Security Protection – Harry Waldron MVP Rotating Header Image

Facebook – Avoid Fake Ebola links currently circulating

Many Facebook users are clicking on well crafted “breaking news” stories that are often false and these may be embedded with malware or may also spread to their contact list to trick others into clicking.  Avoiding the clicking of links or even the “LIKE” button on these items can improve user safety.

http://www.theverge.com/2014/10/22/7028983/fake-news-sites-are-using-facebook-to-spread-ebola-panic

QUOTE: About 340,000 Facebook users shared a story on the site this week about a family of five in Purdon, Texas that were all infected with Ebola and had their home quarantined. However, the story, published by a “satirical” site called the National Report, isn’t true. In fact, according to experts, that story and others like it regarding the dangerous disease represent deliberate attempts to mislead users.

The reasons for this are unclear, though several factors are likely contributing to Facebook’s status as the preeminent platform for fake news. First, its relatively new “Trending Topics” feature encourages fake sites to take advantage of whatever topics people are already discussing in order to garner cheap clicks, shares and likes. And as The Verge points out, all content appearing on Facebook News Feeds essentially looks the same, making it harder to distinguish between real and fake news. Facebook has made some noise recently about introducing a “Satire” tag to help users weed out these hoaxes, though it’s likely that opportunistic cyber-con artists will always work to disseminate dangerously false content no matter what restrictions are put in place.

Emergent – Real-time Verification tool for News Rumors

Like Virus Myths, Snopes, and other resources, this is a valuable verification tool and users for social networking “breaking news” which is constantly being shared. However, no matter what news source is offered, it is better to affirm with mainstream news sources, rather than through Facebook or email

http://www.emergent.info/

 
Emergent is a real-time rumor tracker. It’s part of a research project with the Tow Center for Digital Journalism at Columbia University that focuses on how unverified information and rumor are reported in the media. It aims to develop best practices for debunking misinformation. Read more about the research here.

Facebook – New Tools emerging to identify offensive posts

The Facecrooks security team shares that new security tools are emerging to remove offensive posts.  This is designed to better ensure individuals are treated in a respectful manner within this leading social network environment.

http://facecrooks.com/Internet-Safety-Privacy/Facebook-Trying-Make-Users-Behave-Better.html/

 
According to a recent New York Times profile of Arturo Bejar, the director of engineering for the Facebook Protect and Care team, the world’s largest social networking site is actively trying to make its users nicer and treat each other with more respect.  Online discussions are often fraught with inappropriate and harassing language; the anonymity that Internet discourse provides gives many individuals free reign to be mean or cruel in ways that they would never dream of being to someone’s face. “The way our brains work, we have evolved to understand each other by tone of voice or seeing facial expressions, but that gets lost through the devices we use to communicate,” Bejar said. That’s why Bejar’s team of 80 employees worked to create tools for users to report harmful posts and photos, and to notify Facebook if content “hurt their feelings.” And according to the site, the tools are being utilized in a big way: over 8 million users flag content per week. Though the team has experienced success by providing more language options to help users convey how offensive content makes them feel, they may take it even further soon by allowing users to share emotional sounds.

Malware – POS Backoff agent increased sharply during Q3 2014

Point-of-Sales (POS) malware impacts credit card processing and is designed to hide in a stealth-like manner to capture sensitive information that can be used for fraudulent purposes. Everyone should take utmost care when using credit & debit cards both online and regular purchases as well. 

https://www.damballa.com/q3-state-infections-report-reveals-57-increase-backoff-malware-august-september/

http://www.darkreading.com/attacks-breaches/backoff-pos-malware-boomed-in-q3/d/d-id/1316957

 
The security firm Damballa detected a 57% increase in infections of the notorious Backoff malware from August to September. Try as they might, retailers don’t seem to be able to get the Backoff malware to actually back off. According to a new report from the security firm Damballa, detections of the notorious point-of-sale (PoS) malware jumped 57% from August to September. During the month of September alone, Backoff infections increased 27%. This year, the Secret Service estimated that as many as 1,000 US businesses may be infected by the malware. That list of impacted businesses features some big names, including United Parcel Service (UPS) and Dairy Queen.

Credit Card Fraud – Tips to spot Credit Card Skimmers

Credit Card skimmers are devices designed to intercept credit cards, allowing thieves to create a fake duplicate copy of the original and rack up unauthorized charges. Kim Komado highlights these dangers in one of the daily security tips.

http://www.komando.com/tips/278304/how-to-spot-credit-card-skimmers

 
One of the more successful tools of 21st century crooks is the skimmer. Thieves attach them to ATMs, gas pumps and other places people swipe their credit and debit cards. It’s quite ingenious.  Once in place, this sneaky bit of electronics steals the magnetic strip information from your card. Once the thieves have the information, it takes just moments for them to copy or clone it.  And once they have a clone, they can drain your bank account or run up huge bills and trash your credit before you even know it!

FBI Study – over 500,000,000 accounts exposed in past 12 months

The FBI and other authorities have quantified the many data breaches seen in past year.  The use of “hacked” means security records were exposed and these actual account information may or may not have been downloaded by the bad guys in the process.

http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecuurity/17615029/

QUOTE: WASHINGTON — Federal officials warned companies Monday that hackers have stolen more than 500 million financial records over the past 12 months, essentially breaking into banks without ever entering a building.

“We’re in a day when a person can commit about 15,000 bank robberies sitting in their basement,” said Robert Anderson, executive assistant director of the FBI’s Criminal Cyber Response and Services Branch.

The U.S. financial sector is one of the most targeted in the world, FBI and Secret Service officials told business leaders at a cybersecurity event organized by the Financial Services Roundtable. The event came in the wake of mass hacking attacks against Target, Home Depot, JPMorgan Chase and other financial institutions.

Nearly 439 million records were stolen in the past six months, said Supervisory Special Agent Jason Truppi of the FBI. Nearly 519 million records were stolen in the past 12 months, he said.

About 35% of the thefts were from website breaches, 22% were from cyberespionage, 14% occurred at the point of sale when someone bought something at a retail store, and 9% came when someone swiped a credit or debit card, the FBI said.

About 110 million Americans — equivalent to about 50% of U.S. adults — have had their personal data exposed in some form in the past year, said Tim Pawlenty, president of the Financial Services Roundtable and the former governor of Minnesota.

About 80% of hacking victims in the business community didn’t even realize they’d been hacked until they were told by government investigators, vendors or customers, according to a recent study by Verizon cited by Pawlenty.

Data Breach – Early reports for possible Staples compromise

Hopefully the scope of the latest will continue to be isolated to about a dozen of the 1800 stores nationwide.  During WSJ report this morning, it was noted that approximately 400 million accounts have been compromised over the past year collectively by the many firms impacted.  

http://www.zdnet.com/staples-investigates-possible-data-breach-credit-card-fraud-7000034902/

http://krebsonsecurity.com/2014/10/banks-credit-card-breach-at-staples-stores/

QUOTE: Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement.

According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Framingham, Mass.-based Staples has more than 1,800 stores nationwide, but so far the banks contacted by this reporter have traced a pattern of fraudulent transactions on a group of cards that had all previously been used at a small number of Staples locations in the Northeast.

The fraudulent charges occurred at other (non-Staples) businesses, such as supermarkets and other big-box retailers. This suggests that the cash registers in at least some Staples locations may have fallen victim to card-stealing malware that lets thieves create counterfeit copies of cards that customers swipe at compromised payment terminals.

BEST PRACTICES FOR INTERNET SAFETY FOR 2014

In November, a presentation is planned for professional organizations in our area.  This represents a planning outline that will be further refined.  

 1. SECURITY = SEC-U-R-IT-Y was once shared by a class leader that “you are it“.  Careful and well planned human behavior is your BEST defense, even over technological safeguards.  Fort Knox has some of the world’s best security, but if the guards open the doors and let unauthorized folks in — what good is all of that fortification?  For the best safety for yourself, family, and corporately, one must “think security” and then integrate those concepts in all actions.

2. THINK DEFENSIVELY –   Avoidance is your #1 risk management tool.  For email or internet actions — safety should always be a primary concern.  It’s good to get secondary verification before acting on items.  When a site is encountered that will not allow you to exit — use CTRL+SHIFT+ESC to bring up task manager to close malicious web pages & exit safely.   Lock down your browser settings with restrictive security settings.  Patch immediately from trusted sources quickly to fortify your system.

3. THINK BEFORE YOU CLICK – Think of every action being potentially dangerous on Internet.  While most actions are safe, there is still the potential of danger.  It is better to pause and double check than to act to emotions or initial responses sometimes.   The good news is that it takes one or more clicks by the user to install most malware.  The bad news is that many folks click anyway, without realizing this gives permission to possibly plant malicious code in a stealth like manner on the system.

4. STAY INFORMED ON DANGEROUS RISKS – When a leading bank with restrictive security has millions of accounts compromised, it is a wake call for security to be a top safety theme in our well connected society.  Security is only as strong as weakest point.  Recently, telephone call scams pretending to be the IRS, Microsoft, and other entities have emerged.  However in most cases, they use postal mail to contact folks on serious matters.  These are scams intended to rob folks ultimately.   There are “no free lunches on the Internet” and the appeal of winning or being chosen, may temp users to click on unsafe items.  Please avoid temptations to click on even false news alerts.  A few years ago a bad European 100 year storm hit and there was a “Storm Worm” virus that impacted many users.   Today, there are false Ebola news alerts circulating and clicking those links may implant a virus.  Sensationalized news alerts can be used to trick user.  Stay informed on security news bulletins & visit beneficial blog sites to stay educated on the dangers.

5. STAY UP-TO-DATE ON SOFTWARE – Update Windows, Anti-Virus and all other products on your system as soon as this is offered. Stay on latest version of browser, flash, and other software. Reboot your PC often to give it a fresh start and ensure latest patched components load for your protection.

6. USE SECURE PASSWORDS – Use strong password techniques and don’t use the same one for each site, but vary them to reduce harm if the bad guys happen to discover one. Consider putting an asterisk (*) or exclamation point (!) at end of password that you like using. Use 2-pass security and other approaches in lieu of passwords when feasible.

7. WIRELESS NETWORK SAFETY – Use or setup these resources with security in mind, as unsecure connections can be easily intercepted. Be especially careful with your mobile smartphone as it can provide a wealth of personal and sensitive information, if lost or stolen.  Please consider wireless as HIGH RISK both at home or away.

8. PHYSICAL SECURITY – Carefully handle laptops or mobile phones while traveling by air or driving or at hotel. Hide, lock, and secure these resources. Encrypting the hard drive is beneficial for frequent travelers and anyone desiring high levels of security.

9. RECOVERY FROM SECURITY EVENT – When personal information has been compromised or malware infections occur, quickly change all passwords, alert banks, change account numbers, and take other actions to minimize damages associated with loss of information.  The key is to quickly change credentials for anything that has been disclosed and ensure your security in future processing is restored under new & improved controls.

10. SECURITY IS A CONTINOUS IMPROVEMENT PROCESS – the bad guys are improving their tactics & defensively we must proactively respond as developments occur. The defense mechanisms of five years ago won’t work for today’s threats. Security requires re-thinking and re-evaluation of safety techniques constantly.

Data Breach – JP Morgan 76 million users impacted

 

I had the same reaction of “The Atlantic” as 90 “BANK” servers were compromised and sensitive personal data was mined.  While no financial account data was extracted, phishing scams and targeted attacks could be easily created knowing email addresses and other personal data.  

http://www.theatlantic.com/business/archive/2014/10/why-the-jp-morgan-data-breach-is-like-no-other/381098/

QUOTE: Banks are supposed to have some of the most advanced security systems in the world.   JP Morgan still got hacked. Another month, another report of a large corporation failing to keep customer information secure. This time, it’s JP Morgan reporting that 76 million households and 8 million small business were exposed in a data breach. At this point, it’s understandable if the news doesn’t cause much alarm.

But hear us out: This JP Morgan Chase breach should freak you out, even if you don’t bank with them. Previous data breaches have largely been confined to retail companies (Target, Home Depot etc.), where brands are required to meet basic security protocols and not much else. “Retailers are known to be cheap,” Paula Rosenblum, managing partner at Retail Systems Research, said. “But it gives me much more pause when it happens to a bank.”

Banks have much more sensitive information about their customers than any retail operation, everything from social security numbers to detailed records of past spending. So far, JP Morgan reports that only limited personal information, such as names, phone numbers, and addresses, were stolen, insisting that social security numbers, banking information, and other data remain safe. “I’m assuming that [information] is encrypted,” said Rosenblum. “If not, then Katy bar the door.”

Then there’s the sheer scale of the breach. Let’s repeat: Seventy-six million households and 8 million small business were exposed. According to The New York Times, JP Morgan believed only one million accounts were affected a few weeks ago. So there’s the possibility that the number may rise even further.

ATM Malware – Tyupkin allows direct theft from infected ATM systems

Kaspersky Security is warning financial institutions regarding highly sophisticated ATM malware where a thief knowing the right input codes can steal money directly from the ATM itself

https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/

QUOTE:  This ATM based malware attack uses several sneaky techniques to avoid detection. First of all, it is only active at a specific time at night.  It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.  When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.

Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly.   This is done by infecting ATMs directly or direct APT-style attacks against the bank.  The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure.

General advice for on-premise ATM operators

* Ensure the ATM is in an open, well-lit environment that is monitored by visible security cameras.
* The ATM should be securely fixed to the floor with an anti-lasso device that will deter criminals.
* Regularly check the ATM for signs of attached third-party devices (skimmers).
* Be on the lookout for social engineering attacks by criminals who may be masquerading as inspectors or security alarms, security cameras or other devices on premises.
* Treat intruder alarms seriously and act accordingly by notifying law enforcement authorities of any potential breach.
* Consider filling the ATM with just enough cash for a single day of activity.