Category Archives: Best Practices

VISA SAYS: Ongoing Cyber Attacks at Gas Pumps

Visa published an alert saying that the point of sale (PoS) systems of North American fuel dispenser merchants (gas stations and the companies that make the systems that let you “pay at the pump”) are being targeted in credit card skimming attacks.

The attacks are ongoing, increasing and coordinated, run by cybercrime groups.

The alert from Visa’s fraud disruption unit described several attacks.  Stores were supposed to install chip readers by 2015 (if they did not, they became liable for any fraud linked to the missing chip readers), but gas stations got an extension and are only now installing chip readers in pumps (the deadline was October 2019; it has been pushed to October 2020).

One of the benefits of the upgraded chip readers is that the card data is encrypted at the pump and not decrypted until it reaches the station’s acquiring bank or processor, so a compromised station network sees only ciphertext.  Since most pumps have not been upgraded, the magnetic stripe data crosses the station’s internal network in the clear and is not encrypted until it leaves the station, if at all.

This means that if the attackers can get malware onto the gas station’s network, they can likely read card data as it passes through.

Here is the part that affects all businesses:

Individual gas stations are independent from the brands, for the most part, and many are completely independent.  That makes them small businesses that don’t have an IT department.

The attacks usually start by infecting the computer in the office – someone is bored and surfs the web.  They visit a sketchy web site and click on an infection link.

Because gas station owners are not IT or security experts, everything is on the same network – as is often the case in many (most?) small to medium sized businesses.

What businesses need to do is SEGMENT their networks – separate different parts of their business from each other – the WiFi should be separate from the credit card system from the smart TV, from the gas pumps, etc.

Doing that makes it MUCH harder for hackers in any business to get to where they want.  In the Target breach, the hackers compromised a server used by vendors to get projects and submit invoices, but that server, because of a lack of segmentation, could talk to the credit card system.

It takes a little work to design a correctly segmented network that will limit the damage that hackers can do while still letting your employees do what they need to do, but recovering from an attack takes a lot more work than preventing one.
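The segmentation point above is easiest to see as a reachability question: from the office PC that got infected by a sketchy web site, which hosts can the attacker open connections to?  The following is an added example (not from the Visa alert or the original post) that models a small station with the zones named in the post and checks a flat policy against a segmented one.  The host inventory, zone names and firewall rules are constructed for illustration; a real check would be run against the exported rule set of your firewall.

```python
"""Zone/ACL reachability check for a small-business network (added example).

Models the flat network described above versus a segmented one and asks the
first question a pen tester asks: from a compromised office PC, which hosts
can I reach?  Hosts, zones and rules are constructed for illustration.
"""
from collections import deque

# Every host lives in exactly one zone (constructed sample inventory).
HOSTS = {
    "office-pc":    "office",
    "guest-wifi":   "guest",
    "lobby-tv":     "iot",
    "pump-1":       "pumps",
    "pump-2":       "pumps",
    "pos-terminal": "payments",
    "pos-server":   "payments",
}

ZONES = set(HOSTS.values())

# A policy is the set of (source_zone, destination_zone) pairs the firewall
# allows to start a connection.  Traffic inside a zone is always allowed.
# Flat network: every zone may talk to every other zone.
FLAT_POLICY = {(a, b) for a in ZONES for b in ZONES}

# Segmented network: only the pumps may open connections to the payment
# systems; office, guest Wi-Fi and the smart TV reach nothing else.
SEGMENTED_POLICY = {
    ("pumps", "payments"),
}


def allowed(policy, src_zone, dst_zone):
    """True if the firewall lets src_zone open a connection to dst_zone."""
    return src_zone == dst_zone or (src_zone, dst_zone) in policy


def reachable_hosts(policy, start_host):
    """Hosts an attacker sitting on start_host can open connections to.

    Transitive: if the attacker can reach a host in zone B and zone B may
    reach zone C, a pivot through that host reaches zone C.  That lateral
    movement is what a flat network makes trivial.
    """
    seen = {start_host}
    queue = deque([start_host])
    while queue:
        cur = queue.popleft()
        for host, zone in HOSTS.items():
            if host not in seen and allowed(policy, HOSTS[cur], zone):
                seen.add(host)
                queue.append(host)
    seen.discard(start_host)
    return seen


def exposure(policy, zone):
    """Hosts outside `zone` that can reach at least one host inside it.

    For the 'payments' zone this is the list an auditor wants to be short.
    """
    targets = {h for h, z in HOSTS.items() if z == zone}
    return {h for h in HOSTS
            if HOSTS[h] != zone and reachable_hosts(policy, h) & targets}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: from office-pc -> {sorted(reachable_hosts(policy, 'office-pc'))}")
        print(f"{name}: hosts that can reach payments -> {sorted(exposure(policy, 'payments'))}")
```

With the flat policy the infected office PC reaches the POS server directly, which is the Target scenario.  With the segmented policy the office PC reaches nothing outside its own zone, and the only hosts that can still reach the payment systems are the pumps, which have to.  That residual exposure is the place to focus monitoring, since the pumps are the hosts an attacker can touch physically at 3:00 in the morning.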

On a separate note, if you are concerned about your credit card getting compromised at a gas pump, you can do a couple of things to improve your odds:

  • Use the pump closest to the store; it is the least likely to have a physical skimmer attached.  That won’t help if the attacker has malware on the station’s network, though
  • Patronize gas stations that have upgraded their pumps (those are the ones that tell you to leave your card in the reader until they ask you to remove it)
  • Pay inside.  Sometimes, but not always, the register inside gets upgraded before the pumps do.  Watch how they process your card: if they swipe it, it hasn’t been upgraded; if they insert it and wait, it has
  • Last option: if you have to, pay cash

Gas stations are frequent targets because crooks can get to the pump at 3:00 in the morning when no one is there, and because the stations have really poor cybersecurity, except, MAYBE, for the ones owned by the oil companies themselves.  According to Visa, this is becoming a real problem, but it is a great opportunity for other businesses to get ahead of the attacks.

Source: Bleeping Computer



From Unsecure to Less Unsecure

Text messages, as many people know, are not very secure.  If you are asking where to meet for lunch, you probably don’t care.  But many banks use text messages (technically SMS, or Short Message Service) as a second factor to enhance login security.  That does help some, but it would be a lot better if SMS messages were actually secure.

Add to that the limited message length (160 characters, only a bit longer than the original Twitter limit, although phone makers’ messaging apps hide that by splitting long messages), the fact that photos sent by MMS are compressed until they are barely identifiable, and the fact that SMS can be hijacked (SIM swapping and SS7 attacks), and we have needed a replacement for a long time.

Enter RCS, or Rich Communication Services.  RCS eliminates a lot of these shortcomings.  The big four (soon to be three) US carriers say it is coming in 2020, even though the standard has been around for about 10 years.

But the way the carriers are implementing it is not very secure, as researchers are starting to point out.

While you can pick a different messaging app such as iMessage, WhatsApp or Signal for talking to your friends and get better privacy with them, you have no control over which messaging service your bank uses to send its codes, leaving you more exposed than alternatives such as Google Authenticator or Authy, generically known as Time-based One-Time Passwords or TOTP.

So what are the carriers doing wrong?

SRLabs researchers will present the holes they have found at Black Hat Europe in December.  Hopefully the carriers get embarrassed and fix some of these bugs before the systems go live next year.

The issues SRLabs found are in the way carriers implement the RCS standard, rather than in the standard itself.  That is actually good news, because it means a software update can improve security without changes to the standard.  Even with those fixes, RCS is NOT encrypted end to end the way iMessage, WhatsApp or Signal are.

One issue is how the RCS configuration file, which contains the username and password for your messaging account, is protected.  On the affected carriers it isn’t: any app on the phone can request the configuration file, and with those credentials it can read and send your text messages.

Another one sends a six-digit code to verify that you are who you say you are, but allows unlimited guesses.  Trying all one million possible codes takes about five minutes.
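Why unlimited guesses is fatal for a six-digit code, as an added example that is not SRLabs’ research code or any carrier’s implementation: a verifier that never stops counting attempts falls to plain enumeration, while the same verifier with an attempt cap locks the attacker out after a handful of tries.  The cap of five attempts, the single-use rule and the constant-time comparison are the editor’s choices for illustration, not anything taken from the RCS specifications.

```python
"""Six-digit verification code: unlimited guesses versus an attempt limit
(added example).

Models the weakness described above.  A six-digit code has only one million
possible values, so the entire defence is the attempt limit; without one the
code is found by counting from 000000 upward.
"""
import hmac
import secrets


class CodeVerifier:
    """Server side of a 'we texted you a code' check."""

    def __init__(self, code=None, max_attempts=None):
        # Fixed code is for demonstration only; a real server draws it fresh.
        self.code = code if code is not None else f"{secrets.randbelow(1_000_000):06d}"
        self.max_attempts = max_attempts      # None = the carrier bug: no limit
        self.attempts = 0
        self.locked = False

    def verify(self, guess):
        """True on the correct code.  Counts attempts before comparing, so an
        attacker cannot probe without spending an attempt, and locks the code
        after max_attempts failures or after a single success (one-time use)."""
        if self.locked:
            return False
        self.attempts += 1
        if self.max_attempts is not None and self.attempts > self.max_attempts:
            self.locked = True
            return False
        ok = hmac.compare_digest(self.code, guess)   # no timing side channel
        if ok:
            self.locked = True                       # code cannot be replayed
        return ok


def brute_force(verifier):
    """Enumerate every code in order.  Returns the code found, or None if the
    verifier locked us out first (or the space was exhausted)."""
    for n in range(1_000_000):
        guess = f"{n:06d}"
        if verifier.verify(guess):
            return guess
        if verifier.locked:
            return None
    return None


if __name__ == "__main__":
    print("no limit :", brute_force(CodeVerifier(code="424242")))
    print("5 tries  :", brute_force(CodeVerifier(code="424242", max_attempts=5)))
```

Against the unlimited verifier the brute force always succeeds; the only question is how long the million requests take, which is the five minutes the researchers measured.  With the cap, the attacker’s success probability per code is 5 in a million, and the code is also worthless once it has been used.  Rate limiting per phone number or per IP on top of the per-code cap is the usual belt-and-suspenders addition.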

The carriers, of course, are completely defensive, but I suspect that after Black Hat makes their sloppiness public, many of them will clean up their acts.

Which is good for users.

Bottom line: if you want more private text messages, use something like iMessage or Signal; RCS is not going to solve that problem.  Even if the carriers fix their implementation bugs, RCS will just be less unsecure.  Source:  Vice


Advertisers Still Want to Know Who You Are, What You Are Doing

As more users install ad blocking software and browsers such as Firefox and Safari start blocking some ad trackers by default, advertisers have come up with a new way to track everything you do.

This new technique is a bit technical, but I will try to keep it high level.

Typically, the company tracking you is a separate company from the one whose website you are visiting, because advertisers want to know not only what you do on one website but what you do on every other website in the world.  That logic is what created the third-party ad tracking business.

But if you are visiting ABC.COM, the browser can tell when that web page makes a request to XYZ.COM, a third party.

Those requests come in many forms.  It could directly load data from or save data to that third party.

Or it could set a “cookie” from that third party, with information about the site you are visiting, so the ad tracking company can recognize you everywhere.

As people got wise to this and took anti-tracking measures, advertisers tried Adobe Flash cookies.  That didn’t work well because many people (like me) consider Flash insecure, and Adobe itself is killing it in December 2020.

So the ad trackers came up with a new idea.

If ABC.COM wants to track you, the tracking company asks ABC to create a new subdomain, say trackyou.abc.com, and point it (via a DNS CNAME record) at the tracking company’s servers.  Since trackyou.abc.com is still part of abc.com, the browser sees a first-party request: cookies set by that hostname are first-party cookies, and blocklists keyed on the tracker’s own domain never match.  But since the tracking company runs trackyou.abc.com, it can collect whatever data it wants.

It turns out that it is possible, with some work, to block this if you use Firefox (its extension API lets a blocker resolve the CNAME behind a hostname), but not in any other browser.  Most browser makers are in the business of selling your data, so they are a bit conflicted.
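The check a blocker with DNS access can make, as an added example that is not from The Register article or any browser or extension: follow the CNAME chain behind a first-party-looking hostname and, if it ends on a domain registered to someone else, treat the request as third-party after all.  The DNS answers and the tracker list are constructed inline so the code runs offline, and the registrable-domain helper simply takes the last two labels, which is an approximation (a real implementation consults the public suffix list so that co.uk and friends are handled).

```python
"""Flagging CNAME-cloaked trackers (added example).

A subdomain such as trackyou.abc.com looks first-party to the browser, but if
its DNS CNAME chain ends at a tracker's domain the request really goes to the
tracker.  The DNS table and blocklist below are constructed for illustration.
"""

# Constructed stand-in for DNS: name -> CNAME target (None = terminal record).
CNAMES = {
    "trackyou.abc.com": "abc.tracker-cdn.example",
    "abc.tracker-cdn.example": "edge.tracker-cdn.example",
    "edge.tracker-cdn.example": None,
    "www.abc.com": None,
    "static.abc.com": "abc-static.cdn-host.example",   # a CDN, not a tracker
    "abc-static.cdn-host.example": None,
}

TRACKER_DOMAINS = {"tracker-cdn.example"}   # constructed blocklist


def registrable_domain(host):
    """eTLD+1 approximation: the last two labels.  Assumption for the example;
    real code uses the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def resolve_chain(host, table=CNAMES, max_hops=8):
    """Follow CNAME records from host and return every name visited.
    Stops at a terminal record, at a loop, or after max_hops hops."""
    chain = [host]
    seen = {host}
    while len(chain) <= max_hops:
        nxt = table.get(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def classify_request(page_host, request_host, table=CNAMES, trackers=TRACKER_DOMAINS):
    """Classify a request made by a page at page_host.

    'third-party'          : different registrable domain, the case browsers already see
    'cloaked-tracker'      : first-party name whose CNAME chain reaches a listed tracker
    'cloaked-third-party'  : first-party name that CNAMEs to some other organisation
    'first-party'          : everything else
    """
    site = registrable_domain(page_host)
    if registrable_domain(request_host) != site:
        return "third-party"
    for hop in resolve_chain(request_host, table)[1:]:
        hop_site = registrable_domain(hop)
        if hop_site in trackers:
            return "cloaked-tracker"
        if hop_site != site:
            return "cloaked-third-party"
    return "first-party"


if __name__ == "__main__":
    for req in ("www.abc.com", "trackyou.abc.com", "static.abc.com", "ads.xyz.com"):
        print(f"{req:24} -> {classify_request('www.abc.com', req)}")
```

The “cloaked-third-party” result is deliberately separate from “cloaked-tracker”: plenty of legitimate static.abc.com hosts CNAME to a CDN, so a blocker that blocks every cloaked name breaks sites, while one that only blocks names whose chain ends on a known tracker domain catches the technique described above without that collateral damage.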

In fact, a Google search provides lots of articles on how to do this yourself.

Advertisers are just trying to make a buck, not do you in (mostly).   Source:  The Register



Security News for the Week Ending November 29, 2019

The Problem with Big Data is, Well, That it is Big

On October 16th, researchers found an exposed database with 4 billion records covering 1.2 billion people.  The first database contained information on 1.5 billion unique people (note these numbers do not exactly match), including work phone numbers and mobile phone numbers.  The second database contained hundreds of millions of profiles scraped from LinkedIn.  The data appears to be linked to the “data enrichment” firms People Data Labs and OxyData.io, but both firms say the server does not belong to them.  They did not say that the data did not originate from them; most likely the server belongs to one of their customers.  The good news is that the databases do not contain passwords or credit cards, but there is still a lot of data there.  “Data enrichment” is an expression for “we aggregate data from a bunch of sources and put it all together, so if all YOU have is a person’s email, we can tell you how much they make, how many kids they have, the roads they take to work, etc.”  Source: Computer Weekly.


California DMV Made > $50 Million Last Year Selling Your Data

First the law requires you to provide all kinds of information to the DMV.  Then the DMV sells that information to anyone whose check clears, and it does not need to ask your permission.  In theory the law restricts who they can sell your data to, but there are a lot of exceptions.  In one case a private investigator bought the information and gave it to his stalker client, who killed the person.  Other buyers are data brokers like LexisNexis.  Maybe the law should be changed, but in the meantime the DMV loves the cash.  Source: Vice


Another Public Leakware Attack

As I said in my November 19, 2019 post titled “Argh – They Have a Name for it Now – Leakware“, leakware is becoming more popular.  Now we have the case of the security and building facilities firm Allied Universal ($7 billion in revenue, 200,000 employees).  Allied was breached and the hackers want money.  To make a point, they leaked 700 megabytes of data.  They say they have 4 GB+ more and will give it to Wikileaks.  They posted the sample data to Bleeping Computer’s forum, which took it down, and to a Russian crime forum, which was not so cooperative.  The hackers initially wanted $2 million.  Now they want $4 million; Allied offered $50k.  A bit of a gap.  Allied says that it takes security seriously but did not say what it plans to do to protect the stolen data.  If these hackers are Russian, there really isn’t much it can do other than negotiate.  Allied has brought in security experts after the breach.  While it is useful to close the barn door once the horses are gone and the barn is burned to the ground, that probably won’t make much difference to the customers whose data was compromised.  Stay tuned for lawsuits.  Assuming this trend continues, we need different defenses than for ordinary ransomware: good backups let you restore encrypted files, but they do nothing to stop data you no longer control from being published.  Source: Bleeping Computer

That Thanksgiving e-Card – Yup, Its Malware

With the holiday season starting, the purveyors of malware are in the holiday spirit too.  They are sending out millions of MALICIOUS, INFECTED e-greeting cards.

Open the card and you, too, will be infected.  In one campaign, the payload is the Emotet password-stealing trojan.

Open that card and all of your passwords will be sent to Russia or China or some other friendly place.

When I get one of these cards, I send the person who sent it a note thanking them, but telling them that, in an unfortunate sign of the times, it is too risky to open it.

Then I hit the delete key.  Source: Bleeping Computer


Tips to Keep Remote Workers Safe(Safer) – Part 2

Yesterday’s list was so long I decided to break it into two posts.  Here is the second part.

To recap – here are some recommendations from Dark Reading. Most people will pick and choose from this list, but pick some today and then come back in a week or a month and pick a few more. Remember, you are just trying to make life hard enough for the bad guys that they hack someone else.

11. Turn on auto update – Installing updates is a pain, and even though updates sometimes happen at inconvenient times, they are important.  The challenge with updates is that there are so many.  Whether it is your laptop, phone, tablet or desktop, and then, of course, all of the applications too.  Add to that your firewall, digital assistant, Wi-Fi and whatever else.  Updating it all could be a full time job.  Which is why so many updates are missing.  One of the largest data breaches in US history (Equifax) was caused by one missing patch.  If it is possible to automatically update, turn that feature on.  It just makes life easier.  ESPECIALLY for those Internet of Things devices.

12. Segment off your personal network – here is one you probably didn’t think of.  Put your work computer on its own network segment, for example its own Wi-Fi network.  If you isolate your work computer, then when your kid’s computer gets infected, it won’t infect you.

13.  Use a password manager – passwords are a weak spot.  People can’t remember a thousand passwords, so they either make them all the same (so when one web site is breached, they all are) or they make them easy to guess.  Some people ask their browsers to remember their passwords.  After all, what could go wrong by asking the one part of your computer that talks directly to the Internet to store all your passwords?  There have been numerous attacks against browser password stores, and many companies disable that feature for that reason.  Password managers actually make using unique, crazy passwords easy.

14. Enable Multi-Factor Authentication – Not only that, but it is better to do that with an app such as Google Authenticator or Authy instead of a text message.  If you have the option and a business is storing your sensitive data – like a bank – and they don’t offer multi-factor authentication, find a new bank.  I mean it.  Really.

15.  Avoid Browser Extensions – Speaking of not asking your browser to do unnatural acts, browser extensions are often security nightmares.  To the extent that you can avoid them, do so.  For one thing, they slow things down.  For another, many of them have bugs.  And going back to number 11, they often don’t automatically update.  It is a matter of security vs. convenience.  Your choice.

16.  Carry a spare portable battery for your phone or tablet – DO NOT use those handy USB charging ports in airports and other public places.  A USB port carries data as well as power, and a malicious one can literally infect your device.  An alternative to a portable battery is to use an AC power outlet with your own charger.  That won’t infect things.

17. Make sure you share documents securely –  In the mortgage business where I spent many years, loan officers often asked for bank statements, tax returns and other personal information via email.  Not exactly secure.  If you don’t have an ENCRYPTED email solution, ask your company for one.  If you need to control access, don’t use solutions like Dropbox.  Work with your IT department to figure out the best, secure, controlled access solution.

18. Be skeptical.  And then be more skeptical – you have a lot of things to do.  You have a lot of emails to read.  You have a lot of web sites to visit.  Bad actors are counting on that.  We hear about people falling for scams every day.  The FBI said that between mid-2016 and mid-2019, losses due to scams reported to them totaled over $26 BILLION.  That is a lot of money.

19. If you have a remote working policy, follow it.  If you don’t have one, create one –  When it comes to reducing risk, you need to tell employees what they should and should not do.  If you don’t have one then you can’t complain if employees do things you don’t want them to.  For certain industries, these policies are legally required.  In fact you should have a complete set of security policies which are in addition to typical employee HR policies.

20.  Last but not least, get to know your IT and security folks – we really don’t want to make your life difficult.  We are working hard to protect the company, and that includes making sure the company does not get breached or sued for losing customers’ data.  Those kinds of incidents can cost a company a lot of money, and sometimes that translates to layoffs or even closing the company’s doors.  If you need something, ask.  We may not be able to do it, but hopefully we can explain why.
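Number 14 above and the RCS post earlier on this page both recommend an authenticator app over a text message.  What those apps actually compute is RFC 6238 TOTP, and the following added example (not Google’s or Authy’s code, and not from Dark Reading) implements it with the standard library so you can see why it cannot be hijacked the way an SMS can: the shared secret never leaves the phone and the server, and the code is derived from it and the clock rather than delivered over a carrier network.  The secret and timestamps in the usage are the published RFC 6238 test vectors; the verifier’s one-step drift window and replay rule are the editor’s construction.

```python
"""RFC 6238 TOTP, the algorithm behind Google Authenticator and Authy
(added example).

HOTP (RFC 4226) is an HMAC-SHA1 over an 8-byte counter, truncated to a few
decimal digits; TOTP feeds it the current 30-second time step instead of a
counter.  The server holds the same secret and recomputes the code, so
nothing secret is transmitted at login time.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP value for one counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """TOTP value at Unix time `at` (now if None) using `step`-second windows."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def secret_from_base32(b32):
    """Authenticator apps exchange the secret as base32 in otpauth:// URIs;
    this accepts the unpadded, lowercase, space-separated forms apps show."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


class TotpVerifier:
    """Server side: accept the current step or one neighbour (clock drift),
    and never accept a step that has already been used (replay protection)."""

    def __init__(self, secret, step=30, window=1):
        self.secret, self.step, self.window = secret, step, window
        self.last_accepted_step = -1

    def verify(self, code, at=None):
        now = int(time.time() if at is None else at)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_accepted_step:
                continue          # this step (or an older one) was already used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_step = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); at T=59 the
    # 8-digit SHA-1 value in the RFC is 94287082.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("RFC vector T=59 :", totp(secret, at=59, digits=8))
    print("code right now  :", totp(secret))
```

Two details are worth noticing on the server side.  The verifier tolerates one step of drift in either direction, which is why a code usually still works a few seconds after the app rolls over, but it records the last accepted step so the same code cannot be replayed inside that window.  And the comparison is constant-time: a six-digit code is small enough that a timing leak would let an attacker shave attempts, exactly the kind of sloppiness the RCS post describes.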

That is the end of this list.  If you have questions, please reach out to us – refer to number 20 above.

Based on information from Dark Reading. 


Tips to Keep Remote Workers Safe(Safer)

As my son likes to say, nothing is bulletproof; it all depends on the size of the bullet.  Likewise, nothing is 100% secure (except the computer that has never been taken out of the box), but your actions can improve the odds dramatically.

Here are some recommendations from Dark Reading.  Most people will pick and choose from this list, but pick some today and then come back in a week or a month and pick a few more.  Remember, you are just trying to make life hard enough for the bad guys that they hack someone else.

So here are the tips:

  1. When working remotely, use two computers – one for work and one for personal stuff.  Besides the fact that malware on one might not infect the other, there are many other reasons you might want to do this (like not wanting your boss to snoop on your personal stuff, or to back up your nude selfies on the company backups).
  2. Use only approved software on your company computer – many companies won’t let you install other software but many do let you.  There is a reason they approve the software that they do;  it goes through a vetting process.  It might be inconvenient, but so is getting breached.
  3. Don’t rely on a consumer-grade router, Wi-Fi hotspot or firewall – I could go on all day about this one.  If your router, Wi-Fi or firewall is provided by your home Internet provider, you can assume that it is the best equipment that your provider can buy for $5 or $10.  Some Internet providers require that you use their equipment, but there are no rules that say you can’t put your own firewall between the box your Internet provider uses and your computers.  That is what I do.  My firewall cost me $200.  But it runs the same software that you use in your office.  This is a case of you get what you pay for.  My Internet provider has not patched their firewall since 2013.  I am sure that there were no bugs fixed in the last 6 years.
  4. Ensure that your Firewall is configured securely – Your Internet provider will configure any equipment that they provide to minimize the number of support calls that they get.  That saves them money.  If that happens to make things more secure, that is a coincidence.  Mostly, it will make things less secure.  YOU are responsible for the security of your home network.
  5. Connect to your corporate network using a VPN – Using a VPN will definitely improve the security of your connection.  If you are a techie and you manage cloud servers from home, use a VPN connection to manage those as well.  Again, many free VPN services are worth exactly what you pay for them.  And some of them are even run by China – I am sure those are very secure.
  6. Be wary of public Wi-Fi – I am sure that your local coffee shop has all the best intentions when they offer you FREE Wi-Fi, but again, you get what you pay for.  Their IT department likely manages the network in between grinding and serving coffee.
  7. Harden your wireless access point(s) – There are lots of ways to improve the security of your Wi-Fi, especially when you are located in a high density location.  A friend of mine lived in New York and never paid for Internet; he only mooched off his neighbors’ Wi-Fi.  Wi-Fi 6 is coming soon, as is WPA3.  Both will improve your security, but both will require either software or hardware upgrades.
  8. Keep a very close watch on your stuff when you travel – I recently did a TV interview discussing a poor fellow who got his credit cards stolen while he was in the grocery store.  90 minutes later the crooks had racked up $23,000 worth of charges on his cards.  Hotel rooms and hotel safes are notoriously insecure.  If you don’t need to take it when you travel LEAVE IT AT HOME!  Otherwise, secure it as best you can.
  9. Update system and software patches regularly – this includes your phone and your tablet, in addition to your computer and ONLY update from a secure location – NEVER from public Wi-Fi.  Note that this includes all of your apps in addition to your operating system.
  10. Update your system’s firmware – do you even know what firmware is?  It is the software that runs underneath the software you see.  Almost nothing is done in pure hardware these days.  That includes updating the firmware in your firewall, router, Wi-Fi and especially your phone.  Some equipment can be configured to automatically update (Apple is really good about this), and while that might occasionally cause problems, overall, auto-update is the way to go.

Come back tomorrow for more tips.  That’s all for now.
