Backyard SSO Hero


So, my neighbor, Penny, peeks her head over the fence and asks me what I think about this SSO stuff.  What makes her think I even want to chat in the first place . . . the game is on and I’m stuck out here?  Can’t she see all these leaves taunting me because the leaf blower won’t start?  A more appropriate opening would have been something like, “Hey, my kids are looking for something to do. Can they rake your leaves for you?” But nevertheless, as I reluctantly get off my knees to graciously accept her unwanted invitation for fence banter, she continues with, “What does it even stand for?  People I work with have been throwing it around, and I feel like I’m missing out on something. Does it stand for ‘Sorry So Obvious’ or ‘Seek Some Outdoors’ or maybe some form of ‘See ya Soon’?”


She now has me amused, and I’m finding her unsolicited remarks more interesting than the task at hand.  I slowly get upright and reply to her with, “SSO stands for Single Sign-On, and you may have it in place if your workday is not interrupted by too many security logins to the various applications you use at work. You are able to save time with SSO.”


“Security logins?  What are those?” she replies.


“Do you have to provide an account name and password when you log into your computer in the morning?” I ask.


“Yes,” she states.


“Do you then have to provide additional username and password combinations to access other applications, such as SharePoint or Google Apps?”


“Oh, do you mean like Blackboard or my email?” she asks.


“Yes, exactly like Blackboard and Outlook Web App.  How do you like logging in that many times in one day?” I inquire.


“It drives me nuts!” she retorts.  “I have already shown the computer who I am, so why does it keep asking me to provide more names and passwords?!  Our IT guy tells us we need to make strong passwords with symbols, upper and lower case letters, and even numbers.  Oh noooo… you can’t even make it something that is easy to remember because it would be too easy to guess.  That’s hard enough, and then we can’t write it down! My job is stressful enough without having to be bothered with all these usernames and passwords, not to mention dealing with an IT staff member should you, dare I say it . . . forget your password.”


Whoa!  When did I become the neighborhood technical therapist? 😉 Anyway, football game and lawn work aside, Penny needs help and I’m the closest one to her at this point…  the sacrifices we dedicated IT people make. I reassured Penny, “Single Sign-On is going to be your best friend soon. You will be able to save time with SSO, and SSO reduces the phishing attack space. Not to mention, having SSO in place will eliminate most of the bad experiences you are having with passwords and authentication.”


Penny asks, “Soon?  Why do you say soon?”


I reply, “Because it’s obvious that your company has not implemented SSO yet, given your multiple logins, and it looks like you can be the hero who starts the revolution for your co-workers.  Here’s what you do when you get back to work on Monday.  See if you can find someone with buying power, and plant a seed with the following facts.

1. Save time with SSO! Save time not only for the individual users who no longer have to log in to everything, but also for the IT people who are currently supporting users with multiple accounts and passwords.

2. Remind that person how grateful the IT staff will be to the person who puts SSO in place and takes a lot of frustration and despair out of their work week.

3. And for the knockout blow, SSO reduces the phishing attack space. You can let that lucky person know that eliminating all those logins reduces the phishing attack space considerably.  Should they ask how to get started, you can give them the www.portalguard.com website.”


The next thing I know, I’m watching the game, and Penny’s kids are finishing up the yard work.

Breach Fatigue: Don’t Be a Victim


In recent weeks, the largest bank in the United States, JP Morgan Chase & Co., has fallen victim to cybercriminals.

Last Thursday, JP Morgan disclosed that hackers had obtained customer information: names, addresses, phone numbers, and e-mail addresses for over 76 million households and 7 million small businesses.

Scary, right?

One would think.

In the Washington Post article “Data breach fatigue follows two cyber intrusions”, Sarah Halzack reports that consumers are not as worried about data breaches as they should be.  A growing share of consumers ignore notifications that their data may have been stolen, and the majority did not stop doing business with companies that have been hit by cybercriminals.

Consumers need to overcome this breach fatigue, and here’s why:

With 579 data breaches reported so far this year, the pace of attacks is increasing.  With crucial information such as passwords or credit card numbers, cybercriminals may have direct access to one’s financial accounts. Although that is not the case for JP Morgan, identity theft can open the door to many more attacks.  In “Your JPMorgan account got hacked. Now what?”, author Danielle Douglas-Gabriel shares her concern that although the JPMorgan hackers do not possess any “critical” information about its users (i.e. passwords, user IDs or credit card numbers), consumers still need to be aware.  A name and an e-mail address, plus the knowledge that the person is a JPMorgan customer, are all an attacker needs to go further: with them, a hacker can send authentic-looking e-mails that appear to come from the bank and ask for exactly the critical information the breach did not expose. And in the blink of an eye, your identity is stolen.

So, are you protected?

As the age of the Internet and mobile devices is upon us, one needs to be proactive in securing one’s identity.  There are many different types of breaches and many different solutions that help protect against them.

One way to protect yourself from phishing e-mails is to never share sensitive data in response to an unsolicited message, whether by replying or through a link it contains; go to the institution’s site directly instead.  For more tips on preventing phishing scams, check out Lisa Eadicicco’s article “How to Avoid Phishing: 8 Tips to Protecting Your Digital Identity.”

Another way to blunt such an attack is to use a two-factor authentication solution.  Requiring a second factor in addition to the password adds a layer of protection: a criminal who phishes or steals the password alone still cannot get into the account.

So, as we inch closer and closer to a completely virtual world, consumers need to be aware of breach fatigue, the consequences it has in store, and how to overcome it.


http://www.pressherald.com/2014/10/07/data-breach-fatigue-follows-2-cyber-intrusions/

http://www.washingtonpost.com/news/get-there/wp/2014/10/03/your-jpmorgan-account-got-hacked-now-what/

http://scamicide.com


Government Surveillance, Time to Reform?


There has been a recent pushback against the government, which critics say is infringing on the privacy rights of users. Eight companies, AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo, co-authored a letter to President Obama stating their concerns. In the letter, the companies raised the issue of governments’ interference with users’ internet accounts worldwide and acknowledged that governments do need to protect their citizens, but not at the cost of civil liberties. Along with the letter, www.reformgovernmentsurveillance.com was created to raise awareness and call governments to action.

Request for Transparency

One of the biggest requests in the letter was for transparency. The website reformgovernmentsurveillance.com stated, “Governments should allow companies to publish the number and nature of government demands for user information.” Companies like Microsoft and Twitter recently announced further steps to ensure they are using the most advanced forms of encryption to protect their users’ information. Transparency from the government is a great concern for users and companies worldwide.

Request for Clearer Framework

Another major request the website reformgovernmentsurveillance.com brought to the forefront was the need for a “robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, such as improved mutual legal assistance treaty, or ‘MLAT,’ processes. Where the laws of one jurisdiction conflict with the laws of another, it is incumbent upon governments to work together to resolve the conflict.” For example, it is well known that in our country we have more freedom when it comes to internet use than in countries like China. An agreed-upon, transparent framework would avoid conflict between differing laws.

Request for Our Rights

The question that lies beneath all of this is at what point the rights of internet privacy and our constitution will be respected. The open letter to Obama on www.reformgovernmentsurveillance.com from the major companies states our constitutional rights in regard to internet safety most accurately.

“We understand that governments have a duty to protect their citizens, but this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change.”

In the words of Francois-Marie Arouet, better known as Voltaire, later reiterated by Uncle Ben to a soon to be superhero, “with great power, comes great responsibility.”


Resources:

http://www.reformgovernmentsurveillance.com/#

http://www.scmagazine.com//leading-tech-companies-make-joint-call-for-surveillance-reform/article/324795/

Do You Know Who is Watching You? Part 2


On Tuesday we covered the basics of Remote Access/Administration Trojans, also known as RATs. You can read that post here.

To dive deeper, one of the most common RATs is “Pandora”. The Pandora RAT gives an attacker access to the following on a compromised computer: files, processes, services, and active network connections.

If all of this doesn’t concern you, Pandora can also: remotely control the compromised desktop, take screenshots, record webcam footage, record audio, log keystrokes, steal passwords, download files, open Web pages, display onscreen messages, restart the compromised computer, hide the taskbar, and hide desktop icons. It can even cause one of the most dreaded failures: a system crash and the blue screen of death.  Like many RATs, Pandora is user friendly and can be operated by expert and beginner attackers alike.

There is a thriving underground market for RATs. They can be purchased from many websites and even appear for sale in hacking forums online.  Three items that commonly appear for sale alongside them are:

1) FUD, meaning “fully undetectable”: a build of the malware that no security vendor’s scanner currently flags

2) Crypters, tools that encrypt or otherwise scramble the malware’s bytes on disk and wrap them in a small stub that restores the original in memory at run time, so signature-based scanners no longer recognize the file

3) JDB (Java drive-by), in which a malicious Java applet is placed on a website disguised as a pop-up the visitor must accept to continue to the site
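As an added example (not code from the original post or from Symantec), this Python toy shows the security point behind the “crypter” item: a signature scanner that matches the plain sample finds nothing in the crypted file on disk, yet the stub recovers the identical bytes in memory when the file runs, which is why behaviour- and memory-based detection matter alongside signatures, and why high entropy is a common tell for packed or crypted files. The payload text, the signature list and the key are constructed stand-ins; a real crypter wraps an executable and uses a fresh key per build.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a RAT binary. A real sample would be a PE executable;
# a text blob is enough to show what a crypter does to signature matching.
PAYLOAD = b"PANDORA_RAT::open_webcam();log_keys();connect('c2.example.invalid',4444)"

# Constructed stand-in for an anti-virus signature database: byte patterns from known samples.
SIGNATURES = (b"PANDORA_RAT", b"open_webcam()", b"log_keys()")

# Fixed toy key (constructed). Real crypters pick a random key per build; fixed here so
# the output is reproducible.
KEY = b"\x5a\xa5\x3c\xc3\x0f\xf0\x69\x96"


def scan(blob: bytes) -> list:
    """Signature scan: return the known patterns present in the blob."""
    return [sig for sig in SIGNATURES if sig in blob]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def crypt(payload: bytes, key: bytes = KEY) -> bytes:
    """Toy crypter: stub header, key length, key, then the XOR-scrambled payload.
    The file on disk no longer contains the original bytes, so pattern matching fails."""
    return b"STUB" + bytes([len(key)]) + key + xor_bytes(payload, key)


def stub_run(blob: bytes) -> bytes:
    """What the stub does when executed: rebuild the original payload in memory.
    A memory scanner or behaviour monitor sees the real malware again at this point."""
    if blob[:4] != b"STUB":
        raise ValueError("not a crypted blob")
    klen = blob[4]
    key = blob[5:5 + klen]
    return xor_bytes(blob[5 + klen:], key)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. Crypted or packed regions score higher than
    plain code or text, which is a cheap heuristic for flagging such files."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def demo() -> dict:
    crypted = crypt(PAYLOAD)
    return {
        "plain_hits": scan(PAYLOAD),
        "crypted_hits": scan(crypted),
        "in_memory_hits": scan(stub_run(crypted)),
        "entropy_plain": entropy(PAYLOAD),
        "entropy_crypted": entropy(crypted),
        # Re-crypting with a different key changes the file hash: a hash blacklist of the
        # previous build is useless against the new one.
        "hash_build_a": hashlib.sha256(crypt(PAYLOAD, KEY)).hexdigest(),
        "hash_build_b": hashlib.sha256(crypt(PAYLOAD, KEY[::-1])).hexdigest(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The scan of the crypted blob is empty by construction: every second key byte has its high bit set, so the scrambled region cannot contain the ASCII signature strings, and the stub header matches none of them. The same bytes reappear once `stub_run` executes, which is the whole reason runtime protection is needed and a signature-only product can be bypassed by a crypter.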

A few rules to stay protected: keep your anti-virus software up to date, avoid opening e-mails that look suspicious or come from a sender you do not recognize, always be skeptical of links you receive from others, and only download files from sites you know to be trustworthy. Be aware of your webcam’s activity; if it does not have a shutter that closes, consider putting a piece of paper or tape over the lens as a precaution. Most importantly, use common sense: if your computer told you to drop it off a bridge, would you?


Resource:

http://www.symantec.com/connect/blogs/creepware-who-s-watching-you


Do You Know Who is Watching You? Part 1


Everyone knows at least one paranoid person who insists on covering the webcam of their computer. That precaution may be warranted, because attacks exist that take over your webcam and give an attacker remote access to your computer. According to Symantec, “Remote access Trojans (RATs), or what we (Symantec) are calling creepware, are programs that are installed without the victim’s knowledge and allow an attacker to have access and control of the compromised computer from a remote location.”

The two most common types are the Remote Access/Administration Tool and the Remote Access/Administration Trojan; the biggest difference between the two is that the Trojan is installed without the owner’s knowledge, for malicious purposes.  Remote access to your device is one of the major ways they take advantage of your computer, and there are lots of different pieces of malware out there that do it.

“Creepware,” as Symantec calls it, reverses the usual client/server roles: the victim’s computer becomes the server, and the attacker’s computer is the client that connects to it.  Once that connection is in place, the attacker can easily retrieve files from the victim’s machine. The motives vary from outright fraud to what the attacker considers a harmless prank. Most victims don’t report this type of crime until their reputation has been damaged, so the attackers often aren’t caught.  Many of these activities fall under the umbrella of cyberbullying.

The attackers get crafty and downright mean. In one instance they sent a pop-up to a victim’s screen saying “their webcam’s internal sensor needed to be cleaned. To do this, they were told to place the computer close to steam.” Many victims brought their laptops into the bathroom to “steam clean” their machines, but don’t most people understand that you are not supposed to put electronics near moisture?

Check back on Thursday for Part 2.

Resource:

http://www.symantec.com/connect/blogs/creepware-who-s-watching-you


P@ssw0rdS


Passwords: we all have them, but we can’t all remember them. A satirical observation on the complexity of passwords.

There is so much pressure on choosing the “right” or “R!6ht” password: it has to exceed 6 characters, so even though we really wanted to use our dog’s name, “Spot,” that won’t work since it’s only four characters. So we are left to think of some other variation that we may or may not remember. Then it becomes an ordeal just to remember: is it spot12, Spot123, or SPOT10, since he was ten when you created the password, but was that in human or dog years?

Passwords just aren’t fun anymore; they are stressful. Some people put too much pressure on themselves when creating a password; we promise it’s not like the pressure of trying to win a gold medal at the Olympics. On the other end of the spectrum, some people don’t put enough pressure on creating a strong password (cough) 123456.

Faith Salie once said, “It sometimes feels like the only person from whom your passwords are keeping you safe is YOU.” 1

After forgetting your password you then feel like you need to go to therapy, having been asked enough questions about your childhood to make your head spin. Maybe you don’t have the greatest childhood memories, and you are still recovering from being called “Chunky Monkey” for the first 13 years of your life. But sure enough, you are prompted to enter your childhood nickname.

“It may all lead to a profound existential crisis which leaves you yelling at your computer, ‘IT’S REALLY ME, I JUST FORGOT WHO I AM!!!’”1

Some people would argue that passwords are something we have just for the sake of making us feel safe rather than actually keeping us safe. We don’t agree: a hacker acquiring one or two of your passwords could bring your whole world crashing down. Your bank account could be drained, and even worse, they could potentially acquire your social security number and really do some damage.

So adopt password habits that you will remember, and maybe, if you are lucky, the organization you work for will implement single sign-on, if it hasn’t already.

Resource:

1.)    http://www.cbsnews.com/news/a-word-for-the-password-weary/

EU Behind the Times for Cyber Security


Often in our blog we focus on what is happening here in America, but we work with companies all over the globe. Recently, the European Commission surveyed over 27,000 people in the European Union about their internet use, security attitudes and experiences. 1  The survey showed that individuals in the EU were behind the times when it came to cyber security.

Just over a quarter of those surveyed only go online from their own hardware, and slightly fewer (24%) use unique passwords for different sites. Does this remind you of any recent breaches?

“Of those surveyed 48% of web users said they had not changed any of their online passwords in the last year. Out of those who had made changes, the highest figure was for webmail (31%) with social networks just behind on 26%. Online banking passwords were less likely to be changed, with only 20% changing in the last 12 months, and shopping site passwords were rarely changed, at only 12%. “1

These numbers seem slightly off, because you would think the information that could be obtained by hacking into your bank account would be more damaging than a social media account.  Naked Security adds that maybe this is a sign that more education is needed.

Most of the statistics in the report point back to a common fear of the risks of using the internet, so people put off taking advantage of all that it has to offer.  The catch is that most of these people are not even doing the basics to protect themselves.

If you have a fear about using the internet, take the time to educate yourself and those around you, whether it’s your family or co-workers.  Make sure you have strong passwords in place that cannot be easily guessed and that are not reused across sites. And if you do not have anti-virus software installed on your machine, then definitely take the time to do so.

You can read the full report (resource 2 below) for more statistics.

Resources:

1.)    http://nakedsecurity.sophos.com/2013/11/27/only-24-of-europeans-use-different-passwords-for-different-websites/

2.)    http://ec.europa.eu/public_opinion/archives/ebs/ebs_404_en.pdf

Wanted: Friendly Hackers for the “Bug Bounty Program”

HackerOne started the Internet Bug Bounty program with the goal of “Rewarding friendly hackers who contribute to a more secure internet.”1 The bounty is sponsored by two industry leaders, Facebook and Microsoft, which are constantly looking to improve the experience of their users. It has also been rumored that Google is co-sponsoring the project.2

The program targets vulnerabilities with a heightened potential to adversely affect a large number of internet users; once a deficiency is identified, it is brought to the respective project owner and addressed.

“Microsoft and Facebook also assembled a list of 11 open source projects, making specific information on cash rewards available for each,” 3 according to SC Magazine.

The list of 11 open source projects includes: Python, Ruby, PHP and Perl interpreters; the Django, Ruby on Rails and Phabricator development tools and frameworks; the Apache and Nginx Web servers, and the application sandbox mechanisms of Google Chrome, Internet Explorer 10, Adobe Reader and Flash Player.

“The highlighted open source projects were chosen according to how ‘critical’ the projects were to users,” Alex Rice, a product security lead at Facebook, told SC Magazine. 3

HackerOne’s reasoning for starting the program: “Some of the most critical vulnerabilities in the internet’s history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism.”4

The concept of the program is great, and seeing major companies back it will only help the future of bug bounties. Who knows, programs like this could even turn around some of the stereotypes that currently surround hackers.

Resources:

1.       https://hackerone.com/ibb

2.       http://www.infoworld.com/d/security/microsoft-google-and-facebook-team-new-bug-bounty-program-230396  

3.       http://www.scmagazine.com/facebook-bug-bounty-program-for-internet-will-likely-expand-open-source-focus/article/320236/1/

4.       https://hackerone.com/faq

Internet Explorer Exploit

“Attack code that exploits an unpatched vulnerability found in all supported versions of Internet Explorer has been released into the wild. This means that cyberattacks could now surge and affect Internet Explorer users.”1

Freelance journalist Dara Kerr reported through CNET that Rapid7 has added an exploit module for the IE vulnerability CVE-2013-3893 to its Metasploit penetration testing framework, making the details of the attack available to the world, including cybercriminals.

It is thought that the vulnerability has been exploited in the wild for close to 4 months, with most of the attacks occurring in Japan and Taiwan, according to PCWorld.

Microsoft is aware of the defect and is working on a permanent patch.  Microsoft acknowledged the problem and released a “Fix It” workaround tool last month.  The next batch of security updates from Microsoft is scheduled for Oct. 8th, and there has been no indication whether a permanent fix for this issue will be included.

Here is Microsoft’s official release on the vulnerability:

Microsoft has completed the investigation into a public report of this vulnerability. We have issued the MS13-080 security bulletin to address the Internet Explorer memory corruption vulnerability (CVE-2013-3893). For more information about this issue, including download links for an available security update, see MS13-080.2

Brian Krebs has this additional information to add in his article on the topic:

Microsoft said it is aware of targeted attacks that attempt to exploit the vulnerability (CVE-2013-3893) in IE 8 and IE 9 versions of the default Windows browser. According to an advisory issued today, the flaw is a remote code bug, which means malware or miscreants could use it to install malware just by coaxing IE users to browse a hacked or malicious Web site.3


Resources:

1.       http://news.cnet.com/8301-1009_3-57605601-83/internet-explorer-exploit-release-could-trigger-a-surge-in-attacks/

2.       https://support.microsoft.com/kb/2887505

3.       http://krebsonsecurity.com/tag/cve-2013-3893/

Malware + ATM = Free Cash

Recently, there have been malware attacks on ATMs in Mexico. These are not the typical card-skimmer scams; rather, the criminals install a piece of malware that can dispense cash on demand. “Ploutus” is the name of the malware, which currently has to be installed manually on the machine via its CD-ROM drive. That means these money-hungry criminals have to physically break into the machines to install the software.

Safensoft, a Russian security firm, made the discovery late last month. Stanislav Shevchenko, its chief technology officer, said, “The emergence of new malware with ability to directly extract cash from ATMs is a very alarming sign for self-service device security.”

At this point, reports show that once the machine has been physically broken into, a sequence of events has to happen in order for the ATM to dispense money to the criminals. Part of this process is a specific key combination that must be entered via an external keyboard.

At this time, there have only been reports of this software affecting machines in Mexico, but that does not mean these incidents will necessarily stay confined there. This type of crime is new and is alarming to banks and ATM owners, considering the criminals can drain an ATM of all of its cash quickly.

References:

http://www.theregister.co.uk/2013/10/11/mexico_atm_malware_scam/