Tuesday, September 20, 2016

It's Microsoft Calling (Not!)

   The amount of automation and detection in our world today can be scary but it can also be useful.  You can set your lights to come on as you approach your home.  You can have your phone switch to wifi when you get to the office.  And Microsoft will even call you when they detect a problem with your PC!

   OK, maybe not that last one!  As we've discussed before, this is a common scam that has now been around for a few years.

   It works like this... There are 2 basic scenarios:
  1. you get a popup on your computer telling you that "Microsoft" has detected that there is a problem with your PC, and you should call the phone number they provide, or;
  2. you get a phone call directly from "Microsoft" telling you that they have detected a problem on your PC.
   Of course, neither of these are legitimate.  Microsoft will not call you.

   This article has a recording of what one of these calls sounds like.  Here's another.

   I said PC above, but people with Macs have received these as well!

   Here's the thing about these scammer orgs...  they provide very good customer support!  That, of course, is good for them but bad for us.  It's one of the reasons that these scams work.  People are very happy to receive great customer support - it's unfortunately too rare.   So when a friendly, attentive "customer service" rep is telling someone that their computer is infected, it can be convincing.

   Typically the "customer service" rep will ask the victim to pop a web browser and type in what they tell them.  The victim's web browser is directed to a malware site that will give the attacker control of that PC.

   Why do they do this?

Tuesday, September 6, 2016

Call Me

  I recently received some awesome news via email.  And it was totally unexpected.  Check it out:

   Now I can retire in style!  :-)

   Needless to say, this is a phishing email.  We've talked about phishing many times in the past.  And we keep talking about it.

   So why does phishing still work?  There are two primary reasons:
  1. No cost/low barrier to entry.  It is effectively free to send out potentially millions of phishing or spam emails.  Attackers can easily relay email through open mail relay servers, but there are other ways to send spam and phishing emails.  Open mail relays are systems that send email but don't require any kind of identification.  Here's some more technical info on open relays.
  2. Exploiting the human factor.  People are busy and we all receive too much email.  It's not always easy to take the time to figure out if an email is OK or not.  Attackers leverage this by sending plausible-looking email, though there are plenty of poorly-created messages as well (like the one above that I received).
   As I mentioned in a previous column, rather than looking examining an email for evidence of phishing, we can approach all email as if it's hostile and then look for indications that it's OK.

   If you'd like to have some fun... try these spot the phishing online quizzes!

   I won't be contacting the "friend" to sent me the above email.  And I did not win.

   Have you seen any interesting phishing emails you'd like to share?

Tuesday, August 23, 2016

ESCROW - Extreme Security Cool Resource Of the Week!

   ESCROW - Extreme Security Cool Resources Of the Week.  OK, well sometimes you start with the acronym and see how you can make it work!  And I've got a good one for you.

   It's a bit geeky, but if you're interested in learning more about the more in-depth technical aspects of security you will enjoy this resource.  And I've got another, less geeky, resource.

   Everyone knows about Youtube.  You can find just about anything there, but there's so much content that sometimes it's hard to find what you're looking for.

   Enter SecurityTube, securitytube.net, and SecurityTube, securitytube-training.com - originally created as a way to aggregate information security videos in one place.  These are some fantastic free online learning resources.

   Some of the resources have difficulty ratings to help you choose the right course of video.  For example, this one on Wireless LAN (WLAN) security is rated "easy" (and that's certainly in the eye of the beholder!).

   For those who don't want anything that in depth, here's another tip.  You can go to Youtube and search for "cybersecurity for beginners".  There are many basic information security videos there including this one from NOVA PBS:

  Check some of these out and let me know what you think!

Tuesday, August 9, 2016

News you Need Now (NNN)

    I recently received a letter from the SSA (Social Security Administration).  It provided instructions for me to finish setting up my online account.  As I've written in the past you can, and need to, create personal accounts on the SSA and IRS websites.  The key issue is that you need to reserve and establish your identity on these critical government websites before someone else does it for you!  This is ID Fraud is still a big issue.

   These accounts are straightforward to set up.  One thing you will need to do is go through an Identity Proofing process.  That process asks you for some personal information that, in theory, only you should know.  I list info about the irs.gov account creation process in this post.

   Here is some info from the ssa.gov website:
You can create a my Social Security account if you’re age 18 or older, have a Social Security number, a valid email, a U.S. mailing address, and a cell phone that can receive text messages. You’ll need to provide some personal information to confirm your identity; you’ll be asked to choose a username and password; and then provide your cell phone number. You’ll then receive a security code via text that you will be required to enter when you first create an account. We’ll send your cell phone a new security code each time you log in with your username and password. The security code is part of our enhanced security feature to protect your personal information. Keep in mind that your cell phone provider's text message and data rates may apply.
   Now SSA has increased their security by offering two-factor authentication (2FA) on their site.  We've written about 2FA a number of times in the past.  SSA had said this was coming and now it's available.

   I highly recommend that you create accounts on these sites and use 2FA where available.  Here are the instructions for SSA.  Here for the IRS.  You can enable 2-factor authentication on the SSA site when you create your account.  Here's a link to a previous post looking at other sites where 2FA is available.  Double up wherever you can!

Tuesday, July 26, 2016

Gotta Catch Some of 'Em

   Because you just can't catch 'em all!

   I guess I can't get around having to comment on Pokemon Go.

   If you have children, or if you were, born in the 90's through the 00's then you know all about Pokemon.  It used to be about the cards, action figures and, of course, the video games.  Remember the Game Boys, game cartridges and all the sounds and music?!

   With Pokemon Go, the game has gone from sometimes mobile to really mobile.  And from sometimes social to a social phenomenon.

   It's not farfetch'd!
   For some reason, many adults seem to dislike this game, siting issues like inattention to surroundings, time spent playing, etc.  I think the game is great!  Here are my top reasons why (major caveat... I have not actually played the game!  These are my observations as a technology and security professional and as a parent):
  • It gets kids out of the house - many people need a little Vitamin D.  One of the biggest complaints about gaming and computers for kids is that they don't get outside enough.
  • It gets kids moving - #exercise.  While there have been some attempts at game-ifying exercise, such as Wii Fit, it never really caught on.  Pokemon Go gets people outdoors and moving around.  In fact, part of the game is logging lots of steps.
  • It's for "kids" of all ages - parents can play along with their kids!  You don't have to play, but at the very least it's a great opportunity to be involved.
  • It's really social - you may remember that, back in the day, players could connect two Gameboys so two people could battle.  Now people are connecting IRL (In Real Life) as they hike trails, walk through cities or congregate at parks or other PokeStops.
  • It's another step toward acceptance of Augmented Reality.  Unlike Virtual Reality, in which one is entirely immersed in a manufactured visual scene, Augmented Reality overlays images, text or other information on top of what you are actually looking at.

Tuesday, July 12, 2016

Brexit Protection - click here

   Brexit Protection... or should we call it Brexitection? :-)

   How does Brexit affect your finances?  Do you care?  Plenty of people do.

   And that creates an opportunity for scammers.

   Any time there are major news events, particularly disasters or anything economic, people get worried. and the scammers are right there to play on those fears.

   According to the Telegraph, they have seen emails with subjects such as "Brexit causes historic market drop". These emails have links that supposedly connect to pages with information on how to protect your investments.  Of course, they actually download malware to the victims computer.

   This is a common problem... common because it works.

   We've covered this topic before... and the advice remains the same.  In fact, here are my top 10 email scam tips from a 2013 post!  These are just as relevant today as then.  And they will be relevant years from now:

Tuesday, June 28, 2016

We're Going About It All Wrong

   Phishing, scam, spam and malicious emails are an ongoing problem.  A recent study found that rates of these malicious emails are worst in months that have an "a", "u" or "r" in the name, with highest delivery volumes on days ending in a "y".

   Seriously though, while the worldwide spam volume seems to be trending down since a peak over 70% in 2014, rates were trending up in the first quarter of 2016 and the percentage of email that is spam or malicious is well over 50%.

   Email, along with malicious files on websites (whose links are usually delivered through email!), continue to be the top malware vectors.

   In fact, attackers don't even need to use their best, or most complex, attack methods.  It's far more cost-effective to send out random or targeted email, or to place random malicious files on websites and email out the links.  Remember, most cybercrime is economically motivated.  It's a business and the goal is ROI (return on investment).  And business is good.

   It's a big problem because we are fundamentally trusting beings.  I've always believed that people want to do the right thing.  When it comes to people, we should assume positive intent.

   However, email is not a person.