Cyber Security Made Easy – Part 1


October is national cyber security month and offers an ideal opportunity for online security professionals to reach out and help educate their community. This is the month when security-wise people help their friends, family and colleagues take proper steps to be safe online.

People are more receptive to learning how to be cyber safe after incidents such as the one in which Wired magazine's editor, Matt Honan, had his online life hacked. Honan said his life was ‘digitally destroyed’. He lost a year’s worth of photos, as well as documents and email that he hadn’t stored anywhere else.

A recent LinkedIn article by Daniel Solove talks about the real weak link in security: people.

“According to a stat
in SC Magazine, 90% of malware requires a human interaction
to infect.  One of the biggest data security threats isn’t technical –
it’s the human factor.  People click when they shouldn’t click, put data
on portable devices when they shouldn’t, email sensitive information, and
engage in a host of risky behaviors.  A lot of hacking doesn’t involve
technical wizardry but is essentially con artistry.  I’m a fan of the
ex-hacker Kevin Mitnick’s books where he relates some of his clever
tricks.  He didn’t need to hack in order to get access to a computer
system – he could trick people into readily telling him their passwords.”

To help mitigate human error through security education, we’ve created a blog series that will offer best practices on how to be cyber safe.

Today we look at best practices for email and Twitter links.

Recent real-life examples include links sent through Twitter as direct messages containing a fake Facebook update that infected the user’s device. The direct message suggested that someone had posted or tagged the receiver in a Facebook video. Those who clicked on the link had their computer infected with malware.

Also recently in the news was an email that contained ‘here you have’ in the subject line. The body of the email would typically read “This is The Document I told you about, you can find it Here” or “This is The Free Download Sex Movies, you can find it Here.” Those who clicked on the link in the email message found they had downloaded and launched a program that spams the same Trojan Horse out to everyone in their address book, flooding and crippling e-mail servers.

Should you click on that link in your email or Twitter direct message? Answer “yes” or “no” to each of the following. If there’s even one question where you answer “no”, then don’t click on the link. As the saying goes, ‘When in doubt, don’t click.’

  1. Do you recognize the email address of the person who sent the email?
  2. Are the subject line and content of the message written in the same style that your friend, family member, acquaintance or the corporation usually communicates in?
  3. Is the link introduced by some text, rather than sent as a bare link with nothing around it?
  4. Is the spelling correct?
  5. Was the email sent at the time of day that is typical of the sender?
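The checklist above can be turned into a small triage routine. The following is an added example, not code from the original post: it answers the five questions mechanically for a message and refuses the link if any answer is “no”. The address book of known senders, their usual sign-off and sending hours, the misspelling list and the sample messages are all constructed for illustration.

```python
"""Triage an email or direct message against the five-question checklist.
Added example (not from the original post); the contact book, misspelling
list and messages below are constructed."""
import re

# Constructed address book: sender -> usual sign-off and usual sending hours.
KNOWN_SENDERS = {
    "aunt.mary@example.com": {"signoff": "Love, Mary", "hours": range(8, 21)},
    "payroll@corp.example": {"signoff": "Corp Payroll Team", "hours": range(9, 18)},
}

# Constructed list of misspellings that are common in mass-mailed lures.
COMMON_MISSPELLINGS = {"recieve", "acount", "verfy", "informations", "kindly"}

URL_RE = re.compile(r"https?://\S+|www\.\S+")


def triage(sender, subject, body, sent_hour):
    """Return (safe_to_click, answers).

    answers maps each checklist question to True ("yes") or False ("no");
    a single "no" means the link should not be clicked.
    """
    profile = KNOWN_SENDERS.get(sender.lower())
    text_without_urls = URL_RE.sub("", body).strip()
    words = set(re.findall(r"[a-z]+", (subject + " " + body).lower()))

    answers = {
        # 1. Do you recognize the sender's address?
        "recognized_sender": profile is not None,
        # 2. Is the message written in the sender's usual style?
        "usual_style": bool(profile) and profile["signoff"] in body,
        # 3. Is the link introduced by some text, not sent bare?
        "link_has_context": not URL_RE.search(body) or len(text_without_urls) > 0,
        # 4. Is the spelling correct?
        "spelling_ok": not (words & COMMON_MISSPELLINGS),
        # 5. Was it sent at the sender's usual time of day?
        "usual_time": bool(profile) and sent_hour in profile["hours"],
    }
    return all(answers.values()), answers


if __name__ == "__main__":
    safe, detail = triage(
        "aunt.mary@examp1e.com", "You were tagged in a video",
        "http://video.example/tagged", 3)
    print("click" if safe else "do not click", detail)
```

The lookalike domain, the bare link and the 3 a.m. send time each produce a “no” on their own, which is the point of the rule: any single failed question is enough to walk away.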

Tip: If you are still curious about an email or link, you can search for text from the suspicious email or link to see if it comes up as malware. But as said, if you have any hesitation, don’t click on the link. It’s just not worth the risk.

Our next blog will look at tips for searching safely with search engines.


Canadian Security Partners’ Forum – Effective Resource for Security Executives

Canadian security executives have long needed a proper support system and forum for the security landscape in Canada. The Canadian Security Partners’ Forum (CSPF) is answering that need. The Forum is a unique network that in just one year has grown to include over 80 organizations, representing most horizontals in most verticals across industry sectors.

The Forum’s success can be traced back to its founder, Grant Lecky, who has a diverse background in security and risk management and a strong focus on business continuity planning, emergency planning and organizational resilience. Lecky was recently acknowledged by Security Magazine for his efforts, which identified him as one of ‘The Most Influential People in Security 2012’.

Security executives, educators and thought leaders have all embraced the Forum’s concepts and goals, helping to overcome the isolation of silos that often gets in the way for most other organizations. Bonnie Butlin, Executive Director for CSPF, has observed that “you usually don’t see such swift growth in helpful agile networks. It’s more often observed in threat networks.”

One of the many ways the CSPF works with the security community is by acting as a catalyst and facilitator, inspiring conversations followed by action to build new networks that fill recognized voids. As the Forum’s Executive Director, Butlin tracks trends in the news as well as in forum discussions to identify gaps in the community, and then brings them forward to be addressed by the Forum participants. By proactively engaging in discussions on observed trends, the Forum and its participants can respond to topics of concern as they arise, not just after the fact.

In the upcoming October issue of Vanguard, CSPF will be featured in an article outlining just how effective the organization has become in addressing the foundation needs in joint force development. The article is based on the Joint Staff’s study “Decade of War Volume I: Enduring Lessons from the Past Decade of Operations”, which highlights 11 strategic themes for enabling responsiveness, versatility and affordability for collaborative mission-focused groups. Originally used as a post-Iraq evaluation, the themes are applied to the security community and the CSPF.

Defence Intelligence is proud to support the CSPF and the security community at large in proactively combatting threats to Canadian and North American networks.


Taking Responsibility for a Data Breach


A data breach can cause both public embarrassment and significant cost to the company involved, as well as employee turmoil and time spent dealing with the incident internally. This can be compared with handling a sexual harassment incident: equally embarrassing, perhaps costly if handled wrong, and in both cases there is a follow-up surge in training and awareness for employees at large, in the hope of preventing another incident.

The big difference between these examples is individual blame and repercussions. There is training and retraining, or best-practice suggestions, but who is getting fired? Even if a company didn’t fire the people responsible for the sexual harassment, it would know who to watch for future mistakes, and both sides would know that a second lapse in judgement would be the final one. With a data breach, however, the parties involved may still be a mystery following the incident, and no one would know who to watch or even who to blame when it happens again.

Government legislation forced corporations to adjust their company policies and provide staff training. The high cost of fines and loss of reputation made acting responsibly no longer a choice. It is now common practice for most companies to have a human resources department that ensures sexual harassment behaviour, and the punishment for it, is written into corporate policy. Is enough training, combined with clearly defined mandates and consequences, being given to deal with network breaches and data loss?

While the corporation suffers a financial loss and damaged reputation, a breach can cause the company to lose on many more levels: financial and proprietary information, lost sales, damaged reputation, lost trust from customers and vendor-partners; the list just goes on and on. So why are organizations not handling this with more importance and aggression?

A security breach is usually attributed to sloppy habits and an irresponsible attitude that leads to behaviour that creates or allows a breach. Whatever excuse people use for sloppy habits, they need to be tidied up. Right now the attitude of the average employee toward information security is pure apathy. They don’t care, and they have no reason to care. They take no personal ownership of the data they handle for the company, so they feel no responsibility, and no one is ever singled out for information security misconduct. People’s thinking would change quickly if a red flashing light went off on their computer monitor, laptop or device when they specifically broke corporate security rules.

Companies should be writing fines and repercussions into corporate policy for incidents such as:
  • opening an email link or attachment that did not fit the proper profile
  • going to a forbidden or untrusted site
  • using a USB from an unknown source

Until we can track data breaches back, without fail, to the individuals whose behaviour caused them, begin by deterring the behaviour that could cause the breach. Touch that girl inappropriately? You’re fired. Two “red light” incidents at your workspace? You’re fired. Organizations need a more aggressive approach to security, because the whole company benefits, and the whole company suffers, when reckless and indifferent behaviour is ignored.

Mariposa Botnet: Iserdo on Trial

Slovenia is more than a beautiful European country. Surrounded by Austria, Hungary, Croatia and Italy, it offers a fascinating history, from its celebrated wines and prehistoric caves to its majestic castles. It has a strong showing at the London Olympic Games too, receiving four Olympic medals to date: one gold, one silver and two bronze. (Slovenia has the best medals-per-capita ratio of the 59 countries that have won medals.)

Not everything coming from Slovenia, however, is a source of pride. On August 7th, the trial began for malware kit author Matjaž Škorjanc, 26, AKA Iserdo. Iserdo is being tried as the purported ‘mastermind’ behind the Mariposa botnet.

The Mariposa botnet is famous for its widespread reach into more than half of the Fortune 1,000 companies and more than 40 major banks. With information theft as its main focus, the Mariposa botnet was used to steal PII and various login credentials from its victims. Spanish police arrested three men in 2010 who were believed to be running the botnet. Iserdo, now on trial, was connected as the author of the original malware used as the foundation for Mariposa.

FBI director Robert S. Mueller III, as quoted in the Inquirer:

“In the last two years, the
software used to create the Mariposa botnet was sold to hundreds of other
criminals, making it one of the most notorious in the world. These cyber
intrusions, thefts, and frauds undermine the integrity of the Internet and the
businesses that rely on it; they also threaten the privacy and the pocketbooks
of all who use the Internet.”
Defence Intelligence, due to its direct involvement with Mariposa, will be closely watching the outcome of the trial, but these kinds of legal proceedings are important to the security community as a whole.  Progress is being made worldwide in regards to punishing those behind malware and botnets, but conviction is often based on very specific or very vague laws.

Georgy Avanesov, the author of the Bredolab malware, received a four year sentence in Armenian courts only three months ago. His sentencing was based on the use of the malware for DDoS attacks. His charges for creating and distributing the malware however, as well as using it for data theft, were dropped.

Just last month three men in Britain were sentenced to multiple years in prison for violating the British Computer Misuse Act of 1990. They were using SpyEye malware to steal banking credentials from compromised users.

Let’s hope Slovenian law is able to encompass Iserdo’s deeds and deliver a proper sentence. I know little of Slovenia’s cybercrime laws, but considering Iserdo only wrote the initial malware, conviction may not be imminent.

For more details on the identification and dismantling of the Mariposa botnet visit: http://defintel.com/about-research.php

Mind the Security Gap


The dangers of the games are not limited to those in attendance. For those watching and following at home, Olympics related spam, phishing, and malware distribution will be in abundance. See one email example reported here by TrendMicro that actually presents itself as a safety advisory about emails promoting sites selling fake Olympics tickets.

Spam or virus email campaigns with special Olympic news or special deals can include an infected attachment or link, as in the example above. These are designed to fool you into installing malware onto your systems. If you don’t recognize the sender address, or the email seems out of character (spelling errors, no content other than a link, unsolicited attachments), don’t click it. If you get an email saying you won tickets but you don’t recall entering a contest, you didn’t win. Sorry. If you are interested in buying tickets for the Olympics or just getting information on the Olympics, go to http://www.london2012.com/. When searching for videos or information on the Olympics, be aware that many new sites are going to be dedicated to malware distribution. Stick to the official Olympic website or your favorite news site. Don’t venture out into unfamiliar territory.

A great FAQ for Olympic related online safety is offered by TrendMicro here. It explains things well for any reader and talks about scams and threats to expect before, during, and even after the London 2012 Olympics.

Be safe and you’ll enjoy the Games even more.


London 2012 Olympics Threats, Online and in the Queue

A team of over 16,000 outsourced security personnel, military troops and police officers will be on guard at the London 2012 Olympics, but physical security for Olympic fans may not be enough to keep them safe.  The Olympics, like any other large publicly favored event, is a hot target for cyber criminals and a hot topic for luring unsuspecting Internet users.


While at the games you may be on the lookout for pickpockets, but also guard yourself against Wi-Fi thievery. Wi-Fi connections can potentially put you at risk of data theft, particularly of your passwords and private information. The best ways to ensure your information isn’t compromised when using a public Wi-Fi network are not to send any sensitive information over the network at all, and to secure whatever you do send as much as possible. The best tip is: don’t use public Wi-Fi. If you’re going to anyway, don’t do online banking.

For the insistent on using Wi-Fi while at the games, read PC Magazine’s Ten Tips for Public Wi-Fi Hotspot Security.

Time’s Up for DNSChanger Victims

Last November I wrote about DNSChanger, the estimated millions of victims, and the FBI’s involvement with dismantling the botnet. Victims of the malware were forced to use alternate DNS servers run by the botnet operators. Just shutting down the rogue servers would have ended the botnet, but it also would have prevented possibly millions of unaware victims from reaching the Internet as they know it. Rather than bringing down the servers, alternate servers with benign intentions were put in place to allow victims of DNSChanger to continue reaching their favorite websites without interruption. These servers, however, will effectively discontinue service for those same victims as of Monday, July 9th, 2012.

From krebsonsecurity.com
http://krebsonsecurity.com/wp-content/uploads/2012/06/dnscchrono.png

The average user knows little of DNS and how to alter their DNS settings, which is likely why the deployment and maintenance of these replacement servers has been allowed to continue for so long. After nine months or more, including a court-ordered extension of service, these DNS servers will be shut down for good. It’s now estimated by some that this may only affect anywhere from 40,000 to 500,000 users. Regardless, many users will be caught off guard Monday with no clue as to what happened. I assume many an angry call will be made to ISPs this same day.
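The check the sites below perform comes down to one question: do the resolvers a machine is configured to use fall inside the address ranges that were handed out by the rogue servers? The following is an added example, not code from the original post or from the DCWG: it parses resolv.conf-style configuration and compares each nameserver against a list of ranges. The ranges and the sample configuration are constructed placeholders; the real DNSChanger ranges were published by the DCWG and are not reproduced here.

```python
"""Flag configured resolvers that fall inside known-rogue address ranges.
Added example (not from the original post); the ranges and sample
resolv.conf text are constructed placeholders."""
import ipaddress
import re

# Placeholder rogue ranges (constructed); replace with the published list.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses in file order, skipping malformed lines."""
    resolvers = []
    for addr in NAMESERVER_RE.findall(resolv_conf_text):
        try:
            resolvers.append(ipaddress.ip_address(addr))
        except ValueError:
            continue  # not an IP literal; ignore rather than crash
    return resolvers


def rogue_resolvers(resolvers, rogue_ranges=ROGUE_RANGES):
    """Subset of resolvers that sit inside any rogue range (as strings)."""
    return [str(r) for r in resolvers if any(r in net for net in rogue_ranges)]


# Constructed sample: one clean resolver, one inside a rogue range, one bad line.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.0.2.53
nameserver 198.51.100.7
nameserver not-an-address
"""


def check(text=SAMPLE_RESOLV_CONF):
    """Summarize what was found; 'infected' is True if any resolver is rogue."""
    found = parse_resolvers(text)
    bad = rogue_resolvers(found)
    return {"resolvers": [str(r) for r in found], "rogue": bad, "infected": bool(bad)}


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESOLV_CONF
    print(check(source))
```

Run it with a path to the machine’s resolv.conf to check real settings; on Windows the same comparison applies to the DNS servers listed by `ipconfig /all`. A match does not by itself clean anything, which is why the fix links below still matter.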

For those doing a last minute check for possible infection, sites listed below will be of great assistance:
For Canadians:
www.dns-ok.ca
Go to the bottom of the page and click “I agree”. If you see green, you’re good. Red, you’ll need to clean up your system.

For Americans:
http://www.dns-ok.us/
No clicking necessary. Green is good.

DNSChanger detection sites hosted in other countries listed here:
http://www.dcwg.org/detect/

Other help and information:
http://www.publicsafety.gc.ca/prg/em/ccirc/2011/in11-002-eng.aspx
http://www.dcwg.org/fix/

-Matt Sully

The Problem With Passwords

I’m often embarrassed by my inability to remember phone numbers now that they’re saved in my phone.  I realize now though, that the space in my memory that used to be reserved for phone numbers has now been replaced by a ridiculous amount of usernames and passwords.

I have 92 passwords to remember.  That’s right, 92.  At least once a day I find myself resetting a password or going digging through my notes to find one.  Security is my business, and yet every day I’m tempted to eliminate all of my unique passwords and to choose a couple of simple ones that I might remember.

Granted, I might have more passwords than most, but they add up if you stop to think about it.  You probably have more than you realize:

  • banking passwords
  • email passwords
  • social media passwords
  • computer passwords
  • sites, blogs, games, etc.
  • hardware passwords (modems, routers, phones)

Much has been written about best practices for passwords, but few people have taken the advice.  The simple reason is that it’s a pain to use “strong” passwords. 

How many of you out there use one password for multiple things/places on the internet?  I’m betting almost all of you.  I imagine you wouldn’t carry one key that unlocked for your car, office and home, but that’s exactly what you’re doing online.  If your password for facebook is exposed, do you really want someone to be able to log in to your bank account, your email account, your online dating profile?

Is your password “password123, iloveyou, michael74” etc?  If so, it’s time to change.  Now.  Online crime is a massive business.  In terms of scale, it has been compared to the illicit drug trade.  This is 2012, not 1993.  There is simply no excuse for being lazy when it comes to securing your information and your privacy.

Don’t feel too badly, you’re not the only one.  Plenty of big name companies, governments, and even security groups have been burned by using lazy passwords.

How to Choose

There are lots of methods to choosing a more secure password.  I won’t argue the benefits of each, I’m just going to share my tips with you.  There will be no math, no discussion of entropy, just my personal process for choosing a password that is likely much more secure than what you are using now.

Unless your house is secured by a moat, infrared detection, and attack dogs, I doubt you want to try to remember a password like “QctT8’*t*$!.hHne[+)^`.,knbB,”.  Don’t worry, there are all kinds of easy options that will help you remember your passwords while making them more secure, you just have to take the time to think about it. 

Make your existing passwords stronger

Let’s say that your email password is “whiskers”, the name of your no doubt lovable cat. You can easily keep the familiarity of the password while increasing its effectiveness as a password.

Old password:  whiskers
New password:  I have loved Whiskers since 2004!

Easy to remember, and vastly more secure than the original password.  If you can’t use spaces, simply remove them.

If you’re one of those who is determined to use birthdays as a password:

Old password:  120896
New password: (Dec. 8th 1996)

Password for a site you don’t often visit:

Old password: myspacepw
New password:  #MySpace has been dead since 2005#

These are just my suggestions.  I like phrases and sentences.  If you prefer math, try something like:

Old password: 120896
New password: 12+08 doesn’t = 96 or 12*8=ninety-six

Perhaps you prefer pictures?

Old password: ilovejessica
New password: I <3 Jessica 🙂 or Miss Jessica makes me 😀
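To put a rough number on why the longer versions above are “vastly more secure”, the following added example (not code from the original post) estimates the brute-force search space implied by a password’s length and character classes, and flags the failure modes discussed here: dictionary words, dates made of digits only, and short length. The tiny dictionary is constructed; the pool-size bonus for non-ASCII characters is a labelled placeholder, not a real Unicode count.

```python
"""Rough brute-force search-space estimate for the old/new password pairs.
Added example (not from the original post). The estimate is a ceiling on
brute-force effort, not a measure of how guessable a phrase is; the
dictionary below is constructed."""
import math
import string

# Constructed: words an attacker's wordlist would try first.
TINY_DICTIONARY = {"whiskers", "password", "iloveyou", "michael", "myspace", "jessica"}

CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
]


def pool_size(password):
    """Size of the alphabet implied by the character classes present."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    if any(not ch.isascii() for ch in password):
        pool += 1000  # placeholder for emoji/accented letters, not a real count
    return pool


def guess_bits(password):
    """log2 of the brute-force search space for this length and alphabet."""
    return len(password) * math.log2(pool_size(password))


def weaknesses(password):
    """Flags the failure modes discussed in the post."""
    flags = []
    if password.lower() in TINY_DICTIONARY:
        flags.append("dictionary word")
    if password.isdigit():
        flags.append("digits only (looks like a date)")
    if len(password) < 12:
        flags.append("shorter than 12 characters")
    return flags


def compare(old, new):
    """Side-by-side estimate and flags for an old/new pair."""
    return {
        "old_bits": round(guess_bits(old), 1),
        "new_bits": round(guess_bits(new), 1),
        "old_flags": weaknesses(old),
        "new_flags": weaknesses(new),
    }


if __name__ == "__main__":
    for old, new in [("whiskers", "I have loved Whiskers since 2004!"),
                     ("120896", "(Dec. 8th 1996)"),
                     ("myspacepw", "#MySpace has been dead since 2005#")]:
        print(compare(old, new))
```

The second half of the story, which the bits figure does not capture, is that a passphrase built from dictionary words is weaker than its length suggests if an attacker guesses whole words; the post’s advice to use altered spellings and nicknames is what keeps that number honest.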

A few things to consider:

Password vaults and their ilk.  I don’t use them and I don’t recommend them.  How do you secure your password vault?  With a password.  So if an attacker gets one password he gets them all?  No thanks.  Convenient, yes.  Ideal, no.

Some companies, banks, and sites limit the security of your password by not allowing special characters, having a character limit, etc.  For now, just work within their limitations until they come to their senses.

Whenever possible, use words and terms which can’t be found in a dictionary.  This sounds harder than it is.  You can use altered spelling, nicknames, and clues instead of the actual term.

If you can deal with the hassle of two factor authentication, I recommend using it if available.  Gmail and Yahoo offer this to all users, I’m not sure about others. 

Storing your passwords

It’s likely that you will need to write your passwords down in case you forget them.  It’s not ideal, but can you really be expected to remember 92 passwords?  My solution is not exactly high tech, but it’s handy and effective.  Post-its.  That’s right, I store my passwords on post-its. 

The key to this is not to put the username, password, and what it’s used for on the post-it.  My passwords often contain a hidden reference to what they are related to.  For example, let’s say that you bank at TD Canada Trust and your branch is located close to a Costco store.  Your password could be something like:

$Across from Costco$

Most people looking at this post-it wouldn’t know that it was a password at all.  If they did, would they know what the password was for?  Sure, they could try this password everywhere, let them.  Absolute security is a myth, we’re trying to make this as difficult as possible.  If someone is determined to gain access to your data, chances are good that your passwords won’t help you anyway.  A few reminders:

  • Don’t store a password list on your computer.
  • Don’t keep your passwords in your laptop case, or in the same location as your computer.

Remember

The goal with a password is to make it easy to remember while making it extremely hard to guess or fall victim to a brute force attack.  If your computer has already been compromised and your keystrokes are being recorded, strong passwords won’t help.

We’re aiming for increased difficulty here, not impossibility.  If there’s one thing we’ve learned, it’s that anything too annoying to remember will end up being reset to password123.

7 Security Resolutions for 2012

I have spoken before about how we in the security industry need to spend less time talking amongst ourselves and more time trying to educate the average computer user.  The following 7 security resolutions for 2012 are part of that pledge.

For anyone in the industry, there is nothing new here.  Having said that, security experts are just as guilty as most when it comes to some of the basics.  Do you really use a unique password everywhere? Have you never clicked on a shortened link?

We often talk about being proactive and not reactive.  Now is the chance to practice what we preach. We created the following hoping that people would send it to that aunt that keeps forwarding the powerpoint slideshows.  That friend on messenger that keeps getting “hacked”.   Instead of helping them clean up their infested computers when it’s too late, maybe we can help keep them from being compromised in the first place.

http://www.defintel.com/images/security%20resolutions.png

Happy New Year!