About

Subscribe to InfoSec

  • Enter your email address:

    Delivered by FeedBurner

Bookmark and Share

Recent Posts

Westfield Links

Westfield Blogs

Categories

Blogroll & other links

24 posts categorized "Cybercrime Trends"

23 August 2010

Sir, May I See Your Drivers License

I was reading some of the ever increasing material relating to identity theft and ran across an article that I wanted to share.  Apparently there has been a sharp increase of fraudulent identification being given to police and state troopers when they are pulling people over in traffic stops and at driver’s license examination stations.

http://www.daytondailynews.com/news/ohio-news/ohio-highway-patrol-id-theft-increase-alarming-858936.html

Imagine getting a speeding ticket in the mail or having your auto insurance go up because someone falsely used your information when they were pulled over or committed a crime.

I wonder if the police will ever consider making drivers licenses into a multi-factor credential similar to how ATM cards work.  With ATM cards, you have to have the card and know a PIN number in order to use it.  That way when you presented your drivers license you would have to tell the policeman something that he could check to ensure that you were really you.  I am sure that this approach could be easily bypassed as well. 

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance.   Sharing Knowledge. Building Trust

Posted by Bill Murray | | Comments (0)

| | | | |

23 July 2010

The Problem with Honest People

The problem with honest people is that they don’t think too seriously about how the things that they do or information that they share could be misused or be used against them.

It’s not the nature of good people to think like bad people.  I can hear people saying: “No one cares about my information.  I don’t have anything that people would want to steal.  Bad things happen to other people, not me.  I am just one person in a million; there are better targets out there.  etc…”   It’s not until something actually happens to them, or someone that they know, that they realize the truth.

Please! Please! Please! All you honest and good people living in modern world, think a little bit more about it!  What could a malicious person do with your information if they wanted to?  Even the simple messages you post on Facebook or Twitter.  Malicious people do exist.  I see it regularly in my career as an Information Security professional.  Only in hindsight does the light bulb go off for the victim.  Also, the victim might not be the person who’s information is misueed, many times one person’s information is misused to victimize another who trusts them.  Social networking sites are a ripe field for this kind of information to be harvested.

Here are some tips I ran across that talk about basic security precautions on social networking sites.  These are just some common sense things that can help reduce the probability and impact of information misuse: http://www.bankinnovation.net/profiles/blogs/10-ways-to-prevent-social-1

Even if you don’t think that YOUR information will be stolen or misused, don’t give anyone the opportunity to prove you wrong.  Keep being honest but be "Information Misuse" aware!

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance.   Sharing Knowledge. Building Trust

Posted by Bill Murray | | Comments (0)

| | | | |

01 July 2010

A Key to Decreasing ID Theft Exposure

No one wants to have their identifying particulars stolen and abused.   To help, there is the security concept of using one secret (a key) to unlock keys to other services.   The concept is simple, here is a real world analogy – in a car dealership, the service area has a bunch of keys to inventory and customer vehicles.  That collection of keys is kept in a locked wall-mounted cabinet.  Upper management are the only people with the keys to the “key locker.”

On your personal computer, there’s another commonly used example, in most browsers you can set your security preferences so that the username and password fields at different web sites are automatically supplied.  They are stored in a browser-managed repository which is the equivalent of the “key locker” described above.  Using this auto-fill feature alone is a net decrease in your security because, once turned on, anyone that can walk up to your computer, start up the browser and instantly be logged into your various web site accounts without having to know any credentials.  But there is simple way to mitigate this risk.  For example, in say FireFox, IE 8 or Opera you can also set a “Master Password” that is used to keep people other than yourself from getting at those passwords.  This master password is the equivalent of the key to the key locker in our physical world example.   This gives you the best of both worlds because now you only have to remember a single password which, in turn, allows you to set the underlying stored passwords to very hard to guess, long, complicated nonsense strings because you are planning to never have to remember/type them!

Another example of this security concept is in the world of payment card (credit, debit, etc.) clearing house services like PayPal, Google Checkout, PaySafeCard.  These are services that you give various credentials to and they provide clearing house service to merchant sites that have signed up to use their services for payments.  Here’s how it works:

First you sign up for the payment service of your choice, let’s say PayPal:

  • you create an account at the payment service using a unique string such as your email address
  • you fill out the payment service’s profile by providing contact information and credit card, debit card or checking account information
  • depending on the service, you may need to verify that a tiny transaction against the card or account in question goes through

That’s it!  Now, you can use any online vendor that supports that payment service (look for, say, the PayPal logo, although it may not be displayed until you go to checkout):

  • go to a merchant site such as Walmart and put some stuff in your virtual shopping cart
  •   proceed to check out and notice that there is a PayPal option, choose it
  • Walmart’s website sends you to PayPal, giving PayPal the bill you need to OK payment of (vendor and dollar amount)
  • you confirm your PayPal password and then tell PayPal which of your accounts to debit
  • when you hit “confirm payment”, PayPal debits your card/account on behalf of Walmart and then transfers the funds (not the payment information!) from your account to Walmart
  • PayPal also sends you email confirmation and tells you what merchant name to expect to see on your credit card statement
  • PayPal sends your browser back to the merchant site where your payment is confirmed in the form of a receipt (and usually another email) and information about order shipment

So, behind the scenes, the payment service deposits the payment (minus their transaction fee) into the merchant’s account without ever sharing your payment information with anyone!

Why bother with that?  In the case of Walmart.com, there is probably little reason for concern but in the case of a small company, say Tom’s LiveBait-by-Mail, you might be a bit leery of giving away your credit card information.  Also, if you signed up multiple credit/debit cards and one or more bank accounts then you can choose which to charge the payment against at checkout time.  So, as long as the payment service is super-secure, it’s a net win because the fewer places that get their hands on your card info the better.

Is there a downside to using these services?  Well, I suppose these particular processors are in a position to know a lot about your cross vendor buying habits and history.  Plus, of course, they are an inviting target for hackers because they store so much account information (although they are extremely aware of and well staffed to store and police said information).

So – keep this “key to the keys” idea in mind when you need to minimize complexity and exposure.

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust


Posted by John Brady | | Comments (2)

| | | | |

06 April 2010

At the Nexus of Social Networking and Business

In a recent blog post I suggested that, while social networking (e.g., facebook, myspace, twitter, orkut, LinkedIn, etc.) is here to stay, one needs to be somewhat circumspect in using them.  I focused mostly on “apps” within these social networking communities.   These apps often want access to your personal information or want you to install or run some program at their behest.

As a follow-up, I’d like to discuss some general ways in which you can improve the likelihood that you will not get your personal or business systems hacked while still being able to enjoy the fruits of these dynamic, fast-growing communities.

  • Think before you click on anything asking:

- for access to your personal information (on various sites, they may be called “applications”, games, “e-cards”, “gifts” like a virtual cup-of-coffee, virtual bouquet of flowers, a snowball).  Do you trust the requestor?  Do you even know their privacy policy?

- you to install some “missing piece of software” (e.g., a dll, driver, codec) and perhaps offering to forward you to the site where you  can install it now and then proceed with your original task.  Do you know the software provider?

  • Review your privacy settings periodically, there are many recommendations  in this regard in the mainstream media (see table at bottom).
  • When the social network provider notifies you that their privacy policy has been changed – READ the new privacy policy!  There have been cases where the provider has retroactively instituted new default access rules rendering previously private parts of user profiles open to the public!
  • Don’t lend the use of your computer (laptop, desktop) to anyone that might be reckless with it.  If the borrower surfs to an infected web site and your account on the PC becomes infected then they have unwittingly put your personal information at risk.  To mitigate the danger – always create a separate account for other users (either one account per person for regular users, or) a shared guest account for people that just want to use a browser for short time.  When creating such accounts do be sure they are not endowed with any administrative powers.  Delete all the files they leave behind and perform a virus/spyware scan.  Don’t think of it as being distrustful, think of it as good hygiene.
  • Taken to its logical extreme, you might seriously consider having a completely separate system for when you are working on your high privacy stuff (employee personal info., online banking, personal/business financials,  tax returns, medical bills/records, …).   This will almost guarantee that your private information stays that way. **

Although it may sound like I need to lighten up, if you read some of the horror stories about people that have  experienced ID theft, you may decide I am not being adamant enough!  Of course, you have to find a happy medium for your circumstances.  Hopefully, the list above will help you make more informed decisions before you click.

--------------------------

Site Policy

Privacy Recommendation

facebook

High level: NY Times

Very detailed: AllFacebook

MySpace

For better privacy control, switch from profile 1.0 to profile 2.0. 

MySpace recommendation

LinkedIn

Walk-through: Network World

LinkedIn recommendation

twitter

Creating a non-public  twitter account

** If you are computer savvy enough to know about virtual machines (VM) – you can get much of the same degree of isolation using a separateVM, instead of a separate piece of physical hardware.

Posted by John Brady | | Comments (1)

| | | | |

05 March 2010

The Overly Eager Bird Catches a Worm

The social network phenomenon has shown many benefits.  These sites, such as facebook (FB), have great potential for people seeking friends to hang out with online.  Businesses too are finding it desirable to create a company presence on FB, myspace, twitter, etc.  Given their explosive growth, however, these sites have also attracted an unsavory element looking to exploit such new fertile ground.

Do you recall, back in the early 2000s, when email phishing was a relatively new phenomenon?  Eventually people became savvy about not following links that arrived in email messages from businesses with which they had no established relationship.  You see, in order to compromise your system, eventually the bad guys have to get you to act on their behalf ... so at some point, they have to present you with some “stuff to click on” ... thereby tricking you into giving your operating system (Windows, MacOS, linux, etc.) the go-ahead to install their evil code.

In a similar vein – have you noticed that when you go to play a game on a social site, say FB, you are presented with a dialog-box saying something like "This application requires access to your FB profile.  Do you wish to grant access?”  This is the FB security layer warning you that this application is trying to access your FB profile.  This is like a stranger asking to look through your wallet and record whatever they feel like while they’re in there browsing.  Alarm bells should be sounding in your head!  Let’s see ... a game that’s all sorts of fun to play and has really nice graphics, and which must have taken some people a lot of time to develop, all apparently, “for free”!  Too good to be true?  Gee whiz -- that's a little like those emails I occasionally get from "banks" promising to consolidate all my debt into a "Zero down, 0% APR loan” ... too good to be true indeed.

So, while most FB applications/games are not bogus fronts for bad guys that want access to your personal information, it is also true that some of those ostensible applications are in fact phony.  So be very careful before deciding to unleash these apps on your private information.

In another example of social networking abuse, there was recently a worm blazing its way through FB accounts called KoobFace ("facebook" spelled sideways, sort of).  KoobFace arrives as a FB message from a FB friend in your FB inbox.  When you open it, you are told to check out a YouTube video.  When you click on the link to the video you are sent to a fake YouTube site.  When you try to start the video playback, you are told that your system is missing an important piece of video playback software called a codec (engineering speak for coder-decoder).  It asks if you want to install the missing codec.

Let’s step back here.  At the request of a site that looks like YouTube, you are about to install and run some piece of software!  Are those internal alarms bells clanging loud and clear yet?  They should be.  The supposed missing codec is really a worm.  If you OK installation -- your system is infected.  The worm begins executing immediately, making a few "adjustments" to your Windows Registry to make sure it gets restarted whenever you reboot.  It then proceeds to wander about in your browser cookie cache finding out which social networking sites you belong to.  For each site, it authenticates and then sends messages, in your name, to all your friends!  Of course, those messages are just more infect-o-grams like the one you fell for.  And so the worm turns...

The lesson here is: think twice before accepting requests to "access" your social networking profile(s) from applications, games and gifts.  Moreover, think three times about saying yes when some web site that you have followed a link to recommends you OK installation of software you supposedly need!  If you believe you really might be running an old version of a plug-in, anti-virus program, etc., you should still always refuse the unsolicited pop-up style request.  Instead, you should explicitly type in the URL for the software maker and check if there you are missing codecs or updates to the software.  If there are updates then update your software and retry playing the video. 

If your software is already up-to-date, or if you get the pop-up again after updating, then assume the pop-up is malicious and just skip playing it!  It cannot be worth the inherent risk.  You might even go the extra step to inform the sender of your suspicions.  For example, in this particular case, the “sender” would be surprised you even got an email from them!  You’ll recall, in our scenario, it was the worm that sent it.  This is often how people find out their system is infected so you are doing them a big service.

To read further, here is a link to a technical explanation of how the koobface worm works.

Posted by John Brady | | Comments (0)

| | | | |

16 February 2010

How to Stay Clear of Census Scams

Every ten years Uncle Sam asks each of us to provide some information through a Census, in an effort to distribute billions of dollars into appropriate infrastructure and services projects each year. It's purpose is important, however it also opens the door to scammers and criminals alike, who can't wait to take advantage of situations like this.

How will you be counted?

A form will be sent to your home via the mail, which will ask 10 questions, and no it isn't available on the Internet for 2010. These questions are aimed at determining the number of residents per home, and a minimally invasive set of information about each resident. You won't be asked to share your social security number at any time. It's very important that you fill out the form and send it back, or a "Census Taker" may visit your home to gather your answers in person.

What should you be aware of?

Legally you must provide the answers to the Census, whether via the form, a Census Taker who visits your home, or both.

Scams which may pose as the 2010 Census are sure to be in abundance. These scams may come across as emails, websites, telephone calls, or even people knocking at your door.

Do we have any tips for protecting your information?

  • Online Information

Read through the 2010 Census website, and contact them if you have any questions or concerns.

Remember, the 2010 Census will never ask for your information online, via email or a website.

  • The Form

Know how to identify the census form, any request will be clearly marked as coming from the U.S. Census Bureau and as OFFICIAL BUSINESS of the United States.

  • Census Taker

A Census taker may visit your home even if you mailed the form back. Your form may have gotten lost or not arrived yet, you still need to provide the Census Taker with the answers shown on the form you received.

Identifying a Census Taker can be confusing, remember they will not ask to enter your home, if they do, be wary.

It's a good idea to ask to see 2 forms of identification, the first will be a badge with the persons name, and the second could be any form of photo identification, like a drivers license, or state id.

If a census taker contacts you via the phone, you still need to provide the information which is on the official form, but it's a good idea to gather the persons name, the office they work from, the date and time they called, and a phone number to reach them back on. Most scammers won't provide you this information.

  • The information you share

Remember you only need to provide the answers to the questions which are on the form, you don't need to provide any other information.

Posted by Jake Harris | | Comments (0)

| | | | |

08 February 2010

Your information security "chain" breaks at its weakest link

I have been reading a lot of articles lately about information being stolen by foreign intelligence agencies, e-mail systems getting hacked into and millions of dollars of intellectual capital lost  Here are some current examples of this happening:

http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved

http://www.msnbc.msn.com/id/34923887/ns/technology_and_science-security/

This led me to think about the activities we should be doing to reduce the risk of things like this from happening to our companies or ourselves.  There are some very simple common sense things that can be done to protect information that you care about.

I have broken this down into three basic steps:

Step 1: Understand what you need to protect

The first (and most important) thing that you need to do is identify what information is critical to your company and what information you legally need to protect.  Really take the time to think about it.  Most state privacy breach laws state that you need to protect peoples names in association with their Social Security Numbers, any account numbers that have a PIN and any credit card numbers.  These are easy ones, but how about your customer contact lists?  new product ideas?  customer order histories?  etc… What information do you really need to ensure that you don’t lose and doesn’t get out of your control?  In addition to data loss, think about data integrity.  When you open a spreadsheet, how confident are you that someone has not accidentally or intentionally changed some numbers?   How important are the decisions you make from your data.  The controls you place around preserving the integrity of data need to match its importance.

Step 2: Inventory where it is stored

The next thing to do is to identify where all of this information is located.  In addition to the primary location, system or application, also identify where copies, backups, extracts and derivatives are stored. You may have great security around your PeopleSoft system, for example, but store all the reports that are generated out of it on a share drive that is readable by everyone.  Ask yourself these questions:

  • Are there any reports, spreadsheets or extracts produced by core systems that contain critical information?
  • Is the same level of security placed on these reports, spreadsheets or extracts as on the original information itself?
  • Where do you store and how do you protect your system backups?
  • Could someone gain access to a system backup and restore the information to their computer?
  • Can you reduce the number of locations that your critical information or copies of it are stored?
  • Are you relying on third parties to protect your information when it is in their systems?  Do they have the appropriate security controls in their environment?

Step 3: Align security controls with business risk

Finally, assess the security controls that you are using to protect your information.  You should align your controls across systems based on the value of the information you are trying to protect.  You must take a holistic view of your data and approach its protection aligned with its risk of loss or corruption wherever it is stored.  Do not haphazardly place security controls on systems just because they have some checkboxes in their setup screens to allow them to do fun things like expire passwords, disable accounts after failed attempts, etc... Don't apply extra security where it is not needed.

Know what information you want to protect and protect all locations that this information is stored consistently.  Your information chain will break at its weakest link.

The bottom line is that if you know exactly what you need to protect, have identified and minimized the locations that this information is stored and are confident that the controls in place to access or modify that information are appropriate, you have significantly reduced the chances that your information will be lost, stolen or altered.

Posted by Bill Murray | | Comments (0)

| | | | |

10 August 2009

Four Steps to Avoid Scams: A Courage-Building Cheat Sheet

New scams are created every day which target each and every one of us.  The AMS Users group identified a prime example recently that targets independent insurance agents. This new scheme attempts to steal an agent's credit card information posing as a representative of the department of insurance.

 

Our blog posts have identified several of the scams in the past such as toner scams, and the Michael Jackson spam emails recently spread across the web.

 

Most people find it difficult to challenge these scammers, but a great courage builder is to make a simple cheat sheet and post it near your phone. Here is an example that hopefully will save you quite a bit of grief and money in the future:

 

Step 1: If it sounds too good to be true...it most likely is.

 

Don’t be afraid to ask hard questions after all they wouldn’t be calling you if they didn’t want to.

 

Step 2:    Ask for a reference for validation or a call back number.

 

A scammer probably won’t have a reference available and surely won’t want to give you a number to contact them back. If they aren’t reputable enough to have a reference, use caution.

 

Step 3:    Ask for the request or offer in writing.

 

Any offer can be provided in writing, and it provides you an easy out if someone is attempting to pose as an official or service provider.  Most companies have policies which state they must send you a notice in writing if requested.

 

Step 4:     If and when they hang up on you, take it as a compliment.

 

You most likely just avoided a scam.  Feel good about yourself, and share your experience with others.  One of the best ways to protect yourself and others is to share positive experiences.

 

Feel free to share your cheat sheets as well!

 

Posted by Jake Harris | | Comments (0) | TrackBack (0)

| | | | |

13 July 2009

The dangers of vacationing via your web browser

Now that mid summer has arrived, most people are looking forward to a vacation.  Of course it's important to let everyone know you will be away from work for a few days, but when is broadcasting your upcoming vacation on Facebook, Myspace or Twitter a danger?

Let's say you plan to travel out of state for the week, and you post to your Facebook profile about it.  It just so happens a thief may be watching by searching public profiles for the word "vacation" or "leaving", and they run across your post.  Now they know when you will be gone, and it's not very hard to lookup your full name and city from your profile.  From there a simple google search provides directions to your home.  Guess what happens next?

What can you do to protect yourself?

Take steps not to post information which could harm you or your property.

Examples: 

  • Don't post about vacations, business trips, the big graduation party at the park, or going to the mall until you've come back.
  • It's not a good idea to post about your brand new car or HD TV.

Ensure your privacy / security settings are appropriate for your accounts.

Example:

  • Set your Facebook "Privacy Settings" so you aren't broadcasting information to everyone in your "Network." Remember, "network" could mean everyone in a specific geographic region for example.  Maybe only your friends, and maybe their friends, should be able to view your profile.

There are multiple options to securing a Facebook profile:

  • Secure your basic profile to make sure only people you want to see your information can see your information.
  • Secure your search settings to determine who can search for you, and what they can see about you.
  • Secure your posts to make sure you aren't sending everything you post to everyone, unless of course you want to.
  • Secure any add-ins and remove applications which are no longer being used on your account.

Sure are a lot of options available to secure an account, but it's important to pay attention to each of them. 

I hope this encourages a few people to take another look at their profile settings, and start thinking about what kind of personal information should or shouldn't be posted.

If anyone has any great ideas or recommendations, please drop them off so everyone can benefit.

Posted by Jake Harris | | Comments (0) | TrackBack (0)

| | | | |

23 June 2009

Social Networks: The Good, The Bad and The Ugly

Where were you on June 9, 2009 at 10:22am?  At that moment in history, the 1,000,000th word was adopted into the English language.  What was that word?  Web 2.0.  Now you are probably asking yourself, I’ve heard of Web 2.0 well before June…why are we only adopting it now?  Well, the Global Language Monitor has certain criteria by which they judge; but that is well beyond the scope of our discussion here.

So what is Web 2.0?  It has nothing to do with the technology or domain naming.  Mostly it is about the dynamic content and the way users interact with the Internet.  Remember how your parents read the newspaper every evening or watched a newscast on television?  The information flow was one way.  Web 2.0 is about sharing information, opinions and experiences.  You live with Web 2.0 everyday and you probably don’t even know it.  Have you read a review on Amazon?  Have you commented on a news article?  Those are just a couple examples of user provided content.  Websites such as Facebook, Twitter and MySpace, YouTube and other social networks are the big names in social networks or Web 2.0 but there are countless others.  You may think that because you don’t have a Facebook account or don’t visit social networking sites that you, your family or business are immune from anything harmful; you better think again.

The Good

Rather than jump right into the bad or ugly, let’s first discuss how social networks can be good.  Social networking or social media IS the future of communication.  Rather than wait for the newspaper to be delivered, you get news as it happens by the people who are experiencing or involved in the situation.  Remember the US Airway’s flight that landed in the Hudson River?  Well before the media had a chance to deploy reporters to the scene, passengers on the flight were posting pictures and updates through their Twitter account.  Companies are using social networks as a tool to market their brand.  Have you heard of Blendtec?  How about “Will it Blend?”  Blendtec CEO, Tom Dickson, became an instant celebrity when he began posting videos of his blender destroying things like iPhones, Guitar Hero guitars, etc on YouTube.  It also helped them sell a lot of blenders.  Even Westfield Insurance uses LinkedIn and Facebook to find talent, as well as, communicate promotions and events.  Blogs such as this one and the Westfield Loss Control Blog are another way that companies can reach out to current and potential customers.  Internally, employees can network between departments giving them a feeling of being more than just another “employee.”

The Bad

Those were just a few examples of how social networks can be beneficial to a company. What are some of the drawbacks?  First, it is difficult to balance a work culture that embraces social networking while ensuring that it does not impact productivity.  It is increasingly more difficult to monitor or limit these activities as social networks extend beyond the desktop and onto cell phones.  Additionally, companies may have a difficult time restricting or limiting the content that employees post.  A disgruntled employee may post negative information about their employer for all to see.  Companies may have human resource policies when it comes to employees posting information about their employer; but how does a company draw a hard line in the sand between moral, religious and political biases and freedom of speech?  Social networks are making it difficult for companies to separate an employee’s business relationship and their personal lives.  On the other hand, employees are learning that inappropriate use of social networking may allow a company to terminate their employment.

The Ugly

So your company is on the cutting edge of technology and you have an HR policy that addresses social networks; is that enough?  Not quite.  Aside from the fact viruses, Trojans and other malware have found a new distribution vector; there are many other security concerns.  Data Loss Prevention is among the top as employees may maliciously or accidentally distribute sensitive company information.  Depending on the leaked information, your company may be faced with regulatory fines and requirements such as privacy breach.  Even if the information isn’t overtly sensitive, information may trickle that may give a hacker or your competitors an inside advantage.  Take for example your network administrator who blogs and/or posts questions about Cisco routers and firewalls.  A hacker may use that inside knowledge to target the vulnerabilities specific to Cisco products.  I am sure there are additional threats that remain to be discovered.

Conclusion

Whether your company has adopted or is blocking social networks; it is probably time for a revisit.  While the inherent risks and productivity impact of social sites such as Twitter, Facebook, etc. are good reason to not allow them in the work environment; you may find that people are spending more time on their cell phones texting or other social activities.  It is difficult to balance a no tolerance policy for social sites while allowing shopping or other entertainment sites while on company time.  Blocking all non-work essential sites has proven time and time again to reduce employee morale; which in turn has greater impact in reducing productivity.  If you feel your company is behind in addressing this issue, don’t feel alone.  Many companies are working struggling to weigh the risk versus the reward.  We would love to hear how your company handles social networks. Please make a comment or contact us at infosec@westfieldgrp.com.

Posted by John Doan | | Comments (1) | TrackBack (0)

| | | | |

15 June 2009

Securing the future

Today was a day for milestones... I've reached 10 years with Westfield and my 8 month old starting saying da da. 

10 years ago information security meant keeping up with anti-virus, and making sure you sent your e-mail to the right person.  People were concerned about locking their doors, and making sure their checkbooks were still in their possession.  Schemes weren’t as complex as they are today.

 

Today information security is almost as complex as the brain teasers you can pick up at the local toy store.  You still need to keep your doors locked, but now you need to make sure you clean the circle the GPS device leaves on your windshield so your car doesn't get broken into.  You also need to shred every document which could remotely leak your identity.  If that's not enough, you need to keep your computer as secure as Fort Knox, with anti-virus software, personal firewalls, anti-spyware, anti-spam, and quite a few more anti-products that are widely available.  If people are willing to dig through trash cans, and spend countless numbers of hours creating viruses what could tomorrow hold in store?

What is information security going to be like in 10 years?  Will your home computer be joined by many other devices requiring all of the anti products above?  Will your car need them, so a hacker doesn't program it to follow their car back to a chop shop?  Will you have to use your fingerprint to access any computer information, including your email?  Will your cell phone be capable of communicating with a maintenance robot doing your laundry, as it senses an intruder breaking into your home? 

 

The message here is that we don’t know what is coming next, but it doesn’t mean that we can let our guard down.  The best we can do is to educate ourselves and others to help protect the future and prepare for the unexpected.

 

I'm interested in hearing others thoughts on this topic?  Please drop a comment, and help us keep the future secure.

Posted by Jake Harris | | Comments (0) | TrackBack (0)

| | | | |

31 March 2009

Lock your doors, here comes the Conficker worm!

You can hardly look at any news source anymore without being bombarded by articles about security incidents, privacy breaches, worms, viruses, zombies, botnet's or a host of other Information Security related headlines.  The media really eats this Information Security stuff up.

This week’s news continues this trend.

Get ready for the “Conficker.c” worm that has already infected 5 to 10 million computers worldwide and is waiting for April 1, 2009 to awaken.  The experts predict that the payload, which is what the worm will do when it is activated, will somehow involve people being separated from their money.  This assumption is based on the knowledge that many of this worms predecessors have been targeted at convincing their helpless victims to purchase what they think is "anti-virus software" to protect their computers from the very worm that they are already infected with.

It really is all about money these days. Microsoft has even jumped in and offered a $250k reward for information leading to the capture and arrest of the worm writer.

Over the last few months the news has been filled with companies getting "hacked" and loosing their customer privacy related information (SSN & Account numbers, etc...). There have also been several companies that have just simply lost information through carelessness and bad security practices.

And over the next few months I am sure that we will continue to hear about more about companies losing information, more virus and worm scares that threaten society and more about victims who have lost money due to identity theft, phishing attacks or more worms.

I have been in the Information Security profession for a long time and while Information Security threats are ever changing, fast paced and have grown to ever increasing scales, there are some simple and basic things that companies and people can do to significantly reduce their exposure to these threats. 

Not surprisingly, they are really just common sense, don't change much over time and you already know how to do them.

  • Patch your systems and do it all the time. The Conficker.c worm exploits a vulnerability that a patch was released to mitigate in October 2008.  New patches are being released all the time.  I guarantee viruses and worms will be written to exploit them.

  • Have basic protections in place like a personal firewall that blocks nonstandard traffic and antivirus software that is regularly updated and is configured to regularly scan your computer.  We hear this all the time.  Are you doing it?

  • Don't download and run pirated software or software that does illegal things.  This includes peer-to-peer file sharing as well as pirated versions of your favorite tax software.

  • Be suspicious of everything.  And even more so if someone or something is trying to help you or give you something for free.  Nothing is free.  Come on, you know that don’t you?

 The bottom line is simple. Protect the information on your computer the same as you would protect your physical property.  Lock your doors and windows.  Don't let strangers in your house even when one comes to the door and wants to give you $100 dollars.  Change your locks if you think that someone has been inside your house.  Don't accept (or seek out) stolen property.  If you receive a recall notice for your car because of failing brakes, make a point to get them fixed as soon as possible. 

Security is security. Use the same logic with computers and information that you use to determine what you should and should not do with your valued physical possessions.  Applying this logic will avoid the majority of the Information Security problems that you hear about in the news.

Posted by Bill Murray | | Comments (1) | TrackBack (0)

| | | | |

05 January 2009

Post-holiday phishes

I trust everyone had a good holiday break and hope you have a good new year. With the way 2008 ended, many people are making plans for the future. Unfortunately, some of those planners include phishers and social engineers. And as I'm sure you've seen, they are getting more and more creative and professional in their scams. The days when you could delete a message just because it was poorly written are long gone. Today's scams are targeted, well-written and spell-checked.

In particular, we are already an increase in phishing messages that reference the recipient's holiday credit care spending pattern. The messages will claim to be requests for confirmation, reports of transactions and even a few of the traditional "your account has been frozen" scams. During the holiday season, many people have more transactions and shop with more different merchants; the scammers are attempting to exploit any confusion over those transactions in order to trick you into disclosing your account information, passwords, etc. If last year is any indication, expect that phishing campaign to accelerate during this week and last until the middle of next month or so.

We are also seeing a number of scams related to the economy. The number of work-at-home scam messages is up dramatically. As you may remember from prior tips, these scams promise easy money either for helping transfer funds or to conduct "quality control checks" on merchandise. In the first case, you become part of a money laundering operation, in the second, a fence. Either way, you're like to get a visit from some federal law enforcement agency. If it were that easy to make money, they wouldn't need to be sending out random emails about it.

Interestingly, the old "Nigerian fraud" is back in large numbers. These are fairly transparent messages alleging that someone needs your help to get money out of a foreign country (usually in Sub-Saharan Africa) and offering you a percentage if you will allow the person to transfer the money through your bank account. Foreign lottery scams are also back in significant numbers. I believe that by now most people know that these messages are scams but in times of financial difficulty, sometimes hope trumps common sense.

If an email asks for your personal information or if it contains an offer that looks too good to be true, trust your intuition and delete the message. To learn more about how to identify common scams, check out some of the links in our archived Tips on phishing. Have a safe New Year.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

08 December 2008

Get ready for a Storm of holiday-related scams

For the past year or so, we've seen a significant uptick in attempted scams and frauds around every holiday. Many of them trace back to the Storm Warn gang, a crime ring based out of Germany that sells hacker software. Their last big attack was at the Fourth of July and tricked many thousands of users into downloading the 'storm-bot' trojan by offering a fake video clip of "the largest fireworks" celebration in the nation. Victims found their computer hijacked as part of a bot-net or had keystroke loggers and other malicious software loaded onto their computer.

If past patterns hold true, we can expect to see a dramatic rise in the volume of spam and phishing attempts during this holiday season. Some of their cons last holiday season included dedicated sites like the Merrychristmasdude.com website (a site offering suggestive holiday-themed photos along with a very malicious download) and spam emails such as the Happy New Year phishes. This group develops very sophisticated software with hundreds of variants that attempt to evade and outrun standard anti-virus software.

To combat these scams, first be suspicious. Never open unexpected messages or attachments.

Second, keep your anti-virus up to date at all times. Set your anti-virus to automatically update itself as often as the software allows. And if you're particularly suspicious about an email or website, force a manual update before clicking the link. Remember that if your kids have a computer at home that runs under parental controls, their computer may not be able to complete the update under the restricted ID. Their computer may be at risk until you log on under your parental ID so the updates can take hold.

Finally, keep your firewall turned on and be very suspicious of any 'free' video or other offer sent through the internet. In particular, be cautious about electronic greeting cards. While some are legit, many are frauds. See this tip for some thoughts on how to sort out e-card invitations.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

10 November 2008

Just when you thought it was safe to let your kids back online

As if regular ID theft weren't enough, now there is an organized crime ring of password stealers who are targeting your online gaming accounts.

For those of you who aren't familiar with these online games, you create a character or 'avatar' who adventures through a fantasy world, interacting with other players to overcome various hazards and quests. Many people invest huge amounts of time and energy developing the character's skills and building up possessions in these online worlds. The Wall Street Journal has run several stories about the 'virtual economies' that sprang up around these games. Some players build up strong characters or search for rare possessions for the sole purpose of selling them to new players who don't want to go to the effort of building up an inexperienced character themselves. It may sound a little weird but it's all legal – the free market in action.

The hack in this case is an infection on your machine just so the hacker can steal the password to your online game account. They log on as you and sell all your carefully hoarded possessions for virtual gold coins which are then handed over to some other online confederate who sells the virtual gold for real-world cash at an online exchange like IGE. (Yes, you can make real money playing games.)

Unlike a theft of your real-world bank password, the theft is virtual so it's not clear that you can actually report it to the police (or that they could do anything if you did). Furthermore, it's very easy to launder the transaction – there's almost no chance that the hacker will get caught.

On the plus side, some of the recent security updates have closed the worst holes that these password stealers exploited. This example highlights the need to keep your computer fully-patched and your antivirus and anti-spyware up-to-date. And, of course, don't play those online games on your work computer.

Read more at CSOonline or get a copy of Exploiting Online Games by Hoglund & McGraw.

Posted by Mike Rossander | | Comments (1) | TrackBack (0)

| | | | |

03 November 2008

Stolen laptops

Law enforcement agencies are reporting a recent uptick in the number of lost or stolen laptop computers. It's not clear yet whether this is a random fluctuation, a consequence of the troubled economy or something else but it is a disturbing trend.

Laptop computers represent one of most significant information risks for any company because of the sheer volume of confidential information that they can hold. Worse, even if you don't think you've ever saved a confidential document onto your computer, the computer will almost certainly have the access credentials needed to access information that is centrally held. One stolen laptop can put all of your data at risk. In those situations, the state-level breach disclosure laws put the burden on the breached company to show that their information was not compromised. When in doubt, the company must disclose. So unless you know positively what information got stolen, you might have to assume that all of it was and notify everyone in your database. Thousands of notifications, leading to lawsuits, wasted time, panicked customers and, most seriously, a loss of trust with your customers.

For most companies, there are two thin lines that protect your customer information.

One is each individual employee's practice of protecting the computer itself. The vast majority of laptop thefts are crimes of opportunity so don't give the criminal the opportunity. Have a policy that requires your staff to keep their laptops locked up at night. If leaving the computer at the office, put it in a desk drawer or cabinet - out of sight, out of mind. Don't assume that the door lock will be sufficient to keep the thieves out. (See this Times article for an example of how easily a professional thief can impersonate his/her way into a supposedly secured office.) If your staff are taking the computer home, make sure they know to either bring it in with them or lock the computer in the trunk if they have to stop on the way. Never let the computers be left exposed.

The second line of defense is encryption. Scrambling your data can provide protection in case the unthinkable happens. That encryption, however, is no stronger than the key used to unlock it. For many companies, the encryption is based on a password (often the same password used to log onto the computer in the morning). Always pick a strong password. Don't just pick a word, capitalize the first letter and add some numbers at the end. This is a natural tendency for english-speakers and the hackers know it. They optimize their cracking routines to break passwords in this pattern and will crack them in mere minutes. Use whole sentences instead. Whole sentences are easy to remember but far harder to break.

And never, never, never write down your password and leave it with the device you are trying to protect. That would be like buying a $3000 security door for your home, then leaving the key in the lock. You'd never be that careless at home. Don't let people be careless at work, either.

If you have a laptop, protect it. Even one loss is too many.

Credit report reminder

For those of us on the "trimester plan" for reviewing our credit reports, it's time to ask for your free copy of your credit report from the next agency.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

27 October 2008

Suing the scareware vendors

According to a Washington Post article, Microsoft and the state of Washington recently filed lawsuits against a number of scareware vendors. They're finally taking on the scammers who are trying to trick us into buying worthless (or worse, malicious) "security" software.

One of the lawsuits specifically charges Texas-based Branch Software with involvement in the "Registry Cleaner XP" scam. A number of other "john doe" lawsuits were filed in an attempt to learn the identities of the individuals responsible for marketing other scareware products such as WinDefender, XPDefender, Antivirus2009 and Scan & Repair Utilities.

Kudos to Microsoft for finally attempting to do something about these scammers. Now if they'd just reset the defaults in their own software so it wasn't so vulnerable in the first place…

Until they do, make sure you keep your computer fully patched, never bypass the firewall and be cautious of any suspicious links or pop-ups – especially ones telling you that your computer needs fixing.

If your office has an IT specialist, make sure he/she is signed up for regular alerts about the latest technical security vulnerabilities. These alerts will help you prioritize which patches need immediate remediation and which can wait while you test them for unintended consequences. Here are a few that I've found to be reasonably thorough:

If you don't have someone who can watch and evaluate these notifications, you probably need to set your patches to automatically update themselves and hope that the patch doesn't break anything else accidentally.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

31 March 2008

Fake check scams

Earn millions! Help a damsel in distress! Win the lottery! Work at home! Whoops, I overpaid – please send back the overpayment!

These are just a few of the scams out there. The average adult American receives 4½ emails, phone calls or pieces of mail per week attempting one of these scams. Thirty percent say they receive 10 or more a week and 18% admit that they or a family member have fallen for one of them.

The National Consumers League (NCL) recently launched a website fakechecks.org to help educate consumers about check-fraud scams like these. The website includes a "fraud test" and some great videos that show exactly how these six scams work and how to recognize them when they come in . Take a few minutes at home to see how many of these you would fall for. And remember, this is what these scammers to for a living. Some of them are very good at building a rapport and sounding trustworthy. They play on our inherent trust and desire to be helpful and courteous.

Remember also that in a check fraud scheme, the victim is responsible for the lost money and any overdraft or returned check fees. The fraudster ought to be responsible but given the odds of catching him/her, that is dangerous wishful thinking. The bank has no responsibility if you fall victim to check fraud like the ones above.

If you are a victim who recently wired money to fraudsters, report the incident immediately to the security department of the business that handled the wire transfer. If the payment hasn't been processed yet, they might be able to get your money back. If it's an older scam, report it at fakechecks.org.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

04 February 2008

Hackers do it for the money

Every so often, people ask me "why do they do it?" Why do the hackers put so much time and energy into committing crimes and sending spam? Why can't they channel all that innovation for good?

The stereotypical hacker used to be a pimply-faced, pizza-eating kid working late at night in a caffeine-induced frenzy for guts, glory and bragging rights – kids breaking into systems just to prove that they could or writing computer viruses to delete hard drives for the cheap thrill of vandalism. There are still some of those folks out there but the vast majority of hackers and spammers are now in it for the money. They are organized, well-educated and they're making big bucks.

According to McAfee CEO David DeWalt, cybercrime has become a $105 billion business and is now larger than the value of the illegal drug trade worldwide. Unfortunately, computer crimes are relatively safe crimes. Hackers hide behind multiple networks and their digital footprints. Many hackers run at least part of their scam through a foreign country – often one with poor relations with the US, significantly increasing the difficulty in prosecuting any case against the criminal. Law enforcement's ability to find, prosecute and punish cybercriminals has not kept up with the growth of the criminal activity. And even if you do get caught, DeWalt noted that "If you rob a 7-11 you'll get a much harsher punishment than if you stole millions online."

And even if the hacker can't make any money off you directly (by stealing your personal information or using your computer as a point-of-entry into the corporate system), they can still hijack your computer's processing power to attack other systems. The hacker sees your computer as an asset.

Take spam as another example. If we all stopped buying, the spam problem would dry up in a matter of months. Yet 98% of all message traffic on the Internet is now spam. Who buys that junk? According to a study from several years ago, a spammer only needs to make one sale or con per 100,000 messages in order to make a profit. With those odds, they don't even have to be good scams. They just have to find the one gullible person among your 100,000 closest friends.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

14 January 2008

Most Americans overestimate their cyberprotection

Most people think that they're protecting their computers but few are as safe as they think they are. According to a poll conducted by the National Cyber Security Alliance (NCSA) and the anti-virus company McAfee, 87 percent of Americans say they have anti-virus software. When their computers were scanned (with their permission), 94% actually had anti-virus software but only 52% had updated it in the last month. New viruses are released daily. An out-of-date anti-virus package does you almost no good at all. Most anti-virus packages have an option to update themselves automatically. For almost all of us, that's the right choice.

73% of those surveyed said they had a firewall. 81% had a firewall but only 64% had it activated. That's like saying your money is protected by the steel door of the bank vault but leaving the door hanging open. Never disable your firewall.

70%t said they had anti-spyware software but only 55% actually have it.

The poll also reported that 61% believe they have anti-spam software installed but only 21% do. (In this case, the poll question may have been worded poorly. If your spam filtering is done by your ISP or your webmail provider, you may be protected from spam even though the anti-spam software is not on your specific machine.) Regardless of how you run it, the important point is to have an anti-spam solution.

Oddly, the study found that computers of older Americans tend to be more secure than those of the allegedly-more tech-savvy younger Americans.

To be properly protected, you need current anti-virus, an active firewall, up-to-date patches for your operating system and applications and at least one anti-spyware program running. If you don't, you are taking unnecessary risks with your personal information.

Click here to read the full study results.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

Next »