Archive for the ‘Issues’ Category

Carrots and Sticks! How to improve your security culture …

Posted: November 3, 2018 by IntentionalPrivacy in Compliance, HIPAA - HITECH, Privacy, Security or Privacy Initiatives, Tips, Vulnerabilities
Tags: , ,

Originally written for Third Rock

Sticks

Just like technology controls, administrative controls work better when they are layered. Almost every organization has an administrative control “stick” in the form of policies. The purpose of policies is to explain the rules as well as the consequences if the rules are not followed.

But do the employees really understand what every policy means? Some may be too embarrassed to ask for an explanation if they do not understand a particular policy. Another issue with policies may occur if an employee does not remember what they agreed to five minutes after they handed in their signed policy understanding statement.

Carrots

This is where a security awareness program can help improve an organization’s security culture enormously. It does not have to be expensive to be effective. The program will also be more effective if security awareness training can involve employees. Here are some techniques:

  • Make security training interactive. Use only a small number of PowerPoint slides, tell relevant stories, and keep it short and engaging.

Look for ways to make security important to an employee’s personal life; for instance, show how they can better protect their families online. Employees who practice good security hygiene at home will be better at understanding and implementing security at work.

People learn different ways! The more types of senses used during the training, the better it will be remembered by the audience. Break up the training monotony with focus groups, table-top exercises, and question-and-answer sessions. Instead of having a once-a-year marathon, have sessions monthly or even quarterly. If they are held during lunch make sure you provide food.

There are several places to find resources online. StaySafeOnline.org is one example; they have tip sheets and videos for all age groups and even for businesses. The FTC also offers resources at their Stick with Security blog.

  • Encourage employees to turn in social engineering attempts. Give a small reward, such as a coffee cup, to the first employee who turns in a security issue, such as a phishing email or a social engineering phone call. Maybe your organization will want to stipulate that an employee would be eligible to win a prize once a quarter to give other employees a chance to win. Add the names of each submitter to a list for a prize drawing to be held at the end of the year or at an employee meeting. Send out emails with sample snapshots of the latest attacks, so others can avoid them.
  • Staff are human; if someone makes an honest mistake, reward them for reporting it immediately. The sooner it gets turned in, the faster the issue can be resolved. Of course, the staff person needs to understand what happened and how to avoid it in the future. Organizational controls should also be reviewed to help avoid that issue in the future. Maybe a policy needs to be changed, some staff need retraining, or maybe a technical control can be added to eliminate the issue.
  • Have a process for reporting lost or stolen devices that includes who to contact and how. Decide if the process should include automatic wiping of the device. Make sure that employees are aware of the process.
  • Have a response plan for when a security issue is reported, whether an employee, a customer, a vendor, or a volunteer is the person reporting.. Ensure that a contact is always available for found security or privacy issues.
  • Post a short list of actions for possible security and privacy issues in a prominent place like a break room or a kitchen. Also give the list to employees so they know what to do in an emergency.

Peopleyour customers, your employees, your partners—make a security program work!

New Year’s Resolution: Find Your Blind Spot!

Posted: January 1, 2018 by IntentionalPrivacy in Automobile hacking, Cell phone, Ethics, Issues, New Year's Resolutions, Privacy, Theft, Vulnerabilities
Tags: , , ,

Today is New Year’s Day, a day typically devoted to hangovers and making resolutions.

I recently saw a presentation about automotive computer forensics that made me think about New Year’s resolutions. In spite of my background in computer forensics, I had not considered that automotive computers were advanced enough to conduct forensic investigations on. I enjoyed the presentation and I seriously considered taking the class even though it would not advance my career in Texas.

But then the instructor ruined the class for me by doing two things.

The first was when the presenter—an instructor for a world-famous IT school—talked about driving his yellow muscle car at 65 MPH in a 15-MPH school zone and getting a ticket.

Does he use the ticket as an agent of change? Take his punishment? Learn to drive his car on a racetrack?

No, he was standing up there bragging about his yellow car and getting away with driving fast in a school zone. He is just like those rich-and-powerful gropers that have been lately in the news. They do it because they can and because they (at least used to) get away with it. I do not admire them and I do not admire him.

I appreciate that traffic tickets are expensive (particularly tickets in a school zone), that such a ticket would cause the recipient’s insurance rates to go through the roof, that such a driver might be required to attend traffic school, and that there might be other consequences. I understand the desire to avoid those consequences. I understand that he has a legal right to hire an attorney who will reschedule the court hearing until the police officer could not attend.

Since the police officer could not attend, the ticket was dismissed.

When he was talking about this experience, I was nodding right along with everyone else, but on the way home, I started thinking about what he said and who he is. This presenter possesses several certifications (such as a CISSP), many of which require the possessor to agree to abide by strict ethical standards. In fact, (ISC)2, the certifying body of the CISSP certification, issues just such a code of ethics. The relevant portion is listed below:

Code of Ethics Preamble:
  1. The safety and welfare of society and the common good, duty to our principles, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  2. Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Canons:
  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principles.
  • Advance and protect the profession.

Driving 50 miles above the speed limit obviously breaks several of those tenets (even though this situation was probably not what (ISC)2 had in mind). Another problem I have with his crazy driving is that this man appeared to be in his late sixties. Does he have the reflexes necessary to drive like this?

How far does a car going 65 mph travel before coming to a complete stop? According to Government-Fleet.com, “it takes the average driver from one-half to three-quarters of a second to perceive a need to hit the brakes, and another three-quarters of a second to move your (sic) foot from the gas to the brake pedal. Nacto.org states that “… if a street surface is dry, the average driver can safely decelerate an automobile or light truck with reasonably good tires at the rate of about 15 feet per second (FPS).” Let’s examine how that plays out.
Stopping65MPH
To put this in perspective, a football field is 300 feet long from goal post to goal post. A vehicle traveling 65 MPH (given average conditions) will take 396 feet to stop—more than the length of a football field!

The laws of physics apply to everyone. It does not matter how well you drive. If a six-year-old child steps in front of a vehicle traveling 65 MPH, he or she is dead. If the vehicle is traveling 15 MPH, the kid at least has a chance to learn a lesson.

The second thing he said that I had an issue with was when he was talking about how vehicle forensics is now appearing in court cases. As an example, he talked about a case in Texas where a minister regularly connected his phone to the car infotainment center over Bluetooth, which meant that things maintained on the phone such as contacts and photos are transferred to the car’s computer. He claimed that even if a picture is deleted from the phone, it stays on the vehicle computer. When the preacher took his car into the dealership for service, some of the dealership’s service people stole nude pictures of the clergyman’s wife from the car’s infotainment computer and posted them on a swingers’ site as a joke. One of the preacher’s parishioners told him about the pictures being posted. The clergyman and his wife were understandably upset about this and were suing the dealership.

Since I wanted to write an article for this blog about vehicle computer forensics and the amazing amount of information that can be obtained from an automobile’s computer systems, I looked for articles about that incident.

Except the articles I found about a Texas preacher whose wife’s nude pictures were posted on a swingers’ website had nothing whatsoever to do with the vehicle’s infotainment computer. The photos were stolen from the customer’s phone. When I realized that he had twisted the story to fit his theme, I was appalled.

What really happened: A preacher and his wife went to a Dallas Toyota dealership to buy a car. The minister had gotten a preapproval for the loan from an app on his phone. The salesman took the customer’s phone to show the manager the preapproval. While the salesman was out of sight, he found some nude pictures of the wife on the phone and emailed them to himself and the swingers’ site. Then erased the email. The couple were outraged—rightly so!—about this intrusion into their privacy and the theft of pictures of a “private moment.” They hired attorney Gloria Allred to sue Toyota, the Dallas dealership, and the car salesman. You can read more about it here.

A computer forensics professional is required to present the facts fairly and accurately. Given these two stories, would you trust this man to represent the facts fairly and accurately? Would you trust him to act ethically and honorably?

I am asking you to add these New Year’s resolutions to your list this year:

  1. Drive the speed limit. Drive as if it could be your child, your grandmother, or your dog in that crosswalk!
  2. Check the accuracy of your information before you give a presentation. Give citations, so that other people can verify your work. If I am in the audience, I will.
  3. Find your blind spot and change it to something positive.
  4. Do not allow anyone access to your phone, especially if that person is out of your sight.

Have a wonderful new year!

References

“Driver care: Know Your Stopping Distance,” http://www.government-fleet.com/content/driver-care-know-your-stopping-distance.aspx

“Vehicle Stopping Distance and Time,” https://nacto.org/docs/usdg/vehicle_stopping_distance_and_time_upenn.pdf

“Couple Sues Grapevine Car Dealership Claiming Salesman Shared Their Photos on a Swingers Site,” http://www.dallasobserver.com/news/couple-sues-grapevine-car-dealership-claiming-salesman-shared-their-photos-on-a-swingers-site-8957090

“Texas pastor claims Toyota car salesman stole his wife’s nude photos and emailed them to a swingers’ site,” http://www.dailymail.co.uk/news/article-3994292/Texas-pastor-claims-Toyota-car-salesman-stole-wife-s-nude-photos-emailed-swingers-site.html

Credit freeze vs Credit lock – which is best?

Posted: October 4, 2017 by IntentionalPrivacy in Equifax, EquiMess, Security Breach, Vulnerabilities
Tags: , , , , , ,

Equifax and the other credit bureaus are trying to convince consumers to put “credit locks” on their credit files instead of credit freezes. Credit locks are – I think – a really bad, bad idea. Why?

  1. Why would you trust anything a company tells you that did not encrypt a database with 145 MILLION records in it? Former Equifax CEO Smith testified yesterday at the House of Representatives that Equifax has a poor record of encrypting data. To read the latest about the EquiMess, click on Wired‘s “6 Fresh Horrors From the Equifax CEO’s Congressional Hearing.” Talk about dancing on the head of a pin!
  2. The credit bureaus claim a lock is “free” and simple to use through an app on your phone … the problem is that nothing is free, and again, why would anyone trust them? They’re selling your information somehow to pay for that lock.
  3. What’s the difference between a lock and a freeze? Well, nobody seems to know. While credit freezes have a cost to set up and remove (which varies from state to state), they’re regulated by state and federal law. When you sign up for a freeze, you do not have to agree to arbitrary credit bureau terms and conditions (such as giving up your right to sue or participate in class-action law suits).

More on credit freezes vs credit locks: “Myths vs. facts: Sorting out confusion surrounding Equifax breach, credit freezes.”

October is National Cyber Security Awareness Month

Posted: October 2, 2017 by IntentionalPrivacy in Identity theft, National Cyber Security Awareness Month, Personal safety, Security or Privacy Initiatives, Tips
Tags: , ,

Today is the kickoff for the 14th annual National Cyber Security Awareness Month. Do your part to protect your own and other people’s information. For tips, visit https://stopthinkconnect.org/resources/preview/tip-sheet-basic-tips-and-advice

Don’t forget physical security …

Posted: October 1, 2017 by IntentionalPrivacy in Identity theft, Personal safety, Social media, Theft
Tags: , , , ,

I belong to a neighborhood social media group. Recently, there has been post after post about vehicle and mail-box break-ins in our neighborhood. While avoiding all thefts is not possible, make it more difficult for thieves and maybe they will look for an easier target.

  • Keep your house and vehicle locked at all times.
  • Don’t leave anything – especially electronics and wallets or purses – in sight in your vehicles, remove documents with personal information – vehicle title/registration, loan paperwork, birth certificate, drivers license, passport, bills – from the vehicle.
  • Do not leave garage door openers or house keys, checks, checkbooks, or credit cards in your vehicle.
  • Keep your vehicle insurance in your wallet or purse.
  • A ring of identity thieves who broke into vehicles expressly to steal ID was busted in Dallas in April, story here:
    https://www.dallasnews.com/news/mesquite/2017/04/27/mesquite-thieves-unlocked-cars-became-keys-identity-theft
  • Especially don’t put expensive electronics in your trunk for long periods of time when parked in your driveway. You never know who’s watching you.

Also, your car insurance may not cover your losses if your auto was stolen or vandalized when it was unlocked.

The Texas Department of Motor Vehicles has a brochure you can download about how to protect yourself somewhat from auto theft at https://www.austintexas.gov/sites/default/files/files/Police/BRO_Atpa_120_WhereUR_EnglishFinal.pdf

Furthermore, try to collect your mail every afternoon or send your important mail to a post office or UPS box. You can also sign up for Informed Delivery by USPS at https://informeddelivery.usps.com/box/pages/intro/start.action – this email allows you to know if something is missing from your mailbox.

 

Equifax breach: UPDATE

Posted: September 9, 2017 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Privacy, Security Breach, Vulnerabilities
Tags: , , , , , , ,

The newest large breach, potentially affecting 143 million people in the US, was announced Thursday by Equifax at https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628 . It also affected a small number of consumers in Great Britain and Canada. According to the Equifax PR statement, “Criminals exploited a U.S. website application vulnerability to gain access to certain files.”

There’s been at least one potential class-action suit already filed. The New York State Attorney General, Eric T. Schneiderman, has also opened an investigation.

Based on US Senator Al Franken’s Facebook post on Equifax, it might be a good idea to wait to sign up for Equifax credit monitoring until Equifax clarifies that you are not trading your rights to sue them or join a class-action suit in return for accepting their credit monitoring service. However, you should still visit the Equifax site (http://www.equifaxsecurity2017.com/) to find out if you are one of the affected parties. If your information was not affected (although I would not trust that completely), the site will continue on to give you the date when you will be allowed to sign up for credit monitoring if you should decide to do so. Make sure you note the date, because you will receive no other notice.

Since I cannot sign up for the TrustedID service yet, I have not personally read the agreements that Equifax has put in place.

Furthermore, credit monitoring usually just alerts you to an event that has already happened. It is not always accurate or even timely. Although good to know that something has happened, taking preventive action is better.

What should you do?

Act as if your information was stolen and move to block access to your credit and financial accounts. Yes, it’s painful, but far less painful, expensive, and time-consuming than dealing with identity theft. We need better oversight of credit bureaus, but in the meantime protect yourself. Your personal information is important for credit and insurance availability and costs, getting a job, and even renting an apartment or buying a home.

Brian Krebs has an article about credit freezes and credit monitoring at How I Learned to Stop Worrying and Embrace the Security Freeze. The FTC article on credit freezes is good, but Kreb’s article is more thorough and he explains about his personal experience with credit monitoring services. Here are the actions he recommends:

Update: Unfortunately, the pin that Equifax automatically assigns starts with the date you call you to start the credit freeze (i.e, 090917xxxx). The automatic pin is not random. To change it, you have to call 888-298-0045; the line is only available Monday – Friday 9 am to 5 pm (and the message doesn’t even tell you which time zone). You cannot change the pin on their website.

While Fraud Alerts are free, they have to be updated again every 90 days.

NPR.org is reporting that three Equifax executives sold small amounts of stock shortly after the breach was discovered. You can look at the SEC filings here; open the Beneficial filings to see what the stock sales were. Even though all 3 only sold a small portion of their holdings, it is still a lot of money – about $1.8 million. I find it hard to believe that the CFO was not alerted to a breach of the company. The stock price was $145.09 on July  28, 2017, before the breach (discovered on July 29, 2017); yesterday the stock closed at $123.23.

 

Equifax hack just announced may have exposed 143 million consumers’ private information.

Posted: September 7, 2017 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Privacy, Security Breach
Tags: , , ,

Today Equifax announced that a breach may have exposed 143 million consumers’ private information. Equifax has created a special website at https://www.equifaxsecurity2017.com/enroll/ so you can find out if you are affected (at least as far as they know right now) by the breach. They are also providing credit monitoring.

What should you do?

  1. Sign up for the complimentary identity theft protection and credit file monitoring product, called TrustedID Premier.
  2. Put a freeze on your credit at each of the three credit bureaus. The Federal Trade Commission has an article at https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs that explains the process of implementation and how to temporarily remove it when you apply for new credit.
  3. If you were affected by the breach, the Federal Trade Commission has a site that explains exactly what to do to keep your information safe. https://www.identitytheft.gov/

Getting creeped out by IoT …

Posted: August 8, 2017 by IntentionalPrivacy in IoT, Security or Privacy Initiatives, Theft
Tags: , , , , , , , ,

Common problems with IoT devices include their lack of privacy and security controls and their lack of transparency. “Transparency” in this case means that the end user knows and willingly agrees to how the device operates, especially on their home network.

I have recently been working on building a Raspberry Pi B+ home monitoring system. The Raspberry Pi is a handy little computer board geared to hobbyists or children learning to use computers; more than 12.5 million have been sold. Something that appalled me was the complete lack of discussion about securing the thing in the project plan I downloaded. Before you put any device on your home network, you should—at the very least!—change the default username and password (which for the Raspbian operating system is “pi” and “raspberry”).

Another example comes from the experience of a former co-worker who bought a new refrigerator, not knowing the refrigerator had network capabilities. The refrigerator tried to connect to her network. When she investigated further, the manufacturer said the network connection was used for troubleshooting maintenance issues and installing updates. What could possibly go wrong with a refrigerator that connects to a home network without the owner’s knowledge or consent? It probably has a hard-coded (unable to be changed) default username and password that a hacker could use to cause havoc with that refrigerator. For instance, maybe a hacker could shut the refrigerator off by connecting to it using the default username and password. Depending on when the owner realized that it was not working, an entire refrigerator worth of food could be spoiled. Or maybe they could override the water shutoff for the automatic ice maker, resulting in water all over the floor. It could also provide an entry point into the home network. Argh!

Then there’s the iRobot 900-series Roomba, which currently uses a camera and sensors to vacuum a home. It has mapping software that allows the robot to avoid objects in its path, know where it has already cleaned, return to the dock for recharging, and then pick up vacuuming where it left off. Handy!

According to Reuters, a new feature that iRobot is planning to introduce is sharable home maps. While mapping software could bring many benefits to a smart home—such as improved air flow, temperature regulation, and lighting—sharing such data publicly could be a mistake. Even if iRobot only shares with certain companies, what happens if one of those companies get breached? Could such a breach allow a thief access to download your home map to help them decide what to steal from your home?

Recordings from an Amazon Echo—which listens and records supposedly only conversations that have a keyword such as “Alexa” in them—have already been requested as evidence in an Arkansas murder court case.

There are some organizations that are currently claiming to be examining the security and privacy of IoT devices, which include:

  • AV-TEST Institute – you can check out their findings here.
  • I am the Cavalry – a grass-roots organization that looks at the computer security of medical devices, automobiles, home electronics, and public infrastructure here.
  • UL (formerly Underwriters Laboratory) has published UL 2900 ANSI Standard for Software Cybersecurity for Network-Connectable Products. Unfortunately, it costs between $225-250 for a copy of the standard and I cannot find any products that they have certified.

In the first session of the 115th Congress, Senators Warner, Gardner, Wyden, and Daines introduced the ‘‘Internet of Things (IoT) Cybersecurity Improvement Act of 2017.” While this act would currently only apply to IoT devices on government networks, hopefully most vendors would put the same security and privacy features in their consumer products. You can read a one-page summary of the bill here and a full version here.

Thank you Senators Warner, Gardner, Wyden, and Daines. Long overdue!

No security anywhere …

Posted: May 19, 2017 by IntentionalPrivacy in Conferences, Privacy, Theft, Vulnerabilities
Tags: , ,

I was at a conference yesterday. When I went to register, the computer system being used had a label with the username and password right next to the touchpad. There was a problem with my registration, so the conference sent me an email. It contained the names of three other people–unknown to me–at the conference.

Next, we went to the exhibits. The first trailer we went to was open and no one was there. On a table inside was an open, logged-in laptop and a cell phone. Who would have known if I had taken the laptop or phone, or worse, taken information from the laptop?

Pay attention to what you do. Always lock your laptop (press the Windows and L keys simultaneously) when you have to leave it with someone you trust and do not leave your belongings unattended in a vehicle, or at a conference, a restaurant, or a coffee shop.

It’s not just WannaCry: Thieves are opportunists

Posted: May 19, 2017 by IntentionalPrivacy in Financial vulnerabilities, Personal safety, Ransomeware, Vulnerabilities, WannaCry
Tags: , , , ,

WannaCry has effectively died down according to Wikipedia < https://en.wikipedia.org/wiki/WannaCry_ransomware_attack&gt;. However, if you do not WannaCry about some other malware, take some preventive actions now to make your systems less vulnerable to future attacks. If it is not easy to attack you or your computer systems, in most cases a thief will look for an easier target.

Organizations

  • Keep system and application versions up to date and patched, especially critical patches
    • If the organization still has to run computers running XP (or older operating systems), get them off the network
  • Keep antivirus software current and scan daily
  • Make regular, consistent backups (and test them to ensure files are recoverable)
  • Create network zones
  • Place public-facing web servers in DMZs
  • Restrict administrator rights
  • Change default passwords and enforce password rules on users
  • Train users in security awareness, especially how to avoid clicking harmful links
  • Take infected machines off the network and clean them up as soon as possible, so that the infection does not spread to other machines on the network

These actions alone will stop a considerable amount of malware and other attacks. They do not require expensive equipment or software, just the time to set them up. And these practices will help any organization better comply with regulatory requirements.

For instance, Microsoft came out with a critically rated security patch for Microsoft Windows SMB Server on March 14, 2017. This patch would have made Windows systems resistant to WannaCry. The WannaCry attack started on Friday, May 12, 2017, almost two months later. While I understand the need to test patches to ensure they will work in an environment, testing for a couple of weeks should be adequate, especially for critical updates.

Individual systems

Many of the same actions will keep your systems safe:

  • Keep system and application versions up to date and patched; in fact, set updates to run automatically and schedule them for  a convenient time frame
    • If you are running an older operating system such as XP, take it off the Internet
    • Uninstall applications that you no longer use from both your phones and computers
  • Keep antivirus software current and scan daily
  • Make regular, consistent backups (and test them to make sure files are recoverable)
  • Do not run with administrator rights
  • Change default passwords on routers and modems, and choose long, strong passwords for all your accounts
  • Do not click harmful links in email, on Facebook, or other websites

Prevention is the key for physical theft also.

Our neighborhood has been experiencing a recent rash of car break-ins and theft of items on porches. Many of these thefts happened when someone forgot to lock their car.

Be a little paranoid! Assume that someone is always watching you. For instance, you might not realize the dog walker walking by your house was watching you put a computer case in the trunk or that the 16 year old who lives next to you tries car doors at one am because he is bored or has a drug problem. Leaving a laptop in the car is not ever a good idea, but if you have to leave valuables in your car, put them in your trunk before you get to your destination. Lock your house and car as soon as you shut the door. Do not leave extra keys on your property or stashed on the car. Do not leave the garage door opener in the car. When you are working on that report in a coffeehouse, take your laptop, phone, keys, and wallet with you when you go to the restroom. Do not leave your purse or phone in a grocery cart when you turn around to pick out items for dinner.

Older Entries