Tuesday, August 23, 2016

ESCROW - Extreme Security Cool Resource Of the Week!

   ESCROW - Extreme Security Cool Resources Of the Week.  OK, well sometimes you start with the acronym and see how you can make it work!  And I've got a good one for you.

   It's a bit geeky, but if you're interested in learning more about the more in-depth technical aspects of security you will enjoy this resource.  And I've got another, less geeky, resource.

   Everyone knows about Youtube.  You can find just about anything there, but there's so much content that sometimes it's hard to find what you're looking for.

   Enter SecurityTube, securitytube.com, SecurityTube was originally created as a way to aggregate information security videos in one place.  There are some fantastic free online learning resources.

   Some of the resources have difficulty ratings to help you choose the right course of video.  For example, this one on Wireless LAN (WLAN) security is rated "easy" (and that's certainly in the eye of the beholder!).

   For those who don't want anything that in depth, here's another tip.  You can go to Youtube and search for "cybersecurity for beginners".  There are many basic information security videos there including this one from NOVA PBS:


  Check some of these out and let me know what you think!

Tuesday, August 9, 2016

News you Need Now (NNN)

    I recently received a letter from the SSA (Social Security Administration).  It provided instructions for me to finish setting up my online account.  As I've written in the past you can, and need to, create personal accounts on the SSA and IRS websites.  The key issue is that you need to reserve and establish your identity on these critical government websites before someone else does it for you!  This is ID Fraud is still a big issue.

   These accounts are straightforward to set up.  One thing you will need to do is go through an Identity Proofing process.  That process asks you for some personal information that, in theory, only you should know.  I list info about the irs.gov account creation process in this post.

   Here is some info from the ssa.gov website:
You can create a my Social Security account if you’re age 18 or older, have a Social Security number, a valid email, a U.S. mailing address, and a cell phone that can receive text messages. You’ll need to provide some personal information to confirm your identity; you’ll be asked to choose a username and password; and then provide your cell phone number. You’ll then receive a security code via text that you will be required to enter when you first create an account. We’ll send your cell phone a new security code each time you log in with your username and password. The security code is part of our enhanced security feature to protect your personal information. Keep in mind that your cell phone provider's text message and data rates may apply.
   Now SSA has increased their security by offering two-factor authentication (2FA) on their site.  We've written about 2FA a number of times in the past.  SSA had said this was coming and now it's available.

   I highly recommend that you create accounts on these sites and use 2FA where available.  Here are the instructions for SSA.  Here for the IRS.  You can enable 2-factor authentication on the SSA site when you create your account.  Here's a link to a previous post looking at other sites where 2FA is available.  Double up wherever you can!

Tuesday, July 26, 2016

Gotta Catch Some of 'Em

   Because you just can't catch 'em all!

   I guess I can't get around having to comment on Pokemon Go.

   If you have children, or if you were, born in the 90's through the 00's then you know all about Pokemon.  It used to be about the cards, action figures and, of course, the video games.  Remember the Game Boys, game cartridges and all the sounds and music?!

   With Pokemon Go, the game has gone from sometimes mobile to really mobile.  And from sometimes social to a social phenomenon.

   It's not farfetch'd!
   For some reason, many adults seem to dislike this game, siting issues like inattention to surroundings, time spent playing, etc.  I think the game is great!  Here are my top reasons why (major caveat... I have not actually played the game!  These are my observations as a technology and security professional and as a parent):
  • It gets kids out of the house - many people need a little Vitamin D.  One of the biggest complaints about gaming and computers for kids is that they don't get outside enough.
  • It gets kids moving - #exercise.  While there have been some attempts at game-ifying exercise, such as Wii Fit, it never really caught on.  Pokemon Go gets people outdoors and moving around.  In fact, part of the game is logging lots of steps.
  • It's for "kids" of all ages - parents can play along with their kids!  You don't have to play, but at the very least it's a great opportunity to be involved.
  • It's really social - you may remember that, back in the day, players could connect two Gameboys so two people could battle.  Now people are connecting IRL (In Real Life) as they hike trails, walk through cities or congregate at parks or other PokeStops.
  • It's another step toward acceptance of Augmented Reality.  Unlike Virtual Reality, in which one is entirely immersed in a manufactured visual scene, Augmented Reality overlays images, text or other information on top of what you are actually looking at.

Tuesday, July 12, 2016

Brexit Protection - click here

   Brexit Protection... or should we call it Brexitection? :-)

   How does Brexit affect your finances?  Do you care?  Plenty of people do.

   And that creates an opportunity for scammers.

   Any time there are major news events, particularly disasters or anything economic, people get worried. and the scammers are right there to play on those fears.

   According to the Telegraph, they have seen emails with subjects such as "Brexit causes historic market drop". These emails have links that supposedly connect to pages with information on how to protect your investments.  Of course, they actually download malware to the victims computer.

   This is a common problem... common because it works.

   We've covered this topic before... and the advice remains the same.  In fact, here are my top 10 email scam tips from a 2013 post!  These are just as relevant today as then.  And they will be relevant years from now:

Tuesday, June 28, 2016

We're Going About It All Wrong

   Phishing, scam, spam and malicious emails are an ongoing problem.  A recent study found that rates of these malicious emails are worst in months that have an "a", "u" or "r" in the name, with highest delivery volumes on days ending in a "y".

   Seriously though, while the worldwide spam volume seems to be trending down since a peak over 70% in 2014, rates were trending up in the first quarter of 2016 and the percentage of email that is spam or malicious is well over 50%.

   Email, along with malicious files on websites (whose links are usually delivered through email!), continue to be the top malware vectors.

   In fact, attackers don't even need to use their best, or most complex, attack methods.  It's far more cost-effective to send out random or targeted email, or to place random malicious files on websites and email out the links.  Remember, most cybercrime is economically motivated.  It's a business and the goal is ROI (return on investment).  And business is good.

   It's a big problem because we are fundamentally trusting beings.  I've always believed that people want to do the right thing.  When it comes to people, we should assume positive intent.

   However, email is not a person.

Tuesday, June 14, 2016

Because Math

   Encryption has been in the news again - whether it's ransomware, law enforcement and iPhones, bitcoin, quantum computing, or potential new laws.  Before we can "decrypt" all these issues, we need to talk a bit about what encryption is and isn't.

   There's an old saying in Security... "if you think encryption is the answer, you might not have understood the question".  I never liked the tone of that statement because it sounds kind of elitist, but it is basically true.  And that's because encryption is very confusing.

   Encrypting data is great because it means it can't read by unauthorized people.  And that is the trick... how to let the right people in and keep the wrong people out.  If my encrypted data is unreadable by anyone then that's called Ransomware!

   Encrypting my data so only I can read it is pretty easy.  It means that only I need the "key".  Of course, I better not loose that key!  Encrypting my data so I can share it with you is also pretty easy.  We just need a "shared secret".  If I need to share my data with a bunch of people then we get into something called "public key cryptography".  Here's a good explanation of that.


   Encryption is basically a solved problem.  Because math.  #math.  There are many great algorithms with cool names like Elliptic Curve, RSA and Two-Fish.

Tuesday, May 31, 2016

YAPF (Yet Another Password Fail)

   It's another week and password problems are in the news again!

   In the July 10, 2012 edition of this blog I wrote about the 2012 LinkedIn password breach.  A month earlier, LinkedIn confirmed that a Russian attacker exploited a website vulnerability and downloaded 6.5 million encrypted passwords.  You can read my old post to see why that's a problem.

   Well, some gifts just keep on giving!  Now, nearly 4 years later, a newly posted password dump from this same breach was advertised for sale on a dark web site.  Except that information on over 167 million accounts were for sale!  Of those, over 117 million had both the email and password.  Slightly different math!!!

   So why is this a problem?  Actually it's an old problem and a new problem.  Here are the key issues:
  • Poor password choices - once again, this latest set of stolen passwords shows weak passwords - the top five found passwords were: 123456 (used on over 1 million accounts!), linkedin, password, 123456789 and 12345678
  • Password reuse - since people have accounts on so many sites that need passwords, they tend to reuse them.  The one million people who used 123456 as their LinkedIn password likely reuse that on other sites.
  • Back to Work - are some of these same poor password choices being made on work systems?  Or are some work passwords being used on sites like LinkedIn and potentially included in this breach?