Other Interesting Stories...
What are the most abused Android device permissions?
Trend Micro has a nice summary of what Android permissions malicious apps are exploiting, and what the risks are.
Beware of "Dark Hotel" while travelling.
Check out this great story on how attackers lurk on hotel wi-fi networks, waiting for you to log in with your last name and room number.
Tailored Security Awareness Assessment and Training Solutions to meet your organization's needs for compliance or risk reduction.
Whether you need customized webinars, live workshops, audio, videos or instructional CBT content, Security Perspectives Inc.'s Streetwise Security Awareness Tailored Assessment and Training programs can help you deploy a solution quickly and economically. You can go from requirements, to pilot to full roll-out within weeks. We also have quiz modules and games that can provide self- assessment or auditable records for compliance.
Learn about Streetwise Security Awareness Training
Another year has ended, and information security is slowly, but surely, occupying more of the average person's thoughts. More security breaches in the news, with increasingly severe consequences, are causing all of us to reconsider our own vulnerabilities.
From a personal point of view, you should be considering the potential risks of everything you do online. From a business point of view, there's an increasing need to have good policies, maintain compliance and assess real risks to business from inadequate information security.
For 2015, why not take a few moments to think about how you can avoid becoming a victim, or the next big security story in the news? Please send me your questions and comments.
See the list of topics on the left for a quick view of this issue's stories and content.
If you're not already a subscriber, and would like to sign up, please click HERE. You'll automatically receive a free copy of my Security Resource Guide that has links and source info for the tools I use on a daily basis.
Cheers,
Scott Wright
Why the 2014 Sony Pictures hack has so many lessons for all of us
The devastating hack launched on Sony Pictures Entertainment (SPE) in November 2014 is mind-boggling in so many ways. The company's pockets were virtually turned inside-out, with attackers claiming to have stolen over 12 Terabytes of corporate information. It's a sensational story. But we should be using this example as a case study in "how not to secure your business and personal information". The amount and scope of the information stolen points to a number of areas of information security on which we should all reflect, whether or not the reports are completely accurate.
Lesson #1 - Businesses should create secure zones within their networks to prevent attackers from roaming freely if they do manage to break in. Think of how a submarine has many watertight compartments: if the hull is breached, the rest of the vessel can be sealed off to prevent water from filling it. The SPE network appears to have been easily explored by the attackers, but business networks can and should be segmented with security firewalls to prevent this.
Lesson #2 - Employees should think about what they commit to writing in emails and other business documents. In the event that documents get leaked, any inflammatory comments or opinions can cause damage to the reputation of the business, as well as the individuals involved. A number of SPE executives' email folders have been made public, with comments about actors and other business partners that will surely hurt future prospects for building trusting relationships. When you write an email - especially one that involves your emotions and your opinions of others - think to yourself, "What could happen if this email ever became public?"
Lesson #3 - Having an official Records Management program within a business can mitigate risks of many old - yet still sensitive - pieces of information being impacted by a security breach. This includes personal emails, which are typically categorized as "transitory" or not relevant to business operations, and should be erased as a routine business practice after a few months. A formalized Records Management program could have automatically purged much of this information, and may have avoided numerous business and personal exposures in the SPE incident, such as passports, drivers' licenses and even personal emails with payment account details for jewelry.
There are many other lessons that I'm sure can, and will, emerge over the next year, as we learn more about what happened in the Sony Pictures hack. So, I recommend that you read what you can about the attack - but please try to refrain from trying to view the actual leaked information. It wasn't meant for you to see. Kaspersky, a well-known computer security company, has a good description of what happened, as of December 11, 2014. But I'm sure more details will come out over the next several months.
Terminology - "Pretexting"
Pretexting:
A realistic situation created by a social engineering attacker that seems plausible and allows the victim to feel comfortable that there is no risk. For example, the old telephone-repairman imposter trick has been used many times: an attacker wears a uniform with a logo and carries a toolbox and ID. Everything looks official, and who would bother going to so much trouble?
Not only will attackers make themselves look like somebody you'd trust, they will do a lot of research to know the terminology of their fake trade, and even something about your organization, so they sound credible. They will often rehearse many possible courses of discussion, so they are relaxed and have an answer for basic questions, should you ask. To create a successful pretexting situation, they will do as much as they can to make themselves look real.
Other pretexting situations used in attacks and scams include:
- An adult who has lost a puppy in a park (for child abductors)
- A relative of a foreign aristocrat (for email fraud scams)
- A Microsoft or corporate IT tech support technician (for phone fraud scams)
- An IT administrator requesting you to change passwords (for email phishing attacks)
- An oil-rig worker buying a car for his wife (for classified ad email fraud scams)
What are the most interesting pretexting situations you've seen?
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
Scott's Recent Blog Posts
Here's a recent extract from my Security Views blog...
I've never been a big fan of the hype stories at the end of each year about security or privacy predictions for the coming year. But this past year had a lot of security news, and a lot of breaches. So, in this case, I think it's a good idea to reflect a bit, and see what might be coming down the road. Adam Levin of Credit.com, whose article was posted on the ABC News website, makes some important observations.
Here are my thoughts on his thoughts...
Social Media Security
The Social Media Security Podcast - Episode 39
This episode, recorded on December 12, 2014, covers the following topics:
- SnapCash - a new payment service from SnapChat and Square. Is it secure?
- YikYak - a new anonymous chat app for people close by. How anonymous is it?
- Twitter and Facebook privacy news
- LinkedIn security and privacy tips
You can listen to this episode (and past ones) online by clicking HERE. Or you can subscribe to the podcast series on iTunes by clicking HERE.
Pinterest Pic of the Month
Remember. You're not the customer, you're the product!
A Cyber Security Challenge Question
What kind of attack can be thwarted by double checking the identity of a person asking for information or access to sensitive areas?
a) Password sniffing attack
b) Brute force attack
c) Drive-by download attack
d) Pretexting or social engineering attack
Answer:
See the bottom of this newsletter for the answer.
Streetwise Security Tip - Don't use your normal work email address in online forums
One of the easiest ways for attackers to set up a credible "pretexting" or "social engineering" situation for attacking you or your associates is to find a person who is active in a discussion forum AND who also provides their work email address. Not only does it give them a reliable place to send a phishing message, but it also tells them the general format of your organization's email addresses. So, if they want to target any other employees, they can easily guess their email addresses. Email addresses aren't exactly secret, as they appear on business cards, but they do have significant value to social engineering attackers, so there's no need to make their jobs easier.
If you need to post on a forum, it's best to use a nondescript "free" email account like Yahoo or Gmail, and do not provide information on what organization you work for. You should also ask your IT department what they recommend when using forums for business purposes.
Note: Some people use the trick of spelling out the "at", "dot" and "com" in their email addresses to thwart spam bots that scan for email addresses (as in the image above). This may or may not work against some spam bots, and it is definitely not recommended as a way of thwarting pretexting attacks. Anyone doing research can figure out your real email address from this kind of trick.
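To illustrate the note above, here is an added Python example (not from the newsletter) in the spirit of an awareness check an IT or security team might run over its own staff's public posts: it finds addresses in a few constructed forum posts, including ones written with "at" and "dot" spelled out, and normalizes them back to their plain form so the exposure can be flagged. The organization domain example.com, the sample posts and the short list of top-level domains are all constructed assumptions, and the matching is a heuristic for common spellings rather than an exhaustive one.

```python
"""Added example (not from the newsletter): find work email addresses in
public forum posts, including ones with "at" and "dot" spelled out.

Everything below is constructed for illustration: the posts, the
organisation domain and the short list of top-level domains.
"""
import re

# Constructed sample forum posts. Post 1 uses a plain address, posts 2 and 3
# use the spelled-out trick the newsletter describes, post 4 uses a free
# account as the tip recommends, and post 5 gives nothing away.
SAMPLE_POSTS = [
    "Great thread! Reach me at jsmith@example.com for the spreadsheet.",
    "You can contact me at mary dot jones at example dot com",
    "mail: bob [at] example [dot] com if you want the slides",
    "I use a free account for forums: someone@gmail.com",
    "No contact details here.",
]

# Assumed organisation domain whose exposure we want to flag.
WORK_DOMAIN = "example.com"

# Building blocks for the heuristic matcher. "at" and "dot" are accepted as
# the literal symbol, in square brackets or parentheses, or as a bare word
# surrounded by whitespace. The bare-word forms only count when they sit
# between address-like tokens, so the preposition in "Reach me at ..." is
# not taken as a separator on its own.
_LABEL = r"[A-Za-z0-9_-]+"
_AT = r"(?:@|\s*(?:\[\s*at\s*\]|\(\s*at\s*\))\s*|\s+at\s+)"
_DOT = r"(?:\.|\s*(?:\[\s*dot\s*\]|\(\s*dot\s*\))\s*|\s+dot\s+)"
# Requiring a known top-level domain at the end is what stops "me at mary
# dot jones" from being read as an address. Short, constructed list.
_TLD = r"(?:com|net|org|edu|gov|io|ca)\b"

ADDRESS_RE = re.compile(
    rf"\b({_LABEL}(?:{_DOT}{_LABEL})*){_AT}({_LABEL}(?:{_DOT}{_LABEL})*{_DOT}{_TLD})",
    re.IGNORECASE,
)
_DOT_RE = re.compile(_DOT, re.IGNORECASE)


def normalize_addresses(text):
    """Return every address found in text, rewritten as plain local@domain."""
    found = []
    for match in ADDRESS_RE.finditer(text):
        local = _DOT_RE.sub(".", match.group(1))
        domain = _DOT_RE.sub(".", match.group(2))
        found.append(f"{local}@{domain}".lower())
    return found


def find_work_addresses(posts, work_domain):
    """Return (post index, address) pairs for addresses at the work domain."""
    suffix = "@" + work_domain.lower()
    hits = []
    for index, post in enumerate(posts):
        for address in normalize_addresses(post):
            if address.endswith(suffix):
                hits.append((index, address))
    return hits


if __name__ == "__main__":
    for index, address in find_work_addresses(SAMPLE_POSTS, WORK_DOMAIN):
        print(f"post {index}: work address exposed as {address}")
```

Running it flags posts 1 to 3 and leaves the free-account post alone, which is the tip's point in miniature: spelling out "at" and "dot" changes nothing about what a patient reader, or a few lines of pattern matching, can recover.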
A Hacking Story - The Onion Gets Phished
In May of 2013, writers for the online parody news site, The Onion, received an email message from a Washington Post newspaper employee, asking them to review an article. When they viewed the message, most of the recipients for The Onion recognized the suspicious nature of the sender's email address, and they didn't click on the link to the article.
However, at least one recipient did click on the link, which took the reader to what appeared to be a Google login page that asked them to log in with their Google user ID and password. Despite the suspicious email address and the unexpected Google login page, one recipient did enter their Google user ID and password.
As soon as the Google user ID and password were entered, the attacker had what they wanted. They were then able to log in to the recipient's Google account and send similar messages to the recipient's coworkers. What do you think happened next?
The recipients of the message from the Google account - many of them were probably co-workers - tended to trust the sender, and more of them clicked on the link. This accelerated the attack. One of the accounts that became compromised happened to belong to the person who administered The Onion's social media accounts like Twitter. The attackers posted malicious updates on The Onion's Twitter account, causing corporate embarrassment and likely some backlash from their followers.
Once the IT group for The Onion discovered the incident, they sent out a request to all employees to reset their passwords. Because the attackers already had visibility into a number of employee corporate accounts, they saw the notice asking people to reset their passwords. So, they sent out a quick follow-up message with a link to "help" people reset their passwords. This caused more accounts to be compromised. The IT group then had to force a password reset on every employee's account.
The lesson here is that it only takes one employee being victimized in a phishing attack to cause a major enterprise security incident. People need to think twice before clicking on links, and should also stop to think about whether or not a message makes sense to act on.
[Pitch from Scott: This can be a difficult message to get across in a "one-size-fits-all" bulletin or training module. Often the best way to address this kind of risk is with focused workshops for employee teams, where they can discuss the kinds of situations to watch out for. Let me know if this is something your organization needs.]
By the way, any outside accounts used on behalf of the organization should not be ignored when it comes to password and acceptable use policies.
Answer to the Cyber Security Challenge Question (from above)
Question - What kind of attack can be thwarted by double checking the identity of a person asking for information or access to sensitive areas?
Answer: (d) Pretexting or Social Engineering attack. In a pretexting or social engineering attack, the attacker goes to a lot of trouble to make themselves look and sound convincing. They may learn a lot about the target victim, their work terminology, and even their personal preferences. Asking for more details on their identity, or checking with authorities to see if they are who they say they are, can make this kind of attack more difficult. Try to be helpful, as much as possible, but don't break policies to help people, especially without doing appropriate checks.
If you found this newsletter to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note. In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of.
Sincerely,
Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.