Today is the kickoff for the 14th annual National Cyber Security Awareness Month. Do your part to protect your own and other people’s information. For tips, visit https://stopthinkconnect.org/resources/preview/tip-sheet-basic-tips-and-advice

I belong to a neighborhood social media group. Recently there has been post after post about vehicle and mailbox break-ins in our neighborhood. You cannot prevent every theft, but you can make yourself a harder target, and thieves will often move on to an easier one.

  • Keep your house and vehicle locked at all times.
  • Do not leave anything in sight in your vehicle, especially electronics, wallets, or purses, and remove any documents that carry personal information (vehicle title or registration, loan paperwork, birth certificate, driver’s license, passport, bills) from the vehicle.
  • Do not leave garage door openers, house keys, checks, checkbooks, or credit cards in your vehicle.
  • Keep your proof of vehicle insurance in your wallet or purse.
  • A ring of identity thieves who broke into vehicles expressly to steal ID was busted in Dallas in April; the story is here:
    https://www.dallasnews.com/news/mesquite/2017/04/27/mesquite-thieves-unlocked-cars-became-keys-identity-theft
  • In particular, do not leave expensive electronics in your trunk for long periods while the car is parked in your driveway. You never know who is watching.

Also, your auto insurance may not cover your losses if your vehicle was stolen or vandalized while it was unlocked.

The Texas Department of Motor Vehicles has a brochure you can download about how to protect yourself somewhat from auto theft at https://www.austintexas.gov/sites/default/files/files/Police/BRO_Atpa_120_WhereUR_EnglishFinal.pdf

Also, try to collect your mail every afternoon, or have important mail sent to a post office box or a UPS Store mailbox. You can also sign up for USPS Informed Delivery at https://informeddelivery.usps.com/box/pages/intro/start.action; it emails you images of the letter-size mail due to arrive that day, so you can tell if something is missing from your mailbox.


The newest large breach, potentially affecting 143 million people in the US, was announced Thursday by Equifax at https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628. It also affected a small number of consumers in the UK and Canada. According to the Equifax press release, “Criminals exploited a U.S. website application vulnerability to gain access to certain files.”

At least one class-action suit has already been filed, and the New York State Attorney General, Eric T. Schneiderman, has opened an investigation.

Based on US Senator Al Franken’s Facebook post about Equifax, it may be wise to wait before signing up for Equifax’s credit monitoring until Equifax clarifies that accepting the service does not waive your right to sue them or to join a class-action suit. You should still visit the Equifax site (http://www.equifaxsecurity2017.com/) to find out whether you are among those affected. If the site says your information was not affected (I would not trust that completely), it will go on to give you the date when you will be allowed to sign up for credit monitoring, should you decide to. Make a note of that date, because you will receive no other notice.

Since I cannot sign up for the TrustedID service yet, I have not personally read the agreements that Equifax has put in place.

Furthermore, credit monitoring usually only alerts you to an event that has already happened, and it is not always accurate or timely. It is good to know that something has happened, but taking preventive action is better.

What should you do?

Act as if your information was stolen and move to block access to your credit and financial accounts. Yes, it’s painful, but far less painful, expensive, and time-consuming than dealing with identity theft. We need better oversight of credit bureaus, but in the meantime protect yourself. Your personal information is important for credit and insurance availability and costs, getting a job, and even renting an apartment or buying a home.

Brian Krebs has an article about credit freezes and credit monitoring, “How I Learned to Stop Worrying and Embrace the Security Freeze.” The FTC article on credit freezes is good, but Krebs’s article is more thorough, and he describes his personal experience with credit monitoring services. Here are the actions he recommends:

Update: Unfortunately, the PIN that Equifax assigns automatically starts with the date you call to place the freeze (for example, 090917xxxx). It is not random: anyone who knows or can guess the date you froze your file has at most 10,000 combinations left to try for the remaining four digits. To change it, you have to call 888-298-0045; the line is only available Monday through Friday, 9 am to 5 pm (and the recording does not even say which time zone). You cannot change the PIN on their website.

Fraud alerts are free, but an initial fraud alert expires after 90 days and has to be renewed.

NPR.org is reporting that three Equifax executives sold small amounts of stock shortly after the breach was discovered. You can look at the SEC filings here; open the Beneficial filings to see the stock sales. Even though all three sold only a small portion of their holdings, it is still a lot of money, about $1.8 million. I find it hard to believe that the CFO was not alerted to a breach of the company. The stock price was $145.09 on July 28, 2017, before the breach was discovered (on July 29, 2017); yesterday the stock closed at $123.23.


Today Equifax announced that a breach may have exposed 143 million consumers’ private information. Equifax has created a special website at https://www.equifaxsecurity2017.com/enroll/ so you can find out if you are affected (at least as far as they know right now) by the breach. They are also providing credit monitoring.

What should you do?

  1. Sign up for the complimentary identity theft protection and credit file monitoring product, called TrustedID Premier.
  2. Put a freeze on your credit at each of the three credit bureaus. The Federal Trade Commission has an article at https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs that explains how to place a freeze and how to lift it temporarily when you apply for new credit.
  3. If you were affected by the breach, the Federal Trade Commission has a site that explains exactly what to do to keep your information safe. https://www.identitytheft.gov/

Common problems with IoT devices include their lack of privacy and security controls and their lack of transparency. “Transparency” in this case means that the end user knows and willingly agrees to how the device operates, especially on their home network.

I have recently been working on building a Raspberry Pi B+ home monitoring system. The Raspberry Pi is a handy little computer board geared to hobbyists and to children learning about computers; more than 12.5 million have been sold. Something that appalled me was the complete lack of discussion about securing the thing in the project plan I downloaded. Before you put any device on your home network, you should, at the very least, change the default username and password (for the Raspbian operating system these are “pi” and “raspberry”).
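As an added example (not part of the original post or of the project plan it mentions), the script below audits two things on a freshly imaged board: whether a well-known default account such as pi still has a login shell, and whether sshd_config still permits root or password logins, with the as-shipped settings beside the hardened ones. The sample passwd and sshd_config texts are constructed; the account list, the finding strings and the hardened account name are assumptions made for the example.

```python
"""Offline audit of the two files that most often leave a hobby board exposed:
a well-known default account that can still log in, and an sshd_config that
still allows password logins. Sample inputs are constructed to imitate a stock
Raspbian image; the account list and finding strings are this example's own."""
import re

# Constructed /etc/passwd: the stock image ships a 'pi' account with a shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:,,,:/home/pi:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# After hardening: 'pi' removed, a renamed account (assumed name) in its place.
SAMPLE_PASSWD_HARDENED = """\
root:x:0:0:root:/root:/bin/bash
homemon:x:1000:1000:,,,:/home/homemon:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed sshd_config as often left after enabling SSH on the board.
SAMPLE_SSHD_WEAK = """\
# lines starting with '#' are comments
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
"""

# The same file after hardening: keys only, no root login, one named account.
SAMPLE_SSHD_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers homemon
"""

# Image-default account names to look for (assumption: extend for other devices).
DEFAULT_ACCOUNTS = {"pi"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# sshd's built-in defaults apply when a keyword is absent, so an empty file is not safe.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}


def default_accounts_with_login(passwd_text):
    """Return well-known default accounts that still have an interactive shell."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # skip blank and malformed lines
            continue
        name, shell = fields[0], fields[6]
        if name in DEFAULT_ACCOUNTS and shell not in NOLOGIN_SHELLS:
            hits.append(name)
    return hits


def parse_sshd_config(text):
    """Keyword -> value (lowercased); the first occurrence wins, as sshd reads the file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Key val' or 'Key=val'
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings


def sshd_findings(text):
    """List the settings that still allow password-based or root access."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", SSHD_DEFAULTS["permitrootlogin"]) == "yes":
        findings.append("PermitRootLogin yes")
    if s.get("passwordauthentication", SSHD_DEFAULTS["passwordauthentication"]) == "yes":
        findings.append("PasswordAuthentication yes")
    if s.get("permitemptypasswords", SSHD_DEFAULTS["permitemptypasswords"]) == "yes":
        findings.append("PermitEmptyPasswords yes")
    return findings


def audit(passwd_text, sshd_text):
    """Combined report: one string per problem, empty list when clean."""
    findings = [f"default account can log in: {u}" for u in default_accounts_with_login(passwd_text)]
    findings.extend(sshd_findings(sshd_text))
    return findings


if __name__ == "__main__":
    print("as shipped:", audit(SAMPLE_PASSWD, SAMPLE_SSHD_WEAK))
    print("hardened:  ", audit(SAMPLE_PASSWD_HARDENED, SAMPLE_SSHD_HARDENED) or ["no findings"])
```

Run it against the real files with `audit(open("/etc/passwd").read(), open("/etc/ssh/sshd_config").read())` from a root shell on the board. The absent-keyword defaults matter: a board whose sshd_config never mentions PasswordAuthentication still accepts passwords, which is exactly the case the default pi/raspberry credentials make dangerous.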

Another example comes from a former co-worker who bought a new refrigerator without knowing it had network capabilities. The refrigerator tried to connect to her network. When she investigated, the manufacturer said the connection was used for troubleshooting maintenance issues and installing updates. What could possibly go wrong with a refrigerator that connects to a home network without the owner’s knowledge or consent? It probably has a hard-coded (unchangeable) default username and password that an attacker could use to cause havoc with it. Maybe an attacker could shut the refrigerator off by logging in with those default credentials; depending on when the owner noticed, an entire refrigerator’s worth of food could spoil. Or maybe they could override the water shutoff for the automatic ice maker, leaving water all over the floor. It could also provide an entry point into the home network. Argh!

Then there’s the iRobot 900-series Roomba, which currently uses a camera and sensors to vacuum a home. It has mapping software that allows the robot to avoid objects in its path, know where it has already cleaned, return to the dock for recharging, and then pick up vacuuming where it left off. Handy!

According to Reuters, iRobot is planning to introduce shareable home maps. While mapping data could bring real benefits to a smart home, such as better air flow, temperature regulation, and lighting, sharing it outside the home could be a mistake. Even if iRobot shares only with certain companies, what happens if one of those companies gets breached? Could such a breach let a thief download your home map to help decide what to steal?

Recordings from an Amazon Echo, which is supposed to listen for and record only what follows a wake word such as “Alexa,” have already been requested as evidence in an Arkansas murder case.

Some organizations are currently examining the security and privacy of IoT devices, including:

  • AV-TEST Institute; you can check out their findings here.
  • I Am The Cavalry, a grassroots organization that looks at the computer security of medical devices, automobiles, home electronics, and public infrastructure, here.
  • UL (formerly Underwriters Laboratories) has published UL 2900, an ANSI standard for software cybersecurity for network-connectable products. Unfortunately, a copy of the standard costs between $225 and $250, and I cannot find any products they have certified.

In the first session of the 115th Congress, Senators Warner, Gardner, Wyden, and Daines introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017.” Although the act would currently apply only to IoT devices on government networks, hopefully most vendors would build the same security and privacy features into their consumer products. You can read a one-page summary of the bill here and the full text here.

Thank you Senators Warner, Gardner, Wyden, and Daines. Long overdue!

No security anywhere …

Posted: May 19, 2017 by IntentionalPrivacy in Conferences, Privacy, Theft, Vulnerabilities

I was at a conference yesterday. When I went to register, the computer being used had a label with the username and password right next to the touchpad. There was a problem with my registration, so the conference sent me an email. It contained the names of three other people, unknown to me, attending the conference.

Next, we went to the exhibits. The first trailer we went to was open and no one was there. On a table inside was an open, logged-in laptop and a cell phone. Who would have known if I had taken the laptop or phone, or worse, taken information from the laptop?

Pay attention to what you do. Always lock your laptop (press the Windows and L keys together) whenever you step away from it, even if you are leaving it with someone you trust, and do not leave your belongings unattended in a vehicle, at a conference, in a restaurant, or in a coffee shop.

WannaCry has effectively died down, according to Wikipedia (https://en.wikipedia.org/wiki/WannaCry_ransomware_attack). However, if you do not WannaCry over the next piece of malware, take some preventive actions now to make your systems less vulnerable to future attacks. If it is not easy to attack you or your computer systems, in most cases a thief will look for an easier target.

Organizations

  • Keep system and application versions up to date and patched, especially critical patches
    • If the organization still has to run Windows XP (or older) machines, take them off the network
  • Keep antivirus software current and scan daily
  • Make regular, consistent backups (and test them to ensure files are recoverable)
  • Create network zones
  • Place public-facing web servers in DMZs
  • Restrict administrator rights
  • Change default passwords and enforce password rules on users
  • Train users in security awareness, especially how to avoid clicking harmful links
  • Take infected machines off the network and clean them up as soon as possible, so that the infection does not spread to other machines on the network

These actions alone will stop a considerable amount of malware and other attacks. They do not require expensive equipment or software, just the time to set them up. And these practices will help any organization better comply with regulatory requirements.

For instance, Microsoft released a critical security update for the Windows SMB server (MS17-010) on March 14, 2017. That update closes the SMBv1 flaw that WannaCry used to spread from machine to machine, so a Windows system that had applied it could not be infected that way. The WannaCry outbreak began on Friday, May 12, 2017, almost two months later; after the outbreak Microsoft even issued an emergency patch for the unsupported Windows XP and Server 2003, but nobody should count on that happening for the next flaw. While I understand the need to test patches before deploying them in an environment, a couple of weeks of testing should be adequate, especially for critical updates.
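The network-zone and DMZ items in the list above are the other half of the SMB story: a machine whose port 445 is reachable from the Internet is exposed the moment the next SMB flaw appears, patched or not. As an added example, not from the original post, the script below reads firewall accept logs and reports every internal host that accepted a TCP connection on an SMB port from outside the private address ranges. The log line format and the log lines themselves are constructed for the example; adapt parse_line() to your firewall's format.

```python
"""Find internal hosts whose SMB ports accepted connections from outside the
private address ranges. Added example; the key=value log format and the log
lines are constructed, not taken from any real device."""
import ipaddress
from collections import defaultdict

SMB_PORTS = {445, 139}   # SMB over TCP and NetBIOS session service

# RFC 1918 plus loopback and link-local, checked explicitly because Python's
# ip_address.is_global also treats the documentation ranges used below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed firewall log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2017-05-12T07:44:01Z action=ACCEPT proto=TCP src=203.0.113.45 dst=192.168.1.20 dport=445
2017-05-12T07:44:03Z action=ACCEPT proto=TCP src=192.168.1.33 dst=192.168.1.20 dport=445
2017-05-12T07:44:09Z action=DENY proto=TCP src=198.51.100.7 dst=192.168.1.20 dport=445
2017-05-12T07:45:12Z action=ACCEPT proto=TCP src=198.51.100.7 dst=192.168.1.50 dport=139
2017-05-12T07:45:30Z action=ACCEPT proto=TCP src=203.0.113.45 dst=192.168.1.80 dport=443
2017-05-12T07:46:02Z action=ACCEPT proto=UDP src=203.0.113.9 dst=192.168.1.20 dport=445
2017-05-12T07:46:40Z action=ACCEPT proto=TCP src=not-an-ip dst=192.168.1.20 dport=445
"""


def is_internal(addr):
    """True for RFC 1918, loopback and link-local addresses; raises ValueError on junk."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """'ts k=v k=v ...' -> dict; fields that are missing simply stay absent."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if sep:
            rec[key] = value
    return rec


def internet_smb_accepts(log_text):
    """Map internal destination -> sorted external sources whose TCP SMB connection was accepted."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "ACCEPT" or rec.get("proto") != "TCP":
            continue                   # denied or non-TCP traffic is not an exposure
        try:
            external = not is_internal(rec["src"])
            dport = int(rec["dport"])
        except (KeyError, ValueError):
            continue                   # malformed line: skip rather than abort the scan
        if dport in SMB_PORTS and external:
            exposed[rec.get("dst", "?")].add(rec["src"])
    return {host: sorted(srcs) for host, srcs in exposed.items()}


if __name__ == "__main__":
    for host, sources in internet_smb_accepts(SAMPLE_LOG).items():
        print(f"{host}: SMB accepted from {', '.join(sources)}; patch it and block 445 at the zone boundary")
```

Anything this reports is a host that needs the patch today and a firewall rule tomorrow; an empty result is only as good as the log coverage, so run it over the logs of every Internet-facing firewall, not just one.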

Individual systems

Many of the same actions will keep your systems safe:

  • Keep system and application versions up to date and patched; in fact, set updates to run automatically and schedule them for a convenient time
    • If you are running an older operating system such as XP, take it off the Internet
    • Uninstall applications that you no longer use from both your phones and computers
  • Keep antivirus software current and scan daily
  • Make regular, consistent backups (and test them to make sure files are recoverable)
  • Do not run with administrator rights
  • Change default passwords on routers and modems, and choose long, strong passwords for all your accounts
  • Do not click on links in email, on Facebook, or on other websites unless you are sure where they lead

Prevention is the key for physical theft also.

Our neighborhood has been experiencing a recent rash of car break-ins and theft of items on porches. Many of these thefts happened when someone forgot to lock their car.

Be a little paranoid! Assume that someone is always watching you. You might not realize that the dog walker passing your house saw you put a computer case in the trunk, or that the 16-year-old next door tries car doors at 1 a.m. because he is bored or has a drug problem. Leaving a laptop in the car is never a good idea, but if you must leave valuables in your car, put them in the trunk before you reach your destination. Lock your house and car as soon as you shut the door. Do not leave spare keys on your property or stashed on the car. Do not leave the garage door opener in the car. When you are working on that report in a coffeehouse, take your laptop, phone, keys, and wallet with you when you go to the restroom. Do not leave your purse or phone in a grocery cart when you turn around to pick out items for dinner.

Medical record theft is on the rise, and according to Reuters (http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924) a stolen medical record is worth ten times as much as a stolen credit card number on the black market. Medical records are worth more because they can be used to steal benefits and to commit identity theft and tax fraud.

How easy is it to steal medical records?

This morning I read Brian Krebs’s report on the True Health Diagnostics patient portal, which allowed anyone to read other patients’ test results simply by changing one digit in the PDF link: the portal used sequential identifiers and never checked that the logged-in user owned the report being requested (a textbook insecure direct object reference). The company, based in Frisco, Texas, immediately took the portal down and spent the weekend fixing it. https://krebsonsecurity.com/2017/05/website-flaw-let-true-health-diagnostics-users-view-all-medical-records/
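What that flaw looks like in code, as an added example with constructed data rather than anything from True Health Diagnostics or the Krebs article: the vulnerable handler trusts the identifier in the link, the fixed one checks that the logged-in user owns the report, and harvest() is the one-digit-change walk the article describes. Report ids, user names and function names are this example's own; the unguessable share token is a second layer, not a substitute for the ownership check.

```python
"""Insecure direct object reference beside its fix. Added example with
constructed data; ids, names and helpers are this example's own."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    owner: str      # account allowed to read it
    pdf: bytes      # the file behind the link


# Constructed store: sequential ids, so a neighbour's report is one digit away.
REPORTS = {
    "100041": Report("alice", b"%PDF-1.4 alice lipid panel"),
    "100042": Report("bob", b"%PDF-1.4 bob dna results"),
}


class Forbidden(Exception):
    """Raised for any report the session user may not read."""


def get_report_vulnerable(session_user, report_id):
    """The flaw: the id from the URL is the only thing consulted; who is asking is ignored."""
    return REPORTS[report_id].pdf


def can_read(session_user, report_id):
    """The authorization rule, kept in one place so every handler applies the same one."""
    report = REPORTS.get(report_id)
    return report is not None and report.owner == session_user


def get_report_fixed(session_user, report_id):
    """Fix: check ownership; missing and foreign ids get the same answer so ids cannot be probed."""
    if not can_read(session_user, report_id):
        raise Forbidden(report_id)
    return REPORTS[report_id].pdf


# Defence in depth: hand out unguessable links instead of the raw id. The token is
# looked up, then ownership is checked again, so a leaked token still only works
# for the account it was issued to.
SHARE_TOKENS = {}


def issue_link(session_user, report_id):
    if not can_read(session_user, report_id):      # only the owner can mint a link
        raise Forbidden(report_id)
    token = secrets.token_urlsafe(32)               # 256 bits: not enumerable
    SHARE_TOKENS[token] = (session_user, report_id)
    return token


def get_report_by_token(session_user, token):
    entry = SHARE_TOKENS.get(token)
    if entry is None or entry[0] != session_user:
        raise Forbidden(token)
    return get_report_fixed(session_user, entry[1])


def harvest(fetch, as_user, start_id, count):
    """What 'changing one digit' amounts to: walk nearby ids and keep whatever comes back."""
    found = {}
    for n in range(int(start_id), int(start_id) + count):
        rid = str(n)
        try:
            found[rid] = fetch(as_user, rid)
        except (KeyError, Forbidden):
            pass
    return found


if __name__ == "__main__":
    print("vulnerable handler, logged in as alice:", sorted(harvest(get_report_vulnerable, "alice", "100040", 4)))
    print("fixed handler, logged in as alice:     ", sorted(harvest(get_report_fixed, "alice", "100040", 4)))
```

Against the vulnerable handler, alice's walk returns both reports; against the fixed one it returns only her own. The fix is the can_read() check on every path that serves a file, including the download link, the preview, and any API the portal's JavaScript calls.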

While I think it is great that they fixed the problem so rapidly, I am disgusted that our medical information is so often flapping in the breeze. Health professionals are notoriously lax about protecting their patients’ medical information. A security professional I know defended medical staff by saying they do not understand HIPAA/HITECH. Yes, I know they do not necessarily understand the technical details, but is ignorance an excuse? I do not think so. They have IT people supporting those computers, and medical professionals are supposed to attend HIPAA training regularly.

For instance, reading the FAQs at http://www.holisticheal.com/faq-dna, I noticed that after a patient completes their tests (which my doctor recommended), this practitioner sends the results by email. It is not a simple test like cholesterol; it contains information about someone’s DNA.

After I emailed them and said I would not consider using their service because email is not secure unless it is encrypted, and that in my opinion sending medical results in unencrypted email is contrary to HIPAA/HITECH, they changed their policy. They now send results for US patients on a disc through the mail, but they still send international clients their results by email.

I have frequently caught my own medical professionals leaving their patient portals open when I am alone in the exam room or even away having tests. During one notable session, without touching the computer, I could see a list of all the patients being seen that day on the left and the doctor’s schedule across the top (including three cancellations). Another medical professional texted me part of my treatment plan. (I thought we were limiting our text conversation to time, date, and location; otherwise I never would have agreed to text. I had never even met this person!) Another provider grouped three receptionists with computers (no privacy screens) in a circle with windows on two sides. I could read two of the screens when signing in and the third when leaving, and I saw them leave their screens open when they walked away so that the other receptionists could use those computers.

Granted, these incidents may not be breaches, but I think they are violations of HIPAA/HITECH and they could lead to breaches. What are the chances they are using appropriate access control, backing up their systems, encrypting their backups, thinking about third-party access? Are they vulnerable to phishing, crypto ransomware, hackers, employee malfeasance, someone’s child playing with the phone?

Yes, I get that people make mistakes. The problem is that they have the ability to make mistakes! Set up fail-safes. Require full-device encryption on every employee’s phone, and give staff a way to send encrypted email or texts, or do not allow them to email or text patients at all. Make screens lock after five minutes of inactivity or sooner. Give them training. Spot-check what they are doing.

I always discuss these issues when I notice them with the practice HIPAA Privacy Officer (and sometimes change medical providers if egregious). Does it help? Maybe. But it always makes me wonder what I have not seen.

Pay attention! Protecting your data helps protect everybody’s data.

I Am Not a Security Rockstar

Posted: May 8, 2017 by IntentionalPrivacy in Conferences

I recently attended BSides Austin 2017, an information security conference. It is a wonderful conference! I greeted friends and met some great people. It was difficult to choose which presentations to attend; there were so many interesting ones that I wanted to go to all of them. I also went to the Fire Marshall Talks, named for a memorable year when the number of occupants was more than the fire marshal thought safe for the room size. Anyone who wants to speak can talk for ten minutes on any information security topic.

One of the talks this year dismayed me; the speaker spent his 10 minutes talking about all the “Security Rockstars” in the audience and how they refused to help him.

Since he did not give specific instances, I am not really sure what that meant to him. I looked around the room and saw many people I knew, security people who were passionate about sharing with the security community through presentations or classes, online blogs and videos, and even mentoring. While I saw people who were notable contributors to InfoSec, I did not identify a single person I would call a “Security Rockstar.”

In spite of being a woman in security and information technology (for over 20 years), I have rarely experienced a situation where someone would not help me. In fact, people have gone out of their way to give me assistance when I asked for it. Austin is that kind of place! Before I ask, I try everything I can think of and I have a focused question so I do not waste the person’s time. I attend conferences, such as BSides and LASCON, and meetings put on by OWASP, ISSA, and InfraGard to keep my skills current, learn about things I do not know, and network. I often go to the weekly OWASP study sessions, which have given me some excellent ways to hone my skills. There are many opportunities for assistance if someone looks for them and is willing to put in some work.

I also contribute as much as I can. If I cannot help you, I will tell you that. If I know someone who knows more about your question, I will point you in their direction. I write this blog. I provide mentoring to anyone who wants to become a security professional. I think it is important because I believe that helping people work towards their goals helps the entire security community. But I cannot do the work for you. I will answer your question or point you toward resources I know about. What you do with them is up to you.

For instance, I met the speaker—a student on the brink of starting on his career—the evening before. I gave him my card, asked if he was looking for mentoring, told him about my blog, and said I would value his opinion about it. I have yet to hear from him.

To anyone who has run into an unhelpful person, I suggest you consider why the person asked may not be able to help:

  • It might be a temporary problem—they might be available at another time. For instance, if they have just given a presentation, they might need decompression time.
  • They might be worried about a personal problem: a lost client or position, money troubles, a work situation, or a family or pet illness or death.
  • They meant to help at a later time, but could not because they had no method of contact. Carry business cards or exchange email addresses.
  • Information security encompasses a wide range of skills and knowledge bases. The question asked could be outside their expertise, and they are too embarrassed to say so.
  • The question might be too general. If they tell you LMGTFY (“Let me Google that for you”), it means they believe you can figure it out yourself. Maybe you can clarify the question to better explain where you are stumped.

Of course, they really could be a Rockstar.

Also consider what you have to offer in exchange. One of the few times I have experienced a situation where someone would not help me was at a position where I was doing security assessments. One of my coworkers had a difficult time with reports. He copied and pasted sections from other reports to speed up the reporting process. I often read his reports to fix discrepancies, incomplete sentences, and missing words, as well as spelling and grammar issues. One time he forgot to change the IP addresses to match the client’s. When I had a problem with the scanning software, I expected his help. But since he did not value my help with his reports, he said that I should figure it out myself. I was not asking him to fix it (I was at a client site in another state), although I would have appreciated any suggestions he could give me. I thought I should at least have a contact at the software company so that I could put in a trouble ticket, but he, the administrator of the software, would not even give me that. Our boss finally made him give me the ability to turn in a trouble ticket.

While I did figure out a temporary solution (it was a software issue), it made for a very tense evening. I eventually left the company with great relief. I loved the work, but the company culture did not suit me.

I once read an article about how a bad situation can be a gift, because it can make you see that you need to change something—attitude, positions, relationships. Furthermore, Rockstars who will not help someone are their own worst enemies because everyone needs help sometimes. Their karma will catch up to them! Shake your head, send them a blessing, and find someone who will help you.

Remember to be grateful when someone does help you. They do not owe it to you.

But I am not a rock star! I do not want to be a rock star. I am merely someone doing a job to the best of my ability to help make the world a safer, more secure place.

A recent article in Wired, “Radio Attack Lets Hackers Steal 24 Different Car Models” (https://www.wired.com/2016/03/study-finds-24-car-models-open-unlocking-ignition-hack/), describes how thieves can steal some car models by relaying the radio signal between a keyless entry fob and the car, so that the car believes the fob is right next to it even when it is inside the house.

It is a very informative article, but they do not talk much about possible solutions. Want to wait around while your automobile manufacturer comes up with a solution?

Our own cars, a 2015 Honda Accord and a manual-everything 2005 Honda Civic, are not on the list of vulnerable vehicles. The 2005 Civic has no keyless entry, so it is not susceptible to this type of radio attack. The 2015 Accord might be: although it was not listed in the article, it may simply not have been one of the models tested. I looked at my key fob to see if there was some easy way to shut off keyless entry. Aside from taking out the battery, none was apparent. A switch on the key fob in a location that is not easily flipped by accident (maybe inside the battery case) would be a great solution to this problem. Another possible plus? It might make the battery last longer!

When I Googled “2015 Honda Accord turn off keyless entry,” there were not many new solutions. Possible solutions include:

  • Removing the key fob battery. According to a Honda Pro YouTube video, https://www.youtube.com/watch?v=kXiyku7Ye-c, the car will not start when the key is not inside it, but it will still start when the fob is present even if the battery is dead or removed. The fob also contains a manual key, so you can still get in.
  • Making or buying a Faraday cage. There are several kinds; according to Wikipedia, a Faraday cage “is an enclosure used to block electromagnetic fields.” I tried wrapping my key in aluminum foil. Standing next to the 2015 Honda with the key wrapped in foil, I could still unlock the car. While I did not test it, the foil might still reduce the distance at which the key signal can be picked up.

I do not like the option of putting my keys in the freezer, which is often touted as an easy faraday cage. For one thing, the moisture and the cold could be hard on the key electronics. Replacing the key is expensive and you would still have the problem with the new key. Another problem with this solution is that it only works when you have access to a refrigerator. Probably would not work at Starbucks!

Amazon.com sells Faraday pouches for as little as $9 (plus shipping), and there is a DIY Faraday pouch Instructable at http://www.instructables.com/id/Faraday-Cage-Phone-Pouch/ if you would like to make one yourself. Whatever you use, test it the same way the foil was tested above: stand next to the car with the fob inside the pouch and pull the door handle; if the car unlocks, the pouch is not blocking the signal.

If anyone has other ideas about possible solutions to a keyless entry attack, leave a comment and I will update the article.

Remember, always lock your car, do not leave extra keys in hidden places on the vehicle, and remove or hide your valuables before you leave your car. It is also a good idea to remove your garage door opener from the car, especially if you leave the door between the house and the garage open.