Hilarious video from F-Secure. I’ve got people emailing their credit card numbers in clear text. Perhaps this might get the message across.
Archive for the ‘Awareness’ Category.
CyberSecurity Awareness Month
October is designated National Cyber Security Awareness Month by the National Cyber Security Alliance and the Department of Homeland Security.
This month, I will be focusing on awareness topics. Non-security people aren’t aware of the risks inherent in their computer use. Campaigns like this seek to adjust perceptions of risk and remove the “it couldn’t happen to me” mindset.
Lifelock and Menard
Radio hosts reading commercials often try to sound live and ad-libbed (a “live read”). It’s one thing when discussing how great Snapple is; it’s another thing when discussing a technical topic. I wonder if these live reads are approved by legal.
Today I heard a radio show advertising Lifelock which used a recent attempt to rob John Menard and his bank as an example of why you need Lifelock.
From Walletpop:
Back in April, someone called Menard’s bank in Eau Claire, Wis., and requested $475,000 be wired to a bank account outside the country. Whoever it was — he or she hasn’t been caught yet — had Menard’s account numbers, passwords and Social Security number. And when the bank called Menard’s house to confirm the transaction, the thief was able to intercept the call and give the go-ahead to wire the money.
Unfortunately for the thief, the bank also called Menard’s office. Someone there contacted the billionaire, who was in flight at the time and asked that the transaction not go through.
Perhaps I’m not familiar with new Lifelock services, but I thought they did two things:
1. Checked bad-guy sites for signs your identity had been stolen.
2. Placed a lock on your credit reports so any new credit requests would be blocked, if the people extending credit checked the credit report.
I don’t see how either of those things would prevent someone from calling your bank to attempt a wire transfer. What prevents that is your bank’s policies. Perhaps Lifelock would have prevented this instance by hiring Kevin Mitnick to make sure the call to the home wasn’t intercepted.
I wrote about Lifelock back in 2007 here. As I said, Lifelock sells fear. When that happens, hold on to your wallet. Identity theft is a real problem; I don’t think this is the solution.
Out of Office
Are out of office (OOF) messages a security risk or a useful tool? (Microsoft uses the acronym OOF for Out of Facility. I’ll be using that rather than OoO for out of office.)
I’ve felt that the anti-OOF forces are the kind of Luddite people who still agitate for a return to text-only email. Rather than dismissing it out of hand, let’s examine some of the objections to OOF.
Out of office messages could inadvertently disclose information. “I’m out of the office, check with Joe at 555-12324.” Now the bad guy has another contact name. In this era of LinkedIn, I’m not sure how big a disclosure this would be. You decide for your environment.
OOF messages could verify your email address to spammers.
Your spam product and mail server should be blocking directory harvest attacks at the gateway. I wonder if it’s still true that “verified” email addresses are more valuable to attackers. Either way, my spam filter prevents spam from reaching my inbox anyway.
OOF messages could help an attacker engage in social engineering
Now that the bad guy knows Joe is the backup, they know he may not know the procedure as well. “Roger, let me do that.” Personally I think that is a problem with training, not OOF.
OOF messages could alert an attacker that it’s time to break into your home.
While there are stories about burglaries when someone posted their vacation schedule on Twitter, that is often neighborhood kids and people you know. Not using an OOF doesn’t exactly help there.
Now that we’ve gone through some OOF FUD, how can you OOF safely?
1. If you’re running Exchange 2007 or later you can use a different message for internal senders and contacts versus external senders. You can also send OOF replies only to people in your contacts.
2. Sign off of any mailing lists or set them to “no mail” where possible. You don’t need to be annoying the list with your out of office notes. I think this is the real root of the anti-OOF forces, annoyance with mailing list OOF backscatter.
3. The less said the better.
At work, you kind of need to let people know you won’t be getting back to them for a while. There may be a few businesses (e.g. financial) where the risk does outweigh the courtesy. For most of us I think an OOF on the work email account isn’t the end of the world.
“Best Practices” are for people who cannot perform a risk analysis. You’ll need to consider the risk environment and decide whether OOF is appropriate.
Now you’re getting it
In December I set up a rule on our outbound email to let me know when people are sending Social Security Numbers in outbound email. Once I was satisfied with the accuracy of the rules, we set up some education for our physical security and HR recruiters so they would understand why it’s a bad idea to send SSNs and what some alternative choices are. Once our big offenders had been notified I enabled a notification to the sender to let them know why emailing SSNs in plaintext is a bad idea. After about a month of that I reconfigured the rule so it blocks the email and notifies the sender.
One person who I believe is a finance manager got blocked while attempting to email papers for a personal mortgage refinance. A hilarious rant was sent to the helpdesk saying that if people can read non-encrypted emails then non-encrypted email can’t be used for business mail such as emailing a credit card number to enroll in a conference or sending resumes that include SSNs.
It’s so nice when the user gets it. Although I would have appreciated a ‘thanks for stopping me from shooting myself in the foot’ tone instead of misplaced moral outrage.
I replied that she’s absolutely right. She should never be sending credit card numbers by email either. Whether project or customer data needs to be kept secret depends on the requirements of the customer, and talking to the project lead about how to handle customer data would be appropriate. Unfortunately the company can’t allow emailing of SSNs.
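The staged rollout described above (watch first, then warn the sender, then block) is easy to prototype outside any particular mail product. The following is an added example, not the rule the author built and not any gateway’s rule syntax: a small Python policy module that scans an outbound message body for formatted SSNs, discards values the Social Security Administration has never issued to cut false positives, acts only when the recipient is outside the company domain (example.com is a constructed placeholder), masks the number in the admin log, and returns the action plus the sender notification for each rollout stage. The sample messages are constructed.

```python
import re
from dataclasses import dataclass
from enum import Enum

OUR_DOMAIN = "example.com"  # constructed placeholder for the company mail domain


class Mode(Enum):
    """Rollout stages: measure accuracy first, then educate, then enforce."""
    MONITOR = "monitor"  # deliver silently, log for the admin
    NOTIFY = "notify"    # deliver, but tell the sender why this is a bad idea
    BLOCK = "block"      # reject and tell the sender


# Formatted SSNs only (ddd-dd-dddd or ddd dd dddd). Bare 9-digit runs are
# deliberately not matched: they flag invoice and phone numbers constantly.
# The look-arounds stop matches inside longer tokens such as INV-123-45-6789.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\w-])")


def is_plausible_ssn(area, group, serial):
    """Drop values the SSA has never issued: area 000, 666 or 900-999,
    group 00, serial 0000. A cheap way to cut obvious false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text):
    """Return every plausible formatted SSN in the text, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def mask(ssn):
    """Keep only the last four digits: the admin log must not become
    another plaintext copy of the data the rule exists to protect."""
    return "***-**-" + ssn[-4:]


def is_outbound(recipient):
    """The rule only covers mail leaving the company domain."""
    return recipient.rsplit("@", 1)[-1].lower() != OUR_DOMAIN


@dataclass
class Verdict:
    action: str              # "deliver" or "block"
    log_line: str = ""       # what the admin sees (masked)
    sender_note: str = ""    # what the sender sees, if anything


NOTE = ("Your message to {rcpt} appears to contain {n} Social Security "
        "Number(s). Email leaves the company unencrypted and can be read in "
        "transit and on the recipient's mail server, so {outcome}. Use the "
        "approved secure transfer method or ask the helpdesk for alternatives.")


def evaluate(sender, recipient, body, mode):
    """Apply the outbound SSN rule in the given rollout stage."""
    if not is_outbound(recipient):
        return Verdict("deliver")
    hits = find_ssns(body)
    if not hits:
        return Verdict("deliver")
    log = "SSN rule: %s -> %s matched %s (%s)" % (
        sender, recipient, ", ".join(mask(h) for h in hits), mode.value)
    if mode is Mode.MONITOR:
        return Verdict("deliver", log)
    if mode is Mode.NOTIFY:
        note = NOTE.format(rcpt=recipient, n=len(hits),
                           outcome="it was delivered this time only")
        return Verdict("deliver", log, note)
    note = NOTE.format(rcpt=recipient, n=len(hits), outcome="it has been blocked")
    return Verdict("block", log, note)


if __name__ == "__main__":
    # Constructed sample messages: one real leak, one that only looks like one.
    recruiter_mail = "Candidate Jane Doe, SSN 123-45-6789, starts Monday."
    invoice_mail = "Paid INV-123-45-6789 and ref 000-12-3456, thanks."
    for mode in Mode:
        v = evaluate("hr@example.com", "agency@outside.example", recruiter_mail, mode)
        print(mode.value, v.action, "|", v.log_line)
    print(evaluate("hr@example.com", "agency@outside.example", invoice_mail, Mode.BLOCK).action)
```

The staging is the important part: running in MONITOR mode first is what lets you tune the pattern against real traffic before anyone gets a notification, and the same `evaluate` function serves all three stages so the only thing that changes at each step is the mode.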
Facebook Google Indexing Tempest in a Teapot
Earlier today I started getting status updates from friends that read
If you don’t know, as of today, Facebook will automatically index all your publicly available info on Google, which allows everyone to view it. To change this option, go to Settings –> Privacy Settings –> Search –> then UN-CLICK the box that says ‘Allow indexing’. Facebook kept this one quiet. Copy and paste onto your status for all on your news feed.
Facebook’s chain letter detection kicked in (not sure if that was an automatic or manual process) to deter future exact duplicates of that status update. This made people all the more suspicious about why Facebook would be blocking their attempts to warn about Facebook privacy.
If you did wander over to the Facebook privacy page you’d see the following message from Facebook.
Worried about privacy? Your information is safe.
There have been misleading rumors recently about Facebook indexing all your information on Google. This is not true. Facebook created public search listings in 2007 to enable people to search for your name and see a link to your Facebook profile.
Security hoaxes have been around forever. Misconceptions about genuine security threats are tough to deal with. While Facebook has made some debatable privacy changes lately, I believe Facebook is right that the search settings are hardly new. What really matters is the security settings you place on your data.
When someone asks you to share information with everyone you know, as this dire warning did, unless it’s the Gospel of Jesus, I think your crap detector should be sounding the alarm. If the source is not a computer security expert, stop and ask if it makes sense. If the source IS a computer security expert, stop and ask if it makes sense, and then make sure your wallet hasn’t been stolen by the security expert.
Search engines index Facebook status, but only the status that has the Everyone permission. If you’re going to freak out, do it by reviewing your privacy settings. You know, the privacy settings Facebook had you review this week. Everyone means everyone on the internet.
SANS Newsbites on Phishing your Company
SANS Newsbites is a summary of the most important news articles published on computer security in the past week. It includes commentary from an editorial board.
In Volume 11 Number 9, they reported on the DOJ self-phishing exercises that have been in the news. I was a little surprised that Marcus Ranum wrote “This sort of test generally serves only to embarrass people and hasn’t been shown to have any useful long-term effect. When I see someone trying this kind of stuff, I think it’s just a case of some auditor or pen-tester trying to prove their worth by having something about which they can scream “GOTCHA!””
It is true that phishing does have a great chance of success for pentesters. But I’ve seen numbers from phishme.com showing a marked improvement from initial tests to follow-up tests. That is what Alan Paller said in reply to Ranum in the Newsbites as well.
I agree with what Paller wrote: phishing your own company is a core component of increasing security awareness.
Any such testing should have the appropriate approval, of course. The contents of the phish should be considered carefully. You don’t want users to think you’ve gathered their credit card information, and you don’t want them notifying external fraud alert services. There are plenty of education opportunities without attempting to harvest PayPal accounts, for example.
User Education
Over at the impactalabs blog, Kevin Lam comments about a company that sent an all-employee email warning users about an IKEA phishing/malware email.
This hit something that I’ve been forced to re-examine this week. Is it effective to send all-employee emails warning about the latest virus attack on the internet?
I believe that if you find yourself regularly sending all-employee emails about security, then you should examine the technology you’ve chosen. Why is it leaking like a sieve? To send an emergency email about a security threat, the email should be timely and actionable. In our case, if we don’t know of a single such email getting through to the users, is it really necessary to warn them? The only answer I see is that they may infect us by using the ISP’s webmail or checking personal email when outside our firewall.
Is it really necessary to raise security awareness through dire warnings about things that don’t affect the user anyway? It seems more appropriate for a security awareness newsletter or website. That is assuming users are trainable, which is a whole ‘nother story.
Dumpster Diver’s Dream
I was in the office over the weekend. Lined up in the cellar, I found trash cans full of paper intended for our secure document disposal vendor.
In all likelihood these cans were not the contents from the supposedly secure boxes placed around the building. Facilities had announced an office cleanup week and put out trash cans to give people a chance to clear out all the old crap. What else are you going to be doing Christmas week anyway?
So while users likely didn’t have an expectation that these bins would be stored semi-securely, I still felt like it was a dumpster diver’s dream. Here’s a tip: when only one set of papers is ripped up before being put in the disposal, I assume that is much more interesting than all the neatly stapled PowerPoint slide printouts.
The Duhs of Security
This security awareness video was developed by the Commonwealth of Virginia to promote simple changes in behavior that will strengthen security.
- Don’t allow tailgating.
- Guard your password and change it often.
- Save sensitive information to secure, backed-up network storage areas.
- Lock the computer when unattended.
- Pick up sensitive printouts immediately.
- Don’t have sensitive conversations where you can be overheard.
- Be wary of suspicious emails.
- Keep electronic media secure and safe from theft or damage.

