November 27, 2015

Personal Holiday Security Reminders


The holiday season is upon us once again. Before all the festivities get started, let me offer some simple security tips you can use to make it a safe and secure holiday season.


March 15, 2015

OPSEC

What is OPSEC?

Operations Security, otherwise known as OPSEC, is a five-step risk management process that focuses on protecting critical information that would give an adversary an advantage if discovered. OPSEC complements the traditional security disciplines and works alongside them to protect critical pieces of information. Below are two videos from the U.S. Department of Energy that present a vintage 1950s-era government film to remind you that OPSEC really is not that difficult to put into practice; just remember not to let the cat out of the bag. They're an entertaining way to learn about an important security discipline.

Atomic OPSEC Part 1: vintage video featuring the Atomic Bomb Commission Orchestra.
Atomic OPSEC Part 2: vintage video.

Here's hoping you continue to talk about Operations Security, or OPSEC.

March 1, 2015

Scam U: Digital redirect

Con artists, scammers, hackers: regardless of what you call them, they're opportunistic parasites looking for any opportunity to exploit for financial gain. The Internet has become a playground for these cretins to hide in while weaving webs of deceit. When you're cruising through the inter-webs, be cautious.

Back in 2014, the Better Business Bureau (BBB) warned people about scammers exploiting eBay's editing feature to redirect users to a realistic lookalike site to steal their login information.

The ploy.

The con artists list really low prices for popular items, such as laptops, iPads, or cell phones. Intrigued by the listing, people click on it. Instead of opening the item's page, the site redirects them through a series of websites to a fake eBay page requesting their username and password. The requesting page looks similar to eBay's login page, but it's not. It is a spoofing attempt to collect login information and hijack eBay accounts.

Paul Kerr, an IT worker from Alloa and eBay PowerSeller was the first to flag this issue. He uploaded the below video to YouTube as proof of this trickery and to help inform users how to identify crooked sites.


How does this happen?

eBay allows sellers to use JavaScript and Flash to add design elements to their listings, which gives scammers enough flexibility to add malicious code that redirects users to malicious websites. Don't be lulled into a false sense of security just because you don't shop on eBay. Most online retailers are susceptible to this ploy, since scammers can easily manipulate the site's JavaScript code. Only days after this incident was reported, a security researcher uncovered that Amazon was vulnerable to a similar attack that impacted Kindle libraries. Fortunately, that exploit has since been fixed.

How to keep yourself safe?
  • Check your URL. If you watch the above video, you'll notice the fake website's URL is very different from the legitimate website's.
  • Look for a secure connection. When doing anything that requires sensitive information, including login information, double check for a secure connection.
  • Be careful of too-good-to-be-true listings. The old adage applies: if it is too good to be true, it probably is. Scammers use ridiculously cheap deals to entice people to click where they really should not.
  • Change your account passwords often. With so many articles circulating about passwords being exposed, make it a healthy habit to change them often.
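As an added illustration of the first two tips (this is example code, not something from the original post or from eBay), here is a small "check your URL" helper that verifies the hostname of a login page really belongs to the site it claims to be and that the connection is HTTPS. The trusted domain list and all sample URLs are constructed for illustration; the `URL` class is the standard WHATWG parser built into Node.js and browsers.

```javascript
// Added example (not part of the original post): apply the "check your URL" and
// "look for a secure connection" tips before credentials are typed into a page.
// The trusted domain list and all sample URLs below are constructed for illustration.
const TRUSTED_LOGIN_DOMAINS = {
  // site label -> registrable domains a real login page would live under (assumption)
  ebay: ["ebay.com", "ebay.co.uk"],
};

// True when hostname is exactly `domain` or a subdomain of it. Matching on the
// dot boundary matters: "signin.ebay.com.lookalike.test" must NOT match "ebay.com".
function isUnderDomain(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

// Decide whether `rawUrl` is an acceptable place to enter credentials for `site`.
// Returns { ok, host, reasons } so a caller can show the user why it was rejected.
function checkLoginUrl(rawUrl, site) {
  const trusted = TRUSTED_LOGIN_DOMAINS[site] || [];
  const result = { ok: false, host: null, reasons: [] };
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser, built into Node.js and browsers
  } catch (err) {
    result.reasons.push("not a valid URL");
    return result;
  }
  result.host = url.hostname.toLowerCase();
  // Tip 1: the hostname (not the path, not the page title) must belong to the real site.
  if (!trusted.some((d) => isUnderDomain(result.host, d))) {
    result.reasons.push(`host "${result.host}" is not under ${trusted.join(" or ")}`);
  }
  // Tip 2: credentials should only travel over a secure connection.
  if (url.protocol !== "https:") {
    result.reasons.push(`insecure scheme "${url.protocol}"`);
  }
  result.ok = result.reasons.length === 0;
  return result;
}

// Constructed sample URLs: one legitimate-looking host under ebay.com, one lookalike
// host of the kind the post warns about, and one that drops the secure connection.
const SAMPLES = [
  "https://signin.ebay.com/login",
  "https://signin.ebay.com.lookalike-example.test/login",
  "http://signin.ebay.com/login",
];
for (const u of SAMPLES) {
  const r = checkLoginUrl(u, "ebay");
  console.log(r.ok ? "OK  " : "WARN", u, r.reasons.join("; "));
}
```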


References:
Better Business Bureau (24 October 2014). Fake eBay listings steal users' passwords. Scam Alert email.
Cook, J. (27 September 2014). Hackers target eBay users with fake iPhone listings. Business Insider U.K. Retrieved from http://uk.businessinsider.com/hackers-target-ebay-users-with-fake-iphone-listings-2014-9?r=US
McCarthy, J. (18 September 2014). Fake eBay listings redirecting users to spoof account-stealing phishing pages. The Drum. Retrieved from http://www.thedrum.com/news/2014/09/18/fake-ebay-listings-redirecting-users-spoof-account-stealing-phishing-pages

February 15, 2015

Scam U: Checking Scam, got an app for that

Remember the standard check cashing scam? If not, here is a recap for you. It starts with a scammer sending you a fake check for winnings or an overpayment. The scammer instructs you to deposit the check and wire some of the money (the overpayment, or fees to process the "winnings") to a separate account, usually an overseas one. The fake checks often look so real that bank tellers cannot tell whether they are genuine. Look at our image below. Would you be able to tell if it was the real deal or a crummy fake?

[Image: sample check for a fictional bank in Canada. How would you be able to tell if it was real or not? (Photo credit: Wikipedia)]

Unfortunately, by the time the bank realizes the check is a forgery, the scammers made off with the additional money and the victim is on the hook for it. Bummer!

Scammers are putting a modernized twist on this scam by targeting your smartphone banking apps. They con account holders into sharing their banking information and then use the bank's mobile app to deposit fake checks into the victim's account. Typically, scammers approach the victim offering to pay several hundred dollars (sometimes even more) if they will cash a check for them. If a stranger makes you this offer, bells and whistles should immediately be going off in your head. Some scammers even pose as potential employers or lenders who need access to the victim's account to deposit money. Sadly, in this difficult economy, people are desperate enough to believe it. The scammers withdraw the money before the bank discovers the checks are fraudulent, leaving the victim on the hook for the illicit funds.

Don't fall prey to this tactic or any other version of it.
  • Don't cash strange checks. If a stranger is offering you money to cash a check on their behalf, it is probably illegal. Think about it, why would they pay you to do it, when they can open a bank account for free or get somebody they already know to do it?
  • Do not give out your banking app information. This should go without saying. However, the Better Business Bureau wouldn't have sent out warnings about this scam if people followed this rule. 
  • Do not accept overpayments. Only accept exact payment. If they keep trying to talk you into accepting the overpayment and sending the extra to a different location, walk away from the deal.
  • Make sure the check clears before withdrawing. If you are going to cash strange checks despite my previous advice, make sure the check clears before spending any of the money. This may take anywhere from one to two weeks. In the meantime, the con artist will keep hounding you for the money.
  • Remember the saying, if it is too good to be true, it probably is. Nobody will give you something for nothing, and you should exercise caution when somebody offers.


References:
Better Business Bureau (5 December 2014). Check cashing scam gets a high tech twist. Scam Alert! email.

Federal Trade Commission (n.d.) Consumer information: Fake checks. Retrieved from http://www.consumer.ftc.gov/articles/0159-fake-checks  

February 1, 2015

No time security newsletter

Extra! Extra! Read all about it!

Security newsletters can be a great tool if done right; however, they can be a bit time consuming. Who really has time to be an author, editor, and publisher in addition to the regular 9 to 5 job duties? Not a whole lot of people, at least nobody I know. After a while, it becomes difficult to keep coming up with fresh, relevant material. Trust me, I speak from experience on this one. After the first couple of editions, you begin to struggle with and dread putting together a newsletter. Maybe that's why the majority of them fall by the wayside after so many editions?

This is why I am excited about Paper.li. If set up properly, you have a self-generating e-newsletter that requires little maintenance, so your program can easily reap the benefits while you focus most of your time on other things. As Paper.li states on its Learn More page, it "is the easiest way to collect, publish and share content on the web." (2014)

From their site:
The platform. Unparalleled power.
The key to a great newspaper is a great newsroom. The Paper.li platform gives you access to an ever-expanding universe of articles, blog posts, and rich media content. Paper.li automatically processes more than 250 million social media posts per day, extracting & analyzing over 25 million articles. Only Paper.li lets you tap into this powerful media flow to find exactly what you need, and publish it easily on your own online newspaper.
That sounds like a lot of power. Within 30 minutes, I registered for an account, set up my paper, and published my first edition. Needless to say, I was impressed. They also have multiple posts, videos, and customer service to help you out if you get stuck.

Great features:
  • Automatically pulls from selected sources. You can select up to 25 sources which can be RSS feeds, social media accounts, or hashtags.
  • Apply filters on sources. You can further refine what stories to feature in the different sections.
  • Provides clean layout.
  • Uses click and drag to reorganize stories.
  • Archives previous editions.
  • Embed newsletter widget onto your site. This could be a great feature on a security website.
  • Set up a publishing schedule. You can set it up to auto-generate a new edition twice daily, daily, or weekly.
Plus I'm only talking about the free edition. If you opt for the paid Pro version you get even more control to customize.

By the sound of this post you would think that I'm doing a paid write up, but I'm not. I'm just that big of a fan. Currently I'm only playing around with the free version and am fairly impressed. Go ahead and leverage technology to increase security and threat awareness.

Not sure which content sources to choose? You can start off with some of the content sources I opted for:
  • Brian Krebs @briankrebs
  • Securing the Human @SecureTheHuman
  • State Department travel warning/alert RSS feeds
  • BBB Consumer News and Opinion Blog RSS feed
  • Tweets mentioning "espionage" and "terrorism"
Of course you can always opt to use our free security newsletter on Paper.li instead if you want an absolutely hassle free newsletter to use. :)

January 18, 2015

Scam U: Court Summons Scam


Don't fall for this classic bait and switch scam!

The court summons scam.

In September 2014, the Better Business Bureau (BBB) warned about scammers, posing as fake law firms, emailing out convincing notices claiming the recipient is involved in a lawsuit and is being summoned to appear at an upcoming court hearing. The email bears a law firm's logo and contains an attached "court notice." Details within the email are vague on specifics such as the location, date, parties involved, and reason. If you want that information, the email urges you to open the attached bogus court document, which silently runs an "exe" file in the background to install malware onto your computer. It is a classic phishing scam that uses fear tactics to entice the victim into clicking on the attachment.

Back in December 2013, criminals used a similar ploy to spread malware. It was so successful that many US courts, like the Maryland court system, issued public notifications warning people of this ruse. The following was taken from the Administrative Office of the U.S. Courts. (2014)
"According to the Security Operations Center of the Administrative Office of the U.S. Courts, the emails are instructing recipients to report to a hearing on a specified day and time. The emails also instruct recipients to review an attached document for detailed case information... Several state courts have reported similar schemes, and also are warning the public about potential viruses."
This scam also made the rounds throughout the United Kingdom, infecting unsuspecting victims' computers.

How to keep yourself safe? 
Here are some easy to follow tips.
  • Be leery of any "official" notification through emails. Most government agencies do not operate that way, let alone the US Court system. As the BBB mentioned, "unless you are involved in a case and have opted into receiving email communications, courts normally communicate through mail." (2014)
  • Don't fall for pressure tactics. Ignore the immediate calls to action within the email. Scammers often use such language to create a sense of urgency and scare the victim into acting before thinking. You have time to research and think things through before clicking on links and attachments.
  • Delete. Ideally, you should automatically delete unexpected notices such as these. Please do not click on any attachments or links without verifying the sender. You may end up with regrets later.
  • Call. If you are concerned whether you really need to appear in court, call the court system or attorney's office to verify. Do NOT use the number within the email as you will likely reach the con artist who will use further scare tactics. Do your independent research to find the official phone number to call. You can also use the US Court locator to help with your search.


References:
Administrative Office of the U.S. Courts (13 January 2014). Public alert: Scam emails about phony court cases carry computer virus. Retrieved from http://news.uscourts.gov/public-alert-scam-emails-about-phony-court-cases-carry-computer-virus
Better Business Bureau (5 September 2014). You're due in court! Classic email scam is back. Scam Alert email.
Kristof, K. (8 September 2014). Beware the court-summons scam. CBS News Money Watch. Retrieved from http://www.cbsnews.com/news/beware-court-summons-scam 
Ragan, S. (25 June 2014). Court summons scam makes a comeback. CSO online. Retrieved from http://www.csoonline.com/article/2367527/data-protection/court-summons-scam-makes-a-comeback.html 
Patterson, E. (5 September 2014). Court summons scam emails carry malware. Better Business Bureau. Retrieved from http://www.bbb.org/blog/2014/09/court-summons-scam-emails-carry-malware/ 

January 3, 2015

Consumer Lawsuit Against Target to Proceed

Remember the major retailer, Target's data breach back in December 2013 that exposed approximately 40 million payment cards and personal details for 70 million customers?

Well, it continues to be in the headlines even a year after the major breach, and it does not appear to be leaving any time soon.

Recently, U.S. district court judge Paul Magnuson denied Target's motion to dismiss the class action lawsuit filed on behalf of impacted customers. In the lawsuit, the plaintiffs allege Target committed negligence, violated various state consumer laws and data breach statutes, breached an implied contract, and breached REDcard account agreements. The lawsuit contains several pages listing the damages customers dealt with as a result of the data breach. Damages include unlawful credit/debit card charges, restricted or blocked access to bank accounts, inability to pay other bills, late payment charges, and new card fees. The plaintiffs are seeking unspecified damages and compensation for breach-related expenses.

The decision came only weeks after the same judge ruled that the class action lawsuit filed on behalf of several banking institutions could move forward. The banks are seeking compensation for breach-related expenses to include fraud costs and reissuing payment cards. Target argued the banks did not have a case since a third-party firm handles their credit and debit card payments. Unfortunately for Target, the judge presiding over the case did not see it that way. According to Judge Magnuson in a December 2, 2014 memorandum, "Target played a key role in allowing the [breach] to occur."

After the 2013 data breach was made public, various lawsuits were filed against Target. The courts consolidated all the federal cases into two lawsuits, one involving financial institutions and another involving consumers. Both appear to be progressing.

It appears Target will spend a good bit of 2015 battling it out in court, which will entail major legal expenses. When you combine this with previous breach-related costs, this data breach will probably cost Target more than the hackers earned. If there is a lesson businesses can take away from this incident, it is that merchants will be taken to court for neglecting to address proper security in their networks and point-of-sale terminals. It is time to actually get serious about implementing an effective security program. As the old adage goes, an ounce of prevention is worth a pound of cure. I know I have stated that in previous posts, but it bears repeating. Based upon a recent Retailing Today article, it thankfully appears major retailers are heeding this cautionary tale as retail cyber security becomes a top CEO priority.

References:
Acosta, G. (3 December 2014). Target data breach lawsuit to go forward. Retailing Today. Retrieved from http://www.retailingtoday.com/article/target-data-breach-lawsuits-go-forward?ad=target 

Dahlhoff, D. (12 December 2014). Retail cyber security a CEO priority. Retailing Today. Retrieved from http://www.retailingtoday.com/article/retail-cyber-security-ceo-priority

Roman, J. (3 December 2014). Target breach suit won't be dismissed: Judge rules banks can move forward with case.  Data Breach. Retrieved from http://www.databreachtoday.com/target-breach-suit-wont-be-dismissed-a-7635?

Roman, J. (22 December 2014). Target breach consumer lawsuit to proceed. Gov Info Security. Retrieved from http://www.govinfosecurity.com/target-breach-consumer-lawsuit-to-proceed-a-7709