December 19, 2012

Happy Birthday! Reaching a milestone...

This blog made it to the one year mark!

H-A-P-P-Y   B-I-R-T-H-D-A-Y!

While sitting in a public affairs briefing with my mind somewhere between day dreaming and wondering when the speaker was going to be done talking, I heard a line that stuck with me. Most blogs do not make it to the one year mark.

Admittedly, when I first started this blog, I had grand visions in my mind of how my readership would quickly swell and I would rake in big bucks from the site advertisements. Within the first month, I had nine posts with many more in draft form waiting to be published for my adoring fans. I was reading anything I could find on successful blogging and increasing readership. I was going to make a name for myself in the security field. I knew it!

Let me tell you that those fantasies crashed and burned big time. Life began to get in the way of my blogging success. Family, work, and eventually school began to interfere with my blog writing. My posting slowly dwindled from only a couple of posts a month to going a couple of months without a post. I was lucky if I got over 200 views in a month. The only comment I received the entire year on any of my postings was easily categorized as spam.

Thankfully, I have a steady paycheck from my non-blogging job, which allows me to attend to this blog as a hobby. As I mentioned in the "Why this blog?" post, the primary point of this blog was not to strike it rich, but to improve my skills. I hope my writing improved over the year. If not, I guess I will keep torturing you and other readers with another year's worth of posts! Here is to another year :)

Instagram Update!

 
Instagram is revising its recently updated terms of agreement, due to the outcry from users and news outlets about them. This provides a great example of what happens when users push back against intrusive policies.

Instagram's recent blog post addressing the controversial changes to their terms stated:

           "From the start, Instagram was created to become a business. Advertising is one of many ways that Instagram can become a self-sustaining business, but not the only one. Our intention in updating the terms was to communicate that we’d like to experiment with innovative advertising that feels appropriate on Instagram. Instead it was interpreted by many that we were going to sell your photos to others without any compensation. This is not true and it is our mistake that this language is confusing. To be clear: it is not our intention to sell your photos. We are working on updated language in the terms to make sure this is clear...The language we proposed also raised question about whether your photos can be part of an advertisement. We do not have plans for anything like this and because of that we’re going to remove the language that raised the question. Our main goal is to avoid things like advertising banners you see in other apps that would hurt the Instagram user experience. Instead, we want to create meaningful ways to help you discover new and interesting accounts and content while building a self-sustaining business at the same time."

You can read the entire post at: http://blog.instagram.com/post/38252135408/thank-you-and-were-listening.

December 18, 2012

Instagram Policy Changes



As part of their merger with the social media giant, Facebook, Instagram changed their user policy. In case you were not aware, Instagram is a quirky photo sharing platform that lets you add various filters and share with friends. Earlier this year, they were bought out by Facebook. The new terms are not in the users' favor and go into effect January 16, 2013.
 
Located in the "Rights" section of the updated terms: "Some or all of the Service may be supported by advertising revenue. To help us deliver interesting paid or sponsored content or promotions, you agree that a business or other entity may pay us to display your username, likeness, photos (along with any associated metadata), and/or actions you take, in connection with paid or sponsored content or promotions, without any compensation to you. If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to this provision (and the use of your name, likeness, username, and/or photos (along with any associated metadata)) on your behalf." 
 
Another way to say it is, we're going to make money off your stuff and you get nothing. But wait, there is more. The updated agreement also states "You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such." Certainly a fancy way of saying, we're not telling you when we're making money off of your stuff. 

You can read all terms for yourself at http://instagram.com/about/legal/terms/updated/.
 
All of a sudden that free, cool app came with a price tag! Considering not many people read the terms of agreement before clicking "I agree," I wonder how many people will unwittingly provide their information and pictures for somebody else's profit. This certainly adds a new dimension to privacy concerns. The only way to get out of these new terms is to delete your account and stop using their services.
 
 

December 17, 2012

Creating Real Security Awareness: STEP 2


After starting the first step in the security awareness cycle, it's time to continue on with the next step.

Step 2: Identify the Audience.

As with any briefing, article or other form of communication, you need to identify the audience you are trying to target. Why? Because if you are going to have an effective security awareness program, your content must be engaging. To catch people's attention you must tailor your message to them. Prior to crafting that special message, you need to know who you are tailoring it to. Identifying your audience first helps you later down the road. Trust me!

Now back to identifying the audience. As with most general security specialists, you probably want to target the workforce. Great! We narrowed the field down some. From here, break them down into groups and possibly further into sub-groups, for instance work groups (professional vs. entry level, administrative support vs. management), age (baby boomer vs. generation Y), and educational level. Keep in mind the mentioned groupings are only suggestions. There are a variety of grouping types; the only thing stopping you is your imagination. For example, in a school setting the different audience groups you have are teachers, students, administrators, support staff, and parents. Each group is distinctly different from the others. The next two parts of this step help you in defining your audience, which will help you in crafting a message that hits the target.

Communication.
(Image caption: Defining the audience helps you in crafting a message that hits the target.)
After identifying the audience groupings, research their communication preferences. For example, generation Y members are typically more comfortable with computer based instructions and social media, while baby boomer members typically prefer more face-to-face interactions and reading hard copy material. Identifying how the different groups communicate, allows you to focus efforts on communication platforms that provide a better return on your time. Additionally, you increase your chances of overcoming communication barriers.

Interests.
Another part of defining your audience is looking at their interests. This becomes key in creating engaging material for your security awareness program. To illustrate my point, I will use a preschool classroom as a setting. When I had to teach a preschool Sunday School class, I had to look for material that would interest the class. Considering 12 out of the 16 kids in the class were energetic boys that wanted to play super heroes, I focused on activities that required movement and taught the lesson as heroes from the Bible. This approach not only caught their interest and preoccupied them, it helped them to remember the message. After all, when you're done running your security awareness campaign, you want your audience to remember the message.

Other articles in this series:
#1. Creating Real Security Awareness: Identify the requirement
Intro. Creating Real Security Awareness

December 4, 2012

Creating Real Security Awareness: Identify the requirement

Continuing from our initial "Creating Real Security Awareness" post, we're breaking down the process. The most logical place to start is at step one, identifying the requirement.

Step One: Identify a requirement/need
(Image caption: What message is conveyed? Does anybody learn about security?)

This step is the starting point and is what helps you focus your awareness campaign. Okay, I admit, this is not the step where you get to let your creative juices flow, but you will later. Trust me! In order to develop a true awareness program, you must identify what you are raising awareness about. Granted, you want to raise people's awareness about security, but a generalized approach achieves nothing. It's too broad!

You need to identify a specific requirement, which does not mean quoting some regulation. YAWN! Look at your organization, workforce, and customer base to see if they are lacking in needed security knowledge or complacent in their security responsibilities.
 
Some questions you may want to ask:
Is there a recent change in security policy due to a change in threat? Do people understand why we have the security rules in place? Are there multiple security infractions? Do people know how or what to report? Can people easily find security information related to their job?

(Image caption: Eye catching and provides a quick take away. People will likely remember this policy.)
I hate repeating myself. If you don't believe me, go ask my kids. There are so many better things to be doing with my time than repeating something already said or done. At least that is how I feel. So when I get multiple phone calls from people asking the same question, I get frustrated, because I equate it to redoing work. (Needless to say, I don't work in customer service.) Besides my own personal annoyance, this also provides a clue that information people want to know is not readily available. In the security industry, this is also referred to as an indicator. An awareness campaign focused on providing wanted information gives the workforce the required information and reduces my phone calls. Win-win in my book.

You could go through the extra work of conducting a survey across the workforce, but if we're truly honest with ourselves, I think we could come up with a couple of requirements on our own. Personally, I keep an ongoing list in a small notebook as issues arise while I perform my other duties. If you are actively engaged in your security program, you will never run out of fodder for an awareness campaign with this approach.


December 3, 2012

Creating Real Security Awareness

"Oh no! Not another PowerPoint Briefing!!"

(Image caption: Cheesy posters that provide nothing. No indicators of reportable info. No threat. Why bother?)
If people scream this as they run out to the hallways to escape the mind numbing sensation your security awareness program invokes, it may be time to rethink your approach.

Throughout major corporations and government agencies, you may see cheesy security posters hanging in various locations. If you've been employed by these entities for any length of time, you've probably endured your fair share of the annual security "death by PowerPoint" training that contained nothing more than security jargon and corny clip art. Unfortunately, some so-called security practitioners call this a security awareness program.

Effective awareness is more than annual PowerPoint slides and posters.

(Image caption: Generic over-generalization with no valuable information. What are people supposed to take away from this?)
Earlier this year, Ira Winkler, a top security professional (read his bio here), wrote that "awareness mitigates non-technical issues that technology can't...you will find that security awareness is one of the most reliable security measures available." (Winkler, 2012) An effective awareness program is a great return on investment, but it requires more than the obligatory annual PowerPoint security training and posters. In order for a security awareness program to be effective, it must engage people and impart a message. I personally find that explaining the reasons, otherwise known as the "why," behind established security rules helps win over converts to the cause. Additionally, providing real examples of the threat the rules were designed to protect against helps users see security from a different aspect.

While there may be different models out there, I use the following steps in creating a tailored awareness program. You can call it my awareness cycle.

1) Identify a requirement/need
2) Identify audience
3) Research
4) Develop a communication plan
5) Develop material
6) Execute
7) Evaluate

Then repeat as necessary. Upcoming posts will cover each of these steps in more depth. Stay tuned!

September 22, 2012

Brief History of Security


Even though security today encompasses various high-tech equipment and specialized training, it started from very humble beginnings. According to Abraham Maslow’s hierarchy of needs model, a person’s basic needs break down into eight specific categories. After fulfilling the primary biological needs at the base of the model, man craves safety as the second category. This craving encompasses protection, stability, and security. In medieval times, journeys outside the protected village walls were fraught with danger, so wealthier citizens employed armed men for protection. During this timeframe, people relied on their basic societal structure for security and lacked an organized police force. Back in 1285, England passed the Statute of Westminster. This formalized the watch and ward system, which required every able man to pursue criminals when somebody raised a "hue and cry."

By 1700, the social structure of rural Middle Ages England was breaking down through increased urbanization. Urbanization brought a set of different problems, since large cities lacked public law enforcement agencies to respond to the increased violence. The growing populace required a dedicated security force to efficiently enforce the societal laws. Sir Robert Peel’s London Metropolitan Police Act established a professional public police force, and major metro areas within the Western world followed suit. Unfortunately, during the 19th and early 20th Centuries localized security created jurisdiction issues. Additionally, local police were often ill equipped and lacked training. Private security stepped up to fill the void. Many people skeptical of law enforcement capabilities turned to Pinkerton’s Protective Police Patrol or similar agencies. During this era, many investigative and protection businesses, started by men with little to no security experience or training, began popping up across the United States.

Within the early part of the 20th Century, the United States went through a national heightened emphasis on government security, which pushed the spotlight onto the public sector security. During this timeframe, the U.S. formed a national law enforcement entity, the Federal Bureau of Investigation, which had broader jurisdiction lines to chase running fugitives. Gradually, investigative and police techniques and training developed, increasing police departments’ effectiveness. Private security shifted its focus more towards asset protection.

References:

Fischer, R. J., & Green, G. (2004). Introduction to security (7th ed.). Burlington, MA: Elsevier.

Johnson, B. (2004). Principles of security management. Upper Saddle River, NJ: Pearson-Prentice Hall.

Keena, L.D. (2009) CJ100 Introduction to criminal justice: History of law enforcement. Southeast Missouri State University. Retrieved from http://cstl-hhs.semo.edu/keena/history_of_policing.htm

McLeod, S. A. (2007). Maslow's Hierarchy of Needs. Retrieved from http://www.simplypsychology.org/maslow.html

August 23, 2012

Security Terms

I will routinely update this post to provide definitions to various security terms used throughout this blog.

Phishing: The best definition comes from Webopedia: "The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft...also referred to as brand spoofing or carding, is a variation on "fishing," the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting."

No Green Light on Using Red Light Cameras

Image from The Expired Meter
In early July, Police.com published an article about the red-light cameras in the Seattle, WA area. These cameras became a recent hot topic because a couple of recent murders occurred in the vicinity of traffic cameras in Seattle. There is a possibility that these cameras may have caught images that could help investigators, such as a picture of the gunman or fleeing vehicle. Due to the 2005 Washington State law, police investigators may never know, because the red-light cameras cannot be used in criminal investigations, including serious crimes.


Why so strict?
In the midst of protests against the placement of these cameras, Washington State law makers wrote the strict language into the law to appease the privacy right activists. These cameras were viewed as an erosion of privacy. While there are issues with red light cameras, I am skeptical about the privacy concern claim.

While State lawmakers are promising to review this law, I question how preventing law enforcement from using these cameras during legal investigations helps quell privacy concerns. Typically, zero tolerance laws and policies are nothing more than "feel good" rules. If the concern is so great, why not give the courts the authority to grant permission through a special warrant, like a search warrant? This provides oversight to protect privacy concerns, while granting law enforcement investigators valuable tools.

And to all the privacy advocates that created such a scene back in 2005 about these cameras: where are your protests about the invasive practices of private companies?

July 25, 2012

Why this blog?

During a previous performance review, I was told I need to work on my written communication skills. While my supervisor at the time failed to mention any specifics on how to accomplish this (I guess his communication skills could have used some refining), I looked at ways of improving this skill set. I mean, the whole point of a performance evaluation is to take it under consideration and improve, right?

My organization would not pay for any writing training, since the budget was tight due to the economy. I certainly was not going to pay out of my own pocket to torture myself with writing lessons, so I started blogging to torture others...I mean to EDUCATE others. It provides a great way to practice my writing, and tangible evidence to show my boss I took his suggestion seriously. The only way to get better at writing is to keep writing. Plus it was within my price range...FREE! There will be grammatical mistakes as I continue to work on my written communication skills, but I will try my best to minimize them. With each post, I improve... well that's the theory.

I have been working in the security field for a number of years. Ever the proverbial “jack of all trades,” I dabble in all the security disciplines without really specializing in one particular area (i.e. personnel, physical, antiterrorism, information). At times I come across as a know-it-all, but I’m really not. I just really like to share information and my passion with others (another reason for the blog).

It is a scary world out there. Security does not always require high tech gadgets or living under a rock. All it really takes are some simple common sense steps. With this blog I hope to educate others on how to use simple steps in keeping themselves secure.

July 24, 2012

New Security Shoe Insole

A recent Associated Press article, "New lab working on security shoe sole to ID people," looks at the new development of shoe insoles that analyze and read your gait. According to Wikipedia (the unauthorized resource for all college students), gait "style can be used as a biometric identifier to identify individual people." It is only a fancy way of saying your walk is uniquely you.

These security shoe soles contain "[s]ensors in the bio-soles [that] check the pressure of feet, monitor gait, and use a microcomputer to compare the patterns to a master file for that person. If the patterns [don't match]... a wireless alarm message can go out."

For those thinking, "How would these new shoes work when you hurt yourself and start limping?", the lab has you covered. The bio-soles are being designed to detect variances in an individual's gait due to injuries and other factors which temporarily change a person's gait.

Considering the U.S. Department of Defense and the Chinese conducted previous research in gait analysis for access control, it is not too far-fetched an idea. If the lab is successful in reaching the intended design, they would end up being just one of many biometric options for security, such as retina scans and fingerprint scans.

The article states the Carnegie Mellon University's new Pedo-Biometrics Lab in Pittsburgh, PA "is working to perfect special shoe insoles that can help monitor access to high-security areas, like nuclear power plants or special military bases." Since some military restricted areas do not permit wireless alarms due to security concerns, the shoe insoles may have a smaller buying sector than originally thought.

As a security practitioner, I am leery about whether these devices would be worth the price (installation and maintenance) and manpower involved. Retina and fingerprint scanning have been around for a number of years, and I find them to be more trouble than they are really worth. Don't get me wrong, they look AWESOME in the spy movies, but that doesn't always transfer over well into the real world. The equipment (software, readers and other hardware) is typically sensitive to the elements and prone to extensive maintenance upkeep. In a tough economy, where organizations are seeing shrinking budgets, I would really conduct a benefits analysis before investing in biometrics. Considering part of the Pedo-Biometrics Lab's targeted clientele, "special military bases," typically are exposed to the harsh elements of mother nature, how do they intend to make the bio-sole more reliable?

Privacy Concern.
Of course any biometrics device has privacy advocates concerned, since these devices can be looked at as tracking devices. According to Lee Tien, an attorney at the free speech and privacy nonprofit Electronic Frontier Foundation, these biometric shoe insoles could potentially be covertly implanted into shoes to spy on people. (Associated Press, 2012)

While this certainly provides good fodder for late night conspiracy theorists, I highly doubt these bio-soles would be mass produced to the level of tracking people. As a privacy lawyer, you would think he would be more concerned about facial recognition software (currently available) than some future gadget that may never make it out of demonstration mode.

July 23, 2012

Facebook Phishing Trip

Image from blog How to Hack Facebook Accounts
The popular social media website Facebook is riddled with security concerns, and with a large following (according to Check Facebook, there are over 800 million accounts) cybercriminals are finding creative ways to exploit them. According to a July 9, 2012 Hoax-Slayer update, cybercrooks added a new twist to the old phishing email scams of a decade ago by combining them with social media.

The approach: an unsuspecting Facebook user receives a message (it can be a wall posting, instant message or email) about a new Facebook site with erotic content. Does anybody else notice that most spam has an erotic appeal to it? I guess there are the spam messages from the rich lady or long lost relative in a foreign country, but I'm getting off topic.

When the user clicks on a link in the message, they're directed to a fake site set up to look like a typical Facebook page, BUT WAIT! This page quickly takes you to a spoofed Facebook login page. The scam goes a bit further, because users that try to log in with their Facebook credentials are "taken to a typical survey scam site that promises them free items or prize entries in exchange for participating in various surveys or offers. Login details submitted on the fake page can be collected by scammers and used to hijack the user's real Facebook page. Users will never receive the promised gift or prize entry no matter how many surveys or offers they complete." (Christensen, 2012)

If you fell victim to this particular spoof, I have two pieces of advice for you.
First and foremost, change your password NOW. Do it while you still have access to your account.

Second, stop clicking on messages promising erotic delights. It's only going to get you in trouble, and I'm not just talking about computer problems. Think about it!

What do cybercrooks plan to do with your hijacked Facebook account? It is hard to say, but I'm certain it is not to update your friends about what's for dinner. Perhaps they plan to use your account for another type of Facebook scam mentioned in our January post, "Scammed by Facebook Security?" Or use the information gleaned from your account for more nefarious plots, such as the one mentioned in our May post, "Exploiting Technology: 3 Methods Identity Thieves Use." Yeah, stealing your identity!
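The spoof described above works because the fake login page sits on a hostname that merely contains the word "facebook." As an added example (not code from Hoax-Slayer, Facebook, or this blog), here is a small Python check that pulls the links out of a message and flags any whose hostname uses a brand name without actually being under the brand's real domain. The brand-to-domain map and the sample message are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed map of brand keyword -> registrable domains the brand really uses.
# Constructed for this example; extend it for other brands you care about.
LEGIT_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
}

# Crude URL extractor: good enough for e-mail, wall posts and chat messages.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_under_domain(host: str, domain: str) -> bool:
    """True only if host IS domain or a subdomain of it.

    A plain substring test would accept "notfacebook.com" and
    "www.facebook.com.evil.example"; the suffix test with a leading dot
    does not.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a single URL."""
    host = urlsplit(url).hostname or ""
    for brand, domains in LEGIT_DOMAINS.items():
        if any(is_under_domain(host, d) for d in domains):
            return "legit"
        # The brand name is in the hostname, but the registrable domain is
        # somebody else's: the pattern a spoofed login page relies on.
        if brand in host:
            return "lookalike"
    return "unrelated"


def find_lookalike_links(message: str) -> list:
    """Extract every URL in the message and keep the ones impersonating a brand."""
    return [u for u in URL_RE.findall(message) if classify_link(u) == "lookalike"]


# Constructed sample in the style of the message the post describes.
SAMPLE_MESSAGE = (
    "Check out the new Facebook site! Log in at "
    "http://www.facebook.com.login-verify.example/ or "
    "http://facebook-secure.example/login?next=survey "
    "(the real site is https://www.facebook.com/)"
)

if __name__ == "__main__":
    for link in URL_RE.findall(SAMPLE_MESSAGE):
        print(f"{classify_link(link):10s} {link}")
```

The important detail is the suffix test in `is_under_domain`: checking that the hostname ends with `.facebook.com` (or equals it) is what separates `m.facebook.com` from `www.facebook.com.login-verify.example`, which a naive "contains facebook.com" test would wave through.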

July 10, 2012

A Shredder Review

Today Yahoo featured an article from Good House Keeping on the best paper shredder. Link: http://shopping.yahoo.com/news/best-paper-shredders.html

It is really nice to see them featuring a helpful article, rather than the typical cheesy, pop culture entertainment stories that run rampant.

Identity theft is a very real threat, especially in today's cash-strapped society. As previously mentioned in our post Identity Theft, Part II, shredding documents with sensitive information can save you from dealing with this major headache. The information identity thieves use can typically be found in our trash or, for my eco-friendly readers, recycling bin.

Our basic shredder recommendation is to use cross-cut, also known as confetti cut, shredders. The smaller the confetti, the better. This is far more secure than strip cut shredders, which, in my opinion, are a waste of money. I guess the good people at Good House Keeping didn't really have this basic in mind when testing "the best paper shredder," since their main criterion for being the best was how many pieces of paper it could handle.

If you are in the market for an office shredder, then that might be an important deciding factor. Honestly for home use, it shouldn't be that big of a deal. Considering most of their "best" were over $50, the average home user could get away with a cheaper shredder...a cross-cut one!

While I certainly see this featured article as a step in raising our collective security awareness, it is still missing some basics.

May 31, 2012

Out-of-office reply

It's a typical business practice to set your email account to auto-reply to emails, alerting the sender that you're out of the office and will not be able to reply in a timely manner; however, are we giving out too much information with these replies?
I received an out-of-office reply stating:
"I am at (location blocked) for an assessment, so I'll be out from 1-10 July."
Since the location was in a different country, it tells me his home will be vacant. Additionally, the message states how long he'll be out, so it's a good indicator on how long he'll be out of the house.

Oh, you say that I don't know where he lives?

With a little research, I could probably find out where he lives, since people tend to post too much on Facebook (as mentioned in our post "Status Update Overload?") and data aggregators (like Spokeo or Pipl) typically provide address/contact information.

For those unaware of digital data aggregators, they search through the internet, public record databases and elements of the deep web. If you haven't used either Spokeo or Pipl, I suggest you give them a try. They do a more in-depth search than Google or any other typical search engine. There is more information about you out there than you realize.

Once I find an address, it's time to do some surveillance...I prefer to start out with Google Earth, which lets me do extensive research of the area visually, as well as develop routes of travel, all from the comfort of my home. Additionally, I can find out how far his home is from local law enforcement, which allows me to calculate the response time.

Then I do a drive through the neighborhood and by the house to see if there are any other indicators that the house is not occupied, such as an unkempt lawn, no vehicles in the driveway, or multiple newspapers lying at the end of the driveway.

But back to the out-of-office reply. Is it really necessary to tell me exactly where you are? I'm certain that the important people with a valid reason to know, know where you're at and why you're out, so you don't need to advertise it in your out-of-office that automatically goes out to anybody who happens to send you an email.

What should the out-of-office reply state? How do you prevent me from going down this rabbit hole? Check out the below.
"I am currently out of the office from 1-10 July and will not be able to respond."
Nice, simple and straight to the point. It accomplishes the point without giving out more than required.
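As an added example (written for this page, not something from the post's author), the following Python lint applies the post's rule mechanically to an auto-reply draft before it is saved: it flags a location cue (at/in/visiting followed by a capitalised place name) and a stated reason for the absence, while leaving the dates alone because the recommended reply keeps them. The cue lists, the "Lisbon office" stand-in for the blocked location, and the two sample replies are constructed assumptions.

```python
import re

# Capitalised words that can follow a location preposition but are not places.
NOT_PLACES = {
    "I", "January", "February", "March", "April", "May", "June", "July",
    "August", "September", "October", "November", "December",
}

# A preposition followed by a capitalised name: "at Lisbon", "in the Berlin
# office", "visiting Tokyo". Constructed cue list for this example.
LOCATION_RE = re.compile(
    r"\b(?:at|in|visiting|travell?ing to)\s+(?:the\s+)?([A-Z][A-Za-z.]+)"
)

# Words that tell the recipient *why* you are away. Also constructed.
REASON_WORDS = ("assessment", "conference", "vacation", "holiday",
                "audit", "training", "site visit")


def review_auto_reply(text: str) -> list:
    """Return a list of findings; an empty list means the reply is minimal."""
    findings = []
    for match in LOCATION_RE.finditer(text):
        if match.group(1) in NOT_PLACES:
            continue  # "in July" is a date, not a location
        findings.append(f"location disclosed: {match.group(0)!r}")
    lowered = text.lower()
    for word in REASON_WORDS:
        if word in lowered:
            findings.append(f"reason disclosed: {word!r}")
    return findings


# Constructed samples: the first mirrors the reply the post quotes, with the
# blocked location replaced by an invented one; the second is the post's fix.
LEAKY_REPLY = ("I am at the Lisbon office for an assessment, "
               "so I'll be out from 1-10 July.")
MINIMAL_REPLY = ("I am currently out of the office from 1-10 July "
                 "and will not be able to respond.")

if __name__ == "__main__":
    for reply in (LEAKY_REPLY, MINIMAL_REPLY):
        print(reply)
        for finding in review_auto_reply(reply) or ["ok: nothing beyond dates"]:
            print("  ", finding)
```

The check is deliberately lenient about dates and strict about places and reasons, which matches the post's point: the sender needs to know when you will be back, not where you went or why.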

May 21, 2012

Exploiting Technology: 3 Methods Identity Thieves Use

Earlier this month in the Financially Fit section of Shine from Yahoo, there was an article by Woman’s Day’s Daisy Chan on “How to Prevent Identity Theft.” With a title like that, you’re thinking it will be chock full of useful tips for keeping your identity out of ill-intentioned hands. Sadly, it only covers 3 recently developed approaches identity thieves and other cybercriminals are taking. While still good information, it left me wanting more. I suppose my expectations were a little higher. Enough with the review, let’s get to the information you can use.
Those sneaky thieves are adaptable creatures and are using popular technology trends to help them part you from your money. We’re going to look at three methods they’re using.
Method: Using Social Networks.
Image from Mashable
The best scams are where the perpetrator comes off as a trusted source and/or somebody that the “mark” can easily relate to. With the increase of over-sharing in social networks, finding out information on somebody else shouldn’t be too difficult. Check out the different Facebook and Twitter accounts and I’m sure you can learn a lot about an individual. In fact, in another article, 24/7 Wall Street’s “Nine Major Ways Criminals Use Facebook,” mining unprotected information was listed, since “users frequently reveal their emails, phone numbers, addresses, birth dates and other pieces of private data. As security experts and hackers know, this kind of information is often used as passwords or as answers to secret security questions…it can be a means to more pernicious ends such as…identity theft.” [cue horrifying music, dum dum dum].
Security Measure: As stated in our March post, “Status update overload?”, use the privacy settings, use a strong password, only accept friend requests from actual people you know and “spring clean” your profile. The main thing is, don’t place that information on your profile in the first place. The only thing you really need for a Facebook or Twitter account is an email and a name. In fact, it doesn’t even need to be your real name, just a name. Come up with a good stage name. Granted, they might ask for your birthday, but are they actually going to check your birth certificate or other official documentation to see if the information you’re providing is correct? Um, the answer is no.
Method: Smartphone apps.
There are thousands and thousands of applications out there for you to easily download to your handy, dandy, little smartphone. Some are innocuous, but some are nothing more than cleverly disguised malware that installs spyware or keyloggers onto your beloved mobile device. With more and more people using their mobile devices to access sensitive accounts (e.g., a bank account), you can start to see the danger of these menacing apps.
Security Measure: In our "Secure That App" post, we covered some useful security tips to counter this threat, such as only downloading apps from known sources, avoiding brand new apps and being leery of apps that require access to your sensitive information. Of course, it is not always easy to tell a legitimate application from a fake one. Just like a computer, if your smartphone suddenly starts to run very slowly, it might have caught a bug. Additionally, CSO Online states "keep an eye on your wireless bill. Some rogue apps... make expense calls [or subscribe you] to one of those annoying services that automatically bill you every month for things like ring tones..."

Method: Wi-Fi Hot Spots.

Think twice before you connect your laptop to a free public wireless network while waiting for your next flight at the airport or sipping on your fu-fu coffee at the local coffee shop. These hotspots are not encrypted, leaving hackers and potential identity thieves a venue into your laptop or smartphone to collect sensitive information stored or typed on your device. According to the Better Business Bureau (BBB), you don't need to "be sophisticated computer hackers. The computer hacking tools are available on the web for free and show how to snatch unencrypted information."

Security Measure: If you're browsing the Internet through your smartphone, use your phone's 3G or 4G network instead of the wi-fi option. If you're going the laptop route, use secure connections (https) or a virtual private network (VPN). Don't access the hotspot through the administrator account; use a guest account with limited rights. If a hacker does manage to snag you, the damage will be minimized if you're using a basic account with limited permissions.

May 18, 2012

Secure That App!

The use of smart phones is becoming prevalent throughout our society, especially as technology adapts to provide these items at lower prices. They're pretty handy acting as portable cameras and computers... oh, I think they also take phone calls, too. In essence, mobile devices have invaded our lives to become essential tools in our daily endeavors, both professionally and personally.

Got an app for that.

Of course, the great thing about smart phones is the different applications you can download. We install various games and software on our computers, so why wouldn't we do the same for our hand-held mini computers?

There are thousands and thousands of various applications to choose from. It seems like the numbers grow by the second. Some are fun little games to play while sitting in a waiting room, others are awesome little time savers that streamline your social media life (need to keep my thousands of followers updated on my whereabouts).

Of course, with so many apps there is also a wide variety of sources... some very reputable, others from questionable backgrounds.

Back in February 2012, SANS Securing The Human released their monthly security newsletter, OUCH!, covering tips on how you can secure your mobile device apps. What's nice is that the newsletter is written at the basic user level, so you don't need to be a techie to learn the best security practices for securing your device. Below are the top 6 tips:

6 Security Tips for Smart Phone Apps:

1) Download from known, trusted sources. Seems common sense, so why are so many downloading from concerning sites?

2) Avoid brand new apps. Let somebody else be the guinea pig to work out the bugs; you've got better things to do with your time.

3) Remove unwanted/unused apps. Each additional app creates a vulnerability. Why accept the vulnerability if it does not provide you with a continuing benefit?

4) Be leery of apps requesting personal sensitive information. Does the app really need access to my birthday, contacts and such to fulfill its purpose?

5) Update it! It's basically like any other software or operating system; it needs updates.

6) Don't store payment information or app store credentials on your device.

Bonus Tip: If you see an app you don't recognize, do a little research. You can search through your favorite search engine or through other sites like AppWatchdog.

May 15, 2012

Warning for Laptop Travel Abroad

Did you recently return from a trip overseas? There’s a possibility your little laptop brought back a souvenir of its own.
Earlier this month the F.B.I. warned business and academic travelers about being targeted with sneaky malware that installs itself through pop-up windows while the user tries to establish an Internet connection from the comfort of their hotel room. It starts with an innocuous-looking pop-up notifying you to update a legitimate, widely-used software product.
Beyond this, the F.B.I. warning does not provide any details on exactly what actions the malware performs. With the scary stories about the disastrous things malware can do, I'm sure your imagination could come up with a few ideas.
Additionally, no further details were provided as to which countries or hotel chains the attacks were reported in, or exactly what software the malware is trying to pass itself off as.
While this appears to be an industrial espionage trick targeting business travelers, it is only a matter of time before identity thieves and other ill-intentioned computer-savvy people start using it. The Federal Trade Commission recently released complaint statistics for 2011, with identity theft topping the list. If the tactic works, why limit it to just one sector of the population?
Recommendations:
- Conduct software updates before traveling.
- If updates are required while abroad, download updates directly from the vendor's site.
- Check the author or digital certificate of prompted updates to see if it corresponds to the software vendor.
- Use a VPN.
- If you have a cheap, old laptop you no longer want, use that on your trip, then dispose of it upon your return.
As always, “Anyone who believes they have been a target of this type of attack should immediately contact their local FBI office, and promptly report it to the IC3's website at www.IC3.gov. The IC3's complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration. The complaint information is also used to identify emerging trends and patterns.” - Internet Crime Complaint Center (IC3)

May 1, 2012

Your Ad Here Car Scam

With the economy still lagging and unemployment still fairly high, scammers are taking advantage of the cash-strapped environment with a new variation of the work-from-home scam. It is the Ad-on-your-car scam.
According to a post by the Better Business Bureau (BBB), the Internet Crime Complaint Center (IC3) is receiving multiple complaints by people conned by this scam.
It starts out with the victim responding to an online ad advertising the chance to earn money just by driving your car. All you need to do is strap an advertisement sign to your vehicle and you can start earning $400-$600 a week. Sweet! It seems legit, since they're using "the names of well-known companies, such as Coca Cola or Heineken Beer…"[i] What an awesome deal: make a couple grand a month by doing nothing but driving your car around. Sign me up!
But wait!
After responding to the ad for some quick money, the victim receives a check for more than the promised amount. They're asked to cash the check and wire the difference to a third party. If you have read about the top Internet scams of the past few years, red flags should start going up that something is not right.
The BBB states "Any time you are sent a check or money order and asked to cash it and write a check to send to someone else, it is almost always a scam." In the unfortunate event that this should happen to you, don't cash it, and notify the authorities immediately.
It goes back to the old cliché grammy and grampy used to tell me: "if it's too good to be true, it probably is."
[i] Odell, Carol (25 April 2012). “Putting Ads on Your Car Scam… says Carol.” Southern Colorado Better Business Bureau (BBB). Retrieved from http://southerncolorado.bbb.org/blog/post/putting-ads-on-your-car-scam-says-carol-18229 (accessed 1 May 2012).

March 8, 2012

Status update overload?

Image from Maggie Cakes
In a 2012 survey by the National Cyber Security Alliance (NCSA) and McAfee, "one in five Americans have come in contact with someone online who made them feel uncomfortable through stalking, persistent emails, and other aggressive outreach attempts… [Additionally,] one in five Americans have been victimized through experiences like identity theft, data theft, stalking, bullying or auction fraud… " Is this really any surprise when we look at what information we so readily provide online?


Image from Mucky Clothing
Keep in mind, social network sites were originally designed to share information to the maximum extent in order to provide an enhanced and personalized social experience online. They were not designed with security in mind. The site will default to settings that give you more connections, all in the name of giving you a "social" experience. Not all of those connections are necessarily the ones you want.

Act now! Use these tips suggested by NCSA and McAfee:

1) Check your privacy settings. The whole World Wide Web does not need to read everything you post. By setting up your privacy settings, you limit who can view your information.

2) "Spring Clean" your online profile. You don't need to include your phone number, home address, or other contact information. Your real friends already know this information, so why place it out there where it could potentially fall into the wrong hands? Keep in mind that when Facebook implements updates, they temporarily set all profiles back to the default settings.

3) Don't accept "friend" requests from strangers. It's mother's old advice, don't talk to strangers, brought into the cyber realm. The Robin Sage experiment, which was a fake profile, "accumulated hundreds of connections… includ[ing] executives at government agencies…[and] much of the information revealed to Robin Sage violated OPSEC procedures."

4) Be careful about posting photos. What information are you unintentionally providing in your photos, whether it is in the background or in the metadata? Many uploaded photos include geotags, which is location information stored in the metadata. In 2010, MythBusters host Adam Savage posted on his Twitter account a photo of his car with the update "off to work." The photo had geotags, so with this one status update he provided the exact location of his home, what vehicle he drives and the time he leaves his house.

5) Create a STRONG password. According to CNN, "exploiting weak or guessable passwords was the top method attackers used to gain access…" The more complex, the better. The whole point of a password is not to inconvenience you, but to help ensure it is YOU accessing the account. (See our "Commonly Common Password" post)

6) Don't use location-based services. If used too often or publicly, these services can help somebody map out your patterns of behavior. All it takes is looking at where and when you typically check in, plus pulling up an online photo of you, to easily track you down or worse.

Follow these tips and hopefully they will keep you from becoming the subject of this song.
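Tip 4 above is about geotags hiding in photo metadata. The script below is an added example, not code from the original post or from any of the resources it links: it walks the segments of a JPEG, parses the EXIF (TIFF) structure, reports any GPS latitude/longitude it finds in the GPS sub-IFD, and produces a copy with the EXIF segment removed so the photo can be shared without the location. So that it runs offline, it builds its own minimal EXIF JPEG as a constructed sample; the `build_sample_jpeg` helper and the coordinates in `SAMPLE_JPEG` are fixtures I made up for the demonstration, not data taken from the post.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825      # IFD0 entry pointing at the GPS sub-IFD
SOS, APP1 = 0xDA, 0xE1     # JPEG markers: start of scan, application segment 1


def _iter_segments(data):
    """Yield (marker, start, end) for each JPEG segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:                 # entropy-coded image data follows;
            yield marker, pos, len(data)  # keep the remainder as one chunk
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, endian):
    """Yield (tag, type, count, raw 4-byte value field) for each entry of an IFD."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        yield tag, typ, count, tiff[e + 8:e + 12]


def _dms_to_decimal(tiff, offset, endian):
    """Read three RATIONALs (degrees, minutes, seconds) and return decimal degrees."""
    nums = struct.unpack(endian + "6I", tiff[offset:offset + 24])
    d, m, s = (nums[i] / nums[i + 1] if nums[i + 1] else 0.0 for i in (0, 2, 4))
    return d + m / 60 + s / 3600


def _gps_from_tiff(tiff):
    """Return (lat, lon) from the GPS sub-IFD of a TIFF blob, or None if absent."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    gps_ifd = None
    for tag, _typ, _count, value in _read_ifd(tiff, ifd0, endian):
        if tag == GPS_IFD_TAG:
            gps_ifd = struct.unpack(endian + "I", value)[0]
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, count, value in _read_ifd(tiff, gps_ifd, endian):
        if tag in (1, 3):                 # GPSLatitudeRef / GPSLongitudeRef: ASCII stored inline
            fields[tag] = value[:1].decode("ascii", "replace")
        elif tag in (2, 4) and typ == 5 and count == 3:   # GPSLatitude / GPSLongitude: 3 RATIONALs
            fields[tag] = _dms_to_decimal(tiff, struct.unpack(endian + "I", value)[0], endian)
    if not {1, 2, 3, 4} <= fields.keys():
        return None
    lat = fields[2] * (-1 if fields[1] == "S" else 1)
    lon = fields[4] * (-1 if fields[3] == "W" else 1)
    return lat, lon


def _is_exif_app1(data, marker, start):
    return marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG carries a GPS geotag, else None."""
    for marker, start, end in _iter_segments(jpeg):
        if _is_exif_app1(jpeg, marker, start):
            return _gps_from_tiff(jpeg[start + 10:end])
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every EXIF APP1 segment dropped; image data is untouched."""
    out = bytearray(jpeg[:2])
    for marker, start, end in _iter_segments(jpeg):
        if not _is_exif_app1(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: a minimal little-endian EXIF JPEG whose IFD0 holds only a GPS pointer."""
    le = "<"
    rational = lambda triple: b"".join(struct.pack(le + "II", n, d) for n, d in triple)
    # Layout: TIFF header 0-7, IFD0 at 8 (18 bytes), GPS IFD at 26 (54 bytes), lat at 80, lon at 104
    ifd0 = struct.pack(le + "H", 1) + struct.pack(le + "HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack(le + "I", 0)
    gps = (struct.pack(le + "H", 4)
           + struct.pack(le + "HHI", 1, 2, 2) + lat_ref.encode() + b"\x00\x00\x00"
           + struct.pack(le + "HHII", 2, 5, 3, 80)
           + struct.pack(le + "HHI", 3, 2, 2) + lon_ref.encode() + b"\x00\x00\x00"
           + struct.pack(le + "HHII", 4, 5, 3, 104)
           + struct.pack(le + "I", 0))
    tiff = b"II" + struct.pack(le + "HI", 42, 8) + ifd0 + gps + rational(lat_dms) + rational(lon_dms)
    app1 = EXIF_HEADER + tiff
    scan = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9"  # stub SOS + EOI
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + scan


# Constructed sample geotag: 37 deg 46' 30" N, 122 deg 24' 00" W (made-up fixture, not a real photo).
SAMPLE_JPEG = build_sample_jpeg([(37, 1), (46, 1), (30, 1)], "N", [(122, 1), (24, 1), (0, 1)], "W")

if __name__ == "__main__":
    print("geotag found:", extract_gps(SAMPLE_JPEG))
    print("after strip_exif:", extract_gps(strip_exif(SAMPLE_JPEG)))
```

Run it as-is to see the constructed sample go from a resolved coordinate to `None`; to check a real photo, read the file with `open(path, "rb").read()` and pass the bytes to `extract_gps`, then write out `strip_exif(...)` before uploading. The parser only follows IFD0 and the GPS sub-IFD, which is all that is needed to answer "does this file leak a location"; stripping the whole APP1 segment is deliberately coarser than that, since camera model, timestamps and thumbnails in the same segment are over-sharing of the same kind.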

The Facebook Stalking Song


Resources:
US Army Public Affairs Social Media Division Social Media Roundup, “Dangers of location-based social networking and geotagging” Link: http://slidesha.re/xe8bSG
Please Rob Me, Raising awareness about over-sharing. Link: http://pleaserobme.com/why
Facebook Security Handbook. Link: http://on.fb.me/o5qLsZ