
Seasonal Security: A Poem

It’s that time of year, for holiday cheer,

to give of ourselves and ring in the New Year.

But while you celebrate, please keep in mind,

criminals and hackers are not far behind.

 

Mobile malware is here; it’s increased since last year.

Be sure to install mobile malware protection,

so that you don’t receive an unwelcome infection.

 

QR codes are barcodes consumers can scan.

With their smartphones in hand,

a digital bar can locate a great deal, near or far.

But not so fast: these codes can be tricky.

Bad guys can use them to slip your cell a Mickey.

Before clicking that link, remember to think:

Is that code okay? Or might it be sticky?

 

Scareware pops up with frightening lies:

“Your PC has a virus! Install me, or it dies!”

But before you take action, be aware it’s a scam,

and shut down that pop-up before you get jammed.

 

Apples are targeted now more than ever,

‘cause when Mac users hear “virus,” they say, “Not me! No way! Never!”

But they ought to know, studies now show

there is plenty of malware that will plague Macs forever.

So install antivirus. Don’t think, “It can’t happen to me,”

or soon you will see, a Mac is as vulnerable as a PC.

 

Watch out! For holiday phishing!

Or you may wind up wishing

you didn’t believe the hysteria,

when that “prince” from Nigeria,

turns out to be a bald-faced con

and your money is gone.

 

Happy holidays to all! Enjoy the season! Have a ball!

And when you give, I implore you to heed,

it’s those that have not that are truly in need.

 

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto, and he is running the Boston Marathon in April 2012 to support Miles for Miracles for Children’s Hospital Boston.

Human Security Weaker Than IT Security

Information technologies have evolved to a level at which the developers, programmers, and security specialists all know what they’re doing, and are able to produce products and services that work and are reasonably secure. Of course, there’s always room for improvement.

Despite the amount of criminal hacking that goes on, users who effectively implement the appropriate measures and refrain from risky behaviors enjoy relative security.

The Wall Street Journal reported on a study by Dartmouth’s Tuck School of Business, quoting professor Eric Johnson:

“Criminal hackers are increasingly turning to digital versions of old-fashioned con games, literally gaining the confidence of employees through innocuous-seeming phone calls purporting to be from fellow workers, or even through regular mail, in order to entice them into downloading malicious code or revealing a password. The threat of data leakage is thus highest where a human is put in a position to decide whether to click on a link or divulge important information. The [phishing] techniques have become more hybrid.”

If you are reading this, chances are you do a pretty good job with information security to prevent identity theft, at least on the consumer level. But you also need to start thinking about avoiding Jedi mind tricks. Within the security world, these cons are known as “social engineering.”

Whether you receive a phone call, an email, or a visitor at your home or office, always question those who present themselves in positions of authority.

You should never automatically place your trust in a stranger.

Within your own home or business, set clear guidelines regarding what information should or should not be shared.

Keep in mind that when you lock a door it can be unlocked, either with a key, or with words that convince you to unlock it yourself. Always view every interaction, whether virtual or face-to-face, with a cynical eye for a potential agenda.

In the end, if a bad guy has pulled the wool over your eyes, they will often want to infect your Mac or PC. Keep your computer’s operating system up to date with its critical security patches and install a total protection product.

Robert Siciliano is an Online Security and Safety Evangelist to McAfee and Identity Theft Expert. (Disclosures)

Facebook Beefs Up Your Security

It is obvious to many that Facebook has got the message and is becoming more responsible for its users’ security. For a few months now I have enjoyed a security feature they implemented that allows you to stay in control of your logins.

Login notifications: This feature sends you an email or text telling you someone has just logged into your account.

To set up and enable notifications:

1. Go to “Account” in the upper right-hand corner.

2. In the drop-down menu, go to “Account Settings”.

3. In the main menu, go to “Account Security”.

4. Click “Yes” next to “Would you like to receive notifications from new devices”.

5. The same can be done with text messages if you have your mobile number connected to Facebook. But don’t have your mobile number displayed publicly on your page.

6. Log out, then log back in, and it will ask you to identify the computer.

One-time passwords: This makes it safer to use public computers in places like hotels, cafes or airports. If you have any concerns about the security of the computer you’re using while accessing Facebook, Facebook can text you a one-time password to use instead of your regular password.

Simply text “otp” (that’s O T P for ‘One Time Password’) to 32665 on your mobile phone (U.S. only), and you’ll immediately receive a password that can be used only once and expires in 20 minutes. In order to access this feature, you’ll need a mobile phone number in your account.

Remote logout: the ability to sign out of Facebook remotely is now available to everyone. These session controls can be useful if you log into Facebook from a friend’s phone or computer and then forget to sign out. From your Account Settings, you can check if you’re still logged in on other devices and remotely log out.

Under the Account Security section of your Account Settings page you’ll see all of your active sessions, along with information about each session.

Robert Siciliano, personal security expert to ADT Home Security Source, discussing social media Facebook scammers on CNN. Disclosures.

Seminar to Feature ISECOM’s OSSTMM v3

Pete Herzog, Founder of ISECOM, will be discussing the revised Open Source Security Testing Methodology Manual (OSSTMM v3) and how it applies to web application security today (10-13-2010) in Raleigh, NC.

Pete rarely gets to the US, so this is a unique opportunity for security professionals to have an open discussion with him about trust-based security models and how to apply sound logic to securing and testing web applications.

“About 5 years ago, while searching for any existing methodologies, I stumbled across ISECOM and the Open Source Security Testing Methodology Manual. It changed the way my company and I engaged with clients at every angle,” Michael Menefee of WireHead Security recently wrote.

“As a security consultant, I’ve always looked for ways to increase consistency, efficiency and value when conducting security analysis on a client’s network or business,” Menefee stated. “This would, of course, require both a data collection methodology as well as a reporting methodology in order to work properly.”

The OSSTMM is a peer-reviewed methodology for performing security tests and metrics, and the test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

On the origins of the OSSTMM, Pete Herzog wrote that, “in the research for factual security metrics, factual trust metrics and reliable, repeatable ways for verifying security, including concretely defining security, we found that the practice of guessing forecasting risk was not only non-factual but also backwards. Risk stuck us into a never-ending game of cat and mouse with the threats.”

“Beginning with version 3, the OSSTMM is no longer just about security testing. The break-throughs we’ve had in security had us re-visit how we work with security. This includes risk assessments.”

Christoph Baumgartner, CEO of OneConsult GmbH in Switzerland – whose firm has been using the OSSTMM methodology since its inception – recently commented on the value proposition the methodology standard offers, stating that, “the most important aspect is that we have an easier time keeping our clients. Most of the companies and organizations which order security audits on a regular basis are fairly well organized and have a strong interest in gaining and keeping an adequate level of security.”

“Having the attack surface metrics, the ravs, means that they can watch trends and keep a close eye on how changes in operations affect their security directly. I can definitely confirm that many of our clients who have to change the supplier for security policy reasons expect their future suppliers to apply the OSSTMM.”

OSSTMM was developed by the Institute for Security and Open Methodologies (ISECOM), a non-profit collaborative community established in January 2001.

ISECOM is dedicated to providing practical security awareness, research, certification and project support services for non-partisan and vendor-neutral projects to assure their training programs, standards, and best practices are truly neutral of national or commercial influence.