"Practical Security Stories to be Shared With Others"
from Scott Wright - The Streetwise Security Coach 
Issue #8. April 2015  
Quick Topic Links
Don't be silly. Your TV isn't spying on you... or is it?
Terminology: Cyberphysical
Why the Internet of Things needs your attention now
Cyber Security Challenge Question
Streetwise Security Tip - Securely dispose of old memory sticks, smartphones and other electronics.
Other Interesting Stories...
23% of recipients open phishing email messages, and 11% click on links or attachments

According to the latest Verizon Data Breach Incident Report, phishing emails are still extremely successful in getting people to open messages and click on things. This is sad news. More training required!

Read the report...

Attackers would pay $82.90 per record for data that relates to the health condition of Americans

Trend Micro and Ponemon have released an interesting study on "Security and Privacy in a Connected Life", which has some cool statistics, including a breakdown of the going prices for different types of personal information within cybercrime black markets.

Read More...
How can you find out if your organization's employees and business processes are vulnerable to phishing, social engineering and other threats?
 
Many organizations are now trying to address security awareness by conducting basic awareness training. However, a determined attacker can often trick employees into clicking on links or attachments, or entering sensitive information into fake web forms - even if they've had basic awareness training.

My phishing and social engineering audit services can test your employees in more creative ways, to see if they make good risk decisions. This can help you determine what kinds of training they need to mitigate risks to your most important assets and business processes.

Give me a call at 613-693-0997 if you'd like to discuss your situation and how it can be addressed.

Learn about Security Perspectives services...

Security educators and entrepreneurs...
I've got ideas and plans for creating new security assessment and education products for businesses and individuals. If you'd like to collaborate and get more things done faster, please contact me. We may be able to work together.
- Scott



Welcome to Issue #8 of the Streetwise Security News.

Sadly, I'm feeling a little discouraged about the general state of society when it comes to our attitudes toward security. It's not deep depression, by any means, but I think there's reason for concern. Here's what put me in this funk.
A Scary Read

I just finished reading a fascinatingly scary science fiction book by Daniel Suarez called Kill Decision. It deals with autonomous drones, which are un-piloted aircraft that would be programmed to take action based on programming, and no human would make the actual decision to launch missiles, shoot guns or drop bombs. The possible outcomes are very alarming.

It just got me to thinking about our current course of technology evolution, where I believe we will soon have self-driving cars. How will we deal with machine-decisions that end up breaking the law? We are nowhere near understanding how to deal with this inevitability that will literally turn our legal system on its head. Bruce Schneier has some interesting thoughts on key issues we must deal with very soon.

We're not really understanding the implications of these new technologies fast enough. So, please give this important issue some thought as you read about "Smart Devices" below, and let me know what you think. Maybe you can cheer me up!

See the list of clickable topics on the left for a quick view of this issue's stories and content.

If you're not already a subscriber, and would like to sign up, please click HERE. You'll automatically receive a free copy of my Security Resource Guide that has links and source info for the tools I use on a daily basis.


Cheers,
Scott Wright

Don't be silly. Your TV isn't spying on you... or is it?
Just when you thought it was safe to have a serious discussion in the family room...

If you're going to talk about sensitive topics like your health condition, political or religious beliefs, or what you think of your neighbor's dog, you might want to unplug your new flat panel TV.

Recently, an online news publication, The Daily Beast, stumbled on the privacy statement of Samsung's new "Smart TV". The fine print you must agree to when turning on the "Voice Control" feature has raised a lot of concerns about privacy. (This is just the beginning of the privacy iceberg for Smart Devices.)

It turns out that, to enable the TV to interpret your voice commands, it captures ALL AUDIBLE SOUND in the device's vicinity, and sends it over the Internet - to a third-party speech recognition company called Nuance - to determine if any voice commands have been issued to the TV. This has led to many news headlines like, "Is your new Smart TV spying on you?"

While the intent may not be to collect personal information, Samsung really is doing something that must be treated carefully, from a privacy point of view. This situation will begin to occur frequently for companies that never thought they had to worry about their customers' privacy before. We need to hold them accountable.

The basic concept of sending spoken information out for analysis isn't really new. Many organizations like Google and Apple have gone through this challenge with products like Siri, which search out answers for you. But you're expecting those products to have to talk to the Internet to find things. It's a little disturbing when you don't get much warning about devices sending your personal information out for analysis, when you didn't intend for this to happen. You'd kind of like to know that it is going to be done securely, at least.

Companies will have to do a lot better job of both implementing security when handling personal information their Smart Devices collect, as well as setting expectations with customers and communicating what's really happening to their personal data.

Terminology - "Cyberphysical"
Cyberphysical -  A term used to describe the integration of physical sensors and/or controls with computers that allow devices to have "smart capabilities",  but which also represent vulnerable points where attackers could monitor or take control of the system for malicious purposes.

For example, the radar sensors on your new car send information to a computer. The computer analyzes that information and decides when you need to slow down due to the fact that you're getting closer to a slower vehicle in front of you. The computer sends a signal to your car's throttle (and maybe the brakes) to slow the car down.

Because the car's computer is relying on sensors to tell it what's happening in the real world, and because the computer is trying to control other systems in the car to respond to them, computers are not just processing information automatically now. They are making decisions about the car's actions that affect our safety. Not only that, but the sensor inputs to the computer, as well as the commands from the computer to the car's controls, can become the targets of attackers (for revenge, for amusement, for terrorism, for criminal purposes, etc.)

The implications are that we should be concerned with not only the security of information, but how systems can be manipulated, commandeered or abused to enable malicious actions in the physical world.
 
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
 
Scott's Recent Blog Posts

Here's a recent extract from my Security Views blog...

Smart devices are coming.

If you haven't heard the term the Internet of Things, you may have already been exposed to the concept and didn't realize it. That is, one day in the not too distant future, just about any object you can imagine will be available in a Smart version... New and Improved! the ads will read. Anything labeled as being Smart will be expected to be able to connect to the Internet and communicate with you, of course. But it also implies that these Smart things will be able to communicate with other Smart things via wireless communications, and probably with other entities across the Internet. Sounds great, right?

Well, not so fast...


Social Media Security
Investigating your Digital Shadow with some cool tools.
 
I recently came across a great website called myshadow.org that has many tools and resources for learning about and managing your personal presence on the Internet. It has tools that show you what kind of personal information you may be exposing, as well as tools to help protect your privacy online.

One of my personal favorites that is shown on the website's "Tools and Tips" page is called "Please don't stalk me", which is an online tool (from a different website) that lets you choose an arbitrary location that gets shown when you post a Tweet on Twitter. It's kind of like spoofing your caller ID when you make a phone call.

Imagine a stalker trying to follow you to South America one day, then finding out you're in Beijing a few days later. Loads of fun!... all while protecting your own privacy. Of course, you've got to follow all the other tips to make sure you don't accidentally leak other information to your stalker about where you really are.

I also co-host a podcast program on Social Media Security, soon to be renamed as Shared Security. Tom Eston and I discuss security and privacy risks and tips on this program available on iTunes.


Pinterest Pic of the Month
The next time you feel confused when somebody says it's "in the cloud", just substitute it with, "on somebody else's computer," and see what security questions come to mind; like who else can see it? How do I delete it? Etc.

Courtesy:
https://pbs.twimg.com/media/CCxrwXsWgAACR5k.png:large

A Cyber Security Challenge Question
Which of the following would be related to a cyberphysical risk?:

 

a)   A phishing link in an email message

b)   A pop-up window that says your computer is infected with a virus

c)   A post made by a friend about what they are eating for breakfast

d)   A mobile app that reports on your home's temperature and lets you control the furnace and air conditioner.


Answer:
See the bottom of this newsletter for the answer. (or click HERE)
Streetwise Security Tip - Securely dispose of old memory sticks, smartphones and other electronics.
It can be tempting to try to resell, or even recycle, electronic devices these days. It makes sense. However, there are security and privacy concerns when it comes to disposing of memory sticks, smartphones and even electronic devices such as printers.

All of these devices contain memory, and probably have some sensitive information that you may have forgotten about. So, it's a good idea to locate the memory components, remove them and destroy them completely, rather than selling or recycling them. The rest of the devices can, and probably should be, recycled.

How to destroy the memory components is yet another problem. If you have a power drill, you can drill a few holes in the device, whether it's a memory stick or card, or even if it's a disk drive. If your smartphone has internal memory, you should at least do a "factory reset" to wipe the internal memory. If you're really paranoid, you should find somebody who has an industrial shredder.

Note: Even printers and photocopiers have been known to store documents on a disk drive inside, which can be recovered with the right tools. So, they should be disposed of securely, too, if they've had anything sensitive on them.
 

A Data breach story: 25,000 patient healthcare records compromised by phishing attack on a hospital employee's email account
We tend to think that all attacks are becoming more sophisticated because our defenses are getting better. It is true that attackers are getting sophisticated when it comes to targeted attacks. But plain old phishing is still one of the most effective ways that attackers are gaining access to sensitive information.

In this case, St. Agnes Hospital in Baltimore, MD, was targeted by a phishing attack that succeeded in getting one employee to fall victim. The result was that the attacker was apparently able to access the employee's email account to gain direct access to 25,000 patient healthcare records. That's it.

Basic phishing attacks are simple in form, but it's the messages that manage to trick people into taking action that are really the key. If an attacker can learn enough about an employee, they can probably formulate an email message that will get the employee to click on a link or attachment, or get them to enter sensitive information into a fake web page form.

In this case, we could ask why an employee had an email message (or messages) in their inbox, presumably containing attachments that had detailed patient healthcare records. However, this practice is probably not that unusual. But all it takes is a compromised email account to expose all of this information.

Based on the information I have on this case, it's not clear if the hospital had web-based remote access to their email (e.g. Outlook Web Access, or OWA, is commonly used). But if they did, it's a good idea to require "two-factor authentication" such as an RSA SecurID authentication token, or some kind of SMS message loop that provides extra verification on the identity of somebody accessing their email remotely.

My guess is that this attacker tricked an employee into logging in to what they thought was an official internal website, so they could capture their user ID and password. They could have used the employee's stolen user ID and password to access the corporate email remotely (if it didn't have two-factor authentication). It's a very simple attack without two-factor authentication in place for remote employees.

This is something your security team should make sure is addressed if you have remote access to corporate email. And of course, it goes without saying that employees need to be sensitized to phishing attacks. This can be addressed effectively using phishing audits and training. 
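To make the point of the last few paragraphs concrete, here is an added example (not code from the newsletter or from the hospital's systems) that contrasts a password-only remote-mail login with one that also demands a second factor. It uses a time-based one-time code (TOTP, RFC 6238, computed here with the standard library) as a stand-in for the SecurID token or SMS loop mentioned above; the account name, password, salt and token seed are constructed test values, and `login_password_only` / `login_with_2fa` are hypothetical function names. A phished password alone passes the first check and fails the second.

```python
"""Why a stolen password alone should not open remote email: password-only
login versus login that also demands a time-based one-time code."""
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample account (hypothetical; not from the newsletter).
# The salt and token seed are fixed test values so the example is deterministic.
_SALT = b"constructed-salt-0001"
_TOTP_SEED = b"12345678901234567890"  # RFC 4226 / RFC 6238 reference test secret


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "jdoe": {
        "salt": _SALT,
        "pw_hash": _hash_password("Winter2015!", _SALT),  # constructed password
        "totp_seed": _TOTP_SEED,
    }
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    counter, dynamic truncation, then the low `digits` decimal digits."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with a 30-second counter."""
    return hotp(seed, at_time // step, digits)


def login_password_only(username: str, password: str) -> bool:
    """The weak setting: anyone holding a phished password gets in."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


def login_with_2fa(username: str, password: str, otp: Optional[str], now: int) -> bool:
    """Hardened login: the password AND a fresh code from the user's token.
    `now` is a Unix timestamp passed in explicitly so the check is testable."""
    if not login_password_only(username, password):
        return False
    if otp is None:
        return False  # the second factor is mandatory, not optional
    seed = USERS[username]["totp_seed"]
    # Accept the current 30-second step and one step either side for clock drift.
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(seed, now + drift), otp):
            return True
    return False


if __name__ == "__main__":
    now = 1_428_000_000  # a constructed April 2015 timestamp
    stolen = ("jdoe", "Winter2015!")  # what a fake login form would capture
    print("password-only login with phished credentials:", login_password_only(*stolen))
    print("2FA login, no token code:", login_with_2fa(*stolen, None, now))
    print("2FA login, code from the real token:",
          login_with_2fa(*stolen, totp(_TOTP_SEED, now), now))
```

The drift window of one step either side is the usual trade-off between rejecting a legitimate user whose token clock has slipped and widening the window an attacker would have to hit; a real deployment would also record each accepted code so it cannot be replayed within that window.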

You can read more about this data breach case HERE.


Answer to the Cyber Security Challenge Question (from above)
Question - Which of the following would be related to a cyberphysical risk?:

Answer: (d)   A mobile app that reports on your home's temperature and lets you control the furnace and air conditioner.

The fact that your home's temperature information is being sent to a computer (your mobile phone, and maybe a website for your Smart thermostat), and also that the furnace and air conditioner can be controlled by a computer (maybe somebody else's), could both be considered as Cyberphysical risks.

If you found this newsletter to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note.

In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of.

Sincerely,

 
Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.