"Practical Security Stories to be Shared With Others"
from Scott Wright - The Streetwise Security Coach 
Issue #11. July 2015  
Quick Topic Links
* Feature Story: Just when you thought it was safe to drive a new car...
* Terminology: FUD
* From Scott's Blog: Politically correct justifications for addressing insider employee security threats
* Social Media Security: Fake Notice From Facebook
* Cyber Security Challenge Question
* Streetwise Security Tip: Wait a while before upgrading to brand new versions of software
Other Interesting Stuff...
Here's a cool site with tons of privacy tools you can use for free:
54% of all phishing attacks in the 2nd half of 2014 targeted just three brands: Apple, PayPal and Taobao

Some really significant data from the Anti-Phishing Working Group (APWG) in this PDF report.
Something I've been working on...
I've found a way of creating short, engaging animated video clips that can be used for educating staff.

Have a look at this clip, called "Dave's adventure with a USB drive at work..."

Click the image to view the video clip. I'd like to hear your comments on it, so I can create more engaging educational clips.

- Scott


Welcome to Issue #11 of the Streetwise Security News.

There's been another busy month of news about major hacks and vulnerabilities. So many, in fact, I had a hard time choosing stories for this issue. 

As a security professional, it's getting difficult to avoid the ire of some folks who feel that there's too much FUD (Fear, Uncertainty and Doubt) being used to oversell security products and solutions. If you aren't familiar with the acronym, I expand on it in the Terminology section below. But if the trend is getting worse, it's hard to overstate the threats and the vulnerabilities to which people and businesses are exposing themselves.

I'm also planning to do some fun work in the area of wireless security assessments that I hope to reveal more about in the future. So, the job of trying to save the world from information security risks is definitely getting busy!

See the list of clickable topics on the left for a quick view of this issue's stories and content. 

If you're not already a subscriber, and would like to sign up, please click HERE. You'll automatically receive a free copy of my Security Resource Guide that has links and source info for the tools I use on a daily basis.

Scott Wright

Story1This guy was brave. Would you drive a hacked vehicle on a highway?
You've probably heard the news story about the guy who's Jeep got hacked - while he was driving it...! Yes, it is true, and the guy driving didn't know what was going to happen, even though he was a journalist who had faced the same attackers before.

Just to be clear, this was a partially controlled  demonstration by two well-known security researchers: Charlie Miller and Chris Valasek. Two years ago, these guys got a grant from the US Government to see how vulnerable modern vehicles were to being hacked. Their findings at that time showed that they could connect a computer to a Toyota Prius computer system and have a level of control over the car's brakes and steering. This required them to have a computer connected to the vehicle's computer system at the time. Here's a Youtube link to a video of their presentation at a hacker conference in 2013. There's some good video footage of them in action, starting at time 36:15 in the Youtube clip.

More recently, they started trying to hack vehicles with the new Uconnect feature - a feature that links the vehicle with other services on the Internet. They were surprised to learn that they could not only locate and monitor an astounding number of vehicles remotely over the Internet (from their basement, no less), but they were literally able to tamper with their test vehicle's radio, brakes, windshield wipers, steering, and engine controls. Here's the Wired Magazine article that explains what they did in more detail, which includes some video of the journalist driver. (Warning: some harsh language as he gets ambushed by injected events while driving at 70 mph.)

I have two main comments on this story:

1- It's shocking to find these kinds of vulnerabilities in products that are used widely today, and that have extreme safety implications for everyone on the road (even if you don't own a hackable vehicle); and

2- This is just the beginning of the freak show we're about to encounter over the next few years, as everything tries to connect to the Internet without proper consideration for the security (and safety) implications.

Even products that are not intended to be used maliciously will become tools for attackers. As Gartner's Dr. Anton Chuvakin explains in his recent blog article, we have to start building tractors as if they were tanks, sadly.

I agree. We need to put more pressure on manufacturers to consider risks to security and safety due to Internet connectivity.


Terminology2Terminology -  "FUD"
FUD -  An acronym for Fear, Uncertainty and Doubt.

The term FUD is often used in a derogatory way, much like the term "fear-mongering".  There's no doubt that some sales people are extremely good at playing on your fears in order to get you to buy things like insurance and alarm systems.

I hope my stories don't come across as FUD. I try to put them in perspective for people who may not have thought of all the implications of their environment and their habits. But it's hard to overstate the importance and the potential impact that many of today's data breaches, hacks and demonstrated vulnerabilities could have on people. Sadly, people don't pay much attention to security until they are directly affected. With this in mind, I try to just get them to consider the likelihood and impact of various risks. So, depending on how self-assured you feel, you might think I over-use FUD in my stories. But I hope not. Let me know what you think.
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
BlogScott's Recent Blog Posts

Here's a recent extract from my Security Views blog...

 Nobody wants to be suspected of being untrustworthy, or acting against their employer or other employees. So, senior managers can be hesitant or unwilling to deal seriously with insider security threats. They may not want to face backlash from employees who feel they are being treated like criminals. Some Apple Store employees apparently complained to Apple CEO Tim Cook that some mandatory bag searches of employees leaving their shifts are unnecessarily embarrassing, and are sometimes even done in public.

It's understandable that this is a touchy subject with employees; but there are ways that employers can start to take a reasonable position on reducing risks from insiders.


SMSECSocial Media Security
Fake Notice From Facebook
Here's a good example of how crafty attackers are getting. I received this email, apparently from Facebook Security, saying that my account had been locked due to suspicious activity. It then said, "Click here to unlock your account." I almost clicked on it. But first, I checked the email address the message was sent to. It didn't match the address I use for my Facebook account. So, it's clearly a phishing scam.

Be careful with scary emails. Taking an extra few seconds to examine them for legitimacy can save you a lot of trouble (and panic).

The reason the message here doesn't show the normal Facebook logo or images is that I turn off "image previewing" for all my emails. This way, the images aren't requested when I view or preview the message, and spammers like this don't really know if the account they sent the message to is valid. Spammers can see that the email address is valid, if images are loaded automatically when you open the message.

I also co-host a podcast program on Social Media Security, soon to be renamed as Shared Security. Tom Eston and I discuss security and privacy risks and tips on this program available on iTunes.

Pinterest Pic of the Month
A good reason NOT to use your pet's name as your password...?


ChallengeA Cyber Security Challenge Question
What does FUD stand for?:


a)   Forget, Unremember and Delete

b)   Fear, Uncertainty and Doubt

c)   Firewalls, Users and Defences

d)   Facebook Unicorn Damage

See the bottom of this newsletter for the answer. (or click HERE)
TipStreetwise Security Tip - Wait a while before upgrading to brand new versions of software
When a brand new version of software comes out - like Microsoft's Windows 10, which comes out this month (July, 2015) - it's usually a good idea to wait until most of the wrinkles are ironed out, especially in the area of security.

Just like when a new car model comes out with a totally new design, and there always seems to be a deluge of recalls, new software has very similar issues. New features in software are getting more and more complex, and they connect with numerous other components and subsystems. So, there are lots of opportunities for errors in the software code, which translates into vulnerabilities for security.

Unless you desperately need that new Windows 10 where your computer shares your home wifi password silently with visiting guests... (let's not even go there right now. I'll try to talk about this in another issue, but it just sounds bad right now. What could possibly go wrong there?)

Consider waiting a little while before upgrading when major new versions of software like Windows, MacOS or iOS are released. There's usually no rush.

Story2A Data breach story: UCLA Health System data breach affects 4.5 million patients
I'm getting increasingly angered by each new data breach story in the news. Too often, organizations make bold statements about how they take the security of their clients' personal information very seriously, and that they are working hard to improve security... But, these statements always seem to be made immediately after they've had to disclose a major security incident.

In this case, the UCLA Health System disclosed that they had a data breach affecting 4.5 million patients' health care records. Like many others, their official statement rings hollow: "We take this attack on our systems extremely seriously," said Dr. James Atkinson, interim president of the UCLA Hospital System. "For patients that entrust us with their care, their privacy is our highest priority. We deeply regret this has happened."

Then, we learn that despite similar organiztaions experiencing similar recent breaches, "...it seems that personal data compromised in the latest breach were still not encrypted". This is one of the fundamental ways to mitigate the risks from malicious attacks on personal information.

We don't know the details of this incident, but we do know it's huge, and while it was preventable through encryption, and there were warning signs about these risks, there seems to be a serious deficiency in security, despite the organization's reassurance that they take security seriously.

What do you think?...

You can read more about this data breach case HERE.

Answer to the Cyber Security Challenge Question (from above)
answerQuestion - What does FUD stand for?:

Answer: b)   Fear, Uncertainty and Doubt

It's a term you use to imply that somebody is fear-mongering.
If you found this newsletter to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note.

In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of.


Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.

Scott's Blatant Advertising

For those of you who are interested in learning more about my products and services for business, here's some additional information for you.

Security Awareness Training
  • Live Training Sessions -
    I provide live on-site training, as well as webinars, for businesses who want to quickly engage staff. This often occurs in environments where it's important to get feedback from staff during the sessions. A workshop setup can result in some immediate actionable insights that will improve the effectiveness of your security program, since staff are more invested in the safeguards selected.
  • Comptuer-Based Training (CBT's) -
    Websites can be created that lead employees through the key security topics on which your business wants people to focus. Engaging images and animations can be included to make the content more relevant and interesting. You can also include self-assessment and auditable quizzes.I've created these kinds of tailored Intranet-based web applications for general security awareness, as well as specific compliance initiatives and even records management policy awareness.
  • Periodic phishing assessments - I'm extremely happy to have recently become a KnowBe4 reseller, which means I can now help customers plan and implement very efficient and effective automated phishing assessments. I can offer a free baseline phishing assessment trial that will illustrate how vulnerable your organization is to phishing attacks.
  • Social Media Risk Management -
    The use of social media for personal communications, as well as for marketing, HR and publicity, is a whole new risk area for businesses. There are new tools available for monitoring and alerting management to threats and reacting to them. I can help you navigate through this uncharted territory.
  • Games and Quizzes -
    Gamification is a great way to engage employees and prospects. I have a framework for a "trivia-game" style application that can be used in trade show booths and kiosks. It is totally customizable, so you can use any category names, with any questions and any multiple-choice answer options.
  • Demo Example: Dave's adventure with a USB drive from work...
    NEW! - Streetwise Security Awareness  Animated Clips
    Another effective way of engaging people is with animations. I can create short, narrated animations (up to 2 minutes) that can be put on internal websites or used for public consumption on sites like Youtube. I am also building a library of inexpensive security animations you can purchase and use in your own programs. Click HERE to or on the image above to watch a short animated video clip called "Dave's adventure with a USB drive from work...".

You can inquire about any of these products or services by emailing me at: [email protected]