When Cybersecurity Vendors Lie

01/24/2018

See if you can spot the problem inherent in this relatively common sales pitch: “For only $200,000 you can subscribe to our data feed today and receive truly actionable cyber-intelligence!”


Assuming the company is already known to have unique sources of information, the challenge is in the rest of the phrase: how do we define the term “actionable”?  It’s an appealing word because it implies that the information will be useful to us; by taking the recommended actions we will be improving our lives.

Who doesn’t want this?  An improvement on existing conditions is what we often seek as we browse articles, watch DIY vids on YouTube, or subscribe to newsletters on stock tips.  But how often does this actually work in the complex and convoluted world of cybersecurity? Read the rest of this entry »

Small Business Advice, and Beware the Bitter ex (employee)

12/06/2014

Six Steps Small Businesses Can Take to Assure Bank Account Security

Why Angry Employees are Everyone’s Problem

– blogs I posted at Kaspersky Lab.

Thanks so much for visiting!

Target breach update – how were HVAC passwords stolen?

02/06/2014

As we learned from Krebs a few days ago in a Target breach update, the original entry point of the malicious software was Target’s HVAC company. Yes, that means the folks who handle their air conditioning and heating. I’m guessing in the aftermath of this admission, scads of large companies are scrambling to ensure there are no “touch points” between “building management” systems and their treasured business networks. It makes sense to me that the building manager would want to have “heating and lights” right there under the same “pane of glass” as “inventory” but if that’s how companies have been operating, it’s time to rethink it.

Those of us in cybersecurity eagerly await more details. Fortunately we won’t have long to wait since Krebs is on the case. But in the meantime, are there security lessons to be learned from this aspect of the Target breach too (aside from the obvious: keep supplier networks separate)? The big question on everyone’s mind is: how is it that the HVAC company’s password was discovered by the cybercriminals?

Even without knowing any more than we do right now, the answer almost always comes down to the same few possibilities. Here are the six most common ways in which passwords are stolen: Read the rest of this entry »

Has Target Done Enough?

02/01/2014

My favorite analogy in security is the one which describes each internet defense as a slice of Swiss cheese: they all have their holes (weaknesses). The idea – if we want the best security – is to stack them all up on top of one another and hope the holes don’t line up. Because if they do – meaning, if any of the inevitable weaknesses in software or hardware align so that there is an opening for strangers to enter – that represents the tunnel through which cybercriminals crawl into our home computer or business network.

What the average citizen may not realize is that in some ways he or she is no different than Target.  Cybercriminals are coming after all of us.  And based on the infection rates of personal computers and mobile devices, a large number of Target’s potential victims have been personally compromised at home already.  So what are customers in such a huff about?  Read the rest of this entry »

The Most Important Things to Know About Internet Safety While Traveling

11/23/2013

My cousin is on his way to Germany for a week and asked for some advice on being “cyber safe” while there. In other words, how can he stay connected with people and email but not become a victim of malicious software? Here are a few tips:

– Assume that every public computer everywhere – whether at an airport, cybercafé or the hotel business center – is infected with malware and will record your every keystroke. For this reason it’s best to avoid using public computers if you can. That said, googling “the word for hospital in Arabic” or “toxicity of tarantulas” is pretty harmless. Bouncing over to check Gmail, on the other hand, can be a huge mistake. Particularly if you use your Gmail password anywhere else (because once a password/user name combination is discovered by criminals, it can be easily and automatically plugged into thousands of other websites to see if it works). Or, if you use Gmail to receive account statements, internet orders or banking validation codes. Once cybercriminals hack your account, they will sift through emails seeking these things.
– If your kids like to play computer games, and they use the PCs at the hotel to do it, remind them as well: it’s best not to check or send personal email from those machines. If they insist on doing so, at least remind them to be sure to log out when they are finished.
– Before you leave the US, consider setting new passwords for sites you will be using and then change them again when you return. Read the rest of this entry »

Internet Safety While Traveling – Deeper Dive

11/23/2013

A “man in the middle” or MIM attack is not particularly difficult to pull off, and it represents one of the biggest cybersecurity threats we face when we are traveling – or in fact, any time we consider using an unknown wireless network.

Here’s how it works: it’s rather easy to find software which will monitor or “sniff” network traffic. It’s even easier to set up a wireless network – for example, like many business travelers these days, I carry a portable wireless hub in my purse. If the intent is to trick other people into using it, all that’s left is giving it a name which sounds legit, like “Marriott SecureWifi”. These can even be set up as far as 15 miles away from the wifi area.

As people try to connect to the criminally controlled network, the cybercriminal allows them to do so (using the same password as the real network, or no password at all). Then the cybercriminal becomes the “man in the middle” (MIM). Sample scenario (there’s a more detailed example of a MIM in my book):

1. You ask for the Gmail page in your browser and type in your Gmail password.
2. The MIM intercepts your request and provides you a fake Gmail login page (which looks pixel by pixel exactly like the legitimate one, including “https/gmail” in the browser, which indicates that it is securely linked to the Gmail server).
3. The MIM sends your password to Google.
4. Google assumes it’s talking to you, and opens your Gmail.
5. The MIM passes the Gmail back to you and continues passing requests and information back and forth until your session is done.

Read the rest of this entry »

Mobile Malware Update (and Juniper’s report)

09/09/2013

As a small part of my day job, I put together a monthly “Cybersecurity Digest”. Most of my subscribers are IT Managers in large organizations. I created the digest especially because I like efficiencies: if I’m going to fall asleep at night reading 45-page reports on cybercrime anyway, why not save IT Managers or small business owners some time by summarizing what I learned? Oftentimes, like when I was recently preparing to present details of the mobile virus Obad, I read five such reports. Some of them are virtually useless – overly generalized repetitions of data available elsewhere – whereas others have fresh data and new perspectives. In the excerpt below from my September Digest, I review Juniper’s Mobile Malware report.

Mobile Malware Update

The amount of mobile malware we’ve seen in the last year is approximately at the same point (200K – 300K samples) as Windows malware was back in 2006, which was the first year of cybercrime going completely crazy. Is mobile malware poised to explode as well?

The Mobile Malware Profit Model

The most successful profit model so far is sending or receiving premium SMS messages without the user’s knowledge. Currently this activity is heavily concentrated in China and Russia, two countries where premium SMS messaging is extremely popular. This is also where we see the majority of mobile malware botnets. One security company estimated the profitability of such a botnet. The net of it is Read the rest of this entry »

Solving the End User Problem

09/07/2013

Every IT manager knows that poor behavior on the part of end users is the biggest challenge in cybersecurity. The problem is primarily due to a lack of education – users don’t realize which of their actions (or inactions) put their companies at risk. And it’s hard to blame them for what they don’t know: we security professionals haven’t made it easy for them.

I believe the second biggest problem in cybersecurity is something I began speaking about in April in my job with Kaspersky Lab. I call it The Cybercrime Comprehension Gap. With regard to the average consumer, most available information is simply too complex. Very often we speak and write in terms unique to our field, and the average employee’s curiosity is exhausted long before they can discern what is relevant to them.

Read the rest of this entry »

Why We Should All Pay for Smartphone Apps

08/24/2013

Suppose Josephine and Rick have built the most incredible smartphone application ever. They offer it up to the market for a few dollars, and the next thing we know they are millionaires. Their customers not only love the app, but they also appreciate not being deluged by incessant banner ads or pop-ups. Jo and Rick didn’t have to bring in online advertisers because their profit model was simple: sell the app itself to make money.

But not all developers are as lucky. Steve and Sue can’t get anyone to pay attention to their app, and darn, they spent all their money creating it. So they will have to figure out another way to earn their money back. The most popular way to do this is to get paid when users view ads. Steve and Sue decide to make their app available for free, and advertisers pay Steve and Sue to place ads alongside the application. These ads change dynamically just as they would at a Read the rest of this entry »

When Your 401K Gets Hacked

03/11/2013

When Bill Foster’s 401K account was emptied and he lost over $40,000, he did what a lot of us might do: he sued the company managing his funds. But the verdict was rendered a few months ago: the company is not responsible. It’s his fault, since he failed to file a change of address, and someone else used the information she received (by snail mail, at his old address) to access his account.

In another case, in 2007, a man lost $179,000. He was hacked by a cybercriminal, but it was also concluded there was no liability on the part of the fund company. Fortunately for him, investigators were able to recover the funds before they were wired out of the country. Unfortunately for the rest of us, cybercriminals are much smarter today than they were in 2007.

In the first instance, Bill had moved out of his home a few months before the 401K fund managers sent a letter to his home with details on how to access his accounts. His estranged (soon to be ex) wife opened the letter and used his Social Security number to reset his password and receive a new PIN. Bill only discovered she had drained his account the following year. Although clearly his ex-wife’s actions were fraudulent, Bill is considered liable Read the rest of this entry »