Tuesday, February 14, 2017

ID Fraud, Taxes and Doctors Again (Still?)

   It's that time of year again.  Brian Krebs just put out an article on "darkweb" sales of W-2 information.  You can read that article here.  As is so often the case, the advice to protect yourself hasn't changed - and be assured, you must protect yourself because no one else will, certainly not the IRS!

   As noted below and in the Krebs' article, what you need to do now and always is:

  1. file your taxes early
  2. monitor your credit (I covered that topic here... in 2013!)
  3. freeze your credit (two articles from Krebs, also from 2015)
  4. become you before someone else becomes you (I wrote about that subject here)

   Here's a re-run of my article on this subject from two years ago.  It's all still true...

   I did a series of posts last year (2014) on the problem of ID Fraud.  This is an ongoing issue, certainly because organizations struggle to protect information, there are cyber attackers out there, and also individuals don't often take steps to protect their own information.

   The bottom line is that your personal information, primarily your financial information, has tangible dollar value to a cyber attacker.

   We usually think about credit card fraud or maybe bank account fraud as the results of these kinds of data breaches.  But in this post and the next I'd like to talk about two other scenarios that have happened, are happening... and you need to be aware.

   It's that wonderful time of year again in the US.  Crisp weather, snow (most places), the days are starting to get a bit longer... and it's the beginning of tax filing season.

   Imagine you are doing your civic duty, filling out and filing your tax return.  You send it in to the IRS, only to find out that "you" already filed your return and "you' have already received your rather sizable refund - surprise!

   Unfortunately, this has happened.  And, as we've discussed in the past, these attackers are smart.  This is a business.  They need to be able to maximize profits because there is a limited timeframe in which to commit the crime.  So they need to attack a sub-population who:
  1. makes good money;
  2. might have many deductions;
  3. might have complex returns, and;
  4. for whom a large refund might not raise red flags.
   How about... Doctors!

   And, just as I finishing writing this article, we have new news out about tax fraud this year!  Reports say this is connected with Turbo Tax software, but it is more likely that scammers got people's info through other means and filed the fraudulent returns.  Maybe Turbo Tax is just the scammers software of choice! :-)

   As always, we want to talk about what you can do.

   In addition to the steps outlined in these previous blog posts, here is the IRS Guide on Identity Theft.  The IRS guide and my previous tips talk about not only what you should do if you are a victim, but tips to avoid the problem in the first place including:
  • protecting your personal information, primarily your social security number
  • don't click on links sent to you via email or in social media - type the link in yourself or do a search
  • use link rating applications like Web Of Trust (WOT)
  • don't give our your personal information via web, email, phone unless you can positively identify the person on the other end
  • review your bills, credit record and other information that might provide early warning of a problem.
   Have you been the victim of tax-related ID Fraud?  Do you have any additional tips to share?

   Of course, this issue is not just about doctors!  Next time we'll talk about something perhaps even closer to your wallet... payroll fraud and misuse.

Tuesday, January 31, 2017

Hello Dearest One

   I just got some incredible news!  I really love working in Information Security, but with this windfall it's certainly time to retire.

   And I wanted to share this news with all of you!

   Here's the email I received that covers it all... this is so exciting!




Hello Dearest One,

I am Mrs. Jessica W the Administrative manager at a vault of financial & security Institute in Madrid, I am contacting you as regards an abandoned sum of $31.7 Million Us dollars (Thirty One million, Seven Hundred Thousand United State Dollars) in our safe deposit vault, that belongs to one of our foreign customers that share the same surname with you, who died along with his entire family on the 11th march 2009 in a ghastly motor accident in Porto Portugal.

The banking policy can only allow the release of such funds to a benefactor through an application as next of kin to the deceased. After his death, the bank has been expecting a possible beneficiary, but nobody came for the claim, this institute has exploited all its ethical possibilities in other to contact possible relation or inheritor, but no success, I have made my own research with the help of private investigator, it is my knowledge that this man has been living in Barcelona for the past 19 years and has never returned back home. I also leant that his wife and 7 year old daughter died with him during this accident, however because of the international financial crises, a lot of reform has been made within the Spanish financial system; this includes the new law on succession/claims which indicates a duration in which such inheritance could be tolerated,

Upon your acceptance to partner with me, I urge you to please kindly get back to me with your direct contact details for further details via my email address: EMAIL: jessica_jessicaxx@yyy.com  or Alternative Email: jessica_vivian@yyy.com on how you and me can make a claim to the funds in question. I GUARANTEE you that this process would be executed under a legitimate and risk free arrangement. Thanks as I wait to hear from you as soon as you receive this proposal e-letter.

Best Regard,
Mrs. Jessica W
EMAIL: jessica_jessicaxx@yyy.com
Alternative Email: jessica_vivian@yyy.com


   I did alter the email addresses!

   I'm not sure what I did to get so lucky to receive this gift, but it sounds like the greatest thing ever!  And the thing is, I'm lucky that I even saw this message because it was in my spam folder.

   😃😄😉


Tuesday, January 17, 2017

(Browser) Caching Fire

   Someone recently asked me a question about the safety of allowing your web browser to save, and then auto-fill, passwords.  That's a very timely question because that issue has been in the news lately.

   Web browsers have all kinds of built-in capabilities.  One "feature" that is only a few years old is the ability to save information you might put into forms such as: your name and address, phone number and other contact info, credit card information.  Browsers can also save your userids and passwords for sites, then automatically fill in that info when you visit the site.

   I've always said that security-minded people should not allow web browsers to save this kind of personal and security info.  This is primarily because all browsers have a track record of having many vulnerabilities.  I've always "said" this but, as it turns out, I've never written about it!  It's about time! [Note... or so I thought! While looking for some other info, I found that I did talk about this issue back in 2013!]

   There are two primary reasons why allowing the browser to save sensitive information is a bad idea:
  1. Copycat and phishing websites can grab information directly your browser has stored without your knowledge.  This is the problem that was recently announced.
  2. As I just mentioned, browsers have many vulnerabilities and exploits. At this year's Pwn2Own contest (a 2-day event at which teams compete to exploit software vulnerabilities for cash prizes), all of the major browser fell victim!
   The latest issue that was discovered occurs when you are lured to a specially crafted website.  That happens more often than you might think

Tuesday, January 3, 2017

New Year, Don't Click!

   Well, it's a new year and, as we've discussed in the past, the more things change the more they stay the same.

   My advice for 2017... Don't Click!

   Of course, that's easier said than done.  We've discussed phishing and malicious email here, here and here.

   But on a more practical note, and because I like things that come in 3's, here's some info from the way-back machine... it's advice from Brian Krebs from 2011.  It is his 3 basic rules for online safety.  They are every bit as relevant now as when this was first published.  And it was relevant for years before that.

   The 3 rules are:
  1. If you didn’t go looking for it, don’t install it - this means when you get a pop-up asking you to install some software... don't click!  Only install software that you look for and intend to use.  And, wherever possible, install from reputable websites.  Do your research.
  2. If you installed it, update it - After you install the software you want, you need to keep it up to date.  This is not trivial, but I like using Secunia PSI (Personal Software Inspector) on my home systems for keeping software up to date.
  3. If you no longer need it, remove it - software will have vulnerabilities.  The less software you have, the fewer opportunities there are for vulnerabilities and malware.  This is especially true on your smartphone and tablet, where excess software really slows the performance of the device.
   Here's to a safe and secure 2017!

Tuesday, December 20, 2016

Ya-How?

   Just a few months ago, in September 2016, Yahoo announced that they had uncovered a breach that leaked passwords for 500 million accounts.  The actual breach took place in 2014 but took years to discover.  This breach was different than the prior breach announced in 2012.  We discussed this here.

   This announcement came at a time when Yahoo was deep into talks to be acquired by Verizon.  That September announcement led to speculation about effects to the purchase price.

   Well, truth is stranger than fiction, and Yahoo is back in the news again.  Now on December 14, 2016 it appears that yet another breach has been discovered.  This is different from the previous issues and seems to date from August 2013.  This latest discovery affects... wait for it... one billion accounts!  You'll recall that the 2014 breach discovered in Sept 2016 hit "only" half that many accounts!

   So if we look at the timeline, Yahoo had major breaches in 2012, 2013 and 2014 with discoveries in 2015 and 2016!  Good times.  Here is the latest announcement from Yahoo as well as some articles covering the details.

   This whole thing is a major issue (issues?) for a number of reasons, and it has to do with our dependence on email in our online world and Yahoo's role as major provider of free email.
  • We all use email daily for wide variety of reasons.  We have a need to trust email.  Of course, using email has made our lives easier... Not!
  • Spam and Phishing - when you receive a spam or phishing message from a "friend", you are more likely to click on the links.  Similarly, having your account taken over endangers your friends and contacts.
  • Password reuse - most people reuse passwords among internet sites because it's easier to remember fewer passwords
  • Linked accounts - as a convenience, you can connect accounts together so that you can use multiple services with one login.  This is most common with Facebook ("login with Facebook") but this is also available with Yahoo, Google and others.
  • Password resets and other verifications - often, password reset info or alerts or warnings are sent to an email address you specify.  If you specified your Yahoo account to receive these from your bank or other important site, and you account was compromised in any of the attacks we're discussing, the attackers could intercept this alert information.
   So what should you do?

Tuesday, December 6, 2016

Information Security Learning Resources part 2

   Today we have part 2 of a 2-part guest post by security analyst Chris Goff.  Chris has collected a set
of info, links and lists that definitely qualify as extremely cool resources!  You can check out Chris' website at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!

Security Concepts
There are three key concepts of information security which you may or may not be familiar with:
    -      Confidentiality
o   Confidentiality is the characteristic of information whereby only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached.
    -      Integrity
o   Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damaged, destruction, or other disruption of its authentic state. Corruption can occur while information is being entered, stored, or transmitted.
    -      Availability
o   Availability is the characteristic of information that enables user access to information in a usable format without interference or obstruction. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.

This is known as the “security triad”. It can be further expanded upon:
    -      Privacy
o   Information that is collected, used, and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected. Privacy as a characteristic of information does not signify freedom from observation (the meaning usually associated with the word), but in this context, privacy means that information will be used only in ways known to the person providing it. Many organizations collect, swap, and sell personal information as a commodity. It is now possible to collect and combine information on individuals from separate sources, which has yielded detailed databases whose data might be used in ways not agreed to, or even communicated to, the original data owner. Many people have become aware of these practices and are looking to the government for protection of the privacy of their data.
    -      Identification
o   An information system possesses the characteristic of identification when it is able to recognize individual users. Identification is the first step in gaining access to secured material, and it services as the foundation for subsequent authentication and authorization. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. Identification is typically performed by means of a user name or other ID.
    -      Authentication
o   An information system possesses the identity that he or she claims. Examples include the use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections or the use of cryptographic hardware devices--for example, hardware tokens provided by companies such as RSA's SecurID--to confirm a user's identity.
    -      Authorization
o   After the identity of a user is authenticated, a process called authorization assures that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset. An example of authorization is the activation and use of access control lists and authorization groups in a networking environment. Another example is a database authorization scheme to verify that the user of an application is authorized for specific functions such as reading, writing, creating, and deleting.
    -      Accountability
o   Accountability of information exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability. (Management of Information Security by Michael E. Whitman and Herbert J. Mattord)

Tuesday, November 22, 2016

Information Security Learning Resources part 1

   Today we have a guest post by security analyst Chris Goff.  Chris has collected a set of info, links and lists that definitely qualify as extremely cool resources!  You can check out Chris' website
at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!



Information Security Learning Resources
or information security for the self-learner
by Chris Goff

This is the result of many years of notes. This is by no means an exhaustive list, nor the definitive path to information security.

If you come across a dead link, use the Internet Way Back Machine (https://www.archive.org).

Bookmark these Google Search cheat sheets, they will come in handy:

Official Google Cheat Sheet - http://www.google.com/help/cheatsheet.html

Google Advanced Operators Cheat Sheet - http://www.googleguide.com/print/adv_op_ref.pdf

Learning How To Learn - http://l.goodbits.io/l/407nqn1n

Core competencies

Here are three core competencies within information technology that will provide a solid foundation on which to start a security career:
  • Systems Administration
  • Network Administration
  • Programming
It is also critical that you learn to deal with people and business. Take some public speaking classes (Toastmasters: https://www.toastmasters.org/), volunteer for presentations at local groups, and volunteer to deliver training for folks at your workplace. One of the greatest methods of learning is to teach.

The core competencies are not a requirement, however be aware that InfoSec is expected to be a Subject Matter Expert (SME) on most topics. If you wish to be successful diversity of knowledge is key.
“There is no security without understanding.” – Michael Lucas, author Absolute OpenBSD