May 23, 2013

Phishing Email from FDIC targets Businesses

It’s tax season and we’ve already seen tax-related phishing emails showing up in our inbox. Early this morning a new phishing scheme was detected that targets businesses with emails purportedly from the FDIC. If you take the time to evaluate the link, it is easy to determine that the message is a phishing attempt. Here is a screenshot of the message:

FDIC Phishing Email Screenshot

For your convenience and to learn more on how to protect yourself you can also check out this video:

Video not displaying? You can also view it on Youtube.

Here is the entire text of the message (added to properly index this article with the search engines):

Attn: Financial Department

By this message we would like to inform you about the recent alterations in the FDIC insurance coverage for transaction accounts.

During the period from December 31, 2010 to December 31, 2012 all the money in a “noninterest-bearing transaction account” are insured in full by the Federal Deposit Insurance Corporation. Please note, that this measure is temporary and separate from the FDIC’s common deposit insurance regulations.

The term “noninterest-bearing transaction account” includes a traditional checking account or demand deposit account on which no interest is paid by the insured depository institution.

For detailed information about temporary FDIC insurance coverage of transaction accounts, please view the official site link.

Yours sincerely,
Tad Melendez.

Federal Deposit Insurance Corporation

2 Things Everyone Needs to Know about the WPS Vulnerability

I Promise Not to Own your Wifi

You may have heard recently that there is a vulnerability affecting many wireless access points. It has to do with Wi-Fi Protected Setup (WPS), which is supposed to make it easier to configure devices to use your wireless network. The problem is that the WPS system is vulnerable to a brute force attack that will allow a malicious party within range of your wireless signal to access and change settings on your device. Once the foot is in the door there are many other things that can be done, especially if you have unprotected devices on your network.

The two things you should know if you own or are responsible for any wireless access points are:

  1. There is no practical universal solution to the problem.
  2. You may have to use the hacking tools themselves to be 100% certain you are not vulnerable.

If you feel you have anything someone might want to steal, the smartest thing might be to just disconnect the wireless access point or turn it off. Then live without it until the manufacturer has clear information on your make and model of wireless device. Of course if your wireless access point is also your Internet Router this could be problematic.

There are more questions than answers right now, and while you can’t tell with certainty that you are not vulnerable, a list is being compiled of devices that have been confirmed to be vulnerable. You can access the WPS Vulnerability Testing Document to find devices that have been confirmed.

Known and potential solutions

Solutions to this issue will be updated here as they become available

Belkin (Does not note if this fully disables WPS!)

Netgear (Home Routers)

Additional Resources

Vulnerability Note VU#723755 (US-CERT)

Special thanks to @Shonali for sharing the Bart Simpson Chalkboard Generator.

Critical Java update and a stark reminder to update JAFO

Java Logo

The latest advisory for Oracle Java addresses a total of 20 vulnerabilities; 19 of those 20 may be remotely exploitable. Remotely exploitable vulnerabilities are very high information security priorities because they can allow rapid propagation of malware or computer viruses.

It’s time to add a new acronym

For some time now we’ve all learned that Windows/operating system updates are pretty important, but there are emerging threat vectors that also need to be addressed. Back in early 2009 a huge ramp up in volume of Adobe PDF and Java updates occurred. Since that time those two have become very popular sources of computer exploitation. Add that to some recent nasty Flash exploits and you have the makings of a new acronym:

Always update JAFO:

Java
Acrobat
Flash
Operating System (Critical Updates: Windows, etc.)

Extra credit for the techie types, remember when Microsoft had their own Java Virtual Machine?

 

Why all businesses should consider SEC Cyber Security Guidance

Cyber Security Sandia Labs Research

Image compliments of Sandia Labs (Creative Commons)

Last week the SEC released a Disclosure Guidance Document on Cyber Security. The document was a direct response to the dependence on digital technologies and the increased risks associated with Cyber Security. While the SEC guidance was aimed at publicly traded companies, the information in and the existence of the document should raise eyebrows at any business.

An ounce of prevention truly is worth a pound of cure

The document contained extensive guidance for organizations including before, during and after a cyber security incident. Perhaps the most interesting suggestion in this particular document is the call to disclose risk:

Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.

This is something all businesses should be asking themselves, not based on guidance from the SEC or specific directives such as HIPAA but rather because it is the right thing to do. We as businesses are stewards of our clients’ critical information. In many cases prevention is less expensive than we might think and much less expensive than the liability associated with a failure to prevent a cyber security event.

In response to the extraordinary role that Cyber Security has played in our modern connected world, Managed Solutions introduced a program called Secure Enterprise in 2002 to assist businesses with protecting critical enterprises of any size. You can join the conversation about Cyber Security on our Facebook page.

Why you should avoid Public Charging Kiosks

Universal Serial Bus, or USB, was an extremely valuable development in the technology world. USB consolidated how we connect our smart phones, cameras, memory sticks and personal computers. It also created a very easy way to charge mobile devices. Like any prolific technology, this high availability is not without its pitfalls, perhaps most significantly in the world of information security.

In January of this year I shared some insights on USB device security while covering a USB Human Interface Device (HID) security issue. While companies have made headway, including a reduction in “Autorun” infections, USB-capable devices have been subjected to a number of additional threats. It is these threats that encouraged this update, to arm you with knowledge so you can better protect yourself.

Juice Jacking

While it sounds like a way criminals might steal electricity, it is actually how criminals can use charging kiosks to install malware on your portable devices. A charging kiosk is a public resource for charging your USB-capable devices such as your Android phone or iPhone. Imagine plugging into one of these kiosks and getting your smart phone or portable device infected with malware. Once infected, your mobile device can then propagate said malware to your PC, Mac or any other computer you might connect it to in the future. Then, using an autorun vulnerability, that malware can infect any flash drive inserted into the computer. See how this cycle can quickly spiral out of control? We can break this cycle easily:

Don’t plug your phone into any public USB outlet or charging kiosk, carry your own charger and use an electrical outlet.

Your own personal charger is your protection (pictured below, left); it converts the Alternating Current (AC) to DC suitable for charging a USB device. You can also just use your own laptop and a USB cable to accomplish this.

AC to USB Chargers - Photo by Joe Hackman

Use these!

Public USB Charging = Bad

Not these!

A survey…

In advance of this post I posted a survey via Facebook and our own blog to see if our readers and friends were using public charging stations. I’m proud to report that 70% of respondents had not used them and only 30% had. Hopefully after reading this you won’t use them, it’s just not worth the risk.

Additional related content:

  • #infosec hashtag search on Twitter (get the latest real time information)
  • The #Infosec Weekly (A summary online publication of recent content shared by Information Security related Twitter Accounts)
  • Security Investigator Brian Krebs piece on a charging kiosk located at the Defcon hacker conference. (partial inspiration for this post, also a great resource if you want to learn the ins and outs of information security)
  • Managed Solutions on Facebook (We share lots of information security related information on our page, like us to get these updates.)

American Honda warns their customers of Privacy Breach

American Honda Motor Company, Inc. is warning their customers today of a privacy breach that resulted in the compromise of private information about their customers. In this instance they are advising their clients of the following client information being compromised:

  1. Email Addresses
  2. Names
  3. Vehicle Identification Number (VIN)
  4. User ID

Their formal statement to their customers claims that no other information, such as password or address, was included in the breach. Hopefully a more thorough investigation will occur to verify the claim, because if customer physical addresses were also compromised this would be a major concern.

Here is the entire message:

Honda Logo

Dear Customer,

American Honda Motor Co., Inc. recently became aware of unauthorized access to an email list used by a vendor to create a welcome email to customers who have an Owner Link or My Acura vehicle account. The data that was obtained included your email address, your name, Vehicle Identification Number (VIN) and User ID. Your password was not included and no other sensitive information was contained in that list.

We apologize for any inconvenience this may cause. As a company, we believe that all customer relationships must be built on trust. That is why we believe it is important to inform you of this incident. You may be aware of attacks on email marketing systems, therefore we want to assure you that we take the safeguarding of your information seriously and that the appropriate authorities have been contacted regarding this incident. Additionally, we have taken steps to minimize this type of exposure in the future.

As a Company, we encourage you to continue to be aware of the increasingly common email scams that may use your email address to contact you and ask for personal or sensitive information — Be cautious when opening links or attachments from unsolicited third parties. Also, know that American Honda Motor Co., Inc. will not send you emails asking for your credit card number, social security number or other personal information. If ever asked for this information, you can be confident it is not from us.

Again, let us reassure you that we are taking necessary steps to safeguard your personal information.

If you would like further information on this topic please visit honda.com/info/b

Thank you.

American Honda Motor Co., Inc.

Good Personal Choices – the most powerful Information Security Tool

Korean Road Sign

Dali Burgado posted a really interesting article from infosecurity.com today about combating Twitter worm threats being personal. The gist of the article was that the best way to combat these information security threats was by reporting them. We’ll take this idea a step farther in this article, that information security really centers around making good personal choices. Unfortunately a lot of people are not very cautious in their experience and bad choices lead to big compromises, expenses and a bevy of other problems. In fact did you read about the man in Australia who had one of his investment properties sold as the result of identity theft?

In what areas do these personal choices affect your information security?

  • Competency – learning.
  • Hardware and networking devices (especially wireless!).
  • Security software.
  • Participation.
  • G Factor

Competency and learning – the core of information security

At the core of information security is what you as a user are willing to do to educate and protect yourself. Do you take a cautious and guarded approach or do you throw caution to the wind and click every link in sight? Perhaps one of the biggest challenges for new users is that there are not many best practices training programs available for end users (know of some? Please share the wealth as a comment to this post!). You really have to actively seek out the information. There are a number of paths for professionals to get the training, including SANS Institute (Dali Burgado, who inspired this post, works for them!) among others. We provide end user information security and best practices training to our small business clients, and you can always use the “speaking” page on my personal blog to inquire on behalf of a group.

Hardware, Wireless and networking device choices

wifi

A little bit of prior planning in the hardware arena can close some huge gaps in information security. The biggest risk and most difficult choice the average home owner or business can make is the decision to have wifi on premises. You may have read this week that Google Street View cars were collecting a lot more than pictures of the streets in your neighborhood. I don’t think the information Google collected will be used against you, but to that point, if they can do it anyone can do it. The decision to add wireless to your home or business network should not be taken lightly. Educate yourself on the security best practices and realize that even if you do a reasonable job of securing the device, it is just one more thing that could be compromised at some point. Any networking gear you add to your network needs to be updated from time to time; do you have the ability to do that? Does the benefit of that hardware outweigh the expense of hiring a professional to provide you with the updates? These are questions that are best asked in advance.

Security software choices

Computers need extra protection against threats, and the simplest protection is keeping your software updated. Think about this when you decide to install a new application: it is another spoke in the growing wheel that you will need to keep updated. Software updates are a fact of life in our modern age, so be prepared to understand what they are and how to apply them. A great resource for finding out about new threats is CERT; I highly recommend you sign up for their weekly alerts or feed. I used to do a weekly feature here that will give you an idea of what to look for at the CERT website.

In addition to keeping your software up to date, it is a great idea to protect your system with antivirus and/or a security suite. We became a reseller of Eset NOD32 a number of years ago and have found over time that they continue to provide a quality product. Do not for a minute think that antivirus/security suite software will protect you from everything. It is the “last resort” and even the best products will not catch everything. The personal choices you make will have more to do with your information security than the antivirus software you choose. (In the interest of disclosure, we are an affiliate of Eset, and if you use the link provided below to purchase the software we will get royalties; see our product and partner policy.)


Click Here - Free Trial of ESET NOD32 Antivirus

Participation choices

Where you choose to be present can have a direct impact on your information security. The allure of social media sites like Facebook is great, and there are a number of advantages, but any place you choose to participate has its own risks, practices and learning curve. You should be aware and remain aware of these risks and practices; never assume that because a lot of people are using something it is safe. The opposite is often true: criminals often go where the people are because they have more potential targets. I have an article that I’ve started to work on that goes into detail about how social media has really become a vulnerable spot for many internet users. I will add a link to this post when it is done.

The Gullibility and Greed Factor

Gullibility and greed are major contributors to information security compromise. I think Facebook is a great example of where this occurs. I have seen more hacked Facebook accounts than I imagined I ever would. Why? People thought that their really easy password was fine, or they clicked a link or installed a rogue app. Now some malicious app or user is posting things to their friends’ walls, sending messages, etc., trying to further perpetuate the compromise.

Beyond the gullibility of individuals that help their stranded friend at
greed is an often overlooked factor in information security. Do people really believe they will get something for nothing? Judging by the ongoing “Nigerian”, “419” or “advanced fee fraud” scams, they do. If it didn’t work they would not be so prolific. Some very senior executives have been caught by these scams in the past; it is believed that many more have been victimized as well but did not come forward due to embarrassment.

Keep in mind the oldest trick in the book by con artists (pre-dating the internet) is to exploit a person’s gullibility or greed. If you’re going to be information secure you’re going to also have to learn to be a little street wise.

Summary

Hopefully this will be a good primer and starting point for people to start to move towards a more information secure computing experience. While there are links to a number of great resources, we’d be happy to have your feedback about other possible resources; we’ll also add the best of the suggestions to the article itself. You can share your feedback, suggestions or questions in the comments below.
