Well, I am assuming they are script kiddies, but it could be anyone really. I just can't imagine a serious security professional doing what some people appear to be doing to my poor little Raspberry Pi.
I took a cursory glance at the Apache logs for my Raspberry Pi, which is happily responding to web requests. The vast majority of the requests were just attempts to identify known vulnerabilities in different frameworks, languages and so on. The old-fashioned equivalent would have been war dialling, I suppose.
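To show what that cursory glance looks like when it is automated, here is an added example (my illustration, not code from the original post): a small Python script that parses Apache combined-format access log lines and counts, per source address, the requests that look like vulnerability probes. The log lines are constructed for the example and use documentation addresses, and the list of probe paths is an assumed, illustrative heuristic rather than any authoritative signature set.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: paths that mass scanners commonly request while looking for
# known-vulnerable software. Illustrative only, not an exhaustive list.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"/wp-login\.php", r"/wp-admin", r"/xmlrpc\.php",
        r"/phpmyadmin", r"/\.env", r"/\.git/", r"/cgi-bin/",
        r"/manager/html", r"/vendor/phpunit",
    )
]

# Constructed sample log (RFC 5737 documentation addresses, made-up user agents).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Apr/2020:10:01:22 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2020:10:02:05 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.23"
198.51.100.7 - - [12/Apr/2020:10:02:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "python-requests/2.23"
198.51.100.7 - - [12/Apr/2020:10:02:07 +0000] "GET /.env HTTP/1.1" 404 512 "-" "python-requests/2.23"
203.0.113.5 - - [12/Apr/2020:10:05:41 +0000] "GET /manager/html HTTP/1.1" 404 512 "-" "Mozilla/5.0 zgrab/0.x"
192.0.2.10 - - [12/Apr/2020:10:06:00 +0000] "GET /about.html HTTP/1.1" 200 2210 "http://example.invalid/" "Mozilla/5.0"
this line is garbage
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not
    match (truncated or foreign lines are common in real logs)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """True if the requested path matches a probe heuristic. The query
    string is dropped first so '/.env?x=1' is still flagged."""
    path_only = path.split("?", 1)[0]
    return any(p.search(path_only) for p in PROBE_PATTERNS)


def summarise(log_text):
    """Count probe requests per source IP and per path over a whole log."""
    parsed = unparsed = 0
    by_ip, by_path = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        parsed += 1
        if is_probe(rec["path"]):
            by_ip[rec["ip"]] += 1
            by_path[rec["path"].split("?", 1)[0]] += 1
    return {
        "parsed": parsed,
        "unparsed": unparsed,
        "probes": sum(by_ip.values()),
        "by_ip": dict(by_ip),
        "by_path": dict(by_path),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"{report['probes']} probe requests in {report['parsed']} parsed lines "
          f"({report['unparsed']} unparsed)")
    for ip, n in sorted(report["by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip:<16} {n} probe(s)")
```

On the constructed sample this reports four probe requests from two addresses and one unparsed line. Replacing `SAMPLE_LOG` with the contents of `/var/log/apache2/access.log` gives the same summary for a real host; the per-IP counts are what you would feed into a block list or a fail2ban-style rule, and the per-path counts tell you which software the scanners are hoping to find.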
That title sounds terrible and makes me sound like I am a cyber criminal exploiting the current pandemic to make money. But it is not like that at all. I have just finished my Master's, and my dissertation was all about how useful (or otherwise) phishing awareness training is as a means of protecting users from phishing.
I won't spoil the end by telling you what my conclusion was, but it was interesting to see just how easy it was to get people to fall for a phishing email. There is a lot of research out there on phishing and I would share some of it, but my dissertation is yet to be marked and I don't want to get into any publishing/copyright mess.
Anyway I am hoping I can publish it at some stage, or use it for the basis of further work.
Why am I writing this post? Because I have worked in SMEs for a while, and the smaller and younger they are, the more I worry about their attitude and ability to respond to security events. In fact, I worry about whether they can even identify that they have had a security-based event.
This has been made worse in the last twelve months by the additional responsibilities of GDPR. Now there is a potentially massive financial implication of a data breach, not just from the cost of remediation but also from the DCO.
Sure enough, there are a lot of vendors offering people silver bullets to protect them from the evil hackers sitting out there in their hoodies in their dark rooms. But there are two major problems with that. One is that there is no silver bullet, and relying on one is a big mistake. The second is that without security knowledge in the business they are never going to mature and be able to deal with the emerging threats that come from cyber security. A further problem with the peddlers of silver bullets is that what they sell is not cheap. These small companies are (generally) concerned with building up their revenues to turn a profit, and these extra security costs are a luxury. So I suppose they could use open source tools, of which there are plenty. But then we are back to knowledge and skills: open source tools are by their very nature more difficult to set up, let alone to set up correctly.
Another concern is the patching and updating of equipment. In a small company, is that really going to be a priority?
Even the tools from companies that promote defence in depth, and tell you that their products should be used in conjunction with others, are just too expensive. I fully appreciate the need for the expense; building some of these tools is a long and drawn-out process which costs money.
If you look at this from the hacker's point of view, these companies provide an ideal learning ground for future breaches. Not only that, but they also provide possible jumping-off points for bigger fish. Why would you attempt a breach against a massive organisation with sophisticated security prevention measures and a security team when you can go for one of their suppliers who have no security knowledge at all?
So why am I writing this post? Because there seems to be a massive gap in the market to help these companies meet their GDPR requirements and also to protect them from hackers. I am not sure what form a solution to the problem might take, but there is surely a possibility of somebody filling that gap.
There are a couple of things that concern me about Node, and the most pressing is security. It is just so easy to include hundreds of packages, the source of which is almost impossible to track.
If those modules are maintained by people you don't know anything about, how do you know they can be trusted? How do you know that someone has not changed the code somewhere in those packages to do something malicious?
But that concern was precipitated by my very first concern: the sheer number of packages you can install without even trying to do so. Next time you play with Node, just check how many packages you have simply by including express and a couple of components.
And then, finally, perhaps the most churlish reason is that just because anyone can now write backend code in JS does not mean that you should. Sometimes Node just does not do the trick. If you want to create a system that processes and transforms lots of data, Node is not the right tool.
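The "just check how many packages you have" exercise can be done from the lock file rather than by eyeballing `node_modules`. The script below is an added example (mine, not from the original post) that reads a `package-lock.json` in the lockfile version 2 or 3 layout, separates the dependencies you asked for from the ones that came along for the ride, and flags entries that were not resolved from the public npm registry or that carry no integrity hash, which are the two cheapest supply-chain checks available. The lock file contents, package names and hashes are constructed for the example; only the lock file structure (the `packages` map keyed by `node_modules/...` paths, with the root under `""`) follows the real format.

```python
import json

# Registry prefix we expect every resolved tarball to come from (assumption:
# the project uses the public registry and no private mirror).
REGISTRY = "https://registry.npmjs.org/"

# Constructed lock file. Versions and integrity values are placeholders,
# not real published artefacts.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"express": "^4.0.0", "left-pad-ish": "1.0.0"}},
    "node_modules/express": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/express/-/express-4.0.0.tgz",
      "integrity": "sha512-CONSTRUCTED1",
      "dependencies": {"body-parser": "1.0.0", "cookie": "0.4.0"}},
    "node_modules/body-parser": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.0.0.tgz",
      "integrity": "sha512-CONSTRUCTED2"},
    "node_modules/cookie": {
      "version": "0.4.0",
      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz",
      "integrity": "sha512-CONSTRUCTED3"},
    "node_modules/left-pad-ish": {
      "version": "1.0.0",
      "resolved": "git+ssh://git@example.invalid/someone/left-pad-ish.git#abc123"},
    "node_modules/express/node_modules/debug": {
      "version": "2.6.9",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
      "integrity": "sha512-CONSTRUCTED4"}
  }
}
""")


def package_name(path):
    """Map a lock-file path to the package name it installs:
    'node_modules/express/node_modules/debug' -> 'debug',
    'node_modules/@scope/pkg' -> '@scope/pkg'."""
    return path.split("node_modules/")[-1]


def audit_lock(lock):
    """Summarise direct vs transitive dependencies and flag risky entries."""
    packages = lock.get("packages")
    if packages is None:
        raise ValueError("only lockfileVersion 2/3 ('packages' map) is handled here")
    root = packages.get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    installed = {p: meta for p, meta in packages.items() if p}  # drop the root entry
    names = {package_name(p) for p in installed}

    findings = []
    for path, meta in sorted(installed.items()):
        resolved = meta.get("resolved", "")
        if not resolved.startswith(REGISTRY):
            findings.append((path, "resolved outside the registry: " + (resolved or "<none>")))
        if "integrity" not in meta:
            findings.append((path, "no integrity hash, tarball cannot be verified"))
    return {
        "installed_entries": len(installed),
        "direct": sorted(direct),
        "transitive": sorted(names - direct),
        "findings": findings,
    }


def audit_file(path):
    """Convenience wrapper for a real project: audit_file('package-lock.json')."""
    with open(path, encoding="utf-8") as fh:
        return audit_lock(json.load(fh))


if __name__ == "__main__":
    report = audit_lock(SAMPLE_LOCK)
    print(f"{report['installed_entries']} installed entries: "
          f"{len(report['direct'])} direct, {len(report['transitive'])} transitive")
    for path, why in report["findings"]:
        print(f"  {path}: {why}")
```

On the constructed lock file two packages were requested and five were installed, and the one pulled straight from a git URL is flagged twice: it did not come from the registry, and with no integrity field npm has nothing to verify the download against. On a real project the interesting number is the size of `transitive`, which is exactly the set of code nobody on the team chose.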
So I was asked at work the other day if I could help find a missing server. I know that sounds odd, but it was running some software that nobody had ever needed to use but which was considered essential. They did not know the IP address, or the user name or password used to gain access.
I had come across nmap in the past and never really understood how useful it could be. Then, as part of my studies, I learned of its amazing range of facilities. So after 5 minutes of research (dabbling) I found an invocation that would show me every single open port on every single device on the network. After filtering that down a little, I had some potential devices we could try.
I am not sharing the nmap invocation because that would give away what I was looking for and possibly why.
Obviously that does not get you the access you need, but perhaps that is the subject of another blog post.