Don’t Talk to Strangers – version 2.0

One of the most interesting topics in the security field is social engineering.  It’s a type of attack that’s been around for years, and can defeat just about any form of security that can be implemented in a device.  A social engineering attack is not overly complicated to carry out: it largely relies on an attacker’s people skills!

Consider the following scenario…  A company I once worked for was contracted by an organization to redesign its network infrastructure.  During this process, I was tasked with going around to all of the computers (a few hundred) on site to manually install the latest version of an anti-virus program.  I wasn’t wearing a uniform or anything with a logo identifying myself while I was there.  I also didn’t have keys to the offices or rooms, which meant I had to either ask someone to open the door for me, or have a member of the organization’s IT department follow me around.  I chose to try my luck by asking.  As I went around to each office and room, I introduced myself by saying, “Hi, my name is Garrett, and I’m with the IT department.  Whenever it is convenient for you, I need to update your computer with the latest anti-virus.”  I never presented an ID or offered to prove who I said I was, yet I was given access to every computer I asked about.  That includes the “Admin” offices.  I was able to access the President’s and Accountants’ offices and computers without any opposition.  Had I been an attacker, this could have been a catastrophic incident for the organization!  Only twice did someone walk down the hall to call and check with the IT department because they didn’t recognize me.  This was an ineffective measure, because in less than a minute, I could have done everything I needed to initiate an attack on their systems.

The whole idea here is that it doesn’t take someone with any real knowledge of your computer system to get into it if you give them what they want when they ask for it!

How would you defend against social engineering?  First, make sure you know who is accessing your computer.  Oftentimes in large organizations, the employees in the IT department are unfamiliar to other employees.  It is very important to verify the identity of anyone asking for access to your computer, even if they are in a hurry or seem to be bothered by your request.  It’s better to err on the side of caution here, and the head of the IT department should recognize that you have the company’s security in mind by doing so.  Second, don’t give out information to anyone on the phone if you aren’t 100% certain of their identity.  No matter how nice they sound, you must exercise caution in the information you give out, even if it seems innocuous.  Just last year, a Wal-Mart store manager was tricked into giving out information such as payroll schedules and the name of the contracted cleaning company in a demonstration by an ethical hacker – all over the phone without any previous interaction with the hacker!

Hopefully by now you see just how important it is to exercise caution when you are interacting with people you don’t know.  It’s just like mom always said (sort of), “don’t talk to strangers who want access to your computer or information.”




The Perils of Social Networks

By now it’s obvious that social networking is popular with many people and is here to stay.  In fact, currently utilize some form of social networking!  It is a great way to stay connected to people you might not see every day, and it is certainly handy for sharing thoughts, photos and videos with your friends.  But there is a certain risk you take by using social networking.  Below I’ve created a list of facts you may not know about social networking sites.

You should have no expectation of privacy on these sites.  This isn’t restricted to just social network sites, but it definitely applies here.  With every social networking site we sign up for, there comes a Terms of Service (ToS).  I’d be willing to bet that most of us don’t actually read through that agreement.  If we did, what I just said about privacy wouldn’t surprise us.  Most social networking sites reserve the right to use any of your photos for their advertising purposes.  This applies even to photos you mark “private,” or only allow certain friends to see.  And once your photo is added to your account, it is being stored on their servers.  But what happens when you take a photo off of the site?  Surely they delete it from their servers too?  Wrong.  They don’t have to, and most likely don’t.  Their money comes from advertising, and what better advertising do they have than using real user photos and information to promote their site?  This same idea applies to closing your account.  There’s no guarantee your data will be deleted automatically.  In fact, the site may require that you contact them directly to request deletion of your data, and that could take weeks!

Some of your photos may tell people where you live, work and play!  You know that convenient GPS system that is embedded in your phone?  The location data from it can be embedded into pictures you take with your smartphone.  When you upload your pictures, that data can come with them.  Now, anyone who sees your photo can examine it for metadata, and potentially see where and when you took that photo!  An easy way to see this data would be to right-click on any picture on your computer, and click on the “Properties” option.  Then choose the “Details” tab.  Here, you can see the data your photo contains that you might not realize was there.  Sure, some of it is harmless, but what if GPS coordinates were embedded in photos of your children at a playground?  And this isn’t even the easiest information for someone to learn about you.  Simply posting status updates about your vacation could tip off a would-be burglar to your whereabouts.
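The metadata check described above, as an added example that is not part of the original post: Python (standard library only) that reads the GPS tags from a JPEG's Exif block and removes that block before the photo is shared.  The function names and the sample image bytes are constructed for illustration.

```python
import struct

def _segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack_from(">H", jpeg, pos + 2)[0]
        yield jpeg[pos + 1], pos, end
        pos = end

def _ifd(tiff, off, bo):  # map tag -> raw 4-byte value field of the directory at off
    (n,) = struct.unpack_from(bo + "H", tiff, off)
    rows = (struct.unpack_from(bo + "HHI4s", tiff, off + 2 + 12 * i) for i in range(n))
    return {tag: val for tag, _type, _count, val in rows}

def _degrees(tiff, val, bo):  # three RATIONALs (deg, min, sec) -> decimal degrees
    d = struct.unpack_from(bo + "6I", tiff, struct.unpack(bo + "I", val)[0])
    return d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600

def gps_from_jpeg(jpeg):
    """Return (lat, lon) in decimal degrees, or None if no GPS tags are embedded."""
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\0\0":
            continue
        tiff = jpeg[start + 10:end]                     # skip marker, length, "Exif\0\0"
        bo = "<" if tiff[:2] == b"II" else ">"          # TIFF byte order
        ifd0 = _ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
        gps = _ifd(tiff, struct.unpack(bo + "I", ifd0[0x8825])[0], bo) if 0x8825 in ifd0 else {}
        if 2 in gps and 4 in gps:                       # GPSLatitude, GPSLongitude
            lat, lon = _degrees(tiff, gps[2], bo), _degrees(tiff, gps[4], bo)
            return (-lat if gps.get(1, b"N")[:1] == b"S" else lat,
                    -lon if gps.get(3, b"E")[:1] == b"W" else lon)
    return None

def strip_exif(jpeg):
    """Return the JPEG with every APP1 segment (Exif and XMP metadata) removed."""
    segs = list(_segments(jpeg))
    kept = b"".join(jpeg[s:e] for m, s, e in segs if m != 0xE1)
    return jpeg[:2] + kept + jpeg[segs[-1][2] if segs else 2:]

def sample_jpeg():
    """Constructed header-only JPEG tagged 40 deg 30 min N, 100 deg 15 min W."""
    tiff = struct.pack("<2sHI H HHII I H HHI4s HHII HHI4s HHII I 12I", b"II", 42, 8,
                       1, 0x8825, 4, 1, 26, 0,           # IFD0: GPSInfo pointer -> offset 26
                       4, 1, 2, 2, b"N", 2, 5, 3, 80, 3, 2, 2, b"W", 4, 5, 3, 104, 0,
                       40, 1, 30, 1, 0, 1, 100, 1, 15, 1, 0, 1)  # lat, lon rationals
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff
            + b"\xff\xda\0\x02\xff\xd9")
```

Calling `gps_from_jpeg(open(path, "rb").read())` on your own photo shows what a viewer could recover; `strip_exif` drops all APP1 metadata, not only the GPS tags.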

The information on your profile could be used to access your bank account!  Consider the account security questions you create when you first set up your online bank account.  Could you find your mother’s maiden name, the street you grew up on, your favorite color, best friend’s name, etc. from your profile information?  How about your email address?  Knowing this information, it would be pretty easy for an attacker to perform a password reset of an account.

Finally, there’s always the risk that what you are posting can backfire.  There are several people each year who are reprimanded or lose their jobs because they posted something they thought was private, but it was seen by everyone.  Again, this reinforces the idea that nothing you post online should be considered private.




Safely Navigating the Internet

I often have people ask me, “What’s the best antivirus program for me to use?”  For a while, I would refer them to Norton, Avast!, Microsoft Security Essentials or any other antivirus that was getting good reviews at the time.  Then one day, I managed to get a virus on my home computer – only the second one I’ve ever had.  That’s when it hit me:

Protecting your computer from viruses (and malware in general) is more about safe browsing habits than which antivirus you use!

The majority of antiviruses are signature-based, meaning they refer to a database of “fingerprints” of known viruses, which enables the antivirus to detect them.  This database is what is updated every time an antivirus goes through the update process.  Other antiviruses use a more advanced method of detection, called “heuristic detection.”  This process allows the antivirus to examine the actions of the virus.  Here, we have a measure of protection against new viruses that might not be in the signature database.  However, even antivirus programs with both signature-based and heuristic detection abilities are not enough to guarantee that a virus can’t harm your computer.

The reason is simple: for an antivirus to do its job, the virus must already be on your computer.

The antivirus program on your computer can’t detect the virus before it gets there.  This is why even the best antiviruses (both paid and free) only block about 90-95% of malware, according to av-comparatives.org (and these are some of the higher numbers I’ve seen among antivirus studies).

 

So now you understand why having an antivirus doesn’t guarantee your computer is protected.  What can you do to prevent your computer from getting a virus and save money on virus removal services?  I have created a list of steps you can take to protect your computer – and therefore your personal information – on the internet.

 

First, update your computer regularly.  We all feel the pressure from having to do more in a shorter time and with fewer resources, and it’s easy to overlook your computer’s health.  It is important, however, that when your computer notifies you that there are updates available, you take the time to install them.  There is a reason those updates were issued, whether they fix a small glitch or protect you from new malware.  Pay special attention to Java, Adobe Reader and Flash Player updates.  These applications tend to be a target for attackers, and are often updated.

Second, be aware that computer malware can come from any website.  I hear this often: “I don’t understand why I have a virus on my computer, it’s not like I look at adult websites.”  The reality is that viruses aren’t limited to these types of sites: your computer can get malware from any website you visit.  The malware may even disguise itself as an antivirus program, alerting you to an “infection” on your computer.  If you pay close attention to this alert, you should see that it’s not the same antivirus program you have installed on your computer.  If a popup appears on your screen, and you are unsure of it, click the red X button in the upper right-hand corner of the screen to close it out.  Do not click “no” or “cancel,” because these buttons don’t always work properly, and may actually allow the malware to run anyway!

Third, turn on the pop-up blocker in your web browser.  A lot of recent attacks have taken advantage of the fact that pop-ups are not being blocked by the web browser, and can allow malware to install on your computer.  Also, most web browsers have a way to exclude websites from the pop-up blocker so it doesn’t affect those sites you visit on a regular basis.

Fourth, be suspicious of unsolicited email.  Attackers are utilizing email communication to spread viruses as well!  They can create email that looks like it came from your bank account, requesting that you visit a website to “confirm your account.”  Also, attackers are frequently breaking into email accounts in an attempt to steal the victim’s contact list, so they can spread a virus through an attachment to an email.  Be especially cautious if you receive an email from someone that contains an attachment you wouldn’t normally expect to see from them.  It doesn’t hurt to call them to confirm that they did, in fact, send the message in question.

This is just a list of some steps you should consider taking to protect your computer and your data, and isn’t intended to be used in place of an antivirus.  Being aware of what is going on with your computer will benefit you in the long run, and ensure that your computer stays clean and free from malware!




New Cyber Security Website.

WELCOME!

October is National CyberSecurity Awareness Month.  CFCC is excited to be participating this year on October 17, 2013.  Stay tuned for additional information.