Tuesday, October 18, 2016

Internet Safety for Parents

   I've written about Internet safety for families, kids, teens and I've even spoken on safety for pre-schoolers.  But it's important to think about online safety for parents as well.

   That's true for parents of young children as well as for seniors with grown children.  The safety challenges for seniors are similar but there are some differences.  They may not be as familiar with technology and, according to the FBI:

  • they are often financially secure and/or have good credit
  • they may be more trusting and they don't think they'd be a target
   This article by the AARP lists some common scams against seniors including some we've discussed like fake Microsoft support calls or IRS-related tax fraud.

   What got me thinking about this topic was a great article entitled "10 Ways to Help Our Parents With Online Security".  The article touches on a number of themes we've discussed in the past.  I'll list the 10 items with links back to some past editions of this blog - typically they:
  1. don't think they have anything worth stealing
  2. have bad password habits - just like most people
  3. are confused by 2-factor authentication - something we all should use
  4. leave mobile devices unattended and without security measures
  5. don't recognize phishing emails
  6. don't understand social media and how it can be used in scams
  7. share too much information
  8. can be manipulated by online media
  9. place too much trust in an anti-virus product
  10. don't understand how sophisticated scams and attacks can be
   In what ways can you help your parents stay safe online?

Tuesday, October 11, 2016

What You Can't See Can Hurt You(r Data)

   "It is all around us, even now in this very room. You can see it when you look out your window or when you turn on your television. You can feel it when you go to work, when you go to church, when you pay your taxes..."

   It's "all around you. Here, between you, me, the tree, the rock, everywhere."

   No, not the Matrix and not the Force, but a more insidious power... WiFi!

   Public WiFi is everywhere.  Many stores, malls, airports, cities and even parks offer it.  Sometimes it's free and sometimes not.

   It's US Cyber Security Awareness Month so it's a good time to think about the risks of using public WiFi and how to protect yourself.

   There are definitely risks in using public WiFi including:
  • pushing software - WiFi can be configured to send software to your device when you connect.  That might be OK at home or important in the office, but it can be misused by an attacker out in public.  Don't install software offered to you on a public WiFi.
  • redirecting your browsing - a WiFi connection can control how you get to websites.  If an attacker controls the WiFi, they can cause you to go to copycat websites with malicious software or to phishing sites.
  • evil twin attack - you know when you're at the coffee shop and you can connect with a WiFi connection that has the same name as that coffee shop?  How do you know it's really the coffee shop's connection?  You don't.  Anyone can buy a wireless router at the store for $25, put it anywhere, and name it anything they want.  Using a deceptive name for a WiFi connection to lure people is called the evil twin attack.
  • are you encrypted? - VPNs, Virtual Private Networks or secure connections, are a great way to protect your data when connecting over unknown networks... like the Internet!  However, you first have to connect to the Internet before establishing the VPN.
Here are some tips to reduce your risks of using WiFi outside your home or office:
  • use your smartphone hotspot - if this is a feature of your mobile phone and plan, you can use your phone as a WiFi hotspot and connect to it.  You then can feel confident that your connection is going through your cellular carrier.  Warning... this will use your mobile data and may cost you extra depending upon your plan and data limits.
  • only use WiFi with a password or passphrase - even if everyone knows the password.  Using WPA or WPA2 with a password/passphrase means that every connection between a PC and the wireless network is encrypted.
  • turn off file sharing - in Windows you can designate a network as public, work or home, or you can directly turn off file sharing.  Here's an article with the instructions.
  • if possible don't use open WiFi in very open areas - the more open an area you're in, the harder it is to figure out if you're connected to a legit WiFi.  And...
  • be aware of your surroundings - it's not strictly a WiFi issue, but when you're on public WiFi you're in... Public!  Protect your screen.  Protect your passwords.
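   A check for the evil twin risk and the "only use WiFi with a password" tip above, as an added example that is not part of the original post: it flags access points that reuse a known network name with weaker security or unfamiliar hardware. The network names, hardware addresses and the saved profile are constructed sample data, and the saved profile is assumed to have been recorded on an earlier, trusted visit.

```python
from collections import defaultdict

STRENGTH = {"open": 0, "WEP": 1, "WPA": 2, "WPA2": 3}

# Constructed profile of a network saved on an earlier, trusted visit (assumption).
SAVED = {"CoffeeShop": {"security": "WPA2",
                        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}}

# Constructed scan results: what the WiFi picker can see right now.
SCAN = [
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2"},
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:00:00:02", "security": "WPA2"},
    {"ssid": "CoffeeShop", "bssid": "de:ad:be:ef:00:99", "security": "open"},
    {"ssid": "Library",    "bssid": "11:22:33:00:00:01", "security": "WPA2"},
]

def suspicious_aps(scan, saved):
    """Return {bssid: [warnings]} for access points that deserve a second look."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)
    findings = defaultdict(list)
    for ssid, aps in by_ssid.items():
        best = max(STRENGTH[ap["security"]] for ap in aps)
        profile = saved.get(ssid)
        for ap in aps:
            level = STRENGTH[ap["security"]]
            if level < best:
                findings[ap["bssid"]].append("weaker security than another AP using the same name")
            if profile and level < STRENGTH[profile["security"]]:
                findings[ap["bssid"]].append("weaker security than the saved network")
            if profile and ap["bssid"] not in profile["bssids"]:
                findings[ap["bssid"]].append("hardware address not seen on earlier visits")
    # A clean result is not proof: names and hardware addresses can both be copied.
    return dict(findings)
```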
   Even if you do all this, a skilled attacker can still cause you problems on a public WiFi network.  So, if you have to use public WiFi, try to:

  • limit personal info - even if it looks like a website is https, do your personal business from a secure connection at home
  • same for banking, shopping - definitely save your financial transactions for known secure connections
  • use care with confidential work data - you should use care when dealing with critical work data, particularly if you work with other people's personal data!
   Here are a few articles with more info.

   As a side note, there are also questions about potential health risks of all the wireless signals in our environment.  It's hard to separate fact from speculation and wireless may or may not be a health issue.

   In the future we'll see even more wireless than we do now.  And we'll also see better wireless network security.  Many new cars come with WiFi hotspots and more cities and municipalities are offering wireless. 

   What are your tips for public WiFi safety?  Have you ever come across an "evil twin" WiFi network?

Tuesday, October 4, 2016

Can't Live with 'em, Can't Live without 'em

   They're dead.  They're here to stay.

   They're safe.  They're breached.

   They're encrypted.  They're visible.

   They're complex.  They're too simple.

   Once again, the topic we love to hate... Passwords!  And, you know what else???  It's also that greatest of holiday celebrations... US Cyber Security Month!

   In honor of US Cyber Security Month and the recently announced breach of 500 million Yahoo! account passwords and other info (while announced in 2016, the breach actually took place in 2014, and is not the same as the password breach they had in 2012! - yes, I know... it's hard to keep up!), I'm re-running a post I wrote in... wait for it... 2012!  Not only is everything I wrote in that post 100% relevant today, but I even commented on that 2012 Yahoo! breach.  The more things change, the more they stay the same.  Happy Cyber Security Month!
   Passwords are a mess!  A "good" password has these features:
  • hard to create
  • hard to remember
  • hard to enter
  • probably has to be changed as soon as you memorize it
  • plus other inconsistent, random rules depending upon the site

Tuesday, September 20, 2016

It's Microsoft Calling (Not!)

   The amount of automation and detection in our world today can be scary but it can also be useful.  You can set your lights to come on as you approach your home.  You can have your phone switch to WiFi when you get to the office.  And Microsoft will even call you when they detect a problem with your PC!

   OK, maybe not that last one!  As we've discussed before, this is a common scam that has now been around for a few years.

   It works like this... There are 2 basic scenarios:
  1. you get a popup on your computer telling you that "Microsoft" has detected that there is a problem with your PC, and you should call the phone number they provide, or;
  2. you get a phone call directly from "Microsoft" telling you that they have detected a problem on your PC.
   Of course, neither of these is legitimate.  Microsoft will not call you.

   This article has a recording of what one of these calls sounds like.  Here's another.

   I said PC above, but people with Macs have received these as well!

   Here's the thing about these scammer orgs...  they provide very good customer support!  That, of course, is good for them but bad for us.  It's one of the reasons that these scams work.  People are very happy to receive great customer support - it's unfortunately too rare.   So when a friendly, attentive "customer service" rep is telling someone that their computer is infected, it can be convincing.

   Typically the "customer service" rep will ask the victim to open a web browser and type in what they tell them.  The victim's web browser is directed to a malware site that will give the attacker control of that PC.

   Why do they do this?

Tuesday, September 6, 2016

Call Me

  I recently received some awesome news via email.  And it was totally unexpected.  Check it out:

   Now I can retire in style!  :-)

   Needless to say, this is a phishing email.  We've talked about phishing many times in the past.  And we keep talking about it.

   So why does phishing still work?  There are two primary reasons:
  1. No cost/low barrier to entry.  It is effectively free to send out potentially millions of phishing or spam emails.  Attackers can easily relay email through open mail relay servers, but there are other ways to send spam and phishing emails.  Open mail relays are systems that send email but don't require any kind of identification.  Here's some more technical info on open relays.
  2. Exploiting the human factor.  People are busy and we all receive too much email.  It's not always easy to take the time to figure out if an email is OK or not.  Attackers leverage this by sending plausible-looking email, though there are plenty of poorly-created messages as well (like the one above that I received).
   As I mentioned in a previous column, rather than examining an email for evidence of phishing, we can approach all email as if it's hostile and then look for indications that it's OK.
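   The "hostile until shown otherwise" approach described above, as an added example that is not part of the original post: a message is only accepted when the receiving mail server recorded passing SPF, DKIM and DMARC checks and replies go back to the sender's own domain. The server name mx.example.net and both sample messages are constructed assumptions, and passing these checks is an indication that the mail is OK, not proof.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: your own receiving mail server

# Constructed sample messages (not real mail).
GOOD = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: Statements <statements@bank.example>
Subject: Your statement is ready

Hello
"""
LOTTERY = """\
Authentication-Results: forged.invalid; spf=pass; dkim=pass; dmarc=pass
Authentication-Results: mx.example.net; spf=softfail; dkim=none; dmarc=fail
From: Prize Office <claims@lottery.example>
Reply-To: agent@freemail.example
Subject: You have won!

Call me
"""

def domain_of(header_value):
    """Domain part of the address in a From or Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def verdicts_from(msg):
    """spf/dkim/dmarc results, read only from the trusted server's header."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, results = value.lower().partition(";")
        if server.strip() == TRUSTED_AUTHSERV:  # other copies may be forged
            found.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    return found

def triage(raw):
    """Start from 'hostile'; return (ok, reasons the message stayed hostile)."""
    msg = message_from_string(raw)
    found = verdicts_from(msg)
    reasons = [f"{m} is {found.get(m, 'missing')}, not pass"
               for m in ("spf", "dkim", "dmarc") if found.get(m) != "pass"]
    sender = domain_of(msg["From"])
    reply = domain_of(msg["Reply-To"]) or sender
    if not sender:
        reasons.append("no usable From address")
    elif reply != sender:
        reasons.append(f"replies go to {reply}, not {sender}")
    return (not reasons, reasons)
```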

   If you'd like to have some fun... try these spot the phishing online quizzes!

   I won't be contacting the "friend" who sent me the above email.  And I did not win.

   Have you seen any interesting phishing emails you'd like to share?

Tuesday, August 23, 2016

ESCROW - Extreme Security Cool Resource Of the Week!

   ESCROW - Extreme Security Cool Resources Of the Week.  OK, well sometimes you start with the acronym and see how you can make it work!  And I've got a good one for you.

   It's a bit geeky, but if you're interested in learning more about the more in-depth technical aspects of security you will enjoy this resource.  And I've got another, less geeky, resource.

   Everyone knows about Youtube.  You can find just about anything there, but there's so much content that sometimes it's hard to find what you're looking for.

   Enter SecurityTube, securitytube.net, and SecurityTube, securitytube-training.com - originally created as a way to aggregate information security videos in one place.  These are some fantastic free online learning resources.

   Some of the resources have difficulty ratings to help you choose the right course or video.  For example, this one on Wireless LAN (WLAN) security is rated "easy" (and that's certainly in the eye of the beholder!).

   For those who don't want anything that in depth, here's another tip.  You can go to Youtube and search for "cybersecurity for beginners".  There are many basic information security videos there including this one from NOVA PBS:

  Check some of these out and let me know what you think!

Tuesday, August 9, 2016

News you Need Now (NNN)

   I recently received a letter from the SSA (Social Security Administration).  It provided instructions for me to finish setting up my online account.  As I've written in the past you can, and need to, create personal accounts on the SSA and IRS websites.  The key issue is that you need to reserve and establish your identity on these critical government websites before someone else does it for you!  ID fraud is still a big issue.

   These accounts are straightforward to set up.  One thing you will need to do is go through an Identity Proofing process.  That process asks you for some personal information that, in theory, only you should know.  I list info about the irs.gov account creation process in this post.

   Here is some info from the ssa.gov website:
You can create a my Social Security account if you’re age 18 or older, have a Social Security number, a valid email, a U.S. mailing address, and a cell phone that can receive text messages. You’ll need to provide some personal information to confirm your identity; you’ll be asked to choose a username and password; and then provide your cell phone number. You’ll then receive a security code via text that you will be required to enter when you first create an account. We’ll send your cell phone a new security code each time you log in with your username and password. The security code is part of our enhanced security feature to protect your personal information. Keep in mind that your cell phone provider's text message and data rates may apply.
   Now SSA has increased their security by offering two-factor authentication (2FA) on their site.  We've written about 2FA a number of times in the past.  SSA had said this was coming and now it's available.

   I highly recommend that you create accounts on these sites and use 2FA where available.  Here are the instructions for SSA.  Here for the IRS.  You can enable 2-factor authentication on the SSA site when you create your account.  Here's a link to a previous post looking at other sites where 2FA is available.  Double up wherever you can!