Tuesday, May 9, 2017

Google Docs and the Mailinator

   You're minding your own business, just checking email, when you get an email from a "friend" inviting you to open a shared Google Doc.

   You're a student of security, or at least a fan, so you're always skeptical when you receive an email with a link or attachment.  This one appears to come from someone you know.  The subject and body of the message seem consistent with a Google doc sharing message.

   Problem clue #1 - look at the "To:" line.  Clearly, this message wasn't sent to you.

   Problem clue #2 - were you expecting this email and file?  Has this sender sent you Google docs in the past?  Did this email arrive at work or home - and do you normally use Google docs there?

   But, you are rushed and don't have time to send your friend a message to see if this email is legit.  So you click.  If you're not already logged in to your Google account, you're asked to log in.  What you see next is...
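   Clue #1 above is mechanical enough to automate.  The following Python triage is an added example, not code from the original post: it parses a message, checks whether your own address actually appears in To: or Cc:, and pulls every link target out of the HTML body to compare its host against the hosts a real Google Docs share would use.  The sample message is constructed to match the description above (the Mailinator address in To:, a link whose real host is not Google's); the address and link are invented, and the `trusted_hosts` list is an assumption you would tune for your own environment.

```python
from email import message_from_string, policy
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message described above: the To: line
# is not the recipient, and the share link's real host is not Google's.
SAMPLE = """\
From: "A. Friend" <a.friend@example.com>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: A. Friend has shared a document on Google Docs with you
Content-Type: text/html; charset=utf-8

<p>A. Friend has invited you to view the following document:</p>
<p><a href="https://docs.google.com.example.net/share?id=1">Open in Docs</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect the real href targets, not the text the reader sees."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def triage(raw: str, my_address: str,
           trusted_hosts=("docs.google.com", "drive.google.com")) -> list:
    """Return a list of human-readable findings; an empty list means no clue fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Clue #1: was this message actually addressed to me?
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = {addr.lower() for _, addr in getaddresses(headers) if addr}
    if my_address.lower() not in recipients:
        findings.append("not addressed to me: To/Cc = " + ", ".join(sorted(recipients)))

    # Where does the "Open in Docs" link really go?
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for link in collector.links:
        host = (urlparse(link).hostname or "").lower()
        if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            findings.append(f"link host {host!r} is not a Google Docs host")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE, "me@example.org"):
        print("WARNING:", finding)
```

   The host check deliberately tests the parsed hostname rather than searching the URL for the string "docs.google.com"; that string is present in the sample link, which is exactly the trick a lookalike host relies on.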

Tuesday, April 25, 2017

World Password Day and Teen Power

   Thurs May 4, 2017 is World Password Day!  I know that's coming up fast, but don't worry, you still have time to plan your celebration.  No, that's not the day when you share your password with the world.  Nor is it about changing your bank password from 123456 to 1234567.

   I've written about this in the past.  World Password Day is a day to learn, and it's yet another opportunity to take a look at what is protecting your personal information, your financial information, your medical information, as well as your internet presence and reputation.  Most passwords provide only a thin veil of protection.

   On World Password Day, we should look at the 4 main problems we can very easily fix:
  1. People choose weak or easily guessable passwords - the simple fix is to choose better passwords!  As I've said many times in the past, when it comes to passwords, size matters!  Make 'em long.  But even if you choose a good password...
  2. Passwords get reused among sites - this is a major problem because the attackers will try stolen passwords at other sites.  And it works.  So choose a unique password for every site on which you have an account.  But...
  3. We can't remember all our passwords - so, as we've discussed in the past, use a password vault.  The vault is a program that will help you choose great passwords, recall those passwords and protect them.  But sometimes that's not enough because...
  4. Even well-chosen passwords can be guessed or hacked - so for extra protection use two-factor authentication (also called multi-factor authentication).  Typically this means using an app on your smartphone as part of the login process.  That means, to break into your account, an attacker would need both your (long, strong) password AND your smartphone.  That's hard for the attacker to do.  And using multi-factor is easy!  Setting up 2-factor authentication is easier than ever before and is in use on many mainstream sites including Google, Facebook and Twitter.  Here's some info on sites offering 2-factor authentication.

   The WPD website has some high level guidance on each of these as well as those great Betty White videos!

   And if those all aren't enough reasons to move to 2-factor authentication, now... that pinnacle of journalism... Teen Vogue, has put out a really good article on the subject!  You can read it here.

   In addition to really good coverage of 2-factor methods and websites, the article also goes into more advanced topics like the use of a physical token called a YubiKey.

   What is really significant is that this article is directed at a population who both grew up with technology and is used to sharing everything. The key message is that there are good reasons for protecting your information and reputation, even if you don't yet have financial assets or a job.

   So, are you ready to take the World Password Day challenge?  Start slowly.  Get a password vault and start with your most important sites: banks, insurance, investment and social media.  Change the passwords to unique long strong ones.

Tuesday, April 11, 2017

Cyberbullying and the New Math

   According to the Cyberbullying Research Center, the National Crime Victimization Survey (NCVS) is a large-scale data collection effort led by the U.S. Census Bureau and the Bureau of Justice Statistics.  This study has been going on since 1973.  In 1989 they added supplemental questions focused on school-related incidents, and stepped this up to a more in-depth biennial survey in 2005.

   Cyberbullying is still a major issue.  It's been over 4 years since I've written on this subject.  While there is perhaps more visibility, the basic problems haven't changed.

  Based on the above benchmark, at first glance, bullying appears to be trending down over the past decade.


   While there have been some high-profile cases over the years, this is a real, current and ongoing issue.

Tuesday, March 28, 2017

Big Problems, Small Packages (part 1)


    We're constantly hearing about data breaches in the news.  Many are due to external attacks, as happened to Yahoo! or OPM.  Many others are caused by well-meaning staff or contractors who carry data with them on laptops that then get lost or stolen.

   USB flash drives, often called thumb drives because they're about the size of your thumb, first hit the market in around 2000.  They had relatively little storage space and weren't cheap, but quickly became a security issue both for the potential to carry and load malware as well as taking data out of the office.  I remember discussions about this issue back in the early 2000s and some organizations were even thinking about using hot glue guns to fill in and block the USB ports on computers!  That would have been a mess!

   Before long the prices came down, the storage space went up and the problems multiplied.  Many organizations were not ready for how quickly these drives got integrated into every day work.

   Today we're going to focus on data that is copied on to USB flash drives and taken out of the office.

   The highest capacity USB flash drives we can find today are around 1 TB, though there are plans for 2 TB drives coming on the market before long.  Drives of 512 GB or larger are still pretty expensive.  But we know that prices of the high capacity drives will drop as new larger drives come out.

   To give you an idea of that size... 1 TB is about the size of 1500 CD-ROMs or 143,000,000 Word documents!  That's a lot of data potentially leaving your organization.

   So how do you combat this at your organization?  You don't!  We're not dealing with an adversary whose efforts need to be defeated.  These are well-meaning staff trying to get work done.  Always assume positive intent.

Tuesday, March 14, 2017

A Culture of Security - The Best Infection! (repost)
   This week we're relaunching our Security Awareness campaign at work.  In honor of that, I thought we should re-sample a past post on this subject.  Enjoy!
   I was recently reading an interesting article at SearchSecurity entitled Staff infection: IT security education is contagious.  The article notes that security is the responsibility of every individual and that for an organization to have even a semblance of security, there has to be both buy-in and shared action by the members of the organization.

   The article, very correctly, mentions:
Even in today’s world, the general IT worker tends to view security as a barrier and a pain. It is implemented by someone else, and it makes their job harder to perform.
   This is one of the key problems caused by many security programs.  The information security industry often causes problems for itself by being difficult and inflexible.  Security is often viewed as a barrier.  Security is the group that adds extra requirements, delays projects and increases costs.  And with all of that, Security can't guarantee prevention of an incident or breach, nor even provide a reliable probability of one.

Tuesday, February 28, 2017

Seriously, You Can't Make This Stuff Up!

   Fake news and alternative facts aside, the truth really is stranger than fiction.

   We finally get to the point where the only thing left to talk about concerning Yahoo! is their upcoming turbulent buyout by Verizon.  But noooo...

   They're back, with another breach announcement.  This one is from sometime in the 2015/2016 timeframe (am I the only one who is concerned that they can't pin it down better than that????).  It seems to be more limited in scope (i.e. less than the 500 Million users affected last time!).

   We seriously just "finished" talking about this issue.  Normally when an old problem comes back again (as they always do), I consider re-running an older post with any needed updates (and rarely are any major updates needed).  But I just posted about Yahoo!'s problems TWO MONTHS AGO!

   This time around the root cause is supposed to be a forged cookie that could be used to access an account without using a password.  Yahoo! is saying that the attackers must have had access to the source code and that a similar method may have been used in the previous attacks.  Maybe... maybe not.
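   The article does not describe how Yahoo!'s cookies were built, so the following is an added illustration in Python, not Yahoo!'s code or anything from the announcement, of why "forged cookie" and "had access to the source code" belong in the same sentence.  A session cookie is only believable because of a tag computed under a server-side secret; an attacker who can read the claims but not the key cannot change them, while an attacker who obtains the key (for instance because it was checked into the source) can mint a valid cookie for any account without ever touching a password.  The key, claim names and lifetime here are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for this example.  In a real deployment this is the secret
# that turns "knows the cookie format" into "can mint any cookie" if it ever
# leaks alongside the source or the config; keep it out of both, and rotate it.
SERVER_KEY = b"example-only-rotate-me-0123456789abcdef"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user: str, key: bytes, now: int, ttl: int = 3600) -> str:
    """Mint <claims>.<tag>.  The claims are readable by anyone; the tag
    (HMAC-SHA256 under the server key) is what makes them believable."""
    claims = json.dumps({"sub": user, "exp": now + ttl}, separators=(",", ":"))
    body = b64url(claims.encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(tag)}"


def verify_cookie(cookie: str, key: bytes, now: int) -> Optional[str]:
    """Return the user the cookie authenticates, or None.  The tag is checked
    in constant time before any claim is trusted, and expiry is enforced."""
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(tag)):
            return None
        claims = json.loads(unb64url(body))
    except ValueError:  # missing separator, bad base64, bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def tamper_subject(cookie: str, new_user: str) -> str:
    """Attacker WITHOUT the key: rewrite the claims, keep the old tag."""
    body, tag = cookie.split(".", 1)
    claims = json.loads(unb64url(body))
    claims["sub"] = new_user
    new_body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{new_body}.{tag}"


def forge_cookie(victim: str, key: bytes, now: int) -> str:
    """Attacker WITH the key (say, it shipped in the source): mint a valid
    cookie for any account.  No password is involved at any point."""
    return issue_cookie(victim, key, now)


if __name__ == "__main__":
    now = 1_000_000
    good = issue_cookie("alice", SERVER_KEY, now)
    print("legit cookie ->", verify_cookie(good, SERVER_KEY, now))
    print("tampered, no key ->", verify_cookie(tamper_subject(good, "admin"), SERVER_KEY, now))
    print("forged with key ->", verify_cookie(forge_cookie("admin", SERVER_KEY, now), SERVER_KEY, now))
```

   The practical lesson for the defender is the last line: once the signing key is exposed, every cookie ever issued under it is suspect, and the only fix is to rotate the key and invalidate all outstanding sessions, which is painful in proportion to how long the leak went unnoticed.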

   In other news... the price for Verizon to buy Yahoo! keeps dropping.  Could "free" be far behind?

   You know, the funny thing is that I really like the Yahoo! home page layout with its news summaries.  If they could just protect my account data for more than a month or two we might actually have a service worth salvaging.

   Vote... are you dumping your Yahoo! account or keeping it?

Tuesday, February 14, 2017

ID Fraud, Taxes and Doctors Again (Still?)

   It's that time of year again.  Brian Krebs just put out an article on "darkweb" sales of W-2 information.  You can read that article here.  As is so often the case, the advice to protect yourself hasn't changed - and be assured, you must protect yourself because no one else will, certainly not the IRS!

   As noted below and in Krebs' article, what you need to do now and always is:

  1. file your taxes early
  2. monitor your credit (I covered that topic here... in 2013!)
  3. freeze your credit (two articles from Krebs, also from 2015)
  4. become you before someone else becomes you (I wrote about that subject here)

   Here's a re-run of my article on this subject from two years ago.  It's all still true...

   I did a series of posts last year (2014) on the problem of ID Fraud.  This is an ongoing issue, certainly because organizations struggle to protect information, there are cyber attackers out there, and also individuals don't often take steps to protect their own information.

   The bottom line is that your personal information, primarily your financial information, has tangible dollar value to a cyber attacker.

   We usually think about credit card fraud or maybe bank account fraud as the results of these kinds of data breaches.  But in this post and the next I'd like to talk about two other scenarios that have happened, are happening... and you need to be aware.

   It's that wonderful time of year again in the US.  Crisp weather, snow (most places), the days are starting to get a bit longer... and it's the beginning of tax filing season.

   Imagine you are doing your civic duty, filling out and filing your tax return.  You send it in to the IRS, only to find out that "you" already filed your return and "you" have already received your rather sizable refund - surprise!

   Unfortunately, this has happened.  And, as we've discussed in the past, these attackers are smart.  This is a business.  They need to be able to maximize profits because there is a limited timeframe in which to commit the crime.  So they need to attack a sub-population who:
  1. makes good money;
  2. might have many deductions;
  3. might have complex returns, and;
  4. for whom a large refund might not raise red flags.
   How about... Doctors!

   And, just as I'm finishing writing this article, we have new news out about tax fraud this year!  Reports say this is connected with TurboTax software, but it is more likely that scammers got people's info through other means and filed the fraudulent returns.  Maybe TurboTax is just the scammers' software of choice! :-)

   As always, we want to talk about what you can do.

   In addition to the steps outlined in these previous blog posts, here is the IRS Guide on Identity Theft.  The IRS guide and my previous tips talk about not only what you should do if you are a victim, but tips to avoid the problem in the first place including:
  • protecting your personal information, primarily your social security number
  • don't click on links sent to you via email or in social media - type the link in yourself or do a search
  • use link rating applications like Web Of Trust (WOT)
  • don't give out your personal information via web, email or phone unless you can positively identify the person on the other end
  • review your bills, credit record and other information that might provide early warning of a problem.
   Have you been the victim of tax-related ID Fraud?  Do you have any additional tips to share?

   Of course, this issue is not just about doctors!  Next time we'll talk about something perhaps even closer to your wallet... payroll fraud and misuse.

Tuesday, January 31, 2017

Hello Dearest One

   I just got some incredible news!  I really love working in Information Security, but with this windfall it's certainly time to retire.

   And I wanted to share this news with all of you!

   Here's the email I received that covers it all... this is so exciting!




Hello Dearest One,

I am Mrs. Jessica W the Administrative manager at a vault of financial & security Institute in Madrid, I am contacting you as regards an abandoned sum of $31.7 Million Us dollars (Thirty One million, Seven Hundred Thousand United State Dollars) in our safe deposit vault, that belongs to one of our foreign customers that share the same surname with you, who died along with his entire family on the 11th march 2009 in a ghastly motor accident in Porto Portugal.

The banking policy can only allow the release of such funds to a benefactor through an application as next of kin to the deceased. After his death, the bank has been expecting a possible beneficiary, but nobody came for the claim, this institute has exploited all its ethical possibilities in other to contact possible relation or inheritor, but no success, I have made my own research with the help of private investigator, it is my knowledge that this man has been living in Barcelona for the past 19 years and has never returned back home. I also leant that his wife and 7 year old daughter died with him during this accident, however because of the international financial crises, a lot of reform has been made within the Spanish financial system; this includes the new law on succession/claims which indicates a duration in which such inheritance could be tolerated,

Upon your acceptance to partner with me, I urge you to please kindly get back to me with your direct contact details for further details via my email address: EMAIL: jessica_jessicaxx@yyy.com  or Alternative Email: jessica_vivian@yyy.com on how you and me can make a claim to the funds in question. I GUARANTEE you that this process would be executed under a legitimate and risk free arrangement. Thanks as I wait to hear from you as soon as you receive this proposal e-letter.

Best Regard,
Mrs. Jessica W
EMAIL: jessica_jessicaxx@yyy.com
Alternative Email: jessica_vivian@yyy.com


   I did alter the email addresses!

   I'm not sure what I did to get so lucky to receive this gift, but it sounds like the greatest thing ever!  And the thing is, I'm lucky that I even saw this message because it was in my spam folder.

   😃😄😉


Tuesday, January 17, 2017

(Browser) Caching Fire

   Someone recently asked me a question about the safety of allowing your web browser to save, and then auto-fill, passwords.  That's a very timely question because that issue has been in the news lately.

   Web browsers have all kinds of built-in capabilities.  One "feature" that is only a few years old is the ability to save information you might put into forms such as: your name and address, phone number and other contact info, credit card information.  Browsers can also save your userids and passwords for sites, then automatically fill in that info when you visit the site.

   I've always said that security-minded people should not allow web browsers to save this kind of personal and security info.  This is primarily because all browsers have a track record of having many vulnerabilities.  I've always "said" this but, as it turns out, I've never written about it!  It's about time! [Note... or so I thought! While looking for some other info, I found that I did talk about this issue back in 2013!]

   There are two primary reasons why allowing the browser to save sensitive information is a bad idea:
  1. Copycat and phishing websites can grab information your browser has stored directly, without your knowledge.  This is the problem that was recently announced.
  2. As I just mentioned, browsers have many vulnerabilities and exploits.  At this year's Pwn2Own contest (a 2-day event at which teams compete to exploit software vulnerabilities for cash prizes), all of the major browsers fell victim!
   The latest issue that was discovered occurs when you are lured to a specially crafted website.  That happens more often than you might think

Tuesday, January 3, 2017

New Year, Don't Click!

   Well, it's a new year and, as we've discussed in the past, the more things change the more they stay the same.

   My advice for 2017... Don't Click!

   Of course, that's easier said than done.  We've discussed phishing and malicious email here, here and here.

   But on a more practical note, and because I like things that come in 3's, here's some info from the way-back machine... it's advice from Brian Krebs from 2011.  It is his 3 basic rules for online safety.  They are every bit as relevant now as when this was first published.  And it was relevant for years before that.

   The 3 rules are:
  1. If you didn’t go looking for it, don’t install it - this means when you get a pop-up asking you to install some software... don't click!  Only install software that you look for and intend to use.  And, wherever possible, install from reputable websites.  Do your research.
  2. If you installed it, update it - After you install the software you want, you need to keep it up to date.  This is not trivial, but I like using Secunia PSI (Personal Software Inspector) on my home systems for keeping software up to date.
  3. If you no longer need it, remove it - software will have vulnerabilities.  The less software you have, the fewer opportunities there are for vulnerabilities and malware.  This is especially true on your smartphone and tablet, where excess software really slows the performance of the device.
   Here's to a safe and secure 2017!