The Security Pub

Random Thoughts About Security

Phishing Scams are on the Rise

“Phishing” is where fraudsters send spam or pop-up messages to lure unsuspecting recipients into volunteering personal, financial or credential-related information. That information can then be used to commit identity theft, or to enter password-protected sites using your account. As phishing schemes become more sophisticated, it becomes increasingly important to be vigilant.

Learn more about how to spot a bogus phishing message, the important steps you can take to avoid getting “hooked,” and what to do if you’ve mistakenly responded to a phishing email with your personal information.

The “Dos, Don’ts and Nevers” of Phishing

  1. DO Delete suspicious messages immediately.
  2. DON’T click on any links in the message.
  3. Instead, DO copy and paste the URL into a new browser window.
  4. NEVER respond to an unsolicited email, or supply personal information as requested by an email, even if the message looks real.
  5. NEVER supply your passwords or other sensitive information via an email message. No legitimate organization should request your password or other types of sensitive information via an email message.

What to do if you’re compromised

If you believe you might have inadvertently revealed sensitive information such as your password, you should change your password immediately.

If you provided personal financial account information that could be used for identity theft or fraud in response to a fraudulent e-mail claiming to be sent by an outside agency, you should immediately contact the company being spoofed.

PIN Pad Physical Security

So I was at the grocery store this evening (I won’t mention which one). When I was paying for my groceries with my credit card I noticed how the PIN pad was secured. Can you see what’s wrong with this picture?

If you are having difficulties identifying what’s wrong I will go ahead and explain…

This grocery store has decided to secure all their PIN pads to the stand with zip ties. I did take a look underneath the device and there weren’t any screws mounting the device to the stand. So if a hacker wanted to, they could easily remove and replace these PIN pads with modified versions.

Here are some examples of good security for physically securing PIN pads.

Security Awareness: Social Engineering Part Two

This is the last article in this two-part series on Social Engineering. The term “social engineering” can be defined in various ways, relating to both physical and cyber aspects of that activity. For the purposes of this article, social engineering refers to an approach to gaining access to information, primarily through misrepresentation, that often relies on the trusting nature of most individuals. It involves the conscious manipulation of people to obtain information without the individual realizing that a security breach is occurring. Most users are familiar with email phishing scams (a form of social engineering) and have been taught not to open attachments from unknown or untrusted sources or to visit untrusted web sites. There are other ways that a perpetrator may prey on trusting human nature to gain access to information or systems.

Below are several examples of social engineering methods, many of which rely on direct contact with an individual, along with suggestions to minimize the likelihood that such methods will be successful.

IMPERSONATION

In this situation, the perpetrator pretends to be someone else (e.g., impersonating a senior official or someone from the help desk). The impersonation may occur over the telephone, in person, or via email. The perpetrator may try to make you feel obligated to assist, or under pressure to follow their directions. They may use intimidation or a false sense of urgency to seek your cooperation, prompting you to react before you’ve fully thought through the consequences.

Remember to be cautious when responding to requests for sensitive or confidential information. Never give out your password to anyone, even if they claim that’s the only way they can assist.

PIGGYBACKING or TAILGATING

All too often, people will hold the door open for someone entering a secure area or the building without even knowing who the individual is or asking where they are going. The unauthorized individual may pretend to be a delivery person, a visitor, or even a fellow employee. This is referred to as “piggybacking” or “tailgating.”

Be cautious if an unknown or unauthorized individual is trying to follow you through access doors.

SHOULDER SURFING

This scenario refers to the ability of an attacker to gain access to information by simply watching what you are typing or seeing what is on your computer screen. This is known as “shoulder surfing”, and can also be done by looking through a window, doorway, or simply listening in on conversations. Be aware of your work environment and who is around you when you are working with confidential information, or even when you are typing in your password. Do not let others see you type your password, and protect your computer screen from unauthorized viewing. Computers in public areas should not have the monitors facing outward.

BAITING

This scenario involves an attacker asking a variety of seemingly innocuous questions designed to “catch” the right answers. The attack is often done over the telephone but can also be done in person. Items of conversation can also be introduced based upon replies received. Small amounts of facts are interjected at the right time into the conversation to make requests for information sound legitimate. Information you know could be valuable to an attacker, whether that information is about your work environment, fellow employees, projects, or personal matters, must be handled with extreme care. Be mindful of what you say to whom.

SURVEYS

Many of us have no doubt been recipients of requests to participate in surveys—whether online, via telephone or otherwise. The surveys may be for legitimate purposes or might be a scam. In either case, be aware of unwittingly disclosing information that may be used inappropriately. For example, disclosure of details about your company, its network or infrastructure could prove extremely useful to someone with malicious intent. If you receive a survey request, you should contact the sponsoring organization to ensure the survey is legitimate, and make sure you are not sharing sensitive or confidential information with unauthorized individuals or organizations.

DUMPSTER DIVING

Do you shred all unneeded confidential or sensitive documents? Searching through trash (“dumpster diving”) is a method used by perpetrators to obtain sensitive information. When confidential and sensitive documents are no longer needed, be sure to shred or otherwise properly destroy them.

Putting It All Together

The scenarios above represent just a few types of social engineering attempts you may encounter. By following some common sense rules and using your best judgment, you can defend against these attacks and better protect yourself and your information.

  1. Before releasing any information to anyone, it is essential to at least establish:
    • the sensitivity of the information
    • your authority to exchange or release the information
    • the real identity of the third party (positive identification)
    • the purpose of the exchange
  2. Be aware of your surroundings. Make sure you know who is in range of hearing your conversation or seeing your work. Computer privacy screens are a great way to deter shoulder surfing in public places.
  3. Before you throw something in the trash, ask yourself, “Is this something I would give to an unauthorized person or want to become publicly available?” If you are not certain, always err on the side of caution and shred the document or deposit it in a secure disposal container.
  4. If you don’t know someone who is in a restricted area, look for a badge or a visitor pass. If you are unsure about their authorization or access permission, report the situation to the appropriate staff.

Security Awareness Topic 1 – Password Best Practices

I am going to start a Security Awareness Series.  On a monthly basis I am going to post a Security Awareness topic based on Best Practices & Industry Standards.  The first topic of the series is going to cover Password Best Practices.

Create a strong password

Use strong passwords to protect your computing resources. Here are some rules to create strong passwords:

  • Use two numbers in the first eight characters.
  • Pick long passwords, at least 8 characters in length if the system allows it.
  • Don’t use a common dictionary word, a name, a string of numbers, or your User ID.
  • One of the easiest-to-remember and hardest-to-crack password methods is the pseudo-random password. The actual password is generated from an easy-to-remember phrase that is important to the user. This phrase can be the words from a book that you particularly like, words from a song that you always remember with ease, or a statement that some powerful figure made that you will never forget. The key to a successful password is to create a phrase that is easy for you to remember, but that no one else would ever think to associate with you.
    • personal phrase: “My first dogs name was the best…”
      password: my1donawa…
      method: Choose the first two letters from each word until a total of eight characters results.
    • personal phrase: “I love to drink Landshark Lager…”
      password: iltdll22
      method: Choose the first letter from each word, followed by your age.
    • personal phrase: “My Brother’s Birthday Is april(4) Twenty Two Nineteen Sixty three(3)”
      password: mbbi4tt19s3
      method: Choose the first letter from most words, and substitute numbers for letters.
  • Certain special characters may be used. However, note that some applications may not accept special characters. If this problem is encountered, changing your password to a combination of letters and numbers should solve the problem. Examples of permitted special characters are shown below:

$     .     ,     !     %     ^     *

Avoid a weak password

When creating passwords, avoid the following:

  • Easy to guess passwords such as a blank or “password”
  • Your name, spouse’s name, or partner’s name
  • Your pet’s name or your child’s name
  • Names of close friends or coworkers
  • Names of your favorite fantasy characters
  • Your boss’s name
  • Anybody’s name
  • The name of the operating system you’re using
  • String of numbers or letters, like 1234, abcde
  • The hostname of your computer
  • Your phone number or your license plate number
  • Any part of your social security number
  • Anybody’s birth date
  • Other information easily obtained about you (e.g., address, town, alma mater)
  • Words such as wizard, guru, password, nimda, and so on
  • A username in any form (as is, capitalized, doubled, etc.)
  • A word in the English dictionary or in a foreign dictionary
  • Place names or any proper nouns
  • Passwords of all the same letter
  • Simple patterns of letters on the keyboard, like asdfg
  • Any of the above spelled backwards
  • Any of the above followed or preceded by a single digit
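As an added example (not code from the original post), here is a checker that applies the post’s own “avoid” list, together with the length and two-digit rules above, to a candidate password. The word list, the user name and the personal details it tests against are constructed here for illustration; a real deployment would load full English and foreign dictionaries and the user’s actual profile data.

```python
import re

# Constructed sample word list (not from the original post). A real deployment
# would load full English and foreign dictionaries here.
WORDLIST = {"password", "wizard", "guru", "nimda", "dragon", "summer", "linux", "windows"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def weak_password_reasons(pw, username, personal_facts=(), hostname="", wordlist=WORDLIST):
    """Return the post's 'avoid' rules that a candidate password violates (empty list = passes).

    personal_facts: names, pet names, phone or plate numbers, birth dates, SSN
    fragments etc. that the caller knows are guessable for this user.
    """
    reasons = []
    p = pw.lower()
    if not pw or p == "password":
        reasons.append("blank or 'password'")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if sum(c.isdigit() for c in pw[:8]) < 2:
        reasons.append("fewer than two digits in the first eight characters")
    # "Any of the above followed or preceded by a single digit": judge 'guru1'
    # and '1guru' as 'guru'. "Spelled backwards": also test the reversal.
    core = re.sub(r"^\d|\d$", "", p)
    forms = {p, core, p[::-1], core[::-1]}
    # Username as is, doubled, or hostname; capitalisation is already folded away.
    names = {username.lower(), username.lower() * 2, hostname.lower()} - {""}
    if forms & names:
        reasons.append("username or hostname in some form")
    hit = forms & {w.lower() for w in wordlist}
    if hit:
        reasons.append(f"dictionary word '{hit.pop()}'")
    for fact in personal_facts:
        f = fact.lower()
        if len(f) >= 3 and (f in p or f in p[::-1]):
            reasons.append(f"contains personal detail '{fact}'")
            break
    if core and len(set(core)) == 1:
        reasons.append("all the same character")
    if p.isdigit() or (len(core) >= 3 and core in ALPHABET):
        reasons.append("sequential string of digits or letters")
    if len(core) >= 4 and any(core in r or core in r[::-1] for r in KEYBOARD_ROWS):
        reasons.append("keyboard pattern")
    return reasons

if __name__ == "__main__":
    for candidate in ("iltdll22", "guru1", "htimsj", "asdfg"):
        print(candidate, "->", weak_password_reasons(candidate, "jsmith") or "OK")
```

The two passphrase-derived passwords from the post (`iltdll22`, `mbbi4tt19s3`) pass every rule, while the reversed user name, a dictionary word with one digit appended, and a keyboard row are each flagged.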


Protect your password from misuse

  • Do not let anyone else know or use your password.
  • For optimum security, don’t write your password down.
  • Be aware of whether a password is sent securely across the Internet. URLs (Web addresses) that begin with “https://” rather than “http://” are secure for use of your password. The “s” in “https” means that traffic to the Web site is encrypted and cannot easily be read by other people.
  • If you suspect that someone else may know your current password, change your password immediately.
  • Change your password periodically, even if it hasn’t been compromised.
  • Don’t type your password while anyone is watching.

Be on the lookout for the next topic, Social Engineering, in The Security Pub’s Security Awareness Series.