March 15, 2015

OPSEC

What is OPSEC?

Operations Security, otherwise known as OPSEC, is a five-step risk management process that identifies and protects critical information that could give an adversary an advantage if discovered. OPSEC complements the traditional security disciplines and works together with them to protect critical pieces of information. Below are two videos from the U.S. Department of Energy that depict a vintage 1950s-era government film to remind you that OPSEC really is not that difficult to put into practice; just remember not to let the cat out of the bag. They're an entertaining way to learn about an important security discipline.

Atomic OPSEC Part 1 vintage video featuring the Atomic Bomb Commission Orchestra. Atomic OPSEC Part 2 vintage video.

Here's hoping you continue to talk about Operations Security, or OPSEC.

March 1, 2015

Scam U: Digital redirect

Con artists, scammers, hackers: regardless of what you call them, they're opportunistic parasites looking for any opportunity to exploit for financial gain. The Internet has become a playground for these cretins to hide in while weaving webs of deceit. When you're cruising through the inter-webs, be cautious.

Back in 2014, the Better Business Bureau (BBB) warned people about scammers exploiting eBay's editing feature to redirect users to a realistic lookalike site to steal their login information.

The ploy.

The con artists list popular items, such as laptops, iPads, or cell phones, at really low prices. Intrigued, people click on the listing. Instead of opening the item's page, the site redirects them through a series of websites to a fake eBay page requesting their username and password. The requesting page looks similar to eBay's login page, but it's not. It is a spoofing attempt to collect login information and hijack eBay accounts.

Paul Kerr, an IT worker from Alloa and eBay PowerSeller was the first to flag this issue. He uploaded the below video to YouTube as proof of this trickery and to help inform users how to identify crooked sites.


How does this happen?

eBay allows sellers to use JavaScript and Flash to add design elements to their listings, which gives scammers enough flexibility to add malicious code that redirects users to malicious websites. Don't be lulled into a false sense of security just because you don't shop on eBay. Most online retailers are susceptible to this ploy, since scammers can easily manipulate the site's JavaScript code. Only days after this incident was reported, a security researcher uncovered that Amazon was vulnerable to a similar attack that impacted Kindle libraries. Fortunately, that exploit has since been fixed.

How to keep yourself safe?
  • Check your URL. If you watch the above video, you'll notice the fake website's URL is very different from the legitimate website's.
  • Look for a secure connection. Before doing anything that requires sensitive information, including login information, double check that the connection is secure.
  • Be careful of too-good-to-be-true listings. The old adage applies: if it is too good to be true, it probably is. Scammers use ridiculously cheap deals to entice people to click where they really should not.
  • Change your account passwords often. With so many articles circulating about passwords being exposed, make it a healthy habit to change them often.
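The "check your URL" and "look for a secure connection" advice above, turned into a small JavaScript check as an added example (not code from the original post or from eBay). The list of legitimate domains is an assumption for the example; the point is that a lookalike hostname must be rejected even though it contains the real brand name.

```javascript
// Added example (not from the original post or from eBay): apply the
// "check your URL" and "look for a secure connection" advice to a login
// URL without being fooled by lookalike hostnames. The allowed domains
// below are an assumption for the example.
const LEGIT_DOMAINS = ["ebay.com", "ebay.co.uk"];

// True only if hostname is a listed domain or a subdomain of one
// (e.g. "signin.ebay.com"). A substring test such as
// hostname.includes("ebay.com") would wrongly accept
// "ebay.com.login-check.example" or "myebay.com".
function isLegitimateHost(hostname, domains = LEGIT_DOMAINS) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return domains.some((d) => h === d || h.endsWith("." + d));
}

// Classify a URL. Returns { ok, reasons }, where reasons lists every
// check that failed so a user (or a log line) can see why.
function checkLoginUrl(rawUrl, domains = LEGIT_DOMAINS) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser, built into browsers and Node
  } catch (e) {
    return { ok: false, reasons: ["URL could not be parsed"] };
  }
  const reasons = [];
  if (url.protocol !== "https:") reasons.push("not an https connection");
  if (!isLegitimateHost(url.hostname, domains)) {
    reasons.push("hostname " + url.hostname + " is not a legitimate domain");
  }
  // "https://www.ebay.com@evil.example/" puts the real destination after
  // the @; the browser treats the text before it as a username, not a host.
  if (url.username !== "" || url.password !== "") {
    reasons.push("URL embeds credentials before the host (likely a disguise)");
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample URLs (not taken from the incident). Only the first
// passes; the rest are the kinds of redirect targets the advice warns about.
const SAMPLES = [
  "https://signin.ebay.com/",
  "https://ebay.com.login-check.example/signin",
  "http://signin.ebay.com/",
  "https://www.ebay.com@203.0.113.5/",
];
for (const s of SAMPLES) {
  const r = checkLoginUrl(s);
  console.log((r.ok ? "OK   " : "WARN ") + s + (r.ok ? "" : " -> " + r.reasons.join("; ")));
}
```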


References:
Better Business Bureau (24 October 2014). Fake eBay listings steal users' passwords. Scam Alert email.
Cook, J. (27 September 2014). Hackers target eBay users with fake iPhone listings. Business Insider U.K. Retrieved from http://uk.businessinsider.com/hackers-target-ebay-users-with-fake-iphone-listings-2014-9?r=US
McCarthy, J. (18 September 2014). Fake eBay listings redirecting users to spoof account-stealing phishing pages. The Drum. Retrieved from http://www.thedrum.com/news/2014/09/18/fake-ebay-listings-redirecting-users-spoof-account-stealing-phishing-pages