Author Archives: Scott

How Likely Is Hacktivism?

After the major data breach at Sony this December, the Houston Chronicle published an article, “Imagine If a Major Oil Company Got Hacked.” They proceeded to report: “For example, can you imagine reading emails from Exxon Mobil’s top management about relations with Russian President Vladimir Putin? Imagine the documents that hackers could obtain if they broke into the servers at BP, Chevron or Royal Dutch Shell? What would happen to one of these companies’ stock price if suddenly a good portion of their emails became public? What would happen to the sector? Hackers could probably find something embarrassing enough to try to blackmail these companies. Sony has shown that if pressed hard enough, and long enough, a major corporation will crack… most major corporations say they maintain strict cyber-security standards. The problem is that professional, determined hackers tend to stay a step ahead.” The Houston Chronicle got most of it right, except that we don’t have to “imagine” a major oil company getting hacked. It’s happened already.

According to a study by PwC, the number of reported cyber-attacks carried out on oil and gas companies last year soared above 6,500 cases – a 179 percent increase from the year before. Frost & Sullivan has also reported that cyber security uptake is expected to surge and become “the highest-priority area for oil and gas companies”. This comes at a time when automation is increasing the oil and gas companies’ risks. Leaked emails, the result of hacking most people think of first, might sound harmless, but the damage from an intrusion can range from embarrassed reputations and disrupted supply to millions of dollars in losses, or even health and safety incidents if critical equipment fails or is led astray by faulty data. As the industry becomes more automated and technologically advanced, its vulnerability increases. With the trend toward digital oilfields and other industrial internet advances, sensors are generating more data than people are. Readings such as temperatures, pressures or drill speeds can be manipulated, which could disrupt or damage operations or, worse, endanger the safety of those who work with hazardous equipment or processes.

In 2014, the National Security Authority Norway (NSM), Norway’s prevention unit for serious hack attacks, revealed that 50 companies in the oil sector had been hacked and that 250 more were being warned by the agency. Statoil, Norway’s largest oil company, was a target of the attack, the largest of its kind against Norwegian interests. It was believed to be a response to Statoil pursuing a partnership with Russia’s state oil company to explore for oil in Norway’s Barents Sea. Indigenous and environmental groups have deep stakes in blocking drilling operations.

In June 2013, the oil and gas industry found itself in the crosshairs of the hacker activist group Anonymous, which announced plans to launch cyber-attacks on countries involved in the global oil trade. This was prompted by revelations that European investigators were probing BP, Royal Dutch Shell and Statoil for oil price manipulation. Dubbed Operation Petrol, the attacks focused on countries including the United States, Canada, Russia, China and Saudi Arabia.

Also in 2013, Anonymous attacks shut down or slowed the websites of businesses that had cut ties with WikiLeaks, including MasterCard Inc., Visa Inc. and PayPal. The campaign, Operation Payback, brought Anonymous new followers from around the world. Via online chat forums and social-media websites, participants disseminated instructions on how to download attack software and which sites to target. Software called LOIC, or Low Orbit Ion Cannon, was downloaded tens of thousands of times, security specialists say.


Below are typical cyber-attack tactics used by hacktivists:

Denial-of-service attacks

Computer users bombard website servers with data in the hope of knocking them offline. Targets have included companies such as PayPal and MasterCard, as well as government sites, including the CIA’s. Such attacks can cost the victim tens of thousands of dollars, including the cost of defending against the attacks and improving security.

Hacking

Break-ins into computer systems, potentially giving access to sensitive data such as customer information and internal emails. A hack into Sony’s systems resulted in the theft of personal data of about 100 million online video-game users. Sony shut its popular PlayStation online network for nearly a month and has estimated that the attack cost it about $171 million. Anonymous participants said the group didn’t orchestrate the attack but couldn’t rule out that someone involved with the group took part.

Doxing

Involves finding personal information about people and disclosing it online. LulzSec this week claimed to have ratted out two U.S. individuals it said had “tried to snitch” on the group, apparently disclosing names, addresses and other contact information.


— Gene Dieden

Presenting Internet Safety to Families

Recently, I was asked to give an Internet Safety presentation to a scout troop. It occurred to me that preparing an Internet Safety presentation for children can be a bit daunting in a world where it is possible, if not probable, that the audience is more tech savvy than the presenters. The Internet today is different even for younger families, who must be aware that “online” is much more than time spent on the computer, and that traditional PC controls and monitoring are not sufficient; online can mean game consoles, phones, or even an alarm clock (anyone else remember the Chumby?). A check on my own home router showed over two dozen internet-connected devices! Much like a large metropolitan city, the Internet is an amazing place, with some of the finest examples of our culture available at the click of a button or the swipe of a few gestures. It is also home to a plethora of material that is not appropriate for all ages, creeds, or cultures. One would likely never drop a child off in a big city and expect them to explore it unprotected and remain safe.

Bilateral education and communication are key: continual conversations about what is appropriate, what is not, and what dangers to look out for should be mixed with a genuine understanding of the technology and applications being used. Just as in the real world, educate children that there are bad people out there, while taking the time to understand from them which real-world influences are affecting their safety. Ensure they are comfortable talking to you about risks, and that you are comfortable asking them to explain the technologies they are using. There are many resources available for Internet Safety; some are better than others. Here is a short list of resources that are particularly helpful:

  1. Protect your home. It’s not enough to simply protect the home computer anymore; protecting your network at the router helps protect all of the devices in your home. OpenDNS (http://www.opendns.com) is a great free service that is simple to set up and use; it is excellent for filtering and protecting against malicious website activity and other internet services. Secure The Human (http://securethehuman.org) has a great infographic with a lot of helpful tips for securing the home.
  2. Educate each other. McAfee (yes, the anti-virus guys) has a service, InternetSafety.com (http://www.internetsafety.com/internet-safety-presentations.php), with a good Internet Safety presentation that is age-appropriate for teens and tweens. Use this to present to a group of children or young adults, and couple it with this presentation for their parents from (ISC)², an organization focused on educating security professionals: https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/top-ten-tips.pdf
  3. Get professional help. Safe and Secure Online (https://www.isc2cares.org/safe-and-secure/) is a partnership with Childnet International and is a valuable collection of resources that can be tapped to bring certified, accredited, and screened information security experts into classrooms or groups. It’s a volunteer program in which professional security volunteers visit school classrooms or community organizations as guest speakers, teaching children ages 7-14 about online safety and responsibility. By signing up at their website, you can get an information security expert who will spend about an hour, at no charge, teaching students and their parents how to be “educated, responsible digital citizens.” The (ISC)² Safe and Secure Online (SSO) program can gear its instruction to groups of children ages 7-10, 11-14, or even their parents.

Protect Your Online Life with Multifactor Authentication

Although much has not yet been made clear about the recent announcement that a Russian crime ring had amassed 1.2 billion user identities (combinations of user names and passwords), one thing that should be clear is that protecting your online identity with just a password is not good enough. This type of identity theft has been going on for years and is why major social and email Internet sites offer multi-factor authentication to their users. Even computer gaming sites like Steam and Blizzard offer multi-factor authentication to their players.

Multi-factor authentication is the use of two of the three established ways to verify a person’s identity: what you know (like a password), what you have (a physical token or even your cell phone), and what you are (DNA or fingerprints). Using multi-factor authentication is the best way currently available to ensure your accounts don’t get abused. It increases security by adding another barrier to entry; it requires something you’ve committed to memory (like your password) and something you have in your pocket (your phone or a key fob). By adding this additional authentication to access an account, you are requiring yourself, and also the bad guys, to have two forms of identification, so a password stolen in a breach is no longer enough on its own.

Enabling multi-factor authentication is an extra step initially; however, most service providers make this easier by allowing users to trust certain mobile devices or computers, essentially establishing a registered personal device as ‘something you have.’ Wherever possible, it is a good idea to use any multi-factor authentication your favorite service offers; if it’s not obvious how to do it or whether it’s offered, contact their support service. Here is a list of some popular Internet sites and how you can set up multi-factor authentication to protect yourself:

  • Apple: Apple’s two-factor authentication sends you a 4-digit code via text message or Find My iPhone notifications when you attempt to log in from a new machine.
  • Bank of America: They use a feature called “SafePass.”  It lets a user authorize transactions using one-time, 6-digit passcodes.
  • Chase.com:  To activate, their users need to request an “Identification Code,” which gets delivered by email or text message. Users can then enter their secure mobile site, https://m.chase.com.
  • Dropbox: Dropbox’s two-factor authentication sends you a 6-digit text message code; it also will let you set up Google Authenticator. Dropbox will also allow a user to trust a device.
  • eBay: eBay’s Secure KeyFob supports a hardware fob on a keychain that displays a changing (tumbling) code.
  • Evernote: Evernote users can use the Google Authenticator app; premium users can also receive a code via text message. Evernote will also allow a user to trust a device.
  • Facebook: Facebook uses a feature embedded into their mobile app called “Code Generator.”  Facebook will also allow a user to trust a device.
  • Google/Gmail/YouTube: Google uses a smartphone app, Google Authenticator (available for Android, iOS, and BlackBerry), that generates a 6-digit code for two-factor authentication. Google will also allow a user to trust a device.
  • LinkedIn: LinkedIn’s two-factor authentication sends a 6-digit code via SMS.  LinkedIn will also allow a user to trust a device.
  • Microsoft Accounts (including Office 365): Microsoft’s two-factor authentication sends you a code via text message or email; they also support other authenticator apps like their own authenticator app or Google Authenticator.  Microsoft will also allow a user to trust a device.
  • PayPal: PayPal’s two-factor authentication sends you a 6-digit code via text message. PayPal will also allow a user to trust a device, and also supports their Security Key fob.
  • Twitter: Twitter’s two-factor authentication sends a 6-digit code via text message. Twitter will also allow a user to trust a device.
  • Yahoo! Mail: Yahoo’s two-factor authentication sends you a 6-digit code via text message.  They will also allow a user to trust a device. NOTE: As of this writing, AT&T’s version of Yahoo mail did not seem to support the multi factor authentication.