“Citizen Four”, the documentary of Edward Snowden, won an Oscar. Director Laura Poitras, journalist Glenn Greenwald and Edward Snowden himself participated in a chat on Reddit yesterday. One question stood out. This from GCHQ – Graham Cluley’s Security Newsletter:
The NSA whistleblower, who now lives in Moscow, was asked if he would do anything differently in retrospect.
Mr. Snowden, if you had a chance to do things over again, would you do anything differently? If so, what?
Had I come forward a little sooner, these programs would have been a little less entrenched, and those abusing them would have felt a little less familiar with and accustomed to the exercise of those powers. This is something we see in almost every sector of government, not just in the national security space, but it’s very important:
Once you grant the government some new power or authority, it becomes exponentially more difficult to roll it back. Regardless of how little value a program or power has been shown to have (such as the Section 215 dragnet interception of call records in the United States, which the government’s own investigation found never stopped a single imminent terrorist attack despite a decade of operation), once it’s a sunk cost, once dollars and reputations have been invested in it, it’s hard to peel that back.
Don’t let it happen in your country.
You’ve heard it before and you’re going to hear it again from me. When it comes to using the internet, TRUST NO ONE. For anyone who may be receiving this data in some way other than reading it with your own eyes, that mantra is written in red, all caps, bold, italicized and underscored text. If you are connected to the internet, you have to assume that everyone and anyone can see everything and anything originating from your computer or other connected device. We write about security all the time. We promulgate all sorts of techniques and tips about how to be more secure online. Sure, these things may protect you from hackers and common cybercriminals, but they will never protect you from the largest criminal organizations on the planet: NSA, GCHQ and other spy agencies. Your operating system is not secure; your software is not secure; your email is not secure. It’s questionable that any commercial hardware you use is secure.
Read these articles and decide for yourself:
Lenovo slipped “Superfish” malware into laptops: http://money.cnn.com/2015/02/19/technology/security/lenovo-superfish/
Schneier on NSA’s encryption defeating efforts: Trust no one: http://www.pcworld.com/article/2048268/schneier-on-nsas-encryption-defeating-efforts-trust-no-one.html
Revealed: how US and UK spy agencies defeat internet privacy and security: http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
It’s a sad state of affairs when companies we trust turn out to be engaged in criminal mischief. In 2005, Sony BMG installed rootkits on the computers of anyone who purchased and played certain music CDs. As a result of that betrayal, I and many others boycotted Sony-produced products. Now, yet another huge and trusted company, a supplier of quality computer products that many of us have in our organizations, has screwed the pooch. I didn’t join in the fray on Thursday when it was revealed that computer maker Lenovo has been shipping laptops with preinstalled malware that makes you more vulnerable to hackers — all for the sake of serving you advertisements. I like to step back and breathe a little before I react to such news. Well, I’ve breathed a bit since Thursday, looked it over, and have decided that I’m mad as hell. And, as in my personal boycott against all things Sony, I’ll do my damnedest never to buy anything made by Lenovo again.
At the college where I work I have a mobile computer lab comprising 20 Lenovo ThinkPad Edge notebooks. Lenovo says they didn’t install the malware on this model, but can I really trust them? I don’t think so. I’m thankful that when I initially took delivery of these notebooks, I wiped the Microsoft Windows 8 factory image and installed our own Windows 7 image. It contains no factory-installed software. Nevertheless, we won’t be buying any more of these or anything branded Lenovo despite their completely BS we-didn’t-think-we-were-doing-anything-wrong statement:
In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks. The goal was to improve the shopping experience using their visual discovery techniques.
. . .
To be clear: Lenovo never installed this software on any ThinkPad notebooks, nor any desktops, tablets, smartphones or servers; and it is no longer being installed on any Lenovo device. In addition, we are going to spend the next few weeks digging in on this issue, learning what we can do better. We will talk with partners, industry experts and our users. We will get their feedback. By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are confident in our products, committed to this effort and determined to keep improving the experience for our users around the world.
Be careful to wear high boots and proper protective clothing while you’re “digging in on this issue,” Lenovo, and consider this: Cybercriminals go to jail for doing what you did.
To any other companies looking to “enhance our user experience,” why don’t you just give us bug-free, secure products that do what WE want them to do and stop treating us like lemmings.
Not rubbing it in, but I recently spent a little time where it’s warm. Specifically on the Gulf coast of Florida. That’s not a security topic, but what happened when I was on the island offers a lesson in keeping your eyes open if you want to remain safe.
The town of Sanibel Island, FL is – as the name suggests – an island. They have toll booths that keep track of the people who come over the bridge to vacation or work. And they have staff who are ready to lock down access to the island at a moment’s notice if there’s a crime or similar event in the town. That’s what keeps it pretty safe.
If you plan to rob a bank, steal a bike, or take some merchandise, you’d better be prepared to swim your way to your lair. Getting away when they lock down the bridge is akin to being trapped on Alcatraz. But that’s neither here nor there. I wanted to talk to you about nature and how the professional park ranger keeps nature safe.
Seriously. Nature sometimes needs safekeeping from people who want to get too close, feed animals human food, and generally make themselves a nuisance. And on Sanibel Island, FL there is a national park called the JN Ding Darling Wildlife Refuge. AND in that refuge are plenty of examples of nature.
I told you all that back story to share a story and impart a lesson.
Here’s the lesson… If you keep your eyes open, you’re well on your way to keeping your company and facility safe. When your facility is safe, your data is likely safer. Then your entire organization is better off.
Here’s the story… I wanted a photo of an owl. I’ve been chasing owls all over the world (mostly the Northeast and Florida) for about 15 months. I had my chance with the JN Ding Darling Refuge as a backdrop for my photos.
During my mini vacation, I was informed that there was a certain nature trail where an owl liked to hang out.
I promptly made my way to that trail with my camera. Strolling along, I saw a mass of people looking up at an old palm tree that had a few holes in it. In one of those holes was a little screech owl. I waited until the crowd moved along and then steadied my camera to take some photos.
That was fine. I got some good photos, but as all humans are likely to feel…I wanted more. So I moved a bit closer to the owl, remaining on the path, and took some more photos. Then I realized I could get a photo that few other people had by lifting my camera above my head and shooting photos at eye level with the bird.
That’s when it happened. No, I didn’t get pecked or clawed or dive-bombed. I did get a sharp tap on my shoulder from a diminutive park ranger. She came up to me and sternly suggested I not put my camera in the face of the owl.
I looked at her quizzically because I was on the path, the plane where I had my camera held was in line with where I was standing and no closer horizontally to the owl. But from her perspective, the camera was starting to get too close to the bird. She told me so and explained that she was now on the lookout because another visitor had actually tried to put the camera inches away from the owl before he was warned away.
I understood. And it made me aware of how I could use the experience as a lesson. Because the ranger was vigilant and looking out for breaches in the protocol of the park, she was able to keep the animals safe. She was also smart enough to have set a perimeter so she could anticipate issues before they arose.
In my case, I was never going to get right next to the owl. He (or she) was 11 feet off the ground in the tree. I stand about five feet, ten inches tall. The physics don’t work. But when it comes to security and keeping thieves (or breaches) at bay, the approach works fine. Keep danger far enough away and you can ensure complete safety for your facilities and data.
That’s why having systems in place and setting up proven responses is paramount to good security. Think about the owl and photographer next time you’re in a meeting with IT or your CTO. Then come up with ways to keep the bad guys outside your own organization’s perimeter.
You’ll be safer and happier in the long run. Oh, I’m back north now in the cold and the snow. No danger of me bothering that owl anytime soon.
Breaches, breaches, breaches. It’s all part of the daily news in IT security. It’s a good idea to keep tabs on your accounts, especially your email, to see if you’re relatively safe. I say “relatively” because no one is really safe on the internet anymore. I use two services, PwnedList.com and haveibeenpwned.com, to periodically check my email accounts. PwnedList allows you to set up all of your email addresses and will send you notifications; haveibeenpwned.com will notify you about one account but requires you to manually check for others unless you make special arrangements.
PwnedList actively protects you by continually monitoring sites that host stolen credentials and other security data. If your data has been compromised we’ll notify you immediately—but that’s not all. You can check your online accounts and know with virtual certainty whether they’ve been compromised at any time.
Once you set up an account with them, you can add as many email addresses as you want. You will only be notified if any of them show up as being compromised.
[Troy Hunt, a Microsoft Most Valuable Professional] created Have I been pwned? as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or “pwned” in a data breach. I wanted to keep it dead simple to use and entirely free so that it could be of maximum benefit to the community.
To find out if any of your accounts have been pwned, you can visit http://www.haveibeenpwned.com, enter your email address (you can check as many email addresses as you want) and click the “pwned?” button. You’ll get one of two responses as shown below:
The one above shows you’re OK. No need to fret about it. If you get the one below, you had better take action: change your password immediately.
I just couldn’t resist letting my readers see this latest variation on the Nigerian 419 scam. I can’t believe these things are even still going on. Anyway, I got a good laugh out of this and I hope you do, too. You see, I paid “VIRTUALLY all fees and certificate,” but I still have to “SEND THE FEE FOR THE HARD DISK FIRST BEFORE I MAKE YOUR TRANSFER OR YOU BUY THE HARD DISK IN YOUR COUNTRY AND SEND IT TO ME,” before anything happens. But the great part is, “Miss Faith Okeke” will “run away from Nigeria to meet with you.” So, I get a bunch of money and a girlfriend, to boot. Fun stuff. I’m of half a mind to play along and reverse the scam on “her.”
Subject: THE TRUTH ABOUT YOUR FUND IN MY POSSESSION

Dear FRIEND, I am Miss FAITH OKEKE. a computer scientist with central bank of Nigeria. I am 26 years old, just started work with C.B.N. I came across your file which was marked X and your released disk painted RED, I took time to study it and found out that you have paid VIRTUALLY all fees and certificate but the fund has not been release to you. The most annoying thing is that they cannot tell you the truth that on no account will they ever release the fund to you, instead they let you spend money unnecessarily. I do not intend to work here all the days of my life, I can release this fund to you if you can certify me of my security, and how I can run away from this Nigeria if I do this, because if I don't run away from this country after i made the transfer, I will be seriously in trouble and my life will be in danger. Please this is like a Mafia setting in Nigeria, you may not understand it because you are not a Nigerian. The only thing I will need to release this fund is a special HARD DISK we call it HD120 GIG. I will buy two of it, recopy your information, destroy the previous one, punch the computer to reflect in your bank within 24 banking hours. I will clean up the tracer and destroy your file, after which I will run away from Nigeria to meet with you. If you are interested.

SPECIAL INFORMATION: YOU WILL SEND THE FEE FOR THE HARD DISK FIRST BEFORE I MAKE YOUR TRANSFER OR YOU BUY THE HARD DISK IN YOUR COUNTRY AND SEND IT TO ME,DON'T CONTACT ME IF YOU CAN NOT SEND THE HARD DISK FEE FIRST OR THE HARD DISK. AS SOON AS I RECEIVED YOUR EMAIL I WILL LET YOU KNOW HOW MUCH THE DISK WILL COST YOU. Do get in touch with me immediately, You should send to me your convenient tell/fax numbers for easy communications and also re confirm your banking details, so that there won't be any mistake. For phone conversation,please call me on +234-8052520211

Regards, Miss FAITH OKEKE
In the wake of the Anthem breach, which affected approximately 80 million customers, cyber-criminals are launching phishing attacks by faking notifications from the company. They look pretty convincing (see photo) and unfortunately, a lot of gullible people are liable to fall for the ruse.
Cyber-criminals often use alarming news stories to develop phishing campaigns and profit from unwary users who fall for the scheme. In this case, the crooks provide a link to a free year of credit monitoring for those who click the link. All that will happen, however, is that the victim’s credit card information will be stolen.
Anthem has put up a FAQ page to deal with the breach. On that page, Anthem says, “Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge so that those who have been affected can have peace of mind.” Note that they put no time limit on said monitoring and protection.
The company has also established a toll-free number, 1-877-263-7995, which currently delivers a recording warning of the phishing attempts and also outbound call scams directed at current and former members. The recording warns, “These emails and calls are not from anthem and no notifications have been sent from anthem since the initial notification on Feb. 4, 2015.” The recording further states that all notifications will be sent out in the coming weeks via snail mail.
My standard advice in these situations is always:
- NEVER click on any links in emails.
- NEVER reply to such emails or communicate in any way with the senders.
- NEVER provide any information in any website that has popped open, whether or not you have clicked on a link in an email.
- NEVER open email attachments.
- NEVER give any caller who contacts you any personal information. Hang up and call the company directly.
The Federal Trade Commission has an excellent Consumer Information page on how to spot phishing scams.
Nearly six years ago, I posted “10 Immutable Laws of Security” on this blog. That post was based upon a Microsoft TechNet article “10 Immutable Laws of Security” and included my comments relative to the security universe at the time. I believe that this information is even more relevant than it was when originally posted, so I’m bringing it back with my comments relative to the security universe as it exists in 2015. We are our own enemies when it comes to security and perhaps these laws can help some see the light.
I work in a career college environment servicing the needs of students who, while having grown up in an era where technology is ubiquitous, are not conscious of its vulnerability and risks. They take it for granted. Some of them are in awe of it and consider it no less than practical magic. They have little or no understanding of what makes their devices tick. They think that every message on their screen is something they should act upon, so when the drive-by malware warns them of “1080 viruses and errors” on their computer, they click the “Fix” button. Yeah, this fixes them all right; they’re now pwned. They trust the technology out of ignorance.
As in #1, there’s a degree of trust that the operating system is doing what it’s supposed to be doing. If the OS is altered by a bad guy, then it’s doing his bidding, not yours.
Physical security isn’t complicated. My Security Maxim #8 covers it admirably. I would also say that if a child or someone who doesn’t know better has access to your computer, it’s not yours anymore. I constantly fix problems caused by the children, the friend or the spouse.
That’s an understatement. Not only is it not your website anymore, but you’ve just become an unwitting accomplice in whatever havoc the bad guy wreaks. There is no reason in the world to allow anyone to upload programs to your website before you have the chance to vet them.
I am reminded of a friend who was baffled when he discovered that his PC was part of a P2P network being used to transfer pirated music. He couldn’t understand why his firewall “quit working” suddenly (he had P2P blocked on his router). Long story short, his teenage son had guessed the router password and changed the configuration. See Law #3, and heed my advice and make your passwords unguessable.
If you can’t trust the admin, you can’t trust the PC. The administrator can install anything he wants. If the accounts on the computer are administrator accounts, then anyone can install anything. See Law #3 above.
Make sure that your decryption key is kept in a secure place, not on your computer. It’s best to memorize it, but if you can’t, store it on a memory card and put it in your wallet. Make two copies and keep one in some other physically secure place. The first place the bad guy is going to look is on the hard drive.
Out-of-date anti-virus and anti-malware software of any kind won’t protect you against the inevitable new variants that come along. Keep it updated, automatically, if possible.
As it says in the article: “All human interaction involves exchanging data of some kind. If someone weaves enough of that data together, they can identify you.”
Never has this been more true than in 2015. No matter how sophisticated the hardware and software become, they’ll never replace common sense and sound security policies and practices.
In the wake of cyber-attacks that have occurred over the past year, we have all been more concerned than usual about our organizations’ network security. Questions such as, “Is my security software up to date?” and “Am I current on firmware updates in my router and firewall?” and “Am I doing all I can to detect and/or prevent an attack?” tend to keep us a bit edgy. Certainly, we all do our best but there is always that nagging concern about our best being good enough. How tight does our security really have to be? Perhaps taking a closer look at the hacking universe in general might help to allay some of those fears.
The January issue of Bruce Schneier’s Cryptogram features an essay, “Lessons from the Sony Hack,” that breaks down the types of hackers and their hacking methods into a few easy-to-understand categories. Essentially, there are two types of hacks: Opportunistic and targeted. An opportunistic attack is one where the attackers don’t really care who they hit, they’re just looking for large databases of information that could be valuable. The vast majority of attacks fall under this category. Schneier cites the Home Depot attack as opportunistic. A targeted attack is one where the attackers are going after a specific victim; Sony, for example. To further divide things, he talks about the skill and focus of the hackers.
You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus — people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet. [Opportunistic]
High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered “zero-day” vulnerabilities in software, systems and networks. This is the sort of attack that affected Target, J.P. Morgan Chase and most of the other commercial networks that you’ve heard about in the past year or so. [Opportunistic]
But even scarier are the high-skill, high-focus attacks — the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies, using such spying tools as Regin and Flame… [Targeted]
This represents a sort of scale of probability of you or your organization becoming a target: you are most likely to experience a low-skill, low focus attack and least likely to experience a high-skill, high-focus attack.
My take on it is simply that if you are timely in keeping your software patched against known vulnerabilities, your critical networking equipment updated with the latest firmware, proactively staying informed about the latest threats, and actively promoting security awareness in your organization, then you’re about as safe as you can hope to be. I don’t think that any of us can afford, either financially or mentally, to try to keep ourselves completely safe from the high-skill, high-focus attacker. I’ll leave you with this:
Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable. But good security makes many kinds of attack harder, costlier and riskier. Against attackers who aren’t sufficiently skilled, good security may protect you completely.
. . .
Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.
It’s a new year and with that comes New Year’s Resolutions. Whether or not you have made any resolutions to be more secure in 2015, it won’t hurt to make or re-affirm one now. One of the best steps you can take is to implement two-factor authentication (2FA) everywhere you can. To help you out with that, here is a roundup of my past posts on the subject along with a good, simple video that not only explains what 2FA is, but how to set up your Google account to use it.