What can we learn from Twitter?

Twitter Logo
Twitter Logo (Photo credit: Jon Gosier)

With each new breach it’s good practice to
find a takeaway that can serve as a reminder or new insight. The recent breaches with Twitter, The New
York Times and The Washington Post are no different.
Twitter has offered the most transparent
account of the breach thus far. Bob Lord, Twitter’s director of information security, offers an extensive explanation in his blog.  Lord reveals that the attack was not the work
of amateurs nor was it an isolated incident against Twitter. The hackers were
clearly targeting other companies and organizations. It was for this reason
Lord, “felt that it was important to publicize this attack while [Twitter] still
gather information, and we are helping government and federal law
enforcement… to make the Internet safe for all users.”
The Daily Mail consulted an independent
privacy and security researcher for input on the Twitter breach and what can be
gained from Twitter being so public about it. Considering the breach impacted a
relatively small number of users and how quickly Twitter was able to
effectively respond and mitigate the breach, it was deemed well contained.
This reflects the discussions we
participated in at the Women in Security Lecture Series recently.  Namely, that there is a clear need for more
communication between security executives and more learning from each other’s
mistakes. Twitter is setting a positive example in how to be transparent in process
and sharing details for others to learn from and how to proceed.
Given that it’s now understood that it’s
not a matter of if a company will be breached but when, responses like
Twitter’s go towards removing much of the taboo and shame associated with a
breach.  This is the necessary first step
towards true sharing and progress.
the communication at an early stage, which Twitter seems to have been able to
do, is an essential part of any security plan. As Lord stated in his blog,
these attacks were specific and not perpetrated by amateurs. The hackers have
gotten sophisticated and the security executive’s plan must evolve to keep pace.
Defence Intelligence’s main service
offering, Nemesis, is able to add that layer of protection. Many security
executives rely on Nemesis as the extra layer that will protect their network
from breaches. Nemesis effectively protects networks by severing communication
between the network and the attacker. This allows security groups and
traditional security tools the needed time to respond and remediate.
Contact Defence Intelligence today to find
out how easily and effectively Nemesis can fit into your current security plan. 

Enhanced by Zemanta

The Intern’s Security Practices Part 2: Links and Software

 As Defence Inteligence’s intern, I decided to survey my class at Algonquin College to find out how they protect themselves from digital threats. Here is the next section of the survey results on links and software.

To start, I asked if my classmates open links on various social media sites and in emails. Here is what they said:

Some of these results could be off because they may not have an account on LinkedIn or Twitter. Since all students have an e-mail address and the majority have a Facebook account as well, it’s not surprising that they have the highest percentage. I will open links on any of those platforms if I recognize the sender and it’s something they normally do. This is how I fall into the 67 per cent that open links from known sources.

With that said, I don’t open every link received from someone that I know. I read the text around the link and check Google for any warnings. This habit saved me from a virus spread through Twitter where you received a message from a friend saying they found a picture of you. When you clicked the link it gave you the virus. With 80 per cent of the students saying they don’t open messages that are just a link, it looks like when it comes to links they have an idea of how to act securely.

It surprised me to find that only 65 per cent of the students admitted to downloading music or movies through sharing and torrents. I’m definitely guilty of this from time to time, especially when it comes to movies.

Moving on to software, we wanted to know when students decide to update their software.

It’s interesting to note that one student wrote on the survey that that they check to see how important the update is.

The most surprising results for the survey was that 82 per cent of students said that they don’t have antivirus software on their phones. I would be curious to see how many are iPhone or Andriod users. As an iPhone user I’m not sure I have any antivirus software.

“People fail to realize that their phone is a computer and should be treated as such,” said Keith Murphy Defence Intelligence CEO.

Similarly 35 per cent of students don’t have antivirus software on their computer or laptop, and 22 per cent don’t know if they have any. This was a shock to both Murphy and myself.

“If they don’t know whether they have AV, it’s safe to assume that they don’t,” said Murphy.

With this news, it’s no surprise that 22 per cent admit to discovering a virus on their computer. Of the 43 per cent of the students that have antivirus software on their computer or laptop, 17.5 per cent use McAfee, 12.5 per cent use Symantec/Norton, two per cent use Windows Essentials, seven per cent use Avast, and five per cent use a different type of software.

Stay tuned for our last post concerning the security attitudes of the students.

By Sarah Raphael

90 Minutes to Privacy

In light of this being National Data Privacy Day for the U.S. and Canada, here are eight tips to create safe, online personal security habits. 
Previously we covered best practices when working with passwords,
ensuring your software is up to date, and that you’re working with a decent
anti-virus solution, get ready to start the timer and do what you’ve been
meaning to do for years.
Image representing Google as depicted in Crunc...
Image via CrunchBase
Reconnoiter – 15 Minutes
The first step in securing your privacy is to
find out just what is out there for the world to see.  If you’ve never Googled yourself, now is the
time.  Google searche to check on:
your name
your name + your city
your name + your employer  
your phone number
your address
your email addresses
screen names
gamer tags 
search anything that you’ve ever used to identify yourself.  Don’t forget
to do an image search while you’re at it.
You might be surprised to find that your dating
profile, gaming history, forum posts, site memberships, comments, pics from the
office party, etc. are easily uncovered.
Now find out what Google knows about you here
Turn off your Google search history here.  
Get your credit report.  You should know what’s on there, and it’s
easy and free to request it.  Look for
anything suspicious or incorrect and contact the agency immediately if anything
is amiss.

You don’t need to pay for the upgraded service, there is no charge to receive your credit report.

Canada – Equifax [PDF]
              – Transunion

USA – Equifax/Transunion/Experian

Call your doctor and get a copy of your medical
history.  Most people have details about
every oil change they’ve ever paid for but have no clue about their own health
Depending on where you live, you’ve got the
right to access different information that is on file about you.  Insurance companies, payroll companies,
social services, etc. should all supply you with what they know about you.
your footprint – 20 minutes
Haven’t used a Groupon in 6 months but still
getting spammed daily?  Sign up for 5
different streaming radio services but only use Songza? Find your true love but
still have profiles on dating sites? Now is the time to delete any accounts
that you no longer use.  It’s a pain, but
it only takes a minute.  If your myspace
page is still sparkling and blaring music out there, just put it out of its
misery.  As an added bonus, your inbox
will thank you.
Can’t remember all the crap you’ve signed up
Look through your spam folder.
Check your purse or wallet for points cards,
rewards cards, coupons, etc.
Location services – Maybe you love Google’s
location aware search results, but there is no need for most apps to know where
you are.  Similarly, nobody needs the GPS
coordinates of the party you were at last night.  If the app doesn’t need to know where you are
to work, then turn it off.
Delete –
10 minutes
Take ten minutes to go through the files and
folders on your computer.  Delete
anything and everything you can.  Be
your social media belt – 10 minutes
Adjust your privacy settings.  Facebook is the big transgressor here, but be
sure to check your LinkedIn, Twitter, Foursquare, Pinterest, etc. as well.  Even if you don’t care, your contacts might.
Your privacy settings on sites like Facebook and
LinkedIn don’t only affect you.  Take the
time to make sure that you’re not sharing any data about your friends with
people that you don’t have today.  Why
let strangers creep all of your contacts on LinkedIn and share friend’s data
with third party developers on Facebook?
Go on a
friend diet – 10 minutes
Prune your lists of friends:  Facebook, LinkedIn, Google+, Skype, MSN, ICQ,
AIM, IRC, etc.  If you haven’t talked to
them in the last year, you probably never will. 
If you need to look them up, you can always do so. 
Go on an
app diet – 10 minutes
Look through the apps on your phone.  If you haven’t used it in a month, uninstall
it.  No matter how many times you tell
yourself otherwise, you are never going to use Google Sky.  Bored with Fruit Ninja? Downloaded Layar just
to show off your phone?  Get rid of
them.  You can always install them again
later, even the ones you’ve paid for. 
The same goes for any facebook apps you may be annoying
your friends with.  Ditch them.  Nobody cares about your farm or what you just
played in Words With Friends.
 Create an
alias – 10 minutes
Not just a username, make a whole person.  First name, last name, email address,
birthday, pet.  When you need to sign up
for something non-critical, use your alias. 
If they don’t need your real name, don’t give it to them.  With the birthday/email/pet, you should even
be able to recover your password if you forget it.  Now is your chance to have the supercool name
that you always wanted.  Hello, Mr. Mike
– 5 minutes
Make sure you use lockscreens on your phone,
tablet, computer, etc. Set them to lock after 2 minutes.  No exceptions. 
Install Prey or similar tool on your devices
just in case. preyproject.org
Sign out of everything you log into, whether
it’s a site, a program or a computer.
Tell us how you did with the 90 Minute to Privacy Plan. Did it take more or less than 90 minutes? 

Enhanced by Zemanta

Cyber Security Made Easy – Part 1

English: A candidate icon for Portal:Computer ...
English: A candidate icon for Portal:Computer security (Photo credit: Wikipedia)

is national cyber security month and offers an ideal opportunity for online
security professionals to reach out to help educate their community.  This is the month when security-wise people
help their friends, family and colleagues in taking proper steps to be safe online.
are more receptive to learn how to be cyber safe after incidents such as Wired
seditor, Matt Honan, had his online life hacked. Honan said his life was ‘digitally destroyed’. He lost a year’s worth of
photos, as well as documents and email that he hadn’t stored anywhere else.

A recent LinkedIn article by Daniel Solove talks about the
real weak link in security: people.

“According to a stat
in SC Magazine, 90% of malware requires a human interaction
to infect.  One of the biggest data security threats isn’t technical –
it’s the human factor.  People click when they shouldn’t click, put data
on portable devices when they shouldn’t, email sensitive information, and
engage in a host of risky behaviors.  A lot of hacking doesn’t involve
technical wizardry but is essentially con artistry.  I’m a fan of the
ex-hacker Kevin Mitnick’s books where he relates some of his clever
tricks.  He didn’t need to hack in order to get access to a computer
system – he could trick people into readily telling him their passwords.”

help with mitigating the human error through security education, we’ve created a blog series that
will offer best practices on how to be cyber safe.

we look at best practices for email and twitter links.
real life examples include links sent through Twitter as direct messages
containing a fake Facebook update that infected the user’s device. The direct message suggested that someone
had posted or tagged the receiver in a Facebook video. Those who clicked on the
link had their computer infected with malware.” 

recently in the news was an email that contained ‘here you have’ in the subject
line. The body of the email would typically read
as “This is The Document I told you about, you can find it Here” or “This is
The Free Download Sex Movies, you can find it Here.” Those who clicked on the link in the email message found they had downloaded and launched
a program that spams the same Trojan Horse out to everyone in their address book,
flooding and crippling e-mail servers.

you click on that link in your email or Twitter direct message?
 Answer “yes” or “no” to each of the following.
If there’s even one question where you answer “no”, then don’t click on the link. As the
saying goes, ‘When in doubt don’t click.’

  1. Do
    you recognize the email address of who sent the email?
  2. Is
    the subject line and content of the message written in the same style that your
    friend, family, acquaintance or the corporation usually communicates?
  3. Does
    the email contain a link with no text introducing the link?
  4. Is
    the spelling correct?
  5. Is
    the email sent at the usual time that is typical of the sender?

If you are still curious about an email or link you can search text from the
suspicious email or link to see if it comes up as a malware. But as said if you
have any hesitations don’t click on link – it’s just not worth the risk.

Our next blog will look at tips for searching safely on
engine searches.

Enhanced by Zemanta


We’re opening the office doors:

Defintel’s on Twitter. Check it out, drop us a line.

Facebook too. Join the Defintel group for botnet building videos, photos, and a chance to ask us questions about computers, security, videos games, comics, and just about anything else.

From the whole Definel team: