11/03/2013 | 1 Comment
When Bill Foster’s 401K account was emptied and he lost over $40,000 he did what a lot of us might do: he sued the company managing his funds. But the verdict was rendered a few months ago: the company is not responsible. It’s his fault since he failed to file a change of address, and someone else used the information she received (by snail mail, at his old address) for accessing his account.
In another case in 2007 a man lost $179,000. He was hacked by a cybercriminal, but it was also concluded there was no liability on the part of the fund company. Fortunately for him, investigators were able to recover the funds before they were wired out of the country. Unfortunately for the rest of us, cybercriminals are much smarter today than they were in 2007.
In the first instance, Bill had moved out of his home a few months before the 401K fund managers sent a letter to his home with details on how to access his accounts. His estranged (soon to be ex) wife opened the letter and used his Social Security number to reset his password and receive a new pin. Bill only discovered she had drained his account the following year. Although clearly his ex-wife’s actions were fraudulent, Bill is considered liable
19/02/2013 | 1 Comment
Imagine their surprise: a week ago, while Montana residents were innocently engrossed in the show Teen Cheaters Take Lie Detector Tests, they were abruptly interrupted by a broadcast of the Emergency Alert System. The station was muted as the following voice-over message was recited by a somber-sounding fellow:
“Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages onscreen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”
Meanwhile, a list of the affected counties scrolled across the screen. Naturally, this worried a few folks. Many called their local police.
23/12/2012 | No Comments »
I’m a military brat. Most Americans are familiar with this term, because it is a common way we brats answer the question: “Where are you from?” Every other answer takes too long. You know, like explaining why being born in Italy doesn’t mean I’m Italian. And we really don’t have enough time to talk about all the schools we went to.
According to Wikipedia, we are an entire sub-culture. One component of this subculture is a company called USAA. USAA is an organization which provides financial services, loans and banking to anyone associated with the military. And in their eyes, once a brat, always a brat. This turns out to be a good thing, because the children of service men and women have a lifetime right to use their services.
The Fall 2012 issue of USAA’s magazine features an interview with Gordon Snow. He was formerly the FBI’s top cybercrime cop. Naturally I was curious to read about his tips for keeping our families safe.
1.) Go Long! – Here’s a password quiz: which is a stronger password – the hard-to-remember: “H7%doss!” or the easier: “MyLazyDogRex” (note: this second one is also called a “passphrase”)?
Believe it or not, the short one will take a password cracker 6 hours to crack; the longer (but easier to remember) one will take 317 years.
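As an added illustration (not from the original post or the USAA interview), the script below models the brute-force search space behind that quiz, then shows the caveat a practitioner would add: a passphrase built from common words is much weaker if the attacker guesses words from a wordlist instead of single characters. The guess rate and wordlist size are assumptions chosen for the example, so the absolute times differ from the figures quoted above; the ratio between the two candidates is the point.

```python
import math
import string

# Constructed inputs: the two candidates from the quiz above.
SHORT_PASSWORD = "H7%doss!"
LONG_PASSPHRASE = "MyLazyDogRex"

# Assumption for this example: an offline attacker testing 10 billion
# guesses per second against a fast, unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Assumption for this example: a cracker wordlist of 10,000 common words.
ASSUMED_DICTIONARY_SIZE = 10_000


def charset_size(password: str) -> int:
    """Alphabet an exhaustive attacker must cover, based on the
    character classes actually present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable symbols
    return size


def bruteforce_keyspace(password: str) -> int:
    """Worst-case number of candidates when the attacker knows only
    the length and the character classes used."""
    return charset_size(password) ** len(password)


def entropy_bits(keyspace: int) -> float:
    """Keyspace expressed as bits, the usual way strength is compared."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at the assumed guess rate."""
    return keyspace / rate


def split_capitalized_words(passphrase: str) -> list:
    """Split 'MyLazyDogRex' into ['My', 'Lazy', 'Dog', 'Rex'], treating
    each capital letter as the start of a new word."""
    words, current = [], ""
    for ch in passphrase:
        if ch.isupper() and current:
            words.append(current)
            current = ""
        current += ch
    if current:
        words.append(current)
    return words


def wordlist_keyspace(passphrase: str, dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> int:
    """Keyspace if the attacker models the passphrase as a sequence of
    capitalized dictionary words rather than independent characters."""
    return dictionary_size ** len(split_capitalized_words(passphrase))


def keyspace_ratio(stronger: str, weaker: str) -> float:
    """How many times larger the first password's brute-force keyspace is."""
    return bruteforce_keyspace(stronger) / bruteforce_keyspace(weaker)


def human_duration(seconds: float) -> str:
    year = 365 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:,.0f} years"
    if seconds >= 3600:
        return f"{seconds / 3600:,.1f} hours"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for pw in (SHORT_PASSWORD, LONG_PASSPHRASE):
        ks = bruteforce_keyspace(pw)
        print(f"{pw!r}: charset {charset_size(pw)}, length {len(pw)}, "
              f"{entropy_bits(ks):.1f} bits, exhaustive search "
              f"{human_duration(seconds_to_exhaust(ks))}")
    wl = wordlist_keyspace(LONG_PASSPHRASE)
    print(f"{LONG_PASSPHRASE!r} as {len(split_capitalized_words(LONG_PASSPHRASE))} "
          f"dictionary words: {entropy_bits(wl):.1f} bits, "
          f"{human_duration(seconds_to_exhaust(wl))}")
```

Under the pure character-by-character model the twelve-letter passphrase has roughly 64,000 times the keyspace of the eight-character password, which is why length beats complexity in the quiz. Treated as four words from a 10,000-word list, though, it drops to about 53 bits, close to the short password, so the "go long" advice holds best when the words are uncommon or the phrase is longer still.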
07/10/2012 | No Comments »
I’m not saying that Wikipedia is the ultimate authority on all things, but let’s agree that at least it’s a fabulous starting point. There’s obviously something powerful about “anonymous” collaboration.
Some of you may have heard about the allegation that a group of hackers successfully stole the Romneys’ tax returns, forcing them to release them. Here’s how an “anonymous” editor sums it up on the Wikipedia profile of Price Waterhouse:
Mitt & Ann Romney tax returns
On September 4, 2012, an anonymous group of hackers claimed on Pastebin.com, a popular website for hacking groups such as Anonymous, to have gained access to PwC’s “network file system” at their Franklin, Tennessee office and copied documents relating to Republican presidential candidate Mitt Romney and his wife Ann’s tax returns before 2010, which the candidate has refused to release. The group demanded that the company pay $1,000,000 USD in Bitcoin electronic cash. The group said that failure to meet their demands will result in the release of the material to “all major media outlets,” on September 28.
So is it just a huge coincidence that the Romneys released their returns on September 24th? Allow me to add another data point: Today – October 7th, 2012 – Price Waterhouse posted over ten job openings on dice.com with titles like “Cybercrime Manager”.
30/09/2012 | No Comments »
I’ve been busy this month giving webinars on cybercrime for my day job at Kaspersky. Here’s a link to the latest one. It is called “Top Cybercrime Threats 2012” and it also promised “10 tips to better internet security”.
But it could have been “Twenty Tips”. Or even “Thirty”. Because there are at least this many small things we could do to be more secure. However, people don’t have infinite amounts of time to watch webinars, even if it’s about their own security. So I’ll continue to work on slicing and dicing the information into small, consumable chunks for the non-security geeks in the world.
Here are two fun facts I want to share:
* in the year 2000, there were 316 million people on the internet worldwide
* in the year 2011, there were 2.3 billion
Stunning change in just a decade, isn’t it? Never have so many people become connected and enabled so fast. And with so much money continuing to fund this growth – high-tech as a whole, plus all the charities we support – it shows no sign of slowing down. So how long will it be until 70% of the world is connected?
27/08/2012 | 1 Comment
Last week I was scouring the web and I came across a white paper on “security threats of 2011” which I hadn’t read yet. It was a 56 page document written by a top security organization (we all publish these reports but each company has a different spin).
This made me laugh! Really? I have to say that anyone who thinks there is a network perimeter anymore – meaning, a definable, non-permeable network perimeter – is either smoking crack or lost in a delusional Dilbert dream where IT guys rule. That would be the fantasy where IT actually gives us mobile/portable devices of their choosing along with a set of rules we actually follow. Useful rules like, “don’t get infected.” Ha-ha!
And the more I contemplate this idea, the more I think it was always a fantasy. Back when I was working for NEC’s Corporate Capital group – ten years ago – my laptop went home with me every day. I used it for everything – my
21/08/2012 | No Comments »
Why is it that we only need make the most innocent of unequivocal statements and suddenly things pop up everywhere to prove us wrong?
Last week I gave a presentation to a partner of ours. I was discussing the state of cybercrime and some of the most urgent threats. On the subject of Hacktivism I said, “these guys are the unruly mob of the internet. The problem is, their attacks aren’t based on any consistent principle – any bored hacker can jump in and join the fun – so if you are working with clients who are on the shadier side of what is politically correct, Hacktivists (hackers for a cause) are a concern.”
Besides the fact that what they do is illegal, at least some Hacktivists seem to demonstrate a naïve perspective on complex issues (for example, I don’t think it’s reasonable to expect PayPal or eBay to have a conscience). So I have to admit I’ve not been much on their side. But this weekend I read an article in Security Week about an attack I agree with. It’s about Anonymous (probably the most well-known Hacktivist group) breaking into the Ugandan government’s main web server and posting a fake press release. Who knew Anonymous had such a sense of humor?
Right now Uganda has legislation on the table which mandates death for all homosexuals. Really. So Anonymous
24/07/2012 | No Comments »
Okay, I really love this article where they speculate that Katie Holmes’ use of a disposable cell phone may have been instrumental in keeping the divorce demand a secret from Tom Cruise – and therefore maintaining the advantage of surprise.
Because yes, it’s true: if you tell someone you will call them at 3:15 pm, they will pick up even though they don’t know the number (and I rarely pick up unknown numbers). I love this because it’s about security in the sense that it’s keeping OUR secrets safe from THEM (whoever THEY are). And that is the whole point of security, isn’t it? We decide what information we want to keep private, and sometimes we decide what information other people should NOT keep private (for example, the fact they have other spouses or belong to a freaky cult). And if we have very good security we can enforce those boundaries. This is the same reason we should sometimes buy those disposable credit cards at the local drug or grocery store with $100 of credit on them for teens in the household who are making their own purchasing decisions. If they need a credit card to “make it happen”, and you don’t want to be charged again every month…think about it. Sometimes the “this is a subscription” details are in such fine print on the website that it’s not even fair to expect a kid to notice.
25/06/2012 | No Comments »
Last week we had a work meeting on the island of Cyprus. On our final day, as I meandered down the beach, I snapped this pic of what passes for security there.
Obviously it’s not a very effective barrier. So why bother? Well, it turns out that they are attempting to solve a problem which is quite analogous to policing the internet.
In order to grasp the analogy, it’s helpful to consider the following question about physical security.
Which of these three problems is the hardest to solve?
a.) Keeping everyone out – imagine an area which is nuclear-contaminated or ecologically fragile
b.) Only let in a trusted few – Area 51 or any other military base
c.) Let everyone in, except for a distrusted few – example: a shopping mall during a “high alert” situation (where threats have been called in)
The first one is fairly simple: your goal is to make potential trespassers give up and go away. Erect some barbwire, add cameras, throw in a few landmines and you’re done.