Posts Tagged ‘security’

Target breach update – how were HVAC passwords stolen?

Thursday, February 6th, 2014

As we learned from Krebs a few days ago in a Target breach update, the original entry point of the malicious software was Target’s HVAC company. Yes, that means the folks who handle their air conditioning and heating. I’m guessing in the aftermath of this admission, scads of large companies are scrambling to ensure there are no “touch points” between “building management” systems and their treasured business networks. It makes sense to me that the building manager would want to have “heating and lights” right there under the same “pane of glass” as “inventory” but if that’s how companies have been operating, it’s time to rethink it.

Those of us in cybersecurity eagerly await more details. Fortunately we won’t have long to wait since Krebs is on the case. But in the meantime, are there security lessons to be learned from this aspect of the Target breach too (aside from the obvious: keep supplier networks separate)? The big question on everyone’s mind is: how is it that the HVAC company’s password was discovered by the cybercriminals?

Even without knowing any more than we do right now, the answer almost always comes down to the same few possibilities. Here are the six most common ways in which passwords are stolen: (more…)

Has Target Done Enough?

Saturday, February 1st, 2014

My favorite analogy in security is the one which describes each internet defense as a slice of Swiss cheese: they all have their holes (weaknesses).  The idea – if we want the best security – is to stack them all up on top of one another and hope the holes don’t line up.  Because if they do – meaning, if any of the inevitable weaknesses in software or hardware align so that there is an opening for strangers to enter – that represents the tunnel through which cybercriminals crawl into our home computer or business network.

What the average citizen may not realize is that in some ways he or she is no different than Target.  Cybercriminals are coming after all of us.  And based on the infection rates of personal computers and mobile devices, a large number of Target’s potential victims have been personally compromised at home already.  So what are customers in such a huff about?  (more…)

The Most Important Things to Know About Internet Safety While Traveling

Saturday, November 23rd, 2013

My cousin is on his way to Germany for a week and asked for some advice on being “cyber safe” while there. In other words, how can he stay connected with people and email but not become a victim of malicious software? Here are a few tips:

– Assume that every public computer everywhere – whether at an airport, cybercafé or the hotel business center – is infected with malware and will record your every keystroke. For this reason it’s best to avoid using public computers if you can. That said, googling “the word for hospital in Arabic” or “toxicity of tarantulas” is pretty harmless. Bouncing over to check gmail, on the other hand, can be a huge mistake. Particularly if you use your gmail password anywhere else (because once a password/user name combination is discovered by criminals, it can be easily and automatically plugged into thousands of other websites to see if it works).  Or, if you use gmail to receive account statements, internet orders or banking validation codes. Once cybercriminals hack your account, they will sift through emails seeking these things.
– If your kids like to play computer games, and they use the PCs at the hotel to do it, remind them as well: it’s best not to check or send personal email from those machines. If they insist on doing so, at least remind them to be sure to log out when they are finished.
– Before you leave the US, consider setting new passwords for sites you will be using and then change them again when you return. (more…)

The real reason Mitt Romney released his tax returns – his accountants got hacked

Sunday, October 7th, 2012

I’m not saying that Wikipedia is the ultimate authority on all things, but let’s agree that at least it’s a fabulous starting point.  There’s obviously something powerful about “anonymous” collaboration.

Some of you may have heard about the allegation that a group of hackers successfully stole the Romney’s tax returns, forcing them to release them.  Here’s how an “anonymous” editor sums it up on the Wikipedia profile of Price Waterhouse:

___________

Mitt & Ann Romney tax returns

On September 4, 2012,[64] an anonymous group of hackers claimed on Pastebin.com, a popular website for hacking groups such as Anonymous, to have gained access to PwC’s “network file system” at their Franklin, Tennessee office and copied documents relating to Republican presidential candidate Mitt Romney and his wife Ann’s tax returns before 2010, which the candidate has refused to release.[65] The group demanded that the company pay $1,000,000 USD in Bitcoin electronic cash. The group said that failure to meet their demands will result in the release of the material to “all major media outlets,” on September 28.[64]

____________

So is it just a huge coincidence that the Romneys released their returns on September 24th?  Allow me to add another data point: Today – October 7th, 2012 – Price Waterhouse posted over ten job openings on dice.com with titles like “Cybercrime Manager”.

(more…)

The Pitch for Paying Attention to Internet Safety

Sunday, September 30th, 2012

I’ve been busy this month giving webinars on cybercrime for my day job at Kaspersky.  Here’s a link to the latest one.  It is called “Top Cybercrime Threats 2012” and it also promised “10 tips to better internet security”.

But it could have been “Twenty Tips”.  Or even “Thirty”.  Because there are at least this many small things we could do to be more secure.  However, people don’t have infinite amounts of time to watch webinars, even if it’s about their own security.  So I’ll continue to work on slicing and dicing the information into small, consumable chunks for the non-security geeks in the world.

Here are two fun facts I want to share:


*  in the year 2000, there were 316 million people on the internet worldwide

*  in the year 2011, there were 2.3 billion

Stunning change in just a decade, isn’t it?  Never have so many people become connected and enabled so fast.  And with so much money continuing to fund this growth – high-tech as a whole, plus all the charities we support – it shows no sign of slowing down.  So how long will it be until 70% of the world is connected?


(more…)

The Holy Grail of Internet Security – finally, all our problems solved!

Monday, August 27th, 2012

Last week I was scouring the web and I came across a white paper on “security threats of 2011” which I hadn’t read yet.  It was a 56 page document written by a top security organization (we all publish these reports but each company has a different spin).

There on page 41 was the fix for all our security woes!    Sure it took me a while to get there, but well worth it don’t you think?  The answer was (drum roll, please): “Secure the network perimeter.”

This made me laugh!  Really?  I have to say that anyone who thinks there is a network perimeter anymore – meaning, a definable, non-permeable network perimeter – is either smoking crack or lost in a delusional Dilbert dream where IT guys rule. That would be the fantasy where IT actually gives us mobile/portable devices of their choosing along with a set of rules we actually follow.   Useful rules like, “don’t get infected.”  Ha-ha!

And the more I contemplate this idea, the more I think it was always a fantasy.  Back when I was working for NEC’s Corporate Capital group – ten years ago – my laptop went home with me every day.  I used it for everything – my (more…)

Against my better judgment…a Hacktivist cause I like!

Tuesday, August 21st, 2012

Why is it that we only need make the most innocent of unequivocal statements and suddenly things pop up everywhere to prove us wrong?

Last week I gave a presentation to a partner of ours.  I was discussing the state of cybercrime and some of the most urgent threats.  On the subject of Hacktivism I said, “these guys are the unruly mob of the internet.  The problem is, their attacks aren’t based on any consistent principle – any bored hacker can jump in and join the fun – so if you are working with clients who are on the shadier side of what is politically correct, Hacktivists (hackers for a cause) are a concern.”

Besides the fact that what they do is illegal, at least some Hacktivists seem to demonstrate a naïve perspective on complex issues (for example, I don’t think it’s reasonable to expect PayPal or eBay to have a conscience).  So I have to admit I’ve not been much on their side.  But this weekend I read an article in Security Week about an attack I agree with.  It’s about Anonymous (probably the most well-known Hacktivist group) breaking into the Ugandan government’s main web server and posting a fake press release.  Who knew Anonymous had such a sense of humor?

Right now Uganda has legislation on the table which mandates death for all homosexuals.  Really.  So Anonymous (more…)

Katie Holmes: good security secures her freedom from unhappy matrimony!

Tuesday, July 24th, 2012

Okay, I really love this article where they speculate that Katie Holmes’ use of a disposable cell phone may have been instrumental in keeping the divorce demand a secret from Tom Cruise – and therefore maintaining the advantage of surprise.

Because yes, it’s true: if you tell someone you will call them at 3:15 pm, they will pick up even though they don’t know the number (and I rarely pick up unknown numbers).  I love this because it’s about security in the sense that it’s keeping OUR secrets safe from THEM (whoever THEY are).  And that is the whole point of security, isn’t it?  We decide what information we want to keep private, and sometimes we decide what information other people should NOT keep private (for example, the fact they have other spouses or belong to a freaky cult).  And if we have very good security we can enforce those boundaries.  This is the same reason we should sometimes buy those disposable credit cards at the local drug or grocery store with $100 of credit on them for teens in the household who are making their own purchasing decisions.  If they need a credit card to “make it happen”, and you don’t want to be charged again every month…think about it.  Sometimes the “this is a subscription” details are in such fine print on the website that it’s not even fair to expect a kid to notice.

Best,

cj

Darn Security Questions and the Day I Wished for More Numbers

Tuesday, June 19th, 2012

How many of you have been locked out of an on-line account at least once?  Everyone, right?

It happens after trying too many passwords.  Maybe because SOMEONE was multi-tasking with the caps-lock on.

Of course we can always call and ask the security police to retrieve it.  Two weeks ago I had to do this, and along the way I glimpsed a whole new level of security interrogation.  My experience went something like this:

“Name of your first pet?”

Hmm, I wonder: do I count Gerry the gerbil, even though he was actually my brother’s?  Or what about the stray tabby we fed every day when we lived in Chevy Chase?  I’m not sure so I settle on “Fritz”, the fluffy French poodle Grandma gave us, who unfortunately only lasted three weeks.  But my security wench with the Indian accent doesn’t like this answer and skips to a question about cars.

“What was your first car?” (more…)

Writing Down Website Passwords versus Old-School Rules

Saturday, June 9th, 2012

There is an awful rule of basic password management which actually works counter to good security.  Yet it continues to be suggested by even the top security organizations in the world.  The rule is this: don’t write down your passwords.

There are lots of problems with this idea.  Not the least of which is the fact that if we make our passwords so easy to remember that we don’t have to write them down, well, they may well be too easy.  Or, if we decide to make it simple and use the same password for everything, that means all our banking accounts could be compromised the minute someone breaks into our gun club registry or recipe-swapping website.  And one glaring reality this rule hasn’t kept pace with is that these days we need way too many passwords: one person can easily visit 15 different sites in a few hours – all of which require passwords.
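To make the reuse problem concrete (the same point the travel post makes about a leaked Gmail password being tried on thousands of other sites), here is an added example of my own, not code from the original post.  It simulates what happens when a hobby site that stores passwords as unsalted MD5 gets breached: the attacker cracks the dump offline with a short guess list and then logs into the bank, which stored the very same password with salted scrypt.  Rotating every site to its own random password (the kind you would have to write down somewhere) closes the hole.  The site names, the vault contents and the guess list are all constructed for illustration.

```python
"""Why one reused password turns a recipe-site breach into a bank-account breach.

Added example, not from the original post. The site names, the vault contents
and the 'guess list' below are all constructed for illustration.
"""
import hashlib
import secrets
import string

# A constructed personal password list, written down as the post suggests.
VAULT = {
    "bank.example": "Fritz1999",
    "gunclub.example": "Fritz1999",
    "recipes.example": "Fritz1999",
    "mail.example": "tabby-chevy-chase-poodle",
}

# A constructed guess list of the kind run against a leaked hash dump:
# pet names plus a year, the 'easy to remember' passwords the post warns about.
GUESSES = [f"{pet}{year}" for pet in ("Gerry", "Fritz", "Tabby") for year in range(1995, 2005)]


def weak_site_store(password: str) -> str:
    """How a careless hobby site might store a password: unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_site_store(password: str, salt: bytes) -> bytes:
    """How the bank might store it: salted, memory-hard scrypt."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def crack_md5(leaked_hash: str, guesses):
    """Offline dictionary attack on one leaked MD5 hash; None if no guess matches."""
    for guess in guesses:
        if weak_site_store(guess) == leaked_hash:
            return guess
    return None


def reused_passwords(vault: dict) -> dict:
    """Map each password used on more than one site to the list of those sites."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def simulate_breach(vault: dict, breached_site: str) -> set:
    """Attacker steals breached_site's MD5 dump, cracks it, then replays the
    credential everywhere else. Returns the set of *other* sites that accept it.
    The bank's strong storage does not help: it is checking the right password."""
    cracked = crack_md5(weak_site_store(vault[breached_site]), GUESSES)
    if cracked is None:
        return set()
    fallen = set()
    for site, real_password in vault.items():
        if site == breached_site:
            continue
        salt = secrets.token_bytes(16)  # per-user salt, as a good site would use
        if strong_site_store(cracked, salt) == strong_site_store(real_password, salt):
            fallen.add(site)
    return fallen


def rotate_to_unique(vault: dict, length: int = 20) -> dict:
    """Replace every entry with an independent random password: the fix that
    forces you to write them down (or use a manager), and that is fine."""
    alphabet = string.ascii_letters + string.digits + "-_.!?"
    return {site: "".join(secrets.choice(alphabet) for _ in range(length)) for site in vault}


if __name__ == "__main__":
    print("Reused:", reused_passwords(VAULT))
    print("Recipe-site breach also opens:", sorted(simulate_breach(VAULT, "recipes.example")))
    fixed = rotate_to_unique(VAULT)
    print("After rotating to unique passwords:", sorted(simulate_breach(fixed, "recipes.example")))
```

The point the simulation makes is that the security of your bank login is bounded by the sloppiest site you reused the password on: the bank's salted scrypt is irrelevant once the recipe site hands out an MD5 dump that falls to thirty guesses.  With unique passwords the cracked value opens nothing else, and the guess list no longer matches at all.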

I like to write them on my mirror.

So why the dumb rule?

In their defense, this was accepted wisdom twenty years ago for two reasons.  Back then there was only one password that mattered: the one to get onto your computer.  Naturally you didn’t want that password to be in the same place as the system!  And apparently in those days people weren’t clever enough to write down passwords anywhere except on sticky notes attached to the computer.  (Duh!  At least put it in your shoe!)

More importantly – reason #2 – in those days what we worried about most of all was what we call “internal threats”.  That is, we worried about other people at our place of business gaining unauthorized access to the computer or the network. (more…)