July 2015 - secureCI Monthly Newsletter

by in , , , , , , , , , 0

secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at CI


Social Media
In This Issue…
  • Overview
  • Privacy
  • Security

GUEST EDITOR
Tanya Baccam is a longtime security consultant. She has been a SANS author and instructor for over a decade, having taught and written SEC502, SEC542, SEC401, MGT414, AUD507 and many other courses. Follow her on Twitter at @tbaccam.

OVERVIEW
Social media sites, such as Facebook, Twitter, Instagram and LinkedIn, are amazing resources, allowing you to meet, interact and share with people around the world. However, all this power also brings risk for you, your family, friends and employer. In this newsletter, we explain what these dangers are and how to use these sites securely and safely.

PRIVACY
A common concern with social media is protecting your personal information. Potential dangers include:

Impacting Your Future: Some organizations search social media sites as part of background checks. Embarrassing or incriminating photos or posts, no matter how old, could prevent you from getting hired or promoted. In addition, many universities conduct similar checks for new student applications. Privacy options may not protect you, as these organizations can ask you to “Like” or join their pages or certain posts may be archived on multiple sites.

Attacks Against You: Cyber attackers can analyze your posts and use them to gain access to your or your organization’s information. For example, they can use information you share to guess the answers to the secret questions that reset your online passwords, create targeted email attacks against you (called spearfishing) or call someone in your organization pretending to be you. In addition, these attacks can spill into the physical world, such as identifying where you work or live.

Accidentally Harming Your Employer: Criminals or competitors can use any sensitive information you post about your organization against your employer. In addition, your posts can potentially cause reputational harm for your organization. Be sure to check your organization’s policies before posting anything about your job. In addition, some of your social media posts may be monitored.

The best protection is to limit what you post. Yes, privacy options can provide some protection. However, they are often confusing and change frequently without your knowledge. What you thought was private can quickly become public for various reasons. In addition, the privacy of your posts is only as secure as the people you share them with. The more friends or contacts you share with, the more likely that information will become public. You should assume anything you post can or will become a public and permanent part of the Internet.

Finally, be aware of what friends are posting about you. If they post something you are not comfortable with, ask them to take it down. If they refuse or ignore you, contact the social media site and ask the site to remove the content for you. At the same time, be respectful of what you post about others.



SECURITY
In addition to privacy concerns, here are some steps to help protect your social media accounts and online activities:

Login: Protect each of your accounts with a strong, unique password and do not share them with anyone else. In addition, many social media sites support stronger authentication, such as two-step verification. Always enable these stronger authentication methods whenever possible. Finally, do not use your social media account to log in to other sites; if it gets hacked, then all of your accounts are vulnerable.

Privacy Settings: If you do use privacy settings, make sure you review and test them regularly. Social media sites often change privacy settings and it is easy to make a mistake. In addition, many apps and services let you tag your location to content that you post (called geotagging). Regularly check these settings if you wish to keep your physical location private.

Encryption: Social media sites use encryption called HTTPS to secure your online connections to the site. Some sites (like Twitter and Google+) enable this by default, while others require you to manually enable HTTPS. Check your social media account settings and enable HTTPS as the default connection whenever possible.

Email: Be suspicious of emails that claim to come from social media sites. These can easily be spoofed attacks sent by cyber criminals. The safest way to reply to such messages is to log in to your social media website directly, perhaps from a saved bookmark, and then read and reply to any messages or notifications from the website.

Malicious Links/Scams: Be cautious of suspicious links or potential scams posted on social media sites. Bad guys use social media to spread their own attacks. Just because a message is posted by a friend does not mean that message is really from them; their account may have been compromised. If a family member or friend has posted an odd message you cannot verify (i.e., they have been robbed and need you to send money), call them on their mobile phone or contact them by some other means to confirm the message is truly from them.

Mobile Apps: Most social media sites provide mobile apps to access your online accounts. Make sure you download these mobile apps from a trusted site and that your smartphone is protected with a strong password. If your smartphone is unlocked when you lose it, anyone can access your social media sites through your smartphone and start posting as you.

Social networking sites are a powerful and fun way to communicate with the world. If you follow the tips outlined here, you should be able to enjoy a much safer online experience. For more information on how to use social networking sites safely or report unauthorized activity, be sure to review the security pages of the sites you are using.

RESOURCES

Passphrases:

Two-Step Verification:


LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting http://www.securingthehuman.org. OUCH! is distributed under the Creative Commons BY-NC-ND 4.0 license.

Do you Know What Day Today Is?

by in , , , , , , , , , , 0

There are all sorts of days to celebrate during the year such as Mother's Day and Father's Day, and even some more off-the-wall days such as National Fried Chicken Day, Talk Like a Pirate Day, and a personal favorite, National Pancake Day.  But today is an extra special day that should be added to everyone's calendars.  Today is International Password Day!

International Password Day gives us all the opportunity to stop and reflect on what makes a good password, and how we can best protect our work and personal data by using strong password concepts.

To help you along, there's even a website dedicated too helping you figure out what makes a good password, how to deal with keeping track of the never ending list of passwords, mobile device passwords, and even some funny stories about password catastrophes!

Please take the time in joining your information security team in making every day a strong password day!


Don't be a victim of identity tax theft! The IRS is helping to protect false tax claims.

by in , , , , , , , , , , 0

One of the hot identity theft scams is submission of false tax returns in order to receive unearned or earned refunds. The IRS has a process to try and detect these false returns. If they suspect a false return they will mail a letter to the address the taxpayer listed in their previous year return. The IRS letter directs the taxpayer to visit an IRS site to verify the tax return submitted. Legitimate letters should direct taxpayers to idverify.irs.gov. More details are contained in this link: http://www.irs.gov/uac/Newsroom/Taxpayers-Receiving-Identity-Verification-Letter-Should-Use-IDVerifyirsgov.

The IRS also has a great website page detailing active tax scams: http://www.irs.gov/uac/Tax-Scams-Consumer-Alerts.

If taxpayers suspect they are a victim of tax fraud/identity theft, they should contact the Treasury Inspector General for Tax Administration at 1-800-366-4484 or via the web at: http://www.treasury.gov/tigta/contact_report_scam.shtml

Taxpayers can forward scam emails to phishing@irs.gov.

Adobe Flash Player Exploit Found - What you can do protect your systems.

by in , , , , , , , , , , 0

Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player. Additionally, Adobe is investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild. For the latest information, please refer to the PSIRT blog here.  You may find more information about the Adobe Security Bulletin here.


Here are instructions on how to disable Adobe Flash in current browsers. If Flash is disabled, it can be temporarily re-enabled if needed. Follow the steps for all browsers used. If you use multiple browsers it may be simpler to uninstall Adobe Flash: http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html.

Mac

Firefox
  1. On the Firefox tool bar go to Tools 
  2. Select Add-ons 
  3. In the Plugins tab, set Shockwave Flash to Never Activate 
Safari
  1. On the Safari tool bar go to Safari > Preferences… 
  2. In the Security tab, ensure Allow Plug-ins is checked 
  3. Click on the Manage Website Settings… button 
  4. Select Adobe Flash Player 
  5. In the dropdown, select When visiting other websites: Block 
  6. Click on the Done button 
  7. Close the Preferences dialog box 
Chrome
  1. Type chrome:plugins in the address bar to open the Plug-ins page 
  2. On the Plug-ins page that appears, find Adobe Flash Player 
  3. Click the Disable ​link under its name 

Windows

Firefox
  1. Go to the Firefox menu button 
  2. Select Add-ons 
  3. In the Plugins tab, set Shockwave Flash to Never Activate 
Internet Explorer
  1. Click the Tools button, and then click Manage add-ons 
  2. Under Show, click All add-ons, and then select Shockwave Flash Object 
  3. Click Disable, and then click Close 
Chrome



  1. Type chrome:plugins in the address bar to open the Plug-ins page 
  2. On the Plug-ins page that appears, find Adobe Flash Player 
  3. Click the Disable ​link under its name

Tax Identity Theft Awareness Week Begins Today!

by in , , , , , , , , , , , , , , , , 0


Two Ways Tax Scammers Might Target You


It’s that time of year — tax time. It’s also a great time to get up to speed on tax-related scams. Here are two ways tax scammers might target you:

Tax identity theft

This kind of identity theft happens when someone files a fake tax return using your personal information — like your Social Security number — to get a tax refund or a job. You find out about it when you get a letter from the IRS saying:

  • more than one tax return was filed in your name, or
  • IRS records show wages from an employer you don’t know
If you get a letter like this, contact the IRS Identity Protection Specialized Unit at 800-908-4490. You can find more about tax identity theft at ftc.gov/taxidtheft and irs.gov/identitytheft.

IRS imposter scams

This time scammers aren’t pretending to be you — they’re posing as the IRS. They call you up saying you owe taxes, and threaten to arrest you if you don’t pay right away. They might know all or part of your Social Security number, and they can rig caller ID to make it look like the call is coming from Washington, DC – when it could be coming from anywhere. Leaving you no time to think, they tell you to put the money on a prepaid debit card and tell them the card number right away.

The real IRS won’t ask you to pay with prepaid debit cards or wire transfers, and won’t ask for a credit card number over the phone. When the IRS contacts people about unpaid taxes, they usually do it by mail.

If you have a question about your taxes, call the IRS at 800-829-1040 or go to irs.gov. You can report IRS imposter scams to the Treasury Inspector General for Tax Administration (TIGTA) online or at 800-366-4484, and to the FTC at ftc.gov/complaint.

Social Engineering: The Basics

by in , , , , , , , , , , , , , , , , 0

What is social engineering?  What are some of the most common tactics used.  Here's a short guide on how you lessen your likelihood of becoming a social engineering statistic.

January 2015 - secureCI Monthly Newsletter

by in , , , , , , , , 0

secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands


Securely Using Mobile Apps
In This Issue…
  • Overview
  • Obtaining Mobile Apps
  • Permissions
  • Updating Apps

GUEST EDITOR
Chris Crowley is an independent consultant, certified SANS instructor and course author.  He is active on Twitter @CCrowMontance and on Google plus: +Chris Crowley

OVERVIEW
Mobile devices, such as tablets and smartphones, have become one of the primary technologies we use in both our personal and professional lives. What makes mobile devices so versatile are the millions of apps we can choose from. These apps enable us to be more productive, instantly communicate and share with others, train and educate or just have more fun. However, with the power of all these mobile apps come risks. Here are some steps you can take to securely use and maintain your mobile apps.

Obtaining Mobile Apps
The first step is making sure you always download them from a safe, trusted source. Remember, just about anyone can create a mobile app, so you have to be careful where you get them from. Cyber criminals have honed their skills at creating and distributing infected mobile apps that appear to be legitimate. If you install one of these infected apps, these criminals can take control of your mobile device to read your emails, listen to your conversations and harvest your contacts. By downloading apps from only well-known, trusted sources, you reduce the chance of installing an infected app. What you may not realize is the brand of mobile device you use determines your options.

For Apple devices, such as an iPad or iPhone, you can only download mobile apps from a managed environment: the Apple App Store. The advantage to this is Apple does a security check of both the mobile apps and their authors. While Apple cannot catch all the bad guys or all the infected mobile apps, this managed environment helps to dramatically reduce the risk of you installing an infected app. In addition, if Apple does find an app in its store that it believes is infected, it will quickly remove the mobile app. Windows Phone uses a similar approach to managing applications.

Android mobile devices are different. Android gives you more flexibility by being able to download a mobile app from anywhere on the Internet. However, with this flexibility comes more responsibility. You have to be more careful about what mobile apps you download and install, as not all of them are being reviewed. Google does maintain a managed mobile app store similar to Apple’s, called Google Play. The mobile apps you download from Google Play have had some basic checks. As such, we recommend you download your mobile apps for Android devices only from Google Play. Avoid downloading Android mobile apps from other websites, as anyone, including cyber criminals, can easily create and distribute malicious mobile apps and trick you into infecting your mobile device. As an additional protection, consider installing anti-virus on your mobile device.

To reduce your risk even more, avoid apps that are brand new, that few people have downloaded or that have very few positive comments. The longer an app has been available or the more positive comments it has, the more likely that app can be trusted. In addition, install only the apps you need and use. Ask yourself, “Do I really need this app?” Not only does each app potentially bring new vulnerabilities, but also new privacy issues. If you stop using an app, remove it from your mobile device. (You can always add it back later if you find you need it.)

Finally, you may be tempted to jailbreak or root your mobile device. This is the process of hacking into it and installing unapproved apps or changing existing, built-in functionality. We highly recommend against jailbreaking or rooting, as it not only bypasses or eliminates many of the security controls built into your mobile device, but often also voids warranties and support contracts.

Permissions
Once you have installed a mobile app from a trusted source, the next step is making sure it is safely configured and protecting your privacy. Installing and/or configuring mobile apps often requires that you grant certain permissions. Always think before authorizing any access, “Does your app really need those permissions to do its stated job?” For example, some apps use geo-location services. If you allow an app to always know your location, you may be allowing the creator of that app to track your movements; perhaps they can even sell that information to others. If you do not wish to grant the permissions an app is requesting, shop around for another app that meets your requirements. Remember, you have lots of choices out there. Apple devices allow some permissions to be changed in Settings or at runtime, such as access to geo-location information. Windows and Android mobile devices are different. They present you with an all-or-nothing approach. If you do not grant all of the specified permissions, you can’t install the app.

Updating Apps
Mobile apps, just like your computer and mobile device operating system, must be updated in order to remain current. Criminals are constantly searching for and finding weaknesses in apps. They then develop attacks to exploit these weaknesses. The developers that created your app also create and release updates to fix these weaknesses and protect your devices. The more often you check for and install updates, the better. Most platforms allow you to configure your system to update mobile apps automatically. We recommend this setting. If this is not possible, then we recommend you check at least every two weeks for updates to your mobile apps. However, when your apps are updated, always make sure you verify any new permissions they might require.

Securing the Human Blog
Be sure to frequent the STH Blog for recent articles and trends on security awareness. This month, we cover key topics for Electric Utilities. More at http://www.securingthehuman.org/info/173402.

RESOURCES

Social Engineering:
http://www.securingthehuman.org/ouch/2014#november2014

Disposing Your Mobile Device:
http://www.securingthehuman.org/ouch/2014#june2014

Securing Your New Tablet:
http://www.securingthehuman.org/ouch/2013#december2013

Common Security Terms:
http://www.securingthehuman.org/resources/security-terms

SEC575: Mobile Device Security Course:
http://www.sans.org/sec575

License
OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it. For past editions or translated versions, visit www.securingthehuman.org/ouch. Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Bob Rudis