Recently in Awareness Category

Earlier today I started getting status updates from friends that read

If you don't know, as of today, Facebook will automatically index all your publicly available info on Google, which allows everyone to view it. To change this option, go to Settings --> Privacy Settings --> Search --> then UN-CLICK the box that says 'Allow indexing'. Facebook kept this one quiet. Copy and paste onto your status for all on your news feed.

Facebook's chain letter detection kicked in (not sure if that was an automatic or manual process) to deter future exact duplicates of that status update. This made people all the more suspicious about why Facebook would be blocking their attempts to warn about Facebook privacy.

If you did wander over to the Facebook privacy page you'd see the following message from Facebook.

Worried about privacy? Your information is safe. There have been misleading rumors recently about Facebook indexing all your information on Google. This is not true. Facebook created public search listings in 2007 to enable people to search for your name and see a link to your Facebook profile.

Security hoaxes have been around forever. Misconceptions about genuine security threats are tough to deal with. While Facebook has made some debatable privacy changes lately, I believe Facebook is right that the search settings are hardly new. What really matters is the security settings you place on your data.

When someone asks you to share information with everyone you know, as this dire warning did, unless it's the Gospel of Jesus, I think your crap detector should be sounding the alarm. If the source is not a computer security expert, stop and ask if it makes sense. If the source IS a computer security expert, stop and ask if it makes sense and then make sure your wallet hasn't been stolen by the security expert.

Search engines index Facebook status, but only the status that has the Everyone permission. If you're going to freak out, do it by reviewing your privacy settings. You know, the privacy settings Facebook had you review this week. Everyone means everyone on the internet.

SANS Newsbites is a summary of the most important news articles published on computer security in the past week. It includes commentary from an editorial board.

In Volume 11 Number 9, they reported on the DOJ self-phishing exercise that has been in the news. I was a little surprised that Marcus Ranum wrote "This sort of test generally serves only to embarrass people and hasn't been shown to have any useful long-term effect. When I see someone trying this kind of stuff, I think it's just a case of some auditor or pen-tester trying to prove their worth by having something about which they can scream "GOTCHA!""

It is true that phishing does have a great chance of success for pentesters. But I've seen numbers from phishme.com showing a marked improvement from initial tests to follow-up tests. That is what Alan Paller said in reply to Ranum in the Newsbites as well.

I agree with what Paller wrote: phishing your own company is a core component of increasing security awareness.

Any such testing should have the appropriate approval of course. The contents of the phish should be considered carefully. You don't want users to think you've gathered their credit card information and you don't want them notifying external fraud alert services. There are plenty of education opportunities without attempting to harvest PayPal accounts, for example.

User Education


Over at the impactalabs blog, Kevin Lam comments about a company that sent an all-employee email warning users about an IKEA phishing/malware email.

This hit something that I've been forced to re-examine this week. Is it effective to send all-employee emails warning about the latest virus attack on the internet?

I believe that if you find yourself sending all-employee emails about security to users regularly then you should examine the technology you've chosen. Why is it leaking like a sieve? To send an emergency email about a security threat, the email should be timely and actionable. In our case, if we don't know of a single email getting through to the users, is it really necessary to warn them? The only answer I see is that they may infect us through using the ISP's webmail or checking personal email when outside our firewall.

Is it really necessary to raise security awareness through dire warnings about things that don't affect the user anyway? It seems more appropriate for a Security Awareness newsletter or website. That is assuming users are trainable, which is a whole 'nother story.

Dumpster Diver's Dream


I was in the office over the weekend. Lined up in the cellar, I found trash cans full of paper intended for our secure document disposal vendor.

In all likelihood these cans were not the contents from the supposedly secure boxes placed around the building. Facilities had announced an office cleanup week and put out trash cans to give people a chance to clear out all the old crap. What else are you going to be doing Christmas week anyway?

So while users likely didn't have an expectation that these bins would be stored semi-securely, I still felt like it was a dumpster diver's dream. Here's a tip. When only one set of papers is ripped up before being put in the disposal, I assume that is much more interesting than all the neatly stapled PowerPoint slide printouts.

The Duhs of Security


This security awareness video was developed by the Commonwealth of Virginia to promote simple changes in behavior that will strengthen security.

  • Don't allow tailgating.
  • Guard your password and change it often.
  • Save sensitive information to secure, backed-up network storage areas.
  • Lock the computer when unattended.
  • Pick up sensitive printouts immediately.
  • Don't have sensitive conversations where you can be overheard.
  • Be wary of suspicious emails.
  • Keep electronic media secure and safe from theft or damage.

Lunker


I've been looking forward to the release of Lunker, a spear phishing toolkit for pentesters. It was originally reported to be part of the OWASP live CD due out this month. We just don't have the budget for phishme (although it is cheap).

Unfortunately, according to a comment on this post over at hackyourself.net, they are getting a case of conscience. "It's too ripe for exploitation". So they are going to take a couple months to make it less ready to go. The rationale is that with Metasploit anyone can patch and protect themselves from that. You can't patch the users against social engineering.

Vishing


I've noticed that the number of vishing attempts reported at work has been on the rise. Vishing, like phishing, is a socially engineered attempt to get your financial information. Unlike phishing, rather than luring you to a website, it lures you to a phone number. This could fool some people who are aware of the danger of phishing websites but unaware of the ease of setting up a number to collect financial info. When calling your financial institutions, only trust the number on the back of your card and the number on the bill.

Here is the text of the vish:

In our terms and contidions you have agreed to state that your account must always be under your control or those you designate at all times. We have noticed some activity related to your account that indicates that order parties may have tried gaining access or control of your information in your account.

Therefore, to prevent unauthorized access to your Old Point National Bank Internet Banking account,you are limited to five failed login attempts in a 24-hour period. You have exceeded this number of attempts.*


To reactivate your debit card , please call: +1(xxx-xxx-xxxx)

Remember 9/11/01


Remember Rick Rescorla

Jesper Johansson writes about Antivirus XP 2008 with some really good screenshots in an article in TheReg.

You don't need a zero day when users have admin rights and can be tricked into installing the malware.

Apparently I'm several years behind on the Internet meme of Rick Rolling. It's recently invaded one of the forums I frequent. The regulars are split on whether it's as funny as "your shoelace is untied, ha ha, no it isn't, I made you look" or if it is actually kind of funny.

For the uninitiated, a rick roll according to Wikipedia is "a classic bait and switch: a person provides a link they claim is relevant to the topic at hand, but the link actually takes the user to the music video for the 1987 Rick Astley song "Never Gonna Give You Up"".

When people first heard the Rick Astley song they might think it sounds like a black guy is singing, then you see the music video and it's MC mighty white. It's not what you expect. So when someone says they have a link to XYZ and instead you don't get what you expect, you've been rickrolled.

The purpose of all of that backstory is simple. I've been wondering if the rickroll phenomenon will succeed in educating users to be careful about links in a way that security awareness training never could.

In February, Postmaster General John Potter sent a letter, presumably to all addresses, and enclosed an Identity Theft brochure from the Federal Trade Commission (FTC).

The Postmaster General's letter reported that according to an FTC survey only 2% of all identity theft victims believed the theft of their identity was related to mail. Even so, they sent this letter to educate consumers.

So many times when dealing with users the response is "I've got nothing to hide" or "I won't be a victim" or "I've got nothing worth protecting". The Postmaster General's letter points out that if someone steals your identity, it can affect your credit standing, your ability to buy a car or home, get a job or obtain medical care. Once victimized it is not easy to clean up.

The FTC brochure has a link to the FTC's Identity Theft Site. The brochure has three key sections.

Deter

  • Shred financial documents and paperwork before you discard them.
  • Protect your social security number. Do not carry it in your wallet or write it on a check. Give it out only where necessary, or ask to use another identifier.
  • Don't give out personal information on the phone, through the mail or over the Internet unless you know who you are dealing with.
  • Never click on links in unsolicited emails. Instead type in a web address you know. Use firewalls, anti-spyware and anti-virus software to protect your home computer; keep them up to date. Visit onguardonline.gov for more information.
  • Don't use an obvious password like your birth date, your mother's maiden name or the last four digits of your social security number.
  • Keep your personal information in a secure place at home, especially if you have roommates, employ outside help or are having work done in your home.

Detect

Be alert to signs that require immediate attention:

  • Bills that do not arrive as expected
  • Unexpected credit cards or account statements
  • Denials of credit for no apparent reason
  • Calls or letters about purchases you did not make

Inspect your credit report (www.annualcreditreport.com) and your financial statements.

Defend

Defend against ID theft as soon as you suspect it.

  • Place a "fraud alert" on your credit reports.
  • Close any account that has been tampered with or established fraudulently.
  • File a police report.
  • Report the theft to the FTC.

Common Ways ID Theft Happens:

  1. Dumpster diving
  2. Skimming - skimmers are special devices that steal your credit/debit card numbers
  3. Phishing
  4. Changing your address
  5. Theft of wallet/purse, mail, records

It's the Little Credit Card Charges

The CA Security Adviser Research blog has an interesting entry today following the trail of a suspicious credit card charge.

Do you review your monthly statement for suspicious charges? Do you look over every charge or just the bigger ones? A fraudster may fly under your radar with a $5 charge. That can accrue to quite a bit of money if they hit enough people.

Review your bills. Whether it's fraud or the phone company tacking on a monthly fee for long distance, you want to know about it as soon as possible.

BCC


The condo board asked all owners to update their contact information. This time I decided to give them my email address. As I gave it to them, I asked them to please use the BCC function to preserve our email address privacy. I don't need all my neighbors knowing my email address.

The property manager didn't know about BCC, but she certainly knew of the dangers when BCC isn't used. Previously they had difficulty with "reply all" storms.

Since she didn't have access to a listserv (and that would have been too complicated for her) I showed her how to use BCC in Outlook. Hopefully that will prevent future issues. I left feeling like I've done my security good deed for the day. Sometimes it's hard to put yourself in the user's shoes and realize they just need some gentle suggestions to do the right thing. (Of course my spidey sense is telling me that I'm going to be the new helpdesk/security guy for her whether I like it or not.)

Fakechecks.org


Tonight, I saw a public service announcement educating viewers about online scams. The U.S. Postal Inspection Service has put up a site, fakechecks.org. They have fraud tests, videos and prevention advice.

I thought this was a really cool site. It's pretty easy to make fun of the rubes that are losing their money this way. Be a better person than that and educate them so they aren't taken advantage of by online con men.

Think Before you Post


Think before you post. It's not just advice for bloggers like Whole Foods CEO John Mackey. New generations are growing up with an entirely different expectation of what needs to remain private.

While watching TV tonight, I saw a public service announcement (PSA) from cybertipline.com titled "Bulletin Board." In this PSA, a girl puts her picture on a physical bulletin board but quickly finds that it's not so easy to take something back once it's been put out there.

Here's the YouTube copy.

More information is available at their website.

The cynical person might make jokes about how hokey this is. "So you've had the birds and the bees talk with your kid, but did you make sure they are practicing safe surfing." I actually thought the PSA was great and was happy to see it get run on TV.

More Bad PII practice at JMU


We've all heard about the chocolate bar for your password surveys; you've probably also heard about the fake credit card application and ID theft for a free t-shirt. What I saw this past weekend was only slightly better.

I was down at my alma mater's homecoming football game. After the game, I decided to check out old haunts by wandering through the music building. I found a signup envelope for Pep Band. Pep Band pays (very poorly), so people signing up for pep band have to include a University employment application and a W-4. There was also a request for a copy of the applicant's driver's license and Social Security card.

So here in this unguarded, unlocked university building hallway, I found 20-30 Pep Band applications, all of which included Social Security Number, Student ID number and home address. Some applications also had the requested copy of the driver's license and Social Security card.

Do people have no concept of protecting personally identifiable information?

Authority asked them to do something dangerous with their Personally Identifiable Info, not for a chocolate bar, but as part of the job application process. The paperwork submission process should not leave this information exposed in a hallway.

In the April 2006 Information Security Mag (free subscription required) Marcus Ranum and Bruce Schneier have a Faceoff on User Education. Actually they don't have much of a faceoff since they both agree that security education has not helped.

Ranum, "Security practitioners have shouted themselves hoarse trying to educate users. But has it helped? Obviously, no: Phishing scams are still raking in money, viruses are still spreading, and countless users continue to use their cat's name as a password for their online bank account. In fact, it looks like the situation is getting worse rather than better."

Schneier, "I've met users, and they're not fluent in security. They might be fluent in spreadsheets, eBay, or sending jokes over e-mail, but they're not technologists, let alone security people. Of course, they're making all sorts of security mistakes. I too have tried educating users, and I agree that it's largely futile."

You'd think they'd have a counterpoint from one of the security awareness companies.

Computer Security Day - Nov 30


Computer Security Day was started in 1988 to help raise awareness of computer related security issues. Our goal is to remind people to protect their computers and information. This annual event is held around the world on November 30th although some organizations choose to have functions on the next business day if it falls on a weekend.

We had an event today; I think it came out fine. Posters in the elevator lobby. Security Awareness newsletter in everyone's mailbox. And post-it notes with a security related theme.

Computer Security Day


Did you know that November 30th is Computer Security Day? According to their website, Computer Security Day was started in 1988 to help raise awareness of computer related security issues. Their goal is to remind people to protect their computers and information.

I was wondering if any readers currently have a computer security awareness campaign on this date. I'm trying to put something together at my company for this year. As with most companies, it's always tough to get something done. It's never too soon to start planning. Computer Security Awareness is an important part of a corporate security program.

I've added a countdown in the left hand menu column.

Passwords and Careless Users

A story from Network Security: Private Communication in a Public World by Kaufman, Perlman and Speciner.

At a lecture on computer security, a professor asked, "Are there any advantages of passwords over biometric devices?" A helpful student replied "When you want to let someone use your account, with a password you just give it to them, while with a biometric device you have to go with them until they are logged in." This is the sort of remark that sends chills down the back of security administrators and makes them think of their users as adversaries rather than the customers they are trying to protect.

Security people need to remember that most people regard security as a nuisance rather than as needed protection, and left to their own devices they often carelessly give up the security that someone worked so hard to provide. The solution is to educate users on the importance of security, helping them to understand the reasons for the procedures they are asked to follow and making those procedures sufficiently tolerable that they don't develop contempt for the process.
