Security

Of note – this is an article that was published internally to a corporate website.  I thought it was more informative than what I had in store to write and loved the list of what you can do at the bottom.  So, it is my hope you enjoy this post on looking at threats that will be prevalent this year.

Danger Ahead

During 2012, cyber security incidents included theft of public and private intellectual property, hacktivism, ransomware, malware targeting mobile devices, and an increase in the use of malicious software including the Black Hole Rootkit and Zero Access Trojan.  What will we see in 2013?  Below is a brief roundup, listed in no particular order, of several threats and trends we can expect during the next 12 months.

Mobile Devices in the Enterprise

As the use of mobile devices grew in 2012, so too has the volume of attacks targeted to them.  Every new smartphone, tablet or other mobile device provides another opportunity for a potential cyber attack.  Risks include access to corporate email and files, as well as the ability for the mobile device apps to download malware, such as keyloggers or programs that eavesdrop on phone calls and text messages.

New capabilities, such as near field communication (NFC), will be on the rise in 2013 and will increase the opportunities for cyber criminals to exploit weaknesses.  NFC allows smartphones to communicate with each other by simply touching another smartphone, or being in close proximity to another smartphone with NFC capabilities or an NFC device.  This technology is being used for credit card purchases and advertisements in airports and magazines, and will most likely be incorporated into other uses in 2013.  Risks with using NFC include eavesdropping—through which the cyber criminal can intercept data transmission, such as credit card numbers—and transferring viruses or other malware from one NFC-enabled device to another.

Ransomware

Ransomware is a type of malware that is used for extortion.  The attacker distributes malware that will take over a system by encrypting the contents or locking the system; the attacker then demands money from the victim in exchange for releasing the data and/or unlocking the system.  Once payment is delivered, the attacker may or may not provide the data or access to the system.  Even if access is restored, the integrity of the data is still in question.  This type of malware and delivery mechanism will become more sophisticated in 2013.

Social Media

Use of social media sites has grown beyond just sharing personal information, such as vacation photos and messaging.  These sites are being used increasingly for advertising, purchasing and gaming.  For 2013, attackers will look to exploit this volume and variety of data being shared to harvest credentials or other personally identifiable information (PII), such as Social Security numbers.

Hacktivism

Attacks carried out as cyber protests for politically or socially motivated purposes, or “just because they can,” have increased, and are expected to continue in 2013.  Common strategies used by hacktivist groups include denial-of-service attacks and Web-based attacks, such as SQL injections.  Once a system is compromised, the attacker will harvest data, such as user credentials, to gain access to additional data, emails, credentials, credit card data and other sensitive information.

Advanced Persistent Threat

Advanced persistent threat (APT) refers to a long-term pattern of targeted hacking attacks using subversive and stealthy means to gain continual, persistent exfiltration of data.  The entry point for these types of espionage activities is often the unsuspecting end user or weak perimeter security.  Whether focused on exploiting vulnerable networks or unsuspecting end users, APT will remain a consistent threat to networks in 2013.

Spear Phishing Attacks

Spear phishing is a deceptive communication, such as email, text or tweet, targeting a specific individual, seeking to obtain unauthorized access to personal or sensitive data.  Spear phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by perpetrators seeking financial gain, trade secrets or sensitive information.  Spear phishing is often the nexus to cyber espionage/APT and will continue to increase this year.

What Can You Do?

By using sound cyber security practices, users and organizations can strengthen readiness and response to help defend against the myriad of challenges and mitigate potential impacts of incidents:

  • Enable encryption and password features on your smartphones and other mobile devices.
  • Use strong passwords that combine upper and lower case letters, numbers, and special characters, and do not share them with anyone.  Use a separate password for every account.  In particular, do not use the same password for your work account on any other system.
  • Disable wireless, Bluetooth and NFC when not in use.
  • Properly configure and patch operating systems, browsers and other software programs.  This should be done not only on workstations and servers, but mobile devices as well.
  • Use and regularly update firewalls, anti-virus and anti-spyware programs.
  • Be cautious regarding all communications; think before you click.  Use common sense when communicating with users you do and do NOT know.  Do not open email or related attachments from untrusted sources.
  • Don’t reveal too much information about yourself online.  Depending on the information you reveal, you could become the target of identity or property theft.
  • Be careful with whom you communicate or provide information on social media sites.  Those ‘friends’ or games might be looking to steal your information.
  • Protect your access credentials – never share or tell others your credentials (user name, password).
  • If you have a device that is used for work purposes, do not share that device with friends or family.


To Click or Not to Click

While I know the internet is something that was a ‘life changer’ for all of us, one of the largest problems with the internet is not something we can totally solve with programs and access levels. One of the big things that we need to understand better – and provide more control over – is human behavior. To be more clear (even though I have written about this before) – we need to change our behavior.

I’m going to let you know that I agree with our current Secretary of Homeland Security (Janet Napolitano) to a certain extent (more than likely on this one issue, but … who knows). Please note, I in no way want to legislate the internet or how people use it (that is a huge difference between Ms. Napolitano / current administration positions with various legislative attempts to do just that). However, she did let something out of the bag with the quote in this story – “Every individual on the net is vulner – is a potential, uh, opening.”

Our behavior is a key element in our experiences. Too often I get machines to fix with badware on it. Why is it there? Because of choices the owners or users of the machines made. Some have no virus protection (and even Mac users need that, contrary to their popular misconceptions). Some have no other protections installed against adware, malware, rootkits, you name it. But the common denominator – in my experience – is someone clicked on something, then things quickly spiraled downhill.

You don’t have to be surfing bad sites to have the opportunity to catch bad things. It could be something that seems as innocent as most anything (like an email from your mom). That email may be spoofed and the link you are clicking on could be just what a cybercrook needs to have a file installed in your computer so they can do many less than noble things with that equipment. It could be looking at a picture you have been tagged in on Facebook, and once you click on that image things start to go downhill.

The point of this post? We need to understand that there is opportunity to have bad things happen just because we are on the internet. Because we will get on the internet, it would be beneficial for all of us to have a stance of healthy skepticism. Just because something looks like a duck and quacks like a duck, on the internet it still may not be the duck you think it is! Protect yourself and your information by being less trusting than you would be if you were interfacing with someone face to face. It is just too easy to pretend to be someone else and send a spoofed tweet with a link asking you (no, really compelling you, for no good reason many times…) to click on it. A link in an email that promises you a happy or funny story, a video you just have to see, or a chance to get something for nothing. And too often we click on it and pay the price.

The day I wrote this article, I received a call from a customer.  They had also received a call – ostensibly letting them know they had infected computers and this individual could assist them right then by removing the infections.  They wanted to log in – through their network (over the web) and assist.  I’m thankful for their healthy dose of skepticism (and the phone call to me).  This was just another attempt at social engineering – leveraging most folks’ need to help others.  Imagine the damage that could have been leveled at this set of computers (about a dozen for a local business).  They just said no – excellent!

Since 2013 is still young, take a look at how you are interfacing with strangers and strange sites on the web. Are you enabling all those games and apps that communicate with information on your computer / smartphone so your contact list can be ransacked for data? Are you entering contests with lots of required information? Are you laissez faire about the links you click on? Why not make some good changes today – be skeptical! Thanks for reading.


Biometrics & Privacy

It is no secret that we love convenience.  If this were not the case, most of us would still travel to a stream / river / water to wash our clothes against a rock instead of going to the laundromat / dry cleaners / washing machine in our home.  Or perhaps we would eschew electricity and heat our homes with fire, not use anything that required charging or the need to be ‘powered’ (like your computer, a television, your appliances, lights…).  Maybe we would walk more instead of using our cars to get around.

Not willing to give any of that up?  I get it!  We’re creatures of comfort and convenience.  Heaven knows we don’t have the time or patience to cook a meal instead of putting one in the microwave (or going to some fast food joint to pay for the convenience of others preparing something for us).  We built all this stuff and will hand it off to our children because we know best and have left them a better place than the one we grew up in.

And that is the point of this post.  Since we marvel at the changes coming in technology and the convenience that this brings us, it is no surprise we don’t look at the long term effects or possibilities this holds for us.  We’re here in the ‘now’ and don’t have time to contemplate the future impact.  But make no mistake, the changes happening today and in our recent past continue to reverberate well into the future.

Let’s talk about privacy.  An entire organization has been built from the ground up under the auspices of protecting us – the TSA.  This very expensive and very (in my opinion) ineffective organization continues to grow and has started to permeate many other areas of society – apart from air travel – with barely any discussion of citizen concerns for their mission and tactics.  A new force of our government to dictate the behavior of the masses.

But I digress – how did we come here, what is happening now, and what is the potential impact on our (and our children’s) future.  Let’s look at a couple of experiments in our public schools.  Like it or not, once these experiments start in our schools they are more than well on their way into many other areas of society and our lives.

An article written in the USA Today (by Brian Shane) recently caught my eye – Palm scanners get thumbs up in schools, hospitals.  While many showed only superficial concern (transmission of germs by multiple folks using the device – really?  That’s all you have?  Don’t even think about all those folks grabbing the door handle of the bathroom you just exited without washing their hands…) there was one parent who opted their son out of this experiment.  Imagine that, his son would have to pay with (gasp) cash (talk about dirty!).  And would be (gasp) responsible for securing it until needing it.  How inconvenient for all involved – yet it certainly takes care of any privacy concerns.

Another article from CBS Houston had the headline of Schools’ Tracking Devices Causes Controversy.  Here the students’ movements are tracked like boxes of merchandise waiting to be shipped to fulfill our shopping needs at our local WalMart (or mom-n-pop store if you prefer).  RFID has been around and in use for some time, and expanding this technology seems to be on the rise.  But when one student refused to play well with this experiment (that was supposed to assist in tracking attendance, thus securing more federal funds according to the article) they were threatened with removal from the school.  How’s that for an education (or indoctrination – comply or else)?

Now my intent here is not to come across as someone that sees evil or ill intent with technology.  I did, however, want to use words to get you to think in stark terms of the initial convenience promised and the current tactics for asking for you to comply with these benevolent keepers of our kids.  And technology is good, it can be a great help, and I’m not suggesting we roll back the clock.  I am saying we may not have thought very far in the future about how these devices – and the information culled from us and shared in massive data repositories – will be used as we move forward.

Are you keeping an eye open for the advances in technology that are coming near you?  Where would you draw the line on privacy?  Biometrics (eye / finger / palm scanning)?  Naked body scanners and intrusive pat downs (coming or are already at an airport near you)?  Embedded RFID chips?  Dependence on credit cards (that are tracked well, but there are improvements and additional conveniences in the works)?  Think about the future of where all this information ends up and how the lives of those that follow will be impacted (for good, and perhaps not so good).


Passwords...they should be strong and secret...

Passwords are a wonderful way to authenticate you – it’s a simple way of authenticating that you are who you claim to be and should be able to access the information you are attempting to get at. I say it’s a simple way because there are many more complicated ways to do this! I also say it is a simple way because this is the most attacked way to gain entrance to systems by others who are not you! Simply put – passwords are how you log in to a system.

If someone can gain access to your password, they can steal your digital identity and have access to all of your information. We often take passwords for granted, forgetting that we need to craft / create / protect them well. Let’s learn more about what makes a good password and how to use them to our advantage. There are two key points to strong passwords.

First, you want passwords that are hard to guess. This means do not use passwords such as words or phrases you can find in the dictionary, your pets name, your address or your birth date.

Second, use passwords that are easy to remember. If you keep forgetting your passwords they are not very helpful.

Cyber criminals have developed programs that automate the ability to guess, or brute force attack your passwords. This means they can break into your accounts if your passwords are easy to guess. To protect yourself follow these rules for good passwords.

  • You should have at least one number in your password.
  • You should have at least one lower case and one upper case letter in your password.
  • You should have at least one symbol in your password.

But how do we create a password that is easy to remember but hard to guess? At first glance this password looks very difficult. However, by using the first letter of each word in a sentence, it becomes much easier to remember:

M1swb@MIH@11:25

My 1st son was born at Mary Immaculate Hospital at 11:25.

By using phrases you can pick passwords that are easy to remember and hard for people to guess.
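As an added example (this is not code from the original post), here is a small Python checker that applies the three rules above plus a dictionary check, estimates how large a brute-force search space the password forces on an attacker, and builds a password from a memorable sentence the way the post does. The short word list and the 12-character minimum are my assumptions; the post names neither.

```python
import math
import re
import string

# Constructed sample wordlist standing in for a real dictionary plus "personal
# facts" (pet names, birthdays). Assumption: a real checker loads a full wordlist.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "fluffy", "summer"}

# The post names no minimum length; 12 is an assumed, commonly used floor.
MIN_LENGTH = 12


def check_rules(password: str) -> dict:
    """Apply the post's three rules (digit, mixed case, symbol) plus a
    dictionary check and a minimum length. Returns rule name -> pass/fail."""
    lowered = password.lower()
    return {
        "has_digit": any(c.isdigit() for c in password),
        "has_upper_and_lower": any(c.isupper() for c in password)
                               and any(c.islower() for c in password),
        "has_symbol": any(c in string.punctuation for c in password),
        "long_enough": len(password) >= MIN_LENGTH,
        "not_dictionary": not any(word in lowered for word in COMMON_WORDS),
    }


def guess_space_bits(password: str) -> float:
    """Upper bound on the brute-force search space, in bits: log2(alphabet^length),
    where the alphabet is the union of character classes actually used.
    This overstates the strength of dictionary-based passwords, which is why
    check_rules() also rejects common words."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # the 32 printable ASCII symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_to_password(sentence: str) -> str:
    """Build a password from a memorable sentence the way the post does:
    first letter of each word, the word 'at' becomes '@', numbers and
    times are kept as digits."""
    out = []
    for raw in sentence.split():
        word = raw.rstrip(".,!?;")
        if not word:
            continue
        if word.lower() == "at":
            out.append("@")
        elif word[0].isdigit():
            # '1st' -> '1', '11:25' stays '11:25'
            out.append(re.match(r"[\d:]+", word).group(0))
        else:
            out.append(word[0])
    return "".join(out)


def evaluate(password: str) -> tuple:
    """Return (all_rules_pass, failed_rule_names, search_space_bits)."""
    rules = check_rules(password)
    failed = [name for name, ok in rules.items() if not ok]
    return (not failed, failed, round(guess_space_bits(password), 1))


if __name__ == "__main__":
    sentence = "My 1st son was born at Mary Immaculate Hospital at 11:25."
    pw = passphrase_to_password(sentence)
    print(pw, evaluate(pw))              # M1swb@MIH@11:25 (True, [], 98.3)
    print("fluffy", evaluate("fluffy"))  # weak: fails all five rules, ~28 bits
```

Run it as a script and it prints the post's own example alongside a pet-name password; the bit count is a ceiling on attacker effort, not a guarantee, which is exactly why the dictionary rule is kept separate from the character-class rules.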

In addition to using strong passwords, you must protect how you use and control them.

First, it is important to use different passwords for different accounts. For example, never use the same passwords for your work or bank accounts as your personal accounts, such as Facebook, YouTube or Twitter. This way if one of your passwords is hacked or compromised, the other accounts are still safe.

Second, never share your password with anyone else, including a family member, co-worker or supervisor. Remember, your password is a secret, if anyone else knows your password it is no longer secure. If you accidentally share your password with someone else, change it immediately.

Third, never use a public computer such as at hotels or libraries to log into a work or bank account (or other account that you don’t want compromised – like your email or LinkedIn account). Since anyone can use these computers they may be infected with a malicious code that is capturing all your keystrokes. Only log in to your various accounts on trusted computers you control.

Fourth, if you are no longer using an account, be sure to disable or delete it. That’s right, remove it, trash it, get rid of it – don’t just abandon it!

Finally, be cautious of websites that require you to answer personal questions. These questions are often used if you forget your account password and need to reset it. The problem is the answers to these questions can often be found on the Internet, or even your social networking pages. Make sure that if you answer personal questions you use only information that is not publicly known. If the website provides other reset options, such as a text message to your mobile phone, you may want to consider these alternatives.

I don’t share this to scare you – I only want you to be aware of what you need to do as you practice safe computing. I hope you examine how you craft and use your passwords and make necessary changes to keep your information free from those that want to hack!

The Target Is You

If I may be so bold, let me put forth the premise that folks are targeting you.  When it comes to infections (virus, badware, spyware, etc.) it is important to understand that you are the cyber criminal’s primary target.

Why is that so important for you to understand?  Well, many people have the misconception that cyber crooks target only large corporations or organizations, when in reality they also target individuals – like you!  In addition, while these attackers use a variety of sophisticated tools, the simplest way to hack into a family / group / company is by targeting people.

Let’s take a company (any company) as an example.  Unaware employees are a company’s greatest weakness, as people make mistakes, such as clicking on malicious links.  As a result the person has become the primary target.  Their computer and their (actually – their company’s) information has tremendous value to cyber crooks. Some examples include:

  • Data Theft: Cyber crooks can steal a company’s highly confidential information by hacking an employee computer or compromising their work accounts.
  • Identity Theft: Cyber crooks can steal and commit fraud with an employee’s personal information (not limited to, but including their credit card data, medical history or bank account information).
  • Attacking Others: Cyber crooks can use a compromised computer to harm others, including hacking other computers, launching denial of service attacks, or distributing spam.

What many may not realize is they are also a target when traveling, like while waiting for a flight at an airport, passing time at a hotel or attending a conference. You are even under attack at home, when you and your family connect to the Internet.  To help protect yourself, your family and even the company you work for, it is helpful to remember:

  • Be cautious when using unknown (untrusted) connections (search more)
    There are loads of software programs that can help here.  Here’s one for free (Hotspot Shield) but there are others.
  • When on the internet, be sure to use encryption when connecting to sites
    By this I mean when going to Facebook and entering your information (or Gmail, your online banking site or any other site you need to input your password and see personal information) put in https:// before the URL and make sure you are on a secure (encrypted) site.
  • Limit the amount of information you share on social networking
    Here I’m specifically calling out Facebook, MySpace, and all those other sites you have an account on.  Do you really need to show your birthday?  Street address?  Where you work?  Probably not, so just resist the urge to fill in all those blanks.
  • Encrypt your devices (laptops / smartphones / tablets)
    Here I am saying encrypt your device so that you can deter folks from getting at your information once you misplace, lose or have your device stolen.  Once it is gone, the ‘finder’ of the device has all that information, so think ahead and do what you can to prevent that scenario.  I’ve written about TrueCrypt for laptops, but there are many other programs for most any device, even some that will wipe your smartphone / device remotely if you lose it or have it stolen!
  • Don’t just click
    I’ve written about this before, so this is just a reminder.  Even if it is someone you know, don’t click on the links or attachments until you have done some checking to see if these are legitimate or trying to trick you.  You just clicking there could be what a cyber crook needs to gain access to your computer or device.

I’ll leave you with these 4 things to ponder.  Always be cautious and assume you are a target. You may think you or your information does not have value but it does.  On the Internet attacks are a constant threat. If something seems suspicious or wrong, it most likely is.

Think of the information you are sharing - and who is using it...

The amount of information on you and me that can be located on the internet is staggering.  The most interesting thing about it (for me) is that it is information we have chosen to share about ourselves.  It wasn’t placed there illegally or with nefarious purposes, we just put it out there.  Perhaps we need to rethink that strategy as we go forward.  Why?  Here’s one example of how social networking can be used – for good or for creepers.

An article titled ‘This Creepy App Isn’t Just Stalking Women Without Their Knowledge, It’s A Wake-Up Call About Facebook Privacy‘ by John Brownlee was my introduction to the Girls Around Me app that was available for a while via Apple’s app store (it has since been pulled due to privacy concerns according to this article written by CBS – Seattle).  According to the author’s website:

Girls Around Me scans your surroundings and helps you find out where girls or guys are hanging out. You can also see the ratio of girls to guys in different places around you.

Browse photos of lovely local ladies and tap their thumbnail to find out more about them.

In the mood for love, or just after a one-night stand? Girls Around Me puts you in control! Reveal the hottest nightspots, who’s in them, and how to reach them…

By now you may be a little creeped out.  That’s understandable.  The app uses a Foursquare account and gleans information from Facebook and other social media information.  But don’t get too mad at the writers of the app, the fact remains that this is information individuals (of course you could find GUYS through this app as well…) chose to make publicly available.  These folks just had no idea that the information they willingly offer up to the world could be used for purposes they could not envision.  Well – perhaps it’s time to get a clue…

The main point I want to make is – how much are you sharing, and do you pay attention to the privacy settings?  Many companies – like Facebook – allow you to opt out of sharing information with everyone.  However, that is the rub – you have to opt out (you are automatically opting in for public consumption).

Another issue is that companies that you place your information on can still sell your information OR can change the settings as needed (they just change their policy and can then update settings globally so that it requires no intervention from you).

While this was just one illustration, it is my hope that you review the privacy settings and only share what is really necessary.  Don’t think others do not use the data you provide for any and ALL purposes.  Thanks for reading!