You see all the commercials about mobile device apps? Nowadays it seems just about everyone has an
app for just about anything.
Jeff Gibson on 26 February 2010 | Permalink | Comments (0)
Every ten years Uncle Sam asks each of us to provide some information through a Census, in an effort to distribute billions of dollars into appropriate infrastructure and services projects each year. Its purpose is important; however, it also opens the door to scammers and criminals alike, who can't wait to take advantage of situations like this.
How will you be counted?
A form will be sent to your home via the mail, which will ask 10 questions, and no, it isn't available on the Internet for 2010. These questions are aimed at determining the number of residents per home, and a minimally invasive set of information about each resident. You won't be asked to share your Social Security number at any time. It's very important that you fill out the form and send it back, or a "Census Taker" may visit your home to gather your answers in person.
What should you be aware of?
Legally you must provide the answers to the Census, whether via the form, a Census Taker who visits your home, or both.
Scams which may pose as the 2010 Census are sure to be in abundance. These scams may come across as emails, websites, telephone calls, or even people knocking at your door.
Do we have any tips for protecting your information?
Read through the 2010 Census website, and contact them if you have any questions or concerns.
Remember, the 2010 Census will never ask for your information online, via email or a website.
Know how to identify the census form: any request will be clearly marked as coming from the U.S. Census Bureau and as OFFICIAL BUSINESS of the United States.
A Census Taker may visit your home even if you mailed the form back. Your form may have gotten lost or not arrived yet; you still need to provide the Census Taker with the answers shown on the form you received.
Identifying a Census Taker can be confusing. Remember, they will not ask to enter your home; if they do, be wary.
It's a good idea to ask to see 2 forms of identification: the first will be a badge with the person's name, and the second could be any form of photo identification, like a driver's license or state ID.
If a Census Taker contacts you via the phone, you still need to provide the information which is on the official form, but it's a good idea to gather the person's name, the office they work from, the date and time they called, and a phone number to reach them back on. Most scammers won't provide you this information.
Remember, you only need to provide the answers to the questions which are on the form; you don't need to provide any other information.
Jake Harris on 16 February 2010 | Permalink | Comments (0)
I have been reading a lot of articles lately about information being stolen by foreign intelligence agencies, e-mail systems getting hacked into and millions of dollars of intellectual capital lost. Here are some current examples of this happening:
http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved
http://www.msnbc.msn.com/id/34923887/ns/technology_and_science-security/
This led me to think about the activities we should be doing to reduce the risk of things like this from happening to our companies or ourselves. There are some very simple common sense things that can be done to protect information that you care about.
I have broken this down into three basic steps:
Step 1: Understand what you need to protect
The first (and most important) thing that you need to do is identify what information is critical to your company and what information you legally need to protect. Really take the time to think about it. Most state privacy breach laws state that you need to protect people's names in association with their Social Security Numbers, any account numbers that have a PIN and any credit card numbers. These are easy ones, but how about your customer contact lists, new product ideas, customer order histories, etc.? What information do you really need to ensure that you don't lose and that doesn't get out of your control? In addition to data loss, think about data integrity. When you open a spreadsheet, how confident are you that someone has not accidentally or intentionally changed some numbers? How important are the decisions you make from your data? The controls you place around preserving the integrity of data need to match its importance.
Step 2: Inventory where it is stored
The next thing to do is to identify where all of this information is located. In addition to the primary location, system or application, also identify where copies, backups, extracts and derivatives are stored. You may have great security around your PeopleSoft system, for example, but store all the reports that are generated out of it on a share drive that is readable by everyone. Ask yourself these questions:
- Are there any reports, spreadsheets or extracts produced by core systems that contain critical information?
- Is the same level of security placed on these reports, spreadsheets or extracts as on the original information itself?
- Where do you store and how do you protect your system backups?
- Could someone gain access to a system backup and restore the information to their computer?
- Can you reduce the number of locations that your critical information or copies of it are stored?
- Are you relying on third parties to protect your information when it is in their systems? Do they have the appropriate security controls in their environment?
Step 3: Align security controls with business risk
Finally, assess the security controls that you are using to protect your information. You should align your controls across systems based on the value of the information you are trying to protect. You must take a holistic view of your data and approach its protection aligned with its risk of loss or corruption wherever it is stored. Do not haphazardly place security controls on systems just because they have some checkboxes in their setup screens to allow them to do fun things like expire passwords, disable accounts after failed attempts, etc... Don't apply extra security where it is not needed.
Know what information you want to protect, and consistently protect all locations where this information is stored. Your information chain will break at its weakest link.
The bottom line is that if you know exactly what you need to protect, have identified and minimized the locations where this information is stored, and are confident that the controls in place to access or modify that information are appropriate, you have significantly reduced the chances that your information will be lost, stolen or altered.
Bill Murray on 08 February 2010 | Permalink | Comments (0)
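An added example, not part of the original post: one way to start the Step 2 inventory on a POSIX file share is to walk the tree, flag files holding the Step 1 data types (Social Security numbers, credit card numbers), and record whether each one is readable by everyone. The patterns, function names and sample files are assumptions made for illustration.

```python
import os, pathlib, re, stat, tempfile
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text):
    """Return the kinds of critical data (Step 1) found in a piece of text."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            kinds.add("card")
    return kinds

def inventory(root, max_bytes=1_000_000):
    """Step 2: list (path, kinds, readable_by_everyone) for files with hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                readable = bool(os.stat(path).st_mode & stat.S_IROTH)
                with open(path, "r", errors="ignore") as fh:
                    kinds = classify(fh.read(max_bytes))
            except OSError:
                continue  # unreadable to the scanner: skip, do not crash
            if kinds:
                findings.append((os.path.relpath(path, root), sorted(kinds), readable))
    return sorted(findings)

def demo():  # constructed sample share; every value below is fake
    samples = {"hr_export.csv": ("name,ssn\nJane Doe,000-12-3456\n", 0o600),
               "q4_report.txt": ("Card on file: 4111 1111 1111 1111\n", 0o644),
               "readme.txt": ("Order 1234567890123456 shipped\n", 0o644)}
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mode) in samples.items():
            p = pathlib.Path(root, name)
            p.write_text(body)
            p.chmod(mode)
        return inventory(root)
```

The check looks only at each file's own mode bits, so ACLs, share-level permissions and parent directories still need to be reviewed separately.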