Back in 2014 the company Code Spaces was murdered. They offered tools for source code management, but their Achilles heel was that they didn’t have solid control over sensitive information — including their backups. One cyberattack later, and Code Spaces was out of business. Their killer had used some standard techniques, but the most effective was getting an unwitting Code Spaces employee to help — likely via a phishing attack.
Employee Risk Management
When it comes to cybercrime that targets businesses, employees are the largest risk. Sure, your staff are trained to recognize phishing attempts, funky websites, and other things that just don’t seem right. But can you say the same thing about the people in reception, or the folks over in sales?
Educate Employees on Basic Data Security
Those employees might know that clicking on links or opening attachments in strange emails can cause issues. But things have become pretty sophisticated. Cybercriminals can make it look like someone in your office is sending the email, even if the content looks funny. It only takes one click to compromise the business.
While employees may be somewhat email-savvy, in our experience we’ve seen issues with passwords. People still use birthdays, pet names, or even “password” as their passcodes — or they meet only the bare-minimum standards for required passcode complexity. Randomly generated passcodes are better, as is requiring multiple levels of authentication for access to secure data. This is called MFA, multi-factor authentication, and for any service provider that offers it, such as Google/Gmail, Dropbox or QuickBooks Online, we highly recommend using it.
Extend Security Measures to Your Remote Work Policy
Giving employees the ability to work outside of your office network, by its very architecture, introduces additional security vulnerabilities into your company’s operations. Sometimes it’s beneficial to allow them to work from home, or from a coffee shop on the road. But if this is the case, a nominal investment in security tools and technology such as VPN, email encryption, web content filtering and laptop encryption will minimize your risk. And if people are working remotely, remind them that walking away from the computer is a no-no. Anybody could lean over and see what they’re working on, download malware or spyware, or even swipe the entire device and walk away — all of which are cybersecurity disasters.
Protect Against Malicious Employee Behavior
Last but not least, you need to consider the possibility of a deliberate security compromise. Whether they’re setting themselves up for a future job or setting you up for a vengeful fall, this common occurrence is hard to prevent. It’s possible that Code Spaces’ demise was the result of malice, so let it be a warning to you as well!
Whenever an employee leaves the company for any reason, remove their accounts and access to your data. And make it clear to employees that this behavior is considered stealing, or worse, and will be treated as such in criminal and civil court.
You really have your work cut out for you, huh? Fortunately, it’s still possible to run a secure-enough company in today’s world. Keep an eye on your data and on your employees. And foster an open communication that allows you to spot potential — or developing — compromises as soon as possible.
Hackers Can Spoof Phone Numbers, Track Users via T-Mobile (and others)
A team of researchers from French company P1 Security has detailed a long list of issues with 4G VoLTE telephony, a protocol that has become quite popular all over the world in recent years and is currently in use in the US, Asia, and most European countries.
VoLTE stands for Voice over LTE — where LTE stands for Long-Term Evolution and is a high-speed wireless communication standard for mobile phones and data terminals, based on older GSM technology.
In simpler terms, VoLTE is a mash-up between LTE, GSM, and VoIP, a technology used for Voice-over-the-Internet communications. The protocol rolled out in 2012 in South Korea and Singapore and has become very popular because it blends the benefits of old circuit-switched protocols (stability) with the benefits of modern IP protocols (call quality & speed).
Because VoLTE looks primed to spread to all operators across the globe, P1 Security experts have conducted an audit of this new technology. Their findings, documented in a research paper, reveal serious flaws that could be exploited by attackers using nothing more than an Android phone connected to a mobile network.
Researchers say they identified both “active” vulnerabilities (that require modifying special SIP packets) and “passive” vulnerabilities (that expose data via passive network monitoring or do not require any SIP packet modification). Below is a list summarizing the team’s findings:
User identity spoofing through SIP INVITE message
Attackers can modify certain headers in SIP INVITE messages and place calls using another user’s MSISDN (phone number). Mobile networking equipment does not verify if the SIP INVITE header information is correct, taking the caller’s identity at face value. Researchers warn that this is a “critical” issue that may result in attackers accessing another person’s voice mail, or could cause problems for law enforcement monitoring criminals, who would be able to avoid surveillance by placing calls from another phone number.
Not mentioned by the researchers, but a plausible scenario, is tech support scammers spoofing the phone numbers of legitimate companies to call customers and obtain sensitive information such as passwords, card PINs, and other personal information.
Leak of the victim’s IMEI
Researchers discovered that by watching VoLTE traffic on an Android phone that’s initiating a call, intermediary messages exchanged before the connection is established reveal the callee (victim)’s IMEI number. These intermediary messages are “183 Session Progress” SIP messages, and they are sent before the phone call is established. Researchers say this attack doesn’t require the call to actually go through, and miscreants can drop the call once they have collected the target’s IMEI.
The International Mobile Equipment Identity (IMEI) is a serial number unique to each mobile phone; it is generally used to block (stolen) devices from accessing a mobile network.
Leak of the victim’s personal information
Similarly to the attack above, researchers also discovered that the same “183 Session Progress” SIP messages can also leak more detailed information about victims.
This information is stored in another section of the “183 Session Progress” SIP message header and contains details about the victim’s “UTRAN CellID”, which is the unique identifier of a physical antenna the callee (victim) is using to receive the call.
In other words, attackers could initiate shadow calls, detect the victim’s approximate location, and hang up before the phone call is established.
For the latter two attacks, the research team recommends that mobile operators strip or sanitize these 183 SIP message headers, so they only reach the necessary equipment to support a call, and not the attacker’s smartphone.
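As an added defender-side example, not code from the article or from the P1 Security paper, here is a toy Python filter of the kind an operator could run at the network edge: it strips the headers that carry the callee’s IMEI and UTRAN CellID out of 183 Session Progress responses before they reach the caller’s handset, as recommended above, and checks that an INVITE’s claimed caller number matches the registered subscriber, closing the identity-spoofing gap described earlier. The header locations (P-Access-Network-Info, the +sip.instance Contact parameter) and the sample messages are assumptions, since the article does not say where the leaked values sit.

```python
import re
# Constructed sample 183 (not from the article); where IMEI/CellID sit is an assumption.
SAMPLE_183 = (
    "SIP/2.0 183 Session Progress\r\n"
    "From: <sip:+15550100@ims.example.net>;tag=a1\r\n"
    "To: <sip:+15550199@ims.example.net>;tag=b2\r\n"
    "Contact: <sip:[2001:db8::2]>;+sip.instance=\"<urn:gsma:imei:00000000-000000-0>\"\r\n"
    "P-Access-Network-Info: 3GPP-UTRAN-FDD; utran-cell-id-3gpp=00000000000000000000000000\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Headers the caller's handset never needs on a provisional response (assumed policy).
STRIP_ON_1XX = {"p-access-network-info", "p-visited-network-id"}

def parse_sip(msg):
    """Split a SIP message into (start line, [(name, value)], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    return start, [tuple(p.strip() for p in l.split(":", 1)) for l in lines], body

def build_sip(start, headers, body):
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body

def sanitize_provisional(msg):
    """Operator-side filter: drop device/location headers from 1xx responses before forwarding."""
    start, headers, body = parse_sip(msg)
    if not re.match(r"SIP/2\.0 1\d\d ", start):
        return msg  # only provisional responses are touched here
    kept = []
    for name, value in headers:
        if name.lower() in STRIP_ON_1XX:
            continue
        if name.lower() == "contact":  # +sip.instance may carry the callee's IMEI URN
            value = re.sub(r';\+sip\.instance="[^"]*"', "", value)
        kept.append((name, value))
    return build_sip(start, kept, body)

def leaks_identity(msg):  # detection check: IMEI URN or UTRAN cell id still present?
    low = msg.lower()
    return "urn:gsma:imei" in low or "utran-cell-id-3gpp" in low

def invite_identity_ok(msg, registered_msisdn):
    """Reject an INVITE whose claimed caller number is not the registered subscriber's."""
    start, headers, _ = parse_sip(msg)
    if not start.startswith("INVITE "):
        return True
    for name, value in headers:
        if name.lower() in ("from", "p-asserted-identity", "p-preferred-identity"):
            m = re.search(r"sip:(\+?\d+)@", value)
            if not m or m.group(1) != registered_msisdn:
                return False
    return True
```

Running `leaks_identity(sanitize_provisional(SAMPLE_183))` returns False, while the unsanitized sample returns True.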
But for ordinary consumers, there was a surprising – and reassuring – takeaway: encryption apps on smartphones, such as Signal and Facebook Inc.’s WhatsApp were the big winners of the day because the documents show they still present big problems for government hackers and are the best bet for keeping intruders out of your phone calls and texts.
Stay safe out there.