The Internet Attacks!



nerrrd
22nd May 2021, 21:39
So these cyber attacks that have been in the news lately seem to be exposing some possible flaws in the ‘I’ve got a great Idea, let’s put everything on the internet’ business / government approach.

How vulnerable are we really? Will they become a regular occurrence? Will paying ransoms become a cost of doing business in future? Or worse?

H-ack! Ack ack! Ack ack ack ack ack!

pete376403
22nd May 2021, 21:59
I know of one government organisation that is closing its data centre in Wellington and putting everything up in Amazon.

Apparently the financial benefits of outsourcing are more important than having control of your own data, in your own secure location.
Of course if the link(s) go down, there goes your access.

The fact that an American company is subservient to the US PATRIOT act i.e. all your data are belong to US (Government) has escaped notice. Or has that law been repealed?

Gremlin
22nd May 2021, 22:31
As someone that works in IT, I just want the aerospace approach to the attacks, rather than traffic collisions. IE, report on the facts, highlight how it occurred. Or, y'know, focus on who to blame, without anyone learning from it.

Ultimately, we can build the most secure system, but if a user gets tricked into (or willingly) provides their details we're going to be fighting an uphill battle. Like a user that infected the network with ransomware two Fridays in a row, a few years back. MFA goes a long way to restricting breaches because a username and password isn't enough (as a Microsoft partner, and having access to multiple systems that give us high level access across all clients, we're ending up MFA'd to the hilt) but we have users that struggle to remember their username and password. Now they have to remember their mobiles, which code to use... and switching on MFA comes with licensing costs...

Besides that, depends on budget (and I bet this is a big factor in the DHB issues). The right kit costs money. It's like trying to explain a door lock being picked 24/7. You'd sure notice on your front door, but not on the internet.

HenryDorsetCase
22nd May 2021, 22:34
one of our mission critical software services is apparently going to be migrating to Amazon servers. All the rest of our stuff lives in a datacentre (I imagine a battery hen farm, but for electrons) in Auckland and one in Christchurch with backups offshore. Not so keen on the Amazon idea

pete376403
22nd May 2021, 23:08
The Covid / let the users work from home thing hasn't helped. People's home computers are invariably less secure (basic free AV software, if any at all) compared to the work environment, but with the lockdown, giving home users access via VPN was deemed important and hastily thrown together. Home user browses some dodgy links / clicks on an email link, next thing malware is lurking in the home PC, and the next time the home user connects to the work LAN via VPN, boom.

R650R
23rd May 2021, 01:06
I think a lot of these things are fake news used to sell fear/agendas/antivirus software...

Get some IT nerd blackmail him over his porn collection and tell him to flick the off switch etc...

And why is a hacker only asking 4 million for ransomware. You’ve just successfully crippled a non functioning crippled healthcare system already in decline in a developed country and you only ask 4 million dollars.....
And what kinda hijacker doesn’t ask for hard cash on a park bench... all electronic transactions are fully traceable ....
The only real hackers are the CIA NSA and they already just use the intel “ inside “ factory installed backdoors ....
I've had no antivirus for 8 years and nothing happens to my electronic gear.

pete376403
23rd May 2021, 02:25
When REvil infects your employer's systems you'll find it's no fake attack. As far as traceable electronic transactions, you've not heard of Bitcoin? TOR routers?

F5 Dave
23rd May 2021, 09:11
I think a lot of these things are fake news used to sell fear/agendas/antivirus software...

Get some IT nerd blackmail him over his porn collection and tell him to flick the off switch etc...

And why is a hacker only asking 4 million for ransomware. You’ve just successfully crippled a non functioning crippled healthcare system already in decline in a developed country and you only ask 4 million dollars.....
And what kinda hijacker doesn’t ask for hard cash on a park bench... all electronic transactions are fully traceable ....
The only real hackers are the CIA NSA and they already just use the intel “ inside “ factory installed backdoors ....
I've had no antivirus for 8 years and nothing happens to my electronic gear.
I hear birth control is a myth and God will decide who gets pregnant. Also condoms give people cooties and there is no such thing as AIDS or herpes, it's just a marketing ploy from Durex starting in the 80s. All those weird STD pictures floating around were photoshopped old school with airbrush.

pritch
23rd May 2021, 09:28
The fact that an American company is subservient to the US PATRIOT act i.e. all your data are belong to US (Government) has escaped notice. Or has that law been repealed?

When I was looking at installing a VPN recently (geoblocking pisses me off), one recommendation was to avoid brands hosted from the US. The US Govt, whichever acts they are using, has too much control over US companies.

IIRC the FBI went after Mega Upload because they used some servers in the US. Otherwise they would have had zero justification to act against a Hong Kong registered company owned by a German/Finn citizen resident in NZ.

TheDemonLord
24th May 2021, 12:59
I think a lot of these things are fake news used to sell fear/agendas/antivirus software...

Get some IT nerd blackmail him over his porn collection and tell him to flick the off switch etc...

As another IT professional - I can tell you guys horror stories about things that I've seen.

The most common causes of any exploits are the following:

Users being stupid (Phishing, Social Engineering, Bad Passwords etc.)
Systems not being patched
Misconfigurations

The first 2 account for the overwhelming majority.

I think in my professional career, I've dealt with 1 or 2 Spam Attacks that have been the result of a technical issue. I've dealt with too many to count websites being hacked because of an out-of-date Wordpress version or similar CMS, but Users with crap passwords is still the biggest culprit.

I've never had anyone try and gain access to any of the systems I have, by targeting me directly. To put it simply - if you've managed to gain enough remote access over an IT Nerd's devices that you have enough evidence to Blackmail them, why would you bother? You've already got enough access to get onto the privileged Network and interact with the File System - you'd just get on with accessing the juicy stuff.

If anything, it would be worse trying to Blackmail the employee - afterall, if they don't know you are there, they aren't looking for you.

TL;DR - keep your shit up-to-date, don't click on dodgy links and password123 isn't a wise choice.

nerrrd
24th May 2021, 15:11
So basically it just takes one user to do something stupid and you can bring down a DHB or a pipeline?

Yikes.

https://metro.co.uk/wp-content/uploads/2016/11/mars-attack-21.gif?quality=90&strip=all&zoom=1&resize=540%2C315

Autech
24th May 2021, 16:19
So these cyber attacks that have been in the news lately seem to be exposing some possible flaws in the ‘I’ve got a great Idea, let’s put everything on the internet’ business / government approach.

How vulnerable are we really? Will they become a regular occurrence? Will paying ransoms become a cost of doing business in future? Or worse?

H-ack! Ack ack! Ack ack ack ack ack!

There are good products on the market to protect businesses from this available which should in 90% of the cases do the job. These will protect against the casual hacker who is sending out emails hoping someone is stupid enough to open them.
Essentially they use a layered defense approach to pick up on these attacks and isolate them if they get through. All of these are licensed in some way so the businesses need to see the advantage of paying for it over the basic router/antivirus package you see in most SME businesses. I managed to get one in at a car dealer that had been crypto'd twice historically, only for their desktop provider to ask me to open up heaps of ports to get their emails going to their old windows server (it's getting migrated soon thankfully).

With Enterprise sized deployments like the WDHB you'd hope they'd have the best of everything. I was involved briefly at the DHB the other night and they seemed to be making really good progress on rebuilding their whole infrastructure. The key now will be to reverse engineer what's happened then put processes in place to protect from this. I'm guessing the kind of hacker that has a go at a government agency is probably pretty smart though so nothing is fail safe.

What it comes down to is that the internet is a huge place and there's most likely millions of would be hackers out there hoping to get lucky. I've seen hackers hit a phone system within seconds of a port being opened up in a router, so it goes to show the magnitude of what we're dealing with.

The cheapest solution is to teach everyone what a phishing attack looks like, but in such a large organisation that's tricky.

Fuck this I'm moving to a cave

Autech
24th May 2021, 16:21
So basically it just takes one user to do something stupid and you can bring down a DHB or a pipeline?

Yikes.

https://metro.co.uk/wp-content/uploads/2016/11/mars-attack-21.gif?quality=90&strip=all&zoom=1&resize=540%2C315

Yup pretty much.

Run the wrong .exe file and boom, she's gunna have a field day on the network until it's stopped

R650R
24th May 2021, 17:03
As another IT professional - I can tell you guys horror stories about things that I've seen.

The most common causes of any exploits are the following:

Users being stupid (Phishing, Social Engineering, Bad Passwords etc.)
Systems not being patched
Misconfigurations

The first 2 account for the overwhelming majority.

I think in my professional career, I've dealt with 1 or 2 Spam Attacks that have been the result of a technical issue. I've dealt with too many to count websites being hacked because of an out-of-date Wordpress version or similar CMS, but Users with crap passwords is still the biggest culprit.

I've never had anyone try and gain access to any of the systems I have, by targeting me directly. To put it simply - if you've managed to gain enough remote access over an IT Nerd's devices that you have enough evidence to Blackmail them, why would you bother? You've already got enough access to get onto the privileged Network and interact with the File System - you'd just get on with accessing the juicy stuff.

If anything, it would be worse trying to Blackmail the employee - afterall, if they don't know you are there, they aren't looking for you.

TL;DR - keep your shit up-to-date, don't click on dodgy links and password123 isn't a wise choice.

When I say blackmail the employee I’m talking in the realms of a special Ops/deep state hit job not some random hacker

I don’t do updates but I’m very selective about what I click and good passwords.... although apparently a high level hacker with good computer can hack any password in 38 mins or something. Also businesses that force employees to constantly change passwords create an environment where they use the shortest one available....

pete376403
24th May 2021, 18:21
The blackmail being referred to in the (eg) DHB case is just another point of force the crypto people use
1. We have locked up your systems, give us money and we will unlock (maybe)

if the victim says no, we will rebuild from backups, then

2. We have also copied a lot of your sensitive data. Give us money or we will release this to the internet

Gremlin
24th May 2021, 18:32
Two main forms of hacking/attacks etc.

The scatter gun, where they're just trying anything and everything to see what gets through, which then either reports back, or gets in, and invites all its friends for a party in your network (that's not a good thing btw). I could easily show you firewall logs, as admin/admin, root/root, user/password etc all get attempted, multiple locations, multiple times a minute, if not every second, via various services a typical business might use.

Targeted. This is way more dangerous. Either they're a market leader, or have an enemy that either personally doesn't like them, or wants them out of business (for whatever reason). I have both of these categories as clients. Unfortunately for the client, we spend more on security than another typical client, but this is all open discussion (as best possible, I like to enable clients to make knowledge based decisions). Sometimes they're quite aware who is after them, but either geographically we can't do anything, or proving it all the way back through layers, is very tricky to do.

Ultimately, people are the problem. As noted above, some have no idea about security. Yeah, we want open access to our device. Sure, your office address? Oh no, from any mobile etc. A client has exactly this, so all those devices have their own separated network - as best possible, coz staff also want to access.... yay. Btw, if any of you still have open RDP, turn it off. Please... changing the external port from 3389 to 33389 or 3390 is not even close to smart or secure. If you can access from anywhere, so can someone else.

Oh, and understand the stakes we're playing with, when we tell you, you can't have p@ssw0rd. Even something like https://www.dinopass.com/ (using a strong password of 10 characters or more) makes it relatively easy to type, while still being completely random and different to anything else you have.

[slightly more geek mode]
Use this to discover if a website you've used was compromised: https://haveibeenpwned.com/
Your passwords are for sale (or freely available), and they will try that password on every logical site, because so many people re-use the same password over and over. If they get access to your email, now they can re-set the password to a website and get the new password.
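The scatter-gun pattern described above (default accounts like admin/admin and root/root hammered from many locations, several times a minute) is what a defender looks for in firewall or auth logs. The following is an added example, not code from this thread; the log format, field names, thresholds and the RFC 5737 sample addresses are all constructed assumptions, so adapt the regex to whatever your firewall actually exports.

```python
"""Flag scatter-gun credential guessing in firewall/auth logs (added example).

Assumed log format (constructed for this example, not any real product):
    <ISO timestamp> <host> auth_fail|auth_ok svc=<service> src=<ip> user=<name>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<event>auth_fail|auth_ok) "
    r"svc=(?P<svc>\S+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)

# Account names a legitimate remote user almost never types, but which
# scanners try everywhere (admin/admin, root/root, user/password ...).
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "user", "guest", "test"}

# Constructed sample: three sources spraying SSH/RDP/SMTP with default
# accounts, plus one real user who mistyped a VPN password once.
SAMPLE_LOG = """\
2021-05-24T18:30:01Z fw auth_fail svc=ssh src=203.0.113.7 user=admin
2021-05-24T18:30:02Z fw auth_fail svc=ssh src=203.0.113.7 user=root
2021-05-24T18:30:04Z fw auth_fail svc=ssh src=203.0.113.7 user=user
2021-05-24T18:30:05Z fw auth_fail svc=rdp src=198.51.100.23 user=Administrator
2021-05-24T18:30:06Z fw auth_fail svc=rdp src=198.51.100.23 user=admin
2021-05-24T18:30:09Z fw auth_fail svc=rdp src=198.51.100.23 user=admin
2021-05-24T18:30:12Z fw auth_fail svc=rdp src=198.51.100.23 user=root
2021-05-24T18:30:15Z fw auth_fail svc=smtp src=192.0.2.200 user=admin
2021-05-24T18:30:40Z fw auth_fail svc=vpn src=192.0.2.55 user=jsmith
2021-05-24T18:30:55Z fw auth_ok svc=vpn src=192.0.2.55 user=jsmith
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def failures_in_window(timestamps, window):
    """Largest number of failures inside any span of length `window`
    (sliding window over the sorted timestamps)."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_scatter_gun(log_text, window=timedelta(minutes=1), threshold=3):
    """Group failed logins by source and alert on bursts or default accounts.

    Returns {src: {"failures": n, "services": [...], "reasons": [...]}}.
    """
    per_src = defaultdict(lambda: {"fail_ts": [], "users": set(), "svcs": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "auth_fail":
            continue
        entry = per_src[rec["src"]]
        entry["fail_ts"].append(rec["ts"])
        entry["users"].add(rec["user"])
        entry["svcs"].add(rec["svc"])

    alerts = {}
    for src, e in per_src.items():
        burst = failures_in_window(e["fail_ts"], window)
        defaults = sorted(u for u in e["users"] if u.lower() in DEFAULT_ACCOUNTS)
        reasons = []
        if burst >= threshold:
            reasons.append(f"{burst} failures within {int(window.total_seconds())}s")
        if defaults:  # even one try at 'admin' from outside is worth a look
            reasons.append("default accounts tried: " + ", ".join(defaults))
        if reasons:
            alerts[src] = {"failures": len(e["fail_ts"]),
                           "services": sorted(e["svcs"]), "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for src, info in detect_scatter_gun(SAMPLE_LOG).items():
        print(src, info)
```

On the sample, the three spraying sources are flagged and the single mistyped VPN login from the real user is not; feeding the flagged sources into a firewall block list or fail2ban-style jail is the usual next step.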

Gremlin
24th May 2021, 18:34
The blackmail being referred to in the (eg) DHB case is just another point of force the crypto people use
1. We have locked up your systems, give us money and we will unlock (maybe)

if the victim says no, we will rebuild from backups, then

2. We have also copied a lot of your sensitive data. Give us money or we will release this to the internet

The 3rd vector now is direct contact to victims/clients of the company breached. We'll release your data, if you don't pay up.

Autech
24th May 2021, 23:09
Two main forms of hacking/attacks etc.

The scatter gun, where they're just trying anything and everything to see what gets through, which then either reports back, or gets in, and invites all its friends for a party in your network (that's not a good thing btw). I could easily show you firewall logs, as admin/admin, root/root, user/password etc all get attempted, multiple locations, multiple times a minute, if not every second, via various services a typical business might use.

Targeted. This is way more dangerous. Either they're a market leader, or have an enemy that either personally doesn't like them, or wants them out of business (for whatever reason). I have both of these categories as clients. Unfortunately for the client, we spend more on security than another typical client, but this is all open discussion (as best possible, I like to enable clients to make knowledge based decisions). Sometimes they're quite aware who is after them, but either geographically we can't do anything, or proving it all the way back through layers, is very tricky to do.

Ultimately, people are the problem. As noted above, some have no idea about security. Yeah, we want open access to our device. Sure, your office address? Oh no, from any mobile etc. A client has exactly this, so all those devices have their own separated network - as best possible, coz staff also want to access.... yay. Btw, if any of you still have open RDP, turn it off. Please... changing the external port from 3389 to 33389 or 3390 is not even close to smart or secure. If you can access from anywhere, so can someone else.

Oh, and understand the stakes we're playing with, when we tell you, you can't have p@ssw0rd. Even something like https://www.dinopass.com/ (using a strong password of 10 characters or more) makes it relatively easy to type, while still being completely random and different to anything else you have.

[slightly more geek mode]
Use this to discover if a website you've used was compromised: https://haveibeenpwned.com/
Your passwords are for sale (or freely available), and they will try that password on every logical site, because so many people re-use the same password over and over. If they get access to your email, now they can re-set the password to a website and get the new password.

Yup the one about the ports cracks me up, I've had IT professionals say to change ports to the closest thing possible to the service ie
4433 for https
50600 for sip Etc

If you want to go random, go random ffs. Better still get a router with built in VPN and don't open anything, a Mikrotik can do it and it's 88 bucks.

I have a security firm with port holes for days for cameras, I always make sure such requests are in emails and I reply back that I don't feel comfortable doing it etc, don't want to be dipping into public liability for something that I warned about.


Sent from my SM-G991B using Tapatalk

FLUB
25th May 2021, 01:44
Everyone knows that 1234 is bad. You have to get smart and reverse it to 4321.

Seriously though, the comment about companies forcing password changes too often is true. 'An acquaintance' had a 17 character random generated password to login to his work laptop. His employer changed the system to force a password change every week. He argued that his own password was more secure but they insisted on the weekly change with at least 8 characters including uppercase, lowercase, number and special character. He started with Idiots-01 and is now up to Idiots-37. He knows that this is common practice in the company but they know best.

Needless to say, he keeps or accesses nothing personal on his work laptop or mobile. He carries a separate personal tablet and mobile everywhere and each have their own SIM card.

He keeps all of his passwords within an encrypted wallet that is accessed by a 23 character random password that he has memorised. I'm guessing that there's not much more that he can do?
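The Idiots-01 to Idiots-37 story above is the textbook failure of "8+ characters with upper, lower, digit and special" under forced rotation: every one of those passwords satisfies the rule. The following is an added example, not code from this thread, showing what a change-time check that actually catches it looks like; the denylist (seeded with the bad passwords other posters named, password123 and p@ssw0rd) and the edit-distance threshold are constructed assumptions.

```python
"""Change-time password check: complexity alone versus complexity plus a
denylist and a trivial-variant test (added example, not from the thread).

At change time the old password is available in plaintext because the user
has just typed it, so old/new similarity can be checked without storing it.
"""
import string

# Constructed denylist: the thread's own examples plus a couple of generic
# ones. A real deployment would check against a breached-password corpus.
DENYLIST = {"password123", "p@ssw0rd", "welcome1!", "qwerty123!", "idiots-01"}


def meets_complexity(pw, min_len=8):
    """The rule FLUB's employer enforces: length, upper, lower, digit, special."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def _stem(pw):
    """Lowercase and strip leading/trailing digits and punctuation so that
    Idiots-36 and Idiots-37 (or Summer2021! and Summer2022!) share a stem."""
    return pw.lower().strip(string.digits + string.punctuation)


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old, new, max_edits=2):
    """True when `new` is the old password with a counter bumped, the case
    changed, a character or two edited, or simply reversed (1234 -> 4321)."""
    if new.lower() in (old.lower(), old.lower()[::-1]):
        return True
    if _stem(old) and _stem(old) == _stem(new):
        return True
    return levenshtein(old.lower(), new.lower()) <= max_edits


def evaluate_change(old, new):
    """Return (accepted, reasons); an empty reasons list means accepted."""
    reasons = []
    if not meets_complexity(new):
        reasons.append("fails complexity rule")
    if new.lower() in DENYLIST:
        reasons.append("on denylist")
    if is_trivial_variant(old, new):
        reasons.append("trivial variant of previous password")
    return (not reasons, reasons)


if __name__ == "__main__":
    for old, new in [("Idiots-36", "Idiots-37"), ("1234", "4321"),
                     ("Idiots-37", "Tramping-under-Ruapehu-9")]:
        print(f"{old!r} -> {new!r}: {evaluate_change(old, new)}")
```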

pritch
25th May 2021, 09:31
I used to use one password for all websites that didn't involve money. I've now been advised several times that password has been compromised, so it only applies now to sites I haven't visited in ages. The longest passwords I use are for the bank, otherwise I'm starting to trust technology. I'd be more comfortable if I trusted it more than I do.

george formby
25th May 2021, 09:38
Technology will save us!

https://newatlas.com/computers/morpheus-processor-secure-darpa-hackers/

TheDemonLord
25th May 2021, 12:03
Yup the one about the ports cracks me up, I've had IT professionals say to change ports to the closest thing possible to the service ie
4433 for https
50600 for sip Etc

If you want to go random, go random ffs. Better still get a router with built in VPN and don't open anything, a Mikrotik can do it and it's 88 bucks.

I have a security firm with port holes for days for cameras, I always make sure such requests are in emails and I reply back that I don't feel comfortable doing it etc, don't want to be dipping into public liability for something that I warned about.


Sent from my SM-G991B using Tapatalk

I personally hate changing from Default Ports - As if anyone with a Port Scanning tool isn't going to find that open port in a few milliseconds longer than it would take if it was on the default port.

If your security solution is to change the port - the question I'm asking is 'Why don't you properly secure the application?'

Definitely agree on if it doesn't need to be public, do it on a private network with a VPN.

Gremlin
25th May 2021, 16:18
Needless to say, he keeps or accesses nothing personal on his work laptop or mobile. He carries a separate personal tablet and mobile everywhere and each have their own SIM card.

He keeps all of his passwords within an encrypted wallet that is accessed by a 23 character random password that he has memorised. I'm guessing that there's not much more that he can do?
In terms of passwords, I've got most websites (got 100+ logins just for personal stuff, doesn't even include my internal home network) on unique randomised 16-20 character passwords. This means if any website is hacked/compromised, nothing else is affected. But how do I keep those passwords? I sure as hell can't remember a single one, let alone all of them. Well, it's a passworded excel file at home, remote access only through VPN, plus Firefox/Chrome accounts sync'd, as I've also got a massive bookmark list of folders in sub-folders in a toolbar etc. They of course also have separate passwords for them. Probably not ideal, but I don't overly like trusting lastpass etc, because I've watched colleagues try to change the access password, then lose all access. The excel file has tabs for personal stuff, family, the 2 internal networks complete with multiple servers etc. If an app or system loses its password, then it waits until I get home, unless I really want to dick around with VPN, reaching into the file storage etc. Waiting for a more complete v3 of Teampass, we use this internally at work for a self hosted solution (but v2, which is a bit clunky), plus it supports MFA.

At a minimum, I suggest tiers of passwords. Banking/IRD gets the most secure. Websites with your credit card next, lastly the junk websites with no risks like credit card details, and arguably, the most likely to be compromised.

As for password policies, we have to change our password every 3 months. I always have to be careful another engineer is around to reset if needed. Once or twice, despite being careful, it just hasn't played nice. Microsoft has now changed to suggest no expiry, and I do see the benefits, but again, comes down to humans. We had an engineer we later uncovered (after they'd left), that loved Welcome123$ for a password. It was fucken everywhere and multiple staff in the same client had it! :eek:

Every user gets a dinopass strong password, especially when I set up new starters. Most actually keep it, some laugh and wonder where on earth I get such random passwords, then more critique when I show it to them and they say it's for kids. Then I show them the random password generator I use for the more secure stuff and say, would you like a 16 character of this? Stops em pretty quick :msn-wink:

Berries
25th May 2021, 16:57
This sums it up quite well.

Autech
25th May 2021, 16:59
I personally hate changing from Default Ports - As if anyone with a Port Scanning tool isn't going to find that open port in a few milliseconds longer than it would take if it was on the default port.

If your security solution is to change the port - the question I'm asking is 'Why don't you properly secure the application?'

Definitely agree on if it doesn't need to be public, do it on a private network with a VPN.

It's better than using the default port though as it at least keeps the casual scans at bay as they generally are only trying the common ports or the variations which are well known.

Of course if someone points it at the IP and scans every possible port they'll eventually find it. Better than nothing, but give me no port forwards any day of the week, or at least only ones that can be locked down to IP.

Sent from my SM-G991B using Tapatalk

TheDemonLord
25th May 2021, 20:18
This sums it up quite well.

Yep - we recently made a move to Passphrases over Passwords.

Certainly made typing passwords into a console (when you can't copy/pasta) a whole lot easier than the randomized 20 character passwords we were using.

pete376403
25th May 2021, 20:30
Opinions on 2FA? - Good, ok, waste of time? I have it for the bank login, they send a code to the phone via txt. Not too annoying.

Gremlin
25th May 2021, 21:21
It's better than using the default port though as it at least keeps the casual scans at bay as they generally are only trying the common ports or the variations which are well known.
Easy enough to scan internet packets and get ports for communication. Changing the port doesn't change the risk. Simple.


Opinions on 2FA? - Good, ok, waste of time? I have it for the bank login, they send a code to the phone via txt. Not too annoying.
Depends on the 2FA. Some methods have already been proven to be beatable (reddit breach was it?). SMS particularly can be defeated by intercepting the SMS, either further down with SIM copy, or further up inside the network - as said, this isn't just theoretical, it's already been used.

Much better is the apps and registration, usually through QR, which give you push auth, OTP (one time password) or similar. Push obviously being pretty easy, it pops up on your mobile and you approve or decline.

That all said, depends on your profile. Joe Blogs, unlikely to be targeted. CEO, CFO of large organisation, yeup, more protection, more training etc. On that note, we've run Security Awareness campaigns for some clients. Ran it on ourselves first, several staff failed... :wait: On the other hand, you know where to focus your resources.

TheDemonLord
26th May 2021, 09:40
Opinions on 2FA? - Good, ok, waste of time? I have it for the bank login, they send a code to the phone via txt. Not too annoying.

I have a love/hate relationship with 2FA.

In some settings, 2FA is a very wise precaution:

- Infrequently accessed platforms
- Platforms with sensitive information
- Platforms that have a large number of users accessing it
- Privileged Actions

Then yeah, 2FA makes perfect sense. Having 2FA for things that are regularly accessed makes it a chore - we had a system that I would login to multiple times a day, each time my session timed out, I'd have to login, pull out my phone, wait for the text, copy the code etc.

It was a pain in the arse. That system has now been migrated so that it has no internet facing component, only accessible via an internal VPN and there's no more 2FA.

On the flipside, for things like a Google account, most operations by default don't require 2FA, but elevated account actions (such as changing passwords, managing payment details) will require 2FA - and I think this is a good balance - since those operations aren't frequently used.

In addition as Gremlin pointed out - the higher the profile, the more likely that additional layers of security should be used (such as the Celeb Nude hack a while ago)

Gremlin
26th May 2021, 18:25
- Privileged Actions
Haha, in contract network management, as a Microsoft Partner, the number of privileged areas, MS, firewalls, remote access, the list is only growing.
Some have limited concurrent licences, so if you're not actively using someone else kicks you off. Then someone calls, and in the midst of the call you're also using your mobile to log into the console etc.

The password management doesn't stay logged in for over an hour at a time, but holds all the passwords including for the highest levels of access. Sometimes I think I use my mobile for MFA more than calls (one app for business use, another for personal)...

But, as for profile, with the amount of admin and/or unattended access we have, there is no choice for us.

Oh, the really fun one is clients that we've deployed MFA, we need MFA to login, but then we need it on more than one mobile, in case an engineer isn't around. For stuff like Microsoft's ancient licencing portal, we had it on a company mobile that was always in the office. Worked real good when we were all working from home...

Berries
29th May 2021, 20:28
So my 14yo daughter changed the password on Mum's iPhone this morning and promptly forgot what she changed it to.

2FA or MFA would be better options than what is available which appears to be sweet FA.