Tuesday, March 14, 2017

A Culture of Security - The Best Infection! (repost)

   This week we're relaunching our Security Awareness campaign at work.  In honor of that, I thought we should re-sample a past post on this subject.  Enjoy!

   I was recently reading an interesting article at SearchSecurity entitled Staff infection: IT security education is contagious.  The article notes that security is the responsibility of every individual and that for an organization to have even a semblance of security, there has to be both buy-in and shared action by the members of the organization.

   The article, very correctly, mentions:
Even in today’s world, the general IT worker tends to view security as a barrier and a pain. It is implemented by someone else, and it makes their job harder to perform.
   This is one of the key problems caused by many security programs.  The information security industry often causes problems for itself by being difficult and inflexible.  Security is often viewed as a barrier: Security is the group that adds extra requirements, delays projects and increases costs.  And with all of that, Security can't guarantee prevention of an incident or breach, nor even provide a reliable probability of one.

Tuesday, February 28, 2017

Seriously, You Can't Make This Stuff Up!

   Fake news and alternative facts aside, the truth really is stranger than fiction.

   We finally get to the point where the only thing left to talk about concerning Yahoo! is their upcoming turbulent buyout by Verizon.  But noooo...

   They're back, with another breach announcement.  This one is from sometime in the 2015/2016 timeframe (am I the only one who is concerned that they can't pin it down better than that????).  It seems to be more limited in scope (i.e. less than the 500 Million users affected last time!).

   We seriously just "finished" talking about this issue.  Normally when an old problem comes back again (as they always do), I consider re-running an older post with any needed updates (and rarely are any major updates needed).  But I just posted about Yahoo!'s problems TWO MONTHS AGO!

   This time around the root cause is supposed to be a forged cookie that could be used to access an account without using a password.  Yahoo! is saying that the attackers must have had access to the source code and that a similar method may have been used in the previous attacks.  Maybe... maybe not.
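The forged-cookie root cause is a good place to show what keeps a session cookie from being forgeable in the first place. The following is an added example written for this page; it is not Yahoo!'s code and not a description of how their cookies were built. A server signs the cookie's claims with an HMAC under a secret key, and verification rejects any cookie whose tag does not match (including one whose claims were edited after issue), that was signed under a different key, or that has expired. The key, the claim names and the timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only. In a real deployment the key lives
# in a secrets store and is rotated; it must never be checked into source.
SERVER_KEY = b"example-only-secret-key-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as is common in cookie values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; raises ValueError (binascii.Error) on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, ttl_seconds: int, now: float, key: bytes = SERVER_KEY) -> str:
    """Build a session cookie of the form base64(claims) '.' base64(HMAC-SHA256 tag).

    The claims are plain JSON (readable by anyone), so the tag is what makes the
    cookie unforgeable: only a holder of the key can compute it.
    """
    claims = {"sub": user_id, "exp": int(now) + ttl_seconds}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify_cookie(cookie: str, now: float, key: bytes = SERVER_KEY):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        body_b64, tag_b64 = cookie.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; a plain '==' could leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims.get("sub")


def tampered_cookie(cookie: str, new_user_id: str) -> str:
    """Edit the claims of an existing cookie but keep its original tag.

    This is all someone without the key can do; verify_cookie must reject it.
    """
    body_b64, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_unb64(body_b64))
    claims["sub"] = new_user_id
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(body)}.{tag_b64}"


if __name__ == "__main__":
    now = 1_700_000_000.0  # constructed timestamp
    cookie = issue_cookie("alice", 3600, now)
    print("genuine:", verify_cookie(cookie, now + 60))
    print("tampered:", verify_cookie(tampered_cookie(cookie, "bob"), now + 60))
    print("expired:", verify_cookie(cookie, now + 7200))
    print("wrong key:", verify_cookie(cookie, now + 60, key=b"not-the-server-key"))
```

The scheme is exactly as strong as the secrecy of SERVER_KEY: anyone holding the key can mint a cookie for any user without ever touching a password, which is why a signing key that is embedded in source code, or that leaks along with it, is such a serious exposure. The server should also keep its own notion of session state (a revocation list, re-authentication for sensitive actions) rather than trusting a valid tag alone.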

   In other news... the price for Verizon to buy Yahoo! keeps dropping.  Could "free" be far behind?

   You know, the funny thing is that I really like the Yahoo! home page layout with its news summaries.  If they could just protect my account data for more than a month or two we might actually have a service worth salvaging.

   Vote... are you dumping your Yahoo! account or keeping it?

Tuesday, February 14, 2017

ID Fraud, Taxes and Doctors Again (Still?)

   It's that time of year again.  Brian Krebs just put out an article on "darkweb" sales of W-2 information.  You can read that article here.  As is so often the case, the advice to protect yourself hasn't changed - and be assured, you must protect yourself because no one else will, certainly not the IRS!

   As noted below and in Krebs' article, what you need to do now and always is:

  1. file your taxes early
  2. monitor your credit (I covered that topic here... in 2013!)
  3. freeze your credit (two articles from Krebs, also from 2015)
  4. become you before someone else becomes you (I wrote about that subject here)

   Here's a re-run of my article on this subject from two years ago.  It's all still true...

   I did a series of posts last year (2014) on the problem of ID Fraud.  This is an ongoing issue: organizations struggle to protect information, there are cyber attackers out there, and individuals often don't take steps to protect their own information.

   The bottom line is that your personal information, primarily your financial information, has tangible dollar value to a cyber attacker.

   We usually think about credit card fraud or maybe bank account fraud as the results of these kinds of data breaches.  But in this post and the next I'd like to talk about two other scenarios that have happened, are happening... and that you need to be aware of.

   It's that wonderful time of year again in the US.  Crisp weather, snow (most places), the days are starting to get a bit longer... and it's the beginning of tax filing season.

   Imagine you are doing your civic duty, filling out and filing your tax return.  You send it in to the IRS, only to find out that "you" already filed your return and "you" have already received your rather sizable refund - surprise!

   Unfortunately, this has happened.  And, as we've discussed in the past, these attackers are smart.  This is a business.  They need to be able to maximize profits because there is a limited timeframe in which to commit the crime.  So they need to attack a sub-population who:
  1. makes good money;
  2. might have many deductions;
  3. might have complex returns, and;
  4. for whom a large refund might not raise red flags.
   How about... Doctors!

   And, just as I was finishing writing this article, we have new news out about tax fraud this year!  Reports say this is connected with Turbo Tax software, but it is more likely that scammers got people's info through other means and filed the fraudulent returns.  Maybe Turbo Tax is just the scammers' software of choice! :-)

   As always, we want to talk about what you can do.

   In addition to the steps outlined in these previous blog posts, here is the IRS Guide on Identity Theft.  The IRS guide and my previous tips talk about not only what you should do if you are a victim, but tips to avoid the problem in the first place including:
  • protecting your personal information, primarily your social security number
  • don't click on links sent to you via email or in social media - type the link in yourself or do a search
  • use link rating applications like Web Of Trust (WOT)
  • don't give out your personal information via web, email, phone unless you can positively identify the person on the other end
  • review your bills, credit record and other information that might provide early warning of a problem.
   Have you been the victim of tax-related ID Fraud?  Do you have any additional tips to share?

   Of course, this issue is not just about doctors!  Next time we'll talk about something perhaps even closer to your wallet... payroll fraud and misuse.

Tuesday, January 31, 2017

Hello Dearest One

   I just got some incredible news!  I really love working in Information Security, but with this windfall it's certainly time to retire.

   And I wanted to share this news with all of you!

   Here's the email I received that covers it all... this is so exciting!

Hello Dearest One,

I am Mrs. Jessica W the Administrative manager at a vault of financial & security Institute in Madrid, I am contacting you as regards an abandoned sum of $31.7 Million Us dollars (Thirty One million, Seven Hundred Thousand United State Dollars) in our safe deposit vault, that belongs to one of our foreign customers that share the same surname with you, who died along with his entire family on the 11th march 2009 in a ghastly motor accident in Porto Portugal.

The banking policy can only allow the release of such funds to a benefactor through an application as next of kin to the deceased. After his death, the bank has been expecting a possible beneficiary, but nobody came for the claim, this institute has exploited all its ethical possibilities in other to contact possible relation or inheritor, but no success, I have made my own research with the help of private investigator, it is my knowledge that this man has been living in Barcelona for the past 19 years and has never returned back home. I also leant that his wife and 7 year old daughter died with him during this accident, however because of the international financial crises, a lot of reform has been made within the Spanish financial system; this includes the new law on succession/claims which indicates a duration in which such inheritance could be tolerated,

Upon your acceptance to partner with me, I urge you to please kindly get back to me with your direct contact details for further details via my email address: EMAIL: jessica_jessicaxx@yyy.com  or Alternative Email: jessica_vivian@yyy.com on how you and me can make a claim to the funds in question. I GUARANTEE you that this process would be executed under a legitimate and risk free arrangement. Thanks as I wait to hear from you as soon as you receive this proposal e-letter.

Best Regard,
Mrs. Jessica W
EMAIL: jessica_jessicaxx@yyy.com
Alternative Email: jessica_vivian@yyy.com

   I did alter the email addresses!

   I'm not sure what I did to get so lucky to receive this gift, but it sounds like the greatest thing ever!  And the thing is, I'm lucky that I even saw this message because it was in my spam folder.

   😃😄😉
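Reading the message above against a short list of advance-fee-fraud tells is something a mail filter can do mechanically, which is roughly why it landed in the spam folder. The following is an added example, not code from this post or from any mail product: a small indicator scorer run over the quoted message (with the addresses already altered, as in the post) and over a constructed benign message. The indicator list, the weights and the threshold are assumptions chosen for illustration, not a published ruleset.

```python
import re

# Excerpt of the message quoted in the post (addresses already altered there),
# trimmed to the parts the indicators look at.
SCAM_EMAIL = """\
Hello Dearest One,

I am Mrs. Jessica W the Administrative manager at a vault of financial & security
Institute in Madrid, I am contacting you as regards an abandoned sum of $31.7 Million
Us dollars in our safe deposit vault, that belongs to one of our foreign customers
that share the same surname with you, who died along with his entire family.

The banking policy can only allow the release of such funds to a benefactor through an
application as next of kin to the deceased.

Upon your acceptance to partner with me, I urge you to please kindly get back to me
with your direct contact details for further details via my email address:
EMAIL: jessica_jessicaxx@yyy.com or Alternative Email: jessica_vivian@yyy.com
I GUARANTEE you that this process would be executed under a legitimate and risk free
arrangement. Thanks as I wait to hear from you as soon as you receive this proposal.
"""

# A constructed benign message, to show the scorer does not fire on ordinary mail.
BENIGN_EMAIL = """\
Hi Dana,

Attached is the Q3 report we discussed. Let me know if you have questions before
Friday's meeting.

Thanks,
Priya
"""

# (description, pattern, weight): assumed indicator list for illustration only.
INDICATORS = [
    ("generic greeting", re.compile(r"^\s*(hello|dear)\s+(dearest|beloved|friend|sir/madam)", re.I), 2),
    ("very large sum of money", re.compile(r"\$\s?\d[\d,.]*\s*(million|billion)", re.I), 3),
    ("inheritance / next-of-kin story", re.compile(r"next of kin|inherit|deceased|\bdied\b", re.I), 2),
    ("asks for your personal or contact details", re.compile(r"contact details|personal information|bank (account|details)", re.I), 2),
    ("promises a risk-free or guaranteed deal", re.compile(r"risk[ -]?free|guarantee", re.I), 2),
    ("pushes for a quick reply", re.compile(r"as soon as|urge you|urgent", re.I), 1),
    ("offers an alternative reply address", re.compile(r"alternative\s+e-?mail", re.I), 2),
]

THRESHOLD = 6  # assumed cut-off; tune against real mail before relying on it


def score_message(text: str):
    """Return (total score, list of indicator descriptions that matched)."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(text)]
    total = sum(weight for name, _, weight in INDICATORS if name in hits)
    return total, hits


def classify(text: str, threshold: int = THRESHOLD) -> str:
    """Label a message using the indicator score and the assumed threshold."""
    total, _ = score_message(text)
    return "likely advance-fee scam" if total >= threshold else "no strong scam indicators"


if __name__ == "__main__":
    for label, text in (("quoted message", SCAM_EMAIL), ("benign message", BENIGN_EMAIL)):
        total, hits = score_message(text)
        print(f"{label}: score={total} -> {classify(text)}")
        for hit in hits:
            print("   -", hit)
```

Keyword scoring like this is deliberately coarse: it catches the template, not the sender, so a reworded message slips through and a legitimate estate lawyer's email can trip it. Real filters combine it with sender reputation, header analysis and user reports, which is why "it was in my spam folder" is the expected outcome rather than a lucky one.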

Tuesday, January 17, 2017

(Browser) Caching Fire

   Someone recently asked me a question about the safety of allowing your web browser to save, and then auto-fill, passwords.  That's a very timely question because that issue has been in the news lately.

   Web browsers have all kinds of built-in capabilities.  One "feature" that is only a few years old is the ability to save information you might put into forms, such as your name and address, phone number and other contact info, and credit card information.  Browsers can also save your userids and passwords for sites, then automatically fill in that info when you visit the site.

   I've always said that security-minded people should not allow web browsers to save this kind of personal and security info.  This is primarily because all browsers have a track record of having many vulnerabilities.  I've always "said" this but, as it turns out, I've never written about it!  It's about time! [Note... or so I thought! While looking for some other info, I found that I did talk about this issue back in 2013!]

   There are two primary reasons why allowing the browser to save sensitive information is a bad idea:
  1. Copycat and phishing websites can grab information your browser has stored, directly and without your knowledge.  This is the problem that was recently announced.
  2. As I just mentioned, browsers have many vulnerabilities and exploits.  At this year's Pwn2Own contest (a 2-day event at which teams compete to exploit software vulnerabilities for cash prizes), all of the major browsers fell victim!
   The latest issue that was discovered occurs when you are lured to a specially crafted website.  That happens more often than you might think.

Tuesday, January 3, 2017

New Year, Don't Click!

   Well, it's a new year and, as we've discussed in the past, the more things change the more they stay the same.

   My advice for 2017... Don't Click!

   Of course, that's easier said than done.  We've discussed phishing and malicious email here, here and here.

   But on a more practical note, and because I like things that come in 3's, here's some info from the way-back machine... it's advice from Brian Krebs from 2011.  It is his 3 basic rules for online safety.  They are every bit as relevant now as when this was first published.  And it was relevant for years before that.

   The 3 rules are:
  1. If you didn’t go looking for it, don’t install it - this means when you get a pop-up asking you to install some software... don't click!  Only install software that you look for and intend to use.  And, wherever possible, install from reputable websites.  Do your research.
  2. If you installed it, update it - After you install the software you want, you need to keep it up to date.  This is not trivial, but I like using Secunia PSI (Personal Software Inspector) on my home systems for keeping software up to date.
  3. If you no longer need it, remove it - software will have vulnerabilities.  The less software you have, the fewer opportunities there are for vulnerabilities and malware.  This is especially true on your smartphone and tablet, where excess software really slows the performance of the device.
   Here's to a safe and secure 2017!

Tuesday, December 20, 2016

Ya-How?

   Just a few months ago, in September 2016, Yahoo announced that they had uncovered a breach that leaked passwords for 500 million accounts.  The actual breach took place in 2014 but took years to discover.  This breach was different than the prior breach announced in 2012.  We discussed this here.

   This announcement came at a time when Yahoo was deep into talks to be acquired by Verizon.  That September announcement led to speculation about effects to the purchase price.

   Well, truth is stranger than fiction, and Yahoo is back in the news again.  Now on December 14, 2016 it appears that yet another breach has been discovered.  This is different from the previous issues and seems to date from August 2013.  This latest discovery affects... wait for it... one billion accounts!  You'll recall that the 2014 breach discovered in Sept 2016 hit "only" half that many accounts!

   So if we look at the timeline, Yahoo had major breaches in 2012, 2013 and 2014 with discoveries in 2015 and 2016!  Good times.  Here is the latest announcement from Yahoo as well as some articles covering the details.

   This whole thing is a major issue (issues?) for a number of reasons, and it has to do with our dependence on email in our online world and Yahoo's role as a major provider of free email.
  • We all use email daily for a wide variety of reasons.  We have a need to trust email.  Of course, using email has made our lives easier... Not!
  • Spam and Phishing - when you receive a spam or phishing message from a "friend", you are more likely to click on the links.  Similarly, having your account taken over endangers your friends and contacts.
  • Password reuse - most people reuse passwords among internet sites because it's easier to remember fewer passwords.
  • Linked accounts - as a convenience, you can connect accounts together so that you can use multiple services with one login.  This is most common with Facebook ("login with Facebook") but this is also available with Yahoo, Google and others.
  • Password resets and other verifications - often, password reset info or alerts or warnings are sent to an email address you specify.  If you specified your Yahoo account to receive these from your bank or other important site, and your account was compromised in any of the attacks we're discussing, the attackers could intercept this alert information.
   So what should you do?