How to Safeguard Your Data From Hackers, Phishing Scams, and Nasty Intruders

In my last article, we discussed shedding the fears we have of the technologies we interact with by learning more about them. Building on that philosophy, we’ll venture down a rabbit hole now that we’re online and looking to browse, shop, bank, and interact safely. As society becomes increasingly reliant on the conveniences of the Internet, it will be important to know basic safety and how to identify possibly dangerous activity.

Somehow people have come to feel less and less worried about email as an attack vector in the modern arena. Unfortunately, that complacency is misplaced: email attacks are still a dominant method by which attackers compromise their targets. Our penetration testing team uses email attacks on almost every engagement, and we see through our work with HoneyPoint as well as other intelligence that this continues to be a staple of the modern attacker’s arsenal. But what does that mean to you?

Hopefully, the average user has gotten into the habit of filtering spam, only opening email from known senders, and only opening attachments when they are known and/or expected. But do we see the possible danger in an email from support@mycompany.com or human.resources@mycompany.com when we have only ever received email from techsupport@mycompany.com or humanresources@mycompany.com? Attackers spend a lot of time doing their homework and finding trust relationships to exploit in obscure ways such as these. If in doubt about the source of an email, send a separate, new email to the sender (rather than replying) to verify it.
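As an added illustration of the lookalike-sender problem above (example code, not from the original post): a small Python triage routine that compares each incoming sender against the addresses a mailbox already knows, flagging near-duplicate local parts at a trusted domain and near-miss domains. The KNOWN_SENDERS list, the sample From: headers and the similarity thresholds are constructed assumptions.

```python
"""Flag e-mail senders that imitate contacts we already know at a trusted domain.

Added example, not code from the original post. KNOWN_SENDERS, SAMPLE_FROM and
the similarity thresholds are constructed assumptions.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list: addresses this mailbox has actually corresponded with.
KNOWN_SENDERS = {
    "techsupport@mycompany.com",
    "humanresources@mycompany.com",
}


def _split(addr):
    """'Local@Domain' -> ('local', 'domain'), lower-cased."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def _normalise(local):
    """Drop dots/underscores/dashes so human.resources compares equal to humanresources."""
    return re.sub(r"[._-]", "", local)


def classify_sender(addr, known=KNOWN_SENDERS, local_threshold=0.6, domain_threshold=0.8):
    """Return one of: 'known', 'lookalike-local', 'lookalike-domain',
    'new-at-trusted-domain', 'unknown'."""
    addr = addr.lower()
    if addr in known:
        return "known"
    local, domain = _split(addr)
    trusted = {}                       # domain -> list of normalised known local parts
    for k in known:
        kl, kd = _split(k)
        trusted.setdefault(kd, []).append(_normalise(kl))
    if domain not in trusted:
        # Near miss on the domain itself (e.g. mycornpany.com vs mycompany.com)
        for kd in trusted:
            if SequenceMatcher(None, domain, kd).ratio() >= domain_threshold:
                return "lookalike-domain"
        return "unknown"
    a = _normalise(local)
    for b in trusted[domain]:
        # support@ vs techsupport@: one name contained in, or very similar to, the other
        if a == b or a in b or b in a or SequenceMatcher(None, a, b).ratio() >= local_threshold:
            return "lookalike-local"
    return "new-at-trusted-domain"


def triage(from_headers, known=KNOWN_SENDERS):
    """Classify raw From: header values; returns [(display_name, address, verdict), ...]."""
    out = []
    for hdr in from_headers:
        name, addr = parseaddr(hdr)    # strips the display name, keeps the address
        out.append((name, addr.lower(), classify_sender(addr, known)))
    return out


# Constructed sample From: headers
SAMPLE_FROM = [
    "Tech Support <techsupport@mycompany.com>",
    "IT Support <support@mycompany.com>",
    "HR <Human.Resources@mycompany.com>",
    "Payroll <payroll@mycornpany.com>",
    "CEO <ceo@mycompany.com>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for name, addr, verdict in triage(SAMPLE_FROM):
        print(f"{verdict:22} {addr:32} ({name})")
```

A 'new-at-trusted-domain' verdict is not an alarm by itself; it is the cue to verify out of band, as the post advises.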

Browsing the Internet is fun, entertaining, and often necessary. Web browsers are also a ripe playground for nefarious activity which means the more risky places you visit, the bigger the chance that you’ll face some sort of danger. First, like all software, we need to be using a fully patched deployment of the latest stable version of the browser. Here is one of many statistical breakdowns of browser security for review, which should make a user consider which web browser they want to use. Internet Explorer controls a majority of the market simply due to being packaged with Windows as a rule, but the other options are stable, smooth, and less of a target making a successful attack less likely.

In addition to being compromised simply by using a weak browser, we must also be aware of where we browse and look for oddities when we surf. Look at the URLs in the browser’s address bar; hover over links to see where they direct and then ensure that’s where you end up; and realize that the pop-up browser window (telling you the machine is infected with a crazy number of infections and must be dealt with NOW) is a browser window, not a legitimate warning from your Anti Virus solution (you ARE running AV, right?). After all, modern browsers still struggle with BROWSING properly; we can’t expect them to properly provide AV coverage too!

While browsing safely is much deeper than we have space to cover in this post, one last activity we’ll discuss is online banking. Banks do a good job protecting us while providing online service for the most part. Individual users must still run a tight ship to keep the attack surfaces as small as possible. First off, change your banking passwords regularly. I know this sounds like a pain in the backside, but it’s worth it. I promise my next post will discuss more about how to manage this with ease. Secondly, review your account often, looking for discrepancies (if you want details on the plethora of fraud I’ve encountered doing this, contact me on Twitter). And finally, log off. Most banking web applications are designed to properly terminate your session upon logging off, which prevents any issues with stale sessions that might be hijacked by an attacker.

Embrace the conveniences that technology provides, but do so with a sharp mind and open eyes. Following these few basic tips will help build the skills that become second nature to a wise and seasoned traveler on the Information Super Highway!

How to Safely Use a PC and the Internet: Fear Them No More!

As the MicroSolved team strives to bring quality service to our clients, we also make every effort to educate the masses and try to contribute not only to the Info Sec community, but to the “average Joe” out there trying to bank online, check email, or use Facebook without sacrificing their digital security or personal identity.

It’s human nature to fear the unknown. We don’t like to deal with things we don’t understand. Once upon a time, it might have been ok to just avoid what we didn’t know. But today’s world is becoming more and more reliant on machines, computers, and the Internet. Before, a person used to be able to go through life without knowing how to work with technology. Today this is becoming more difficult. People use computers at work, at home, and at the store. Children are required to do papers, reports, and projects on a computer; it’s not something that can be easily circumvented any longer.

This being said, it is time to STOP fearing these things. The only way to do that is to face the fear. Realize the machines only do what they’re told; you just need to know how to give the proper orders. Computers are dumb. They’re basically a digital filing cabinet which holds files with digital instructions on them. They can be manipulated to the will of the user, and can be helpful tools once the apprehension subsides. Take a basic course on how to use a PC and the Internet; they’re not costly and should be readily available. If you have trouble finding one, ask around. Many libraries and community centers offer basic introduction courses either for free or at low cost. You don’t need to be a Windows Jedi or a Linux Guru to operate these machines.

The Internet is a staggering creation of man. Nearly everything in the world can be accessed in some form online. Learn what a web browser is, what it does, how to operate it, and how it should behave. Learn to pay attention to how your browser acts when surfing and how commonly visited pages act. When something changes, don’t dismiss it! These changes can indicate unsafe conditions and should not be ignored. Using the Internet is a responsibility and users need to be aware when they’re online.

Over the coming weeks, the MicroSolved team will be working to create blog and video content focused on educating end users to keep them safe while surfing the web. If you have a topic you’d like to see covered, contact us! We’re always excited to hear from you.

Tales From a Non-Security Professional, An End-User’s View

I’ve been working in the information security business for two years and have been amazed by what I’ve learned during this time. I remember when I thought, “Information security? Sure. A bunch of geeks patrolling their networks.” I had seen the movie Hackers, after all.

But I had no idea of the breadth and depth of information security. Basically, if you’re using technology, your data is at risk. Any piece of technology that you use that has sensitive data stored can be stolen. It is up to an individual to be proactive when it comes to information security instead of assuming “The IT Team” will take care of it.

Case in point: This morning I read an article from Dark Reading about Intel’s workers thwarting a malicious email virus. Pretty cool. Those workers took the initiative. They didn’t say to themselves, “Hmm. This email looks a little dicey, but I’m sure IT has it covered.”

Instead, each worker who recognized the malicious email immediately contacted the IT department. Because of such quick action, the IT department was able to contain the potential risk and take care of it. This type of response doesn’t happen overnight (and hopefully won’t take two years, either) but was the result of consistent education.

For me, I’ve tightened up my own personal security posture as a result of hearing what happens when you don’t pay attention. Here are a few precautions I’ve taken:

1) Never leave a laptop in the front seat of your car. This may seem basic, but many workers who have a company-owned laptop will often put it on the passenger’s side of the car, or on the floor. It is easy to assume that when you stop to get gas and take a quick detour into the convenience store to grab a drink, that no one will bother your car. Don’t bet on it.

According to a CSI/FBI Computer Crime and Security Survey, data loss from laptop theft came in third and fourth behind virus attacks and unauthorized access. Make a habit of placing your laptop in your trunk, away from prying eyes. And if you really want to protect it, carry it around with you. I’ve been known to carry my laptop inside a CVS, and restaurants. I usually say to myself, “How inconvenient/annoying/scary would it be if this laptop was stolen?” Yep. It’s going with me.

2) Passwords, smashwords! We all belong to probably way too many websites that require a password to access them. That’s not even counting the passwords we need to remember for our work email, database, or access to the intranet. We’re also told by our friendly IT team that we need to change those passwords on a regular basis. If you have trouble remembering what you had to eat for breakfast yesterday, much less trying to remember a password you created three months ago, I have the solution: a password vault. I can’t tell you how much this has alleviated the stress of remembering and revising passwords. I use KeePassX, an open-source password vault application.

Whenever I change my password, I immediately open the app and update my entry. Whenever I join a new site that requires a password, I’ll add a new entry. It’s simple and quick, and will protect me from some joker trying to hack into my sites. Once you get into a habit of changing your passwords, it becomes easier. Believe me, this is a heckuva lot easier than scratching out various passwords and usernames on a scrap piece of paper, throwing it into your desk drawer and then trying to find it three months later.

3) Delete stupid emails. This goes back to the “Here You Have” virus that the Intel employees avoided opening. They immediately saw the risk and reported it. Don’t open emails from people or groups that you don’t recognize. In fact, I created a spam folder and just move those types of emails into it if the regular spam filter doesn’t catch them. I empty the folder on a regular basis. No matter how enticing an email header is, if you don’t recognize the sender, trash it. For those who are detail-oriented, you really don’t have to open every email you receive. Really. You probably didn’t win that lottery, anyway.

4) Be suspicious. This one is probably the most difficult for me. I’m a friendly person. I like people. I was raised by two very outgoing parents and hence, I have a soft spot for striking up conversations with perfect strangers. I find I’m a magnet for some of them, too. When you’re in your office, this can be used against you by a clever attacker. If you’re an IT staff person, you may get a call from someone who is in some type of a bad spot and needs access to “their” data at work and gosh, could we just skip the authentication process? Because most of us are wired to help others (thank you very much, customer service training), we obviously try to be of assistance. Meanwhile, the attacker is counting on this and will press an employee to give them information without checking their credentials. If anyone calls me and starts asking a bunch of nosy questions, I’ll start asking mine right back: “What company do you represent? What is your name? What is your phone number? Why do you need to know this information?”

Sometimes asking such questions may feel awkward, but remember, we’re protecting our company’s data. We’re on the front line and a little discomfort can go a long way in winning the battle of security.

These are a few things I’ve learned over time. Information security isn’t only the IT department’s job or the CISO/CTO/CIO’s. It’s a job that belongs to everyone. If I could sum it up, I’d say this: Be aware. Be aware of your surroundings, aware of your technology, aware of access points. Keeping your eyes and ears open will not only save you a bunch of headaches (and perhaps your job) but will save your company money. And in today’s economy, that is a very, very good thing.

Stories of Hacking the Human #security

He stood before the receptionist, patiently waiting until she was finished with the phone call. He fiddled around with his fake badge while glancing at the security door that led into the main office area, waiting to see if someone would exit or enter soon.

Finally, two employees engaged in conversation exited the door while a small group headed toward it. He darted to join the group while the receptionist continued to look down at her list of R.S.V.P.’s, searching for the business’ name.

As the group entering the office area quickly glanced his way, he shot them an easy grin. “Phone lines,” he quipped as he showed them the badge. “Just upgraded on our end and we want to make sure you don’t miss your phone calls!”

As the group laughed and joked about not really missing calls if they had the opportunity, he scanned the cubicle areas to make a note of which ones were empty. In a few minutes, he’d double back, slip into one, hack into the network and start snooping around.

In larger corporations, that is how social engineering can happen. Employees are trusting and often distracted by their own sense of security. They see the same people in the office but realize every once in a while, there is “the new girl” or “new guy.” They trust this person has gone through the proper channels that authorized their presence. And that’s their mistake. Very few ask questions.

Many times, employees find that their desire to be helpful is exploited. What is usually portrayed as good customer service (“Is there anything else you need?”), can be cleverly manipulated by attackers. Often a hacker will appear to be IT staff who needs to verify an employee’s password. When the unsuspecting victim is presented with a plausible reason for taking shortcuts (“I’m so sorry, but it could really help me if you just gave me the password instead of having to bother my supervisor…”), they often comply.

How can employers prevent social engineering attacks? The quick answer is, they can’t. Hackers are becoming more resourceful as organizations initiate more complex security measures. But employers can still take precautions that will help employees recognize that a potential threat exists. Here are some tips:

  • Be aware of your surroundings. Know who is in charge of vetting outside service people, so that when a strange face appears, employees know who to call. Tell employees that entering a secured area means using their badges to gain entry, and make sure everyone follows procedure.
  • Be suspicious. When callers ask for personal information, ask if there is a number at which you could return their call, and then verify their credentials with an internal source.
  • Pay attention to the URL of a website. The page may look the same, but the URL will expose it as a fake. Contact the company when in doubt.

Using these tips will help your organization avoid becoming a victim. Be alert and you’ll keep your data safe!

2 Ways to Get the Most Out of Security Awareness Training

A good security training and awareness program is one of the most important parts of any effective information security program, if not the most important. After all, people are the ones that cause security problems in the first place and, ultimately, people are the ones that have to deal with them. Not to mention the fact that people are twice as likely to detect security problems and breaches as any automated system. Doesn’t it make sense that you should do everything in your power to ensure that all of your people are behind you in your security efforts? That they are provided with the knowledge and the tools they need to understand information security and what their responsibilities are towards it? That they are aware of how devastating an information security incident can be to the company, and consequently, how devastating it can be to them personally? Well, you’re not going to get that from having them read the policy book as new hires and then holding a two-hour class six or twelve months later!

And yet that is traditionally how information security is dealt with in most companies. All enthusiasm for the process is absent, too. They don’t want to do this training! It costs them time and money! The only reason most companies provide any security training outside of the very basics is because of their need to comply with some regulation or another. So what you end up with is a whole group of undertrained and unenthusiastic employees. And these employees become, in turn, the very kind of security liabilities that you are trying to avoid in the first place! So why not turn them into security assets instead? You have to provide them with some security training anyway, so why not give it that extra little “oomph” you need to make it worth your while?

How do you go about that, you may ask? Here are some tips:

1. Make sure that they understand what an information security incident or anomaly looks like. Make sure that they know all about social engineering techniques and how malware is spread. Give them some tips on how to recognize bogus websites, phishing emails and bogus phone calls. Let them know some of the things they can expect to see if there is a virus present on their machines. And don’t use just one format to provide them with this information. Use every method you can think of! There are many formats for security and awareness training to choose from: group assemblies with speakers and PowerPoint presentations, lunch-and-learns, training days, self-directed web-based learning, directed webinars, security documents, email reminders, posters and pamphlets, podcasts, departmental meetings, discussion groups and many more. And make sure that management personnel, especially top management, make it clear how important this task is and how much it means to them and the company. Without this support, your efforts will go nowhere.

2. Give your people incentives that make them want to participate in the information security program. One method is to simply ask for their help. Make sure your employees understand how important the participation of each and every one of them is to the effort. People often respond very favorably to such requests. If instead they are simply told that they must do it, they are much more likely to be unconcerned and uncooperative. Another way is to provide them with rewards for active participation in the program. Put the names of employees who have reported security issues in a hat and have a monthly drawing for a prize or a day off. Give these people a free lunch. Give them the best parking spot in the lot for a month. I’m sure you can think of a dozen other ways to reward your employees for participating in the program. Or simply post the picture of the employee on a bulletin board or internal web page, or recognize their accomplishments at group meetings. Everybody really likes to be recognized for doing a good job!

The whole idea is to turn your personnel into “net cops”. If you can do that, you can turn your own people into the best IDS there is, and for a lot less money than you would spend on machines or hosted services... or for cleaning up a security incident!

A Quick Word on LiveCDs and Bootable USB for Consumers

I gave a quick interview today for a magazine article to be printed in late July. The topic was pretty interesting; it revolved around consumer fears about online banking.

The key point of the discussion was that financial organizations are doing a ton of work on securing your data and their systems from attack. The major problem facing online banking today is really the consumer system. So many home PCs are compromised or infected today that they represent a significant issue for the banking process.

The good news is that home systems can pretty easily be removed from the equation with a simple bootable LiveCD or USB key. It is quite easy (and affordable) to create Linux distros with very limited applications and security measures that enforce using them just for banking and other high-risk transactions. Solutions in this space are available as open source, as community- or payment-supported projects and, of course, as full-blown commercial software tools complete with a variety of VPN, access control and authentication tools.

You might even consider creating your own open source distro, labeled and logo branded, to distribute for free to your customers. A few of my credit union clients are taking this approach. For the cost of CD duplication, they get the high-trust customer contact and the peace of mind of having a dedicated, trusted platform for their home banking. That, indeed, may be well worth the investment.

Review of Puppy Linux 5.0

Lucid Puppy Linux 5.0 was released back in May of 2010, but as one of my favorite distros, I have been playing with it heavily since then. I have been so impressed with the new version that I wanted to take a moment and write a quick review of this release.

You can find the official release page here, along with download information.

First, let me say that I have really come to love Puppy Linux over the last several years. I use it as a LiveCD/USB platform for secure on-the-go browsing, as a Linux OS for old hardware that I donate to a variety of folks and causes, and as a platform for using HoneyPoint as a scattersensor. I like the ease of use, wide range of hardware support, and small footprint. All of these make this a very workable Linux distro.

This version especially seems to be stable, fast, and capable. I have taken to running it from a bootable USB drive and the performance has been very nice. Being able to drop these onto untrusted systems and use them as a browser, VPN client, and productivity tool has been handy. Using HoneyPoint Personal Edition, the nmap plugins and some other Puppy installs of security tools gives me a great platform for working incidents, gaining visibility and catching rogue scans, probes and malware that are in circulation when I pull in to help a client. Over and over again, the distro has proven itself to be a very powerful tool for me.

I suggest you take a look at the distro, LiveCD or USB, and see how it can help you. I think you’ll find it fun, easy to use, and quite addicting. The pictures of the puppies don’t hurt either. 🙂

Check it out!

Using WordPress In the Corporate Environment

WordPress (WP) has become the dominant force in blogging platforms for a very good reason. Because it’s open source, creative developers are constantly looking for ways to improve the product to meet the needs of both personal and business bloggers. Consider that WordPress can be hosted on your own server (or hosted by whichever service you use), has an army of theme designers (both free and premium), and attracts traffic through a variety of add-ons.

A quick list of the competition: TypePad, which costs $14.95 a month for the “pro” version. You’ll need to learn a specific TypePad programming language to customize your blog. Tumblr does not allow comments, so if you used it, you would have to embed Disqus to enable comments. Movable Type offers customization, but requires a license for business use, which ranges from $50 to $1,000, depending on how many people will require access to make updates.

WP is a free download but many themes have a cost attached. You can find some great free themes, but be sure to look for support. If a theme designer’s website has a forum, that’s a very good sign. It means they’re open to questions and helping you when needed.

Once you set up your WP blog, avoid spammers by activating the “Akismet” plug-in. This plug-in protects your blog’s comment section from being spammed. There are many great plugins for business blogs. Search Engine Journal has a few here, and a helpful article with more plugin recommendations from Better Business Blogging.

One of the reasons WP is loved by businesses is because it is SEO-friendly. Google and other search engines play very nicely with WP. Once you create a powerful header and add keywords within your post, a search engine will notice. Searching for relevant keywords? Try Google’s search-based keyword tool. It will give you ideas of what people are searching for in your industry, and you can adopt a few of those keywords to drive traffic.

WP also allows multiple users to contribute to the blog. You can also schedule blog posts to be published at a later date. If you have multiple users, it may be a good idea to filter the posts through a gatekeeper (such as HR or marketing) before posting, to ensure a consistent message for the organization.

WP has updates, like any software. Install an automatic update plugin to help you stay on track. Use strong passwords for logins and set strict file permissions.

Another way to secure your blog is by using a secret key. In WordPress, the wp-config.php file stores the database information that WordPress needs to connect: the name, address and password of the MySQL database. Go here and copy the results into this section of your wp-config.php file if you haven’t already set up a secret key.
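As an added example (not from the post or from WordPress) of checking the two points just made, the secret keys and the file permissions, on a wp-config.php: the Python below parses the define() lines, flags keys that are missing, still set to the sample placeholder, short or reused, and flags a file readable by group or others. The eight constant names and the placeholder string are WordPress’s own; the config snippets, the 32-character minimum and the offline key generator are constructed assumptions.

```python
"""Audit a WordPress wp-config.php for missing, placeholder or weak secret keys.

Added example; not code from the original post or from WordPress. The constant
names and placeholder are WordPress's; WEAK_CONFIG and MIN_LEN are constructed.
"""
import os
import re
import secrets
import stat
import string

WP_SECRET_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
MIN_LEN = 32                                   # assumption: shorter is too guessable

# Matches define('NAME', 'value') with the value in PHP single quotes.
_DEFINE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")


def parse_defines(text):
    """Map constant name -> value for every single-quoted define() in the file."""
    return dict(_DEFINE.findall(text))


def audit_secret_keys(text):
    """Return a list of findings; an empty list means all eight keys look sane."""
    defs = parse_defines(text)
    findings, seen = [], {}
    for key in WP_SECRET_KEYS:
        val = defs.get(key)
        if val is None:
            findings.append(f"{key}: not defined")
        elif val == PLACEHOLDER:
            findings.append(f"{key}: still set to the sample placeholder")
        elif len(val) < MIN_LEN:
            findings.append(f"{key}: only {len(val)} characters (want >= {MIN_LEN})")
        elif val in seen:
            findings.append(f"{key}: reuses the value of {seen[val]}")
        else:
            seen[val] = key
    return findings


def audit_file_mode(path):
    """Flag a wp-config.php readable by group or others (it holds DB credentials)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:04o} is exposed to group/others; use 0600 or 0640"]
    return []


def audit_wp_config(path):
    """Content plus permission checks for a real file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_secret_keys(fh.read()) + audit_file_mode(path)


# Excludes ' and \ so a generated value drops straight into a PHP single-quoted string.
_SAFE_CHARS = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.<>?/|~"


def generate_secret(length=64):
    """Offline alternative to the online generator: one random 64-character phrase."""
    return "".join(secrets.choice(_SAFE_CHARS) for _ in range(length))


# Constructed 'before': untouched sample keys, one short key, NONCE_SALT missing.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'changeme');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
"""


def hardened_config():
    """Constructed 'after': every key gets its own fresh secret."""
    lines = ["<?php", "define('DB_NAME', 'wordpress');"]
    lines += [f"define('{k}', '{generate_secret()}');" for k in WP_SECRET_KEYS]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in audit_secret_keys(WEAK_CONFIG) or ["no findings"]:
        print("weak    :", f)
    for f in audit_secret_keys(hardened_config()) or ["no findings"]:
        print("hardened:", f)
```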

Blogging can be an excellent way for your organization to stay current in its industry. By consistently posting relevant blog posts for your audience, you have the opportunity to inform them and stay connected. Using some of these tips will help make the most of your blog.

The iPad as a VPN Client

Today was my first real chance to try out the iPad as a VPN client in a critical situation. I needed an essential file for a client in a real hurry. We were about 50 miles from the office and a physical return with the file wasn’t possible. Even worse, it was stored on an encrypted vault volume on my personal backup system, so none of my engineers could assist me, since they lack credentials for that box.

Thankfully, I had my iPad with me. I had already set up a VPN connection for my device, but hadn’t yet tested it. The good news is that it worked perfectly! I was able to quickly create a VPN tunnel back to my network and then SSH into my vault. Once there, I could effortlessly arrange for a file transfer to my client in a secure manner. I even piped a VNC connection over the tunnel using iTeleport and could interact with the GUI nearly as easily as on a laptop.

All in all, it was a great save and made an excellent real-world use case for the iPad in my workflow. Have you had any other big successes with the iPad in your security work? If so, drop a comment and tell us about it. I look forward to reading about it!

How To Create a Social Media #Security Policy

Facebook now claims 300 million active users, and Twitter has 6 million monthly unique visitors. As more employees use mobile devices and their desktops to access social media sites, the security risk grows for both users and organizations.

And according to a survey recently conducted by IANS, a Boston-based research company that focuses on information security issues, more companies are starting to address concerns by creating a social media policy.

Because social media is not likely to disappear (in fact, more platforms are likely to appear), an organization needs to create guidelines to help protect its confidential data. Here are a few things to consider when crafting your own policy:

1. Communicate with employees and emphasize current policy. If it’s not acceptable to discuss new business at a live networking event, then it’s not acceptable to post it on Twitter or Facebook. The social media platform may change, but the principle remains the same. “Loose lips sink ships” isn’t just a quote for the military. You may already have a policy in place regarding sharing information. Include it in a social media policy.
2. Use social media policies as an additional tool for your employee awareness program. When you develop a policy and reinforce it with training classes, email reminders, or media, employees remember how important it is to protect the company’s intellectual property. As you explain to employees that social media has just given them a megaphone to broadcast, and that with it comes responsibility, more of them will think twice before sharing something they know is inappropriate.
3. Work with both the human resources and marketing departments. To put a positive spin on usage, it’s good for employees to realize what they can post on their accounts. In fact, your employees can become an in-house public relations firm as they share with their followers the great things about their workplace. Allowing employees to have influence in an organization’s message will give them a sense of ownership in its success.
4. Have a password vault available for each employee. One of the most common ways a hacker gains access to accounts is by discovering a password and then reusing that password to gain access to a person’s other social media accounts. KeePass is a great open-source option to help secure passwords. Encourage employees to change passwords often.

Keep policies current to match new developments within the social media industry. Be as specific as possible and have ongoing awareness sessions to ensure everyone is on board. By planning ahead and communicating expectations clearly, a company can significantly decrease its level of vulnerability to an employee’s misuse of social media.