<b>Security and Coffee</b><br />
A place to talk about information security, Internet safety and, of course... coffee!<br />
Thoughtful, sometimes controversial, but not following the crowd unless I'm in line at the coffee shop.<br />
Barry<br />
<hr />
<b>Unprecedented Growth in the Fight to Eradicate Scam</b> (2018-04-24)<br />
<a href="https://upload.wikimedia.org/wikipedia/commons/4/46/Michael_Cera_2012.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="800" data-original-width="541" height="200" src="https://upload.wikimedia.org/wikipedia/commons/4/46/Michael_Cera_2012.jpg" width="135" /></a> My first thought when I saw this email was that it's from someone with the same name as the guy <br />
from Arrested Development. Of course, that's Michael Cera!<br />
<br />
The only thing missing is a link or attachment.<br />
<br />
Of course, there are tons of emails like this around. And people do respond.<br />
<br />
Would you respond? How many people at your workplace would respond? How would you help people recognize this kind of email and not respond?<br />
<br />
<hr />
<br />
International Debt Funds Recoup Unit of<br />
United States Department of the Treasury Washington DC.<br />
1500 Pennsylvania Avenue, NW;<br />
Washington, DC 20220<br />
<br />
<br />
Hello,<br />
<br />
<br />
International Debt Funds Recoup Unit, incorporated November, 2016 as affiliate of United States Department of the Treasury Washington DC, established for the control of recouped international debt funds, within the short time of this establishment, we have experienced unprecedented growth in the fight to eradicate scam and terrorism.<br />
<br />
With Our vast experience cutting across several facets of the world and affiliations with numbers of reputable foreign and local organizations, International Debt Funds Recoup Unit has brilliantly done very well in contributing to the effort of the American Government to curtail fictitious and nefarious activities of scam via the internet, which is perpetually taken out on citizens of United States and innocent citizens of other part of the world by impostors through our vast networking.<br />
<br />
We implore your earnestly attention on our resent activities in affiliation with Federal Bureau of Investigation FBI. Your computer and telephone communication were under surveillance device manipulation on discovery that you have been in communication with impostors, imposing as important dignitaries to the undisclosed organization.<br />
<br />
The transaction database of Western Union and Wal-Mart Money Gram recently went through screening on evidence for transaction made on your name overseas and the statements of your bank account were properly studied on evidence for transaction made within the states and overseas. However, the collective findings urged the setup of multifaceted maximum security on your everyday activities most specially your email correspondence and telephone communications.<br />
<br />
The state of affairs grows to be interesting that intelligent agent of International Debt Funds Recoup Unit and Federal Bureau of Investigation FBI,<br />
where deployed to investigate on issues of debt funds as a result of Contract Payment Funds, Lottery Winning Funds and Inheritance Funds owe to you by the undisclosed conglomerate under impersonation of impostors imposing as important dignitaries to rip you off your hard earned money and to our dismay, it was discovered that your name appeared as owner of funds valued US$10.5Million United States Dollars.<br />
<br />
Representatives of American Government bureaus sent on your behalf on this exploit confirmed that the blueprint of your funds recoup was plain and the outcome of the event was a solution to curtail activities of con artist and indeed a perfect solution to your quest on your funds. The recouped funds are deposited in the pecuniary basement of the International Debt Funds Recoup Unit here in Washington.<br />
<br />
To apply for claims, we urge you to reconfirm your personal information stated as following below; the details will be used to conduct lawful underlying principles of verification on your reputation as the beneficiary own of the recouped funds lodged in our basement.<br />
<br />
1. First Name:<br />
2. Middle Name:<br />
3. Last Name:<br />
4. Home Phone Number:<br />
5. Cell Phone Number:<br />
6. Home Address:<br />
7. Date of Birth (mm/dd/yyyy)<br />
8. Driver's License/ Passport Copy:<br />
9. Marital Status:<br />
10. Current Employer Name:<br />
11. Position/Title:<br />
<br />
This is compulsory instruction. REPLY BACK TO THIS ADDRESS ONLY IF YOU WANT FAST RESPONSE TO YOUR E-MAIL ( mrmichealcenadesk@webmail.hu )<br />
<br />
God Bless America.<br />
Sincerely yours,<br />
Mr. Michael Cena
<br />
<hr />
I do enjoy these kinds of emails! It's unfortunate that some people do fall for these scams. Interesting that this one doesn't ask for my SSN, but wants a copy of my driver's license and/or passport - that can be very valuable to the scammer. Note too that a letter claiming to come from the US Treasury in Washington asks you to reply to an address on webmail.hu, a Hungarian (.hu) webmail domain rather than a .gov one.<br />
<br />
While there are no links or attachments here, there is still danger. I've written about these <a href="https://securityandcoffee.blogspot.com/2017/06/payday.html">kinds</a> of <a href="https://securityandcoffee.blogspot.com/2015/03/good-day.html">scams</a> in the <a href="https://securityandcoffee.blogspot.com/2017/08/dont-blame-irs.html">past</a>, and the prior advice still holds.<br />
<br />
<ol>
<li>You didn't win! An unsolicited email promising some kind of prize or payoff is not real.</li>
<li>Don't respond to unsolicited email. It just lets the spammer know you are a live person. And definitely don't respond and provide information about yourself.</li>
<li>Use care with links in unsolicited email. There's a good chance that link leads somewhere you don't want to go... like a phishing site or a malware download.</li>
<li>Watch out for attachments... even pictures. Stop and think before you click on that attachment. Even if it looks like it came from a friend. Were you expecting the email and attachment?</li>
<li>Be stingy with your personal information. Much of what happens in today's world happens online. And you will have to provide some information sometimes. But every site doesn't need all your personal information. And just because a site asks for information doesn't mean you have to provide it. Before you fill out that form, stop and think, then decide how much information you want to provide.</li>
</ol>
<br />
You can find a few more tips <a href="https://securityandcoffee.blogspot.com/2016/07/brexit-protection-click-here.html">here</a>. These steps can help you at home and at the office.<br />
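As an added illustration of the checks above (example code written for this page, not part of the original post), here is a small Python triage script that looks for the warning signs in a message like the one quoted: a reply address whose domain doesn't match the sender, a free webmail reply address, a claimed US government agency writing from a non-.gov domain, a promised payoff, a request for identity documents, and pressure to reply fast. The From header, the webmail provider list and the phrase lists are assumptions made for the example; the sample message is the post's e-mail trimmed down.<br />

```python
"""Triage an unsolicited e-mail for common scam warning signs.

Added example, not code from the original post. The sender address, the
provider list and the phrase lists are assumptions made for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Free webmail providers a government agency would not use for official replies
# (assumed, illustrative list; extend it for real use).
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
                "aol.com", "webmail.hu"}

# Organizations scam mail likes to impersonate; a genuine message from any of
# them would come from a .gov sender (assumption for this example).
CLAIMED_AGENCIES = ("department of the treasury", "federal bureau of investigation",
                    "internal revenue service")

PAYOFF_PHRASES = ("million", "funds", "lottery", "inheritance", "beneficiary")
PII_REQUESTS = ("passport", "driver's license", "date of birth",
                "social security", "home address", "home phone")
URGENCY_PHRASES = ("reply back", "compulsory", "immediately", "right away",
                   "fast response")

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def message_body(raw: str) -> str:
    """Plain-text body of a raw RFC 822 message (first text part if multipart)."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload(decode=True).decode("utf-8", "replace")
        return ""
    return msg.get_payload()


def triage(raw: str) -> list:
    """Return a list of human-readable warning signs found in the message."""
    msg = message_from_string(raw)
    body = message_body(raw)
    text = body.lower()
    findings = []

    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    # Scammers often put the real reply address in the body instead of the
    # Reply-To header, so collect both.
    reply_doms = {domain_of(a) for a in ADDRESS_RE.findall(body)}
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to:
        reply_doms.add(domain_of(reply_to))

    for dom in sorted(reply_doms):
        if dom != from_dom:
            findings.append(f"reply address on {dom} does not match sender domain {from_dom}")
        if dom in FREE_WEBMAIL:
            findings.append(f"reply address on free webmail provider {dom}")

    if any(a in text for a in CLAIMED_AGENCIES) and not from_dom.endswith(".gov"):
        findings.append(f"claims to be a US government agency but sender domain is {from_dom}")

    payoff = [p for p in PAYOFF_PHRASES if p in text]
    if payoff:
        findings.append("promises a payoff: " + ", ".join(payoff))
    pii = [p for p in PII_REQUESTS if p in text]
    if pii:
        findings.append("asks for personal data: " + ", ".join(pii))
    urgent = [p for p in URGENCY_PHRASES if p in text]
    if urgent:
        findings.append("pressures for a fast reply: " + ", ".join(urgent))
    return findings


# Constructed sample: the post's e-mail trimmed down, with an assumed From header.
SAMPLE = """\
From: "Mr. Michael Cena" <recoup-unit@treasury-idfru.example>
Subject: Unprecedented Growth in the Fight to Eradicate Scam

International Debt Funds Recoup Unit of
United States Department of the Treasury Washington DC.

It was discovered that your name appeared as owner of funds valued
US$10.5Million United States Dollars. To apply for claims, we urge you
to reconfirm your personal information stated as following below;
6. Home Address:
7. Date of Birth (mm/dd/yyyy)
8. Driver's License/ Passport Copy:
This is compulsory instruction. REPLY BACK TO THIS ADDRESS ONLY IF YOU
WANT FAST RESPONSE TO YOUR E-MAIL ( mrmichealcenadesk@webmail.hu )
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

Run it on the sample and it reports six findings; the two that matter most are the ones no amount of polished wording can hide, the reply domain that differs from the sender and the free webmail provider behind a supposed Treasury unit. Feed it a raw message saved from your mail client and keep the word lists as a starting point, not a verdict.<br />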
<br />
What's your favorite example of this kind of scam?<br />
Barry<br />
<hr />
<b>Keeping Up with the Podcasts!</b> (2018-04-03)<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlhpyZj1UJdo2_HoXVIkKvQLgehy-F99QZ3hmeYkRR94JqZ_j84be5RmoJPbZCiQigMm5wWFj9FBZbsqjR7tDacgBDxnzgbBh8tK3NyweibAPYUMs8RO8Hr4tdzOl4ws7CobNV4Ti6B0k/s1600/podcasts+npr.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="544" data-original-width="936" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlhpyZj1UJdo2_HoXVIkKvQLgehy-F99QZ3hmeYkRR94JqZ_j84be5RmoJPbZCiQigMm5wWFj9FBZbsqjR7tDacgBDxnzgbBh8tK3NyweibAPYUMs8RO8Hr4tdzOl4ws7CobNV4Ti6B0k/s200/podcasts+npr.png" width="200" /></a> I listen to a lot of podcasts. Probably way too many.<br />
<br />
But podcasts are just such a great way to keep up with timely information in security, technology, news, finance, sports and other topics. So I listen... a lot!<br />
<br />
I did a post on this topic <a href="https://securityandcoffee.blogspot.com/2012/12/keeping-up-and-podcasts.html">nearly 6 years ago</a>! In that post I provided a list of podcasts. It's way short compared to the list I'll be sharing here. I also wrote about using podcasts as a learning resource <a href="https://securityandcoffee.blogspot.com/2016/11/information-security-learning-resources.html">here</a> and <a href="https://securityandcoffee.blogspot.com/2016/12/information-security-learning-resources.html">here</a>.<br />
<br />
Before I provide the actual list, here are a few important notes:<br />
<br />
<ul>
<li>I’ve tried to put these into categories</li>
<li>Within each category, the order is not how much I like the podcast but just the order they are in my podcatcher (and that order has little rhyme or reason)</li>
<li>Yes, I am crazy</li>
<li>Yes, I do constantly have earbuds in my ears</li>
<li>I do use a podcatcher that has variable speed and I typically listen at 2.2x! (I still use <a href="http://www.doggcatcher.com/">DoggCatcher</a>) Yes, we’ve already established that I’m crazy. And, I have a lot of casts to get through.</li>
<li>Some of these podcasts may no longer exist. Since my list is so long, if some drop out of existence I really don’t notice unless they are one of my few top favs.</li>
<li>I actually left some off – I have a casual interest in real estate investing and subscribe to 6-8 casts on that subject</li>
</ul>
<div>
With that... let's get to the list!<a name='more'></a></div>
<div>
<b><br /></b></div>
<div>
<b>Security</b></div>
<div>
<div>
<ul>
<li>SANS Internet Storm Center Daily Network/Cyber Security and Information Security Podcast - https://isc.sans.edu/dailypodcast.xml</li>
<li>The CyberWire - Your cyber security news connection - http://thecyberwire.libsyn.com/rss</li>
<li>7 Minute Security - http://feeds.feedburner.com/7MinuteSecurity</li>
<li>Risky Business - http://risky.biz/feeds/risky-business</li>
<li>Security Now (MP3) - http://leoville.tv/podcasts/sn.xml</li>
<li>Codebreaker - https://feeds.publicradio.org/public_feeds/codebreaker-by-marketplace-and-tech-insider/itunes/rss</li>
<li>Down the Security Rabbithole - http://podcast.wh1t3rabbit.net/rss</li>
<li>The Risk Science Podcast - http://feeds.feedburner.com/posterous/jhtP</li>
<li>Paul’s Security Weekly - http://pauldotcom.com/podcast/psw.xml</li>
<li>Liquidmatrix Security Digest Podcast - http://liquidmatrix.libsyn.com/rss</li>
<li>InfoSecSync - http://www.infosecsync.com/feed</li>
<li>Security Current podcast - http://insight.securitycurrentnetwork.libsynpro.com/rss</li>
<li>security on Huffduffer - https://huffduffer.com/tags/security/rss</li>
<li>Security Advisor Alliance Podcast - http://securityadvisoralliance.libsyn.com/rss</li>
<li>Defensive Security Podcast - http://www.defensivesecurity.org/feed/podcast/</li>
<li>The Southern Fried Security Podcast - http://sfspodcast.libsyn.com/rss</li>
<li>Recorded Future - http://recordedfuture.libsyn.com/rss</li>
<li>Brakeing Down Security Podcast - http://brakeingsecurity.com/rss</li>
<li>CERT’s Podcast Series: Security for Business Leaders - http://www.cert.org/podcast/exec_podcast.rss</li>
<li>The Silver Bullet Security Podcast with Gary McGraw - http://feeds.feedburner.com/silverbulletsecurity</li>
<li>Healthcare Tech Talk - http://healthtechtalk.libsyn.com/rss</li>
<li>IANS Information Security Podcast - http://iansresearch.libsyn.com/rss</li>
<li>On The Wire - https://www.onthewire.io/feed/podcast</li>
<li>IoT This Week - https://craigsmith.net/feed/podcast/</li>
<li>The Scammercast - http://www.2guystalking.com/category/scammercast/feed/</li>
<li>Komando On Demand - http://feeds.podtrac.com/qjDxovCnSaSq</li>
<li>The Kim Komando Show Clips - http://feeds.podtrac.com/Z-qqqQ6XZl5n</li>
<li>Smashing Security - http://smashingsecurity.libsyn.com/rss</li>
<li>Business of Security Podcast - http://154688.buzzsprout.com/</li>
</ul>
</div>
<div>
<b>Tech</b></div>
<div>
<ul>
<li>This Week in Tech (MP3) - http://leoville.tv/podcasts/twit.xml</li>
<li>Tech News Weekly - http://leoville.tv/podcasts/tnt.xml</li>
<li>Technology: NPR - http://www.npr.org/templates/rss/podlayer.php?id=1019</li>
<li>WSJ Tech News Briefing - http://feeds.wsjonline.com/wsj/podcast_wall_street_journal_tech_news_briefing</li>
<li>Triangulation - http://feeds.twit.tv/tri.xml</li>
<li>This Week in Google - http://leoville.tv/podcasts/twig.xml</li>
<li>O’Reilly Radar Podcast - http://feeds.feedburner.com/OreillyRadarPodcast</li>
<li>IRL: Online Life Is Real Life - https://feeds.mozilla-podcasts.org/irl</li>
<li>The Feed with Amber Mac & Michael B - http://ambermac.podbean.com/feed/</li>
</ul>
</div>
<div>
<b>News/Politics</b></div>
<div>
<ul>
<li>This Morning With Gordon Deal - http://feeds.wsjonline.com/wsj/podcast_wall_street_journal_this_morning</li>
<li>NPR Politics Podcast - http://www.npr.org/rss/podcast.php?id=510310</li>
<li>POLITICO Playbook Audio Briefing - http://feeds.soundcloud.com/users/soundcloud:users:251497137/sounds.rss</li>
<li>NPR News Now - http://www.npr.org/rss/podcast.php?id=500005</li>
<li>Pod Save the World - http://feeds.feedburner.com/pod-save-the-world</li>
</ul>
</div>
<div>
<b>Sports</b> (football and football)</div>
<div>
<ul>
<li>Nickel Package - http://sports.espn.go.com/espnradio/podcast/feeds/itunes/podCast?id=2544457</li>
<li>NFL Live - http://www.espn.com/espnradio/feeds/rss/podcast.xml?id=11504795</li>
<li>College Football Live - http://www.espn.com/espnradio/podcast/feeds/itunes/podCast?id=13250702</li>
<li>LOCKED ON NFL - https://audioboom.com/channels/4725698.rss</li>
<li>Football Weekly (soccer) - http://www.guardian.co.uk/football/series/footballweekly/podcast.xml</li>
</ul>
</div>
<div>
<b>Finance/Economics</b></div>
<div>
<ul>
<li>The Indicator from Planet Money - https://www.npr.org/rss/podcast.php?id=510325</li>
<li>Motley Fool Money - http://feeds2.feedburner.com/MotleyFoolMoney</li>
<li>Planet Money - http://www.npr.org/rss/podcast.php?id=510289</li>
<li>Freakonomics Radio - http://feeds.feedburner.com/freakonomicsradio</li>
<li>Motley Fool Answers - http://motleyfoolanswers.libsyn.com/rss</li>
</ul>
</div>
<div>
<b>Science/Health</b></div>
<div>
<ul>
<li>Scientific American Podcast: 60-Second Mind - http://rss.sciam.com/sciam/60-second-mind</li>
<li>Scientific American Podcast: 60-Second Science - http://rss.sciam.com/sciam/60secsciencepodcast</li>
<li>BrainStuff - http://www.howstuffworks.com/podcasts/brainstuff.rss</li>
<li>Scientific American Podcast: 60-Second Space - http://rss.sciam.com/sciam/60-second-space</li>
<li>The Nutrition Diva’s Quick and Dirty Tips for Eating Well and Feeling Fabulous - http://www.quickanddirtytips.com/xml/nutrition.xml</li>
<li>The House Call Doctor’s Quick and Dirty Tips for Taking Charge of Your Health - http://www.quickanddirtytips.com/xml/housecall.xml</li>
<li>Science Friday - http://www.npr.org/rss/podcast.php?id=510221</li>
<li>Science Times - http://www.nytimes.com/services/xml/rss/nyt/podcasts/scienceupdate.xml</li>
<li>The Infinite Monkey Cage - http://downloads.bbc.co.uk/podcasts/radio4/timc/rss.xml</li>
<li>Get-Fit Guy’s Quick and Dirty Tips - http://www.quickanddirtytips.com/xml/getfitguy.xml</li>
</ul>
</div>
<div>
<b>Business/Productivity</b></div>
<div>
<ul>
<li>The 1-3-20 Podcast - http://feeds.soundcloud.com/users/soundcloud:users:337182027/sounds.rss</li>
<li>Money Girl’s Quick and Dirty Tips for a Richer Life - http://www.qdnow.com/money.xml</li>
<li>Kwik Brain - http://kwikbrain.libsyn.com/rss</li>
<li>The Public Speaker’s Quick and Dirty Tips for Improving Your Communication Skills - http://www.quickanddirtytips.com/xml/speaker.xml</li>
<li>The Stuff of Genius - http://www.howstuffworks.com/podcasts/stuff-of-genius.rss</li>
<li>Manager Tools Basics - http://www.manager-tools.com/podcasts/basics-rss.xml</li>
<li>Manager Tools - http://www.manager-tools.com/podcasts/feed/rss2</li>
<li>Fuel For Leaders with Dr. Dewett - http://feeds.newstalkradiowhio.com/FuelForLeadersWithDrDo-it</li>
<li>The Great Work Podcast - http://feeds2.feedburner.com/FYGWinterviews</li>
<li>Lead to Win with Michael Hyatt - http://leadtowin.libsyn.com/rss</li>
<li>This Is Your Life with Michael Hyatt - http://feeds.feedburner.com/TIYL</li>
<li>This Week in Law - http://leoville.tv/podcasts/twil.xml</li>
<li>HBR IdeaCast - http://feeds.harvardbusiness.org/harvardbusiness/ideacast</li>
<li>Read to Lead Podcast - http://readtoleadpodcast.com/feed/podcast</li>
<li>TED Talks Daily - http://feeds.feedburner.com/TEDTalks_audio</li>
<li>We Study Billionaires - The Investors Podcast - http://theinvestorspodcast.libsyn.com/rss</li>
<li>The James Altucher Show - http://altucher.stansberry.libsynpro.com/rss</li>
<li>The McKinsey Podcast - http://podcasts.mckinsey.com/fp/main</li>
<li>Leverage: Productivity Tips - http://optimizeautomateoutsource.libsyn.com/rss</li>
<li>Corner Office - https://feeds.publicradio.org/public_feeds/corner-office/itunes/rss</li>
<li>Six Pixels of Separation - Marketing and Communications Insights - http://www.twistimage.com/podcast/feed/itunes.xml</li>
<li>Mental Mastery Mondays - http://gocoastalmedia.libsyn.com/rss</li>
<li>Gartner ThinkCast - http://www.gartner.com/imagesrv/podcast/thinkcast/feed.xml</li>
<li>Tribe of Mentors - https://rss.art19.com/tribe-of-mentors</li>
</ul>
</div>
<div>
<b>Misc</b></div>
<div>
<ul>
<li>Tiny Desk Concerts - http://www.npr.org/rss/podcast.php?id=510306</li>
<li>LifeAfter - http://feeds.feedburner.com/themessagepodcast</li>
<li>Homecoming - http://feeds.gimletmedia.com/homecomingshow</li>
<li>Limetown - http://feeds.soundcloud.com/users/soundcloud:users:125221818/sounds.rss</li>
<li>Serial - http://feeds.serialpodcast.org/serialpodcast</li>
<li>Invisibilia - http://www.npr.org/rss/podcast.php?id=510307</li>
<li>Star Wars 7x7 - http://sw7x7.libsyn.com/rss</li>
<li>Tell Me Something I Don’t Know - http://feeds.podtrac.com/5EZzzED0uv_k</li>
</ul>
</div>
</div>
<div>
<br /></div>
<div>
What are your favorite podcasts?</div>
<br />
Barry<br />
<hr />
<b>We Encounter a Serious Issue</b> (2018-03-13)<br />
<iframe allow="autoplay" frameborder="no" height="300" scrolling="no" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/411650727&color=%23ff5500&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true&visual=true" width="100%"></iframe><br />
<br />
I just received this voice message on my home phone (landline).<br />
<br />
Here's the text:<br />
<blockquote class="tr_bq">
We encounter a serious issue coming out of your computer. It seems to be someone is trying to hijack your computer and try to steal your personal information. If it's not fixed right away then your computer will become obsolete and all of your credential information may got compromised. If you are the one who is using Microsoft Windows in your computer then please call 302-316-9259 or press 1 now to speak with security team now. Please ignore if we called you by mistake. Thank you.</blockquote>
<br />
The only serious issue here is that people fall for these scams. Let's break it down:<br />
<ul>
<li>The Voice - who wouldn't believe a bad computer-generated voice? Seriously though, there are plenty of pre-recorded and generated junk voice messages we get all the time. My general rule of thumb: ignore them all; the delete button is your friend.</li>
<li>Bad Grammar - this is practically a throw-back to the old days of spam. I've written <a href="https://securityandcoffee.blogspot.com/2013/07/want-someones-password-just-ask.html">about</a> <a href="https://securityandcoffee.blogspot.com/2013/10/online-self-defense-dont-phall-for.html">this</a> in the past. Someone willing to get past the bad grammar is more likely to continue on to other poor choices.</li>
<li>Fear Factor - the message is playing on many people's fear of technology and loss of their personal information. While we've become almost numb to breach announcements, the idea that there is an attack on our personal home computer is still a scary concept. Words like "hijack", "steal", "obsolete", and "compromised" invoke fear.</li>
<li>Call To Action - "if it's not fixed right away...". For a person who doesn't understand the complex issues of their computer, the call for immediacy further plays upon the fear state.</li>
<li>Microsoft Windows - what are the odds that if a call was made to any household, someone would be using, or would have used in the past 24 hours, Microsoft Windows? I'd guess that's pretty high.</li>
<li>Politeness - bad voice and grammar aside, the call does say please and thank you. That further instills a sense of confidence in a person already affected by fear and the call to action.</li>
</ul>
<br />
<div>
As I covered in <a href="https://securityandcoffee.blogspot.com/2016/09/its-microsoft-calling-not.html">past</a> <a href="https://securityandcoffee.blogspot.com/2017/07/the-matter-at-hand.html">posts</a>, while I did not call the number (and I suspect it's already been disconnected), if I did get through to someone I bet that they would be very helpful! That is, as long as I was cooperating. If I was not forthcoming with information, then these kinds of folks often get forceful.</div>
<div>
<br /></div>
<div>
Obviously, the best course of action is to just have a good laugh and hit delete when you get a message like this. We also need to ensure that less technical, or more vulnerable, people understand the issues and are prepared when the call comes.</div>
<div>
<br /></div>
<div>
Have you, or someone you know, received a call like this? What happened?</div>
Barry<br />
<hr />
<b>ID Fraud and Your Taxes - Take Action!</b> (2018-02-20)<br />
It's that time of year again. <a href="https://krebsonsecurity.com/">Brian Krebs</a> just put out <a href="https://krebsonsecurity.com/2018/02/irs-scam-leverages-hacked-tax-preparers-client-bank-accounts/">two</a> <a href="https://krebsonsecurity.com/2018/01/file-your-taxes-before-scammers-do-it-for-you/">articles</a> on the ongoing issue of tax fraud. As is so often the case, the advice to protect yourself hasn't changed - and be assured, you must protect yourself because no one else will, certainly not the IRS!<br />
<br />
As noted below and in Krebs' <a href="https://krebsonsecurity.com/2018/01/file-your-taxes-before-scammers-do-it-for-you/">article</a>, what you need to do now and always is:<br />
<ol>
<li>file your taxes early</li>
<li>monitor your credit (I covered that topic <a href="http://securityandcoffee.blogspot.com/2013/12/are-you-target.html">here</a>... in 2013!)</li>
<li>freeze your credit (<a href="https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/">two</a> <a href="https://krebsonsecurity.com/2015/11/report-everyone-should-get-a-security-freeze/">articles</a> from Krebs, also from 2015)</li>
<li>become you before someone else becomes you (I wrote about that subject <a href="http://securityandcoffee.blogspot.com/2015/03/sign-up-now-at-irsgov.html">here</a> and <a href="https://securityandcoffee.blogspot.com/2017/08/you-gotta-be-you.html">here</a>)</li>
</ol>
Here's a re-run of my article on this subject from three years ago. It's all still true! As I wrote nearly 5 years ago, <a href="https://securityandcoffee.blogspot.com/2013/07/the-more-things-change.html">the more things change the more they stay the same</a>.<br />
<hr />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://fm.cnbc.com/applications/cnbc.com/resources/img/editorial/2014/01/18/101347448-185301212.530x298.jpg?v=1397563733" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="111" src="https://fm.cnbc.com/applications/cnbc.com/resources/img/editorial/2014/01/18/101347448-185301212.530x298.jpg?v=1397563733" width="200" /></a></div>
I did a series of posts last year (<i>2014</i>) on the <a href="http://securityandcoffee.blogspot.com/2014/09/supervalu-wrote-me-letter.html">problem</a> <a href="http://securityandcoffee.blogspot.com/2014/09/who-am-i-or-who-was-i.html">of</a> <a href="http://securityandcoffee.blogspot.com/2014/11/got-id-fraud-stop-drop-and-roll.html">ID</a> <a href="http://securityandcoffee.blogspot.com/2014/11/the-4-rs-of-id-fraud-part-1.html">Fraud</a>. This is an ongoing issue: organizations struggle to protect information, there are cyber attackers out there, and individuals often don't take steps to protect their own information.<br />
<div>
<br /></div>
<div>
The bottom line is that your personal information, primarily your financial information, has tangible dollar value to a cyber attacker.</div>
<div>
<br /></div>
<div>
We usually think about credit card fraud or maybe bank account fraud as the results of these kinds of data breaches. But in this post and the next I'd like to talk about two other scenarios that have happened, are happening... and you need to be aware.</div>
<div>
<br /></div>
<div>
It's that wonderful time of year again in the US. Crisp weather, snow (most places), the days are starting to get a bit longer... and it's the beginning of tax filing season.</div>
<div>
<br /></div>
<div>
Imagine you are doing your civic duty, filling out and filing your tax return. You send it in to the IRS, only to find out that "you" already filed your return and "you" have already received your rather sizable refund - surprise!</div>
<div>
<br /></div>
<div>
Unfortunately, <a href="http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/24/d-c-physicians-swept-up-in-tax-id-theft-scam/">this</a> <a href="http://www.physicianspractice.com/blog/tax-related-identity-theft-scam-targets-physicians">has</a> <a href="https://krebsonsecurity.com/2014/04/states-spike-in-tax-fraud-against-doctors/">happened</a>. And, as we've discussed in the past, these attackers are smart. This is a business. They need to be able to maximize profits because there is a limited timeframe in which to commit the crime. So they need to attack a sub-population who:</div>
<div>
<ol type="a">
<li>makes good money;</li>
<li>might have many deductions;</li>
<li>might have complex returns, and;</li>
<li>for whom a large refund might not raise red flags.</li>
</ol>
<div>
How about... Doctors!</div>
</div>
<br />
And, just as I was finishing writing this article, we have new news out about <a href="http://krebsonsecurity.com/2015/02/citing-tax-fraud-spike-turbotax-suspends-state-e-filings/">tax fraud this year</a>! Reports say this is connected with TurboTax software, but it is more likely that scammers got people's info through other means and filed the fraudulent returns. Maybe TurboTax is just the scammers' software of choice! :-)<br />
<br />
<div>
As always, we want to talk about what you can do.</div>
<div>
<br /></div>
<div>
<a href="http://www.capitalotc.com/wp-content/uploads/2015/02/tax-fraud.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="133" src="https://www.capitalotc.com/wp-content/uploads/2015/02/tax-fraud.jpg" width="200" /></a> In addition to the steps outlined in <a href="http://securityandcoffee.blogspot.com/2014/11/got-id-fraud-stop-drop-and-roll.html">these</a> <a href="http://securityandcoffee.blogspot.com/2014/11/the-4-rs-of-id-fraud-part-1.html">previous</a> blog <a href="http://securityandcoffee.blogspot.com/2014/12/the-4-rs-of-id-fraud-part-2.html">posts</a>, here is the <a href="http://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft">IRS Guide on Identity Theft</a>. The IRS guide and my previous tips talk about not only what you should do if you are a victim, but tips to avoid the problem in the first place including:</div>
<div>
<ul>
<li>protecting your personal information, primarily your social security number</li>
<li>don't click on links sent to you via email or in social media - type the link in yourself or do a search</li>
<li>use link rating applications like Web Of Trust (WOT) - but check a tool's own privacy record before installing it; WOT itself was found in 2016 to have collected and sold its users' browsing histories</li>
<li>don't give out your personal information via web, email, phone unless you can positively identify the person on the other end</li>
<li>review your bills, credit record and other information that might provide early warning of a problem.</li>
</ul>
<div>
Have you been the victim of tax-related ID Fraud? Do you have any additional tips to share?</div>
<div>
<br /></div>
<div>
Of course, this issue is not just about doctors! Next time we'll talk about something perhaps even closer to your wallet... payroll fraud and misuse.</div>
</div>
Barry<br />
<hr />
<b>Speculative Speculation</b> (2018-01-30)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDiZOGktHdGBwsOScJMng1ynV-XXGXdJe9DJJY35txNLEbXYDSFZAWNvQjOa2OQc4CSOTds3Z9sq92y78dYbjhGj6UCkokCa_EvgcpQgLdX0iKuwWgjx2dr_o_6oDZcQ0hTNhdg4ubKXU/s1600/patch5.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="290" data-original-width="425" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDiZOGktHdGBwsOScJMng1ynV-XXGXdJe9DJJY35txNLEbXYDSFZAWNvQjOa2OQc4CSOTds3Z9sq92y78dYbjhGj6UCkokCa_EvgcpQgLdX0iKuwWgjx2dr_o_6oDZcQ0hTNhdg4ubKXU/s200/patch5.jpg" width="200" /></a></div>
Patch.<br />
<br />
<div>
NO WAIT!... DON’T Patch!</div>
<br />
<div>
It may cause unexpected reboots (as opposed to the expected kind???? :-) ).</div>
<br />
<div>
It may cause system slowdowns.</div>
<br />
<div>
It may conflict with your other system controls.</div>
<br />
<div>
It sounds kind of like the “fine print” in one of those pharmaceutical ads… patching side effects may include arrhythmia, faintness, moderate to severe amnesia, flushing of the face, dry mouth, blurry vision, visual distortions or white spots, nausea and vomiting, constipation, muscle twitches, confusion, euphoria, sedation, itchiness, and increased anxiety, respiratory or cardiac arrest, coma, hypoventilation (inadequate ventilation), and possibly death.</div>
<br />
<div>
<a href="https://images.idgesg.net/images/article/2018/01/meltdown-spectre-100745814-large.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="457" data-original-width="700" height="130" src="https://images.idgesg.net/images/article/2018/01/meltdown-spectre-100745814-large.jpg" width="200" /></a> This whole Spectre/Meltdown thing has gotten so much attention lately. But the reports are loaded with misinformation, speculation (!), and even some facts. I’ve seen some uber-geeky <a href="https://medium.com/@mattklein123/meltdown-spectre-explained-6bc8634cc0c2">explanations</a> of <a href="https://blog.barkly.com/meltdown-spectre-bugs-explained">what</a> is going on. If you haven’t seen the major rant by the father of Linux, Linus Torvalds, <a href="https://www.theregister.co.uk/2018/01/22/intel_spectre_fix_linux/">check this out</a>.</div>
<br />
<div 12.8px="" arial="" class="MsoNormal" color:="" font-family:="" font-size:="" sans-serif="">
One thing that has been lacking is more simple, straightforward explanations of this complex topic. I think Steve Gibson did a great job talking about this <a href="https://media.grc.com/sn/sn-645.mp3">recently in his SecurityNow! podcast</a>. He actually explained the underlying mechanism of speculative execution years ago when he was talking about how modern processors work.<u></u><u></u></div>
<br />
<div 12.8px="" arial="" class="MsoNormal" color:="" font-family:="" font-size:="" sans-serif="">
Speculative Execution is really pretty cool. It can be complex, but a good example is when there are two choices in how some code may execute, i.e. go here or go there: the processor does both! And it executes steps ahead of where you are in the code now. The overall effect is that the code executes faster. It’s kind of like paying it forward with extra computing cycles. Here's a great <a href="https://www.csoonline.com/article/3247868/vulnerabilities/spectre-and-meltdown-explained-what-they-are-how-they-work-whats-at-risk.html">explanation</a>.<u></u><u></u></div>
<br />
<div 12.8px="" arial="" class="MsoNormal" color:="" font-family:="" font-size:="" sans-serif="">
Here’s the point about this vulnerability… we’ve had plenty of named vulnerabilities. They are all the rage these past few years – a name and a logo. But most of these vulnerabilities are code or protocol problems. Yes, some of those were very wide ranging. However, this newly discovered problem is a vulnerability in the underlying architecture of nearly every modern <a href="https://www.fastcompany.com/40513416/spectre-and-meltdown-chip-flaws-touch-almost-every-system-say-researchers">computer chip</a> <a href="https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-worst-cpu-bugs-ever-found-affect-computers-intel-processors-security-flaw">created since 1995</a>. Everywhere.<u></u></div>
<br />
<div 12.8px="" arial="" class="MsoNormal" color:="" font-family:="" font-size:="" sans-serif="">
And while this has not been exploited in practice, that will happen. The Fix is not yet in. For now, the advice is to not panic, patch selectively and we’ll all watch and wait!</div>
Barryhttp://www.blogger.com/profile/03630515171565551105noreply@blogger.com0tag:blogger.com,1999:blog-7671318245642029158.post-18458958579608966142018-01-09T06:00:00.000-06:002018-01-09T06:00:04.334-06:00Meta-Predictions<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeO3rfujb9aQgBHhAwaqi2VkuaTZDi48_oULvhSjFukJ6q81R6GH5aPwoacNRd0cqottRhOvFcbBh0y_QkN5ry1Q3t7mosytl0OdRNHCePefuODPZcWcIdCx5LGHdAluSz3RCcczNcw94/s1600/fireworks.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1030" data-original-width="1600" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeO3rfujb9aQgBHhAwaqi2VkuaTZDi48_oULvhSjFukJ6q81R6GH5aPwoacNRd0cqottRhOvFcbBh0y_QkN5ry1Q3t7mosytl0OdRNHCePefuODPZcWcIdCx5LGHdAluSz3RCcczNcw94/s200/fireworks.jpg" width="200" /></a></div>
Well, it's a new year and we all know what that means... every security publication, and plenty of non-security publications, come out with their annual security predictions.<br />
<br />
I predict that this year's predictions will be as boring and vanilla as last year's. And we don't even have to wait until the end of the year to see if I'm right!<br />
<br />
So, rather than adding to the noise, I'll save you some clicks. Everybody's saying the same things... cybercrime, blockchain, cryptocurrency, breaches, yada yada.<br />
<br />
But some people went above and beyond to make the prediction reading experience special! Here are my favorites:<br />
<br />
Best presentation. Kudos on the production value of this prediction post by Watchguard. Between the nice graphics and videos, I was engaged. They didn't say anything new... but the way they said it makes it worth a look.<br />
<a href="https://www.watchguard.com/wgrd-resource-center/2018-security-predictions">https://www.watchguard.com/wgrd-resource-center/2018-security-predictions</a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir_ArZqF4ixD6QgeMHuEP0idWE7Mslz0RgNRdMNH1lXYZkyxQ6pUIHiMIi-sbLUJfvUuMFbgJT3Prp87vRnkFj6NRnF418NR5nR8U5zQzXh9DIQ1CysSkbqDOoLldveZdL6E39m3pVK7s/s1600/i-for-one-welcome-our-new-ai-overlords.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="376" data-original-width="500" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir_ArZqF4ixD6QgeMHuEP0idWE7Mslz0RgNRdMNH1lXYZkyxQ6pUIHiMIi-sbLUJfvUuMFbgJT3Prp87vRnkFj6NRnF418NR5nR8U5zQzXh9DIQ1CysSkbqDOoLldveZdL6E39m3pVK7s/s200/i-for-one-welcome-our-new-ai-overlords.jpg" width="200" /></a> Best use of AI. This is a great idea... how about machine-generated predictions! Great fun. And I, for one, welcome our AI overlords. Even the text that doesn't make sense makes more sense than some other predictions! Well done Kelly and Medium.<br />
<a href="https://medium.com/@kshortridge/2018-cyber-security-predictions-d493e25162e7">https://medium.com/@kshortridge/2018-cyber-security-predictions-d493e25162e7</a><br />
<br />
Best prediction of the death of passwords. Well, really they said that password-only authentication will decrease faster. OK, either way, we've been down this road many times before and, unfortunately, passwords ain't goin' nowhere. We're stuck with them.<br />
<a href="https://www.csoonline.com/article/3242866/security/our-top-7-cyber-security-predictions-for-2018.html">https://www.csoonline.com/article/3242866/security/our-top-7-cyber-security-predictions-for-2018.html</a><br />
<br />
Remembering what we said in 2017 award. This post doesn't say anything particularly interesting, but I like that they go back and grade their 2017 predictions. Of course, those predictions were pretty bland but they only gave themselves a generous 9.5 out of 10. <a href="http://resources.infosecinstitute.com/2018-cyber-security-predictions/">http://resources.infosecinstitute.com/2018-cyber-security-predictions/</a><br />
<br />
tl;dr award. I seriously did not even read this one. Really Forbes? 60 predictions? I guess all the ad networks you hit us with aren't enough? I guess quantity wins.<br />
<a href="https://www.forbes.com/sites/gilpress/2017/11/26/60-cybersecurity-predictions-for-2018/">https://www.forbes.com/sites/gilpress/2017/11/26/60-cybersecurity-predictions-for-2018/</a><br />
<br />
What are your favorite predictions?<br />
<br />
Here's to a great 2018!Barryhttp://www.blogger.com/profile/03630515171565551105noreply@blogger.com0tag:blogger.com,1999:blog-7671318245642029158.post-65022650655166123242017-12-26T06:00:00.000-06:002017-12-26T06:00:20.564-06:00BBB - Best Business Books As we close out this year and think about the new year, it's a great time to think about your own development and learning.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSFoKzDk8xaOrBBmNfWR_XMwb5CQ2lvcoRjMuNigNSVkDG4FYMgSGrK4VKf4uUuXvxTUWvcqhqYvV-804Kg2n-CN9ubKjwsKMf3bcMa5bfjhHBD_W7hF29OXJocLTlyI6mV-kIokA3Tbo/s1600/audible+logo.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="310" data-original-width="310" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSFoKzDk8xaOrBBmNfWR_XMwb5CQ2lvcoRjMuNigNSVkDG4FYMgSGrK4VKf4uUuXvxTUWvcqhqYvV-804Kg2n-CN9ubKjwsKMf3bcMa5bfjhHBD_W7hF29OXJocLTlyI6mV-kIokA3Tbo/s200/audible+logo.png" width="200" /></a> I really enjoy audiobooks. While SciFi is my typical favorite, I also mix in business and self-development titles. I've been keeping a list of my top self-development books and had been meaning to share them here... and now here they are!<br />
<br />
This list is not exactly in priority order, however my favorites are definitely at the top. So, more or less, the first third of the list is 5-star books, middle third 4.5-stars, and the final third are 4-star. These are all great books, regardless of where they are on this list.<br />
<br />
Here we go...<br />
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
</div>
<ul>
<li>Start With
Why – Simon Sinek</li>
<li>The 5 Levels
of Leadership – John C. Maxwell</li>
<li>The Charisma
Myth – Olivia Fox Cabane</li>
<li>Pitch
Anything – Oren Klaff</li>
<li>What Makes
an Effective Executive – Peter F Drucker</li>
<li>A Whole New
Mind – Daniel H. Pink</li>
<li>Eat That
Frog! – Brian Tracy</li>
<li>Getting
Things Done – David Allen</li>
<li>The New One
Minute Manager – Ken Blanchard, Spencer Johnson</li>
<li>The
Introvert Advantage: How to Thrive in an Extrovert World – Marti Olsen Laney,
PsyD</li>
<li>It’s Your
Ship by D. Michael Abrashoff</li>
<li>Multipliers
by Liz Wiseman</li>
<li>Just Listen
– Mark Goulston</li>
<li>Influencer –
David Maxfield<a name='more'></a></li>
<li>The Phoenix
Project – Gene Kim, Kevin Behr, George Spafford</li>
<li>The Thank
You Economy – Gary Vaynerchuk</li>
<li>Crush It! – Gary
Vaynerchuk</li>
<li>Crucial
Conversations – Kerry Patterson</li>
<li>The Checklist
Manifesto – Atul Gawande</li>
<li>The Back of
the Napkin – Dan Roam</li>
<li>10% Happier
– Dan Harris</li>
<li>The
Invisible Gorilla – Christopher Chabris, Daniel Simons</li>
<li>How to Talk
to Anyone – Leil Lowndes</li>
<li>Finance
Basics – Harvard Business Review</li>
<li>The Little
Book of Talent – Daniel Coyle</li>
<li>The Elements
of Eloquence – Mark Forsyth</li>
<li>Leadership
& Self-Deception – The Arbinger Institute</li>
<li>The Art of
War – Sun Tzu</li>
<li>The Go-Giver
– Bob Burg, John David Mann</li>
<li>Overcoming
the Five Dysfunctions of a Team – Patrick Lencioni</li>
<li>Ask More –
Frank Sesno</li>
<li>Peak
Performance: Elevate Your Game, Avoid Burnout, and Thrive with the New Science
of Success – Brad Stulberg, Steve Magness</li>
<li>The Energy
Bus: 10 Rules to Fuel Your Life, Work, and Team with Positive Energy – Jon
Gordon</li>
<li>Good to
Great – Jim Collins</li>
<li>The 12 Week
Year – Brian P. Moran, Michael Lennington</li>
<li>Essentialism
– Greg McKeown</li>
<li>The 21
Irrefutable Laws of Leadership – John Maxwell</li>
<li>Chatter –
Patrick King</li>
<li>The Art of
Negotiating the Best Deal – The Great Courses</li>
<li>Steal the
Show – Michael Port</li>
<li>Good
Strategy/Bad Strategy: The Difference and Why It Matters – Richard P. Rumelt</li>
<li>The 7 Habits
of Highly Effective People: Powerful Lessons in Personal Change – Stephen R.
Covey</li>
<li>What Every
BODY Is Saying – Joe Navarro, Marvin Karlins</li>
<li>How We
Decide – Jonah Lehrer</li>
<li>Where Good Ideas
Come From – Steven Johnson</li>
<li>Steve Jobs –
Walter Isaacson</li>
<li>Eat, Move,
Sleep – Tom Rath</li>
</ul>
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
I'm always looking for more books to read. What are your essential business and self-development books that are not on my list?</div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Happy New Year and good reading!</div>
Barryhttp://www.blogger.com/profile/03630515171565551105noreply@blogger.com0tag:blogger.com,1999:blog-7671318245642029158.post-64533018259353882282017-12-12T06:00:00.000-06:002017-12-12T06:00:59.420-06:00Ho-Ho-Holiday Spams and Scams<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaQCeeC3LFmLCI8bwmPYzRX4M8uBzDp3QToEC-Y5nt6Kqa4o0C7756SjF1cZxaIbpiZYjPRE4d1XCcmSj5xEWLwfQpzjThSdWJJT9CnPM95NG7cTApDEYbVJK0sQlIdaZ_aNrnJnci9LY/s1600/scam2.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="800" data-original-width="1200" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaQCeeC3LFmLCI8bwmPYzRX4M8uBzDp3QToEC-Y5nt6Kqa4o0C7756SjF1cZxaIbpiZYjPRE4d1XCcmSj5xEWLwfQpzjThSdWJJT9CnPM95NG7cTApDEYbVJK0sQlIdaZ_aNrnJnci9LY/s200/scam2.jpg" width="200" /></a> It's that time of year again folks. And whatever holiday you may, or may not, celebrate... there's something we're all likely to see. It's not presents, though maybe there are some for you. It's not snow, though we're already seeing that here in the upper midwest US.<br />
<br />
It's malware and holiday scams!<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKLDWvtIT1YzX4rUoj_CI86exCBqslGhyphenhyphenrVuH2hlTPQq-jgaSxRbeeKzu4pkd0vxGLzEutMvE7Rdo8Rffwz_Exf1rLpn8xtN2b_g4S91Aj5AnvvRM_wCwP1rq2q2lHPN13oc2M6lpvYOg/s1600/infected.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="200" data-original-width="300" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKLDWvtIT1YzX4rUoj_CI86exCBqslGhyphenhyphenrVuH2hlTPQq-jgaSxRbeeKzu4pkd0vxGLzEutMvE7Rdo8Rffwz_Exf1rLpn8xtN2b_g4S91Aj5AnvvRM_wCwP1rq2q2lHPN13oc2M6lpvYOg/s200/infected.jpg" width="200" /></a> Unfortunately, it happens every year. Sometimes it's malicious attachments. Sometimes it's links to malware to download or phishing sites with forms ready to collect your personal and financial information.<br />
<br />
Here is my 2017 edition of my Top 10 Tips To Avoid Holiday Spams and Scams...<br />
<a name='more'></a><ol>
<li>Don't respond to unsolicited email. It just lets the spammer know you are a live person.</li>
<li>Use care with links in unsolicited email. There's a good chance that link leads somewhere you don't want to go... like a phishing site or a malware download.</li>
<li>Watch out for attachments... even pictures. Stop and think before you click on that attachment. Even if it looks like it came from a friend. Were you expecting the email and attachment?</li>
<li>Be stingy with your personal information. Much of what happens in today's world happens online. And you will have to provide some information sometimes. But every site doesn't need all your personal information. And just because a site asks for information doesn't mean you have to provide it. Before you fill out that form, stop and think, then decide how much information you want to provide.</li>
<li>Compare the link to the site you're directed to. You're going to click on some links. You probably clicked on a link to get to this blog post! But stop and think. Look at the link. Mouse-over the link. Does it make sense? And, after you click, does it take you to the site you thought it would? If not, close that browser tab.</li>
<li>Use the "official" website rather than clicking on the link. You can always type in a known website address, for example to your bank or a shopping site, rather than clicking on a link. Or, if you <a href="https://securityandcoffee.blogspot.com/2016/02/how-to-vault-part-1.html">use</a> <a href="https://securityandcoffee.blogspot.com/2016/03/how-to-vault-part-2.html">a</a> <a href="https://securityandcoffee.blogspot.com/2017/04/world-password-day-and-teen-power.html">password</a> <a href="https://securityandcoffee.blogspot.com/2016/05/yapf-yet-another-password-fail.html">vault</a> then use the link you have stored in your vault.</li>
<li>Check for the use of https and look for the lock symbol before entering financial or personal information.</li>
<li>Watch your bills and accounts. That way you can catch any unusual or potentially fraudulent transactions early and get them straightened out.</li>
<li>Get social media savvy. Bad links don't only come from email. Social media sites are used by scammers to pass dangerous links and malware. Remember, your "friend" is not necessarily your friend.</li>
<li>If you get new tech, then get security! Some of you might buy a new laptop, tablet or smartphone during the holiday season. Get security software and install it! Configure automatic security updates!</li>
</ol>
And here's a bonus tip!<br />
11. Watch out for links in text messages. Just like with links that come via social media, scammers can send you links in text messages. Don't click unless you know the sender and are expecting the link.<br />
<br />
And one more!<br />
12. Keep your browser software up to date. That will help both with filtering email and may provide some link protection.<br />
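The checks in tips 5 and 7 (compare the visible link with where it really goes, and insist on https) can be run over a whole message rather than one mouse-over at a time. This is an added example, not code from the original post; the e-mail body is constructed and every domain in it is a placeholder.

```python
"""Flag links in an HTML e-mail whose visible text disagrees with the real destination."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Visible link text that itself looks like a URL or bare domain, e.g. "www.retailer.example/deals".
DOMAINISH = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)

# Constructed sample message; every domain below is a placeholder, not a real site.
SAMPLE_EMAIL = """\
<p>Holiday deals inside!</p>
<p><a href="https://www.retailer.example/deals">www.retailer.example/deals</a></p>
<p><a href="http://retailer.example.login-verify.test/x">https://www.retailer.example/account</a></p>
<p><a href="https://retailer.example@evil.test/login">retailer.example</a></p>
<p><a href="https://secure.bank.example/">Click here to confirm your order</a></p>
"""


def normalize(host: str) -> str:
    """Lowercase a host name and drop a leading 'www.' so the comparison is fair."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def real_destination(url: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (scheme, host) the browser would really use for this href.

    urlsplit().hostname strips any 'user@' part, so a link written as
    https://retailer.example@evil.test/ correctly resolves to evil.test.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None, None
    if not parts.hostname:
        return parts.scheme.lower() or None, None
    return parts.scheme.lower(), normalize(parts.hostname)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> List[dict]:
    """Return one finding per suspicious link; an empty list means nothing was flagged."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        scheme, host = real_destination(href)
        reasons = []
        if host is None:
            reasons.append("no usable host in href")
        elif scheme != "https":
            reasons.append("not https")
        shown = DOMAINISH.search(text)
        if shown and host is not None and normalize(shown.group(1)) != host:
            reasons.append(f"text shows {normalize(shown.group(1))} but link goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The third sample link is the one a quick glance misses: the text and even the start of the href say retailer.example, but everything before the "@" is ignored by the browser and the connection goes to evil.test.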
That's this year's list. It can certainly apply to past, and future, years as well.<br />
<br />
What other tips do you have? Barryhttp://www.blogger.com/profile/03630515171565551105noreply@blogger.com0tag:blogger.com,1999:blog-7671318245642029158.post-26768478076396447392017-11-28T06:00:00.000-06:002017-11-28T06:00:40.514-06:00You Don't Have to Outrun the (Fancy) Bear<div class="separator" style="clear: both; text-align: center;">
<a href="https://upload.wikimedia.org/wikipedia/commons/7/79/2010-brown-bear.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="800" data-original-width="531" height="200" src="https://upload.wikimedia.org/wikipedia/commons/7/79/2010-brown-bear.jpg" width="132" /></a></div>
Two hikers are walking through the woods. They come around a bend in the trail into a clearing where they can take a break, when suddenly a bear steps out of the woods and roars. One hiker quickly bends down to tighten his boot laces. The other hiker says, "what are you doing? You can't outrun a bear!". The first hiker says, "I don't have to outrun the bear, I only have to outrun you!".<br />
<br />
One of the biggest changes in information security over the past two decades has been with the attackers. Rather than the old stereotype of a hoodie-wearing loner in the basement with Mountain Dew, Twinkies and old computers, today's attacker is typically trained, smart and well-funded. Instead of defacing websites for fun and notoriety, attacks today are a business.<br />
<br />
It's a simple risk/reward equation. There is a cost to any attack. Email-based attacks are very inexpensive to launch. Developing sophisticated malware is expensive. And the more expensive an attack is to pull off, the higher the potential gains need to be to make a profit.<br />
<br />
Information security is very complex. It's as much an art as it is a science. There are basic things that everyone should do, like patching systems and using strong, long passwords. And then there are complex solutions to complex problems that need to be artfully implemented to complement the way people do their work.<br />
<br />
There are so many high profile breaches in the news. Some of these are the result of highly skilled and motivated attackers going after a specific target. But many more are "crimes of opportunity".<br />
<br />
As I see it, there are basically three kinds of online attacks:<br />
<a name='more'></a><ol>
<li>Random attacks - these are the most cost effective to pull off. Attackers scan the internet for unpatched systems, old vulnerabilities or send out mass emails either asking for userid's and passwords, or with malicious links or attachments. There's minimal cost to pull off these attacks. The potential prizes?... login credentials to all kinds of companies and individuals, personally-identifiable information, credit card and financial data, and other information they can sell or use for profit.</li>
<li>Simple targeted attacks - these might use some of the same basic attack methods of the random attacks, but are directed toward specific target organizations or customers of those organizations, for example Equifax customers after the Equifax breach. The attackers use freely available information or reconnaissance to focus their efforts. There is more work up front, but the success may be greater than the random attacks.</li>
<li>Complex/Expert targeted attacks - these pair a skilled attacker and a high-value target. The skilled attacker may still use a basic attack method initially but will escalate to more advanced methods if needed. In these cases, the attacker typically has a specific objective in mind and expects that the value of that objective will offset the higher cost and time involved in the attack.</li>
</ol>
<div>
Of course, I've conveniently not talked about hacktivism or state-sponsored attacks. I'll over-simplify and say that these are basically simple or complex targeted attacks with the notable exception that the goal is not to make money but to disrupt operations or otherwise embarrass the target.</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx_SJN-7zUVXQ-Hb9TG6Alop1prGNFEt-0VcHsmXlwViUS5AdA8NRcdMgGnlfftyWR1R4CcMyD2XosNh8eCg93a15ovolWISJQyLRZUqWLH-SWMwY03mK2_5sN8RyIKHMRpIJHfdC1W8Y/s1600/basics1.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="540" data-original-width="720" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx_SJN-7zUVXQ-Hb9TG6Alop1prGNFEt-0VcHsmXlwViUS5AdA8NRcdMgGnlfftyWR1R4CcMyD2XosNh8eCg93a15ovolWISJQyLRZUqWLH-SWMwY03mK2_5sN8RyIKHMRpIJHfdC1W8Y/s200/basics1.jpg" width="200" /></a> How can we protect ourselves and our organizations from these kinds of attacks? I've written about this many times in the past, with <a href="https://securityandcoffee.blogspot.com/2012/09/stuff-i-say-kiss-keep-it-simple-security.html">tips</a> <a href="https://securityandcoffee.blogspot.com/2013/04/keeping-security-simple.html">for</a> <a href="https://securityandcoffee.blogspot.com/2015/10/celebrate-culture-of-security.html">organizations</a> and tips for <a href="https://securityandcoffee.blogspot.com/2017/10/easy-as-1-2-3.html">individuals</a>. It boils down to the same basics:</div>
<div>
<ol>
<li>Patch your stuff - try to install only the apps you actually need and use, both on your computers and mobile devices... and keep them up to date! At home, always choose automatic updates.</li>
<li>Use good password hygiene - that means long random passwords, unique for each site, and all organized in a password vault. I've written about this topic <a href="http://securityandcoffee.blogspot.com/2016/02/how-to-vault-part-1.html">so</a> <a href="http://securityandcoffee.blogspot.com/2016/03/how-to-vault-part-2.html">many</a> <a href="http://securityandcoffee.blogspot.com/2016/05/yapf-yet-another-password-fail.html">times</a> <a href="http://securityandcoffee.blogspot.com/2013/11/rhymes-with-assword.html">I've</a> <a href="http://securityandcoffee.blogspot.com/2012/08/and-password-is-monkey.html">lost</a> <a href="http://securityandcoffee.blogspot.com/2013/12/password-problems-again.html">count</a>!</li>
<li>Use care with <a href="http://securityandcoffee.blogspot.com/2015/02/it-wasnt-englebarts-fault-part-1.html">emails, links</a> and <a href="http://securityandcoffee.blogspot.com/2015/04/it-wasnt-englebarts-fault-part-2.html">attachments</a>.</li>
</ol>
<div>
What additional tips do you have?</div>
</div>
<div>
<br /></div>
<div>
What's your favorite bad joke that can be re-purposed to make an information security point?!?</div>
Barryhttp://www.blogger.com/profile/03630515171565551105noreply@blogger.com0tag:blogger.com,1999:blog-7671318245642029158.post-56996571421764859432017-11-14T06:00:00.000-06:002017-11-14T06:00:12.690-06:00It's All About the Squirrels!<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVkA9arB4i9elswlRCTN_pfSp0X-crGKIlHdCXvWYHwwaXZ1pft0jGWcIF8L2IrWRYWvksMNbr8AtHWicaR5_WddwcMI8lIDw1dSRS_jdH9DCHAu9FGpS8JnoF4yH3e3K4NsG9E6Zuu7w/s1600/selfie+stick+no.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1600" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVkA9arB4i9elswlRCTN_pfSp0X-crGKIlHdCXvWYHwwaXZ1pft0jGWcIF8L2IrWRYWvksMNbr8AtHWicaR5_WddwcMI8lIDw1dSRS_jdH9DCHAu9FGpS8JnoF4yH3e3K4NsG9E6Zuu7w/s200/selfie+stick+no.jpg" width="200" /></a></div>
Did you know that in 2016 there were more <a href="http://mashable.com/2015/09/21/selfie-deaths/">selfie-related deaths than shark-related deaths</a>? Same is <a href="https://weather.com/travel/news/selfies-shark-attacks-comparison">true in 2015</a>. We'll see what happens in <a href="https://en.wikipedia.org/wiki/List_of_selfie-related_injuries_and_deaths">2017</a>!<br />
<br />
That might seem counter-intuitive. And that's exactly the point... we are programmed through evolution to <a href="https://well.blogs.nytimes.com/2008/01/16/wrong-about-risk-blame-your-brain/">focus</a> on the <a href="https://www.schneier.com/blog/archives/2006/11/perceived_risk_2.html">sensational</a> <a href="https://www.psychologytoday.com/articles/200801/10-ways-we-get-the-odds-wrong">risks</a>.<br />
<br />
We've been hearing plenty about <a href="http://time.com/3928086/these-5-facts-explain-the-threat-of-cyber-warfare/">cyber-war</a> and <a href="https://www.csoonline.com/article/2852855/advanced-persistent-threats/10-deadliest-differences-of-state-sponsored-attacks.html">state-sponsored attacks</a>. These are big and scary things. It seems that the <a href="https://www.scientificamerican.com/article/is-the-power-grid-getting-more-vulnerable-to-cyber-attacks/">power grid</a> is a <a href="https://www.nbcnews.com/tech/security/cyber-attack-power-grid-could-cost-1-trillion-report-n388581">key target</a>. Well, it turns out that cyber attack is not the top issue that affects the power grid. Not even close. And what's a more serious and regular threat??? <a href="https://theweek.com/articles/452311/forget-hackers-squirrels-are-bigger-threat-americas-power-grid">Squirrels</a>! <a href="https://www.washingtonpost.com/news/the-switch/wp/2016/01/12/are-squirrels-a-bigger-threat-to-the-power-grid-than-hackers/">No</a>, <a href="http://www.packetpower.com/blog/top-threat-to-us-power-grid-squirrels">that's</a> <a href="https://threatpost.com/squirrels-not-hackers-pose-biggest-threat-to-electric-grid/123788/">not</a> <a href="https://2paragraphs.com/2016/01/squirrels-1-threat-to-us-electrical-grid/">a</a> <a href="https://usatoday30.usatoday.com/news/nation/2007-03-11-suicide-squirrels_N.htm">joke</a>.<br />
<br />
Here's a great presentation at this year's ShmooCon, an annual security conference:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe width="320" height="266" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/cZPv-wro-O8/0.jpg" src="https://www.youtube.com/embed/cZPv-wro-O8?feature=player_embedded" frameborder="0" allowfullscreen></iframe></div>
<br />
But here's the point of all this... while it's fun to laugh at, or dislike, squirrels, there's an important lesson here. We do need to speculate and consider the future when conducting risk assessments. But we also need to have a strong focus on reality! That means ensuring you are considering mundane, but very real, threats and vulnerabilities that are actually happening. It's far too easy for us to focus on high impact, very low likelihood events to the exclusion of those high-probability, common attacks like phishing.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZYCeRF9wUuzkt5g9zkpoyEgW5TLwSpFx0STH8MqIJFUVHav00XiuB9pmasxHB1U9w19KwNAAdIA0AsqVeXVVGAuekF_IXAt3g2A0vavbD5xgLX5n-1INUHMQmHm9iCAMB4Wjw-zc8yiY/s1600/squirrel.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="988" data-original-width="1484" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZYCeRF9wUuzkt5g9zkpoyEgW5TLwSpFx0STH8MqIJFUVHav00XiuB9pmasxHB1U9w19KwNAAdIA0AsqVeXVVGAuekF_IXAt3g2A0vavbD5xgLX5n-1INUHMQmHm9iCAMB4Wjw-zc8yiY/s200/squirrel.jpg" width="200" /></a><br />
So skip the sharks and watch out for the squirrels!Barryhttp://www.blogger.com/profile/03630515171565551105noreply@blogger.com0tag:blogger.com,1999:blog-7671318245642029158.post-72098063115801958252017-10-31T06:00:00.000-05:002017-10-31T06:00:05.506-05:00Easy as 1-2-3 It's US <a href="https://www.dhs.gov/national-cyber-security-awareness-month">Cyber Security Month</a> and the key themes I've been discussing here for years are every bit as relevant today. In honor of Cyber Security Month I'm re-running a post from 2016. The more things change, the more they stay the same. Happy Cyber Security Month!<br />
<hr />
Well, I was trying for something catchy like <a href="http://www.nfpa.org/public-education/resources/education-programs/learn-not-to-burn/learn-not-to-burn-grade-1/know-when-to-stop-drop-and-roll">Stop, Drop and Roll</a>. That's a saying we learned in school, back in the day, for what you should do if your clothes catch on fire.<br />
<br />
Fortunately, it seems like everyone has heard that saying and it rolls off the tongue.<br />
<br />
Unfortunately, my three word phrase Patch, Vault and Fob, is not nearly as catchy.<br />
<br />
Fortunately, the odds of your clothes catching on <a href="http://comfycozy.com/fed_flammability.pdf">fire</a> is <a href="https://www.quora.com/Can-static-electricity-cause-a-persons-clothing-to-catch-fire-or-smoulder">low</a>.<br />
<br />
Unfortunately, the odds of your software, browsers or accounts being compromised is very high.<br />
<br />
A couple of weeks ago the internet was hit with the highly impactful and widely publicized distributed denial of service (<a href="http://www.webopedia.com/TERM/D/DDoS_attack.html">DDoS</a>) <a href="http://www.digitalattackmap.com/">attack</a> on <a href="https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/">Dyn</a>, a DNS provider. I won't go into the details here but I think I will cover DDoS in a future post. Anyway, shortly after that I was chatting with someone at a dinner who asked me about this attack, internet safety in general and what they could do. To keep it simple (and because, as a math person, I like things in 3's!), I provided these 3 simple (well, maybe straightforward is more accurate) things that absolutely everyone should do at home...<br />
<a name='more'></a><ol>
<li>Patch your stuff</li>
<li>Use a password vault</li>
<li>Use 2-factor authentication</li>
</ol>
<div>
1. Patch your stuff</div>
<div>
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj02lQtx11ejNnei2ZkBXuqrM3waJfU21iDYLCLE88ALg6umSf3I6eif2VmpdHFIJ_yR9vQw56BB3vFiTZ10-J2XOd5v27oaJCksZflp00wodrtdxWokkKcErvLrVhUVcjZpd3EN5Z_Szs/s1600/pirate+patch.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj02lQtx11ejNnei2ZkBXuqrM3waJfU21iDYLCLE88ALg6umSf3I6eif2VmpdHFIJ_yR9vQw56BB3vFiTZ10-J2XOd5v27oaJCksZflp00wodrtdxWokkKcErvLrVhUVcjZpd3EN5Z_Szs/s200/pirate+patch.png" width="190" /></a> While the use of smartphones and tablets is skyrocketing, most people still also use a traditional laptop or desktop computer. These are primarily <a href="https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0">Windows</a> computers, though the <a href="https://9to5mac.com/2016/04/11/apple-mac-market-numbers-idc/">Mac</a> market share continues to rise. Patching the basic Windows or Mac operating system that runs the computer is pretty straightforward and should always be set to update automatically for home users. Here's how for <a href="https://support.microsoft.com/en-us/kb/306525">older Windows</a> (it's the default in Win10) and <a href="http://www.howtoisolve.com/how-to-disable-enable-auto-updates-on-mac-os-x-yosemite-mavericks-and-apps/">Mac</a>.<br />
<br />
But what about all the other stuff including browsers, productivity tools, media (picture and sound) tools, games, word processors, desktop publishing, etc - basically all the software that's not part of the operating system? This is where many of the vulnerabilities and problems occur. In fact, many <a href="https://www.cvedetails.com/top-50-products.php">vulnerable</a> <a href="https://heimdalsecurity.com/blog/vulnerable-software-infographic/">software</a> products have not been from Apple or Microsoft but from Oracle (java) and Adobe (pdf reader and flash animation) and in web browsers.<br />
<br />
For patching my home computers, I use a software updater tool. The tool I use is called <a href="https://secunia.com/vulnerability_scanning/personal/">Secunia PSI</a> (PSI stands for personal software inspector). The current version is 3.0, but I actually like the interface on their slightly older 2.0 version. As always, I am not pushing any particular product and there are a bunch in this space including <a href="https://ninite.com/">ninite</a>, <a href="http://filehippo.com/download_app_manager/">FileHippo</a> and <a href="http://kcsoftwares.com/?sumo">SUMo</a>. Here are two articles that discuss <a href="https://www.digitalcitizen.life/best-tools-check-software-updates">some</a> of the <a href="http://www.bleepingcomputer.com/forums/t/589073/is-there-a-manager-that-tells-you-which-software-needs-updating/">alternatives</a>. It doesn't matter which one you use... just set up automated patching for all your home computers!<br />
<br />
2. Use a password vault<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN-h5j1o6OgMvRXNbGy2rhqDTh8iSTZb-w82IWDxWEWw4u6YEuwyuNihTFcZDrnaLlvZgSaOKBGuNP76_9shH4l2-X0wTqdSIMI6OI56rU9aAZJfubhkiIMIRLo9_vMRGJcpGPfYzpK4U/s1600/vault.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN-h5j1o6OgMvRXNbGy2rhqDTh8iSTZb-w82IWDxWEWw4u6YEuwyuNihTFcZDrnaLlvZgSaOKBGuNP76_9shH4l2-X0wTqdSIMI6OI56rU9aAZJfubhkiIMIRLo9_vMRGJcpGPfYzpK4U/s200/vault.jpg" width="200" /></a></div>
<br />
I've written about this topic <a href="http://securityandcoffee.blogspot.com/2016/02/how-to-vault-part-1.html">so</a> <a href="http://securityandcoffee.blogspot.com/2016/03/how-to-vault-part-2.html">many</a> <a href="http://securityandcoffee.blogspot.com/2016/05/yapf-yet-another-password-fail.html">times</a> <a href="http://securityandcoffee.blogspot.com/2013/11/rhymes-with-assword.html">I've</a> <a href="http://securityandcoffee.blogspot.com/2012/08/and-password-is-monkey.html">lost</a> <a href="http://securityandcoffee.blogspot.com/2013/12/password-problems-again.html">count</a>! So rather than rehash that all here, let's keep it simple... Use unique passwords for every account you have at home, make the passwords long and random and put them all in a vault! There are many great ones out there including: <a href="https://www.lastpass.com/">LastPass</a> (what I use), <a href="https://www.dashlane.com/">Dashlane</a> and <a href="https://1password.com/">1Password</a>. Get one and use it!<br />
<br />
<div>
3. Use 2-factor authentication<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyJxNl5CeU-pNZ9Cew0PGHtbFruThw7zF0hbrbuj1yZHqlFPwxp2PWO17jITk7jaczavz4eKEGYsb2BLrLtsLimomijoYvHSg_Okt4HHSDe6ItXHzvD9VkxNXiyKvlHwEaSj_HYjzxP_I/s1600/authenticator.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyJxNl5CeU-pNZ9Cew0PGHtbFruThw7zF0hbrbuj1yZHqlFPwxp2PWO17jITk7jaczavz4eKEGYsb2BLrLtsLimomijoYvHSg_Okt4HHSDe6ItXHzvD9VkxNXiyKvlHwEaSj_HYjzxP_I/s200/authenticator.jpg" width="183" /></a> There's just no excuse any more. It's not hard and it's not complex. And don't just believe me... listen to <a href="https://www.youtube.com/channel/UCQ64xs-7w8U9jhh9s8qNN7Q">Betty White</a>!</div>
<div>
<br /></div>
<div>
Here's why it's important. Passwords will get stolen (breached, compromised, whatever word you like). Just ask <a href="https://www.wired.com/2016/09/hack-brief-yahoo-looks-set-confirm-big-old-data-breach/">Yahoo!</a>... or ask them 2 years ago... or ask them 2 years before that! But here's what's important... the attackers aren't just grabbing your password. "They" don't even know who "you" are. The target is the big central resource with lots of goodies (passwords). If you have 2-factor authentication enabled, "they" would not only have to grab your password (well, they have that!), but they would also need to either have your smartphone or have control of your smartphone, and... here's the key part, they'd have to be able to match the two - to know which phone corresponds to which of the millions of stolen passwords they have. Now that's possible, but it's not easy.</div>
<div>
<br /></div>
<div>
Since Google and Apple pretty much own that market, an attacker could steal your Apple credentials, and get into both your iTunes and email account to bypass your 2-factor authentication, but that is way too much work. Attackers want to quickly monetize what they've stolen, so our goal is to make ourselves "expensive" to attack.<br />
<br />
Setting up 2-factor authentication is easier than ever before and is in use on many mainstream sites including <a href="https://www.google.com/landing/2step/">Google</a>, <a href="https://www.facebook.com/help/community/question/?id=10151548571887325">Facebook</a> and <a href="https://www.cnet.com/how-to/how-to-enable-twitters-two-factor-authentication/">Twitter</a>. Here's some <a href="https://twofactorauth.org/">info</a> on sites offering <a href="http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now">2-factor</a> authentication.<br />
<br />
Let's be safe out there! It's as easy as 1, 2, 3!</div>
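To show what the second factor actually adds, here is an added example (not code from this blog or from any of the products linked above) of the time-based one-time password algorithm, TOTP (RFC 6238), that authenticator apps implement, together with a login check that requires both factors. The shared secret is the RFC test secret, the password and timestamps are constructed for the example, and the plain password comparison is a stand-in for the salted-hash check a real site would do.

```python
# Added example, not code from the original post: the TOTP algorithm (RFC 6238)
# behind authenticator apps, and a login check that shows why a stolen password
# is not enough on its own. Secret, password and timestamps are constructed.
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30  # TOTP time step used by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation to 31 bits, low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second step,
    so phone and server compute the same code from the same shared secret."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def code_is_valid(secret: bytes, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step and one step either side so a
    phone whose clock is slightly off still works; compare in constant time."""
    current = now // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, current + d), submitted)
               for d in range(-skew_steps, skew_steps + 1))


def login(stored_password: str, stored_secret: bytes,
          password_attempt: str, code_attempt: Optional[str], now: int) -> bool:
    """Both factors must pass. Someone holding only a breached password (and not
    the secret on the phone) cannot produce a valid code."""
    password_ok = hmac.compare_digest(stored_password, password_attempt)
    code_ok = code_attempt is not None and code_is_valid(stored_secret, code_attempt, now)
    return password_ok and code_ok
```

The key design point is that the secret is shared once, at enrollment (that QR code), and never sent again; each login sends only a short-lived code derived from it, so an attacker with the password database still lacks the thing the phone holds.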
Barryhttp://www.blogger.com/profile/03630515171565551105noreply@blogger.com1tag:blogger.com,1999:blog-7671318245642029158.post-86701167022117409552017-10-24T06:00:00.000-05:002017-10-24T06:00:03.431-05:00Internet Safety for our Parents It's US <a href="https://www.dhs.gov/national-cyber-security-awareness-month">Cyber Security Month</a> and the key themes I've been discussing here for years are every bit as relevant today. In honor of Cyber Security Month I'm re-running a post from 2016. The more things change, the more they stay the same. Happy Cyber Security Month!<br />
<hr />
<br />
I've written about Internet safety for families, kids, teens and I've even spoken on <a href="http://securityandcoffee.blogspot.com/2013/02/tech-smart-parents-and-preschoolers.html">safety for pre-schoolers</a>. But it's important to think about online safety for parents as well.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijHFhdkFs7k8eiql-FTelvE2nNUVWvWAx6xdtu8MEFArtrs6EOFDabDonJDq3vIBTSME4rWXK9zmIVZ_Y6XyyK2DtaZh9Vo7TGJOAI8SbYbeF8AuHDyLFyP1qK_lz8TB9r3EnsRB9XNpk/s1600/internet.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijHFhdkFs7k8eiql-FTelvE2nNUVWvWAx6xdtu8MEFArtrs6EOFDabDonJDq3vIBTSME4rWXK9zmIVZ_Y6XyyK2DtaZh9Vo7TGJOAI8SbYbeF8AuHDyLFyP1qK_lz8TB9r3EnsRB9XNpk/s200/internet.jpg" width="200" /></a> That's true both for parents of young children as well as for seniors with grown children. The safety challenges for seniors are similar but there are some differences. They may not be as familiar with technology and, <a href="https://www.fbi.gov/scams-and-safety/common-fraud-schemes/seniors">according to the FBI</a>:<br />
<ul>
<li>they are often financially secure and/or have good credit</li>
<li>they may be more trusting and they don't think they'd be a target</li>
</ul>
<div>
<a href="http://www.aarp.org/money/scams-fraud/info-2015/scams-and-frauds-to-avoid.html">This article by the AARP</a> lists some common scams against seniors including some we've discussed like <a href="http://securityandcoffee.blogspot.com/2016/09/its-microsoft-calling-not.html">fake Microsoft support calls</a> or <a href="http://securityandcoffee.blogspot.com/2015/02/id-fraud-taxes-and-doctors-oh-my.html">IRS-related tax fraud</a>.</div>
<div>
<br /></div>
<div>
What got me thinking about this topic was a great article entitled "<a href="https://heimdalsecurity.com/blog/ways-to-help-parents-with-online-security/">10 Ways to Help Our Parents With Online Security</a>". The article touches on a number of themes we've discussed in the past. I'll list the 10 items with links back to some past editions of this blog - typically they:</div>
<div>
<ol><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNUP7sxF3sJsj0RcQJ7gemxBQCZ43VG74eL-HThwiSjzzQmhUdAa5zzm7Ct3x4G8weraytHZfs7fBIP47SSOcC3QjmGqO1c9gYkaAGzfwguP2cS1EiSUaW5EyZVPb9LfohKxOAf5AFInY/s1600/fortune-cookie-phishing.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNUP7sxF3sJsj0RcQJ7gemxBQCZ43VG74eL-HThwiSjzzQmhUdAa5zzm7Ct3x4G8weraytHZfs7fBIP47SSOcC3QjmGqO1c9gYkaAGzfwguP2cS1EiSUaW5EyZVPb9LfohKxOAf5AFInY/s200/fortune-cookie-phishing.jpg" width="200" /></a>
<li>don't think they have anything worth stealing</li>
<li>have bad password habits - <a href="http://securityandcoffee.blogspot.com/2013/10/online-self-defense-passwords.html">just</a> <a href="http://securityandcoffee.blogspot.com/2016/10/cant-live-with-em-cant-live-without-em.html">like</a> <a href="http://securityandcoffee.blogspot.com/2016/05/yapf-yet-another-password-fail.html">most</a> <a href="http://securityandcoffee.blogspot.com/2013/11/rhymes-with-assword.html">people</a></li>
<li>are confused by 2-factor authentication - something we <a href="http://securityandcoffee.blogspot.com/2015/11/do-amazon-2-step-now.html">all</a> <a href="http://securityandcoffee.blogspot.com/2016/05/national-betty-whites-password-day.html">should use</a></li>
<li>leave <a href="http://securityandcoffee.blogspot.com/2015/10/keep-celebrating-mobile-and-social.html">mobile devices</a> unattended and without security measures</li>
<li>don't recognize <a href="http://securityandcoffee.blogspot.com/2013/10/online-self-defense-dont-phall-for.html">phishing</a> <a href="http://securityandcoffee.blogspot.com/2016/09/call-me.html">emails</a></li>
<li>don't understand <a href="http://securityandcoffee.blogspot.com/2013/11/its-that-time-of-year-holiday-spams-and.html">social</a> <a href="http://securityandcoffee.blogspot.com/2013/12/is-your-friend-your-friend.html">media</a> and how it can be used in scams</li>
<li>share too <a href="http://securityandcoffee.blogspot.com/2013/11/internet-safety-song-remains-same.html">much</a> <a href="http://securityandcoffee.blogspot.com/2012/11/reputation-management-101.html">information</a></li>
<li>can be manipulated by online media</li>
<li>place too much trust in an <a href="http://securityandcoffee.blogspot.com/2015/08/crypto-where.html">anti-virus</a> <a href="http://securityandcoffee.blogspot.com/2013/10/online-self-defense-your-computer.html">product</a></li>
<li>don't understand how sophisticated <a href="http://securityandcoffee.blogspot.com/2012/12/tis-season-holiday-spams-and-scams.html">scams</a> and attacks can be</li>
</ol>
<div>
In what ways can you help your parents stay safe online?</div>
</div>
Barryhttp://www.blogger.com/profile/03630515171565551105noreply@blogger.com0tag:blogger.com,1999:blog-7671318245642029158.post-41866765397344146802017-10-17T06:00:00.000-05:002017-10-17T06:00:02.546-05:00Still Can't Live With 'Em<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx3hhiUeeL7cCKVW30ZkWa413-vYHqfVxAejLPOxBHyj3-zMRHSLdu5VshQPFKs3_6ok5uhHpYvBKPlI_MQsJIPA4jfcbx-a13Slsp3jS-sevjDvGR0wfCVYx5PORg35IBdPsdYD1j3vQ/s1600/yahoo-76684_1280.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx3hhiUeeL7cCKVW30ZkWa413-vYHqfVxAejLPOxBHyj3-zMRHSLdu5VshQPFKs3_6ok5uhHpYvBKPlI_MQsJIPA4jfcbx-a13Slsp3jS-sevjDvGR0wfCVYx5PORg35IBdPsdYD1j3vQ/s200/yahoo-76684_1280.png" width="200" /></a> It's US <a href="https://www.dhs.gov/national-cyber-security-awareness-month">Cyber Security Month</a> and, like clockwork, we have Yahoo! <a href="http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html">in the news</a> again telling us that the worst case from the past just <a href="http://mashable.com/2017/10/09/equifax-customers-overwhelmed-after-hack/?utm_cid=Mash-Prod-RSS-Feedburner-Bus-Partial#BMrxYojOBSqg">keeps getting worster</a> (I can make up words, can't I??? :-). They are now counting their breached accounts <a href="http://www.zerohedge.com/news/2017-10-05/yahoo-hacking-3-billion-accounts-underlines-cyber-risk">at over 3 billion</a>! How many people are there in the world these days?... Last year at this time, they announced the <a href="https://www.wired.com/2016/09/hack-brief-yahoo-looks-set-confirm-big-old-data-breach/">breach</a> of <a href="https://nakedsecurity.sophos.com/2016/09/23/change-your-password-yahoo-confirms-data-breach-of-500-million-accounts/">500 million</a> Yahoo! <a href="http://blogs.wsj.com/cio/2016/09/28/yahoo-breach-raises-questions-about-password-resets/">account</a> passwords and other info (while announced in 2016, the breach actually took place in 2014, and is not the same as the password breach they had in 2012! - yes, I know... it's hard to keep up!). 
In honor of both Cyber Security Month and Yahoo!, I'm re-running a post I wrote in... wait for it... 2012! Not only is everything I wrote in that post 100% relevant today, but I even commented on that 2012 Yahoo! breach. The more things change, the more they stay the same. Happy Cyber Security Month!<br />
<hr />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH0nAP2KWwSM80wlS8DjEibHdyC9BBAmcnnAcL2mKclm4Q_fzq0ZhK1TG4GKYsOnn1LV_XefrEtyoBLZw39lRG16cqvQ-Ct3eCvLG5Txl_bV9VgoNRUh7jWMGX7Qjzd9vj9g1StjzA-l8/s1600/dr+evil.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH0nAP2KWwSM80wlS8DjEibHdyC9BBAmcnnAcL2mKclm4Q_fzq0ZhK1TG4GKYsOnn1LV_XefrEtyoBLZw39lRG16cqvQ-Ct3eCvLG5Txl_bV9VgoNRUh7jWMGX7Qjzd9vj9g1StjzA-l8/s200/dr+evil.jpg" width="141" /></a> They're dead. They're here to stay.<br />
<br />
They're safe. They're breached.<br />
<br />
They're encrypted. They're visible.<br />
<br />
They're complex. They're too simple.<br />
<br />
Once again, the topic we love to hate... Passwords! And, you know what else??? It's also that greatest of holiday celebrations... US <a href="https://www.dhs.gov/national-cyber-security-awareness-month">Cyber Security Month</a>!<br />
<br />
Passwords are a mess! A "good" password has these features:<br />
<ul>
<li>hard to create</li>
<li>hard to remember</li>
<li>hard to enter</li>
<li>probably has to be changed as soon as you memorize it</li>
<li>plus other inconsistent, random rules depending upon the site</li>
</ul>
<div>
<br />
Perfect!</div>
<div>
<a name='more'></a><br /></div>
<div>
When you create a password for a site, it gets encrypted (more precisely, run through a one-way hash) and then stored. When you log in, what you type in gets run through the same process and compared to what was stored. That means the site doesn't know your original password. Or it shouldn't, if the site does things correctly. But some sites don't do this well. And some sites don't do it at all!</div>
<div>
Hint - when you click on the "forgot your password" link, the site shouldn't be able to return your actual password to you. The site shouldn't know your actual password. If it does... that's a warning sign. Of course, if it's a site that you don't care about and doesn't hold your personal information, then maybe it's not a big deal. As long as you haven't used that same password on another, important site.</div>
<div>
<br /></div>
<div>
There have been many highly publicized site password hacks in the past year including: <a href="http://www.pcmag.com/article2/0,2817,2405453,00.asp" target="_blank">eHarmony</a>, <a href="http://www.last.fm/passwordsecurity">last.fm</a>, <a href="http://www.huffingtonpost.co.uk/2012/08/01/dropbox-password-breach-leak_n_1727338.html">Dropbox</a>, <a href="http://www.pcmag.com/article2/0,2817,2386362,00.asp">Sony</a>, <a href="http://www.pcmag.com/article2/0,2817,2405413,00.asp" target="_blank">LinkedIn</a>, <a href="http://dazzlepod.com/stratfor/">Stratfor</a>, <a href="http://news.cnet.com/8301-1009_3-57471178-83/yahoos-password-leak-what-you-need-to-know-faq/">Yahoo!</a>, and more. In each case, the encrypted password file was copied. With the entire password file in hand and plenty of computing power, hackers can crack (recover) many of the passwords offline. Then they can try those passwords on other sites!</div>
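To make the two points above concrete (what a site should store so it can never hand your password back, and why a copied password file still gives up weak passwords), here is an added example, written for this post and not taken from it or from any of the sites mentioned. It stores a salted, slow hash, verifies a login against it, and then models an attacker with a copy of the record trying a short list of common passwords. The iteration count and the wordlist are constructed for the example; a production site should use a current recommended algorithm and work factor.

```python
# Added example, not code from the Security and Coffee post: what a site should
# store instead of your password, and why a copied password file still lets an
# attacker recover weak passwords by guessing. Parameters are assumptions.
import hashlib
import hmac
import os
from typing import List, Optional

# Work factor: every guess costs the attacker this many hash rounds. Kept modest
# so the example runs quickly; real deployments should use a higher, current value.
ITERATIONS = 100_000

# Constructed sample of the kind of list an attacker tries first (illustrative only).
COMMON_PASSWORDS = ["123456", "password", "monkey", "letmein", "qwerty", "iloveyou"]


def store_password(password: str) -> dict:
    """Build the record a site should save: a random per-user salt plus the
    derived hash. The password itself is not part of the record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive the hash from what the user typed and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def can_return_password(record: dict) -> bool:
    """The post's 'forgot your password' test: a correctly built record contains
    nothing from which the original password could be handed back."""
    return "password" in record


def wordlist_recovers(record: dict, wordlist: List[str]) -> Optional[str]:
    """Model an attacker who has copied the record: each candidate must be run
    through the same salted, slow hash. A common password falls on the first
    pass through the list; a long random one is not in any list."""
    for candidate in wordlist:
        if verify_password(record, candidate):
            return candidate
    return None
```

Two things to notice: the per-user salt means two people with the same password get different records, so a cracked hash tells the attacker nothing about anyone else, and the slow hash multiplies the cost of every guess, which is exactly why a long random password (next tip) pushes that cost out of reach.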
<div>
<br /></div>
<div>
As I discussed in <a href="http://securityandcoffee.blogspot.com/2012/08/and-password-is-monkey.html" target="_blank">this post</a> a few months ago, most users have accounts on 25 different sites, but use only 6.5 different passwords. So the odds are pretty good that the hackers will find another site on which some of these passwords have been reused.</div>
<div>
<br /></div>
<div>
Here are the top 3 simple things to do now:</div>
<div>
1. Don't reuse passwords among sites - I've already explained why above</div>
<div>
<br /></div>
<div>
2. Choose good long passwords - 8 characters is not enough. I try to use 20 random characters. 20 character passwords that only use upper and lower case letters are much stronger than 8 character passwords using letters, numbers and special characters! (I'll explain that one in a future post). But, how do you remember a 20 character password?...</div>
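The arithmetic behind that claim, as an added example (not from the original post): a password chosen uniformly at random from an alphabet of N symbols with length L has L times log2(N) bits of entropy, so 20 letters (52 symbols) come to about 114 bits while 8 characters from the full 94-symbol keyboard come to about 52 bits. The block below computes both, converts them to an average cracking time at an assumed (constructed) guess rate, and generates the kind of long random password the post recommends keeping in a vault.

```python
# Added example, not from the original post: the arithmetic behind "20 random
# letters beats 8 characters from the full keyboard", plus a generator for the
# long random passwords the post recommends keeping in a vault.
import math
import secrets
import string

LETTERS_ONLY = string.ascii_letters                                        # 52 symbols
FULL_KEYBOARD = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random:
    log2(alphabet_size ** length) = length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average the attacker finds the password after trying half the space."""
    return (2 ** bits / 2) / guesses_per_second


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Compare the two policies from the post. The default attacker speed of ten
    billion guesses per second is a constructed figure; plug in your own estimate."""
    letters_bits = entropy_bits(len(LETTERS_ONLY), 20)
    full_bits = entropy_bits(len(FULL_KEYBOARD), 8)
    return {
        "20_letters_bits": letters_bits,
        "8_full_bits": full_bits,
        "20_letters_seconds": expected_crack_seconds(letters_bits, guesses_per_second),
        "8_full_seconds": expected_crack_seconds(full_bits, guesses_per_second),
    }


def generate_password(length: int = 20, alphabet: str = LETTERS_ONLY) -> str:
    """Use the secrets module (a cryptographic RNG), never random.choice,
    when generating passwords or tokens."""
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

The comparison only holds for passwords that really are random; a 20-letter phrase made of dictionary words has far fewer than 114 bits, which is why the post pairs "long and random" with "put them in a vault".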
<div>
<br /></div>
<div>
3. Use a password vault - a password vault is a program that encrypts and holds all your passwords. I explain these in detail, and list some good products, in <a href="http://securityandcoffee.blogspot.com/2012/07/put-that-in-your-vault-other-day-we.html" target="_blank">this post</a> from a few months ago.</div>
<div>
<br /></div>
<div>
Here are some bonus tips. The first 2 are easy. The rest are a bit more advanced, or perhaps for the more adventuresome among you.</div>
<div>
<br /></div>
<div>
4. Only enter passwords on secure sites or pages - Look for https:// in the address bar and a lock symbol to assure your passwords are kept confidential when traveling across the Internet.</div>
<div>
<br /></div>
<div>
5. Use care with "secret" questions - Many sites use "secret" questions to help identify you if you forget your password. Choose questions and answers that people can't just look up on Facebook! Your place of birth, high school mascot, and other common information are not good choices. Or... you could provide fake answers to common questions. Just be sure you remember what answers you gave!</div>
<div>
<br /></div>
<div>
This is a complex topic. If you only do the first 3 (or 5) things I've listed above you will be way ahead of the crowd. For even more protection, try some of these tips:</div>
<div>
<br /></div>
<div>
6. Use login notifications - Some sites will let you know when you last logged in, or if it looks like your account was logged in to from another country. Some sites allow you to block login attempts from countries you specify.</div>
<div>
<br /></div>
<div>
7. Be careful "linking" accounts - Don't just log into every site using your Facebook or Twitter logins (when available). If either of those accounts gets compromised, you could lose a lot more than just the one (or two) accounts.</div>
<div>
<br /></div>
<div>
8. Try 2-step authentication - Google (<a href="https://support.google.com/accounts/bin/answer.py?hl=en&answer=180744">2-step verification</a> and <a href="https://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447">google authenticator</a>), <a href="http://pages.ebay.com/securitycenter/OnlineSafetyTips.html">ebay</a>, <a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside">paypal</a>, <a href="https://blog.dropbox.com/index.php/another-layer-of-security-for-your-dropbox-account/">dropbox</a>, <a href="https://www.facebook.com/note.php?note_id=10150172618258920.">facebook</a> and other sites now allow 2-factor or 2-step authentication. It's a bit more complicated to set up but definitely worth it. Here's a great <a href="http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two+factor-authentication-right-now">article</a> from Lifehacker talking about some of the sites that offer this service.</div>
<div>
<br /></div>
<div>
9. Use separate email accounts - If you use the same email account to associate with all your online accounts, then a hacker can own you online by compromising that email account. For instance, most online sites will send a confirmation email to your associated address if a change is made or to process a password change. If you can use different email addresses, then having one compromised won't affect all your other online accounts.</div>
<div>
<br /></div>
<div>
This is a lot of information, but it is a complex topic (with some simple solutions). I will write more about my thoughts on passwords and authentication in the future.</div>
<div>
<br /></div>
<div>
How do you protect your passwords? What password creation tips and tricks can you share? How many of these tips do you use?</div>
Barryhttp://www.blogger.com/profile/03630515171565551105noreply@blogger.com0tag:blogger.com,1999:blog-7671318245642029158.post-90457427842932578892017-10-03T06:00:00.000-05:002017-10-03T07:31:09.334-05:00Thoughts about Change<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVfkgg_vQ_tTv-3UX8VOtJ4ALCKSAvd-DBjoNupBsp7w-qd7LlO5qrhDVUkp5JI5Fb0qEHEPs8vXGHEU_sJIP9hw4yu9miIiW0KpWAx-hH60TZXk0HAH2HeM3jFIGIJx_UktIqCyCmm0U/s1600/change6.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="315" data-original-width="600" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVfkgg_vQ_tTv-3UX8VOtJ4ALCKSAvd-DBjoNupBsp7w-qd7LlO5qrhDVUkp5JI5Fb0qEHEPs8vXGHEU_sJIP9hw4yu9miIiW0KpWAx-hH60TZXk0HAH2HeM3jFIGIJx_UktIqCyCmm0U/s200/change6.jpg" width="200"></a> We've all heard the cliche, the only thing that is constant is change. Many of our organizations are undergoing all kinds of change. We may have professional changes. And, of course, there are personal or life changes.<br>
<br>
Sometimes you have control over changes - they can be choices. Sometimes you don't have control over the change. But you do have control over how you respond to change.<br>
<br>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht2n6rqvhfrACyB2_hyphenhyphenYr1L8ChIYL5xDXIiLeaEh1PgQir7p3MyC2MAqh1ZW9qfkzMTi1ckkQukEfzT9a7gd4E4xxGAzVto7uI6TLuzaTO3IFuRHe99FtSYxtXWLcoFIwzVUpmIhbpKSE/s1600/change5.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="315" data-original-width="600" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht2n6rqvhfrACyB2_hyphenhyphenYr1L8ChIYL5xDXIiLeaEh1PgQir7p3MyC2MAqh1ZW9qfkzMTi1ckkQukEfzT9a7gd4E4xxGAzVto7uI6TLuzaTO3IFuRHe99FtSYxtXWLcoFIwzVUpmIhbpKSE/s200/change5.jpg" width="200"></a>I've spoken with many people whose organizations are undergoing change. That can lead to some uncertainty, but that is not necessarily a bad thing. It's really just something new. And change often brings opportunity!<br>
<br>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieG_QiPt8FI65Zy7Iz7i5ahw9XEomT65RkS_CrqkdpT7oBJ_Sd2r8_n2s90-Ycy9BY-xTk7BSRklZ8vouR18KyubV8iraYmhyE-B89HENHsPsA8hs1nhufFipyEBAVBKCqH71QmFzcnqY/s1600/change3.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="315" data-original-width="600" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieG_QiPt8FI65Zy7Iz7i5ahw9XEomT65RkS_CrqkdpT7oBJ_Sd2r8_n2s90-Ycy9BY-xTk7BSRklZ8vouR18KyubV8iraYmhyE-B89HENHsPsA8hs1nhufFipyEBAVBKCqH71QmFzcnqY/s200/change3.jpg" width="200"></a> One model that can be used to help people through change is the <a href="https://www.mindtools.com/pages/article/bridges-transition-model.htm">Bridges Model of Transition</a>. Bridges defines a transition path that begins when a change is announced or recognized and ends when people are successfully in the changed state. The key is what happens in between! Bridges <a href="http://www.strategies-for-managing-change.com/william-bridges.html">describes 3 stages</a> that people must move through.<br>
<ol><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC-VxC9-hZj8F15H9PKjD1TnrZo4i1PkJptn0UBLBZckGzNMyv9aok36XgzsLHU2FOOTCErMDDNBoHPdl7fJX7SwILsTI3rFJe6LC4T3JKHX0hez41VgV8Ch10pEXTTGjesoR48x5USso/s1600/change4.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="315" data-original-width="600" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC-VxC9-hZj8F15H9PKjD1TnrZo4i1PkJptn0UBLBZckGzNMyv9aok36XgzsLHU2FOOTCErMDDNBoHPdl7fJX7SwILsTI3rFJe6LC4T3JKHX0hez41VgV8Ch10pEXTTGjesoR48x5USso/s200/change4.jpg" width="200"></a>
<li>Letting Go - this means both understanding and coming to terms with the change. It can be characterized by fear or other negative emotions. Leaders can help by communicating, listening, and empathizing. Recognize that different people change at different rates. Individuals can help by talking things through with their leaders.</li>
<li>The Neutral Zone - this occurs once people get past their initial reaction to change. This can be a period of uncertainty. Leaders can help by providing direction and continuing to communicate.</li>
<li>The New Beginning - this occurs when the organization has arrived at the new state. Since people do change at different rates, all team members may not arrive here together. Leaders can help by recognizing the state of the team, providing extra direction where needed, and celebrating the successes of the transition.</li>
</ol>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsMd_kZFVs8xbvkIEak-ZE_xWcvnYUDQ8R5C0sm1iHchKs1Jt4W9U2RCl4TEGGt-8eMVscUe6TrU39EupXM3Ph7dD00R91WRhVeWveDk0fk87ltT1Ebs4XcVXQ5ehj-_Afb8lJ19a6hJU/s1600/change9.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="315" data-original-width="600" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsMd_kZFVs8xbvkIEak-ZE_xWcvnYUDQ8R5C0sm1iHchKs1Jt4W9U2RCl4TEGGt-8eMVscUe6TrU39EupXM3Ph7dD00R91WRhVeWveDk0fk87ltT1Ebs4XcVXQ5ehj-_Afb8lJ19a6hJU/s200/change9.jpg" width="200"></a> I've been thinking about the topic of change for a couple of reasons. First, my current organization is undergoing the change of integrating in a new organization. This is actually a great synergy and creates many great opportunities both for the business and for individuals. But as we discussed above, change affects different people differently.</div>
<div>
<br></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_45EbS10kOSV1Vo5u87VLRdxfbtsXYo0nsqZb65KCtRjrtMUGCvc0Pd57Qcm-1igqTv4JZ7bopaDrYlgXsTz_xKr3AEZUFutfauOCtaiwgxtMU2sOr6OIj3KcKYoUkqGrcgwTA_Mino0/s1600/change8.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="315" data-original-width="600" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_45EbS10kOSV1Vo5u87VLRdxfbtsXYo0nsqZb65KCtRjrtMUGCvc0Pd57Qcm-1igqTv4JZ7bopaDrYlgXsTz_xKr3AEZUFutfauOCtaiwgxtMU2sOr6OIj3KcKYoUkqGrcgwTA_Mino0/s200/change8.jpg" width="200"></a> In addition, I'll be undergoing my own change soon as I transition to a new and exciting opportunity!</div>
<div>
<br></div>
<div>
Thank you to all my current colleagues for their partnership and support! I know our paths will cross in the future.</div>
<hr />
Equi-Fail! (Barry, 2017-09-19)<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0benKtkN35wR8bFmvJG7sVzgVdnoTg1OZfe4HnzcDtX1x1A8_0GGU7ZuE2Y_vZYWbteQAQkeEGjn2xFveocIrHLpCuMC6NNEk3WmpPKCAicDU1F3WD_z9LAj8L0enIp_2uDTfDTXSTNE/s1600/equifax-breach.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="696" data-original-width="1600" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0benKtkN35wR8bFmvJG7sVzgVdnoTg1OZfe4HnzcDtX1x1A8_0GGU7ZuE2Y_vZYWbteQAQkeEGjn2xFveocIrHLpCuMC6NNEk3WmpPKCAicDU1F3WD_z9LAj8L0enIp_2uDTfDTXSTNE/s200/equifax-breach.jpg" width="200" /></a> Or maybe we should say Equi-Fiasco!<br />
<br />
By now you've certainly heard about the Equifax breach, including leaked Social Security numbers and other personal information on over 143 million people. And there's plenty more info to come on this one as the facts continue to be uncovered.<br />
<br />
I certainly don't mean to be jumping on the bandwagon here. There has already been so much coverage of this breach, but it is a big deal. And, while I've seen a number of articles on what to do now, I haven't seen any that really cover everything you must do to protect yourself.<br />
<br />
Let's do that now!<br />
<br />
The bottom line is this... it's 2017... no one can or will protect your personal information. You must take appropriate steps to protect yourself. And here they are... in no particular order... the top-10 things you should do to protect your personal and financial information:<br />
<a name='more'></a><ol>
<li>If you have an account at any of the major credit bureaus, and particularly at Equifax, change your password now. Just do it.</li>
<li>Use long complex gibberish passwords. Extra credit: make your passwords an odd length like 15, 17, or even 31 or 33 characters - password cracking algorithms struggle with unusual numbers.</li>
<li>Use a password vault. I've <a href="https://securityandcoffee.blogspot.com/2016/02/how-to-vault-part-1.html">written</a> <a href="https://securityandcoffee.blogspot.com/2016/03/how-to-vault-part-2.html">about</a> <a href="http://securityandcoffee.blogspot.com/2014/10/celebrate-cyber-style.html">this</a> <a href="http://securityandcoffee.blogspot.com/2013/01/something-you-forgot-3-factors-of-fail.html">many</a> <a href="http://securityandcoffee.blogspot.com/2013/09/when-is-encrypted-really-encrypted.html">times</a>. It's time to do it!</li>
<li>Check your credit report. This is simple and it's free. You are entitled to one free credit report from each of the three major credit bureaus each year. You can order them at this official website, <a href="http://www.annualcreditreport.com/">annualcreditreport.com</a>. One way to do this is to get one report every four months, rotating through the three bureaus. Here is more info from the <a href="https://www.ftc.gov/faq/consumer-protection/get-my-free-credit-report">FTC</a> and the US Federal Government site <a href="https://www.usa.gov/credit-reports">usa.gov</a>.</li>
<li>Check your online accounts at any financial organizations including your bank(s) and credit cards. Make sure you have a valid email address in place for account recovery. And... check that recovery email account. If someone is going to use your SSN to attack you, they will go after your financial accounts. They will try to take over those accounts by clicking the "forgot password" link and hoping you haven't set up your account recovery appropriately.</li>
<li>Get credit monitoring. Yes, that's exactly the information that was stolen from Equifax. And yes, Experian had a much smaller, <a href="https://krebsonsecurity.com/2015/10/experian-breach-affects-15-million-consumers/">but similar, breach</a> in 2015. That said, it's still a useful service. Each of the 3 major credit bureaus offers this service: <a href="https://www.equifax.com/personal/">Equifax</a>, <a href="https://www.experian.com/">Experian</a> or <a href="https://www.transunion.com/">TransUnion</a>. There are also private companies that offer similar services (more on that below).</li>
<li>Freeze your credit. A credit freeze simply prevents someone from pulling your credit report - meaning that they can't create any new accounts in your name. Of course, it also means that you can't create any new accounts in your name! :-) Well, you can, but you'll need to lift the freeze or create an exclusion for that new creditor. It's easier than it sounds. Also, most states have a set maximum cost for this, typically between $0 and $10 (to establish or remove a freeze at each credit bureau). I won't go into detail in this post, but here are two <a href="https://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/">great</a> <a href="https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/">references</a> on how to set up your credit freeze.
<br /> The first of the articles does not mention the fourth credit bureau, Innovis. <a href="https://www.innovis.com/securityFreeze/index">Here's a link</a> to the page to request a freeze from Innovis. Innovis is most tightly tied to mortgages and does not provide a full credit picture like the "big 3", so a credit report from Innovis will not show your full credit picture.<br />
</li>
<li>You can also create a fraud alert on your credit accounts. Note that this is different from a credit freeze. A fraud alert also "freezes" your credit account, and adds the restriction that the bureau must directly contact you via phone (often a home phone) before granting credit. Anyone can apply for a fraud alert - it's free - but it has a maximum of 90 days. You only need to apply at one credit bureau, and they have to contact the others. You can manually renew it every 90 days. However, if you can document that you've been the victim of identity fraud, then you can place a fraud alert that lasts for 7 years. <a href="https://www.consumer.ftc.gov/articles/0275-place-fraud-alert">Here are the details</a> on the FTC website.</li>
<li>Establish accounts at sites that depend upon your SSN, like the Social Security Administration (SSA) and the IRS. The issue is that, using your SSN, an attacker can create an account in your name on the IRS or SSA websites and then receive or alter your personal information. But not if you've already created your accounts! I covered this at length in a <a href="https://securityandcoffee.blogspot.com/2017/08/you-gotta-be-you.html">previous post here</a>.</li>
<li>Use multi-factor authentication. I've covered this topic many times in the past including <a href="https://securityandcoffee.blogspot.com/2017/04/world-password-day-and-teen-power.html">here</a> and <a href="https://securityandcoffee.blogspot.com/2016/05/national-betty-whites-password-day.html">here</a>. There was a time when this was perhaps too complicated, but not anymore. This is something everyone should use!</li>
</ol>
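To put some numbers behind items 2 and 3 (long gibberish passwords, generated by a vault), here is a small added example. It is example code written for this page, not code from the post or from any password vault product. It assumes an 87-symbol character set (letters, digits and a fixed set of punctuation) and uses a constructed guessing rate purely for comparison; the point it shows is how quickly the search space grows with each extra character, which is why a vault-generated 15, 17 or 31 character password is so much stronger than anything you would memorize.

```python
import math
import secrets
import string

# Character set a vault-style generator draws from. Assumption made for this
# example: letters, digits and a fixed set of punctuation (87 symbols); real
# vaults let you tune this per site.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?"


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Return a random password drawn uniformly from `alphabet`.

    `secrets` uses the operating system's CSPRNG. `random.choice` is not
    suitable here: its output can be predicted from earlier outputs.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need a positive length and at least two symbols")
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a constant guessing rate.

    The guessing rate is a constructed figure used only for comparison; it
    does not describe any particular cracking setup.
    """
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_lengths(lengths, alphabet=ALPHABET, guesses_per_second=1e10):
    """Map each length to (entropy bits, worst-case years) for this alphabet."""
    result = {}
    for n in lengths:
        bits = entropy_bits(n, len(alphabet))
        result[n] = (bits, years_to_exhaust(bits, guesses_per_second))
    return result


if __name__ == "__main__":
    # Print a fresh vault-style password for each length alongside its strength.
    for n, (bits, years) in compare_lengths((8, 12, 15, 17, 31)).items():
        print(f"{n:>2} chars: {generate_password(n)}  "
              f"({bits:5.1f} bits, worst case ~{years:.3g} years)")
```

Running the block prints one generated password per length with its entropy; every extra character multiplies the search space by 87 (about 6.4 bits), so going from 8 to 17 characters more than doubles the bit count. The numbers depend on the assumed alphabet and guessing rate, so treat them as relative, not absolute.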
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge1w5SG8bOg6qLSOpd8mQCwWCIRamjBaFmdbdnIvPtuGojJxlpvp0C1ReHCPtOQkL-7XDmD3NaNrSwSPwBsDwSK3L5hqMqb_beKzr7NM3I5M_jzwHVWdQD4mcCLL-N_ktOmhiCaqO5Bzg/s1600/check+credit+report.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="667" data-original-width="1000" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge1w5SG8bOg6qLSOpd8mQCwWCIRamjBaFmdbdnIvPtuGojJxlpvp0C1ReHCPtOQkL-7XDmD3NaNrSwSPwBsDwSK3L5hqMqb_beKzr7NM3I5M_jzwHVWdQD4mcCLL-N_ktOmhiCaqO5Bzg/s200/check+credit+report.jpg" width="200" /></a></div>
I also want to comment on Identity Fraud services like LifeLock and others. First, these services do not prevent Identity Fraud. They may help you go through some of the steps we've outlined above, like credit monitoring, credit freeze or fraud alerts. But you can do those things yourself without paying an extra premium. Perhaps the main value of these kinds of services is that if you are the victim of Identity Fraud, they will help you with the clean-up process. I am neither for nor against these services - you just need to understand what you are buying. I do not personally use these services - I follow the steps I've outlined above.<br />
<br />
That's it! :-) Do these things and you will be in very good shape. Do just some of them and you will still be far ahead of the crowd.<br />
<br />
There's an old saying that I'll adapt here... The best time to make all these changes is 2 years ago. The second-best time is today!<br />
<br />
One final thought... well-known security icon Bruce Schneier wrote a great post on this breach. You can read it <a href="https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html">here</a>. In it, he makes a great point - that we are not Equifax's customers. We, or more specifically our data, are the product! I wrote about this idea <a href="https://securityandcoffee.blogspot.com/2013/07/are-you-customer-or-product.html">here</a>.</div>
<hr />
I Have Neither Read Nor Understood (Barry, 2017-09-05)<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLWPkPdmww9-8nW8ryKwzLtHjSnPZiSG8xcFHu2cmd69Dvs4rWITVkGZK4x4M6jNUT9rjwMpqQ7dJ2GntRUGXXSa_7OrsatqMS6b43ki3UahE30RjtB1Rs1Bw7MHum79aKOz8uEd6-NLE/s1600/tosdr+logo.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="336" data-original-width="867" height="77" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLWPkPdmww9-8nW8ryKwzLtHjSnPZiSG8xcFHu2cmd69Dvs4rWITVkGZK4x4M6jNUT9rjwMpqQ7dJ2GntRUGXXSa_7OrsatqMS6b43ki3UahE30RjtB1Rs1Bw7MHum79aKOz8uEd6-NLE/s200/tosdr+logo.png" width="200" /></a> The site masthead starts out with the statement: “I have read and agree to the Terms” is the biggest lie on the web. We aim to fix that.<br />
<br />
This is the lead statement on the tosdr.org website. tosdr is an acronym for "Terms of Service; Didn't Read". It's a play on words (play on acronyms? :-)) of tl;dr, Too Long; Didn't Read. tl;dr has been a term floating around the interwebs for many years. It simply expresses a sentiment that many people can relate to... that we're busy, so when there is a long article, post, whitepaper, document, documentation, etc., we might just not read it. That also leads to the idea of the tl;dr version, i.e. executive summary!<br />
<br />
Clearly, Terms of Service statements fit into this category. They tend to be exceedingly long. They are often written FLBL (For Lawyers, By Lawyers)! :-) You see them all over the place... on your bank's website, on social media sites, when you sign up for just about any kind of service, and with just about every app you install.<br />
<br />
So, if no one reads them, what's the problem? Like a contract, the Terms of Service or EULA (End User License Agreement) provides some very important information. For example, it may cover:<br />
<ul>
<li>how the app, website or company can use your personal data;</li>
<li>whether the site can sell your data;</li>
<li>whether or not you own any content you upload (such as to a social media site);</li>
<li>how, when, and how much you can use the app, service or website;</li>
<li>whether the site can charge you money, either one time or ongoing;</li>
<li>whether you have any rights to seek damages against the company if you don't like how they conduct business;</li>
<li>and more...</li>
</ul>
<div>
<a name='more'></a> Here are a few interesting articles pointing out additional problems:</div>
<div>
<a href="http://www.npr.org/2016/08/23/491024846/do-you-read-terms-of-service-contracts-not-many-do-research-shows">Do You Read Terms Of Service Contracts? Not Many Do, Research Shows</a><br />
<a href="https://www.theatlantic.com/national/archive/2013/12/schools-everyone-else-are-not-reading-terms-service/356107/">Schools, Like Everyone Else, Are Not Reading the Terms of Service</a></div>
<div>
<a href="https://www.theguardian.com/technology/2015/jun/15/i-read-all-the-small-print-on-the-internet">I read all the small print on the internet and it made me want to die</a></div>
<div>
<br /></div>
<div>
I try not to recommend particular products on this blog. But here's one that is pretty cool! As I noted above, it's called tosdr (Terms of Service; Didn't Read). At <a href="http://tosdr.org/">tosdr.org</a> you can get plugins for the major browsers. If you install the plugin, then when you surf to a website with a Terms of Service, tosdr will show a grade for the quality of that ToS.</div>
<div>
<br /></div>
<div>
Please remember... this is something you can use at home. You should not install consumer programs like this on your work computers. Check with your IT group for their controls.</div>
<div>
<br /></div>
<div>
Here is the tosdr grading system:</div>
<div>
<br /></div>
<div>
Terms of service are reviewed by contributors and divided into small points that we can discuss, <a href="https://tosdr.org/topics.html">compare</a> and ultimately assign a score with a badge:<br />
<br />
<span class="badge badge-success">+ Good</span>, <span class="badge badge-warning">- Bad</span>, <span class="badge badge-important">× Blocker</span>, or <span class="badge">→ Neutral</span>.
Once a service has enough badges to assess the fairness of their terms for users, a class is assigned automatically by pondering the average scores.<br />
<span class="label A">Class A</span> are the best terms of services: they treat you fairly, respect your rights and will not abuse your data.</div>
<span class="label B">Class B</span> The terms of services are fair towards the user but they could be improved.<br />
<span class="label C">Class C</span> The terms of service are okay but some issues need your consideration.<br />
<span class="label D">Class D</span> The terms of service are very uneven or there are some important issues that need your attention.<br />
<span class="label E">Class E</span> The terms of service raise very serious concerns.<br />
<span class="label false">No Class Yet</span> We haven't sufficiently reviewed the terms yet.
<br />
<br />
Now, it's important to note that these ratings are "crowdsourced". That means they depend on people on the internet to review and rate sites, so coverage and consistency vary from site to site.<br />
<br />
Give it a try!<br />
<br />
So, here's the question... when you see those long EULAs or Terms of Service... have you read them? If not, are you going to start?
<hr />
Don't Blame The IRS (Barry, 2017-08-22)<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0_nE_pPrVQPyjP1X2ceXvEJwSALog8D77AaCeMFQVmfd_4ENcSc48_djSHrNfEOol8CZQJzKOy8t-XX06vzUM5yRzNeGGksYjQuMEaP0YWOY_5w-JKx7LPc1aUC5DV7_xa31t0Ay-_0c/s1600/irs+form+1040.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="683" data-original-width="1024" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0_nE_pPrVQPyjP1X2ceXvEJwSALog8D77AaCeMFQVmfd_4ENcSc48_djSHrNfEOol8CZQJzKOy8t-XX06vzUM5yRzNeGGksYjQuMEaP0YWOY_5w-JKx7LPc1aUC5DV7_xa31t0Ay-_0c/s200/irs+form+1040.jpg" width="200" /></a> In a post <a href="https://securityandcoffee.blogspot.com/2017/07/the-matter-at-hand.html">last month</a>, I included a recording of an obviously fake voice message warning about payments and fines due to the IRS. If you've read my blog in the past, you know I talk a lot about scams and give tips to avoid them. We've often discussed that legitimate organizations should not just contact you and ask for personal information.<br />
<br />
<div>
That just makes sense.</div>
<div>
<br /></div>
<div>
But telling the difference between a legitimate call and a scam call has gotten harder.</div>
<div>
<br /></div>
<div>
A reader let me know that the IRS is now using <a href="http://www.macon.com/news/business/article155738574.html">collection</a> <a href="https://www.newsmax.com/Finance/StreetTalk/IRS-collection-taxes-scam/2017/05/08/id/788768/">agencies</a> to collect back taxes! That just makes it even tougher to tell the difference between a legit collection call and a scam!<br />
<a name='more'></a></div>
<div>
<br /></div>
<div>
Interestingly, according to <a href="http://www.nbcnews.com/business/taxes/critics-fret-irs-prepares-sic-debt-collectors-tax-scofflaws-n494151">this article</a>, it was actually mandated by Congress and not requested by the IRS. The article even says "Don't blame the IRS". The IRS is actually concerned that this could lead to more scams and has put <a href="https://www.irs.gov/businesses/small-businesses-self-employed/private-debt-collection">information about the "service" on their website</a>. Apparently this has also been tried in the past and it didn't even result in as many collections as IRS agents themselves had! It still sounds like the IRS didn't have to implement this if they didn't want it.</div>
<div>
<br /></div>
<div>
This is not a good development. It just makes telling the difference between a scam and a legit call more difficult. The IRS says that the collection agency is supposed to send a letter first. Luckily we never get scams or junk via postal mail! :-)</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEPQAdodrWOCce_0dN3qCx6fouAZM5QaJQMaT5UOCKYgWIfiRB9dLdOvP7HzlZKqLvuq7Ob8MLVanua3JTN3NCI0ZyhTTAUqUDieABJ0PVjvO3cJljWrj-BXt0FW9ELS7aPb1pAucCRt4/s1600/antique-telephone.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="863" data-original-width="1280" height="134" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEPQAdodrWOCce_0dN3qCx6fouAZM5QaJQMaT5UOCKYgWIfiRB9dLdOvP7HzlZKqLvuq7Ob8MLVanua3JTN3NCI0ZyhTTAUqUDieABJ0PVjvO3cJljWrj-BXt0FW9ELS7aPb1pAucCRt4/s200/antique-telephone.jpg" width="200" /></a> Bottom line... the <a href="https://securityandcoffee.blogspot.com/2017/02/id-fraud-taxes-and-doctors-again-still.html">tips</a> we've <a href="https://securityandcoffee.blogspot.com/2016/03/credit-cards-calling.html">discussed</a> in the <a href="https://securityandcoffee.blogspot.com/2013/10/online-self-defense-dont-phall-for.html">past</a> about how to deal with requests for your personal information still stand. Do not provide any details to anyone who calls you asking for personal information, unless you already have an established relationship with the caller (and even then you should use care!).</div>
<div>
<br /></div>
<div>
Basically, if you do get such a call, for example from a credit card company, government agency, collection agency or anyone trying to collect money or information from you, what you should do is:<br />
<br />
<ul>
<li>Ask the person for their name, organization name, phone number and details of the request.</li>
<li>Tell the person you will call them back and hang up.</li>
<li>Do not call the number they gave you!</li>
<li>Look up the organization using a legitimate online source.</li>
<li>Call the main number for the organization and ask for the collections dept.</li>
<li>See if they know who the caller is.</li>
<li>If that connects you back to the caller, then the chances are pretty good they are legit.</li>
<li>Otherwise, ask to be connected to the fraud dept and provide the info you have on the caller.</li>
</ul>
<div>
Do you have any other tips to share?</div>
<div>
<br /></div>
<div>
Have you ever been contacted by someone pretending to represent the IRS?</div>
</div>
<hr />
You Gotta Be You (Barry, 2017-08-08)<br />
<br />
I just received an update from the Social Security Administration. Yes, it was real! :-) It was a reminder to log in to the SSA website to check my information online. That also made me think about advice I've written about in the past... it's critical that you connect and establish your presence on critical government websites before someone else can create an account in your name.<br />
<br />
Here's a rewind of a 2016 post with all the information...<br />
<br />
<hr />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjslVy0_1GyCSQhtPdxK4RR2RQCXIeXAwgSuoEL6ZxJ4Ri-JYr1n6oNr-8e1LSbWQR3QS3H-TlrYWIacs5-EEcvNQnIpFoLCccPoXcOMPYy0dh1ETkdUhwSJVXPz6r2T2eEcs0I-cmXPn4/s1600/SocialSecurityAdmin-Seal.svg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjslVy0_1GyCSQhtPdxK4RR2RQCXIeXAwgSuoEL6ZxJ4Ri-JYr1n6oNr-8e1LSbWQR3QS3H-TlrYWIacs5-EEcvNQnIpFoLCccPoXcOMPYy0dh1ETkdUhwSJVXPz6r2T2eEcs0I-cmXPn4/s200/SocialSecurityAdmin-Seal.svg" width="200" /></a> I recently received a letter from the SSA (Social Security Administration). It provided instructions for me to finish setting up my online account. As I've written in the past, you can, and need to, create personal accounts on the <a href="https://www.ssa.gov/">SSA</a> and <a href="http://securityandcoffee.blogspot.com/2015/03/sign-up-now-at-irsgov.html">IRS websites</a>. The key issue is that you need to reserve and establish your identity on these critical government websites before someone else does it for you! ID fraud is <a href="http://securityandcoffee.blogspot.com/2015/02/id-fraud-taxes-and-doctors-oh-my.html">still a big issue</a>.<br />
<br />
These accounts are straightforward to set up. One thing you will need to do is go through an Identity Proofing process. That process asks you for some personal information that, in theory, only you should know. I list info about the irs.gov account creation process <a href="http://securityandcoffee.blogspot.com/2015/03/sign-up-now-at-irsgov.html">in this post</a>.<br />
<br />
Here is some info from the ssa.gov website:<br />
<blockquote class="tr_bq">
You can create a <span class="my">my</span> <span class="ssa">Social Security</span> account if you’re age 18 or older, have a Social Security number, a valid email, a U.S. mailing address, and a cell phone that can receive text messages. You’ll need to provide some personal information to confirm your identity; you’ll be asked to choose a username and password; and then provide your cell phone number. You’ll then receive a security code via text that you will be required to enter when you first create an account. We’ll send your cell phone a new security code each time you log in with your username and password. The security code is part of our enhanced security feature to protect your personal information. Keep in mind that your cell phone provider's text message and data rates may apply.</blockquote>
Now SSA has increased their security by offering two-factor authentication (2FA) on their site. We've written about 2FA a <a href="http://securityandcoffee.blogspot.com/2016/05/national-betty-whites-password-day.html">number</a> of <a href="http://securityandcoffee.blogspot.com/2013/10/online-self-defense-passwords.html">times</a> in the <a href="http://securityandcoffee.blogspot.com/2015/11/do-amazon-2-step-now.html">past</a>. SSA had said this was coming and now it's available.<br />
<br />
I highly recommend that you create accounts on these sites and use 2FA where available. <a href="https://krebsonsecurity.com/2016/08/social-security-administration-now-requires-two-factor-authentication/">Here</a> are the instructions for SSA. <a href="https://www.irs.gov/individuals/get-transcript">Here</a> for the IRS. You can enable 2-factor authentication on the SSA site when you create your account. <a href="http://securityandcoffee.blogspot.com/2015/11/do-amazon-2-step-now.html">Here's a link</a> to a previous post looking at other sites where 2FA is available. Double up wherever you can!
<hr />
The Matter at the Hand (Barry, 2017-07-25)<br />
<br />
Check this out!...<br />
<br />
<iframe frameborder="no" height="100" scrolling="no" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/334322090&color=ff5500&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false" width="80%"></iframe>
<br />
<br />
Here's a transcript:<br />
<br />
Calling from Criminal Investigation Division of I-R-S. The matter at the hand is extremely time sensitive and urgent, as after all that, we found that, there was a fraud and misconduct on your tax which you are hiding from the federal government. This need to be rectified immediately so do return the call as soon as you receive the message. The toll free number is 1-8-6-6-9-7-8-6-6-1-8. I repeat again, 1-8-6-6-9-7-8-6-6-1-8. Thank you.<br />
<br />
Needless to say, this is a scam. You can look at all of <a href="http://800notes.com/Phone.aspx/1-866-978-6618">these</a> <a href="https://reportscam.com/866-978-6618/">reports</a> on <a href="https://checkwhocalled.com/phone-number/1-866-978-6618">phone</a> <a href="https://www.everycaller.com/phone-number/1-866-978-6618/">number</a> <a href="http://1-800-database.com/phone/866-978-6618">lookup</a> <a href="https://findwhocallsyou.com/8669786618">sites</a>.<br />
<br />
Now, you may think that this obviously sounds like a scam. However, it unfortunately works.<br />
<br />
So what should you do if you or someone you know receives one of these calls?<br />
<br />
<ol>
<li>Don't respond. Just leave that alone.</li>
<li>Report it. <a href="https://www.consumer.ftc.gov/articles/0076-phone-scams">Here is the FTC</a> info page on reporting scams, spams, do not call or telemarketing violations and other issues. <a href="https://www.ftc.gov/complaint">Here</a> is the complaint reporting page.</li>
</ol>
<div>
I did file a report with the FTC. It doesn't take long and it's the right thing to do.</div>
<div>
<br /></div>
<div>
While these calls can be either annoying or entertaining, the bottom line is that they work and some people do fall for these scams. So educate yourself and others.</div>
<div>
<br /></div>
<div>
Do you have any interesting robo-call or scam stories to share?</div>
Barry<br />
<br />
<hr />
<br />
2017-07-04 - All Your Bitcoin Are Belong To Us<div dir="ltr">
If you're old enough... and geeky enough, you may remember this:</div>
<div dir="ltr">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyaR3RBCZ2prsgz2Ho3V8KKnWeXQDrNsqh76A-73xDQSVH5vovHHNLdfoUNwNmQtVVQhYBlsdTeWGqv-cwko2wkG6PGzbBMvFF4POjUwDMDEgZEuuMfjSHqGpZWnL8TYYpq2f9KUpz4gc/s1600/all-your-base.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="480" data-original-width="640" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyaR3RBCZ2prsgz2Ho3V8KKnWeXQDrNsqh76A-73xDQSVH5vovHHNLdfoUNwNmQtVVQhYBlsdTeWGqv-cwko2wkG6PGzbBMvFF4POjUwDMDEgZEuuMfjSHqGpZWnL8TYYpq2f9KUpz4gc/s200/all-your-base.png" width="200" /></a></div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
All Your Base Are Belong To Us was one of the famous early internet memes. You can take a break and read more about it <a href="http://knowyourmeme.com/memes/all-your-base-are-belong-to-us">here</a> and <a href="https://en.wikipedia.org/wiki/All_your_base_are_belong_to_us">here</a>.<br />
<br />
Memes are fun! But ransomware isn't. We've talked about ransomware <a href="https://securityandcoffee.blogspot.com/2015/11/hospital-held-hostage.html">many</a> <a href="https://securityandcoffee.blogspot.com/2016/02/hospital-held-hostage-fbios-and-ceo.html">times</a> <a href="https://securityandcoffee.blogspot.com/2016/06/were-going-about-it-all-wrong.html">in</a> <a href="https://securityandcoffee.blogspot.com/2017/05/ill-cry-if-i-wanna.html">the</a> <a href="https://securityandcoffee.blogspot.com/2016/06/because-math.html">past</a>. It's a kind of virus or malware (malicious software). It's been in the <a href="http://money.cnn.com/2017/05/15/technology/ransomware-wannacry-explainer/index.html">news</a> <a href="http://www.pcworld.com/article/2084002/security/how-to-rescue-your-pc-from-ransomware.html">quite</a> a <a href="https://www.wired.com/2017/05/hacker-lexicon-guide-ransomware-scary-hack-thats-rise/">bit</a> and the <a href="http://www.csoonline.com/article/3091080/security/the-rise-of-ransomware-in-healthcare.html">healthcare</a> <a href="https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/">industry</a> has had particular ransomware problems. And the news will continue after May's "WannaCry" and June's <a href="https://www.bleepingcomputer.com/news/security/petya-ransomware-skips-the-files-and-encrypts-your-hard-drive-instead/">Petya</a>/GoldenEye <a href="https://www.wired.com/story/petya-ransomware-outbreak-eternal-blue/">global</a> <a href="https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe">attacks</a>.<br />
<br />
Basically, in a <a href="https://www.bloomberg.com/news/articles/2017-05-15/how-ransomware-works-and-avoiding-the-next-attack-quicktake-q-a">ransomware</a> <a href="http://www.spamlaws.com/how-ransomware-works.html">attack</a>, infected computers cause data to be <a href="https://hotforsecurity.bitdefender.com/blog/how-does-ransomware-work-the-ultimate-guide-to-understanding-ransomware-part-ii-11856.html">encrypted</a>. Normally encryption is a good thing, but only when you can also decrypt your data. In this attack, only the attacker can restore your access to the information, and will do so for a "small consulting fee".<br />
<br />
Payment is typically made using <a href="https://en.wikipedia.org/wiki/Bitcoin">Bitcoin</a>. Bitcoin has also been in the news. It is what is called a "crypto-currency". It's basically an online way to pay for things, kind of like an online debit card where you already have the funds in your account. The main reason Bitcoin is used for ransomware is that it is fairly anonymous, particularly when compared with traditional credit cards or banking. It's not completely anonymous - it does protect identity during transactions, but eventually someone may have to turn that bitcoin into other traditional currency.<br />
<br />
With all the ransomware attacks, some <a href="https://betanews.com/2017/06/08/uk-businesses-bitcoin-ransomware/">organizations</a> are getting <a href="http://www.csoonline.com/article/3186493/security/dont-pay-ransoms-but-if-you-must-heres-where-to-buy-the-bitcoins.html">bitcoins</a> so that they are ready in case they need to pay ransom!<br />
<a name='more'></a> Law enforcement typically advises <a href="https://www.forbes.com/sites/haroldstark/2017/02/28/when-attacked-by-ransomware-the-fbi-says-you-shouldnt-pay-up/#7a507194f5e6">against</a> preemptively buying bitcoins and paying ransom... <a href="http://www.hollywoodreporter.com/news/fbi-gives-hollywood-hacking-victims-surprising-advice-pay-ransom-1001515">except</a> when they <a href="https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/">don't</a>!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKislSS2fBbmqh1lbyow682u2XPXdEtFhewSIbmsgOPPz-ghtO4lPIjbjPhlpDJ0aSBfk5IpXy3_52Z0IdvyxRVkT-E9kNl0nNkD5WrIikU2Hy9O4Dp4AtyeCGyDD8z9lQ7SsQ_1xRRSU/s1600/bitcoin1.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="526" data-original-width="530" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKislSS2fBbmqh1lbyow682u2XPXdEtFhewSIbmsgOPPz-ghtO4lPIjbjPhlpDJ0aSBfk5IpXy3_52Z0IdvyxRVkT-E9kNl0nNkD5WrIikU2Hy9O4Dp4AtyeCGyDD8z9lQ7SsQ_1xRRSU/s200/bitcoin1.png" width="200" /></a></div>
<br />
Here's the thing... if an organization pays the ransom, there is no guarantee that the attacker will <a href="https://www.extremetech.com/extreme/229162-hospital-pays-ransomware-but-doesnt-get-files-decrypted">provide</a> the <a href="http://www.pcworld.com/article/3196880/security/paying-the-wannacry-ransom-will-probably-get-you-nothing-heres-why.html">key</a> to <a href="https://www.bleepingcomputer.com/news/security/ultracrypter-not-providing-decryption-keys-after-payment-launches-help-desk/">decrypt</a> their data! This has happened in the past. Or, if an organization pays, they have shown that they are both vulnerable and a source of income for the attacker. So wouldn't that attacker hit the same organization again? And again.<br />
<br />
That said, there could be situations in which an unprepared organization may have no other <a href="http://fortune.com/2016/05/07/health-care-ransomware/">alternative</a> than to pay the ransom. We have seen this in the news, and <a href="https://www.modernhealthcare.com/article/20160217/NEWS/160219920">not just</a> from small organizations.</div>
<div dir="ltr">
<br />
I'm not going to go into an explanation of how bitcoin works. If you're interested, <a href="https://bitcoin.org/en/how-it-works">here</a> <a href="https://www.youtube.com/watch?v=l9jOJk30eQs">are</a> <a href="https://www.forbes.com/sites/investopedia/2013/08/01/how-bitcoin-works/#5f65b0a517ff">some</a> <a href="http://www.coindesk.com/bitcoin-explained-five-year-old/">resources</a>. But unlike funds in most regulated banks or investment companies, there is no such oversight protecting bitcoin or other crypto-currency. The bitcoin holder has considerable responsibility, and needs knowledge, to protect their wallet.<br />
<br />
And, in fact, there have been some attacks on crypto-currency holders. From the highly-publicized attack on bitcoin exchange <a href="https://www.nytimes.com/2014/02/25/business/apparent-theft-at-mt-gox-shakes-bitcoin-world.html">Mt. Gox</a> in 2014, to <a href="https://www.forbes.com/sites/francescoppola/2016/08/06/theft-and-mayhem-in-the-bitcoin-world/#347d6a25644f">more</a> <a href="http://www.reuters.com/article/us-bitfinex-hacked-hongkong-idUSKCN10E0KP">recent</a> <a href="https://www.forbes.com/sites/laurashin/2016/05/30/mystery-solved-6-6-million-bitcoin-theft-that-brought-down-dark-web-site-tied-to-2-florida-men/#39da112723d5">thefts</a>, poor security has led to losses. And without any kind of government or hard-asset backing, stolen bitcoin is likely unrecoverable.<br />
<br />
As for the future of crypto-currencies, only time will tell. If you decide to get some bitcoin or other online currencies, be sure that you're protecting your digital wallet with very strong passwords, use 2-factor authentication wherever you use online transactions, and you can even store your digital wallet offline on removable media like a usb stick. <a href="https://www.welivesecurity.com/2015/03/03/10-tips-protecting-virtual-bitcoin-wallet/">Here</a> <a href="https://nakedsecurity.sophos.com/2014/01/23/bitcoin-wallets-how-to-protect-your-digital-currency/">are</a> a few more ideas.<br />
<br />
Even if you're not considering online/digital currencies, many people use their smartphones either for payment (Apple Pay, Android Pay, etc.) or for their banking. <a href="https://www.supermoney.com/2012/12/5-important-ways-to-protect-your-digital-wallet-2/">Here are</a> <a href="https://www.cheatsheet.com/personal-finance/5-ways-to-protect-your-digital-wallet.html/?a=viewall">some tips</a> for protecting your mobile smartphone wallet.<br />
<br />
Have you, or would you, use online crypto-currencies like Bitcoin?</div>
Barry<br />
<br />
<hr />
<br />
2017-06-20 - Payday!<br />
<br />
I received this great news in email today. For some reason gmail marked it as spam! But it looks great to me! :-)<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1fbvcPogDhwbeKnNN0nnOJLD9QC0QLAxHvNtgSw43WynAUva34N-o3WsFu9rBcoCq9BhhMupL-LmcDjH6xC5qHAQPXkyaK72o1xbqixE1yF066OvWwf0xOI4mljECRlvtKd7wc0vpXVA/s1600/US+Treas+email+spam.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="660" data-original-width="1115" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1fbvcPogDhwbeKnNN0nnOJLD9QC0QLAxHvNtgSw43WynAUva34N-o3WsFu9rBcoCq9BhhMupL-LmcDjH6xC5qHAQPXkyaK72o1xbqixE1yF066OvWwf0xOI4mljECRlvtKd7wc0vpXVA/s400/US+Treas+email+spam.png" width="400" /></a></div>
<div>
<a name='more'></a></div>
<div>
OK, so clearly it's not real. Let's talk about the indicators...</div>
<div>
<ol>
<li>The From line - the email address doesn't match the name of the sender</li>
<li>A Reply-To line that is yet another different address. In this case I'd expect addresses with treasury.gov or something similar</li>
<li>Generic greeting - it doesn't use my name, or any name, or a company name</li>
<li>Promise of a big payout - no, I didn't win!</li>
<li>Generic info - once again, nothing that refers directly to me. Yes, I guess this could be a generic form email, but not for this kind of payout!</li>
<li>Call to action - while the email contains no links or attachments, it first enticed me with a big payday and then wants me to take action. And what's the harm in replying?... it lets them know that I am real and that I am willing to take the next step. The next step could involve: sending my bank info, providing other personal info, or even arranging an in-person meeting.</li>
<li>Context - perhaps most importantly, this email just doesn't make sense for me. I don't own a company and there is just no context for me receiving this.</li>
</ol>
</div>
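Several of these indicators can be checked mechanically before a human even reads the message. As an added example (not code from the original post), this Python script scores a message against the From/Reply-To, greeting, payout and call-to-action clues above; the sample messages and every address in them are constructed, not the spam in the screenshot.

```python
"""Score an email against the indicators listed above (added example; the
sample messages and their addresses are constructed, not the screenshot's)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample showing the indicators from the post: display name that
# doesn't match the address, Reply-To elsewhere, generic greeting, big payout,
# and a request to reply with no link or attachment.
SAMPLE = """\
From: "U.S. Department of the Treasury" <treas.notice@example-freemail.net>
Reply-To: claims.office@another-freemail.org
To: undisclosed-recipients:;
Subject: Notification of Approved Fund Release

Dear Beneficiary,

We are pleased to inform you that your compensation payment of $2,500,000
has been approved. Reply to this message to begin the release process.
"""

# Constructed benign message from a known contact, for comparison.
BENIGN = """\
From: "Alice Example" <alice@example.com>
To: barry@example.com
Subject: Tomorrow

Hi Barry,

See you at the meeting tomorrow.
"""

GENERIC_GREETINGS = ("dear beneficiary", "dear customer", "dear sir",
                     "dear friend", "dear winner", "hello,", "greetings")
ACTION_WORDS = ("reply", "respond", "contact", "call", "send your")


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> dict:
    """Return a dict of indicator -> bool for the machine-checkable clues.
    Clues 5 and 7 (generic content, no personal context) need a human."""
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    display, _ = parseaddr(from_hdr)
    from_domain = domain_of(from_hdr)
    reply_hdr = msg.get("Reply-To")
    body = "" if msg.is_multipart() else msg.get_payload()
    lower = body.lower()
    first_line = next((ln for ln in body.splitlines() if ln.strip()), "").lower()

    # 1. Display name words ("treasury") absent from the sending domain.
    name_words = re.findall(r"[a-z]{4,}", display.lower())
    name_mismatch = bool(name_words) and not any(w in from_domain for w in name_words)
    # 2. Reply-To routes answers to a different domain than From.
    reply_elsewhere = bool(reply_hdr) and domain_of(reply_hdr) != from_domain
    # 3. Greeting addressed to nobody in particular.
    generic_greeting = any(first_line.startswith(g) for g in GENERIC_GREETINGS)
    # 4. A large sum of money is promised.
    big_payout = bool(re.search(r"\$\s?\d{1,3}(?:,\d{3}){2,}|\bmillion\b", lower))
    # 6. Asks you to act, yet carries no link or attachment to click.
    asks_reply = any(w in lower for w in ACTION_WORDS)
    action_without_link = asks_reply and "http" not in lower and not msg.is_multipart()

    return {
        "from_name_mismatch": name_mismatch,
        "reply_to_elsewhere": reply_elsewhere,
        "generic_greeting": generic_greeting,
        "big_payout": big_payout,
        "action_without_link": action_without_link,
    }


def score(raw: str) -> int:
    """Number of indicators triggered; anything above one deserves a close look."""
    return sum(check_message(raw).values())


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, score(raw), check_message(raw))
```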
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeb3Ht1vax6TGDcwyOZH2uBQlh9vbsxHab_GTHVbNcY1QeKcQke8EgBRtDte5t_a1qQc1RJpB2qQEu_LzGPHBb8QvPh_2x57HhzRkS8vCrV02QovaCBRlmq_dBA85bDPECkHpcqQOM8Io/s1600/US+Treas+email+spam2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="904" data-original-width="1600" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeb3Ht1vax6TGDcwyOZH2uBQlh9vbsxHab_GTHVbNcY1QeKcQke8EgBRtDte5t_a1qQc1RJpB2qQEu_LzGPHBb8QvPh_2x57HhzRkS8vCrV02QovaCBRlmq_dBA85bDPECkHpcqQOM8Io/s400/US+Treas+email+spam2.png" width="400" /></a></div>
<div>
<br /></div>
<div>
Do you see any other indicators? Would you have responded?</div>
Barry<br />
<br />
<hr />
<br />
2017-05-23 - I'll Cry if I Wanna<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTkKbL-uyM_Yv8qYk6H1WoDtjHCFMOvMv8WpfMKsbmqsZXjKYGY-4R99nZOYuVn2-GleWiEKdWm18vpWgovK3nkylpEPD18HElLddquBEmLSsa30ItuxcNso_JMf2U2lAZbu_97_kGung/s1600/Wana_Decrypt0r_screenshot.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTkKbL-uyM_Yv8qYk6H1WoDtjHCFMOvMv8WpfMKsbmqsZXjKYGY-4R99nZOYuVn2-GleWiEKdWm18vpWgovK3nkylpEPD18HElLddquBEmLSsa30ItuxcNso_JMf2U2lAZbu_97_kGung/s200/Wana_Decrypt0r_screenshot.png" width="200" /></a></div>
I try not to jump on bandwagons, but with so much coverage and so many effects of the whole worldwide <a href="https://en.wikipedia.org/wiki/WannaCry_ransomware_attack">WannaCry</a> mess, I do have a few things to say. I have a few different things to cover that you may not have seen elsewhere.<br />
<br />
There's been <a href="https://www.musttechnews.com/need-know-wanna-cry-virus/">plenty</a> <a href="https://bgr.com/2017/05/15/wanna-cry-ransomware-virus-windows-wannacry-explainer/">of</a> <a href="http://www.cnn.com/2017/05/14/opinions/wannacrypt-attack-should-make-us-wanna-cry-about-vulnerability-urbelis/index.html">media</a> <a href="https://www.snapmunk.com/7-wannacry-facts/">coverage</a> so I'll just give a high level overview of what happened. Like many other nations, the US <a href="https://www.nsa.gov/">National Security Agency</a> (NSA) studies computer flaws and develops ways to attack them. The <a href="https://en.wikipedia.org/wiki/The_Shadow_Brokers">Shadow</a> <a href="https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/">Brokers</a> are a hacker group who started leaking some of these NSA-developed attacks in the second half of 2016. The <a href="https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/">April 2017 edition</a> of their leaks included the code that enabled the WannaCry attack.<br />
The attack that started on Thurs May 11 consisted of two parts. One would encrypt files so that the owner could not get access to their files (commonly called "<a href="https://blog.fortinet.com/2016/06/24/ransomware-from-fins-to-wings">CryptoWare</a>"). The other part could get remote access to any vulnerable computer. This was a very powerful combination and this is the first time we've seen this kind of auto-spreading cryptoware. Once infected, the victim sees a screen that directs them to pay a ransom in bitcoin - so the whole attack is considered "<a href="https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx">Ransomware</a>".<br />
<br />
Now, Microsoft did release a patch in March to fix some of these problems, in particular the remote access part. So no problem, right? Desktops and laptops are usually easier to patch, and you should always have your home systems set to automatically update. But servers need more testing to assure that applications continue to work as expected.<br />
<br />
Patching was a critical part of the fix, but there was definitely more to it including things like new anti-virus signatures, whitelisting, intrusion prevention signatures and firewall rules.<br />
<a name='more'></a> One reason healthcare orgs seemed to be hit hard, including the British <a href="http://www.nhs.uk/pages/home.aspx">National Health Service</a> (NHS), is that healthcare often has many older systems and applications. These can be hard to update. With NHS, most of their desktop systems were running Windows XP!<br />
<br />
So much for a short overview!<br />
<br />
But now... who is to blame?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/KGUmfhURKcY/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/KGUmfhURKcY?feature=player_embedded" width="320"></iframe></div>
<br />
On his <a href="https://www.grahamcluley.com/podcasts/">podcast</a>, episode 21, <a href="https://www.grahamcluley.com/">Graham Cluley</a> asked this question. In particular, the question was, which of Microsoft, NSA, Shadow Brokers are to blame. You can listen to hear what they said.<br />
<br />
Here's my opinion. There's one group to blame and then an additional area of concern.<br />
<br />
The "blame" goes to those who carried out the exploit! Yes, they took advantage of existing vulnerabilities and companies that didn't protect their systems, but that's beside the point. I mean, just because a bank has a welcome mat at the door doesn't mean you're allowed to rob it.<br />
<br />
Now, what about these software vulnerabilities? Why do we keep having these problems? Someone has to write these in the first place. I'm not picking on software developers. I've been one. It's a hard job. Code is very complex. This is something we call secure software engineering and it's not easy, but there are tools available to help us.<br />
<br />
For additional reading, security expert <a href="http://ranum.com/">Marcus Ranum</a> was talking about this whole <a href="http://www.ranum.com/security/computer_security/archives/issa-minneapolis-2005.pdf">complexity issue</a> 12 or more years ago.<br />
<br />
And, not to pick on Microsoft, but why do we give everyone a computer with a general purpose operating system when most people only do specific things like email or word processing (which can both be accomplished inside a browser)? The more we can simplify the better off we'll be.<br />
And then there's the corresponding <a href="http://dan.tobias.name/thenet/monoculture.html">monoculture</a> <a href="http://www.eweek.com/security/is-computer-monoculture-the-way-of-the-world">problem</a> we were discussing 15-20 years ago - if everyone's computer is basically the same then one problem can take them all out (think <a href="https://en.wikipedia.org/wiki/Phytophthora_infestans">potato</a> <a href="https://en.wikipedia.org/wiki/Great_Famine_%28Ireland%29">blight</a>). And that seems to happen pretty regularly (to computers, not crops)! The answer here is special purpose computing, and the more scaled down the better. I'm a big fan of "thin" systems like chromebooks.<br />
<br />
What can you do to protect yourself?<br />
<br />
At home and at work:<br />
<ul>
<li>be careful with links and attachments</li>
</ul>
At work:<br />
<ul>
<li>follow security policies</li>
<li>work with your IT team on all technology needs (if it uses electricity, it could pose a security issue)</li>
</ul>
At home:<br />
<ul>
<li>use the default for windows updates</li>
<li>use <a href="https://www.flexerasoftware.com/enterprise/products/software-vulnerability-management/personal-software-inspector/">Secunia PSI</a></li>
<li>if you use windows, turn on all the default protections</li>
<li>back up your stuff - there are many good tools available for home backups including <a href="https://www.carbonite.com/">Carbonite</a> and <a href="https://www.crashplan.com/en-us/">CrashPlan</a>, or even Microsoft OneDrive or Google Drive</li>
<li>encrypt your stuff - two good choices for this are <a href="https://technet.microsoft.com/en-us/library/cc766295(v=ws.10).aspx">bitlocker</a> and <a href="https://veracrypt.codeplex.com/">veracrypt</a></li>
</ul>
<div>
You need to take these kinds of steps now, particularly at home. We are going to see more new and bigger attacks coming in the future.</div>
Barry<br />
<br />
<hr />
<br />
2017-05-09 - Google Docs and the Mailinator<br />
<br />
You're minding your own business, just checking email, when you get an email from a "friend" inviting you to get a shared Google Doc file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXAhsH7BNEdaOfhVgRL7kC4rKsXneAPzP8qDYC_aO_GRl6pcrEWWPrfy8Hk7S38eVvvs5z6Pt2_xKdi-SO2hxMlzL25Bj2X1Ey4WoZTI2HrBaZHI3_ZoizDkQ0M9ld_uTy7wS_51E-7Zs/s1600/google+docs+spam+screen+shot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXAhsH7BNEdaOfhVgRL7kC4rKsXneAPzP8qDYC_aO_GRl6pcrEWWPrfy8Hk7S38eVvvs5z6Pt2_xKdi-SO2hxMlzL25Bj2X1Ey4WoZTI2HrBaZHI3_ZoizDkQ0M9ld_uTy7wS_51E-7Zs/s320/google+docs+spam+screen+shot.png" width="320" /></a></div>
You're a student of security, or at least a fan, so you're always skeptical when you receive an email with a link or attachment. This one appears to come from someone you know. The subject and body of the message seem consistent with a Google doc sharing message.<br />
<br />
Problem clue #1 - look at the "To:" line. Clearly, this message wasn't sent to you.<br />
<br />
Problem clue #2 - were you expecting this email and file? Has this sender sent you Google docs in the past? Did this email arrive at work or home - and do you normally use Google docs there?<br />
<br />
But, you are rushed and don't have time to send your friend a message to see if this email is legit. So you click. If you're not already logged in to your Google account, you're asked to log in. What you see next is...<br />
<a name='more'></a><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPuV24icfBk-1OPlPOz-_wXN5fSOFMuVXIAp8DSgfi0LL5qq9bi-Gs_TQ2mnMwC5utLOoQgg1fS2pWkmfpWh6MZmqhOtUl4kH5cB1SYUYqIpx-RNcNSlVIwVBxOyah-0EwFfUGOeL_pT4/s1600/GDocs_phishing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPuV24icfBk-1OPlPOz-_wXN5fSOFMuVXIAp8DSgfi0LL5qq9bi-Gs_TQ2mnMwC5utLOoQgg1fS2pWkmfpWh6MZmqhOtUl4kH5cB1SYUYqIpx-RNcNSlVIwVBxOyah-0EwFfUGOeL_pT4/s320/GDocs_phishing.png" width="320" /></a></div>
Now here's where it gets interesting.<br />
<br />
Problem clue #3 - look at those permissions. This "document" wants to manage my email? And my contacts??? Denied! But many people clicked. (see below for information on what to do if you did click) The thing to remember here is that you should always look at what permissions an app wants and if you don't want to give those permissions, or if you don't understand those permissions... then don't click "Allow"!<br />
<br />
So <a href="http://www.telegraph.co.uk/technology/2017/05/04/avoid-google-docs-phishing-attack/">what</a> <a href="https://www.vox.com/new-money/2017/5/3/15534984/google-docs-phishing-hack">exactly</a> <a href="https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam">happened</a> <a href="https://www.wired.com/2017/05/dont-open-google-doc-unless-youre-positive-legit/">here</a>? The "attacker" created a malicious app called "Google Docs". When executed, it grabs your address book and sends a sharing message to your contacts. When you click, you first log in to your legit Google account (if you're not already logged in). The app then redirects you to a non-Google page that looks like a Google page and asks you to grant email and contacts management to the app. If you click "Allow", you have allowed the app to use your Gmail login so it has access to your contacts... and the emails continue.<br />
<br />
The way Google grants permission without just sending your password is using something called OAuth (pronounced o-wath). I won't go into details here, but if you're interested, <a href="https://blog.varonis.com/introduction-to-oauth/">here</a> <a href="https://aaronparecki.com/oauth-2-simplified/">are</a> <a href="https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2">some</a> <a href="https://stormpath.com/blog/what-the-heck-is-oauth">good</a> explanations. The bottom line is that the app didn't need to steal your password to do this. However, the app did control your gmail, and you likely have that connected to many other accounts. This app could have easily changed your gmail password and possibly passwords to other accounts you own as well. This is why your personal email is important to protect... because it's likely connected with so many other accounts.<br />
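The two things to look at before clicking "Allow" are whether the consent page is really Google's and whether the requested permissions fit what a shared document needs. As an added example (not code from the original post), this Python script breaks an OAuth 2.0 authorization URL down into exactly those checks; the scope strings are real Google API scopes, while the client ids, redirect hosts and the look-alike consent page are constructed placeholders.

```python
"""Review an OAuth consent request the way the post recommends: is the
consent page really Google's, and does a "shared document" app need the
scopes it asks for? Added example; every request URL below is constructed."""
from urllib.parse import urlparse, parse_qs

# Scopes a document-sharing viewer could plausibly need.
# The scope strings are real Google API scopes; the app is hypothetical.
EXPECTED_FOR_DOC_VIEWER = {
    "openid",
    "email",
    "https://www.googleapis.com/auth/drive.file",
}
# Scopes that let an app act as you; these are the "manage your email /
# contacts" permissions the screenshot above asks for.
HIGH_RISK = {
    "https://mail.google.com/": "read, send and delete your Gmail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify your mailbox",
    "https://www.googleapis.com/auth/gmail.send": "send mail as you",
    "https://www.googleapis.com/auth/contacts": "read and modify your contacts",
}
# Google's real sign-in/consent host; anything else is someone's look-alike.
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}

# Constructed authorization request resembling the campaign's (client_id,
# redirect_uri and state are placeholders, not the attacker's real values).
OVERREACHING_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts%20openid%20email"
    "&state=PLACEHOLDER-STATE"
)
# Constructed request that asks only for what a file viewer needs.
MODEST_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fviewer.example.net%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file"
)
# Constructed request whose "consent page" is not Google at all.
FAKE_CONSENT_PAGE = (
    "https://login.example-phish.net/o/oauth2/v2/auth"
    "?client_id=PLACEHOLDER&redirect_uri=https%3A%2F%2Fviewer.example.net%2Fcb"
    "&response_type=code&scope=openid"
)


def review_consent_request(url: str) -> dict:
    """Break an authorization URL into the things a user should look at."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)            # also percent-decodes values
    scopes = set(params.get("scope", [""])[0].split())
    callback_host = urlparse(params.get("redirect_uri", [""])[0]).hostname or ""
    return {
        "consent_page_is_google": parsed.hostname in GOOGLE_AUTH_HOSTS,
        "app_callback_host": callback_host,
        "requested": scopes,
        "unexpected": scopes - EXPECTED_FOR_DOC_VIEWER,
        "high_risk": {s: HIGH_RISK[s] for s in scopes if s in HIGH_RISK},
    }


def verdict(url: str) -> str:
    """What to click: the post's rule is don't Allow what you don't understand."""
    r = review_consent_request(url)
    if not r["consent_page_is_google"]:
        return "deny: consent page is not accounts.google.com"
    if r["high_risk"]:
        wants = "; ".join(r["high_risk"].values())
        return f"deny: a shared document does not need to {wants}"
    if r["unexpected"]:
        return "review: unexpected scopes " + ", ".join(sorted(r["unexpected"]))
    return "allow: scopes match a document viewer"


if __name__ == "__main__":
    for url in (OVERREACHING_REQUEST, MODEST_REQUEST, FAKE_CONSENT_PAGE):
        print(verdict(url))
```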
<br />
I do think that gmail is a very good service. You should use it and protect it with 2-factor authentication.<br />
<br />
Note that for most people, this attack was on their personal gmail. However, many companies use Google Apps as their enterprise "office" solution. That means that some people's work email was compromised and that can lead to breaches or other problems.<br />
<br />
What should you do? Whether you clicked or not, it's always important to understand what apps are connected with your Google account. You can check that by going to <a href="https://myaccount.google.com/security?pli=1#connectedapps">https://myaccount.google.com/security?pli=1#connectedapps</a>. This will show you what apps are connected to your account. If you don't recognize one, get rid of it!<br />
<br />
While you're there, at <a href="https://myaccount.google.com/security">https://myaccount.google.com/security</a> you can run a total security check of your Google account. Do it!<br />
<br />
Finally, you can change your Google password, though this attack would not have stolen your password. The attacker could have changed your password, but you'd probably know that!<br />
<br />
One more note... there is speculation that a student may have created this "virus" as an experiment and it got out of hand. Stay tuned for more news...<br />
<br />
Barry<br />
<br />
<hr />
<br />
2017-04-25 - World Password Day and Teen Power<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj-3CgB8vwqP4C7nONsRpZSXeByYC2HxCfpWlzbRSUloPCkZWQNT2CiHiTRVnIFmsJPWEV_vg4aS_POA3ZXo96egVo4QwXcWb0-ljj6Bk-HXDPRAK8BuF4bYOUO9JUSBMpJyASAOsrYm0/s1600/WPD2016-Step1-FB-Partner.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj-3CgB8vwqP4C7nONsRpZSXeByYC2HxCfpWlzbRSUloPCkZWQNT2CiHiTRVnIFmsJPWEV_vg4aS_POA3ZXo96egVo4QwXcWb0-ljj6Bk-HXDPRAK8BuF4bYOUO9JUSBMpJyASAOsrYm0/s200/WPD2016-Step1-FB-Partner.jpg" width="200" /></a> Thurs May 4, 2017 is <a href="https://passwordday.org/">World Password Day</a>! I know that's coming up fast, but don't worry, you still have time to plan your celebration. No, that's not the day when you share your password with the world. Nor is it about changing your bank password from 123456 to 1234567.<br />
<br />
I've written about this in the <a href="https://securityandcoffee.blogspot.com/2016/05/national-betty-whites-password-day.html">past</a>. World Password Day is a day to learn and it's yet another opportunity to take a look at what is protecting your personal information, your financial information, your medical information as well as your internet presence and reputation. Most passwords provide a thin veil of protection.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikf2njp5o00Sy4Ibe8F05sPFDIr7SZpQghlcL4S27HV6kWsbV8ghKzO1RECpaYz_dxGzlfPd1lCilHAYU2sT1P9lRNKlLaVFkKiv9-4zCGaBe4RcxbE-xb6xpZnD0olOh6VL53bxZ3b6Y/s1600/WPD2016-Step2-FB-Partner.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikf2njp5o00Sy4Ibe8F05sPFDIr7SZpQghlcL4S27HV6kWsbV8ghKzO1RECpaYz_dxGzlfPd1lCilHAYU2sT1P9lRNKlLaVFkKiv9-4zCGaBe4RcxbE-xb6xpZnD0olOh6VL53bxZ3b6Y/s200/WPD2016-Step2-FB-Partner.jpg" width="200" /></a> On World Password Day, we should look at the 4 main problems we can very easily fix:<br />
<ol>
<li>People choose weak or easily guessable passwords - the simple fix is to choose better passwords! As I've <a href="https://securityandcoffee.blogspot.com/2014/02/bad-policies-bad-passwords.html">said</a> <a href="https://securityandcoffee.blogspot.com/2013/11/rhymes-with-assword.html">many</a> <a href="https://securityandcoffee.blogspot.com/2013/12/password-problems-again.html">times</a> in the <a href="https://securityandcoffee.blogspot.com/2016/10/cant-live-with-em-cant-live-without-em.html">past</a>, when it comes to passwords, size matters! Make 'em long. But even if you choose a good password...</li>
<li>Passwords get reused among sites - this is a major problem because the attackers will try <a href="https://securityandcoffee.blogspot.com/2016/12/ya-how.html">stolen</a> <a href="https://securityandcoffee.blogspot.com/2013/10/online-self-defense-passwords.html">passwords</a> at <a href="https://securityandcoffee.blogspot.com/2013/05/so-long-and-thanks-for-all-passwords.html">other</a> <a href="https://securityandcoffee.blogspot.com/2012/08/and-password-is-monkey.html">sites</a>. And it works. So choose a unique password for every site on which you have an account. But...</li>
<li>We can't remember all our passwords - so, as we've discussed in the past, use a <a href="https://securityandcoffee.blogspot.com/2016/02/how-to-vault-part-1.html">password</a> <a href="https://securityandcoffee.blogspot.com/2016/03/how-to-vault-part-2.html">vault</a>. The <a href="https://securityandcoffee.blogspot.com/2016/11/patch-vault-n-fob.html">vault</a> is a <a href="https://securityandcoffee.blogspot.com/2015/12/whats-in-your-home-computer-security.html">program</a> that will help you choose great passwords, recall those passwords and protect them. But sometimes that's not enough because...</li>
<li>Even well-chosen passwords can be guessed or hacked - so for extra protection use two-factor authentication (also called multi-factor authentication). Typically this means using an app on your smartphone as part of the login process. That means, to break into your account, an attacker would need both your (long, strong) password AND your smartphone. That's hard for the attacker to do. And using multi-factor is easy! Setting up 2-factor authentication is easier than ever before and is in use on many mainstream sites including <a href="https://www.google.com/landing/2step/">Google</a>, <a href="https://www.facebook.com/help/community/question/?id=10151548571887325">Facebook</a> and <a href="https://www.cnet.com/how-to/how-to-enable-twitters-two-factor-authentication/">Twitter</a>. Here's some <a href="https://twofactorauth.org/">info</a> on sites offering <a href="http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now">2-factor</a> authentication.</li>
</ol>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5aRMNTeHrvMYoKWFXiUVO51qX7hGBkejugYJC-yBhY_WxjT1EUmSUca7ui9R1G00R0mVV8OMX_4Hpb-3hWoSTXIyF5ufT4Pusdc81f6G1n5qjNj4C1Q5IAgZPezcouH77ewmWRh-rnws/s1600/WPD2016-Step3-FB-Partner.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5aRMNTeHrvMYoKWFXiUVO51qX7hGBkejugYJC-yBhY_WxjT1EUmSUca7ui9R1G00R0mVV8OMX_4Hpb-3hWoSTXIyF5ufT4Pusdc81f6G1n5qjNj4C1Q5IAgZPezcouH77ewmWRh-rnws/s200/WPD2016-Step3-FB-Partner.jpg" width="200" /></a><br />
The <a href="https://passwordday.org/">WPD website</a> has some high level guidance on each of these as well as those great <a href="https://securityandcoffee.blogspot.com/2016/05/national-betty-whites-password-day.html">Betty White videos</a>!</div>
<br />
And if all those aren't enough reasons to move to 2-factor authentication, now... that pinnacle of journalism... Teen Vogue has put out a really good article on the subject! You can <a href="https://www-teenvogue-com.cdn.ampproject.org/c/www.teenvogue.com/story/why-two-factor-authentication-is-important/amp">read it here</a>.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3Bx484wbRjmknLEK6LxH1P8rV-L95pCrcuG4g45TvEwDNKAMhhEUjw6XlSFtvUMlJy_kSKffJfWWmkgRpFMDwgXhap-myogriqSB2sd9IQl3A4lZZs5OxNV_FAzDdJtpROn9h-bZqIvs/s1600/WPD2016-Step4-FB-Partner.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3Bx484wbRjmknLEK6LxH1P8rV-L95pCrcuG4g45TvEwDNKAMhhEUjw6XlSFtvUMlJy_kSKffJfWWmkgRpFMDwgXhap-myogriqSB2sd9IQl3A4lZZs5OxNV_FAzDdJtpROn9h-bZqIvs/s200/WPD2016-Step4-FB-Partner.jpg" width="200" /></a> In addition to really good coverage of 2-factor methods and websites, the article also goes into more advanced topics like the use of a physical fob called a <a href="https://www.yubico.com/about/background/fido/">Yubikey</a>.<br />
<br />
What is really significant is that this article is directed at a population who both grew up with technology and is used to sharing everything. The key message is that there are good reasons for protecting your information and reputation, even if you don't yet have financial assets or a job.<br />
<br />
So, are you ready to take the World Password Day challenge? Start slowly. Get a password vault and start with your most important sites: banks, insurance, investment and social media. Change the passwords to unique, long, strong ones.<br />
Barry<br />
<br />
<hr />
<br />
Cyberbullying and the New Math (2017-04-11)<br />
<br />
According to the <a href="http://cyberbullying.org/">Cyberbullying Research Center</a>, the <a href="http://cyberbullying.org/new-bullying-data-definition-national-crime-victimization-survey">National Crime Victimization Survey</a> (NCVS) is a large-scale data collection effort led by the U.S. Census Bureau and the Bureau of Justice Statistics. This study has been going on since 1973. In 1989 they added supplemental questions focused on school-related incidents, and stepped this up to a more in-depth biennial survey in 2005.<br />
<br />
Cyberbullying is still a major issue. It's been over 4 years since I last <a href="https://securityandcoffee.blogspot.com/2013/03/pro-hero-instead-of-anti-bully.html">wrote</a> on <a href="https://securityandcoffee.blogspot.com/2013/11/cyberbullying-improvements-or-more.html">this</a> <a href="https://securityandcoffee.blogspot.com/2013/11/internet-safety-song-remains-same.html">subject</a>. While there is perhaps more visibility, the basic problems haven't changed.<br />
<br />
Based on the above benchmark, at first glance, bullying appears to be trending down over the past decade.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgghHtRXoWiyESBURRNELX7p8X-cogXn1dTNj_oWGpw-y8AqTZYtdwtlGh_-Q0qN7lGOAyvR7JPXxLyZtfY_8hab_mWjDb9lCwv4uteqr0vYsUhNjgXBjEtQoAt37hQ4yb3mUj3oc2PC9w/s1600/Bullying_Over_Time_2005-2015.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgghHtRXoWiyESBURRNELX7p8X-cogXn1dTNj_oWGpw-y8AqTZYtdwtlGh_-Q0qN7lGOAyvR7JPXxLyZtfY_8hab_mWjDb9lCwv4uteqr0vYsUhNjgXBjEtQoAt37hQ4yb3mUj3oc2PC9w/s320/Bullying_Over_Time_2005-2015.jpg" width="320" /></a></div>
<br />
While there have been some <a href="https://nobullying.com/six-unforgettable-cyber-bullying-cases/">high-profile cases</a> over the years, this is a real, current and ongoing issue.<br />
The problem with the US Census figures is that they don't line up with other studies. For example, this data from the Cyberbullying Research Center tells a different story.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_1ge0cT9nlmIUWoHLLtdp0NUJSdFL1tb-8X9_oduz3UvTqCOmvjn33tLeqcsQKyhhm1_53wBCrtv7hXxodt1D1TUcW86cZVftks38kMmJdBclcf1f7wc7o6hPNTbDoe_YhAAgxPx6tgs/s1600/Cyberbullying_Victimization_all_studies_2016.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_1ge0cT9nlmIUWoHLLtdp0NUJSdFL1tb-8X9_oduz3UvTqCOmvjn33tLeqcsQKyhhm1_53wBCrtv7hXxodt1D1TUcW86cZVftks38kMmJdBclcf1f7wc7o6hPNTbDoe_YhAAgxPx6tgs/s320/Cyberbullying_Victimization_all_studies_2016.jpg" width="320" /></a></div>
<br />
There is a need to get useful and accurate data on this for 2 reasons: to quantify how prevalent the issue is, so that resources are put toward solutions; and so that victims know that they aren't alone.<br />
<br />
Good data will help understand which solutions work, and how well.<br />
<br />
So, while the experts work out the stats, let's look at some tips:<br />
<ul>
<li>Keep a safe and open environment for your kids. Make sure they know that they can come to you to talk about any issues.</li>
<li>Make sure that your kids know it is not ok to participate in any kind of bullying.</li>
<li>Learn about your kids' technology - sometimes that's easier said than done.</li>
<li>Check with your school about their technology and social media policies.</li>
</ul>
<br />
Here are some great additional tips and resources:<br />
<ul>
<li>The Hero Construction Company - <a href="http://www.theherocc.com/">website</a> and <a href="https://twitter.com/theherocc/">twitter feed</a></li>
<li>StopBullying.gov <a href="http://www.stopbullying.gov/cyberbullying/index.html">website</a></li>
<li>National Crime Prevention Council <a href="https://ncpc.org/topics/cyberbullying">website</a></li>
<li>11 Facts About Cyberbullying <a href="https://www.dosomething.org/us/facts/11-facts-about-cyber-bullying">link</a></li>
<li>Common Sense Media <a href="http://www.commonsensemedia.org/cyberbullying">website</a></li>
<li>Stomp Out Bullying <a href="http://stompoutbullying.org/">website</a></li>
<li>The Bully Project <a href="http://www.thebullyproject.com/">http://www.thebullyproject.com/</a></li>
<li>Connect Safely <a href="http://www.connectsafely.org/cyberbullying/">http://www.connectsafely.org/cyberbullying/</a></li>
<li>PACER's National Bullying Prevention Center <a href="http://www.pacer.org/bullying/">http://www.pacer.org/bullying/</a></li>
</ul>
Finally, here's a video from the <a href="http://stopcyberbullying.org/">Stop Cyber Bullying website</a>. It's part of the website, so go there and check it out. It's very powerful.<br />
Barry