Spear Phishing

As long as there have been people, there have been scammers of some kind. Today, cyber-criminals use the same technology that helps everyone else in their daily lives – the only difference is that they use it for wrongdoing.

The outcome of the JPMorgan Chase & Co. hack is that over 76 million user accounts were compromised. It is also very likely that other banks were breached by the same attackers. The breach of JPMorgan Chase should serve as a reminder that even large, sophisticated businesses can be breached by today’s phishing expeditions.

Attackers were able to penetrate JPMorgan Chase’s defenses and roam their networks undetected for months, most likely due to one worker who fell victim to a spear phishing attack. Corporate security and hackers are engaged in an asymmetric fight right now. The good guys have to protect the entire enterprise, while the bad guys only need a single point of failure to gain access: just one user to fall victim to a spear phishing attack and they are in.

The bad guys have the advantage. Anyone can claim to be a Nigerian prince from behind their computer screen and bilk unsuspecting targets for their financial information over email. All it takes is a valid email account – personal or otherwise. With the hackers’ advantage in mind, here are some tips to help avoid spear phishing attacks and deny the attackers access to your firm.

Know your enemy – Today’s phishing attacks are not the crude, typo-filled emails from Nigeria of yesteryear. Spear-phishers carefully research their targets. They will know your manager’s name, names of your co-workers, and perhaps the projects you’re assigned to. This knowledge and detail make spear-phishing very effective.

No matter what the nature of an email account is, it is susceptible to all the dangers of the Internet. This is bad news for businesses that use email, and a lot of organizations out there fit that bill to a T. The more that a company uses email, the greater the chance that they will experience a data breach of some kind.

There is really nothing stopping a well-crafted phishing scam from appearing in a corporate inbox and fooling an unwitting employee. Here is a look at three of the email-based scams that could be threatening your business right now:

1) Vendor identity fraud – According to a report from Virginia TV station WHSV, the Better Business Bureau is warning businesses of a recent scam that targets this daily operation as a way to siphon money from corporate bank accounts. The BBB describes the attack:

As part of your job, you pay invoices for several of your business’s vendors … One day, you receive an urgent email from an executive in your company telling you to change how you pay invoices from a vendor. Instead of sending a check, you now need to wire the money straight to a bank account.

This phishing attack is made possible by malicious hacking. Cybercriminals break into company emails and gain enough information to impersonate one of the organization’s suppliers. Next they send off the false email that tells some poor admin to wire the payment to the hackers instead of the supplier, leaving businesses out hundreds of thousands of dollars depending on the nature of the vendor.

2) Hackers impersonate branch of FBI – Nobody likes being accused of crimes that they didn’t commit. This is especially true when the FBI is involved. But a new scheme involving the Internet Crime Complaint Center has many people thinking their arrest is imminent if they do not fork over a hefty fine via online transaction – something that is unheard of in actual law enforcement agencies and that the FBI has been forced to address. DailyFinance contributor Mitch Lipka wrote:

The emails claim that the victim is the subject of a criminal report and that charges are forthcoming … They are then told that they have one or two days to respond or risk arrest, IC3 said. Those who respond are told they have to send money via prepaid cards if they want to avoid prosecution.

3) New Zealand law firms fooled by “clients” – Lawyers are trained to always read between the lines and examine the fine print in legal documents, but what about in their supposedly-secure communications?

This is one concept that has been inadvertently brought up in New Zealand thanks to a scam targeting law firms and their clients. There are plenty of things that can be done over email, but that doesn’t mean that they should be. Client and lawyer communications are one of these tasks. According to The National Business Review, criminals will pose as either a law professional or someone they currently represent, asking the opposite party to make a payment or carry out a transaction. This not only puts funds in danger, but also sensitive information. This may land a law firm in serious legal trouble.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Snoops Offer Security Tips

In one of the more ironic, notice I did not say tragic, turns in the post-Snowden era, the National Security Agency (NSA) has published a report with advice for companies on how to deal with malware attacks. FierceITSecurity says the report (PDF) boils down to “prevent, detect and contain.” To be more specific, the report recommends that IT security pros:

  • Segregate networks so that an attacker who breaches one section is blocked from accessing more sensitive areas of the network;
  • Protect and restrict administrative privileges, in particular high-level administrator accounts, so that the attacker cannot get control over the entire network;
  • Deploy, configure, and monitor application whitelisting to prevent malware from executing;
  • Restrict workstation-to-workstation communication to reduce the attack surface for attackers;
  • Deploy strong network boundary defenses such as perimeter and application firewalls, forward proxies, sandboxing and dynamic analysis filters (PDF) to catch the malware before it breaches the network;
  • Maintain and monitor a centralized host and network logging product, after ensuring that all devices have logging enabled and their logs are collected, to detect malicious activity and contain it as soon as possible;
  • Implement pass-the-hash mitigation to reduce credential theft and reuse;
  • Deploy Microsoft (MSFT) Enhanced Mitigation Experience Toolkit (EMET) or other anti-exploitation capability for devices running non-Windows operating systems;
  • Employ anti-virus file reputation services (PDF) to catch known malware sooner than normal anti-virus software;
  • Implement host intrusion prevention systems to detect and prevent attack behaviors; and
  • Update and patch software in a timely manner so known vulnerabilities cannot be exploited.

The author quotes from the report:

Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all the data that is on the network … While there may be some tools that can, in limited circumstances, prevent the wholesale destruction of data at that point, the better defense for both industry and government networks is to proactively prevent the actor from gaining that much control over the organization’s network.

rb-

For those who have not been following along, the TLAs have been attacking and manipulating anti-virus software. That is some of the same stuff they recommend installing.


BP Connects Oil Rigs to Internet

In one of the stupidest moves outside of the U.S. gooberment lately, British Petroleum (BP) has connected 650 of its oil wells to the “Industrial Internet.” The same BP that spilled 4.9 million gallons of oil into the Gulf of Mexico in 2010 now plans to connect 4000 oil rigs around the world to the Internet, via the Internet of Things.

An article at FierceBigData says that by connecting its wells to the Internet of Things (IoT), BP engineers will gain real-time access to common machine and operational data sets. The aim is to use the data to make better decisions, improve efficiency, prevent failures and reduce costly downtime.

Kate Johnson, General Electric (GE) Intelligent Platforms Software CEO and GE Chief Commercial Officer, who is running the project for British Petroleum, said in a statement to the press:

… our strategy is simple: Get Connected. Get Insights. Get Optimized. By connecting BP’s oil wells around the world, we’re giving them access to better insights that can ultimately drive new efficiencies in their oil fields and increase oil production.

Apparently, GE’s software will allow BP to capture, store, contextualize and visualize data in real-time.

The author clarifies that “Industrial Internet” is a term GE coined for the Internet; there are just more things connecting to it. And many of the same problems will grow as a result, namely security issues and data breaches galore. Here’s hoping BP and GE are careful to build security in from the ground up rather than in add-ons as an afterthought. Hopefully there were lessons learned from the Internet’s earlier days.

rb-

The latest IoT insecurity is that Chrysler cars with U-Connect can be cyber-toged from miles away. I have covered IoT insecurity issues for a while here, here and here. With all of that in mind..

Like the author says, hopefully GE gets it right, because BP’s track record is abysmal. If they don’t get it right, economic terrorists could use flaws in the IoT to cut off oil production from these wells to drive up the cost of oil from other wells in the Middle East. Ecological terrorists could use these same flaws to blow up oil rigs like what happened at Deepwater Horizon in 2010 and contaminate all of the Gulf of Mexico or the Alaska North Slope or Africa or Saudi Arabia. What would happen if they were able to blow up all 4,000 wells due to weaknesses in the IoT stack?


Apple favors IPv6 as IPv4 Dries Up in US

The American Registry for Internet Numbers (ARIN) has reported that the IPv4 well is just about dry in North America. On 01 July 2015, ARIN had to refuse a request for a block of IPv4 addresses. The ARIN statement says that there are still a few IPv4 numbers available in smaller block sizes, but for all intents and purposes, there are no more unassigned public IPv4 addresses. As of July 18, 2015 the ARIN IPv4 Depletion page reports only 335 /24 IPv4 address ranges are available.

The good news, according to FierceEnterpriseCommunications, is the IPv4 drought isn’t yet affecting most of the internal networks of enterprises, but it’s just a matter of time before it starts to have a greater impact on the largest of enterprises. Microsoft (MSFT), for instance, found it was out of IPv4 addresses a few weeks ago. And for the first time in ARIN’s history, they denied a company that requested a large block of IPv4 addresses. Tom Coffeen, chief IPv6 evangelist at Infoblox, in a statement to FierceEnterpriseCommunications explained:

Though the IPv4 well has run dry and threatens service providers, the sky hasn’t yet landed on enterprise networks … Most enterprises still rely on private IPv4 for their internal networks. The small number of public, routable IPv4 addresses required to connect enterprise networks to the Internet is typically provided by the ISP, making IPv4 much more critical for Internet services providers.

One company that is reacting to IPv4 scarcity is Apple (AAPL). Apple’s latest operating systems – iOS 9 for iPhones and iPads and OS X El Capitan for Macs – are designed to take advantage of IPv6. The new operating systems select the fastest connection with the lowest latency, whether IPv4 or IPv6, using the Happy Eyeballs algorithm, explained David Schinazi, CoreOS networking engineer at Apple. Devices use the Happy Eyeballs algorithm to decide which protocol to use, as many applications use a “dual stack” approach to networking, making available both IPv4 and IPv6 connections.

FierceMobileIT says this worked out to be a 50/50 split between IPv4 and IPv6 in iOS 8 and OS X Yosemite, but for the new OSes, IPv6 will be chosen by the algorithm around 99 percent of the time, according to Apple beta testing. Apple’s Schinazi wrote in a post on the Internet Engineering Task Force mailing list that Apple considers IPv6 mainstream.

IPv6 is now mainstream instead of being an exception, there are less broken IPv6 tunnels, IPv4 carrier-grade NATs [network address translations] are increasing in numbers, and throughput may even be better on average over IPv6

The author reports that testing performed by Apple shows that the new OSes should use IPv6 addresses around 99 percent of the time. Apple operating systems have supported IPv6 by default for Mac users since the OS X 10.2 Jaguar release in May 2002.

Mr. Schinazi cautioned that both OSes are in beta so things might change for the final versions. “If this behavior proves successful during the beta period, you should expect more IPv6 traffic from Apple products in the future,” he added.


Thought Crimes Project Managers Make

The folks at TaskWorld designed this infographic as a warning to project managers about 5 thought crimes that PMs should never ever think. The article says these thought crimes can be a real impediment to your ability to be a good project manager. One of the characteristics of a good manager is their ability to show a level of maturity when handling their staff.

Project Manager Thought Crimes


rb-

Of course I have never been guilty of any of these assumptions. I do know a guy who has tripped over a few of these road-bumps.
