Wednesday, June 19, 2013

SCAM Alert: Puppy Scams & Business Executive Scams

NEVER send money or give credit card or online account details to anyone you do not know and trust.

Almost everyone will be approached by a scammer at some stage. Some scams are very easy to spot while other scams may appear to be genuine offers or bargains. Scams can even take place without you doing anything at all.

Two prominent scams that need awareness are:

(1) The “Puppy Scam”, which is aimed at dog lovers, has been around for many years and appears to be rising again.

(2) The “Business Executive Scam” looks to victimize businesses in both Canada and the United States of America.

The Puppy Scam

Method of Solicitation: Purebred dogs are offered at lower than normal prices. Straightforward ads are placed on free on-line sales sites like Gumtree, Craigslist and community web pages. The use of standard newspaper ads has also been identified.

A twist on the scam sees the seller leaving the country to do a ‘Christian Mission’ in another country. They must sell their dog because of their commitment to this mission, where they will be helping people less fortunate. Although mobile phones have been used, communication is mainly done through an email address.

Victim Remittances: The use of money service businesses (MSB) is the primary method the fraudster uses to collect victim funds. Once the price is confirmed and the original payment is made, the victim can expect many more communications from the fraudsters, because the victim has to pay the “certified Transportation Company”, the “out of country tax”, the “Anti-terrorist fee” or the “verification of vaccination fee”, just to name a few.

Additional emails will follow until the complainant finally realizes they are a victim and will never get a dog. Most of the destinations of the MSB transfers are West African nations including Nigeria, Ghana and Cameroon.

Refer here and here for more information.

The Business Executive Scam

Fraudsters are researching companies on-line via company websites. To make this scam work, the fraudsters need to identify a company executive (e.g. CEO, President, manager, owner) as well as an email address for the accounting department. Once these are identified, the fraudster creates an email address using the free email services of Yahoo, MSN or Google. The email address will be, for instance, “the executive's name@Yahoo.com”.

A message will be emailed to the accounting department advising that the executive is working at home or off-site and that the executive has identified an outstanding payment that needs to be made ASAP.

The executive instructs that a payment be made, generally in the amount of 25,000 to 80,000 dollars, to an identified person and bank account.

Bank accounts associated with this fraud have been identified across North America thanks to the efforts of the complainants and the banks. Currently the victimization rate is very low, but it has the potential for high dollar loss. Identified bank accounts require prompt action.
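A mail-screening check for the pattern described above, added here as an example and not part of the original post: it flags messages whose sender name matches a company executive but whose address sits on a free webmail domain, and holds them when they also ask for a payment. The executive names, the corporate domain, the webmail domain list and the keyword list are all assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (constructed, not from the original post).
EXECUTIVES = ["Jane Q. Doe", "Rahul Mehta"]
CORPORATE_DOMAIN = "example.com"
FREE_WEBMAIL = {"yahoo.com", "msn.com", "hotmail.com", "outlook.com",
                "gmail.com", "googlemail.com"}
PAYMENT_TERMS = re.compile(
    r"\b(payment|wire|transfer|invoice|bank account|asap|urgent)\b", re.I)


def _tokens(text):
    """Lower-case alphabetic tokens; single letters (initials) are dropped."""
    return {t for t in re.split(r"[^a-z]+", text.lower()) if len(t) > 1}


def matches_executive(display_name, local_part):
    """Return the executive whose name appears in the sender, else None."""
    sender_tokens = _tokens(display_name) | _tokens(local_part)
    squashed = re.sub(r"[^a-z]", "", local_part.lower())  # janedoe77 -> janedoe
    for name in EXECUTIVES:
        parts = _tokens(name)
        if parts <= sender_tokens or all(p in squashed for p in parts):
            return name
    return None


def _text(msg):
    """Subject plus every text/plain part of the message."""
    bodies = [str(p.get_payload()) for p in msg.walk()
              if p.get_content_type() == "text/plain"]
    return " ".join([msg.get("Subject", "")] + bodies)


def assess(raw_message):
    """Classify one RFC 822 message as 'deliver', 'review' or 'hold'."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()

    executive = matches_executive(display, local)
    external = domain != CORPORATE_DOMAIN
    webmail = domain in FREE_WEBMAIL
    asks_payment = bool(PAYMENT_TERMS.search(_text(msg)))

    if executive and external and webmail and asks_payment:
        verdict = "hold"      # matches the scam pattern: verify by phone first
    elif executive and external:
        verdict = "review"    # executive's name used from outside the company
    else:
        verdict = "deliver"
    return {"verdict": verdict, "executive": executive, "domain": domain,
            "webmail": webmail, "asks_payment": asks_payment}


# Constructed sample messages.
SAMPLES = [
    'From: "Jane Q. Doe" <jane.doe@yahoo.com>\nTo: accounts@example.com\n'
    "Subject: Outstanding payment\n\nI am working off-site today. Please make "
    "a payment of 45,000 dollars to the account below ASAP.",
    'From: "Jane Q. Doe" <jane.doe@example.com>\nTo: accounts@example.com\n'
    "Subject: Q2 invoice approval\n\nApproved, please process the invoice.",
    'From: "Sam Vendor" <billing@gmail.com>\nTo: accounts@example.com\n'
    "Subject: Invoice 17\n\nPlease find our invoice attached.",
    "From: rahulmehta1975@gmail.com\nTo: accounts@example.com\n"
    "Subject: Quick question\n\nAre you at your desk?",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(assess(raw))
```

A message that passes this check is not thereby proven genuine; the check only covers the free-webmail look-alike address the post describes.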

Refer here to learn more types of Business Executive Scams.

Sunday, June 16, 2013

Why Mobile Security Matters

How do Enterprises secure the increasing flow of data in and out of their doors?

The widespread adoption of intelligent mobile devices has transformed the way we work in innumerable ways. In 2012, IDC calculates that 712.6 million smartphones were shipped globally – 44.1% more than in 2011. In 2013, it predicts worldwide mobile tablet sales will reach 190.9 million, increasing the adoption of cloud and app-based solutions.

By 2016, mobile data traffic will have increased 18-fold, with smartphones, laptops, tablets and other portable devices driving around 90% of that traffic [Cisco]. Yet, alongside the countless new opportunities that these handy communications tools present for flexible workers, the continued rise in mobility also brings with it a myriad of potential security threats.

Most enterprises are already well-accustomed to protecting corporate data, including everything from commercial information to intellectual property and customer/employee information. However, the fact that mobile phones and tablets are small, portable and frequently used in public places or for downloading applications makes them particularly vulnerable to attacks and difficult to manage, especially compared with PCs.

In effect, these devices take corporate information out of the ‘safe’ corporate network and into unsecured environments, such as public Wi-Fi hotspots, and invite users to access a huge range of apps and websites.

The consequences of unwittingly falling foul of security threats can potentially go beyond the need for a simple repair to become far-reaching. Whether it’s connecting to a bad Wi-Fi network in an internet café or downloading an app which contains malware, a single unintentional mobile security breach could potentially lead to financial and information loss, a privacy breach, loss of intellectual property or even damage to reputation.

As with other aspects of business, the cost of prevention is far lower than the cost of cure. For this reason, it is critical that today’s businesses assess their security environment and put the necessary protection in place to enable employees to work securely and without risk of infection, whenever and wherever in the world they may be.

Refer here to download the white paper (registration may be required) which covers the following topics:
  • Mobile security challenges and risks faced by large organisations
  • Factors to consider when developing a mobile security strategy
  • How to find a security solution that meets your organisational needs

Monday, June 10, 2013

Securing The Smart Grid

With reports of regular cyber attacks targeting the US smart grid, should UK energy and utilities rethink their approach to security?

"With greater connectivity comes the even bigger need for better energy efficiency, from which the concept of the smart grid was born. The idea of the smart grid is to use IT to gather and act on behavioural information from both consumers and suppliers in an automated fashion to improve the efficiency, reliability, economics, and sustainability of the production and distribution of electricity. However, along with higher energy consumption, greater connectivity also entices a far greater number of security risks."

Continue reading on the Guardian Media Network.

Wednesday, June 5, 2013

Sex Matters: Men & Women differ on data security

Surprise: Women are also more likely to take steps to control what's visible to strangers on social media, although they take fewer security precautions online!

Two Microsoft studies have found that, when it comes to technology, men and women may have different priorities for staying safe and secure.

The first study, which surveyed more than 10,000 mobile and desktop users worldwide, found that 35 percent of men kept their mobile devices protected behind a passcode and used secured wireless networks to go online.

Women, the study found, took those same security precautions at a slightly lower rate of 32 percent.

Following that trend, 32 percent of men kept the software on their mobile devices up-to-date, an important defense against malware attacks. Only 25 percent of women did.

The numbers seem to show that men take mobile security slightly more seriously than their female counterparts, but also that both sexes adopt these common-sense security precautions at an abysmally low rate.

Jacqueline Beauchere, chief online safety officer at Microsoft, said in a statement: "We know from earlier research that men and women practice mobile safety very differently."

Despite their slight edge in security, men appear to fall victim to mobile-based attacks more frequently than women. They receive slightly more phishing emails, intrusive pop-ups and messages from impostors.

When it comes to defending their reputations, women tend to be more cautious than men about what they're willing to share online, the study found.

Women are also more likely to take steps to control what's visible to strangers on social media. The study also found that women are less cavalier than men when it comes to the content of their text messages.

A different Microsoft survey, this one conducted on Facebook, asked more than 800 people about their mobile pet peeves.

Many respondents cited loud talkers, constant phone checking and socially inappropriate use of mobile phones as among their top annoyances.

Monday, June 3, 2013

Do You Need an Anti-Virus for Mac?

It's unlikely you'll ever run into malware for the Mac.

But you may still want to consider an antivirus tool anyway: if not to protect yourself, then to protect your Windows-using friends from any malware you may inadvertently send their way.

If you agree, Sophos Anti-Virus for Mac may be the best choice, and it's free.

Many of you may choose to use nothing, but you need to consider that malware is starting to become a bit more prevalent on the Mac, and even the safest browsing habits don't protect you completely. 

Sophos Anti-Virus for Mac

Platform: OS X (10.4+) 
Price: Free
Download: Click here

Features

  • Compact, easy-to-use interface that can be used for custom on-demand scans of files, folders, and drives, or scheduled, periodic full scans of your Mac.
  • Also scans files on your Mac for known Windows malware, trojans, and viruses, and deletes or quarantines them so you don't risk spreading them to someone else via network share, USB drive, or email.
  • Deletes or quarantines known threats, gives you the option to quarantine anything suspicious that may be a new threat or dangerous file.
  • Runs quietly in the background, scanning emails, downloads, and any other files on access, stopping you from opening them before they can do any harm.
  • Light on system resources while running in the background.
  • Installs like any other Mac application, and uninstalls just as easily—no complicated packages or components to manage or configure.
  • Sophos' "Live Antivirus" feature updates your app the moment new threats are detected or found in the wild. The feature also performs real-time lookups to see if files accessed are in the SophosLabs database, even if they're unfamiliar to the app.
  • Supports OS X up to 10.8 and back to 10.4, and is completely free for all versions.

Friday, May 31, 2013

Sandcat - Penetration Testing Oriented Browser for Pen-Testers

Sandcat Browser brings unique features that are useful for pen-testers and web developers

Sandcat is targeted at penetration testers - people who test websites for security holes - but could also be useful for developers, or anyone else who would like a little more low-level control over their browsing. This is a capable security testing and developer-oriented browser.

Sandcat Browser is a freeware, portable, pen-test oriented, multi-tabbed web browser with extensions support, developed by the Syhunt team. It is built on top of Chromium, the same engine that powers the Google Chrome browser, and uses the Lua language to provide extensions and scripting support.

Updated to version 4.0, it has many useful security- and developer-oriented tools, with the fastest scripting language, and is packed with features for pen-testers such as:
  • Live HTTP Headers — built-in live headers with a dedicated cache per tab and support for preview extensions
  • Sandcat Console — an extensible command line console; allows you to easily run custom commands and scripts in a loaded page
  • Resources tab — allows you to view the page resources, such as JavaScript files and other web files.
  • Page Menu extensions — allows you to view details about a page and more.
  • Pen-Tester Tools — Sandcat comes with a multitude of pen-test oriented extensions. This includes a Fuzzer, a Script Runner, HTTP & XHR Editors, Request Loader, Request Replay capabilities, Tor support and more.
Features inherited from Chromium include:
  • Multi-Process Architecture — each tab is its own process
  • Developer Tools — in addition to the Chromium Developer Tools, Sandcat comes with a Source Code Editor and its own JavaScript and Lua consoles.

Tuesday, May 28, 2013

Vulnerability in Building Control Systems

Vital buildings such as hospitals, universities and government offices are vulnerable to hackers

You're in intensive care at a hospital when the lights go out and the heating turns up. Meanwhile, doctors trying to get you to an operating theatre have been trapped in elevators for almost an hour as hackers take control.

The building control system for one of Google's offices in Sydney was hacked into by two IT security researchers who say hundreds more in Australia are also accessible via the internet.

A building control system, or building management system, is a computer-based system used to control and monitor a building's mechanical and electrical equipment using software. It monitors and controls things like ventilation, air conditioning, lighting and fire systems.

US researchers Billy Rios and Terry McCorkle of security firm Cylance found that the building control system for Google's Wharf 7 office in Pyrmont was vulnerable after finding it on the popular hacker search engine Shodan, which maps out vulnerable devices on the internet.

Shodan, a search engine that indexes servers and other internet devices, is helping hackers to find industrial control systems that are vulnerable to tampering. This makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities.

Please refer here for a good technical webcast explaining "How the information in SHODAN is put together and correlated".

The incident does highlight the need for sensitive systems (not just SCADA) to be isolated from hostile networks like the internet.

Hopefully, this incident will gain some more traction outside the security community.

Friday, May 24, 2013

BYOD is here to stay, Why?


Should enterprises adapt to an increasingly mobile world?

Statistics from major BYOD surveys and analysts over the last year show that the BYOD trend is strong and will only get stronger. There are already 1 billion smartphone users around the world, with 1.3 billion smartphone and tablet sales expected in 2013.

Employees are using their personal smartphones for work all over the globe. However, the trend is strongest in high growth countries, such as Brazil, Russia and India, and among the youngest workers. Employees bring their own devices because they believe they let them do their jobs better, they like the flexibility to work when they want, and they prefer to carry a single device for work and personal use. Even knowing the security risks, and that their companies might be watching their online activities, isn’t stopping this trend.

IT departments are paying attention. They are aware of the growth of BYOD and are mostly positive about it. High growth countries and the US are more positive and are providing the most support. While most IT departments have been supporting BlackBerry and Apple devices, many are realizing the need to support Android and Windows Mobile as well. Not surprisingly, the most popular business applications being used on mobile are email, web browsing, contacts and calendars; however, more than half of IT departments report mobile apps being used for office applications, task and project management, social media, sales force automation or CRM as well.

By embracing the rise of BYOD and enterprise mobility, 2013 presents the opportunity for IT to change their role from service providers and technology partners to leaders and business strategists. By taking the initiative and working closely with all areas of the business, IT can lead the company into the New Age of enterprise mobility – enabling increased productivity and operational efficiencies, securely, and cost-effectively. 

See below A Visual Display of the Current State of BYOD 2013:

Tuesday, May 21, 2013

Cybersecurity is about more than technology

Securing Supply Chains Beyond Vendors and Service Providers

Securing supply chains is becoming a more crucial aspect of information risk management. But the definition of the supply chain is evolving.

The supply chain, from an IT security perspective, often is perceived as the hardware and software an organization acquires from vendors as well as online offerings furnished by service providers.

According to control SA-12: Supply Chain Protection, organizations use acquisition and procurement processes to require supply chain entities to implement necessary security safeguards to reduce the likelihood of unauthorized modifications at each stage in the supply chain and protect information systems and their components, before taking delivery of such systems and components.

But that's not quite how it works with shadow suppliers. Those running IT and IT security at government agencies and businesses don't always know that a system or component has been acquired. That's because the technology was not acquired through the normal procurement process.

We see organizations acquiring a service such as Dropbox, which allows individuals to easily share documents through a public-cloud service: 
Colleagues sitting around a conference table want to share a document, but the document owner, after five attempts, can't access Microsoft SharePoint, a document management system that operates on the internal corporate network. 
Frustrated, the document owner uploads the document to Dropbox, where his colleagues can easily access it. Suddenly, Dropbox is a supplier, and the business or government agency doesn't even know it. This is a huge area of the supply chain that now exists that is completely shadowed.

Of course, NIST offers other controls to deal with cloud services, such as requiring that information stored on the cloud be encrypted for added security. And many organizations have implemented controls to limit or ban the use of employee-owned devices and cloud services, such as Dropbox.

But as long as employees can find better technology than their employers offer, they will concoct ways to use it. Even if there is a policy against doing it, people are naturally doing it anyway, not to be rebellious but just to be more productive.

Organizations must be more agile in developing policies and adopting controls because there are too many choices in the marketplace. Years ago, organizations provided their employees with the best technology; not so today.

Saturday, May 18, 2013

Cyber Infrastructure Protection Guidelines by Strategic Studies Institute

It provides the foundation for long-term policy development and a roadmap for cyber security

Increased reliance on the Internet and other networked systems raises the risks of cyber attacks that could harm our nation’s cyber infrastructure.

The cyber infrastructure encompasses a number of sectors including: the nation’s mass transit and other transportation systems; banking and financial systems; factories; energy systems and the electric power grid; and telecommunications, which increasingly rely on a complex array of computer networks, including the public Internet.

However, many of these systems and networks were not built and designed with security in mind. Therefore, our cyber infrastructure contains many holes, risks, and vulnerabilities that may enable an attacker to cause damage or disrupt cyber infrastructure operations.

Threats to cyber infrastructure safety and security come from hackers, terrorists, criminal groups, and sophisticated organized crime groups; even nation-states and foreign intelligence services conduct cyber warfare.

Cyber attackers can introduce new viruses, worms, and bots capable of defeating many of our efforts. Costs to the economy from these threats are huge and increasing. Government, business, and academia must therefore work together to understand the threat and develop various modes of fighting cyber attacks, and to establish and enhance a framework to assess the vulnerability of our cyber infrastructure and provide strategic policy directions for the protection of such an infrastructure.

This book addresses such questions as:

  • How serious is the cyber threat?
  • What technical and policy-based approaches are best suited to securing telecommunications networks and information systems infrastructure security?
  • What role will government and the private sector play in homeland defense against cyber attacks on critical civilian infrastructure, financial, and logistical systems?
  • What legal impediments exist concerning efforts to defend the nation against cyber attacks, especially in preventive, preemptive, and retaliatory actions?
Refer here to download the book.

Tuesday, May 14, 2013

4 Ways to Defend Against State Sponsored Attacks

Enterprises Challenged to Safeguard Their Infrastructure

With reports - the latest one issued this past week from the Defense Department - that document the Chinese military and government targeting key government, military and business computer systems in the United States and elsewhere, operators of those systems face the challenge of defending their IT assets.

Security experts generally agree that the best defense against nation-state attacks needn't be tailored to a specific attacker. No one solution will help organizations to defend against nation-state attacks, whether from China, Iran, Russia or elsewhere. Still, knowing who's attacking IT systems can help organizations better plan their defenses.

One of the key differences between state-sponsored espionage and organized crime or hackers is their level of persistence and determination to break through defenses.

Security experts say fundamental cybersecurity and risk management practices, if implemented properly, should reduce the damage done from all types of attackers, including those from nation-states.

Here are four steps organizations can take to shore up their defenses against nation-state cyber-attacks, although not all of these approaches would be appropriate for each organization:

  • Avoid acquiring technology from companies based in nations that pose a threat;
  • Isolate internal networks from the Internet;
  • Share cyberthreat information with other organizations;
  • Enhance employee cybersecurity awareness programs, including testing workers' knowledge of best IT security practices.

Sunday, May 12, 2013

Reputation Is A New Target For Cyber-Attacks

How can organizations protect their credibility in the midst of an incident?

Organizations have to equip themselves much better to deal with this whole attack on reputation. The Information Security Forum recently issued its annual threat report, Threat Horizon: New Danger from Known Threats, which provides recommendations on protecting reputation, an area of high interest for attackers.

Word of a cyber-attack spreads fast these days and that viral impact can be a major issue. Criticism that was levied ... and fueled by social media, disgruntled employees and a whole collection of real viral traffic [causes] a major reputational hit. 

The faster an organization is able to respond, the more it knows about the particular issues that are being raised by hacktivist groups and can say credibly what their position actually is, then the less severe the impact is. 

To ensure they can respond effectively, organizations need to have clear ways of collaborating internally. They have to have honest relationships with the media in order to combat these things, plus an understanding of exactly where things are sitting from a data perspective across their own organizations.

Organizations also have an opportunity to get security and business departments together to get their arms around how they're going to deal with the issue of reputational risk because "it's very real."

Understanding threats is fundamental to enterprise risk management. Every organization needs to evaluate threats within the context of its own business to determine risks. The Information Security Forum advises that one of the key things that was noticed this year is that threats have evolved. Attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous and pose more risks to organizations, simply because they've had that degree of maturing. The sophistication of the people who are behind the attacks, behind the breaches, has increased significantly.

The Information Security Forum has that criminals have developed and we've called that "crime as a service," having upgraded to version 2.0 which gives you some view as to how we're seeing that.

It's a real opportunity for security departments and business departments to combine within organizations to get their arms around how they're going to deal with this issue of reputational risk because it's very real and we've seen some examples of it already this year.

Friday, May 10, 2013

No Room For Guessing Games in Information Security

The Global Cost of Cyber Security?

The information security industry, for the large part, has been working hard to reshape how users think about security. Before this reshaping took place, security was a nuisance for enterprises, was overlooked by developers (i.e., security-as-a-fix instead of security-at-inception), and was unknown to end users.

Fortunately, the trend is changing. For example, CXOs are now less reluctant to approve those line items in the budget related to securing their enterprises and end users are becoming more aware of cyber security and its consequences. 

For me, trying to estimate the global cost associated with cybercrime is one of those ‘somethings’. The inherent complexity associated with the global space of cybercrime events prevents us from calculating a reliable cost estimate with respectable accuracy and precision.

Not so long ago, Symantec asserted that cybercrime was costing us about $110 billion per year. Around the same time, McAfee stated that cybercrime was instead costing us approximately $1 trillion per year. I wonder which one is right? It’s a conundrum, indeed.

For years, I have watched these sorts of global cost estimates travel across the wire, and yet I have found little use of the information because the data points are, with absolute certainty, all over the board.

Nowadays I simply ignore these ‘informationals’ when they cross my path—long term exposure to them has desensitized me. However, these changes would not have occurred if our industry was desensitizing our target audience with inaccurate information.

The moral of this story—we as security professionals need to focus on relaying relevant information to the rest of the world and to do so as accurately as possible. There is no room for guessing games in our industry.