Assume communications are being intercepted
24 November 2014
The PRISM surveillance programme from the NSA is just one of a number of such programmes, and organisations must assume that their communications are being intercepted.
That was the stark warning from Sean Reynolds, CEO, RITS. Speaking at the Renaissance executive briefing on current and emerging data security threats and countermeasures, Reynolds said that service providers, vendors and governments are engaged in a cycle of surveillance, with governments using the likes of US Executive Order 12333 to force providers and vendors to disclose data, while the likes of the Electronic Frontier Foundation (EFF) try to fight such measures. These same vendors and service providers are also often served with gagging orders that prevent them from revealing the nature or extent of disclosure requests.
Despite the culture of surveillance and the sophisticated tools that are often used, Reynolds said that many organisations are still failing to do the mundane things to protect themselves. Chief among these was patching to ensure that known vulnerabilities could not be exploited.
Reynolds showed a live feed from the Zone-H.org site, filtered by country domain for Ireland, to show a number of Irish web sites that had been hacked and ‘tagged’ by the hacker. Among those shown were web sites for a county council, a university, a retailer and a promotional site for an energy drink company.
Reynolds highlighted how easy it was to use open search tools, such as Google, to reveal spreadsheets with passwords, default log-ins and more that were left accessible.
He also highlighted the fact that hacking tools are becoming more widely available, cheaper and easier to use, requiring no in-depth knowledge at all. Two of these were the Rubber Ducky USB keyboard and the Pineapple Wi-Fi access point. The Rubber Ducky is a USB stick that, when plugged into a PC, is recognised as a keyboard. This means that pre-scripted commands can be executed on the machine, and they appear to come from a user. The Pineapple allows someone to spoof a normal Wi-Fi access point, jam other access points and gather Wi-Fi traffic as users connect. The device is simple to configure and can be bought for less than a hundred euros.
For the full article, see the December edition of TechPro magazine, available 9 December.