Internet Theft and the Holidays
As many of you know, when I am not protecting people and their businesses, I’m often out taking pictures. My camera of choice has been the Nikon d300, which is over five years old now. As with all technology, when cameras age, they become increasingly unreliable and it became apparent over a year ago that my camera was experiencing legacy issues. The weather protection was weakening, the sensor was starting to fail and the batteries were draining faster and faster. If I am going to practice what I preach, it was time to ruthlessly eradicate legacy.
“Ruthlessly eradicate legacy” is one of my mantras when it comes to infrastructure management. Older systems take a surprising amount of resources to maintain and use. Modern technology is easier to update, cheaper to operate and easier for people to use. It also has modern features that can drastically improve capabilities. With servers, this means killing all that no longer get updates (Windows 2000, for example). With cameras, it means time to say goodbye to my old friend and look at other options.
This is not a camera post, however, so I’ll cut short the decision process and say that I settled on a d800 or d800E. For my purposes, there are no differences, so I went out looking for a good deal. After all, Black Friday is coming and now is the time to look for electronics. This, however, is where the story gets interesting.
In doing my research, there were indications that while camera accessories go on sale periodically, the high-end camera bodies and lenses I like only drop in price when a successor comes out. This means I’m stuck at the high end unless I buy used. Moreover, in the Nikon world, warranty is a huge factor and is significantly reduced when you buy used, so it only makes sense to look at that option if you are going to save over 20% off the purchase price.
Which is why, when I found a d800E on Amazon, I got a little excited. In fact, I got a little too excited. I almost got scammed.
The list price on a new d800E is $3,299.99 (which is why my d300 got to be five years old before I considered a replacement), but this camera listed on Amazon.com was just $1,836.73. 56% off is clearly a better deal than 20% … but the deal is a little too good. In fact, it’s so good that a lot of people are going to leap on the deal, so I had to move fast.
Or did I?
See, the deal was too good. I got suspicious. Luckily, the seller had a note in their little logo icon that said to email with questions, so I did… not before I did a bit of research, though.
In the News
Here are three security articles we found rather interesting this week.
Researcher Wows Black Hat with NFC-based Smartphone Hacking Demo (CIO)
Accuvant Labs researcher Charlie Miller has figured out how to break into the Google/Samsung Nexus S and the Nokia 9 smartphones by using Near Field Communication (NFC).
“I can read all the files,” said Miller about how he managed to break into the Nokia 9 when his home-made NFC-based device is in very close proximity to the targeted smartphone. “I can make phone calls, too.” Vulnerabilities he identified in the Android-powered Nexus S were located in the browser surface, he said.
The truth behind those Nigerian 419 scammers (TechRepublic)
419 Advanced Fee Fraud (also known as the Nigerian 419 scam) is still being used quite frequently to steal money from gullible victims via fraudulent emails. But are these emails really coming from Nigeria, or are they perpetrated by attackers from other countries?
Researchers from the University of Ibadan found the following IP locations within 400 scam emails tested:
The Wisconsin Department of Revenue: A Bargain for the Identity Theft Collective (The Huffington Post)
Adam Levin of Credit.com wrote an interesting story documenting Wisconsin’s complete inability to secure public information.
Last week, the Wisconsin Department of Revenue revealed that it had accidentally made public 110,795 Social Security numbers and tax ID numbers of Wisconsin residents. The numbers were mistakenly embedded in a real estate report and posted to the department’s website for almost three months before being removed.
This is the fourth time since 2006 that Wisconsin state agencies have been involved in the public release of Social Security numbers.
A Simple Lesson in Protecting yourself against Malware
We see the stories in the news each and every day.
Malware hit Android. Malware took advantage of known flaws in Windows. Source code was released for a new family of malware. The thing is … none of this is really news.
I’ll make it simple for you. You can ignore all the rest of the malware stories that come out this year if you remember the following points:
- Attackers get better day-by-day. After all, if they didn’t, they’d lose.
- As defenders, you must also get better day by day. If you don’t, you’ll lose.
- Since we can’t control what the attackers do, the best you can do is play to not lose. This means:
1) Harden your systems (patch them, check users/passwords, remove unneeded software).
2) If you can’t harden your systems, get rid of them.
3) If you can’t harden your systems or get rid of them, implement compensating controls and understand where the gaps leave you exposed.
4) If you can’t do any of these three, get help. Sorry to toot my own horn here, but this is what we specialize in. You don’t need to be perfect, you just have to be getting better a bit faster than the attackers do.
5) If you can’t get help, give up. Just post your banking credentials, customer list and passwords on your website. The attackers are going to get them anyway. If you’re not going to protect yourself, just give up and enjoy the ride down as best you can.
A client shows that Macs are not as safe as you think
A common misconception among Mac users is that their Apple products are immune from malware and security issues often seen in Microsoft products. A decade ago, this was pretty much true. Mac OS had a streamlined approach to security that was difficult to crack, but more importantly, Apple users were massively dwarfed by Microsoft and weren’t worth the time to target. Hackers wanted the easy score, not something they actually had to work at. Unfortunately, many Mac users still believe they’re impervious to threats, but they are ignoring two major changes in the computer landscape.
1) After years of abuse, and rightfully so, Microsoft has now surpassed Apple in terms of protection. Since the Windows Vista introduction in 2007, their OS has employed “address space layout randomisation (ASLR) which is implemented so as to obscure most of what an attacker needs to conduct, for example, shell code injection attacks.” Despite acquiring ASLR in 2007, Mac OS has yet to implement this same degree of protection.
2) Apple has seen fabulous growth in the personal computer market. In 2003, Apple had just 2.06% of the desktop computer market. Just five years later, that number was at 14% and has now diversified further with the advent of the hugely popular iPhone and iPad. Not surprisingly, Mac OS malware has grown in excess of 200% in the last three years!
Unfortunately, many companies are ignorant to this environmental shift and still assume their Macs are as secure as ever. Take for instance an advertising agency we recently consulted with. This agency employs over 50 individuals and boasts several Fortune 500 accounts. Like many ad firms, Macs are their computer of choice.
Recently, one of their biggest clients had a security breach that originated from the agency office. The agency and client shared a portal where they frequently transferred images, files and documents. Besieged by a nasty piece of malware, the portal was rendered unusable.
What the agency didn’t realize is their Mac computers were hosting Windows-based malware. While the malware had zero effect on their Mac computers, it ran amok on the client’s Microsoft desktops after it was unknowingly transferred through the portal. This issue is prevalent in many Mac environments. According to Sophos, “A 100,000 strong snapshot of the millions of Mac computers which have recently downloaded Sophos’s free Mac anti-virus software, revealed that 20% of Mac computers were carrying one or more instances of Windows malware.”
Needless to say, if the agency realized that their fleet of Mac computers weren’t secure and at the very least invested in Sophos’ free Mac anti-virus software, this entire scenario would have never happened. If you are a Mac user or your company runs a Mac-based operation, please do us all a favor and download the aforementioned free anti-virus software. And if you really want to make sure all your bases are covered, give us a buzz and we’ll set you up with a free security review as well.
Sophos Apple Resources:
Download Sophos’ free Mac anti-virus software.
1 in 5 Macs has malware on it. Does yours?
Are Macs safer than PCs?
Last.fm leaks passwords
LinkedIn wasn’t the only major web presence with a security breach last week. Popular streaming music service, Last.fm, sent out emails this weekend to their 40+ million subscribers regarding a password breach and were quick to point out the breach only affected a “small fraction” of users and that “this follows recent password leaks on other sites …” I suppose if everyone else is doing it, you might as well join in on the fun!
As a Last.fm user, I received one of their customer emails. Unfortunately, it went straight to my Spam box and I didn’t see it until this morning. Here’s what it said:
Much like the LinkedIn breach, the same rules for changing your password that Josh outlined last week apply with Last.fm. In case you missed his post, read it here. Otherwise, here are Josh’s tips for creating a strong password:
- Change your password to something random, long and complex… at least 20 characters.
- Do not use this password anywhere else.
- If you don’t remember these sorts of passwords easily, use a tool like KeePass, LastPass or 1Password.
- If you are responsible for the security of others, get them to change their passwords too.
Isn’t that easy? Now go and change your Last.fm password and your LinkedIn one, too, if you haven’t already done so. And if you’re looking for love via eHarmony (data breach last Wednesday), change that password, as well!
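The password tips above, turned into a small generator and audit, as an added example that is not part of the original post. The function names, the four-character-class reading of "complex" and the sample entries are assumptions made for illustration.

```python
import secrets
import string

MIN_LENGTH = 20  # the post's minimum: "at least 20 characters"
# Assumption: "complex" means lower, upper, digit and punctuation all appear.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def is_complex(pw):
    """True when every character class is represented in pw."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


def generate_password(length=MIN_LENGTH):
    """Return a random password drawn from the OS CSPRNG via `secrets`."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Resample rather than patch characters in, so the result stays
        # uniformly random over all passwords that satisfy the rule.
        if is_complex(candidate):
            return candidate


def audit(passwords_by_site):
    """Return {site: [problems]} for entries that break the tips above."""
    sites_by_password = {}
    for site, pw in passwords_by_site.items():
        sites_by_password.setdefault(pw, []).append(site)
    findings = {}
    for site, pw in passwords_by_site.items():
        problems = []
        if len(pw) < MIN_LENGTH:
            problems.append("shorter than 20 characters")
        if not is_complex(pw):
            problems.append("missing a character class")
        if len(sites_by_password[pw]) > 1:
            problems.append("reused on another site")
        if problems:
            findings[site] = problems
    return findings


# Constructed sample data, not real credentials.
SAMPLE = {"last.fm": "summer2012", "linkedin": "summer2012",
          "eharmony": generate_password(24)}

if __name__ == "__main__":
    for site, problems in audit(SAMPLE).items():
        print(site, "->", ", ".join(problems))
```

A password manager such as the ones named in the list does the generation step for you; the audit half is the part worth running over an exported vault.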