In Conversation with Richard Coyne, Senior Advisor for IScann Group
In the first half of 2019, it is estimated that data breaches exposed 4.1 billion records, and that, on average, only 5% of companies’ folders are properly protected. These numbers are only increasing with the number of records exposed skyrocketing to 8.4 billion in Q1 2020. These are alarming numbers, particularly when highly-sensitive data is involved, however companies are still struggling to properly protect themselves against cyber attacks. Victoria- is there an dollar figure associated with the breach of 4.1 billion records?
IScann Group’s In Conversation talks with Richard Coyne, IScann Group’s Senior Advisor, who has an extensive background on the military and commercial side of vulnerability and penetration exploitation. He is here today to share with us some of the key issues he has come across within companies, as well as some easy tips on how to be protected against cyber attacks.
Q: Morning Rich! What sort of companies usually ask for and need your expertise?
Richard: Well, I run these tests on any type of company really. Over the last couple of years I’ve happened to have a substantial run on industries that provide military components and technologies to the defence industry. One prime example of such a company is Boeing. They’ve got an army of engineers – no pun intended – producing all kinds of technologies, some of them commercial and some of them very much for the military.
The latter will eventually be very well defended technology, both physically – imagine having to break into a military airfield, that’s going to be tough – and in cyber terms. Digital defenses will be tough to crack, as they should be!
A military group will have a defensive mindset generally and will understand that technologies have to be protected and secure. But can you expect that civilian organisations, which are originally building these technologies can possibly have the same mindset as people in the military or the intelligence services?
The answer is no. So anybody working in these organisations can be seen as a potential attack vector into government secrets, and that’s what people have to remember. This is particularly worrying if we keep in mind that today’s corporate secrets are going to be tomorrow’s national security secrets.
And it is made easy for people with bad intentions. Look at how many ways there are to use publicly accessible open information – such as Wikipedia or YouTube – giving you all the necessary approaches to break into that company and get a hold of its information. It’s surprisingly low tech, and it does not need a cyber mastermind to crack digital defenses of sensitive information.
Q: It’s interesting, as you were talking, one company in particular that I know about immediately popped to mind. It’s a startup that is redesigning supersonic flight and bringing it back to market. They’re in their prototype stage, I think they are rolling out their first model in January for testing. They’ve just signed a contract with the US Air Force to incorporate their systems and technologies.
But if you look up this company, there’s so much information, public information, about them. They create YouTube videos where they introduce their team and who’s working on what, filmed inside their own labs. It’s great for the company and their publicity, but given what you have just said, is it safe?
R: If we can find out all that information without even trying, then we can assume that hackers know more than that. They will commit colossal amounts of manpower to that research and ultimately that penetration.
Q: So, what industries are the most vulnerable?
R: Well, industry has supplied governments since forever, penetration of those supply chains isn’t a new thing. What’s new is that you can see who all the people are, simply by looking them up on the internet. It’s instantly accessible to any member of the public, and that has made this so perilous.
The research phase into vulnerable targets requires very low effort and tech standards, and even stepping off from that phase into the attack does not yet require high-tech or special expertise. Everyone’s seen examples of phishing emails, good ones and bad ones – sometimes they work, and they require very little effort.
I’ve just finished a job where I didn’t need more than a computer and a phone. I got all the goods, at least all of the initial goods, which are my keys to get in the metaphorical door, through phone calls. Just well researched phone calls. By pretending to be a number of different people I got the respective employees to hand over their passwords to me.
Q: That sounds amazingly easy! What sorts of people were you persuading in this case?
R: The good news is, it isn’t usually this easy. Generally, people are better prepared for aspects of information attack, but not always. In this case, I deliberately went to very varying members of staff to prove the point. To start with, I went to one guy who was very junior and reasonably new in the company. He had no seniority so shouldn’t have access to an awful lot of data. And equally, I targeted a woman who was very senior. Both I managed to mislead with a different pretext.
So on one end of the spectrum, I knew that the young lad was actually quite dissatisfied with work and the amount he was getting paid. So I adopted the guise of a corporate elite headhunter. It was a very long developed approach with this guy. He came to my attention, first of all, through LinkedIn.
If I could change anything, it would be this: LinkedIn. Everyone’s on LinkedIn, and that’s the soft underbelly of every company.
Q: I would not have expected that.
R: On LinkedIn, he had a CV, a full one that contained his phone number. Based on his work history, I made up a job. A really great, well-paid job, tailored entirely to his work experience. And then of course I had his personal phone number to contact him on.
At the other end of the spectrum, the woman I mentioned, she’s had a fairly high-profile career as a board member across a number of places, and she presently consults with the customer company. I identified from LinkedIn that she works remotely, even before the pandemic. She’s always worked remotely, and she’s not been with the company that long. So she ticked all the right boxes in terms of her level of access. The people that she can get access to, and the fact that she is not that familiar with most faces and voices in the company, made her interesting for this case.
From other information online about the company I learned who the internal IT support guy was. I pretended to be him and with a couple of phone calls – the first one to develop trust and collect a bit of info, and the second one to put the attack in (I got her to put her credentials into a webpage where she shouldn’t have done) – I had what I needed.
Q: Was there any difference in the kind of access the junior and the senior person had?
R: That’s the interesting thing. It turned out that they both had access to all the same data inside the company. Within half a day, bearing in mind I spent four or five weeks researching, within half a day with the passwords gained, we had total control of the company.
That is what we call domain administration. In other words, I could, if I wanted, delete the company from inside, I could delete all their backups. I could implement ransomware, or as I and my working partner did, we spent five days sitting in there gathering all of the most sensitive details that they had.
We decided to have some fun with it as well. We ended up sitting silently and invisibly in board meetings. So we had 23 people attending these meetings and I was in there just getting their most sensitive corporate details.
Q: And none of this was detected by the company?
R: We were eventually detected by the technical guy – but not initially. We had to deliberately start slightly more noisy attacks, so that we’d raise our profile and therewith prompt the IT staff to actually notice us and respond. We were in an IT group meeting when one of the younger people reported it. And we’ve seen some odd activities.
In that meeting, I was logged in as the IT director, pretending my microphone wasn’t working. And I said in the chat, no, it’s a false alarm. Don’t worry about it. So we evaded their detection for a further day, because we were able to do that. And then on the very last day, I just had to barge in so to speak – the cyber version of barging into the meeting.
I turned on my camera. I just had to say: “Hey guys, you don’t know who I am, but guess what?”
It was the awareness poke in the eye that they really needed. But again, it was surprisingly low tech. It was based on publicly accessible data, followed by just logging in, and having misled people on the phone.
Q: Since the beginning of the pandemic, there have been some issues with major breaches of security.
R: Very much so. But in this case we still had to get past the first level. So for example, in this case, we stole Microsoft Office 365 passwords, and that meant that we could get onto Microsoft teams.
There is no system to say: Hey, this person’s logged in twice, that shouldn’t happen.
But it doesn’t end with just joining video conferences. We have all of their message threads on there. Microsoft Teams goes back to forever, nobody ever wiped data. And there were passwords hidden in there.
Q: Sensitive information like that was just stored in Microsoft Teams?
R: Yes, you would think that people would know by now not to store their passwords digitally. But there they are. And it goes even further than not deleting old data. There were login details stored there for several members of staff, and not just their company logins either. We found passwords for their external Twitter account, their external PayPal account, their external Amazon and eBay accounts.
And we took control of all of them, their revenue streams, everything. If we’d been malicious, that money would have been gone forever, as would their reputation.
Q: Reputation is a huge thing. That can’t really be quantified in dollars. It’s possible to totally destroy a reputation with a rogue posting on Twitter.
R: Absolutely. Social media is an interesting thing to attack.
Let’s use a fictional example, Barclay Bank. Let’s say their Twitter account is hacked. That is outside of the company perimeter. It’s not within the company infrastructure – it’s on Twitter.
But people see what is happening on Twitter. They will see the parties that have been harmed by the hack. Now let me ask you: Who are you going to invest your money in that month? Especially if you’re earning or investing big money. And if you were trying to choose which bank you want to open your account with, would you choose them?
No, you wouldn’t. Because their Twitter has been hacked, and you will wonder how safe your money would be with them, if they cannot protect their Twitter account. This is an important development: that kind of third party hosting becomes just as important as your own security within your own parameters.
Q: We have talked a lot about the risks, and what has gone wrong, and how easy it is. Turning that around: What are some simple things that companies and people can do to keep themselves safe?
R: The number one thing is staff awareness. Staff needs to be aware of how visible that data is.
As a hacker, I would start, and the exact platform depends on the case, but let’s go with LinkedIn. I would take a close look and see what I am able to determine from it. This is what I could infer from it. And then work with that to get more.
If staff were to get off LinkedIn, hackers would have very little to go on comparatively. But for some reason, the norm is to be on LinkedIn. Even if you’re not looking for a job – in fact, most people on there are not looking for a job. They just think they have to have it as some kind of business card. But you don’t.
The next thing is personal passwords. There is a colossal amount of people reusing passwords. Most platforms and websites encourage you to use a unique and strong password for every site, but most people reuse passwords and they are simple ones. This really becomes problematic when they reuse passwords in the workplace that they have used outside of the workplace.
Q: I would assume most people will reuse a password in dozens of places. Do you always have to steal a password to log in, or are there other ways too?
R: Oh, there is an array of ways of logging in. As we demonstrated once, without stealing any password, it was still possible to log in: All we had to do was answer security questions. When going into Microsoft Office 365, we claimed to have forgotten the password. And then we just had to answer questions like, mother’s maiden name, father’s date of birth, all of which we can assess from social media with a bit of time.
More often than not, though, we’ll actually have the passwords that are required. That is a simple extra thing that staff could apply in their own lives as well: two factor authentication.
Pretty much every platform now offers it. And it’s just super easy to activate! However, corporations somehow see it as being too much effort.
Q: Even though it is easy to implement it? Sounds like two factor authentication can be a fairly easy fix to a lot of problems!
R: Absolutely. I saw that to the detriment of the company I’ve just finished working with. If they’d had that in place, my work would have not been impossible, but much harder. A big problem is that people are not making use of free and available tools to increase their security. It is just so easy to implement and would be a huge benefit!
Q: Earlier you mentioned something about people not removing old data. Can that also become an issue?
R: Oh yes, I would have hundreds of examples. Data retention, as we call it, is an underestimated risk. How long do you keep things in your inbox?
An example from a recent job of mine: I had access to countless overflowing, packed inboxes. Every single one of those inboxes showed me the entirety of their communication since they began work. In some cases that means communication going back 15 years! Yet that “old” information can still be relevant if you haven’t changed passwords.
With a combination of not keeping your passwords and other codes all in one place, and getting rid of stuff you no longer need, you’re massively improving your security!
Q: Thank you, you really have touched on a lot of issues and solutions today. So beginning with people’s visibility of their data, whether it’s the Facebook privacy settings or what they say on LinkedIn; passwords that they use and indeed reuse; whether or not they use two factor authentication – all those tips apply for the workplace as well as for their personal lives.
Thank you, Rich!
If you want more information on vulnerability and penetration exploitation, contact Andrew Vasko at firstname.lastname@example.org