Attacks Are Becoming Much More Sophisticated

Published 2014-11-15 on Ted's Tech Shack (https://tedstechshack.com/2014/11/15/attacks-are-becoming-much-more-sophisticated/)

Earlier this week Kaspersky Lab posted a press release elucidating a sophisticated attack their labs discovered last fall. Kaspersky has dubbed the attack "Darkhotel". It is a fascinating tale of a modern espionage ring that sounds like something out of the seminal cyberpunk novel Neuromancer. It is hard to tell who is behind these attacks targeting globe-trotting corporate executives and government agents. It seems likely that both organized crime and government-sponsored spy rings are behind them. The sophistication gives me pause because I could see myself falling into their trap.

> the "Darkhotel" espionage campaign, which has lurked in the shadows for at least four years while stealing sensitive data from selected corporate executives travelling abroad. Darkhotel hits its targets while they are staying in luxury hotels. The crew never goes after the same target twice; they operate with surgical precision, obtaining all the valuable data they can from the first contact, deleting traces of their work and fading into the background to await the next high-profile target.

The attackers infect and utilize hotel Wi-Fi networks, which is nothing new, but they then infect the target's computer via what appears to be a standard software update using a real but cracked authentication certificate. So you get a prompt such as "click to update Adobe Acrobat", and if you check the authentication certificate, it looks valid. There are a couple of really good lessons we can all learn from this.

  1. Use a Virtual Private Network (VPN).
  2. Do NOT install apps on an untrusted network.

The US Government just released an alert about a vulnerability on iOS (iPhones) in which a user installs a third-party app, i.e. one not from the iOS App Store, and the malicious app then uses a security weakness to replace a legitimate app, gaining full access to the legitimate app's data.

Stuxnet is a computer worm that was discovered in 2010. Stuxnet is considered the first cyber weapon after it damaged Iranian uranium enrichment equipment. It is generally considered that the Stuxnet attack was far too complex to be developed by anything other than a state-sponsored effort, most likely involving the United States and Israel. While the Iranian enrichment facilities were the original target, Stuxnet has since evolved and escaped into the wild.

As the cyber world becomes more and more enmeshed with our reality, the stakes become higher and higher. This has brought many new players into cyber warfare. What was once the exclusive realm of the curious hacker has become one in which organized crime and nation states must invest.

Just this morning the Wall Street Journal posted an article about how the US Government is using airplanes that pretend to be cell phone towers in order to intercept cell phone data. The US Government is reportedly using the information to locate persons of interest without the need to go through your cell phone provider or obtain a warrant. In another disturbing report, the EFF is reporting that ISPs are removing email encryption from their users' emails without their knowledge and for no known good reason.

An integral part of computer security is assessing the value of potential targets. The higher the value, the more likely attackers will pour more resources into the attack, and the greater the security measures need to be to defend against such attacks. But what about the average user?

Most of us are not trying to protect state or corporate secrets. Our value is typically financial, i.e. credit cards, identity theft, bank accounts, etc. However, protecting ourselves and our children from sextortion has become a sad reality. There are a couple of major things that we can do to protect ourselves. One is to use a properly implemented VPN. Another is to use properly implemented strong encryption on our sensitive data.

A VPN encrypts the information traveling from your computer to the VPN server. If you are on a wireless network, odds are that your information is being broadcast in the open, which means that anyone with a little technical know-how can capture and read your information. A VPN will encrypt this open data, making it virtually useless to capture. But you need to have a well-trusted VPN service, because the operator of the VPN service has the ability to view and capture your unencrypted traffic. Another nice aspect of a VPN is that it will usually mask your IP with that of the VPN server, offering you even more protection. So, if you are surfing from your favorite coffee shop, laundromat, airport, hotel, etc. and you are not using a VPN, you are vulnerable to prying eyes. But just as your ISP can disable security features, as some appear to have with encrypted email, your VPN provider can also fail to protect you. However, a reputable VPN provider is risking their business if they do.

Strong encryption is a bit more under the end user's control. Yet the user still has to have a certain amount of faith that the encryption software is truly working as intended. There have long been rumors of a back door existing in PGP. The creator of PGP, Phil Zimmermann, has responded to these accusations repeatedly over the years. PGP and GPG source code is available to the public. Like Open Source software, this makes the software more secure in that anyone can find a vulnerability and gain fame and possibly fortune by doing so.

These days most operating systems come with some sort of filesystem encryption option. Encrypting your filesystem has its advantages. For example, if you encrypt your laptop drive and your laptop is stolen, encryption will make it much more difficult to retrieve the data off your laptop. Yet again, the more secure you make your system, the harder it will be to use. In order to make the encryption on my laptop very secure, I would store the key on a USB stick and have a very complicated passphrase. Now, every time I boot the laptop, I will need my key (USB stick) and have to enter my complicated passphrase. And of course, once I am logged in, my data is still vulnerable to remote attacks. And should I ever lose my encryption key, I would no longer be able to access my own data!

Most filesystem or disk encryption stores the key on the drive itself. So, you won't lose your encryption key, but that also means the thief will have your key. At that point, it just comes down to how good a passphrase you used. Another option is to encrypt only your sensitive files. Perhaps you have a master password list, and since you are using unique strong passwords and usernames on all your accounts, there is little chance that you can remember all these credentials. However, you can encrypt your master password list with a strong passphrase to keep it secure. Then all you have to remember is your passphrase. Even if someone is remotely attacking your computer, they will only be able to read your encrypted file while you have it decrypted. Even if they steal your encrypted file, they will need your key and passphrase to decrypt it.

All of these are great examples of usability vs. security. See my blog Data, Data, Everywhere for more on this.

I realize that all of this can be a bit complicated, but it is my job to help figure out what the right solution is for you and to help you implement it. After all, attacks are only going to gain in prevalence and sophistication.

Author: Ted Parvu