Missouri Cyber Security Blog

Using Public Data to Alert Missouri Entities of Vulnerabilities

06.01.17

Overview

The State of Missouri Office of Cyber Security’s (OCS) “Using Public Data to Alert Organizations of Vulnerabilities” program identifies vulnerable internet connected systems belonging to organizations from various industries across the State of Missouri. The program identifies high-risk systems that, if left insecure, could lead to disruptions within critical infrastructure or significant data loss, and contacts the owners of the impacted systems to mitigate risks.

Recognizing the high probability that critical, yet potentially forgotten, infrastructure is connected to the Internet, OCS set its sights on identifying these vulnerable systems within the geographical boundaries of the State of Missouri. The Regents of the University of Michigan, in collaboration with Google, have created an indexer of all “things” on the Internet called Censys.io. Censys.io is a publicly available research platform that scours the entire Internet and indexes devices, open ports, the services exposed, and much more. Using this service, OCS has been identifying vulnerable systems statewide, including systems belonging to both government and non-government organizations. Using privileged research credentials granted by the Censys.io admins, OCS leverages the Censys.io API to find vulnerable systems based on banner feedback and running services. The raw data is carefully reviewed and then cross-referenced against the American Registry for Internet Numbers (ARIN) to obtain contact information for every system identified. Once contact information has been obtained, OCS sends a notification to all impacted organizations with an explanation of the program and a listing of all impacted systems for that particular entity. OCS has built several scripts that automate the bulk of the effort, as thousands of hosts are generally involved on any given run.

The primary business goal of this program is to protect the critical infrastructure belonging to governments, businesses, utilities, and academic institutions across the State of Missouri. Critical infrastructure provides the foundation of many life-sustaining services such as healthcare, government, public safety, energy, transportation, communication, food/agriculture, and manufacturing. Keeping these services available around the clock is critical to today’s way of life. A secondary business goal is to safeguard the data belonging to Missouri citizens, students, and customers. Our data lives online as much as we do, and safeguarding it has become essential to preventing identity theft, financial loss, and damage to brand reputation.

Significant server side vulnerabilities within the recent years such as ShellShock and Heartbleed highlight what’s at stake for unpatched servers. In the not too distant future a critical vulnerability within IIS 6, Windows Server 2003’s web server, is a very real possibility. In May 2016, the public data vulnerability program was used to identify over 9,000 Windows Server 2003 hosts geographically located within Missouri. Microsoft ended support for Windows Server 2003 in July 2015, so if any critical vulnerabilities were identified, the situation could be dire for the continuity of business and government services. While many of the 177 organizations involved were state, local, and educational entities, quite a few of the hosts belonged to Fortune 500 companies. In spot checking the data for accuracy, many of the hosts appeared to have been forgotten about or overlooked. Once compilation of the results was finished, OCS promptly notified all of the organizations individually with information about each host. The reception of the program by the various organizations was very positive and welcoming. Since notifying the organizations, OCS has been watching the Windows Server 2003 host count drop by over 16% since the first run back in May.

In early August 2016, OCS used the public data vulnerability program to identify devices accepting Telnet connections. Telnet is an antiquated protocol typically used for administration that offers no protection from eavesdroppers. By default, Telnet does not encrypt the transmission of data (including credentials), it doesn’t offer non-repudiation, and over the years multiple critical vulnerabilities have been identified within common Telnet daemons. Over untrusted networks, attackers could easily sniff administrative credentials and perform various nefarious activities with vulnerable Telnet systems such as distributed denial of service or remote code execution attacks.

Utilizing this program, OCS notified 161 entities that had a combined Telnet device count of 10,300. These Missouri-based devices belonged to local governments, education, small businesses, and Fortune 500 companies. As mentioned in the summary, while examining the results of the query looking for Telnet devices within Missouri, OCS noticed customer information within the Telnet banner of network equipment being managed by an ISP. On noticing the situation, OCS promptly called the organization to make them aware of the privacy and security concerns of their current configuration or business practice. As with the other entities involved, they received a report outlining all of the impacted devices and their metadata, including the Telnet banner information, which publicly linked customers to their IP addresses.

Presentation

The following abridged presentation has been shown at various conferences:

Example Queries

IIS 6 Hosts

SELECT ip, p80.http.get.headers.server, location.province, location.city, autonomous_system.organization, autonomous_system.asn FROM ipv4 WHERE p80.http.get.headers.server = "Microsoft-IIS/6.0"

Telnet Hosts

SELECT ip, p23.telnet.banner.banner, location.city, autonomous_system.organization, autonomous_system.asn FROM ipv4 WHERE p23.telnet.banner.banner IS NOT NULL

Heartbleed Vulnerable Hosts

SELECT ip, location.province, location.city, autonomous_system.organization, autonomous_system.name, autonomous_system.asn FROM ipv4 WHERE p443.https.heartbleed.heartbleed_vulnerable = TRUE
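The queries above return one row per host with the columns named in the SELECT list; the post-processing the program describes (filter to Missouri, group hosts by the owning organization, produce one listing per entity, and track the host count between runs) is what the OCS scripts automate. The script below is an added illustration of that step, not OCS’s own code. It assumes the query result was exported as CSV with those same column names, uses constructed sample rows in RFC 5737 documentation address ranges, and leaves the ARIN contact lookup out of scope (the report is keyed on the autonomous_system columns the query already returns).

```python
"""Post-process a Censys SQL export into per-entity notification listings.

Added example, not the OCS program's scripts. Assumes the query results were
exported as CSV whose header matches the column names used in the query.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (RFC 5737 documentation addresses, fictitious organizations).
SAMPLE_CSV = """\
ip,p80.http.get.headers.server,location.province,location.city,autonomous_system.organization,autonomous_system.asn
198.51.100.10,Microsoft-IIS/6.0,Missouri,Jefferson City,Example County Government,64496
198.51.100.11,Microsoft-IIS/6.0,Missouri,Columbia,Example County Government,64496
203.0.113.5,Microsoft-IIS/6.0,Missouri,Kansas City,Example University,64497
203.0.113.77,Microsoft-IIS/6.0,Kansas,Topeka,Example University,64497
192.0.2.25,Microsoft-IIS/6.0,Missouri,St. Louis,Example Manufacturing Inc,64498
"""


def load_rows(csv_text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def in_province(rows, province="Missouri"):
    """Keep only hosts geolocated in the given state; the query itself does not filter on this."""
    return [r for r in rows if r["location.province"] == province]


def group_by_entity(rows):
    """Bucket hosts by the organization announcing their address space (ASN + name)."""
    groups = defaultdict(list)
    for r in rows:
        key = (r["autonomous_system.asn"], r["autonomous_system.organization"])
        groups[key].append(r)
    return dict(groups)


def build_report(asn, org, hosts,
                 finding="Windows Server 2003 / IIS 6.0 (vendor support ended July 2015)"):
    """Render the plain-text host listing that would accompany one entity's notification."""
    lines = [
        f"Notification for {org} (AS{asn})",
        f"Finding: {finding}",
        f"Impacted hosts: {len(hosts)}",
    ]
    for h in sorted(hosts, key=lambda h: h["ip"]):
        lines.append(f"  {h['ip']:<16} {h['location.city']:<16} {h['p80.http.get.headers.server']}")
    return "\n".join(lines)


def percent_drop(before, after):
    """Change in host count between two runs, as a percentage of the first run."""
    return round(100.0 * (before - after) / before, 1)


def run(csv_text=SAMPLE_CSV):
    """Filter, group, and render: returns {(asn, org): report_text}."""
    rows = in_province(load_rows(csv_text))
    return {key: build_report(key[0], key[1], hosts)
            for key, hosts in group_by_entity(rows).items()}


if __name__ == "__main__":
    for report in run().values():
        print(report, end="\n\n")
    # Constructed counts to show the trend measurement; not OCS's actual figures.
    print(f"Host count drop between runs: {percent_drop(9000, 7500)}%")
```

Grouping on the ASN rather than the organization name alone avoids merging two entities that happen to share a name, and the out-of-state row is dropped before grouping so an organization with hosts in several states only receives its Missouri listing.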

Reception

The overall response has been quite positive and reinforces the direction of OCS’ involvement in assisting and collaborating with all forms of industry. OCS will continue to run similar reports in the future to reduce the overall risk to the State of Missouri and its citizens. If you have any questions about this project, please contact us.

category: Awareness


Common IT Wisdom That Keeps You Secure

03.20.17

Day in and day out, employees hear the same things from their IT staff about cybersecurity and safety. Though they may sound like a broken record, there are very important reasons and rationale behind these practices and advice. Keeping safe and secure while connected isn’t just about how your system is set up – it is also very much about how you end up using it. Below, we discuss some common IT staff wisdom and provide some background information and the rationale as to why it definitely merits your attention.


Make sure you lock your screen when you are away from your desk.

Screen locking policies exist for a reason. Even if you are leaving for just a few minutes at a time, be sure to lock your screen. Though physical intruders are rare during daytime and in conventionally secured offices, intrusions do occasionally happen. Screen locks also thwart opportunistic insider attacks from other employees who may seek to obtain or access information beyond what they should normally have. If you don’t adhere to a screen locking policy, an attacker can simply walk up and start manipulating or stealing your information without even having to work at getting into your system. And remember, you are ultimately responsible for everything done under your login!


Don’t write down your passwords or user credentials. 

The same concept applies here as in establishing a screen lock on your system. On the rare occasion a physical attacker gains access to your desk area, they will immediately look for written passwords and authentication material. Post-it notes, index cards, etc. aren’t secure from attackers even if you think they might be out of sight under your keyboard! From looking at your written password, they can get right into your sensitive protected office systems and start stealing data or compromising assets. This risk isn’t only from a completely unknown outsider, but could be coming from contractors or internal staff with malicious intent.


Don’t re-use your office computer password for other systems and services.

One of the riskiest things you can do is use the same password across multiple accounts or systems. Cyber threat actors are constantly stealing login credentials from systems that may be less secure, such as online shopping sites. Many times, these credentials are leaked online for other cyber criminals to exploit as well. They are then able to take these stolen credentials and use them to try to access more secure systems, like online banking or your office systems. If you follow this practice of re-using your work password elsewhere, you leave yourself and your organization open to this type of compromise.


Don’t install unauthorized software on any office systems.

The installation of unauthorized software can negatively affect your workplace’s security posture. This software can include everything from stand-alone programs to plug-ins for your web browser. Not only can this pose a stability issue leading to slower or unreliable system performance, but the installation of unmanaged software can pose a direct security threat either because it may be malicious software itself, or because this is introducing software that is not part of the patch management system in your environment. If this new unauthorized software ends up making you vulnerable to cyber-attacks in the future, but IT isn’t aware of it or implementing regular patches or fixes, you leave that avenue open for attackers who easily leverage these known vulnerabilities to compromise systems and potentially steal information.


Don’t check your personal email while on office systems. 

By checking your personal email on your office computer, you are extending the risk profile of your workplace to include your own personal activities. Attacks that target you as an individual are now naturally extended to the entire enterprise. Your office email account is carefully managed and secured by policies and the vigilance of your IT team to minimize the risk from suspicious emails, links, and attachments. Once you open your own email account on your office computer, you bypass many of these defenses and render them less effective. If you open a suspicious attachment in your personal email on your office computer, you can infect your system (and eventually many other systems) with malicious software like ransomware that may prevent you or your colleagues from performing your duties.


If you follow these few common pieces of IT wisdom, you will lead a much more secure and productive life in the workplace. Remember, if you work with your organization’s information, you play a big part in its protection and safety. Let’s all work to make it as difficult as possible for attackers to affect our operations in the workplace.

category: Awareness



Safe Browsing at Home

11.01.16

Staying safe online is a group activity – it is important to talk to everyone in your family about being safe online so all of them can recognize the danger and browse the Internet safely. Children and older citizens are particularly at risk because they might not be able to recognize phishing attacks, malware, and other scams.

Here are a few things you can do to keep your family safe:

  1. Secure your Wi-Fi

Keep a password on your home Wi-Fi network. This will help prevent unwanted access to devices on your network, which could compromise your personal information. Check your wireless router’s instruction manual for instructions on how to change your network’s password.

  2. Talk to your family about Social Networking

Many social networks do not allow users under the age of 13 to create an account. When you and your family do sign up for social media, be careful with what personal information you make available to the public.

  3. Create strong passwords

A strong password should be at least 8 characters long and contain a mix of upper and lower case letters, numbers and special characters. It should be easy to remember, but difficult to guess, and should be changed on a regular basis. For more info on passwords visit <link to page about passwords.>

  4. Learn to avoid scams

Scams take on a huge range of variation and methods depending on the desired outcome by the scammer. Some target your money directly, while others want your personal information. For more information, check out our page on scams. <Link to page about scams>

  5. Keep computers up to date

Technology companies regularly release updates for their applications and operating systems to improve security by closing holes that attackers exploit. Many applications will notify you when these updates are available, and they can be applied with a simple click.

  6. Back up your computer

Keeping an up-to-date backup of your computer is important, particularly if you use your computer as a source of income; but even if your computer is strictly personal, the loss of family pictures and videos, financial documents, and other important files can be devastating. There are many methods for backing up your computer, such as external drives that you connect to it, as well as cloud backups.

  7. Shop Safely

Shopping online is convenient, but it’s also an opportunity for scammers to steal your money. Prevent this by only shopping from outlets that you can verify are legitimate businesses and making sure to shop using an encrypted (https://) connection (link to https blog post).

category: Awareness



How to Create and Keep Strong Passwords

10.07.16

A strong password is key to securing your information and sometimes the information of others or your place of employment. Creating a secure password is vital to staying safe while online, and maintaining that password is just as important as creating it. No password will keep you secure if others can guess it or steal it.

Tips for creating a secure password:

  • Use a combination of capital letters, lower case letters, numbers, and symbols.
  • Make passwords at least 8 characters long.
  • Don’t use words that can be found in the dictionary.
  • Use different passwords for each site.
  • Don’t use your name or names associated with you such as friends, family, pets, or the name of a business.
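The creation rules listed above (and the shorter version of them in the “Create strong passwords” tip of the Safe Browsing at Home post) can be turned into an automated check. The script below is an added illustration and is not from the OCS posts; the dictionary and name lists it uses are tiny constructed placeholders standing in for a real word list and the personal names a given user should avoid, and the reuse check assumes you can supply a mapping of site to password (for example, exported from a password manager).

```python
"""Check a candidate password against the creation rules in the post.

Added example, not OCS code. Word and name lists are constructed placeholders;
a real deployment would load a full dictionary file and the user's own names.
"""
import re

# Constructed placeholder lists (all entries five or more characters long so that
# substring matching does not trip on short fragments).
DICTIONARY_WORDS = {"password", "summer", "welcome", "missouri", "tigers"}
PERSONAL_NAMES = {"johnson", "fluffy", "acmecorp", "smith"}

# The four character classes the post asks for.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(pw, names=PERSONAL_NAMES, words=DICTIONARY_WORDS):
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    missing = [name for name, rx in CLASSES.items() if not rx.search(pw)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = pw.lower()
    # Substring match so that "Password1!" still trips the dictionary rule.
    if any(w in lowered for w in words):
        problems.append("contains a dictionary word")
    if any(n in lowered for n in names):
        problems.append("contains a name associated with you")
    return problems


def reused_passwords(site_passwords):
    """Given {site: password}, return groups of sites that share one password."""
    by_pw = {}
    for site, pw in site_passwords.items():
        by_pw.setdefault(pw, []).append(site)
    return [sorted(sites) for sites in by_pw.values() if len(sites) > 1]


if __name__ == "__main__":
    for candidate in ("Ab1!", "Password1!", "fluffy2016", "Tr0ub&dor"):
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}")
    # Constructed vault contents to show the reuse rule.
    print(reused_passwords({"bank": "Tr0ub&dor", "shop": "Tr0ub&dor", "work": "xK9$pLm2"}))
```

Reporting every broken rule rather than stopping at the first gives the user the whole list to fix in one pass, and the reuse check addresses the one rule that cannot be judged from a single password on its own.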

How to keep a password safe after creating it:

  • Never write down your password.
  • Never share your password with someone else.
  • Never let anyone see you enter your passwords.
  • Always log out of your device when not using it.
  • Change your password periodically.
  • Never enter passwords on public computers or unsecured Wi-Fi.

category: Awareness



Learn to avoid scams

09.30.16

Technology offers many benefits for connecting with people all over the world. Unfortunately, it also offers more opportunity for criminals to scam unsuspecting victims. Scams can take many forms; some are blatant while others are more subtle, and you can protect yourself by learning to recognize popular scams (link). Regardless of the method, here are some ways to protect yourself from almost any scam.

  1. Know who you’re dealing with

Scammers will often impersonate someone with authority, such as someone speaking on behalf of a bank or a government agency. Always check the email addresses, and if you’re unsure, call a reliable number for that agency, such as one found on a bank statement.

  2. Be wary of anyone demanding money

If you get an email demanding money for any reason, such as a debt you were unaware of, and especially if the email makes threats such as legal action for not paying, it is probably a scam. If you’re unsure, do some research on the sender; a quick online search may turn up someone else who was contacted by the same person.

  3. Don’t share your personal information

You should never give out any personal information to unsolicited sources. This includes financial information, social security numbers, passwords, and access to email and social media accounts.

  4. Delete suspicious email

Never respond to, or click on, links in suspicious emails. If anything seems strange about an email from a source you usually work with, such as a bank or close friend, contact them from a reliable number on the company’s website, instead of using a number from the email.

  5. Take time to check your paperwork

Once a month, set aside a day to review important paperwork in detail. Check bank and credit card statements, any bills or monthly payments, as well as any debt statements such as car and house loans or medical bills. If you find any irregularities in these, contact the sender immediately.

category: Awareness
