Monday, March 11th, 2013

When Your 401K Gets Hacked

When Bill Foster’s 401K account was emptied and he lost over $40,000 he did what a lot of us might do: he sued the company managing his funds.  But the verdict was rendered a few months ago: the company is not responsible.  It’s his fault since he failed to file a change of address, and someone else used the information she received (by snail mail, at his old address) for accessing his account.

In another case in 2007 a man lost $179,000.  He was hacked by a cybercriminal, but it was also concluded there was no liability on the part of the fund company.  Fortunately for him, investigators were able to recover the funds before they were wired out of the country.  Unfortunately for the rest of us, cybercriminals are much smarter today than they were in 2007.

In the first instance, Bill had moved out of his home a few months before the 401K fund managers sent a letter to his home with details on how to access his accounts.  His estranged (soon to be ex) wife opened the letter and used his Social Security number to reset his password and receive a new pin.  Bill only discovered she had drained his account the following year.  Although clearly his ex-wife’s actions were fraudulent, Bill is considered liable Read the rest of this entry »

Tuesday, February 19th, 2013

Zombies Attack Montana! (US Emergency Alert System Gets Hacked)

Imagine their surprise: a week ago, while Montana residents were innocently engrossed in the show Teen Cheaters Take Lie Detector Tests, they were abruptly interrupted by a broadcast of the Emergency Alert System.  The station was muted as the following voice-over message was recited by a somber-sounding fellow:

Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages onscreen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”

Meanwhile, a list of the affected counties scrolled across the screen.  Naturally, this worried a few folks.  Many called their local police. Read the rest of this entry »

Sunday, December 23rd, 2012

Gordon Snow on Cybersecurity at Home

I’m a military brat.  Most Americans are familiar with this term, because it is a common way we brats answer the question: “Where are you from?”  Every other answer takes too long.  You know, like explaining why being born in Italy doesn’t mean I’m Italian.  And we really don’t have enough time to talk about all the schools we went to.

According to Wikipedia, we are an entire sub-culture.  One component of this subculture is a company called USAA.  USAA is an organization which provides financial services, loans and banking to anyone associated with the military.  And in their eyes, once a brat, always a brat.  This turns out to be a good thing, because the children of service men and women have a lifetime right to use their services.

The Fall 2012 issue of USAA’s magazine features an interview with Gordon Snow.  He was formerly the FBI’s top cybercrime cop.  Naturally I was curious to read about his tips for keeping our families safe.

You can find the on-line article here, but they cut out a lot of the good stuff (nice reference to my employer though).  Here are my two favorite useful tips:

1.)  Go Long!  – Here’s a password quiz: which is a stronger password – the hard-to-remember: “H7%doss!” or the easier: “MyLazyDogRex” (note: this second one is also called a “passphrase”)?

Believe it or not, the short one will take a password cracker 6 hours to crack; the longer (but easier to remember) one will take 317 years.

Read the rest of this entry »

Sunday, October 7th, 2012

The real reason Mitt Romney released his tax returns – his accountants got hacked

I’m not saying that Wikipedia is the ultimate authority on all things, but let’s agree that at least it’s a fabulous starting point.  There’s obviously something powerful about “anonymous” collaboration.

Some of you may have heard about the allegation that a group of hackers successfully stole the Romney’s tax returns, forcing them to release them.  Here’s how an “anonymous” editor sums it up on the Wikipedia profile of Price Waterhouse:Dark-haired man with graying hair at the temples, dressed in dark suit, at a nighttime indoor event

___________

Mitt & Ann Romney tax returns

On September 4, 2012,[64] an anonymous group of hackers claimed on Pastebin.com, a popular website for hacking groups such as Anonymous, to have gained access to PwC’s “network file system” at their Franklin, Tennessee office and copied documents relating to Republican presidential candidate Mitt Romney and his wife Ann’s tax returns before 2010, which the candidate has refused to release.[65] The group demanded that the company pay $1,000,000 USD in Bitcoin electronic cash. The group said that failure to meet their demands will result in the release of the material to “all major media outlets,” on September 28.[64]

____________

So is it just a huge coincidence that the Romneys released their returns on September 24th?  Allow me to add another data point: Today – October 7th, 2012 – Price Waterhouse posted over ten job openings on dice.com with titles like “Cybercrime Manager”.

Read the rest of this entry »

Sunday, September 30th, 2012

The Pitch for Paying Attention to Internet Safety

I’ve been busy this month giving webinars on cybercrime for my day job at Kaspersky.  Here’s a link to the latest one.  It is called “Top Cybercrime Threats 2012” and it also promised “10 tips to better internet security”.

But it could have been “Twenty Tips”.  Or even “Thirty”.  Because there are at least this many small things we could do to be more secure.  However, people don’t have infinite amounts of time to watch webinars, even if it’s about their own security.  So I’ll continue to work on slicing and dicing the information into small, consumable chunks for the non-security geeks in the world.

Here are two fun facts I want to share:

connected world

*  in the year 2000, there were 316 million people on the internet worldwide

*  in the year 2011, there were 2.3 billion

Stunning change in just a decade, isn’t it?  Never have so many people become connected and enabled so fast.  And with so much money continuing to fund this growth – high-tech as a whole, plus all the charities we support – it shows no sign of slowing down.  So how long will it be until 70% of the world is connected?

 

Read the rest of this entry »

Monday, August 27th, 2012

The Holy Grail of Internet Security – finally, all our problems solved!

Last week I was scouring the web and I came across a white paper on “security threats of 2011” which I hadn’t read yet.  It was a 56 page document written by a top security organization (we all publish these reports but each company has a different spin).

There on page 41 was the fix for all our security woes!    Sure it took me a while to get there, but well worth it don’t you think?  The answer was (drum roll, please): “Secure the network perimeter.”

This made me laugh!  Really?  I have to say that anyone who thinks there is a network perimeter anymore – meaning, a definable, non-permeable network perimeter – is either smoking crack or lost in a delusional Dilbert dream where IT guys rule. That would be the fantasy where IT actually gives us mobile/portable devices of their choosing along with a set of rules we actually follow.   Useful rules like, “don’t get infected.”  Ha-ha!

And the more I contemplate this idea, the more I think it was always a fantasy.  Back when I was working for NEC’s Corporate Capital group – ten years ago – my laptop went home with me every day.  I used it for everything – my Read the rest of this entry »

Tuesday, August 21st, 2012

Against my better judgment…a Hacktivist cause I like!

Why is it that we only need make the most innocent of unequivocal statements and suddenly things pop up everywhere to prove us wrong?

Last week I gave a presentation to a partner of ours.  I was discussing the state of cybercrime and some of the most urgent threats.  On the subject of Hactivism I said, “these guys are the unruly mob of the internet.  The problem is, their attacks aren’t based on any consistent principle – any bored hacker can jump in and join the fun – so if you are working with clients who are on the shadier side of what is politically correct, Hacitivists (hackers for a cause) are a concern.”

Besides the fact that what they do is illegal, at least some Hacktivists seem to demonstrate a naïve perspective on complex issues (for example, I’m don’t think it’s reasonable to expect paypal or ebay to have a conscience).  So I have to admit I’ve not been much on their side.  But this weekend I read an article in Security Week about an attack I agree with.  It’s about Anonymous (probably the most well-known Hacktivist group) breaking into the Ugandan government’s main web server and posting a fake press release.  Who knew Anonymous had such a sense of humor?

Right now Uganda has legislation on the table which mandates death for all homosexuals.  Really.  So Anonymous Read the rest of this entry »

Monday, August 13th, 2012

Add Your Own Security – say yes to the “s”

Here’s a tip I haven’t heard from anyone except my CISSP study-buddy, Amir .  He manages global IT for a big company, so he’s smart about these things.  I tell everyone about it now because it’s very easy, makes you safer, and it’s not obvious.  I hope it won’t be long before it’s not necessary, but right now it’s still a great idea for those of you who engage in on-line banking, or are toying with the idea of adding such an app to your cell phone.

First, you’ve all seen this part of a web page address, whether it’s in an ad or at the top of your browser:

http://

for example, http://bankofamerica.com

and you may or may not have noticed that sometimes you get this one instead, and it looks just a little different:

https://

for example, https://bankofamerica.com

What’s the difference between these two sequences, kids?  That’s right, the second one has an extra “s”!  And what does that stand for?

Some of you know it has something to do with security, which is good, because when I asked my writer friend Deb she asked, “maybe they ran out of “http” and need to add “https”?

This is not a bad guess.  But, it’s completely wrong.

What the little “s” is telling you is that the site you are accessing is more secure.  It is making sure you are who you say you are by conducting what we call a handshake between the computer you are using and the website.  Part of that includes encrypting the information which flows between the two of you so that no one else along the way can read it.

Doing this makes certain types of attacks much harder to carry out*.  So anytime you are providing data which is at all sensitive, make sure the site you are going to is “https” and not only “http”.

Sounds like a good idea, right?  But how is this done?

Believe it or not, all you have to do is go up to your browser and add in the “s” to the address, and refresh (hit “Enter”).  This will redirect you to the secure version of the site if that company has one.   Many companies maintain both an http and an https version.

Easy, right?  But if more security is better, then why have a non-secure website at all?  The simple answer is that https isn’t free, so if it’s not necessary most sites don’t implement it.  By example google has an http version for the unwashed masses (and the rest of us, when we’re goofing off and checking celebrity gossip) but they will automatically switch you to https when you go to check your gmail account.  Amazon will allow you into their http to browse, but of course when you make a purchase you end up on https.  This is how the majority of sites operate.  They try to protect you, so in most cases you’ll be alright.  But when it’s especially critical, keep an eye out for the s!

Best,

cj

* it will protect you unless your system is already infected, so never conduct on-line banking from a public terminal!

Tuesday, July 24th, 2012

Katie Holmes: good security secures her freedom from unhappy matrimony!

Katie HolmesOkay, I really love this article where they speculate that Katie Holmes’ use of a disposable cell phone may have been instrumental in keeping the divorce demand a secret from Tom Cruise – and therefore maintaining the advantage of surprise.

Because yes, it’s true: if you tell someone you will call them at 3:15 pm, they will pick up even though they don’t know the number (and I rarely pick up unknown numbers).  I love this because it’s about security in the sense that it’s keeping OUR secrets safe from THEM (whoever THEY are).  And that is the whole point of security, isn’t it?  We decide what information we want to keep private, and sometimes we decide what information other people should NOT keep private (for example, the fact they have other spouses or belong to a freaky cult).  And if we have very good security we can enforce those boundaries.  This is the same reason we should sometimes buy those disposable credit cards at the local drug or grocery store with $100 of credit on them for teens in the household who are making their own purchasing decisions.  If they need a credit card to to “make it happen”, and you don’t want to be charged again every month…think about it.  Sometimes the “this is a subscription” details are in such fine print on the website that it’s not even fair to expect a kid to notice.

Best,

cj

Monday, June 25th, 2012

Mixing it Up: Sand, Sunshine and Security

Last week we had a work meeting on the island of Cyprus.  On our final day, as I meandered down the beach, I snapped this pic of what passes for security there.

Obviously it’s not a very effective barrier.  So why bother?  Well, it turns out that they are attempting to solve a problem which is quite analogous to policing the internet.

beach security in Cyprus

In order to grasp the analogy, it’s helpful to consider the following question about physical security.

Which of these three problems is the hardest to solve?

a.)    Keeping everyone out  – imagine an area which is nuclear-contaminated or ecologically fragile

b.)    Only let in a trusted few – Area 51 or any other military base

c.)     Let everyone in, except for a distrusted few – example: a shopping mall during a “high alert” situation (where threats have been called in)

The first one is fairly simple: your goal is to make potential trespassers give up and go away.  Erect some barbwire, add cameras, throw in a few landmines and you’re done.  Read the rest of this entry »