Other Interesting Stuff...

Top Facebook Click-Bait Scams
ZeroFox has compiled this extensive list of click-bait scams that have been found on Facebook, and what they try to do (e.g. "You won't believe what happens next...!"). Read More...

"Without privacy we don't have a free society"
That's a quote from my favorite privacy professor, Rebecca Herold. This article has some powerful reasons to take note on January 28th of how your privacy is at risk... Also valid on any other day.
Something I've been working on...
I've found a way of creating short, engaging animated video clips that can be used for educating staff.
Have a look at this clip, called "Dave's adventure with a USB drive at work..."
Click the image to view the video clip. I'd like to hear your comments on it, so I can create more engaging educational clips. - Scott
Greetings!

Welcome to Issue #17 of the Streetwise Security News. After having lived in one house for over 17 years, we've moved. I'm definitely getting too old to do this again. The next time will be to a retirement home. It was a lot more work than I expected - in pretty much every way. But it's worth it. We love our new place.

It's interesting having to go through the process of signing up for every service all over again. From alarm systems to internet, phone, TV (yes, we went back to TV after cutting the cord for 6 months), and municipal utilities. It's much easier now than it used to be when you had to mail out "change of address cards". But it makes me wonder about all that personal information that is now sitting in a dozen or more databases. It's inevitable that at least one of them will get hacked at some point. Or am I just being a pessimist? On the bright side, I don't have a wireless smart TV or fridge that tracks our entertainment or eating activities; at least, not as far as I know...

See the list of clickable topics on the left for a quick view of this issue's stories and content. If you're not already a subscriber, and would like to sign up, please click HERE. Even if you don't want to subscribe, I'd love to hear your favorite story. It doesn't have to be about security.

Cheers,
Malicious apps can inflate each other's ratings...

One of your most reliable methods of determining the reputation of mobile apps might not be so reliable now.

Google just banished 13 mobile apps from its Play marketplace. Some of these apps had over a million downloads, partly due to the fact that they had very high ratings. But those ratings were actually "voted up" by other malicious apps from the same software authors. If it was only a problem of gaming the reputation system of the marketplace, that would be one thing. But some of these apps have been found to contain malware that downloads files or programs that the user did not request.

At the moment, this has only occurred in phones that were "jailbroken" to allow owners more control over the phone's features. But this can open the door for these malicious apps to cause much greater damage.

So, when you're deciding on which addictive game to download from your favorite app store, keep in mind that somebody may be trying to "game" the system. While this problem has only been detected with apps in the Google Play marketplace, it's not unthinkable that this kind of activity could happen in the Apple App Store. For more information on this story, here's an article from Ars Technica.
Terminology - "Responsible Disclosure"

Responsible Disclosure - The act of informing the public about security vulnerabilities in a responsible manner. The general consensus among security professionals is that it is better to let everyone know about serious vulnerabilities that have been discovered in products and systems than to keep them a secret.

Your intuition may tell you that disclosing vulnerabilities that could be exploited by bad guys isn't likely to be the best course of action. However, the reasoning behind this generally accepted philosophy is that if somebody has figured out how to break into a system, then you have to assume that at least some of the bad guys have also figured it out. Therefore, people need to be informed of the risk, so they can take action to protect themselves.

You might say, "Don't go giving the bad guys more ideas on how to break in." But there are so many very smart attackers that some of them will have either already figured out how to exploit a vulnerability, or they will very soon. So, we'd better make sure we're all aware of the risks.

You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
From Scott's Blog

Here's a recent article from my Security Views blog...
Should you use a password manager? It really depends on how many different accounts you have. The trade-off you need to decide on is:
- Should I put all my eggs in one basket, and protect them well? Or
- Should I keep them separate, and protect each one with reasonable measures?

Shared Security
Why it's important for a wireless home security system to "fail" properly

Does your home security alarm system "fail" properly? Yes, there's a right way and a wrong way for a security system to fail. What you want is that if some part of a security system starts to fail, this condition should be detected, and you should be warned. Otherwise, if an attacker can cause a component to fail, and no alert is given, then the attacker has essentially turned off the system, and can proceed without any time pressure. This is a story, among others, that Tom Eston and I discuss in Episode 50 of the Shared Security podcast.

I co-host a podcast program called Shared Security. Tom Eston and I discuss security and privacy risks and tips related to the people, apps and technology you trust. This program is available on iTunes, and via email subscription at the bottom of the post on our site. We also have a Twitter account at @sharedsec and a Facebook page.
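To make the "fail properly" idea concrete, here is an added Python sketch of sensor supervision. It is not code from the podcast or from any alarm vendor; the sensor names, the 60-second check-in interval, the two-missed-beats threshold and the heartbeat log are all constructed for the illustration. The point is the contrast: a panel that only reacts to explicit "alarm" messages never notices a sensor that has gone quiet, while a supervising panel treats silence itself as a fault and raises an alert.

```python
"""Supervising wireless sensors so that a missing heartbeat raises an alert.

Added illustration, not from the newsletter or any alarm product. Each
wireless sensor is expected to check in ("heartbeat") periodically. A
panel that fails properly treats a silent sensor as a fault; one that
fails silently only reacts to explicit alarm messages, so a sensor that
stops talking simply disappears from view. Everything below is constructed.
"""

# Constructed heartbeat log: (timestamp in seconds, sensor, message).
# back_door checks in at t=0 and t=60, then goes quiet.
HEARTBEAT_LOG = [
    (0, "front_door", "heartbeat"),
    (0, "back_door", "heartbeat"),
    (0, "garage", "heartbeat"),
    (60, "front_door", "heartbeat"),
    (60, "back_door", "heartbeat"),
    (60, "garage", "heartbeat"),
    (120, "front_door", "heartbeat"),
    (120, "garage", "heartbeat"),
    (180, "front_door", "heartbeat"),
    (180, "garage", "heartbeat"),
    (240, "front_door", "heartbeat"),
    (240, "garage", "heartbeat"),
    (300, "front_door", "heartbeat"),
    (300, "garage", "heartbeat"),
]

# Sensors the panel is configured to supervise (assumed names).
SENSORS = ("front_door", "back_door", "garage")

EXPECTED_INTERVAL = 60     # assumed seconds between check-ins
MISSED_BEFORE_ALERT = 2    # tolerate one missed beat, alert on the second


def supervise(log, sensors, now, interval=EXPECTED_INTERVAL,
              tolerance=MISSED_BEFORE_ALERT):
    """Fail-properly supervision: return (sensor, reason) for overdue sensors.

    A sensor is overdue when its most recent check-in is older than
    tolerance * interval seconds at time `now`. A configured sensor that
    has never checked in is reported too: "no news" is not "good news".
    """
    last_seen = {}
    for ts, sensor, msg in log:
        if msg == "heartbeat" and ts <= now:
            last_seen[sensor] = max(ts, last_seen.get(sensor, ts))

    alerts = []
    for sensor in sensors:
        seen = last_seen.get(sensor)
        if seen is None:
            alerts.append((sensor, "never checked in"))
        elif now - seen > tolerance * interval:
            alerts.append((sensor, f"silent for {now - seen}s"))
    return alerts


def alarm_only(log, now):
    """The wrong way to fail: act only on explicit 'alarm' messages.

    A sensor that has been jammed, unplugged or has simply died never sends
    an alarm, so this panel reports nothing and the gap goes unnoticed.
    """
    return [(sensor, "alarm")
            for ts, sensor, msg in log if msg == "alarm" and ts <= now]


if __name__ == "__main__":
    for t in (150, 300):
        print(f"t={t}s supervised: {supervise(HEARTBEAT_LOG, SENSORS, now=t)}")
        print(f"t={t}s alarm-only: {alarm_only(HEARTBEAT_LOG, now=t)}")
```

At t=150 the supervising panel stays quiet, because back_door has only missed one beat; by t=300 it has been silent for 240 seconds and an alert is raised. The alarm-only panel reports nothing at either time, which is exactly the failure mode described above: the sensor is effectively off and nobody knows.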
Scott's Picture of the Month

I wish I'd thought of this...

A Cyber Security Challenge Question
Why do security experts advocate making newly found vulnerabilities in software public?
a) Because it's fun to watch people panic
b) Because it's better for everyone to understand the risks, especially if the bad guys can exploit them
c) Because attackers are probably too dumb to exploit them
d) Survival of the fittest. If you're not using secure software, you deserve to be hacked

Answer: See the bottom of this newsletter for the answer (or click HERE).
Streetwise Security Tip - Avoid participating in Facebook quizzes to stay off "sucker lists"

You've probably seen them: the Facebook quizzes that grab your attention and entice you into participating, just to see how you fare. But you may not realize that many of these quizzes are designed to gather information about you.

I'm not trying to be a spoil-sport - I'm sure I've clicked on a few of these to see "Who I would be as a Mad Men character..." or something like that.

But it's a fact that sneaky marketers - including some who have less than altruistic motives - have found this to be an easy way of identifying targets for their products or services. It turns out that when you answer the questions in the quizzes, you are telling the author something about your personality, your preferences or your experiences. Because they can get some basic information about you from Facebook, including your Facebook identity, they can build an interesting profile of you that may tell them what kinds of things you're likely to want to buy - or click on.

In the worst case, the less scrupulous marketers who do this can narrow down who should go on a "sucker list" - a list of Facebook users who are very likely to click on certain types of ads that may appear on their page or in their feed. Even worse, those ads may lure you with a "bait and switch" scheme to pull you into a scam of some kind.

So, before you do that quiz to find out "How you are most likely to die", just think about whether it's worth ending up on a sucker list.
A Cyber-Crime story: Is it Crime or is it Cyber-Crime? And can it be covered by insurance?

There's a fine line between Crime and Cyber-Crime, apparently. In this case, a cyber-insurance claim by Ameriforge Group was denied by Federal Insurance Co. (a division of Chubb Group) due to a close technical reading of the coverage statements.

While the cyber-crime coverage was for "financial instruments", a wire transfer performed by an accounting director at Ameriforge as a result of a faked instruction from the CEO does not meet the criteria for a valid claim.

So, the company lost $480,000 because the faked message from the CEO instructed the accounting director to make the wire transfer and keep it secret, to avoid "breaking SEC regulations". This is a type of attack called "Business Email Compromise" (BEC), or sometimes "CEO Fraud". Ameriforge is suing Federal because they thought they had $30 million in coverage, and this is the kind of crime they thought would be covered.

You may think the underwriter was being a little shifty. After all, apparently, it's the second time they've been sued for this kind of failure to pay a claim. Whether or not you agree that this was a valid claim, it's important to realize that the line between cyber-crime and real crime is getting so blurred that you really need to understand what's covered by insurance and what's not.

The attackers don't really care if a loss is covered. But they will find ways to forge requests before they get to the point of involving the types of transactions that Federal says they'll cover, which will be harder for attackers to forge. So, is the insurance really worth buying?

Here's an article by Brian Krebs with more information on this disputed claim.
Answer to the Cyber Security Challenge Question (from above)

Why do security experts advocate making newly found vulnerabilities in software public?
Answer: The correct answer is: b) Because it's better for everyone to understand the risks, especially if the bad guys can exploit them.

Attackers can sometimes make changes to the DNS system used by a computer to find the Internet Protocol (IP) address for an intended site, allowing them to hijack the user, and spoof the site they are trying to reach.
Thanks for Reading!

I get a lot of positive feedback on this newsletter when I'm speaking to people in person or on the phone who are subscribers. But it's always nice just to get an email that lets me know you feel this newsletter is a worthwhile read. If you found this issue to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note. In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of.

Sincerely,
Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.
Scott's Blatant Advertising

For those of you who are interested in learning more about my products and services for business, here's some additional information for you.

Security Awareness Education and Assessment
- Live Training Sessions - I provide live on-site training, as well as webinars, for businesses who want to quickly engage staff. This often occurs in environments where it's important to get feedback from staff during the sessions. A workshop setup can result in some immediate actionable insights that will improve the effectiveness of your security program, since staff are more invested in the safeguards selected.
- Computer-Based Training (CBTs) - Websites can be created that lead employees through the key security topics on which your business wants people to focus. Engaging images and animations can be included to make the content more relevant and interesting. You can also include self-assessment and auditable quizzes. I've created these kinds of tailored Intranet-based web applications for general security awareness, as well as specific compliance initiatives and even records management policy awareness.
- Periodic phishing assessments - I'm extremely happy to have recently become a KnowBe4 reseller, which means I can now help customers plan and implement very efficient and effective automated phishing assessments. I can offer a free baseline phishing assessment trial that will illustrate how vulnerable your organization is to phishing attacks.
- Social Media Risk Management - The use of social media for personal communications, as well as for marketing, HR and publicity, is a whole new risk area for businesses. There are new tools available for monitoring and alerting management to threats and reacting to them. I can help you navigate through this uncharted territory.
- Games and Quizzes - Gamification is a great way to engage employees and prospects. I have a framework for a "trivia-game" style application that can be used in trade show booths and kiosks. It is totally customizable, so you can use any category names, with any questions and any multiple-choice answer options.
- Subscription-based security awareness content updates - An effective way to keep people engaged with current security threats is to provide them with periodic updates that include case studies, tips and snap quizzes. These can even be made auditable, and form part of a Performance Objectives system within your business.
- Streetwise Security Awareness Animated Clips - Another effective way of engaging people is with animations. I can create short, narrated animations (up to 2 minutes) that can be put on internal websites or used for public consumption on sites like Youtube. I am also building a library of inexpensive security animations you can purchase and use in your own programs. Click HERE or on the image above to watch a short animated video clip called "Dave's adventure with a USB drive from work...".

Demo Example: Dave's adventure with a USB drive from work...

You can inquire about any of these products or services by emailing me at: scott@streetwise-security-zone.com