MS Risk Blog

Password Security In A Corporate Environment

Posted on in Cyber title_rule

Many companies use passwords to allow employees access to sensitive material, yet to many cyber security experts, passwords are a relic of the past, stemming from a time when individuals used passwords to access email and the rare e-commerce site. Today, the internet has caused computers to be hyper-connected: many sites require password authentication, and more information belonging to individuals and corporations is stored in “The Cloud”.  The constant use of passwords is a double-edged sword. First, it causes individuals make critical mistakes in creating passwords, either through over-simplification or through creating over-complex and forgettable passwords which cost company time in retrieval and/or resetting. Second, many corporations have been lulled into a false sense of security by allowing one-factor access to secure information.  To a malicious hacker or a corporate espionage actor, these vulnerabilities make it easy to access critical information. 

How Hackers Hack

Hackers access corporate information in a number of ways. The first, and simplest, is guesswork. Individuals who use passwords to access many sites tend to become lazy in creating passwords. In 2012, the number one password used around the world was “password”, followed by “123456”. Hackers can often guess simpler passwords, or use “password dumps”— web pages dedicated to passwords uncovered by other hackers. In addition, automated password cracking programs simplify the process of cracking common passwords, even incorporating common numeric substitutions (i.e. pa55w0rd). In addition, many people tend to reuse passwords for multiple access points, so it is common that a user will create a password in their personal life, and then use it in their corporate environment as well. If a malicious user gains access to an individual’s private password, the likelihood increases that they can use the same password to gain access into a corporate environment.

Hackers also gain access to passwords through “phishing” by which they create websites or emails which look almost identical to existing companies, such as banks or email sites, and ask users to submit login information. Regardless of how complex a password is, the strength of that password is useless when it is freely given through these methods. If a hacker has access to a personal site, they may “lurk”, that is, look at the emails people receive to identify their banks and banking habits, place of business, social connections, and even “electronic mannerisms” such as how a person “speaks” online. By watching email transactions, a hacker can easily emulate the person to gain access into other parts of their life, such as sending messages to an accountant or a client, asking them to redirect funds or use the “new” email address, so as to go unnoticed.

In addition, hackers can gain passwords using malware: undetected viruses which are stored on one computer and send data to another, such as monitoring key strokes or activating a web camera. A report from 2011 indicated that malware was responsible for almost 70% of data breaches. Malware is particularly vicious because it targets large groups or corporations, gaining access to entire systems rather than single individuals.

Finally, an emerging trend that hackers can take advantage of is called “socialing”. Because most individuals use one or two email accounts to access banking, ecommerce, social networks and other sites, gaining access to one can easily allow a hacker to gain access to the other. For example, if a hacker has an e-mail username and password, they may attempt to use it on an e-commerce site, such as Amazon, which stores credit card information. If the password doesn’t work, they can click “Forgot Password?” and answer a few personal questions, often which are accessible through a Google Search or looking through the hacked email account. The password gets sent, and the hacker deletes the email and immediately logs onto the e-commerce site and changes the email address to direct it to him. Now, the hacker has access to banking information and home address.  The hacker then uses this information to gain access to other data, including tax and benefits numbers, and can infringe upon a person’s work and private life.

Increasing corporate password security

Because passwords are still the most common and critical entry point into most businesses, steps should be taken to increase security wherever possible.

Strong Passwords: First, and most critical, encourage staff to come up with strong passwords, with a minimum of eight characters, and check them through a password strength estimator, which measures the accessibility of the password, and can be found using a simple Google search.  Using the tool, one can see that a password such as “12345678” has a strength of 4%.

To generate a strong password, it is beneficial to think of a favourite saying or line from a book, and use the letters from each word, then to replace certain letters with capital letters or numbers. For example: “It was the best of times, it was the worst of times”

First becomes:                    iwtbotiwtwot (3% strength)

Then becomes:                   Iwtb0t1wtw0t (93% strength)

Another option is to create random phrases with mixed characters where possible, such as “nine-happy_dolphins_ate?” (85% strength).

Most importantly, discourage use of passwords which individuals use in other parts of their lives, and discourage password re-use as passwords expire. Many companies are opting for longer periods between password expiration to prevent people from changing only one portion of their password (For example, from “password1” to “password2”). Stronger passwords and longer user periods can minimize the risk of password apathy.

Malware and Phishing Awareness: Again, a password is meaningless when it is given freely. Corporations are increasingly educating employees on how to identify and authenticate legitimate e-mails and websites, encouraging staff to contact the company in question if the information looks suspicious. Organizations should invest in anti-virus programs which update regularly as new viruses are introduced into the cyber-world, and check digital certificates (the fingerprints of an incoming piece of data) to see if they are associated with existing malware.

Multi-factor IDs: Earlier this week, social media site Twitter announced a new two-factor identification system following a system-wide hack which compromised the information of over 250,000 users. Increasingly, corporations use multi-factor identification to allow employees access to protected information. Users supply their chosen password, and then either receive a SMS message to their phone which provides the secondary password, or enter a password from a physical token (some of which also require a code for authentication—creating a three factor ID). The multi-factor method adds an additional layer of security, and alerts true owners of attempts to intrude upon an account.

Biometrics: Biometrics, such as fingerprint, or voice scans, seem like the best possible protection for corporate integrity. However the technique has not yet been perfected, and is considerably pricey. If biometrics are used as a one-factor system, they are easily replicated: fingerprints can be lifted, or a voices can be recorded, particularly if one is speaking into such a system in a public location, such as a library or coffee-shop. In the future, biometrics may become one component of a multi-factor verification system, but at present, they are not feasible to many organizations.

White-Hat Hackers: In cyber-slang, a white-hat hacker is one of the “good guys”. Often, companies will hire white-hat hackers to expose weaknesses in cyber security systems, and suggest or provide remedies before those weaknesses are exploited by black-hat hackers, who use the weaknesses for malicious purpose.

Monitor Abnormalities: The best protection is vigilance, specifically, identifying access attempts that are outside of normal business processes. For example, Internet Service Providers identify the location from which a user attempts to access a secure sight. Be wary if a user, known to be in London, is logging in from Boston or Singapore. In addition, if a user is given a company phone or computer, identify whether that user is attempting to log in from a non-registered device.

As hackers become increasingly efficient, individuals and corporations struggle to find the balance between convenience and privacy. While multi-factor systems are on the rise, it is important to avoid making them cumbersome or inaccessible. Cyber experts are constantly working to deliver a system that covers the new areas of cyberspace that corporations venture into. Cyber-awareness and education ensures that your company is abreast of the latest technology in online security.

Security Situation in Mali (8 February 2013)

Posted on in Mali, Region Specific Guidance title_rule

In line with MS Risk’s recent advisories indicating that the security situation throughout Mali remains uncertain, a suicide bomber blew himself up on Friday in the northern town of Gao, sparking the first such incident to occur since France launched its military intervention in January of this year.  This attack signifies that the Islamist rebels have resorted to guerrilla warfare as a means of demonstrating that despite being ousted from their stronghold in northern Mali, they are still able to carry out hit and run attacks.  MS Risk therefore advises that it is highly likely that such guerrilla attacks may continue in the coming months, especially in those towns and cities that were recently recaptured by French-led forces.  This recent incident also proves that the war is far from being won.  The current security situation may result in an increased military presence and checkpoints in towns throughout the country.  Meanwhile in Bamako, fighting has erupted between Malian government soldiers and paratroopers who are stationed in the capital city.  MS Risk advises any expats in the Bamako to get to safety immediately.  It is highly recommended that you stay off the streets and keep away from any military bases as further fighting amongst the military divisions may occur.  Military base, especially those occupied by French troops, may also be targeted by rebel Islamist groups.  It is also recommended to be wary if driving over any of the three bridges across the Niger river which cuts the city in two.

Fridays’ suicide attack occurred when the attacker, who was on a motorbike at the time, approached a checkpoint located on the outskirts of Gao at about 6:30GMT.  The bomber, who is believed to be a young Tuareg, then detonated an explosive belt.  Reports have also indicated that he was carrying a larger bomb which failed to detonate.  The attack left one soldier injured.  Gao is one of the most populous cities in northern Mali and it is one of the towns that was recaptured by French-led troops.

This incident is the first known suicide attack to have occurred in Mali since France sent 4,000 troops into the northern region of the country on 11 January in order to oust the militants.  Although there are checkpoints, which are run by troops from France, Mali and Niger, throughout the country, there is currently an increased military presence in Gao as there are rising fears that mines may have been strategically placed throughout the city as a means of carrying out further attacks.  The suicide attack comes just one day after one of the Islamist groups, the Movement for Oneness and Jihad in West Africa (MUJAO), stated that they had “created a new combat zone” by organizing suicide bombings, attacking military convoys and placing landmines.

Over the past week, French-led forces have increasingly come under attack in the reclaimed territories.  A landmine blast which occurred on Wednesday between the northern towns of Douentza and Gao, killed four civilians who were returning from a market.  A similar incident in the same area, which occurred on January 31, resulted in the death of two Malian soldiers.  All of this is occurring at a time when French-led forces have been split into two units, with some remaining in the recaptured towns in order to enforce security, while others, along with 1,000 Chadian soldiers, moving into the mountains near the Algerian border where a large number of Islamist rebels are believed to have fled after French forces began bombarding their strongholds.  On Thursday, French and Chadian troops arrived in Aguelhok, which is located 160 km (100 miles) north of Kidal.  By Friday, the French-led forces moved into Tessalit, which is the gateway into the country’s northern mountainous region.  Over the past few days, air strikes have targeted both towns, aimed at removing Islamist bases.  The air strikes are also in preparation for ground forces which are set to enter the mountainous regions in order to drive the remaining Islamist groups out of the country.

Meanwhile in Bamako, reports have surfaced that Malian government soldiers have fought mutinous paratroops in the capital city.  Fighting erupted as soldiers attacked a camp of elite paratroopers who are loyal to ex-President Amadou Toumani Toure, who was ousted in the March 2012 coup.  It is believed that the incident broke out after the paratroopers refused to be absorbed into the other units in order to go to the northern frontline.  The violence comes on the same day that the first EU military trainers were expected to arrive in Bamako in order to begin further training of the Malian army.

Understanding Algerian Non-Interference

Posted on in Algeria title_rule

The hostage crisis at Ain Amenas gas complex in January placed a spotlight on Algerian foreign policy and security measures. Although unilateral Algerian security tactics frustrated international governments, authorities in many nations still believe Algerian support is necessary for security in North Africa. Yet President Bouteflika and the Algerian government are unlikely to provide extensive cooperation beyond their borders; Algerian policy is isolationist at the core.

The Algerian government has long held a “non-interference” foreign policy strategy.  Historically, President Bouteflika has been a vocal opponent of foreign intervention, believing in particular that Western foreign military spending in North Africa allows too much leverage and insight into domestic militaries. The January attacks highlighted the extent to which Algeria is ready to act unilaterally. When Islamic militants took several hostages, including 48 foreign nationals, the Algerian military acted quickly to end the siege. This decision, made without the advice or support of other nations, aggravated world leaders who commonly cooperate in such situations. However, to the Algerians, these dialogs appear time-consuming and intrusive.

Algerian reluctance to invite coalition cooperation within its borders is equally matched by an unwillingness to interfere beyond its borders, as evidenced during the2011 Libyan Revolution. Though the Algerian government did not support the Gaddafi regime, they were reluctant to become involved in NATO-supported operations to remove the dictator. Rather, the Algerian government focused on the potential volatility in Libya, fearing that instability would create pockets of opportunity for increased weapons trafficking and radicalised groups to take hold. The Algerian government fortified its borders, shutting down crossings between the two nations. Foreign Minister Mourad Medelci stated, “We can only say that the relationship between us will improve with the return of stability to Libya.” Further, the Algerian government believes that those who aided in the overthrow of Gaddafi, particularly NATO, are responsible not only for the resulting instability, but are beholden to guide Libya’s new government through course-correction as it makes its way into democratic polity.

The nature of this “fortress-like” philosophy dates back to Algerian independence from France in 1962, when the Algerian government became determined to become a pillar of sovereignty. Decades later, in 1992, Algeria suffered a coup d’etat which led to a decade long civil war between the Algerian military and two Islamic parties; the Islamic Salvation Front, and the considerably more radical Armed Islamic Group (GIA).  The GIA carried out a series of massacres, and Algeria found itself alone in struggling with militant Islamic insurgencies, relatively unaided by Western forces. By the end of the war, insurgencies cost the lives of almost 200,000 people, yet the terrorist threat in the Middle East was not fully acknowledged by Western forces until the attacks in the US on September 11, 2001. As a result, Algeria’s experiences have reinforced the government’s conviction to remain solidly independent in dealing with domestic security issues, and non-intrusive in events beyond its borders.

Complicating matters for Algeria, however, are contentious neighbours along those borders. Algeria is the largest country in Africa (five times the size of France) and has a 2,500 mile land border. Six hundred of those miles are shared with a still-unstable Libya, and a further nine hundred of those miles are shared with Mali, where Islamist militants have taken over the northern region of the country, threatening to impact security along Algerian borders. Still more troublesome, a large section of the nation borders fall deep within the Sahara. In that vast, secluded space, many militant groups have taken residence in the areas bordering Algeria, particularly in northern Mali.

In April 2012, an offshoot group of Al Qaeda in the Islamic Maghreb (AQIM) kidnapped seven people from an Algerian consulate in northern Mali. The militants executed one hostage and released three in the summer. The three remaining are reportedly still in captivity.  Despite these affronts, the Algerian government has been loath to cooperate in actions against militants in Mali, acutely aware of their direct impact on security within Algerian borders.  Algerian officials fear that military involvement might push the radicals further north into domestic territory. Further still, Algerian actions may cause radicalisation of the nomadic Taureg Bedouins, whose territory resides on the borders of Algeria, Mali, and Niger.

While the Algerian government is adamant that they will not send troops to Mali, it has granted permission for French fighters to use Algerian airspace, and has reinforced military presence along the Malian border. The attackers at Ain Amenas gas complex claimed that the siege was a direct result of Algerian cooperation. Attacking Algeria’s gas complex is a significant step for militant Islamists; the assault was more sophisticated than bombings in public places, and sources confirm that the attack has been planned for some time, with the help of individuals working inside the complex.  AQIM and other radicalised groups have historically profited from ransoming hostages, and a complex with foreign nationals would possibly provide income to spend on achieving goals in northern Mali.  In addition, the attack sends a message. Sonatrach, Algeria’s nationalized oil and gas company, is the tenth largest in the world. The hydrocarbon industry provides the bulk of the nation’s wealth.  An attack within such an infrastructure signals an attempt to cripple the Algerian economy.

However, a large percentage of Algerian revenue supports its defence spending. Algeria has the 16th largest defence budget in the world (primarily purchasing weaponry from Russia), and a highly proficient military, adept after years of experience, at securing its borders and ensuring safety to its hydrocarbon profit sectors. Algeria will continue to secure and reinforce its borders from within, but are unlikely to provide more than airspace permissions in affairs beyond its borders.

Security Situation in Mali (7 February 2013)

Posted on in Mali title_rule

Over the past forty-eight hours, Chadian soldiers have continued to secure the town of Kidal in Mali while France has urged the United Nations to send peacekeepers into Mali as French troops prepare to withdrawal from the mission by March 2013.  The security situation throughout the country remains to be volatile as counter attacks by Islamist rebels have indicated that while all of the cities in the northern region have been retaken, the rebels continue to have the capabilities of regrouping and staging hit and run attacks.  It is highly likely that such attacks and clashes will continue to occur during the transitional period as the rebels will attempt to use this moment to regain their access.

On Tuesday, an estimated 1,800 Chadian troops entered the northern town of Kidal in  order to continue securing the last major Islamist rebel stronghold.  Meanwhile reports have indicated that there are rising tensions in Mali as the French-led forces have been attacked by Islamist rebels in retaken territories, raising fears that a prolonged insurgency may occur.  French Defence Minister Jean-Yves Le Drian confirmed on Tuesday that rebels had hit back at troops with rocket fire in Gao, which is the largest northern city.

Meanwhile after announcing plans to start withdrawing its 4,000 troops from Mali in March, France has called on the United Nations to begin deploying its peacekeeping force in order to take over the mission.  Speaking to the media in Paris, Foreign Minister Laurent Fabius indicated that a peacekeeping force could be in place by April and that it would incorporate troops being deployed under the banner of the West African intervention force.   France wants the UN force to help stabilize Mali and to seek an end to the long-standing conflict between the ethnic Tuaregs and Arabs and the rest of the population.

So far, France has sustained one fatality, a helicopter pilot who was killed at the beginning of the mission.  The Malian army has indicated that eleven of its troops have been killed while another sixty have been wounded.  France’s Defence Minister has indicated that the monthlong French offensive has killed hundreds of Islamist fighters in Mali.

Security Situation in Mali (4 February 2013)

Posted on in Mali, Region Specific Guidance title_rule

Over the past 24 hours, French fighter jets have continued to bombard supply bases located in northern Mali in order to flush out any Islamist rebels who are hiding out in the region.  The additional bombings also comes at a time when Paris is placing added pressure on African troops to deploy as quickly as possible in order to take over the offensive.  While all of the previously militant-controlled towns have been recaptured by French and Malian troops, MS Risk continues to advise vigilance throughout the country.  Food and supplies in some parts of the north are beginning dwindle as many of the Arab and Tuareg traders have fled the region as a result of rising fears of reprisal attacks.

Amidst increasing fears that the rebels could re-group in the mountainous region, dozens of French fighter jets carried out massive air strikes on rebel logistics and training centers around Kidal over the weekend.  The fighter jets focused on Tessalit, which is located about 200km (125 miles) north of Kidal, and which is the gateway to the Adrar des Ifoghas mountains.  The bombings also focused on the mountainous region, which is located in the north-eastern area of the country, as it is believed that the terrain could provide the perfect hiding place for the militants.  Speaking to the media in Paris, Foreign Minister Laurent Fabius indicated that the militants “have taken refuge in the north and the northeast but they can only stay there long-term if they have ways to replenish their supplies.  So the army, in a very efficient manner, is stopping them from doing so.”  Since the French military intervention began in Mali several weeks ago, extremist fighters have been fleeing to the Adrar des Ifoghas massif in the Kidal region, near the Algerian border.  Although they have been driven out from their strongholds by French and Malian soldiers, the operation has been complicated as it is currently believed that the militants may be holding seven French hostages in the mountainous region.

While Chadian and French forces continue to secure Kidal, the last militant stronghold in the north, France’s Foreign Minister has indicated that his country is keen to wrap up its leading role in the offensive, noting that French troops could rapidly withdraw from Timbuktu within weeks.  France is now eager to pass the role over to some 8,000 African troops pledged for the UN-backed AFISMA force.  However French President Francois Hollande stipulated during his visit to Mali over the weekend, that his country would not abandon Mali.

Meanwhile Niger’s President Mahamadou Issoufou has confirmed that French special forces are protecting one of the country’s largest uranium mines.  Officials in France have also confirmed that a dozen special forces reservists are currently strengthening security at the site.  The special forces will be protecting Areva, a French company, which plays a major role within Niger’s mining industry.  Areva is also the world’s fifth-largest producer of uranium.  The added protection to the site comes as a result of increasing threats to Western, and French interests throughout Africa, coupled with the recent hostage situation in Algeria.  The added security is also in light of the fact that three years ago, Islamist militants kidnapped five French workers at the mine in Arlit, Niger.  Four of them are still being held, along with three other hostages.  They are believed to be somewhere in the northern region of Mali, not far from where French troops are battling al-Qaeda-linked rebels.