We know there are spurious websites offering products and services, while at the same time soliciting personal information: Name; address; date of birth; credit card number; expiration; and so on. There are many other websites, legitimate and otherwise, that make the simple divulging of e-mail address necessary – and frankly, that can be the beginning of identity theft.
Fortunately, most of us have robust malware protection, virus protection, and even spam guards in place. But recognize that most data breaches and identity thefts are due to human error and misjudgments. Even a routine online job search can have peril.
In particular, be wary of job proposals or company notices that come your way on an unsolicited basis. Invitations to apply will ask you to divulge highly personal information – and I don’t even give my name and address to any person or entity that I don’t know, or can’t research to a very high degree of certainty for legitimacy.
As to that last point, it may in fact be difficult to certify a company as “legitimate.” Social media and marketing make it easy for false-front organizations to pose as legitimate enterprises, with products, services, and testimonials handily displayed on Facebook and other social media accounts or fancy webpages. However, regardless of your ability to certify the positive, you can dig for the negative: Search the company’s name on the web with the word “scam” after it. Other terms that come to mind are “ripoff,” “illegal,” “court action,” “shut down,” etc. You get the idea.
These days, sad to say, you must limit personal information when sending a resume. Even when sending to a trusted, known entity or person, you cannot be entirely sure to whom that person will pass the information… and so on… through each iteration of passing. So: Don’t divulge your birthday or your social security number. In the case of your present and past jobs, don’t reveal employee ID numbers. Professional certifications, licenses, badge numbers, etc., are also a no-go. Also keep in mind that there are websites that merely pose as known, high-profile organizations: Verify web addresses. Search for any company’s legitimate website yourself – for example, don’t take hyperlinks that are delivered in e-mails for granted.
You should also be very circumspect about your education. Schools, years graduated, and other attendance information can give thieves a ready handle by virtue of alumni information, opening a view to all sorts of other data regarding you.
While online enablements offer broad powers to all sorts of human endeavor, be aware that these same deliver power to identity and data thieves. Job seekers need to exercise extreme caution: be sure to vet all sources and contacts.
Word comes that more than 500,000 Macintosh machines are potentially infected with a virus – one that is specifically targeting Macs: It’s called Flashback Trojan. The virus is a variation on one that is normally aimed at PCs – typically powered by a Microsoft (MS) Windows operating system. The PC virus has been re-engineered to slip past typical Mac defenses.
A Finland-based computer security firm, F-Secure, first spotted and reported the virus; its findings were quickly confirmed by a Russian anti-virus vendor, Dr. Web.
“All the stuff the bad guys have learned for doing attacks in the PC world is now starting to transition to the Mac world,” according to McAfee Labs Director of Threat Intelligence Dave Marcus.
Flashback lets hackers steal passwords and financial account numbers. Mac users are tricked into opening this specific vulnerability: The virus’ designers have made its installation look like a routine update to Adobe Flash video viewing software.
Once upon a time, people who labored in the Mac realm had a rather smug view of security: Macs escaped specific targeting, it seems, and nefarious malware creators seemed to concentrate their deeds to the world of the PC. No more. While Mac’s position in the past seemed to be that they weren’t vulnerable to PC malware (true, in a specific sense), they are now vulnerable to Mac malware – as adapted to, and specifically created for, that environment.
Malware developers concentrated on Windows PCs because they dominated the market. This allowed Apple to claim that PCs were more prone to hacking: True, technically, but perhaps not so much due to any particular superiority of security of operating systems; rather, merely the luck of being a smaller target. Now that Macs are increasing in popularity, the Apple operating system is becoming a much more attractive target.
The IT field, like any, is rife with people who talk a good game. Some walk like they talk – some don’t. The average candidate for your IT department will appear conversant in technical matters, they will profess a belief in quality of service principles, and of course they are brought on board with high expectations. We know that many people fall short of these expectations – in all fields and areas of endeavor. But in cases of flat-out bad IT hires, we have an enormous drain on resources. In the IT department, a sub-optimal hire compounds across the organization in a very detrimental way, since IT supports virtually the entire organization and almost every effort within.
We also know how much time and effort it takes to dismiss an employee. Often an employee must be left within a performance arena in order for us to record and document poor performance. For IT, this is a cruel irony and a ticklish game – trying to maintain security and solid support while leaving job duties in the hands of a poor performer. The associated inefficiencies brought about by increased oversight, double-checking, and counseling are their own drain – in addition to the lack of results. There is also the impact to staff morale. For these reasons, you need an IT leadership that can smoke out the true candidates worthy of hire, investment, and promotion.
These things make it imperative for your IT leader to understand something about most areas of IT technical endeavor. This person does not need to have a deep background in all areas or even specific areas. This person just needs to have a solid understanding of the principles that guide areas, and a good familiarity with the higher-level best practices for managing each area. Much of the vetting of personnel falls to the managers just under the top leadership. Therefore, top leadership needs to qualify in making those managers the best possible investment that your organization can make, as those managers groom the rest of the department.
Image credit: digitalart
We’ve discussed password liabilities before: Consider that many people use the same password (and often User ID) for multiple accounts. This can include online bank credentials, work accounts, social networking sites, other critical sites such as ebay and PayPal…
A breaching entity can hack one account, gain credentials, and then spin them through all other associated user accounts they identify.
Of course, password liabilities also include easy-to-guess passwords, which are subsequently hacked – either by manual human effort, or by password-cracking software that simply tumbles random words and characters through authentication mechanisms. This morning, while having my auto serviced, I tried “password” in trying to gain access to a couple of wireless networks in the vicinity – alas, no luck – but worth a try. Consider: About 5 years ago, Slovak hackers gained access to Slovakia’s National Security Bureau (NBU). The NBU maintains a huge body of classified information, which is supposed to enjoy strong security. However, the hack and breach wasn’t particularly sophisticated: The login ID and password were nbu/nbu123.
You might want to put a little thought into your organization’s passwords and their associated strength: Set a minimum number of characters, and consider requiring some number of special characters (!@%, etc.). Also, see the four basic requirements at the bottom of this article for maintaining a solid password security posture.
Here are PC Magazine’s worst passwords of 2011:
Finally, remember to employ four basic, yet critical, practices for maintaining secure passwords:
1) Use unique passwords for each account.
2) Change your passwords on a schedule. How frequently is up to you, but anything from monthly to semi-annually.
3) Don’t share your passwords.
4) Avoid common passwords.
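The policy sketched above (minimum length, required special characters, no common passwords, no reuse across accounts) can be turned into an automated check. This is an added example, not code from the original post; the denylist and the sample accounts are constructed for illustration, and the `nbu/nbu123` case from the article is used as one of the inputs.

```python
import re
from dataclasses import dataclass, field

# Constructed denylist: entries the article mentions ("password", "nbu123")
# plus a few obvious patterns. A real deployment would load a published list
# of common or breached passwords instead of hard-coding a handful.
COMMON_PASSWORDS = {"password", "nbu123", "123456", "qwerty", "letmein"}


@dataclass
class PasswordPolicy:
    """Hypothetical policy object: thresholds are assumptions, not a standard."""
    min_length: int = 12
    min_special: int = 1
    special_chars: str = "!@#$%^&*()-_=+[]{};:,.<>?/"
    denylist: set = field(default_factory=lambda: set(COMMON_PASSWORDS))

    def check(self, password: str, user_id: str = "") -> list[str]:
        """Return a list of policy violations; an empty list means it passes."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        specials = sum(1 for c in password if c in self.special_chars)
        if specials < self.min_special:
            problems.append(f"fewer than {self.min_special} special characters")
        lowered = password.lower()
        # Strip digits/specials bolted onto a dictionary word, so that
        # "Password1!" is still recognised as the common password "password".
        stem = re.sub(r"[^a-z]", "", lowered)
        if lowered in self.denylist or stem in self.denylist:
            problems.append("matches a common password")
        # The nbu/nbu123 mistake: the password is built from the login ID.
        if user_id and user_id.lower() in lowered:
            problems.append("contains the user ID")
        return problems


def find_reused_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used by more than one account to those accounts.

    Input is a mapping like a password-manager export would give you
    (account name -> password). Any password that appears under two or
    more accounts violates practice (1) above: one breached site exposes
    every other account sharing that password.
    """
    by_password: dict[str, list[str]] = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {p: names for p, names in by_password.items() if len(names) > 1}


def demo() -> dict:
    """Run the checks over constructed sample data and return the findings."""
    policy = PasswordPolicy()
    sample_accounts = {  # constructed sample, not real credentials
        "bank": "Hunter2!Hunter2!",
        "work": "Hunter2!Hunter2!",
        "ebay": "other-Pass-99",
    }
    return {
        "nbu": policy.check("nbu123", user_id="nbu"),
        "weak": policy.check("Password1!"),
        "ok": policy.check("Tr0ub4dor&3-correct-horse"),
        "reused": find_reused_passwords(sample_accounts),
    }


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```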
NP: Hi Lili, Hi Lo, Bill Evans, jazz24.org
Well, I guess it already has. But an interesting opinion was rendered recently regarding the United States’ position regarding cyber crime. According to Trend Micro’s global CTO, Raimund Genes, the US’ lax security standards are facilitating cyber crime in the public cloud.
Cloud adoption and loose standards regarding online banking show serious security flaws, according to Genes. In fact, he states, “The US has no sense about data security, and I could be very brutal there.”
This isn’t particularly good news for those individuals and organizations who harbor their content, and even processing, in the cloud, by virtue of various solutions providers. Often, these folks have no idea exactly where their information is – relying on the providers’ discretion and standards… and whether those standards comport with current and best practice can be anyone’s guess.
When security lags in one area, it often creates a lax situation in evolving and debuting areas. For example, a looming vulnerability involves Near Field Communication (NFC) – a brief description about NFC and then an example:
NFC allows simple transactions and data exchanges between wireless devices in close proximity. It will likely support regular use of smartphones for making payments. Already many of the smartphones on the market contain NFC chips; the chips are capable of containing credit card information, and a simple wave of your phone near a retail cash register’s reader, for example, will be a fast and effective way of making payment. No more digging for, and swiping of, a credit card.
However, Genes warns of this arena too: The use of NFC by credit card companies, again in view of lax security standards and measures, is a “security disaster,” in his words.
As individuals and organizations grapple with rapidly changing IT issues, such as cloud computing and storage, and NFC communications, be certain to examine and qualify your providers and procedures. Update security policies, and update your security checks. Remember: You must lead threats, in closing vulnerabilities, and in thwarting crime.
When hiring service providers and solutions partners, be certain they’re on the most responsible security edge possible.
NP: Soul Burnin’, Red Garland, jazz24.org
The Washington Post is reporting that foreign hackers disabled a pump at an Illinois water plant last week, according to the preliminary state report.
If the source of the attack is confirmed as foreign, it will be the first known attack on a critical public (that is, societal) support: That of water, power, communications, and other essentials such as policing.
There have been many hacks and harmful incidents of various scope in years past, of course. However, those were squarely within the realm of information’s availability or integrity: Incidents involving theft of content, destruction or corruption of it, or the interruption of access to it by taking down websites.
But now, there are entirely new vulnerabilities faced by our government, and subsequently you and your organization. Any org relies on the steady reliability of public infrastructures and enablements – and we’ve discussed those here in the past. But what of more mundane, and perhaps likely, concerns for the average organization?
Threats are becoming more sophisticated, and in many cases eclipsing the status of security in even the most “sophisticated” environments (relatively speaking). What your organization must do is to survey your entire “security bouquet” prior to something that is certain to happen: Hacktivists, and just general miscreants, are going to shop for companies, agencies, and groups that they can “take down.” It will be sport. It will be an attempt to gain mention on the daily news cycle.
Why? Because if people can do it, they generally will.
Begin with a review of your Acceptable Use policy: Make certain people in your organization are not opening security vulnerabilities. They shouldn’t be using work resources to spend time on nefarious sites, nor should they correspond with strangers – new “friends” – outside of any business context – using domain credentials, to include their simple work e-mail address.
They also shouldn’t be posting comments to non-work-related boards or articles with domain credentials – What is being done in the name of your domain? – that could bring the wrong kind of attention to your organization. Further, when they are on legitimate sites, such as professional support forums, they should take care not to run afoul of Terms of Service elements, nor should they be argumentative or abusive: There can be definite risk of recrimination from a forum member who decides to seek retribution by a “take-down” of some element of your domain.
Review all security policies, and establish a monthly or quarterly security refresher training. All actions and activities should be viewed through security’s prism. Make everyone in the organization a security officer.
NP: Purple Passages, Deep Purple.
Today, any organization is dead without its technical supports. Even an attack on content – information, business intelligence, data – can put business at risk.
By “business,” we mean the doing of the doing – your “busy-ness” in furthering and delivering within your mission: Whether you’re a for-profit private-sector endeavor; a non/not-for-profit org; a government agency; or sole-proprietor. You have business that needs to be conducted on a daily, ongoing, basis.
Any business can go out of business if it loses any measure of its technical enablements, and/or corresponding content. Lose it all, and it most definitely will go out of business.
And now comes word of cyber-terror. What the heck does the local organization do about that? Eugene Kaspersky is a Russian math genius who founded an internet security apparatus that has been characterized as having a global reach. He’s a thought leader as regards emerging perils. According to Sky News, Kaspersky believes “…we are close, very close, to cyber terrorism. Perhaps already the criminals have sold their skills to the terrorists – and then… oh, God.”
That doesn’t sound too hopeful. Further, Kaspersky, while attending the London Cyber Conference, told Sky that he believes cyber-terror to be the biggest threat to nations such as China and the U.S.
“There is already cyber espionage, cyber crime, hacktivism (whereby activists attack systems and content for political ends) – soon we will be facing cyber terrorism,” he said.
So – what’s the local organization to do? There is a need to protect yourself. With ever-more power and knowledge being available to individuals and small groups, imagine: Imagine a disgruntled ex-employee wiping out your organization’s assets, for example. But further: Can the average organization make a contribution to the larger, surrounding, public security?
I propose a business/tech roundtable in given locales, that meet semi-annually, or perhaps quarterly in high-risk areas (Washington, DC, for example). Here, business and technology folks, from all levels of diverse organizations, can brainstorm and share ideas of protection, prevention, and where necessary – recoveries.
It’s going to become a necessity: Already, the Pentagon is on record to state that the U.S. reserves the right to retaliate with military force against any cyber attack. In a 12-page report to Congress, made public, the Pentagon said:
“When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means – diplomatic, informational, military and economic – to defend our nation, our allies, our partners and our interests.”
The vulnerability is large, being that the Defense Department alone operates more than 15,000 computer networks, with 7 million computers worldwide.
But, again, what of your locale? What if simple everyday “hacktivists” decided to take down some service providers that were key to you? It would be awfully uncomfortable to live without e-mail, your online presence, and the services of any other providers such as Cloud hosting, processing, storage, and communications.
It’s something worth thinking about… at least start to think about it – and where effective, efficient, contributions by your org might be made.
NP: Black Sabbath, We Sold Our Soul for Rock ‘n’ Roll, original vinyl LP.
Beyond hacking, breach of data can include: Unintended exposures by “insiders” through accidental dissemination; lack of solid authenticating protections, allowing “outsiders” to stumble onto sensitive data; and of course other things such as the exposure of data through loss of portable devices like outboard drives, thumbdrives, smartphones, laptops, etc. A new wrinkle regarding data’s security evidenced itself to me, however, when thinking about MA – but first:
Massachusetts’ Attorney General Martha Coakley released notices – notices that her office receives as required by a 2007 state law. Any company doing business in the state must inform customers and state regulators about any breach that may result in identity theft. The law followed a huge 2007 breach at retailer TJX Companies, when 45.6 million cardmembers’ data was stolen over an 18 month period.
Initially, TJX refused to reveal the size and scope of the breach, but finally came clean and divulged how massive it was, and notified credit and debit cardholders. That breach and delay led to MA’s present law requiring notification.
Today, the law’s yield is sobering: One in three people suffered compromise of data – in a mere 20 months.
In reading about the situation in Massachusetts, I began a mental exercise to explore other risks to data, and sound business standing: Things beyond the typical insecure posture due to ignorance, or lack of planning, and things that result in hack, loss, and resultant breach. Are there other general areas of unsurveyed risk?
You bet there are.
There are bad outcomes for data that don’t involve breach, of course: There’s corruption. There’s accidental deletion (between backups, or in light of no backups). And… other things…
What of a hardware/software vendor who would deliberately lose your data, within a warranty window, by virtue of a stated, official, policy of selective (vs. comprehensive) backup and restoration?
More to follow…
NP: Led Zeppelin, eponymous, original vinyl LP
Back in my misspent youth, us kids used to ride our bikes as fast as we possibly could, trying to leave group members behind. The slowpokes invariably whined… “Hey!”… “Wait up!”… and if we could actually get someone to cry, so much the better! We’d laugh maniacally, looking back over our shoulders at our hapless slower counterparts. Oh, the inhumanity!
My father once saw a group led by me, leaving my little brother behind – and he heard my brother’s protestations. Upon return to home, I was punished – banished to my room for some measure of time – with the stern counsel of my father, “Never leave your brother behind.”
Some folks and organizations are pedaling pretty fast these days, in trying to stay up with, and ahead of, the pack in matters of security: Trying to keep up with best and burgeoning practices, and trying to stay ahead of new threats and potentials of harm. But many surprising entities are at the back, and if they ain’t cryin’ yet, they soon may be.
Consider this: “Cyber-cops” in the U.S. were surprised, caught off-guard, by a case of cyber-espionage thought to be unprecedented in scope and size. It’s been described as a five-year hacking scheme (five years!), as mounted and exercised by a single “state actor.” The espionage targeted computer systems of the U.S. government, the United Nations, defense firms and private industries. The state actor is thought to be China, but that info hasn’t been released.
Hmmm… did some measure of government agency discover the hacking? Perhaps some U.N. security expert? Or surely one of those leading defense or private industries had some proactive, forward thinking, cybercop scanning and discovering the breaches (after five years!)? Sorry to report, but it was McAfee. According to Fox News, McAfee’s vice president of threat research, Dmitri Alperovitch, said “Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators.”
Mr. Alperovitch’s report indicated 72 victims of the spying, 49 of which were American agencies and firms, during which massive losses of information occurred – there is potential for a huge economic threat. We must recognize too that state actors don’t rest – just because this five year effort has been busted, they’re constantly evolving their spying means and mechanisms. A U.S. official has confirmed the espionage and theft, and as pertains to McAfee’s report, told Fox “The report is fairly accurate.”
If McAfee’s report is correct, our government didn’t learn of a successful multiyear cyber-spying effort from its own internal cyber-police, but from McAfee. What’s embarrassing, and scary, is that Janet Napolitano, head of the Department of Homeland Security, became aware of the McAfee report – and large scale breach – only on the same day the report was released to the press. She further said, “We obviously will evaluate it and look at it and pursue what needs to be pursued.” Obviously. The White House has been briefed, so too has the U.S. Cyber Command at Ft. Meade, MD, and on and on… lotsa people pedaling on this block, you see.
Just not very fast: National Security Agency director General Keith Alexander serves as the head of the Pentagon’s new Cyber Command. He has stated that our military may not have the present capability to safeguard Pentagon networks from cyber-attack. “The Department has a shortfall of cyber force capacity to plan, operate, and defend its networks and ensure freedom of action and maneuver for our nation in cyberspace. Additionally, we are still discussing across the Administration how to best defend against a ‘Cyber 9/11’ that affects our critical infrastructure and beyond.”
Private industry is vulnerable too: Lockheed Martin was the victim of a cyber hack earlier this year, as well as others.
What does this mean for you? Beyond “state actors” (such as China), and dedicated teams targeting private industry (such as the insiders referenced in yesterday’s article), there are malicious hackers who are simply out for fun. They’re looking for websites and networks to hack just for the opportunity to wreak havoc. All of these levels are pedaling at a fast clip, looking to breach, steal, and harm – and likely… laughing maniacally with each success, at the expense of those at the back of the pack.
How fast are you pedaling?
On this day (Oct. 11th): The Juliana, 1st steam-powered ferryboat, begins operation in 1811.
A colleague recently made a cogent argument for timely – in fact immediate – application of all suggested updates as they pop up on various devices; desktops, laptops, smart phones, etc. He examines it from a security perspective, being that many of these updates address security issues. A week doesn’t go by that I don’t get at least one “recommended update” or another on my laptop from various software providers.
The colleague is not a fan of the “Remind Me Later” option/button – he claims that it’s “the most dangerous button you can push” (hmmm… my vote might go to the “Delete Permanently” option…). He likens “Remind Me Later” to discovery that your home alarm is broken, and then deciding to post a reminder to your calendar to look at it later. Another (false) analogy he uses is: Leaving your car unlocked, and asking someone to remind you later to go back and lock it. More on his analogies in a bit…
However, it’s now well-established that hackers and crafters of malware are providing their own “update” notifications: Spoofs of legitimate updates that, upon acceptance, install viruses, keystroke monitors, collectors of authentication info, website trackers, information relays, and other nefarious things you most definitely want no part of. Further, they employ various tricks in “legitimizing” the look and feel of their activities – one of which is an actual “Remind Me Later” option, figuring you’ll accept it at some point.
A little examination may be in order before reflexively clicking that “OK,” “Install,” or “Update Now” button. Look the popup over carefully: Its aesthetics (does it look typical? If you’re able to remember the last update, that is); the way it’s worded; and further, is it an update that corresponds to your environment (that is, is it for something you’re actually running)? If you receive an Adobe update, and you don’t have Adobe in your environment – don’t install.
Another consideration: Oftentimes updates will create a conflict between the updated application, and another one. There is published documentation of known problems and conflicts between resources, and frequently there is published counsel to forgo a particular update, because another non-conflicting one is due to be released by the software publisher, applications developer, plug-in provider, etc.
A really savvy user will know certain schedules. For example, if receiving a Microsoft operating system update, it would be useful to know if MS was actually sending one out. Googling around for this type of info can help. There are also some great message boards that discuss this topic, and subscription can yield solid info and protections.
But here’s today’s take-away for you: Just because you don’t update an element immediately doesn’t mean you’re completely unprotected (such as leaving your car doors unlocked, or home unsecured). Security elements are still in your environment, running, and protecting: A good provider will LEAD threats, so that you may indeed have a little room for a “Remind Me Later” – particularly if you suspect an update might be a spoof; a threat masquerading as a legit update.
When all is said and done, any specific user, and any specific organization, has to make its own decisions regarding notifications of updates. You’re tasked to know your environment better than anyone.
But keep in mind that “Remind Me Later” can be a legitimate buffer as you research and vet an update notification. It’s not just a procrastination tool.
NP: Soul Bird, Cal Tjader, jazz24.org