Other Interesting Stories...
Online Retailer Cyber Security Tips from Inc. Magazine
If you are running a business that does business online with customers, this set of key recommendations is important for you to follow. Read More...
About 30% of companies do not have a mobile device security solution in place
According to a recent Ponemon/Raytheon study, mobile security budgets are not keeping up with the explosive growth of mobile device usage within businesses.
Read More...
Security Awareness Training Solutions to meet your organization's needs for compliance or risk reduction.
Whether you need customized webinars, live workshops, audio, videos, instructional CBT content or auditable quiz results, Security Perspectives Inc.'s Streetwise Security Awareness Training programs can help you deploy a solution. You can go from requirements, to pilot to full roll-out within weeks.
Learn about Streetwise Security Awareness Training
We are now entering the holiday shopping season, which always brings out the bad guys in a big way. With so many people eager to get their shopping done, spreading good cheer and generally being social, there are a lot of attackers licking their chops and looking for ways to steal some valuable information.
So, please be careful in the coming month, and take extra care when shopping or responding to great deals that present themselves to you.
See the list of topics on the left for a quick view of this issue's stories and content.
If you're not already a subscriber, and would like to sign up, please click HERE. You'll automatically receive a free copy of my Security Resource Guide that has links and source info for the tools I use on a daily basis.
Cheers,
Scott Wright
Tech Support Scammers finally get shut down by the Federal Trade Commission
What is a Tech Support Scammer?
You've probably heard of them, and may even have received a call from them. Somebody claiming to be from a technical support organization (often Microsoft or an antivirus company, or even the Tech Support department of the individual's employer) calls an innocent individual in a household or business and tells them that errors have been detected on their computer.
To "prove" that they are legitimate, they ask the individual to perform a quick check by opening the Windows Event Viewer utility. The logs on any computer show numerous harmless errors and warnings. The scammer knows this, but the individual often doesn't. Once the scammer has convinced the individual that there are real problems with the computer, and that the caller can fix them, the individual can be talked into downloading and running software provided by the caller. This is often a remote-control tool, or a program that performs a fake scan, and it may also infect the computer with malware. The objective is to get the victim to pay for the software, or for the support call, in some way. There are many variations on this con game.
What happened?
The Federal Trade Commission (FTC) has identified and shut down a number of these scammers, located in Florida, in the last month. So far, the authorities have obtained a restraining order to shut down the operations and freeze their assets. Hopefully, they will be able to recover some of the ill-gotten funds and reimburse some of the victims.
How to avoid these scammers
Virtually no legitimate organization will call you out of the blue to tell you that your computer has errors that need to be fixed. Ask for the name of the organization and say you'll call them back, but don't call back on a number the caller gives you; if you want to check, look up the organization's published support number yourself. Then report the call to somebody you trust, such as the police or the Better Business Bureau.
If you receive a call like this at work, don't fall for it, no matter how convincing the caller is. Stall the caller, if possible, and immediately contact your organization's internal technical support (preferably on another phone, while still on the line with the caller). They may be able to trace the caller, or gather some information that can be used to report the incident to authorities.
There's not much that can be done to prevent people from starting these kinds of scams, although it should become easier to uncover them and shut them down in future. So, stay alert and tell your friends not to fall for these kinds of phoney tech support calls.
Terminology - "Ransomware"
Ransomware is a form of online extortion that often begins with a pop-up window displayed by a malicious or infected website, or with an email attachment. The visitor is tricked into installing malicious software on their computer.
Once installed, the software typically encrypts (scrambles) important files or documents - or even the entire disk drive - and then tells the computer's user that they must pay to regain access to their files. These days, the ransom is often demanded in Bitcoin, which is hard to trace back to a person (Bitcoin transactions are public, but the wallets are not tied to a verified identity). It may cost between $49 and $500 to regain access to your data, and paying does not guarantee that you get it back. Even if you do, you should wipe and reinstall the computer to be sure the malware is completely gone. The most reliable defence is a regular backup that is kept offline, so the malware cannot encrypt it too.
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
Scott's Recent Blog Posts
Here's a recent extract from my Security Views blog...
Not long ago, I remember noticing that when I did a search on Twitter, I could only see tweets going back a couple of weeks. At times, this was frustrating, especially when I knew there was something posted a little while before that arbitrary cut-off that I wanted to retrieve again. This "aging and expiring" of content was the original intent of Twitter's designers. In a way, it may have been a little bit comforting to know that whatever things you may have tweeted a year or so ago about your ex-spouse or even your favorite music artist, is long-lost in the dust of a trillion other tweets...
Not so fast!... I hate to break it to you, but probably without most of us realizing it, Twitter has made it extremely easy to do detailed searches back to the Big Tweet (the first tweet, ever). So, everything you've ever tweeted can now be retrieved... by anyone. Just think about it for a minute.
Social Media Security
The Social Media Security Podcast - Episode 38
This episode, recorded on October 21, 2014, covers the following topics:
- An enterprise level story about how hard it is to block specific sites, and what can be done about it
- Twitter's former security head condemns Whisper's privacy flaws
- Twitter sues the US Government over national security data
- Twitter quickly withholds tweets for Turkey's 'national security'
- Twitter 'news' spreads faster than Ebola
- Snapchat third party service hacked
- Facebook Fake Likes Exposed
You can listen to this episode (and past ones) online by clicking HERE. Or you can subscribe to the podcast series on iTunes by clicking HERE.
A Cyber Security Challenge Question
When would it be appropriate for you to share your network password with another person at work?
a) When a system administrator asks you for it
b) Never
c) When you don't want to forget it
d) When you want a co-worker to check your email
Answer:
See the bottom of this newsletter for the answer. (or click HERE)
Streetwise Security Tip - Regularly check the privacy settings for your accounts on social networks like Facebook and LinkedIn.
 Social networks like Facebook and LinkedIn have a bad habit of changing their privacy policies and default privacy settings without you noticing. They may even be kind enough to send you a courtesy email, or even display a banner at the top of their home page, saying, "We've changed our privacy policies. Please take a moment to review them, and acknowledge them."
It's your responsibility to know what will happen to the information you post and share on any website. So, please do take some time once in a while to check out the privacy settings on any sites that have them.
Tom Eston has published a Facebook Privacy and Security Guide that tells you what each setting does and recommends settings that provide a good balance of sharing with friends and protection against unexpected disclosure of your information to people you don't know.
But always remember that what you post could become public at some point, through malicious attacks, accidental mishandling, or a change in policies by the website owners. I always say, "Don't post anything you wouldn't want your boss or your mother to see, even if it's only being shared with a limited number of people."
A short whaling story
 A senior IT manager recently explained to me how his organization was targeted in a very well-crafted spear-phishing attack. The company's VP of Finance received an email that appeared to be from the CFO, asking for a payment to be made to an external entity.
The message had very good grammar and looked official. The only clue that tipped off the VP of Finance that it might be a fake was the way the CFO signed off. He used a variation of his name that was not the way he would normally sign a message.
Because of this small anomaly, the VP decided to double-check with the CFO and found that he had not sent the message. He then reported the incident to his security team.
As I pointed out in last month's issue of SSN, this type of targeted attack on an executive is sometimes called a Whaling attack - rather than phishing or spear-phishing. The name reflects the fact that the size of the catch can be much bigger when the attacker is able to trick an executive, who has more signing authority, and sometimes deals with more valuable information than the average employee.
So, make sure your executive team is vigilant when it comes to messages from co-workers requesting significant actions or information.
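The sign-off anomaly in this story is exactly the kind of signal an automated check can look for before a message reaches an executive. The following Python script is an added example, not something the newsletter or the company in the story used; the corporate domain example.com, the executive directory, the payment keywords and the two sample messages are all constructed for illustration. It flags the common whaling tells: an executive's display name on a non-corporate address, a look-alike domain, a Reply-To that differs from From, a sign-off that doesn't match the executive's usual one, and payment language in the body.

```python
"""Added example: header and sign-off checks for executive-impersonation mail.

Not part of the newsletter. The domain, executive directory, keyword list
and the two sample messages below are all constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain and executive directory (constructed).
CORP_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": {"address": "jane.doe@example.com", "signoff": "jane"},
}
# Words that usually appear in a payment request (constructed list).
PAYMENT_WORDS = ("wire", "payment", "transfer", "invoice", "urgent")


def edit_distance(a, b):
    """Levenshtein distance; used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def whaling_indicators(raw_message):
    """Return the list of reasons a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    reasons = []

    # 1. Executive's display name on an address that is not theirs.
    exec_entry = EXECUTIVES.get(name.strip().lower())
    if exec_entry and addr != exec_entry["address"]:
        reasons.append("display name is an executive but address is %s" % addr)

    # 2. Sender domain is one or two edits away from the real one.
    if domain != CORP_DOMAIN and 0 < edit_distance(domain, CORP_DOMAIN) <= 2:
        reasons.append("look-alike domain %s" % domain)

    # 3. Replies are routed somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append("Reply-To %s differs from From" % reply_to)

    # 4. Sign-off (last non-blank line) differs from the executive's usual one.
    body = msg.get_payload()
    if not isinstance(body, str):  # multipart messages are out of scope here
        body = ""
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    closing = lines[-1].lower() if lines else ""
    if exec_entry and closing and closing != exec_entry["signoff"]:
        reasons.append("sign-off '%s' differs from usual '%s'"
                       % (lines[-1], exec_entry["signoff"]))

    # 5. The message asks for money.
    if any(word in body.lower() for word in PAYMENT_WORDS):
        reasons.append("body requests a payment")
    return reasons


# Constructed sample messages: one spoof, one genuine.
SPOOFED_MESSAGE = """From: Jane Doe <jane.doe@examp1e.com>
To: vp.finance@example.com
Reply-To: accounts@mail-relay.example
Subject: Urgent payment

Please wire the invoice amount to the new vendor account today.
Thanks,
J. Doe
"""

LEGIT_MESSAGE = """From: Jane Doe <jane.doe@example.com>
To: vp.finance@example.com
Subject: Lunch

Are you free Thursday?
Jane
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, whaling_indicators(raw) or ["no indicators"])
```

Run it as a script to see the reasons printed for each sample. In practice the directory would come from HR or the address book, and a flagged message would be held or tagged with a warning banner rather than blocked outright, because some of these checks (the sign-off in particular) will produce false positives.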
Answer to the Cyber Security Challenge Question (from above)
Question - When would it be appropriate for you to share your network password with another person at work?
Answer: (b) Never. There is never a good reason to share your password for a network account at work. Even system administrators should not need to have access to your password. They can usually help you reset your password with a temporary password, but you should be forced to immediately change it the next time you log in - so the administrator will no longer know it. For email, you can use a delegation feature to let others read and send email on your behalf - maintaining individual accountability without anyone else knowing your password.
If you found this newsletter to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note. In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of.
Sincerely,
Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.