Hacking of Facebook pages possible, but not probable, experts say

by Kayla Canne, Sun Chronicle Staff, March 4, 2017

James Lang, a selectman candidate before he was eliminated in February’s preliminary election, was caught with Facebook posts disparaging Muslims. He apologized, told The Sun Chronicle he would quit the race, and shut down his Facebook page.

Two days later, Selectman Paul Belham was found with anti-Muslim posts on his Facebook page, along with posts mocking the accent of Mexicans. Belham dismissed the posts as the work of social media “hackers” who find their way into his account every few months, despite attempts to clean up his page and change his passwords.

Then within days, Lang was back, claiming he, too, was the apparent victim of hackers, and was staying in the selectman’s race, where he finished in last place.

The two situations, within a week of each other, beg the question: How could two small-town officials end up targets of social media hackers posting similar content?

Is it remotely possible?

Cybersecurity experts couldn’t be sure, but they did lend some insight into how social media pages could be hacked.

“Hacking means basically getting unauthorized access to a social media account to do whatever you want with it,” said Azer Bestavros, a computer science professor and cybersecurity developer at Boston University.

And the hackers themselves? They could be anyone — from an estranged ex-wife with an ax to grind to a passerby who stumbles upon a Facebook profile left open on a public computer. Then, there are more sophisticated hackers.

“Say, someone wants to get into the Department of Defense,” Bestavros said. “Their computer comes with a lot of protections, naturally, so instead they might make their way into it by hacking into employees’ accounts.

“They start by hacking normal people with the hope they would get to the real target.”

Also, users who frequently visit risky sites open themselves to viruses that can latch onto their keystrokes or find passwords hidden in their computers, Bestavros said.

And, some offer hacking as a service. Yes, you can buy access to social media accounts.

“It’s difficult with cybersecurity because there’s so many reasons or ways this happens,” Bestavros said. “But, if you have somebody who is determined to hack your account, they probably will.”

And that’s simply due to the nature of social media sites, said Jonathan Gossels, president of a Sudbury network security consulting firm, SystemExperts.

“Social media sites are designed to make it easy for people to get on and disseminate information,” he said. “They’re not designed to be highly secure sites.”

Joe Clapp, a senior consultant with the firm, said hackers tend to find usernames and passwords from less secure sites and — because people tend to use the same password for several sites — use that information to hack in elsewhere.

The motivation isn’t always clear.

“If someone’s purpose is to spy on you, they’ll just spy on you,” Bestavros said. “But they could also use you to get to your friends or to see how people would react to different postings. It could be getting revenge.

“It could be as simple as bragging rights or as serious as propagating some agenda or virus, or to get people to click on a link posted by someone they could usually trust.”

Clapp described social media hacking as a “target of opportunity” — hackers use the platforms of others as a billboard for their own opinions, products or research, oftentimes unbeknownst to the victims themselves.

But if Lang and Belham were the victims of hackers, there is one way to clear their name.

“I would urge them to launch an investigation with Facebook,” Clapp said. “They can look at the technical trail and IP addresses to find where these posts came from. They can look and see, did it come from this account itself?”

Bestavros said he couldn’t comment on Lang or Belham’s postings directly, but did say the length of the posts — which stretch back as far as 2014 for both men — could be suspicious.

“It’s unusual. If you’re hacked once, you would think you’d learn your lesson and be more guarded,” he said. “It does suggest there is some persistence there. Typically, you don’t see the same person being hacked every few months.

“Could it be possible? Yes. Is it likely? That’s another question I don’t think we can answer.”

How Big an Issue is Security; How can it be Addressed?

Other than the technology itself of an IoT device and the service it provides, the single most important characteristic that will define either success or failure, no matter what the size of the business, will be the security of that device.

The IoT is only in its infancy and yet there has already been an alarming diversity of exploits that have rocked our consciousness, including hacking into personal medical devices, automobiles, home security devices or highly publicized access to industrial systems controlling basic infrastructure like power.

A concern for the future of IoT is that manufacturers are being pushed to release products as soon as they can so they don’t fall behind competitors. Historically, that means that important security issues haven’t been properly planned for or tested, which means they can be ripe for a whole new wave of viruses and other malware, denial of service attempts and most critically, an attacker taking unauthorized control of the devices. One of the obvious worries that many security experts have is that many of the manufacturers that are now working to develop IoT devices haven’t had to think about network security for previous versions of their products (e.g., automobiles, home appliances, personal medical devices, cameras).

To try and stay ahead of the potential exploits and inappropriate access to sensitive data, the manufacturers are going to have to deal with the same tried and true security areas that other network devices like firewalls, routers, handhelds, tablets, laptops and other network based systems have had to deal with. This list includes:

  • Authentication
  • Authorization
  • Encryption of sensitive data at rest and in transit
  • Maintaining updates
  • Monitoring the physical security of IoT devices
  • Privacy and confidentiality with regards to security standards
  • Secure administration

In short, the security implications of the IoT devices are the same as virtually every other type of connected device you have come to rely on. The more secure an IoT device is with respect to the above security areas, the more likely it is to be adopted and to stand the test of exploits and hacking.

Impact of a Data Breach on a Small Business

While our main focus is as a provider of IT compliance and security consulting services, we have been called in to help a few small businesses handle security incidents and data breaches. These calls come to us after the client has discovered there’s been a security incident or data breach and as a result is seeking to engage a security consulting firm for the first time.

In such cases, SystemExperts typically has to guide the client through the entire incident response process. Too often in these cases the client is not aware of its legal obligations regarding notifications and the triggers that determine what notifications must be performed. SystemExperts has found that in some cases, small companies are not fully aware of what laws, regulations, or contractual obligations are applicable prior to discovering the security incident.

In our experience, the impacts of a data breach vary wildly.  Companies that have an existing security program and have an established security incident response policy and plan that they have previously tested suffer smaller impacts. Companies that have not prepared for a data breach in advance  typically experience the greatest impact.

A data breach could cause the financial failure of a company, although no SystemExperts clients have suffered that consequence. Other impacts can include:

  • System outages of several days as changes are made to prevent a reoccurrence
  • Loss of business due to reputation damage
  • Costs associated with notifying all impacted individuals
  • Costs associated with compensating all impacted individuals
  • Time, effort, and costs to contact the media and respond to inquiries from the media
  • Time and effort to notify state or federal agencies
  • Long term costs associated with new compliance requirements
  • Costs associated with forensics investigation, if any
  • Costs associated with resulting legal action, if any

Some data breaches may be the result of a fundamental design flaw in a company’s website or IT system.  In such cases, it could take several days or even weeks to implement all of the changes necessary to prevent a reoccurrence of the data breach. In other cases, a company may be able to determine the root cause and long term fix in less than one business day. Companies that can address the remediation quickly usually already have a security program in place.

The costs of notifying all impacted individuals and the costs associated with compensating all impacted individuals can vary greatly. If the company has sufficient audit logs in place, or the assistance of a qualified computer forensics team, it might be possible to prove that only a small number of individuals are impacted by the breach. Note that having a certified forensics team perform an investigation can be expensive. SystemExperts knows of one company that was able to demonstrate that a breach only impacted nine individuals out of thousands of customers without needing to engage a third party. Knowing that level of detail greatly reduced the cost and time required to perform the notifications. In other cases, a company may be forced to assume that every customer and employee has to be notified and potentially compensated.
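To make the audit-log point concrete, here is an added example (not SystemExperts' code and not data from any client) that scopes a breach by collecting the distinct customer records touched in any session tied to a known-bad source address. The log format, field names, session ids, account names and addresses are all constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample audit log: one row per application event.
SAMPLE_LOG = """\
ts,session,src_ip,account,action,customer_id
2016-03-01T09:00:12,s-101,10.0.4.17,jsmith,READ,C0001
2016-03-01T09:02:40,s-101,10.0.4.17,jsmith,READ,C0002
2016-03-02T02:14:03,s-207,203.0.113.50,jsmith,LOGIN,
2016-03-02T02:14:31,s-207,203.0.113.50,jsmith,READ,C0002
2016-03-02T02:15:09,s-207,203.0.113.50,jsmith,READ,C0417
2016-03-02T02:15:44,s-207,203.0.113.50,jsmith,EXPORT,C0417
2016-03-02T02:16:20,s-207,203.0.113.50,jsmith,UPDATE,C0555
2016-03-02T08:30:00,s-208,10.0.4.22,akhan,READ,C0900
2016-03-02T08:31:10,s-208,198.51.100.7,akhan,READ,C0901
2016-03-02T08:45:00,s-209,10.0.4.22,akhan,READ,C0902
"""


def scope_breach(log_text, indicator_ips):
    """Return the set of customer records that must be treated as exposed.

    A session is tainted if ANY of its events came from an indicator IP.
    Every record touched in a tainted session counts, including events
    from other addresses, because over-including is the safe direction
    when deciding who to notify.
    """
    events, unparsed = [], 0
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            ts = datetime.fromisoformat(row["ts"])
        except (TypeError, ValueError):
            unparsed += 1          # bad or missing timestamp
            continue
        session, src_ip = row.get("session"), row.get("src_ip")
        if not session or not src_ip:
            unparsed += 1          # truncated row
            continue
        customer = (row.get("customer_id") or "").strip()
        events.append((ts, session, src_ip, customer))

    tainted = {s for _, s, ip, _ in events if ip in indicator_ips}
    impacted = {c for _, s, _, c in events if s in tainted and c}
    all_customers = {c for _, _, _, c in events if c}
    earliest = min((ts for ts, s, _, _ in events if s in tainted), default=None)

    return {
        "tainted_sessions": sorted(tainted),
        "impacted_customers": sorted(impacted),
        "customers_in_log": len(all_customers),
        "earliest_activity": earliest,
        "unparsed_rows": unparsed,
        # Rows that could not be read are gaps in the evidence: with any
        # gap, the log no longer proves that only these records were hit.
        "scope_is_provable": unparsed == 0,
    }


if __name__ == "__main__":
    result = scope_breach(SAMPLE_LOG, {"203.0.113.50", "198.51.100.7"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

The `scope_is_provable` flag is the part that matters for notification decisions: a narrow impacted list is only defensible if the log covering the incident window is complete and readable.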

When a breach occurs, some companies will simply refer the impacted individuals to free credit report agencies. In other cases a company may decide to reimburse impacted individuals for identity theft protection services or even the legal costs to recover stolen identities. Often that decision is based upon a desire to preserve the reputation of the company.

The costs associated with media are also highly variable. In some situations a company may engage a third party public relations firm to help draft statements and even launch a campaign in order to preserve the company’s reputation. There is also the time and effort required to educate all staff about what they should do if they receive a media inquiry.

A breach may also have a big impact on a company’s compliance costs. For example, a small company that handles a small number of credit card transactions could end up being required to perform an annual PCI-DSS level one compliance assessment as a result of a breach. That level is usually reserved for companies that perform over a million transactions a year for a single card brand. The cost of a level one PCI-DSS assessment could drive some small businesses out of business.

Depending on the type of breach there may also be fines levied and legal costs. In March of 2016, Target’s annual report revealed that the  cumulative expenses from its late-2013 breach totaled $291 million through fiscal 2015.

Companies that did not have a security and compliance program prior to a data breach often end up implementing one after experiencing a data breach. That is also a long-term, ongoing cost, but one that most companies find is worth the effort and expense once they have experienced the costs that a breach can entail.

Why it is Important for Companies to Invest in Cybersecurity Awareness Training

Technology is only as effective as the people that operate it.

Cybersecurity awareness training is the most cost effective investment any organization can make in preventing data breaches, system compromise, reputational damage, and loss of intellectual property.

No one is born knowing how to use computers and networks securely. There are basic dos and don’ts and it is imperative for organizations to teach their employees how to do their jobs securely.

We advise our clients on dozens of specific policies and practices, but here are just a few to illustrate:

  • Don’t use your personal password for work – make sure you use a strong password containing a mix of alphanumeric and special characters and not the local sports team – go Pats!
  • Don’t share passwords
  • Never click on a hyperlink embedded in an email message that comes from someone you don’t know and trust.
  • Never enter sensitive information (either business or personal) on a web page that doesn’t show HTTPS at the top.  The “S”  at the end of HTTP means the message will be encrypted as it is sent across the Internet.
  • Don’t open attachments from strangers or people you don’t trust.  You can’t know what type of malware may be embedded in the attachment.
  • Don’t go to sketchy sites from a work computer – ‘nuff said.
  • Don’t ever download software – your computer has everything it needs – let the IT professionals take care of any updates.

Education, education, education. It pays off!

What Exactly Does the Future of IoT Security Hold?

Picking up on the conversation from my previous post, the Internet of Things continues to pose challenges for many manufacturers as they now have to think about network security for new versions of their products.

One of the worries about the future of the Internet of Things (IoT) is that many of the manufacturers that are now working to develop IoT devices haven’t had to think about network security for previous versions of their products.

What makes IoT such a fascinating area is the huge diversity of things that could be considered a smart IoT device: fitness bands, nanny cameras, door locks, TVs, lightbulbs, coffee makers, personal medical actuators, home appliance sensors, transportation actuators, and weather sensors, to name just a few. The real hope is that these devices will work together and make our lives and the management of our lives easier and tailored to our own needs.

One thing we know for sure about the future of the IoT is this: securing IoT devices requires thinking about exactly the same things we have had to before for wireless routers, handhelds, laptops and desktop systems.

  • Authentication to them
  • Authorization of the transmission of data
  • Encryption of sensitive data at rest and in transit
  • Privacy and confidentiality with regards to security standards
  • Maintaining updates
  • Monitoring the physical security of devices
  • Administration of the devices

The worrisome part of the future of IoT is that manufacturers are being pushed to release products as soon as they can so they don’t get left behind. Historically, that means that important security issues haven’t been properly planned for or tested, which means they can be ripe for a whole new wave of viruses, denial of service attempts and other malware as well as taking unauthorized control of the devices. IoT device manufacturers are going to need to perform “red team” analysis to help determine how the devices can be abused in unforeseen ways, and what the consequences would be.

The future of IoT is bright, with never-before-seen levels of access to data with devices across an amazing level of diversity. The fear is that this explosion of access may happen before the security of these devices is fully understood.

Security Implications of Connected Consumer Electronics

I’d like to pose a question: What do you think the security implications of connecting various popular IoT consumer electronic devices are?

A) No harder than it was for other new devices like laptops, wireless connections and smartphones, or

B) No easier than it was for previous new devices.

The answer is both and a little bit more.

Securing IoT devices requires thinking about exactly the same things we have had to before: authentication to them and amongst each other, authorization of the transmission of data, encryption of sensitive data at rest and in transit, privacy and confidentiality with regards to security standards, securing device interfaces for storing and manipulating data and the obvious yet mundane aspects of maintaining updates as well as monitoring the physical security of the IoT devices themselves.

What’s likely to exacerbate dealing with all of this work that has to get done is the explosion of IoT devices and the almost frenzied anticipation that people have for them. The result is that manufacturers are going to be pushed to release products as soon as they can. Historically, this means that important security issues haven’t been properly planned for or tested.

Keep in mind a simple fact that some device manufacturers are already having to deal with. If the IoT device is connected to the Internet it has an IP address. If it has an IP address, it can be reached by anything and anyone else on the Internet. Ask the video camera and video recorder manufacturers that were involved in the recent massive Dyn DNS DDOS attack that brought a number of sites on the Internet to their knees.

In short, the security implications of the IoT devices are the same as for virtually any other type of connected device (your desktop, a laptop, your smartphone, etc.), but they are likely to be more than that because the sheer number of them will be enormous.

Risks of Plugging a Smartphone Into a Public USB Port

As smartphones continue to increase in popularity, people can find USB charging stations in almost any location. From airports to malls, businesses are offering their customers a convenient way to keep a full charge. Without much thought, most people are quick to plug their devices into any random USB port that they might find, but doing so presents an unknown danger. Although cybercrime is on the rise, most people have no idea where to start when it comes to protecting their vital mobile device. Reports of malicious hackers using public USB ports to steal data are not uncommon, and each time an individual connects to an untrusted USB port, they are taking a significant risk.

When hackers exploit a public USB port, they gain the ability to impact mobile devices in a variety of ways. They can crash the device, upload malware that automatically executes on future computers the mobile is plugged into, video-jack the device (recording the screen while the user performs actions), or permanently brick the device. The best way a traveler can remain secure is by using a ‘power only’ USB cable that does not allow data transfer or an AC to USB adapter.

Important Tip for Companies Looking to Protect Unstructured Data

Most companies are very good at protecting data that they know about and consider sensitive – they restrict access to the HR systems where compensation data is available.  They put access controls and monitoring procedures on systems that store critical intellectual property like formulas or key financial analytics.

Typically, they have formal policies and associated technology deployments and procedures to protect sensitive data.

When someone downloads that data from a secure environment into an Excel spreadsheet or a thumb drive, all the controls are gone.

Technology can’t solve this – this is a human problem. It can only reasonably be addressed through appropriate use policies and extensive and ongoing user awareness training. Employees need to understand DON’T TAKE SENSITIVE DATA OUT OF ITS CONTROLLED ENVIRONMENT!

The CIA has plenty of technology and many smart people, but it couldn’t prevent Edward Snowden.

Down but not out of options: How to keep IT security together in a company that’s gone bankrupt

by Josh Fruhlinger, CSO, October 7, 2016

Corporate chaos

The supply chain upon which modern multinational commerce depends was thrown into chaos earlier this year when South Korea’s Hanjin Shipping filed for bankruptcy. Dozens of container ships with hundreds of crew and thousands of pounds of cargo onboard were essentially stranded at sea, as ports barred the ships’ entry for fear that they wouldn’t be able to pay for docking services.

If you’re working for a company that’s filed for bankruptcy, the consequences probably won’t be as dramatic—you’ll be able to stay on dry land, for one thing. But you’re definitely going to encounter choppy waters when it comes to maintaining tech security. We talked to IT pros who have been through it to find out the best ways to cope.

Excerpt: 

Pursue goals in a cost-effective way

Discrete tasks should be tackled in as low-frills a manner as possible. Jonathan Gossels, president of SystemExperts, described a scenario at a company he helped through bankruptcy: “The company took the critical (and valuable) intellectual property and consolidated it onto a single system and a backup. These systems were not connected to the internet. They retained a skeleton IT staff during the shutdown process to make sure this was done properly; the intent was to preserve the intellectual property and sell it off.”

Link to full article: Down but not out of options: How to keep IT security together in a company that’s gone bankrupt.

Cyber Security Investments: Experts Discuss Detection vs. Prevention

by Nate Lord, Digital Guardian, September 26, 2016

Detection or prevention? 36 security pros and IT experts share their top recommendations for prioritizing security investments.

Enterprises are increasingly aware of the growing need to invest in sound security measures capable of securing valuable company data in the ever-evolving threat landscape. But in the face of budget constraints, some companies find themselves weighing the pros and cons of investing in threat detection versus prevention. Is it possible to achieve a robust security posture by investing in either detection or prevention alone? What should today’s enterprises prioritize in terms of security investments, and why? What’s the appropriate ratio of security spend that should be dedicated to prevention efforts and detection measures?

There are various angles to consider and explore when it comes to this subject. However, it’s one of the most pressing questions facing enterprises today as companies seek to cut wasteful spending and reduce IT costs while improving their security posture.

To gain some insight into the choice between detection and prevention and what today’s top IT and security pros view as the top priority, or if it’s possible to prioritize one over the other at all, we asked a panel of seasoned experts to answer this question:

“Should enterprises focus security investments on detection or prevention?”

Find out what some of today’s IT leaders have to say about prioritizing security investments below:

Alex Chaveriat – Alex is a senior Security Consultant with SystemExperts specializing in network and application security.

“When allocating budgets for security programs…”

Companies are often left with a simple yet difficult decision: how much of the security budget should be allocated for detection, and how much should be allocated for prevention?

The maturity of the security program is a good reflection of where the budget should be spent. In a security program’s infancy, prediction and prevention tend to produce results that drastically reduce risk quicker; however, as the program matures, detecting and responding to threats becomes more important.

Gartner predicts a major shift toward detecting and responding over the next few years. Sophisticated security testing programs and inclusive methodologies are creating maturity in established security programs. That maturity is allowing companies to deepen their understanding of what is going on within the company’s network, thus driving their security investment toward detection.
