Wednesday 2 November 2016

There is no place like home



Surely you've heard of 127.0.0.1, and you may know that 127.0.0.1 points to localhost. But why is 127.0.0.1 the IP address of localhost and not something else?
Before trying to answer this question, let's talk a little about how things work. This address is used to establish a connection to the very same computer the end user is sitting at. IPv6 uses the address ::1 for the same purpose; written out in full, the IPv6 localhost is 0:0:0:0:0:0:0:1.

How does 127.0.0.1 work? Why is it called loopback?
Developers often use 127.0.0.1 to test their applications. When you open a network connection to the loopback address 127.0.0.1, it behaves the same way as a connection to any remote device: the traffic still passes through the IP stack. However, it never reaches the physical network interface; the kernel hands the packets straight back to the host.

But why does the localhost IP address start with 127?
Well, 127 is the last network number in the class A range (0 to 127). It carries a subnet mask of 255.0.0.0, so the first assignable host address in that network is 127.0.0.1. However, any other value in the host portion should work just as well and loop back to the same host, so you can ping 127.1.0.1 if you want. (On Linux the lo interface is configured as 127.0.0.1/8, so the whole block answers; some other operating systems configure only 127.0.0.1 by default, and an address such as 127.1.0.1 needs an explicit alias there.)

You may also have wondered why the last network number was chosen for this. Well, the earliest reference to 127 as loopback dates back to RFC 990 (Assigned Numbers) of November 1986, and by 1981 the networks 0 and 127 were the only reserved class A networks.

The class A network number 127 is assigned to the "loopback" function, i.e. a datagram sent by a higher-level protocol to an address in network 127 should be returned to the host. Any IP datagram with a source or destination address set to a loopback address must not appear outside of the host, and must not be forwarded by any routing device. Packets received on a non-loopback interface with a loopback destination address must be dropped. Such packets are one kind of what are sometimes called Martian packets.

IPv4 network standards reserve the entire 127.0.0.0/8 address block for loopback purposes. That means any packet sent to one of those 16,777,214 addresses (127.0.0.1 through 127.255.255.254) is looped back. IPv6 has just a single address, ::1.

As network 0 was reserved to mean "this host", 127 remained for loopback. Some would consider it more sensible to have selected 1.0.0.0 for loopback, but that network had already been given to the BBN Packet Radio Network.
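The two rules above (the whole 127/8 block loops back, and loopback addresses must never appear on a real interface) are easy to get wrong in code that only compares against the literal string "127.0.0.1". The following is an added example, not code from the original post; it uses Python's standard `ipaddress` module and a constructed list of (interface, source, destination) packets, not a real capture, to show a check that covers the whole block, ::1 and the IPv4-mapped spelling ::ffff:127.x.x.x, next to the naive string comparison it replaces.

```python
import ipaddress

# The whole 127/8 block is loopback for IPv4; IPv6 has the single address ::1.
LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_V6 = ipaddress.ip_address("::1")


def is_loopback(text):
    """True if `text` is a loopback address: anything in 127.0.0.0/8, ::1, or the
    IPv4-mapped IPv6 spelling of a 127/8 address (e.g. ::ffff:127.0.0.1), which is
    still 127.x.x.x on the wire. Raises ValueError for anything that is not an
    address literal (hostnames, and shorthand such as "127.1" that libc's
    inet_aton accepts but the ipaddress module does not)."""
    addr = ipaddress.ip_address(text.strip())
    if isinstance(addr, ipaddress.IPv6Address):
        mapped = addr.ipv4_mapped
        if mapped is None:
            return addr == LOOPBACK_V6
        addr = mapped
    return addr in LOOPBACK_V4


def naive_is_loopback(text):
    """The check a lot of code actually performs. It recognises one address out of
    the 16,777,214 that loop back; kept here only to contrast with is_loopback."""
    return text.strip() == "127.0.0.1"


def martian_reason(iface, src, dst):
    """Apply the forwarding rule from the post to one received packet: outside the
    loopback interface, a loopback source or destination must not appear at all.
    Returns a short reason string, or None if the packet is acceptable."""
    if iface == "lo":
        return None
    if is_loopback(dst):
        return "loopback destination received on %s" % iface
    if is_loopback(src):
        return "loopback source received on %s" % iface
    return None


# Constructed sample packets as (interface, source, destination); not a real capture.
SAMPLE_PACKETS = [
    ("eth0", "10.0.0.5", "127.0.0.1"),            # Martian: loopback destination from the wire
    ("eth0", "127.53.0.9", "10.0.0.5"),           # Martian: spoofed 127/8 source, not just .0.0.1
    ("eth0", "::ffff:127.0.0.1", "2001:db8::1"),  # Martian: IPv4-mapped loopback source
    ("lo",   "127.0.0.1", "127.1.0.1"),           # fine: both ends on the loopback interface
    ("eth0", "10.0.0.5", "10.0.0.7"),             # fine: ordinary traffic
]


def drop_martians(packets=SAMPLE_PACKETS):
    """Return the packets the rule would drop, each with its reason."""
    dropped = []
    for iface, src, dst in packets:
        reason = martian_reason(iface, src, dst)
        if reason is not None:
            dropped.append((iface, src, dst, reason))
    return dropped


if __name__ == "__main__":
    for item in drop_martians():
        print(*item)
```

Run as a script it lists the three Martian packets from the constructed sample. If the input can be a hostname rather than an address literal, resolve it first (for example with `socket.getaddrinfo`) and pass each resulting address through `is_loopback`; the check must run on what the connection will actually use, not on the string the user typed.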

Saturday 12 December 2015

Merry Riskmas


People of all ages look forward to Christmas holidays. Children think of the gifts they will receive from Santa, and those of us who are older savor the thought of spending the holidays in joyous company with friends and family. Christmas is considered by most, including myself, as the most wonderful time of year.

Cyber criminals feel the same way about the holidays. They exploit online shoppers’ longing for a good sale by slamming them with phishing scams laden with "special offers" and try to turn our beautiful Christmas to Riskmas.

We have talked about this subject in the past but constant repetition carries conviction.

The holiday season is retailers’ busiest time of year, with an estimated 20% of the year’s shopping taking place between November and December in the UK and over half of online retailers expecting to achieve 20% growth. During this time, retailers arguably face a more difficult problem with IT than other industries for many reasons. The holiday retail "freeze" is underway, which means that any security upgrades or technology additions for retailers are put on hold until after the busy holiday shopping season. For the next few weeks, only critical security patches will get installed. The concept of a holiday IT freeze is outdated in today’s world, and while many retailers implement such a "freeze", there should be exceptions when it comes to areas that support the business. Security should certainly be one of those exceptions.

The main challenge and priority is service availability to the customers, whether it is for online or in-store purchases. At executive level, service availability translates to transactions, which in turn relates to revenue growth. However, executives often neglect the wider collateral damage that can be caused by a data breach, not only in terms of brand damage but also in the resultant fall of consumer confidence and any remediation activities required (legal and operational) to mitigate those losses.

In December 2009, a hacker then operating under the alias "igigi" succeeded in stealing the account credentials of all 32.6 million users after penetrating RockYou, a company that develops games and advertisements for social media sites. All of the information had been stored in clear text, meaning that neither account holders' usernames nor their passwords had been encrypted or hashed. The company's databases were breached through an SQL injection vulnerability, one of the most common security vulnerabilities in web applications today.

Following the breach, the security firm Imperva analyzed the stolen information, portions of which were published online by the hacker. The study revealed that 40% of account holders had used a password consisting only of lowercase letters, 30% had chosen a password less than six characters in length, and nearly 1 in 100 had set their password to "123456".

Nevertheless, companies are not the sole targets of holiday breaches. The amount of unwanted traffic increases significantly before Christmas, and people need to be wary of viruses and other malware. Christmas, like other holidays, is a time of opportunity for junk mailers and information phishers. An ill-advised click can ruin your holiday, when an electronic Christmas card from a friend or business partner installs malware on your computer. People are in holiday spirits and behave more casually in the online environment. For example Christmas greetings sent by email can be disguised so that they look like they have been sent by someone you know. When the unsuspecting recipient opens a picture or link contained in the message, a virus is released.

Back in 2010, just two days before Christmas, attackers sent out an email that spoofed “seasons greetings” from The White House to a number of government employees and contractors. The text of the email was published on Brian Krebs’ website. It read:
“As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.”
The card then prompted users to click on a link, which downloaded a variant of ZeuS malware.

A control server allegedly based in Belarus sent the email by hand to a small number of recipients, which helped the attack slip past security traps and sensors. Ultimately, more than 2GB of government documents were stolen in the attack. However, no classified documents were compromised.

In December 2013, Symantec reported a spike in the number of NTP amplification attacks. NTP stands for Network Time Protocol; it was originally developed by a professor at the University of Delaware as a means of syncing the clocks of multiple computers.

According to Symantec's blog post on the topic, NTP attacks are similar to DNS amplification attacks: a small request with a forged source address makes the server deliver a large amount of data to a specific IP address, the victim's. In this case, the attackers used the monlist command, a query found in older versions of ntpd that returns a list of up to the last 600 hosts that connected to the server, as part of a series of DDoS attacks against certain targets, including a number of gaming sites in late December. Because a request of a few bytes triggers a response of many kilobytes, and because NTP runs over UDP, where the source address is never verified, the attacker pays almost nothing for the traffic the victim receives.
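To make the monlist mechanism concrete, here is an added example that is not code from the post or from Symantec. It decodes the header of an NTP mode 7 ("private") message, recognises the monlist request codes, and runs over a constructed set of UDP datagrams (not a real capture) to measure the bytes a server sent back for each byte it was "asked" for. The constants are the real ntpd values (mode 7, implementation 3, request codes 20 and 42, 72-byte entries, six entries per 440-byte reply); the addresses and flows are made up for the example.

```python
import struct

NTP_PORT = 123
MODE_PRIVATE = 7            # mode 7 is ntpd's private control protocol, not time sync
IMPL_XNTPD = 3              # implementation number ntpd answers to
REQ_MON_GETLIST = 20        # original monlist request code
REQ_MON_GETLIST_1 = 42      # the monlist request code used in the 2013 attacks
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}
MON_ENTRY_SIZE = 72         # bytes per monitor entry in a monlist reply
MON_ENTRIES_PER_PACKET = 6  # ntpd packs six entries per reply packet (440 bytes)


def parse_private_header(payload):
    """Decode the first four bytes of an NTP mode 7 message:
    byte 0: response bit | more bit | version (3 bits) | mode (3 bits)
    byte 1: auth bit | sequence number (7 bits)
    byte 2: implementation number
    byte 3: request code
    Returns None if the payload is too short or is not a mode 7 message."""
    if len(payload) < 4:
        return None
    b0, b1, impl, reqcode = payload[:4]
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(b0 & 0x80),
        "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x07,
        "sequence": b1 & 0x7F,
        "impl": impl,
        "reqcode": reqcode,
    }


def is_monlist(payload):
    """True for both the monlist request and the replies it triggers."""
    hdr = parse_private_header(payload)
    return hdr is not None and hdr["reqcode"] in MONLIST_CODES


def build_monlist_reply(n_items=MON_ENTRIES_PER_PACKET, more=False):
    """Construct a reply packet of the size ntpd sends: an 8-byte header plus
    72-byte entries, zero-filled here because only the sizes matter."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    header = bytes([b0, 0, IMPL_XNTPD, REQ_MON_GETLIST_1])
    # second word: err(4) | nitems(12), mbz(4) | item size(12); err and mbz are 0
    header += struct.pack(">HH", n_items, MON_ENTRY_SIZE)
    return header + b"\x00" * (MON_ENTRY_SIZE * n_items)


# Constructed datagrams as (src, sport, dst, dport, payload); not a real capture.
MONLIST_REQUEST = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + b"\x00" * 4  # 8 bytes
CLIENT_POLL = bytes([0x23]) + b"\x00" * 47   # ordinary NTPv4 client request (mode 3), 48 bytes
SAMPLE_FLOWS = [
    ("203.0.113.10", 50123, "198.51.100.1", NTP_PORT, CLIENT_POLL),
    ("192.0.2.7", NTP_PORT, "198.51.100.1", NTP_PORT, MONLIST_REQUEST),  # source is the spoofed victim
    ("198.51.100.1", NTP_PORT, "192.0.2.7", NTP_PORT, build_monlist_reply(more=True)),
    ("198.51.100.1", NTP_PORT, "192.0.2.7", NTP_PORT, build_monlist_reply(more=True)),
    ("198.51.100.1", NTP_PORT, "192.0.2.7", NTP_PORT, build_monlist_reply()),
]


def find_amplification(flows):
    """Group monlist traffic by (server, victim) and return
    {(server, victim): (request_bytes, reply_bytes, ratio)}.
    A high ratio means the server is an open amplifier, and the 'requester'
    is almost certainly a spoofed victim that never asked for the data."""
    totals = {}
    for src, sport, dst, dport, payload in flows:
        hdr = parse_private_header(payload)
        if hdr is None or hdr["reqcode"] not in MONLIST_CODES:
            continue
        if hdr["response"]:
            key = (src, dst)                       # server -> victim
            totals.setdefault(key, [0, 0])[1] += len(payload)
        else:
            key = (dst, src)                       # server <- claimed requester
            totals.setdefault(key, [0, 0])[0] += len(payload)
    return {k: (req, rep, rep / req if req else float("inf"))
            for k, (req, rep) in totals.items()}


if __name__ == "__main__":
    for (server, victim), (req, rep, ratio) in find_amplification(SAMPLE_FLOWS).items():
        print("%s -> %s: %d bytes in, %d bytes out, x%.0f" % (server, victim, req, rep, ratio))
```

With three reply packets for one 8-byte request the constructed sample already shows a 165x ratio; a full 600-entry list is a hundred such packets. On the server side the fix is to run ntpd 4.2.7p26 or later, where monlist no longer exists, or on older versions to put `disable monitor` in ntp.conf and restrict mode 7 queries with `restrict default noquery` (the issue is tracked as CVE-2013-5211).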

To sum up, here are some additional tips you can use to avoid becoming a victim of cyber fraud: 
  • Enable 2-factor authentication in all your accounts. You can find a list of services that support this here.
  • Do not respond to unsolicited (spam) e-mail.
  • Do not click on links contained within an unsolicited e-mail. Ask yourself: "Why am I being asked to click here?" If you’re not sure, don’t click!
  • Be cautious of e-mail claiming to contain pictures in attached files; the files may contain viruses. Only open attachments from known senders. Scan the attachments for viruses if possible. Ask yourself: "Does this look authentic?"
  • Avoid filling out forms contained in e-mail messages that ask for personal information.
  • Always compare the link in the e-mail to the link you are actually directed to and determine if they match and will lead you to a legitimate site.
  • Log on directly to the official website for the business identified in the e-mail instead of "linking" to it from an unsolicited e-mail. If the e-mail appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
  • Contact the actual business that supposedly sent the e-mail to verify that the e-mail is genuine.
  • If you are requested to act quickly or there is an emergency that requires your attention, it may be a scam. Fraudsters create a sense of urgency to get you to act quickly.
  • Remember: if it looks too good to be true, it probably is.
For organisations: 
  • Ensure your staff are educated ahead of the Christmas period. Phishing presents as much danger to businesses as it does individuals.
  • Get a penetration test now before the Christmas period to test the security of your networks and systems.
Have A Very Merry Christmas and Stay Safe Online!

Friday 11 December 2015

Hard Dollar, Hard Times in IT Spending


The strong dollar and weakening demand in the world's emerging economies will weigh on the global IT market this year. Worldwide IT spending is expected to reach $2.69 trillion in 2015, down 3.5% from a year earlier, with every sector of the world economy, without exception, cutting its investment in information technology.

The decline of the international IT market is associated primarily with the rise of the dollar, particularly against the euro, the yen and the ruble, and the price increases it brought for IT products, as well as with the weak performance of markets such as Russia, Brazil and China.

According to Gartner's estimates, exchange rates will hold back IT investment in every sector of economic activity in 2015. Spending by banks will be 2.4% lower this year; in communications and media the decline will be around 3.6%; in education spending is expected to fall by 2.5%; and spending by public-sector organisations will be reduced by 5%. The same data show IT spending in the health sector falling by 2.7%, in insurance by 2.8%, in construction by 4.5%, in retail by 1.5% and in transport by 3.1%.

Despite the downturn, retail, banking, insurance and the health sector will still lead the way, accounting for the highest IT spending this year.

Retail
Technologies that help retailers understand consumer needs better and strengthen customer engagement with a brand through a multi-channel shopping experience are the high-priority areas on retail's IT agenda. For in-store purchases, the challenges identified lie particularly in the various electronic payment systems and in investment in card acceptance terminals (POS).

Banks
Although IT investment by banks and insurance companies will fall by 2.5% this year, Gartner estimates that banks will double their IT budgets by 2019 in an effort to retain their customers, improve the customer service experience and reduce operating costs. Cyber security remains a focus area for retail banking, and an emerging area of interest is smart machine technology, including artificial intelligence, robotics and process automation.

Health sector
IT spending in health and care is also expected to fall this year, with the rate of decline for 2015 estimated at 2.7%. The largest health IT market is the US, which accounts for 40% of the sector's total IT spending this year. Strong movement is expected in the sector across Europe, Asia and South Africa.

Sunday 20 September 2015

From Information Security to Digital Competitiveness


Information is the lifeblood of almost all businesses today. At the same time, not a week goes by without news of another big hack or security breach. The pressure on the security function is immense, and security professionals need a fine balance of skills to bring together risk, compliance, operations and technology in any large organization. Sadly, they rarely find time to grow their relationships and standing in the corporation. 

The role of CISO is difficult yet crucial. Not all organizations appoint an executive CISO; many have a security director report into the CIO or else into risk and compliance functions. A dedicated CISO role is crucial, both politically and culturally, for it sends a strong message about the priorities and commitments of the business.

The role of CISO is relatively new and by no means is it a universal position. Managers attain the title CISO by following any number of career paths, typically starting in an IT environment, then acquiring specialist security certifications and/or on-the-job experience. Information security is managed in many different ways from one business to another. Some firms see it as a part of security generally; it is common among banks, for example, for the safekeeping of cash, branches, staff and IT to all come under the one executive. Other organizations have information security report into legal or risk functions, as they can see it as a corporate governance matter. And some prefer operations or IT to take responsibility for information security, especially if technology in the sector is volatile or complex. Regardless of reporting line, an effective CISO must have influence inside IT and inside the business units. 

Whether a CISO comes with technical qualifications or has learned on the job, the classical CISO job description covers a basket of activities spanning network security, access management (for customers, staff and/or partners), standards compliance (particularly in regulated industries like banking, government and healthcare), policy development and implementation, internal IT audit, and sometimes privacy. The CISO’s position generally involves a lot of tech and a lot of compliance. 

Organizations tend to use the security department in a purely defensive capacity. However, in the digital age, the information an organization collects internally and externally is a valuable data source. Security officers archive, protect and maintain the quality of an organization's information, which puts them in a unique position to implement strategic, information-driven business initiatives.

The security department must evolve from “the department of no” to a business unit that utilizes a company’s information to create a strategic advantage and value to internal and external customers alike.

In a market characterized by rapidly changing technology and increasing global competitive forces, it's no secret that companies can no longer afford to rely on the feature-set of their products or services alone. After all, today's innovation is rapidly becoming tomorrow's industry standard, so organisations must ensure they create value from the information they have and forge intimate connections with their customers, colleagues, suppliers and partners in order to stay ahead of their competition. The need for joined-up thinking in business therefore cannot be overstated. This is not just about improving the flow of information within a business; rather it needs to be about unlocking consistent value and meaning from that information and extending collaboration across an organisation's entire ecosystem in order to put the customer at the center of the business and achieve real customer intimacy.

As the global economy starts to show signs of recovery, businesses can afford to look beyond short term survival and start planning for the anticipated upturn. The long-term value that collaboration brings to an organisation more than outweighs its perceived cost - it will help forge stronger relationships and happier workers as well as translate into more efficient operations company-wide. Clear visibility of business-critical information, improved insight into business performance and customer value are the cornerstones of successful, profitable business in any sector. Making these changes today will not only improve competitiveness and provide the operational clarity required to maximize corporate performance, but will also prepare the organisation to exploit future economic growth.

Digital disruption is not a new phenomenon. But the opportunities and risks it presents shift over time. Competitive advantage flows to the businesses that see and act on those shifts first. We are entering the third, and most consequential, wave of digital disruption. It has profound implications not only for strategy but also for the structures of companies and industries. Business leaders need a new map to guide them.

In the first wave of the commercial Internet, the dot-com era, falling transaction costs altered the traditional trade-off between richness and reach: rich information could suddenly be communicated broadly and cheaply, forever changing how products are made and sold. Strategists had to make hard choices about which pieces of their businesses to protect and which to abandon, and they learned that they could repurpose some assets to attack previously unrelated businesses. Incumbent value chains could be “deconstructed” by competitors focused on narrow slivers of added value. Traditional notions of who competes against whom were upended—Microsoft gave away Encarta on CDs to promote sales of PCs and incidentally destroyed the business model of the venerable Encyclopædia Britannica.

In the second wave, Web 2.0, the important strategic insight was that economies of mass evaporated for many activities. Small became beautiful. It was the era of the "long tail" and of collaborative production on a massive scale. Minuscule enterprises and self-organizing communities of autonomous individuals surprised us by performing certain tasks better and more cheaply than large corporations. Hence Linux, hence Wikipedia. Because these communities could grow and collaborate without geographic constraint, major work was done at significantly lower cost and often at zero price.

Smart strategists adopted and adapted to these new business architectures. IBM embraced Open Source to challenge Microsoft's position in server software; Apple and Google curated communities of app developers so that they could compete in mobile; SAP recruited thousands of app developers from among its users; Facebook transformed marketing by turning a billion “friends” into advertisers, merchandisers, and customers.

Now we are on the cusp of the third wave: hyper-scaling. Big — really big — is becoming beautiful. At the extreme — where competitive mass is beyond the reach of the individual business unit or company — hyper-scaling demands a bold, new architecture for businesses.

It is fashionable (and correct) to assert that business leaders need to worry about disruption. But disruption takes very specific forms, and these forms are shifting. The disruptive impact of deconstruction—like that of low-cost technologies—is now widely understood, but the challenge of the very small, less so. And the challenge of the very large, hardly at all. Put them together and you pass from the familiar world of value chains to the world of platforms, ecosystems, and stacks. The role of CISO is mission critical in a world of digital disruption.



Monday 31 August 2015

Our First Birthday


It's been a year since the first post appeared on the ISL blog! On September 1st we celebrate our birthday, and to thank all our loyal followers we have set up a small giveaway as the least we can do for all your support. The whole process is powered by Rafflecopter, and all you have to do is follow us on Twitter, tweet about our birthday, or visit our Facebook page. Each of these actions will give you one chance to win one of the prizes.

  1. One (1) winner will receive a 12 months Heimdal Pro premium subscription, (approximate retail value or "ARV": €34)
  2. One (1) winner will receive quertyCard (approximate retail value or "ARV": €4.99)
The giveaway will last for the entire September, so the winners will be announced in the first couple of days of October.

You can enter the giveaway through our special Giveaway page.

Friday 28 August 2015

Tell Me Who You Are, and I Will Tell You Your Lock Pattern


You are predictable, your passwords are predictable, and so are your PINs. This simple fact is often exploited by hackers, as well as the agencies watching you. But what about your Android lock patterns? Can who you are reveal what patterns you create?

Pattern unlock is one of the screen-lock mechanisms in the Android system. It was introduced by Google in 2008. By connecting 4 to 9 dots in a 3 x 3 grid, the user sets up an unlock pattern that plays the role of a password or PIN. As an alternative to the traditional password/PIN, the visual pattern has gained popularity because of its potential advantages in memorability and convenience of input. However, the limited pattern space and existing attacks such as shoulder surfing or smudge attacks make this mechanism weak in security.

A recent study by Marte Loge, as part of her MSc thesis, presents the results from a set of 3400 users and their selected lock patterns.
"Humans are predictable, we're seeing the same aspects used when creating a pattern locks [as are used in] pin codes and alphanumeric passwords."
Android lock patterns can contain a minimum of four nodes and a maximum of nine, giving 389,112 possible combinations in total. As with passwords, the number of possible combinations grows rapidly with length, but only up to a point: eight- and nine-node patterns have exactly the same count, because once eight nodes have been used the single remaining node can always be added as a legal ninth move.

Loge asked subjects to create three Android lock patterns (ALPs): one for an imaginary shopping app, a second for an imaginary banking app, and the last to unlock a smartphone. Sadly, the minimum four-node pattern was the most widely created one by both male and female subjects, followed by five-node ALPs. For reasons Loge still can't explain, eight-node patterns were the least popular, attracting significantly fewer subjects than nine-node choices, even though both offer the same number of possible combinations.

The minimal use of eight-node patterns, by both males and females, was a surprise. Both sexes were two to four times more likely to choose a nine-node pattern rather than one with eight nodes, even though both provided precisely the same number of possible combinations. Another unexpected finding, left-handed users tended to pick the same starting places as their right-handed counterparts.

Males were much more likely than females to choose long and complex patterns, with young males scoring the highest. The slide below illustrates the overall breakdown between men's and women's choices.

Loge said the number of nodes isn't the only thing that determines how susceptible an ALP is to guessing attacks. The specific sequence of nodes is also key in how complex a pattern is. Assigning the nine nodes the same digits found on a standard phone interface, the combination 1, 2, 3, 6 will receive a lower complexity score than the combination 2, 1, 3, 6, since the latter pattern changes direction.

A team of researchers formalized this scoring system in a 2014 paper titled Dissecting pattern unlock: The effect of pattern strength meter on pattern selection. They analyzed the characteristics of all valid patterns and proposed a way to quantitatively evaluate their strengths. They also designed two types of pattern strength meters as visual indicators of pattern strength.
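The counts quoted above (389,112 patterns in total, with eight- and nine-node patterns equal in number) and the direction-change idea behind the complexity score can both be checked directly. The following is an added example, not code from Loge's thesis, the 2014 paper or the original post. It enumerates every valid pattern under Android's drawing rule (a stroke may not pass over a node that has not been visited yet; it may pass over one that has), counts them by length, and scores a pattern by the number of times its stroke changes direction, which is a simplified stand-in for the paper's strength metric, not the metric itself. Nodes are numbered 1 to 9 like a phone keypad, as in the post's 1, 2, 3, 6 example.

```python
from math import gcd

# Nodes are numbered 1..9 like a phone keypad: 1 2 3 / 4 5 6 / 7 8 9.
GRID = 3


def _rowcol(node):
    return divmod(node - 1, GRID)


def skipped_node(a, b):
    """Return the node lying on the straight line between a and b, or None.
    Only same-row, same-column and the two long diagonals have one."""
    ra, ca = _rowcol(a)
    rb, cb = _rowcol(b)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * GRID + (ca + cb) // 2 + 1


# SKIP[a][b] is the node a stroke from a to b passes over, or None.
SKIP = {a: {b: skipped_node(a, b) for b in range(1, 10) if b != a} for a in range(1, 10)}


def is_valid(pattern):
    """Android's rule: 4..9 distinct nodes, and a stroke may only pass over a
    node that has already been visited."""
    pattern = tuple(pattern)
    if not 4 <= len(pattern) <= 9 or len(set(pattern)) != len(pattern):
        return False
    if any(n not in SKIP for n in pattern):
        return False
    visited = set()
    for prev, cur in zip(pattern, pattern[1:]):
        visited.add(prev)
        mid = SKIP[prev][cur]
        if mid is not None and mid not in visited:
            return False
    return True


def count_by_length():
    """Enumerate every valid pattern by depth-first search and return
    {length: number_of_patterns}; visited nodes are tracked as a bitmask."""
    counts = {n: 0 for n in range(4, 10)}

    def extend(last, visited_mask, length):
        if length >= 4:
            counts[length] += 1
        if length == 9:
            return
        for nxt, mid in SKIP[last].items():
            bit = 1 << nxt
            if visited_mask & bit:
                continue
            if mid is not None and not visited_mask & (1 << mid):
                continue
            extend(nxt, visited_mask | bit, length + 1)

    for start in range(1, 10):
        extend(start, 1 << start, 1)
    return counts


def direction_changes(pattern):
    """Count how often the stroke changes direction. Strokes of different
    lengths in the same direction (1->2 and 1->3) count as the same direction,
    so 1,2,3,6 scores 1 and 2,1,3,6 scores 2, as in the post's example."""
    dirs = []
    for a, b in zip(pattern, pattern[1:]):
        ra, ca = _rowcol(a)
        rb, cb = _rowcol(b)
        dr, dc = rb - ra, cb - ca
        g = gcd(abs(dr), abs(dc)) or 1
        dirs.append((dr // g, dc // g))
    return sum(1 for d1, d2 in zip(dirs, dirs[1:]) if d1 != d2)


if __name__ == "__main__":
    counts = count_by_length()
    print(counts, "total:", sum(counts.values()))
    for p in [(1, 2, 3, 6), (2, 1, 3, 6), (1, 4, 7, 8, 9)]:
        print(p, "valid:", is_valid(p), "direction changes:", direction_changes(p))
```

Running it prints the per-length counts (1,624 four-node patterns up to 140,704 each for eight and nine nodes, 389,112 in total) and scores the letter "L" pattern 1, 4, 7, 8, 9 with a single direction change, which is exactly why such shapes sit at the top of a guessing list.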

Data breaches over the years have repeatedly shown some of the most common passwords are "1234567", "password", and "letmein". Loge said many ALPs suffer a similar form of weakness. More than 10% of the ones she collected were fashioned after an alphabetic letter, which often corresponded to the first initial of the subject or of a spouse, child, or other person close to the subject. The discovery is significant, because it means attackers may have a one-in-ten chance of guessing an ALP with no more than about 100 guesses. The number of guesses could be reduced further if the attacker knows the names of the target or of people close to the target.

Loge had several suggestions for ways to make lock patterns more secure. The first, naturally, is to choose one with more nodes and a higher complexity score. Another is to incorporate crossovers, since it makes it harder for an attacker looking over the target's shoulder to trace the precise sequence. Better yet, she suggested people open the Security category in their Android settings and turn off the "make pattern visible" option. This will prevent the drawing of lines that connect each pattern node, making shoulder surfing even more difficult.

Full disk encryption won't save you if your lock pattern is L - as in "loser"

Sunday 2 August 2015

Patch Management for Home Users


For system administrators, patch management is a routine activity. But for most home users, patch management is uncharted territory. When to patch products and how often patches need to be applied are questions most home users never think about. Knowing what to patch and when can make a difference to the security of your home computer or network.

First things first, let's clarify some terms. The following definitions come from a post of Allen Householder in CERT Blog.

Zero Day Exploit (a.k.a 0-day)

There are many definitions of zero-day exploit available. These definitions are not merely diverse wordings that map onto the same concepts; they refer to distinct (albeit related) concepts.

"A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. There are zero days between the time the vulnerability is discovered and the first attack." — SearchSecurity

By the way, nothing in this definition talks about patch availability. We'll come back to that in a moment.

"A zero day exploit attack occurs on the same day a weakness is discovered in software. At that point, it's exploited before a fix becomes available from its creator." — Kaspersky

Stating it explicitly: if the following events occur (a) a vulnerability is announced by a vendor, (b) a patch is provided along with the announcement, and (c) it is exploited on the same day (whatever you decide that means, just be consistent), definition 1 says it's a zero-day exploit while definition 2 says it isn't.

 "An attack on a software flaw that occurs before the software's developers have had time to develop a patch for the flaw is often known as a zero-day exploit. The term "zero-day" denotes that developers have had zero days to fix the vulnerability.  It can also refer to attacks that occur on the same day (day zero) a vulnerability is disclosed. In fact, some zero-day exploits are the first indication that the associated vulnerability exists at all."  — Tom's Guide

Here we find that the definition hinges on the existence of a patch. A strict interpretation of this definition would permit someone to apply the zero-day exploit label even if the vulnerability is known to the vendor and the public long before the first attack. The vulnerability may have been known to the vendor for months, and a patch is in development but does not yet exist. Thus definition 3 directly conflicts with both definitions 1 and 2 above. Definition 1 says nothing of patches. Definition 2 talks about patch availability, not existence.

"Zero-day attacks...software or hardware vulnerabilities that have been exploited by an attacker where there is no prior knowledge of the flaw in the general information security community, and, therefore, no vendor fix or software patch available for it." — FireEye

Granted, this definition is for a zero-day attack, but since it mentions exploitation, I think we are justified to include it here. FireEye adds hardware to our growing list of definitions. Further, they discriminate based on the state of knowledge of the general information security community, with the implication that if that community is unaware of the vulnerability, there must not be a patch available. From context, this general information security community appears to be larger than the affected vendor(s) yet smaller than the public. So while it shares some degree of overlap with the other definitions discussed above, it remains distinct in its referents.

There is no generally accepted formal definition for "0Day (also known as zero-day) vulnerability." The term has been used to refer to flaws in software that no one knows about except the attacker. Sometimes the term is used to mean a vulnerability for which no patch is yet available.

The Italian firm Hacking Team was recently hacked, and at least two zero-day exploits the firm possessed were released to the public, along with about 400GB of company emails and other data.

Hacking Team has long been a source of controversy because the company sells surveillance tools to law enforcement and intelligence agencies around the world—among them repressive regimes that use the tools to spy on human rights activists and political dissidents.

But the hack of last week highlights another serious issue around Hacking Team and companies like it that stockpile or store zero-day exploits, including software vendors who run bug bounty programs: they can be rich targets for hackers who might want to steal the zero-days to use them for nefarious purposes or sell them. This places an added onus on companies to protect their repositories to prevent the zero-days from getting into the hands of unintended parties.

Automating Patch Management

Enable automatic updates for your software, and apply patches whenever a program asks to be updated. An update is not always issued for security reasons, but a security patch may be bundled with it. Microsoft Windows offers automatic Windows updates, and in its newest release, Windows 10, installing them is no longer optional. So keeping Windows up to date is easier than ever.

Problems with Patches

The main risk with patching software is breaking other programs. This is usually only the case with updates to larger programs that other programs depend on, such as operating systems or anti-virus software. Applications that no other software relies on are usually immune. With automated patch management this can happen without you realising it. The problem can be mitigated by patching manually, but knowing when and what to patch can be a hassle for home users.

When to Patch?

The short answer is: as soon as a stable patch or fix is released by the vendor. It is good practice to check for patches to your software products about once a month. If you use your computer daily, or it stays online constantly, as with broadband connections, you may need a stricter schedule, such as weekly or fortnightly. Of course, automated patch management removes the need for such time-consuming tasks.

As mentioned, automating patch management can save much time and energy. Check with your software vendor for information on when patches are usually available. And also check if the program offers automatic updates to its software. This mundane task can be handled with little user intervention and may be possible to run at times when the computer is idle or late at night when it is not in use and doesn't restrict your browsing bandwidth.

Act proactively in order to minimize exposure to known vulnerabilities and zero day attacks.



Information Security League, through our partnership with Heimdal Security, offers you a 70% discount to the Heimdal Pro. Just use infosecleague34 as voucher code in their site when you order the product.