Wed, 5 Oct 2016 00:00:00 +0700
(image) With the recent story about FBI Director James Comey admitting to having tape over the top of his webcams at home, this question is making the rounds once again.
Comey isn’t the only one that has tape over his webcams. Another story that took the Internet by storm was a picture of Facebook Founder Mark Zuckerberg showing that he has tape over both the webcam and the microphone jack on his laptop.
How Possible Is A Webcam Hack?
The technical capability for a remote hacker to gain access to your webcam is absolutely a possibility, so putting tape over your webcam will keep them from being able to see or record anything if they do get in.
But I’ve always contended that just putting tape over your webcam is a little like sticking your head in the sand, if that’s all you do.
In order for a remote hacker to make use of your webcam, they generally start by gaining access to your computer, which gives them complete access to EVERYTHING on your computer.
Making sure you have solid security software installed and paying attention to changes in the performance and startup times of your computer are also critical to sniffing out hidden malware.
Both Mac and Windows users are potential victims of the many social engineering tricks used by malware creators to gain access to your system.
One of the more common tricks is to convince you that you need to update your video playback software in order to see a video, which often presents itself as a convincing but fake pop-up with a link.
If you’re serious about protecting access to your computer’s webcam, you can install special software that monitors, blocks and alerts you whenever a program is attempting to use your webcam.
Windows users can look into using Phrozen Software’s Who Stalks My Cam (https://goo.gl/W5DwIa) which offers free threat detection as well as the ability to setup automatic responses to detected threats.
It also offers the ability to create ‘Whitelists’ of approved programs so applications like Skype that you do want to use won’t be stopped in their tracks.
Mac users can install a free program called OverSight (https://goo.gl/TvcWb1) from the R&D Director at Synack, an information security firm.
The OverSight program will monitor both your Mac's mic and webcam, alerting you whenever the internal mic is activated or whenever a program is attempting to access your webcam.
Patrick Wardle, the author of the program and former NSA staffer recently discussed new ways malware could piggy-back on legitimate webcam sessions, so Mac users shouldn’t shrug off the threat as a Windows-only problem.
Most webcams have an LED that indicates that it’s in use, but some of the more sophisticated attacks can turn off the visual indicator or in the case of the recent proof-of-concept attack on the Mac, simply piggy-back onto legitimate sessions.
Remember, if a remote user can access your webcam, they can generally access everything on your computer, so don’t limit your concerns to the webcam.
Wed, 21 Sep 2016 00:00:00 +0700
(image) This question illustrates the ongoing challenge we all have to face when it comes to balancing convenience with security.
Having your passwords stored in your browser is certainly a big convenience, but no matter how you look at it, the price you’ll pay is some level of security.
If you never save a password in your browser, technically speaking it’s certainly safer, but what you really need to do is weigh the actual risks against the convenience.
How and where you use your computer should also be a consideration as a laptop, smartphone or tablet is much more likely to be lost or stolen then a desktop computer in your home or office.
Saving passwords on your home computer that only you use is far safer than saving passwords on a mobile laptop that you’re whole family shares.
Saving passwords on benign sites that contain very little personal information is also less of an issue than saving passwords for any of your financial institutions.
Every major browser offers some form of encryption that securely stores the saved passwords on your computer, but we don’t really know exactly how ‘hackable’ their security may be.
The reality for most of us is that we're a lot less likely to be the victim of a hacker that’s specifically targeting saved browser passwords then we are to be the victim of theft or a lost device.
A stolen device loaded with a plethora of saved passwords is a cyber-thief’s dream, so it’s imperative that you setup some form of access code and auto-locking feature to reduce the potential damage should it go missing.
Installing some form of remote tracking and deletion software, such as https://preyproject.com on all your mobile devices is also a good idea, whether you’re saving passwords on them or not.
To Sync or Not to Sync
Another ‘convenience’ feature you’ll have to decide whether to use or not is the browser ‘syncing’ option.
Syncing allows you to share your browsing history and passwords across all your different devices, but in order for it to work, your information has to be stored by the browser company on their servers.
Once again, they offer various levels of encryption and with the exception of one company, Opera, we’ve yet to hear of any breaches of this particular secured data, but you’ve technically added another way to be exploited.
For its part, Google has created a central place that allows you to manage what passwords the Chrome browser saves which you can also password protect separately with a sync passphrase at https://passwords.google.com.
A Better Way
Security experts all tend to agree that if you’re going to use software to store your passwords, using a dedicated password storage tool such as LastPass, KeePass or RoboForm is more secure than using your browser to store your passwords.
Products that focus solely on protecting passwords instead of relying on browser developers that have to focus on many other things besides security should provide you with a better layer of security.
Wed, 14 Sep 2016 00:00:00 +0700
(image) If you only had one or two to remember, creating long, complex passwords that you could easily remember wouldn’t be too difficult, but estimates are that most people average between 25-30 distinct online accounts.
This has led to the common, but unsafe practice of using the same password on multiple online accounts, which the security community has warned against ad nauseam.
All Security Eggs In One Basket?
Companies like LastPass, RoboForm. 1Password and Dashlane offer a solution that may seem a bit counter-intuitive: put all your security eggs in one basket.
On its face and from a purely technical standpoint, storing everything in one place seems a bit risky, but you need to compare it to what you’re currently doing.
No process is 100% secure, but if you’re using the same password everywhere, you’re in about the highest risk category that exists.
Password managers allow you to use strong unique passwords for every account, but only require you to remember a single master password.
Encryption Is The Key
Every password manager uses some form of encryption to secure your basket of passwords. This doesn’t make them impossible to compromise, it just makes it more difficult and a less desirable target.
Even when a breach occurs at an online password management service, the stolen data is encrypted, which means the thieves still have to spend the time to crack the security. By the time they can actually crack the encryption, you’ll have been notified to change your passwords by the breached service, rendering the stolen info useless.
Online vs Offline Managers
There are generally two ways that password managers store your encrypted passwords; in the cloud or on your computer.
Online password managers tend to trade a bit of security for convenience, because there is nothing to download or install and you aren’t limited to using the service on specific devices. Any device that has an Internet connection can potentially be used to access your accounts, but that also means that it’s potentially accessible by others.
Offline password managers are technically more secure because the only place that your information exists is on your computer or mobile devices, but that also means you’ll only be able to access your accounts from those specific devices.
This can become problematic if your computer goes down or you’re using a computer that you don’t own to try to access your accounts.
If you decide to use a password management system, the single most important password you’ll create is the master password.
Making sure it’s long (at least 12 characters) and complex as well as activating 2-factor authentication (https://twofactorauth.org) is critical to keeping everything secured.
Keep in mind, if you lose your master password, most of the services can’t help you recover it because they generally don’t store it anywhere as a security precaution.
Making Your Decision
If you’re not tech savvy, using an online password manager is likely more secure then what you’re currently doing and it’s a lot less complicated.
If not, you can always use my low-tech password management suggestion: https://goo.gl/v8Rvjo
Wed, 17 Aug 2016 00:00:00 +0700
(image) Passwords tend to be the only thing separating criminals and thieves from our online accounts, which is why they spend so much time creating sophisticated means in which to compromise them.
Just about all the advice you’ll ever hear about creating ‘strong passwords’ is generally designed to thwart sophisticated guessing schemes commonly referred to as ‘brute-force attacks’.
Brute-force attacks, which are generally performed off-line by high-speed computer networks, are a systematic process of trying every possible combination of letters, numbers and special characters until the correct combination is figured out.
Long, complex passwords are the best way to combat this type of attack.
Understanding Brute-Force Attacks
If you were to only use 2 characters for your password, you can see how a high-speed computer could guess every possible combination in the blink of an eye.
In fact, the Gibson Research Password Haystack Tool (https://grc.com/haystack) suggests that any 2-character password can be broken in 0.0000000000354 seconds or less.
Each additional character that you add exponentially increases the number of possible combinations, so the longer your password is, the longer it will take for a brute-force attack to be successful.
Most of you have been trained to use complex 8 character passwords, which are hard for you to remember and easy for attackers to crack. With today’s sophisticated password cracking technology, GRC’s tool suggest it’ll take just over 1 minute to break any 8 character password, no matter what combination of characters you use.
By stretching the password to 10 characters, that 1-minute goes to 1-week, as long as you have included uppercase characters, numbers and special characters.
Use Passphrases, Not Passwords
If you don’t follow the guidance on using all the required characters, the number of possible combinations drops exponentially.
For instance, the time that it takes to crack a complex 10-character password that does not include an upper case letter goes from 1-week down to just over 6 hours.
The key to creating strong complex passwords that you can remember is to stop using passwords and start using passphrases.
My go-to example of ‘I H8te Passwords!’ is a 17-character passphrase (including spaces) that GRC’s tool suggests would take 13.44 billion centuries to crack.
By creating a passphrase that is personal to you, you have a much better chance of creating a long complex password that you can easily remember.
For example, I’m Going To Aruba in 2017! is 27 characters long and uses all the required characters. Some sites don’t allow you to use spaces, but it would still be 22-characters long.
I personally shoot for at least 12-character passphrases these days, knowing that brute-force cracking technology is going to get faster as time goes on.
If time wasn’t a factor, any password of any length can eventually be broken, but time is a factor with cyber-thieves, so make yours long and complex enough so that your accounts aren’t worth their time.
Wed, 27 Jul 2016 00:00:00 +0700
(image) We’ve all been taught to look for HTTPS: (HyperText Transfer Protocol Secure) at the beginning of a website whenever we’re going to make a purchase online.
This ensures that the information you’re typing on the page is encrypted between you and the trusted website so that your information stays secure.
The warning message you’re asking about typically appears on sites that require this level of security, such as any site that requires you to log in or make purchases online.
A security certificate is a means to ensure that the site owner is who they say they are resulting in the famous ‘lock’ image that helps you know that you’re on a secure site.
Think of them as a way to authenticate the owner of a website much like your username and password are used to authenticate you as a user.
The complexity involved in Internet security can get a bit technical, but for the most part, whenever you see this error on a site where you are being asked to provide sensitive information, you should be very cautious.
When you see this message pop up, your browser is essentially telling you that it can’t verify the authenticity of the website you are visiting because there is a problem with the security certificate.
The causes for this warning message can vary greatly and often times does not necessarily mean that something nefarious is in play, but you should still always be cautious.
Something as simple as your computer’s date and time being off can cause this but so can a slightly mistyped URL that lands you on a scam site.
A common cause is that the website owner hasn’t renewed their security certificate (as in it was once valid, but has since expired) or they’re using a free Certificate Authority service such as CAcert.org (http://cacert.org) that isn’t necessarily trusted by some browsers.
If you know for sure that the website is legitimate, you should alert the website owner of the warning so they can fix the problem on their end.
Keep in mind, this can also be a clear alert that the site you’re visiting isn’t a legitimate site and can’t be trusted.
Creating very convincing duplicate websites is not very hard to do these days, so you’ve got to always pay close attention to security indicators like the picture of the lock and these security warnings that can come from Google, your browser or from your security software.
If you’re not sure about a site, you can use a third-party site checker such as Sucuri’s SiteCheck scanner (https://sitecheck.sucuri.net) to get a full report on the site that will check for known malware, blacklisting status, website errors and out-of-date software.
If you regularly visit a site that you know is legitimate but gives you this error, there are ways to bypass the message for just that site, but I’d only suggest this for tech savvy users (by doing a Google search).
Wed, 6 Jul 2016 00:00:00 +0700
(image) With over one billion active daily users, Facebook increasingly is becoming an attack vector of choice for those with malicious intent.
Target Rich Environment
Facebook is a target rich environment not only because of the huge number of users but because of the sensitive information that so many have provided the network which helps to pull off ID theft.
Birth dates, mother’s maiden name, and using a compromised profile to login to other services is just the beginning of the desirable identity elements for thieves.
There are a variety of common techniques that scammers use to gain access to your profile, with many of them focusing on phishing scams with malicious links or fake login requests.
Fake Duplicate Accounts
Another very common practice that gets people thinking that their account has been hacked is actually just a fake duplicate of your profile.
It only takes a few minutes to download your public profile image and publically available information to create what looks like your account to your friends.
Most of these scams will try to trick your friends into accepting a new friend request that looks like it’s from you so they can perpetrate their scam as a ‘trusted friend’.
In these cases, posting a warning to all your friends and asking them to help you report the fake duplicate will generally get the account taken down fairly quickly.
The process for reporting fake accounts is posted at: https://goo.gl/73Kddn
Has My Account Been Hacked?
Certainly there are clear indicators that someone had gained access to your account, like when you see posts that you had nothing to do with or private messages that were sent to your friends that wasn’t you.
The first step to determining if others are actually using your account is to check the ‘Where You’re Logged In’ page in the Security portion of your Settings.
This page will list every location, device and last access time for all your active sessions, so if you see a location or device that you don’t recognize, that could be an indication of a compromise and you should immediately change your password.
If you don’t initially recognize an entry, remember that if you’ve ever borrowed a friend’s computer to use your account, that computer may still have access to your profile and many friends will take the opportunity to prank you.
You can remove any of the entries by clicking on the ‘End Activity’ link next to each session or click on the ‘End All Activity’ to kill all sessions except your current one.
Keep in mind, with data breaches occurring almost daily, if you’re using the same username and passwords on most of your online accounts, it’s a walk in the park for someone to start using your Facebook account.
My advice to everyone is that you should assume that all your usernames and passwords will be compromised at some point, so activating ‘Login Approvals’ (https://goo.gl/sDqOlF) or ‘2 factor authentication’ (http://goo.gl/X65O1N) on every account is essential.
Wed, 22 Jun 2016 00:00:00 +0700
(image) It sounds like you’re referring to a reposting of a hoax warning that started circulating years ago as some form of copyright declaration as Facebook was going public.
There are many variations of this misinformation that tend to have a couple of statements in common:
“pursuant to articles L.111, 112 and 113 of the code of intellectual property, I declare that my rights are attached to all my personal data drawings, paintings, photos, video, texts etc. published on my profile and my page” and “Those who read this text can do a copy/paste on their Facebook wall. This will allow them to place themselves under the protection of copyright”.
The first red flag to any Facebook posting these days is when they encourage you to copy/paste the information to your own wall (it’s like the early days of email – send this to everyone you know!).
Although the wording may appear to be some form of a legitimate legal declaration, it’s absolutely useless and unnecessary based on what every user of Facebook agreed to when they joined the network.
If you review the terms of your use of Facebook, under the “Sharing Your Content and Information” section is this:
“You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings.
In addition: For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.”
Anyone that claims you need to post a declaration to keep Facebook from using your pictures and information is sadly misinformed.
They don’t own your content, but you gave them pretty liberal use of it when you agreed to their terms and conditions.
If you’re not comfortable with this arrangement, you can delete your account, but when you do, if any of your friends at any point in time shared your content, it’s still completely usable by Facebook until your friends delete it as well.
Facebook’s whole raison d'etre is to share our content, information, Likes and behaviors with advertisers; us users aren’t the customers, we’re the product.
You can certainly control how they use your content to a certain degree through the privacy and sharing settings in your profile (https://goo.gl/tFjdt5), but in reality once you post anything on a social network or on the Internet at large, you should essentially assume you’re giving up control over what happens to it.
If you haven’t spent much time reviewing the numerous options you have for managing your profile, a fairly comprehensive guide is posted at security blogger Graham Cluley’s website.
Wed, 25 May 2016 00:00:00 +0700
(image) We’ve all seen them: What does your name truly mean? What nationality do you look like? When and who will you marry?
While very few of them are actual scams, you’ll have to decide whether they are ‘safe’ or not for yourself.
By now, all Facebook users should understand that they are using a social networking tool that’s free of financial cost because we are all paying with the information we post and interact with: We are the product, not the customer.
Facebook’s ability to monetize our posts, pictures, likes and comments with advertisers is what has taken a stock that traded below $18 less than 4 years ago to over $118 in the past few months.
The quizzes, friend comparisons and personality tests that you see from Facebook's many advertisers are primarily in the data gathering business.
How You’re Paying
We’re in the era of big data and anyone that participates in these ‘fun’ posts is providing incredibly valuable data about themselves and often times, their friends, to powerful data mining companies.
As soon as you give permission for one of these ‘cute’ apps to access your profile information, they instantly grab as much information as they can get away with because they know very few people pay much attention to permissions or privacy policies.
Your profile data along with lots of other digital footprints we all leave across the Internet is what is feeding a multi-billion dollar digital tracking industry.
Who's Got Your Data?
The reality is you have no idea and no control over how they use your highly personal data, once they’ve gathered it. Could your 'advertising' data someday fall into the hands of someone with nefarious intent? It's certainly a possibility.
If you’ve ever participated in any of these quizzes, you can remove the permissions that you gave by going to Settings-> Apps in Facebook and clicking the ‘X’ to the right of each listed app.
Unfortunately, even if you remove the permissions from your profile, you cannot revoke the information that they've already gathered.
It’s Not Just Your Info
Some people may shrug it off as no big deal, but even if you are perfectly comfortable with providing your birthday, age, hometown and current city, email address, everything you’ve ever posted, all of your photos or any photos you’ve been tagged in or any other profile information that you’ve filled out, you’re usually allowing them to gather various info from your entire network of friends as well.
If you’re comfortable with all of this, by all means, jump in and learn ‘which magical creature you are’ or ‘what your face reveals about you’…I’ll take a pass.
Wed, 30 Mar 2016 00:00:00 +0700
(image) Since we don’t know who the third-party that helped the FBI is or what they did, it’s pretty difficult to pinpoint exactly what it might mean, just yet.
What we do know is that the shooter’s phone was an older and less sophisticated 5c model, so it lacked some of the security features of newer 5s, 6 and 6s models.
It’s doubtful that what was used to break the code on the 5c would be directly usable on newer model phones.
With the introduction of Touch ID on iPhones, Apple beefed up the security through something they call the ‘Secure Enclave’ which exponentially increases the complexity of gaining access to the device.
Without getting into a heavy technical explanation, this additional security feature renders many of the techniques that might be used to break into a 5c useless on any iPhone that has Touch ID.
For instance, the ability to install a modified OS on the 5c to bypass security features couldn’t be done on the 5s, 6 or 6s models without the user’s passcode.
As to the ‘FBI-proofing’ question, while there are certainly things you can do that would severely limit what they could do, it may come at the expense of usability of your phone.
Turning on basic security features in the ‘Touch ID & Passcode’ settings such as ‘Erase Data’ which will erase all the data after 10 failed passcode attempts and turning off the ‘Simple Passcode’ to extend the length of your passcode are a good start.
Also, make sure Siri is not accessible from the Lock screen so she can’t be ‘interrogated’ without your passcode.
If you really want to ‘FBI-Proof’ your iPhone, you need to turn off Touch ID because a Virginia Circuit Court judge back in 2014 ruled that law enforcement can compel you to provide your fingerprint as it’s considered a physical object (like a physical key or DNA sample).
Your Fifth Amendment rights protect you from having to give up your passcode because it’s something you know that might incriminate you, but your fingerprint isn’t.
If you really want to increase the security, you can create a really long custom numeric or alphanumeric code, but this is where you start to get into usability issues.
With Touch ID disabled and a 10 to 12 character passcode, you may keep the FBI at bay, but you’ve just made your phone a major pain to use on a daily basis.
If your iPhone is syncing with your iCloud account, law enforcement can use a court order to get Apple to provide the key to gain access to your encrypted iCloud data.
Apple currently stores a copy of your iCloud encryption key on their servers, but speculation is that they’re working on a process that would push all the keys to a user’s local device making it impossible for them to decrypt data in the future.
Frankly speaking, many of the reasons to own an iPhone go right out the window if you’re that concerned about keeping the government out. Maybe you should consider a BlackPhone (https://goo.gl/LQl3te) instead.
(Image courtesy of https://commons.wikimedia.org)
Wed, 16 Mar 2016 00:00:00 +0700
(image) One of the fastest growing Internet banking scams that specifically targets businesses is a very clever form of wire transfer phishing fraud according to Heartland Financial, the parent company of over 90 community banks.
The typical scenario involves a member of the accounting department getting an e-mail message from what appears to be the CEO, CFO or other high ranking executive within the company requesting a wire transfer be prepared.
The scammers generally study their victims before the scam so they know the names and e-mail addresses of the people in the company most likely to be involved in accounting processes.
The variations that I’ve seen over the years always spoof the senders address, so if the recipient isn’t paying attention, they simply assume it’s a legitimate request.
In some cases, the request will come while the CEO/CFO is out of town to minimize the chances that an offline conversation would expose the scam (credit social media posts for this ability).
Despite clear red flags like strange salutations or improper grammar, enough accounting departments have fallen for this scam to encourage the scammers to increase their efforts.
The popularity of social networks such as LinkedIn and Twitter makes the ‘research’ portion of the scam much easier and some have speculated that a press release or news story can be the initial attraction to targeting a company.
If someone in your organization falls for these clever social engineering scams, it could be very costly.
“The reality is that when this happens, if it goes more than a business day or two from the time the funds are sent, we never get the money back,” said Greg Normington, Vice President of Treasury Management and Product Manager for Heartland.
There are a number of places that you can report the scam messages, but the sheer volume of this type of activity makes it pretty unlikely that much will happen.
My accounting department recently received a scam wire transfer request message that claimed it was from me, so I had them play along so we could get the bank name, account and routing numbers that the scammers were attempting to use.
With this specific information, I contacted the listed bank by phone and emailed the information to their fraud department, but later found out that the best way to report the information is in person at a bank branch (not of your own bank, but of the bank being used by the scammers).
We determined that the account number was valid, but not whether it was setup by the scammers or a legitimate account that the owner didn’t realize had been compromised.
As a preventative measure against this growing scam, it’s highly recommended that all businesses setup dual controls or other extended approval methods as it pertains to wire transfers to minimize the chances of being scammed.
Another thing to consider is moving away from e-mail as an interoffice communication standard as it’s the most common threat vector these days.
Private networking and messaging platforms are plentiful and worth considering for all organizations.
(Image courtesy of https://www.flickr.com/photos/jakerust)