Showing posts with label links. Show all posts

Tuesday, April 24, 2018

Unprecedented Growth in the Fight to Eradicate Scam

   My first thought when I saw this email was that it's from someone with the same name as the guy from Arrested Development.  Of course, that's Michael Cera!

   The only thing missing is a link or attachment.

   Of course, there are tons of emails like this around.  And people do respond.

   Would you respond?  How many people at your workplace would respond?  How would you help people recognize this kind of email and not respond?



International Debt Funds Recoup Unit of
United States Department of the Treasury Washington DC.
1500 Pennsylvania Avenue, NW;
Washington, DC 20220


Hello,


International Debt Funds Recoup Unit, incorporated November, 2016 as affiliate of United States Department of the Treasury Washington DC, established for the control of recouped international debt funds, within the short time of this establishment, we have experienced unprecedented growth in the fight to eradicate scam and terrorism.

With Our vast experience cutting across several facets of the world and affiliations with numbers of reputable foreign and local organizations, International Debt Funds Recoup Unit has brilliantly done very well in contributing to the effort of the American Government to curtail fictitious and nefarious activities of scam via the internet, which is perpetually taken out on citizens of United States and innocent citizens of other part of the world by impostors through our vast networking.

We implore your earnestly attention on our resent activities in affiliation with Federal Bureau of Investigation FBI. Your computer and telephone communication  were under surveillance device manipulation on discovery that you have been in communication with impostors, imposing as important dignitaries to the undisclosed organization.

The transaction database of Western Union and Wal-Mart Money Gram recently went through screening on evidence for transaction made on your name overseas and the statements of your bank account were properly studied on evidence for transaction made within the states and overseas. However, the collective findings urged the setup of multifaceted maximum security on your everyday activities most specially your email correspondence and telephone communications.

The state of affairs grows to be interesting that intelligent agent of International Debt Funds Recoup Unit and Federal Bureau of Investigation FBI,
where deployed to investigate on issues of debt funds as a result of Contract Payment Funds, Lottery Winning Funds and Inheritance Funds owe to you by the undisclosed conglomerate under impersonation of impostors imposing as important dignitaries to rip you off your hard earned money and to our dismay, it was discovered that your name appeared as owner of funds valued US$10.5Million United States Dollars.

Representatives of American Government bureaus sent on your behalf on this exploit confirmed that the blueprint of your funds recoup was plain and the outcome of the event was a solution to curtail activities of con artist and indeed a perfect solution to your quest on your funds. The recouped funds are deposited in the pecuniary basement of the International Debt Funds Recoup Unit here in Washington.

To apply for claims, we urge you to reconfirm your personal information stated as following below; the details will be used to conduct lawful underlying principles of verification on your reputation as the beneficiary own of the recouped funds lodged in our basement.

1.  First Name:
2.  Middle Name:
3.  Last Name:
4.  Home Phone Number:
5.  Cell Phone Number:
6.  Home Address:
7.  Date of Birth (mm/dd/yyyy)
8.  Driver's License/ Passport Copy:
9.  Marital Status:
10. Current Employer Name:
11. Position/Title:

This is compulsory instruction. REPLY BACK TO THIS ADDRESS ONLY IF YOU WANT FAST RESPONSE TO YOUR E-MAIL ( mrmichealcenadesk@webmail.hu )

God Bless America.
Sincerely yours,
Mr. Michael Cena

   I do enjoy these kinds of emails!  It's unfortunate that some people do fall for these scams.  Interesting that this one doesn't ask for my SSN, but wants a copy of my driver's license and/or passport - that can be very valuable to the scammer.

   While there are no links or attachments here, there is still danger.  I've written about these kinds of scams in the past, and the prior advice still holds.

  1. You didn't win!  An unsolicited email promising some kind of prize or payoff is not real.
  2. Don't respond to unsolicited email.  It just lets the spammer know you are a live person.  And definitely don't respond and provide information about yourself.
  3. Use care with links in unsolicited email.  There's a good chance that link leads somewhere you don't want to go... like a phishing site or a malware download.
  4. Watch out for attachments... even pictures.  Stop and think before you click on that attachment.  Even if it looks like it came from a friend.  Were you expecting the email and attachment?
  5. Be stingy with your personal information.  Much of what happens in today's world happens online.  And you will have to provide some information sometimes.  But every site doesn't need all your personal information.  And just because a site asks for information doesn't mean you have to provide it.  Before you fill out that form, stop and think, then decide how much information you want to provide.

   You can find a few more tips here.  These steps can help you at home and at the office.

   What's your favorite example of this kind of scam?
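
One way to turn the cues in this email into a mail-filter check, as an added example that is not part of the original post: the message has no link or attachment for a scanner to flag, so the check relies on content signals instead (a claimed government identity with non-.gov contact addresses, replies redirected to another domain, a request for identity documents, a large sum). The headers in `SAMPLE`, the `BENIGN` control message, the signal names and the short pattern lists are constructed assumptions; the body lines are excerpts of the email quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. The headers are invented for illustration; the body lines
# are excerpts of the email quoted in the post.
SAMPLE = """\
From: "US Department of the Treasury" <notice@mail.example>
To: recipient@example.org
Subject: International Debt Funds Recoup Unit

International Debt Funds Recoup Unit of
United States Department of the Treasury Washington DC.

it was discovered that your name appeared as owner of funds valued
US$10.5Million United States Dollars.

To apply for claims, we urge you to reconfirm your personal information
7.  Date of Birth (mm/dd/yyyy)
8.  Driver's License/ Passport Copy:

REPLY BACK TO THIS ADDRESS ONLY IF YOU WANT FAST RESPONSE TO YOUR E-MAIL
( mrmichealcenadesk@webmail.hu )
"""

# Constructed benign message used as a negative control.
BENIGN = """\
From: "Facilities" <facilities@corp.example>
To: staff@corp.example
Subject: Parking lot resurfacing

The north lot is closed Friday. Reply to this message with questions.
"""

# Hypothetical, deliberately short pattern lists; tune them for real mail.
AUTHORITY = re.compile(
    r"department of the treasury|federal bureau of investigation|\bFBI\b", re.I)
PII = re.compile(
    r"date of birth|driver'?s licen[sc]e|passport|social security|\bSSN\b", re.I)
MONEY = re.compile(r"(?:US)?\$\s?\d[\d,.]*\s?(?:million|billion)", re.I)
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL = re.compile(r"https?://\S+", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def analyze(raw):
    """Return content-based scam signals for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    texts, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            attachments += 1
        elif part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            texts.append(data.decode(charset, "replace"))
    body = "\n".join(texts)

    # Every address the recipient is steered toward: sender, Reply-To, body.
    candidates = [sender, reply_to, *ADDR.findall(body)]
    contacts = {_domain(a) for a in candidates if "@" in a}

    signals = []
    # Claims a government identity while any contact address is outside .gov.
    claimed = AUTHORITY.search(display + "\n" + body)
    if claimed and any(not d.endswith(".gov") for d in contacts):
        signals.append("authority_mismatch")
    # Replies are redirected to a domain other than the sending one.
    if sender and any(d != _domain(sender) for d in contacts):
        signals.append("reply_redirect")
    if PII.search(body):
        signals.append("pii_request")
    if MONEY.search(body):
        signals.append("money_lure")
    return {
        "signals": signals,
        "links": len(URL.findall(body)),
        "attachments": attachments,
        "quarantine": len(signals) >= 2,  # assumed threshold
    }


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, analyze(raw))
```

The sample trips all four signals with zero links and zero attachments, which is why filters that only inspect URLs and files pass this kind of message through.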

Tuesday, December 12, 2017

Ho-Ho-Holiday Spams and Scams

   It's that time of year again folks.  And whatever holiday you may, or may not, celebrate... there's something we're all likely to see.  It's not presents, though maybe there are some for you.  It's not snow, though we're already seeing that here in the upper midwest US.

   It's malware and holiday scams!

   Unfortunately, it happens every year.  Sometimes it's malicious attachments.  Sometimes it's links to malware to download or phishing sites with forms ready to collect your personal and financial information.

   Here is my 2017 edition of my Top 10 Tips To Avoid Holiday Spams and Scams...

Tuesday, November 28, 2017

You Don't Have to Outrun the (Fancy) Bear

   Two hikers are walking through the woods.  They come around a bend in the trail into a clearing where they can take a break, when suddenly a bear steps out of the woods and roars.  One hiker quickly bends down to tighten his boot laces.  The other hiker says, "what are you doing? You can't outrun a bear!".  The first hiker says, "I don't have to outrun the bear, I only have to outrun you!".

   One of the biggest changes in information security over the past two decades has been with the attackers.  Rather than the old stereotype of a hoodie-wearing loner in the basement with Mountain Dew, Twinkies and old computers, today's attacker is typically trained, smart and well-funded.  Instead of defacing websites for fun and notoriety, attacks today are a business.

   It's a simple risk/reward equation.  There is a cost to any attack.  Email-based attacks are very inexpensive to launch.  Developing sophisticated malware is expensive.  And the more expensive an attack is to pull off, the higher the potential gains need to be to make a profit.

   Information security is very complex.  It's as much an art as it is a science.  There are basic things that everyone should do, like patching systems and using strong, long passwords.  And then there are complex solutions to complex problems that need to be artfully implemented to complement the way people do their work.

   There are so many high profile breaches in the news.  Some of these are the result of highly skilled and motivated attackers going after a specific target.  But many more are "crimes of opportunity".

   As I see it, there are basically three kinds of online attacks:

Tuesday, December 6, 2016

Information Security Learning Resources part 2

   Today we have part 2 of a 2-part guest post by security analyst Chris Goff.  Chris has collected a set of info, links and lists that definitely qualify as extremely cool resources!  You can check out Chris' website at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!

Security Concepts
There are three key concepts of information security which you may or may not be familiar with:
  - Confidentiality
      o Confidentiality is the characteristic of information whereby only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached.
  - Integrity
      o Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being entered, stored, or transmitted.
  - Availability
      o Availability is the characteristic of information that enables user access to information in a usable format without interference or obstruction. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.

This is known as the “security triad”. It can be further expanded upon:
  - Privacy
      o Information that is collected, used, and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected. Privacy as a characteristic of information does not signify freedom from observation (the meaning usually associated with the word), but in this context, privacy means that information will be used only in ways known to the person providing it. Many organizations collect, swap, and sell personal information as a commodity. It is now possible to collect and combine information on individuals from separate sources, which has yielded detailed databases whose data might be used in ways not agreed to, or even communicated to, the original data owner. Many people have become aware of these practices and are looking to the government for protection of the privacy of their data.
  - Identification
      o An information system possesses the characteristic of identification when it is able to recognize individual users. Identification is the first step in gaining access to secured material, and it serves as the foundation for subsequent authentication and authorization. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. Identification is typically performed by means of a user name or other ID.
  - Authentication
      o Authentication occurs when a control provides proof that a user possesses the identity that he or she claims. Examples include the use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections or the use of cryptographic hardware devices--for example, hardware tokens provided by companies such as RSA's SecurID--to confirm a user's identity.
  - Authorization
      o After the identity of a user is authenticated, a process called authorization assures that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset. An example of authorization is the activation and use of access control lists and authorization groups in a networking environment. Another example is a database authorization scheme to verify that the user of an application is authorized for specific functions such as reading, writing, creating, and deleting.
  - Accountability
      o Accountability of information exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability. (Management of Information Security by Michael E. Whitman and Herbert J. Mattord)

Tuesday, November 22, 2016

Information Security Learning Resources part 1

   Today we have a guest post by security analyst Chris Goff.  Chris has collected a set of info, links and lists that definitely qualify as extremely cool resources!  You can check out Chris' website at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!



Information Security Learning Resources
or information security for the self-learner
by Chris Goff

This is the result of many years of notes. This is by no means an exhaustive list, nor the definitive path to information security.

If you come across a dead link, use the Internet Way Back Machine (https://www.archive.org).

Bookmark these Google Search cheat sheets, they will come in handy:

Official Google Cheat Sheet - http://www.google.com/help/cheatsheet.html

Google Advanced Operators Cheat Sheet - http://www.googleguide.com/print/adv_op_ref.pdf

Learning How To Learn - http://l.goodbits.io/l/407nqn1n

Core competencies

Here are three core competencies within information technology that will provide a solid foundation on which to start a security career:
  • Systems Administration
  • Network Administration
  • Programming
It is also critical that you learn to deal with people and business. Take some public speaking classes (Toastmasters: https://www.toastmasters.org/), volunteer for presentations at local groups, and volunteer to deliver training for folks at your workplace. One of the greatest methods of learning is to teach.

The core competencies are not a requirement; however, be aware that InfoSec is expected to be a Subject Matter Expert (SME) on most topics. If you wish to be successful, diversity of knowledge is key.
“There is no security without understanding.” – Michael Lucas, author Absolute OpenBSD

Tuesday, September 6, 2016

Call Me

  I recently received some awesome news via email.  And it was totally unexpected.  Check it out:


   Now I can retire in style!  :-)

   Needless to say, this is a phishing email.  We've talked about phishing many times in the past.  And we keep talking about it.

   So why does phishing still work?  There are two primary reasons:
  1. No cost/low barrier to entry.  It is effectively free to send out potentially millions of phishing or spam emails.  Attackers can easily relay email through open mail relay servers, but there are other ways to send spam and phishing emails.  Open mail relays are systems that send email but don't require any kind of identification.  Here's some more technical info on open relays.
  2. Exploiting the human factor.  People are busy and we all receive too much email.  It's not always easy to take the time to figure out if an email is OK or not.  Attackers leverage this by sending plausible-looking email, though there are plenty of poorly-created messages as well (like the one above that I received).
   As I mentioned in a previous column, rather than examining an email for evidence of phishing, we can approach all email as if it's hostile and then look for indications that it's OK.

   If you'd like to have some fun... try these spot the phishing online quizzes!

   I won't be contacting the "friend" who sent me the above email.  And I did not win.

   Have you seen any interesting phishing emails you'd like to share?

Tuesday, July 12, 2016

Brexit Protection - click here

   Brexit Protection... or should we call it Brexitection? :-)

   How does Brexit affect your finances?  Do you care?  Plenty of people do.

   And that creates an opportunity for scammers.

   Any time there are major news events, particularly disasters or anything economic, people get worried, and the scammers are right there to play on those fears.

   According to the Telegraph, they have seen emails with subjects such as "Brexit causes historic market drop". These emails have links that supposedly connect to pages with information on how to protect your investments.  Of course, they actually download malware to the victim's computer.

   This is a common problem... common because it works.

   We've covered this topic before... and the advice remains the same.  In fact, here are my top 10 email scam tips from a 2013 post!  These are just as relevant today as then.  And they will be relevant years from now:

Tuesday, June 28, 2016

We're Going About It All Wrong

   Phishing, scam, spam and malicious emails are an ongoing problem.  A recent study found that rates of these malicious emails are worst in months that have an "a", "u" or "r" in the name, with highest delivery volumes on days ending in a "y".

   Seriously though, while the worldwide spam volume seems to be trending down since a peak over 70% in 2014, rates were trending up in the first quarter of 2016 and the percentage of email that is spam or malicious is well over 50%.

   Email, along with malicious files on websites (whose links are usually delivered through email!), continue to be the top malware vectors.

   In fact, attackers don't even need to use their best, or most complex, attack methods.  It's far more cost-effective to send out random or targeted email, or to place random malicious files on websites and email out the links.  Remember, most cybercrime is economically motivated.  It's a business and the goal is ROI (return on investment).  And business is good.

   It's a big problem because we are fundamentally trusting beings.  I've always believed that people want to do the right thing.  When it comes to people, we should assume positive intent.

   However, email is not a person.

Tuesday, April 19, 2016

Ad Where?

   The first website debuted on Dec. 20, 1990 at CERN in Switzerland.  And less than four years later, the first banner ad.  The idea was simple... if people are reading information on a website, why not hit them with an ad?  Media has traditionally been either for-pay or ad-supported and the model for the web included that.  Of course, back then people had no idea the extent to which other screens like laptops, tablets and smartphones, and binge-watching would displace traditional TV watching.

   And shortly after website ads arrived, so did the malware. Ad-ware, also called "malvertising", was born.

   There are a few different ways website ads can cause problems:
  • virus code in the ad itself - so clicking on the ad downloads or executes the malware
  • malicious code that executes based on a mouse action - such as clicking on a flash animation or even just moving your mouse over an ad (called a "drive-by download")
  • a link in the ad brings you to a different page that can have malware, asks for personal information or exploits your browser to grab information from another tab (kind of like phishing)
   You may ask... why would someone allow a virus in an ad on their site?  That's a great question.   The issue is that most sites don't have a direct relationship with the people creating the ads.  The way it typically works is that sites sell space on their pages to ad brokers, who resell that space either to someone wanting to place an ad, or even to other ad brokers.  And often the ads rotate.  It becomes pretty easy for crooks to insert malware into these ad spaces without detection.

   This led to the creation of ad blockers.  These are programs that work in your browser to block content from the 3rd party ad brokers.  There was a big controversy about this in 2015.  On one hand, websites that offer free content need to have a way to monetize.  On the other hand, web and banner ads are annoying, collect our information, and can contain malware.  Some businesses block ads on corporate systems as a way to cut down on malware... and it works.

   To fight back, some sites block people who block ads!

   And that's where things get interesting.

    Let's look at Forbes.com for example.  Many websites simply show their ads along with each page.  If the ads are blocked, then those parts of the pages just don't load, or show a broken image icon.  But when you go to the Forbes website, you first see a welcome page that counts down until you can click to the main page.  While that is happening, the page loads hundreds of those 3rd party ad sites.

   And earlier this year, the Forbes site was serving malware through ads!

   So there's the bind... allow sites to display their ads, including those full sites that only display if ads are allowed; or open the enterprise to malware!

   But shouldn't the responsibility for this malware be with the website that displays the ads?  Shouldn't they test to make sure there isn't executable code in those ads?  I think so.

   I also understand that sites display content that is worth something and they deserve to be compensated.

   There are some compromises.  Some sites ask you to register to see additional content.  You are "paying" by providing information about yourself that they can sell.  Some sites charge nominal subscription fees (some sites charge high subscription fees!).

   There is perhaps some middle ground with Google Contributor.  With this consumer service you pay a nominal monthly fee.  Then Google distributes that to sites based upon your usage patterns.

   What are your thoughts?  Is there a middle ground?  Should consumers have to pay for content?  Do we need to be bombarded with ads?  And who should be responsible when sites serve up malware or malicious links?

Monday, October 12, 2015

Keep Celebrating! - Mobile and Social

   We continue our celebration of US Cyber Security Awareness month!  This partnership between Homeland Security, NCSA (National Cyber Security Alliance) and the MS-ISAC (Multi-State Information Sharing and Analysis Center) is an opportunity to recognize the importance of information security.  It started in 2003 as a way to build awareness for online security and privacy and to encourage individuals, business and government.

   This is another of my weekly posts connected with the weekly themes put together by DHS.  This week the theme is staying protected while always connected.  That rhymes!

   We are always connected!  According to the Pew Research Center, in 2015 90% of American adults own a cell phone, 64% own a smart phone.  And one of the major uses for smart phones is... not calls but social media!  How do we stay safe online and on the move?

Monday, October 5, 2015

Celebrate! - A Culture of Security

   It's time again to celebrate that wonderful US event... Happy Cyber Security Awareness month!  This partnership between Homeland Security, NCSA (National Cyber Security Alliance) and the MS-ISAC (Multi-State Information Sharing and Analysis Center) is an opportunity to recognize the importance of information security.  It started in 2003 as a way to build awareness for online security and privacy and to encourage individuals, business and government.

   This month I'll be putting out weekly posts connected with the weekly themes put together by DHS.  This week the theme is creating a culture of security.

   The message is simple... in the workplace security is a team sport.  All organizations have customers, patients, systems and data to protect.  To accomplish this, security must be part of everyone's job.

Tuesday, February 24, 2015

It Wasn't Engelbart's Fault! (part 1)

   Douglas Engelbart was an engineer, inventor and pioneer of the early internet.  He died in 2013.  He was known for a number of key ideas and inventions.  In 1967, he invented a very useful computer device that is a key component in propagating malware and facilitating phishing attacks... the Mouse!

   Of course, Engelbart didn't invent email, email attachments, phishing emails or malicious links.

   The media is always buzzing with information about the latest breach or computer break-in.  We hear about advanced attacks, nation-states and possibility of cyber-war.  Many of these major attacks start with a simple click (or many clicks).

   Two of the main ways that malware is distributed or information is stolen is via:

  • malicious attachments sent in an email, and;
  • phishing emails with malicious links.
   For either of these methods to work, the recipient of the email needs to click... with a mouse! (well, you could also use a track-pad or track-ball).  The attachment needs to be opened.  If it's a zip file, it needs to be unzip'd.  If it's a link, clicking the link might either download malware or lead to a form asking for personal information.  Any of these actions could cause major problems.

   Let's discuss two issues:
  • what do these viruses do?
  • why can't my organization stop these? (or why can't I stop them at home?)
   This is, unfortunately, pretty complex and we'll probably handle these in two separate posts.

Why Viruses?

   As I've discussed in the past, this is really an economics issue.  There's illicit money to be made and there are smart people out there coming up with new ways to attack and take over systems.

   A typical computer virus does 1 of 3 things (I'm using the term virus generically - a virus is actually just one of a number of different types of malware (malicious software)).  It can even do more than one of these:
  1. connect "home" and download more viruses;
        This is an optional step.  The real goals are items #2 and #3.
  2. take over a computer so it can be remotely controlled, or;
        An attacker can take over a bunch of computers and use them to attack other computers or sell that capability to others. The computers taken over are called robots or bots.  They can be used to spread spam and more malware, to send a lot of traffic at target computers so they won't work properly or at all (this is called Denial of Service or DoS), or to carry out other attack methods.
  3. steal information (the techy word for this is exfiltration).
        The stolen personal or corporate information can be sold or used to steal money from existing or newly created accounts.
  4. (bonus item) threaten to do the above (blackmail).
        An attacker might threaten to crash computers if not paid.  One kind of malware called "ransomware" encrypts your files so that only the attacker can decrypt them and charges you a fee to get your access back.

What can we do?

   This is a complex issue and we'll talk about protection methods next time.  For now, the best advice is to take measures we've often discussed here:
  • use anti-malware software
  • use care when opening attachments
  • use care when clicking on links
  • know who sent you that email, message, tweet, social network message, etc.
   I discussed these and other steps you can take in a post last year.

Tuesday, December 3, 2013

Is Your "Friend", Your Friend?

   An interesting topic came up the other day.  The question was whether to accept random social media requests.  Does your "friend" need to be your friend?

   Your answer to that question might vary based on the social network and how you use that social network.

   There's also an important Security Awareness angle here.  Social networks can be a vector for malicious links, phishing attempts, malware and scams.  These malicious techniques often work better when the link/attachment/request comes from a "friend", rather than via a random email or connection.

Tuesday, November 19, 2013

It's That Time of Year - Holiday Spams and Scams

   It's that time of year again folks.  And whatever holiday you may, or may not, celebrate... there's something we're all likely to see.  It's not presents, though maybe there are some for you.  It's not snow, though we'll see that soon enough here in the upper midwest US.  It's malware and holiday scams!

   Unfortunately, it happens every year.  Sometimes it's malicious attachments.  Sometimes it's links to malware to download or phishing sites with forms ready to collect your personal and financial information.

   Here is my 2013 edition of my Top 10 Tips To Avoid Holiday Spams and Scams...

Tuesday, October 22, 2013

Online Self Defense - Don't Click!

   This week I'm presenting at the Cyber Security Summit in Minneapolis.  I hope to see you there!

   It's Cyber Security Month!  And the more things change, the more they stay the same.  The key advice for online self-defense I've given in the past is just as true now.  So to help us all celebrate, I'm "re-featuring" a few articles I've run in the past.


   This is the third post in my series on Online Self-Defense.  We've covered malware and passwords, two key issues affecting your online privacy and security.  If you've tried the simple tips I gave on those two subjects then you are now safer than most web surfers.

   Now, to keep you and your computer safe... don't click on that link!

Tuesday, December 18, 2012

Tis The Season - Holiday Spams and Scams

   We have always had the need to be careful online. We always have to be aware of what sites we are visiting and what apps we're using. I've written about this in my series on Online Self-Defense.

   But at this time of year you have to be even more careful. The amount of online trouble increases. Your volume of work may increase, you're often stressed during the holidays and may not pay as much attention to what you're doing online.

   There are also many e-cards and "cute" pictures and videos that have to be shared.  This, and other information, floods our inboxes, social media timelines and chat/text lists. Many of these have links. And unfortunately, far too many of these links go to malicious sites.

   Here's a great list of some common holiday spams/scams. Here's another.

Tuesday, October 23, 2012

Online Self Defense - Part 3 - Don't Click!

   This is the third post in my series on Online Self-Defense.  We've covered malware and passwords, two key issues affecting your online privacy and security.  If you've tried the simple tips I gave on those two subjects then you are now safer than most web surfers.

   Now, to keep you and your computer safe... don't click on that link!