Hello again everyone! October has come and gone in a flash. We had an amazing time at Texas Cyber Summit, and it was uplifting to see how this community comes together to educate and empower one another. During this time, I was honored to chaperone an aspiring group of cybersecurity enthusiasts who are a part of the Cyber Patriot program.
It was amazing to see how quickly these kids picked up and understood complex issues that honestly did not even exist when I was their age. They are growing up in a time when phishing and credit card skimmers are an everyday issue, and it brought to mind how we in the technical community often take for granted what we may consider “simple” security practices. As we wrap up Cybersecurity Awareness month, I have asked two of my favorite Cybersecurity enthusiasts, Justin Mitchell (whom you might remember from our previous blog post – October is Cybersecurity Awareness Month – and Ermin Kreponic, to join me in helping shed light on some of these topics.
Would you each take a moment and introduce yourselves?
Justin: Sure, so for those that didn’t catch me in your last post, I’m Justin Mitchell, a Security Training Architect here at Linux Academy. I’ve been in the IT field for the past 12 years, with the last 8 being in Security. I’ve worked in several positions with the Federal government as well as in the healthcare field.
Ermin: Hi all, my name is Ermin, my last name is Kreponic, good luck pronouncing my last name… I am a Security Training Architect here at Linux Academy and a fairly relaxed, down to earth, approachable person. Over the course of my career, I worked on malware reverse engineering, surveillance, and tracking software, creating and fighting against botnets and a bunch of other stuff. That sounds really cool, but in reality, it involves me sitting in a chair for 12 hours a day or more with a liter of coffee. That is why I always religiously preach to have fun with what you are doing! And to love it! Otherwise, it will either be “just a job,” or you will give up on it. In any case that is me, if you would like to know more or have some specific questions in mind, please feel free to reach out to me at any time via our community Slack in the security channel or via community posts on Linux Academy website.
As you both know I am writing this blog post as a part of Linux Academy’s “It’s Okay to be New” series. We had an opportunity to hear about Justin’s journey earlier this month. Ermin, would you take a moment and tell us about how you got your start in Cybersecurity?
Ermin: Well I guess you could say that my computer days have started before school with a DOS computer; sadly they did not start with Linux, but oh well. I did not have a GUI and had to make due with the DOS command line interface (Windows CMD is generally terrible to me, PowerShell is a slight improvement). Later on, my dad gave me a copy of openSUSE on a CD (CDs – an ancient piece of technology used for data storage). I rushed over to install it and to see how it works, but there was no YouTube or readily available tutorials, so I had to ask people in person and ask for help; actually read books and manuals. It worked out somehow after a lot of struggle, and there was a sharp learning curve simply due to the lack of readily available tutorials and resources. Today this process is way, way, way, and I mean way, easier. Soon enough I got acquainted with the almighty Linux terminal, and it was an eye-opening experience. Commands were intuitive, and I could do pretty much everything. Sure enough, it did not take long for me to start playing around with stuff and start breaking and fixing things. Those were my baby steps. As time went by, I slowly over time acquired more and more knowledge and became more proficient at certain things. And this is really the moral of the story, there is no instant gratification, and it takes a lot of hard work and sacrifice, but enough of that. Being able to disconnect the whole college campus from wifi, or being able to virtually enslave an entire internet cafe and control all the PCs there, etc… Well, that can be classified as fun stuff! Right? NO! That would be illegal! And just because you are able to do something does not mean that you should do it.
I had the fortune to have my family steer me in the right direction, where I was able to put my skills to good use and benefit myself and my clients. That is another lesson that I learned. You can make a good living not breaking the law.
In any case, I went from one client to the other gathering experience, learning new stuff until I eventually was involved in creating facial recognition software for border surveillance. Another project involved reverse engineering malware jet; another required me to work on creating a botnet. Another notable one was the creation of a physical keylogger and so on and so on.
That is my story in a nutshell…. If you have any questions please feel free to reach out!!!
I’m going to jump right into one of the subjects I have seen become more prevalent in the last year and that is credit card skimmers. For our readers who may be unaware, credit card skimming is a type of credit card theft in which a criminal will use a small device to steal credit card information from a legitimate purchase such as purchasing gas at the pump or using an ATM. The advice I always see on the news is to jiggle the reader to ensure its securely in place as well as look for the security seal at gas stations. Could you give us any additional things to look for or advice on how to stay secure during day to day transactions?
Ermin: Actually, this is one of those problems that is just getting worse and worse over time. Here is the deal, credit card fraud was rampant before, but with the coming of NFC and wireless cards it has quite literally never been easier to get someone’s card credentials. Please keep in mind that when I say that it has never been easier, I am not stating that it is easy to perform this kind of fraud today, all that I am saying is that it got easier as opposed to before. People are using all sorts of technologies that they do not understand, and in a lot of cases are completely unaware of all the risks and dangers.
A malicious individual can walk down the street with a proper device and gather a metric ton of data by just going close or rubbing on other people in the street and reading their NFC capable cards. In addition to this, you also have devices that are placed on the legitimate ATMs that read your card credentials. On top of it all, someone came up with an idea to break into a storage facility in Dubai where the devices used in stores are stored, and modify them with custom hardware from the inside. This custom hardware would capture card credentials, and then they would be transmitted wirelessly; to make this even worse, this data was gathered over a longer period of time and amassed. So people went about their lives and kept on using their cards completely unaware that their credentials were stolen….
You need to be very careful with new technologies and not use something just because it might be trendy or convenient; my advice is to keep it as simple as possible! Think about it, do you really need an NFC capable credit card? Why not create a daily limit at the bank, in most places this is free, phone notifications are also nice, and of course, survey the ATM before usage. Chances are that you might notice something out of place, and do not use the ATMs that are in dodgy, secluded places. Remember your behavior in most circumstances can either make you into a victim or save you a lot of headaches later on.
Justin: Ha, so credit card skimmers are a true pain! I don’t know that the jiggle trick works all that well, to be honest. Anyways, probably the biggest thing to watch for is the same thing people should’ve been watching for the past 30 years: social engineering. It’s actually just as effective today as it was back in the 80s, which is shocking. I think we’ve all heard the sob stories, right? “My car ran out of gas…. My grandma is sick… I’m a Nigerian prince and need someone to pick up my check and send me a money order…” These work, that’s the reason we keep seeing them over and over and over again. Especially with the holiday season approaching, we’ll start to see more of it, so just be cognizant of what’s going on and don’t be a sucker.
Many people decide to bypass this issue along with the long lines and holiday stress by shopping online. What are some tips they can implement to protect themselves?
Justin: The holiday seasons are weird, right? There’s the scent of pumpkin spice in the air, the leaves are turning brown, and an increase in… crime? That’s right! And cybercrime is no exception. As a matter of fact, it’s now believed that the cybercrime black market is more valuable than the international drug trade!
Did you know experts estimate that 50 million individuals were the victim of cybercrimes between the months of October through December in 2017? As folks are ramping up to figure out their Halloween costumes, carve their turkeys and looking for that perfect Christmas gift for their loved ones, cybercriminals are hard at work. Most online retailers see their peak performance during this time, sometimes recording sales at a whopping 100 times their sales during the rest of the year, which is why it is such a great target for these criminals.
Use alternative payment methods when shopping online
Statistically speaking, if you shop online, your payment information is going to be compromised at some point. If you keep an eye on those charges and determine one to be fraudulent, you’re going to contact your financial institution to issue a chargeback. Unfortunately, these chargebacks that allow you to reclaim stolen money sometimes take as long as 60 days. If using your debit card, this money could be pulled directly from your checking account, leaving you unable to access it when needed. When using a credit card, you simply wait on the chargeback to drop the charges from your card. Most institutions will also perform a chargeback on any interest that has been accrued as well.
Of course, there are other payment options as well. Paypal and Square are two of the industry standard options that are widely accepted by most online retailers. You also have the ability to buy prepaid credit cards from many retailers. Any payment option that doesn’t give direct access to your accounts is a much safer alternative to use for online purchases.
Pay attention to your emails and watch for phishing and spam
Most retailers increase the amount of discounts they offer during this time of year. They want to get people in the door, and what better way to do it than offer 50% off of an item that you weren’t going to buy anyways? BUT BEWARE! Ads that appear to be too good to be true, probably are. Many of these fake ads will lead you to nefarious websites or to websites that are already breached.
It’s also especially important to verify anyone asking you for sensitive info. If your bank calls you and starts asking for your details, hang up and call your bank’s official number. The same basic principle applies to emails. Most financial institutions have a policy that they will NEVER ask for information via email. So, be extra careful with any emails you receive that appear to come from financial institutions.
Internet of things (IOT) has become a hot topic with more and more people connecting to the internet through more than just their computers. They are connecting their household items such as refrigerators, security cameras, doorbells, and even their pet’s treat dispenser! Should people be concerned about the security of these items and if so what steps should they be taking to help protect their privacy?
Ermin: The primary problem here is the lack of security updates. For example, a smart refrigerator will probably never receive any security updates for its firmware, so if anyone ever finds any vulnerabilities they will probably never get patched. You, a user, will end up with a permanently vulnerable device in your house.
The more devices existing in the house that have networking capabilities, the greater the number of points of failure! Again just think about it. Do you really need that smart refrigerator? Think about the risks associated with it! Do not, and I mean do not just blindly trust the manufacturers in terms of security.
Justin: The Internet of things (IOT) is kind of an interesting phenomenon. Things that you used to have to be in front of to operate, you now can control via an app on your phone. It’s actually pretty scary, to be honest. Obviously, these IoT devices are built with functionality in mind and security is not even an afterthought. How many times has your device told you an update is needed and you thought: “I can’t be bothered with this right now”? Probably more than you’d care to admit, right? Now, what if I told you that those updates included fixes that addressed major vulnerabilities that would allow an attacker to take control of your home automation systems? Would that change anything? Probably not, right? Because it’s not convenient to have to go without that device for even a few minutes. That’s exactly the concern that I have about these IoT devices, they go unpatched for days, weeks, months at a time, and where does that leave us in the grand scheme of things? The biggest step anyone could take is to install patches as they come available as these generally address vulnerabilities that are discovered in that device.
Another simple step everyone could take is to enforce passwords on their home networks. It seems simple, right? But as late as 2016, as many as 20% of US households had no passwords or default passwords for their home networks. Let me make a quick comparison: what if I told you that 1 out of every 5 houses in the US didn’t have a lock on their front door? You’d probably think those people are crazy, right? How could that many people not care about the contents of their home? That’s essentially what you’re doing when you don’t even have a password on your home router! You’re saying: “Hey, it’s cool if you want to come in, hang out, eat my food, use my bathroom, and walk out with my TV.”
I reached out on Twitter and asked our community, “What is a #CyberSecurity practice/standard/concept you wish more non-technical individuals knew about.” The answer I kept seeing was password managers. I have been on the fence on this topic as I do feel that this may give individuals a false sense of security as well as a single point of failure. How secure are these password managers and are their steps that you would recommend we take when using them.
Ermin: I generally do not use them, nor do I like them, as they represent a single point failure. If a password manager is compromised, then pretty much all of your accounts are compromised as well. Then again, for the average user a web browser password manager should be good enough as long as there is a viable recovery method and that two-factor authentication is set up on some of the more important accounts.
I personally do not write my encryption keys or passwords anywhere, I have a way of creating them and an approximation of how they will change over time. On top of this I make a note to type them in at least once a week so as not to forget them. When I go outside I am already logged into all of the services of importance and the device is remembered by the services, so I do not really type in my passwords in public. In a nutshell, if you are not an IT person and are not knowledgeable in regards to the subject, I would recommend you just use Firefox, Chrome or Safari and use their password managers in combination with two-factor authentication.
Justin: To your first point, they’re still infinitely more secure than using the same password for multiple accounts. I think we’ve all fallen into this trap at one point or another, right? Maintaining a long list of passwords for each individual site can be cumbersome and takes a lot of management skills. However, it has been confirmed that attackers will often use breached credentials from one site to gain access to accounts on other sites. There’s just too much at risk, in my opinion. For those folks that don’t have the patience to deal with trying to keep track of multiple passwords, using a password management system, such as KeePass (TOTALLY FREE!), allows you to only have to remember one master password. These password management tools act as a sort of virtual keychain for you to store and manage your credentials.
Now, to your single point of failure concern, yes. But, in theory, you should keep a backup of the password manager file on an external drive. It’s honestly that simple. Another best practice is to still continue to rotate your passwords, at least every 90 days.
What are some of the trends that you are seeing in terms of Cyber Security threats that our readers may not have heard about yet? Or may not have thought to bring up to their friends and families.
Justin: I think one of the latest trends that no one is talking about is embedded system security. Embedded systems are everywhere, and traditionally these types of systems were segregated from our corporate environments. However, over the past couple of years, the line between corporate environments and these other systems have become more and more blurred. Since many of these devices are rarely thought about during our day-to-day security operations, they introduce vulnerabilities to our environments.
For those of us who may be a bit newer than others, could you expand on what embedded system security is?
Justin: I cover embedded system security in my upcoming Security+ Prep course, so if you’re interested in learning more, check it out! But in a nutshell, every system that we come in contact today is made up of embedded systems. Your smart fridge, cars, printers, multifunction devices, smartphones, the list goes on and on, are made up of embedded systems. These are simply small devices that contain both hardware and software that allow these devices to perform their function in the overall scheme of the device that they’re in. In other words, they’re mini-computers that perform specific jobs that allow our devices to function appropriately.
The reason they’re such a huge concern to me is they literally impact us in our everyday life, and nobody is talking about them. NOBODY! These devices are subject to the same IP-based attacks than any other device on our networks, and organizations are not taking the proper procedures as a whole to protect these devices. No vulnerability scans, no patches, no compensating controls around them at all, and nobody is talking about this. It’s scary!
Thank you both for your time today!
That’s all for this week’s “It’s Okay To Be New: Cybersecurity In The Real World.” If you have any follow up questions or ideas on topics for us to cover please leave a comment below.