Tuesday, April 24, 2018

Unprecedented Growth in the Fight to Eradicate Scam

   My first thought when I saw this email was that it's from someone with the same name as the guy
from Arrested Development.  Of course, that's Michael Cera!

   The only thing missing is a link or attachment.

   Of course, there are tons of emails like this around.  And people do respond.

   Would you respond?  How many people at your workplace would respond?  How would you help people recognize this kind of email and not respond?



International Debt Funds Recoup Unit of
United States Department of the Treasury Washington DC.
1500 Pennsylvania Avenue, NW;
Washington, DC 20220


Hello,


International Debt Funds Recoup Unit, incorporated November, 2016 as affiliate of United States Department of the Treasury Washington DC, established for the control of recouped international debt funds, within the short time of this establishment, we have experienced unprecedented growth in the fight to eradicate scam and terrorism.

With Our vast experience cutting across several facets of the world and affiliations with numbers of reputable foreign and local organizations, International Debt Funds Recoup Unit has brilliantly done very well in contributing to the effort of the American Government to curtail fictitious and nefarious activities of scam via the internet, which is perpetually taken out on citizens of United States and innocent citizens of other part of the world by impostors through our vast networking.

We implore your earnestly attention on our resent activities in affiliation with Federal Bureau of Investigation FBI. Your computer and telephone communication  were under surveillance device manipulation on discovery that you have been in communication with impostors, imposing as important dignitaries to the undisclosed organization.

The transaction database of Western Union and Wal-Mart Money Gram recently went through screening on evidence for transaction made on your name overseas and the statements of your bank account were properly studied on evidence for transaction made within the states and overseas. However, the collective findings urged the setup of multifaceted maximum security on your everyday activities most specially your email correspondence and telephone communications.

The state of affairs grows to be interesting that intelligent agent of International Debt Funds Recoup Unit and Federal Bureau of Investigation FBI,
where deployed to investigate on issues of debt funds as a result of Contract Payment Funds, Lottery Winning Funds and Inheritance Funds owe to you by the undisclosed conglomerate under impersonation of impostors imposing as important dignitaries to rip you off your hard earned money and to our dismay, it was discovered that your name appeared as owner of funds valued US$10.5Million United States Dollars.

Representatives of American Government bureaus sent on your behalf on this exploit confirmed that the blueprint of your funds recoup was plain and the outcome of the event was a solution to curtail activities of con artist and indeed a perfect solution to your quest on your funds. The recouped funds are deposited in the pecuniary basement of the International Debt Funds Recoup Unit here in Washington.

To apply for claims, we urge you to reconfirm your personal information stated as following below; the details will be used to conduct lawful underlying principles of verification on your reputation as the beneficiary own of the recouped funds lodged in our basement.

1.  First Name:
2.  Middle Name:
3.  Last Name:
4.  Home Phone Number:
5.  Cell Phone Number:
6.  Home Address:
7.  Date of Birth (mm/dd/yyyy)
8.  Driver's License/ Passport Copy:
9.  Marital Status:
10. Current Employer Name:
11. Position/Title:

This is compulsory instruction. REPLY BACK TO THIS ADDRESS ONLY IF YOU WANT FAST RESPONSE TO YOUR E-MAIL ( mrmichealcenadesk@webmail.hu )

God Bless America.
Sincerely yours,
Mr. Michael Cena

   I do enjoy these kinds of emails!  It's unfortunate that some people do fall for these scams.  Interesting that this one doesn't ask for my SSN, but wants a copy of my driver's license and/or passport - that can be very valuable to the scammer.

   While there are no links or attachments here, there is still danger.  I've written about these kinds of scams in the past, and the prior advice still holds.

  1. You didn't win!  An unsolicited email promising some kind of prize or payoff is not real.
  2. Don't respond to unsolicited email.  It just lets the spammer know you are a live person.  And definitely don't respond and provide information about yourself.
  3. Use care with links in unsolicited email.  There's a good chance that link leads somewhere you don't want to go... like a phishing site or a malware download.
  4. Watch out for attachments... even pictures.  Stop and think before you click on that attachment.  Even if it looks like it came from a friend.  Were you expecting the email and attachment?
  5. Be stingy with your personal information.  Much of what happens in today's world happens online.  And you will have to provide some information sometimes.  But every site doesn't need all your personal information.  And just because a site asks for information doesn't mean you have to provide it.  Before you fill out that form, stop and think, then decide how much information you want to provide.

   You can find a few more tips here.  These steps can help you at home and at the office.
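
   For readers who triage reported mail, the warning signs in the message above can be checked mechanically. This is an added example, not part of the original post; the `triage` function, its indicator names and the shortened excerpt are assumptions made for illustration.

```python
import re

# Shortened excerpt of the message quoted in this post (elisions marked "...").
SAMPLE = """\
International Debt Funds Recoup Unit of
United States Department of the Treasury Washington DC.
... in affiliation with Federal Bureau of Investigation FBI ...
your name appeared as owner of funds valued US$10.5Million United States Dollars.
7.  Date of Birth (mm/dd/yyyy)
8.  Driver's License/ Passport Copy:
REPLY BACK TO THIS ADDRESS ONLY IF YOU WANT FAST RESPONSE TO YOUR E-MAIL ( mrmichealcenadesk@webmail.hu )
"""

GOV_CLAIMS = re.compile(
    r"department of the treasury|federal bureau of investigation|\bFBI\b|\bIRS\b", re.I)
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
MONEY = re.compile(r"(?:US)?\$\s?\d[\d,.]*\s?(?:million|billion)", re.I)
ID_REQUEST = re.compile(r"driver'?s license|passport|date of birth|social security", re.I)
LINK = re.compile(r"https?://|www\.", re.I)


def triage(body):
    """Return a list of (indicator, evidence) pairs found in an email body."""
    hits = []
    claims_gov = GOV_CLAIMS.search(body)
    for m in ADDRESS.finditer(body):
        domain = m.group(1).lower()
        # Treasury and the FBI use .gov addresses, so a government claim
        # paired with any other reply domain is a mismatch.
        if claims_gov and not domain.endswith(".gov"):
            hits.append(("gov-claim/reply-domain mismatch", domain))
    money = MONEY.search(body)
    if money:
        hits.append(("unsolicited large payout", money.group(0)))
    ids = sorted({m.group(0).lower() for m in ID_REQUEST.finditer(body)})
    if ids:
        hits.append(("identity data requested", ", ".join(ids)))
    if hits and not LINK.search(body):
        # Nothing for a URL or attachment scanner to inspect:
        # the victim's reply is what the sender is after.
        hits.append(("no links: reply-based lure", "0 URLs"))
    return hits


if __name__ == "__main__":
    for indicator, evidence in triage(SAMPLE):
        print(f"{indicator}: {evidence}")
```

   The last indicator is the one this message illustrates best: a filter that only inspects links and attachments has nothing to flag here.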

   What's your favorite example of this kind of scam?

Tuesday, April 3, 2018

Keeping Up with the Podcasts!

   I listen to a lot of podcasts.  Probably way too many.

   But podcasts are just such a great way to keep up with timely information in security, technology, news, finance, sports and other topics.  So I listen... a lot!

   I did a post on this topic nearly 6 years ago!  In that post I provided a list of podcasts.  It's way short compared to the list I'll be sharing here.  I also wrote about using podcasts as a learning resource here and here.

   Before I provide the actual list, here are a few important notes:

  • I’ve tried to put these into categories
  • Within each category, the order is not how much I like the podcast but just the order they are in my podcatcher (and that order has little rhyme or reason)
  • Yes, I am crazy
  • Yes, I do constantly have earbuds in my ears
  • I do use a podcatcher that has variable speed and I typically listen at 2.2x! (I still use DoggCatcher)  Yes, we’ve already established that I’m crazy.  And, I have a lot of casts to get through.
  • Some of these podcasts may no longer exist.  Since my list is so long, if some drop out of existence I really don’t notice unless they are one of my few top favs.
  • I actually left some off – I have a casual interest in real estate investing and subscribe to 6-8 casts on that subject
   With that... let's get to the list!

Tuesday, March 13, 2018

We Encounter a Serious Issue



   I just received this voice message on my home phone (landline).

   Here's the text:
   We encounter a serious issue coming out of your computer.  It seems to be someone is trying to hijack your computer and try to steal your personal information.  If it's not fixed right away then your computer will become obsolete and all of your credential information may got compromised.  If you are the one who is using Microsoft Windows in your computer then please call 302-316-9259 or press 1 now to speak with security team now.  Please ignore if we called you by mistake.  Thank you.

   The only serious issue here is that people fall for these scams.  Let's break it down:
  • The Voice - who wouldn't believe a bad computer-generated voice?  Seriously though, there are plenty of pre-recorded and generated junk voice messages we get all the time.  My general rule of thumb - ignore them all and erase is your friend.
  • Bad Grammar - this is practically a throw-back to the old days of spam.  I've written about this in the past.  Someone willing to get past the bad grammar is more likely to continue on to other poor choices.
  • Fear Factor - the message is playing on many people's fear of technology and loss of their personal information.  While we've become almost numb to breach announcements, the idea that there is an attack on our personal home computer is still a scary concept.  Words like "hijack", "steal", "obsolete", and "compromised" invoke fear.
  • Call To Action - "if it's not fixed right away...".  For a person who doesn't understand the complex issues of their computer, the call for immediacy further plays upon the fear state.
  • Microsoft Windows - what are the odds that if a call was made to any household, someone would be using, or would have used in the past 24 hours, Microsoft Windows?  I'd guess that's pretty high.
  • Politeness - bad voice and grammar aside, the call does say please and thank you.  That further instills a sense of confidence in a person already affected by fear and the call to action.

   As I covered in past posts, while I did not call the number (and I suspect it's already been disconnected), if I did get through to someone I bet that they would be very helpful!  That is, as long as I was cooperating.  If I was not forthcoming with information, then these kinds of folks often get forceful.

   Obviously, the best course of action is to just have a good laugh and hit delete when you get a message like this.  We also need to ensure that less technical, or more vulnerable, people understand the issues and are prepared when the call comes.

   Have you, or someone you know, received a call like this?  What happened?

Tuesday, February 20, 2018

ID Fraud and Your Taxes - Take Action!

   It's that time of year again.  Brian Krebs just put out two articles on the ongoing issue of tax fraud.  As is so often the case, the advice to protect yourself hasn't changed - and be assured, you must protect yourself because no one else will, certainly not the IRS!

   As noted below and in the Krebs article, what you need to do now and always is:
  1. file your taxes early
  2. monitor your credit (I covered that topic here... in 2013!)
  3. freeze your credit (two articles from Krebs, also from 2015)
  4. become you before someone else becomes you (I wrote about that subject here and here)
   Here's a re-run of my article on this subject from three years ago.  It's all still true!  As I wrote nearly 5 years ago, the more things change the more they stay the same.

   I did a series of posts last year (2014) on the problem of ID Fraud.  This is an ongoing issue, certainly because organizations struggle to protect information, there are cyber attackers out there, and also individuals don't often take steps to protect their own information.

   The bottom line is that your personal information, primarily your financial information, has tangible dollar value to a cyber attacker.

   We usually think about credit card fraud or maybe bank account fraud as the results of these kinds of data breaches.  But in this post and the next I'd like to talk about two other scenarios that have happened, are happening... and you need to be aware.

   It's that wonderful time of year again in the US.  Crisp weather, snow (most places), the days are starting to get a bit longer... and it's the beginning of tax filing season.

   Imagine you are doing your civic duty, filling out and filing your tax return.  You send it in to the IRS, only to find out that "you" already filed your return and "you" have already received your rather sizable refund - surprise!

   Unfortunately, this has happened.  And, as we've discussed in the past, these attackers are smart.  This is a business.  They need to be able to maximize profits because there is a limited timeframe in which to commit the crime.  So they need to attack a sub-population who:
  1. makes good money;
  2. might have many deductions;
  3. might have complex returns, and;
  4. for whom a large refund might not raise red flags.
   How about... Doctors!

   And, just as I was finishing writing this article, we have new news out about tax fraud this year!  Reports say this is connected with Turbo Tax software, but it is more likely that scammers got people's info through other means and filed the fraudulent returns.  Maybe Turbo Tax is just the scammers' software of choice! :-)

   As always, we want to talk about what you can do.

   In addition to the steps outlined in these previous blog posts, here is the IRS Guide on Identity Theft.  The IRS guide and my previous tips talk about not only what you should do if you are a victim, but tips to avoid the problem in the first place including:
  • protecting your personal information, primarily your social security number
  • don't click on links sent to you via email or in social media - type the link in yourself or do a search
  • use link rating applications like Web Of Trust (WOT)
  • don't give out your personal information via web, email, phone unless you can positively identify the person on the other end
  • review your bills, credit record and other information that might provide early warning of a problem.
   Have you been the victim of tax-related ID Fraud?  Do you have any additional tips to share?

   Of course, this issue is not just about doctors!  Next time we'll talk about something perhaps even closer to your wallet... payroll fraud and misuse.

Tuesday, January 30, 2018

Speculative Speculation

   Patch.

   NO WAIT!... DON’T Patch!

   It may cause unexpected reboots (as opposed to the expected kind???? :-) ).

   It may cause system slowdowns.

   It may conflict with your other system controls.

   It sounds kind of like the “fine print” in one of those pharmaceutical ads… patching side effects may include arrhythmia, faintness, moderate to severe amnesia, flushing of the face, dry mouth, blurry vision, visual distortions or white spots, nausea and vomiting, constipation, muscle twitches, confusion, euphoria, sedation, itchiness, and increased anxiety, respiratory or cardiac arrest, coma, hypoventilation (inadequate ventilation), and possibly death.

   This whole Spectre/Meltdown thing has gotten so much attention lately. But the reports are loaded with misinformation, speculation (!), and even some facts.  I’ve seen some uber-geeky explanations of what is going on.  If you haven’t seen the major rant by the father of Linux, Linus Torvalds, check this out.

   One thing that has been lacking is more simple, straightforward explanations of this complex topic.  I think Steve Gibson did a great job talking about this recently in his SecurityNow! podcast.  He actually explained the underlying mechanism of speculative execution years ago when he was talking about how modern processors work.

   Speculative Execution is really pretty cool.  It can be complex, but a good example is when there are two choices in how some code may execute, i.e. GO here or GO here, the processor does both!  And it executes steps ahead from where you are in the code now.  The overall effect is that the code executes faster.  It’s kind of like paying it forward with extra computing cycles.  Here's a great explanation.

   Here’s the point about this vulnerability… we’ve had plenty of named vulnerabilities.  They are all the rage these past few years – a name and a logo.  But most of these vulnerabilities are code or protocol problems.  Yes, some of those were very wide ranging.  However, this newly discovered problem is a vulnerability in the underlying architecture of nearly every modern computer chip created since 1995.  Everywhere.

   And while this has not been exploited in practice, that will happen.  The Fix is not yet in.  For now, the advice is to not panic, patch selectively and we’ll all watch and wait!

Tuesday, January 9, 2018

Meta-Predictions

   Well, it's a new year and we all know what that means... every security publication, and plenty of non-security publications, come out with their annual security predictions.

   I predict that this year's predictions will be as boring and vanilla as last year's.  And we don't even have to wait until the end of the year to see if I'm right!

   So, rather than adding to the noise, I'll save you some clicks.  Everybody's saying the same things... cybercrime, blockchain, cryptocurrency, breaches, yada yada.

   But some people went above and beyond to make the prediction reading experience special!  Here are my favorites:

   Best presentation.  Kudos on the production value of this prediction post by Watchguard.  Between the nice graphics and videos, I was engaged.  They didn't say anything new... but the way they said it makes it worth a look.
https://www.watchguard.com/wgrd-resource-center/2018-security-predictions

   Best use of AI.  This is a great idea... how about machine-generated predictions!  Great fun.  And I, for one, welcome our AI overlords.  Even the text that doesn't make sense makes more sense than some other predictions!  Well done Kelly and Medium.
https://medium.com/@kshortridge/2018-cyber-security-predictions-d493e25162e7

   Best prediction of the death of passwords.  Well, really they said that password-only authentication will decrease faster.  OK, either way, we've been down this road many times before and, unfortunately, passwords ain't goin' nowhere.  We're stuck with them.
https://www.csoonline.com/article/3242866/security/our-top-7-cyber-security-predictions-for-2018.html

   Remembering what we said in 2017 award.  This post doesn't say anything particularly interesting, but I like that they go back and grade their 2017 predictions.  Of course, those predictions were pretty bland but they only gave themselves a generous 9.5 out of 10.
http://resources.infosecinstitute.com/2018-cyber-security-predictions/

   tl;dr award.  I seriously did not even read this one.  Really Forbes?  60 predictions?  I guess all the ad networks you hit us with aren't enough?  I guess quantity wins.
https://www.forbes.com/sites/gilpress/2017/11/26/60-cybersecurity-predictions-for-2018/

   What are your favorite predictions?

   Here's to a great 2018!