Other Interesting Stories...
Last year, 60 percent of all targeted attacks struck small- and medium-sized organizations. (Symantec 2015 ISTR)
These organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver email attachments.
This puts not only the businesses, but also their business partners, at higher risk.
Read the Symantec report...
Make sure people you know don't fall for scams like the Red Bull car ad deal...
Major brands like Red Bull are big lures for scams. People are being told they will earn $600 per month by putting a Red Bull ad on their car. It's not legitimate.
(Thanks to Stu at KnowBe4 for alerting me to this!)
Read More...
Security educators and entrepreneurs...
I've got ideas and plans for creating new security assessment and education products for businesses and individuals. If you'd like to collaborate and get more things done faster, please contact me. We may be able to work together.
- Scott
Greetings!
Welcome to Issue #9 of the Streetwise Security News. This month I've been thinking a lot about how we can get people to think more clearly about security. Ironically, just when we should be learning more about it, the news media is starting to get bored with covering cybercrime stories. In one article I read, it said that security journalists are starting to feel like it's "groundhog day" - referring to the movie starring Bill Murray, in which he relives February 2nd over and over again. No kidding. If cybercrime and security failures are reaching epidemic proportions, then important stories start to happen every day. But news organizations aren't built to report what's important. They report the spectacular, rare events. That's how you know these are getting to be real problems. As security expert Bruce Schneier says: "Remember, if it's in the news don't worry about it. The very definition of news is something that almost never happens. When something is so common that it's no longer news - car crashes, domestic violence - that's when you should worry about it."
Coincidentally, I've also been reading a very interesting book (non-fiction) called The Unthinkable - Who survives when disaster strikes, and why? by Amanda Ripley, which explores how survivors have dealt with disasters and crisis situations. It has some great lessons for us on how we can learn to overcome our natural tendency to focus on the wrong risks. So, we must find ways to learn what the news people are no longer telling us, and start teaching those we care about how to think about security routinely. See the list of clickable topics on the left for a quick view of this issue's stories and content. If you're not already a subscriber, and would like to sign up, please click HERE. You'll automatically receive a free copy of my Security Resource Guide that has links and source info for the tools I use on a daily basis.
Cheers,
Scott Wright
Will your car unlock itself for a thief with a $17 gadget?
Consider this scenario: You're having a meeting with a business associate at a coffee shop. After the hour-long discussion is over, you return to your car, and drive back to the office. You've got a bit of a headache and open your glove compartment to grab the bottle of Tylenol you keep there. You're surprised that the contents of the compartment seem much more disorganized than you remember. Then you notice your digital camera is missing. You check the console compartment, and your iPod is gone, too. You've been robbed, but you swear you'd locked the car every time you left it, as far back as you can remember. And there's no sign of forced entry, or anything broken. So, what happened?

A rash of car thefts has begun recently, as thieves have learned of a vulnerability in the new Passive Keyless Entry & Start (PKES) system used by manufacturers in many of their new cars. If your car unlocks as you approach, or when you touch the door handle, your key fob is probably vulnerable. Unfortunately, the system was designed with a flaw that assumes if the car can sense a signal from your key fob, then it must be nearby. There is currently no way for the car to know the difference between your PKES key being 3 feet away, and its signal being relayed with a simple radio repeater system. What this means is that a pair of thieves can put one component of the repeater system near your car, and the other near you (in the coffee shop). As soon as your key fob senses the car's signal, it responds with its own. Then the thief near the car can touch the door handle and the car will open. It's pretty simple. For a great video that describes exactly how the vulnerability is being exploited, check out Security Now Episode 508 (starting at 1 hr 27 min). The gadget used in this attack apparently is available online for $17.

It's easier for thieves to just steal valuables than to steal the car, because as soon as they turn the car off, it can't be restarted without the real key being nearby (unless they have a sophisticated setup, or completely replace the ignition electronics).

What can you do about it? If you're concerned that your keys are vulnerable, most of the fobs will still work in a backup mode if you take the battery out of the key fob (based on RFID technology). But each manufacturer's backup mode may work differently, so you'll have to ask a dealer about it. It may be a while, though, before this flaw gets fixed properly. Again, it's our laziness that is creating vulnerabilities. In the meantime, if you have a vulnerable key fob, don't keep any valuables in your car. Here's an article with some other ways you can reduce the risk from this vulnerability.
Terminology - "Backdoor"
Backdoor - A term used to describe the intentional insertion of an "easy way in" to any computer system or program.
For example, when a hacker uses powerful tools to find and break into your computer, the first thing they will do, once they are successful, is create a backdoor of some type. It could be something as simple as reconfiguring the computer so the attacker can get in again with less effort in future. These days, however, they often just install a program that lies dormant most of the time, but occasionally wakes up and checks for instructions from its master, over the Internet. (When many computers around the world are configured to receive instructions from a master in this way, it's called a "botnet".)
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
Scott's Recent Blog Posts
Here's a recent extract from my Security Views blog...
One of the most difficult problems in risk management is dealing with what's called a "High impact, low likelihood incident".
An Example
Think of the risk to you from having car trouble in the middle of nowhere, where there is no cell-phone reception. If you were to try to come up with safeguards that would prevent you from being stuck in the middle of nowhere, you might imagine having a backup satellite phone, or a small motorized scooter in your car trunk.
For these kinds of rare events, it's usually extremely expensive to come up with a safeguard that could prevent the worst case of the incident occurring.
What can you do?
One thing you can usually do is prepare to respond. If you do get stranded somewhere, having some food, warm clothing, etc. can reduce the most severe impacts from a "High impact, low likelihood event" with a bit of common sense. You just have to think through the situation.
Social Media Security
How social networks and easy information access are causing big problems for adopted children and their families
 Not all risks from social networks are related to technical vulnerabilities or malicious attackers. As you may have guessed, new information tools affect social situations in unexpected (but not unforeseeable) ways. This sobering article describes how a young adopted girl had grown up with the unrealistic perception that her birth mother was like a "Disney princess". This was not the only misconception she had about her birth family's situation. The result of the girl's ability to find her birth mother on Facebook was that their surreptitious meeting did not go anything like she had expected. This caused a devastating impact on her adoptive family situation. The bottom line is that you have to get out in front of the curve when it comes to information access. If you know somebody is likely to be able to find out the truth, you really need to be proactive, and disclose information in a controlled and responsible way - even with young children. I also co-host a podcast program on Social Media Security, soon to be renamed as Shared Security. Tom Eston and I discuss security and privacy risks and tips on this program available on iTunes.
Pinterest Pic of the Month
Sometimes you should just try something, because these days it may be easier to fix it later than figure out what the right thing to do is.
A Cyber Security Challenge Question
What do you call an intentional vulnerability placed in a computer system to allow easy access without proper authentication?
a) A root canal
b) A worm hole
c) A skeleton key
d) A backdoor
Answer:
See the bottom of this newsletter for the answer. (or click HERE)
Streetwise Security Tip - Use a good password manager program to easily manage many different, strong passwords for multiple websites.
Using an industry-accepted password manager program is a good idea. It can store and protect all your Usernames and Passwords (and other important information to which you may need quick access) in an online vault, using a single, strong password. So, you only need to remember that one password. Most password manager programs can generate long, strong passwords automatically for each website. The good ones will encrypt (or scramble) all the passwords and then send them to their website for safe keeping. Even the password manager website can't decrypt or access your passwords. In some cases, you can also require more than just your password to open the vault. Each time you want to log in to a website, the encrypted password is retrieved, and only decrypted on your computer at the time you need to fill in the login fields.

I also prefer this method over letting your browser store passwords. The browsers sometimes have been hacked, and if you store passwords in one browser (e.g. Internet Explorer), you can't easily access them from another browser (e.g. Firefox). I've used a free password manager called LastPass for the past several years, and I have over 200 sets of Usernames and Passwords in it (many are for testing purposes). It even has a mobile version for my Blackberry ($12 per year), so I can always get to my passwords, even if I'm not at a computer. There are others like 1Password or Password Safe, but I haven't used them, so I can't say how they compare to LastPass. Even more businesses are now realizing that a password manager is one of the best ways for employees to reduce risks from poor password practices.
A Data breach story: What happens when a single email account is hacked in a transactional email service company?... Very bad news happens.
SendGrid is a leading provider of transactional email services. For large companies that send millions of emails to clients, this kind of service is essential. Many of the email messages you get on a daily basis from large online merchants and social networks come from them.
But when attackers want to get access to personal information of millions of people, companies like SendGrid are big targets. They should be expecting these kinds of threats.
However, this past February/March, SendGrid was caught totally off-guard when one of their email accounts was hacked. In fact, for a while, they were in denial. After the New York Times did a story revealing the incident, SendGrid tried to minimize the bad PR by saying only one email account was compromised, but providing no other information.
After some persistence from news media and security research companies, SendGrid management later admitted that the breach had exposed several of their systems, which may have exposed a large number of customer records.
These days, you have to expect that if you're a large organization, you will one day be targeted, and you can't guarantee you'll be able to prevent an attack from being successful. So, detection of incidents and anomalies becomes very important, as does taking responsibility, and being transparent with the public regarding the exposure of client data as a result of security incidents.
You can read more about this data breach case HERE.
Answer to the Cyber Security Challenge Question (from above)
Question - What do you call an intentional vulnerability placed in a computer system to allow easy access without proper authentication?
Answer: (d) A backdoor
An attacker who successfully breaks into a computer network the first time will usually insert some kind of backdoor vulnerability or program that makes it easy to get access again in future.
If you found this newsletter to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note. In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of. Sincerely, Scott Wright
The Streetwise Security Coach Security Perspectives Inc.
Scott's Blatant Advertising
For those of you who are interested in learning more about my products and services for business, here's some additional information for you.
Security Awareness Training
- Live Training Sessions - I provide live on-site training, as well as webinars, for businesses who want to quickly engage staff. This often occurs in environments where it's important to get feedback from staff during the sessions. A workshop setup can result in some immediate actionable insights that will improve the effectiveness of your security program, since staff are more invested in the safeguards selected.
- Computer-Based Training (CBTs) - Websites can be created that lead employees through the key security topics on which your business wants people to focus. Engaging images and animations can be included to make the content more relevant and interesting. You can also include self-assessment and auditable quizzes. I've created these kinds of tailored Intranet-based web applications for general security awareness, as well as specific compliance initiatives and even records management policy awareness.
- Social Engineering Security Audits - Sometimes it's hard to know how vulnerable your team is, and to have good metrics to present to management. I can create tailored social engineering audits such as phishing assessments and USB drive handling tests (like the Honey Stick Project). I can use any of several new tools on the market to create and manage a repeatable program that you can use to guide awareness training, policy development and management reporting.
- Social Media Risk Management - The use of social media for personal communications, as well as for marketing, HR and publicity, is a whole new risk area for businesses. There are new tools available for monitoring and alerting management to threats and reacting to them. I can help you navigate through this uncharted territory.
- Games and Quizzes - Gamification is a great way to engage employees and prospects. I have a framework for a "trivia-game" style application that can be used in trade show booths and kiosks. It is totally customizable, so you can use any category names, with any questions and any multiple-choice answer options.
- Explainer Video Animations - Another effective way of engaging people is with animations. I can create short, narrated animations (up to 2 minutes) that can be put on internal websites or used for public consumption on sites like Youtube. I am also building a library of inexpensive security animations you can purchase and use in your own programs.
You can inquire about any of these products or services by emailing me at: scott@streetwise-security-zone.com