Cyber Security

The New Threat Landscape

There’s a new threat landscape and it’s you! So, what does that mean? According to the latest reports from data breach experts (namely the Verizon Business Data Breach Investigations Report), attackers are no longer spending as much time directly attacking servers and data. One of the most common methods of access today is for attackers to target employees and their systems to gain a foothold into the network.

This means that you are more important than ever to the confidentiality, integrity, and availability of the systems that you and your company rely on each day. What can you do? Here are some things to keep in mind as the new front-line defenders of information security:

  • E-mail is not secure by default. If you need to exchange confidential information, ask the other party if they have a secure or encrypted e-mail mechanism. E-mail is typically transmitted across the Internet in plain text, which makes it vulnerable to eavesdropping by many parties along the way. If you need to send confidential or private information at work and the other party does not have a secure mail gateway, speak with your Helpdesk about possible alternatives. There may already be an enterprise-wide solution in place that you can use. For sending confidential and private information at home you may have to investigate an encrypted e-mail provider, or consider simply calling the party you need to share information with. With some apps in the various marketplaces today you can easily encrypt both your voice calls and text messages.
  • Any pond with fish will eventually be phished. The days of e-mails that contain viruses or malicious links from unknowns are far from behind us. Several of the largest data breaches this year have happened because of an infected e-mail sent to a handful of employees. However prescient (and frightening), these attacks account for only a small number of data breaches today. The same principle is still being applied in ever more versatile ways, however. Attackers have started moving their phishing scams, malicious links, viruses, and spam to social networks to keep up with the times. Be wary of strange (especially “viral”) links that show up on Facebook or Twitter, as these are the latest ponds to be phished. These links can lead to viruses or infected pages which can, in turn, infect your machine and even grant attackers access into your company’s networks.
  • Smartphone viruses are a growing trend. Mobile phones now only carry the moniker of “phone” for the sake of tradition. They are just as much (if not more) a computer as the desktops that we used a decade ago. No matter what your phone of choice (iPhone, Android, BlackBerry, et cetera), there are most likely attackers trying to write malicious code for it or (on some platforms) sneak malicious apps into the app marketplace. It is probably worth researching some anti-virus and firewall solutions for your mobile device platform of choice. This is another among many good reasons to consider e-mail insecure. The infancy of smartphone operating systems makes it easier for attackers and harder for anti-virus and anti-malware makers, which makes your mobile device an easy point of entry for an attacker looking to gain access to confidential company data, or your own private information.

Posted by Ben, Senior Information Security Engineer at Intelius

Draft Bill to Protect Consumer Privacy

Follow-up to post: Cutting Costs at the Expense of Privacy

The issue of online privacy has been an ongoing battle – companies have continued to develop methods to gather consumer data to maximize their advertising revenue in this $25 billion industry. Lawmakers finally unveiled their proposed bill to regulate privacy on the Internet. The recently drafted bill aims to protect consumer privacy and regulate how marketers are aggregating information about consumers. The legislation will require companies to disclose how they are collecting, using, and sharing personally identifying data. Consumers will also have to give consent before more sensitive information, such as social security numbers, medical records and financial accounts, can be used. With this bill, the Federal Trade Commission hopes to create a more secure online environment.

Do you think these regulations will be enough to protect consumers?

Latest Phishing Scam: Email Scammers are Taking Advantage of Twitter-style Alerts!

With an estimated 3.7 billion phishing emails sent in the past year it is no surprise that phishers have set their sights on Twitter. The latest phishing scam sweeping the 'Net is a spam campaign designed to look like legitimate Twitter notifications.

The emails take many forms: some resemble messages from Twitter customer support claiming that the site has detected an attempt to steal the recipient's Twitter password. Others claim that the recipient has changed the e-mail address associated with their account and ask them to confirm. The links in these emails lead either to a downloadable "secure module" which the emails claim will protect the account but is actually malware, or to a phishing site designed to steal the user's account information. Online pharmacy spammers have also taken to Twitter-formatted emails to advertise non-FDA-approved pills.

Though these scams don't seem very threatening at first (I mean, how much damage can someone do with 140 characters?), the repercussions of having your Twitter account hacked are HUGE! Many people use the same password they use for Twitter for many other online sites; from Facebook to online banking, people just aren't taking the necessary precautions with their passwords. So, if you enter your account information into a phishing site and you use the same password for Twitter as for sites like Facebook or your email, which may hold more personal information, the scammer can potentially get into your other accounts.

These scams, discovered by Trend Micro, are easily avoidable if you are aware of them and know what a legitimate Twitter email does and does not contain.*

  • Twitter does not send links to "secure modules".
  • Twitter emails requesting confirmation include the new account information.
  • Twitter emails do not describe or promote new services or products.

* Twitter email specifications via Trend Micro

Before you get hacked, consider taking these precautions:

  • Always read emails completely and thoroughly before clicking through the links. It can take a while for news of the latest scam to reach your ears, so keeping a vigilant eye on all your emails is a must!
  • Use different, high-quality passwords for Twitter, Facebook, your email, and your online banking account. Secure passwords contain a random series of lower- and upper-case letters, numbers, and approved symbols. Such passwords should be more than 8 characters in length.
  • Consider an identity protection service. Investing in an identity protection service, such as Intelius IdentityProtect, can prevent a scammer that acquires your information from using it. This useful advantage could save you tons of time and money.

The latest scam YOU need to be aware of: 'tabnabbing'

Think ‘tabnabbing’ sounds like the latest prank involving filing supplies and the office clown? Think again. Tabnabbing (also referred to as tabnapping) is a new type of phishing attack that is sweeping the internet. Most phishing scams rely on you clicking on an embedded link or downloading a file you find in a suspect email, sketchy website or pop-up window. Tabnabbing occurs in the background after your focus shifts away from a malicious or compromised site.

“What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking. That’ll catch us by surprise,” said Aza Raskin, Firefox's creative lead who identified the attack. “Most people keep multiple tabs open, often for long periods.”

This attack uses JavaScript to discreetly change the contents of an open but inactive tab in your browser to look like the log-in screen of a bank, credit card company, popular retail site, social networking site or email provider. This page transformation only occurs after the page becomes “inactive” while the victim moves to another tab or open program. The scammers are relying on users thinking they left a login page tab open.

"When they click back to the fake tab, they'll see the standard Gmail log-in page, assume they've been logged out, and provide their credentials to log in," says Raskin.

Raskin was able to recreate “tabnabbing” on his own blog to show users what to look for. You can try it here. After clicking the link, open a new tab, or simply click away from the page for a few seconds and then go back to the original tab. While the URL hasn’t changed, the original blog content you saw only moments ago has been replaced with what appears to be a Gmail login page. In this case the Gmail login page is just an image; however, in the case of an actual tabnabbing attack the page will be a functional login form.

In an actual attack, after the user enters their login information it is sent back to the attacker, and the victim is then redirected to the site they think they are logging into. This often goes completely undetected because the victim was usually never logged out in the first place, so it simply appears as if the login was successful, and they never realize that they just handed over all the credentials the attacker needed to access their account.

It is even possible for attackers to detect which sites are in your history as well as which sites you are currently logged into, and then customize the fake page to resemble a site you often use or are currently logged into, making this form of attack extremely effective and difficult to detect. All major browsers are susceptible to this attack.

Here’s what to watch for and how to avoid a potential tabnabbing attack and keep your identity, information, and login credentials safe:

Don't log in on a tab that you haven't opened yourself. Since the tabnabbing tactic banks on you trusting that you opened the tab -- and that the site simply timed out -- the best defense is this offensive move. In other words, if you see a tab that contains a seemingly legitimate log-in form, close it, then head to the site yourself in a new tab.

Enable browser settings and filters that will alert you to potential attacks. For Internet Explorer (IE) use SmartScreen. In Firefox and Chrome it's called "Phishing and Malware Protection;" Safari doesn't give it a name, but offers a setting that reads, "Warn when visiting a fraudulent website" in the Security section of its Preferences settings.

Look at the URL in your browser's address bar before filling in any form or giving out any personal information, and verify that the URL matches the login page. If there’s a discrepancy, close the tab immediately.

Use a password manager. Third-party browser password managers like RoboForm for Windows or 1Password for Mac link saved log-in usernames and passwords to a specific URL. When you save the username and password on the log-in page of the legitimate site, the password manager won't auto-enter them on a page with a non-matching URL, which should alert you to a possible tabnabbing attempt.
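The URL-bound autofill decision described above is the reason a password manager stays silent on a tabnabbed tab: the page may look like Gmail, but its URL is still the attacker's. The following is an added example, not code from the original post or from any password manager, that models that decision with the WHATWG URL API and contrasts it with a weak substring check; the URLs in it are constructed samples.

```javascript
// Added example: model of a password manager's URL-bound autofill check,
// the defence the post recommends against tabnabbing. A saved credential
// is bound to the full origin (scheme + host + port) of the page it was
// saved on, never to a bare hostname substring.

// Returns the page origin, or null when the URL is unparseable or not HTTPS
// (credentials should never be auto-entered over plaintext HTTP).
function originOf(urlString) {
  try {
    const u = new URL(urlString);
    if (u.protocol !== "https:") return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Weak check, shown for contrast: substring matching lets a look-alike host
// such as "mail.google.com.login-example.test" pass as "mail.google.com".
function naiveMatch(savedUrl, currentUrl) {
  return currentUrl.includes(new URL(savedUrl).hostname);
}

// Hardened check: exact origin equality, nothing looser.
function shouldAutofill(savedUrl, currentUrl) {
  const saved = originOf(savedUrl);
  const current = originOf(currentUrl);
  return saved !== null && current !== null && saved === current;
}

// Constructed sample: one saved credential and pages the user might land on.
const SAVED_LOGIN_URL = "https://mail.google.com/accounts/login";
const CANDIDATE_PAGES = [
  "https://mail.google.com/accounts/login?continue=inbox", // genuine site
  "https://mail.google.com.login-example.test/gmail",      // look-alike host (constructed)
  "http://mail.google.com/accounts/login",                  // downgraded to HTTP
  "https://example-blog.test/post/tabnabbing",              // tabnabbed tab: URL unchanged
];

// Evaluates every candidate page with both checks so the difference is visible.
function autofillDecisions() {
  return CANDIDATE_PAGES.map((page) => ({
    page,
    naive: naiveMatch(SAVED_LOGIN_URL, page),
    hardened: shouldAutofill(SAVED_LOGIN_URL, page),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const d of autofillDecisions()) console.log(d);
}
```

Only the genuine origin gets a fill from the hardened check; the look-alike host and the HTTP downgrade fool the substring check but not the origin comparison.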

For more info on avoiding Tabnapping read ComputerWorld’s How to Foil Web Browser Tabnapping.

Child Internet Safety: Is Your Child Practicing Safe Habits Online?

Do you talk to your kids about cyber safety? This is an issue that many parents overlook as it was not a topic of conversation when they were growing up. Nonetheless it is a topic that we encourage you to discuss with your kids.

Cyberbullying

Schools, parents, and teachers are being faced with the issue of cyberbullying for the first time. Bullying has always been a problem, but the onslaught of virtual communications such as text messages, emails and instant messages has given way to a whole new form of bullying. There have been numerous stories in the news recently of children falling victim to cyberbullying. The state of New Hampshire is currently in the process of passing a bill which will give schools the authority to address cyberbullying if it has an impact on the educational environment. If the bill passes, many states will likely follow New Hampshire's lead.

• Monitor your children's online activity. Know which sites they are visiting and who they are talking to.

• In many cases parents are unaware that their child is being picked on online. Talk to your kids about cyberbullying and encourage them to tell you if they feel they are falling victim to a cyberbully.

• Be aware that children and adults may have more than one profile on social sites such as facebook.com or myspace.com. As a condition for allowing them online access, ask them to share their online profiles with you.

• If you suspect that your child is hiding something from you, ask them to show you the most recent pictures they posted from their phone to their Facebook profile after they attend special events like a school dance, concert or party. Most likely they will post to their most active profile.

• Establish limits for online use. If your child knows you're around or if they can only use the internet for a limited amount of time each day they will be less likely to put themselves in situations that make them vulnerable to cyberbullying.

• Review your child's browsing history or set up parental controls that only allow your children to visit approved sites.

While computers have become a staple in the curriculum of schools in the United States, a study recently released by the National Cyber Security Alliance (NCSA) and supported by Microsoft Corp. revealed that less than 1/4 of teachers in the U.S. have spent more than six hours teaching cyber ethics, safety, or security in the last year.

As a parent you cannot depend upon your child's school to teach them about cyber safety. If internet safety and security is part of the curriculum, sit down with your kids and ask them to tell you what they have learned. If you feel that the school has missed some important points, this is your opportunity to bridge the gap.

As parents you are raising a new technology-driven generation of computer-savvy Americans, and it is up to us to make sure that they have the knowledge needed to remain safe while using these skills. In each of these cases the most effective defense is having an open dialogue with your kids. This will make them more likely to come to you if a problem should arise.

What do you do to protect your kids online?

Comment below or send us a tweet @Inteliusgal
