Back to Life. Black to Reality

Or so goes the song. Whilst we in the UK appear to be attempting to rush back to reality, far too quickly according to pretty much every so called ‘expert’, it looks very much like society is totally falling apart across the pond. There is no typo in the title.

Many of us believe that reality as was will never return and we will be living a new normal. Whatever, it does look like many people are returning to their places of work having toiled relentlessly at home as the sun blazed outside. This is certain to bring with it some nasty little bugs and viruses which will threaten the cyber security of most businesses.

The lockdown saw a predictably huge increase in the compromise of devices, relocated to a grubby home network powered by an unpatched router with a default password, and that’s just our kit! Researchers at Arctic Security and Team Cymru did some decent research (presumably in their pants at home) identifying a quadrupling (try saying that after your morning gin) of compromised devices.

Malicious activity in India has skyrocketed, as illustrated in this really good piece by Nasscom. It is certain that this is as global as the other thing we will try not to mention (well, we will a bit, later on).

So what are we seeing out there in Lockdown world?

Let’s start with those pesky Internet routers. Obviously the readers of this blog, being cyber security specialists, will have home routers running the latest code with all backdoors closed, all unnecessary ports closed and all default passwords changed; not a busman’s holiday Heath Robinson setup out there at all? As you all know, that is a very rare state of affairs, and home routers continue to be a target for the following three activities:

  • The router being hijacked and used as part of a botnet for crypto mining, Distributed Denial of Service (DDoS) attacks or any number of nefarious activities. These takeovers are very slick and may very well go totally unnoticed by the average punter.
  • Once infected, routers have their DNS settings changed, which redirects users to fake sites for the purposes of installing malware on the machines inside the network. The malware varies from straightforward data theft (banking and login details) to more sophisticated attempts to use the infected machine as a platform for access to connected corporate systems, perhaps hooked up with a VPN if, for instance, you were working from home. This Ars Technica (love the name) report has the lowdown on a very sneaky attack on D-Link routers which has now been cleverly repurposed to infect many types of routers.
  • Worryingly for the corporate world, home routers are increasingly used in attempts to ‘man in the middle’ corporate assets being accessed by your home worker. Spooky stuff.

The esteemed Michael Horowitz has been writing about these attacks for years and has a great summary of these and other router hacks here.

The advice for managing the routers (our favourite!) is to change the default password, update the code regularly and sign up for notifications from your ISP and the router vendor. Do the same for your friends and family if you feel like being useful - a double-edged sword, if ever there was one, for anybody working in IT or Cyber Security!

On top of the router attacks, there are numerous other vectors on the home network: jacking an unsecured local machine (lurking in your teenage kids’ bedrooms being used to access, well, you know..), the usual phishing and good old-fashioned social engineering attacks. It is a broad church.

The UK NCSC has some bizarre advice recommending that if your employees use their home networks for more than fifty percent of the time, you should run a security assessment of the home environment before allowing connectivity. Who knows why they picked 50%? Sounds a bit crazy to us.

We would recommend seriously locking down access to internal resources from home based devices, even corporate ones, using thin client technology or tightened web access with significant levels of monitoring and proactive action (rather than just alerting) if there is even a whiff of a RAT or any other naughtiness.

Our friends at Tiberium Security are expert in helping you get through this jungle intact. You can contact them here.

When your users return to the office, if they have corporate devices, we recommend that you have a process for giving them (the devices, not the employees) a good once-over. Won’t do any harm.

And now we come to one of our pet subjects. The United Kingdom Track and Trace System.

If you can remember as far back as our highly informative blog on the subject, we pointed out a few issues with the UK approach, not least that we think we can go it alone and do a better job than Apple and Google, who after all write the operating systems for iOS and Android and proposed a distributed, secure model very different from our centralised, on-island, presumably ‘world class’ alternative.

Just to make you feel nice and secure, the Grand Fromage of track and trace is…drumroll…none other than Lady Dido Harding, whom you may remember presided over the infamous TalkTalk hack, for which she was given a big pay rise as the business was fined £500,000. We predicted her to be a survivor at the old shop; it seems we were correct.

Organisations running the project, which to our extremely untrained eye looks very disjointed, include members of the ‘Big Four’, who have themselves been very seriously hacked in the past, together with a number of Government agencies and obviously the development outfit. Apparently the data, or some of it, is going to be on AWS.

WHAT COULD POSSIBLY GO WRONG?

The answer to this question is an awful lot, and it will. This project is rushed, it no doubt relies on the use of open source code, containerisation and above all is running in the Cloud.

If you have heard rumours that Dominic Cummings’ sister is involved, this is fake news. It is a different Cummings. Associates of Mr (should be called) Goings are involved in the application development, however, as previously reported.

Our advice remains to not install this app, released as it is when the risk level mysteriously moves from four to one or two, or whatever the made up number of the day might be.

Our next blog will include a full family tree of the components of this application with peril sensitive tagging.

Oh, as Columbo would say, ‘just one more thing’. The unbelievably unthought-through delivery of this contact tracing system, using poorly paid, briefly trained operatives calling people from an 0300 number or some such, has opened a massive vector for identity theft which is being exploited. Please read this and warn everyone you know.

This whole shambles is incompetence on a grand scale in our opinion. Time will tell.

Updated at 00:14 on Wednesday 03 June 2020. And Lo, it has already come to pass. This is just the beginning.

Hope you and yours are all OK. Please stay that way.