"Practical Security Stories to be Shared With Others"
from Scott Wright - The Streetwise Security Coach 
Issue #16. December 2015  
Quick Topic Links
* Feature Story: You may fear the tax man, but don't be fooled by this scary scam...
* Terminology: "Pharming attack" 
* From Scott's Blog: How ID badges can hurt security and what can be done about it
* Shared Security: How your search queries on Google and other search engines could end up putting you on a SUCKER list 
* Cyber Security Challenge Question
* Streetwise Security Tip: Use "Full Disk Encryption" on laptops and mobile devices 
Other Interesting Stuff...
Third parties with trusted access were responsible for 41% of the detected security incidents at financial services organizations

According to this PWC report, more than half of respondents said they would increase spending to better monitor third party security in the next 12 months.


It's getting harder for victim organizations to say, "There's no evidence that the stolen data was abused in any way."

According to a threat report from Trend Micro, here's an example based on the Hacking Team breach - a 400 GB dump of stolen information led to the discovery of five major zero-day vulnerabilities, as well as spying tools for iOS and Android.
Something I've been working on...
I've found a way of creating short, engaging animated video clips that can be used for educating staff.

Have a look at this clip, called "Dave's adventure with a USB drive at work..."


I'd like to hear your comments on it, so I can create more engaging educational clips.

- Scott



Welcome to Issue #16 of the Streetwise Security News.

As another year draws to a close, I hope you are able to look back on it and recognize a few moments in which you learned something, where you have matured and where you have had some notable accomplishments.

For myself, I'm proud to have been able to keep this newsletter going for the entire calendar year of 2015 (starting in September of 2014). I've also managed to work through the rebranding of the Social Media Security Podcast into the Shared Security Podcast with my co-host Tom Eston, to allow us to keep up with the changing times.

This month, I also relaunched my new Security Perspectives website. The site now has a more professional look, and a more focused marketing message, which I hope will make it easier for prospective business customers to find security awareness education and assessment solutions.

I wish you and those close to you a very happy and successful 2016.

See the list of clickable topics on the left for a quick view of this issue's stories and content. 

If you're not already a subscriber, and would like to sign up, please click HERE. Even if you don't want to subscribe, I'd love to hear your favorite story. It doesn't have to be about security.

Cheers,
Scott Wright
[email protected]

You may fear the tax man, but don't be fooled by this scary scam...
A number of people have told me stories of having received calls from the Canada Revenue Agency (CRA), telling them - often in a very threatening manner - that they owe taxes, and must pay immediately.

I just wanted to make sure you were aware of this scamming technique. While this one is obviously targeting Canadian individuals, the same thing could happen to people in any other country.

Playing on your fear of being taken to court

In most cases I've heard of this phone scam, the primary method the caller uses to try to get immediate cooperation is to say that if the matter isn't settled immediately, the individual may be called in front of a magistrate, may face court charges, or may go to jail.

For this particular scam, or any similar types of calls, the CRA has more information on one of its resource pages.

There's always a way to verify if a call is legitimate

When a call or email like this is received, there are a couple of things I recommend, in order to protect yourself.

Firstly, here in Canada, the federal government has a facility called Service Canada (1-800-O-Canada or 1-800-622-6232), which is like the government's help desk for citizens. If there is something in a department's file that urgently needs your attention, it should be known by Service Canada. So, you should be able to call them up to verify any legitimate issues with your files. Other countries probably have similar services. If you don't live in Canada, you should check to see if such a service exists in your country. If they don't have any record of any issues with your government files, Service Canada can also verify any phone numbers you have been asked to call by any other government department.

So, the first thing I would suggest doing if you receive this kind of call claiming to be from the government (at least in Canada) is to ask the caller to provide a reference or file number. Once they give it to you, ask for the phone number where you can call back once you have verified the file.

Don't go into authentication mode just because they ask

Never give out personal or private information to somebody who calls you. You never know who it might be. Instead, call the publicized number for whatever organization the caller is claiming to work for.

At this point, if the caller is fake, they will probably give up. If not, they will understand your concern for verifying the legitimacy of their call.

Terminology - "Pharming attack"
Pharming attack - An attack in which the attacker alters the Domain Name System (DNS) resolution used by the victim, so that the legitimate URLs the victim requests are translated to IP addresses of malicious sites the attacker controls. This allows the attacker to use spoofed websites to gather real login passwords and other sensitive information from the victim without them suspecting anything.

Pharming is less common than phishing, but is likely to be more successful, since it does not depend on the user clicking a phishing link or attachment. It can occur when the user believes they are visiting a known and trusted website.
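An added example, not from the newsletter, of what a defender can check for the kind of tampering described above. Pharming changes how the victim's machine turns a name into an address, so the script below (Python) looks at the two places that resolution is controlled locally: the hosts file, which is consulted before DNS on common systems, and the answers the configured resolver returns for domains that matter. The domains, address ranges, hosts-file contents and resolver answers are all constructed for the example; a real deployment would load the expected ranges from the organization's own records.

```python
"""Checks for pharming-style tampering with name resolution.

Added example, not from the newsletter. Every domain, address and file
content below is constructed for illustration.
"""
import ipaddress

# Constructed: domains we monitor and the address ranges we expect them
# to resolve to. In practice these come from the organization's records.
EXPECTED = {
    "bank.example": [ipaddress.ip_network("198.51.100.0/24")],
    "mail.example": [ipaddress.ip_network("203.0.113.0/24")],
}


def monitored_domain(name, monitored=EXPECTED):
    """Return the monitored domain that `name` equals or is a subdomain of."""
    for domain in monitored:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def hosts_overrides(text, monitored=EXPECTED):
    """A hosts-file entry for a monitored name bypasses DNS entirely, so
    every such pin is reported, whatever address it points to."""
    return [f"hosts file pins {name} to {ip}"
            for ip, name in parse_hosts(text)
            if monitored_domain(name, monitored) is not None]


def check_resolution(answers, expected=EXPECTED):
    """Compare resolver answers {name: [ip, ...]} with the expected ranges."""
    findings = []
    for name, ips in answers.items():
        domain = monitored_domain(name, expected)
        if domain is None:
            continue  # not a name we monitor
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in expected[domain]):
                findings.append(f"{name} resolved to unexpected address {ip}")
    return findings


# Constructed hosts file: normal loopback lines plus a tampered entry that
# points the bank's real name at an address outside its expected range.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# tampered entry
192.0.2.10  bank.example www.bank.example
"""

# Constructed resolver answers, shaped like a resolver library's results.
SAMPLE_ANSWERS = {
    "bank.example": ["192.0.2.10"],
    "mail.example": ["203.0.113.25"],
    "unmonitored.example": ["192.0.2.99"],
}


def main():
    for finding in hosts_overrides(SAMPLE_HOSTS) + check_resolution(SAMPLE_ANSWERS):
        print("ALERT:", finding)


if __name__ == "__main__":
    main()
```

Run as-is it prints three alerts: the two hosts-file pins and the bank name resolving outside its expected range; the mail domain passes and the unmonitored name is ignored. The design choice worth noting is that any hosts-file entry for a monitored name is reported, even if it happens to point at a correct address, because legitimate configurations have no reason to pin those names locally.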
 
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
 
From Scott's Blog

Here's one of the most-viewed articles of all time from my Security Views blog...


Most of us accept the need for ID badges in organizations that have more than a few people who recognize each other. It makes sense that we need a way to recognize those who are authorized to be there, even if we don't know them personally. ID badges help fulfill this need, for the most part. But they can be a weak link in the organization's security.
 
Shared Security
How your search queries on Google and other search engines could end up putting you on a SUCKER list
 
You probably already know that search engines make money from allowing advertisers to display ads in your search results. But many people don't realize that the search terms you enter are valuable, too - especially when they are correlated with other information about you, such as the sites you visit or like.

Not only can this data result in you being presented with creepy ads that seem to know too much about you, but your search queries could allow unscrupulous operators who pay for this information to trick you into visiting sites that are designed to further categorize you - potentially as a sucker for many different types of predatory "deals" such as payday loans, etc.

This is a story, among others, that Tom Eston and I discuss in Episode 49 of the Shared Security podcast.

I co-host a podcast program called Shared Security. Tom Eston and I discuss security and privacy risks and tips related to the people, apps and technology you trust. This program is available on iTunes, and via email subscription at the bottom of the post on our site. We also have a Twitter account at @sharedsec and a Facebook page.


Scott's Picture of the Month
How will you know when the Internet of Things is getting out of control?...

A Cyber Security Challenge Question
What is pharming?

a) A corny type of agriculture

b) Phishing attacks that cause physical injury to victims

c) An attack on a live audience at an event

d) An attack that alters IP addresses for real sites

Answer: See the bottom of this newsletter for the answer.
Streetwise Security Tip - Use "Full Disk Encryption" on laptops and mobile devices
Laptops and mobile devices can contain lots of important data. You never expect to lose a device, but many people do. And once it's gone, you will start to remember all the documents, pictures and email messages that may have been on the device.

Using a "full-disk encryption" facility means that the data on your device will be scrambled, so nobody can see it without the password.

I also recommend that when using a laptop with full-disk encryption you always SHUT IT DOWN, rather than putting it to sleep or on stand-by. There are attacks that could allow somebody to recover the decryption key, or to access data that is still accessible because you are logged in. Full-disk encryption usually works best when the device is completely shut down.
Many businesses now require employees to only use laptops and USB drives that automatically encrypt all data on their devices.

For Windows laptops, you can use Microsoft BitLocker (you may need to upgrade your Windows edition to access it). For MacBooks you can use Apple's built-in FileVault feature. For USB drives, there are many different solutions, but I prefer using devices that have automatic encryption, such as the Kingston DataTraveler.
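An added example, not from the newsletter and not Microsoft's or Apple's code: a Python script that reads the text printed by `manage-bde -status` (BitLocker) and `fdesetup status` (FileVault) and reports volumes that are not fully encrypted with protection turned on. This is the check a business that requires encrypted laptops would run across its fleet. The tool output embedded below is a constructed sample in the format those commands print; the script changes nothing on the machine, it only reads the status text.

```python
"""Audit full-disk-encryption status from BitLocker and FileVault output.

Added example, not from the newsletter. The command outputs below are
constructed samples in the format `manage-bde -status` and
`fdesetup status` print; in use you would feed the scripts the real
output captured from each device.
"""
import re

# Constructed sample of `manage-bde -status`: an encrypted OS volume whose
# protection has been suspended (for example for a firmware update) and an
# unencrypted data volume. Both should be flagged.
SAMPLE_MANAGE_BDE = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 237.98 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked

Volume D: [Data]
[Data Volume]

    Size:                 465.76 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
"""

# Constructed sample of `fdesetup status` on a Mac without FileVault.
SAMPLE_FDESETUP = "FileVault is Off.\n"


def parse_manage_bde(text):
    """Return {volume_letter: {field: value}} from manage-bde -status text."""
    volumes = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Volume ([A-Z]):", line)
        if m:
            current = m.group(1)
            volumes[current] = {}
            continue
        # Indented "Field:   value" lines belong to the current volume.
        m = re.match(r"^\s+([A-Za-z ]+):\s+(.*)$", line)
        if m and current is not None:
            volumes[current][m.group(1).strip()] = m.group(2).strip()
    return volumes


def bitlocker_findings(text):
    """List volumes that are not both fully encrypted and protected.

    Anything other than "Fully Encrypted" (including partial or in-progress
    conversion) is reported; an encrypted volume with protection suspended
    is reported separately, since its key is exposed until protection is
    resumed.
    """
    findings = []
    for letter, fields in parse_manage_bde(text).items():
        conv = fields.get("Conversion Status", "")
        prot = fields.get("Protection Status", "")
        if conv != "Fully Encrypted":
            findings.append(f"{letter}: not fully encrypted ({conv or 'unknown'})")
        elif prot != "Protection On":
            findings.append(f"{letter}: encrypted but protection suspended ({prot})")
    return findings


def filevault_on(text):
    """True if `fdesetup status` output reports FileVault enabled."""
    return re.search(r"^FileVault is On\.", text, re.MULTILINE) is not None


def main():
    for finding in bitlocker_findings(SAMPLE_MANAGE_BDE):
        print("BitLocker:", finding)
    print("FileVault enabled:", filevault_on(SAMPLE_FDESETUP))


if __name__ == "__main__":
    main()
```

The suspended-protection case is the one most often missed: the volume still reports as fully encrypted, but BitLocker will unlock it without the usual key protectors until protection is resumed, so a check that only looks at "Percentage Encrypted" would pass it.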

A Data breach story: When stolen banking data is used for extortion
A bank in the UAE - identified in a Wired article as Invest Bank - was reportedly hacked, and became the victim of an extortion attempt by the hacker. After the bank did not pay the requested ransom, the attacker began releasing details of customer transactions and credit card data.

The data also included spreadsheets and entire SQL databases containing bank balances on thousands of cards.

It doesn't appear that the data included as much damaging personal information as it could have. But this may not be the end of the story.

The bank says it refused to pay the ransom because it does not give in to extortion attempts. Unfortunately, when businesses do not invest in adequate data security for their customer accounts, the customers are the ones whose data is immediately at risk.

Here's a Wired Magazine article on the breach with more information.

Answer to the Cyber Security Challenge Question (from above)
What is pharming?

The correct answer is d) An attack that alters IP addresses for real sites.

Attackers can sometimes make changes to the DNS system a computer uses to find the Internet Protocol (IP) address of an intended site, allowing them to redirect the user and spoof the site they are trying to reach.

Thanks for Reading!

I get a lot of positive feedback on this newsletter when I'm speaking to people in person or on the phone who are subscribers. But it's always nice just to get an email that lets me know you feel this newsletter is a worthwhile read.

If you found this issue to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note.

In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of.

Sincerely,

 
Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.



Scott's Blatant Advertising

For those of you who are interested in learning more about my products and services for business, here's some additional information for you.



Security Awareness Education and Assessment
  • Live Training Sessions -
    I provide live on-site training, as well as webinars, for businesses who want to quickly engage staff. This often occurs in environments where it's important to get feedback from staff during the sessions. A workshop setup can result in some immediate actionable insights that will improve the effectiveness of your security program, since staff are more invested in the safeguards selected.
  • Computer-Based Training (CBTs) -
    Websites can be created that lead employees through the key security topics on which your business wants people to focus. Engaging images and animations can be included to make the content more relevant and interesting. You can also include self-assessment and auditable quizzes. I've created these kinds of tailored Intranet-based web applications for general security awareness, as well as specific compliance initiatives and even records management policy awareness.
  • Periodic phishing assessments - I'm extremely happy to have recently become a KnowBe4 reseller, which means I can now help customers plan and implement very efficient and effective automated phishing assessments. I can offer a free baseline phishing assessment trial that will illustrate how vulnerable your organization is to phishing attacks.
  • Social Media Risk Management -
    The use of social media for personal communications, as well as for marketing, HR and publicity, is a whole new risk area for businesses. There are new tools available for monitoring and alerting management to threats and reacting to them. I can help you navigate through this uncharted territory.
  • Games and Quizzes -
    Gamification is a great way to engage employees and prospects. I have a framework for a "trivia-game" style application that can be used in trade show booths and kiosks. It is totally customizable, so you can use any category names, with any questions and any multiple-choice answer options.
  • Subscription-based security awareness content updates -
    An effective way to keep people engaged with current security threats is to provide them with periodic updates that include case studies, tips and snap quizzes. These can even be made auditable, and form part of a Performance Objectives system within your business.
  • Streetwise Security Awareness Animated Clips -
    Another effective way of engaging people is with animations. I can create short, narrated animations (up to 2 minutes) that can be put on internal websites or used for public consumption on sites like YouTube. I am also building a library of inexpensive security animations you can purchase and use in your own programs. A demo example is the short animated video clip called "Dave's adventure with a USB drive from work...".

You can inquire about any of these products or services by emailing me at: [email protected]