"Practical Security Stories to be Shared With Others"
from Scott Wright - The Streetwise Security Coach 
Issue #15. November 2015  
Quick Topic Links
* Feature Story: The life-or-death question to ask before your next MRI, or any computerized procedure...
* Terminology: "Man-in-the-Middle attack"
* From Scott's Blog: The Top 10 reasons NOT to do security awareness training
* Shared Security: Why fingerprints are NOT a good alternative for passwords
* Cyber Security Challenge Question
* Streetwise Security Tip: Disable "tap-to-pay" feature on debit cards
Other Interesting Stuff...
Social Media has now become the #1 way to breach an organization's corporate network

According to a Forrester report discussed in this ZeroFox blog post, SOCMINT is the new buzzword for Cyber Threat Intelligence initiatives to track down threats that occur through social media


7 Great pieces of ammunition to counter executive resistance to phishing assessments

This KnowBe4 article explains how to justify running simulated phishing attacks against your own staff, both to prepare them and to measure how well they recognize real phishing attacks.
Something I've been working on...
I've found a way of creating short, engaging animated video clips that can be used for educating staff.

Have a look at this clip, called "Dave's adventure with a USB drive at work..."


Click the image to view the video clip. I'd like to hear your comments on it, so I can create more engaging educational clips.

- Scott


Greetings!

Welcome to Issue #15 of the Streetwise Security News.

This month I've been busy trying to complete some projects, and am starting some others. But I've also had the chance to speak more with friends and associates lately on their personal concerns about security and privacy.

Often I've heard concerns about how much information people share on social media sites like Facebook and Twitter. It's not just the younger generation who doesn't seem to fully appreciate the consequences of sharing everything they do with a large group of friends, or with the entire world. Many people just don't feel like they are at risk: they aren't really a target, they have nothing of value that anyone would want. This just doesn't matter any more. Everyone is a potential target for many reasons: the people and data they are close to, the beliefs they hold, and even the place they live. It's hard to predict the "who" or "why" of an attack, but you can reduce the risk a lot by revealing a little less.

I think we need to spend a lot more time discussing the consequences of OVERSHARING on the Internet. Please take some time when visiting with others over the next month to help people think through the risks of the sites and services they use, and how they use them. I'd love to hear your observations and tips on making progress in this area with friends, families and colleagues.

As for books, I've been reading a novel called Invasion of Privacy by Ian Sutherland. This is an extremely well-written murder mystery with an interesting mix of cyber risks and social engineering twists. It has a timely plot (somewhat adult themed, with a bit of harsh language), but also some plausible situations to which I think most people can relate. The brutal descriptions of the crime scenes give you a real sense of the WORST CASE scenarios for threats like cyber stalking... very realistic. There's also a free prequel that the author informed me about after I mentioned the book in the latest Shared Security podcast. The prequel is available HERE.

See the list of clickable topics on the left for a quick view of this issue's stories and content. 

If you're not already a subscriber, and would like to sign up, please click HERE. Even if  you don't want to subscribe, I'd love to hear your favorite story. It doesn't have to be about security.

Cheers,
This phone scam exploits your trust in storage sites like Google Drive...
There are a number of different social engineering scams that exploit your trust in free public sites like Google Drive. Here's how the latest version works.

How the attack appears

You receive a phone call from somebody who claims to be with an organization you know of, and in which you may have an interest. It could be a charity or some other well-known organization that the attacker, after a bit of research, expects you to care about. They have a plausible story about an event or offering that may sound very attractive to you.

Once they have your interest, they ask if they can send you some more information about the offer or event. They tell you that they will email you a link to a document with full details, shared via Google Drive, the popular free file storage service offered by Google. (NOTE: the same trick works just as well with Dropbox or any other storage site.)

Shortly afterwards you receive the promised email, with a link to what looks like a Google Drive document. If you click the link, you are prompted to log in to your Google Account, which seems perfectly normal. The trick is that this is not a real Google login page: it is a copy controlled by the attacker, and it harvests your Google user ID and password.

Why the attack works

What makes this attack seem even more realistic is that you receive an email you were expecting, because of the phone call. You may feel that the chances of getting both a scam phone call and a malicious email are slim. But this kind of attack is growing in popularity, and there are variations that can even simulate Google's "2-factor" or "2-step" verification. Behind the scenes, the attacker logs in to your real Google account with the user ID and password you just typed into the fake page. That real login is what causes Google to send an authentication code to the mobile phone already registered on your account, so the attacker doesn't even need to know your number. The fake page then asks you to enter the code, the attacker relays it to the real login, and they are in. This is what's called a "Man-in-the-Middle attack" (see the Terminology section below).

What to watch for

Just because you receive an email with a link you were expecting, based on a phone call, doesn't mean it's legitimate. Think about whether the original phone call might be a scam, before agreeing to open a document sent in a link to Google Drive.

Here is a link to a story that explains the basic Google Drive attack in more detail, and here's one that explains a version of the attack that uses the "2-step" authentication "Man-in-the-Middle" attack.
 

Terminology -  "Man-in-the-Middle attack"
Man-in-the-Middle attack - An attack in which the attacker sits between you and a legitimate service. They present you with a fake authentication page and, in real time, relay whatever you enter (user ID, password and any one-time code) to the real service, so that the service authenticates them as you while you believe you are logging in normally.

This is a very sophisticated type of attack, but one that is being launched more frequently, in scenarios where it is easy for an attacker to trick you due to growing familiarity with well-known services such as Google Drive and Dropbox.
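To make the relay in the Google Drive story and the definition above concrete, here is an added simulation. It is not code from this newsletter or from Google: the "real service", the two site names, the victim's behaviour and the HMAC-based "signature" are all stand-ins constructed for the example. The first relay shows that a "2-step" code typed into the attacker's page is just as good for the attacker as for you. The second shows the same relay failing against an origin-bound credential, where the user's device signs a challenge together with the name of the site it is actually on (the approach FIDO/WebAuthn-style authenticators take), so a code or signature collected on the wrong site is refused.

```python
import hashlib
import hmac
import secrets

# Assumed names for the example; neither is a real hostname.
REAL_ORIGIN = "accounts.google.example"     # the legitimate login service
PHISH_ORIGIN = "drive-share-login.example"  # the attacker's fake "Google Drive" page


def sign(key, challenge, origin):
    """Model of an authenticator signature over (challenge, origin).
    HMAC stands in for a real public-key signature in this simulation."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class RealService:
    """Stand-in for the legitimate account service: password plus "2-step" code."""

    def __init__(self, users):
        self.users = users      # username -> {"password": ..., "key": ...}
        self.pending = {}       # username -> code awaiting entry
        self.phone = {}         # username -> last code "sent" to the user's handset
        self.sessions = {}      # session token -> username

    def login(self, user, password):
        """Step 1: on a correct password, text a one-time code to the user's phone."""
        if self.users.get(user, {}).get("password") != password:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.phone[user] = code     # sent by the service itself; the attacker needs no phone number
        return True

    def verify_code(self, user, code):
        """Step 2: whoever presents the right code gets a session, wherever it was typed."""
        if self.pending.pop(user, None) != code:
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token

    def challenge(self):
        """Origin-bound alternative, step 1: hand out a fresh random challenge."""
        return secrets.token_hex(8)

    def verify_signed(self, user, challenge, origin, sig):
        """Origin-bound alternative, step 2: accept only a signature over OUR origin."""
        expected = sign(self.users[user]["key"], challenge, origin)
        if origin != REAL_ORIGIN or not hmac.compare_digest(expected, sig):
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token


class Victim:
    """Does exactly what the page in front of them asks, as a real user would."""

    def __init__(self, service, user, password, key):
        self.service, self.user, self.password, self.key = service, user, password, key

    def fill_login(self):
        return self.user, self.password

    def read_code_from_phone(self):
        return self.service.phone[self.user]

    def sign_for(self, challenge, origin):
        # The browser/authenticator, not the user, fixes the origin being signed,
        # so the victim cannot be talked into signing for a site they are not on.
        return sign(self.key, challenge, origin)


def relay_password_and_code(service, victim):
    """The attack from the story: the fake page relays everything in real time."""
    user, password = victim.fill_login()      # typed into the fake Drive login
    if not service.login(user, password):     # attacker logs in as the victim...
        return None
    code = victim.read_code_from_phone()      # ...the real code arrives; the fake page asks for it
    return service.verify_code(user, code)    # attacker now holds a genuine session


def relay_origin_bound(service, victim):
    """Same relay against an origin-bound signed challenge: the session is refused."""
    user, _ = victim.fill_login()
    challenge = service.challenge()                  # attacker fetches a real challenge
    sig = victim.sign_for(challenge, PHISH_ORIGIN)   # victim's device signs for the fake site
    return service.verify_signed(user, challenge, REAL_ORIGIN, sig)  # forged origin claim fails


def demo():
    """Returns (relay_stole_session, origin_bound_relay_blocked)."""
    key = b"victim-device-key"                       # constructed sample data
    svc = RealService({"alice": {"password": "hunter2", "key": key}})
    victim = Victim(svc, "alice", "hunter2", key)
    stolen = relay_password_and_code(svc, victim)
    blocked = relay_origin_bound(svc, victim)
    return (stolen is not None and svc.sessions.get(stolen) == "alice", blocked is None)


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The point of the second half is not that the attacker's page looks any different to the victim; it is that the thing the victim hands over is bound to the site they were really on, so relaying it to the real service is useless. A six-digit code carries no such binding, which is why the phone-call-plus-email scam still works against it.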
 
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
 
From Scott's Blog

Here's one of the most-viewed articles of all time from my Security Views blog...


Here are some possible reasons why organizations haven't put a security awareness program in place.

1- We're not a target - Many organizations don't feel they are a target for today's attackers, often because they feel they aren't big enough to be noticed. There's growing evidence that attackers no longer care how big you are. There are many reasons attackers might target your organization that you might not have considered. Check out the infographic produced by Brian Krebs and SANS. People need to be aware of how they might be targeted.
 
 
Shared Security
Why fingerprints are NOT a good alternative for passwords
 
There are a number of good reasons why fingerprints should not be used to authenticate users to accounts or devices. This includes systems like Touch ID on iPhones.

The first reason is that your fingerprints are really not very secret at all. You leave them everywhere, and they can be lifted fairly easily, not to mention the fact that it's been shown that even a high resolution photo of your hand can yield a usable image that is good enough to fool most fingerprint readers.

There are at least 2 other good reasons why fingerprints are a poor way to authenticate users.


This is a story, among others, that Tom Eston and I discuss in Episode 48 of the Shared Security podcast.

I co-host a podcast program called Shared Security. Tom Eston and I discuss security and privacy risks and tips related to the people, apps and technology you trust. This program is available on iTunes, and via email subscription at the bottom of the post on our site. We also have a Twitter account at @sharedsec and a Facebook page.


Scott's Picture of the Month
Be careful next time you try to use this one as a motivator...

A Cyber Security Challenge Question
What kind of attack is used to impersonate you using information gathered from you in real time?

 

a)   A disguise attack

b)   A time-harvesting attack

c)   A Dana Carvey attack

d)   A Man-in-the-Middle attack


Answer:
See the bottom of this newsletter for the answer. (or click HERE)
Streetwise Security Tip - Disable the "tap-to-pay" feature on debit cards
You've probably noticed the growing use of "tap-to-pay" at check-out counters, where you can just place your credit or debit card over the card reader or PIN pad, and the payment is processed. You might want to consider having your bank disable this feature for debit cards.

Researchers have shown that the card number and expiry date a contactless card transmits can be read with an ordinary NFC reader (even a phone) held close to your wallet, and attackers are starting to use such scanners to harvest that data and charge purchases to your accounts. One caveat: contactless and chip transactions are also protected by a one-time cryptogram that a scanner can't extract, so the harvested data isn't enough to make a working counterfeit card for tap or chip purchases. It can, however, be enough for "card-not-present" purchases at online merchants that don't ask for the security code printed on the back of the card.

I've disabled this feature on all my debit cards, since debit transactions are immediate and may be difficult to reverse, in the case of fraudulent use.

However, I discovered that this feature can't be disabled on my credit cards. I'm not sure exactly of the reason, but credit cards are a little less risky in this case, since the cardholder is not usually held liable for fraudulent use of the card, in any form.

There's usually a limit on how large a transaction a merchant will accept via "tap-to-pay". So, the risk isn't large, in general. But I prefer to limit the risk, since I don't mind spending an extra 5 seconds to enter my PIN when using a debit card.

You can usually tell if your card is capable of using "tap-to-pay" if it has the little icon with the propagating waves at one end of the card.

A Data breach story: Should the real perpetrator in the LA Times hack be prosecuted?
Federal prosecutors are pursuing a former social media editor for disclosing login credentials for LA Times servers to hackers.

Even though the real perpetrator who used those credentials is apparently known, they are not being prosecuted. Go figure...


A former employee of the Los Angeles Times whose employment was terminated apparently divulged the login credentials of LA Times servers on a hacker forum. The credentials were then apparently used to attack the servers, and a number of malicious changes were then made to systems and/or accounts.

A cautionary tale for anyone thinking of letting corporate account credentials "slip away"

What's interesting is that it looks like the FBI is more interested in punishing the person who divulged the credentials than the person who actually committed the malicious actions on the LA Times systems. One might think that, if both individuals were known to authorities, they should be prosecuted with equal determination.

So, just in case you were thinking of taking retribution against your former employer by passing on login IDs and passwords to people who might be inclined to abuse them: you could, and probably will, be held responsible.

Here's a Wired Magazine article on the breach and the strange avenue of prosecution.

Answer to the Cyber Security Challenge Question (from above)
What kind of attack is used to impersonate you using information gathered from you in real time?

Answer: The correct answer is: d)   A Man-in-the-Middle attack


Thanks for Reading!

I get a lot of positive feedback on this newsletter when I'm speaking to people in person or on the phone who are subscribers. But it's always nice just to get an email that lets me know you feel this newsletter is a worthwhile read.

If you found this issue to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note.

In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of.

Sincerely,

 
Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.



Scott's Blatant Advertising

For those of you who are interested in learning more about my products and services for business, here's some additional information for you.



Security Awareness Education and Assessment
  • Live Training Sessions -
    I provide live on-site training, as well as webinars, for businesses who want to quickly engage staff. This often occurs in environments where it's important to get feedback from staff during the sessions. A workshop setup can result in some immediate actionable insights that will improve the effectiveness of your security program, since staff are more invested in the safeguards selected.
  • Computer-Based Training (CBTs) -
    Websites can be created that lead employees through the key security topics on which your business wants people to focus. Engaging images and animations can be included to make the content more relevant and interesting. You can also include self-assessment and auditable quizzes. I've created these kinds of tailored Intranet-based web applications for general security awareness, as well as specific compliance initiatives and even records management policy awareness.
  • Periodic phishing assessments - I'm extremely happy to have recently become a KnowBe4 reseller, which means I can now help customers plan and implement very efficient and effective automated phishing assessments. I can offer a free baseline phishing assessment trial that will illustrate how vulnerable your organization is to phishing attacks.
  • Social Media Risk Management -
    The use of social media for personal communications, as well as for marketing, HR and publicity, is a whole new risk area for businesses. There are new tools available for monitoring and alerting management to threats and reacting to them. I can help you navigate through this uncharted territory.
  • Games and Quizzes -
    Gamification is a great way to engage employees and prospects. I have a framework for a "trivia-game" style application that can be used in trade show booths and kiosks. It is totally customizable, so you can use any category names, with any questions and any multiple-choice answer options.
  • Subscription-based security awareness content updates -
    An effective way to keep people engaged with current security threats is to provide them with periodic updates that include case studies, tips and snap quizzes. These can even be made auditable, and form part of a Performance Objectives system within your business.
  • Streetwise Security Awareness Animated Clips -
    Another effective way of engaging people is with animations. I can create short, narrated animations (up to 2 minutes) that can be put on internal websites or used for public consumption on sites like YouTube. I am also building a library of inexpensive security animations you can purchase and use in your own programs. For a demo example, click HERE or on the image above to watch a short animated video clip called "Dave's adventure with a USB drive from work...".

You can inquire about any of these products or services by emailing me at: scott@streetwise-security-zone.com