Originally seen on CNBC on Feb 10th, 2020 by Megan Leonhardt
The Justice Department announced Monday that it’s indicting four members of the Chinese military for the 2017 Equifax data hack, which exposed the personal information of 147 million Americans.
The department’s painstaking investigation also found there’s no evidence the data stolen has been used “at this time,” FBI Deputy Director David Bowdich said during a press conference Monday.
Yet Bowdich urged consumers to remain vigilant when it comes to protecting their information. “As American citizens, we cannot be complacent about protecting our sensitive, personal data,” he says.
The Equifax data breach, first announced in September 2017, is one of the largest in history, with 147 million consumers affected, according to the Federal Trade Commission. Hackers were able to get access to a multitude of consumers’ private information, including names, Social Security numbers, dates of birth, credit card numbers and even driver’s license numbers.
During the investigation into the breach, Equifax admitted the company was informed in March 2017 that hackers could exploit a vulnerability in its system, but it failed to install the necessary patches.
Last summer, Equifax agreed to pay $700 million to settle federal and state investigations into how it handled the massive data breach. As part of the settlement individual consumers were able to claim up to $20,000 for any losses or fraud caused by the breach or free credit-monitoring services. If you already had credit monitoring in place, you could submit a claim for up to $125 cash payment.
The settlement received final approval last month. If you’re still unsure if your data was part of the Equifax breach, you can enter your name and the last 4 digits of your Social Security number in a search here.
That’s especially true since much of the information that was stolen in the Equifax breach, including Social Security numbers, does not change with time. In fact, this type of data can become more valuable over time, aging like a fine wine, Steinberg says. “If the Chinese use the data a decade from now, few people will even be thinking about the Equifax breach.”
That said, Steinberg says the Chinese government is probably not stealing data in order to steal money, and identity theft is probably not its primary reason either. “The data might have tremendous value in terms of recruiting spies and other military-type purposes,” he says, adding that “the FBI would not have a clue if the data were used as such.”
To protect your data, Bowdich recommends Americans avoid clicking on links or opening attachments in emails, especially when you don’t know the sender.
Emails are a particularly common way for fraudsters to gain access to your credit card information or identity. Hackers send what’s called a phishing email. “Email is the number-one way cyber crime of all forms happens. If a bad guy can get you to click on a link in an email, he can do all manner of bad things to your online life,” says Dave Baggett, co-founder and CEO of anti-phishing start-up Inky.
Americans should also use two-factor authentication, which generally requires users not only to enter a password, but also to confirm their identity by logging onto their phone or entering a code texted or emailed to them.
Last, people should check their credit report on a “fairly regular” basis, Bowdich said. Unlike a simple credit score, your entire credit report provides a comprehensive look at your credit history and activity. You can get a free copy of your report once a year from each of the three major credit bureaus: Equifax, Experian and TransUnion.
“They should make sure their data and their information is secure,” Bowdich said.
Originally seen on Forbes on Feb 11th, 2020 by Kate O’Flaherty
The Yahoo breach is known as one of the worst of all time, partly because of its size. When the firm was hacked twice in 2016, all of Yahoo’s 3 billion users were affected. Worse still, hackers had stolen highly sensitive information including names, security questions and answers, and passwords.
It’s only fair, then, that those impacted are given compensation of some kind. Last year, Yahoo said it would pay up to $25,000 to each person affected by the breach, with $100 or free credit monitoring available to most users. It is part of a $117.5 million breach settlement for 194 million people.
The higher $25,000 is available if you can prove the financial damage you suffered due to the Yahoo hack. You are eligible for the $100 payout if you can prove you already have credit monitoring in place.
Last week, you might have received an email telling you more about the Yahoo payout. The deadline of July 20 this year is getting closer, so what better time to apply for your compensation? Here’s what you need to do.
How to apply for a Yahoo breach compensation payout
If you are based in the U.S. and had a Yahoo account between January 1 2012 and December 31 2016, you are eligible to make a claim. The first thing you need to do is visit Yahoo’s settlement website, where you can see whether you qualify for credit monitoring or the $100 cash payout. The cash payout might even go higher–if too few people apply in time, the money could go up to a more enticing $358.80 per claim.
However, you do need to prove that you have credit monitoring in place in order to qualify for the cash.
You also might be eligible for a payout of up to $25,000 in out-of-pocket losses. According to the Yahoo settlement website, this includes “lost time, that you believe you suffered or are suffering because of the data breaches.”
The settlement site explains that you can receive payment for up to fifteen hours of time at an hourly rate of $25.00 per hour or unpaid time off work at your actual hourly rate, whichever is greater. If your lost time is not documented, you can receive payment for up to five hours at that same rate, the site says.
Once you have worked out whether you are eligible, and how much you can apply for, you can file your claim via a form on the Yahoo settlement website. You will need to supply all the relevant documents.
Breach settlement payouts increase
The Yahoo and Equifax breaches are considered among the worst hacks of all time, and both firms have been the subject of class action lawsuits resulting in payouts. The initial Equifax claim deadline, which saw breach victims apply for up to $20,000, has just passed.
There is no doubt that companies such as these needed to take better care of customers’ data, and paying some kind of compensation is, quite frankly, the least they can do.
When news hit this week that West Virginian military members serving abroad will become the first people to vote by phone in a major US election this November, security experts were dismayed. For years, they have warned that all forms of online voting are particularly vulnerable to attacks, and with signs that the midterm elections are already being targeted, they worry this is exactly the wrong time to roll out a new method. Experts who spoke to WIRED doubt that Voatz, the Boston-based startup whose app will run the West Virginia mobile voting, has figured out how to secure online voting when no one else has. At the very least, they are concerned about the lack of transparency.
“From what is available publicly about this app, it’s no different from sending voting materials over the internet,” says Marian Schneider, president of the nonpartisan advocacy group Verified Voting. “So that means that all the built-in vulnerability of doing the voting transactions over the internet is present.”
And there are a lot of vulnerabilities when it comes to voting over the internet. The device a person is using could be compromised by malware. Or their browser could be compromised. In many online voting systems, voters receive a link to an online portal in an email from their election officials—a link that could be spoofed to redirect to a different website. There’s also the risk that someone could impersonate the voter. The servers that online voting systems rely on could themselves be targeted by viruses to tamper with votes or by DDoS attacks to bring down the whole system. Crucially, electronic votes don’t create the paper trail that allows officials to audit elections after the fact, or to serve as a backup if there is in fact tampering.
But the thing is, people want to vote by phone. In a 2016 Consumer Reports survey of 3,649 voting-age Americans, 33 percent of respondents said that they would be more likely to vote if they could do it from an internet-connected device like a smartphone. (Whether it would actually increase voter turnout is unclear; a 2014 report conducted by an independent panel on internet voting in British Columbia concludes that, when all factors are considered, online voting doesn’t actually lead more people to vote.)
Thirty-one states and Washington, DC, already allow certain people, mostly service members abroad, to file absentee ballots online, according to Verified Voting. But in 28 of those states—including Alaska, where any registered voter can vote online—online voters must waive their right to a secret ballot, underscoring another major risk that security experts worry about with online voting: that it can’t protect voter privacy.
“Because of current technological limitations, and the unique challenges of running public elections, it is impossible to maintain separation of voters’ identities from their votes when Internet voting is used,” concludes a 2016 joint report from Common Cause, Verified Voting, and the Electronic Privacy Information Center. That’s true whether those votes were logged by email, fax, or an online portal.
Voatz says it’s different. The 12-person startup, which raised $2.2 million in venture capital in January, has worked on dozens of pilot elections, including primaries in two West Virginia counties this May. On a website FAQ, it notes, “There are several important differences between traditional Internet voting and the West Virginia pilot—mainly, security.”
Voatz CEO Nimit Sawhney says the app has two features that make it more secure than other forms of online voting: the biometrics it uses to authenticate a voter and the blockchain ledger where it stores the votes.
The biometrics part occurs when a voter authenticates their identity using a fingerprint scan on their phones. The app works only on certain Androids and recent iPhones with that feature. Voters must also upload a photo of an official ID—which Sawhney says Voatz verifies by scanning their barcodes—and a video selfie, which Voatz will match to the ID using facial-recognition technology. (“You have to move your face and blink your eyes to make sure you are not taking a video of somebody else or taking a picture of a picture,” Sawhney says.) It’s up to election officials to decide whether a voter should have to upload a new selfie or fingerprint scan each time they access the app or just the first time.
The blockchain comes in after the votes are entered. “The network then verifies it—there’s a whole bunch of checks—then adds it to the blockchain, where it stays in a lockbox until election night,” Sawhney says. Voatz uses a permissioned blockchain, which is run by a specific group of people with granted access, as opposed to a public blockchain like Bitcoin. And in order for election officials to access the votes on election night, they need Voatz to hand deliver them the cryptographic keys.
Sawhney says that election officials print out a copy of each vote once they access them, in order to do an audit. He also tells WIRED that in the version of the app that people will use in November, Voatz will add a way for voters to take a screenshot of their vote and have that separately sent to election officials for a secondary audit.
To address concerns about ballot secrecy, Sawhney says Voatz deletes all personal identification data from its servers, assigns each person a unique but anonymous identifier within the system, and employs a mix of network encryption methods. “We feel like that extra level of anonymization on the phone and on the network makes it really really hard to reverse-engineer,” he says.
Experts Are Concerned
Very little information is publicly available about the technical architecture behind the Voatz app. The company says it has done a security audit with three third-party security firms, but the results of that audit are not public. Sawhney says the audit contains proprietary and security information that can’t leak to the public. He invited any security researchers who want to see the audit to come to Boston and view it in Voatz’s secure room after signing an NDA.
This lack of transparency worries people who’ve been studying voting security for a long time. “In over a decade, multiple studies by the top experts in the field have concluded that internet voting cannot be made secure with current technology. VOATZ claims to have done something that is not doable with current technology, but WON’T TELL US HOW,” writes Stanford computer scientist and Verified Voting founder David Dill in an email to WIRED.
Voatz shared one white paper with WIRED, but it lacks the kind of information experts might expect—details on the system architecture, threat tests, how the system responds to specific attacks, verification from third parties. “In my opinion, anybody purporting to have securely and robustly applied blockchain technology to voting should have prepared a detailed analysis of how their system would respond to a long list of known threats that voting systems must respond to, and should have made their analysis public,” Carnegie Mellon computer scientist David Eckhardt wrote in an email.
Ideally, experts say, Voatz would have held a public testing period of its app before deploying it in a live election. Back in 2010, for example, Washington, DC, was developing an open-source system for online voting and invited the public to try to hack the system in a mock trial. Researchers from the University of Michigan were able to compromise the election server in 48 hours and change all the vote tallies, according to their report afterward. They also found evidence of foreign operatives already in the DC election server. This kind of testing is now considered best practice for any online voting implementation, according to Eckhardt. Voatz’s trials have been in real primaries.
“West Virginia is handing over its votes to a mystery box.”
DAVID DILL, STANFORD UNIVERSITY
Voatz’s use of blockchain itself does not inspire security experts, either, who dismissed it mostly as marketing. When asked for his thoughts on Voatz’s blockchain technology, University of Michigan computer scientist Alex Halderman, who was part of the group that threat-tested the DC voting portal in 2010, sent WIRED a recent XKCD cartoon about voting software. In the last panel, a stick figure with a microphone tells two software engineers, “They say they’ve fixed it with something called ‘blockchain.’” The engineers’ response? “Aaaaa!!!” “Whatever they’ve sold you, don’t touch it.” “Bury it in the desert.” “Wear gloves.”
“Voting from an app on a mobile phone is as bad an idea as voting online from a computer,” says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins, who has studied electronic voting systems since 1997. “The fact that someone is throwing around the blockchain buzzword does nothing to make this more secure. This is as bad an idea as there is.”
Blockchain has its own limitations, and it’s far from a perfect security solution for something like voting. First of all, information can be manipulated before it enters the chain. “In fact, there is an entire industry in viruses to manipulate cryptocurrency transactions before they enter the blockchain, and there is nothing to prevent the use of similar viruses to change the vote,” says Poorvi Vora, a computer scientist and election security expert at George Washington University.
She adds that if the blockchain is a permissioned version, as Voatz’s is, “It is possible for those maintaining the blockchain to collude to change the data, as well as to introduce denial of service type attacks.”
A keylogging flaw found its way into dozens of Hewlett Packard laptops. Nick Lewis explains how the HP keylogger works and what can be done about it.
More than two dozen models of Hewlett Packard laptops were found to contain a keylogger that recorded keystrokes into a log file. HP released patches to remove the keylogger and the log files. How did the HP keylogger vulnerability get embedded in the laptops? And is there anything organizations can do to test new endpoint devices?
When it comes to security, having high expectations for security vendors and large vendors with deep pockets is reasonable given that customers usually pay a premium believing the vendors will devote significant resources to secure their products. Unfortunately, as with most other security teams, companies often don’t have enough resources or organizational fortitude to ensure security is incorporated into all of the enterprise’s software development.
But even the most secure software development can enable security issues to slip through the cracks. When you add in an outsourced hardware or software development team, it’s even easier for something to go unnoticed.
So while vendors might talk a good talk when it comes to security, monitoring them to ensure they uphold their end of your agreement is absolutely necessary.
One case where a vulnerability apparently escaped notice was uncovered when researchers at Modzero AG, an information security company based in Winterthur, Switzerland, found that a bug had been introduced into HP laptops by a third-party driver installed by default.
The vulnerability was discovered in the Conexant HD Audio Driver package, where the driver monitors for certain keystrokes used to mute or unmute audio. The keylogging functionality, complete with the ability to write all keystrokes to a log file, was probably introduced to help the developers debug the driver.
We can hope that the HP keylogger vulnerability was left in inadvertently when the drivers were released to customers. Modzero found metadata indicating the HP keylogger capability was present in HP computers since December 2015, if not earlier.
It’s difficult to know whether static or dynamic code analysis tools could have detected this vulnerability. However, given the resources available to HP in 2015, including a line of business related to application and code security, as well as the expectations of their customers, it might be reasonable to assume HP could have incorporated these tools into their software development practices. However, the transfer of all of HP’s information security businesses to a new entity, Hewlett Packard Enterprise, began in November 2015, and was completed in September 2017, when Micro Focus merged with HPE.
It’s possible that Modzero found the HP keylogger vulnerability while evaluating a potential new endpoint for an enterprise customer. They could have been monitoring for open files, or looking for which processes had the files open to determine what the process was doing. They could have been profiling the individual processes running by default on the system to see which binaries to investigate for vulnerabilities. They could even have been monitoring to see if any processes were monitoring keystrokes.
Enterprises can take these steps on their own or rely on third parties to monitor their vendors. Many enterprises will install their own image on an endpoint before deploying it on their network — the known good images used for developing specific images for target hardware could have their unique aspects analyzed with a dynamic or runtime application security tool to determine if any common vulnerabilities are present.
Originally seen on Tech Target and written by: Madelyn Bacon
News roundup: The hacking group called Fancy Bears claims to have hacked the Olympics again.
The International Olympic Committee has had its email stolen again, this time in a response to its ban on Russia from the 2018 Winter Olympics.
A hacking group that calls itself Fancy Bears posted email messages allegedly from officials at the International Olympic Committee (IOC), the U.S. Olympic Committee (USOC) and other associated groups, like the World Anti-Doping Agency (WADA). There’s no confirmation yet that the email messages are authentic, but Fancy Bears focuses on anti-doping efforts that got Russia banned from this year’s Olympic Games.
“The national anti-doping agencies of the USA, Great Britain, Canada, Australia, New Zealand and other countries joined WADA and the USOC under the guidance of iNADO [Institute of National Anti-Doping Organisations],” Fancy Bears said on its website. “However, the genuine intentions of the coalition headed by the Anglo-Saxons are much less noble than a war against doping. It is apparent that the Americans and the Canadians are eager to remove the Europeans from the leadership in the Olympic movement and to achieve political dominance of the English-speaking nations.”
The batch of email messages Fancy Bears posted is from 2016 through 2017 and mainly focuses on discrediting Canadian lawyer Richard McLaren, who led the investigation into Russia’s widespread cheating in previous Olympic Games. It was because of the findings in his investigation that many Russian athletes are banned from the 2018 games in Pyeongchang, South Korea.
The IOC declined to comment on the “alleged leaked documents” and whether or not they are legitimate.
It’s not clear how Fancy Bears allegedly breached the IOC email. However, in 2016, the same group targeted WADA with a phishing scheme and released documents that focused on previous anti-doping efforts following the 2016 Summer Olympics. In that case, the hacking group released the medical records for U.S. Olympic athletes Simone Biles, Serena and Venus Williams and Elena Delle Donne. The medical records showed that these athletes were taking prohibited medications, though they all obtained permission to use them and, thus, were not violating the rules. This release happened in the midst of McLaren’s investigation into the widespread misconduct by Russian athletes.
In one email released in this week’s dump, IOC lawyer Howard Stupp complained that the findings from McLaren’s investigation were “intended to lead to the complete expulsion of the Russian team” from the 2016 Summer Games in Rio de Janeiro and now from the 2018 Pyeongchang Games.
As seen on Tech Target by: John Sammons and Michael Cross.
In this excerpt from chapter four of The Basics of Cyber Safety, authors John Sammons and Michael Cross discuss basic email security.
The following is an excerpt from The Basics of Cyber Safety by authors John Sammons and Michael Cross and published by Syngress. This section from chapter four explores the basics of email and email security.
Email is a term that’s short for electronic mail, and a common method of exchanging messages over the Internet. You’ll use an email client, like Google mail or Outlook, installed on a computer, an app on your mobile phone, or a website to create and read the messages. The email is sent to a mail server, which is a computer that’s used to store and forward messages.
To demonstrate how this works, let’s say that you’re going to send me an email. If you have an email client installed on your computer, you’ll write a message to me and click the send button. That message is sent to a mail server, which may be one provided by your Internet Service Provider (ISP). If I had an email account with another ISP, or a free email service like Gmail, the mail server would forward that email onto the mail server that I use. It would be stored in a mailbox, which would be an area on the mail server that’s designated for mail going to my account. When I retrieve the mail online, I would be accessing that mailbox, and see your email in an area for mail I’ve received called an Inbox.
As we’ll see in the sections that follow, there are a lot of potential problems with using email, but there are settings and decisions you can make to protect yourself. You may have information of some kind included with the email called an attachment, which could be virus infected. It could have links in the email that may take you to a site to fool you into providing sensitive information or automatically download and infect your system with malware. By knowing what to look out for, and configuring your email client properly, you can safeguard yourself and minimize these and other threats.
Depending on what you plan to do on the Internet, it’s advisable to set up separate email accounts for different types of online activities. By this, we’re not saying that you should have different email addresses for each of the sites you commonly visit. The kind of email accounts you have will be based on what they’ll be used for and your need for privacy. Some of the ones you might have include:
A generic account, which is often the first one you have when you sign-up for Internet Service. This will be the one you commonly give to friends, family, and others you want to stay in contact with.
Work email, which is used for business purposes. This may be one created for you by your employer, and should only be used for work-related purposes.
Social media email, used for sites like Facebook, Twitter, and so on.
Email account(s) for chat, instant messaging, shopping, promotional sites, or other sites where you want additional privacy.
There are many reasons why you’d want separate accounts. One is that you should never use work email for personal reasons. Many companies have policies dealing with proper use of technology, and using corporate email to sign up on sites, chat, or simply sending personal messages could result in disciplinary actions or even termination of employment. As we saw in Chapter 1, What is cyber safety?, companies own any email account issued to you, meaning that they can access your mail, and you should have zero expectations of privacy.
Generally, when you sign up with an ISP, you’re issued an email address that includes your name in it or your first initial and last name. For example, my email address might be firstname.lastname@example.org or email@example.com. In looking at it, you can see that all or part of my name is included in the address. As we’ll see throughout this book, these little tidbits of information can be used with other information gathered about you, and reveal more than you want to know.
Before setting up any accounts on social media sites, chat rooms, and so on, you should seriously consider setting up one or more email accounts with less revealing information. In doing so, the name used for the email account should include nonidentifying information. For example, using an email address like firstname.lastname@example.org may indicate you’re a happy person, but it doesn’t reveal who you actually are.
Understanding the Importance of Nonidentifying Email
Keep in mind that your family and friends already know your full name, but many of the online “friends” or connections you make are actually strangers. You never want to reveal more to a complete stranger than necessary, and one of the biggest identifiers of a person is their name. To illustrate a problem with revealing email addresses, let’s say you used a chat site, discussion board, or instant messaging (which we discuss in chapter: Beyond technology — dealing with people) to meet new people and have online discussions. When you set up an account to use any of these, you’re probably given the option of creating a username or alias, so that when you’re chatting other people would see you as “Big Bob” or some other name you came up with. Now, consider that one of these people decided to check your account profile, and saw your email address. If it included your real name, the stranger now knows who you are, and the anonymity and protection provided by an alias or username is lost.
Depending on your needs for the account, you should also limit any information included in a signature in messages. For work email, you might include your work number, extension, company website, business address, and so on. However, you do not want to include this in other emails being sent, unless there is a specific and exceptional reason to do so. Even if you send personal information in an email to someone you trust, there is no guarantee that they won’t forward it, or include others in the reply that would show the original information you sent.
CHOOSING AN EMAIL CLIENT
There are a number of good email clients available, but the one you choose will often depend on the operating system you’re using, and the amount of money you’re willing to pay. The email client you use may be one that’s installed on your computer, or an online version that you access through a browser. Some of the email clients that can be installed on a computer include:
Microsoft Outlook, which runs on Windows and Apple and is commonly used by businesses. It’s included with Microsoft Office or Microsoft Office 365.
Apple Mail, which is Apple’s email client.
Thunderbird, which is available for Apple, Linux, and Windows machines.
In this section we’ll go through a number of common settings found in email clients that are installed on your computer, using Thunderbird as an example. Thunderbird is a popular, free email client from Mozilla that can be installed on Windows, Apple, and Linux machines, and has a number of features that can be configured to improve your
features should be available under the client’s settings. To configure Thunderbird’s Privacy and Security settings:
After opening Thunderbird, click on the Tools menu, and then click Options.
When the Options dialog appears, click on the Privacy icon at the top to display a screen similar to that shown in Fig. 4.1.
Click on the Allow remote content in messages so it appears unchecked. This will prevent any images or other content from being automatically viewed in the email. We’ll explain more about why it’s important not to allow this in a section that follows.
Click on the Tell sites that I do not want to be tracked checkbox so that it’s checked. This will send a request not to track your activities, opting you out of any tracking systems on a site you’re accessing, so that tracking cookies aren’t sent to your computer.
To modify the security settings in Thunderbird, you would click on the Security icon at the top of the Options dialog. Upon doing so, you’ll be presented with several tabs of options, where you can make the following modifications:
On the Junk tab, you can configure settings to train Thunderbird to detect junk mail or SPAM, and specify what happens to email. You can flag an email as junk mail in Thunderbird by right-clicking on a message, selecting Mark, and then clicking As Junk. On this tab, you should do the following:
Click on When I mark a message as junk so the checkbox appears checked, and then select the option to move it to a junk folder. This will automatically move any junk messages to the account’s “Junk” folder. Alternatively, you can click on the Delete them option, so that your junk mail is automatically deleted.
Click on the Mark messages determined to be junk as read checkbox so it appears checked. In doing so, the message won’t appear as unread, meaning there’s less chance of you accidentally opening it.
Click on the Enable adaptive junk filter logging so the checkbox appears checked.
On the Email Scams tab, click on the Tell me if the message I’m reading is a suspected email scam so the checkbox appears checked. If the email has known elements of being a scam, you’ll be presented with a warning.
On the Anti-Virus tab, click on the Allow antivirus clients to quarantine individual incoming messages so it appears checked. This will allow your antivirus software to remove any infected messages before you read them.
On the Passwords tab, click the Use a master password checkbox so it appears checked. After checking this, you’ll be prompted to provide and confirm a password. The next time you open Thunderbird, you’ll need to enter the password, preventing anyone else from opening Thunderbird and reading your email. To change the password afterwards, click on the Change Master Password button on this tab.
WHY IS IT IMPORTANT TO BLOCK REMOTE CONTENT?
When an email is opened, or viewed in the message pane of an email client, it’s possible for content from a server to appear in the message. If the email is in an HTML format, then you’re viewing a message that’s written in the same language as a web page. Any external content can be displayed in the message as if you’ve visited the sender’s website. Your email client will load any images, including ones that have an executable (malware) embedded in them, and other content from an external server. While allowing remote content lets you view any graphic content automatically, it isn’t a secure option.
Another problem with allowing remote content is that it can be used to verify your email address. If I send you a SPAM message, when you load the remote content, your client is contacting my server and requesting that the content be sent. I can now see that you made that request, and can see that it’s a legitimate email account that’s still in use. In verifying that email, I know to contact you further with either additional email, or (as we’ll see in chapter: Cybercrime) attempts to phish additional information out of you.
Also, additional information about you is sent with the request to a Web server for images and other content. The browser or email client will identify the application being used and the operating system it’s running on, which could be used by a hacker to identify possible vulnerabilities or target distribution of malware. The request will also include your IP address, which can be used to get a rough idea of your location.
When you block remote content and open the email, images and other external content don’t appear in the message. If I want to view the blocked content, I can click on a link at the top of the message to display images and other content, or, if I trust the sender, choose to always allow remote content from that sender.
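To see what a client would give away before any remote content is allowed, the message can be inspected offline. The Python sketch below is an added example, not taken from the book: it lists every resource an HTML email would fetch automatically and marks images that look like tracking beacons. The sample message, its hostnames, the function names, and the two heuristics (an image declared 0 or 1 pixel in size, or a URL whose query string carries the recipient's address) are all constructed assumptions for illustration.

```python
"""List the remote content an HTML email would fetch if a client loaded it."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Tag/attribute pairs that make a mail client request something from a server.
REMOTE_ATTRS = {("img", "src"), ("link", "href"), ("iframe", "src"),
                ("script", "src"), ("video", "poster"), ("body", "background")}

# Constructed sample message (not real traffic): one banner, one beacon,
# and one inline cid: image that needs no network request.
SAMPLE = """\
From: newsletter@mailer.example
To: alice@example.com
Subject: Big savings inside
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello!</p>
<img src="https://cdn.mailer.example/banner.png" width="600" height="120">
<img src="https://track.mailer.example/o.gif?e=alice%40example.com&c=42" width="1" height="1">
<img src="cid:logo@mailer.example" width="80">
</body></html>
"""


def _is_tiny(attr):
    """True when width or height is declared as 0 or 1 pixel (invisible image)."""
    return any(str(attr.get(k, "")).strip().rstrip("px") in ("0", "1")
               for k in ("width", "height"))


class RemoteRefParser(HTMLParser):
    """Collects every http(s) resource the HTML body would load automatically."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        for name, value in attrs:
            if (tag, name) not in REMOTE_ATTRS or not value:
                continue
            # Only http(s) URLs cause a request; cid: and data: stay local.
            if urlsplit(value.strip()).scheme in ("http", "https"):
                self.refs.append({"tag": tag, "url": value.strip(),
                                  "tiny": tag == "img" and _is_tiny(attr)})


def audit_message(raw, recipient):
    """Return the remote references in a message, flagging likely beacons."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = RemoteRefParser()
        parser.feed(part.get_content())
        for ref in parser.refs:
            url = urlsplit(ref["url"])
            # parse_qs percent-decodes, so alice%40example.com is matched too.
            values = [v for vs in parse_qs(url.query).values() for v in vs]
            ref["host"] = url.hostname
            ref["carries_recipient"] = any(
                recipient.lower() in v.lower() for v in values)
            ref["likely_beacon"] = ref["tiny"] or ref["carries_recipient"]
            findings.append(ref)
    return findings


if __name__ == "__main__":
    for f in audit_message(SAMPLE, "alice@example.com"):
        flag = "BEACON?" if f["likely_beacon"] else "remote"
        print(f"{flag:8} <{f['tag']}> {f['host']}  {f['url']}")
```

Each host listed is a server that would learn your IP address and client details the moment remote content is displayed; a reference flagged as a likely beacon would also confirm that your address is in use.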
HIDING THE MESSAGE PANE
A common feature in email clients is the Message Pane, which allows you to view the contents of any emails that you select in your inbox. It is a little deceptive in making you think that you haven’t opened the email, as you haven’t double-clicked on it so it opens in a new window. However, the Message Pane does open and display the contents of your email, and (depending on your settings) will display any of the images or external content used. As we mentioned, because emails can be written in HTML, the email client is acting like a browser, and you’re loading the equivalent of a web page with all the potential threats one can provide.
Hiding the message pane allows you to review the subject, sender, and other information listed in your inbox, but won’t show its contents when you click on it. This allows you to select different emails that seem suspicious or appear to be SPAM, and delete them as needed without opening them. To remove the message pane from Thunderbird, click on the View menu, select Layout, and then click Message Pane.
THE DANGERS OF AN ATTACHMENT
The message in an email is only one of the potential threats to your system. Files can also be attached to a message, and these have the same potential risks as files that you download from sites. Documents may be virus infected, and executable files (such as those with an .exe extension) may be attached to install malicious software on your computer. Even though the attachment arrives with the message, it only poses a threat if it’s activated.
Never open any attachment if you don’t know the sender, or the email seems suspicious. Even if you know the sender, it’s possible that the message and attachment were sent automatically by malware, and the actual person the email says it’s from doesn’t know that the email was sent. To avoid many of the known problems with attachments, ensure that the settings to allow your antivirus program to scan and quarantine email are enabled. If your antivirus can catch and remove infected messages, there’s less chance you’ll open a file that will infect your system.
FREE EMAIL SITES
You could contact your ISP to have additional email accounts set up for various purposes, or you could set them up yourself through an online service. There are a number of sites available for setting up additional email accounts that are free, including:
Gmail (www.gmail.com), which is a free email service from Google.
Outlook (www.outlook.com), which is Microsoft’s email service formerly called Hotmail.
mail.com (www.mail.com), which provides the ability to choose different domain names in the email address.
These free email services allow you to store and access your email online, using a web-based interface to read and compose messages. Some of these have almost unlimited storage, while others require you to pay for premium accounts that allow you to store mail and attachments over a certain limit. These sites may provide additional features and services that may be useful, such as online calendars and file storage.
When looking at the features of free online email, you want to ensure that the service provides virus checks and good SPAM filtering. As we have seen in Chapter 10, Protecting your kids, antivirus protection will prevent unwanted code from corrupting your data or system, while SPAM filtering will keep unwanted advertisements, scams, and other inappropriate, dangerous, and/or unwanted email from getting into your inbox. Even if you have antivirus software installed on your computer, it’s important to realize that it will not scan and protect email and attachments stored on one of these sites. The email is stored on the email service’s server, so you need to ensure that they provide adequate protection before you download or open anything that’s been sent to you.
SECURITY SETTINGS ON EMAIL SITES
The security settings on free email sites vary. All of them will allow you to change your password, which, as we saw in Chapter 2, Before connecting to the Internet, should be done on a recurring basis using strong passwords. Beyond this, the features you encounter will vary.
While it would be impossible to cover the settings in every online email service, looking at a couple of popular sites will give you a good idea of what’s offered, and how to configure it properly. In the following sections, we’ll look at Mail.com and Gmail. For any email service, you’ll generally find the security and privacy settings for your email under your account settings.
If you’re using mail.com as a free email service, you would log in and see a link in the left pane of the screen called Settings (as shown in Fig. 4.2). Clicking this, you would then click on the Mail Security link under Security. Doing so provides you with a number of options, which when checked will activate the related feature:
Spam protection activated, which will prevent SPAM emails from being added to your inbox.
Contacts, which will prevent emails from people in your contact list from being flagged as SPAM. Generally, you can turn this off to prevent junk email that may have been automatically forwarded by people you know from appearing in your inbox. We saw how bots can do this without a person realizing it in Chapter 10, Protecting your kids.
POP3 options, which has a checkbox that indicates you’d like to be sent a daily report about SPAM that may have been received. This allows you to release or delete any mail that may have incorrectly been flagged as SPAM.
Virus protection activated, which checks your incoming and outgoing mail for viruses.
Other options in the security section of your mail.com account include:
Whitelist, which allows you to add email accounts and domains that should always be trusted, and never marked as SPAM.
Blacklist, which allows you to add email accounts and domains that should never be trusted, and you never want to receive mail from. This is especially useful if you are being harassed by a person, getting unwanted email from a company, or know that a particular site is a problem.
External content, which after being clicked, shows a page with a checkbox that allows you to prevent any content hosted on an external site (such as images) from appearing in your email. If this is activated, a link will appear in your email that allows you to show the images. The setting does not apply to any emails in your SPAM folder (which already keeps external content from being displayed).
Gmail offers a number of features designed to protect your privacy and enhance the security of using email. After logging into Gmail, you can access your settings by clicking on the gear-shaped icon in the upper right-hand corner, and then clicking Settings. After doing so, you’re presented with a screen with tabs along the top of the screen. Clicking Accounts and Import will provide you with a variety of options to maintain your account, including a section called Change account settings. In this section, you can click on any of the following links:
Change password, where you can enter a new password, and which will tell you the strength of that password.
Change password recovery options, which provides the ability to set recovery options if someone hijacks your account, or your password is forgotten. We’ll discuss more about this shortly.
Other Google Account settings, which presents a screen of additional options to control your account preferences, and options and tools related to your privacy and security settings. Again, we’ll delve deeper into this in the paragraphs that follow.
The password recovery features in Gmail allow you to set what happens when you forget your password or it appears an unauthorized person is trying to get into your account. The options on this page allow you to set the following:
Mobile phone, which (after providing your phone number) will be used to send a text message. Because an unauthorized person probably wouldn’t have your mobile phone, this ensures that you’re the person who the account belongs to.
Recovery email address, which can be used to challenge someone attempting to log on, and allows you to reset your password if you’re locked out.
Alternate email address, which allows you to specify a secondary way to log onto your account. This would be a different email address than your gmail.com account.
Security question, which allows you to set a question and answer that will be used to establish that you’re the person who should be logging in.
The Other Google Account settings link takes you to the My Account page at https://myaccount.google.com, where you can access settings that control your account preferences, personal information and privacy (which we’ll discuss further in chapter: Protecting yourself on social media), and sign-in and security options. The My Account page also provides tools for doing a checkup on your security and privacy settings, and will take you step-by-step through setting many of the options we’re about to discuss.
If you click on the Signing in to Google link, you’re given a number of options we’ve already discussed, including the ability to change your password, provide a recovery email address, provide a phone number to recover your account, and set a secret question. You’re also given an option in the Password and sign-in method section to use 2-Step Verification.
When 2-Step Verification is used, you would log onto Gmail as you normally would, but after entering your password, a code is sent via text, voice call, or the Google mobile app. You must then enter this code to access your mail. This feature becomes especially important if you use untrusted computers or devices to access your mail, such as public computers. To set up Google’s 2-Step Verification, follow these steps:
When the Set up your phone page appears, enter your phone number.
If you want Google to send you a text message with a code, click the Text message (SMS) option. If you want a voice call, then click the Voice Call option.
Click Send code.
When you receive the code, enter it in the box on the Verify your phone page, and then click Verify.
When the Verification codes on this computer screen appears, check the Trust this computer checkbox if you’re using a trusted computer (such as your home computer). In doing so, you might still be able to access your account without a code.
When the Turn on 2-step verification screen appears, click Confirm.
The next link on the My Account page is the Device activity & notifications link, which provides important information about how your account is being accessed. Here, you’ll find information on security events (such as password changes, modifications to your account, and so on), and devices that have recently been used to access the account. It shows the current device you’re using to access your account, as well as any other computers or mobile devices that were previously used. You should regularly review this section to determine if someone else is accessing your account. If something seems amiss, you can click the Secure your account link to change your password, review settings, and add or change recovery information that we discussed earlier. If you don’t think you’ll regularly visit the page to monitor this (as is the case with most people), you should click the Manage Settings link under Security alerts settings. In doing so, you can set whether you’ll receive an email and/or text message when there is a security risk (such as someone trying to access your account) or other account activity (such as when security settings are changed).
The final link is Connected apps & sites. As we saw in Chapter 1, What is cyber safety?, various apps on your mobile device or sites may connect to your Gmail account. By clicking the Manage Apps link on this page, you’ll be able to view which apps have access, and what they have access to (including such things as your mail, calendar, contacts, or basic account info). If there’s an app you no longer use, you would click on the Remove button beside the app’s name to completely revoke its access. The page also provides a Saved Passwords section, where you can manage passwords saved with Google Smart Lock, which we discussed in Chapter 2, Before connecting to the Internet.
At the bottom of this section, you’ll see an option to Allow less secure apps, which should be turned off. If an app uses less secure technology to sign-on, it can leave your Google account vulnerable, so by default this option is turned off.
There may be times when you need to send an email that’s secure, ensuring that no one other than the person it’s intended for reads it. There are a number of options available for encrypting messages, some of which require installing software like add-ons or extensions to your browser, while others are simple and straightforward.
Infoencrypt (www.infoencrypt.com) is an easy to use site, in which you type a message in a box on the web page, and provide and confirm a password. After clicking the Encrypt button, the page reloads and the message in the box is encrypted. For example, if you were to enter a phrase like “This is encrypted” and used the password test, it would return something like what follows:
The message itself is meaningless, unless the recipient uses the correct password to decrypt it. You would copy and paste the contents of the box and email it to the intended recipient, secure in the knowledge that no one else can read it.
When the recipient receives it, they would click a link that takes them to Infoencrypt’s website, where he or she copies and pastes the email message into the box, and enters and confirms the password you provided separately. After clicking Decrypt, the message is then revealed.
Once the tool is installed, you can then log on to Gmail (www.gmail.com) and you’ll see a new red button with a padlock icon beside the Compose button. Clicking the padlock icon will open a new message dialog. After composing the email, you’d then click the Send Encrypted button.
After you click the button to send your encrypted email, a new message will appear asking you to enter a password and provide a secret hint. The hint should be something that only the recipient would know the answer to, thereby revealing what to enter as a password. After filling this out, click the Encrypt and Send button.
The message that the recipient receives will be encrypted. If they receive it on a standard email client, it will include a link to install the Secure Streak Gmail Extension. If they already have the extension, they will see a link to decrypt the email, and when clicking it will be asked to enter a password and see your hint. After providing the password, the message is decrypted.
About the author:
John Sammons is an Associate Professor and Director of the undergraduate program in Digital Forensics and Information Assurance at Marshall University in Huntington, West Virginia. He teaches digital forensics, electronic discovery, information security and technology in the School of Forensic and Criminal Justices Sciences. Mr. Sammons is also adjunct faculty with the Marshall University graduate forensic science program where he teaches the advanced digital forensics course. A former police officer, he is also an Investigator with the Cabell County Prosecuting Attorney’s Office and a member of the West Virginia Internet Crimes Against Children Task Force. Mr. Sammons is a Member of the American Academy of Forensic Sciences, the High Technology Crime Investigation Association, and Infragard. He is the founder and President of the Appalachian Institute of Digital Evidence, a non-profit organization that provides research and training for digital evidence professionals including attorneys, judges, law enforcement and information security practitioners in the private sector.
Michael Cross is a SharePoint Administrator and Developer, and has worked in the areas of software development, Web design, hardware installation/repairs, database administration, graphic design, and network administration. He is also a former Computer Forensic Examiner with Police Services in the Niagara Region of Ontario, Canada. Working for law enforcement, Mr. Cross was part of an Information Technology team that provided support to more than 1,000 civilian and uniformed users. He performed digital forensic examinations on computers involved in criminal investigations. Over five years, Mr. Cross recovered and examined evidence involved in a wide range of crimes, inclusive to homicides, fraud, and possession of child pornography. In addition to this, he successfully tracked numerous individuals electronically, as in cases involving threatening e-mail. Mr. Cross has consulted and assisted in numerous cases dealing with computer-related/Internet crimes and served as an expert witness on computers for criminal trials. In 2007, he was awarded a Police Commendation for work he did in developing a system to track local high-risk offenders and sexual offenders. With extensive experience in Web design and Internet-related technologies, Mr. Cross has also created and maintained numerous Web sites and implementations of Microsoft SharePoint. This has included public Web sites, private ones on corporate intranets, and solutions that integrate them. In doing so, he has incorporated and promoted social networking features, created software to publish press releases online, and developed a wide variety of solutions that make it easier to get work done
ITG remains committed to their clients day in and day out. Whenever you need someone, you know who to call. Mike and the ITG team care so much about the clients that they want to spread the word. Although it may be strange if Mike stood on a rooftop yelling about all the ways they can help someone, we figured the clients could tell you best. We recently interviewed Linda from NYACP, New York Chapter American College of Physicians, to get her take on ITG and to find out more about what she does!
NYACP is a not-for-profit professional service organization providing education, advocacy and quality improvement/practice management for 12,000 internal medicine physicians in New York state. Linda loves that her work focuses on improving healthcare and helping members achieve success in the ever-changing practice environment.
In a world of such uncertainty and change, wouldn’t you want to feel that passion? Every business will suffer from technological issues, updates and threats to operations by viruses and other intrusions. Lucky for Linda, her limited IT experience was in hiring the right consultant. She has better peace of mind within the company since working with ITG. She has been able to learn more about technology as her business grew and came to better understand the impact of technology and interoperability. This allows her to feel more comfortable with her entire IT infrastructure allowing her to focus more on management and operations.
She was first introduced to ITG by word of mouth from colleagues. After interviewing others and assessing the best choice, Linda chose ITG because of their experience and local reach. She has not been disappointed, and it’s been years working together! When asked what the process is like to work with ITG she said: “They are a sound, reliable partner, they respond to our needs expeditiously and completely.” She considers the ability to ask questions and get “helpful, meaningful information in easy to understand language (and Diagrams!!!)” to be the best value for a busy executive.
Her favorite part of working with ITG is “the staff, the reliability of their recommendations and their service”!
Did you know? There are laws and regulations in place that require companies to take measures to prevent data breaches and other attacks.
You too can have the peace of mind in your day to day life by partnering with a company that cares about your business, answers questions and immediately responds to concerns. Reach out to ITG today and speak with the team about how they can help!
89.1 percent of all information security leaders are concerned about the rise of digital threats they are experiencing across web, social and mobile channels, according to the 2018 CISO Survey by RiskIQ.
Some 1,691 U.S. and U.K. information security leaders across multiple verticals, including enterprise, consulting, government and education, provided insights into their cyber risk concerns and plans for 2018.
Overall, the survey revealed a coming “perfect storm,” where the problem of staff shortages collides with escalating cybercrime, leaving organizations ill-equipped to manage and respond to cyber risks and threats that are accelerating in an era of digital transformation, pervasive connections and increasingly sophisticated attack strategies sponsored by nation-states and rogue actors.
As the Spectre and Meltdown security flaws in Intel chips dominated the news in early 2018, and after a year of major security breach announcements and settlements, including Equifax, Yahoo and Anthem, the following findings are hardly surprising:
67 percent of cybersecurity leaders do not have sufficient staff to handle the daily barrage of cyber alerts they receive
60 percent expect digital threats to grow as their organizations increase online engagement with customers
The top three digital threats information security leaders fear are phishing and malware attacks on employees and customers; brand impersonation, abuse, and reputational damage; and information breaches
The top risk organizations face today is a lack of experienced staff to monitor and help protect networks from cybercrime
“The RiskIQ 2018 CISO Survey illuminates a growing industry-wide problem, which is that cybercrime is growing at scale, and enterprises are already experiencing critical staff shortages. That’s one reason 1 in 3 organizations have engaged with an MSSP to combat cyber risks and threats, and we expect that number to grow as the competition for top security talent gets far more intense,” said Lou Manousos, CEO at RiskIQ.