March 30, 2014

The threat from the other side of the screen

"The Internet and social media are part of today's battlefield."
                 - Congressional Testimony, 6 Dec 2011, Brian Jenkins.

The Internet has shaped an ambiguous battleground by erasing the traditional boundaries of conventional conflicts, which means the impact is not limited to the military. As technology continues to interconnect our world, it's imperative to take preventative steps to protect yourself and not paint yourself as a target.

"A post on a jihadist website instructs followers to gather intelligence about U.S. military units and the family members of U.S. service members, including 'what state they are from, their family situation, and where their family members (wife and children) live,' and to 'monitor every website used by the personnel ... and attempt to discover what is in these contacts.'"
                -"Embedded with Facebook: DoD Faces Risks from Social Media," Naval Postgraduate School.

How much information do we let the rest of the world see in our social network profiles?

Of course the threats are not just limited to terrorists or traditional fighters, but can be from the criminal element (i.e. identity thieves). In a 2012 survey by the National Cyber Security Alliance (NCSA) and McAfee, "one in five Americans have come in contact with someone online who made them feel uncomfortable through stalking, persistent emails, and other aggressive outreach attempts... [Additionally,]one in five Americans have been victimized through experiences like identity theft, data theft, stalking, bullying or auction fraud... " Is this really any surprise when we look at what information we so readily provide online?

Keep in mind, social network sites were originally designed to share information to the maxim extent to provide an enhanced and personalized social experience online. They were not designed with security in mind. The site will default to setting that will give you more connections all in the name of giving you a "social" experience. Not all the connections are necessarily the ones you may want.

Act now.

1)      Check your privacy settings. The wide world web does not need to read everything you post. Proper privacy settings,  will limit who can see what and ensure you are not sharing with unintended audiences.

2)      "Spring Clean" your online profile. You don't need to include your phone number, home address, or other contact information. Your real friends already know this information, so why place it out there for it to potentially fall into the wrong hands? When Facebook implements updates, they temporarily set all profiles to the default settings.

3)      Don't accept "friend" request from strangers. It's mother's old advice, don't talk to strangers, brought into the cyber realm. The Robin Sage experiment, which was a fake profile, "accumulated hundreds of connections... includ[ing] executives at government agencies...[and] much of the information revealed to Robin Sage violated OPSEC procedures."

4)      Think about what photos you post. Are you unintentionally giving away personal or sensitive information?  Many digital photos include geotags, which provides people with location information. In 2010, MythBusters host Adam Savage posted on his Twitter account a photo of his car with the update "off to work." The photo had geotags, so with this one status update, he provided the exact location of his home, what vehicle he drives and the time he leaves his house.

5)      Create a STRONG password. The top method attackers used to gain access was through exploitation of weak or guessable passwords. The more complex, the better. The whole point of passwords is not to inconvenience you but to help ensure it is YOU accessing the account.

6)      Don't use location-based services. If used too often or publically, these services can help somebody see where you go and track you down. All they have to do is see where and when you typically check-in, as well as pull up an online photo of you, to easily find you or worse.


Resources:
US Army Public Affairs Social Media Division Social Media Roundup, "Dangers of location-based social networking and geotagging" Link:
http://slidesha.re/xe8bSG

U.S. Army Social Media Handbook, August 2011. Link: http://slidesha.re/nsDOO3

Please Rob Me, Raising awareness about over-sharing. Link: http://pleaserobme.com/why

Facebook Security Handbook. Link: http://on.fb.me/o5qLsZ

March 26, 2014

Stupid on Social Media




Within the past ten years we have seen an explosion in social media use. Everybody is using it, including my grandma. People have become very comfortable in placing their lives online for others to see, even larger unintended audiences. In past posts here, I warned about identity thieves using social media in "Exploiting Technology: 3 Methods Identity Thieves Use," and mentioned that one out of five Americans felt victimized online in "Status update overload?"

The image above contains five cases of five young ladies dealing with the unintended consequences from what they posted online. You can read each of the captions to get the gist of their situation. What started as a little inside joke with their friends online quickly escalated out of hand. These posts went viral and made national headlines. Even when you have your privacy settings on, friends-of-friends can see, your friends can share the pictures, or the platform glitches disabling privacy settings.

The three cases dealing with military members are being investigated by their chain-of-command. While the results and penalties will probably not be made public, I am fairly certain they will be heavily reprimanded. In Ms. Dana Snay's case (upper right hand corner), the family is missing out on a $80k settlement due to her bragging post. That is punishment enough. As for Ms. Lindsay Stone's case, her employer fired her after mounting public pressure and outrage caused by her photo.

We all do stupid things in our lives, myself included. The only thing dumber than doing something stupid is documenting it and posting on to the Internet for other people to see. Information from social media has been used for criminal investigations and potential employers look at that stuff. Do not let one moment in a lapse of judgment haunt you for the rest of your life. Remember, your freedom of speech does not mean you have freedom from the consequences of your action.

You have the right to be stupid but please don't abuse it...Especially online!

Enhanced by Zemanta

March 17, 2014

Army uses TSP in phishing awareness exercise gone awry

Last month, an Army signal commander conducted an unannounced spear phishing test on a small group of his unsuspecting employees. The email subject "Thrift Savings Plan Alert: Passcode Reset," strongly urged the receiver to log-in to check their Thrift Saving Plan, since it was involved in a security breach. It appeared to come from the account services department at "tspgov[.]us." For those not familiar with the Thrift Savings Plan (TSP), it is a 401(k) style retirement accounts for federal employees. The email directed people to a fake TSP website (a variation of the real address, www.tsp.gov), which asked people to verify their account information.

Instead of doing a little research to see if it was a legitimate email from TSP, the employees forwarded it off to other Department of Defense employees to warn of the "security breach." This set off a panic wave amongst federal employees. It took over three weeks to trace the original email back to the command.

According to the Washington Post article on this story, TSP "officials are furious that their trusted brand was tampered with..."(Rein & Yoder, 2014)

Hello, McFly! Real phishers don't care about tarnishing your "trusted brand." If anything, this type of scenario is exactly what they want. They want receivers to believe the spoofed email (take the bait), panic, follow the instructions, and forward onto others to repeat the cycle.

Instead of learning a valuable lesson from this, people are screaming for the commander's head. Okay, I may have sensationalized that last line, but you get that sense after reading the various posted comments from other articles on this story. In one article you have one union representative crying, "the big government bullies are just pushing us around and using us as guinea pigs."

Really? I'm sorry, it's not about the big ol' bullies! The exercise was about placing the cybersecurity awareness training into practice. Phishers notoriously use banks, Pay-Pal, and other trusted brands as bait, what makes them think TSP would be the exception? Considering TSP holds close to $400 billion for 4.6 million  current and retired federal employees, it makes for a lucrative target.

The commander's intentions were good. Admittedly, he needs some refinement on the execution piece. In hindsight, the email should have contained a link that would have directed people to a website teaching them about phishing and letting them know it was a test. This would have eased the panic a bit and help the exercise from spirally out of control like it did. Additionally, military organizations gradually build-up to unannounced exercises in a "crawl, walk, run" phased approach, meaning there is training, announced exercises, and drills. The exercise did not have any controls in place to prevent it from spirally beyond the intended scope. 

Apparently this is not the first time that a military commander had a phishing exercise  get out of control. Back in 2010, airmen in Guam received email invitations to apply for an appearance in the Michael Bay movie, Transformer 3. Many of the airmen more than willingly submitted sensitive information to the emailed link.

Lessons:
-Don't forward emails that you don't are true. A little homework goes along way.
-Don't conduct exercises without adequate controls.
-Don't mess with a fed employee's money.

References:
Dunn, J. (2014 Mar 17). U.S. Army red faced after phishing test sets off Defense Department email storm. London, UK: Tech World. Retrieved from 
http://news.techworld.com/security/3507002/us-army-red-faced-after-phishing-test-sets-off-defense-department-email-storm/ 
Rein, L. and Yoder, E. (2014 Mar 14). Gone phishing: Army uses Thrift Savings Plan in fake e-mail to test cybersecurity awareness. Washington, DC: The Washington Post. Retrieved from http://www.washingtonpost.com/politics/gone-phishing-army-uses-thrift-savings-plan-in-fake-email-to-test-cybersecurity-awareness/2014/03/13/8ad01b84-a9f3-11e3-b61e-8051b8b52d06_story.html 

March 15, 2014

Security Spring Clean



Do a little security spring cleaning
this season. Use our little declutter
checklist to get you started.
Spring is right around the corner. With the slow passing of winter, many grow anxious to purge the home in preparation of the season of rebirth as Mother Nature awakens from her winter slumber. This purging is the tradition of "Spring Cleaning," where people open the shutters, and do a deep cleaning to rid the home of dust, dirt, and other items that collected over the long, cold nights of winter. This is also a great time to do a little security related spring cleaning. My little declutter checklist will help you protect your personal information and hopefully prevent yourself from becoming a victim of identity theft.
  • Clear out and shred unwanted papers. Burglars will break into homes to steal documents with personal identification information to be used for identity theft. Considering major credit reporting bureau, Experian warns about monitoring for identity theft after a home break-in, it may be more common than you think.  By reducing the paper clutter, you reduce your risk. Think about it, do you really need that monthly bank statement from 3 years ago? Use a cross-cut shredder (confetti like) to get rid of unneeded paperwork.
  • Get rid of old prescription medication bottles. Another hot ticket item burglars try to snag is prescription drugs. Soak the bottles in water for 5-10 minutes so you can easily scrap off the paper with your personal information on it.
  • Social Media clean-up!
  • 
    Spring clean your social media
    profiles.
    • Spring clean your social media profiles, even those old profiles you don't use anymore.
    • Check your privacy settings. As social media platforms are continuously updated, privacy settings may change. It is a good idea to periodically check on them.
    • Go through your "friend list." We all know you're a very popular individual, but do you really know all 579 people on your friends list? Each one of them can access and share your posts, pictures, and information, which kind of make your privacy settings a bit pointless.
    • If possible, use different permission groups like Facebook has acquaintances and friends permission groups.

  • Remove unwanted apps on your smartphones and social media accounts. Each app brings the potential for vulnerabilities, and needs to be updated on a regular basis. Why unintentionally accept risks for app you stopped using months ago? 

References:
Johnson, K. (2012 February). Securing your mobile device apps. OUCH! SANS Securing the Human. Retrieved from http://abclocal.go.com/ktrk/story?section=news/local&id=9442783.
Quinn, K. (2014 February 24). HPD: Burglars break through walls in foiled attempt to steal prescription drugs from north Houston pharmacy. Houston, TX: ABC 13 KTRK-TV. Retrieved from http://abclocal.go.com/ktrk/story?section=news/local&id=9442783   

Sweet, M. (2012 May 09). Protecting yourself from identity theft after a burglary. Experian Blog. Retrieved from http://www.experian.com/blogs/ask-experian/2012/05/09/protecting-yourself-from-identity-theft-after-burglary/ 

March 8, 2014

Personal Security Measures

Practicing personal safety could prevent
you from being targeted as a
criminal's next victim.
As a woman working in the security field, I may be more preoccupied with personal safety than most people. It's hard not to be when you routinely read reports about tourists being mugged, attacked, or kidnapped. I am not sure if it is the unfamiliar surroundings that makes travelers more susceptible to these types of crime, or something else. Criminals are typically opportunistic creatures that search for certain environment elements and target characteristics that will get them low-visibility and the element of surprise. This increases their likelihood of success. Practicing simple personal security measures makes it difficult for criminals to succeed, which means they'll look for a different target. Below are my personal safety tips I use when traveling.

Hotel.
Choosing a hotel with adequate security
will help you rest easier while away
from home. The money you save at a
cheaper, less secure one may not
 be worth it.
Choose a hotel with adequate security (i.e. door locks) and perimeter lighting. Stay away from seedy parts of town.

Use the elevator instead of the stairwell. I know that the stairs are good exercise, but you are usually isolated from others in the stairwell.

Make your room appeared occupied when you leave. You can achieve this by leaving the television on, placing the "do not disturb" sign on the door knob, and having the curtains drawn closed.

Keep valuables (i.e. laptop) in the hotel safe.

Try to stay in hotel rooms on the 2nd to 7th floor. Ground level rooms are easier for burglars to break into, and in the event of a fire, most fire truck ladders do not extend past the 7th floor.

On the road.
Road Trip!
When ever possible, travel with other people you know. There is strength in numbers. If this is not possible, make plans to meet up with other people attending the same event. For example, when I travel to conferences I meet up with colleagues traveling from different locations. Another option is to periodically check in with a family member. If you don't make contact, this is an indicator that something unfortunate happen to you, and they should start trying to locate you.

Before leaving, study the route. Choose to stick to main thoroughfares, which means you will be seen should your car break down or get a flat tire. Know where potential safe havens (i.e. hospitals, fire stations) are located along the route.

Bring a cell phone with a hands-free device. Ensure you bring a car phone charger, so you don't have to worry about the phone battery dying on you. Pre-program important numbers (i.e. AAA). Before leaving on your trip, double check the numbers are the most current (learned this one the hard way!).

Try to do most of your travel during daylight hours. If you must travel during evening hours, only make rest stops at well lit stops with a moderate amount of traffic.

Use a GPS to travel, since this permits you to be more focus on the road and what is going on around you; however, keep a map with marked alternate routes as a back-up.

Don't sit in an unlock car. If you need to sit in your vehicle in a parking lot to study a map or something, ensure your doors are locked and windows rolled up while you're not paying attention to your surroundings.

If you step away from your vehicle, lock the doors and do not leave any valuables sitting in your vehicle in plain site. This entices criminals to conduct the old smash and grab.

Do not make your car look like you're packed for a road trip. Pack luggage in the trunk.

General.
Don't post travel plans on social media. Save all trip posts and photos for after you return home safe and sound.

Only bring what valuables you need on your trip, such as minimum number of credit cards. Leave jewelry, Social Security card, electronic gadgets and other nonessentials at home.

Make copies of important documents and credit cards you're bringing with you. Leave the copies with a trusted person at home, so if your purse or wallet becomes stolen you'll have the important numbers necessary to report them missing.

Don't flash expensive items (to include smartphones!) or large amounts of cash in public. You only paint yourself as a potential target when you do this.

If you're traveling through a major city, try to avoid carrying backpacks or other baggage. They attract thieves.

Dress conservatively so as not to attract unwanted attention.

Keep valuables you do bring with you close to your body. Look to use pockets located inside your jacket or a money belt for identification, credit cards, and other valuables. This a great deterrent to pickpocketers!

Pay attention to your surroundings, which means stop staring at your smartphone and keep the headphones out of your ears. Criminals want the element of surprise on their side, so being alert and attentive is a natural deterrent.

Avoid using outside ATMs during the evening. Opt for ATMs located inside banks or stores that are well lit and have moderate foot traffic.

Don't go jogging by yourself, especially at night with headphones on!

Should the unfortunate happen and an attacker confronts you, DO NOT GO WITH THEM! Run away, scream, and try to draw attention to yourself.

These are only some of favorite ones and I am certain I unintentionally overlooked some good personal protection measures. If you know of any that I missed leave a message down in the comments section.

What are some person safety measure you use?

As always, don't be a target. Use your personal security measures.