Data Privacy Day is 28-Jan-2016

January 10, 2016

Happy New Year everyone! Sorry it’s been so quiet on our blog lately, but we’re back in the saddle and ready for 2016.

Mark January 28, 2016 on your calendar as Data Privacy Day. DPD is an international effort held annually and organized by the National Cyber Security Alliance to create awareness about the importance of privacy and protecting personal information.

DPD is part of a greater effort, the #PrivacyAware campaign, which helps everyone understand how they can own their online presence and reminds businesses that privacy is indeed good for business.

NCSA’s #PrivacyAware campaign provides free, nonproprietary resources to help you spread the word about privacy and protecting personal information. Here are some of the things you can do:

  • At Work … Privacy is good for business: Create a culture of privacy at work by teaching all employees what privacy means to your organization and the role they have in making sure privacy is achieved and maintained. Learn more about online business safety.
  • At Home … Own your online presence: Help yourself and your family be #PrivacyAware. Talk to your family and friends about protecting personal information and how to stay safe online. Get started with these tips.
  • In Your Community … Share your privacy knowledge: Volunteer in a local school, senior care facility or faith-based organization, send messages on community listservs and use resources from the #PrivacyAware campaign to spread the word. Find some privacy tips for businesses, older adults, teens and parents.

One way you can join the 2016 effort is by becoming a Data Privacy Day Champion. DPD Champions include companies and organizations of all sizes, nonprofits, government organizations, schools and school districts, colleges and universities and individuals.

Find tools to promote Data Privacy Day, learn how to get involved, and visit www.staysafeonline.org/DPD for more information.


Avoiding scams, phishing and malicious emails (things to watch for, how to report them + more)

November 19, 2014

Scam artists use clever schemes to defraud millions of people around the world each year. Learn how to recognize common phishing tactics and malicious emails, and what you can do to avoid them.

Scammers typically create emails and messages that look like they’re from real companies, agencies and organizations and even use their logos, fonts, layouts and color schemes.

According to OnGuardOnline.gov, some clues that an email or text message is suspicious include:

  • the message is requesting your personal information — do not respond or click links! Companies, agencies (like the IRS, etc.) and organizations will not request your password, user name, credit card data, account numbers, or other personal or financial data through e-mail or text.
  • the email appears in your junk folder;
  • the sender’s email address does not have that business or agency domain name in it;
  • when you hover over a link or coupon the web address is not that company’s / agency’s website;
  • if you receive a coupon for a free or discounted item, ask yourself if you signed up to get emails from this company. If not, it’s unlikely they’d send you a discount or freebie out of the blue;
  • the email or message has several typos, missing data or poor English.

If you’re not sure an email is legit, DON’T click any links or open any attachments. Instead, look for signs that the email isn’t the real thing or do a search or visit that company’s site to see if there are any complaints from others who received similar emails.

Shipping confirmations or delivery failed messages

FedEx, UPS, USPS and other carriers are often impersonated in fraudulent emails asking users to click on links that, more often than not, will place malware on the user’s machine. The subject lines typically say there was a problem with delivery, that you need to verify information, that some important information is missing, etc. The fraudulent email may have an attached file that contains a virus or other malware … or the link may take you to a website that downloads a malicious file. Don’t fall for these scams; report them (if you want to) and then delete them. Read more about delivery failure phishing scams on Denver’s ABC7.

[Image: UPS phishing shipping receipt]

Receipts

Be on the alert for fake emails posing as online retailers like PayPal, Amazon and others with a subject line similar to a receipt you would see for a purchase on that vendor’s online store, a PayPal payment to someone, etc. These fake receipt emails are sent by cyber criminals — not the retailers — and clicking links contained in a fake receipt email may install malware on your system, in particular spyware used in severe forms of cyber crime such as credit theft, extortion, and identity theft.

For example, just last week I placed a small order on Amazon and received my order confirmation as usual.

The next day I received another Amazon confirmation email for a $1,099 electronic device and the first thing I thought of is someone hacked our account..!

I immediately logged onto Amazon.com and checked our shipping history and it didn’t appear so I went back to the email in my Inbox and noticed several things…

#1 – The “To” line had an email id called “bobrph@…” (my name is Janet);

#2 – The “Hi %USERNAME%” didn’t auto-populate a name;

#3 – When you hover the mouse over a link (DON’T CLICK IT – just hover) it displays a website NOT called “amazon.com/…” but rather “imailsolution.com/…”. << We strongly suggest you not visit this site – just in case!

[Image: phishing email screenshot 1]

Note the email has Amazon’s logo, and its layout, fonts and color scheme are almost identical to a typical order confirmation email from them, so you need to be on guard.

#4 – As I scrolled down and hovered the mouse over other links (again without clicking) the same domain / website name kept showing up.

[Image: phishing email screenshot 2]

#5 – Whoever designed this email even added a typical footer that Amazon uses on their confirmations. This was just an image (nothing popped up when I hovered over these links), but it sure gives the appearance it is a normal message from them.

[Image: phishing email screenshot 3]
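To make the hover-and-compare checks described above (the clue list earlier in this post and the Amazon walkthrough) repeatable, here is an added example in Python; it is not code from the original post. It parses a raw e-mail with the standard library and flags the same four clues: a “To” address that is not yours, an unfilled %USERNAME% placeholder, a sender domain that is not the brand’s, and link hostnames that are not on the brand’s domain. Both sample messages are constructed for the example (example.net is a placeholder mailbox domain; imailsolution.com is the hostname the post’s screenshots showed), and the brand domain amazon.com and the hypothetical recipient janet@example.net are assumptions passed in as parameters.

```python
"""Offline triage of a suspicious e-mail against the phishing clues above.

Added example, not code from the original post. Both messages below are
constructed: example.net is a placeholder mailbox domain, imailsolution.com
is the hostname the post's screenshots showed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the fake confirmation described in the post.
SUSPICIOUS_RAW = """From: "Amazon.com" <order-update@imailsolution.com>
To: bobrph@example.net
Subject: Your Amazon.com order of "Electronic device" has shipped
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi %USERNAME%,</p>
<p>Your order total is $1,099.00.</p>
<p><a href="http://imailsolution.com/track/12345">Track your package</a></p>
<p><a href="http://imailsolution.com/orders">Your Orders</a></p>
</body></html>
"""

# Constructed sample of what a legitimate confirmation would look like.
LEGIT_RAW = """From: "Amazon.com" <ship-confirm@amazon.com>
To: janet@example.net
Subject: Your Amazon.com order has shipped
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Janet,</p>
<p><a href="https://www.amazon.com/your-orders">Your Orders</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects every href from <a> tags, the same thing hovering reveals."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.hrefs


def registrable_domain(host):
    """Last two labels of a hostname: 'www.amazon.com' -> 'amazon.com'.

    Heuristic only; it is wrong for suffixes such as co.uk, where a
    public-suffix list would be needed.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw_message, brand_domain, my_address):
    """Return a list of finding codes; an empty list means no clue matched."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Clue 1: the "To" line is not your own address.
    to_header = str(msg.get("To", ""))
    if my_address.lower() not in to_header.lower():
        findings.append("TO_MISMATCH:" + to_header)

    # Clue 2: the sender's domain is not the brand's domain.
    sender = parseaddr(str(msg.get("From", "")))[1]
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if registrable_domain(sender_domain) != brand_domain:
        findings.append("SENDER_DOMAIN:" + sender_domain)

    # Clue 3: a mail-merge placeholder such as %USERNAME% was never filled in.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if re.search(r"%[A-Z_]+%", text):
        findings.append("UNFILLED_TEMPLATE")

    # Clue 4: links point somewhere other than the brand's domain.
    for href in extract_links(text):
        host = urlparse(href).hostname or ""
        if host and registrable_domain(host) != brand_domain:
            code = "LINK_DOMAIN:" + registrable_domain(host)
            if code not in findings:
                findings.append(code)
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("legit", LEGIT_RAW)):
        print(label, triage(raw, "amazon.com", "janet@example.net"))
```

Run it directly to see both samples triaged. The registrable_domain helper uses a last-two-labels heuristic, so a production tool would swap in a public-suffix lookup; any non-empty findings list is a reason to go to the retailer’s site directly rather than through the email.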

If you click a phishing or malicious link…

According to Anti-abuse.org once a victim visits a malicious website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of the legitimate entity’s URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL.

In another popular method of phishing, an attacker uses a trusted website’s own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service’s own web page, where everything from the web address to the security certificates appears correct.

A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a simple-to-use interface that allows a phisher to convincingly reproduce any website and capture any login details entered at the fake site.

Report Malicious / Phishing / Scam emails

It does help to report suspicious emails to the respective company but it is always best to find out how they want you to report it. Some may ask you to forward an email while others prefer you send it as an attachment.

Below are some examples of common brands we’ve seen in suspicious emails over the years, and it’s easy to do a search on a company name and the phrase “report phishing” to find their preferred method of sending them the data.

Once you report an email just delete it so you don’t accidentally click on any links in it later. Realize you probably won’t hear back from the company you reported the malicious email to, but you will get an auto-reply explaining they received it and will be investigating it.

As Amazon.com mentioned in the auto-reply to me, “please be assured that Amazon.com is not in the business of selling customer information. Many spammers and spoofers use programs that randomly generate e-mail addresses, in the hope that some percentage of these randomly-generated addresses will actually exist.”

You can also forward phishing emails to phishing-report@us-cert.gov and/or reportphishing@antiphishing.org. The Anti-Phishing Working Group, a group of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.

If you might have been tricked by a phishing email:

Additional resources:

OnGuardOnline.gov
StaySafeOnline
US-CERT
Anti-Phishing Working Group
Protecting your devices from cyber threats

Stay safe out there..! j & B


Get involved with October 2014 National Cyber Security Awareness Month #NCSAM

October 2, 2014

[Image: NCSAM 2014 logo]

Did you know October is cyber security month in several countries?

America’s National Cyber Security Awareness Month or NCSAM campaign – under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance – has grown exponentially, reaching consumers, small and medium-size businesses, corporations, educational institutions, and young people across the nation.

Cybersecurity begins with a simple message everyone using the Internet can adopt: STOP. THINK. CONNECT. Take security and safety precautions, understand the consequences of your actions and behaviors online, and enjoy the benefits of the Internet.

The National Cyber Security Alliance has #NCSAM tools, banners and materials to help home users, K-12 Educators, Higher Education, Small Businesses and more get involved at www.staysafeonline.org. You can also follow NCSA on Facebook or on Twitter @STOPTHNKCONNECT and @StaySafeOnline and search #NCSAM to find more cyber safety tips and resources.

Canada’s national public awareness campaign Get Cyber Safe was created to educate Canadians about Internet security and the simple steps individuals can take to protect themselves online. Learn more at www.getcybersafe.gc.ca and follow them on Twitter @GetCyberSafe

And the European Union advocacy campaign European Cyber Security Month (ECSM) aims to promote cyber security among citizens, to change their perception of cyber-threats and provide up to date security information, through education and sharing good practices. Visit http://cybersecuritymonth.eu/ to learn more and follow #cybersecawarenessmonth on social media to keep up on activities in Europe.

As NCSA explains… The Internet is a shared resource and securing it is Our Shared Responsibility. Everyone has a role in securing their part of cyberspace, including the devices and networks they use. If each of us does our part—implementing stronger security practices, raising community awareness, educating young people or training employees—together we will be a digital society that is safer, more resistant to attacks and more resilient if an attack occurs.

Also read and share our Oct 2013 enews article called Protecting devices from cyber threats.

Stay safe out there, j & B



Shellshock Bash bug impacts Linux, Unix and Mac systems (and hackers are already exploiting it)

September 25, 2014

[Image: Shellshock bash bug]

A serious flaw has been found in a software component known as Bash (Bourne Again Shell), which is a part of many Linux / Unix systems as well as Apple’s Mac operating system.

The bug, dubbed Shellshock, can potentially be used to remotely take control of almost any system using Bash, researchers said. The bug, which has gone undetected in the software for at least 22 years, was just disclosed yesterday 24-Sep-2014.

According to Securelist.com … “it is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. Basically it lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables, but not every system is vulnerable since certain conditions must be met. … The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points. They are also vulnerable and, in many cases, difficult to patch.”

Chris Griffith, Senior Technology Journalist @ The Australian writes… “The security hole poses an enormous threat to everything from computers to sewerage treatment plants, pump networks, to web servers, traffic lights, airport lights, SCADA systems and even Apple Mac computers. That’s because the hole has been found in a piece of code that’s fundamental to the running of machines across the internet, along with network infrastructure such as routers, switches, and phone exchanges. It opens the door for hackers to obtain access to computers and other systems through a web browser. From there they can infiltrate and play havoc with machines as well as the corporate computer networks they are part of. …”

According to Trend Micro … “LINUX powers over half the servers on the Internet, Android phones, and the majority of devices in the Internet of Things (IoT) so the reach of this is very broad. Also, because Bitcoin Core is controlled by BASH, this vulnerability can impact Bitcoin miners and other Bitcoin related systems, making them potentially a very attractive target to attackers.”

Shellshock rates 10 out of 10 on the scale of vulnerabilities. For perspective, Heartbleed rated an 11 but that bug required more work to exploit holes, whereas Shellshock opens the way for hackers to add and manipulate code or data into “shell” commands.

Several exploits have already been identified in the wild (read here, here and here) and some experts are concerned this bug is “clearly wormable” and may get much worse in the coming months.

But not all security experts agree this is “Heartbleed 2.0”. Brad Chacos writes in PCWorld … “Jen Ellis of security firm Rapid7 says the Shellshock bug’s outlook isn’t quite as grim, even if it is rampant. Ellis writes, ‘The conclusion we reached is that some factors are worse, but the overall picture is less dire… there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild.’ …”

No one really knows for sure how bad things could get with Shellshock, but one thing everyone agrees on is that system administrators and developers need to patch this Bash bug ASAP.

PATCH AVAILABLE

Patches are available through the links below; realize there will most likely be a series of patches going forward.

US-CERT recommends administrators and users review CVE-2014-7169 in the National Vulnerability Database as well as the Redhat Security Blog for additional details, and refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. As of 24-Sep-2014 a GNU Bash patch is also available for experienced users and administrators to implement on all current versions of Bash, from 3.0 to 4.3.

Some security researchers warn that the patches are “incomplete” and would not fully secure systems. Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug. Read more at RedHat.com

WHAT CAN I DO?

As Mashable explains… “Unlike Heartbleed, which forced users to change their passwords for various Internet services, Shellshock doesn’t appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.”

Kaspersky Labs’ Global Research & Analysis Team has a great Q&A about the “Bash” vulnerability, with an easy test for checking whether your system is vulnerable, on Securelist.com. There is some geek-speak throughout the Q&A but it could be helpful to some techie users and programmers.

The patching process for Apple users is described over at StackExchange, but be warned – according to Mashable, it requires a certain level of command-line knowledge to apply.
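The Kaspersky Q&A mentioned above includes a quick local test; the following is an added example (not the Q&A’s code and not from the original post) that wraps the same kind of probe in Python so you can check the bash on your own machine. It sets an environment variable that looks like an exported function followed by an extra command and then starts bash -c: an unpatched bash executes the extra command when it imports the variable, a patched bash does not. The marker string and the probe-ok text are constructed for the example, and bash_path is an assumed optional parameter. A result of “patched” covers only the original CVE-2014-6271 fix, not the follow-up CVE-2014-7169 the post mentions.

```python
"""Local self-check for the Shellshock bash bug (CVE-2014-6271).

Added example, not from the original post or from Kaspersky's Q&A. It runs
the widely published environment-variable probe against the local bash and
only echoes a marker; it changes nothing on the system and tests this
machine's bash, not a remote host. The marker text is constructed.
"""
import os
import shutil
import subprocess

MARKER = "SHELLSHOCK_PROBE_EXECUTED"  # constructed marker string


def classify_probe_output(stdout):
    """'vulnerable' if the injected command ran, otherwise 'patched'."""
    return "vulnerable" if MARKER in stdout else "patched"


def shellshock_check(bash_path=None):
    """Run the probe against the local bash.

    Returns 'vulnerable', 'patched', or 'no-bash' when bash is absent.
    """
    bash = bash_path or shutil.which("bash")
    if not bash:
        return "no-bash"
    probe_env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        # The value looks like an exported function; the command after the
        # function body is what an unpatched bash wrongly executes on import.
        "x": "() { :;}; echo " + MARKER,
    }
    try:
        result = subprocess.run(
            [bash, "-c", "echo probe-ok"],
            env=probe_env, capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.SubprocessError):
        return "no-bash"
    # A patched bash prints only "probe-ok" (and may warn on stderr that it
    # ignored a function definition attempt); the marker never appears.
    return classify_probe_output(result.stdout)


if __name__ == "__main__":
    print("local bash:", shellshock_check())
```

Run it on each host you administer after patching; “patched” here means the exported-function import no longer executes trailing commands, which is the defect the first patch addressed, so keep following the vendor’s later updates as the post advises.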

For general home users worried about security, watch for updates (esp. OS X and Android users) and pay attention to updates from Internet providers and manufacturers – particularly for hardware such as broadband routers. Also be wary of emails requesting information or instructing you to click links or run software to “fix” this bug.

Unfortunately this situation is only starting to manifest and metastasize and, as Kaspersky Lab chief executive Eugene Kaspersky said, “the internet should expect a lot of exploits and hacked websites to be disclosed in coming weeks.”

MORE INFORMATION

Some helpful sites and articles with fixes, explanations about various vulnerabilities and more are…

Red Hat’s Security Blog

Red Hat’s original post about vulnerability

“Bash” (CVE-2014-6271) vulnerability – Q&A by Kaspersky Labs’ Global Research & Analysis Team

U.S. Computer Emergency Readiness Team

Everything you need to know about the Shellshock Bash bug by Troy Hunt via TroyHunt.com

What you need to know about Shellshock, aka the “Bash Bug” by Mark Nunnikhoven @ Trend Micro

Bash Vulnerability – Shell Shock – Thousands of cPanel Sites are High Risk by Daniel Cid @ Sucuri Security blog

Shellshock DHCP RCE Proof of Concept by TrustedSec.com

Major Bash Vulnerability Affects Linux, Unix, Mac OS X by Michael Mimoso @ ThreatPost

Worse than Heartbleed? by Jim Reavis @ Cloud Security Alliance

Shellshock: The ‘Bash Bug’ That Could Be Worse Than Heartbleed by Stan Schroeder @ Mashable

Why You Could Be At Risk From Shellshock, A New Security Flaw Found In Linux by James Lyne @ Forbes

Unix/Linux Bash: Critical security hole uncovered by Steven J Vaughan-Nichols @ ZDNet

Shellshock: ‘Deadly serious’ new vulnerability found by Dave Lee @ BBC

Bash bug fallout: Shell Shocked yet? You will be … when this becomes a worm by Darren Pauli @ The Register

‘Bigger than Heartbleed’ Shellshock flaw leaves OS X, Linux, more open to attack by Brad Chacos on PCWorld


Heartbleed (what it is, how to protect yourself + tips about passwords)

April 11, 2014

[Image: Heartbleed logo by Leena Snidate, Codenomicon Ltd]

A recently discovered encryption flaw in OpenSSL — software used by many popular social networking websites, search engines, banks, and online shopping sites to keep personal and financial data secure — has potentially exposed a majority of the internet. Not all secure sites use OpenSSL (a secure site typically has an “https://” prefix and a little padlock in the address line), but about 66% of websites do … so it’s a big deal.

The bug is called Heartbleed because it piggybacks on a feature called heartbeat and it affects specific versions of the widely-used OpenSSL cryptographic library. Basically an error that was missed over two years ago in the OpenSSL encryption library allows a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, which may allow an attacker to decrypt traffic or perform other attacks.

In other words, if someone knew this bug existed, they could intercept usernames, passwords, credit card details, and other sensitive information from a website’s server in plain text. It also allowed for a server’s private encryption keys to be stolen. Once stolen, these keys can be used by criminals to decrypt data sent between a website’s server and a user of that website. And, since it leaves no trace, system administrators would have no clue they were breached.

Renowned security expert Bruce Schneier said of Heartbleed, “On a scale of 1 to 10, it is an 11.”

What kinds of devices are impacted..?

MIT Technology Review explains the Heartbleed flaw could live on for years in devices like networking hardware, home automation systems, and even critical industrial-control systems, because they are infrequently updated.

Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected, says Philip Lieberman, president of security company Lieberman Software. “ISPs now have millions of these devices with this bug in them,” he says. The same issue likely affects many companies, because plenty of enterprise-grade network hardware and industrial and business automation systems also rely on OpenSSL, and those devices are also rarely updated.

Large-scale scans of Internet addresses have previously uncovered hundreds of thousands of devices — ranging from IT equipment to traffic control systems — that are improperly configured or have not been updated to patch known flaws. (See MIT’s 2013 article called “What happened when one man pinged the whole Internet” [i.e. 3.7 billion IP addresses] for some disturbing findings about these types of devices.) 

So what does this mean to me..?

If you are a business, a developer or system administrator … upgrading to OpenSSL version 1.0.1g resolves this vulnerability, but realize SSL digital certificates are compromised too so they must be recertified. US-CERT recommends administrators and users review Vulnerability Note VU#720951 for additional information and mitigation details. There is also a way to disable the heartbeat handshake command (although it is best to upgrade) – visit http://heartbleed.com to learn more. Also … once your system is upgraded and recertified, businesses and site owners should notify all users the site is secure and encourage everyone to change their passwords as quickly as possible.
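As a first check of the advice above, here is an added example (not code from the post, heartbleed.com or the OpenSSL project) that classifies an OpenSSL version string against the affected range the post describes: the 1.0.1 branch up to 1.0.1f is affected, 1.0.1g is fixed, and the other release branches are not affected; the OpenSSL advisory also listed the 1.0.2-beta1 pre-release as affected, which the code handles as a special case. The result names “vulnerable-by-version”, “fixed”, “not-affected” and “unknown” are my own, and the sample version strings are constructed. Because Linux distributions backported the fix without changing the upstream version letter, a version-string result is a prompt to confirm with the vendor, not a verdict.

```python
"""Classify an OpenSSL version string against the Heartbleed-affected range.

Added example, not from the original post, heartbleed.com or the OpenSSL
project. Ranges: 1.0.1 through 1.0.1f affected, 1.0.1g and later fixed,
0.9.8 / 1.0.0 not affected, 1.0.2-beta1 affected (per the OpenSSL advisory).
Distributions backported the fix without bumping the letter, so
'vulnerable-by-version' means "check with your vendor", not a confirmed hole.
"""
import re
import ssl

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def classify_openssl_version(version_string):
    """Return 'vulnerable-by-version', 'fixed', 'not-affected' or 'unknown'."""
    m = VERSION_RE.search(version_string)
    if not m:
        return "unknown"          # e.g. LibreSSL or an unparseable banner
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)           # '' for 1.0.1, 'a'..'g' for lettered releases
    if branch == (1, 0, 2) and "-beta1" in version_string:
        return "vulnerable-by-version"
    if branch != (1, 0, 1):
        return "not-affected"
    # String comparison is enough here: '' < 'a' < ... < 'f' < 'g'.
    return "fixed" if letter >= "g" else "vulnerable-by-version"


def local_openssl_status():
    """Classify the OpenSSL that this Python interpreter's ssl module links to."""
    return ssl.OPENSSL_VERSION, classify_openssl_version(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample banners in the format `openssl version` prints.
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.0l 6 Jan 2014"):
        print(banner, "->", classify_openssl_version(banner))
    print(*local_openssl_status())
```

Feed it the output of `openssl version` from each server, or call local_openssl_status() to see what the interpreter itself links against; a “fixed” result still does not replace reissuing certificates whose keys may have been exposed, which the post calls recertifying.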

For everyone else … there’s not much we can do other than avoid the Internet (okay … so that’s not realistic) … but you can be proactive and verify all the sites you have accounts with are fixed and get ready to change passwords as explained below. As ZDNet writes… if your bank, favorite online merchant, email, cloud and/or software provider hasn’t fixed Heartbleed yet [or advised that their site didn’t use the buggy version], close your accounts and find new service providers.

What can I do to protect myself..?

Realize some sites don’t even use OpenSSL, others didn’t update to the 2012 version of SSL so they aren’t vulnerable, and many others have patched the Heartbleed flaw once it became known on April 7, 2014. And hopefully any and all websites impacted by this vulnerability notify users once their systems are updated and recertified and recommend everyone log on and change your passwords.

Yes, it is a pain and will be time-consuming, but you should get in the habit of changing passwords every few months anyway.

And realize there will be some scumbags who will take advantage of this Heartbleed scare so be on the lookout for phishing emails requesting you click a link to change your password. The best way to ensure the security and integrity of any of your accounts is to go directly to each website and log in there to manage your secure data.

Mashable has compiled a Heartbleed Hit List of sites possibly affected by this flaw and advises whether you should change your password on sites like Facebook, Instagram, Tumblr, Google, Yahoo mail and more.

[Image: Heartbleed result from SSL Labs]

If you’re not sure if a site you use is vulnerable, visit https://www.ssllabs.com/ssltest/ to perform an analysis of the configuration of any SSL web server on the public Internet. (If everything’s green, it has probably been fixed.) Another tool you can use to check sites is http://filippo.io/Heartbleed/.

Also, if you use Chrome as your browser, they just released an app called Chromebleed that will test a site before you visit it and display a message if it’s affected by Heartbleed. (Note: Some early reviews weren’t so good, so read the description and reviews before installing.) But keep in mind these tools are just resources and may not be totally reliable.

[Image: heartbleed-cap one not vulnerable]

The best solution is to visit each and every site you use that has sensitive information (e.g. banking, email, social media, etc.) to find out if they have posted a public statement or link about the Heartbleed issue — or maybe they weren’t even impacted or vulnerable — but hopefully they’ll say something online or in a newsletter.

If they don’t mention anything about Heartbleed, call, chat or email to ask if they had a problem with it. And if a site was fixed … you should change your password.

Many experts suggest the best thing to do is change all your passwords now. BUT… realize you may have to change some of them again since there may be some websites that are still buggy meaning the secure data is still vulnerable.

It’s totally your call, but it is wise to change your passwords often anyway … and you really should change them on any and all sites that have been patched.

Tips about passwords

  • DO NOT use the same password for all your accounts! And make sure all your email accounts have unique passwords since hackers with access to your email can visit other web sites (e.g. banks, Paypal, email providers, etc.) and submit a “forgot my password” request and intercept the email with the reset password.
  • Create long passwords (at least 8 characters long) using a combination of letters, numbers and special characters … change them often … and don’t share them with others. Consider using numbers or special characters in place of letters if using words, acronyms or phrases. For example, instead of using “ilovesunnydays” as a password, you could use “1loVe$unnyd@ys” to strengthen it.
  • Pet and family names are not good to use since hackers or criminals may have access to your personal data and/or your posts on Twitter, Instagram, Facebook, etc.
  • Don’t use the “remember my password” option on accounts that contain sensitive data (like credit card data, etc.) since 1) typing them every time can help you remember passwords … and 2) if your PC or handheld device got stolen the perp could potentially access your accounts.
  • Some people invest in password manager services and apps, such as LastPass, KeePass, PasswordBox and 1Password, which keep track of passwords and suggest especially strong ones. However, some security experts warn against creating a single point of potential failure with all your passwords, especially if the service stores your passwords in the cloud. PCMag has some tips on various password managers.

Also…

  • Make sure computers and all wireless devices have current anti-virus software and firewalls, schedule them to scan daily or weekly, and update virus patterns often. If you own or manage a business, encourage employees to protect their personal home devices too.
  • Set security preferences as high as possible on Internet browsers and anti-virus packages.
  • Although it is best to not open emails or attachments from unknown sources, that’s not always feasible – especially in the business world. But consider saving the attached files into a temporary directory and scan them before opening.
  • See more tips about protecting your devices from cyber threats in our October 2013 enews.

For more information about Heartbleed:

Heartbleed.com (official site with data + tips for developers and general public)

OpenSSL Project (OpenSSL community with updates, source code, etc.)

US-CERT OpenSSL ‘Heartbleed’ Vulnerability

Heartbleed: What you should know (WaPo article by Gail Sullivan)

What you need to know about the Heartbleed bug (Good Q & A)

How Heartbleed Works (Good PC Mag SecurityWatch article)

Stay safe (and secure) out there!  j & B


October is National Cyber Security Awareness Month (cyber safety tips and tools for #ncsam)

October 2, 2013

[Image: NCSAM logo]

October is National Cyber Security Awareness Month. NCSAM, sponsored by the Department of Homeland Security (DHS) and the National Cyber Security Alliance (NCSA), is a national public awareness campaign to encourage everyone to protect their computers and our nation’s critical cyber infrastructure.

Fedhealth is proud to be an NCSAM Champion and we are encouraging everyone to learn more about NCSAM since cybersecurity is our shared responsibility. That means everyone has the potential to make a difference and educate others.

Whether you use one computer, a smartphone or a massive network, it is critical to keep systems protected from viruses and attacks.

  • Make sure computers and all wireless devices have current anti-virus and anti-spyware software and firewalls, and schedule them to scan daily or weekly. Also set virus patterns, operating systems and browsers to update automatically. Encourage employees to protect their personal home devices too.
  • Set security preferences as high as possible on Internet browsers and anti-virus packages.
  • Be aware some flash drives may have trojans or viruses, or be used to copy sensitive data off secure systems, so consider limiting access to critical files and/or systems.
  • Although it is best to not open emails or attachments from unknown sources, that’s not feasible in the business world. But implement precautionary procedures like having employees save attached files into a temp directory and scan them before opening.
  • Discourage accessing financial institutions from mobile devices using apps or email links. Instead, visit banking and credit card sites directly using a browser window.
  • Be aware there are lots of “scareware” scams online! Do NOT download or click on a screen that says it found “X number of viruses or spyware on your system” suggesting you download their package — it will most likely be a virus.
  • Use long passwords (using both numbers and letters [and special characters if possible]), change them often, and don’t share them with others.
  • Backup data often and keep a daily or weekly backup off-site.
  • Make sure someone knows how to download patches or fixes in case a computer or system gets infected. And have a backup plan in case that person (or team) is not available.
  • If your business is hacked, file a complaint with the Internet Crime Complaint Center at www.ic3.gov

NCSA has many tools and materials available online for…

Learn more about National Cyber Security Awareness Month at www.staysafeonline.org/ncsam and get involved!

