Tuesday, December 26, 2017

BBB - Best Business Books

   As we close out this year and think about the new year, it's a great time to think about your own development and learning.

   I really enjoy audiobooks.  While SciFi is my typical favorite, I also mix in business and self-development titles.  I've been keeping a list of my top self-development books and had been meaning to share them here... and now here they are!

   This list is not exactly in priority order, however my favorites are definitely at the top.  So, more or less, the first third of the list is 5-star books, middle third 4.5-stars, and the final third are 4-star.  These are all great books, regardless of where they are on this list.

   Here we go...
  • Start With Why – Simon Sinek
  • The 5 Levels of Leadership – John C. Maxwell
  • The Charisma Myth – Olivia Fox Cabane
  • Pitch Anything – Oren Klaff
  • What Makes an Effective Executive – Peter F Drucker
  • A Whole New Mind – Daniel H. Pink
  • Eat That Frog! – Brian Tracy
  • Getting Things Done – David Allen
  • The New One Minute Manager – Ken Blanchard, Spencer Johnson
  • The Introvert Advantage: How to Thrive in an Extrovert World – Marti Olsen Laney, PsyD
  • It's Your Ship – D. Michael Abrashoff
  • Multipliers – Liz Wiseman
  • Just Listen – Mark Goulston
  • Influencer – David Maxfield

Tuesday, December 12, 2017

Ho-Ho-Holiday Spams and Scams

   It's that time of year again folks.  And whatever holiday you may, or may not, celebrate... there's something we're all likely to see.  It's not presents, though maybe there are some for you.  It's not snow, though we're already seeing that here in the upper midwest US.

   It's malware and holiday scams!

   Unfortunately, it happens every year.  Sometimes it's malicious attachments.  Sometimes it's links to malware to download or phishing sites with forms ready to collect your personal and financial information.

   Here is my 2017 edition of my Top 10 Tips To Avoid Holiday Spams and Scams...

Tuesday, November 28, 2017

You Don't Have to Outrun the (Fancy) Bear

   Two hikers are walking through the woods.  They come around a bend in the trail into a clearing where they can take a break, when suddenly a bear steps out of the woods and roars.  One hiker quickly bends down to tighten his boot laces.  The other hiker says, "what are you doing? You can't outrun a bear!".  The first hiker says, "I don't have to outrun the bear, I only have to outrun you!".

   One of the biggest changes in information security over the past two decades has been with the attackers.  Rather than the old stereotype of a hoodie-wearing loner in the basements with Mountain Dew, Twinkies and old computers, today's attacker is typically trained, smart and well-funded.  Instead of defacing websites for fun and notoriety, attacks today are a business.

   It's a simple risk/reward equation.  There is a cost to any attack.  Email-based attacks are very inexpensive to launch.  Developing sophisticated malware is expensive.  And the more expensive an attack is to pull off, the higher the potential gains need to be to make a profit.

   Information security is very complex.  It's as much an art as it is a science.  There are basic things that everyone should do, like patching systems and using strong, long passwords.  And then there are complex solutions to complex problems that need to be artfully implemented to complement the way people do their work.

   There are so many high profile breaches in the news.  Some of these are the result of highly skilled and motivated attackers going after a specific target.  But many more are "crimes of opportunity".

   As I see it, there are basically three kinds of online attacks:

Tuesday, November 14, 2017

It's All About the Squirrels!

   Did you know that in 2016 there were more selfie-related deaths than shark-related deaths?  Same is true in 2015.  We'll see what happens in 2017!

   That might seem counter-intuitive.  And that's exactly the point... we are programmed through evolution to focus on the sensational risks.

   We've been hearing plenty about cyber-war and state-sponsored attacks.  These are big and scary things.  It seems that the power grid is a key target.  Well, it turns out that cyber attack is not the top issue that affects the power grid.  Not even close.  And what's a more serious and regular threat???  Squirrels!  No, that's not a joke.

Here's a great presentation at this year's ShmooCon, an annual security conference:

   But here's the point of all this... while it's fun to laugh at, or dislike, squirrels, there's an important lesson here.  We do need to speculate and consider the future when conducting risk assessments.  But we also need to have a strong focus on reality!  That means assuring you are considering mundane, but very real, threats and vulnerabilities that are actually happening.  It's far too easy for us to focus on high impact, very low likelihood events to the exclusion of those high-probability, common attacks like phishing.

   So skip the sharks and watch out for the squirrels!

Tuesday, October 31, 2017

Easy as 1-2-3

   It's US Cyber Security Month and the key themes I've been discussing here for years are every bit as relevant today.  In honor of Cyber Security Month I'm re-running a post from 2016.  The more things change, the more they stay the same.  Happy Cyber Security Month!

   Well, I was trying for something catchy like Stop, Drop and Roll.  That's a saying we learned in school, back in the day, for what you should do if your clothes catch on fire.

   Fortunately, it seems like everyone has heard that saying and it rolls off the tongue.

   Unfortunately, my three word phrase Patch, Vault and Fob, is not nearly as catchy.

   Fortunately, the odds of your clothes catching on fire are low.

   Unfortunately, the odds of your software, browsers or accounts being compromised are very high.

   A couple of weeks ago the internet was hit with the highly impactful and publicized distributed denial of service (DDoS) attack on Dyn, a DNS provider.  I won't go into the details here but I think I will cover DDoS in a future post.  Anyway, shortly after that I was chatting with someone at a dinner who asked me about this attack, internet safety in general and what they could do.  To keep it simple (and because, as a math person, I like things in 3's!), I provided these 3 simple (well, maybe straightforward is more accurate) things that absolutely everyone should do at home...

Tuesday, October 24, 2017

Internet Safety for our Parents

   It's US Cyber Security Month and the key themes I've been discussing here for years are every bit as relevant today.  In honor of Cyber Security Month I'm re-running a post from 2016.  The more things change, the more they stay the same.  Happy Cyber Security Month!

   I've written about Internet safety for families, kids, teens and I've even spoken on safety for pre-schoolers.  But it's important to think about online safety for parents as well.

   That's true both for parents of young children as well as for seniors with grown children.  The safety challenges for seniors are similar but there are some differences.  They may not be as familiar with technology and, according to the FBI:
  • they are often financially secure and/or have good credit
  • they may be more trusting and they don't think they'd be a target
   This article by the AARP lists some common scams against seniors including some we've discussed like fake Microsoft support calls or IRS-related tax fraud.

   What got me thinking about this topic was a great article entitled "10 Ways to Help Our Parents With Online Security".  The article touches on a number of themes we've discussed in the past.  I'll list the 10 items with links back to some past editions of this blog - typically they:
  1. don't think they have anything worth stealing
  2. have bad password habits - just like most people
  3. are confused by 2-factor authentication - something we all should use
  4. leave mobile devices unattended and without security measures
  5. don't recognize phishing emails
  6. don't understand social media and how it can be used in scams
  7. share too much information
  8. can be manipulated by online media
  9. place too much trust in an anti-virus product
  10. don't understand how sophisticated scams and attacks can be
   In what ways can you help your parents stay safe online?

Tuesday, October 17, 2017

Still Can't Live With 'Em

   It's US Cyber Security Month and, like clockwork, we have Yahoo! in the news again telling us that the worst case from the past just keeps getting worster (I can make up words, can't I??? :-).  They are now counting their breached accounts at over 3 billion!  How many people are there in the world these days?...  Last year at this time, they announced the breach of 500 million Yahoo! account passwords and other info (while announced in 2016, the breach actually took place in 2014, and is not the same as the password breach they had in 2012! - yes, I know... it's hard to keep up!).  In honor of both Cyber Security Month and Yahoo!, I'm re-running a post I wrote in... wait for it... 2012!  Not only is everything I wrote in that post 100% relevant today, but I even commented on that 2012 Yahoo! breach.  The more things change, the more they stay the same.  Happy Cyber Security Month!

   They're dead.  They're here to stay.

   They're safe.  They're breached.

   They're encrypted.  They're visible.

   They're complex.  They're too simple.

   Once again, the topic we love to hate... Passwords!  And, you know what else???  It's also that greatest of holiday celebrations... US Cyber Security Month!

   Passwords are a mess!  A "good" password has these features:
  • hard to create
  • hard to remember
  • hard to enter
  • probably has to be changed as soon as you memorize it
  • plus other inconsistent, random rules depending upon the site
Tuesday, October 3, 2017

Thoughts about Change

   We've all heard the cliche, the only thing that is constant is change.  Many of our organizations are undergoing all kinds of change.  We may have professional changes.  And, of course, there are personal or life changes.

   Sometimes you have control over changes - they can be choices.  Sometimes you don't have control over the change.  But you do have control over how you respond to change.

   I've spoken with many people whose organizations are undergoing change.  That can lead to some uncertainty, but that is not necessarily a bad thing.  It's really just something new.  And change often brings opportunity!

   One model that can be used to help people through change is the Bridges Model of Transition.  Bridges defines a transition path that begins when a change is announced or recognized and ends when people are successfully in the changed state.  The key is what happens in between!  Bridges describes 3 stages that people must move through.
  1. Letting Go - this means both understanding and coming to terms with the change.  It can be characterized by fear or other negative emotions.  Leaders can help by communicating, listening, and empathizing.  Recognize that different people change at different rates.  Individuals can help by talking things through with their leaders.
  2. The Neutral Zone - this occurs once people get past their initial reaction to change.  This can be a period of uncertainty.  Leaders can help by providing direction and continuing to communicate.
  3. The New Beginning - this occurs when the organization has arrived at the new state.  Since people do change at different rates, all team members may not arrive here together.  Leaders can help by recognizing the state of the team, providing extra direction where needed, and celebrating successes of the transition.
   I've been thinking about the topic of change for a couple of reasons.  First, my current organization is undergoing the change of integrating in a new organization.  This is actually a great synergy and creates many great opportunities both for the business and for individuals.  But as we discussed above, change affects different people differently.

   In addition, I'll be undergoing my own change soon as I transition to a new and exciting opportunity!

   Thank you to all my current colleagues for their partnership and support!  I know our paths will cross in the future.

Tuesday, September 19, 2017


   Or maybe we should say Equi-Fiasco!

   By now you've certainly heard about the Equifax breach including leaked social security numbers and other personal information on over 143 million people.  And there's plenty more info to come with this one as the facts continue to get uncovered.

   I certainly don't mean to be jumping on the bandwagon here.  There has already been so much coverage of this breach, but it is a big deal.  And, while I've seen a number of articles on what to do now, I haven't seen any that really cover everything you must do to protect yourself.

   Let's do that now!

   The bottom line is this... it's 2017... no one can or will protect your personal information.  You must take appropriate steps to protect yourself.  And here they are... in no particular order... the top-10 things you should do to protect your personal and financial information:

Tuesday, September 5, 2017

I Have Neither Read Nor Understood

   The site masthead starts out with the statement: “I have read and agree to the Terms” is the biggest lie on the web. We aim to fix that.

   This is the lead statement on the tosdr.org website.  tosdr is an acronym for "Terms of Service; Didn't Read".  It's a play on words (play on acronyms? :-)) of tl;dr, Too Long; Didn't Read.  tl;dr has been a term floating around the interwebs for many years.  It simply expresses a sentiment that many people can relate to... that we're busy, so when there is a long article, post, whitepaper, document, documentation, etc., we might just not read it.  That also leads to the idea of the tl;dr version, i.e. executive summary!

   Clearly, Terms of Service statements fit into this category.  They tend to be exceedingly long.  They are often written FLBL (For Lawyers, By Lawyers)! :-)  You see them all over the place... on your bank's website, on social media sites, when you sign up for just about any kind of service, and with just about every app you install.

   So, if no one reads them, what's the problem?  Like a contract, the Terms of Service or EULA (End User License Agreement) provides some very important information.  For example, it may cover:
  • how the app, website or company can use your personal data;
  • if the site can sell your data;
  • whether or not you own any content you upload (such as to a social media site);
  • how, when, and how much you can use the app, service or website;
  • if the site can charge you money, either one time or ongoing;
  • if you have any rights to seek damages against the company if you don't like how they conduct business;
  • and more...

Tuesday, August 22, 2017

Don't Blame The IRS

   In a post last month, I included a recording of an obviously fake voice message warning about payment and fines due to the IRS.  If you've read my blog in the past, I talk a lot about scams and give tips to avoid them.  We've often discussed that legitimate organizations should not just contact you and ask for personal information.

   That just makes sense.

   But telling the difference between a legitimate call and a scam call has gotten harder.

   A reader let me know that the IRS is now using collection agencies to collect back taxes!  That just makes it even tougher to tell the difference between a legit collection call and a scam!

Tuesday, August 8, 2017

You Gotta Be You

   I just received an update from the Social Security Administration.  Yes, it was real! :-)  It was a reminder to log in to the SSA website to check my information online.  That also made me think about advice I've written about in the past... it's critical that you connect and establish your presence on critical government websites before someone else can create an account in your name.

   Here's a rewind of a 2016 post with all the information...

   I recently received a letter from the SSA (Social Security Administration).  It provided instructions for me to finish setting up my online account.  As I've written in the past, you can, and need to, create personal accounts on the SSA and IRS websites.  The key issue is that you need to reserve and establish your identity on these critical government websites before someone else does it for you!  ID fraud is still a big issue.

   These accounts are straightforward to set up.  One thing you will need to do is go through an Identity Proofing process.  That process asks you for some personal information that, in theory, only you should know.  I list info about the irs.gov account creation process in this post.

   Here is some info from the ssa.gov website:
You can create a my Social Security account if you’re age 18 or older, have a Social Security number, a valid email, a U.S. mailing address, and a cell phone that can receive text messages. You’ll need to provide some personal information to confirm your identity; you’ll be asked to choose a username and password; and then provide your cell phone number. You’ll then receive a security code via text that you will be required to enter when you first create an account. We’ll send your cell phone a new security code each time you log in with your username and password. The security code is part of our enhanced security feature to protect your personal information. Keep in mind that your cell phone provider's text message and data rates may apply.
   Now SSA has increased their security by offering two-factor authentication (2FA) on their site.  We've written about 2FA a number of times in the past.  SSA had said this was coming and now it's available.

   I highly recommend that you create accounts on these sites and use 2FA where available.  Here are the instructions for SSA.  Here for the IRS.  You can enable 2-factor authentication on the SSA site when you create your account.  Here's a link to a previous post looking at other sites where 2FA is available.  Double up wherever you can!

Tuesday, July 25, 2017

The Matter at the Hand

   Check this out!...

   Here's a transcript:

   Calling from Criminal Investigation Division of I-R-S.  The matter at the hand is extremely time sensitive and urgent, as after all that, we found that, there was a fraud and misconduct on your tax which you are hiding from the federal government. This need to be rectified immediately so do return the call as soon as you receive the message. The toll free number is 1-8-6-6-9-7-8-6-6-1-8. I repeat again, 1-8-6-6-9-7-8-6-6-1-8. Thank you.

   Needless to say, this is a scam.  You can look at all of these reports on phone number lookup sites.

   Now, you may think that this obviously sounds like a scam.  However, it unfortunately works.

   So what should you do if you or someone you know receives one of these calls?

  1. Don't respond.  Just leave that alone.
  2. Report it.  Here is the FTC info page on reporting scams, spams, do not call or telemarketing violations and other issues.  Here is the complaint reporting page.
   I did file a report with the FTC.  It doesn't take long and it's the right thing to do.

   While these calls can be either annoying or entertaining, the bottom line is that they work and some people do fall for these scams.  So educate yourself and others.

   Do you have any interesting robo-call or scam stories to share?

Tuesday, July 4, 2017

All Your Bitcoin Are Belong To Us

   If you're old enough... and geeky enough, you may remember this:

   All Your Base Are Belong To Us was one of the famous early internet memes.  You can take a break and read more about it here and here.

   Memes are fun!  But ransomware isn't.  We've talked about ransomware many times in the past.  It's a kind of virus or malware (malicious software).  It's been in the news quite a bit and the healthcare industry has had particular ransomware problems.  And the news will continue after May's "WannaCry" and June's Petya/GoldenEye global attacks.

   Basically, in a ransomware attack, infected computers cause data to be encrypted.  Normally encryption is a good thing, but only when you can also decrypt your data.  In this attack, only the attacker can restore your access to the information, and will do so for a "small consulting fee".

   Payment is typically made using Bitcoin.  Bitcoin has also been in the news.  It is what is called a "crypto-currency".  It's basically an online way to pay for things, kind of like an online debit card where you already have the funds in your account.  The main reason Bitcoin is used for ransomware is that it is fairly anonymous, particularly when compared with traditional credit cards or banking.  It's not completely anonymous - it does protect identity during transactions, but eventually someone may have to turn that bitcoin into other traditional currency.

   With all the ransomware attacks, some organizations are getting bitcoins so that they are ready in case they need to pay ransom!

Tuesday, June 20, 2017


   I received this great news in email today.  For some reason gmail marked it as spam!  But it looks great to me! :-)

Tuesday, May 23, 2017

I'll Cry if I Wanna

   I try not to jump on bandwagons, but with so much coverage and the effects of the whole worldwide WannaCry mess, I do have a few things to say.  I have a few different things to cover that you may not have seen elsewhere.

   There's been plenty of media coverage so I'll just give a high level overview of what happened.  Like many other nations, the US National Security Agency (NSA) studies computer flaws and develops ways to attack them.  The Shadow Brokers are a hacker group who started leaking some of these NSA-developed attacks in the second half of 2016.  The April 2017 edition of their leaks included the code that enabled the WannaCry attack.

   The attack that started on Thurs May 11 consisted of two parts.  One would encrypt files so that the owner could not get access to their files (commonly called "CryptoWare").  The other part could get remote access to any vulnerable computer.  This was a very powerful combination and this is the first time we've seen this kind of auto-spreading cryptoware.  Once infected, the victim sees a screen that directs them to pay a ransom in bitcoin - so the whole attack is considered "Ransomware".

   Now, Microsoft did release a patch in March to fix some of these problems, in particular the remote access part.  So no problem, right?  Desktops and laptops are usually easier to patch, and you should always have your home systems set to automatically update.  But servers need more testing to assure that applications continue to work as expected.

   Patching was a critical part of the fix, but there was definitely more to it including things like new anti-virus signatures, whitelisting, intrusion prevention signatures and firewall rules.

Tuesday, May 9, 2017

Google Docs and the Mailinator

   You're minding your own business, just checking email, when you get an email from a "friend" inviting you to get a shared Google Doc file.

   You're a student of security, or at least a fan, so you're always skeptical when you receive an email with a link or attachment.  This one appears to come from someone you know.  The subject and body of the message seem consistent with a Google doc sharing message.

   Problem clue #1 - look at the "To:" line.  Clearly, this message wasn't sent to you.

   Problem clue #2 - were you expecting this email and file?  Has this sender sent you Google docs in the past?  Did this email arrive at work or home - and do you normally use Google docs there?

   But, you are rushed and don't have time to send your friend a message to see if this email is legit.  So you click.  If you're not already logged in to your Google account, you're asked to log in.  What you see next is...

Tuesday, April 25, 2017

World Password Day and Teen Power

   Thurs May 4, 2017 is World Password Day!  I know that's coming up fast, but don't worry, you still have time to plan your celebration.  No, that's not the day when you share your password with the world.  Nor is it about changing your bank password from 123456 to 1234567.

   I've written about this in the past.  World Password Day is a day to learn and it's yet another opportunity to take a look at what is protecting your personal information, your financial information, your medical information as well as your internet presence and reputation.  Most passwords provide only a thin veil of protection.

   On World Password Day, we should look at the 4 main problems we can very easily fix:
  1. People choose weak or easily guessable passwords - the simple fix is to choose better passwords!  As I've said many times in the past, when it comes to passwords, size matters!  Make 'em long.  But even if you choose a good password...
  2. Passwords get reused among sites - this is a major problem because the attackers will try stolen passwords at other sites.  And it works.  So choose a unique password for every site on which you have an account.  But...
  3. We can't remember all our passwords - so, as we've discussed in the past, use a password vault.  The vault is a program that will help you choose great passwords, recall those passwords and protect them.  But sometimes that's not enough because...
  4. Even well-chosen passwords can be guessed or hacked - so for extra protection use two-factor authentication (also called multi-factor authentication).  Typically this means using an app on your smartphone as part of the login process.  That means, to break into your account, an attacker would need both your (long, strong) password AND your smartphone.  That's hard for the attacker to do.  And using multi-factor is easy!  Setting up 2-factor authentication is easier than ever before and is in use on many mainstream sites including Google, Facebook and Twitter.  Here's some info on sites offering 2-factor authentication.

   The WPD website has some high level guidance on each of these as well as those great Betty White videos!

   And if those all aren't enough reasons to move to 2-factor authentication, now... that pinnacle of journalism... Teen Vogue, has put out a really good article on the subject!  You can read it here.

   In addition to really good coverage of 2-factor methods and websites, the article also goes into more advanced topics like the use of a physical fob called a Yubikey.

   What is really significant is that this article is directed at a population who both grew up with technology and is used to sharing everything. The key message is that there are good reasons for protecting your information and reputation, even if you don't yet have financial assets or a job.

   So, are you ready to take the World Password Day challenge?  Start slowly.  Get a password vault and start with your most important sites: banks, insurance, investment and social media.  Change the passwords to unique long strong ones.

Tuesday, April 11, 2017

Cyberbullying and the New Math

   According to Cyberbullying Research Center, the National Crime Victimization Survey (NCVS) is a large-scale data collection effort led by the U.S. Census Bureau and the Bureau of Justice Statistics.  This study has been going on since 1973.  In 1989 they added supplemental questions focused on school-related incidents, and stepped this up to a more in-depth biennial survey in 2005.

   Cyberbullying is still a major issue.  It's been over 4 years since I've written on this subject.  While there is perhaps more visibility, the basic problems haven't changed.

  Based on the above benchmark, at first glance, bullying appears to be trending down over the past decade.

   While there have been some high-profile cases over the years, this is a real, current and ongoing issue.

Tuesday, March 28, 2017

Big Problems, Small Packages (part 1)

    We're constantly hearing about data breaches in the news.  Many are due to external attacks as happened to Yahoo! or OPM.  Many others are caused by well-meaning staff or contractors who carry data with them on laptops that then get lost or stolen.

   USB flash drives, often called thumb drives because they're about the size of your thumb, first hit the market in around 2000.  They had relatively little storage space and weren't cheap, but quickly became a security issue both for the potential to carry and load malware as well as taking data out of the office.  I remember discussions about this issue back in the early 2000s and some organizations were even thinking about using hot glue guns to fill in and block the USB ports on computers!  That would have been a mess!

   Before long the prices came down, the storage space went up and the problems multiplied.  Many organizations were not ready for how quickly these drives got integrated into every day work.

   Today we're going to focus on data that is copied on to USB flash drives and taken out of the office.

   The highest capacity USB flash drives we can find today are around 1 TB, though there are plans for 2 TB drives coming on the market before long.  Drives of 512 GB or larger are still pretty expensive.  But we know that prices of the high capacity drives will drop as new larger drives come out.

   To give you an idea of that size... 1 TB is about the size of 1500 CD-ROMs or 143,000,000 Word documents!  That's a lot of data potentially leaving your organization.

   So how do you combat this at your organization?  You don't!  We're not dealing with an adversary whose efforts need to be defeated.  These are well-meaning staff trying to get work done.  Always assume positive intent.

Tuesday, March 14, 2017

A Culture of Security - The Best Infection! (repost)

   This week we're relaunching our Security Awareness campaign at work.  In honor of that, I thought we should re-sample a past post on this subject.  Enjoy!

   I was recently reading an interesting article at SearchSecurity entitled Staff infection: IT security education is contagious.  The article notes that security is the responsibility of every individual and that for an organization to have even a semblance of security, there has to be both buy-in and shared action by the members of the organization.

   The article, very correctly, mentions:
Even in today’s world, the general IT worker tends to view security as a barrier and a pain. It is implemented by someone else, and it makes their job harder to perform.
   This is one of the key problems caused by many security programs.  The information security industry often causes problems for itself by being difficult and inflexible.  Security is often viewed as a barrier.  Security is the group that adds extra requirements, delays projects and increases costs.  And with all of that, Security can't guarantee prevention of an incident or breach, nor even provide a reliable probability of one.

Tuesday, February 28, 2017

Seriously, You Can't Make This Stuff Up!

   Fake news and alternative facts aside, the truth really is stranger than fiction.

   We finally get to the point where the only thing left to talk about concerning Yahoo! is their upcoming turbulent buyout by Verizon.  But noooo...

   They're back, with another breach announcement.  This one is from sometime in the 2015/2016 timeframe (am I the only one who is concerned that they can't pin it down better than that????).  It seems to be more limited in scope (i.e. less than the 500 Million users affected last time!).

   We seriously just "finished" talking about this issue.  Normally when an old problem comes back again (like they always do), I consider re-running an older post with any needed updates (and rarely are any major updates needed).  But I just posted about Yahoo!'s problems TWO MONTHS AGO!

   This time around the root cause is reported to be forged cookies: an attacker who can mint a cookie the site accepts as a valid session walks into the account without ever supplying a password.  Yahoo! is saying that the attackers must have had access to the source code (which is what you would need to learn how the cookies are built and checked) and that a similar method may have been used in the previous attacks.  Maybe... maybe not.

   In other news... the price for Verizon to buy Yahoo! keeps dropping.  Could "free" be far behind?

   You know, the funny thing is that I really like the Yahoo! home page layout with its news summaries.  If they could just protect my account data for more than a month or two we might actually have a service worth salvaging.

   Vote... are you dumping your Yahoo! account or keeping it?

Tuesday, February 14, 2017

ID Fraud, Taxes and Doctors Again (Still?)

   It's that time of year again.  Brian Krebs just put out an article on "darkweb" sales of W-2 information.  You can read that article here.  As is so often the case, the advice to protect yourself hasn't changed - and be assured, you must protect yourself because no one else will, certainly not the IRS!

   As noted below and in Krebs' article, what you need to do now and always is:

  1. file your taxes early
  2. monitor your credit (I covered that topic here... in 2013!)
  3. freeze your credit (two articles from Krebs, also from 2015)
  4. become you before someone else becomes you (I wrote about that subject here)

   Here's a re-run of my article on this subject from two years ago.  It's all still true...

   I did a series of posts last year (2014) on the problem of ID Fraud.  This is an ongoing issue: organizations struggle to protect information, there are cyber attackers out there who want it, and individuals often don't take steps to protect their own.

   The bottom line is that your personal information, primarily your financial information, has tangible dollar value to a cyber attacker.

   We usually think about credit card fraud or maybe bank account fraud as the results of these kinds of data breaches.  But in this post and the next I'd like to talk about two other scenarios that have happened, are happening... and you need to be aware.

   It's that wonderful time of year again in the US.  Crisp weather, snow (most places), the days are starting to get a bit longer... and it's the beginning of tax filing season.

   Imagine you are doing your civic duty, filling out and filing your tax return.  You send it in to the IRS, only to find out that "you" already filed your return and "you" have already received your rather sizable refund - surprise!

   Unfortunately, this has happened.  And, as we've discussed in the past, these attackers are smart.  This is a business.  They need to be able to maximize profits because there is a limited timeframe in which to commit the crime.  So they need to attack a sub-population who:
  1. makes good money;
  2. might have many deductions;
  3. might have complex returns, and;
  4. for whom a large refund might not raise red flags.
   How about... Doctors!

   And, just as I was finishing writing this article, there is new news out about tax fraud this year!  Reports say this is connected with Turbo Tax software, but it is more likely that scammers got people's info through other means and filed the fraudulent returns.  Maybe Turbo Tax is just the scammers' software of choice! :-)

   As always, we want to talk about what you can do.

   In addition to the steps outlined in these previous blog posts, here is the IRS Guide on Identity Theft.  The IRS guide and my previous tips talk about not only what you should do if you are a victim, but tips to avoid the problem in the first place including:
  • protecting your personal information, primarily your social security number
  • don't click on links sent to you via email or in social media - type the link in yourself or do a search
  • use link rating applications like Web Of Trust (WOT)
  • don't give out your personal information via web, email or phone unless you can positively identify the person on the other end
  • review your bills, credit record and other information that might provide early warning of a problem.
   Have you been the victim of tax-related ID Fraud?  Do you have any additional tips to share?

   Of course, this issue is not just about doctors!  Next time we'll talk about something perhaps even closer to your wallet... payroll fraud and misuse.

Tuesday, January 31, 2017

Hello Dearest One

   I just got some incredible news!  I really love working in Information Security, but with this windfall it's certainly time to retire.

   And I wanted to share this news with all of you!

   Here's the email I received that covers it all... this is so exciting!

Hello Dearest One,

I am Mrs. Jessica W the Administrative manager at a vault of financial & security Institute in Madrid, I am contacting you as regards an abandoned sum of $31.7 Million Us dollars (Thirty One million, Seven Hundred Thousand United State Dollars) in our safe deposit vault, that belongs to one of our foreign customers that share the same surname with you, who died along with his entire family on the 11th march 2009 in a ghastly motor accident in Porto Portugal.

The banking policy can only allow the release of such funds to a benefactor through an application as next of kin to the deceased. After his death, the bank has been expecting a possible beneficiary, but nobody came for the claim, this institute has exploited all its ethical possibilities in other to contact possible relation or inheritor, but no success, I have made my own research with the help of private investigator, it is my knowledge that this man has been living in Barcelona for the past 19 years and has never returned back home. I also leant that his wife and 7 year old daughter died with him during this accident, however because of the international financial crises, a lot of reform has been made within the Spanish financial system; this includes the new law on succession/claims which indicates a duration in which such inheritance could be tolerated,

Upon your acceptance to partner with me, I urge you to please kindly get back to me with your direct contact details for further details via my email address: EMAIL: jessica_jessicaxx@yyy.com  or Alternative Email: jessica_vivian@yyy.com on how you and me can make a claim to the funds in question. I GUARANTEE you that this process would be executed under a legitimate and risk free arrangement. Thanks as I wait to hear from you as soon as you receive this proposal e-letter.

Best Regard,
Mrs. Jessica W
EMAIL: jessica_jessicaxx@yyy.com
Alternative Email: jessica_vivian@yyy.com

   I did alter the email addresses!

   I'm not sure what I did to get so lucky to receive this gift, but it sounds like the greatest thing ever!  And the thing is, I'm lucky that I even saw this message because it was in my spam folder.


Tuesday, January 17, 2017

(Browser) Caching Fire

   Someone recently asked me a question about the safety of allowing your web browser to save, and then auto-fill, passwords.  That's a very timely question because that issue has been in the news lately.

   Web browsers have all kinds of built-in capabilities.  One "feature" that is only a few years old is the ability to save information you might type into forms: your name and address, phone number and other contact info, even credit card information.  Browsers can also save your userids and passwords for sites, then automatically fill in that info when you visit the site.

   I've always said that security-minded people should not allow web browsers to save this kind of personal and security info.  This is primarily because all browsers have a track record of having many vulnerabilities.  I've always "said" this but, as it turns out, I've never written about it!  It's about time! [Note... or so I thought! While looking for some other info, I found that I did talk about this issue back in 2013!]

   There are two primary reasons why allowing the browser to save sensitive information is a bad idea:
  1. Copycat and phishing websites can pull the information your browser has stored straight out of the autofill feature, without your knowledge.  This is the problem that was recently announced.
  2. As I just mentioned, browsers have many vulnerabilities and exploits.  At the most recent Pwn2Own contest (a 2-day event at which teams compete to exploit software vulnerabilities for cash prizes), all of the major browsers fell victim!
   The latest issue that was discovered occurs when you are lured to a specially crafted website.  That happens more often than you might think.

Tuesday, January 3, 2017

New Year, Don't Click!

   Well, it's a new year and, as we've discussed in the past, the more things change the more they stay the same.

   My advice for 2017... Don't Click!

   Of course, that's easier said than done.  We've discussed phishing and malicious email here, here and here.

   But on a more practical note, and because I like things that come in 3's, here's some info from the way-back machine... it's advice from Brian Krebs from 2011.  It is his 3 basic rules for online safety.  They are every bit as relevant now as when this was first published.  And it was relevant for years before that.

   The 3 rules are:
  1. If you didn’t go looking for it, don’t install it - this means when you get a pop-up asking you to install some software... don't click!  Only install software that you look for and intend to use.  And, wherever possible, install from reputable websites.  Do your research.
  2. If you installed it, update it - After you install the software you want, you need to keep it up to date.  This is not trivial, but I like using Secunia PSI (Personal Software Inspector) on my home systems for keeping software up to date.
  3. If you no longer need it, remove it - software will have vulnerabilities.  The less software you have, the fewer opportunities there are for vulnerabilities and malware.  This is especially true on your smartphone and tablet, where excess software really slows the performance of the device.
   Here's to a safe and secure 2017!