Associations are Powerful – and therefore Targets for Hackers

Associations are very powerful, particularly in America.

Think about it. Your Doctor is approved by the American Medical Association. Your Attorney is approved by the American BAR association. Your Accountant is approved by the American Association of CPAs (certified public accountants).  A person’s license /certifications may be “recognized” by the government, but ultimately it is a group of peers that form the association.

Americans of all ages, all stations of life, and all types of disposition are forever forming associations… In democratic countries knowledge of how to combine is the mother of all other forms of knowledge; on its progress depends that of all the others.

– Alexis de Tocqueville – Book Two, Chapter V. (source)

This may sound philosophical, and we’ve blogged about this before, but it’s important for associations to remember just how much power they have.  And with power comes great responsibility.

YOUR ASSOCIATION IS A HACKER TARGET

Why? Because it’s logical.

If you were a dictator in a country that had sanctions against it, I dunno, maybe they didn’t allow US Companies to help you drill for your oil reserves and you lacked the technology to do it yourself, wouldn’t it make sense to go after an association of accomplished professionals in that area?

St. Petersburg IP Address Alerts
Security Alerts with  IP addresses (listed as) St. Petersburg Targeting Associations. NOTE: IP Addresses are easy to fake so it could be a false positive.

It sounds horrible, but it is logical in a Machiavellian kind of way.

A story for y’all. I was talking to a client who had a Tendenci Open Source AMS site for a group of students at universities in the liberal arts. He said

nobody is going after English majors“.

“Oh really?” I asked.

Then I asked If any of his students attended X University (really I could have picked any University). He said “yes.” I pointed out that exact University also has extensive Chemistry, Energy and Engineering programs that do cutting edge work.

My point was if you can do spear phishing on a student to get closer to an Engineering Professor with expertise in Directional Drilling, wouldn’t Russia be interested in that? Would North Korea be interested in obtaining information on the latest tech in chemistry? Of course they would.

Those countries might not even be directly doing the hack attempt. But a entrepreneurial hacker knows there is a market for that data. Would Russia buy it? Yes. Would the US buy it? Yes.

My point was simply that if you can infect the computer or phone of one student, any student, then you can get into the network. And then move laterally. You are in.

Again – to the POWER of ASSOCIATIONS:

Americans combine to give fêtes, found seminaries, build churches, distribute books, and send missionaries to the antipodes. Hospitals, prisons, and schools take shape in that way. Finally, if they want to proclaim a truth or propagate some feeling by the encouragement of a great example, they form an association. In every case, at the head of any new undertaking, where in France you would find the government or in England some territorial magnate, in the United States you are sure to find an association. I have come across several types of association in America of which, I confess, I had not previously the slightest conception, and I have often admired the extreme skill they show in proposing a common object for the exertions of very many and in inducing them voluntarily to pursue it.

– Alexis de Tocqueville – Book Two, Chapter V. (source)

This is not to scare users of any association management software. It is pointing out facts and hopefully increasing awareness among NGO technology professionals, association executives, association leadership and in fact (hopefully) the whole country, that there is a serious vulnerability if not addressed seriously.

American corporate espionage preparedness is unprepared

American corporate espionage preparedness, in a random sample and via anecdotes, is in bad shape. We are not prepared.

the-company-man

The video is 30 minutes but worth it for training your team. Now a question.

What is the technical difference between a Speaker (thump thump) and a Microphone (can you hear me now?)?

NOTHING. There is no difference between a speaker, headphones or microphones. No. Difference. At. All. None.

Significance:

Plug your headset into the microphone jack on the stereo and poof – you have a mic.

Why do you care? Because if your employees are relaxing after work, at the local vegan cafe. Just unwinding, spending 20 minutes at the salad bar. nearby people hypothetically might get bored. “Hackers aren’t vegans” you say, “so it can’t happen here.”

Mics vs speakers – the answer is anyone can just put their iphone down with the headphones in and record away. Especially if the marks are “extremely loud bar talkers” as these two were.

Identity? Well gosh, they left their credit card receipt detail side up so I could helpfully straighten their table and take a quick photo of their info on the way to the restroom

How does this impact you? Well these two gentlemen next to me are clearly in town for a conference. Still wearing lanyards with fortune 500 company logos? Accents. Of course, we’re either the first or second most diverse city in the USA.

Again, It’s Houston – we know what’s going on. Houston is all about the back channel. And once your dialed in? Well it’s kinda like the matrix. Seriously – why else would millions of people live in a paved over swamp with the moniker “The Bayou City”?

Back to the situation at hand. These fools spouting corporate secrets next to me because I have headphones on and my audio turned off.

I’m white hat so no, I did not record anything and will not inform their companies nor will I inform them. No I did not take a detailed photo of their receipt although it sits just to my right at the moment as it has for 10 minutes.

Honestly I have other battles to fight. And so do you. Yet make no mistake – if they had revealed some anti-American activity I would have arranged for them to meet up with some of my friends who love America as much as me and my friends know how to handle such matters delicately.

This blog post is simply an anecdote, a story that is true, of knuckle-heads who weren’t thinking before they spoke.

As for companies that employ people, what are our options? First the obvious – we can try to hire for common sense, Then you can train and test – I do drills to test our team,

Big picture? What will work best? Dunno. I do know ignoring the issue of human hacking /social engineering isn’t the solution.

To repeat, we know humans are the weak link because I’ve tested it with my own company and as a paid approved pentester at the request of some of our clients. I’ve unfortunately been 100% successful in finding security holes in my pre-approved and client authorized tests.

Even when the employees KNEW ahead of time that someone was testing the systems..I’ve yet to fail to find an opening and honestly I’m not that good at the whole pentesting thing … like I don’t have the best tools or a infinite budget or even a good lock pick set with a proper bump key.

In other words – I’m amateur at best and only to protect my own clients.

But sheesh, a little reality training would go a long way with folks like this. The humans are almost always the weak point. I was in one restaurant and they said “ya, the Internet has been spotty for days.” I said “well maybe I can help. Would you mind taking photos of the front, back, connections and the serial number on your router and I might be able to fix it.”

I still have the photos on an encrypted drive somewhere. My point is I didn’t misrepresent myself as a Comcast employee or whatever. I just said I was a customer and that I might be able to help.

Back to our main storyline. It is YOU, the management team and every employee who is handling YOUR company’s data. It should take more than sitting down next to two guys drinking IPAs for me to even have the opportunity to gather that type of intel.

And the router example where the waiter literally texted me all of the technical specs of the router? xOMG, no excuse.

In the various circumstances I fixed their internet, got their credit card processing systems working again, reset passwords with upper management’s permission. I did what I would do with my own family’s business. 

What did happen is that even with permission and weeks of advance notice, zero clients or friends have had any network my team has tested properly secured. It was not barriers already installed that blocked us. On the rare occasion we ere too impatient to power through something (which we can do), it was laziness, we simply were tired and wanted to go home. So we’d just ask a manager and say it was part of the test. Seriously.

Grok that. Leaders at a company who were specifically told who we were, that we were there to test network security, that it was serious and they were to block us in every way possible. Those managers would give u the keys to the kingdom if i asked the right way. (the “right way” is vague on purpose. I’ll do another post on that one later.)

Perhaps the scariest part is that I personally was never impeded by even the most basic security training for these employees or their own intellectual “well duh I shouldn’t do that” factor. In every instance if I hit a roadblock they helped me bypass any remaining obstacles.

  1. Train. Train. Train your people.
  2. Know, don’t expect but know they will get in. So shrink the attack vectors and restore from a known clean backup regularly.
  3. Try not to get anyone fired. The business owner would have been just as clueless.

—————–

PS – for the curious, the fastest network break in I’ve ever done? 5 minutes. The owner asked us to test his network security. I agreed and we agreed on a  price (remember this guy didn’t know me from Adam). Then I said “of course we’ll need your login to monitor how the red team is doing. He then just blurted out his username/password for the network and for his email. And assured us it wouldn’t be a problem with anything else because he always “used the same password.” Gosh. We printed nice reports and pounded sand for a few days, but it was the fastest… whatever you want to call it.

PPS – I bet if you owned stock in that corporation and liked the CEO you’d call it a hack. Similarly if a black hat, you’d call it like it was.