May 2011
We have all been presented online with secret questions and passwords. This is supposed to help a company website know it is really you when you need a password reset. But, how secret are those answers and should you give a completely different answer to the question to throw off cybercreeps?
We all see the security questions and take them seriously. We dutifully enter our mother’s maiden name when asked. But where does that information go? Is it really protected? Is it really used to validate that it’s you, or does a cybercreep just need to know the answer? With the recent Sony PlayStation breach, Sony is concerned that your answers to its secret questions might be at risk. Cyber expert Theresa Payton says that you may want to think about how you answer those secret security questions on various sites.
When you fill out a job or bank application, you need to truthfully answer these questions. When you are on sites such as email, social networking, or other internet sites, you should look for options that make sense.
Tips to Protect Your Secret Questions and Answers:
1. Look first to see if you can create your own questions. If you can create your own question, that is the best option.
You can make up a question such as “Where I wish I could go right now” and answer “On vacation with my honey!”.
2. Avoid responding to quizzes online: a lot of those funny quizzes you can answer on Facebook or other sites might give away clues that help someone guess your password or your answers to security questions.
3. Come up with your own code phrase, take the first letter of each word in the phrase, and add numbers or symbols. Example: when answering “your favorite color”, create a phrase like “I love yellow because it reminds me of daisies” and answer with Ilybirm@d!
4. Use completely different answers but make sure it is something you can remember!
Our word for the week is: PIMP
A play on the phrase, “pimp my ride”, this is geek speak for using words, cool backgrounds, or graphics to embellish your online profile. An example would be, finding cool backgrounds for your Twitter or blog page. Pimping your profile means boosting the look and content of your profile online by adding various information or links to your profile to make it stand out.
Web Resources:
McAfee has great tips on security questions and answers as well as the latest scams floating around at www.McAfee.com
Facebook has a great safety page at: https://www.facebook.com/fbsafety
You can keep up with the latest Facebook scams at: https://www.facebook.com/Facecrooks?ref=ts
Wednesday, July 6, 2011
Wednesday, January 5, 2011
The "e" in e-card for cybercreeps means "easy" to get past security
My family and friends know by now that I NEVER open e-cards without calling or emailing them first to ask them 50 questions about the card before I even consider opening it. That might explain the decline in e-cards in my in-basket?
Until now, most of my friends and family put up with it because they love me and they all know that, like the kid in "The Sixth Sense" who "sees dead people", when I look at most anything I "see cyberbadpeople".
So, when I read that bogus White House Christmas e-cards were sent out to people, I absolutely cringed. I knew, before I read the article, that people probably opened them.
According to articles I read, the e-card contained the infamous Zeus malware.
One article mentions that one of the servers used to deliver the e-cards from "the White House" was in Belarus. It is believed that the hackers stole several gigabytes worth of data.
Brian Krebs, at the site KrebsOnSecurity, posted the actual message sent to recipients:
“As you and your families gather to celebrate the holidays, we wanted to take
a moment to send you our greetings. Be sure that we’re profoundly grateful
for your dedication to duty and wish you inspiration and success in
fulfillment of our core mission.”
The card included a picture of a decorated Christmas tree and links to a file named "card.zip".
The Zeus variant appears to have stolen passwords and used those to steal Word and Excel documents.
Sources:
"White House E-Card Spoof Steals Data", Brian Kalish, NextGov.com, January 4, 2011.
"'White House' eCard Dupes Dot-Gov Geeks", KrebsOnSecurity, January 4, 2011.
Friday, December 17, 2010
Strong Passwords
I taught a class on Internet Safety to 3rd graders. We talked about examples of creating strong passwords and how to vary them across accounts. We had fun doing it by making up phrases and turning them into crazy passwords to use.
By the way, are you a user on Gawker.com? If so, are you one of the 100,000 people out of their 1.3 million users that had your user id and password posted online for the world to see?
Just to be on the safe side, here are a few tips you may want to use:
1. Vary your password across different sites.
2. Make up a phrase and use the first letter of each word, alternating lower and upper case.
3. Add numbers and special characters for effect.
"FBI Investigating Gawker.com Hack", Fox News, December 14, 2010.
Tuesday, May 4, 2010
Guest Post - Nick Volpe - Summary of What's Hot in the Security Headlines
Guest Post from Nick Volpe. Spring Semester Intern at Fortalice®, LLC. Attending Immaculata University.
Facebook Expected to Launch Location-Aware Feature
Facebook has long been in the hot seat over its data privacy features. More specifically, the settings Facebook deems appropriate as defaults have come under scrutiny, with less sophisticated users not knowing what information from their profile is available to whom and how to change that selection. In April 2010, Facebook will begin to allow its registered users to share their geographical location with their friends in their news feeds. The location-based feature(s) are expected to be unveiled in late April at Facebook’s annual f8 developer conference in San Francisco. According to company reports, the feature will be opt-in, allowing users to choose whether or not to participate. Given the company’s track record on security, however, users should be vigilant and check changes to privacy policies and settings. The news comes after the popular micro-blogging competitor Twitter announced a similar location-based feature for its offering. Officially, Facebook will neither confirm nor deny the anticipated announcement.
Sources:
AllFacebook.com: “Facebook Prepares To Release Location Service At f8” by Nick O’Neil http://www.allfacebook.com/
NYTimes.com Bits Blog: “Facebook Will Allow Users to Share Location” by Nick Bilton http://bits.blogs.nytimes.com/
PC Magazine: “Report: Facebook to Add Location Info to Updates” by Brian Heater http://www.pcmag.com/article2/
New Statistics Show About 12% of Employees Willingly Violate Company IT Policy
One of the biggest and most difficult to address points of failure in IT security is employee error. According to a new survey conducted by the firm Harris Interactive, 12% of the United States workforce claimed to have willingly violated their companies’ IT policies. In some sense, IT departments need to worry about employees even more than about antivirus and malware infections in the network. IT departments and companies simply are not as tough on enforcing their policies as they should be, which makes employees the largest cause of corporate data loss.
Sources:
Ars Technica: “Bad employee! 12% knowingly violate company IT policies” by Jacqui Cheng http://arstechnica.com/
Pivotal Payments: “12% of employees intentionally breach corporate IT policy, study shows” by Kristen Lawrence http://www.pivotalpayments.
Highly Marketed Identity Protection Agency LifeLock Fined by FTC
The identity protection industry is highly lucrative and popular among individuals who aim to keep their confidential information private. There are firms that, for a monthly fee, claim to protect your identity by closely monitoring credit reports and other identifying accounts and information, or at least attempt to do so. LifeLock, one of these identity protection services, was fined by the US Federal Trade Commission for false advertising. The company guaranteed its clients that for as long as they paid, their identity would never be stolen and they would not be susceptible to fraud. As it turns out, you really can’t guarantee that a person’s identity can’t or won’t be stolen; there are simply too many factors involved. Ironically, the CEO of LifeLock, who freely gave out his Social Security number publicly as a testament to his service, fell victim to identity theft himself.
Sources:
Total Bankruptcy: “LifeLock Fined for Inappropriate Identity Theft Protection Claims” http://www.totalbankruptcy.
Ars Technica: “LifeLock fined $12 million over lack of life-locking ability” by Jacqui Cheng http://arstechnica.com/tech-
Saturday, March 20, 2010
Big Brother Has the Power to...turn off your car
Turn off your car? What?
As our world becomes more automated and every day gadgets are infused with computer machinery, you are more at risk of a glitch, or worse.
Over 100 car owners in Austin, TX had the worst surprise ever recently. Cars began behaving badly - they would not turn on or the horns were honking.
How could this happen?
Many consumers have no idea that their dealerships are installing a little black box on cars. This little black box allows the dealerships to disable YOUR car if you fall behind on payments. It is the modern day alternative to the Repo Man.
The culprit? Not a technology glitch but a ticked-off employee who had been fired. Police in Austin's High Tech Crime Unit arrested 20-year-old Omar Ramos-Lopez. Police tracked him down using access logs and then tracing the traffic back to his IP address.
Martin Garcia, Texas Auto Center manager where Omar worked said, "Omar was pretty good with computers". Really? Maybe Mr. Garcia was taken out of context, let's hope so.
I have said it before, sometimes the greatest risk in cybersecurity is the INSIDER THREAT - from the model employee to the displaced employee.
They can put Ramos in jail but until businesses address the risk of insider threat, Ramos will not be the last.
This leaves another question open: if Ramos was able to access the system using another employee's account, what could someone with a real plan have done to immobilize drivers?
Who needs an EMP (electromagnetic pulse) to take out computer systems when you can just hack into devices?
Comments? Questions? Please send me your reaction to this story.
Tuesday, November 17, 2009
Strong Passwords STOP the Bad Guys! 4 Tips + Password Strength Checker
20,000+ email users across Hotmail, Gmail, AOL, and Yahoo had their account ids and passwords posted on the internet!
This disturbing situation can be made worse if you are using the same password across many accounts, including your online banking.
The computer security firm Sophos did a survey and found that only 19% of people use a different password for each site they go to.
We have busy lives and it is tough to remember passwords. That is why we are providing you with easy tips to create a unique and strong password. The best way to put a STOP to these cyberthugs is to create strong passwords.
STOP Tips:
S: Special characters such as exclamation points and numbers
• Avoid using personal information.
  o Examples: any part of your name, address, high school, birthday, Social Security number, or pet names.
• Avoid using sequences.
  o Examples: “12345”, “ABCDE”, “AAA”, or “Password”
• If your website supports it, use special characters and/or a mix of upper and lower case.
  o Examples: @, $, &, *
T: Think of a phrase and pick the first letter of each word to build your base password
• Longer passwords are preferred, at least 8 characters
O: One time – only use each password on one account
• Create a different password for each of the different sites you visit
P: Protect your password: never write it down and leave it next to your computer, and never give it out via email or over the phone
• If you cannot remember your passwords, consider writing them down and keeping them in a home safe that you keep locked
• Never leave them on a Post-it note next to your PC
Sample password using the STOP tips:
• Using the phrase: Fall-beautiful leaves and yummy apples.
  o fblaya
• Combined with the other rules it becomes:
  o F-Bl1&9Ya@
If you would like to test the strength of your password try the Microsoft site’s free online password checker at:
www.microsoft.com/protect/yourself/password/checker.mspx
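As an added example (not code from the original post or its author), here is a small Python checker that builds the base password from a phrase, as tip T and the security-question code-phrase tip (tip 3 of the May 2011 post) describe, and flags the STOP rules a candidate password breaks: minimum length, numbers and special characters, mixed case, sequences such as 12345 or AAA, the word "password", and any personal information the caller supplies. The sample phrase and passwords are the post's own; the `personal_info` list is an assumption about what a site would know about the user.

```python
import re

# STOP rules as the post states them: at least 8 characters, numbers and
# special characters, mixed case, no sequences, no personal information.
MIN_LENGTH = 8
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")
BANNED_WORDS = ("password",)


def acronym(phrase, alternate_case=False):
    """Tip T: first letter of each word of the phrase, lower-cased.
    alternate_case=True applies the Dec 2010 tip of alternating lower/upper."""
    letters = [w[0].lower() for w in re.findall(r"[A-Za-z0-9]+", phrase)]
    if alternate_case:
        letters = [c.upper() if i % 2 else c for i, c in enumerate(letters)]
    return "".join(letters)


def has_sequence(pw, run=3):
    """True if pw contains a run of identical characters ('AAA') or of
    consecutive characters ('123', 'abc') of the given length."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {window[j + 1] - window[j] for j in range(run - 1)}
        if steps == {0} or steps == {1}:
            return True
    return False


def check_stop(pw, personal_info=()):
    """Return the list of STOP rules the password breaks; [] means it passes.
    personal_info (assumed input) is the user's name, pet names, birthday, etc."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if has_sequence(pw):
        problems.append("contains a sequence such as 123, abc or AAA")
    lowered = pw.lower()
    for word in BANNED_WORDS + tuple(personal_info):
        if word and word.lower() in lowered:
            problems.append(f"contains '{word}'")
    return problems
```

Run on the post's own example, `acronym("Fall-beautiful leaves and yummy apples.")` gives `fblaya`, which `check_stop` rejects on four rules, while the finished `F-Bl1&9Ya@` passes every rule.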