Cybersecurity New Years’ Resolutions

New Years is a great time to reboot your life habits, including diet, exercise, relationships, and more. To keep your systems safe and your personal information private, consider adopting one or more of the following News Years’ resolutions:

• Use strong passwords – On each website and service you use, construct strong passwords, consisting of lower case and upper case letters, numbers, and one or more special characters.
• Use unique passwords – Use a different password for each service you use. This will help prevent a compromise of one service (where cybercriminals are able to obtain its users’ login credentials) from spreading to others.
• Use a password manager – If you use strong, unique passwords, you’ll need a password manager such as Password Safe or KeePass to store them. I recommend you NOT use your browser to store passwords.
• Use multi-factor authentication – when available, select multi-factor authentication, whether by a text message (SMS), or an authenticator app such as Google Authenticator. Doing so will make it more difficult for criminals to break into your accounts.
• Install OS security patches – Configure your operating system (Windows, macOS, ChromeOS, iOS, Android, etc.) to automatically download and install security patches. This helps prevent criminals from compromising your device. When security patches are no longer available, you’ll need to upgrade your OS to keep your system safe.
• Keep applications up to date – Configure your system to update all of the applications you use. This helps keep your system and your data safer by fixing security flaws that criminals can exploit.
• Be wary of spam and phishing – Be wary of all incoming email, so that you can better spot scams and fraud. If someone you know has sent you a strange looking email, confirm by calling them (but not by replying, as the reply could go back to the fraudster who is trying to con you). Resist the temptation to click on “too good to be true” links and attachments.
• Use a VPN – If you frequently go online at hotels, restaurants, airports, and other public places, install a VPN software package to help protect your network traffic from prying eyes. It can be surprisingly easy for cybercriminals to see your network traffic while on a public Wi-Fi network. Avoid free VPN services as they likely eavesdrop on your traffic.
• Upgrade your home Wi-Fi router – If your home Wi-Fi router is more than four years old, chances are good that it has exploitable vulnerabilities that the manufacturer will not fix. These vulnerabilities can make it easy for criminals to take over control of your router, resulting in eavesdropping and routing your traffic through their systems to help them steal your data.
• Move your home’s smart devices to your guest Wi-Fi – Often, smart devices are vulnerable to attack by cybercriminals. Some smart devices do more than they advertise, looking around on your network for other targets. Moving your smart devices to your guest network prevents them from accessing your computers and smartphones.
• Check your credit report – Cybercriminals are exceedingly good at identity theft. The best way to stay on top of this is to periodically check your credit report, and even to put a freeze on your credit to make it more difficult for criminals to open credit accounts in your name. Freezing your credit may be a minor inconvenience when you try to open a new account, but this is minor when compared to the inconvenience of having your identity stolen.
• Place transaction alerts on all your credit and debit cards – Log in to your online banking and set up alerts (texting, email, or both) to notify you of every transaction. If any of your cards have been compromised, you’ll know it when you see transactions that you did not authorize.
• Learn more about these and other kinds of risks – Visit the National Cybersecurity Alliance at www.staysafeonline.org to learn about more steps to protect your network, systems, and identity.

More phishing leaks into Gmail

I’ve been a Gmail user since its beginning in 2004. Unlike Yahoo! email, Gmail has historically done an exemplary job of blocking spam and phishing.

Until this year.

New forms of phishing are evading Google’s filters: the first is what I call the “invoice scam,” where the sender emails an attachment claiming to be an invoice. I surmise that either the attachment has malware embedded in it, or they are hoping that I will pay the invoice by sending money to who-knows-where.

Another form of phishing I’m seeing a lot (several each day) are emails in which the entire contents of the message is a single image. The image claims to originate from a major retailer such as Home Depot, Ace Hardware, and others. I’m told that I have been selected to win a product of some sort. Like the invoice scam, I’m certain that clicking the image will take me to a watering hole attack, a page where I’ll be asked for login credentials or payment information.

I don’t doubt that Google will figure out how to block these types of phishing messages. But the senders are not going to give up so easily. We must continue to be on our guard and practice the principles of incoming emails:

• Be wary of emails from people you don’t know.
• Be wary of emails from people you DO know that are out of character.
• Confirm the message through independent means (NOT a reply).
• Do not be curious and click, just to see what happens next.

Why the security war will never be won

At security trade shows like RSA, we are purposefully given the impression that if we just employ some new defensive technique or purchase some new defensive tool, we will be able to keep intruders out of our systems for good.

How many times have we heard this? And how is this different from remedies that promise to solve other problems like our finances or our physical appearance?

The information security war will never be won.

Never.

As long as people, or groups of people, have accumulated wealth of any kind. Other people try to steal it. We can keep ahead of the thieves for a time, as our defenses sometimes prove better than their offensive capabilities. But the wealth is still there, proving to be such a tempting challenge to some that they will use all of their imaginative powers to find a way in.

In our homes, we have better locks, stronger doors, better windows, better alarm systems – for what?  It doesn’t seem like the problems of residential burglaries is getting any better, despite these improvements. Thieves simply improve their techniques and find a way around our defenses.

In our information systems, we have better firewalls, application firewalls, intrusion prevention systems, anti-malware, and a host of other defensive (and even some offensive) security controls. But intruders still find a way in.

There are times when it proves very challenging to break directly in to information systems.  That is when intruders switch tactics: they target personnel who are employed in the organization that owns the systems, using a variety of techniques to trick users into performing seemingly harmless tasks that give intruders the beachhead they need.

Why do intruders persist?  Because of the wealth that lies in the target systems. Whether this is direct monetary wealth, or information that can be traded for monetary wealth, as long as the information is there, and no matter what measures are used to protect the information, intruders will find a way to retrieve it. This is true, even if you have all of the latest defenses, tools, training, and so on.  Your defenses will only slow down a determined intruder, and maybe only be a small margin.

• We must protect all systems. An intruder will attack the system of his choosing.
• We must protect from all types of attacks. An intruder will use an attack method of his choosing.
• We must protect our systems at all times. An intruder will attack at a time of his choosing.
• We must teach all personnel to be aware of threats. An intruder will attack the person of his choosing.
• We must obey all laws when defending our systems. An intruder may break any law of his choosing.
• The intruder will always choose the path of least resistance, the weakest link, at our most vulnerable time.
• Intruders are patient and resourceful, and often well-funded, and often more motivated by the prospect of success than we are by the prospect of intrusion.

Preventing browser hijacking

Browser hijacking occurs when an intruder is able to successfully exploit a vulnerability in a user’s browser program.  When a browser is hijacked, the intruder is able to control how the browser operates. Examples include changing the default home page, as well as other settings.

Why is this a problem?

Some browser settings can cause all of the traffic between your browser and Internet web sites to be routed through the intruder’s system. This allows the intruder to follow your every move, and it may also allow the intruder to capture passwords you enter at sites such as online banking and e-mail.

Are you concerned yet?  You should be! If your browser has been hijacked, you could become a victim of fraud or identity theft.

Quick Fixes
(assumes you have a Windows computer)

1. Turn on Automatic Updates. This will cause your system to automatically download and install all the latest security patches for Windows and Internet Explorer
2. Install Microsoft Security Essentials or other anti-virus program.  AVG has a very good free anti-virus program.
3. Scan your computer for malware using your on-board anti-virus program.
4. Scan your computer for malware using one of several good web-based anti-virus programs, such as: Panda, Symantec, Trend Micro.
5. Turn on Windows Firewall.
6. Update to the latest version of Internet Explorer, which has a better design and better security controls.
7. If you don’t want to update Internet Explorer (or if you already have the latest), reset your IE settings.
8. Manage and disable add-ons. A lot of browser hijacking is the result of add-ons.

Even after you do these things, you’ll still be running a combination of software that is vulnerable by design and requires constant vigilance. Read on.

Long-Term Fixes

If you are running Windows, I highly recommend you stop running Internet Explorer altogether. Use it ONLY for running Microsoft Update, online virus scans (from step 4 above – most require IE), and those occasional website that do not render well in other browsers.

For greatest security when browsing on Windows, use Firefox with the NoScript and FlashBlock add-ons. This combination is the safest possible browsing when using Windows. You’ll still have to run anti-virus and automatic updates, though.

Paradigm Shift

Most people use Windows, but few people HAVE to. There are two excellent alternatives:

• Linux. The “ubuntu” release of Linux is highly reliable, easy to use, and secure. If you have a good PC, you can download ubuntu, burn it onto a CD, and try it out on your own computer. If you really, really like it, you can install ubuntu Linux onto your computer and say goodbye to Windows forever. We have done this on two systems here. Linux runs so much faster on a PC than Windows that you will think you got a hardware upgrade!
• Linux in a virtual machine. If you *have* to run Windows (because of that expensive software that runs only on Windows), then I recommend you download VirtualBox and install Linux as a guest. Then, do all of your Internet browsing from the Linux machine (running Firefox, Noscript, and Flashblock as described earlier). You can run it in full screen mode, which is the next best thing to running Linux on your hardware. Another nice thing about this method is that if you do get malware on your Linux system, you can reset your Linux system back to an earlier state (I have never had this happen, but if I did mess something up in the Linux system, reverting to a recent snapshot is still a nice feature).
• Mac OS. If your PC is not that great and you want to upgrade to new hardware, this is a great time to buy a Mac. While they may initially seem more expensive, you get excellent value and performance. On Mac OS, you can download Open Office, which is free and compatible with Microsoft Office. We have three Macs at home (a Mac Mini, a MacBook, and a MacBook Pro) and are totally satisfied with them. They are great computers.

Note regarding purchasing a Mac computer: do not get caught up in feature comparisons (e.g. a Windows system with a larger screen for less money than a Mac).  A Windows system is still just a Windows system, vulnerable by design and more expensive in the long when when you consider all the time you have to spend to keep it secure / make it secure. These videos say it better than I can:

FBI mystery man identified

The Federal Bureau of Investigation has allegedly identified the “mystery man” who has as many as 32 aliases. He is identified as Scott Andrew Shain.

Articles:

John Doe identified as Boston man

Six new photos of FBI’s Seattle mystery man

Fake fingerprints, multiple aliases, in FBI custody; name=??

Fake fingerprints, multiple aliases, in FBI custody; name=??

The FBI has taken a career identity thief into custody in Seattle. Problem is, they have no idea who it is.

Aliases: William Everett Gee, Robert Allen Lowe, Robert Allan Loew, Dwayne Spill

More on this FBI web site (now a dead link)

Update: Six new photos released

Stories:

Seattle Times

KOMO TV Seattle

Seattle Post-Intelligencer

Fraudulent Microsoft Update

There is lots of activity around an email and a fraudulent Microsoft Update web site (that the email directs you to), claiming that there is an urgent Microsoft update.

The web site looks like a legitimate Microsoft site and contains an “Urgent Install” button that, when clicked, attempts to download and install malicious software on your system. The file that attempts to download is not signed by Microsoft and is called “WindowsUpdateAgent30-x86-x64.exe”.

This web site is using fast flux DNS for its web hosting. That make it hard to track and close down, so we expect it to be around for awhile.

Please advise your users, if they receive this type of email, they should just delete it. Microsoft does not distribute updates by sending emails directly to individuals or distribution lists.

Credit to NW WARN for the contents of this advisory.

Americans must take personal responsibility to curb identity theft

I have been thinking a lot about identity theft as I’ve covered the massive TJX security breach this year. I have recently reported that the size of the breach has increased from its original 47 million cards to 94 million cards, which is nearly one card per U.S. household.

The TJX breach certainly is a high-watermark breach, but it’s nowhere near the only one, nor the only big security breach. To get an idea of just how many security breaches there have been and where they have occurred, the Privacy Rights Clearinghouse has chronicled a history of security breaches here.

The credit issuing and reporting system in the U.S. is out of control. Rather, it might be more accurate to say that the credit system has not institutionalized changes to reflect changing risks in the Internet era. The factors that have led to the epidemic of data security breaches include:

• The proliferation of financial and private information in banking, merchant, service provider, and consumer information systems
• The exuberance with which creditors grant credit to consumers
• The lack of controls to ensure that the person requesting credit is actually who they claim to be

If we just sit around and wait for the government to fix this, we’ll all be robbed blind first. We must take some action on our own, now, until the credit system introduces effective controls on its own. I recommend you take these measures to protect yourself.

1. Set up a fraud alert with one or more of the three credit bureaus (Experian, TransUnion, Equifax). This will alert you to any changes in your credit file.
2. Examine your credit report carefully at least once per year.
3. Close credit accounts that you no longer use.
4. Consider getting your mail at a PO Box or a Private Mail Box (PMB), to reduce the possibility of mail theft.
5. Reduce or discontinue your use of credit.
6. Pay cash. Whenever you are paying with a credit or debit card, you are leaving information behind that can be used to commit fraudulent transactions.
7. Double-lock your banking and credit information in your home and place of business. In other words, put all documents containing private and financial information in a safe or locked room within your home or business.

While it is true that all of these measure take time and money, they take far less of each than the effort required to clear your credit if you fall victim to identity theft.

We have been victims ourselves. My wife’s driver’s license was stolen, and it was subsequently used to write bad checks in her name. My credit card number (and name+billing address) was stolen from employees at a shipping company, and over $2,500 in fraudulent transactions charged against my debit card. Neither resulted in a wide scale identity theft against us, but they could have had we not taken action quickly.

Don’t wait for someone else to fix this for you.