Security | Bach Seat

Tag Archive for Security

RB | October 16, 2014

Comments Off

How to Spot Phishing

Phishing scams are spam emails sent by cyber-criminals that can lead to identity theft at home and data breaches at work. Phishing attacks pretend to be from a legitimate person or organization to trick you into revealing personal information. A phishing attack begins when a cyber-criminal sends an email that looks like it originates from your bank.

The email might hint at a problem with your account asking you to “confirm” account information by clicking on a link that takes you to a fake website. The fake website asks you to type in your bank account user name and password. The goal is to convince the target that the web page is legitimate so that they will enter their credentials. Once entered, attackers can access an individual’s finances.

Phishing attacks

RSA reports 2013 was a record year for phishing attacks. They report that nearly 450,000 phishing attacks were launched in 2013 with losses estimated to be nearly $6 Billion. The security firm believes that these attacks will continue for the foreseeable future. They point out that it only costs an attacker $65.00 to spam 500,000 email addresses.

Symantec reports (PDF) that 1 in every 392 emails a user receives is a phishing attempt. 71% of the phishing attacks were related to spoofed financial organizations and login credentials for accounts seem to be the main information phishers are looking for. Dell SecureWorks delved into the depths of the online underground economy and found the value of personally identifiable information (PII).

value of personally identifiable information

Visa and Master Card account numbers are worth up to $15
American Express account numbers are worth up to $18
Date of Birth (DOB) is worth up to $25

On his excellent website, Brian Krebs revealed the black market value of hacked credentials.

Active accounts at Facebook and Twitter retail for just $2.50 apiece,
$4 buys hacked credentials at wireless providers ATT.com, Sprint.com, Verizonwireless.com, and Tmobile.com,
Groupon.com accounts fetch $5,
Fedex.com, Continental.com, and United.com accounts for go for $6.
iTunes accounts go for $8 on the cyber underground economy.

medical records

In a new phishing twist, attackers are going after medical records to exploit the broken healthcare industry. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cybercrime protection company.

With these threats in mind, PhishMe developed an infographic, click on the image below to see the complete image.

PhishMe infographic

rb-

Since many cyberattacks originate with phishing emails, the best way for organizations and individuals to protect themselves online is to recognize and avoid phishing emails.

Phishing attacks target Google accounts, warns Bitdefender (computerweekly.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2014, Amex, email, Facebook, FB, Master Card, Phishing, PhishLabs, PII, Security, SPAM, Twitter, TWTR, Visa

RB | October 14, 2014

Comments Off

25 Years of the Firewall

25 Years of the Firewall The firewall has turned 25 years old this year. In commemoration, McAfee created a timeline of the events that shaped the development of the device most of us rely on the protect ourselves from each other. The infographic shows how the firewall’s evolution coincided with high-profile security events:

1995: WM/Concept first virus to spread through Microsoft (MSFT) Word
2000: First denial-of-service attack discovered
2008: Conficker infects 9-15 million Microsoft systems.

These security breaches triggered security developers to react with more advanced firewall technology:

1998: Evasions researched
2009: Native clustering for high availability and performance introduced
2012: Software enabled security introduced, making blade technology obsolete.

The first generation firewalls were called Packet Filters. Packet Filter firewalls look at network addresses and ports of the packet and determine if that packet should be allowed or blocked based on rules programmed by humans. If a packet does not match the packet filter’s ruleset, the packet filter will drop or reject the packet, breaking the connection.

The second generation firewalls do stateful packet inspection. According to Wikipedia, second generation firewalls record all connections passing through it and determines whether a packet is the start of a new connection, a part of an existing connection, or not part of any connection. Though static rules are still used, these rules can now contain a connection state as one of their test criteria.

Third-generation firewalls use application layer filtering which can “understand” certain applications and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP)). This is useful as it is able to detect if an unwanted protocol is attempting to bypass the firewall on an allowed port or detect if a protocol is being abused in any harmful way.

Next Generation Firewall Pat Calhoun, SVP at McAfee, explained in a Help Net Info article that it was not until 2009 when the fourth generation firewall we know and love began to evolve. In 2009 Gartner published its definition and a paper on “Defining the Next-Generation Firewall. (PDF)” According to its definition, NGFWs are:

…deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.

In its paper, the Gartner authors explain that “Firewalls need to evolve to be more proactive in blocking new threats, such as botnets and targeted attacks.” Mcafee’s Calhoun points out that NGFW discussions started in 2003 but the technology really didn’t get on the right track until Gartner defined it in 2009.

Intel 25th Anniversary of the Firewall infographic

rb-

Future NGFW development efforts need to integrate application control, IPS, and evasion prevention into a single, purpose-built box with enterprise-scale availability and manageability solution.

Back in the day, 2000, I managed a Checkpoint firewall IPSO ver 3.0 on a Nokia appliance (IP300?). The thing was the network had been up and running for 3 years and included over 3,000 devices before the Checkpoint was put in. Can’t get away with that now, a naked PC on the Innertubes will be compromised within minutes to hours, according to those who know that kind of stuff.

The most vivid recollection of setting the thing up was just randomly mashing on the keys to create the first key. Other network guys were amazed because apparently, this was the first firewall many had seen with a GUI to configure the rules.

I also remember learning the hard way that Deny All goes at the bottom of the list, not the top.

Enterprise Firewall Market: Global Forecast to 2019 by Professional Services (mynewsdesk.com)

Category: Uncategorized | Tags: 2014, application layer filtering, Computer security, Denial-of-service attack, Gartner, IT, McAfee, Microsoft, MSFT, Next-Generation Firewall, Packet filter, Security, stateful packet inspection

RB | October 2, 2014

Comments Off

Superman Most Dangerous on Web

Superheroes are supposed to be our friends but sometimes a plot twist allows their arch-enemies to trick our heroes turn against us. This is also true on the intertubes. Attackers are using our superheroes to infect computers to scam people into visiting compromised sites and downloading dangerous software according to Santa Clara, California-based McAfee.

The security company scoured the web and identified the most dangerous superheroes online. The report, “Most Toxic Superhero 2014” estimates how likely the average user is to come across malware by searching for the name of any given superhero.

McAfee lined up 11 likely suspects. They gathered viable threat evidence from popular search engines like Google (GOOG), Yahoo (YHOO), and Microsoft (MSFT) Bing for spyware, adware, spam, phishing, viruses, and other malware. The company also searched each superhero’s name in conjunction with common phrases like “free torrent download” and “free app,” as seeding fake torrents is a common way for attackers to infect computers.

The most dangerous superheroes online by percent of his search traffic leading to unsafe sites are:

Superman 16.5%
Thor 16.35%
Wonder Woman 15.7% (tied)
Aquaman 15.7% (tied)
X-Man Wolverine 15.1%
Batman 14.2%
Black Widow 13.85%
Captain America 13.5%
Green Lantern 11.25%
Ghost Rider 10.83%

McAfee tells citizen do-gooders to protect themselves by:

Beware of clicking on third-party links. You should access content directly from the official websites of content providers.
Ensure you use web protection that will let you know of risky sites or links before you visit them. Stick to official news sites for breaking news.
Don’t download videos from suspect sites. This should be common sense, but it bears repeating: don’t download anything from a website you don’t trust — especially video. Most news clips you’d want to see can easily be found on official video sites and don’t require you to download anything.
“Free downloads” are by far the highest virus-prone search term. Anyone searching for videos or files to download should be careful not to unleash unsafe content such as malware onto their computers.
Always use password protection on your phone and other mobile devices. If you don’t and your phone is lost or stolen, anyone who picks up the device could have access to your personal information online.
Don’t “log in” or provide other information: If anything asks for your information—credit card, email, home address, Facebook login, or other information—to grant access to an exclusive story, don’t give it out. Such requests are a common tactic for phishing that could lead to identity theft.
Search online using an Internet security program in the background. These tools protect users from malicious websites and browser exploits. A complimentary version of McAfee’s SiteAdvisor software can be downloaded at www.siteadvisor.com

rb-

Whether you live in Metropolis or Gotham, do-gooders need not work very hard to avoid these scams. Avoid dark alleys where superhero websites tend to have the same flaws as any other unsafe page. Keep an eye out for typos and files that look suspicious. Run an Internet security program in the background (your antivirus or anti-malware program probably has one built-in). Lastly, check what other commenters say before downloading a torrent.

Mobile malware: Past and current rends, prevention strategies (cloudentr.com)

Category: Uncategorized | Tags: 2014, Batman, Captain America, Malware, McAfee, Phishing, Security, SPAM, Superhero, Superman, Virus

RB | September 25, 2014

Comments Off

Internet of Things Full of Holes

The Internet of Things, is big and heading towards huge. The Internet of Things (IoT) is a system where unique identifiers are assigned to objects, animals, or people. These “Things” then transfer data over a network without requiring human-to-human or human-to-computer interaction. Whatis.com says IoT evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS), and the Internet.

Business Insider believes that the IoT will be the biggest thing since sliced bread. They claim there are 1.9 billion IoT devices today, and 9 billion by 2018, which roughly equal to the number of smartphones, smart TVs, tablets, wearable computers, and PCs combined. Gartner (IT) predicts that there will be 26 billion IoT devices by 2020. Based on a recent article in InfoSecurity Magazine is a very scary thing.

The InfoSecurity article says HP (HPQ) found 70% of the most common IoT devices have security vulnerabilities. HP used its Fortify On Demand testing service to uncover security flaws. HP detected flaws in IoT devices like TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers as well as their cloud and mobile app elements according to the new study.

HP then tested them with manual and automated tools and assessed their security rating according to the vendor neutral OWASP Internet of Things Top 10 list of vulnerability areas. The author concludes that the results raised significant concerns about user privacy and the potential for attackers to exploit the devices and their cloud and app elements. Some of the results are:

A total of 250 security concerns were uncovered across all tested devices, which boils down to 25 on average per device,
90% of devices collected at least one piece of personal information via the device, the cloud, or its mobile application,
80% of devices studied allowed weak passwords like 1234 opening the door for WiFi-sniffing hackers,
80% raised privacy concerns about the sheer amount of personal data being collected,
70% of the devices analyzed failed to use encryption for communicating with the Internet and local network,
60% had cross-site scripting or other flaws in their web interface vulnerable to a range of issues such as the Heartbleed SSL vulnerability, persistent XSS (cross-site scripting), poor session management and weak default credentials,
60% didn’t use encryption when downloading software updates.

Mike Armistead, VP & General Manager, HP Fortify, explained that IoT opens avenues for attackers.

While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface … With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.

HP urged device manufacturers to eliminate the “lower hanging fruit” of common vulnerabilities. They recommend manufacturers, “Implement security … so that security is automatically baked in to your product … Updates to your product’s software are extremely important.”

Antti Tikkanen, director of security response at F-Secure, told InfoSecurity said the problems HP uncovered in this report were just the tip of the iceberg for IoT security risks.

One problem that I see is that while people may be used to taking care of the security of their computers, they are used to having their toaster ‘just work’ and would not think of making sure the software is up-to-date and the firewall is configured correctly … At the same time, the criminals will definitely find ways to monetize the vulnerabilities. Your television may be mining for Bitcoins sooner than you think, and ransomware in your home automation system sounds surprisingly efficient for the bad guys.

rb-

I covered the threats that IoT or “smart” devices presented back in 2012. I don’t know where HP (or the rest of the security community) has been.

The current generation of “smart” devices does not seem to have any security. Most likely the manufacturer did not consider basic security or worse calculated it was better to ignore the secure design in their rush to gain market share.

It is also annoying that HP did not reveal the details on the products they tested.

Internet of Everything Is Hackable (inventorspot.com)

Category: Uncategorized | Tags: 2014, Bitcoin, Business Continuity, Cloud computing, CSS, Disaster recovery, Encryption, Gartner, Heartbleed, HP, HPQ, Internet of Things, IOT, Malware, Mobile, Network, Password, Ransomware, Security, Wi-Fi, Wireless

RB | September 18, 2014

Comments Off

10 Policies to Minimize BYOD Risk

The challenge for employers offering BYOD, according to schnaderworks, a labor and employment blog from Schnader Harrison Segal & Lewis LLP, is finding the right cost/benefit balance for their businesses. In developing an effective “bring your own device” (BYOD) policy, employers must first identify which employees will be eligible for the program according to the blog.

Once the basic parameters are set, the lawyers stress a written policy is essential to set up ground rules and permit enforcement to protect the company’s data and other interests. They suggest the following steps are key to establishing an effective BYOD policy:

1. Establish a Mandatory Authorization Process: The lawyers say this should be completed before an employee can use company data and systems on a personal mobile device.

2. Require Password Protection: Each authorized device should have the same password protection as an employer-issued device. According to the article, such protections include limiting the number of password entry attempts, setting the device to time out after a period of inactivity, and requiring new passwords at regular intervals.

3. Clarify Data Ownership: A BYOD policy should specifically address who owns the data stored on the authorized device. It should be clear that company data belongs to the employer and that all company data will be remotely wiped from the device if the employee violates the BYOD policy, terminates employment, or switches to a new device. The policy should also alert employees that it is their responsibility to backup any personal data stored on the authorized device states the article.

4. Control the Use of Risky Applications and Third Party Storage: Schnader Harrison Segal & Lewis recommends employers may want to ban the use of applications that present known data security risks, such as the use of “jailbroken” or “rooted” devices and cloud storage.

5. Limit Employee Privacy Expectations The BYOD policy should clearly disclose the extent to which the employer will have access to an employee’s personal data stored on an authorized device and state whether such personal data is stored on the company’s backup systems. The article recommends minimizing the co-mingling of company and personal data. Employers may want to install software that permits the “segmenting” of authorized devices. However, no matter what measures the company takes to preserve employee privacy, the policy must emphasize that the company does not guarantee employee privacy if an employee opts in to the BYOD program.

6. Address Any Business-Specific Privacy Issues: Certain businesses are subject to legal requirements about the storage of private personal information (such as social security numbers, drivers’ license numbers, and credit and debit card numbers, etc.) which may need to be addressed in a BYOD policy. The blog points out that HIPAA requires native encryption on any device that holds data subject to the act. An employer may need to put in place processes prohibiting or limiting remote access for certain categories of sensitive data.

7. Consider Wage and Hour Issues: Permitting employees to use an authorized device for work purposes outside of the employee’s regular work hours may trigger wage and hour claims. The lawyers suggest the BYOD policy should set forth the employer’s expectations about after-hours use (such as a requirement that non-exempt employees must refrain from checking or responding to work emails, voice mail, and texts after hours) (rb- Yeah).

8. Ensure Compliance with Company Confidentiality Policies. The author says a BYOD policy should reiterate that an employee using an authorized device must comply with all company policies on confidentiality and the “acceptable use” of company information.

9. Spell Out Procedures In Case of Loss or Theft: The employer should set up a specific protocol to be followed in the event an authorized device is lost or stolen. The blog says the process should include the prompt reporting of a lost or stolen device and the remote wiping of the device.

10. Document Employee Consent: Finally the law firm, in good lawyer form, suggests the employer should get an employee’s written consent to all terms and conditions of the BYOD policy.

Where to start with BYOD security (techpageone.dell.com)

Category: Uncategorized | Tags: 2014, BYOD, HIPAA, Legal, Mobile, Password, Policy, Privacy, Security

« Older Entries Recent Entries »

Bach Seat

Tag Archive for Security

How to Spot Phishing

Phishing attacks

value of personally identifiable information

medical records

Related articles

25 Years of the Firewall

Related articles

Superman Most Dangerous on Web

Related articles

10 Policies to Minimize BYOD Risk

Related articles

Meta