Tag: security

We can all hear you now

Verizon Wireless is the next winner of “Which Company Will Expose Your Data!”

So if you’ve got a PIN or password with them that you use elsewhere, it’s time to change it. The danger isn’t only an attacker getting your Verizon info; it’s them using that same password or PIN to get into your email or banking accounts.

Here’s what Verizon Wireless left open on the web.

Six folders for each month from January through to June contained several daily log files, apparently recording customer calls from different US regions, based on the location of the company’s datacenters, including Florida and Sacramento. Each record also contained hundreds of fields of additional data, including a customer’s home address, email addresses, what kind of additional Verizon services a subscriber has, the current balance of their account, and if a subscriber has a Verizon federal government account, to name a few. One field also appeared to record a customer’s “frustration score,” by detecting if certain keywords are spoken by a customer during a call.

Even though the vendor’s employee made the mistake, Verizon Wireless still owns the breach: it chose the vendor, handed over the data and authorized the storage, and it is accountable for how that vendor protected it.

“Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project,” said a spokesperson. “Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”
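The statement above says the vendor “incorrectly set their AWS storage to allow external access.” The check below, added here as an example and not taken from Verizon, the vendor or this post, is what an engineer would run before handing a bucket to anyone: it assumes the “AWS storage” was an S3 bucket and that the bucket policy and ACL have already been fetched (for instance with `aws s3api get-bucket-policy` and `get-bucket-acl`). Both documents are constructed samples; the bucket and account identifiers are made up.

```python
"""Check an S3 bucket's policy and ACL for grants to "everyone".

Added example for the Verizon story above; it is not Verizon's or the vendor's
configuration. It assumes the mis-set "AWS storage" was an S3 bucket and that
the policy and ACL documents have already been fetched. Both documents below
are constructed samples.
"""
import json

# S3's predefined groups: AllUsers is the whole internet; AuthenticatedUsers is
# any AWS account at all, which is effectively public too.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields such as Statement and Action may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Allow statements whose principal is everyone, as (kind, sid, actions).

    kind is "public" when nothing limits the grant and "conditional" when a
    Condition block might (e.g. a VPC endpoint restriction); the latter still
    deserves a human look rather than an automatic pass.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        kind = "conditional" if stmt.get("Condition") else "public"
        findings.append((kind, stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return findings


def public_acl_grants(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups, as (group, permission)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def is_exposed(policy, acl):
    """True if either mechanism grants unconditional access to everyone."""
    policy_public = any(kind == "public" for kind, _, _ in public_policy_statements(policy))
    return policy_public or bool(public_acl_grants(acl))


# --- constructed samples (made-up bucket name, account id and ACL ids) -------
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::call-logs-example", "arn:aws:s3:::call-logs-example/*"]
  }]
}""")

SAFE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ProcessorRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/call-log-processor"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::call-logs-example/*"},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::call-logs-example/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAFE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    for name, pol, acl in (("leaky", LEAKY_POLICY, LEAKY_ACL), ("safe", SAFE_POLICY, SAFE_ACL)):
        print(name, "exposed" if is_exposed(pol, acl) else "not exposed",
              public_policy_statements(pol), public_acl_grants(acl))
```

The Deny statement in the safe policy also names `Principal: "*"`, which is why the check keys on `Effect` before looking at the principal. The control that would have stopped the vendor’s employee outright is S3 Block Public Access turned on at the account level: it overrides both public ACLs and public bucket policies, so no single employee can make this mistake.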

A hacker doesn’t need to break into a server when a vendor leaves it out on the web. This is where I start my pitch for 1Password because the breaches, mistakes and leaks of data are not going to stop.

I have used 1Password for almost a year full-time. It keeps everything safe and secure. My Verizon password (when we were customers) was a long strand of 20-something numbers and letters. It didn’t match anything and I never knew it. But 1Password did.

https://1password.com – It’s only $5 per month for up to 5 people. You can have separate vaults where you keep your logins and personal information. There are also shared vaults, which are great for couples to share common information and keep sensitive information like Social Security Numbers safe. I keep every login for every site I sign up for there, as well as my banking information including routing and account numbers. I keep a profile I use to fill in forms on web sites, as well as the plastic cards I use to buy things.

Verizon isn’t the first company to leak your info and it won’t be the last. It’s going to happen, over and over and over. You should sign up for 1Password. It will take the guesswork out of passwords and sensitive information.

Microsoft Security Essentials

Please stop me if you’ve heard this one before.

I have _________ anti-virus installed on my computer but…

But I thought the subscription was up to date. It wasn’t and I got infected.
But I thought I had paid for protection. But I hadn’t and I got infected.
But I got a virus anyway because it wasn’t up to date.

Stop paying for Anti-Virus protection.

Microsoft has a product called Security Essentials. It’s free to download and install, and its updates are free and arrive through Windows Update. (On Windows 8 and later the same protection ships built in as Windows Defender.) You are installing Windows Updates at least once a week, right?

Download Microsoft Security Essentials.

This will help protect your computer against viruses and other malware. The definition updates keep coming and you never pay for them: as long as you’re updating your computer, your anti-virus stays up to date too. No anti-virus catches everything, so keep installing the rest of your updates as well.

Stop paying for what you can get free. Don’t find yourself paying a local computer tech or bribing a family member to clean the virus off your computer. Don’t allow yourself to be without your computer because it’s infected.

Download Microsoft Security Essentials and don’t give it another thought.

Click here and enter your password

Why will your local IT Department never ask for your username and password?

XKCD Comic

Username

Your local IT department set up your account. They know your username, and they can look it up if they don’t. It’s often a combination of first and last names, perhaps with a number thrown in, or perhaps a series of numbers.

No matter what it is, your IT department knows it.

Password

Never Give Anyone Your Password Over Email

Your IT department doesn’t know your password. They have no way to look up your password: a properly run system stores only a one-way hash of it, never the password itself. But you know what they can do? Reset it.

IT will never ask you for your username and password. If they really need it, they can look up one and reset the other. And resetting a customer’s password without their permission or knowledge is a huge breach of security and trust and will lead to that person getting fired or possibly worse.
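To make the “they can reset it but can’t look it up” point concrete, here is an added example (not any real directory or help-desk tool, and not code from this post) of what a credential store actually holds. The user store is an in-memory dict standing in for a directory; the scheme, PBKDF2-HMAC-SHA256 with a per-user random salt, is one standard choice, not the only one.

```python
"""Why the help desk can reset your password but cannot look it up.

Added example; it is not any real directory or help-desk tool. The user store
is an in-memory dict standing in for a directory, and the scheme
(PBKDF2-HMAC-SHA256, per-user random salt) is one standard choice, not the
only one.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; raise it for production (aim for ~100 ms per check)
SALT_BYTES = 16


def _derive(password: str, salt: bytes) -> bytes:
    """One-way: cheap to compute, infeasible to reverse back to the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(store: dict, username: str, password: str) -> None:
    """Store salt + hash only. The plaintext is discarded as soon as this returns."""
    salt = os.urandom(SALT_BYTES)
    store[username] = {"salt": salt, "hash": _derive(password, salt), "must_change": False}


def verify(store: dict, username: str, password: str) -> bool:
    """Check a login attempt without ever storing or revealing the real password."""
    record = store.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not reveal which usernames exist.
        _derive(password, b"\x00" * SALT_BYTES)
        return False
    return hmac.compare_digest(record["hash"], _derive(password, record["salt"]))


def what_it_can_see(store: dict, username: str) -> dict:
    """Everything an administrator can read about the credential: no password field exists."""
    record = store[username]
    return {"salt": record["salt"].hex(), "hash": record["hash"].hex()}


def helpdesk_reset(store: dict, username: str) -> str:
    """The one thing IT can do: replace the hash with that of a fresh temporary password.

    The temporary password is handed to the user out of band (in person, by phone)
    and must be changed at next login; the old password is gone, not recovered.
    """
    temporary = secrets.token_urlsafe(12)
    set_password(store, username, temporary)
    store[username]["must_change"] = True
    return temporary


if __name__ == "__main__":
    users = {}
    set_password(users, "jdoe", "correct horse battery staple")  # constructed sample user
    print("login ok:", verify(users, "jdoe", "correct horse battery staple"))
    print("admin view:", what_it_can_see(users, "jdoe"))
    temp = helpdesk_reset(users, "jdoe")
    print("old password still works:", verify(users, "jdoe", "correct horse battery staple"))
    print("temporary password works:", verify(users, "jdoe", temp),
          "| must change at next login:", users["jdoe"]["must_change"])
```

Because the store holds only a salt and a hash, a ticket that asks “what is my password?” can only end in a reset. Anyone who claims to be IT and asks you for the password is therefore either guessing or phishing.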

What is Phishing?

According to Dictionary.com, Phishing is…

to try to obtain financial or other confidential information from Internet users, typically by sending an e-mail that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake Web site that replicates the real one.

Basically, it is someone trying to gain information from you by pretending to be something else. The attackers will spoof your bank web site, your employer, local IT department or an email from a friend or loved one.

Examples of phishing emails

Over the past few weeks, we’ve seen a larger than usual amount of phishing emails. I have included a couple of samples below with the links removed. After each message, I’ll make a note of why this is a fake message and what to look out for.

From: “Hogan, Judith”
Date: February 11, 2013, 11:14:15 AM EST
Subject: Security Update
There has been an automatic security update on your [email address](LINK REMOVED). To complete update, you are to click here.
Please note that you have within 24 hours to complete this update because you might lose access to your Email Box

First, check who the sender is. Does this person work in your company? Do they have the same Company.com email address? Have you heard of them before, or of the company they work for?

In this case, poor Judith Hogan at Rochester.edu is our sender. She does not work for the organization this email was sent to. Most likely her account was compromised and is being used by the attackers: Judith is not after your information, she is another victim of phishing or of some other attack that took over her account.

Second, the link for “email address” went to a page at hpage.com. Hpage.com is not your local IT department.

From: National Institute of Health <2254576378@qq.com>
Date: Sat, 2 Feb 2013 04:27:06 -0500
Subject: Important Notification

Dear Subscriber, All NIHMAIL users must upgrade their account on or
before 4th February 2013 . For easy upgrade, Click
http://[REMOVED].my3gb.com and fill out your correct account details.
Webmail Administrator

First, the From line actually names the correct organization. A quick check of the email address, though, shows it is a qq.com address. NIH is a government entity and uses the NIH.gov domain; it would never direct customers to qq.com for any reason.

Second, Dear Subscriber is a giveaway. If this really were your employer emailing you, they know who you are. They would address you by first or last name. It would not be something so generic as Subscriber.

Third, the IT department plans and executes upgrades. Your IT department would never ask you to click anything to upgrade your account; managing, upgrading and controlling the email servers and accounts is the job of your IT techs. If there is an upgrade happening, they will tell you about it.

Finally, IT will never, ever, ever ask for your credentials. The IT department set up your email account, so they already know your username. And while they don’t know your password, they do have the power to reset it: if you’ve ever forgotten your password and called your Help Desk, they reset it rather than asking you for it. Your IT Department will never ask for your username and password.

Often, attackers will threaten that a customer’s data or email will be deleted to scare them into compliance.

From: “Warren, Frank”
Date: Mon, 26 Nov 2012 07:19:27 -0500
Subject: Security Update

There has been an automatic security update on your email address. Click here to complete update
Please note that you have within 24 hours to complete this update because you might lose access to your Email Box.

First, Frank Warren at BP.com most likely doesn’t work for your company.

Second, IT would never conduct an automatic update without first announcing it. And if there was an update performed, no one would need to click a link. They are the IT department. When they perform an upgrade, your account is upgraded. Done. There is no step 2.

Third, sporadic capitalization such as “Email Box” and missing periods at the ends of sentences are common indicators of phishing. Professional emails from your IT department will use proper grammar and punctuation. The reverse does not hold, though: well-crafted phishing emails read perfectly, so clean grammar alone is not proof that a message is genuine.

From: NIH EMAIL WEB ACCESS
Subject: TERMINATION OF ACCOUNT

Dear NIH Account User,

Due to the congestion in all NIH users
accounts you needs toupdate your account with
our released F-Secure Internet Security 2013.
Newversion of a better resource spam and viruses.

If you have not upgraded your account, click reply
and fill in the columnsbelow to send it back so we can
update our database account immediately.
Failure to update will process your NIH
account beingtemporarily blocked or suspended
from our network and may not be able to
receive or send e-mail due to the update.

First, your company knows who you are and would address you by name.
Second, the missing spaces between words and poor grammar such as “better resource spam and viruses” mean phishing. That last line doesn’t even make sense when you read it.
Third, the IT department upgrades your email. It doesn’t tell you to click a link “or else.” IT doesn’t threaten customers.

From: NIH User
Subject: Blank

Due to recent suspicious activities in your web-mail account and high amount of Spam mails we receive daily. you account have been blocked and made inactive to protect you, so to activate and unblock your account before routine deletion by our servers, To upgradeyour webmail please click (link withheld)

please fill all details to unblock your account instantly Thank you.

First, the subject line would not be blank.
Second, if your account has been blocked, you would not be receiving this email because your account has been blocked.
Third, poor grammar, lack of capitalization and asking to click a link is a sure sign of phishing.
Fourth, filling information into a web site will not unblock your account. A call to your help desk will.

I hope these examples and explanations help you better understand phishing and the ways attackers try to gain access to your email. Often, customers will say, “I have nothing in my email that is important or sensitive.”

However, when a customer’s email account is compromised, so is access to anything else tied to it. Any network drives are also at risk. VPN access or remote access is now at risk.

If the customer works with sensitive data such as HR or financial information, access to those systems is now at risk too. Think of all the things that send a password reset to an email address to change a password.

If an attacker has access to your email account, they potentially have access to anything that email address connects to. Do you use it for Facebook, Twitter, your own web site, Amazon, Paypal, or your bank?

All of those things could be compromised because the attacker can trigger password resets for them using your email address. For a worst-case scenario, read the story of Mat Honan, whose computer and phone were remotely wiped after an attacker gained access to his accounts.

This is a worst case scenario. However, the same security threats exist if an attacker gains access to your email account. Attackers aren’t just after your work email accounts either.

Take a look through your Gmail, Hotmail, or Yahoo email account. What social media sites do you use that email for? Does your bank send email there? How about credit cards? If an attacker gains access to that account, they have anything you use that email address for, and they can email your friends, family and colleagues from your account in an attempt to gain access to their accounts too.

The best weapon against phishing and other attacks is to use common sense: think about what you’ve received and whether it makes sense. If you have a question about something you’ve received, don’t reply to the message itself; contact the sender through a channel you already trust, such as a phone number or an address you have used before. If you receive a suspicious email at work, call your help desk and ask about it.

How can you easily detect a phishing attack?

  1. Check the sender. Do they work for your company? Is the email address consistent with the sender name?
  2. Are there weird misspellings, poor grammar and a lack of basic punctuation? Does your local IT department send you emails like this? Does your brother, mother or colleague?
  3. Is there a link in the email? Don’t click it. If you move your mouse over it and wait a couple of seconds, it will show where the link is going to take you. If it’s a weird-looking link, don’t click it.
  4. If you’re suspicious, don’t act on the email: report it to your help desk (or delete it). If it was something important, the sender will contact you again or in another way.
  5. Remember, the IT department manages your email account. They will never ask for your credentials or to click a link to “verify” or “upgrade” it. They have the power to do whatever they need to do to upgrade, manage or migrate your email. That’s their job.
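The checklist above can be turned into a first-pass filter. The script below is an added example, not a product and not code from this post: it scores a message against the same signals the examples call out (outside sender, impersonated organisation, generic greeting, deadline or threat, link to an outside host, request for credentials, blank subject). The three messages are constructed, modelled on the samples quoted above but with made-up names and hostnames; `ORG_DOMAIN`, the phrase lists and the brand table are assumptions. A real mail gateway would also use authentication results (SPF/DKIM/DMARC) that these plain-text samples do not carry.

```python
"""Score an email against the phishing checklist above.

Added example; not a product and not code from this post. The messages are
constructed (modelled on the quoted samples, with made-up names and hosts);
ORG_DOMAIN, the phrase lists and the brand table are assumptions.
"""
import re
from email.utils import parseaddr

ORG_DOMAIN = "company.com"  # assumed: mail domain of the organisation receiving the message
# assumed: organisations phishers like to impersonate, and the domain they really send from
IMPERSONATED_BRANDS = {
    "national institute of health": "nih.gov",
    "national institutes of health": "nih.gov",
    "nih": "nih.gov",
}
GENERIC_GREETINGS = ("dear subscriber", "dear user", "dear account user", "dear customer", "dear member")
URGENCY_PHRASES = ("24 hours", "immediately", "blocked", "suspended", "terminat",
                   "lose access", "deletion", "on or before")
CREDENTIAL_PHRASES = ("account details", "fill in", "fill all", "fill out",
                      "username and password", "your password", "login details")
URL_RE = re.compile(r"https?://([^\s/<>\"']+)", re.IGNORECASE)


def _in_org(host: str) -> bool:
    host = host.lower().split(":")[0]
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def phishing_indicators(msg: dict) -> list:
    """Return (indicator, detail) pairs for a message given as {'from', 'subject', 'body'}."""
    hits = []
    display, addr = parseaddr(msg.get("from", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get("body", "")
    low = body.lower()

    if domain and not _in_org(domain):                      # checklist item 1
        hits.append(("external-sender", domain))
    for brand, real_domain in IMPERSONATED_BRANDS.items():  # display name says NIH, address says qq.com
        if re.search(r"\b" + re.escape(brand) + r"\b", display.lower()) and not domain.endswith(real_domain):
            hits.append(("brand-mismatch", f"{display!r} sent from {domain or '<no address>'}"))
            break
    if not msg.get("subject", "").strip():
        hits.append(("empty-subject", ""))
    greetings = [g for g in GENERIC_GREETINGS if g in low]  # "Dear Subscriber"
    if greetings:
        hits.append(("generic-greeting", greetings[0]))
    urgent = [p for p in URGENCY_PHRASES if p in low]       # "within 24 hours ... or else"
    if urgent:
        hits.append(("urgency", ", ".join(urgent)))
    outside = [h for h in URL_RE.findall(body) if not _in_org(h)]  # checklist item 3
    if outside:
        hits.append(("external-link", ", ".join(outside)))
    asks = [p for p in CREDENTIAL_PHRASES if p in low]      # checklist item 5
    if asks:
        hits.append(("credential-ask", ", ".join(asks)))
    return hits


def classify(msg: dict) -> str:
    names = {name for name, _ in phishing_indicators(msg)}
    if len(names) >= 2:
        return "likely phishing"
    return "review" if names else "no indicators"


# --- constructed samples; names and hostnames are made up --------------------
SAMPLE_UPDATE = {  # modelled on the "Security Update" messages above
    "from": '"Doe, Jane" <jdoe@example.edu>',
    "subject": "Security Update",
    "body": "There has been an automatic security update on your email address. To complete update, "
            "you are to click http://mailbox-update.hpage.com/verify\nPlease note that you have within "
            "24 hours to complete this update because you might lose access to your Email Box",
}
SAMPLE_NIH = {  # modelled on the "Important Notification" message above
    "from": "National Institute of Health <1234567890@qq.com>",
    "subject": "Important Notification",
    "body": "Dear Subscriber, All NIHMAIL users must upgrade their account on or before 4th February 2013. "
            "For easy upgrade, Click http://nihmail-upgrade.my3gb.com and fill out your correct account "
            "details.\nWebmail Administrator",
}
SAMPLE_LEGIT = {  # what a real announcement from the help desk looks like
    "from": "IT Help Desk <helpdesk@company.com>",
    "subject": "Mail server maintenance this Saturday",
    "body": "Hi Dana,\nThe mail servers will be patched this Saturday between 02:00 and 04:00. No action "
            "is needed on your part; the schedule is at https://intranet.company.com/maintenance.\nThe Help Desk",
}

if __name__ == "__main__":
    for label, msg in (("update", SAMPLE_UPDATE), ("nih", SAMPLE_NIH), ("legit", SAMPLE_LEGIT)):
        print(label, "->", classify(msg), phishing_indicators(msg))
```

Two or more independent indicators is a reasonable bar for an automatic “likely phishing” verdict; a single one (an outside sender, say) is normal business mail and only merits a look. The heuristic does not try to judge grammar, which is the one signal on the checklist that a careful attacker can simply fix.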