(Or, How business owners can add a second line to their cellphone number)
The New York Times, Nov. 12, 2016
By STEVE LOHR
The next time someone asks you for your cellphone number, you may want to think twice about giving it.
The cellphone number is more than just a bunch of digits. It is increasingly used as a link to private information maintained by all sorts of companies, including money lenders and social networks. It can be used to monitor and predict what you buy, look for online or even watch on television.
It has become “kind of a key into the room of your life and information about you,” said Edward M. Stroz, a former high-tech crime agent for the F.B.I. who is co-president of Stroz Friedberg, a private investigator.
Yet the cellphone number is not a legally regulated piece of information like a Social Security number, which companies are required to keep private. And we are told to hide and protect our Social Security numbers while most of us don’t hesitate when asked to write a cellphone number on a form or share it with someone we barely know.
That is a growing issue for young people, since two sets of digits may well be with them for life: their Social Security number and their cellphone number.
Nearly half of all American households have given up their landlines and have only wireless phone service — a figure that has risen more than 10 percentage points in just three years. Among people ages 25 to 29, the share of homes that have only wireless phone service stands at 73 percent, according to government statistics.
Taylor Gallanter, a 23-year-old hair stylist in San Francisco, has had her cellphone number since she was 15. She has never had a landline and doubts she ever will.
Shivani Siroya, founder of Tala, which uses cellphone data to gauge people’s ability and willingness to repay loans. Photo credit: Christina Gandolfo for The New York Times
She knows how valuable her cellphone number is. She does not provide it on online forms unless it is required. Using her email address as contact information, she said, seems less invasive and risky.
“With just your cellphone number and name, I know they can get all sorts of information about you,” Ms. Gallanter said.
In fact, investigators find that a cellphone number is often even more useful than a Social Security number because it is tied to so many databases and is connected to a device you almost always have with you, said Austin Berglas, a former F.B.I. agent who is senior managing director of K2 Intelligence, a private investigator.
“The point is the cellphone number can be a gateway to all sorts of other information,” said Robert Schoshinski, the assistant director for privacy and identity protection at the Federal Trade Commission. “People should think about it.”
The use of the cellphone number in new, unanticipated ways has echoes in the history of the Social Security number, which was created in 1936. Its original purpose was to enable the nation’s nascent social insurance system to maintain accurate records of workers covered under the program. It was never meant as a general-purpose identification number.
Gradually, the simplicity of using a unique number to identify people encouraged the widespread use by other government agencies and corporations. That took off starting in the 1960s, when mainframe computers made it possible to create huge digital files on citizens and customers.
The spread of the Social Security number as a quick and easy identifier, found in all kinds of corporate and government databases, has smoothed the way for commerce. But there have been unintended consequences.
“That Social Security numbers are so broadly used and often so poorly protected is a major cause of the current epidemic of identity theft,” said Alessandro Acquisti, a computer scientist and privacy expert at Carnegie Mellon University.
The total losses in the United States from stolen identities used in crimes like credit card and loan fraud were $15 billion last year, Javelin, a research and consulting firm, estimated. And 11 percent of American adults say they lost money last year in a telephone swindle, according to a Harris Poll survey sponsored by Truecaller, a Swedish maker of a cellphone app with features like caller ID and spam blocking.
But if a cellphone number and the intimate computer behind it open a door to new risks, technology, as is so often the case, can also be employed to combat those risks.
Take fraud prevention. When shoppers use Affirm, a start-up that offers an alternative to credit cards for online purchases, the company’s software mines many data sources and approves or rejects a loan within a minute or so.
To perform that feat of technical wizardry, Affirm asks borrowers for a few pieces of personal information, including their names and dates of birth.
But the strongest identifier and conduit to useful information is the cellphone number, which acts like “the digital equivalent of the Social Security number,” said Max Levchin, chief executive of Affirm.
When a customer of Affirm wants to get an installment loan to buy, say, an $850 mattress or a $3,000 mountain bike, the company sends the person a temporary personal identification number in a text message.
The same form of authentication is widely used by banks, payment systems like PayPal and other companies before certain transactions are approved. The temporary ID numbers typically remain valid for only 30 seconds to 180 seconds, increasing the odds that the person trying to borrow or buy is indeed the same person who owns the phone with that number.
It’s not foolproof, but if a cellphone is lost or stolen, it is typically locked. It can be hacked into, but that takes a separate set of skills. By contrast, a stolen Social Security number is a permanent pathway to identity theft.
“What you can do with the cellphone number and mobile technology represents a pretty substantial advantage in the ongoing war against fraud and identity theft,” said Rajeev Date, a venture investor and former banker, who was previously deputy director of the Consumer Financial Protection Bureau.
But a cellphone-only life presents problems for many independent professionals and workers at start-ups and small businesses, who make business calls on their personal cellphones. So Ms. Gallanter, a partner in a mobile barbershop in a van, became one of the five million people who have installed the new app Sideline this year to add a second number to their cellphones.
The service is free for individuals and $10 a month a number for groups of workers in a business, who get extra features like a company directory and voice mail transcription. One of Sideline’s ad mottos is: “Keep your personal number private. Add a second number to your smartphone.”
“This gives you a second mobile identity, which more and more people need today,” said Greg Woock, chief executive of Pinger, a start-up in San Jose, Calif., that created the Sideline software and service.
Huffington Post 10/15/2015 03:27 pm ET
by Jason Glassberg, Co-Founder, Casaba Security
The holiday shopping season is just around the corner, but businesses aren’t the only ones that will be profiting from the uptick in consumer spending—cybercriminals will be making plenty of money too.
For cybercriminals, the busy end-of-the-year shopping season is a prime opportunity to steal consumer data, hijack small business bank accounts and extort companies using cyber-attacks. Why? Because many businesses are stretched thin during the hectic November to January period, which means they have less time to check and maintain their IT security, look for incidents of fraud and other malicious activity, and they’re also more willing to pay off a cybercriminal who threatens their business operations during a crucial profit-making period.
Small businesses are particularly at risk during the holidays because they often have less resources available for IT security, as well as less experience dealing with threats. According to the national insurance company, Travelers, 62% of all data breach victims are small- to mid-size businesses.
For this reason, SMBs need to take extra precautions ahead of time to avoid these risks.
Here’s a simple checklist that every small business owner should complete before the holiday rush:
- Update Everything –Make sure every computing product you have, whether it’s a desktop, laptop, server, mobile device, point-of-sale terminal, WiFi router, etc., is fully updated with the latest software and security patches. This will lower the risk of hackers exploiting known security flaws. In particular, businesses should transition to the new EMV, or “smart chip,” point-of-sale devices as soon as possible since the older swipe-based terminals no longer have fraud coverage by the major credit card companies. Also, if you’re still using other end-of-life software or devices, like Windows XP or Windows Server 2003, try to replace them as soon as possible as they are high-risk targets.
- Do a Password Audit –Now’s the time to start asking questions like, do any of your employees have too much access to sensitive networks or data, when was the last time the company reset its passwords, how strong are employees’ individual passwords and what would happen if any single password was compromised by a hacker. Segment the company so that no single employee has too much access to key accounts – that way, if they’re hacked they won’t sink the ship. Make sure every employee has a “password manager” tool (ex: LastPass, Dashlane) loaded on her desktop, laptop, mobile device and point-of-sale terminal. Require passwords to be long and complex (12+ characters, using upper and lower case letters, numbers and special symbols), and changed frequently.
- Scan the Website –Most small business websites today are riddled with basic security flaws. These flaws could allow a hacker to steal information stored on back-end servers, or infect customers who visit the web page. Sign up for a web scanning service (ex: McAfee SECURE, Symantec Safe Site) that will check the site every day for vulnerabilities and malware. Go one step further by signing up for a security information and event management, or SIEM, tool (ex: AlienVault, HP Arcsight) – this will monitor the site for active attacks.
- Isolate Your Online Banking –A special type of malware known as the “banking Trojan” is widespread on the Internet and it’s easy to get infected just by surfing the web and opening emails. Criminals use this malware to takeover small business bank accounts and steal tens of thousands to millions of dollars. Banks don’t always catch the fraudulent activity and they may refuse to reimburse the small business for its losses. The best way to avoid this risk is by having a dedicated computer (desktop or laptop) that is literally used for nothing else except logging into the online bank account. This will greatly reduce your chance of a malware infection. Also, sign up for extra security features offered by your bank, such as two-factor authentication, email alerts and fraud monitoring.
- Anticipate Extortion Attacks –Cyber extortion incidents are growing rapidly across the US, and SMBs are a prime target. Two of the most common attacks, especially during the holiday season, are distributed denial-of-service (DDoS) and ransomware. In a DDoS attack, hackers will knock the company’s website offline by flooding it with bogus web traffic. They will then demand a fee (usually $5,000+) to stop the attack. The best way to prevent this is by signing up with a DDoS mitigation service (ex: CloudFlare, Incapsula). In the case of ransomware, the company will be infected with a type of malware that locks up all available files (e.g., Word docs, spreadsheets, etc.) using high-grade encryption, thereby rendering them unusable. The hackers will then demand a ransom to unlock the data. The best way to mitigate this attack is a simple one – back-up data regularly. If back-ups are done every day, or at least once per week, the company can simply wipe the hard drive of the infected machine and restore the data – with only a minimal disruption of business operations.
- Lockbox Your Data –Every company will eventually be hacked. Therefore, safeguard your most important data – like customer accounts – by encrypting it, that way, even if a hacker breaks in and steals these files, they won’t be able to use them. There are a wide range of commercially available encryption products that are user-friendly and inexpensive. They include full-disk and file encryption tools, as well as email and cloud encryption.
By following these six simple, inexpensive tips, any business can significantly reduce the damage potential of a hack. Remember, no business can prevent every cyber attack, so focus instead on common sense measures that will protect data and operations even if the worst comes to pass.
So much for counter-phishing training: Half of people click anything sent to them Even people who claimed to be aware of risks clicked out of curiosity.
SEAN GALLAGHER 8/31/2016
Sean is Ars Technica’s IT Editor. A former Navy officer, systems administrator, and network systems integrator
Security experts often talk about the importance of educating people about the risks of “phishing” e-mails containing links to malicious websites. But sometimes, even awareness isn’t enough. A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages—even though most of them claimed to be aware of the risks.
The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month’s Black Hat security conference. Simulated “spear phishing” attacks were sent to 1,700 test subjects—university students—from fake accounts.
The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data—some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year’s Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message “access denied,” but the site logged the clicks by each student.
The messages that addressed the targets by name scored clicks from 56 percent of e-mail targets and 37 percent of Facebook message recipients. But while the less-targeted messages in the second test only yielded 20 percent results for the e-mails, they scored 42 percent via Facebook messages.
“The overall results surprised us, as 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links,” Dr Benenson said in a FAU posting on the research. “And only 20 percent from the first study and 16 percent from the second study said that they had clicked on the link.” But in fact, of those claiming they were security savvy, “we found that 45 and 25 percent respectively had clicked on the links,” Dr Benenson said.
For those who admitted to clicking on the link, the majority said they did so out of curiosity. Half of those who didn’t were warned off because they didn’t recognize the sender’s name, and a small minority avoided clicking because they were concerned about the privacy of the person who may have accidentally sent them the link. “I think that with careful planning and execution, anyone can be made to click on this type of link, even if it’s just out of curiosity,” Benenson said.
Given the vast amount of personal data that’s available to attackers—especially thanks to breaches like the one at the Office of Personnel Management, for example—crafting that sort of message for targets of interest has gotten a lot easier. The bottom line is that telling people not to click strange links is not going to be enough.
By: Steve Evans Freelance journalist, copywriter and editorial consultant
Access to social media and BYOD are the biggest internal security threats businesses face, while organized cybercrime is the greatest external threat, according to a new report from fraud specialists Callcredit Information Group.
The group’s Fraud and Risk 2016 Report found that fraud prevention managers and directors rated employee access to social media websites and services (43%) and BYOD to work (35%) as the biggest obstacles IT faces when it comes to preventing data breaches. Lack of knowledge about security threats (28%) and access to personal email accounts (25%) are also considered problematic.
As well as being worried about those internal threats, fraud managers also fear external risks. Organized cybercrime is listed as the current biggest threat, with 75% of respondents fearing it. Respondents to the survey were also worried about identity fraud (51%), money laundering (50%) and social engineering, such as phishing (46%).
However, many appear to see organized crime as a short-term issue; only 26% think organized crime will still be as big a threat in two or three years. Instead, denial of service is expected to be the primary external threat in the future, ahead of “malicious, external loss or compromise of data” (50%), and “accidental, internal loss or compromise of data by an employee” (50%), and ransomware (48%).
Fraud managers seem particularly worried about internal threats. More respondents (46%) considered the threat of malicious, internal loss of data or fraud by an employee a greater threat than the same threats from external parties (42%).
Despite these worries, many fraud managers feel their organization is ahead of those cyber-criminals who specialize in fraud. Just 13% feel they are behind the fraudsters, while 75% feel on top of things.
The report also brought up interesting reactions to Brexit. While most respondents (57%) feel it will have little impact on the risk of fraud, 28% feel it will increase it. That’s primarily driven by a fear that leaving the EU will reduce information sharing between the UK and European anti-fraud authorities.
“As fraud in our society grows, and as geographically mobile individuals increasingly need to establish their digital identity, so the pressure on fraud and risk professionals to protect their organizations and consumers mounts,” said John Cannon, director, fraud & ID, Callcredit Information Group.
“Whilst fraud professionals might be confident in their abilities to prevent and deal with a potential breach, our research suggests that employees need much more education on the risks. Explaining the threats, giving them suggestions on how to protect themselves and informing them about ways to spot a breach could be instrumental in protecting a company from cybercrime. Organizations are only as strong as their weakest link, and the entire workforce needs to understand what the cyber vulnerabilities are in order to prevent them,” he added.
69 Million Dropbox Passwords Compromised; Last.fm Reportedly Breached in 2012
To the annals of super-bad historical mega breaches that no one knew about, add a new entry: file-hosting service Dropbox. Separately, music service Last.fm also was reportedly breached badly in 2012, although that has yet to be independently confirmed.
On Aug. 27, Dropbox began alerting customers that if they had signed up to the service before mid-2012 but not changed their passwords since mid-2012, then they would be required to do so.
Dropbox’s Aug. 27 alert suggests that the service might not know which users have changed their passwords since mid-2012.
“We recently learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012,” Dropbox says on its website, indicating it first heard related rumors in mid-August. Resetting the passwords that it believes may have been exposed “ensures that even if these passwords are cracked, they can’t be used to access Dropbox accounts,” the alert notes.
Dropbox first learned about that breach in 2012 and issued an alert to users in July of that year, saying it had traced the breach to an employee reusing their corporate password across multiple sites. The company said it added new security features designed to protect against such breaches. But at the time, Dropbox evidently failed to comprehend the true magnitude of the breach and forced relatively few password resets.
What’s belatedly come to light, however, is that as a result of that 2012 breach, details for almost 69 million user accounts – including email addresses and hashed passwords – were stolen. The information reportedly began circulating recently on underground forums.
More Historical Mega Breaches
This year has seen a spate of mega breaches belatedly coming to light. Four announced in May came from MySpace – the date of its breach remains unclear, though it’s obviously not recent; LinkedIn, which disclosed that its 2012 breach resulted in 165 million passwords being compromised; Tumblr, which warned that 65 million accounts were breached in 2013, prior to its acquisition by Yahoo; and “adult social network” Fling, which said that 41 million accounts were breached in 2011.
On Sept. 1, paid data breach site Leaked Source described yet another old, alleged breach, this one hitting music service Last.fm. Leaked Source claims that the service was hacked in March 2012 and data on 43.6 million users – including usernames, email addresses and passwords – was stolen. While that breach has yet to be independently verified, Leaked Source says that it successfully cracked 96 percent of the site’s unsalted passwords, which had been hashed with MD5.
Last.fm didn’t immediately respond to a request for comment on that report.
Dropbox Breach: Worse than Believed
Dropbox’s Aug. 27 breach alert arrived just a few months after several identity theft services misreported that user data from the site had been leaked (see Dropbox Confident Amidst Breaches).
It turns out, however, that the 2012 Dropbox breach appears to have been much worse than originally believed. Indeed, sometime after Dropbox was hacked in mid-2012, “a large volume of data totaling more than 68 million records was subsequently traded online and included email addresses and salted hashes of passwords, half of them SHA-1, half of them bcrypt,” says Troy Hunt, who runs the free Have I Been Pwned? website.
Security experts laud bcrypt as an excellent, purpose-built password-hashing algorithm, but warn that SHA-1 – as well as MD5 – are deprecated and shouldn’t be used. Dropbox, to its credit, in recent years appears to have phased out SHA-1 in favor of bcrypt.
Technology news site Motherboard reports that it obtained a sample of the data that hackers allegedly stole from Dropbox, and that it contains details relating to 68.7 million accounts, including email addresses and hashed passwords. It says that an unnamed, senior Dropbox employee confirmed that the information was legitimate.
Dropbox couldn’t be immediately reached for comment on that report.
But Hunt says he independently reviewed the data and found it to be authentic. He acknowledges that it contains old passwords set by him and his wife.
The Dropbox passwords were salted, which refers to the practice of adding data to a password before it gets run through a one-way hashing algorithm, which makes it more difficult for attackers to crack. Whenever users enter their password in the site again, it gets salted and run through the password-hashing algorithm, and if there’s a match, then the site knows the password is authentic.
Hunt says that while the passwords are salted, that doesn’t mean they were invulnerable. “The risk is they may be cracked, but their password hashing approach means that’s only likely with bad passwords,” Hunt says via Twitter.
Hunt has added the Dropbox breach to his website’s list of the top 10 breaches of all time. It currently holds sixth place, behind breaches of Adobe (152 million accounts exposed), China’s Badoo (112 million) and Russian social media site VK (93 million), among others.
Enable Two-Step Verification
Two safeguards against breaches that may happen today, but not be revealed until well into the future, are to use unique passwords for each site – thus blocking attackers from reusing the credentials to log into other sites – as well as to enable two-step authentication whenever possible. The latter means that even if attackers obtain a user’s valid password, they can’t use it unless they can somehow also obtain, for example, a one-time verification code.
After it was hacked in July 2012, the next month Dropbox introduced two-step verification as a free option for all users. Today, it works via text messages or a mobile app, generating a unique six-digit security code that users must enter to log in. The authentication feature also works with some types of security keys – small USB or near-field communication devices that typically get carried on a keychain and are used as the second step for verification.
By NICOLE PERLROTHSEPT. 22, 2016
The announcement of the breach at Yahoo comes as Verizon Communications moves forward with its $4.8 billion acquisition of the company. Credit Mike Blake/Reuters
SAN FRANCISCO — Yahoo announced on Thursday that the account information of at least 500 million users was stolen by hackers two years ago, in the biggest known intrusion of one company’s computer network.
In a statement, Yahoo said user information — including names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions — was compromised in 2014 by what it believed was a “state-sponsored actor.”
While Yahoo did not name the country involved, how the company discovered the hack nearly two years after the fact offered a glimpse at the complicated and mysterious world of the underground web.
The hack of Yahoo, still one of the internet’s busiest sites with one billion monthly users, also has far-reaching implications for both consumers and one of America’s largest companies, Verizon Communications, which is in the process of acquiring Yahoo for $4.8 billion. Yahoo Mail is one of the oldest free email services, and many users have built their digital identities around it, from their bank accounts to photo albums and even medical information.
Changing Yahoo passwords will be just the start for many users. They’ll also have to comb through other services to make sure passwords used on those sites aren’t too similar to what they were using on Yahoo. And if they weren’t doing so already, they’ll have to treat everything they receive online with an abundance of suspicion, in case hackers are trying to trick them out of even more information.
The company said as much in an email to users that warned it was invalidating existing security questions — things like your mother’s maiden name or the name of the street you grew up on — and asked users to change their passwords. Yahoo also said it was working with law enforcement in their investigation and encouraged people to change up the security on other online accounts and monitor those accounts for suspicious activity as well.
“The stolen Yahoo data is critical because it not only leads to a single system but to users’ connections to their banks, social media profiles, other financial services and users’ friends and family,” said Alex Holden, the founder of Hold Security, which has been tracking the flow of stolen Yahoo credentials on the underground web. “This is one of the biggest breaches of people’s privacy and very far-reaching.”
How to Protect Yourself After the Yahoo Attack
Yahoo said on Thursday that hackers stole the account information of at least 500 million users. Here are some answers to frequently asked questions about how you can protect yourself.
The Yahoo hack also adds another miscue to what has been a troubled sale of a long-troubled company. In July, Verizon said it would acquire the internet pioneer, roughly a month before Yahoo security experts started looking into whether the site had been hacked. It is unclear what effect, if any, the breach will have on Yahoo’s sale price.
In a statement on Thursday, a Verizon spokesman, Bob Varettoni, said his company learned of the breach of Yahoo’s systems only two days ago and had “limited information and understanding of the impact.”
It is unclear whether security testing — such as a test to see if security experts could break into the Yahoo network — was performed as part of Verizon’s due diligence process before it agreed to the acquisition.
But such security is often overlooked by investors, even though breaches can result in stolen intellectual property, compromised user accounts and class-action lawsuits. To date, no law requires such security checks as part of due diligence.
“Cybersecurity can absolutely affect a valuation, and these are important questions that investors need to be asking,” said Jacob Olcott, vice president of BitSight Technologies, a security company.
Yahoo said it learned of the data breach this summer after hackers posted to underground forums and online marketplaces what they claimed was stolen Yahoo data. A Yahoo security team was unable to verify those claims. But what they eventually found was worse: a breach by what they believe was a state-sponsored actor that dated back to 2014.
A potential breach of Yahoo’s systems was first reported by the tech news site Recode early Thursday morning.
The first sign that something was amiss appeared in June, when a Russian hacker who goes by the user name Tessa88 started mentioning, in underground web forums, a new trove of stolen Yahoo data, Mr. Holden said. In July, Tessa88 supplied a sample of the stolen collection to people in the so-called underground web for authentication.
Backup generators and buildings housing computer servers at a Yahoo facility in Lockport, N.Y. Credit Andrew Harrer/Bloomberg
The sample contained valid Yahoo user accounts, but it was unclear whether the data was from a breach of a third-party service or Yahoo itself. And it was not clear whether it came from a recent Yahoo breach or a previous incident in 2012, when the internet service acknowledged that more than 450,000 user accounts were compromised.
Then, in August, a second hacker who goes by the alias Peace of Mind began offering a large collection of stolen Yahoo credentials — including user names, easily cracked passwords, birth dates, ZIP codes and email addresses — on a site called TheRealDeal, where hackers can buy and sell stolen data, Mr. Holden said.
TheRealDeal uses Tor, the anonymity software, and Bitcoin, the digital currency, to hide the identities of buyers, sellers and administrators who are trading attack methods and stolen data.
After looking into that data, Yahoo did not find evidence that the stolen credentials came from its own systems. But it did find evidence of a far more serious breach of its systems two years earlier.
Two years is an unusually long time to identify a hacking incident. According to the Ponemon Institute, which tracks data breaches, the average time it takes organizations to identify such an attack is 191 days, and the average time to contain a breach is 58 days after discovery.
Security experts say the breach could bring about class-action lawsuits, in addition to other costs. An annual report by the Ponemon Institute in July found that the costs to remediate a data breach is $221 per stolen record. Added up, that would top Yahoo’s $4.8 billion sale price.
Thursday afternoon, Senator Mark R. Warner, a Democrat from Virginia and former technology executive, issued a statement that said the “seriousness of this breach at Yahoo is huge.”
He weighed in with a call for a federal “breach notification standard” to replace data notification laws that vary by state. Senator Warner added that he was “most troubled” that the public was only learning of the incident two years after it happened.
Michael J. de la Merced contributed reporting in San Francisco.
By bagging a privileged user early on, attackers can move from entry point to mission accomplished in no time at all.
In the world of cybersecurity, there are two wildly different approaches to phishing.
The first, which we subscribe to, recognizes the threat posed to organizations by phishing attacks, and seeks to defend against it by both educating employees and tightening internal controls. In those cases where a phishing attack is successful, our camp aims to eliminate the threat as quickly as possible, and then learn from it.
The second approach is quite different.
There are those within the cybersecurity world who believe that since it is impossible to completely prevent employees from being suckered by phishing emails, there’s no point in even trying to educate them. The theory goes that defending against any form of cyber attack (including phishing) is the responsibility of your information security team. Employees are simply too busy, and too ignorant, to be involved in the process.
I believe this is a mistake, and I’ll explain why.
Understanding your attacker
Whatever your approach to cyber security, it makes sense to start with an understanding of the people you’re trying to protect.
Image Source: PhishLabs
The Verizon 2016 Data Breach Investigation Report is a tremendous resource for this sort of research; it immediately informs us that external attackers cause the majority of breaches. The insider threat is certainly a concern, but statistically you’re far, far more likely to be breached by an external actor.
The report also explains that although you’ll need to defend against many different cyber weapons (malware, social engineering, hacking, etc.), most attacks fall into two categories: point of sale (PoS) and phishing. Unsurprisingly, our main focus is on the various threats posed by phishing attacks. But perhaps most important of all, the report provides an insight directly into the mind of your attacker. Over the past 12 months there has been tremendous speculation as to the motives behind cyber attacks, with much being made of a few high-profile instances of state-sponsored cyber espionage.
But are governments and competitors really lining up to steal your secrets? Well… no.
In an overwhelming majority of cases, the motivation behind cyber attacks is financial reward. There is a huge black market, accessible through the Dark Web, where hackers can sell proprietary and payment data to the highest bidder. Typically this is a collection of large organized crime syndicates, many of which are based in countries with no extradition treaties.
Rest assured that there is big money in play here, and successful hackers get paid extremely well for their “work.”
So what does all this tell us? In short, it lets you know where to concentrate your cybersecurity efforts for maximum effect. If your organization does fall prey to an attack, it’s most likely to come in the form of a phishing email designed to grant access that can ultimately be used to steal saleable information.
The anatomy of a (successful) phishing attack
Now that we understand the methods and motivations of most attackers, it’s much easier to comprehend the format of a typical attack. Initially, the attacker needs an entry point. In most cases, this will be a phishing email that baits one of your employees into installing malicious software (malware) or giving away their login credentials (social engineering).
Once the attacker has gained access to your network, they’ll try to make lateral movements to expand their access and level of control. This could include stealing proprietary data to inform further targeted phishing attacks (spear phishing), identifying vulnerabilities, and/or stealing higher value credentials.
Finally, once they have the required level of access, your attacker can enact their primary mission: to steal and sell your data.
Going after the big phish
As you’ve no doubt gathered, your attackers’ job will be much easier if they can successfully phish someone with a high level of access. Rather than spending time gradually increasing their permissions and control, by bagging a privileged user early on they can move from entry point to mission accomplished in no time at all. This tactic is known as whale phishing, or “whaling,” and it can spell disaster for your organization. Clearly, this is not what you want to happen.
Every phishing attack relies, at some point, on being able to sucker employees into clicking on something they shouldn’t. Now, while it’s true that the information security team can play a huge part in preventing this, many phishing emails can be kept out of employees’ inboxes by well-maintained filters, and more can be foiled by tight security controls.
But what about your privileged users: directors, executives and system admins who all usually have a high level of access? What if they’re targeted by spearphishing or whaling attacks?
Access controls on your whales
I know it’s tempting to overestimate access requirements, but it’s important to consider how much access these people really need. Nobody wants the finance director to fly off the handle because he can’t run a report, but in reality he probably doesn’t need read/write access to every area of the network.
Regardless of your approach to dealing with the threat of phishing attacks, tightening internal controls such as user access levels is hugely important, and can spell the difference between a narrow escape and a crushing data breach. Most users do not need to be able to install programs or access sensitive data, and if for some reason they do, they can always be granted specific access on a case-by-case basis.
Controls aren’t enough
It’s true that you can’t rely 100% on your employees to report and delete phishing emails, but you also can’t rely 100% on your security controls. Like it or not, some phishing emails are going to end up in the inboxes of privileged users, and it’s going to come down to them to determine whether that attack is successful. If you can engage and train your employees to recognize and report phishing emails, you’re adding a vital last line of defense that otherwise wouldn’t be there.
At the end of the day, it’s a choice between a reported phishing email and a successfully installed malware package. I know which side I’m standing on.
Brian Krebs, JUL 16, 2016
Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.
If you’re unsure how much of your organization’s strategic assets may be intimately tied up with all this technology stuff, ask yourself what would be of special worth to a network intruder. Here’s a look at some of the key corporate assets that may be of interest and value to modern bad guys.
This isn’t meant to be an exhaustive list; I’m sure we can all think of other examples, and perhaps if I receive enough suggestions from readers I’ll update this graphic. But the point is that whatever paltry monetary value the cybercrime underground may assign to these stolen assets individually, they’re each likely worth far more to the victimized company — if indeed a price can be placed on them at all.
In years past, most traditional, financially-oriented cybercrime was opportunistic: That is, the bad guys tended to focus on getting in quickly, grabbing all the data that they knew how to easily monetize, and then perhaps leaving behind malware on the hacked systems that abused them for spam distribution.
These days, an opportunistic, mass-mailed malware infection can quickly and easily morph into a much more serious and sustained problem for the victim organization (just ask Target). This is partly because many of the criminals who run large spam crime machines responsible for pumping out the latest malware threats have grown more adept at mining and harvesting stolen data.
That data mining process involves harvesting and stealthily testing interesting and potentially useful usernames and passwords stolen from victim systems. Today’s more clueful cybercrooks understand that if they can identify compromised systems inside organizations that may be sought-after targets of organized cybercrime groups, those groups might be willing to pay handsomely for such ready-made access.
It’s also never been easier for disgruntled employees to sell access to their employer’s systems or data, thanks to the proliferation of open and anonymous cybercrime forums on the Dark Web that serve as a bustling marketplace for such commerce. In addition, the past few years have seen the emergence of several very secretive crime forums wherein members routinely solicited bids regarding names of people at targeted corporations that could serve as insiders, as well as lists of people who might be susceptible to being recruited or extorted.
The sad truth is that far too many organizations spend only what they have to on security, which is often to meet some kind of compliance obligation such as HIPAA to protect healthcare records, or PCI certification to be able to handle credit card data, for example. However, real and effective security is about going beyond compliance — by focusing on rapidly detecting and responding to intrusions, and constantly doing that gap analysis to identify and shore up your organization’s weak spots before the bad guys can exploit them.
Those weak spots very well may be your users, by the way. A number of security professionals I know and respect claim that security awareness training for employees doesn’t move the needle much. These naysayers note that there will always be employees who will click on suspicious links and open email attachments no matter how much training they receive. While this is generally true, at least such security training and evaluation offers the employer a better sense of which employees may need more heavy monitoring on the job and perhaps even additional computer and network restrictions.
If you help run an organization, consider whether the leadership is investing enough to secure everything that’s riding on top of all that technology powering your mission: Chances are there’s a great deal more at stake than you realize.
Organizational leaders in search of a clue about how to increase both their security maturity and the resiliency of all their precious technology stuff could do far worse than to start with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), the federal agency that works with industry to develop and apply technology, measurements, and standards. This primer (PDF) from PWC does a good job of explaining why the NIST Framework may be worth a closer look.
By KATIE ROGERS
JUNE 22, 2016
Mark Zuckerberg is one of the most powerful men in the world because billions of people give Facebook, which he founded, free access to their personal data. In return, users receive carefully curated snapshots of his life: baby photos, mundane office tours and the occasional 5K.
On Tuesday, observers were reminded that Mr. Zuckerberg, 32, is not just a normal guy who enjoys running and quiet dinners with friends. In a photo posted to his Facebook account, he celebrated the growing user base of Instagram, which is owned by Facebook. An eagle-eyed Twitter user named Chris Olson noticed that in the image’s background, his laptop camera and microphone jack appeared to be covered with tape.
Other publications, including Gizmodo, used the tweet to raise the question: Was this paranoia, or just good practice?
The taped-over camera and microphone jack are usually a signal that someone is concerned, perhaps only vaguely, about hackers’ gaining access to his or her devices by using remote-access trojans — a process called “ratting.” (Remote access is not limited to ratters: According to a cache of National Security Agency documents leaked by Edward J. Snowden, at least two government-designed programs were devised to take over computer cameras and microphones.)
Security experts supported the taping, for a few good reasons:
- The first is that Mr. Zuckerberg is a high-value target.
“I think Zuckerberg is sensible to take these precautions,” Graham Cluley, an online security expert and consultant, wrote in an email Wednesday. “As well as intelligence agencies and conventional online criminals who might be interested in targeting his billions, there are no doubt plenty of mischievous hackers who would find it amusing to spy upon such a high-profile figure.”
- The second is that covering photo, video and audio portals has long been a basic and cheap security safeguard.
“Covering the camera is a very common security measure,” Lysa Myers, a security researcher at the data security firm ESET, said in an email. “If you were to walk around a security conference, you would have an easier time counting devices that don’t have something over the camera.”
- Third, Mr. Zuckerberg is not immune to security breaches.
A recent hacking of his Twitter and LinkedIn accounts shows that he most likely committed two basic privacy faux pas: He may have used the same password across several websites and did not use two-factor authentication.
Judging from his photo, however, it appears that Mr. Zuckerberg was taking simple precautions to protect himself from anyone who may try to gain remote access. The practice is fairly technologically simple: Hackers trick people into clicking on links or unfamiliar websites containing malware that allows them access to the devices.
Mr. Zuckerberg is not the only high-profile case: James Comey, the director of the F.B.I., told students at Kenyon College in April that he also puts tape over his computer’s webcam, for surprisingly simple reasons, according to NPR:
“I saw something in the news, so I copied it,” Mr. Comey said. “I put a piece of tape — I have obviously a laptop, personal laptop — I put a piece of tape over the camera. Because I saw somebody smarter than I am had a piece of tape over their camera.”
People who are not billionaires or high-ranking government officials are not without risk, said Stephen Cobb, a senior security researcher at ESET.
“For people who are not C.E.O.s, the threat is people scanning the internet for accessible webcams for a range of motives, from voyeurism to extortion,” Mr. Cobb wrote in an email.
Experts don’t have a good estimate for how often such attacks occur, but according to a 2015 report released by the nonprofit Digital Citizens Alliance, the practice is a growing problem for consumers, especially young women. The report also said that trojans account for some 70 percent of all malware.
“They’ve been one of the most popular types of malware on every operating system, for quite a long time,” Ms. Myers, of ESET, said. “The best ways to protect against them are to update all your software on your machine regularly, and use reputable security software, including anti-malware and a firewall.”
June 21, 2016
A number of users are experiencing problems during logging into GoToMyPC because Citrix reset account passwords after hackers reportedly attacked it.
It’s official, the GoToMyPC service operated by Citrix is the last victim of the hackers.
GoToMyPC is remote desktop software that allows users to access and control their computers remotely by using a simple web browser.
A number of users are experiencing problems during logging into GoToMyPC because Citrix experts have reset account passwords after unknown hackers reportedly attacked the service.
The advisory doesn’t include details on the attack, it only describes it a “very sophisticated password attack.”
Now the problem is to understand if hackers breached the GoToMyPC severs or if the attackers used passwords available online leveraging the bad habit of users in sharing same credentials among various services.
The company is still investigating the case, meantime, let me suggest also to change the password for all those services for which you shared the same credentials.
The incident reminds us the problem recently suffered by TeamViewer, recently many TeamViewer users reported that their systems were accessed by hackers via the popular support tool, but the company denies any incident.
GoToMyPC is suggesting customers to enable two-step verification in order to improve the security of their accounts.
To learn more about the File Sync and Share Program that you may wish to use to replace accessing your computer remotely, contact us at 518-479-3881.