"Practical Security Stories to be Shared With Others"
from Scott Wright - The Streetwise Security Coach 
Issue #5, January 2015  
Quick Topic Links
If you had a really bad password, wouldn't you tell Jimmy Kimmel?
Terminology: Zero Day Vulnerabilities
Three ways to make security awareness training more engaging and effective
Cyber Security Challenge Question
Streetwise Security Tip: When choosing passwords and security questions, spell words and names incorrectly
Other Interesting Stories...
Something doesn't add up. Are companies adequately securing their networks or not?
Cisco's 2015 Annual Security Report shows that while most Chief Information Security Officers feel their security processes are optimized, the study also found that fewer than half of the respondents said they use standard tools such as patching and configuration programs to prevent breaches. (The report requires a form to be completed to access it.)
Read More...

This kind of thing makes me trust ALL mobile apps a little less...  
It's more than a little unsettling when a major hotel chain like Marriott releases an app that makes it this easy for a hacker to manage customer reservations and access personal information.  I'm a little afraid that this may not be an isolated case of not enough security review being done on mobile apps. 
Read More...
Tailored Security Awareness Assessment and Training Solutions to meet your organization's needs for compliance or risk reduction.

Whether you need customized webinars, live workshops, audio, videos or instructional CBT content, Security Perspectives Inc.'s Streetwise Security Awareness Tailored Assessment and Training programs can help you deploy a solution quickly and economically. You can go from requirements, to pilot to full roll-out within weeks. We also have quiz modules and games that can provide self-assessment or auditable records for compliance.

Learn about Streetwise Security Awareness Training

Security educators and entrepreneurs...
I've got ideas and plans for creating new security assessment and education products for businesses and individuals. If you'd like to collaborate and get more things done faster, please contact me. We may be able to work together.
- Scott


Greetings!

To begin 2015, we have a scattering of stories, but nothing really earth-shattering (unless you think it's really big news that most people don't use good passwords, and some will tell anyone who asks what they are). The year is young, but I've tried to dig up some interesting articles for you.

I'd love to devote more articles to security success stories, but I just don't see that many. While the number of incidents is clearly increasing, I know that there are a lot of people who make good security decisions every day. These stories are what I'm looking for. If you know of any cases where somebody did the right thing and prevented or limited damage or losses, please let me know. I'd love to tell others about it.

See the list of topics on the left for a quick view of this issue's stories and content.

If you're not already a subscriber, and would like to sign up, please click HERE. You'll automatically receive a free copy of my Security Resource Guide that has links and source info for the tools I use on a daily basis.



Cheers,
Scott Wright

If you had a really bad password, wouldn't you tell Jimmy Kimmel?
It just sounds too silly to be true. But it is. This past week, just for fun, Jimmy Kimmel sent a reporter onto the streets to ask people what their passwords were. Do you think anyone cooperated? Absolutely.

Not only did they cooperate, but if the answers people gave were truthful, these people had really bad passwords. Who knows how many people they had to ask before they found some who would divulge what their passwords were.

But it is pretty funny. One thing it does illustrate is that people don't think things through when they are asked something on the spot. This is a phenomenon that many social engineering attackers try to exploit.
 
Terminology - "Zero Day Vulnerabilities"
Zero Day Vulnerability:
A weakness in a product or system that was previously unknown to the vendor, and for which there is no current fix or patch. (The name comes from the vendor having had "zero days" to fix it.) A zero day stops being one once the vendor learns of it and ships a patch, but how long that takes depends on who discovers it. If an attacker finds one, they aren't likely to tell many people; in fact they may sell the information, and an exploit built on it stays useful until the vendor finds out and users actually apply the fix.

For example, security researchers, as well as hackers, will go to work when a new version of Microsoft Office comes out, to see if there are any weaknesses in it. There might be new features that weren't very well designed, from a security point of view. So, they can be "hacked". If the bad guys find it first, they are likely to find a way to "exploit" it to their advantage. Often, zero day vulnerabilities can open the door to letting an attacker take control of your computer.

So, we hope the ethical security researchers find them first, and notify the software company. But that doesn't always happen. So, while the bad guys get excited about zero day vulnerabilities, the good guys have to be very diligent in finding and fixing security holes in every version of software that gets published.
 
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
 
Scott's Recent Blog Posts

Here's a recent extract from my Security Views blog...

I was speaking this week at the local chapter of the Information Systems Security Association (here in Ottawa) on the topic of social engineering. The presentation was entitled: "Fool Me Once: How Attackers Use Social Engineering to Exploit Human Vulnerabilities".

As the talk progressed, I came to my main message: It's important to educate employees about this type of threat, among many other important security topics that employees need to understand.

At this point, one attendee commented that, while awareness is important, it seemed to him that most security awareness training programs are not very engaging, and as a result, do not seem to be very effective. It's sad, but I tend to agree. It's not that most awareness training presentations or online programs don't cover the right topics. The problem is really one of engagement. It's very hard to design a program that will effectively hold everyone's attention long enough to get the message across.


Based on my own experience in teaching live courses and also preparing online courses, here are my top 3 ways to make security awareness training programs more engaging and effective...

Social Media Security
New Facebook malware tags friends to propagate

This new piece of malware appears as an enticing video post on Facebook. When people click on it, the video apparently starts, then pauses and asks you to update your Adobe Flash Player.

If you click the link, as suggested, it installs malware on your computer that targets your Facebook friends and their networks of friends by creating a post and tagging your friends in it. Once your friends are tagged, their friends may see it in their feeds, and if they click, they may spread the malware further. Apparently, this particular trick of using tagging may have the effect of making the malware spread faster than normal because of the way tagging notifications propagate. (A legitimate Flash update never arrives as a prompt inside a video post; if you think you need one, go to Adobe's own site yourself.)

Threatpost.com explains a bit more of the technical detail behind this malware.

Due to unforeseen circumstances, we weren't able to record a Social Media Security Podcast episode in January. But we hope to get back on track next month.


Pinterest Pic of the Month
For heaven's sake, please at least attempt to read the file name to see if something you're about to download looks reasonable. Something like this, I'd say, does not look reasonable.

A Cyber Security Challenge Question
Facebook malware that tags your friends spreads quickly because:

a) Notifications for tags are usually sent to your "friends' friends"

b) It doesn't rely on a human action to infect a computer

c) People expect a reward for clicking on something that's been tagged

d) It employs larger links that are easier to click on


Answer:
See the bottom of this newsletter for the answer. (or click HERE)
Streetwise Security Tip - When choosing passwords and security questions, spell words and names incorrectly
Unless you have a mind like Mike Ross on the TV series  "Suits", you probably struggle to come up with good passwords that you can remember. One of the common security guidelines for choosing passwords is to "not use dictionary words or even recognizable names." Unfortunately, however, this can make it hard to remember your new password because you can't just choose words or names that mean something to you.

But one trick I've seen work pretty well for passwords, as well as security questions (the ones they ask you to remember when you register for an account, in case you forget your password), is to misspell a word or name intentionally. By this, I don't mean substituting a $ for the letter "s" or the number "0" for the letter "o", since attackers' cracking tools have rule sets that automatically try all of these "clever" substitutions against every word in their dictionaries. I mean a simple, intentional mistake, like leaving one vowel out of a word or doubling a consonant, such as "bokkeepper" (one "o" dropped, one "p" doubled) instead of "bookkeeper"; or repeating the second, third or fourth letter of a word, such as "Maarie" instead of "Marie".

Similarly, for security questions, the answer to the question, "What is your favorite pet's name?" could be: "Pnelope" (rather than Penelope).

There are also other variations on this strategy that can make it even stronger, such as adding (not substituting) a number or special character in the middle of a word (e.g. "Pn%elope"). Then, if you're forced (or decide) to change your password, you can simply shift the number or use a different one. Then all you have to remember is how you are changing that character.

If you use this approach consistently, without telling anyone, you can base your passwords on things you can remember while keeping them out of a plain dictionary attack. Even somebody who can guess the names or words you are likely to use will not know that you spelled them differently in your password. Bear in mind, though, that cracking tools apply mangling rules (substitutions, deletions and insertions) to each dictionary word, so a single one-character change makes the attacker work harder rather than stopping them outright; the longer the word and the less obvious the change, the more it helps.

Just remember to never tell anyone what your "bad spelling" strategy is, or even that you use intentional spelling errors. Of course, it's always better to base your incorrectly spelled words on things or people that nobody else would guess, in case they do find out your strategy. If they know it, they will probably start their attack by guessing variations on people and things they know are meaningful to you, like family members, pets and special dates.
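To see what a misspelling actually buys against a cracking tool, here is a small Python example added for this issue (it is not code from the newsletter, from hashcat or from any other cracking tool). It builds a toy word-mangling engine modelled on the kinds of rule hashcat's rule language supports (case changes, letter-for-symbol substitution, deleting the character at a position, inserting a character at a position), applies it to a constructed four-word list, checks which of the tip's example passwords each rule set reaches and how many guesses it costs, and finishes with the offline attack on a stolen salted hash that a dictionary attack is normally used for. The wordlist, the rule sets, the salt and the "stolen" SHA-256 hash are all constructed for the demo and are assumptions, not data from any real breach.

```python
"""Toy rule-based dictionary attack: what an intentional misspelling does,
and does not, buy against an attacker's word-mangling rules.

Added, constructed example.  The rule functions are stand-ins modelled on
hashcat-style rules (c/u case, s substitute, D delete, i insert); the
wordlist, salt and stored hash are made up for the demonstration.
"""
import functools
import hashlib
import itertools
import string

# Constructed wordlist: names and words an attacker might guess about a target.
WORDLIST = ["penelope", "marie", "bookkeeper", "fluffy"]

# The "clever" substitutions the tip warns about; every cracking rule set has these.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
SPECIALS = string.digits + "!@#$%^&*"


def case_variants(word):
    """lower / Capitalised / UPPER (hashcat ':', 'c', 'u')."""
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """Every combination of the LEET substitutions (chains of hashcat 's X Y')."""
    options = [(ch,) + tuple(LEET.get(ch.lower(), "")) for ch in word]
    return {"".join(p) for p in itertools.product(*options)}


def delete_variants(word):
    """Drop one character at each position (hashcat 'D N')."""
    return {word[:i] + word[i + 1:] for i in range(len(word))}


def insert_variants(word):
    """Insert one digit or special at each interior position (hashcat 'i N X')."""
    return {word[:i] + c + word[i:] for i in range(1, len(word)) for c in SPECIALS}


# Rules are composed left to right: each rule expands the previous rule's output.
RULESETS = {
    "case": [case_variants],
    "case+leet": [case_variants, leet_variants],
    "case+leet+delete": [case_variants, leet_variants, delete_variants],
    "case+leet+delete+insert": [case_variants, leet_variants, delete_variants, insert_variants],
}


@functools.lru_cache(maxsize=None)
def candidates(ruleset):
    """Expand WORDLIST through the named rule set into the attacker's guess set."""
    current = set(WORDLIST)
    for rule in RULESETS[ruleset]:
        current = set().union(*(rule(w) for w in current))
    return frozenset(current)


def is_guessable(password, ruleset):
    """True if this rule set would reach the password starting from WORDLIST."""
    return password in candidates(ruleset)


def guess_count(ruleset):
    """How many guesses the rule set costs the attacker (more = more work)."""
    return len(candidates(ruleset))


def store_password(password, salt):
    """What a stolen password file should hold: a salted hash, not the password.
    (SHA-256 is used only to keep the demo short; a real store uses a slow hash.)"""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack_stored_hash(salt, stored_hash, ruleset):
    """Offline attack on one stolen salted hash: hash every guess and compare."""
    for guess in candidates(ruleset):
        if store_password(guess, salt) == stored_hash:
            return guess
    return None


if __name__ == "__main__":
    for name in RULESETS:
        hits = [p for p in ("Penelope", "P3nelope", "Pnelope", "Pn%elope", "bokkeepper")
                if is_guessable(p, name)]
        print(f"{name:<24} {guess_count(name):>7} guesses  reaches: {hits}")
    salt = b"constructed-salt"
    print(crack_stored_hash(salt, store_password("P3nelope", salt), "case+leet"))
```

The pattern to notice: "P3nelope" falls to the substitution rules the tip warns about; "Pnelope" survives them but falls once one-character deletions are added; "Pn%elope" survives until insertions are added too, at which point the attacker is paying more than a hundred extra guesses per word. Each consistent trick multiplies the attacker's work rather than stopping the attack, which is why the tip's other advice, basing the misspelt word on something nobody would guess and keeping the strategy to yourself, matters as much as the misspelling itself. The two-change example "bokkeepper" is out of reach of every rule set here because no single rule produces it.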

A Data breach story: Online merchant Zappos did some things right, but there's room for improvement
Back in 2012, the online merchant Zappos - famous for being the online shoe merchant that was purchased by Amazon for about $1 billion - notified customers that its website had been hacked.

The personal information of about 24 million customers was affected, including their names, addresses, telephone numbers and the last 4 digits of their credit card numbers. The attackers also stole files containing the customers' stored passwords in scrambled form. Passwords should be stored as salted hashes rather than reversibly encrypted; whether the scrambling can be undone depends on how it was done, but with hashes attackers don't decrypt anything: they guess candidate passwords, hash each one and compare, which is exactly why weak or predictable passwords fall quickly and strong ones do not.

The news reports showed that Zappos did some things well, and was proactive in a number of areas, including:
  • Storing full credit card numbers in encrypted form in a separate database that would make it more difficult for attackers to get at
  • Having a breach response plan in place that clearly identifies actions and responsibilities in the event of a breach.
  • Notifying customers and all employees immediately. It's important for employees to be notified, so they can respond professionally.
However, there were some customers who reported in comments on news articles that they did not receive any notification. (Perhaps they registered with a different email address, and didn't check the one to which Zappos sent the notifications... who knows?)

However, it seems that there were some things Zappos could have done better.

For example, they had no obvious notifications on their website for people to learn more about the incident, or what to do about it. In fact, some customers outside the USA couldn't even get to the website for a while.

If you receive an email with a breach notification, you should be suspicious that it could be a phishing attack that is trying to exploit the situation. So, you should always go directly to the company website without clicking the link, and look for an official statement and instructions on what to do.

Recently, Zappos settled this case with a payout of $106,000. I'm not sure how that will be divided among the 24 million customers. They could issue everyone who was affected with coupons for a "0.5% discount" on anything in the store...

This article by Dark Reading explains more of the details and the lessons learned from this breach story.

One more note on this story: A year or two ago, I read the business book "Delivering Happiness" by Zappos CEO Tony Hsieh (pronounced SHAY). I really enjoyed the book and the innovative and entrepreneurial culture he embedded into Zappos. But the one thing that bothered me - and still does - about most startup success stories is the fact that they have to defer good security practices to gain that success.

It's clearly a trade-off for startups. Why invest a lot in security when you're not sure your business will even be successful? It's a mindset that those responsible for security in the organization (including within management) have to try to influence. Take every opportunity to analyze risks. You can take calculated risks, but you can't go forever without implementing good security. Fortunately, for Zappos, it looks like Amazon did put a measure of security prudence into the business. Otherwise, this breach could have been much worse.


Answer to the Cyber Security Challenge Question (from above)
Question - Facebook malware that tags your friends spreads quickly because:

Answer: (a) Notifications for tags are usually sent to your "friends' friends". Each round of tagging extends the visibility of an enticing post to a far larger audience, so the number of people who see it grows with every hop, and with it the likelihood that more people will click on the link.

If you found this newsletter to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note.

In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of.

Sincerely,

 
Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.