Security seminar for NetworkRail

5 October 2020 Reading time: ~1 minute

This is a video recording of my talk for NetworkRail when I was working for PA Consulting Group. The presentation was about possible vulnerabilities in a train traffic management system (ICS and SCADA) and a demonstration of exploitation by hackers (simulated attack). The attack features SQL injection, weak credentials, client-side HMI GUI manipulation and more. The "train management system" featured in this video was initially designed by me as one of the challenges for the Certified Security Testing Professional (CAST) training course.



Do not get hacked in troubled times

16 March 2020 Reading time: 4 minutes

We receive more and more reports about the increasing number of incidents in which cyber-criminals try to exploit the current, challenging global situation with the coronavirus outbreak for their own profit.

The number of email scams linked to coronavirus is high these days and will probably increase even more. The attacks may come not only by email (phishing) but also by phone (vishing). Both are well-known methods of using deception to lure you into revealing personal, sensitive or confidential information. Fraudsters may impersonate a person or a legitimate business to scam innocent people. Typically, cyber-criminals rely on scare tactics and emotional manipulation (FUD: Fear, Uncertainty, Doubt) when they try to trick people into giving up their precious information.

Cyber-criminals are targeting individuals as well as companies, so it is very important to stay vigilant. Here are a few quick recommendations on how to protect yourself, your family and your business.

  • Always be suspicious when you receive an unexpected email or phone call of any kind, especially if someone asks you to take some action, e.g. to click a link or return a call. The link can lead to malware or to an attempt to steal your data, and the number you dial could lead to additional charges.
  • Every unsolicited email where the topic is related to coronavirus and your money and/or e.g. sudden access to your property is highly suspicious.
  • Every unsolicited email or phone call when someone offers you something for free (especially an email with an attachment) is highly suspicious.

Examples of suspicious topics: 

  1. Someone claims they can give you access to “the real truth about the coronavirus outbreak” or “learn more about the true scale of contamination”.
  2. An unexpected email from the medical facility, e.g. “double-checking your personal details before the coronavirus-related appointment”.
  3. An unexpected email from your bank with similar requests.
  4. An unexpected email from a government organisation (global, like WHO, NHS, CDC, etc. or local government), e.g. providing you with “additional funds” or asking for donation “to fight the virus”.
  5. All types of stupid emails with information like: “click here to get the immediate cure from the virus”.
  • It may not be you, but your family member, friend or business partner who has been hacked recently. So, if you receive an unexpected email from their address (the legitimate email address, perfectly well-known to you) with unusual questions or a call for action – do not do anything. Call them first and quickly rectify the situation.
  • Do not open any attachments from unsolicited or suspicious-looking emails. Be aware that hackers are improving their techniques every day and there are countless ways to transfer malware to your computer. Believe me, you do not know all of them. Do not assume you are safe because you know this-and-that about computers. There could always be someone smarter than you, or someone who will simply use a new, ingenious exploitation technique.
  • If you have any questions about cybersecurity – always ask someone who is proficient in this area. Do not be afraid to ask your corporate IT department about issues or incidents with your personal digital security. Quite often, this is exactly the way cyber-criminals infiltrate organisations: they start from hacking the home computers of the personnel. Every incident of such kind must be carefully reviewed.

I believe that the existing situation is one more reason to double-check that you have a good understanding of the basic cybersecurity principles. If you know those principles - help others. Hope is not a strategy, and, in my opinion, never was. Do not act before you think, be wise and vigilant and always stay safe.

[The article is also published on LinkedIn]



Penetration testing, kangaroos and tsunami

12 December 2018 Reading time: 3 minutes

I would not say that I was at all surprised by the information that Australia’s parliament recently passed new (and apparently some of the world’s toughest) anti-encryption legislation. (Check e.g. this: https://www.bloomberg.com/news/articles/2018-12-06/australia-moves-toward-passing-law-targeting-whatsapp-signal). It was, so to speak, “in the air”. Australia is not the only one, by the way. In 2016, the UK gave authorities a "license to hack". Similar legislation is already in place in China and in Russia (Again, I guess no one is surprised by that either).

It looks like IT companies operating in the sunny Kangaroo Country now have no choice but, with a smile, to “provide a[ll?] necessary help” to government agencies so they can decrypt communication on various platforms such as Signal, Telegram, WhatsApp, etc. The purpose of all this is obviously very noble, as it should provide the necessary technical capabilities to decode messages used by organised crime and terrorists. But here we have an interesting dilemma. It is understandable that all those government agencies must have up-to-date technology to be able to deal with modern, rapidly evolving threats. Also, let’s be honest: it does not matter how liberal you are at heart, you sleep much better knowing that “our” government agencies are equipped better than “theirs”. On the other hand, we could be creating a dangerous precedent: in the 21st century, the age of information, we are giving someone a license to create security holes in IT systems. As if we don’t have enough of those holes already.

The government will be reading our emails and accessing our data if they need it, whether we like it or not. I see no problem with this as it’s their job and their responsibility to protect the country. But, at the same time, as a security-conscious person, I don’t like the idea that the same security holes can (and, surely, will) be found and immediately exploited by cybercriminals, because those guys have no scruples and no moral obligations. They will come, exploit you, blackmail you and take everything they can, leaving smoke and ashes behind. Additionally, if you are in the IT business and one beautiful morning you wake up and realise that you have had a massive data breach, I don’t think your furious customers will appreciate an explanation saying “we apologise for the breach, which was caused by a backdoor installed by the authorities that was accidentally found and exploited by hackers”.

So, what can you do? Considering that legislation sometimes comes almost like an earthquake or tsunami – you can’t really avoid it, but you can have an “early detection system” in place, be prepared and minimise the damage. I think it is imperative to have your IT infrastructure well-tested on a regular basis, including all Internet-facing web and mobile applications. Many people do not understand that penetration testing is about more than simply ticking the compliance box. It gives you strong confidence that you will be well-prepared when the lightning strikes. And, believe me, it will, sooner rather than later. Penetration testing should never be a one-time action but part of a comprehensive security management programme for the whole organisation. Keep asking yourself whether your due diligence requirements are really being met by your actions. The standard of care that was considered sufficient in the past may be less than adequate in the face of today’s cyber threats and data protection environment. Think in advance, put emphasis on prevention, always try to predict the unpredictable and stay safe.

[The article is also published on LinkedIn]



Never give up

5 December 2018 Reading time: 2 minutes

Today was a fascinating day at BlackHat Europe. So many people from all over the world: smart, knowledgeable and inquisitive. So many inspiring conversations. I should probably note the great interest in Spirent security solutions and services (well-known and well-deserved, by the way). We had an ICS hacking challenge at our stand and that also raised a few eyebrows. Many people decided to come and try, but without much luck. Well, you can't call ICS security "pentesting mainstream", and I know really well that it requires specialist knowledge. Not too many companies are doing it, and especially not doing it with confidence. The majority of people were saying: "yea, you know, generally I am very good with security, but this is SCADA, it is complicated so I cannot do it". Fine. There was one case, however, which, in my opinion, was really unique. A couple of guys from a small pentesting company in Croatia came to our stand, tried the classic this-and-that and said: "you know what, we never did ICS pentesting before, but we absolutely love this challenge and (I am quoting) we will not go home until we solve it". They were there for almost an hour, googling the subject on the fly, trying different scenarios, and step by step they slowly came to the solution. On their way, they wrote a few pieces of bespoke code and went through many trial-and-error attempts. I must confess, I was really impressed. Impressed by their determination, by not giving up, by applying all they know in an entirely new field, experimenting and finally being able to nail the challenge. It was just brilliant. I think such an attitude is the absolute key to being successful in the security testing business (and, honestly speaking, probably in life). Life is fantastic and brings us so many great opportunities which can make us better. Opportunities which can make our horizons broader. Do not miss them!
Have an endless curiosity, never stop until you try everything possible and impossible, get out of your comfort zone and experience something new. Don't be afraid to make mistakes - well, this is how we, humans, learn about things. If you have your knowledge and determination multiplied by courage - truly, for you there will be no limits!
