All posts by mitch tanenbaum

Reduce Your Credit Card Fraud Exposure

Here is a really, really simple tip for you to reduce (not eliminate) your exposure to credit card fraud.

This is for you as a credit card user – not as a business accepting credit cards.

I use it and I can tell you from personal experience, it works.

Most banks offer the option to send you a text message EVERY SINGLE TIME your credit or debit card is used.  If yours doesn’t, whine at them till they do or change banks.  It happens in real time.  Here is how I use it.

If I go to a restaurant, for example, and pay by credit card, the server takes the card and runs it through the restaurant’s POS terminal.  Literally, before the server gets back to the table with the receipt for me to sign, I have gotten a text message that tells me the name of the establishment running the charge and the amount.

If I am somewhere and I get a text from my bank, and I don’t recognize the merchant, it has my interest.  In my case, since some of my cards are shared with my wife, I call or text her and ask if this was her.  If she says no, I am on the phone with my bank.  Not later.  Not tomorrow.  Now!  Shut down the card, get a new one.  The new one is free.  For most banks, if you press them, they will Overnight Express the new card to you.  For many banks, even that is free.

I had a charge pop up a few months ago from Babies R Us in Philadelphia for about $300.  Since I have not been in Philly in ten years and we don’t have any little kids, I called my wife to see if, maybe, she bought a gift for someone.  Nope.  Not the case.  On the phone with Wells (in this case) and poof that card was toast.  In a day or two we had new cards.

I am sure the crook was disappointed, but I don’t care and the bank is actually happy that you did it.

If you have cards with a spouse or kid and the cards have different numbers on them, you can have the text messages go to each family member.  If the cards all have the same number, then there is no way to split them out.  In my family, I watch the charges, so I get all the text messages.

To me, it seems simple.  You reduce your pain and anguish.  You don’t have to review the bank statements which would give the crook 30 days of play time.  You don’t have to keep logging on to your bank’s web site or app to check for charges.

And, it reduces your exposure to one charge.  Which the bank will eat anyway.

Free and simple.  Which I like.



Sony – The Story That Just Never Ends

The New York Times is reporting that the NSA has been inside North Korea’s network since 2010 and that is how they knew that the Sony attack came from North Korea.  Hopefully, this is one NSA spying activity that no one in the U.S. is going to complain about.

The Times article said that North Korea had stolen the credentials of a Sony administrator, but the NSA didn’t realize that until after the attack.

General Clapper, the U.S. Director of National Intelligence went to North Korea in November as part of a secret plan to seek the release of two Americans being held there.  His host, Kim Yong-chol, head of the Reconnaissance General Bureau, Clapper says, later oversaw the Sony attack.

That information certainly adds some more credibility to the statement that North Korea is responsible for the attack and is an example of how sometimes, the government makes statements, leaving out facts for various reasons, and as a result, they don’t sound as credible as they would like.

Obviously, the downside of the Times article is that it discloses “sources and methods”, which are generally very highly classified.  (There is a link in the Times article to a Der Spiegel leaked NSA document that is marked TOP SECRET//SI/TK//REL TO USA, FVEY.  For those of you who are familiar with the DoD classification markings, that document is definitely highly classified.)  The disclosure will likely shut down the entry the NSA has into North Korea as the Koreans scramble to figure out how to deal with the leak of information.  Just as likely, the NSA is trying to figure out (or maybe already has figured out) how to deal with this leak.


Splashdata Releases Its Top 25 Password List

Let me start with a few caveats.  This is based on hacked and published passwords, so it may or may not represent the overall use of passwords.  Splashdata also makes a password manager application, so they have a vested interest in the story.


The top password is no longer “password”.  It is now 123456.  Followed by the more secure 12345.

Here is the complete list, but the top 5 passwords, in order, are:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty

As I said, this may not represent the use of passwords in general, but how do we expect people to deal with phishing attacks like the one at Sony if, after all these years, the most popular password is still 123456?

According to Splashdata, this is an analysis of 3.3 million leaked passwords and the top 25 represents a little more than 2 percent of the total.  This means that about 70,000 people used the passwords in the top 25 list.


Everyone Offers “The Best” Security Advice

How many times have you seen computer experts telling you that they have the secret solution to making your computers secure?  I don’t know how many I have seen, but it is a lot.  There is, no doubt, some truth in each of these lists, but for everyone, the solution is a little different.  The challenge is that most business people don’t have the time or expertise to figure it out for themselves.  Unfortunately, rather than hiring an expert, they throw their hands up in defeat and don’t do anything – or pretty close to that.

Roger Grimes is an author of 8 computer security books, works for Microsoft as a computer security architect and is a frequent public speaker.  Beyond that, I don’t know much about him, but after reading this column of his, it seems like he has some good points TO CONSIDER.  My opinion, you MUST operate out of an information security strategy that everyone in the organization, including the Board if there is one, has signed on to.  If you don’t do that and if you don’t have active support from the C-Level and Board, the results are not going to turn out well.

With that preamble, here is a synopsis of Roger’s advice.  Read his column if you need more detail.  Better yet, call me.  Some of this is my take on what Roger said, so don’t blame him.  At least not for all of it.   🙂

  • Using long passwords, hardening your computer systems and using anti-virus software is not sufficient.  If it was, we wouldn’t be in the mess that we are in.
  • Be up to date on patching software.  If you can’t get to it all, patch the most popular software first.  Hackers are likely to go after Java and Flash before they go after PDFSplit.  What you do patch, patch well (testing to see what it breaks, making sure that all systems have the patch, changes are documented,  etc.)
  • Don’t get socially engineered.  That means either online or in the physical world.  I heard of a social engineering con that sent out disks that looked like Oracle patch disks.  The hacker called the I.T. department pretending to be Oracle support and told them they were Fedexing a critical patch.  Guess what – the organization deployed the patch (which didn’t break anything but did create a back door).  When it comes to security, trust but verify.  No, let me think about that.  Don’t trust and do verify.
  • Two factor authentication is not a silver bullet but it helps.  The Chase hack late last year was effective because they forgot to install two factor on one server and that became the hacker’s entry point.  If they had installed two factor would it have kept the hackers out?  We will never know, unfortunately.
  • Don’t use the same passwords across systems or websites.  I know this is a king sized pain, but if you do reuse passwords, then when site X is compromised, Y and Z fall too.  At a minimum, group passwords into levels of sensitivity (don’t use the same password for Facebook and your online banking.  In fact, for a variety of reasons, your Facebook password should be unique).
  • In a corporate environment, don’t have any permanent members in the HIGHEST security groups and then monitor the heck out of group additions.  If you see any activity that you don’t expect then ALARM, ALARM, ALARM.  Don’t make everything your highest group; otherwise, you will drive yourself crazy.
  • Reduce the security events that you are monitoring to those that are actually important.  Part of the reason that Target got hacked (but only part of it) was they were getting so many alerts that they became numb to them.  If you get a thousand alerts a day, some people would say that is great, but smart people would say “how the hell do you figure out which ones are important?”  Start with a few important alerts, get your process handled and then, if you still have resources available, SLOWLY add more.  Never add an alert until you have reviewed the cost (resources) / benefit tradeoff.
  • Network traffic analysis.  Do this.  Both internally and externally.  Once you have a baseline, then if you see abnormal traffic say to a database server or mail server, you should raise an alert.  Likewise if you see a bunch of outbound traffic to a place that you don’t normally see (which, unfortunately, could be either China or Des Moines – the issue is not where, but rather, is this what we usually see), then investigate.
  • Whitelisting works better than anti-malware.  While I agree with Roger on this one, it is a pain in the tush to make work at scale.  What this means is that you only allow specific versions of specific software to run anywhere in the organization – servers, desktops, tablets, phones – employee owned or company owned.  If you can pull this off – even if it is not perfect, it makes the bad guy’s job harder.
  • Focus on how, not what.  That means you have to have a strategy (Again! Sorry.).  You need to figure out what is important to YOUR organization and HOW a bad guy has in the past or likely will in the future, attempt to steal it.  Are lost devices the killer for you?  If so, then encrypt them and install kill switches on them (meaning either or both of you can remotely wipe the device or the device is smart enough that if it has not been able to phone home for x hours, then it wipes itself.  There are lots of variants to this).
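One way to turn the “monitor the heck out of group additions” item above into a concrete, low-noise check.  This is an added example, not code from the post or from Roger’s column: a small Python script that scans simplified Windows Security log lines for additions to a short list of highest-privilege groups and alarms only on those, loudest when the account doing the adding is not one you expect.  The one-line log format, the group list, the `svc-pam` service account and the sample log lines are all constructed assumptions.

```python
import re
from typing import Iterable, List, Optional

# Windows Security log: member added to a security-enabled global (4728),
# local (4732) or universal (4756) group.
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}
# "Highest" groups that should have no permanent members (assumed list; tune it).
HIGHEST_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Accounts expected to make such additions, e.g. a privilege-management
# tool's service account (constructed placeholder name).
EXPECTED_ACTORS = {"svc-pam"}

# Simplified one-line rendering of the event fields (constructed format,
# not the real EVTX/XML layout).
LINE_RE = re.compile(
    r'EventID=(?P<eid>\d+)\s+Subject=(?P<actor>\S+)\s+Member=(?P<member>\S+)\s+Group="(?P<group>[^"]+)"'
)

def parse_event(line: str) -> Optional[dict]:
    m = LINE_RE.search(line)
    return m.groupdict() if m else None  # None for lines that are not group changes

def alerts_for(lines: Iterable[str]) -> List[dict]:
    """Alarm on every addition to a HIGHEST group; ignore everything else."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["eid"] not in GROUP_ADD_EVENTS or ev["group"] not in HIGHEST_GROUPS:
            continue  # ordinary groups are not worth an alarm, per the post
        actor = ev["actor"].split("\\")[-1]  # drop the DOMAIN\ prefix
        alerts.append({
            "event": ev["eid"], "actor": ev["actor"], "member": ev["member"], "group": ev["group"],
            # an unexpected actor is the worst case; an expected one still alarms
            "severity": "HIGH" if actor in EXPECTED_ACTORS else "CRITICAL",
            # an account adding itself is a classic sign of a misused admin credential
            "self_add": ev["actor"] == ev["member"],
        })
    return alerts

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    r'EventID=4728 Subject=CORP\jdoe Member=CORP\jdoe Group="Domain Admins"',
    r'EventID=4732 Subject=CORP\svc-pam Member=CORP\oncall-admin Group="Administrators"',
    r'EventID=4728 Subject=CORP\jdoe Member=CORP\asmith Group="Marketing"',
    r'EventID=4624 Subject=CORP\jdoe LogonType=3',
    r'EventID=4756 Subject=CORP\helpdesk3 Member=CORP\tmp-svc Group="Enterprise Admins"',
]

if __name__ == "__main__":
    for a in alerts_for(SAMPLE_LOG):
        print(f"ALARM [{a['severity']}] {a['actor']} added {a['member']} to {a['group']}")
```

Of the five constructed lines, only the two additions to Domain Admins and Enterprise Admins and the one to Administrators produce alarms; the Marketing addition and the logon event are ignored, which is the whole point of keeping the alert list short.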

Roger says that his wisdom is the real deal and that the other guys are providing useless advice.  IMHO, all advice, including Roger’s and mine, is useless if you don’t put some thought into it and see if it makes sense for your organization.

Start with the one or two MOST IMPACTFUL things to change.  For each organization that is likely different.  Get those done – AND DONE WELL – then focus on the next thing.  Each time, look at the cost benefit trade-off.  Is doing this going to have minimal security benefit yet make my employees want to slash my tires in the employee parking lot?  If so, that is not the right thing to do.  Sorry – last time for this post – YA GOTTA HAVE A STRATEGY.

I wish there was a silver bullet – that would make everyone’s life easier.  Unfortunately, at the moment, there isn’t one.


Turn To Stop Using Verizon Zombie Cookie To Track Users

PC World and others are reporting that Turn, the advertising group that I wrote about a few days ago, will stop using Verizon’s unique identifier to target advertising to Verizon customers in early February.

The practice, which is completely legal, lets Turn track every web page a Verizon customer visits, even if they delete their tracking cookies.  The only solution is to run all of your traffic over a VPN, which encrypts your traffic until it leaves the Verizon network.

Turn insists that users who delete their tracking cookies should not expect not to be tracked – they should instead use opt out methods endorsed by the advertisers.  Of course those only work for “participating” companies and don’t stop them from collecting and selling your data – they only agree to stop targeting ads to you.

In the end, the power of a bright spotlight is effective in keeping at least one small piece of your privacy.


Police use military radars to see inside homes

I have written before about law enforcement’s creative use of technology to capture bad guys.  The prior article talked about putting cameras on utility poles and intercepting cell phone traffic, both without a warrant.

Today’s story, in USA Today, talks about the FBI’s and the U.S. Marshals Service’s use of a type of radar that can see through the walls of houses at a range of up to 50 feet and detect people and motion – even breathing.

The question becomes whether a warrant is needed or not to effectively search your house.  The question in front of the court is just because it can now be done with technology from outside your house, does that make the need for a warrant obsolete?

And, of course, at some point in time, the technology will be used and the wrong person will be in the house and something bad will happen.  It is just a matter of when.  It happens today with no-knock raids without technology.  Nothing is perfect.

The use of this technology came out when a federal appeals court in Denver disclosed that police had used one before entering a house to arrest a man wanted for violating his parole.  When they broke in, they discovered he had two guns, which was a violation of his parole and the parolee wanted the court to throw out the evidence and conviction.

L-3 Communications who makes this device says they have sold about 200 of them to 50 law enforcement agencies for about $6,000 each.  The Marshals Service, which spends a lot of time looking for fugitives, has spent $180,000 on them since 2012.

Another version of the technology allows law enforcement to see a 3 dimensional map of a house showing where people are located and still another version can be mounted on a drone.

Like the previous article, my concern is not with the technology but rather the secretive nature of its use.  The Marshals Service says that they don’t want the bad guys to know that they have the technology.  That could work both ways.  If the fugitive knows the Marshals can see him, he might just give up.

How this came up was that the Marshal did not say that he used radar to discover that the fugitive was in the house (actually, all they knew was that someone or something alive was in the house).  He said that he “developed reasonable suspicion” that the fugitive was in the house.  When the agent testified, he admitted that he did that by using the radar.

The Marshals Service claims that agents “are not instructed to conceal the agency’s high tech tools”, but on the other hand, “they also know not to advertise them.”  The Sarasota police got caught writing an email (really!) last year telling another police department not to say that they received information from a cell phone interceptor called a stingray.

In 2001, the Supremes said that the police could not do thermal imaging of someone’s house from the outside without a warrant.  This seems like a very similar situation.  The Supremes have also said the police cannot attach a GPS tracker to your car without a warrant.  The 10th Circuit Court of Appeals – the court that ruled in this case – said that they have little doubt that they will have to address this issue soon.

Now that the cat is out of the bag, I suspect we will hear more about it.

By the way, the court upheld the conviction.