May 31, 2012

Out-of-office reply

It's a typical business practice to set your email account to auto-reply to emails, alerting the sender that you're out of the office and will not be able to reply in a timely manner; however, are we giving out too much information with these replies?
I received an out-of-office reply stating:
"I am at (location blocked) for an assessment, so I'll be out from 1-10 July."
Since the location was in a different country, it tells me his home will be vacant. Additionally, the message states how long he'll be out, so it's a good indicator of how long he'll be out of the house.

Oh, you say that I don't know where he lives?

With a little research, I could probably find out where he lives, since people tend to post too much on Facebook (as mentioned in our post "Status Update Overload?") and data aggregators (like Spokeo or Pipl) typically provide address/contact information.

For those unaware of the digital data aggregators, they search through the internet, public record databases and elements in the deep web. If you haven't used either Spokeo or Pipl, I suggest you give it a try. They do a more in-depth search than Google or any other typical search engine. There is more information about you out there than you realize.

Once I find an address, it's time to do some surveillance...I prefer to start out with Google Earth, which lets me do extensive research of the area visually, as well as develop routes of travel, all from the comfort of my home. Additionally, I can find out how far his home is from local law enforcement, which allows me to calculate the response time.

Then I do a drive through the neighborhood and by the house to see if there are any other indicators that the house is not occupied, such as an unkempt lawn, no vehicles in the driveway, or multiple newspapers lying at the end of the driveway.

But back to the out-of-office reply. Is it really necessary to tell me exactly where you are? I'm certain that the important people with a valid reason to know already know where you are and why you're out, so you don't need to advertise it in an out-of-office reply that automatically goes out to anybody who happens to send you an email.

What should the out-of-office reply state? How do you prevent me from going down this rabbit hole? Check out the example below.
"I am currently out of the office from 1-10 July and will not be able to respond."
Nice, simple and straight to the point. It accomplishes the point without giving out more than required.

May 21, 2012

Exploiting Technology: 3 Methods Identity Thieves Use

Earlier this month in the Financially Fit section of Shine from Yahoo, there was an article by Woman’s Day’s Daisy Chan on “How to Prevent Identity Theft.” With a title like that, you’re thinking it will be chock full of useful tips for keeping your identity out of ill-intentioned hands. Sadly, it only covers 3 recently developed approaches identity thieves and other cybercriminals are taking. While still good information, it left me wanting more. I suppose my expectations were a little higher. Enough with the review, let’s get to the information you can use.
Those sneaky thieves are adaptable creators and are using popular technology trends to help them in parting you with your money. We’re going to look at three methods they’re using.
Method: Using Social Networks.
The best scams are where the perpetrator comes off as a trusted source and/or somebody that the “mark” can easily relate to. With the increase of over-sharing in social networks, finding out information on somebody else shouldn’t be too difficult. Check out the different Facebook and Twitter accounts and I’m sure you can learn a lot about an individual. In fact, in another article by 24/7 Wall Street, “Nine Major Ways Criminals Use Facebook,” mining unprotected information was listed, since “users frequently reveal their emails, phone numbers, addresses, birth dates and other pieces of private data. As security experts and hackers know, this kind of information is often used as passwords or as answers to secret security questions…it can be a means to more pernicious ends such as…identity theft.” [cue horrifying music, dum dum dum].
Security Measure: As stated in our March post, “Status update overload?”, use the privacy settings, use a strong password, only accept friend requests from actual people you know and “spring clean” your profile. The main thing is, don’t place that information on your profile in the first place. The only thing you really need for a Facebook or Twitter account is an email and a name. In fact, it doesn’t even need to be your real name, just a name. Come up with a good stage name. Granted, they might ask for your birthday, but are they actually going to check your birth certificate or other official documentation to see if the information you’re providing is correct? Um, the answer is no.
Method: Smartphone apps.
There are thousands and thousands of applications out there for you to easily download to your handy, dandy, little smartphone. Some are innocuous, but some are nothing more than cleverly disguised malware that installs spyware or keyloggers onto your beloved mobile device. With more and more people using their mobile devices to access sensitive accounts (e.g., bank accounts), you can start to see the dangers of having these menacing apps.
Security Measure: In our “Secure That App” post, we covered some useful security tips to counter this threat, such as only downloading apps from known sources, avoiding brand new apps and being leery of apps that require access to your sensitive information. Of course, it is not always easy to tell what is a legitimate or fake application. Just like a computer, if your smartphone suddenly starts to run very slowly, it might have caught a bug. Additionally, CSO Online states "keep an eye on your wireless bill. Some rogue apps... make expense calls [or subscribe you] to one of those annoying services that automatically bill you every month for things like ring tones..."

Method: Wi-Fi Hot Spots.

Think twice before you connect your laptop to a free public wireless network while waiting for your next flight at the airport or sipping on your fu-fu coffee at the local coffee shop. These hotspots are not encrypted, leaving hackers and potential identity thieves a venue into your laptop or smartphone to collect sensitive information stored or typed on your device. According to the Better Business Bureau (BBB), you don't need to "be sophisticated computer hackers. The computer hacking tools are available on the web for free and show how to snatch unencrypted information."

Security Measure: If you're browsing the Internet through your smartphone, use your phone's 3G or 4G network capabilities instead of the wi-fi option. If you're going the laptop route, use secure connections (https) or a virtual private network (VPN). Don't access the hotspot through the administrator account; use a guest account with limited rights. If a hacker does manage to snag you, the damage will be minimized if you're using a basic account with limited permissions.

May 18, 2012

Secure That App!

The use of smart phones is becoming prevalent throughout our society, especially as technology adapts to provide these items at lower prices. They're pretty handy acting as portable cameras and computers... oh, I think they also take phone calls, too. In essence, mobile devices have invaded our lives to become essential tools in our daily endeavors, both professionally and personally.

Got an app for that.

Of course, the great thing about smartphones is the different applications you can download. We install various games and software on our computers, so why wouldn't we do the same for our hand-held mini computers?

There are thousands and thousands of various applications to choose from. It seems like the numbers grow by the second. Some are fun little games to play while sitting in a waiting room, others are awesome little time savers that streamline your social media life (need to keep my thousands of followers updated on my whereabouts).

Of course with so many apps, there are also a wide variety of sources...some very reputable, others from questionable backgrounds.

Back in February 2012, SANS Securing The Human released their monthly security newsletter, OUCH!, covering tips on how you can secure your mobile device apps. What's nice is that the newsletter is written at the basic user level, so you don't need to be a techy to learn the best security practices for securing your device. Below are the top 6 tips:

6 Security Tips for Smart Phone Apps:

1) Download from known, trusted sources. Seems common sense, so why are so many downloading from concerning sites?

2) Avoid brand new apps. Let somebody else be the guinea pig to work out the bugs; you have better things to do with your time.

3) Remove unwanted/unused apps. Each additional app creates a vulnerability. Why accept the vulnerability if it does not provide you with a continuing benefit?

4) Be leery of apps requesting personal sensitive information. Does the app really need access to my birthday, contacts and such to fulfill its purpose?

5) Update it! It's basically like any other software or operating system; it needs updates.

6) Don't store payment information or app store credentials on your device.

Bonus Tip: If you see an app you don't recognize, do a little research. You can search through your favorite search engine or through other sites like AppWatchdog.

May 15, 2012

Warning for Laptop Travel Abroad

Did you recently return from a trip overseas? There’s a possibility your little laptop brought back a souvenir of its own.
Earlier this month the F.B.I. warned business and academic travelers about being targeted with sneaky malware that installs itself through pop-up windows while the user tries to establish an Internet connection from the comfort of their hotel room. It starts with an innocuous pop-up notifying you to update a legitimate, widely-used software product.
Beyond this, the F.B.I. warning does not provide any details on exactly what actions the malware performs. With the scary stories about the disastrous things malware can do, I’m sure your imagination could come up with a few ideas.
Additionally, no further details were provided as to the countries or hotel chains in which the attacks were reported, or exactly what software the malware is trying to pass itself off as.
While this appears to be an industrial espionage trick targeting business travelers, it is only a matter of time before identity thieves and other ill-intentioned, computer-savvy people start using it. The Federal Trade Commission recently released complaint statistics for 2011, with identity theft topping the list. If the tactic works, why limit it to just one sector of the population?
Recommendations:
- Conduct software updates before traveling.
- If updates are required while abroad, download updates directly from the vendor’s site.
- Check the author or digital certificate of prompted updates to see if it corresponds to the software vendor.
- Use a VPN.
- If you have a cheap, old laptop you no longer want, use that on your trip, then dispose of it upon your return.
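One way to carry out the digital-certificate check from the recommendations above on a Windows laptop, as an added example that is not from the original post or the F.B.I. warning. It assumes the downloaded update is a PE file (e.g. `.exe` or `.msi`) and that you know the publisher name the vendor signs with; the function name `Test-UpdateSigner` and the sample path are hypothetical.

```powershell
# Verify that a prompted "update" is Authenticode-signed by the publisher you expect
# before running it. Returns an object with Trusted = $true only when the signature
# chain is valid AND the signer's common name matches the expected vendor.
function Test-UpdateSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,               # downloaded update file
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # e.g. the vendor's legal name
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...) is a stop sign:
    # an unsigned or tampered installer is exactly what a hotel-network pop-up would push.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path    = $Path
            Trusted = $false
            Signer  = $null
            Reason  = "Signature status is '$($sig.Status)', not 'Valid'"
        }
    }

    # Pull the common name (CN) out of the signing certificate's subject.
    $cert   = $sig.SignerCertificate
    $signer = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # A valid chain only proves *someone* paid for a code-signing cert; the name must match too.
    $matches = $signer -eq $ExpectedPublisher
    return [pscustomobject]@{
        Path    = $Path
        Trusted = $matches
        Signer  = $signer
        Reason  = if ($matches) { 'Valid signature from expected publisher' }
                  else { "Signed by '$signer', expected '$ExpectedPublisher'" }
    }
}

# Usage (hypothetical path and publisher name):
Test-UpdateSigner -Path "$env:USERPROFILE\Downloads\update.exe" -ExpectedPublisher 'Example Vendor, Inc.' |
    Format-List
```

Open the installer's Properties > Digital Signatures tab to see the same signer name the function compares against; if the file has no such tab at all, treat the prompt as hostile and download the update from the vendor's own site instead.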
As always, “Anyone who believes they have been a target of this type of attack should immediately contact their local FBI office, and promptly report it to the IC3's website at www.IC3.gov. The IC3's complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration. The complaint information is also used to identify emerging trends and patterns.” - Internet Crime Complaint Center (IC3)

May 1, 2012

Your Ad Here Car Scam

With the economy still lagging and unemployment still fairly high, scammers are taking advantage of the cash-strapped environment with a new variation of the work-from-home scam. It is the Ad-on-your-car scam.
According to a post by the Better Business Bureau (BBB), the Internet Crime Complaint Center (IC3) is receiving multiple complaints by people conned by this scam.
It starts out with the victim responding to an online ad posting advertising the chance to earn money just by driving your car. All you need to do is strap an advertisement sign to your vehicle and you can start earning $400-$600 a week. Sweet! It seems legit, since they’re using “the names of well-known companies, such as Coca Cola or Heineken Beer…”[i] What an awesome deal, make a couple grand a month by doing nothing, but driving your car around. Sign me up!
But wait!
After responding to the ad for some quick money, the victim receives a check for more than the promised amount. They’re asked to cash the check and wire the difference to a third party. If you've read about the ploys used in the top internet scams over the past few years, red flags should start alerting you that something is not right.
The BBB states “Any time you are sent a check or money order and asked to cash it and write a check to send to someone else, it is almost always a scam.” In the unfortunate event that this should happen to you, don’t cash it, and notify the authorities immediately.
It goes back to the old cliché grammy and grampy used to tell me: “if it’s too good to be true, it probably is.”

[i] Odell, Carol (25 April 2012). “Putting Ads on Your Car Scam… says Carol.” Southern Colorado Better Business Bureau (BBB). Retrieved from http://southerncolorado.bbb.org/blog/post/putting-ads-on-your-car-scam-says-carol-18229 (accessed 1 May 2012).