* From Scott's Blog: LastPass password manager gets hit - nobody is immune, but this is about as good as you can hope for
|
* Streetwise Security Tip: Take a moment to review that Friend Request or Invitation to Connect
|
|
Other Interesting Stories...
|
|
Security incidents in the finance sector 300 percent more frequent than others (SC Magazine)
The "2015 Industry Drill-Down Report: Financial Services" from Websense.Read More... |
Airport Security: Astoundingly Expensive and 95 Percent Ineffective
This article really makes me wonder about the problems with airport security screening.
Read More... |
Stay Connected
|
| Something I've been working on... |
I've found a way of creating short, engaging animated video clips that can be used for educating staff.
Have a look at this clip, called "Dave's adventure with a USB drive at work..."
 Click the image to view the video clip. I'd like to hear your comments on it, so I can create more engaging educational clips.- Scott
|
|
 |
|
Welcome to Issue #10 of the Streetwise Security News. The short summers in Ottawa mean that all you can really count on is, at some point between June and September, there will be a few nice days mixed amongst stretches of blistering heat, days of high winds and thunderstorms verging on tornadoes; all occurring at various times. But when it's nice here, it's really nice. As you may know, I like to sail. Sailing here is peaceful, and gives you a view of the city you don't get anywhere else. I also find that I'm always learning something that makes me better at it. Safety is always a major priority, because when things start to go bad on a boat, they can get quickly out of hand. Of course, there are obviously some parallels between my love of sailing and my passion for security.  Sailing is also a good way to visit and build friendships. So, if you're in Ottawa (or heading this way) and would enjoy going for a sail and a chat, please let me know. I'm sure we can find a nice, sunny day with a little wind. Even if the weather isn't perfect, there's always a place to sit and watch the boats, and share stories over a drink or meal. See the list of clickable topics on the left for a quick view of this issue's stories and content. If you're not already a subscriber, and would like to sign up, please click HERE. You'll automatically receive a free copy of my Security Resource Guide that has links and source info for the tools I use on a daily basis.
Cheers,
Scott Wright
|
|
 Everything's amazing, and nothing seems secure...
|
 How could things have become this bad?
(TL:DR - You can't expect to get a whole lot of useful stuff for free. Spend the effort on understanding the risks from new products and services before you rely on them and then complain that they are flawed. But at least view the clip from Louis C.K. below...)
During the past month, we've been bombarded with endless stories of serious security failures; both in government and in the private sector. Here just a few examples: - The US Office of Personnel Management seems to have lost control of sensitive human resources records for virtually every US Government employee and retiree, as well as up to 1 million former employees. Cyber attackers reportedly also stole about 4 million exposed employee records included security clearance investigation information. Incredible.
- Numerous medical devices have been found to have vulnerabilities that could result in having fatal dosages of drugs injected into patients (...e.g. the Homeland episode where the VP's pacemaker is hacked and induces a heart attack)
- Major flaws in Apple and Samsung device software were recently discovered that could be easily exploited by attackers to gain access to sensitive information and passwords on devices.
Security breakdowns are coming from every direction, and along with them, I read editorial comments that express dismay, frustration and cynicism. Nothing seems secure any more. How did it get this bad? Well, I think all of us are expecting technology to do too much for us. In other words... We're getting lazy, impatient and greedy!... This includes the management of organizations that offer products and services, by the way. The Fallacy of an Automated UtopiaI think we need to put these things into perspective. Back in the days when personal computers weren't often connected to networks (about 1990), it was pretty easy to secure information. In fact information security wasn't even a thing yet, because the technology was pretty simple by today's standards. Now, as we connect our computers, phones, tablets, watches and medical equipment to the Internet, security starts to matter more! But while ever greater amounts of information can travel ever faster, and ever more cheaply, we really don't have any patience for things that slow us down or cost money to put in place... like security. (For some good examples, you have to view this fantastic clip of Louis C.K. - "Everything's amazing and nobody's happy".) An Observation From the 1920's Makes Sense Today...There is a famous quote I recently heard at the high school graduation ceremony for one of my children, which was very insightful...
"I'm a great believer in luck; the harder I work, the more of it I seem to have."
(Possibly, from Stephen Leacock, or Coleman Cox, according to Quote Investigator website.) I think most of us would agree with this idea. Hard work brings opportunity. Now, think about my inferred corollary to the that statement: "If I don't put sufficient effort into understanding what could go wrong in any situation, I should expect to face greater risk."
Let's Be Realistic About the Times We Live In So, before you get too cynical about how poorly security is being managed around you, think about how much you (and the providers you rely on) are spending on security. From a business point of view, if you have a limited security budget, and you don't scale back the scope of what you are building, to make sure you can afford to do security properly, you should expect the risk to be higher. Few businesses I've seen lately understand this. Until we all make an effort to put proper security in place, and demand that suppliers do so, too, we should either try to understand and accept the risks, or refuse to use the systems. You don't get "amazing" things without some expected costs. Businesses need to budget properly for security, but we, as consumers, also have to budget for security and privacy in every part of our lives. P.S. If you're wondering what the TL:DR note at the top of this article means, it stands for "Too Long: Didn't Read". I learned this from my son. Kids these days prefer an abbreviated message... maybe due to their lack of patience?
|
Terminology - "Hash"
| |
Hash - A technical term for performing a "one-way encryption" function on a piece of data.
"Why would you ever want to encrypt something that could never be encrypted?", you might ask. Well, it turns out that a "hashing a password" is one of the best ways to store password information. If you immediately encrypt it when somebody types in their password, it can theoretically never be recovered; but the value can be used for later comparisons with previously stored password hashes, to see if you're entering the right password when logging in, for example.
The "hashing" function always gives the same output for any given input data. The only practical way to use the data to attack a password is to try every possible password value, hashing it and then comparing the values with a known hashed value (i.e. the value stored by a website to represent your password). This could take billions or trillions of tries... if you use a long, complex password. With unlimited time, however, an attacker who steals a website's store of hashed passwords may be able to use networks of computers to try to guess the password values in a relatively short period of time.
So, the longer the password you choose, the longer it will take for an attacker to find it.
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
| |
|
|
Scott's Recent Blog Posts
|
Here's a recent extract from my Security Views blog...
LastPass password manager gets hit - nobody is immune, but this is about as good as you can hope for
(from June 16, 2015)
 Yesterday, the online password management system known as LastPass announced that they had detected an attack on their service's client data which appears to have been partially successful. This is a system that I use, but I'm not really concerned (although I recommend that all LastPass users read the following and change their master password ASAP). Here's why...
|
Social Media Security
|
Using Instagram securely
 Instagram is one of the most popular mobile apps for sharing photos. So, it's a good idea to review the security and privacy tips provided on the Instagram website. Some things to note: - By default, anyone can view your profile and posts on Instagram. But, you can make your posts private.
- If someone was already following you before you set your posts to private and you don't want them to see your posts, you can block them.
- You can block someone to get them to stop following you. People aren't notified when you block them. Learn more about blocking people.
You should really spend a few minutes learning about security and privacy settings on any new product or service before you start using it. I also co-host a podcast program on Social Media Security, soon to be renamed as Shared Security. Tom Eston and I discuss security and privacy risks and tips on this program available on iTunes.
|
Pinterest Pic of the Month
|
There's a constant struggle between automating security to keep us safe, and the tendancy for humans to do things that are insecure...
Courtesy: http://blog.knowbe4.com/bid/386493/And-in-THIS-corner-we-have-Dave
|
A Cyber Security Challenge Question
|
 Which of the following should you do before using a new product or service?:
a) Ask the vendor if they are trustworthy
b) Make sure it has a secure Friend-Finder feature
c) Spend time understanding its privacy risks
d) Make sure there's a web-based trial version
Answer:
See the bottom of this newsletter for the answer. (or click HERE)
|
Streetwise Security Tip - Take a moment to review that Friend Request or Invitation to Connect
|
|
 We are so eager to connect with people, we sometimes don't stop to think about security and privacy. One of the most common ways for attackers to gain access to personal information about you is to create fake profiles - either people you may already know, or people you may want to connect with. It's very easy for attackers to create a profile for anyone, and copy a photo of somebody to use as the profile picture. Attackers do this for a few reasons. Firstly, they will often gain greater access to your private information - the stuff you only usually share with your friends and associates. Once they are connected to you, they may use some of that information to try to guess your account passwords or security questions. Sadly, this works more often than you'd think, because people use easily guessable words, names or dates in their passwords and security questions. Secondly, with a little more information about you, they can often launch a credible social engineering attack (con game) against you or your friends. They may try to phish you into clicking on a link in one of their messages, because people are much more likely to click on links from people they've explicitly designated as friends, than from random strangers. So, if you get a request from somebody, and you're not expecting it, take a moment to see if it might be a duplicate of somebody you know or are already friends with. You can also contact them by email or phone to see if they really sent you the request. This could save you a lot of pain later.
|
A Data breach story: Attackers harvest customer info on a malware infected eCommerce website.
|
Imagine you are surfing your favorite boutique website, looking for some cool, new stuff. You put some items in your shopping cart, and check out. So far, so good. Did you notice anything strange during this experience? Not really...
But you just had your credit card info and personal address info stolen.
This is what apparently happened to a number of customers of military supply company Tactical Assault Gear when they were shopping on the company's website. The culprit was a malware infection in the site.
Not All Breaches Are "Smash and Grab"Many data breaches involve attackers breaking into a webserver database and gathering whatever data they can find, before they get caught. But some, like this one, brazenly plant malware into the website's systems, and harvest customer information in real time.
What Can Consumers Do?As a consumer, there's not much you can do. But this is why I tend to trust larger retail chains a little more. Typically, they're using industry best practices to protect their websites. But it can happen to any site, if the employees are a little lazy or negligent. Sometimes people don't check to make sure their configurations are secure, which can leave a virtual backdoor for attackers.
What Can Businesses Do?Businesses need to make sure they have the latest security patches in place, and test their eCommerce software before and during operation, to make sure it is working securely. Advanced monitoring systems should also be in place for large volume websites.
You can read more about this data breach case HERE.
|
Answer to the Cyber Security Challenge Question (from above)
|
Question - Which of the following should you do before using a new product or service?:
Answer: c) Spend time understanding its privacy risks
Using a product or service without spending some effort and/or time on understanding the privacy risks can result in your sensitive information being exposed. Friend-Finder features (b) present a privacy risk, because you usually have to enter your email password into the vendor's website, which I don't recommend. Many social networking services oriented toward mobile users don't have an equivalent web-based service (d) to try out. Asking a vendor if they are trustworthy is a waste of time, because they will all say they are!
|
If you found this newsletter to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note. In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of. Sincerely, Scott Wright
The Streetwise Security Coach Security Perspectives Inc.
|
Scott's Blatant Advertising
|
|
|
For those of you who are interested in learning more about my products and services for business, here's some additional information for you.
Security Awareness Training
-
 Live Training Sessions -
I provide live on-site training, as well as webinars, for businesses who want to quickly engage staff. This often occurs in environments where it's important to get feedback from staff during the sessions. A workshop setup can result in some immediate actionable insights that will improve the effectiveness of your security program, since staff are more invested in the safeguards selected.
-
 Comptuer-Based Training (CBT's) -
Websites can be created that lead employees through the key security topics on which your business wants people to focus. Engaging images and animations can be included to make the content more relevant and interesting. You can also include self-assessment and auditable quizzes.I've created these kinds of tailored Intranet-based web applications for general security awareness, as well as specific compliance initiatives and even records management policy awareness.
-
 Social Engineering Security Audits - Sometimes it's hard to know how vulnerable your team is, and to have good metrics to present to management. I can create tailored social engineering audits such as phishing assessments and USB drive handling tests (like the Honey Stick Project). I can use any of several new tools on the market to create and manage a repeatable program that you can use to guide awareness training, policy development and management reporting.
- Social Media Risk Management -
The use of social media for personal communications, as well as for marketing, HR and publicity, is a whole new risk area for businesses. There are new tools available for monitoring and alerting management to threats and reacting to them. I can help you navigate through this uncharted territory.
-
 Games and Quizzes -
Gamification is a great way to engage employees and prospects. I have a framework for a "trivia-game" style application that can be used in trade show booths and kiosks. It is totally customizable, so you can use any category names, with any questions and any multiple-choice answer options.
-
|
| | Demo Example: Dave's adventure with a USB drive from work... |
NEW! - Streetwise Security Awareness Animated Clips -
Another effective way of engaging people is with animations. I can create short, narrated animations (up to 2 minutes) that can be put on internal websites or used for public consumption on sites like Youtube. I am also building a library of inexpensive security animations you can purchase and use in your own programs. Click HERE to or on the image above to watch a short animated video clip called "Dave's adventure with a USB drive from work...".
You can inquire about any of these products or services by emailing me at: scott@streetwise-security-zone.com
|
|
|
|
