Tuesday, June 20, 2017


   I received this great news in email today.  For some reason gmail marked it as spam!  But it looks great to me! :-)

Tuesday, May 23, 2017

I'll Cry if I Wanna

   I try not to jump on bandwagons, but with so much coverage of, and so many effects from, the worldwide WannaCry mess, I do have a few things to say.  I have a few different things to cover that you may not have seen elsewhere.

   There's been plenty of media coverage so I'll just give a high level overview of what happened.  Like many other nations, the US National Security Agency (NSA) studies computer flaws and develops ways to attack them.  The Shadow Brokers are a hacker group who started leaking some of these NSA-developed attacks in the second half of 2016.  The April 2017 edition of their leaks included the code that enabled the WannaCry attack.
   The attack that started on Thurs May 11 consisted of two parts.  One would encrypt files so that the owner could not get access to their files (commonly called "CryptoWare").  The other part could get remote access to any vulnerable computer.  This was a very powerful combination and this is the first time we've seen this kind of auto-spreading cryptoware.  Once infected, the victim sees a screen that directs them to pay a ransom in bitcoin - so the whole attack is considered "Ransomware".

   Now, Microsoft did release a patch in March to fix some of these problems, in particular the remote access part.  So no problem, right?  Desktops and laptops are usually easier to patch, and you should always have your home systems set to automatically update.  But servers need more testing to assure that applications continue to work as expected.

   Patching was a critical part of the fix, but there was definitely more to it including things like new anti-virus signatures, whitelisting, intrusion prevention signatures and firewall rules.

Tuesday, May 9, 2017

Google Docs and the Mailinator

   You're minding your own business, just checking email, when you get an email from a "friend" inviting you to get a shared Google Doc file.

   You're a student of security, or at least a fan, so you're always skeptical when you receive an email with a link or attachment.  This one appears to come from someone you know.  The subject and body of the message seem consistent with a Google doc sharing message.

   Problem clue #1 - look at the "To:" line.  Clearly, this message wasn't sent to you.

   Problem clue #2 - were you expecting this email and file?  Has this sender sent you Google docs in the past?  Did this email arrive at work or home - and do you normally use Google docs there?

   But, you are rushed and don't have time to send your friend a message to see if this email is legit.  So you click.  If you're not already logged in to your Google account, you're asked to log in.  What you see next is...

Tuesday, April 25, 2017

World Password Day and Teen Power

   Thurs May 4, 2017 is World Password Day!  I know that's coming up fast, but don't worry, you still have time to plan your celebration.  No, that's not the day when you share your password with the world.  Nor is it about changing your bank password from 123456 to 1234567.

   I've written about this in the past.  World Password Day is a day to learn and it's yet another opportunity to take a look at what is protecting your personal information, your financial information, your medical information as well as your internet presence and reputation.  Most passwords provide only a thin veil of protection.

   On World Password Day, we should look at the 4 main problems we can very easily fix:
  1. People choose weak or easily guessable passwords - the simple fix is to choose better passwords!  As I've said many times in the past, when it comes to passwords, size matters!  Make 'em long.  But even if you choose a good password...
  2. Passwords get reused among sites - this is a major problem because the attackers will try stolen passwords at other sites.  And it works.  So choose a unique password for every site on which you have an account.  But...
  3. We can't remember all our passwords - so, as we've discussed in the past, use a password vault.  The vault is a program that will help you choose great passwords, recall those passwords and protect them.  But sometimes that's not enough because...
  4. Even well-chosen passwords can be guessed or hacked - so for extra protection use two-factor authentication (also called multi-factor authentication).  Typically this means using an app on your smartphone as part of the login process.  That means, to break into your account, an attacker would need both your (long, strong) password AND your smartphone.  That's hard for the attacker to do.  And using multi-factor is easy!  Setting up 2-factor authentication is easier than ever before and is in use on many mainstream sites including Google, Facebook and Twitter.  Here's some info on sites offering 2-factor authentication.

   The WPD website has some high level guidance on each of these as well as those great Betty White videos!

   And if those all aren't enough reasons to move to 2-factor authentication, now... that pinnacle of journalism... Teen Vogue, has put out a really good article on the subject!  You can read it here.

   In addition to really good coverage of 2-factor methods and websites, the article also goes into more advanced topics like the use of a physical fob called a Yubikey.

   What is really significant is that this article is directed at a population who both grew up with technology and is used to sharing everything. The key message is that there are good reasons for protecting your information and reputation, even if you don't yet have financial assets or a job.

   So, are you ready to take the World Password Day challenge?  Start slowly.  Get a password vault and start with your most important sites: banks, insurance, investment and social media.  Change the passwords to unique long strong ones.

Tuesday, April 11, 2017

Cyberbullying and the New Math

   According to the Cyberbullying Research Center, the National Crime Victimization Survey (NCVS) is a large-scale data collection effort led by the U.S. Census Bureau and the Bureau of Justice Statistics.  This study has been going on since 1973.  In 1989 they added supplemental questions focused on school-related incidents, and stepped this up to a more in-depth biennial survey in 2005.

   Cyberbullying is still a major issue.  It's been over 4 years since I've written on this subject.  While there is perhaps more visibility, the basic problems haven't changed.

   Based on the above benchmark, at first glance, bullying appears to be trending down over the past decade.

   While there have been some high-profile cases over the years, this is a real, current and ongoing issue.

Tuesday, March 28, 2017

Big Problems, Small Packages (part 1)

   We're constantly hearing about data breaches in the news.  Many are due to external attacks, as happened to Yahoo! or OPM.  Many others are caused by well-meaning staff or contractors who carry data with them on laptops that then get lost or stolen.

   USB flash drives, often called thumb drives because they're about the size of your thumb, first hit the market in around 2000.  They had relatively little storage space and weren't cheap, but quickly became a security issue both for the potential to carry and load malware as well as taking data out of the office.  I remember discussions about this issue back in the early 2000s and some organizations were even thinking about using hot glue guns to fill in and block the USB ports on computers!  That would have been a mess!

   Before long the prices came down, the storage space went up and the problems multiplied.  Many organizations were not ready for how quickly these drives got integrated into every day work.

   Today we're going to focus on data that is copied on to USB flash drives and taken out of the office.

   The highest capacity USB flash drives we can find today are around 1 TB, though there are plans for 2 TB drives coming on the market before long.  Drives of 512 GB or larger are still pretty expensive.  But we know that prices of the high capacity drives will drop as new larger drives come out.

   To give you an idea of that size... 1 TB is about the size of 1500 CD-ROMs or 143,000,000 Word documents!  That's a lot of data potentially leaving your organization.

   So how do you combat this at your organization?  You don't!  We're not dealing with an adversary whose efforts need to be defeated.  These are well-meaning staff trying to get work done.  Always assume positive intent.

Tuesday, March 14, 2017

A Culture of Security - The Best Infection! (repost)

   This week we're relaunching our Security Awareness campaign at work.  In honor of that, I thought we should re-sample a past post on this subject.  Enjoy!

   I was recently reading an interesting article at SearchSecurity entitled Staff infection: IT security education is contagious.  The article notes that security is the responsibility of every individual and that for an organization to have even a semblance of security, there has to be both buy-in and shared action by the members of the organization.

   The article, very correctly, mentions:
Even in today’s world, the general IT worker tends to view security as a barrier and a pain. It is implemented by someone else, and it makes their job harder to perform.
   This is one of the key problems caused by many security programs.  The information security industry often causes problems for itself by being difficult and inflexible.  Security is often viewed as a barrier.  Security is the group that adds extra requirements, delays projects and increases costs.  And with all of that, Security can't guarantee prevention of an incident or breach, nor even provide a reliable probability of one.