Security Articles


Read some of the best security articles to appear in GCFlash:

Enhanced Security In Wake of Target Breach

When we covered this story last in the January 7, 2014 edition of GCFlash, much was yet unknown about the massive breach aimed at Target stores. We've since learned Target was not alone.

Neiman Marcus, Sally Beauty, and at least six other stores were also victims. Word spreading through security circles indicates a major restaurant chain and hotel chain are among those who were breached. While specific names are not yet being released due to confidentially in a case still unfolding, Michaels craft stores and Sears are rumored to be among them.

Read more

Credit Card Insecurity

Panic spread through America on December 19, 2013. The news was huge. As many as 40 million credit and debit cards were compromised in a breach that occurred in Target stores between November 27 and December 15.
Update: Target announced new estimates of compromised cards on January 10, believing that somewhere between 70-110 million customers were affected by the breach.

Not online shoppers. But consumers who shopped at a brick and mortar establishment, swiping their cards with confidence.

A well-respected national chain under attack from the onset of the holiday shopping season. Those lured in by Black Friday deals they couldn't refuse. Turns out they got more than they bargained for.

Read more

Scams and Scammers

More often than not it's unfounded. Yet whenever the telephone rings at an unusually early hour, you can't avoid that gnawing sensation in the pit of your stomach. You brace yourself to hear whatever bad news occurred overnight.

It happened just this morning. When the phone rang at 7:30, my instincts proved correct. Fortunately, nobody had died. But I was very lucky that the good folks at Global Support LLC were notified that my computer had downloaded a bad virus that could cause a lot of trouble. And they were the very folks who could rid my system of this nasty bug.

No doubt I would have learned how much they were charging for this service and asked for a credit card number had they not hung up on me immediately when I asked for a phone number to call them back.

'Tis the season, folks. But I don't mean the holidays are approaching.

While it's always scam season of one sort or another, there's a perfect storm brewing right now. Scammers are opportunistic. And we're seeing a rare set of events that are giving them plenty to fill their coffers.

Read more

Ransomware

It's the holiday season. Decorating. Festivities. Goodwill. Shopping. Fake FedEx and UPS tracking notices.

We've seen the ploy before. An email alerts you of a package coming your way. Open the attachment for tracking information. Those that do get a payload package delivering malware rather than holiday goodies.

So every year we issue the same alert. Don't open an unsolicited attachment.

Legitimate tracking notifications from both FedEx and UPS include the name of the vendor and date the shipper received the package. They embed a link into the message body for those that want delivery details. Not an attachment.

If you did make a purchase from the listed vendor around that date, it's safe to assume the message legitimate. Any doubt, track the package through the vendor's website.

Because the stakes just went up for those that open unsolicited attachments.

Read more

HACK AFTER HACK AFTER HACK...

The old idiom was "Another day, another cyber threat." Yet lately, it seems more like every hour that we learn of a new risk to our online safety. There has been a flurry of activity in the cybercrime world as of late.

Don't think for a minute that you're safe as long as you don't bank online. Most every function today depends on information. Information stored in a database.

Use a credit card, write a check, pay your utility bill, buy your groceries, use your smartphone. There's a record of each and every transaction. A record that can be compromised if someone hacks into the computer system charged with safeguarding your personal information.

I'm not trying to scare you here. Well, maybe a just little bit. You wouldn't take this seriously otherwise.

Read more

SPEARED BY CHINA

It's called spearphishing. And it may ultimately be responsible for the fall of many great nations.

We first discussed spearphishing in our June 14, 2011 issue. The article revealed the nature of this type of cyber attack and gave a couple of instances where it had been used to compromise the security of U.S. companies.

Including security vendor RSA.

We're now learning the source of these attacks. And they go much deeper than we initially feared.

Read more

YOU WILL BE HACKED

It's not a matter of IF you'll be hacked any longer. It's wondering WHEN.

Java has made the news highlights over the past week with news of a zero-day vulnerability. Commentators will tell you to disable the plug-in.

But what does this all really mean? And will it help?

Read more

CONFESSIONS OF A SCAM VICTIM

I did it. I've often read that anybody could become a scam victim, but never believed it could happen to me.

Online security is my pet subject. I read about it, I write about it. I knew what to look for, what to avoid.

The email appeared legitimate by every measure. Words were spelled correctly. The grammar and punctuation were proper. It was crafted by a business writer, not a Nigerian shyster.

I knew the bank that issued my credit card was planning new products for their customer's security. I recognized the name appearing in my inbox to be the person who was facilitating the program.

Everything appeared legitimate. So I didn't suspect a thing when I read the email announcing an enhanced credit card monitoring service. All I needed to do was answer a couple of quick questions.

My busy schedule didn't allow opportunity to revisit this request before the deadline. I'd better do it now if I wanted full protection.

The product was tied to my online login, so the last question required my credentials to process. No sooner did I click "Submit" when I had that uh-oh moment.

Read more

CYBERTHREAT LEVEL: HIGH

It didn't take long. Regular readers may remember our coverage of the Stuxnet virus, those who don't remember the article can read it below.

We described how Stuxnet was the first of its kind in targeting, and subsequently destroying, machinery. We detailed how this type of threat can spell doom should one nation attack another's infrastructure, such as their water supply. And that we could be seeing a new type of warfare conducted in cyberspace rather than the battlefield.

A group called Izz ad-Din al-Qassam Cyber Fighters is claiming responsibility for a wave of threats targeting U.S. banks. The group has been associated with Hamas.

And it really wasn't too hard since malware build kits are readily available on criminal websites. Tool kits like those described in our coverage of the ZeuS Trojan in the August 17, 2010 issue of GCFlash

The threat is so high that the Financial Services Information Sharing and Analysis Centers (FS-ISAC) has raised the U.S. banking industry's cyberthreat level from "elevated" to "high". This is like the Dept. of Homeland Security telling us we're in imminent danger of a terrorist strike.

Read more

FLAME

This one might be as hard to extinguish as a California wildfire.

For a primer, read our Stuxnet article that appeared in the April 10th edition of GCFlash (article below).

Now that you have the gist of the scope of cyber warfare, multiply it by 20. You now have the size and complexity of Flame, aka Flamer or sKyWIper.

Read more

STUXNET

You may have seen the term "Stuxnet" appear in news headlines. You likely rolled your eyebrows thinking "not another one" before scanning the next article for something newsworthy.

No precautions necessary for the average computer user for this one. It doesn't target home computers or mobile devices. It doesn't try to steal credentials or present a security threat to consumers. It wasn't created by a bored teenager with more talent than scruples.

Just imagine a cyber attack capable of disrupting New York City's power grid. Unthinkable chaos would ensue as engineers scramble to repair the damage.

Worse yet, consider a worm capable of dismantling America's defense system.

Read more

CAN'T PREVENT IT

GCFlash readers may have figured out by now that I take online security pretty seriously. I have to restrain myself from covering the topic too often in this newsletter. I'm afraid of the overkill factor where a subject is so over-saturated that people will overlook it. Ho-hum... another day, another data breach.

Life's day-to-day functions hold constant demand. So what do we do with information we're already familiar with? We turn a deaf ear. There are too many other issues clamoring for our attention.

But this time we're not talking about a new attack. We're talking about a massive tidal wave of attacks targeting some pretty large victims. And eventually, every single one of us.

Read more

MODERN DAY BONNIE & CLYDE

Had we published GCFlash yesterday, May 23rd, our day in history would have been the 1934 death of Bonnie and Clyde. Just reading that fact got my cyber-gears turning.

The Depression-era spurred a wave of gangster activity. The country had just lost 38 percent of its wealth. There were no jobs, foreclosures were rampant. Soup kitchens overflowed.

Capitalism and government officials took the blame. The people revolted. (Starting to sound familiar?) Many took to a life of crime.

John Dillinger, Pretty Boy Floyd, Baby Faced Nelson and Machine Gun Kelly terrorized towns with their crime sprees. But perhaps none became quite as famous as a young Texas couple called Bonnie and Clyde.

Read more

HACKERVILLE

The travel brochures display breathtaking scenery; medieval buildings nestled in a quaint valley, snowcapped peaks of the Transylvania Alps, beachgoers wading in the crystal blue waters of the Black Sea.

Romania is one of Eastern Europe's most popular tourist destinations. It's also the cybercrime capital of the world.

Until 2003, the country had no cybercrime law on its books. It became a haven for hackers. Its reputation was so bad that Romania struggled to gain acceptance into the European Union.

The law eventually passed was one of the strictest in the world. After an initial decline in criminal activity, it returned to the infamous position that gained their nickname - Hackerville.

Read more

BIGGEST HACK TO DATE

The biggest security hack to date was announced last week. It wasn't a financial services firm that was compromised, nor a provider of related products. Those charged with keeping your personal information safe have done so.

This was a marketing company that got hacked. And all they stole were email addresses of their clients. How much harm can that do?

Plenty. Particularly if your client list includes the likes of Citi, Chase, U.S. Bank, Capital One, Barclays Bank of Delaware, Verizon, Walgreens, Visa, TiVo, HSN and L.L. Bean to name just a few.

Read more

THE (TROJAN) TIDE IS STILL RISING

No, not the massive tsunami that devastated parts of Japan. While the chaos an event of this magnitude wrought on this country, we're going to talk about a bigger threat yet. This one threatens chaos on a global scale.

You may want to refer to the August 17, 2010 issue of this newsletter for background on the ZeuS Trojan before continuing here. The article was so important that we've made it readily available on our Security Articles web page as well.

The article describes a sophisticated Trojan in use by global organized crime rings. The toolkit to deploy the Trojan is readily through underground Internet sites. At the article's end, I offered this prediction:

"While no incidences have yet been reported, it's only a matter of time before SpyEye dethrones ZeuS as King of Crimeware."

That time has come.

Read more

ANATOMY OF A TROJAN

It's been quite a few years since I've written a GCFlash piece on a specific threat. Hundreds of new ones were reported daily, all with similar characteristics and methods of prevention. Early threats were merely pranks pulled by smart kids. They became routine. Little harm was done outside of having to cleanup and rebuild your hard drive, which we thought was troublesome at the time.

Until now. The ZeuS Trojan is so sophisticated and so elusive that even Internet security experts are scrambling to stop it.

Read more

DISTRIBUTION AND PREVENTION

Trojans differ from viruses in that they are not self-replicating. They will not scour your address book and send themselves to all of your contacts. They are spread manually, hiding inside websites, emails, images or downloads with the premise of offering a benefit to the intended victim.

Since ZeuS is sold as a customizable toolkit, each criminal using it will deliver the crimeware in their own fashion.

Read more

UNDERSTANDING FIREWALLS

A recent survey of U.S. and U.K. computer users revealed that 25 percent did not know whether they had any privacy protection. Over half admitted they had no idea what the privacy settings on their browsers were. Do you know what keeps your computer safe?

As the name implies, the firewall serves as a boundary to restrict information traveling between your computer and a network or the Internet. If used properly, the firewall is your defense against someone trying to hack into your system. If it's configured wrong, you're opening the door for an identity thief.

Here's how they work: An unsolicited request is generated whenever someone tries to connect to your computer. This happens when you did not initiate the contact. Your firewall will alert you to the request and ask if you want to allow access or block that particular program or Web site. If you approve the request, the site or program is added to your exception list. It will be recognized the next time it wants access and you'll get no further alerts. Block it and you've slammed the door on potential fraud.

You should have two different kinds of firewalls protecting your home computer. A software firewall protects the computer and a hardware firewall will protect your Internet connections. If you use a PC, the Windows firewall will handle the software protection quite well. The $75 routers you can buy at any electronics store usually include a great hardware firewall.

To be safe, simply set the Windows firewall to Enabled and check the "Don't allow exceptions" box. To find these properties, open Control Panel and choose Windows Firewall from the menu. You'll see the firewall properties box that display these options. You'll now be prompted if any program or Web site not on your exception list is trying to gain access to your computer.

If you misconfigure your firewall, you could inadvertently allow anyone on the Internet to access your computer and read your stored files and other personal information. That's why it's best to simply configure it to block everything.

Many security products on the market offer their own firewall, you don't have to use the Windows version. Examine what each product offers and choose the solution that's best for you. But make sure you only have one product enabled or they'll conflict with each other.

A firewall offers a degree of protection, but there are certain things that it cannot do. It can't detect or disable computer viruses and worms already present on your computer. You'll need antivirus software for that. It will ask permission before granting connection requests, but it won't stop a dangerous email attachment from opening. You'll have to use discretion in deciding what can be a threat. If you don't know the sender or the subject line doesn't make sense, don't open it. It can't block spam. Your email client may offer a spam filter that will help in this regard.

Your firewall can create a security log to record successful and unsuccessful attempts to connect to your computer. This can be helpful if you need to troubleshoot a problem. If you're using the Windows firewall, click the Advanced tab on the properties box described above. The Security Logging option appears on this screen. Choose Settings to select what type of instances you want logged and the file location to do so.

Cyber criminals are continually trying to find new ways to ply their trade. Take your protection into your own hands and stop them in their tracks.

NOT SO PRIVATE

Back in the late '90s, when we installed our first computer network at GCF, there was much debate over whether we really needed all that fancy stuff. Technology was for the big guns at the time. An institution our size didn't REALLY need such automation.

I can remember one department head that was meticulous in her job. She was a wonderful woman with a dedication and work ethic that's hard to find today. She would run numbers forward, backward and sideways if she could to validate her conclusions. That is, as long as she used a pencil and a ledger sheet. Holding that paper firmly in hand was material proof of a job well done.

I sometimes wish life were that simple once again. Sure, that piece of paper could have been compromised. It could have missed the shredder and gotten thrown directly into the trash where a cleaning person could have stumbled on it. A disgruntled employee could have intercepted it and used that valuable information to make the bank look bad. But that would have been the worst of it.

Fast forward a millennium and it's now universally accepted that data doesn't have to be in paper form to be legitimate. Electronic communications and transactions all leave a footprint that serves as their version of a paper trail. But their path extends much farther than any piece of paper ever could, for they leave a footprint that can be traced all around the world.

I never was concerned with privacy issues. While I knew my frequent visits to NASCAR.com would result in race-related display ads when I logged on to Google, who really cared? My name, address and phone number have appeared in the local telephone book for decades. What's the harm in their appearance online?

So I sat down with information security expert Mike Chapple, CISSP, whose books have helped aspiring Internet security professionals prepare for the challenging Certified Information Systems Security Professional certification. I questioned him as to how easy it is to gain access to our private information, and why we should even care. His response was frightening.

Marketing databases are widely available for sale, and can tell you all sorts of things about people. The data isn't integrated, one would have to purchase several different lists to create a complete profile. Yet one can retrieve plenty of information on your habits and interests by simply searching for your Social Security number, address, or even your 9-digit zip code. A lot can be surmised by the demographics of your community. Enough for some deranged person to stalk you or steal your identity. Someone wanting that information badly enough needs to do nothing more than hire a private investigator who can readily access the appropriate database.

Damage can be done even without the help of a private investigator. Once someone has your address and learns where you were born, they have enough information to pull a birth certificate online for $1.95 and find your mother's maiden name. What information does your bank and other institutions ask for to verify identity? Now they've got access to your accounts.

Public tax records can give someone that has your private information enough knowledge to take out a loan in your name. You can easily learn what someone paid for their home and how much they still owe. They show the name of your mortgage holder and when the mortgage was written. These questions are often used to prove the identity of someone applying online. A soft credit check is run, presenting you with questions about your credit history that presumably only you would know.

In the few minutes I sat speaking with Chapple, he was busily plugging away at his keyboard while answering my questions. He paused twice: the first time to tell me my full name, age, place of birth, address, length of residence, current and previous places of employment. The second time his fingers stopped he told me when we bought our home, how much we paid, who holds our mortgage and for what amount, the color I painted the railing on my front deck and the make and model of my neighbor's minivan. He admitted to not being able to clearly read the license plate. He also went on to describe what kind of harm could befall me if this basic, public information fell into the hands of someone not quite as honorable as himself.

The worst part is that there's absolutely nothing we can do to prevent this from happening. We could limit our risk somewhat if we purchase goods only with cash, avoid the Internet completely and become a hermit. But any electronic transaction or action can and does result in a profile.

Chapple suggests you always keep a record of what you do and where you do it. Pull your credit reports regularly to limit any damage in case you have been compromised. You are entitled to one free report per year from each of the three major reporting bureaus, and so is your spouse. If you pull a report from one bureau at a time and intermix those of your spouse, you can keep watch every two months. The only federally sponsored web site to provide your free credit report is annualcreditreport.com. Don't be misled by those with catchy jingles you see advertised in television commercials. You'll need to subscribe to their service to access the free report offered.

Remember that villainous eyes are watching... you best be, too.