"Practical Security Stories to be Shared With Others"
from Scott Wright - The Streetwise Security Coach 
Issue #14. October 2015  
Quick Topic Links
* Feature Story: The life-or-death question to ask before your next MRI, or any computerized procedure...
* Terminology: "Attack Vector"
* From Scott's Blog: True story shows how scams on free classified sites will spoof PayPal for credibility
* Shared Security: Everyone you know will be able to rate you on the terrifying 'Yelp for people' - whether you want them to or not
* Cyber Security Challenge Question
* Streetwise Security Tip: Don't forget to turn off "Discoverable Mode" on your mobile devices after pairing them.
Other Interesting Stuff...
23% of people still use the same passwords everywhere

59% said they use 5 or fewer passwords. This study of 1,000 people was published by Roboform in March of 2015, and includes quite a few other interesting statistics about password security.


Security awareness education is on the rise in businesses

73% of organizations are turning to education and training to make users less susceptible to social engineering and spear phishing - up 4% from the previous year. - ISACA 2015 APT Awareness Study (must register at the site to download report)
Something I've been working on...
I've found a way of creating short, engaging animated video clips that can be used for educating staff.

Have a look at this clip, called "Dave's adventure with a USB drive at work..."


Click the image to view the video clip. I'd like to hear your comments on it, so I can create more engaging educational clips.

- Scott


Greetings!

Welcome to Issue #14 of the Streetwise Security News.

It's October, and you know what that means! Yes, it's National Cyber Security Awareness Month. I hope your organization has done something to recognize this important time of year. Because, as some people may believe, if you do something this month to highlight the importance of security awareness, then you really don't need to do anything else the rest of the year. Your team will work securely, and your CIO can sleep at night, right? (Just kidding...)

I just think it's a bit sad that we need a special month to remind people to work securely. In fact we need 12 such months. But that's just my bias showing. The best managed companies just seem to have a culture of security awareness. OK. I will end my rant now.

This month I've started reading a book that gives me hope for any kind of team-based work environment, which is to say, almost all of business. The book is called Scrum: The Art of Doing Twice the Work in Half the Time by Jeff and JJ Sutherland. If you've worked at all in software, you'll know about the Agile software development methodology, and if not, you've probably seen teams of software developers literally "standing" in a meeting for 15 minutes. This is not only the new wave of software development that works much better, but it turns out you can apply this to almost any team.

I haven't finished the book yet, and I have some burning questions when it comes to the effects on security from doing quick "sprints" to create results faster, especially when teams I've seen try to do this end up doing it in half-measures. But I think there's potential for great things here.

See the list of clickable topics on the left for a quick view of this issue's stories and content. 

If you're not already a subscriber, and would like to sign up, please click HERE. Even if you don't want to subscribe, I'd love to hear your favorite story. It doesn't have to be about security.

Cheers,
The life-or-death question to ask before your next MRI exam, or any computerized procedure...
If I were about to go in to a hospital or clinic for an MRI examination, here's the question I would now definitely ask the technician before agreeing to enter the machine: "Has the default password for this machine been changed to something strong?".  I would also want to know if the machine is connected directly to the Internet.

Medical Devices Connected to the Internet

Security researchers Scott Erven and Mark Collao presented some shocking findings at the security conference Derbycon in Louisville, Kentucky recently. It turns out that over 68,000 computer-controlled medical devices operating in clinics and hospitals of a single institution were actually connected directly to the Internet.

In fact, in that single institution, the researchers were able to identify administrator account exposures in the following areas: "21 anaesthesia, 488 cardiology, 67 nuclear medical, and 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications gear".

What's That Password Again?

But wait... it gets worse! Many of these devices were operating with user IDs and/or passwords that had not been changed from the default values set by the manufacturers when they were shipped, or they used weak passwords that could be guessed easily. This means that anyone who knows how to use the Shodan search engine for Internet-connected devices, and can find out the default credentials for a device like an MRI machine, can literally log in to the machine over the Internet at any time!

I'm sure most of us have never thought much about the security, privacy or safety of the medical equipment being used on us.

[Personally, I fear malfunctions, at least, in most MRI machines after watching a few seasons of the TV series House. But that's another type of phobia.]

But Who's Going to Try to Hack a Defibrillator?

Now, you're probably thinking, "OK, but how many deranged people would actually try to do this?" By now, if you've been reading the Streetwise Security News for any length of time, you probably know the sad answer to this question. And to illustrate the likelihood of a machine being attacked, the researchers set up a Honey Pot (one of my favorite things, as you know) that simulated a defibrillator machine connected to the Internet.

Their honey pot attracted over 55,000 actual logins from unauthorized people over the Internet, and the honey pot contracted almost 300 malware infections.

So, the risks are real, and include theft of personal information, denials of service (outages), and possibly even malfunction or malicious operations that, in some cases, could be deadly.

I have no idea why many of these devices need to be connected to the Internet. But in all seriousness, if I were going in for a procedure that involves a piece of computer-controlled medical equipment, I would call ahead to ask:
"Could you please make sure your scanner/laser/etc. machine has a good password, and can it please be disconnected from the Internet during my procedure?"

Here are a couple of links to stories with even more interesting facts regarding the above research: Here and Here.
 

Terminology - "Attack Vector"
Attack Vector - The primary mechanism by which an attacker gains access to sensitive information assets.

When you hear about a new virus or a story about a company suffering a security breach, understanding the method the attacker used is important in preventing or responding to future attacks. In a past newsletter, I described the "Kill Chain" as the sequence of events that lead to a security breach. This can be a complex path to follow. However, the idea of an Attack Vector is usually a little simpler to understand, even if the mechanism itself is complex. It's a way of describing an attack that suggests what defenses might have the best chance of stopping it.

For example, if an attacker gains access to a corporate network by using a phishing message to trick the recipient into clicking on an attachment that tries to infect their computer, then the Attack Vector could be described as a "phishing message with an infected attachment". That's how the attacker aims to gain access to your computer. You could defend against this attack vector by automatically stripping suspicious attachments, or by training people not to click on unexpected attachments.

The term is used in many ways, especially by security professionals, and they might use a wide range of attack vector definitions. This helps the security folks in understanding what the attacker is trying to do, and what techniques or tools might be able to thwart the attack in future.
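The paragraph above names two defenses against the "phishing message with an infected attachment" vector: stripping suspicious attachments automatically, and training people. As an added example (not code from this newsletter or from any mail product), here is a small attachment-policy check in Python that a mail gateway could apply before delivery. The extension lists, the magic-byte signatures, the three actions (deliver, quarantine, strip) and the sample message are all assumptions chosen for illustration; a real deployment would tune them to its own environment.

```python
"""
Attachment-policy check for the "phishing message with an infected
attachment" attack vector. Added example; not code from the newsletter
or any mail product. The lists and actions below are assumptions.
"""

# Extensions Windows will execute directly: stripped outright.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi", "dll"}
# Macro-enabled Office formats: held for review rather than delivered.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Archives and disk images can hide either of the above, so they are held too.
ARCHIVE_EXTS = {"zip", "7z", "rar", "iso", "img"}

# Leading-byte signatures used to catch content that does not match its name.
MAGIC = {
    b"MZ": "windows-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",   # plain zip and also OOXML .docx/.xlsx
}
# What the content *should* sniff as for a few common declared types.
EXPECTED_KIND = {"pdf": "pdf", "docx": "zip-container", "xlsx": "zip-container"}


def sniff(data: bytes) -> str:
    """Identify content by its first bytes; 'unknown' when nothing matches."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> tuple:
    """Return (action, reason); action is 'deliver', 'quarantine' or 'strip'."""
    exts = filename.lower().split(".")[1:]        # 'invoice.pdf.exe' -> ['pdf', 'exe']
    final = exts[-1] if exts else ""
    kind = sniff(data)
    if final in EXECUTABLE_EXTS:
        return ("strip", f"executable extension .{final}")
    if kind in ("windows-executable", "elf-executable"):
        # The name looked harmless but the bytes are a program.
        return ("strip", f"content is {kind} despite name {filename!r}")
    if final in MACRO_EXTS:
        return ("quarantine", f"macro-enabled document .{final}")
    if final in ARCHIVE_EXTS:
        return ("quarantine", f"archive .{final} needs inspection")
    if final in EXPECTED_KIND and kind != EXPECTED_KIND[final]:
        return ("quarantine", f"declared .{final} but content sniffs as {kind}")
    return ("deliver", "no policy rule matched")


def apply_policy(attachments: list) -> dict:
    """Group (filename, data) pairs by the action the policy assigns them."""
    result = {"deliver": [], "quarantine": [], "strip": []}
    for filename, data in attachments:
        action, _reason = assess_attachment(filename, data)
        result[action].append(filename)
    return result


# Constructed sample message: every attachment below is made up for this example.
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.7\n%constructed pdf body\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00constructed"),       # double extension
    ("quote.pdf", b"MZ\x90\x00constructed"),             # executable renamed to .pdf
    ("budget.xlsm", b"PK\x03\x04constructed"),           # macro-enabled workbook
    ("photos.zip", b"PK\x03\x04constructed"),
    ("notes.txt", b"plain text, nothing to see"),
]

if __name__ == "__main__":
    for filename, data in SAMPLE_ATTACHMENTS:
        action, reason = assess_attachment(filename, data)
        print(f"{action:10} {filename:18} {reason}")
```

Order matters in `assess_attachment`: the extension rule runs first so that a double extension such as `invoice.pdf.exe` is stripped regardless of its contents, and the magic-byte rule runs second so that an executable renamed to `quote.pdf` is also stripped rather than merely quarantined for a type mismatch.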
 
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
 
From Scott's Blog

Here's one of the most-viewed articles of all time from my Security Views blog...


If you might ever plan to sell something privately by advertising online, you need to be aware of the sneaky scams that bad guys are running these days. As I learned from the true story related to me below by a member of the Streetwise Security Zone community, they can be very slick; and what seems like a credible offer to purchase a vehicle or other high value item can quickly turn into a nightmare of stress and lost cash. One such scam now preys on sellers of items on sites like the free classified advertising site, Kijiji.

The tricks that make the scam work

The key elements that make this kind of scam work are:

1- The prospective "buyer" offers to pay the full asking price, or more, without any negotiation. They usually have a plausible story for why they are so interested in securing the item quickly. Sellers are always interested in getting full asking price.
 
Shared Security
Everyone you know will be able to rate you on the terrifying 'Yelp for people' - whether you want them to or not
 
So, how do you like the idea of anyone posting a comment or rating about their personal experience with you on your profile? If you don't find this to be very creepy, I think you might need to go into Social Media Rehab (if there were such a thing - maybe there should be...).

This story is evolving at the moment, but it looks like the popular business review site YELP is backing a new site called PEEPLE, that will let anyone rate anyone else, based on their mobile phone number. I have so many concerns with this business model and its impact on individuals and society in general, it isn't funny. There was talk that they were scrapping the service, but now it seems to be coming back. 

This is a story we cover in Episode 46 of the Shared Security podcast. But you probably haven't heard the end of it.

I co-host a podcast program called Shared Security. Tom Eston and I discuss security and privacy risks and tips related to the people, apps and technology you trust. This program is available on iTunes, and via email subscription at the bottom of the post on our site. We also have a Twitter account at @sharedsec and a Facebook page.


A Cyber Security Challenge Question
Which of the following is NOT a security or privacy risk from medical devices being connected to the Internet?


a)   An attacker causing the device to shut down

b)   Death via a malicious command sent to the device

c)   An attacker doing a better job of the procedure than the authorized technician

d)   Theft of personal information from the device by an attacker


Answer:
See the bottom of this newsletter for the answer. (or click HERE)
Streetwise Security Tip - Don't forget to turn off "Discoverable Mode" on your mobile devices after pairing them.
Aside from the fact that anything with wireless connectivity carries some risk, Bluetooth connections on devices are not usually a big risk these days, unless you leave them in "Discoverable" mode.

If you have recently paired the device - such as pairing your phone with your car - it might be in "Discoverable" mode, which is what you have to do so that the two devices you want to be connected can find each other. But leaving "Discoverable Mode" turned on can make it more vulnerable to attack. After pairing, you should turn the Bluetooth "discoverable" setting to "Off". This way, it will be harder for an attacker to find your device and trick it into connecting, and potentially making the data on your device accessible to them.

You can usually find the "Discoverable" setting in the Bluetooth settings of your device. Just turn "Discoverable" mode "OFF" if you're not in the process of pairing the device. In fact, why not check any devices that do Bluetooth right now, to make sure they're not Discoverable?

A Data breach story: When Uber's driver database key was exposed, it's not surprising that predators appeared
When your business model depends on software your organization develops and runs on the Internet, you need extreme Quality Assurance in every part of the process.

Uber slipped up, and it may hurt their drivers...


An incident in May of 2014 involving the Internet-based "transportation network" Uber resulted in their online driver database being exposed. The company had been using the popular site GitHub for managing its software development. However, somebody inadvertently exposed the digital security key for its database in a public page on GitHub.

Just a Little Slip Up Can Have Major Effects

This exposure apparently let one individual who saw the key have access to Uber's driver database, containing personal information on 50,000 current and former Uber drivers. A subpoena was issued to GitHub to provide details on everyone who accessed the page with the key, including IP addresses. Uber was apparently able to trace the ownership of the IP address to the Chief Technical Officer of Uber's main rival, Lyft.

Of course, it will be difficult to prove exactly who was behind any intentional, unauthorized access to the Uber database. It's also hard to say how much direct damage it caused. However, it's clear that this kind of incident does not reflect well on Uber's quality assurance practices for the development of its operational software.

The Bottom Line for Businesses

If your organization develops software and/or uses operational software that is accessible over the Internet, you need to take extra care to protect every aspect of its development and deployment. Otherwise, you could suffer major direct and indirect consequences from an unintentional exposure, or malicious attack on the software and databases.

If you can't afford to invest in reasonable protection for your web-based software systems, you probably shouldn't be in that kind of business.
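The story above turns on a single slip: a database key pasted into a file that ended up on a public GitHub page. One concrete piece of the "extra care" the bottom line asks for is a check that runs before every commit and refuses to let credential-looking strings through. As an added example (not Uber's, GitHub's or this newsletter's code), here is such a scanner in Python. The detection patterns, the entropy threshold and the sample "staged files" are assumptions constructed for this example; the only real-world detail is the documented `AKIA` prefix of an AWS access key ID, and the sample key built on it is a made-up placeholder.

```python
"""
Pre-commit secret scanner: flags credential-looking strings in files that
are about to be committed, so a database key never reaches a public
repository page. Added example, not Uber's or GitHub's code. The patterns
and threshold below are assumptions chosen for illustration.
"""
import math
import re
from collections import Counter

# Credential shapes. "AKIA" is the documented prefix of an AWS access key ID;
# the private-key header and the key=value rule are generic heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|db[_-]?key|token)\b"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
# Runs of 32+ base64-alphabet characters are candidates for an unlabelled
# key; they are reported only when they look random (high entropy).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
ENTROPY_THRESHOLD = 4.0   # bits per character; assumption for this example


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list:
    """Return one finding dict per credential-looking value found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()   # values already reported on this line (avoid duplicates)
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a capture group report the captured value only.
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                if value in seen:
                    continue
                seen.add(value)
                findings.append({"line": lineno, "kind": kind, "value": value,
                                 "entropy": round(shannon_entropy(value), 2)})
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            if token in seen or shannon_entropy(token) < ENTROPY_THRESHOLD:
                continue   # already reported, or a long but repetitive string
            seen.add(token)
            findings.append({"line": lineno, "kind": "high_entropy_token",
                             "value": token,
                             "entropy": round(shannon_entropy(token), 2)})
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> text; returns (path, finding) pairs in file order."""
    return [(path, f) for path, text in files.items() for f in scan_text(text)]


def should_block_commit(files: dict) -> bool:
    """A pre-commit hook would exit non-zero when this returns True."""
    return bool(scan_files(files))


# Constructed sample "staged files": every value below is made up.
SAMPLE_FILES = {
    "config/database.yml": (
        "production:\n"
        "  adapter: postgresql\n"
        "  db_key: k9Qz3vLp8sRt2wXy7nMb4cVf6hJd1gAe\n"
    ),
    "config/app.ini": "[db]\nuser = app\npasswd = changeme1\n",
    "deploy/notes.txt": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY0000AB\n",
    "ops/id_deploy": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedBodyNotARealKey\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "src/app.py": "DEBUG = True\nTIMEOUT = 30\n",
}

if __name__ == "__main__":
    for path, f in scan_files(SAMPLE_FILES):
        print(f"{path}:{f['line']}: {f['kind']} (entropy {f['entropy']}): {f['value']}")
    if should_block_commit(SAMPLE_FILES):
        print("commit blocked: remove the values above from the files and rotate them")
```

Two design points worth noting. A `passwd = changeme1` line is reported even though its entropy is low, because the keyword on the left is evidence enough; entropy is used only to decide whether an unlabelled 32-character run is worth raising. And blocking the commit is only half the fix: a key that was ever pushed to a public page, as in the Uber case, has to be treated as compromised and rotated, which no scanner can do for you.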

Here's an SC Magazine article on the breach.

Answer to the Cyber Security Challenge Question (from above)
Which of the following is NOT a security or privacy risk from medical devices being connected to the Internet?

Answer: The correct answer is: c)   An attacker doing a better job of the procedure than the authorized technician

The rest are real risks from having medical devices connected to the Internet.

Thanks for Reading!

I get a lot of positive feedback on this newsletter when I'm speaking to people in person or on the phone who are subscribers. But it's always nice just to get an email that lets me know you feel this newsletter is a worthwhile read.

If you found this issue to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note.

In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of.

Sincerely,

 
Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.



Scott's Blatant Advertising

For those of you who are interested in learning more about my products and services for business, here's some additional information for you.



Security Awareness Education and Assessment
  • Live Training Sessions -
    I provide live on-site training, as well as webinars, for businesses who want to quickly engage staff. This often occurs in environments where it's important to get feedback from staff during the sessions. A workshop setup can result in some immediate actionable insights that will improve the effectiveness of your security program, since staff are more invested in the safeguards selected.
  • Computer-Based Training (CBTs) -
    Websites can be created that lead employees through the key security topics on which your business wants people to focus. Engaging images and animations can be included to make the content more relevant and interesting. You can also include self-assessment and auditable quizzes. I've created these kinds of tailored Intranet-based web applications for general security awareness, as well as specific compliance initiatives and even records management policy awareness.
  • Periodic phishing assessments - I'm extremely happy to have recently become a KnowBe4 reseller, which means I can now help customers plan and implement very efficient and effective automated phishing assessments. I can offer a free baseline phishing assessment trial that will illustrate how vulnerable your organization is to phishing attacks.
  • Social Media Risk Management -
    The use of social media for personal communications, as well as for marketing, HR and publicity, is a whole new risk area for businesses. There are new tools available for monitoring and alerting management to threats and reacting to them. I can help you navigate through this uncharted territory.
  • Games and Quizzes -
    Gamification is a great way to engage employees and prospects. I have a framework for a "trivia-game" style application that can be used in trade show booths and kiosks. It is totally customizable, so you can use any category names, with any questions and any multiple-choice answer options.
  • Subscription-based security awareness content updates -
    An effective way to keep people engaged with current security threats is to provide them with periodic updates that include case studies, tips and snap quizzes. These can even be made auditable, and form part of a Performance Objectives system within your business.
  • Streetwise Security Awareness Animated Clips -
    Another effective way of engaging people is with animations. I can create short, narrated animations (up to 2 minutes) that can be put on internal websites or used for public consumption on sites like Youtube. I am also building a library of inexpensive security animations you can purchase and use in your own programs. Click HERE or on the image above to watch a short demo clip called "Dave's adventure with a USB drive from work...".

You can inquire about any of these products or services by emailing me at: scott@streetwise-security-zone.com