"Practical Security Stories to be Shared With Others"
from Scott Wright - The Streetwise Security Coach 
Issue #12. August 2015  
Quick Topic Links
* Feature Story: A fridge that gives up your Gmail password? That's just cold...
* Terminology: "Doxing"
* From Scott's Blog:  ISAC is a community-based approach to addressing cyber risks in industry verticals
* Shared Security: Vizio SmartTV's Collect a Scary Amount of Information
* Cyber Security Challenge Question
* Streetwise Security Tip: To reduce privacy and social engineering risks, use a reputable, paid email service for important electronic correspondence
* A Data breach story: Ashley Madison's big can of worms...
Other Interesting Stuff...
Don't Get Doxed: 5 Steps to Protecting Your Private Information on the Web

This article has some pretty extreme measures for trying to avoid the risks of having your sensitive information dug up and published online.



Q: What do Malware Infections, Proxy Avoidance, and Child Exploitation have in common?
A: These are the top 3 categories of suspicious activities going on in the Deep Web.


Trend Micro's whitepaper on "Exploring the Deep Web" reveals the very scary, larger parts of the Internet iceberg you should really know about, but may not want to...
 
Something I've been working on...
I've found a way of creating short, engaging animated video clips that can be used for educating staff.

Have a look at this clip, called "Dave's adventure with a USB drive at work..."


Click the image to view the video clip. I'd like to hear your comments on it, so I can create more engaging educational clips.

- Scott


Greetings!

Welcome to Issue #12 of the Streetwise Security News.

I hope you're having a great summer (at least if you're in the Northern Hemisphere). I just finished a trip to Italy with extended family, and am feeling very much recharged. I wasn't expecting to be driving a "manual-transmission" mini-bus all over Tuscany, but I now have a great feeling of accomplishment...

Recently, I've been reading a couple of books, as well as getting a special preview of the new documentary "Deep Web". So, I've got some good recommendations for you.

First, the book Rise of the Robots is a bleak, but eye-opening look at where our economy is headed with the revolution in Artificial Intelligence, Machine Intelligence and Robotics. I'm wondering, if the majority of jobs can be replaced by robots, how will the surge in unemployment be addressed, or will it? While it has some heavy economic discussions, the message is important: that our basic assumptions about what drives our economy are already shifting, in virtually every sector.

Second, the book Spam Nation by Brian Krebs provides an interesting story about the birth of botnets and what's driven cyber crime for the past 10 years. While I didn't know if a book about spam was key to information security, Brian does a good job of making the connection. It explores how those who drive the pharma wars and other spam-based markets view themselves as legitimate businesspeople.

Similarly, the new documentary "Deep Web" explores the takedown of the Silk Road online drug market, and the extreme prosecution of a guy who may or may not be guilty. You should see the movie and decide. (Thanks to Trend Micro for inviting me to their special viewing of the film.)

See the list of clickable topics on the left for a quick view of this issue's stories and content. 

If you're not already a subscriber, and would like to sign up, please click HERE. You'll automatically receive a free copy of my Security Resource Guide that has links and source info for the tools I use on a daily basis.

Cheers,
Scott Wright

A fridge that gives up your Gmail password? That's just cold...
The next time you go shopping for appliances, you might want to add this point to your checklist: "Can I trust it not to give up my password?"

The recent discovery of a vulnerability in Samsung's smart fridge illustrates one of the many security issues with connecting your everyday appliances to the Internet. It turns out that Samsung cut some corners in how it connects to your Gmail calendar, so that it could help you schedule your daily life from the kitchen.

You've probably been told by now that when you're logging in to a website, or entering sensitive information online like credit card numbers, you should always look for the "lock icon" in your browser. This tells you that the website is using a valid certificate for security, and that you should be able to trust the website.

Unfortunately, a security research organization called Pen Test Partners discovered that some models of Samsung fridges don't do the equivalent of this simple "lock check" to make sure the Google calendar site is actually the real one. This leaves the door open to an attacker tricking your fridge into thinking it's connecting with a secure site when it's not.

By setting up a wi-fi access point with a strong signal near your house, an attacker could send a "disconnect" request to your fridge, and then replicate your home wi-fi network name. There's a good chance the fridge (or any other wi-fi enabled appliance) would then connect to the Internet using the attacker's access point, giving them a privileged position as a "Man-in-the-Middle". By faking a Google calendar login page, the researchers demonstrated that such an attacker could then capture the login information sent by the fridge, including your Gmail password. (Don't forget how many other Google services you might access using the same Gmail or calendar password. That's why I've been recommending using different accounts for different Google services.)

Of course, Samsung has already promised to fix the problem. But this isn't the first time a Samsung fridge has failed to secure customer information. Previously, they apparently were not securing voice commands being sent over the Internet. So, this latest incident has to raise the question, "Can I trust it?" whenever you consider connecting an appliance to the Internet.

This article has more information on the fridge's Gmail password vulnerability.
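To show what the missing "lock check" actually means in code, here is an added example (my own illustration, not code from the newsletter, Samsung or Pen Test Partners). It starts a local impostor TLS server with a self-signed certificate for a constructed hostname, calendar.example.test, and connects to it twice: once the way the fridge did, with certificate validation switched off, and once with Go's default validation, which rejects the impostor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// impostorCert: a throwaway self-signed cert for name, like one a rogue access point would present.
func impostorCert(name string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// HandshakeSucceeds reports whether a client completes a TLS handshake with a local
// impostor server; skipVerify=true mirrors the fridge's missing "lock check".
func HandshakeSucceeds(skipVerify bool, hostname string) bool {
	srv := &tls.Config{Certificates: []tls.Certificate{impostorCert(hostname)}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return false
	}
	defer ln.Close()
	go func() { // the impostor answers a single connection
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // returns an error when the client rejects the cert
			c.Close()
		}
	}()
	// ServerName is who the client thinks it talks to; InsecureSkipVerify skips chain and name checks.
	cli := &tls.Config{ServerName: hostname, InsecureSkipVerify: skipVerify}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

func main() {
	fmt.Println("no validation, impostor accepted:", HandshakeSucceeds(true, "calendar.example.test"))
	fmt.Println("validation on, impostor accepted:", HandshakeSucceeds(false, "calendar.example.test"))
}
```

The first call prints true and the second false: the only difference between "your password goes to the attacker" and "the connection is refused" is whether the client bothers to validate the certificate.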

Terminology - "Doxing"
Doxing -  A malicious action against an individual or organization where the attacker gathers sensitive information about their target through various means, and then publishes it on the Internet.

Doxing (or Doxxing) is usually done as a protest or some type of retribution. It can even be used as part of an ultimatum for extortion. See the Ashley Madison story below.
 
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
 
From Scott's Blog

Here's a recent extract from my Security Views blog...

I often teach organizations to educate users on doing their jobs securely by focusing on doing only the things they are authorized to do. Anything else that comes up - like "out of the blue" requests from outsiders - should be treated with caution. This lets employees work efficiently in areas they know well, and gives them guidance on when to double-check and take extra security precautions.

A similar approach has been used successfully by cooperative industry organizations called Information Sharing and Analysis Centers (ISAC). These types of organizations offer some degree of promise for setting up guidelines and standards to reduce risks for businesses within their industry area.
 
Shared Security
Vizio SmartTV's Collect a Scary Amount of Information
 


Would you trust a TV that collects and sends information such as the identity of your broadcast, cable, or satellite television provider, the television programs and commercials you view (including time, date, channel, and whether you view them live or time-shifted)? See more at: http://www.securprivacy.org/2014/05/vizio-interactive-smarttv/

This is a story we cover in Episode 43 of the Shared Security podcast.

I also co-host a podcast program called Shared Security. Tom Eston and I discuss security and privacy risks and tips on this program available on iTunes. We also have a Twitter account at @sharedsec and a Facebook page.


Pinterest Pic of the Month
This young hacker says, "Your ignorance is my job security." Sad, but true. When you use online services or connected devices without understanding and dealing with the risks, somebody will be in a position to benefit from your exposure.

Courtesy:
http://blog.totaljobs.com/wp-content/uploads/2012/11/Ignorance-MEME.jpg

A Cyber Security Challenge Question
Why would you not want to be "doxed"?

a) It can cause a bad rash
b) Your personal information would be made public
c) You would have to pay a fine
d) You would face the same risks as being phished


Answer:
See the bottom of this newsletter for the answer. (or click HERE)
Streetwise Security Tip - To reduce privacy and social engineering risks, use a reputable, paid email service for important electronic correspondence
When you use free email services like Hotmail, Outlook.com, Yahoo Mail or Gmail, you may be putting your messages at greater risk.

These free email services are a big target for attackers. For example, Sarah Palin's Yahoo mail was broken into by hackers who guessed her password reset questions.

Using a paid email service doesn't guarantee that you won't get hacked, but it can make you less of a target. When an attacker sees that your email address is "...@gmail.com" it could tempt them to try a social engineering or phishing attack, based on the well-known look and feel of the free email services.

Also, the paid email services offered by companies like Yahoo (for as little as $5 per month) often have better privacy policies and better technical support for users than their free services.

A Data breach story: Ashley Madison's big can of worms...
For those not living on Earth...

It's unlikely that you have not heard, in some way, about Ashley Madison. But if you need a refresher, here's a start.

The site offers to connect people who are willing to have an affair. In July of this year, the news story broke that the company's network had been hacked, with the attackers claiming to have stolen millions of client records. They threatened to leak all of the stolen data if the website did not shut down.

In mid-August, the hacker(s) going by the name "Impact Team" released gigabytes of data they say was stolen from Ashley Madison, apparently because the site had not complied with their ultimatum. The data includes private customer information, including their "personal preferences". It also apparently included other sensitive corporate information, including internal emails and the computer source code to their software.

The Implications

There are just so many stories to be made from this one data breach, I can't cover them all here. But I will offer some observations.
  1. When analyzing this breach, it quickly becomes apparent that there are a lot of complicating factors, both in the cause, and in the impact. The attackers apparently began their actions against the site because it was charging customers $20 to have their profiles deleted. The attackers also revealed that the profiles of people who paid the fee were not actually deleted. So, it seems that there was some sense of retribution that contributed, at least to the scale of the attack, if not to the actual cause of the attack itself.
  2. Avid Life Media (the Toronto-based owner of Ashley Madison) offered a $500,000 bounty for information leading to the discovery of the attackers' identities. Clearly, this approach did not work for them.
  3. After the private customer information was released, many stories emerged indicating that many members joined as a way of "checking up on their spouses". Some apparently even got refunds for cancelling their memberships almost immediately after joining. So, while you may have no sympathy for those who joined with the intent of cheating on their partners, it seems unfortunate that some innocent people may have been victimized by this breach.
  4. Some of the leaked internal email correspondence suggests that the site's management had also hacked into a competitor's network. As I said, the story just grows in all directions.
This case mixes many interesting issues together: moral, legal, security and privacy. It's not clear yet how the attackers were successful in accessing the site's sensitive information. Some claim it was possibly done by an inside employee (or former employee). Regardless, a class action lawsuit for hundreds of millions of dollars is now being launched.

You can read more about this data breach case in this Ars Technica article and in several posts on Brian Krebs's Krebs on Security.


Answer to the Cyber Security Challenge Question (from above)
Question - Why would you not want to be "doxed"?

Answer: b) Your personal information would be made public

When you get doxed, an attacker publishes information they have gathered about you from websites you've used.

Thanks for Reading!

If you found this newsletter to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note.

In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of.

Sincerely,

 
Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.



Scott's Blatant Advertising

For those of you who are interested in learning more about my products and services for business, here's some additional information for you.



Security Awareness Training
  • Live Training Sessions -
    I provide live on-site training, as well as webinars, for businesses who want to quickly engage staff. This often occurs in environments where it's important to get feedback from staff during the sessions. A workshop setup can result in some immediate actionable insights that will improve the effectiveness of your security program, since staff are more invested in the safeguards selected.
  • Computer-Based Training (CBT's) -
    Websites can be created that lead employees through the key security topics on which your business wants people to focus. Engaging images and animations can be included to make the content more relevant and interesting. You can also include self-assessment and auditable quizzes. I've created these kinds of tailored Intranet-based web applications for general security awareness, as well as specific compliance initiatives and even records management policy awareness.
  • Periodic phishing assessments - I'm extremely happy to have recently become a KnowBe4 reseller, which means I can now help customers plan and implement very efficient and effective automated phishing assessments. I can offer a free baseline phishing assessment trial that will illustrate how vulnerable your organization is to phishing attacks.
  • Social Media Risk Management -
    The use of social media for personal communications, as well as for marketing, HR and publicity, is a whole new risk area for businesses. There are new tools available for monitoring and alerting management to threats and reacting to them. I can help you navigate through this uncharted territory.
  • Games and Quizzes -
    Gamification is a great way to engage employees and prospects. I have a framework for a "trivia-game" style application that can be used in trade show booths and kiosks. It is totally customizable, so you can use any category names, with any questions and any multiple-choice answer options.
  • NEW! - Streetwise Security Awareness Animated Clips -
    Demo Example: Dave's adventure with a USB drive from work...
    Another effective way of engaging people is with animations. I can create short, narrated animations (up to 2 minutes) that can be put on internal websites or used for public consumption on sites like Youtube. I am also building a library of inexpensive security animations you can purchase and use in your own programs. Click HERE or on the image above to watch a short animated video clip called "Dave's adventure with a USB drive from work...".

You can inquire about any of these products or services by emailing me at: scott@streetwise-security-zone.com