains that “A forensic examination of a departing employee’s laptop or
computer workstation can provide a goldmine of information concerning what the
ex-employee was doing”.
In my own experiences I have seen companies both large and
small with employees leaving abruptly or on bad terms causing suspicions as to
their activities. It is always in the company’s best interest to at least have
a forensic examiner create a forensically sound bit-by-bit copy of the device
before it is used by another employee. In these situations, even if your
company doesn’t proceed with an immediate investigation, at least you have a
court admissible copy to work from if anything were to arise in the future.
Wapack Labs is a digital forensic firm based in Manchester, NH with certified
and experienced digital forensic examiners to handle any investigation or
discovery need. Contact us today to see how we can help you!
Friday, April 12, 2013
Why use Digital Forensics? Let us help you solidify your case!
Why Use Digital Forensics?
Working in the digital forensics field has opened my eyes to
many other professional practices. Specifically in my job I deal with a lot of
lawyers, law firms small and large, and plenty of litigation protocol. One of
the most interesting aspects of the law field to me and specifically when
dealing with on-stand experts, is that you don’t ask a question you don’t
already know (or think you know) the answer to. This important factor made me
think: Why don’t more litigators use digital forensics in their cases? Having a
certified forensic expert helping you in your case is like giving you the
answers to questions you haven’t even thought about asking!
Recently I worked in Chicago where I collaborated with
lawyers throughout the country who had various levels of experience with
digital forensics and computer investigations. One of my most memorable cases
was an attorney from a very small law firm in the suburbs of Chicago who dealt
with Employment and Labor law. This attorney had come to me with ongoing litigation
concerns about an employee who left a company and went to work for a direct
competitor within a matter of weeks.
This employee had been in a position where they were privy to a lot of
sensitive data about the company (product specs, pricing models, client lists,
sales leads, etc.). While we already knew that the employee had violated their
non-compete contract, counsel was worried that the business might have been
harmed by the theft of this sensitive information. I was brought in to either
put these fears to rest, or create a “slam dunk” case with empirical digital
evidence.
Not long after our initial conversation where I addressed
what kind of things we may find in a digital investigation, counsel was able to
procure the work laptop from the company. Within a week of receiving the device
I was able to image (duplicate the evidence to be able to work on a copy),
parse, index, and analyze the entire system. Combined with a simple
questionnaire from the client, I had a complete understanding of the activities
on the system. In this case (as with most investigations) I focused on the
employee’s last two weeks at the company. I was able to pin down that before
leaving the company (and pretty much right before walking out of the door) the
employee was attaching USB thumb drives to the system, and copying data to
these drives. Along with the USB devices, I could see through emails and by
viewing his Internet history (Gmail, DropBox, LinkedIn) that the employee had
been planning to leave the company for some time. The combination of the
employee’s actions, coupled with solid digital evidence, proved that sensitive
information was taken from the company laptop, and copied to personal devices.
Information provided by digital forensic examination of the laptop provided
counsel with ample means to win their case.
The best part for me on a personal level was that this case
was the first time the attorney had ever used a computer investigation. It
provided me the ability to teach counsel exactly what we do, how digital
forensic science is proven in court, and how best to phrase his questions and
shape his case to present what we found. Not only was this his first case
involving digital forensics, but it was my first deposition as well! That give
and take provided a great working relationship for the case going forward and
the follow on investigations that arose from it.
At Wapack Labs we are driven to
provide that same level of service to litigators throughout the Employment and
Labor, Intellectual Property, and Technology law practices. Give us a call to
see how we can help! Find us online at http://wapacklabs.com/ or give us a call at 603-606-1246. Be sure to follow us on LinkedIn as well as this blog.






