In another case in 2007 a man lost $179,000.  He was hacked by a cybercriminal, but it was also concluded there was no liability on the part of the fund company.  Fortunately for him, investigators were able to recover the funds before they were wired out of the country.  Unfortunately for the rest of us, cybercriminals are much smarter today than they were in 2007.

In the first instance, Bill had moved out of his home a few months before the 401K fund managers sent a letter to his home with details on how to access his accounts.  His estranged (soon to be ex) wife opened the letter and used his Social Security number to reset his password and receive a new pin.  Bill only discovered she had drained his account the following year.  Although clearly his ex-wife’s actions were fraudulent, Bill is considered liable because he did not follow “fund policy” (those rules written in micro-Sanskrit at the bottom of the documents we receive from fund managers) and request a change of address as soon as he moved.

Seriously: this is the basis of a judgment involving the loss of $40K in assets.  Bill neglected to file a change of address.

Over the weekend I was shredding old documents as I thought about the case.  I couldn’t help but notice how cavalier we were ten years ago about Social Security numbers!  They were often printed on every page of documents which were merely meant to uniquely identify us.  There was no thought about how many hands the docs might pass through or what a person acquiring the number might do with it.  And remember when our credit card companies stopped putting the full account number on statements which were mailed?  Old statements have every digit on every page.  Ah, the good old days before the cybercrime explosion…in retrospect, we were so carefree.

So here’s my tip of the day: consider where all your old documents are and who has access to them, whether they are in print form or electronic.  This is especially important for accounts which haven’t changed in years (as is true for many IRAs and 401Ks), because if those documents fall into the wrong hands it could really cost you.  Shred everything you don’t need and keep the rest safely stored away.  And if you dissolve a romantic or professional relationship with a person who: a.) knows your Social Security number; b.) knows your home address; and c.) is the slightest bit ethically-challenged, be sure to change all your passwords and add additional security criteria on all your retirement accounts.

Best,

cj

“Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages onscreen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”

Meanwhile, a list of the affected counties scrolled across the screen.  Naturally, this worried a few folks.  Many called their local police.

But it wasn’t a shock to everyone; there are people who knew this sort of thing could happen.   

A month ago a research scientist, Mike Davis, discovered that numerous alert systems across the US have some “really, really terrible software” on them which make them vulnerable to hacking.  He warned that the flaws could allow hackers to take control and broadcast messages of their choosing, and Davis reported this to US CERT (United States Computer Emergency Readiness Team).

I have to wonder – in addition to asking whether US CERT itself has been hacked (coincidental timing, doncha think?) – does our government still believe this antiquated system would serve us best should the need arise, say, to warn citizens of the imminent arrival of a meteor traveling 40,000 miles per hour?  Because I’m thinking it’s a bit outdated.  Maybe someone should suggest they consider alerting us by using an alternate medium that we’re actually connected to most of the time…

Best,

cj

(sources: threatpost and the register )

According to Wikipedia, we are an entire sub-culture.  One component of this subculture is a company called USAA.  USAA is an organization which provides financial services, loans and banking to anyone associated with the military.  And in their eyes, once a brat, always a brat.  This turns out to be a good thing, because the children of service men and women have a lifetime right to use their services.

The Fall 2012 issue of USAA’s magazine features an interview with Gordon Snow.  He was formerly the FBI’s top cybercrime cop.  Naturally I was curious to read about his tips for keeping our families safe.

You can find the on-line article here, but they cut out a lot of the good stuff (nice reference to my employer though).  Here are my two favorite useful tips:

1.)  Go Long!  – Here’s a password quiz: which is a stronger password – the hard-to-remember: “H7%doss!” or the easier: “MyLazyDogRex” (note: this second one is also called a “passphrase”)?

Believe it or not, the short one will take a password cracker 6 hours to crack; the longer (but easier to remember) one will take 317 years.

2.) Be Suspicious!  – Don’t freely allow others to connect to your home wireless.

* Gordon expects anyone who wants to connect to the home wireless to run a security scan FIRST.  In fact, here’s a link to a free, safe, security scan

* This might be overkill for most of us, but suppose your teen is hosting a party and there are just too many kids to check their individual systems.  In this case, change the router settings so that the only devices allowed to use the wireless network are those whose individual MAC addresses have been entered (this is basically a serial number which is unique to each device).  Instructions for doing this can be found here.

* This one is for our military: if Aunt Mildred says she can’t talk about when your cousin Tim is coming back from Afghanistan, it means you can’t talk about it either.  And definitely not online.  In fact with so many young soldiers using Facebook these days, the famous World War II tagline “loose lips sink ships” has been updated to “loose lips STILL sink ships” and is being aggressively recirculated.

USAA also has more good tips here, at their security and privacy center which is available to everyone (not just members).

And Happy Holidays to all you military and my fellow brats out there, wherever in the world you may be!

Best,

cj

Some of you may have heard about the allegation that a group of hackers successfully stole the Romney’s tax returns, forcing them to release them.  Here’s how an “anonymous” editor sums it up on the Wikipedia profile of Price Waterhouse:

___________

Mitt & Ann Romney tax returns

On September 4, 2012,^[64] an anonymous group of hackers claimed on Pastebin.com, a popular website for hacking groups such as Anonymous, to have gained access to PwC’s “network file system” at their Franklin, Tennessee office and copied documents relating to Republican presidential candidate Mitt Romney and his wife Ann’s tax returns before 2010, which the candidate has refused to release.^[65] The group demanded that the company pay $1,000,000 USD in Bitcoin electronic cash. The group said that failure to meet their demands will result in the release of the material to “all major media outlets,” on September 28.^[64]

____________

So is it just a huge coincidence that the Romneys released their returns on September 24^th?  Allow me to add another data point: Today – October 7^th, 2012 – Price Waterhouse posted over ten job openings on dice.com with titles like “Cybercrime Manager”.

The supposed breach was widely reported on September 5^th, but of course Price Waterhouse denied the returns were stolen.  I’m skeptical.

My skepticism has nothing to do with my politics and everything to do with what we know about cybersecurity: If a brilliant hacker wants your stuff he’s going to get it.  (Interestingly, what the ransom note describes in detail is a physical breach which led to the data breach.)  Of course maybe PW is just advertising for cybercrime expertise because the purported breach made them realize they were vulnerable.

Most of the time, I teach people how to be safer from generic cybercrime threats.  That means: the malware which is out there attacking every system it comes in contact with.  But in this case, Price Waterhouse may have suffered what we call a “targeted threat”.  Targeted threats are when any competent hacker or group of hackers have decided to go after one company, or specific data that company has.  And guaranteed, if they try hard enough they will get it.  Did these hackers try hard enough?  Did they have enough time?

But more importantly, what lesson can we learn from this?  Here’s one point that most of us miss about security: Even if you personally follow every rule of internet safety – you can still be infected if you are connected to a network where your teen downloaded an infected game, or your spouse clicked on an infected website.  So if you have data which you really want to protect, the most secure way to store it is on a system which is completely stand alone.  Ideally it’s one of those old computers you have lying around the house already.  It should have no connection to any kind of network, including the internet (you can always transfer information to and from it using a security-scanned USB).  It won’t be much fun but it will be safe.  That is, unless your data is so interesting that some criminal is willing to break in, bribe the dog and risk jail to get it!

Speaking of home safety, next blog will have some interesting tips from the former top FBI cybersecurity expert, Gordon Snow, on tips to stay safer at home.

Best,

cj

But it could have been “Twenty Tips”.  Or even “Thirty”.  Because there are at least this many small things we could do to be more secure.  However, people don’t have infinite amounts of time to watch webinars, even if it’s about their own security.  So I’ll continue to work on slicing and dicing the information into small, consumable chunks for the non-security geeks in the world.

Here are two fun facts I want to share:

connected world

*  in the year 2000, there were 316 million people on the internet worldwide

*  in the year 2011, there were 2.3 billion

Stunning change in just a decade, isn’t it?  Never have so many people become connected and enabled so fast.  And with so much money continuing to fund this growth – high-tech as a whole, plus all the charities we support – it shows no sign of slowing down.  So how long will it be until 70% of the world is connected?

The ramifications of this are incredible, because we’re talking about a “hobby” which is not only big fun but it allows people to engage in three behaviors simultaneously  – socializing, purchasing and being educated  – each of which, on its own, has been responsible in huge shifts in human history.  It’s all quite exciting.

The only problem is that in every group of people who gain access, there are criminals.  And the more we buy over the internet, the more opportunity we provide existing cybercriminals to steal from us.  Can you think of anything more compelling to a criminal than a stream of billions of dollars which only takes a few keystrokes to get to?    (In the US alone, $165 billion was spent in 2010.)

One of the beauties of the whole thing is that even a computer illiterate can be “up and on” in just a few minutes.  So shouldn’t we also invest a little time learning how to use this fabulous and tool more safely?  Watch the webinar, download the free tips on this site, or google the topic.  But at least do something.  And get your family and friends involved.

All right, I’m off my soap-box and on to the next project.  In fact I’d love to hear any ideas you have for this.  How do we keep teens entertained while also teaching them about safer surfing?  It will have to: be video, be funny, and be on YouTube.  That’s as far as I have gotten so far…

Best,

cj

There on page 41 was the fix for all our security woes!    Sure it took me a while to get there, but well worth it don’t you think?  The answer was (drum roll, please): “Secure the network perimeter.”

This made me laugh!  Really?  I have to say that anyone who thinks there is a network perimeter anymore – meaning, a definable, non-permeable network perimeter – is either smoking crack or lost in a delusional Dilbert dream where IT guys rule. That would be the fantasy where IT actually gives us mobile/portable devices of their choosing along with a set of rules we actually follow.   Useful rules like, “don’t get infected.”  Ha-ha!

And the more I contemplate this idea, the more I think it was always a fantasy.  Back when I was working for NEC’s Corporate Capital group – ten years ago – my laptop went home with me every day.  I used it for everything – my personal life and internet shopping included.  There wasn’t any rule which said not to.  Of course in those days there was a lot less malware out there (less than 100,000 pieces a year instead of 50 million).  Maybe this is what gave IT the feeling that they actually had a secure perimeter.

To make my point, let’s just take this recommendation and apply it to our homes.  If you want to keep your house from ever, ever being broken into, it’s not that difficult.  All you need do is “secure the perimeter.”  Here’s how:

1.)    Dig a moat.

2.)    Throw in some alligators.

3.)    Put a fence up so they don’t eat your guard dog.

4.)    Add a Rottweiler or Doberman to the mix.

5.)    Lock all your doors.

6.)    Don’t ever let anyone in.

7.)    Don’t ever let anyone out.

And voila, no more pesky solicitors.  Or…does someone see a problem with this prescription?

That’s right; unless we have Unabomber predilections, there are friends and family we enjoying seeing from time to time.  We need groceries and pizza, so we’d need to let those people in too.  We also enjoy going out, right?  The fact is: the civilized world as we know it has flexible boundaries everywhere you look.  Most of us go to work, leave at night and return again.  We’re able to fly (or walk or drive)  between countries.  Permeable perimeters are inherently insecure, but they are also essential to our happiness: they allow freedom, innovation, commerce and love – some pretty key elements of life, at least as us folks in civilized countries know it.

Of course sometimes we will get entrants we don’t want.  They may be masquerading as something else (as malware does, and sociopaths do) or someone may have brought them along unknowingly – as happens when we allow a laptop to be infected and bring it back into the network.  But there is no perfect solution.  The best we can do is “manage” our risk.  Whether it’s for business or home, get great anti-virus (like Kaspersky Lab AV) and follow best practices, but don’t imagine you’ll ever reach a point of having zero risk.

Because to implement what page 41 suggests perfectly, you have to be willing to give up pretty much everything to get it.

Best,

cj

Last week I gave a presentation to a partner of ours.  I was discussing the state of cybercrime and some of the most urgent threats.  On the subject of Hactivism I said, “these guys are the unruly mob of the internet.  The problem is, their attacks aren’t based on any consistent principle – any bored hacker can jump in and join the fun – so if you are working with clients who are on the shadier side of what is politically correct, Hacitivists (hackers for a cause) are a concern.”

Besides the fact that what they do is illegal, at least some Hacktivists seem to demonstrate a naïve perspective on complex issues (for example, I’m don’t think it’s reasonable to expect paypal or ebay to have a conscience).  So I have to admit I’ve not been much on their side.  But this weekend I read an article in Security Week about an attack I agree with.  It’s about Anonymous (probably the most well-known Hacktivist group) breaking into the Ugandan government’s main web server and posting a fake press release.  Who knew Anonymous had such a sense of humor?

Right now Uganda has legislation on the table which mandates death for all homosexuals.  Really.  So Anonymous hacked the government’s main website and posted a missive purportedly from the Prime Minister.  It was essentially an apology to all gays.

Imagine the government’s upset!  How dare someone represent them in such a fashion!  They’re horrifyingly proud of their bigotry.

So what’s not to love about this particular exploit?

Of course I’m a Californian, and we do lean way left in certain ways.  We love fluffy baby seals (but not as articles of clothing), we want to save the dolphins  and we hate oil slicks on our shores.  We’re also okay if the entire population of American gays come and live in San Francisco.  It’s a “live and let live” kind of thing.  So hearing about the Ugandan government’s perspective – well, let’s just say I wouldn’t shed a tear if hackers disabled their entire internet infrastructure and sent the government back to the dark ages they obviously came from.  But not to forget: I’m in anti-cybercrime, so I can only applaud silently, and please don’t tell my boss.

Also – it’s not hard for an avenger to morph into a bully, so let’s just hope Anonymous adhere to some set of principles.  Let’s hope as their power increases (which it seems to be doing)  they have more of Robin Hood’s steady ethics and less of Jim Jones corruptibility.  And no matter what, their actions do make a person ponder: does hacking have any sort of legitimate place in policing the world?

Oh and you people over there at Anon!  Do let me know if the fun ever starts with freeing women in Saudi Arabia.    That one I’d particularly enjoy watching.

Best,

cj

First, you’ve all seen this part of a web page address, whether it’s in an ad or at the top of your browser:

http://

for example, http://bankofamerica.com

and you may or may not have noticed that sometimes you get this one instead, and it looks just a little different:

https://

for example, https://bankofamerica.com

What’s the difference between these two sequences, kids?  That’s right, the second one has an extra “s”!  And what does that stand for?

Some of you know it has something to do with security, which is good, because when I asked my writer friend Deb she asked, “maybe they ran out of “http” and need to add “https”?

This is not a bad guess.  But, it’s completely wrong.

What the little “s” is telling you is that the site you are accessing is more secure.  It is making sure you are who you say you are by conducting what we call a handshake between the computer you are using and the website.  Part of that includes encrypting the information which flows between the two of you so that no one else along the way can read it.

Doing this makes certain types of attacks much harder to carry out*.  So anytime you are providing data which is at all sensitive, make sure the site you are going to is “https” and not only “http”.

Sounds like a good idea, right?  But how is this done?

Believe it or not, all you have to do is go up to your browser and add in the “s” to the address, and refresh (hit “Enter”).  This will redirect you to the secure version of the site if that company has one.   Many companies maintain both an http and an https version.

Easy, right?  But if more security is better, then why have a non-secure website at all?  The simple answer is that https isn’t free, so if it’s not necessary most sites don’t implement it.  By example google has an http version for the unwashed masses (and the rest of us, when we’re goofing off and checking celebrity gossip) but they will automatically switch you to https when you go to check your gmail account.  Amazon will allow you into their http to browse, but of course when you make a purchase you end up on https.  This is how the majority of sites operate.  They try to protect you, so in most cases you’ll be alright.  But when it’s especially critical, keep an eye out for the s!

Best,

cj

* it will protect you unless your system is already infected, so never conduct on-line banking from a public terminal!

Because yes, it’s true: if you tell someone you will call them at 3:15 pm, they will pick up even though they don’t know the number (and I rarely pick up unknown numbers).  I love this because it’s about security in the sense that it’s keeping OUR secrets safe from THEM (whoever THEY are).  And that is the whole point of security, isn’t it?  We decide what information we want to keep private, and sometimes we decide what information other people should NOT keep private (for example, the fact they have other spouses or belong to a freaky cult).  And if we have very good security we can enforce those boundaries.  This is the same reason we should sometimes buy those disposable credit cards at the local drug or grocery store with $100 of credit on them for teens in the household who are making their own purchasing decisions.  If they need a credit card to to “make it happen”, and you don’t want to be charged again every month…think about it.  Sometimes the “this is a subscription” details are in such fine print on the website that it’s not even fair to expect a kid to notice.

Best,

cj

Obviously it’s not a very effective barrier.  So why bother?  Well, it turns out that they are attempting to solve a problem which is quite analogous to policing the internet.

beach security in Cyprus

In order to grasp the analogy, it’s helpful to consider the following question about physical security.

Which of these three problems is the hardest to solve?

a.)    Keeping everyone out  – imagine an area which is nuclear-contaminated or ecologically fragile

b.)    Only let in a trusted few – Area 51 or any other military base

c.)     Let everyone in, except for a distrusted few – example: a shopping mall during a “high alert” situation (where threats have been called in)

The first one is fairly simple: your goal is to make potential trespassers give up and go away.  Erect some barbwire, add cameras, throw in a few landmines and you’re done. 

The second one is manageable – there’s a small group of people who are trusted (relative to the large group who aren’t).  They must have unique identifiers like id cards or matching fingerprints in order to enter.  There are only a few heavily guarded entry points.  Problem solved.

Now what about the last one?  It should be fairly obvious that any place (including a beach or a network) with no walls would be much tougher to defend than a fortress.  Open access and lots of people make it very difficult to locate a few bad guys among hordes of good guys.  This presents a significant security issue.  It might be solved by building fences, but then access is restricted and your merchants lose money.

One pretty good solution is a visible police force, like the one Cyprus has.  As long as there are some cops around to handle the dirty work, local hotels and restaurants feel safe inviting strangers to walk by, hoping they have euros or dollars to spend.  Businesses make a feeble attempt – with their “lite” beach barrier – to dissuade non-members (the boulders are also universally understood to mean “serious shoppers only past this point”).  According to our concierge, this works quite well – merchants are happy and crime is low.

So don’t let your latest hugfest on your favorite social network lull you into a case of the warm fuzzies about your internet connection.  If Darth Vadar  lives, he’s at least a wealthy cybercriminal.  It’s every man or woman for herself out there.   Don’t forget the basic rules: practice safe surfing, have good internet hygiene (log off when you’re finished, etc.) and be sure you use good anti-malware.

Best,

cj