For your convenience and to learn more on how to protect yourself you can also check out this video:

Video not displaying? You can also view it on Youtube.

Here is the entire text of the message (added to properly index this article with the search engines):

Attn: Financial Department

By this message we would like to inform you about the recent alterations in the FDIC insurance coverage for transaction accounts.

During the period from December 31, 2010 to December 31, 2012 all the money in a “noninterest-bearing transaction account” are insured in full by the Federal Deposit Insurance Corporation. Please note, that this measure is temporary and separate from the FDIC’s common deposit insurance regulations.

The term “noninterest-bearing transaction account” includes a traditional checking account or demand deposit account on which no interest is paid by the insured depository institution.

For detailed information about temporary FDIC insurance coverage of transaction accounts, please view the official site link.

Yours sincerely,
Tad Melendez.

Federal Deposit Insurance Corporation

Duqu not Dooku, Image Credit Tracheotomy Bob

The Duqu Remote Access Trojan (RAT) that hit the wild in Europe this week is not a character in the latest Star Wars movie. While it sounds like a George Lucas inspired character duqu comes from the ~DQ prefix that researchers noticed this previously unknown malware was adding to files it creates when it was discovered. I am sure Dairy Queen is happy with their choice. Joking aside this virus is no laughing matter. It seems to have been written by the authors of or with the benefit of the Stuxnet source code. Stuxnet is the virus that was believed to have setback the Iranian nuclear program last year. It’s smaller and appears to be designed to spy on infected computers with a combination of a key stroke logger, a data siphon and remove itself after eluding detection for 36 days.

A new breed of threat

One disconcerting aspect of this particular Trojan is that one of the drivers in a variant used a signed certificate of a known organization in Taiwan. That means that a windows machine will treat that driver as a legitimate driver, just like one you’d download to access a new hardware device on your Windows PC. Luckily the certificate has been revoked. This particular malware mask’s it’s presence on the infected machine quite well providing a challenge to detect.

What can you do to protect yourself?

All of the best practices that apply to information security will help you avoid Duqu. This includes:

1. Keeping your critical components up to date.
2. Cautious web surfing and Email habits.
3. Avoid public charging kiosks.
4. Avoid flash drives from unknown sources.

Can we prevent this?

Seeing as the machines that were infected with this Trojan were hit when it was “Zero-Day” it is prudent to consider what other means may have prevented the infection. If it ends up that this virus communicates with hosts in remote countries that a security solution I recently proposed would prevent the infection from transferring or downloading any information rendering it useless.

More information

• Symantec White Paper
• Wired Article

If you found this article helpful or interesting please share it with your friends.

Image compliments of Sandia Labs (Creative Commons)

Last week the SEC released a Disclosure Guidance Document on Cyber Security. The document was a direct response to the dependence on digital technologies and the increased risks associated with Cyber Security. While the SEC guidance was aimed at publicly traded companies, the information in and the existence of the document should raise eyebrows at any business.

An ounce of prevention truly is worth a pound of cure

The document contained extensive guidance for organizations including before, during and after a cyber security incident. Perhaps the most interesting suggestion in this particular document is the call to disclose risk:

Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.

This is something all businesses should be asking themselves, not based on guidance from the SEC or specific directives such as HIPAA but rather because it is the right thing to do. We as businesses are stewards of our clients critical information. In many cases prevention is less expensive than we might think and much less expensive than the liability associated with a failure to prevent a cyber security event.

In response to the extraordinary role that Cyber Security has played in our modern connected world Managed Solutions introduced a program called Secure Enterprise in 2002 to assist businesses with protecting critical enterprises of any size. You can join the conversation about Cyber Security on our Facebook page.

In January of this year I shared some insights on USB device security while covering a USB Human Interface Device (HID) security issue. While companies have made headway including a reduction in “Autorun” infections issues related to USB capable devices have been subjected to a number of additional threats. It is these threats that encouraged this update to arm you with knowledge so you can better protect yourself.

Juice Jacking

While it sounds like a way criminals might steal electricity it is actually how criminals can use charging kiosks to install malware on your portable devices. A charging kiosk is a public resource for charging your USB capable devices such as your Android Phone or iPhone. Imagine plugging into one of these kiosks and getting your smart phone or portable device infected with malware. Once infected your mobile device can then propagate said malware to your PC, Mac or any other computer you might connect it to in the future. Then using an autorun vulnerability that malware can then infect any flash drive inserted into the computer. See how this cycle can quickly spiral out of control? We can break this cycle easily:

Don’t plug your phone into any public USB outlet or charging kiosk, carry your own charger and use an electrical outlet.

Your own personal charger is your protection (pictured below, left), they convert the Alternating Current (AC) to DC suitable for charging a USB device. You can also just use your own laptop and a USB cable to accomplish this.

Use these!

Not these!

A survey…

In advance of this post I posted a survey via Facebook and our own blog to see if our readers and friends were using public charging stations. I’m proud to report that 70% of respondents had not used them and only 30% had. Hopefully after reading this you won’t use them, it’s just not worth the risk.

Additional related content:

• #infosec hashtag search on Twitter (get the latest real time information)
• The #Infosec Weekly (A summary online publication of recent content shared by Information Security related Twitter Accounts)
• Security Investigator Brian Krebs piece on a charging kiosk located at the Defcon hacker conference. (partial inspiration for this post, also a great resource if you want to learn the ins and outs of information security)
• Managed Solutions on Facebook (We share lots of information security related information on our page, like us to get these updates.)

If your computer recently got infected and you paid to get it cleaned up or restored from a backup, this article was written just for you!

Fixing avoidable problems is not “fun”

Contrary to what many might believe, we don’t enjoy or look forward to fixing broken computers. What we really love to do is prevent them from needing to be repaired or otherwise enhancing your business using technology like WordPress. Since we don’t live in that perfect utopia and things do break on occasion and systems get compromised, the intention of this article is to help you avoid some of these issues in the future.

Information Security is Challenge

There are so many threats that face you as a user (Factoid: There are 43 posts on this site that use the Security category and that is practically all we share on our Facebook page these days!). In spite of what often appears to be a swell (Tsunami?) of threats, there are certainly things that you can do to protect yourself.

Step 1 – Admit that you have a problem Opportunity.

If your computer got infected it was due to a problem. The most likely three scenarios are:

1. Critical security updates were not installed.
2. You believe your Antivirus software will protect you.
3. You were careless gave the bad guys the opportunity.

Step 2 – Don’t beat yourself up

Many users find themselves in your shoes. None of us are perfect and the fact that you are still reading this you can pat yourself on the back for working to improve the situation. An opportunity has presented itself, you now have added motivation to take some important precautions and raise your awareness.

Step 3 – Make sure you are installing security updates

In April of 2010 we shared with our readers why it is important to install Security updates. In that post we recommended that you should always install the following updates as soon as you can whenever prompted:

1. Windows Critical Updates
2. Adobe Acrobat
3. Flash Viewer
4. Oracle/Sun Java

It takes a while to learn what all these updates look like, but generally speaking they remain fairly consistent so once you do learn what to look out for you only need to validate it when it changes. Don’t let the fear of the updates being part of the problem stop you. It is greatly beneficial to take the time to learn to recognize the “normal” updates and apply them when prompted. It could save you from getting your computer infected.

Step 4 – Know your Antivirus Software Limits

Have you ever heard the term Zero Day? Zero day is something brand new and you often hear it combined with exploits: “Zero Day Exploits”. Since Antivirus and Anti-Malware software work off definitions (there is also heuristics or virus like characteristics but it is not perfect) it is only good if the virus or malware that you happen to get exposed to is well defined in your Antivirus/Malware Software.  In other words, there are plenty of things that will infect your computer if you click them, particularly “new” viruses and malware. Remember Viruses are written to try to avoid being detected.

Your antivirus software won’t always protect you.

Learn how to protect yourself from Zero Day Exploits.

Step 5 – Understand the importance of your role in your security

It is not a security that without users computer viruses as we know them today would not exist. It is important to recognize that you can make a difference and to take an active role in avoiding infection by the choices you make. We covered this thoroughly in our post about the role of personal choices in information security. In that article we shared 5 areas where choices had a substantial impact on your security including:

1. Competency/Learning
2. Hardware and Networking Devices
3. Security Software
4. Participation
5. Gullibility and Greed

It’s no secret that virus and malware authors exploit us, our weaknesses, events, and a myriad of other things to compromise us. Make sure your personal choices aren’t giving them extra opportunities.

Step 6 – Subscribe to Our Updates

A lot of the content for this article was already on our site. Let us educate you and prevent you from harm and expense whenever possible. A simple way to stay plugged in is to to sign up for updates to this site so you never miss the latest news. You can Subscribe to Managed Solutions by Email and get our Facebook exclusive updates on our Facebook page.

Opportunity Center Image credit: Jason Tester, Guerilla Futures

Typical Sendto Menu

When you right click a file or folder on your Windows 7 computer there are several menus available, one of them is the “sendto” menu. This allows you to easily send that file or folder to that program or folder. One important option that is missing in this menu is the notepad program. In this video I demonstrate how to add new items to the sendto menu or specifically the notepad program in the example. You can use it for almost anything a program, network drive even an FTP server.

There are bulletins at us-cert.gov today for both Windows and Mac OS X being vulnerable to potential Human Interface Device (HID) functionality over USB exploit. The simplest way to explain this vulnerability is that both OS X and Windows lack a warning when you connect a USB connected device such as a smart phone when it is given keyboard or mouse capability. This could lead to a number of different compromises of the host system. This vulnerability has existed since USB HID support was added to both operating environments but was only publicly demonstrated recently. An example was demonstrated at the Black Hat DC conference, Cnet ran an article about it on January 19th.

Other USB related risks

USB connected devices have become a more common source of virus and malware infections. In 2010 there was actually a worm that spread via USB memory sticks called “Conficker” worm. As early as 2008 USB was becoming recognized as a much more common vector for virus propagation.

Protecting yourself

Since USB devices involve user interaction, it is an area where user education and caution is key. We can count on Apple and Microsoft to respond to this HID issue, but we can also say with certainty that there will be others that will come up in the future. Here are some simple suggestions to prevent becoming a victim:

Tips for individuals

1. Store your USB storage devices in a safe place.
2. Use memory sticks only from extremely trusted sources.
3. Do not allow others to use your computer to charge their USB devices.
4. Purchase memory sticks from trusted sources in clearly sealed packaging.

Extra tips for businesses

1. Include an area that governs USB devices in your Acceptable Usage Policy (AUP).
2. Do not allow third parties to use USB devices or charge phones on your corporate systems.
3. Consider implementing software or software policies that control access to USB ports on your systems.

You might also want to read these related articles on how you can function more securely:

Education: the Answer to Zero Day Exploits
Good Personal Choices – the most powerful Information Security Tool

Photo credit Opensourceway, Creative Commons

Spokeo.com got “spinsucked”

Gini Dietrich posted a great article this week that struck a chord with the readers. It’s been viewed, shared and commented on heavily since it came out. The post was about “Deleting Your Spokeo Profile” and it detailed what information could be found on Spokeo.com and how to delete the profile. I thought based on the comments that it was worthy of a screencast so I recorded it and shared it with Gini. You can view it on Youtube. At one point Spokeo was not able to process requests, so I joked with her on her blog that there is a new /. in town and that spokeo had gotten “spinsucked” so henceforth that will be my story, and I will stick to it.

As further proof that this issue really resonated with many of us, I had one person completely disconnected from the matter ask me on Facebook last night if I had “heard of Spokeo” at that point I realized this was really circulating far and wide.

Learning from the debate

Some debates did come up over the spinsucks post, here were the opposition arguments to removing your profile from spokeo:

1. There are many other sites that mirror the same data
2. They are probably harvesting the required email address to sell
3. The information is public domain only, readily available

One less site is better

In response to argument #1, one less site is certainly better is it not? Not to mention Spokeo actually did a bang up job of getting a lot more data than other sites seem to have to offer. I’d rather not be listed there.

Avoid the harvest

Avoiding the email harvesting concept is easy, you should use either an alias that can be tracked and later deleted or a “junk” email that is only checked in these circumstances.

The information is public domain only

I don’t think this is the case, it appears that Spokeo has found or paid for some really unique data or at least their paid for service touts that. If it is all public domain it’s usually not in one place. If someone is going to go after it, let’s make them work for it, does that sound like a decent strategy?

What does it mean?

I think these developments solidify the position that 2011 is the year of privacy, why? We know now, and we care, and we’re reading and watching and opting out to the tune of disabling a website. Our current privacy laws are not reacting fast enough for the changes in this digital world. This disparity is creating a vacuum that will be filled one way or another.

What happen’s next? Predictions

So the question is do the companies that are gathering this information and making it available cave from the pressure cooker that is likely to develop from consumers this year? Does the government step in and pass new privacy legislation more geared to our digital and interconnected age? Or does a group of entrepreneurs put together a service that opts out and erases data that can be masked, opts you out of junk mail and create an opportunistic menu of other privacy features?

I’ll be talking privacy a lot more this year and making it a priority to educate and discuss both here on Managed Solutions and also on my blog. Please join the conversation and share your thoughts. The most compelling comments will be added to the post and the authors cited. Or perhaps you’d like to guest post about this, if so please contact me.

Here is a screenshot example of the output on one of our test machines:

Have an idea you’d like to see a video demonstration of? If it’s not already here, let us know via comments, contact form or Facebook and we’ll try to get it added to our library.

Dali Burgado posted a really interesting article from infosecurity.com today about combating Twitter worm threats being personal. The gist of the article was that the best way to combat these information security threats was by reporting them. We’ll take this idea a step farther in this article, that information security really centers around making good personal choices. Unfortunately a lot of people are not very cautious in their experience and bad choices lead to big compromises, expenses and a bevy of other problems. In fact did you read about the man in Australia who had one of his investment properties sold as the result of identity theft?

What areas do these personal choices affect your information security?

Competency and learning – the core of information security

At the core of information security is what you as a user are willing to do to educate and protect yourself. Do you take a cautious and guarded approach or do you throw caution to the wind and click every link in sight? Perhaps one of the biggest challenges for new users is there are not many best practices training programs available for end users (know of some, please share the wealth as a comment to this post!). You really have to actively seek out the information. There are a number of paths for professionals to get the training including Sans Institute (Dali Burgado who inspired this post works for them!) among others. We provide end user information security and best practices training to our small business clients and you can always inquire at my “speaking” page on my personal blog to inquire on behalf of a group.

Hardware, Wireless and networking device choices

A little bit of prior planning in the hardware arena can close some huge gaps in information security. The biggest risk and most difficult choice the average home owner or business can make is the decision to have wifi on premises. You may have read this week that Google Street View Cars were collecting a lot more than pictures of the streets in your neighborhood. I don’t think the information Google collected will be used against you but to that point if they can do it anyone can do it. The decision to add wireless to your home or business network should not be taken lightly. Educate yourself on the security best practices and realize that even if you do a reasonable job of securing the device it is just one more thing that could be compromised at some point. Any networking gear you add to your network needs to be updated from time to time, do you have the ability to do that? Does the benefit of that hardware outweigh the expense of hiring a professional to provide you with the updates? These are questions that are best asked in advance.

Security software choices

Computers need extra protection against threats, the simplest protection is keeping your software updated. Think about this when you decide to install a new application, it is another spoke in the growing wheel that you will need to keep updated. Software updates are a fact of life in our modern age, be prepared to understand what they are and how to upgrade them. A great resource for finding out about new threats is CERT in fact I highly recommend you sign up for their weekly alerts or feed. In fact I used to do a weekly feature here that will give you an idea of what to look for at the CERT website.

In addition to keeping your software up to date, it is a great idea to protect your system with antivirus and/or a security suite. We became a reseller of Eset NOD32 a number of years ago and have found over time that they continue to provide a quality product. Do not for a minute think that antivirus/security suite software will protect you from everything. It is the “last resort” and even the best products will not catch everything. The personal choices you make will have more to do with your information security that the anti virus software you choose. (In the interest of disclosure we are an affiliate of Eset, and if you use the link provided below to purchase the software we will get royalties, see our product and partner policy.

Participation choices

Where you choose to be present can have a direct impact on your information security. The allure of social media sites like Facebook is great, and there are a number of advantages, but any place you choose to participate has it’s own risk, practices and learning curve. You should be aware and remain aware of these risks and practices, never assume that because a lot of people are using something that it is safe. The opposite is often true, the criminals often go where the people are because they have more potential targets. I have an article that I’ve started to work on that goes into detail about how social media has really become a vulnerable spot for many internet users. I will add a link to this post when it is done.

The Gullibility and Greed Factor

Gullibility and greed are major contributors to information security compromise. I think Facebook is a great example of where this occurs, I have seem more hacked Facebook accounts than I imagined I ever would, why? People thought that their really easy password was fine or they clicked a link or installed a rogue app. Now some malicious app or user is posting things to their friends walls, sending messages, etc trying to further perpetuate the compromise.

Beyond the gullibility of individuals that help their stranded friend at
greed is an often overlooked factor in information security. Do people really believe they will get something for nothing? Judging by the ongoing “Nigerian”, “419″ or “advanced fee fraud” scams, they do. If it didn’t work they would not be so prolific. Some very senior executives have been caught by these scams in the past, it is believed that many more have been victimized as well but did not come forward due to embarrassment.

Keep in mind the oldest trick in the book by con artists (pre-dating the internet) is to exploit a persons gullibility or greed. If you’re going to be information secure you’re going to also have to learn to be a little street wise.

Summary

Hopefully this will be a good primer and starting point for people to start to move towards a more information secure computing experience. While there are links to a number of great resources we’d be happy to have your feedback about other possible resources, we’ll also feature the best of the suggestions to the article itself. You can share your feedback, suggestions or questions in the comments below.