Posts Tagged ‘internet safety’

Target breach update – how were HVAC passwords stolen?

Thursday, February 6th, 2014

As we learned from Krebs a few days ago in a Target breach update, the original entry point of the malicious software was Target’s HVAC company. Yes, that means the folks who handle their air conditioning and heating. I’m guessing in the aftermath of this admission, scads of large companies are scrambling to ensure there are no “touch points” between “building management” systems and their treasured business networks. It makes sense to me that the building manager would want to have “heating and lights” right there under the same “pane of glass” as “inventory” but if that’s how companies have been operating, it’s time to rethink it.

Those of us in cybersecurity eagerly await more details. Fortunately we won’t have long to wait since Krebs is on the case. But in the meantime, are there security lessons to be learned from this aspect of the Target breach too (aside from the obvious: keep supplier networks separate)? The big question on everyone’s mind is: how is it that the HVAC company’s password was discovered by the cybercriminals?

Even without knowing any more than we do right now, the answer almost always comes down to the same few possibilities. Here are the six most common ways in which passwords are stolen: (more…)

The Most Important Things to Know About Internet Safety While Traveling

Saturday, November 23rd, 2013

My cousin is on his way to Germany for a week and asked for some advice on being “cyber safe” while there. In other words, how can he stay connected with people and email but not become a victim of malicious software? Here are a few tips:

– Assume that every public computer everywhere – whether at an airport, cybercafé or the hotel business center – is infected with malware and will record your every keystroke. For this reason it’s best to avoid using public computers if you can. That said, googling “the word for hospital in Arabic” or “toxicity of tarantulas” is pretty harmless. Bouncing over to check gmail, on the other hand, can be a huge mistake. Particularly if you use your gmail password anywhere else (because once a password/user name combination is discovered by criminals, it can be easily and automatically plugged into thousands of other websites to see if it works). Or, if you use gmail to receive account statements, internet orders or banking validation codes. Once cybercriminals hack your account, they will sift through emails seeking these things.
– If your kids like to play computer games, and they use the PCs at the hotel to do it, remind them as well: it’s best not to check or send personal email from those machines. If they insist on doing so, at least remind them to be sure to log out when they are finished.
– Before you leave the US, consider setting new passwords for sites you will be using and then change them again when you return. (more…)

Internet Safety While Traveling – Deeper Dive

Saturday, November 23rd, 2013

A “man in the middle” or MIM attack is not particularly difficult to pull off, and it represents one of the biggest cyber security threats we face when we are traveling – or in fact, any time we consider using an unknown wireless network.

Here’s how it works: it’s rather easy to find software which will monitor or “sniff” network traffic. It’s even easier to set up a wireless network – for example, like many business travelers these days, I carry a portable wireless hub in my purse. If the intent is to trick other people into using it, all that’s left is giving it a name which sounds legit like, “Marriott SecureWifi”. These can even be set up as far as 15 miles away from the wifi area.

As people try to connect to the criminally controlled network, the cybercriminal allows them to do so (using the same password as the real network, or no password at all). Then the cybercriminal becomes the “man in the middle” (MIM). Sample scenario (there’s a more detailed example of a MIM in my book):
1. You ask for the gmail page in your browser and type in your gmail password.
2. The MIM intercepts your request and provides you a fake gmail login page (which looks pixel by pixel exactly like the legitimate one, including “https/gmail” in the browser, which indicates that it is securely linked to the gmail server).
3. The MIM sends your password to Google.
4. Google assumes it’s talking to you, and opens your gmail.
5. The MIM passes the gmail back to you and continues passing requests and information back and forth until your session is done.

(more…)

Solving the End User Problem

Saturday, September 7th, 2013

Every IT manager knows that poor behavior on the part of end users is the biggest challenge in cybersecurity. The problem is primarily due to a lack of education – users don’t realize which of their actions (or inactions) put their companies at risk. And it’s hard to blame them for what they don’t know: we security professionals haven’t made it easy for them.

I believe the second biggest problem in cybersecurity is something I began speaking about in April in my job with Kaspersky Lab. I call it The Cybercrime Comprehension Gap. With regard to the average consumer, most available information is simply too complex. Very often we speak and write in terms unique to our field, and the average employee’s curiosity is exhausted long before they can discern what is relevant to them.

(more…)

The Zen of Internet Safety: Patience, Little Grasshopper *

Friday, June 8th, 2012
Patience!

The two best things you can do to stay safe on your PC (as long as you insist on being internet-connected) are:

a.) make friends with your anti-virus and

b.) cultivate an attitude of patience.

In fact, we could call this the Zen of Computer Health and Internet Safety.  Your AV is the equivalent of a security guard, a Rottweiler, and a good alarm system.  If you don’t sit back and let them do their work, you may as well save your money.

I might say that it’s really surprising that people will install AV and then argue with it. But that would be disingenuous of me, because it really isn’t surprising at all. We are an impatient species, made even more impatient by a culture that insists on as much stimulation and instant gratification as possible (note Eric Schmidt, Google’s CEO, telling college grads to “unplug” for a whole hour a day!). I get all that, but I suggest that in the case of our PC’s AV, we fight these proclivities.

Let’s review some of the AV Commandments:

(more…)