Posts Tagged ‘anti-cybercrime’

Target breach update – how were HVAC passwords stolen?

Thursday, February 6th, 2014

As we learned from Krebs a few days ago in a Target breach update, the original entry point of the malicious software was Target’s HVAC company. Yes, that means the folks who handle their air conditioning and heating. I’m guessing in the aftermath of this admission, scads of large companies are scrambling to ensure there are no “touch points” between “building management” systems and their treasured business networks. It makes sense to me that the building manager would want to have “heating and lights” right there under the same “pane of glass” as “inventory” but if that’s how companies have been operating, it’s time to rethink it.

Those of us in cybersecurity eagerly await more details. Fortunately we won’t have long to wait since Krebs is on the case. But in the meantime, are there security lessons to be learned from this aspect of the Target breach too (aside from the obvious: keep supplier networks separate)? The big question on everyone’s mind is: how is it that the HVAC company’s password was discovered by the cybercriminals?

Even without knowing any more than we do right now, the answer almost always comes down to the same few possibilities. Here are the six most common ways in which passwords are stolen: (more…)

The Most Important Things to Know About Internet Safety While Traveling

Saturday, November 23rd, 2013

My cousin is on his way to Germany for a week and asked for some advice on being “cyber safe” while there. In other words, how can he stay connected with people and email but not become a victim of malicious software? Here are a few tips:

– Assume that every public computer everywhere – whether at an airport, cybercafé or the hotel business center – is infected with malware and will record your every keystroke. For this reason it’s best to avoid using public computers if you can. That said, googling “the word for hospital in Arabic” or “toxicity of tarantulas” is pretty harmless. Bouncing over to check gmail, on the other hand, can be a huge mistake, particularly if you use your gmail password anywhere else (because once a password/user name combination is discovered by criminals, it can be easily and automatically plugged into thousands of other websites to see if it works), or if you use gmail to receive account statements, internet orders or banking validation codes. Once cybercriminals hack your account, they will sift through emails seeking these things.
– If your kids like to play computer games, and they use the PCs at the hotel to do it, remind them as well: it’s best not to check or send personal email from those machines. If they insist on doing so, at least remind them to be sure to log out when they are finished.
– Before you leave the US, consider setting new passwords for sites you will be using and then change them again when you return. (more…)

Gordon Snow on Cybersecurity at Home

Sunday, December 23rd, 2012

I’m a military brat.  Most Americans are familiar with this term, because it is a common way we brats answer the question: “Where are you from?”  Every other answer takes too long.  You know, like explaining why being born in Italy doesn’t mean I’m Italian.  And we really don’t have enough time to talk about all the schools we went to.

According to Wikipedia, we are an entire sub-culture.  One component of this subculture is a company called USAA.  USAA is an organization which provides financial services, loans and banking to anyone associated with the military.  And in their eyes, once a brat, always a brat.  This turns out to be a good thing, because the children of service men and women have a lifetime right to use their services.

The Fall 2012 issue of USAA’s magazine features an interview with Gordon Snow.  He was formerly the FBI’s top cybercrime cop.  Naturally I was curious to read about his tips for keeping our families safe.

You can find the on-line article here, but they cut out a lot of the good stuff (nice reference to my employer though).  Here are my two favorite useful tips:

1.)  Go Long!  – Here’s a password quiz: which is a stronger password – the hard-to-remember: “H7%doss!” or the easier: “MyLazyDogRex” (note: this second one is also called a “passphrase”)?

Believe it or not, the short one will take a password cracker 6 hours to crack; the longer (but easier to remember) one will take 317 years.
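To see why length wins the quiz above, here is an added example (mine, not code from the post or the interview) that sizes the guessing space of both passwords. The guess rate is an assumption, so the times it prints will not reproduce the 6 hours / 317 years figures; it also shows the caveat a practitioner would add: a passphrase built from common words should be judged by its word count against a dictionary attack, not only by its length.

```python
import math
import string

# Assumed attacker speed for an offline guessing attack, in guesses per second.
# This is an illustrative assumption, not a figure from the post; the post's
# "6 hours" and "317 years" come from a different, unstated rate.
GUESSES_PER_SECOND = 10_000_000_000

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the pool a brute-force attacker must cover: the sum of every
    character class that actually appears in the password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_keyspace(password: str) -> int:
    """Guesses needed to try every string of this length over that pool."""
    return charset_size(password) ** len(password)


def word_combination_keyspace(word_count: int, dictionary_size: int) -> int:
    """Guesses needed if the attacker instead tries every sequence of
    word_count words from a dictionary (the caveat for passphrases made of
    common words: length alone is not the whole story)."""
    return dictionary_size ** word_count


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def years_to_crack(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return keyspace / 2 / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("H7%doss!", "MyLazyDogRex"):
        ks = brute_force_keyspace(pw)
        print(f"{pw:14} pool={charset_size(pw):3} bits={entropy_bits(ks):5.1f} "
              f"brute-force years={years_to_crack(ks):.3g}")
    # "MyLazyDogRex" is four capitalised words; assume the attacker knows that
    # and draws each word from a 10,000-word list.
    ks = word_combination_keyspace(4, 10_000)
    print(f"4 dictionary words: bits={entropy_bits(ks):5.1f} "
          f"years={years_to_crack(ks):.3g}")
```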

(more…)

The real reason Mitt Romney released his tax returns – his accountants got hacked

Sunday, October 7th, 2012

I’m not saying that Wikipedia is the ultimate authority on all things, but let’s agree that at least it’s a fabulous starting point.  There’s obviously something powerful about “anonymous” collaboration.

Some of you may have heard about the allegation that a group of hackers successfully stole the Romney’s tax returns, forcing them to release them.  Here’s how an “anonymous” editor sums it up on the Wikipedia profile of Price Waterhouse:

___________

Mitt & Ann Romney tax returns

On September 4, 2012,[64] an anonymous group of hackers claimed on Pastebin.com, a popular website for hacking groups such as Anonymous, to have gained access to PwC’s “network file system” at their Franklin, Tennessee office and copied documents relating to Republican presidential candidate Mitt Romney and his wife Ann’s tax returns before 2010, which the candidate has refused to release.[65] The group demanded that the company pay $1,000,000 USD in Bitcoin electronic cash. The group said that failure to meet their demands will result in the release of the material to “all major media outlets,” on September 28.[64]

____________

So is it just a huge coincidence that the Romneys released their returns on September 24th?  Allow me to add another data point: Today – October 7th, 2012 – Price Waterhouse posted over ten job openings on dice.com with titles like “Cybercrime Manager”.

(more…)

The Pitch for Paying Attention to Internet Safety

Sunday, September 30th, 2012

I’ve been busy this month giving webinars on cybercrime for my day job at Kaspersky.  Here’s a link to the latest one.  It is called “Top Cybercrime Threats 2012” and it also promised “10 tips to better internet security”.

But it could have been “Twenty Tips”.  Or even “Thirty”.  Because there are at least this many small things we could do to be more secure.  However, people don’t have infinite amounts of time to watch webinars, even if it’s about their own security.  So I’ll continue to work on slicing and dicing the information into small, consumable chunks for the non-security geeks in the world.

Here are two fun facts I want to share:


*  in the year 2000, there were 316 million people on the internet worldwide

*  in the year 2011, there were 2.3 billion

Stunning change in just a decade, isn’t it?  Never have so many people become connected and enabled so fast.  And with so much money continuing to fund this growth – high-tech as a whole, plus all the charities we support – it shows no sign of slowing down.  So how long will it be until 70% of the world is connected?


(more…)

Add Your Own Security – say yes to the “s”

Monday, August 13th, 2012

Here’s a tip I haven’t heard from anyone except my CISSP study-buddy, Amir.  He manages global IT for a big company, so he’s smart about these things.  I tell everyone about it now because it’s very easy, makes you safer, and it’s not obvious.  I hope it won’t be long before it’s not necessary, but right now it’s still a great idea for those of you who engage in on-line banking, or are toying with the idea of adding such an app to your cell phone.

First, you’ve all seen this part of a web page address, whether it’s in an ad or at the top of your browser:

http://

for example, http://bankofamerica.com

and you may or may not have noticed that sometimes you get this one instead, and it looks just a little different:

https://

for example, https://bankofamerica.com

What’s the difference between these two sequences, kids?  That’s right, the second one has an extra “s”!  And what does that stand for?

Some of you know it has something to do with security, which is good, because when I asked my writer friend Deb she asked, “maybe they ran out of ‘http’ and need to add ‘https’?”

This is not a bad guess.  But, it’s completely wrong.

What the little “s” is telling you is that the site you are accessing is more secure.  It is making sure you are who you say you are by conducting what we call a handshake between the computer you are using and the website.  Part of that includes encrypting the information which flows between the two of you so that no one else along the way can read it.

Doing this makes certain types of attacks much harder to carry out*.  So anytime you are providing data which is at all sensitive, make sure the site you are going to is “https” and not only “http”.

Sounds like a good idea, right?  But how is this done?

Believe it or not, all you have to do is go up to your browser and add in the “s” to the address, and refresh (hit “Enter”).  This will redirect you to the secure version of the site if that company has one.   Many companies maintain both an http and an https version.

Easy, right?  But if more security is better, then why have a non-secure website at all?  The simple answer is that https isn’t free, so if it’s not necessary most sites don’t implement it.  For example, Google has an http version for the unwashed masses (and the rest of us, when we’re goofing off and checking celebrity gossip) but they will automatically switch you to https when you go to check your gmail account.  Amazon will allow you into their http to browse, but of course when you make a purchase you end up on https.  This is how the majority of sites operate.  They try to protect you, so in most cases you’ll be alright.  But when it’s especially critical, keep an eye out for the s!
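As an added example (not code from the post), here is a small Python check of the two things described above: rewriting an address to its https form, and making sure the redirect you get back really lands on https at the same site rather than somewhere else. It also reads the Strict-Transport-Security header, a later mechanism the post does not mention, by which a site tells the browser to add the “s” itself on every future visit. The sample URLs and headers are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample exchange (not a real capture): what a browser sees after
# typing the plain http:// address of a bank that also serves https.
SAMPLE_REQUEST_URL = "http://bank.example/login"
SAMPLE_REDIRECT = {"status": 301, "Location": "https://bank.example/login"}
SAMPLE_SECURE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Type": "text/html",
}


def upgrade_to_https(url: str) -> str:
    """Do by hand what the post suggests: put the "s" on the scheme."""
    if "://" not in url:
        url = "http://" + url  # a bare host name typed into the address bar
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"not a web address: {url}")
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def redirect_is_safe(original: str, redirect: dict) -> bool:
    """A redirect keeps you safe only if it lands on https on the same host.

    A 3xx pointing back to http://, or to a different host, is exactly the
    page you should refuse to type a password into."""
    target = urlsplit(redirect.get("Location", ""))
    origin = urlsplit(original)
    return (300 <= redirect["status"] < 400
            and target.scheme == "https"
            and target.hostname == origin.hostname)


def hsts_max_age(headers: dict) -> int:
    """Return the HSTS max-age in seconds, or 0 if the site does not send it.

    A site sending this header tells the browser to add the "s" itself on
    every later visit, so the manual trick is no longer needed there."""
    value = headers.get("Strict-Transport-Security", "")
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.isdigit():
            return int(number)
    return 0


if __name__ == "__main__":
    print(upgrade_to_https("http://bankofamerica.com"))
    print("redirect safe:", redirect_is_safe(SAMPLE_REQUEST_URL, SAMPLE_REDIRECT))
    print("HSTS max-age:", hsts_max_age(SAMPLE_SECURE_HEADERS))
```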

Best,

cj

* it will protect you unless your system is already infected, so never conduct on-line banking from a public terminal!