Shopping Smart Series: Unsecured Wi-Fi and You


With the shopping season upon us we wanted to give you some safe shopping tips to help keep you protected while you are out-and-about.

Free Wi-Fi is a great thing; it saves data usage on your cell phone plan and lets you access all of the great things the internet has to offer. Like all good things, there are people out there looking to ruin the fun for the rest of us. Knowledge is power, and with the right know-how you can protect yourself from these attacks and ensure that you have a happy holiday season.

Connecting to an unsecured network can effectively expose your device and your personal information to an unwanted third party. This can happen in a couple of different ways: via a passive attack or an active attack.

During a passive attack[1] the hacker captures all of your network traffic in an almost invisible state. While tuned into your device they can capture gigabytes of network traffic and store it for later use. The data they collect can be anything from passwords, to account names, to other personal information that you would not want exposed.

The second style of attack is an active attack.[1] It is very noticeable, and the hacker essentially takes over your device. While the hacker has control of your device they can steal your information and attempt to destroy your device during their visit. Once the hacker has control of your device it is almost impossible to stop the attack, unless the device is destroyed.

Keep these things in mind before you hit connect on your mobile device. Check back on Monday (Cyber Monday), when we will feature tips on how to shop safely online.

Resources:

1. http://en.wikipedia.org/wiki/Attack_%28computing%29

Shopping Smart Series: Black Friday

With the shopping season upon us we wanted to give you some safe shopping tips to help keep you protected while you are out-and-about.

Black Friday was originally used to describe companies going from red to black in their books, or from loss to profit for the year. In the 1960s, Black Friday was used to describe the rush of crowds to the stores the day after Thanksgiving. According to market-research firm ShopperTrak, “Since 2002, Black Friday has been the season’s biggest shopping day each year except 2004.”[1]

You may be asking yourself, what does this have to do with online security?

Great question. Picture that you are standing in line at your favorite retailer and you want to use your phone to check out other deals, read email, check your credit card balance or just kill some time. You try to connect and notice cell phone service is slow. But wait; there are a couple of unsecured Wi-Fi connections that you can link up to so you can get online. Success!

Hold your horses, not a good idea!

It is true that the store you are in may offer open Wi-Fi to their customers, but how do you know which network is supported by the store and which is not? It is common practice for the store to post signs with the name of the network, but if signs are not present it is best to ask an employee for the name of the wireless network and whether it is a secured network.

If you connect to an unsecured Wi-Fi network you are potentially susceptible to being hacked. Check back tomorrow, when we will go over the different types of attacks that can happen on an unsecured network.

Resources:

1. http://content.time.com/time/business/article/0,8599,1942935,00.html#ixzz2llr8qXZT

Update Your Security Software before Opening “that” Email

Hackers continue to defy the odds, finding more creative ways to plant malware on devices. Some of their tactics are highly innovative, yet so simple at the same time that even a well-educated computer user overlooks the fact that it may be a virus.

Just this past week, they built a simple email scheme that made it look like the recipient’s security software needed updating. It then instructed the user to download an update, which was a piece of malware. The malware used a process called ozybe.exe to perform tasks on the machine.[1]

Just like others have done in the past, these hackers used real company names and images to build very official-looking emails. They were devious and used the names of companies like Norton, McAfee and AVG, to name a few.

According to SC Magazine, “The phony hotfix is a 323 kilobyte .ZIP file attached to an email – and because the sender of the email appears as one of those aforementioned anti-virus companies, the average computer user may be further influenced to download the bogus patch.”

This was a pretty slick trick that was hard to identify immediately, unless the recipient read the email thoroughly. From what SC reported, there was some broken English throughout the emails.

It just goes to show that you need to double check and thoroughly read the whole message before downloading things to your machine.

Resource:

1. http://www.scmagazine.com//email-offering-updates-to-real-anti-virus-actually-delivers-malware/article/322359/

The Weight of the World on Your Shoulders: The Pressure of Being an IT Professional

As an IT professional, it is safe to say you feel like the lifeline of your company’s infrastructure. Being that backbone can come with a lot of pressure; security, budget and keeping up with current technology are sure to top the list. News of malware and cyber-attacks arrives so frequently that the fear of one may keep you up at night.

That being said, one way to “hassle the hackers” is through two-factor authentication (2FA) with a one-time password (OTP). This is not a revolutionary idea by any means, but it does make sense to employ it as a security feature within your web applications.

Recently, we reported on the Adobe breach, in which the number of affected users seems to be growing by the week. Now Cupid Media reports that they too were compromised and that at least 42 million direct users have been affected. There are many ways this could have been prevented, one of them being two-factor authentication.

When deployed successfully, two-factor authentication security features can be used with little impact on end-user usability. Two-factor authentication delivery options are easy and the OTP can be sent in many ways: SMS text message, printed OTPs, voice messaging, email confirmation, mobile authenticator, PassiveKey and/or hardware like a YubiKey.

This security feature is sure to enhance your company’s protection; many companies have identified this security standard and seek professional help from a security software expert like PortalGuard. Unlike attempting to develop a 2FA solution in house, partnering with an expert will allow you to avoid the trial and error that comes with building a product yourself.

Resources:

http://nakedsecurity.sophos.com/2013/11/21/hack-of-online-dating-site-cupid-media-exposes-42-million-plaintext-passwords/

IT Leaders Identify Security Breaches as Having the Highest Cost Impact

With the current state of the economy, it seems that almost every penny is scrutinized when it comes down to budgeting. One surefire way to blow an IT budget is a security breach: it costs companies not just man hours, but also data loss and potential reputation damage. Most breaches occur at a log-in portal, then move laterally across a company’s infrastructure until the attackers obtain information or take down a piece of the site or system.

This week EMC, a data management and protection corporation, released the findings of their IT Trust Curve survey. The survey compiled responses from 3,200 IT professionals and business leaders, asking them about the most costly events that happen within their IT departments.

In the SC Magazine article “Study: IT leaders count the cost of breaches, data loss and downtime” by Danielle Walker, she reported: “Security breaches cost organizations several hundred thousand dollars more on average than other commonly occurring IT incidents.”

The average loss per breach was reported at $860,273. This staggering number was broken down even further to showcase the loss of data and overall downtime, “costing businesses $585,892 and $497,037, respectively, over the course of a year,” Walker reported.

Walker also gave this troubling statistic: “In the past year, 61 percent of participants’ companies experienced at least one security incident categorized as a security breach, data loss event or unplanned downtime.”

The report also noted that the main blockades to achieving stronger security were limited budgets, resources, workload and an overall lack of time for planning. Given the potential impact, it is amazing that companies are not willing to set aside time to address potential security risks before they happen.

There seems to be a disconnect between the overall risk that companies take by not employing a secure solution before a breach and the cost of protecting their company information. Affordable options are out there; many large companies trust their log-in security to low-cost, high-value companies like PortalGuard. This raises the question: how protected are you?

Resource:

http://www.scmagazine.com/study-it-leaders-count-the-cost-of-breaches-data-loss-and-downtime/article/321782/

Healthcare.gov is in the News Again

As previously mentioned in this article, the government run healthcare.gov seems to be in the news almost every day. Recently, there have been accusations made that there was a “hidden memo” which was not brought to the attention of the Project Manager, Henry Chao.

The memo expressed concern for the “limitless security risks” of the website, reports CBS News. The memo was dated September 3, 2013, and outlined all of the potential risks associated with launching the program prematurely.

The Center for Medicare &amp; Medicaid Services (CMS), the company hired to develop the website, put very plausible deadlines on fixing the numerous security risks by early next year. However, with the tight deadlines imposed by the government, it seems these warnings were intentionally overlooked by lower-level managers.

All of this was apparently a large surprise to Chao. He later explained that it was “disturbing” not being told about the memo, written by a senior CMS official.

Chao said “I mean, I don’t deny that this is… a fairly nonstandard way” to proceed.

The information that users are required to share on healthcare.gov is highly sensitive, including Social Security Numbers and other vital data.

It is disconcerting that steps were not taken to prevent a potential large-scale information breach. In this day and age, we hope that companies, along with the government, use this as a learning exercise and do not allow history to repeat itself.

Resource:

http://www.cbsnews.com/8301-18563_162-57611858/memo-warned-of-limitless-security-risks-for-healthcare.gov/


Food for thought… On Passwords

Let’s talk about forgetting your password; it has happened to all of us at one time or another.

Forgetting your password is a real pain in the you-know-where. You type in what you think is your password, then you try another one, then one with caps and a special character. Before you know it, your account has been locked out and you need to contact the systems administrator. You dial the help desk, wait on hold for a few minutes, and then finally, success!

This always seems to happen when you are in a time crunch. It could be during a meeting or presentation, or when you need to check your email quickly before heading out for the night. Whatever the case, it is a real pain point and a huge inconvenience.

PCWorld cited a study by Ian Robertson which “illustrates the growing amount of alphanumeric clutter in our heads: the average person now has to remember five passwords, five PIN numbers, two number plates, three security ID numbers and three bank account numbers just to get through everyday life. Not surprisingly, Robertson’s research found that nearly 60 percent of those studied felt like they couldn’t possibly remember all of these numbers and letters that they were supposed to.” The number of passwords that the average person is required to remember today only continues to grow.

Today, more companies are shying away from “traditional” password management toward a self-service method. Self Service Password Reset is a simple service that can help avoid the anxieties associated with locking yourself out, by prompting the user to answer preselected questions or enter a one-time code sent to their phone in order to unlock their account or obtain a new password.

Companies like PortalGuard offer a simple and effective solution that will not only eliminate the stress that comes from a lockout, but will also save money and time at a higher level.


Resources:

http://www.pcworld.com/article/150874/password_brain_power.html

Wanted: Friendly Hackers for the “Bug Bounty Program”

HackerOne started an internet Bug Bounty program with the goal of “rewarding friendly hackers who contribute to a more secure internet.”[1] The Bounty is sponsored by two industry leaders, Facebook and Microsoft, which are constantly looking to improve user experience. It has also been rumored that Google is co-sponsoring the project.[2]

The program identifies vulnerabilities that have a heightened potential to adversely affect a large number of internet users; after these deficiencies are identified they are brought to the respective program owner and addressed.

“Microsoft and Facebook also assembled a list of 11 open source projects, making specific information on cash rewards available for each,”[3] according to SC Magazine.

The list of 11 open source projects includes: Python, Ruby, PHP and Perl interpreters; the Django, Ruby on Rails and Phabricator development tools and frameworks; the Apache and Nginx Web servers, and the application sandbox mechanisms of Google Chrome, Internet Explorer 10, Adobe Reader and Flash Player.

The highlighted open source projects were chosen according to how “critical” the projects were to users, Alex Rice, a product security lead at Facebook, told SC Magazine.[3]

HackerOne’s reasoning for starting the program: “Some of the most critical vulnerabilities in the internet’s history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism.”[4]

The concept of the program is great, and seeing that major companies are backing this project will only help improve the future of the Bug Bounty moving forward. Who knows, programs like this could even turn around some of the stereotypes that currently surround hackers.

Resources:

1. https://hackerone.com/ibb

2. http://www.infoworld.com/d/security/microsoft-google-and-facebook-team-new-bug-bounty-program-230396

3. http://www.scmagazine.com/facebook-bug-bounty-program-for-internet-will-likely-expand-open-source-focus/article/320236/1/

4. https://hackerone.com/faq

5 More Suspects Added to FBI Cyber Most Wanted List

Last week the FBI added five new suspects to the Cyber Most Wanted list. These hackers are alleged to have been involved in hacking and fraud crimes which cost the victims millions of dollars and potentially their identities. The modern-day bandits carried out their crimes on unsuspecting victims both domestically and abroad.

All five men are believed to have been living and operating outside of the US during their robbing sprees, deploying malware and spyware to obtain their victims’ information. Once the information was obtained, they would gain unauthorized access via phone lines and the internet to execute their crimes.

The FBI’s website listed the five men as follows:

  • Pakistani nationals Farhan Arshad and Noor Aziz Uddin wanted for their alleged involvement in an international telecommunications hacking scheme. Between 2008 and 2012, the pair gained unauthorized access to business telephone systems, resulting in losses exceeding $50 million. Arshad and Uddin are part of an international criminal ring that the FBI believes extends into Pakistan, the Philippines, Saudi Arabia, Switzerland, Spain, Singapore, Italy, Malaysia and elsewhere.
  • Carlos Perez-Melara wanted for a variety of cybercrimes—including running a fraudulent website in 2003 that offered customers a way to “catch a cheating lover.” Those who took the bait downloaded spyware that secretly installed a program on their computers that allowed scammers to steal the victims’ identities and personal information.
  • Syrian national Andrey Nabilevich Taame, wanted for his alleged role in Operation Ghost Click, a malware scheme that compromised more than four million computers in more than 100 countries between 2007 and October 2011; there were at least 500,000 victims in the United States alone.
  • Russian national Alexsey Belan wanted for allegedly remotely accessing the computer networks of three U.S.-based companies in 2012 and 2013 and stealing sensitive data as well as employees’ identities.

The FBI is offering separate rewards for information leading to their arrests, ranging anywhere from $50,000 to $100,000 each. It should also be noted that these men are all believed to still be living outside of the United States. Stay safe out there!

Resources:

http://www.fbi.gov/news/stories/2013/november/new-subjects-added-to-cybers-most-wanted-list/new-subjects-added-to-cybers-most-wanted-list