Tuesday, December 20, 2016


   Just a few months ago, in September 2016, Yahoo announced that they had uncovered a breach that leaked passwords for 500 million accounts.  The actual breach took place in 2014 but took years to discover.  This breach was different from the prior breach announced in 2012.  We discussed this here.

   This announcement came at a time when Yahoo was deep into talks to be acquired by Verizon.  That September announcement led to speculation about effects to the purchase price.

   Well, truth is stranger than fiction, and Yahoo is back in the news again.  Now on December 14, 2016 it appears that yet another breach has been discovered.  This is different from the previous issues and seems to date from August 2013.  This latest discovery affects... wait for it... one billion accounts!  You'll recall that the 2014 breach discovered in Sept 2016 hit "only" half that many accounts!

   So if we look at the timeline, Yahoo had major breaches in 2012, 2013 and 2014 with discoveries in 2015 and 2016!  Good times.  Here is the latest announcement from Yahoo as well as some articles covering the details.

   This whole thing is a major issue (issues?) for a number of reasons, and it has to do with our dependence on email in our online world and Yahoo's role as a major provider of free email.
  • We all use email daily for a wide variety of reasons.  We have a need to trust email.  Of course, using email has made our lives easier... Not!
  • Spam and Phishing - when you receive a spam or phishing message from a "friend", you are more likely to click on the links.  Similarly, having your account taken over endangers your friends and contacts.
  • Password reuse - most people reuse passwords among internet sites because it's easier to remember fewer passwords.
  • Linked accounts - as a convenience, you can connect accounts together so that you can use multiple services with one login.  This is most common with Facebook ("login with Facebook") but this is also available with Yahoo, Google and others.
  • Password resets and other verifications - often, password reset info or alerts or warnings are sent to an email address you specify.  If you specified your Yahoo account to receive these from your bank or other important site, and your account was compromised in any of the attacks we're discussing, the attackers could intercept this alert information.
   So what should you do?

Tuesday, December 6, 2016

Information Security Learning Resources part 2

   Today we have part 2 of a 2-part guest post by security analyst Chris Goff.  Chris has collected a set of info, links and lists that definitely qualify as extremely cool resources!  You can check out Chris' website at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!

Security Concepts
There are three key concepts of information security which you may or may not be familiar with:
  • Confidentiality
    Confidentiality is the characteristic of information whereby only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached.
  • Integrity
    Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being entered, stored, or transmitted.
  • Availability
    Availability is the characteristic of information that enables user access to information in a usable format without interference or obstruction. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.

This is known as the "security triad". It can be further expanded upon:
  • Privacy
    Information that is collected, used, and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected. Privacy as a characteristic of information does not signify freedom from observation (the meaning usually associated with the word), but in this context, privacy means that information will be used only in ways known to the person providing it. Many organizations collect, swap, and sell personal information as a commodity. It is now possible to collect and combine information on individuals from separate sources, which has yielded detailed databases whose data might be used in ways not agreed to, or even communicated to, the original data owner. Many people have become aware of these practices and are looking to the government for protection of the privacy of their data.
  • Identification
    An information system possesses the characteristic of identification when it is able to recognize individual users. Identification is the first step in gaining access to secured material, and it serves as the foundation for subsequent authentication and authorization. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. Identification is typically performed by means of a user name or other ID.
  • Authentication
    An information system possesses the characteristic of authentication when it is able to verify that a user possesses the identity that he or she claims. Examples include the use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections or the use of cryptographic hardware devices (for example, hardware tokens such as RSA's SecurID) to confirm a user's identity.
  • Authorization
    After the identity of a user is authenticated, a process called authorization assures that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset. An example of authorization is the activation and use of access control lists and authorization groups in a networking environment. Another example is a database authorization scheme to verify that the user of an application is authorized for specific functions such as reading, writing, creating, and deleting.
  • Accountability
    Accountability of information exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability. (Management of Information Security by Michael E. Whitman and Herbert J. Mattord)

Tuesday, November 22, 2016

Information Security Learning Resources part 1

   Today we have a guest post by security analyst Chris Goff.  Chris has collected a set of info, links and lists that definitely qualify as extremely cool resources!  You can check out Chris' website at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!

Information Security Learning Resources
or information security for the self-learner
by Chris Goff

This is the result of many years of notes. This is by no means an exhaustive list, nor the definitive path to information security.

If you come across a dead link, use the Internet Archive's Wayback Machine (https://www.archive.org).

Bookmark these Google Search cheat sheets, they will come in handy:

Official Google Cheat Sheet - http://www.google.com/help/cheatsheet.html

Google Advanced Operators Cheat Sheet - http://www.googleguide.com/print/adv_op_ref.pdf

Learning How To Learn - http://l.goodbits.io/l/407nqn1n

Core competencies

Here are three core competencies within information technology that will provide a solid foundation on which to start a security career:
  • Systems Administration
  • Network Administration
  • Programming
It is also critical that you learn to deal with people and business. Take some public speaking classes (Toastmasters: https://www.toastmasters.org/), volunteer for presentations at local groups, and volunteer to deliver training for folks at your workplace. One of the greatest methods of learning is to teach.

The core competencies are not a requirement; however, be aware that InfoSec staff are expected to be Subject Matter Experts (SMEs) on most topics. If you wish to be successful, diversity of knowledge is key.
"There is no security without understanding." - Michael Lucas, author of Absolute OpenBSD

Tuesday, November 8, 2016

Patch, Vault 'n Fob

   Well, I was trying for something catchy like Stop, Drop and Roll.  That's a saying we learned in school, back in the day, for what you should do if your clothes catch on fire.

   Fortunately, it seems like everyone has heard that saying and it rolls off the tongue.

   Unfortunately, my three word phrase Patch, Vault and Fob, is not nearly as catchy.

   Fortunately, the odds of your clothes catching on fire are low.

   Unfortunately, the odds of your software, browsers or accounts being compromised are very high.

   A couple of weeks ago the internet was hit with the high-impact and highly publicized distributed denial of service (DDoS) attack on Dyn, a DNS provider.  I won't go into the details here but I think I will cover DDoS in a future post.  Anyway, shortly after that I was chatting with someone at a dinner who asked me about this attack, internet safety in general and what they could do.  To keep it simple (and because, as a math person, I like things in 3's!), I provided these 3 simple (well, maybe straightforward is more accurate) things that absolutely everyone should do at home...

Tuesday, October 25, 2016

Lock Before You Leap

   Most organizations have some kind of requirement to protect data.  Sometimes it's regulatory, for example organizations in healthcare or financial or retail need to protect personal data on individuals.  But for sales, manufacturing or other industries like medical devices, their "secret sauce" could be intellectual property like formulas or proprietary processes, or customer lists.

   Whether it's critical data on people, processes or things, what most organizations have in common is that, if they cannot protect this information, the results could be fines or inability to do business and that can directly translate to harm to people and organizations.

   There are so many ways to protect information (or to fail at protecting information), some more complicated than others.

   One very simple way that information can be breached, disclosed or otherwise lost is through unattended, unlocked devices.  For example, someone leaves a laptop logged in, screen unlocked and walks away - someone else can take that laptop and would have access to any data it has.  This is also true for desktop workstations.  In this case the computer won't likely be taken, but if the workstation is unattended and unlocked, anyone else can access the data on that machine leading to potential breaches and regulatory problems.

Tuesday, October 18, 2016

Internet Safety for Parents

   I've written about Internet safety for families, kids, teens and I've even spoken on safety for pre-schoolers.  But it's important to think about online safety for parents as well.

   That's true both for parents of young children as well as seniors with grown children.  The safety challenges for seniors are similar but there are some differences.  They may not be as familiar with technology and, according to the FBI:

  • they are often financially secure and/or have good credit
  • they may be more trusting and they don't think they'd be a target
   This article by the AARP lists some common scams against seniors including some we've discussed like fake Microsoft support calls or IRS-related tax fraud.

   What got me thinking about this topic was a great article entitled "10 Ways to Help Our Parents With Online Security".  The article touches on a number of themes we've discussed in the past.  I'll list the 10 items with links back to some past editions of this blog - typically they:
  1. don't think they have anything worth stealing
  2. have bad password habits - just like most people
  3. are confused by 2-factor authentication - something we all should use
  4. leave mobile devices unattended and without security measures
  5. don't recognize phishing emails
  6. don't understand social media and how it can be used in scams
  7. share too much information
  8. can be manipulated by online media
  9. place too much trust in an anti-virus product
  10. don't understand how sophisticated scams and attacks can be
   In what ways can you help your parents stay safe online?

Tuesday, October 11, 2016

What You Can't See Can Hurt You(r Data)

   "It is all around us, even now in this very room. You can see it when you look out your window or when you turn on your television. You can feel it when you go to work, when you go to church, when you pay your taxes.."

   It's "all around you. Here, between you, me, the tree, the rock, everywhere."

   No, not the Matrix and not the Force, but a more insidious power... WiFi!

   Public WiFi is everywhere.  Many stores, malls, airports, cities and even parks offer it.  Sometimes it's free and sometimes not.

   It's US Cyber Security Awareness Month so it's a good time to think about the risks of using public WiFi and how to protect yourself.

   There are definitely risks in using public WiFi including:
  • pushing software - WiFi can be configured to send software to your device when you connect.  That might be OK at home or important in the office, but it can be misused by an attacker out in public.  Don't install software offered to you on a public WiFi.
  • redirecting your browsing - a WiFi connection can control how you get to websites.  If an attacker controls the WiFi, they can cause you to go to copycat websites with malicious software or to phishing sites.
  • evil twin attack - you know when you're at the coffee shop and you can connect with a WiFi connection that has the same name as that coffee shop?  How do you know it's really the coffee shop's connection?  You don't.  Anyone can buy a wireless router at the store for $25, put it anywhere, and name it anything they want.  Using a deceptive name for a WiFi connection to lure people is called the evil twin attack.
  • are you encrypted? - VPNs, Virtual Private Networks or secure connections, are a great way to protect your data when connecting over unknown networks... like the Internet!  However, you first have to connect to the Internet before establishing the VPN.
Here are some tips to reduce your risks of using WiFi outside your home or office:
  • use your smartphone hotspot - if this is a feature of your mobile phone and plan, you can use your phone as a WiFi hotspot and connect to it.  You then can feel confident that your connection is going through your cellular carrier.  Warning... this will use your mobile data and may cost you extra depending upon your plan and data limits.
  • only use wifi with a password or passphrase - even if everyone knows the password.  Using WPA or WPA2 with a password/passphrase means that every connection between a PC and the wireless network is encrypted.
  • turn off file sharing - in Windows you can designate a network as public, work or home, or you can directly turn off file sharing.  Here's an article with the instructions.
  • if possible don't use open wifi in very open areas - the more open an area you're in, the harder it is to figure out if you're connected to a legit WiFi.  And...
  • be aware of your surroundings - it's not strictly a WiFi issue, but when you're on public WiFi you're in... Public!  Protect your screen.  Protect your passwords.
   Even if you do all this, a skilled attacker can still cause you problems on a public WiFi network.  So, if you have to use public WiFi, try to:

  • limit personal info - even if it looks like a website is https, do your personal business from a secure connection at home
  • same for banking, shopping - definitely save your financial transactions for known secure connections
  • use care with confidential work data - you should use care when dealing with critical work data, particularly if you work with other people's personal data!
   Here are a few articles with more info.

   As a side note, there are also questions about potential health risks of all the wireless signals in our environment.  It's hard to separate fact from speculation and wireless may or may not be a health issue.

   In the future we'll see even more wireless than we do now.  And we'll also see better wireless network security.  Many new cars come with WiFi hotspots and more cities and municipalities are offering wireless. 

   What are your tips for public WiFi safety?  Have you ever come across an "evil twin" WiFi network?

Tuesday, October 4, 2016

Can't Live with 'em, Can't Live without 'em

   They're dead.  They're here to stay.

   They're safe.  They're breached.

   They're encrypted.  They're visible.

   They're complex.  They're too simple.

   Once again, the topic we love to hate... Passwords!  And, you know what else???  It's also that greatest of holiday celebrations... US Cyber Security Month!

   In honor of US Cyber Security Month and the recently announced breach of 500 million Yahoo! account passwords and other info (while announced in 2016, the breach actually took place in 2014, and is not the same as the password breach they had in 2012! - yes, I know... it's hard to keep up!), I'm re-running a post I wrote in... wait for it... 2012!  Not only is everything I wrote in that post 100% relevant today, but I even commented on that 2012 Yahoo! breach.  The more things change, the more they stay the same.  Happy Cyber Security Month!
   Passwords are a mess!  A "good" password has these features:
  • hard to create
  • hard to remember
  • hard to enter
  • probably has to be changed as soon as you memorize it
  • plus other inconsistent, random rules depending upon the site

Tuesday, September 20, 2016

It's Microsoft Calling (Not!)

   The amount of automation and detection in our world today can be scary but it can also be useful.  You can set your lights to come on as you approach your home.  You can have your phone switch to wifi when you get to the office.  And Microsoft will even call you when they detect a problem with your PC!

   OK, maybe not that last one!  As we've discussed before, this is a common scam that has now been around for a few years.

   It works like this... There are 2 basic scenarios:
  1. you get a popup on your computer telling you that "Microsoft" has detected that there is a problem with your PC, and you should call the phone number they provide, or;
  2. you get a phone call directly from "Microsoft" telling you that they have detected a problem on your PC.
   Of course, neither of these are legitimate.  Microsoft will not call you.

   This article has a recording of what one of these calls sounds like.  Here's another.

   I said PC above, but people with Macs have received these as well!

   Here's the thing about these scammer orgs...  they provide very good customer support!  That, of course, is good for them but bad for us.  It's one of the reasons that these scams work.  People are very happy to receive great customer support - it's unfortunately too rare.   So when a friendly, attentive "customer service" rep is telling someone that their computer is infected, it can be convincing.

   Typically the "customer service" rep will ask the victim to open a web browser and type in what they tell them.  The victim's web browser is directed to a malware site that will give the attacker control of that PC.

   Why do they do this?

Tuesday, September 6, 2016

Call Me

  I recently received some awesome news via email.  And it was totally unexpected.  Check it out:

   Now I can retire in style!  :-)

   Needless to say, this is a phishing email.  We've talked about phishing many times in the past.  And we keep talking about it.

   So why does phishing still work?  There are two primary reasons:
  1. No cost/low barrier to entry.  It is effectively free to send out potentially millions of phishing or spam emails.  Attackers can easily relay email through open mail relay servers, but there are other ways to send spam and phishing emails.  Open mail relays are systems that send email but don't require any kind of identification.  Here's some more technical info on open relays.
  2. Exploiting the human factor.  People are busy and we all receive too much email.  It's not always easy to take the time to figure out if an email is OK or not.  Attackers leverage this by sending plausible-looking email, though there are plenty of poorly-created messages as well (like the one above that I received).
   As I mentioned in a previous column, rather than examining an email for evidence of phishing, we can approach all email as if it's hostile and then look for indications that it's OK.

   If you'd like to have some fun... try these spot the phishing online quizzes!

   I won't be contacting the "friend" who sent me the above email.  And I did not win.

   Have you seen any interesting phishing emails you'd like to share?

Tuesday, August 23, 2016

ESCROW - Extreme Security Cool Resource Of the Week!

   ESCROW - Extreme Security Cool Resources Of the Week.  OK, well sometimes you start with the acronym and see how you can make it work!  And I've got a good one for you.

   It's a bit geeky, but if you're interested in learning more about the more in-depth technical aspects of security you will enjoy this resource.  And I've got another, less geeky, resource.

   Everyone knows about Youtube.  You can find just about anything there, but there's so much content that sometimes it's hard to find what you're looking for.

   Enter SecurityTube, securitytube.net, and SecurityTube, securitytube-training.com - originally created as a way to aggregate information security videos in one place.  These are some fantastic free online learning resources.

   Some of the resources have difficulty ratings to help you choose the right course or video.  For example, this one on Wireless LAN (WLAN) security is rated "easy" (and that's certainly in the eye of the beholder!).

   For those who don't want anything that in depth, here's another tip.  You can go to Youtube and search for "cybersecurity for beginners".  There are many basic information security videos there including this one from NOVA PBS:

  Check some of these out and let me know what you think!

Tuesday, August 9, 2016

News you Need Now (NNN)

    I recently received a letter from the SSA (Social Security Administration).  It provided instructions for me to finish setting up my online account.  As I've written in the past, you can, and need to, create personal accounts on the SSA and IRS websites.  The key issue is that you need to reserve and establish your identity on these critical government websites before someone else does it for you!  ID fraud is still a big issue.

   These accounts are straightforward to set up.  One thing you will need to do is go through an Identity Proofing process.  That process asks you for some personal information that, in theory, only you should know.  I list info about the irs.gov account creation process in this post.

   Here is some info from the ssa.gov website:
You can create a my Social Security account if you’re age 18 or older, have a Social Security number, a valid email, a U.S. mailing address, and a cell phone that can receive text messages. You’ll need to provide some personal information to confirm your identity; you’ll be asked to choose a username and password; and then provide your cell phone number. You’ll then receive a security code via text that you will be required to enter when you first create an account. We’ll send your cell phone a new security code each time you log in with your username and password. The security code is part of our enhanced security feature to protect your personal information. Keep in mind that your cell phone provider's text message and data rates may apply.
   Now SSA has increased their security by offering two-factor authentication (2FA) on their site.  We've written about 2FA a number of times in the past.  SSA had said this was coming and now it's available.

   I highly recommend that you create accounts on these sites and use 2FA where available.  Here are the instructions for SSA.  Here for the IRS.  You can enable 2-factor authentication on the SSA site when you create your account.  Here's a link to a previous post looking at other sites where 2FA is available.  Double up wherever you can!

Tuesday, July 26, 2016

Gotta Catch Some of 'Em

   Because you just can't catch 'em all!

   I guess I can't get around having to comment on Pokemon Go.

   If you have children, or if you were born in the 90's through the 00's, then you know all about Pokemon.  It used to be about the cards, action figures and, of course, the video games.  Remember the Game Boys, game cartridges and all the sounds and music?!

   With Pokemon Go, the game has gone from sometimes mobile to really mobile.  And from sometimes social to a social phenomenon.

   It's not farfetch'd!
   For some reason, many adults seem to dislike this game, citing issues like inattention to surroundings, time spent playing, etc.  I think the game is great!  Here are my top reasons why (major caveat... I have not actually played the game!  These are my observations as a technology and security professional and as a parent):
  • It gets kids out of the house - many people need a little Vitamin D.  One of the biggest complaints about gaming and computers for kids is that they don't get outside enough.
  • It gets kids moving - #exercise.  While there have been some attempts at game-ifying exercise, such as Wii Fit, it never really caught on.  Pokemon Go gets people outdoors and moving around.  In fact, part of the game is logging lots of steps.
  • It's for "kids" of all ages - parents can play along with their kids!  You don't have to play, but at the very least it's a great opportunity to be involved.
  • It's really social - you may remember that, back in the day, players could connect two Gameboys so two people could battle.  Now people are connecting IRL (In Real Life) as they hike trails, walk through cities or congregate at parks or other PokeStops.
  • It's another step toward acceptance of Augmented Reality.  Unlike Virtual Reality, in which one is entirely immersed in a manufactured visual scene, Augmented Reality overlays images, text or other information on top of what you are actually looking at.

Tuesday, July 12, 2016

Brexit Protection - click here

   Brexit Protection... or should we call it Brexitection? :-)

   How does Brexit affect your finances?  Do you care?  Plenty of people do.

   And that creates an opportunity for scammers.

   Any time there are major news events, particularly disasters or anything economic, people get worried, and the scammers are right there to play on those fears.

   According to the Telegraph, they have seen emails with subjects such as "Brexit causes historic market drop". These emails have links that supposedly connect to pages with information on how to protect your investments.  Of course, they actually download malware to the victim's computer.

   This is a common problem... common because it works.

   We've covered this topic before... and the advice remains the same.  In fact, here are my top 10 email scam tips from a 2013 post!  These are just as relevant today as then.  And they will be relevant years from now:

Tuesday, June 28, 2016

We're Going About It All Wrong

   Phishing, scam, spam and malicious emails are an ongoing problem.  A recent study found that rates of these malicious emails are worst in months that have an "a", "u" or "r" in the name, with highest delivery volumes on days ending in a "y".

   Seriously though, while the worldwide spam volume seems to be trending down since a peak of over 70% in 2014, rates were trending up in the first quarter of 2016 and the percentage of email that is spam or malicious is well over 50%.

   Email, along with malicious files on websites (whose links are usually delivered through email!), continue to be the top malware vectors.

   In fact, attackers don't even need to use their best, or most complex, attack methods.  It's far more cost-effective to send out random or targeted email, or to place random malicious files on websites and email out the links.  Remember, most cybercrime is economically motivated.  It's a business and the goal is ROI (return on investment).  And business is good.

   It's a big problem because we are fundamentally trusting beings.  I've always believed that people want to do the right thing.  When it comes to people, we should assume positive intent.

   However, email is not a person.

Tuesday, June 14, 2016

Because Math

   Encryption has been in the news again - whether it's ransomware, law enforcement and iPhones, bitcoin, quantum computing, or potential new laws.  Before we can "decrypt" all these issues, we need to talk a bit about what encryption is and isn't.

   There's an old saying in Security... "if you think encryption is the answer, you might not have understood the question".  I never liked the tone of that statement because it sounds kind of elitist, but it is basically true.  And that's because encryption is very confusing.

   Encrypting data is great because it means it can't be read by unauthorized people.  And that is the trick... how to let the right people in and keep the wrong people out.  If my encrypted data is unreadable by anyone, including me, then that's called Ransomware!

   Encrypting my data so only I can read it is pretty easy.  It means that only I need the "key".  Of course, I better not lose that key!  Encrypting my data so I can share it with you is also pretty easy.  We just need a "shared secret".  If I need to share my data with a bunch of people then we get into something called "public key cryptography".  Here's a good explanation of that.

   Encryption is basically a solved problem.  Because math.  #math.  There are many great algorithms with cool names like Elliptic Curve, RSA and Twofish.

Tuesday, May 31, 2016

YAPF (Yet Another Password Fail)

   It's another week and password problems are in the news again!

   In the July 10, 2012 edition of this blog I wrote about the 2012 LinkedIn password breach.  A month earlier, LinkedIn confirmed that a Russian attacker exploited a website vulnerability and downloaded 6.5 million encrypted passwords.  You can read my old post to see why that's a problem.

   Well, some gifts just keep on giving!  Now, nearly 4 years later, a newly posted password dump from this same breach was advertised for sale on a dark web site.  Except that information on over 167 million accounts was for sale!  Of those, over 117 million had both the email and password.  Slightly different math!!!

   So why is this a problem?  Actually it's an old problem and a new problem.  Here are the key issues:
  • Poor password choices - once again, this latest set of stolen passwords shows weak passwords - the top five found passwords were: 123456 (used on over 1 million accounts!), linkedin, password, 123456789 and 12345678
  • Password reuse - since people have accounts on so many sites that need passwords, they tend to reuse them.  The one million people who used 123456 as their LinkedIn password likely reuse that on other sites.
  • Back to Work - are some of these same poor password choices being made on work systems?  Or are some work passwords being used on sites like LinkedIn and potentially included in this breach?
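As an added example (my own illustration, not anything LinkedIn or any other site runs), here is the kind of check a site can apply at sign-up or password change so that the five passwords above never get in.  The breach list is a constructed stand-in seeded with just those five; a real check loads the whole dump.  The 14-character minimum and the site name are assumptions.  Reuse across sites can't be detected by one site, which is why the breach-corpus lookup matters: it catches what attackers already know.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed sample of a breach corpus, seeded with the five most common
// LinkedIn passwords the post lists. A real deployment loads the full dump
// (or queries a k-anonymity range service) instead of a hand-written map.
var breachedPasswords = map[string]bool{
	"123456": true, "linkedin": true, "password": true,
	"123456789": true, "12345678": true,
}

// minLength reflects "size matters": length beats complexity rules.
const minLength = 14

type Verdict struct {
	OK      bool
	Reasons []string
}

// checkPassword applies the defensive checks a site can run when a password
// is set. It returns every reason for rejection so the user can fix all of
// them at once instead of guessing.
func checkPassword(pw, siteName string) Verdict {
	var reasons []string
	lower := strings.ToLower(pw)

	if len([]rune(pw)) < minLength {
		reasons = append(reasons, fmt.Sprintf("shorter than %d characters", minLength))
	}
	if breachedPasswords[lower] {
		reasons = append(reasons, "appears in breach corpus")
	}
	if site := strings.ToLower(siteName); site != "" && strings.Contains(lower, site) {
		reasons = append(reasons, "contains the site name")
	}
	if allDigits(pw) {
		reasons = append(reasons, "digits only")
	}
	return Verdict{OK: len(reasons) == 0, Reasons: reasons}
}

// allDigits reports whether a non-empty string is made only of digits
// (four of the five top passwords above are).
func allDigits(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if !unicode.IsDigit(r) {
			return false
		}
	}
	return true
}

func main() {
	for _, pw := range []string{"123456", "linkedin2016", "correct horse battery staple"} {
		v := checkPassword(pw, "LinkedIn")
		fmt.Printf("%-32q ok=%v %v\n", pw, v.OK, v.Reasons)
	}
}
```

Note that a long all-lowercase passphrase passes: the checks reject known-bad and trivially guessable choices rather than forcing symbol soup.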

Tuesday, May 17, 2016

National Betty White's Password Day

   So apparently May 5, 2016 was World Password Day.  Who knew?  Not me... I missed this one.  But Betty White didn't!  Here's a great video:

   It's not exactly clear to me how May 5 was chosen.  I thought that was Cinco De Mayo!  Apparently this is the 3rd annual World Password Day on the first Thursday in May.  However, for years before that, Feb. 1 has been National Change Your Password Day.

   I don't know about the date change but I definitely support the name change.  The point here is that changing your password is not the key thing to do... I've written about this plenty of times before... when it comes to passwords, size matters!  And multi-factor authentication is a great choice for your personal accounts.

   But don't take it from me... Let's hear from Betty White!

Tuesday, May 3, 2016

Secrets Your Phone Told Me

   You may remember that earlier this year we were all talking about the standoff between the FBI and Apple about the decryption of an iPhone used by one of the shooters in the San Bernardino attack.  This specific problem was "solved" when the FBI said they were able to decrypt the phone and no longer needed Apple's help.  The assumption by many is that the FBI purchased an exploit used to break into the phone.

   This leads us to an important consideration and question... can any phone be hacked?  Is any information on your smartphone really private?

   We have become completely dependent upon our phones.  According to a 2015 Pew Research Center study, in the US over two-thirds of the population uses a smartphone.  We keep all of our personal information on there: passwords and accounts, photos and videos, credit card data, tax data; we shop and set many preferences (travel, food, dating, real estate); we track our workouts, our weight, our food and all our movements.  Today's smartphone is the key to far more information about you than you can imagine!

   We can, of course, watch TV on our phone.  And on 4/17/2016, 60 Minutes aired a show about smartphone security and privacy.  You can view it here.

   In the episode, they talked about the SS7 (Signaling System 7) protocol and how it works.  SS7 was designed in 1975 and it is the protocol that allows phone systems to pass calls between them.  For mobile, it handles maintaining connections as you move between cell towers, for example as you are driving down the road (using hands-free calling of course! :-).  This particular exploit is not new at all.  In fact, this has been a topic at the Black Hat Briefings and other security conferences for years.

   But all this aside, there is no need for exploits or vulnerabilities to track people or glean personal information through their phones.  Disclosing this information is simply how phones and apps work!  Let me explain...

Tuesday, April 19, 2016

Ad Where?

   The first website debuted on Dec. 20, 1990 at CERN in Switzerland.  And less than four years later, the first banner ad.  The idea was simple... if people are reading information on a website, why not hit them with an ad?  Media has traditionally been either for-pay or ad-supported and the model for the web included that.  Of course, back then people had no idea the extent to which other screens like laptops, tablets and smartphones, and binge-watching would displace traditional TV watching.

   And shortly after website ads arrived, so did the malware. Ad-ware, also called "malvertising", was born.

   There are a few different ways website ads can cause problems:
  • virus code in the ad itself - so clicking on the ad downloads or executes the malware
  • malicious code that executes based on a mouse action - such as clicking on a flash animation or even just moving your mouse over an ad (called a "drive-by download")
  • a link in the ad brings you to a different page that can have malware, asks for personal information or exploits your browser to grab information from another tab (kind of like phishing)
   You may ask... why would someone allow a virus in an ad on their site?  That's a great question.   The issue is that most sites don't have a direct relationship with the people creating the ads.  The way it typically works is that sites sell space on their pages to ad brokers, who resell that space either to someone wanting to place an ad, or even to other ad brokers.  And often the ads rotate.  It becomes pretty easy for crooks to insert malware into these ad spaces without detection.

   This led to the creation of ad blockers.  These are programs that work in your browser to block content from the 3rd party ad brokers.  There was a big controversy about this in 2015.  On one hand, websites that offer free content need to have a way to monetize.  On the other hand, web and banner ads are annoying, collect our information, and can contain malware.  Some businesses block ads on corporate systems as a way to cut down on malware... and it works.
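Here is an added Go example, not part of this post or of any ad blocker, of the core decision an ad blocker (or a corporate web filter) makes for every resource a page tries to load: is it first-party, third-party, or on a blocklist of ad brokers?  The blocklist entries and page URLs are constructed, and collapsing a host to its last two labels is a simplification that a real filter replaces with the public suffix list.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

type Class string

const (
	FirstParty Class = "first-party"
	ThirdParty Class = "third-party"
	Blocked    Class = "blocked"
)

// adBlocklist is a constructed stand-in for a real ad-broker list; an entry
// matches the domain itself and every subdomain beneath it.
var adBlocklist = []string{"adbroker.example", "track.example"}

func onBlocklist(host string) bool {
	for _, d := range adBlocklist {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// registrable collapses a host to its last two labels. Deliberate
// simplification: a real filter uses the public suffix list so that
// "a.co.uk" and "b.co.uk" are not treated as the same site.
func registrable(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) <= 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// classify decides what a page at pageURL should be allowed to load.
func classify(pageURL, resourceURL string) (Class, error) {
	page, err := url.Parse(pageURL)
	if err != nil {
		return "", err
	}
	res, err := url.Parse(resourceURL)
	if err != nil {
		return "", err
	}
	host := strings.ToLower(res.Hostname())
	if host == "" { // relative URL: same origin as the page itself
		return FirstParty, nil
	}
	if onBlocklist(host) {
		return Blocked, nil
	}
	if registrable(host) == registrable(strings.ToLower(page.Hostname())) {
		return FirstParty, nil
	}
	return ThirdParty, nil
}

// filterPage splits the resources a page requests into the ones the policy
// lets through and the ones it drops (unparseable URLs are dropped too).
func filterPage(pageURL string, resources []string) (allowed, blocked []string) {
	for _, r := range resources {
		c, err := classify(pageURL, r)
		if err != nil || c == Blocked {
			blocked = append(blocked, r)
			continue
		}
		allowed = append(allowed, r)
	}
	return allowed, blocked
}

func main() {
	page := "https://www.news.example/story"
	allowed, blocked := filterPage(page, []string{
		"/images/logo.png",
		"https://static.news.example/app.js",
		"//cdn.adbroker.example/ad.js",
		"https://fonts.other.example/f.css",
	})
	fmt.Println("allowed:", allowed)
	fmt.Println("blocked:", blocked)
}
```

A stricter corporate policy can treat every third-party script as blocked rather than only listed brokers, which is the trade-off the controversy above is about.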

   To fight back, some sites block people who block ads!

   And that's where things get interesting.

    Let's look at Forbes.com for example.  Many websites simply show their ads along with each page.  If the ads are blocked, then those parts of the pages just don't load, or show a broken image icon.  But when you go to the Forbes website, you first see a welcome page that counts down until you can click to the main page.  While that is happening, the page loads hundreds of those 3rd party ad sites.

   And earlier this year, the Forbes site was serving malware through ads!

   So there's the bind... allow sites to display their ads, including those full sites that only display if ads are allowed; or open the enterprise to malware!

   But shouldn't the responsibility for this malware be with the website that displays the ads?  Shouldn't they test to make sure there isn't executable code in those ads?  I think so.

   I also understand that sites display content that is worth something and they deserve to be compensated.

   There are some compromises.  Some sites ask you to register to see additional content.  You are "paying" by providing information about yourself that they can sell.  Some sites charge nominal subscription fees (some sites charge high subscription fees!).

   There is perhaps some middle ground with Google Contributor.  With this consumer service you pay a nominal monthly fee.  Then google distributes that to sites based upon your usage patterns.

   What are your thoughts?  Is there a middle ground?  Should consumers have to pay for content?  Do we need to be bombarded with ads?  And who should be responsible when sites serve up malware or malicious links?

Tuesday, April 5, 2016

It's Not If, but When

   Have you heard???  2015 was the "Year of the Breach".  Of course, 2014 was the year of the breach.  And, 2013 was the year of the breach.

   2016 is shaping up to be quite a year as well.

   Of course, when we talk about breaches, we're usually talking about someone "stealing" data.  It's not actually "stolen" because you still have it.  It's more accurate to say that in a breach the data is exfiltrated.  This is also called an attack on the confidentiality of the data.

   In security, we talk about the C-I-A triangle, Confidentiality, Integrity and Availability.  Confidentiality is about the secrecy of data.  Integrity is about the accuracy of data.  Availability is about being able to properly access data when it's needed.  A well-rounded security program needs to consider all these aspects.

   What is somewhat different this year is the crypto-/ransom-ware attacks.  In these cases, the attack is a virus that typically gets in as an email attachment.  Someone opens the attachment and the virus executes.  It finds files in network shared directories and encrypts them.  Now, encryption is often a good thing, but that's when you (or your organization) has the decryption key.  In a crypto-ware attack, only the attacker has the key.  That's a problem.  It becomes ransom-ware when the attacker offers to provide the key for a "small" consulting fee, usually paid via the anonymous crypto-currency, bitcoin.
   These are basically attacks to the availability of data.  We've seen instances of hospitals or other organizations temporarily shutting down as a result.  These could also be considered attacks to the integrity of the data - though I think we have not yet seen the real integrity attacks... and they are coming.

Tuesday, March 22, 2016

Credit Cards Calling

   So I was driving down the road, out of state but heading toward home, when I received a text message.  The message said it was from a credit card company asking me whether a charge was legit.  I did not recognize this charge!

   Receiving this kind of message may concern some of you, but for me this is awesome!  The credit card companies have, by necessity, become really good at detecting fraud.  That could be because of the huge amount of credit card fraud out there!  Fraud is big money and it's both in our, and the credit card companies', best interests to try to get a handle on it.

   Detecting this kind of fraud is basically about big data analytics and anomaly detection.  That's just a fancy way of saying it's kind of like finding a needle in a stack of needles!  It's complex and expensive.  Luckily(?) credit card companies have lots of money!  They have to figure out what might be fraud so they can appropriately allow or block transactions.  If they allow too much then there can be a lot of fraud.  If they block too much then there can be unhappy customers.
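Here's an added example of what "anomaly detection" means in practice.  It is written for this post and is not how any card issuer actually scores transactions.  It learns a baseline from a card's history (constructed here as ten routine purchases in Massachusetts), scores a new charge on how far the amount sits from that baseline and whether the location makes sense, and maps the score to allow, verify (the text message I got) or block.  All the thresholds are assumptions; they are the knobs that trade fraud losses against unhappy customers.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

type Txn struct {
	Card   string
	Amount float64
	State  string
	At     time.Time
}

// Profile is the per-card baseline learned from past legitimate spending.
type Profile struct {
	HomeState string
	Mean, Std float64
}

func buildProfile(history []Txn) Profile {
	counts := map[string]int{}
	var sum float64
	for _, t := range history {
		counts[t.State]++
		sum += t.Amount
	}
	n := float64(len(history))
	mean := sum / n
	var sq float64
	for _, t := range history {
		sq += (t.Amount - mean) * (t.Amount - mean)
	}
	std := math.Sqrt(sq / n)
	if std < 1 { // very regular spenders: avoid dividing by ~0
		std = 1
	}
	home := ""
	for s, c := range counts { // most frequent state, ties broken by name
		if c > counts[home] || (c == counts[home] && s < home) {
			home = s
		}
	}
	return Profile{HomeState: home, Mean: mean, Std: std}
}

type Decision string

const (
	Allow  Decision = "allow"
	Verify Decision = "verify" // e.g. text the cardholder, as in the post
	Block  Decision = "block"
)

// scoreTxn adds up simple anomaly signals against the card's profile and the
// previous transaction. Points are constructed for the illustration.
func scoreTxn(p Profile, prev *Txn, t Txn) (int, []string) {
	score := 0
	var reasons []string
	z := (t.Amount - p.Mean) / p.Std
	switch {
	case z > 3:
		score += 2
		reasons = append(reasons, fmt.Sprintf("amount %.0f is %.1f std devs above normal", t.Amount, z))
	case z > 2:
		score++
		reasons = append(reasons, "amount unusually high")
	}
	if t.State != p.HomeState {
		score++
		reasons = append(reasons, "outside home state "+p.HomeState)
	}
	if prev != nil && prev.State != t.State && t.At.Sub(prev.At) < 2*time.Hour {
		score += 2
		reasons = append(reasons, "two states within two hours")
	}
	return score, reasons
}

func decide(score int) Decision {
	switch {
	case score >= 4:
		return Block
	case score >= 2:
		return Verify
	}
	return Allow
}

// sampleHistory is constructed: a card used routinely in Massachusetts.
func sampleHistory() []Txn {
	amounts := []float64{25, 40, 32, 18, 60, 45, 28, 55, 35, 22}
	start := time.Date(2016, 3, 1, 12, 0, 0, 0, time.UTC)
	var h []Txn
	for i, a := range amounts {
		h = append(h, Txn{"4111", a, "MA", start.Add(time.Duration(i) * 24 * time.Hour)})
	}
	return h
}

func main() {
	hist := sampleHistory()
	p := buildProfile(hist)
	last := hist[len(hist)-1]
	for _, t := range []Txn{
		{"4111", 45, "MA", last.At.Add(10 * time.Minute)},
		{"4111", 950, "NV", last.At.Add(30 * time.Minute)},
		{"4111", 200, "NH", last.At.Add(3 * time.Hour)},
	} {
		s, why := scoreTxn(p, &last, t)
		fmt.Printf("$%.0f in %s -> %s %v\n", t.Amount, t.State, decide(s), why)
	}
}
```

A normal-sized charge out of state on its own scores only one point and is allowed, which is the "don't annoy travellers" side of the balance; it takes an unusual amount as well before the cardholder gets a text.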

   Back to our story... the charge was not legit and I responded "2".  As you can see in the image, the credit card company said they would call me.  I did receive a call and was immediately put into a hold loop!  Wait...

   If I did speak to someone they would first have asked me to identify myself.  However, they called me.  I don't actually know who they are!  This whole event could have been a scam to collect personal information from me.  Had someone connected with me that way, I would not have given them any identifying information.  They called me... at my registered (with them) phone number.  They already know who I am.  They need to positively identify themselves to me!

Wednesday, March 9, 2016

How To Vault (part 2)

   A few posts ago I wrote an overview of why you may want to use a password vault.  This was in answer to a reader question asking for more specifics about vaults.

   We've talked about passwords and password vaults a number of times in the past including here, here and here.

   If you haven't read part 1 of this discussion, it's here.

   Hopefully you are now convinced that you should be using a password vault, also called a password manager.  Now what...?

Products & Costs.
   A few years ago there were just a few key players in this field, but the list of products has grown and there are a number of good choices.  I'll briefly mention four of the best known and provide some links where you can get more info.
  • LastPass - the basic product is free.  It has most of the features you'd want, but the free version only supports use in a web browser.  If you want a mobile app and to support password fills in mobile apps then you need to get LastPass Premium, $1/month or $12/year.
  • DashLane - this is another very popular product.  It's free to download and use on any device.  However to have your passwords synced across devices, a very important feature, you need to use the Premium product which costs $40/year.
  • KeePass - this is a well known and solid product.  It always has been free and is open source.  It was designed to support an exportable vault.  That means the primary way to use this tool is to keep it on a thumb drive and plug it into the computer you use it on.  That can be either handy or inconvenient depending upon how many computers you have and how you do your work.  With KeePassX you can store the vault in free cloud storage like GoogleDrive, OneDrive, Dropbox, etc. and can connect with apps on mobile devices.
  • 1Password - many people like this product and consider it easy to use.  Its design is similar to KeePass in that its basic use is on a single system and you can share your vault using free online cloud storage services.  It's free to download and there is a one-time license fee.  There is also mobile support and that requires a valid license.
   Here are a few review articles that go into more detail about the features of these, and some other, products.

Tuesday, February 23, 2016

Hospital Held Hostage, FBiOS and CEO Phishing

   I usually don't do "news of the week" commentary posts, but too much has happened this past week and we need to discuss it!

Hospital Held Hostage.

   I'm sure by now you've seen some info on what happened at Hollywood Presbyterian Medical Center in California.  Just in case you were on a desert island... on Feb. 5 HPMC experienced a cryptoware attack.  We've talked about those before... it's malicious software that encrypts files so that only the attacker can read them... the people who need to can't.  The story broke about 10 days later.

   Cryptoware becomes ransomware when the attackers offer to fix the problem - decrypt the files - for a "small consulting fee", usually not small and paid in bitcoin, an untraceable online currency.

   The situation itself is, unfortunately, not unique.  These kinds of attacks have been happening everywhere for years.  But there are two things that happened in this case that are unique.  First, the cryptoware completely shut down all the computerized systems in the hospital.  That means no electronic medical records, radiology, anesthesiology... just about any -ology and most hospital functions are computerized.  The hospital reverted to paper and had to turn away surgery patients or those needing more complex diagnosis, tests or procedures.  

   Second, the hospital paid the ransom.  This is the first publicized case of both a hospital shut down in this way and paying the ransom to restore their files.

   Most hospitals have procedures, called "down time procedures", for operating without some computerized resources.  And there is an incident handling process called HICS - Hospital Incident Command System - based on US FEMA (Federal Emergency Management Agency) NIMS (National Incident Management System).  But there are still medical procedures that can't be done without access to the electronic data or computer-controlled systems.

   This attack is not OK.  Stealing people's data is bad enough.  But this affects lives.

   Can this happen here (wherever "here" is)?  It can, it has, it does and it will.  All industries and even home systems have been hit.  It's not "if", but "when".

   Can't we prevent it?  Yes!

   Wait.  What?  There's more to that story.  An attack like this can be prevented, but systems would have to be locked down so tight that they might not be usable.  And that's not a solution.  But there are some proactive things that can be done:
  • Don't click!  Most of these kinds of attacks start with the click of a link on a website or in an email, or opening an email attachment.  We've discussed this many times before... if you're not expecting it, if it doesn't look right, if it's not consistent... don't click!
  • Endpoint controls.  These are controls on your desktop or laptop computer including old-school anti-virus, application whitelisting, and execution controls; operational procedures like having a standard workstation configuration and regular patching.
  • Network/System controls.  Like monitoring and keeping all applications up to date with the latest versions and patches, and reliable and tested offline backups.
  • Internet controls.  Like web site filtering and email controls.
   So why did they pay?  Isn't that bad?  In some cases, if the cryptoware infection gets so bad that the organization cannot recover, there may be no other choice than to pay.  And even that's no guarantee that the attackers will or can give you the key to decrypt the files.  In some attacks, if the victim doesn't pay in time, the key is deleted and the files could be unrecoverable.  It's obviously better not to pay (or not to have to pay!), but the organization might not have a choice.
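The controls above are about keeping cryptoware out; the other half is noticing it the moment it starts.  Here is an added example, not from this post or from any product, of how an endpoint agent or file-server monitor can spot the cryptoware pattern described in this post and in the April 5 post while it runs: one process rewriting many shared files in a short window with content that looks encrypted, or with a ransom-style extension.  The write events, entropy threshold and extension list are constructed.  Backup and archive tools also produce high-entropy writes, so in practice they go on an allow list.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"path/filepath"
	"sort"
	"strings"
	"time"
)

// WriteEvent is one file write as an endpoint agent or file-server audit log
// would report it: which process, which path, when, and the bytes written.
type WriteEvent struct {
	Process string
	Path    string
	At      time.Time
	Data    []byte
}

// shannonEntropy in bits per byte: plain documents sit well under 6,
// encrypted or compressed data approaches 8.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n := float64(len(b))
	var h float64
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Extensions appended to encrypted files (constructed list for the example).
var ransomExt = map[string]bool{".locked": true, ".encrypted": true, ".crypt": true}

type Alert struct {
	Process       string
	FilesInWindow int
}

// detectMassEncryption flags a process that, within window, writes at least
// threshold files that look encrypted (entropy >= entropyMin) or carry a
// ransom extension. Events need not be sorted; each process is examined with
// a sliding window over its suspicious writes.
func detectMassEncryption(events []WriteEvent, window time.Duration, threshold int, entropyMin float64) []Alert {
	perProc := map[string][]time.Time{}
	for _, e := range events {
		ext := strings.ToLower(filepath.Ext(e.Path))
		if ransomExt[ext] || shannonEntropy(e.Data) >= entropyMin {
			perProc[e.Process] = append(perProc[e.Process], e.At)
		}
	}
	var alerts []Alert
	for proc, ts := range perProc {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start := 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if end-start+1 >= threshold {
				alerts = append(alerts, Alert{proc, end - start + 1})
				break
			}
		}
	}
	return alerts
}

// sampleEvents is constructed: one ordinary document save, then a process
// overwriting 25 shared spreadsheets with random-looking bytes in 25 seconds.
func sampleEvents() []WriteEvent {
	base := time.Date(2016, 2, 5, 9, 0, 0, 0, time.UTC)
	r := rand.New(rand.NewSource(42))
	evs := []WriteEvent{{"winword.exe", "/shares/finance/notes.docx", base,
		[]byte(strings.Repeat("meeting notes ", 200))}}
	for i := 0; i < 25; i++ {
		buf := make([]byte, 4096)
		for j := range buf {
			buf[j] = byte(r.Intn(256))
		}
		evs = append(evs, WriteEvent{"invoice.pdf.exe",
			fmt.Sprintf("/shares/finance/doc%02d.xlsx.locked", i),
			base.Add(time.Duration(i) * time.Second), buf})
	}
	return evs
}

func main() {
	for _, a := range detectMassEncryption(sampleEvents(), time.Minute, 10, 7.5) {
		fmt.Printf("ALERT: %s wrote %d encrypted-looking files within a minute\n", a.Process, a.FilesInWindow)
	}
}
```

The useful response to such an alert is to cut that process (or that host) off from the file shares at once; with tested offline backups in place, the files it already reached are a restore job rather than a ransom decision.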

   CSI:Cyber did an episode on a hospital malware attack in Nov. 2015.  I wrote about that here.

   Just a quick commentary on the other two issues.

CEO Phishing.

   Or perhaps more correctly... phishing from your CEO!  In this phishing attack variant, an email comes from "the CEO" (or other highly placed official) demanding some kind of immediate action, typically involving wiring money.  All too often, the recipient does what they're told and sends the funds.

   Recent issues in the US and in France have kept this in the news.  Now Microsoft is getting in on the act, trying to make improvements to Outlook to help with this problem.

   As we've discussed in the past, if something on a web page or email doesn't look right, it probably isn't.  Don't click; Report it!  And even if you did click, report it!
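Here is an added example, my own and not Microsoft's Outlook logic, of the header checks a mail gateway can run to flag "phishing from your CEO" before anyone has to decide whether to click.  It looks for a trusted display name on an outside address, a look-alike sender domain, a Reply-To that redirects the conversation elsewhere, and pressure language in the subject.  The corporate domain, the executive directory and the two sample messages are all constructed.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed assumptions: the organisation's mail domain and the display
// names attackers would impersonate, with the address each should come from.
const corpDomain = "example.com"

var executives = map[string]string{"jane doe": "jane.doe@example.com"}

var urgencyWords = []string{"urgent", "immediately", "wire", "transfer", "confidential", "today"}

type Finding struct {
	Score   int
	Reasons []string
}

func (f *Finding) add(points int, reason string) {
	f.Score += points
	f.Reasons = append(f.Reasons, reason)
}

func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// analyzeMessage scores a raw RFC 5322 message; anything above zero is worth
// a banner or a quarantine, and the reasons tell the analyst why.
func analyzeMessage(raw string) (Finding, error) {
	var f Finding
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return f, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return f, err
	}
	fromDomain := domainOf(from.Address)
	if want, ok := executives[strings.ToLower(strings.TrimSpace(from.Name))]; ok && !strings.EqualFold(from.Address, want) {
		f.add(3, fmt.Sprintf("display name %q but address %s", from.Name, from.Address))
	}
	if fromDomain != corpDomain && levenshtein(fromDomain, corpDomain) <= 2 {
		f.add(2, "sender domain "+fromDomain+" looks like "+corpDomain)
	}
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if r, err := mail.ParseAddress(rt); err == nil && domainOf(r.Address) != fromDomain {
			f.add(1, "Reply-To goes to "+domainOf(r.Address))
		}
	}
	subject, hits := strings.ToLower(msg.Header.Get("Subject")), 0
	for _, w := range urgencyWords {
		if strings.Contains(subject, w) {
			hits++
		}
	}
	if hits >= 2 {
		f.add(1, "urgency/payment language in subject")
	}
	return f, nil
}

// levenshtein is the edit distance used to catch look-alike domains.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			best := prev[j] + 1 // deletion
			if cur[j-1]+1 < best {
				best = cur[j-1] + 1 // insertion
			}
			if sub := prev[j-1]; ra[i-1] == rb[j-1] && sub < best || ra[i-1] != rb[j-1] && sub+1 < best {
				best = sub
				if ra[i-1] != rb[j-1] {
					best++
				}
			}
			cur[j] = best
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// Constructed sample messages: an impersonation attempt and a genuine mail.
const suspiciousMail = "From: Jane Doe <jane.doe@examp1e.com>\r\nReply-To: jane.doe@webmail.example.net\r\nTo: bob@example.com\r\nSubject: URGENT wire transfer today\r\n\r\nPlease handle this immediately.\r\n"

const legitMail = "From: Jane Doe <jane.doe@example.com>\r\nTo: bob@example.com\r\nSubject: Q2 planning agenda\r\n\r\nSee you Thursday.\r\n"

func main() {
	for _, m := range []string{suspiciousMail, legitMail} {
		f, _ := analyzeMessage(m)
		fmt.Printf("score %d %v\n", f.Score, f.Reasons)
	}
}
```

Header checks like these are what a gateway can do on its own; pairing them with a simple rule that wire requests are always confirmed out-of-band (a phone call to a known number, never a reply to the mail) closes the loop the attacker is counting on.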

FBiOS.

   After the San Bernardino, California terrorist shooting last December, Federal authorities recovered one of the attackers' cell phones.  It is an Apple 5C.  Because of the way Apple encrypts its phones, law enforcement has been unable to view the contents of the phone.

   This week a federal judge ordered Apple to help unlock the phone.  The order is based upon the 1789 law called the All Writs Act.  Apple has chosen not to comply and that has led to plenty of discussion on both sides of the issue.  Apple says helping would set a bad precedent and weaken their phones' protections.  The FBI says it's Apple's duty to help with this criminal investigation.

   As is so often the case, there is no perfect answer.

   As Benjamin Franklin famously did not say, "Those who give up liberty for security deserve neither".  The reality for encryption is, if we make technology that law enforcement can crack, then anyone can crack it.  This is true because of the law no one can break - the law of mathematics!

   However, the Apple 5C uses an older encryption method than their newer phones.  So in this case, Apple could help without compromising everyone else's security and privacy.

   There's some great in-depth discussion of this issue on the TWIT podcast this week.

   Here are some good articles with more details.  We'll watch to see how this plays out.