Tuesday, February 20, 2018

ID Fraud and Your Taxes - Take Action!

   It's that time of year again.  Brian Krebs just put out two articles on the ongoing issue of tax fraud.  As is so often the case, the advice to protect yourself hasn't changed - and be assured, you must protect yourself because no one else will, certainly not the IRS!

   As noted below and in the Krebs articles, what you need to do now and always is:
  1. file your taxes early
  2. monitor your credit (I covered that topic here... in 2013!)
  3. freeze your credit (two articles from Krebs, also from 2015)
  4. become you before someone else becomes you (I wrote about that subject here and here)
   Here's a re-run of my article on this subject from three years ago.  It's all still true!  As I wrote nearly 5 years ago, the more things change the more they stay the same.

   I did a series of posts last year (2014) on the problem of ID fraud.  This is an ongoing issue: organizations struggle to protect information, there are cyber attackers out there, and individuals often don't take steps to protect their own information.

   The bottom line is that your personal information, primarily your financial information, has tangible dollar value to a cyber attacker.

   We usually think about credit card fraud or maybe bank account fraud as the results of these kinds of data breaches.  But in this post and the next I'd like to talk about two other scenarios that have happened, are happening... and that you need to be aware of.

   It's that wonderful time of year again in the US.  Crisp weather, snow (most places), the days are starting to get a bit longer... and it's the beginning of tax filing season.

   Imagine you are doing your civic duty, filling out and filing your tax return.  You send it in to the IRS, only to find out that "you" already filed your return and "you" have already received your rather sizable refund - surprise!

   Unfortunately, this has happened.  And, as we've discussed in the past, these attackers are smart.  This is a business.  They need to be able to maximize profits because there is a limited timeframe in which to commit the crime.  So they need to attack a sub-population who:
  1. makes good money;
  2. might have many deductions;
  3. might have complex returns, and;
  4. for whom a large refund might not raise red flags.
   How about... Doctors!

   And, just as I finished writing this article, there is news out about tax fraud this year!  Reports say this is connected with Turbo Tax software, but it is more likely that scammers got people's info through other means and filed the fraudulent returns.  Maybe Turbo Tax is just the scammers' software of choice! :-)

   As always, we want to talk about what you can do.

   In addition to the steps outlined in these previous blog posts, here is the IRS Guide on Identity Theft.  The IRS guide and my previous tips talk about not only what you should do if you are a victim, but tips to avoid the problem in the first place including:
  • protecting your personal information, primarily your social security number
  • don't click on links sent to you via email or in social media - type the link in yourself or do a search
  • use link rating applications like Web Of Trust (WOT)
  • don't give out your personal information via web, email or phone unless you can positively identify the person on the other end
  • review your bills, credit record and other information that might provide early warning of a problem.
   Have you been the victim of tax-related ID Fraud?  Do you have any additional tips to share?

   Of course, this issue is not just about doctors!  Next time we'll talk about something perhaps even closer to your wallet... payroll fraud and misuse.

Tuesday, January 30, 2018

Speculative Speculation


   NO WAIT!... DON’T Patch!

   It may cause unexpected reboots (as opposed to the expected kind? :-) ).

   It may cause system slowdowns.

   It may conflict with your other system controls.

   It sounds kind of like the “fine print” in one of those pharmaceutical ads… patching side effects may include arrhythmia, faintness, moderate to severe amnesia, flushing of the face, dry mouth, blurry vision, visual distortions or white spots, nausea and vomiting, constipation, muscle twitches, confusion, euphoria, sedation, itchiness, and increased anxiety, respiratory or cardiac arrest, coma, hypoventilation (inadequate ventilation), and possibly death.

   This whole Spectre/Meltdown thing has gotten so much attention lately. But the reports are loaded with misinformation, speculation (!), and even some facts.  I have seen some uber-geeky explanations of what is going on.  If you haven’t seen the major rant by the father of Linux, Linus Torvalds, check this out.

   One thing that has been lacking is simpler, more straightforward explanations of this complex topic.  I think Steve Gibson did a great job of that recently on his Security Now! podcast.  He actually explained the underlying mechanism of speculative execution years ago when he was talking about how modern processors work.

   Speculative execution is really pretty cool.  It can be complex, but the basic idea is simple: when the code reaches a choice, i.e. GO here or GO there, the processor doesn't sit and wait to find out which way the choice goes.  It guesses (usually based on which way that branch went last time) and starts executing steps ahead along the guessed path.  If the guess was right, that work is already done and the code runs faster.  If the guess was wrong, the results are thrown away and the processor starts over on the correct path.  It’s kind of like paying it forward with extra computing cycles.  The catch is that the thrown-away work still leaves traces behind, for example in what it pulled into the processor's cache.  Here's a great explanation.

   Here’s the point about this vulnerability… we’ve had plenty of named vulnerabilities.  They are all the rage these past few years: a name and a logo.  But most of these vulnerabilities are code or protocol problems.  Yes, some of those were very wide ranging.  However, this newly discovered problem is a vulnerability in the underlying architecture of nearly every modern processor: Meltdown affects most Intel chips made since 1995, and Spectre affects Intel, AMD and ARM chips alike.  The traces left by the processor's discarded guesses can be measured to read memory that the code was never allowed to see.  Everywhere.
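   To make the "bounds check that isn't enough" concrete, here is an added example (not code from the original post, and not from any vendor advisory).  The first function is the bounds-check-bypass gadget described in the Spectre paper (variant 1); the second is the same code hardened with a branchless index mask in the spirit of the Linux kernel's array_index_mask_nospec().  The array names, sizes and contents are made up for illustration, and the cache-timing step an attacker would use to read the leaked byte is deliberately not included.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the original post or from any vendor advisory).
 * Names, sizes and contents below are made up for illustration. */

#define ARRAY1_SIZE 16
#define LINE_SIZE   512   /* spacing so each byte value lands in its own cache line */

static uint8_t array1[ARRAY1_SIZE] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};
static uint8_t array2[256 * LINE_SIZE];   /* the "probe" array an attacker later times */

/* Vulnerable (Spectre variant 1 gadget): the bounds check is correct as far as
 * the program's visible result goes, but if the branch predictor has been trained
 * to expect idx < ARRAY1_SIZE, the CPU may run the body speculatively for an
 * out-of-bounds idx, read whatever byte sits past the end of array1, and pull the
 * matching line of array2 into the cache before the misprediction is noticed.
 * The returned value is discarded; the cache footprint is not. */
uint8_t victim_vulnerable(size_t idx)
{
    if (idx < ARRAY1_SIZE)
        return array2[array1[idx] * LINE_SIZE];
    return 0;
}

/* Branchless mask: all ones when idx < size, all zeros otherwise. With no
 * conditional branch there is nothing for the predictor to guess wrong.
 * Assumes size <= SIZE_MAX / 2, which holds for any real array.
 * The asm barrier stops the compiler from "proving" the mask redundant and
 * deleting it: the compiler reasons about architectural values, not speculation. */
size_t array_index_mask_nospec(size_t idx, size_t size)
{
#if defined(__GNUC__)
    __asm__ __volatile__("" : "+r"(idx));
#endif
    /* top bit of v is set exactly when idx >= size (size - 1 - idx wraps around) */
    size_t v = idx | (size - 1 - idx);
    return (v >> (sizeof(size_t) * CHAR_BIT - 1)) - 1;   /* 0 if set, SIZE_MAX if clear */
}

/* An in-range index passes through unchanged; anything else becomes 0. */
size_t clamp_index_nospec(size_t idx, size_t size)
{
    return idx & array_index_mask_nospec(idx, size);
}

/* Hardened: even on a mispredicted path idx is forced to 0 before it is used,
 * so the speculative load cannot reach past the end of array1. */
uint8_t victim_hardened(size_t idx)
{
    if (idx < ARRAY1_SIZE) {
        idx = clamp_index_nospec(idx, ARRAY1_SIZE);
        return array2[array1[idx] * LINE_SIZE];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = { 0, 5, 15, 16, 1000, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx %zu -> masked %zu\n", probes[i],
               clamp_index_nospec(probes[i], ARRAY1_SIZE));
    return 0;
}
```

   Two caveats a practitioner will want.  First, this mask only addresses variant 1 in code you control; Meltdown needs the operating system's page-table isolation patch, and Spectre variant 2 needs the retpoline compiler change and/or microcode updates.  Second, the mask has to survive compilation, which is why the barrier is there: a compiler that sees `idx < ARRAY1_SIZE` just above the mask is entitled to conclude the mask does nothing.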

   And while no attacks using these flaws have been reported in the wild, proof-of-concept code has been published, so that will change.  The fix is not yet in.  For now, the advice is to not panic, patch selectively and we’ll all watch and wait!

Tuesday, January 9, 2018


   Well, it's a new year and we all know what that means... every security publication, and plenty of non-security publications, comes out with its annual security predictions.

   I predict that this year's predictions will be as boring and vanilla as last year's.  And we don't even have to wait until the end of the year to see if I'm right!

   So, rather than adding to the noise, I'll save you some clicks.  Everybody's saying the same things... cybercrime, blockchain, cryptocurrency, breaches, yada yada.

   But some people went above and beyond to make the prediction reading experience special!  Here are my favorites:

   Best presentation.  Kudos on the production value of this prediction post by Watchguard.  Between the nice graphics and videos, I was engaged.  They didn't say anything new... but the way they said it makes it worth a look.

   Best use of AI.  This is a great idea... how about machine-generated predictions!  Great fun.  And I, for one, welcome our AI overlords.  Even the text that doesn't make sense makes more sense than some other predictions!  Well done Kelly and Medium.

   Best prediction of the death of passwords.  Well, really they said that password-only authentication will decrease faster.  OK, either way, we've been down this road many times before and, unfortunately, passwords ain't goin' nowhere.  We're stuck with them.

   Remembering what we said in 2017 award.  This post doesn't say anything particularly interesting, but I like that they go back and grade their 2017 predictions.  Of course, those predictions were pretty bland but they only gave themselves a generous 9.5 out of 10.  http://resources.infosecinstitute.com/2018-cyber-security-predictions/

   tl;dr award.  I seriously did not even read this one.  Really Forbes?  60 predictions?  I guess all the ad networks you hit us with aren't enough?  I guess quantity wins.

   What are your favorite predictions?

   Here's to a great 2018!

Tuesday, December 26, 2017

BBB - Best Business Books

   As we close out this year and think about the new year, it's a great time to think about your own development and learning.

   I really enjoy audiobooks.  While SciFi is my typical favorite, I also mix in business and self-development titles.  I've been keeping a list of my top self-development books and had been meaning to share them here... and now here they are!

   This list is not exactly in priority order, however my favorites are definitely at the top.  So, more or less, the first third of the list is 5-star books, the middle third 4.5-star, and the final third 4-star.  These are all great books, regardless of where they are on this list.

   Here we go...
  • Start With Why – Simon Sinek
  • The 5 Levels of Leadership – John C. Maxwell
  • The Charisma Myth – Olivia Fox Cabane
  • Pitch Anything – Oren Klaff
  • What Makes an Effective Executive – Peter F Drucker
  • A Whole New Mind – Daniel H. Pink
  • Eat That Frog! – Brian Tracy
  • Getting Things Done – David Allen
  • The New One Minute Manager – Ken Blanchard , Spencer Johnson
  • The Introvert Advantage: How to Thrive in an Extrovert World – Marti Olsen Laney, PsyD
  • It’s Your Ship by D. Michael Abrashoff
  • Multipliers by Liz Wiseman
  • Just Listen – Mark Goulston
  • Influencer – David Maxfield

Tuesday, December 12, 2017

Ho-Ho-Holiday Spams and Scams

   It's that time of year again folks.  And whatever holiday you may, or may not, celebrate... there's something we're all likely to see.  It's not presents, though maybe there are some for you.  It's not snow, though we're already seeing that here in the upper midwest US.

   It's malware and holiday scams!

   Unfortunately, it happens every year.  Sometimes it's malicious attachments.  Sometimes it's links to malware to download or phishing sites with forms ready to collect your personal and financial information.

   Here is my 2017 edition of my Top 10 Tips To Avoid Holiday Spams and Scams...

Tuesday, November 28, 2017

You Don't Have to Outrun the (Fancy) Bear

   Two hikers are walking through the woods.  They come around a bend in the trail into a clearing where they can take a break, when suddenly a bear steps out of the woods and roars.  One hiker quickly bends down to tighten his boot laces.  The other hiker says, "what are you doing? You can't outrun a bear!".  The first hiker says, "I don't have to outrun the bear, I only have to outrun you!".

   One of the biggest changes in information security over the past two decades has been with the attackers.  Rather than the old stereotype of a hoodie-wearing loner in a basement with Mountain Dew, Twinkies and old computers, today's attacker is typically trained, smart and well-funded.  Instead of defacing websites for fun and notoriety, today's attackers are running a business.

   It's a simple risk/reward equation.  There is a cost to any attack.  Email-based attacks are very inexpensive to launch.  Developing sophisticated malware is expensive.  And the more expensive an attack is to pull off, the higher the potential gains need to be to make a profit.

   Information security is very complex.  It's as much an art as it is a science.  There are basic things that everyone should do, like patching systems and using strong, long passwords.  And then there are complex solutions to complex problems that need to be artfully implemented to complement the way people do their work.

   There are so many high profile breaches in the news.  Some of these are the result of highly skilled and motivated attackers going after a specific target.  But many more are "crimes of opportunity".

   As I see it, there are basically three kinds of online attacks:

Tuesday, November 14, 2017

It's All About the Squirrels!

   Did you know that in 2016 there were more selfie-related deaths than shark-related deaths?  Same is true in 2015.  We'll see what happens in 2017!

   That might seem counter-intuitive.  And that's exactly the point... we are programmed through evolution to focus on the sensational risks.

   We've been hearing plenty about cyber-war and state-sponsored attacks.  These are big and scary things.  It seems that the power grid is a key target.  Well, it turns out that cyber attack is not the top issue that affects the power grid.  Not even close.  And what's a more serious and regular threat?  Squirrels!  No, that's not a joke.

Here's a great presentation at this year's ShmooCon, an annual security conference:

   But here's the point of all this... while it's fun to laugh at, or dislike, squirrels, there's an important lesson here.  We do need to speculate and consider the future when conducting risk assessments.  But we also need to keep a strong focus on reality!  That means ensuring you are considering the mundane, but very real, threats and vulnerabilities that are actually happening.  It's far too easy for us to focus on high-impact, very-low-likelihood events to the exclusion of high-probability, common attacks like phishing.

   So skip the sharks and watch out for the squirrels!