Showing posts with label Security Advice. Show all posts

Saturday, August 16, 2014

Facebook’s Browser-spying Campaign

Facebook using the browsing data of its members to target the ads of its advertising partners

Facebook, used by billions, is sharing its users' online behavior in ways it previously said we could opt out of.

As Venture Beat reports, anytime a Facebook user visits a site with a "Like" button (any site, not just a Facebook page), that visit is stored by Facebook and used to better target the ads of its advertising partners. No need for the user to actually click the Like button. The page visit is enough to trigger the storage of user data.

I actually tested this by visiting several types of websites I've never visited before. Lo and behold, I started seeing ads for associated items on my Facebook page.

There are a few tools that allow you to block sites like Facebook from inserting tracking code into your browser. Learn about them here.

Monday, November 25, 2013

4 Easy Steps To Protect Your Identity

Four major areas of your daily life are frequently used as gateways into your private data. Protect those areas!

It's no secret that the damage caused by a single identity fraud event can take years to fix. Many consumers don't even discover they have been affected until months after the attack occurs. In fact, identity fraud is the fastest growing crime in the world, costing billions of dollars annually.

So what should we do? The ubiquity and anonymity of the Internet, coupled with the old-fashioned method of stealing identities via "dumpster-diving", make this problem unmanageable for average folks, right? Wrong.

There are four major areas of your daily life that are frequently used as gateways into your private data. Paying attention to them can help you stay safe from the bad guys.

Tactic #1: Guard Your Mail.

Pay attention to your physical mailbox to reduce the chance of being victimized. The mail system has been vulnerable since the days of wagon trains and stage-coaches.

Action Steps:

1) Never use the red flag on your mailbox. It notifies potential thieves that there may be something of value left unattended in the box.

2) Lock your mailbox if possible. Fraudsters look for checks, parcels and other valuables in unattended mailboxes.

3) Place your outgoing mail in a mailbox inside post offices whenever possible. Outdoor mailboxes are magnets for mail thieves and mischief-makers.

Tactic #2: Guard Your Unique Personal Information.

Your personal data points are often referred to by the acronym SNAPD, which stands for SSN, Name, Address, Phone, and Date of birth. Our SNAPD elements are the "coins of the realm" in the financial underworld and your Social Security Number (SSN) is the Holy Grail.

Action Steps:

1) Never share your SSN, name, address, phone numbers, or date of birth with others unless absolutely necessary.

2) Only share your SNAPD information when it is mandatory. Healthcare, government and financial services organizations will often require these details, but you would be amazed how little NPPI (Non-Public Personal Information) you can share without causing a fuss.

3) Paper shredders are crucial. All SNAPD info (at home and in the office) should be disposed of in a nice cross-cut shredder.

Tactic #3: Guard Your Payment Tools.

You would never think of leaving any significant amount of cash out in the open and unguarded, so why leave your checks, credit or debit cards exposed? Check fraud is an old yet extremely prevalent practice. Credit and debit cards look similar but are governed by different laws, responsibilities, and remedies. Keep in mind that a debit card puts your own funds at immediate risk, unlike the risks associated with credit card fraud.


Action Steps:

1) Guard your checkbook, credit, and debit cards and closely examine your monthly statements for unauthorized charges (even tiny ones). By promptly reporting any discrepancies, you let your financial institution investigate, minimize or correct any damage done.

2) Regularly review your credit report.


Tactic #4: Protect Your Computer(s).

Apply protection controls not only to your desktop, notebook or tablet, but also to your smartphone. According to a study from the Pew Research Center's Internet & American Life Project, 56% of Americans now own a smartphone, a new demographic referred to as "The Mobile Majority".


Action Steps:

1) Install and frequently update anti-virus and anti-malware protection on all devices, including smartphones.

2) Create passwords with at least 9 alphanumeric characters, and change them every 6 months. Consider using encryption on all your devices.

3) Exercise good data privacy habits by locking your devices, surfing and downloading safely, and guarding the physical security of each machine.

Monday, September 30, 2013

Beta Bot: A New Trend in Cyber-Attacks

Beta Bot Malware Blocks Users' Anti-Virus Programs

A new warning about malware designed to target payment platforms highlights why anti-virus software is increasingly ineffective at preventing account compromises. And while this new Trojan is not yet targeting online-banking accounts, financial institutions should be aware of the threat. The malware is another example of how fraudsters are increasingly getting around standard modes of authentication, such as usernames and passwords.

The Internet Crime Complaint Center and the Federal Bureau of Investigation recently issued an advisory about Beta Bot, the new malware that targets e-commerce sites, online payment platforms and even social networking sites to compromise log-in credentials and financial information.

When Beta Bot infects a system, an illegitimate but official-looking Microsoft Windows message box named "User Account Control" pops up, asking the user to approve modifications to the computer's settings. "If the user complies with the request, the hackers are able to exfiltrate data from the computer," the advisory states. "Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites."

Beta Bot defeats malware detection programs because it blocks access to security websites and disables anti-virus programs, according to IC3. "This is a good demonstration of how fraudsters' methods are evolving constantly. They are coming up with sophisticated methods that appear so convincing, even people who typically would not fall for their schemes may do so."

Beta Bot's attacks also resemble the ransomware attacks that coupled the banking Trojan known as Citadel with the drive-by virus known as Reveton, which seized consumers' computers and demanded ransom, purporting to be from the FBI.

IC3 and the FBI warn that if consumers see what appears to be an alert from Microsoft but have not requested computer setting modifications from the company, they have likely been targeted for a Beta Bot attack. If infected, running a full system scan with up-to-date anti-virus software is recommended. And if access to security sites has been blocked, then downloading anti-virus updates or a new anti-virus program is advised.
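The advisory says Beta Bot blocks access to security websites but not how it does so. As an added example (not from the post or the IC3 advisory), the script below assumes one common technique, rewriting the hosts file so that vendor domains resolve to a loopback or unspecified address, and audits a hosts file for such entries so that blocked update and download sites can be spotted before trying to reinstall anti-virus. The hosts content and the vendor watch-list are constructed for the example.

```python
import ipaddress

# Constructed watch-list: well-known anti-virus and update domains chosen
# for the example, not a list taken from the advisory.
WATCHED_DOMAINS = (
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "microsoft.com",
    "windowsupdate.com",
)

# Constructed hosts-file content: legitimate localhost and intranet entries,
# a commented-out line, and three entries that sinkhole vendor domains.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.corp.example   intranet
# 0.0.0.0 commented.symantec.com
127.0.0.1       liveupdate.symantec.com www.symantec.com
0.0.0.0         update.microsoft.com
::1             www.kaspersky.com
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring blank lines and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, skip it
        for host in fields[1:]:
            yield ip, host.lower()


def is_sinkhole(ip):
    """True for loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) targets."""
    return ip.is_loopback or ip.is_unspecified


def matches_watchlist(host, watched=WATCHED_DOMAINS):
    """True if host equals a watched domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watched)


def find_blocked_security_sites(hosts_text, watched=WATCHED_DOMAINS):
    """Return the entries that send a watched domain to a sinkhole address.

    'localhost' mapping to loopback is normal and is never reported because
    it is not on the watch-list; only watched domains count.
    """
    findings = []
    for ip, host in parse_hosts(hosts_text):
        if is_sinkhole(ip) and matches_watchlist(host, watched):
            findings.append({"ip": str(ip), "host": host})
    return findings


if __name__ == "__main__":
    for f in find_blocked_security_sites(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {f['ip']} -> {f['host']}")
```

On a real machine, read the system hosts file (for example C:\Windows\System32\drivers\etc\hosts on Windows) and pass its text to find_blocked_security_sites.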

Monday, September 23, 2013

How To Reduce Application Security Risk?

Survey shows serious misalignment between IT Executives & Engineers

Ponemon Institute independently surveyed 642 IT professionals in both executive and engineering positions. The majority of the respondents were at a supervisory level or higher. Over half of the respondents are employed by organizations of more than 5,000 employees.

Based on the responses, the primary finding is that a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes.

This is a serious and potentially dangerous misalignment. Another troubling conclusion is that most organizations are only taking minimal steps to address application security throughout their development process.

The most effective way to reduce application security risk is to implement a formal, repeatable development process that includes secure coding standards to enable the early detection and remediation of vulnerabilities.

Mature organizations tend to have highly effective application security programs that include the three pillars of a secure SDLC:

  • Application Security Standards
  • Regular Security Assessments for measurement
  • Training for each role in the SDLC

The mature organizations share common characteristics by:

  • Writing and adopting security architecture and development standards.
  • Training their development teams on application security topics based on role, platform, and technology used.
  • Conducting regular assessments on their applications and processes to make sure the implementation of standards is effective.
  • Ensuring that their executives, technicians and staff understand the importance of application security as part of the organizations’ overall risk management strategy and collaborate on ensuring the practices described above are in place.

Saturday, September 7, 2013

5 Quick Lessons on Privacy

Privacy Matters: How Easily Could Someone Hack Into Your Life?

Being diligent about your personal privacy is a learned behavior. Often the best way to practice is to take a closer look at the every-day activities in which you and your friends, colleagues and family members take part. 

Below are some quick-hit resources that serve as good reminders of the privacy threats we are exposed to each day.

Saturday, August 31, 2013

Cybersecurity is a never-ending Tom and Jerry cartoon

The Coming Wave of Security Startups

The threat from cyber-intrusions seems to have exploded in just the last 18 months. Mainstream media now report regularly on massive, targeted data breaches and on the digital skirmishes waged among nation states and cybermilitants. Unlike other looming technical problems that require innovation to address, cybersecurity never gets solved.

The challenges of circuit miniaturization, graphical computing, database management, network routing, server virtualization, and similarly mammoth technical problems eventually wane as we tame their complexity. Security is different: like antibiotic-resistant bacteria, attackers adapt to our defenses and render them obsolete. As in most areas of IT and computing, innovation in security springs mostly from startup companies. Larger systems companies like Symantec, Microsoft, and Cisco contribute to the corpus of cybersecurity, but mostly acquire their new technologies from startups.

Government agencies with sophisticated cyberskills tend to innovate more on the offensive side. Anyone looking to found or invest in one of those small security companies destined for success should focus on the tsunami of change rocking the IT world known as cloud computing.

According to Forrester, the global market for cloud computing will grow more than sixfold this decade, to over a quarter trillion dollars. Cloud security, as it is known, is today one of the less mature areas of cloud computing, but it has already become clear that it will become a significant chunk of that vast new market. A Gartner report earlier this year predicted that the growth of cloud-based security services would overtake traditional security services in the next three years. Just like other software products, conventional security appliances are being replaced by cloud-based alternatives that are easier to deploy, cheaper to manage, and always up-to-date.

Cloud-based security protections can also be more secure, since the vendor can correlate events and profile attacks across all of its customers’ networks. This collaborative capability will be critical in the coming years as the private sector looks to government agencies like the National Security Agency for protection from cyberattacks. The cloud also enables new security services based on so-called big data, which could simply not exist as standalone products.

Companies like SumoLogic can harvest signals from around the Web for analysis, identifying attacks and attackers that couldn’t be detected using data from a single incident or source. These new data-centric, cloud-based security products are crucial to solving the challenges of keeping mobile devices secure. Most computers shipped today are mobile devices, and they make juicier targets than PCs because they have location and payment data, microphones, and cameras. But mobile carriers and employers cannot lock down phones and tablets completely because they are personal devices customized with personal apps. Worse, phones and tablets lack the processing power and battery life to run security processes as PCs do.

Cloud approaches to security offer a solution. Software-as-a-service security companies like Zscaler can scan our mobile data traffic using proxies and VPNs, scrubbing it for malware, phishing, data leaks, and bots. In addition, startups like Blue Cava, Iovation, and mSignia use big data to prevent fraud by fingerprinting mobile devices. Cloud security also involves protecting cloud infrastructure itself. New technologies are needed to secure client data inside cloud-based services against theft or manipulation during transit or storage.

Eventually it should become possible for cloud computing customers to encrypt and destroy data using their own encryption keys. Until they do, there is an opportunity for startups such as CipherCloud and Vaultive to sell encryption technology that is used by companies over the top of their cloud services to encrypt the data inside.

Lastly, cloud security also includes protecting against the cloud, which enables creative new classes of attack. For example, Amazon Web Services can be used for brute-force attacks on cryptographic protocols, like the one a German hacker used in 2010 to break the NSA's Secure Hashing Algorithm. Attackers can use botnets and virtual servers to wage distributed denial of service attacks, and bots can bypass CAPTCHA defenses by crowdsourcing the answers. Cloud-based attacks demand innovative defenses that will likely come from startups.

For example, Prolexic and Defense.net (a company Bessemer has invested in) operate networks of filters that buffer their clients from cloud-based DDoS attacks. Cloud computing may open up enormous vulnerabilities on the Internet, but it also presents great opportunity for innovative cybersecurity. In the coming decade, few areas of computing will be as attractive to entrepreneurs, technologists, and investors.

Friday, August 30, 2013

Top 5 Tools Every Security Professional Must Learn

5 basic tools for security professionals

As the role of the information security professional continues to evolve within organizations towards that of an executive level position, we see a growing emphasis on traditional business administration skills over the more technical skills that previously defined the top security leadership job.

Nonetheless, Information Security Professionals need to keep abreast of the latest down-in-the-weeds tools and technologies that can benefit their organization’s security posture, as well as those tools that are widely available which could be misused by malicious actors to identify and exploit network security weaknesses.

ToolsWatch is a free interactive service designed to help auditors, penetration testers, and other security professionals keep their ethical hacking toolbox up to date with the latest and greatest resources.

ARMITAGE

Metasploit has over the years become the best framework for conducting penetration tests on network systems and IT infrastructure. Armitage is an open source effort to bring a user-friendly interface to Metasploit.

Armitage demonstrations are very convincing and allow you to analyze weak and vulnerable machines in a network in just a few clicks. This tool has brilliantly hidden the complexity of Metasploit (for a non-technical audience) in favor of usability, and is a great way to demonstrate the defense in depth of an IT architecture.

HASHCAT

There is a constant battle between security folks and users when it comes to passwords. Although it is simple to deploy a password policy in a company, it is very difficult to justify it to users.

From the users' perspective, in a perfect world the best password would be the name of the family cat with no expiration date, and this applies to any system that requires authentication.

Hashcat has shown that a strong password must be selected carefully, and the tool lets us demonstrate the ease with which a password can be recovered.

WIFITE

You know what you have connected to when using your hardwired network, but have you ever wondered whether the air is playing tricks on you? Wifite offers the simplest way to test your WiFi security.

Wifite allows the discovery of all devices that have wireless capability enabled by default (like some printers, for example). Wifite is a very simple and convincing way to validate the security of wireless networks.

WIRESHARK

Known for many years as Ethereal, Wireshark is probably the best tool when it comes to sniffing for and collecting data over a network.

Wireshark has boosted its capabilities with support for several types of networks (Ethernet, 802.11, etc.) and is simple to use through a very friendly user interface.

Wireshark makes it easy to demonstrate that outdated protocols such as Telnet and FTP should be banned from a corporate network, and that sensitive information should be encrypted so it cannot be captured by a malicious user.
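The point Wireshark makes about Telnet and FTP, as an added example that is not part of the original post or the Wireshark project: a small detector that walks captured TCP segments, reassembles the FTP and Telnet login exchanges, and reports which flows carried a login in the clear (recording that a password was seen, never the password itself). The capture, the addresses and the port-to-protocol table are constructed for the example.

```python
from collections import defaultdict, namedtuple

# Ports whose protocols carry logins in the clear; Wireshark shows these
# same bytes in its packet details, the script only automates the check.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}
IAC = 0xFF  # Telnet "interpret as command" byte

Segment = namedtuple("Segment", "src sport dst dport payload")

# Constructed capture: an FTP login, a Telnet login typed one keystroke at
# a time (with server echo and option negotiation), and a TLS segment that
# is ignored because port 443 carries no cleartext protocol.
SAMPLE_CAPTURE = [
    Segment("10.0.0.9", 21, "10.0.0.5", 50110, b"220 ftp ready\r\n"),
    Segment("10.0.0.5", 50110, "10.0.0.9", 21, b"USER alice\r\n"),
    Segment("10.0.0.9", 21, "10.0.0.5", 50110, b"331 Password required\r\n"),
    Segment("10.0.0.5", 50110, "10.0.0.9", 21, b"PASS hunter2\r\n"),
    Segment("10.0.0.9", 23, "10.0.0.7", 50200, bytes([IAC, 253, 24]) + b"login: "),
    Segment("10.0.0.7", 50200, "10.0.0.9", 23, b"b"),
    Segment("10.0.0.9", 23, "10.0.0.7", 50200, b"b"),
    Segment("10.0.0.7", 50200, "10.0.0.9", 23, b"ob\r\n"),
    Segment("10.0.0.9", 23, "10.0.0.7", 50200, b"ob\r\nPassword: "),
    Segment("10.0.0.7", 50200, "10.0.0.9", 23, b"letmein\r\n"),
    Segment("10.0.0.5", 50300, "192.0.2.44", 443, b"\x16\x03\x01\x00\xf4\x01"),
]


def strip_telnet_iac(data):
    """Remove Telnet option negotiation so only the typed text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] in (251, 252, 253, 254):
            i += 3                    # IAC WILL/WONT/DO/DONT <option>
        elif i + 1 < len(data) and data[i + 1] == IAC:
            out.append(IAC)           # escaped literal 0xFF
            i += 2
        else:
            i += 2                    # any other two-byte IAC command
    return bytes(out)


def group_flows(segments):
    """Map (client, server, port) -> ordered list of ("c2s"|"s2c", payload)."""
    flows = defaultdict(list)
    for s in segments:
        if s.dport in CLEARTEXT_PORTS:
            flows[(s.src, s.dst, s.dport)].append(("c2s", s.payload))
        elif s.sport in CLEARTEXT_PORTS:
            flows[(s.dst, s.src, s.sport)].append(("s2c", s.payload))
    return flows


def ftp_login(messages):
    """FTP sends USER and PASS as plain commands; return (user, password_seen)."""
    user, password_seen = None, False
    text = b"".join(p for d, p in messages if d == "c2s").decode("latin-1")
    for line in text.splitlines():
        cmd, _, arg = line.strip().partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS":
            password_seen = True      # note the fact, never store the secret
    return user, password_seen


def telnet_login(messages):
    """Pair the server's login/password prompts with what the client types."""
    user, password_seen, state, buf = None, False, None, b""
    for direction, payload in messages:
        text = strip_telnet_iac(payload)
        if direction == "s2c":        # a prompt starts a new field
            if b"login:" in text.lower() or b"username:" in text.lower():
                state, buf = "user", b""
            elif b"password:" in text.lower():
                state, buf = "pass", b""
        elif state is not None:       # collect keystrokes until end of line
            buf += text
            if b"\r" in buf or b"\n" in buf:
                value = buf.replace(b"\r", b"\n").split(b"\n")[0].decode("latin-1")
                if state == "user":
                    user = value
                else:
                    password_seen = bool(value)
                state = None
    return user, password_seen


def find_cleartext_logins(segments):
    """Return one finding per FTP/Telnet flow in which a login was observed."""
    findings = []
    for (client, server, port), messages in group_flows(segments).items():
        proto = CLEARTEXT_PORTS[port]
        user, pw = ftp_login(messages) if proto == "FTP" else telnet_login(messages)
        if user is not None or pw:
            findings.append({"protocol": proto, "client": client,
                             "server": server, "user": user, "password_seen": pw})
    return findings
```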

SOCIAL ENGINEERING TOOLKIT (SET)

SET is a framework that helps in the creation of sophisticated technical attacks that exploit human credulity. It can be used to prepare a phishing attack mimicking a known website or to trap PDF files with an appropriate payload. Its ease of use via an intuitive menu makes it an even more attractive tool.

It is the dream of every CISO to drive security awareness campaigns without ruining the security budget. With SET, the team in charge of security audits can design attack scenarios and distribute them internally to the targeted users.

Thursday, August 15, 2013

10 easy ways to reduce security headaches in a BYOD world

How can you improve security "Old School style" in a BYOD world?

Security is a huge concern when it comes to BYOD. Here are several steps you can take to protect your network and keep your organization's data safe. 

You're about to officially allow Bring Your Own Device (BYOD) in your organization. Understandably, you're concerned with the security of your network and data. With all those unknown variables entering the mix, how will you safeguard your company and keep sensitive data from falling into the wrong hands?

To put your mind at ease, you need to tackle BYOD with an eye toward security. This means policies and plans must be put into place. With BYOD, you can't always think in the same way you do with standard networking. Here are 10 ideas that might help you get through this transition.

1: Secure your data
Before you allow any non-company devices onto your network, you need to make sure your data is secure. This should go without saying, but if you have sensitive data on open shares, you're asking for trouble. Every network administrator must know the company's data is secure. But if you are about to open the floodgates to BYOD, this must be a priority.

2: Tighten your network security
Just as you've secured your data, you must make sure your network security is rock solid. Do not rely on Windows Firewall to secure your data -- you need to deploy an actual, dedicated device (such as SonicWALL, Cisco, or Fortinet) to handle network security. Pay close attention to making sure the outside world is carefully locked out of your network. With all of those new devices coming in -- and the possible security holes they can create -- you must make sure you have a solid network security plan in place.

3: Implement a BYOD antivirus/anti-malware policy
Any device running an operating system that is susceptible to viruses must be running a company-approved antivirus solution. For devices that do not run a vulnerable platform (Android, iOS, Linux), make sure those users are not passing along suspect files to fellow workers (or customers). To that end, you can still require these users to install and use an antivirus solution to check all outgoing files for signs of infection.

4: Mandate encryption
If your BYOD users will be sharing data from outside your secured LAN, you should require them to use some form of encryption. This might mean any application that stores data on the device will require its own password to gain access to that data (this is on top of the device password). Also, if users are storing company passwords on the device, those passwords must be protected under a layer of encryption.

5: Take advantage of mobile application management (MAM)
You have to know what applications are being used on your network. This doesn't mean you have to prevent users from accessing Facebook or playing games (that's your call, of course). But you must make sure any application being used isn't a threat to the security of your company data. Some devices, like Android, allow you to side-load applications, so any application not on the Google Play Store can be installed. You want to make sure one of your employees isn't inadvertently letting a sniffer or port scanner loose on your network.

6: Require apps like Divide
There are apps out there, like Divide, that do a great job of placing a barrier between your personal and work data. In fact, Divide provides completely separate desktops, so the user can make no mistake. Gaining access to the business side of Divide requires a password -- as well as simply knowing how to gain access to that (mostly) obfuscated desktop.

7: Require multi-layered password protection

You must require all devices to be password protected. But just having a single password to gain access to the device isn't enough. Any application, folder, or file that houses company data must also be password protected. Though it might be an inconvenience, the more password protection those mobile devices have, the safer your data will be. At the same time, you should make sure that users do NOT have passwords (such as those for company VPNs) stored on the machine, unless they are stored in an application that keeps them encrypted and requires a password to open.

8: Implement company-wide phone wipe

If your users want BYOD, they have to be willing to sign on to a plan that gives you the power to wipe their phone if it's lost or stolen. Though this should be the case with every user (not just those using their devices for work), many don't see the value in making sure their sensitive data can be easily deleted if the phone winds up in the wrong hands.

9: Require use of company wireless when on premises

You know some users will "forget" to connect to your wireless network when they arrive. You do not want them doing business on their carrier network. Make sure all users understand that if they are to use their device on premises, they must use your wireless network. Not only will this help secure your company data, it will allow you to better monitor and control what goes on.

10: Limit device support

If you open your company up to BYOD, you are within your rights to limit that policy to certain devices. Say you only want to open this up to tablets that do not have a carrier (so they are limited to Wi-Fi only) or to a single platform. By doing this, you not only make your job easier, you help keep your company network/data more secure.

Monday, August 12, 2013

Scam Of The Week: "Held For Ransom"

Your Computer Has Been Locked


I would like to alert your users that a particularly effective scam is growing by leaps and bounds recently. It's not new, but it's bursting into mainline cybercrime these last few weeks. The scam takes over the full screen of the PC, stating that the FBI has locked that PC until a fine is paid. The PC may look locked down, but it was a cyber criminal who did that, not the Feds.

What to do: Do NOT PAY

This is malware on the PC. Treat it like malware and clean that system. The bad guys have found this is a scam that works really well for them. Scared PC users are often willing to pay hundreds of dollars to avoid getting in hot water with the FBI.

More than $5 million per year is extorted from victims. If it's a PC in the office, call IT. If it's a PC at the house, here is a video from security company Symantec on how to remove this for free: http://www.youtube.com/watch?v=_dKBXeoLIFo.

Wednesday, August 7, 2013

DDoS Security Checklist

Help, I am under DDoS! What should I do?

DoS or Denial of Service is an attempt to make a machine or network resource unavailable to its intended users. When such a DoS is carried out by a large number of attack sources, it is called DDoS or Distributed Denial of Service.

Basic types are:

  • Consumption of computational resources
  • Disruption of configuration information
  • Disruption of state information
  • Disruption of physical network
  • Disruption of the communication media between the victim and its intended users.

How can I prevent DDoS?

While it would be incorrect to say that DDoS attacks can be prevented, the impact can be mitigated and even thwarted if your IT infrastructure is sufficiently hardened, distributed and secured. We have listed some of the preventive steps below:

  • Use rate-limiting in firewalls, routers, load balancers and other network perimeter devices.
  • Enable TCP SYN cookie protection.
  • Test your applications and deployment architecture for DoS vulnerabilities and fix them.
  • Conduct regular configuration audits of your perimeter devices.
  • Use updated software/firmware.
  • Use updated anti-virus and regularly check for malware and bots on your systems. (This way you are less likely to contribute to DDoS on others.)
  • Use multiple ISPs or hosting providers for redundancy.
  • Maintain a backup site for quick switchover.
  • Install or configure network monitoring systems which can alert you as soon as any DDoS hits.
  • Check with your ISPs or hosting providers how they handle DDoS and be aware of financial implications in case you are hit with a massive DDoS.

Dealing with a DDoS underway is incredibly difficult. The first step should be to try to understand the type and source of the attack. Understanding the attack type greatly helps in effectively dealing with the attack. Some of the things that you may consider are:

  • Blackholing and sinkholing of the attack traffic.
  • Enable rate-limiting in firewalls, routers, load balancers and other network perimeter devices.
  • Obtain a new IP address or range from your ISP or hosting provider if the attacker is targeting an IP address or range. If you have multiple ISPs then try switching your primary ISP.
  • Switch to something like Akamai, Cloudflare or Incapsula who have known expertise to handle DDoS.

What to do after the incident?

  • Conduct a root cause analysis and ensure that no malicious activity other than the DDoS took place on your servers.
  • If blackholing or sinkholing was applied, restore normal routing.
  • If any of the preventive measures listed above are missing, consider implementing them to be better prepared.
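The checklist's rate-limiting and monitoring items, as an added example that is not part of the original post: a sliding-window monitor that alerts when the request rate jumps well above a baseline and names the top sources, beside a per-source token-bucket limiter of the kind perimeter devices implement. The log format, the baseline of 20 requests per second, the alert factor, the bucket sizes and the traffic itself are all constructed for the example.

```python
import re
from collections import Counter, deque

# Constructed log format: "<unix time> <source ip> <method> <path>".
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+)$")


def parse_line(line):
    """Return (timestamp, source) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    return (float(m["ts"]), m["src"]) if m else None


class SlidingWindowMonitor:
    """Alert when requests in the last `window_s` seconds exceed factor * baseline."""

    def __init__(self, window_s=1.0, baseline_rps=20.0, factor=5.0, top_n=3):
        self.window_s, self.threshold, self.top_n = window_s, baseline_rps * factor, top_n
        self.events = deque()         # (timestamp, source), oldest first
        self.per_source = Counter()   # requests per source inside the window

    def observe(self, ts, src):
        self.events.append((ts, src))
        self.per_source[src] += 1
        while self.events and self.events[0][0] <= ts - self.window_s:
            _, old = self.events.popleft()      # expire events outside the window
            self.per_source[old] -= 1
            if self.per_source[old] == 0:
                del self.per_source[old]
        rps = len(self.events) / self.window_s
        if rps > self.threshold:
            return {"ts": ts, "rps": rps, "top_sources": self.per_source.most_common(self.top_n)}
        return None


class TokenBucket:
    """Per-source limiter: `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate=5.0, burst=10):
        self.rate, self.burst, self.state = rate, burst, {}

    def allow(self, src, ts):
        tokens, last = self.state.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if tokens >= 1.0:
            self.state[src] = (tokens - 1.0, ts)
            return True
        self.state[src] = (tokens, ts)          # no token left: drop the request
        return False


def analyze(lines, monitor=None, limiter=None):
    """Run monitor and limiter over log lines; return (alerts, allowed, dropped)."""
    monitor = monitor or SlidingWindowMonitor()
    limiter = limiter or TokenBucket()
    alerts, allowed, dropped = [], Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src = parsed
        alert = monitor.observe(ts, src)
        if alert:
            alerts.append(alert)
        (allowed if limiter.allow(src, ts) else dropped)[src] += 1
    return alerts, allowed, dropped


LEGIT = [f"10.0.0.{i}" for i in range(1, 11)]
ATTACKERS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]


def build_sample_log(with_attack=True):
    """Constructed traffic: 10 clients at 2 req/s for 3 s, plus an optional
    one-second flood of 100 req/s from each of three sources starting at t=2."""
    events = [(t / 2, ip) for ip in LEGIT for t in range(6)]
    if with_attack:
        events += [(2.0 + k / 100, ip) for ip in ATTACKERS for k in range(100)]
    events.sort()
    return [f"{ts:.3f} {ip} GET /index.html" for ts, ip in events]


if __name__ == "__main__":
    alerts, allowed, dropped = analyze(build_sample_log())
    print(f"first alert at t={alerts[0]['ts']:.2f}s, {alerts[0]['rps']:.0f} req/s, "
          f"top sources {alerts[0]['top_sources']}")
    print("dropped per attacker:", {ip: dropped[ip] for ip in ATTACKERS})
```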

Tuesday, May 21, 2013

Cybersecurity is about more than technology

Securing Supply Chains Beyond Vendors and Service Providers

Securing supply chains is becoming a more crucial aspect of information risk management. But the definition of the supply chain is evolving.

The supply chain, from an IT security perspective, often is perceived as the hardware and software an organization acquires from vendors as well as online offerings furnished by service providers.

According to NIST control SA-12, Supply Chain Protection, organizations use acquisition and procurement processes to require supply chain entities to implement the security safeguards needed to reduce the likelihood of unauthorized modifications at each stage in the supply chain, and to protect information systems and their components before taking delivery of them.

But that's not quite how it works with shadow suppliers. Those running IT and IT security at government agencies and businesses don't always know that a system or component has been acquired. That's because the technology was not acquired through the normal procurement process.

We see organizations acquiring a service such as Dropbox, which allows individuals to easily share documents through a public-cloud service:
Colleagues sitting around a conference table want to share a document, but the document owner, after five attempts, can't access Microsoft SharePoint, a document management system that operates on the internal corporate network.
Frustrated, the document owner uploads the document to Dropbox, where his colleagues can easily access it. Suddenly, Dropbox is a supplier, and the business or government agency doesn't even know it. This is a huge, completely shadowed area of the supply chain.

Of course, NIST offers other controls to deal with cloud services, such as requiring that information stored on the cloud be encrypted for added security. And many organizations have implemented controls to limit or ban the use of employee-owned devices and cloud services, such as Dropbox.

But as long as employees can find better technology than their employers offer, they will concoct ways to use them. Even if there is a policy against doing it, people are naturally doing it anyway, not to be rebellious but just to be more productive.

Organizations must be more agile in developing policies and adopting controls because there are too many choices in the marketplace. Years ago, organizations provided their employees with the best technology; not so today.

Sunday, May 12, 2013

Reputation Is A New Target For Cyber-Attacks

How can organizations protect their credibility in the midst of an incident?

Organizations have to equip themselves much better to deal with this whole attack on reputation. The Information Security Forum recently issued its annual threat report, Threat Horizon: New Danger from Known Threats, which provides recommendations on protecting reputation, an area of high interest to attackers.

Word of a cyber-attack spreads fast these days and that viral impact can be a major issue. Criticism that was levied ... and fueled by social media, disgruntled employees and a whole collection of real viral traffic [causes] a major reputational hit. 

The faster an organization is able to respond, the more it knows about the particular issues that are being raised by hacktivist groups and can say credibly what their position actually is, then the less severe the impact is. 

To ensure they can respond effectively, organizations need to have clear ways of collaborating internally. They have to have honest relationships with the media in order to combat these things, plus an understanding of exactly where things are sitting from a data perspective across their own organizations.

Organizations also have an opportunity to get security and business departments together to get their arms around how they're going to deal with the issue of reputational risk because "it's very real."

Understanding threats is fundamental to enterprise risk management. Every organization needs to evaluate threats within the context of their own business to determine risks. The Information Security Forum advises that one of the key things that was noticed this year is that threats have evolved. Attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous and pose more risks to organizations, simply because they've had that degree of maturing. That increase in the sophistication of the people who are behind the attacks, behind the breaches, has increased significantly.

The Information Security Forum has observed that criminals have developed what it calls "crime as a service," now upgraded to version 2.0, which gives some view of how the forum sees that trend.

It's a real opportunity for security departments and business departments to combine within organizations to get their arms around how they're going to deal with this issue of reputational risk because it's very real and we've seen some examples of it already this year.

Sunday, May 5, 2013

"Likes" provide an incredible amount of insight into our private lives


Your 'Likes' Lead to Snap Judgments, False Assumptions

Much of our online behavior leaves a trail. Sometimes we are aware of it; sometimes we aren't. "Liking" on Facebook (or "+1-ing" on Google+, and all the other clickable options allowing you to show your appreciation for posts) may be one such behavior done with reckless abandon. Often a user will "Like" something only because a friend asked him or her to. These users may not be aware of the picture those "Likes" can paint.

The Wall Street Journal has written a fantastic article that may change mindless "Liking" behavior somewhat. The article highlights a recent study that revealed our "Likes" provide an incredible amount of insight into our private lives. Individually, the "Likes" may not reveal much; but monitored and analyzed over time, they can shed light on very personal, private details. One example:

The researchers found that "Likes" for Austin, Texas; "Big Momma" movies; and the statement "Relationships Should Be Between Two People Not the Whole Universe" were among a set of 10 choices that, combined, predicted drug use.

Whoa. How's that for crazy assumptions? Or scarier, how's that for accuracy? You can bet this research is only the beginning and that the algorithms these researchers used are soon to be commercialized and sold to any number of entities... with any number of intentions.

The takeaway for now? Watch what you "Like," and keep up-to-date on the privacy settings that can prevent others from tracking your online trail. 

TIP

If you use the Chrome browser, you can go "incognito" so that Chrome does not keep many of the online activity trails (such as browsing history and cookies) it would otherwise collect automatically. To do this, press <CTRL><SHIFT><N>. See this Google resource for more information.  

Friday, March 8, 2013

Is It Safe & Secure To Use Free Email Service?

If a government wants to peek into your Web-based e-mail account, it is surprisingly easy, most of the time not even requiring a judge’s approval

Ever wonder what Google has planned for all of the information it's collecting on its users? Well, their intentions may be completely irrelevant. As it turns out, Google has been compelled to hand over its user data to law enforcement at an increasing and alarming rate.

In the second half of 2012, the tech giant received more than 21,000 requests for information, which represents a 70-percent increase over three years. The majority of the requests came from the federal government, which was hoping for a peek into users' email accounts. In most cases, the Feds didn't need a judge's okay.

Google is fighting back, trying to rally support against government access to personal data. In this professional's opinion, however, that's a bit ironic considering Google's own policies on collecting user information.

Just remember, anytime you are using a webmail site like Gmail for communication, understand your email is absolutely not protected and is not private.

Do not send sensitive information or conduct business using these types of free webmail services.

If you must use these sites, gather the emails through an off-cloud software system, like Microsoft Outlook. Then, configure your Outlook settings to delete the emails from Gmail, Yahoo, Hotmail or whatever cloud email service they are coming from, as soon as Outlook downloads them.
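The download-then-delete flow recommended above, written out as an added illustration (not code from the original post): a hypothetical in-memory mailbox stands in for the webmail provider's POP3 endpoint, and the assumed semantics are those of the standard library's poplib (deletions are only marked with DELE and take effect when the session ends with QUIT, so a failed run can RSET and lose nothing).

```python
import email
from email import policy

# Constructed sample messages; the addresses and IDs are placeholders.
SAMPLE_MESSAGES = [
    b"From: a@example.com\r\nTo: me@example.com\r\nMessage-ID: <1@example.com>\r\n"
    b"Subject: hi\r\n\r\nbody one\r\n",
    b"From: b@example.com\r\nTo: me@example.com\r\nMessage-ID: <2@example.com>\r\n"
    b"Subject: invoice\r\n\r\nbody two\r\n",
]


class FakePop3Mailbox:
    """Hypothetical stand-in for a provider's POP3 server; mirrors the
    list()/retr()/dele()/rset()/quit() calls and return shapes of poplib.POP3."""

    def __init__(self, raw_messages):
        self.messages = list(raw_messages)
        self.pending_delete = set()
        self.committed = False

    def list(self):
        listing = [f"{i} {len(m)}".encode() for i, m in enumerate(self.messages, 1)]
        return ("+OK", listing, 0)

    def retr(self, num):
        raw = self.messages[num - 1]
        return ("+OK", raw.split(b"\r\n"), len(raw))

    def dele(self, num):
        self.pending_delete.add(num)  # POP3 only marks; nothing is removed yet

    def rset(self):
        self.pending_delete.clear()  # abort the session: the server keeps everything

    def quit(self):
        # Deletions take effect only when the session ends cleanly (UPDATE state).
        self.messages = [m for i, m in enumerate(self.messages, 1)
                         if i not in self.pending_delete]
        self.pending_delete.clear()
        self.committed = True


def download_and_purge(client, local_store):
    """Copy every message into local_store (keyed by Message-ID), mark it deleted on
    the server, then QUIT so the provider actually drops it.  Any failure before QUIT
    triggers RSET, so no mail is deleted that was not first stored locally."""
    try:
        _, listing, _ = client.list()
        for entry in listing:
            num = int(entry.split()[0])
            _, lines, _ = client.retr(num)
            msg = email.message_from_bytes(b"\r\n".join(lines), policy=policy.default)
            if msg["Message-ID"] is None:
                raise ValueError(f"message {num} lacks a Message-ID; refusing to delete it")
            local_store[str(msg["Message-ID"])] = msg
            client.dele(num)
    except Exception:
        client.rset()
        raise
    client.quit()
    return len(local_store)


if __name__ == "__main__":
    store = {}
    print(download_and_purge(FakePop3Mailbox(SAMPLE_MESSAGES), store), "messages moved")
```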

Wednesday, February 13, 2013

Are In-House App Stores a Must for the Enterprise?

A Do-it-Yourself Approach to Ensuring Mobile Security

As personal mobile devices become ubiquitous in corporate networks - even in organizations without official bring-your-own-device policies - IT and security personnel are implementing new approaches to prevent malware and ensure data integrity. 

One approach beginning to take root is the creation of in-house corporate app stores, where organizations offer users access to custom-built, secure applications designed specifically for that organization, along with access to approved public apps for smart phones, tablets and other personal devices.

Tackling Application Insecurity

With malware infesting the authorized commercial app stores, including the two largest - Google Play for Android and to a lesser extent, the Apple iOS App Store - corporate security and IT executives are exploring new strategies to limit the use of unauthorized applications on devices connected to corporate networks.

IT departments generally do not permit users to install arbitrary applications on corporate computers, but despite the rapid growth in the use of personal devices for work-related tasks, many companies still have not established similar policies for personal devices. 

Companies that opt for a private app store can minimize much of that risk by requiring users to select only from applications that are certified by their employer as safe.

Any suggestions or ideas?

Wednesday, January 30, 2013

ENISA Identifies Top Cyberthreats

What are the emerging threats and vulnerabilities, and how should organizations globally respond to them?

ENISA, the European Union cyber-agency, is out with its first-ever Threat Landscape report.

Drive-by exploits, worms/Trojans and code-injection attacks are the three top cyberthreats to organizations, according to the new Threat Landscape report published by the European Network and Information Security Agency.

The ENISA Threat Landscape provides an overview of threats, together with current and emerging trends. One of the key objectives of this report is to give the information security community a comprehensive look at risks.

It is based on publicly available data and provides an independent view on observed threats, threat agents and threat trends. Over 140 recent reports from security industry, networks of excellence, standardisation bodies and other independent institutes have been analysed. 

Among the top 10 threats identified by the report:

  • Drive-by exploits (malicious code injected to exploit web browser vulnerabilities);
  • Worms/Trojans;
  • Code injection attacks;
  • Exploit kits (pre-packaged software to automate cybercrime);
  • Botnets (hijacked computers used in attacks such as DDoS).

Among technology trends, mobile gets the most attention because that's the platform where users, data and adversaries increasingly converge.

Please refer here to download the report.

Friday, December 14, 2012

NIST Glossary of Infosec Terms

Looking for a gift for your boss who doesn't quite understand information security lingo?

The National Institute of Standards and Technology has one you can give, and it's free. NIST has issued a draft of Interagency Report 7298 Revision 2: NIST Glossary of Key Information Security Terms.

As we are continuously refreshing our publication suite, terms included in the glossary come from our more recent publications. The NIST publications referenced are the most recent versions of those publications. It is our intention to keep the glossary current by providing updates online.

New definitions will be added to the glossary as required, and updated versions will be posted on the Computer Security Resource Center website.

The glossary includes most of the terms found in NIST publications. It also contains nearly all of the terms and definitions from CNSSI-4009, an information assurance glossary issued by the Defense Department's Committee on National Security Systems, a forum that helps set the US federal government's information assurance policy.

NIST is seeking comments and suggestions on the revised glossary, and they should be sent by Jan. 15 to secglossary@nist.gov.

Friday, November 23, 2012

How to Audit Business Continuity

It's Not About the Process; It's About the Plan

Although business continuity is in many ways relatively straightforward, it is not really a technical or scientific discipline compared with security or quality. Auditors need fixed points of reference for comparisons. Standards (in various guises) provide them with a route map to follow. This allows them to check the process, but not really the effectiveness, of the program.

For example, it is easy to check the number of employees who have been through a business continuity management induction, but much more difficult to determine if this has had any impact upon corporate resilience. This factor has often caused full-time BC practitioners to claim that they alone can properly audit a BC plan or program.

There might be some justification for this. An auditor, for instance, could successfully audit a hospital for its compliance against pre-agreed hygiene standards, but would not be credible at determining a surgeon's technical competence at performing a difficult operation. However, few BC practitioners have the formal audit skills that colleagues in internal audit possess.

Many consultants try to gain these skills by undertaking various audit training courses, but often find the concentration on process and compliance frustrating. To be successful in auditing a business continuity program, both professional knowledge of BCM and appropriate audit skills are required.

The goal of a BCM program is to protect the organization, to ensure adequate levels of resilience exist to withstand the consequences of disruptions and to ensure that there is company-wide BCM awareness and operational consistency.  

To continue with the medical analogy, there is little value in a surgeon claiming an operation was a technical success if the patient died of poor aftercare. Similarly, there is little point in an organization gaining BCM certification from a compliance authority if it goes out of business as soon as a serious problem occurs.

Resilience, not process consistency, is the ultimate measure of success. So given these warnings and caveats, what must an auditor do to add value to a BCM program?

First, he or she must understand the business fully. There are some good places to start, such as the company's annual report, to understand missions and values; the external auditors' report, to highlight weaknesses or exposures; as well as risk registers, previous business impact analyses and other available management reports.

It is rarely useful to start with the business continuity plan itself. The second stage is to familiarize oneself with the BCM process that is in place. 

  • Does it follow any recognized standard (internal or external)?
  • How well is it documented? Do people know about it and their role in it?
  • Conducting selective interviews with senior management and other interested parties can help judge how serious they are in supporting BCM.

Remember: A significant budget for commercial IT recovery capability does not in itself demonstrate management commitment to an embedded business continuity culture. Having acquired this level of contextual understanding, auditors can start to ask questions and review the applicability of the responses. 

Many of the questions are basic, but often throw up uncomfortable issues. Typical areas to cover include:

  • Do you have plans for all critical systems, processes and functions, and how do you know which are the most critical?
  • Are the plans accurate, complete and up-to-date? Is the documentation easy to follow in an emergency?
  • Have roles and responsibilities been defined?
  • Are the response strategies devised appropriate to the potential level of disruption?
  • Are the plans tested? If so, how, when and by whom?
  • Are the test results evaluated, lessons learned and plans enhanced?
  • Are the initial response structures well-known and fully tested?
  • Are appropriate communications with external parties defined and tested?
  • If pre-defined alternate locations are designated, do staff know how to access them?
  • Are all critical resources backed up and recoverable?
  • Are personnel trained in their post-incident roles?

The most important thing for the auditor to reflect on is not the documentation, but the resilience capability that can be demonstrated. A poor audit is one in which the auditor treats it as a document review. It is not enough to have a well written plan unless that plan is part of a tried-and-tested process.

Sunday, November 18, 2012

Beware of 12 SCAMS during Christmas

Study investigated behaviours of Americans but it's still relevant to Australians

A Harris Interactive study, conducted online among over 2,300 U.S. adults, investigates the online habits and behaviors of Americans, including those who indicate that they will engage with the Internet and mobile devices while shopping this holiday season.

While Americans have become accustomed to shopping online, and will do so in droves, they are also using their mobile phones for more of their everyday activities.

As 70% of those surveyed plan to shop online this holiday season, a surprising 1 in 4 (24%) of them plan to use their mobile devices, and while aware of the risks, they are willing to give away their personal information if they can get something they value in return.

In fact, despite the fact that 87% of smartphone or tablet owners surveyed are at least somewhat concerned that their personal information could be stolen while using an app on a smartphone or tablet, nearly nine in ten of them are willing to provide some level of personal information in order to receive an offer that is of value to them.

Among those Americans planning on using smartphones and/or tablets to purchase gifts this holiday season, over half (54%) are specifically planning to use apps for shopping and/or banking during the holiday season; as such, mobile devices have proven irresistible to cybercriminals, and now they are targeting mobile users through malicious applications.

With roughly three in ten (28%) American smartphone and/or tablet owners admitting they do not pay attention at all to app permissions and 36% paying attention but specifying they do not always do so, Cyber-Scrooge criminals are ready to pounce.

‘Tis the season for consumers to spend more time online - shopping for gifts. 88% of those Americans who plan on shopping online during the 2012 holiday season plan on using a personal computer to do so, and 34% will use a tablet (21%) and/or smartphone (19%).

But with nearly half (48%) of Americans planning to shop online on Cyber Monday for sales (45% using a computer, 10% using a mobile device), here are the “12 Scams of Christmas,” the dozen most dangerous online scams to watch out for this holiday season, revealed by McAfee.

1. Social media scams - Cybercriminals know social media networks are a good place to catch you off guard because we’re all “friends,” right? Scammers use channels, like Facebook and Twitter, just like email and websites to scam consumers during the holidays.

Be careful when clicking or liking posts, while taking advantage of raffle contests, and fan page deals that you get from your “friends” that advertise the hottest Holiday gifts, installing apps to receive discounts, and your friends’ accounts being hacked and sending out fake alerts. Twitter ads and special discounts utilize blind, shortened links, many of which could easily be malicious.

2. Malicious mobile apps - As smartphone users we are app crazy, downloading over 25 billion apps for Android devices alone! But as the popularity of applications has grown, so have the chances that you could download a malicious application designed to steal your information or even send out premium-rate text messages without your knowledge.

3. Travel scams - Before you book your flight or hotel to head home to see your loved ones for the holidays, keep in mind that the scammers are looking to hook you with too-good-to-be-true deals. Phony travel webpages, sometimes using your preferred company, with beautiful pictures and rock-bottom prices are used to get you to hand over your financial details.

4. Holiday spam/phishing - Soon many of these spam emails will take on holiday themes. Cheap Rolex watches and pharmaceuticals may be advertised as the “perfect gift” for that special someone.

5. iPhone 5, iPad Mini and other hot holiday gift scams - The kind of excitement and buzz surrounding Apple’s new iPhone 5 or iPad Mini is just what cybercrooks dream of when they plot their scams. They will mention must-have holiday gifts in dangerous links, phony contests (example: “Free iPad”) and phishing emails as a way to grab computer users’ attention to get you to reveal personal information or click on a dangerous link that could download malware onto your machine.

6. Skype message scare - People around the world will use Skype to connect with loved ones this holiday season, but they should be aware of a new Skype message scam that attempts to infect their machine, and even hold their files for ransom.

7. Bogus gift cards - Cybercriminals can't help but want to get in on the action by offering bogus gift cards online. Be wary of buying gift cards from third parties; just imagine how embarrassing it would be to find out that the gift card you gave your mother-in-law was fraudulent!

8. Holiday SMiShing - "SMiShing" is phishing via text message. Just like with email phishing, the scammer tries to lure you into revealing information or performing an action you normally wouldn't do by pretending to be a legitimate organization.

9. Phony e-tailers - Phony e-commerce sites, that appear real, try to lure you into typing in your credit card number and other personal details, often by promoting great deals. But, after obtaining your money and information, you never receive the merchandise, and your personal information is put at risk.

10. Fake charities - This is one of the biggest scams of every holiday season. As we open up our hearts and wallets, the bad guys hope to get in on the giving by sending spam emails advertising fake charities. 

11. Dangerous e-cards - E-Cards are a popular way to send a quick “thank you” or holiday greeting, but some are malicious and may contain spyware or viruses that download onto your computer once you click on the link to view the greeting.

12. Phony classifieds - Online classified sites may be a great place to look for holiday gifts and part-time jobs, but beware of phony offers that ask for too much personal information or ask you to wire funds via Western Union, since these are most likely scams.

Using multiple devices provides the bad guys with more ways to access your valuable “Digital Assets,” such as personal information and files, especially if the devices are under-protected. One of the best ways for consumers to protect themselves is to learn about the criminals’ tricks, so they can avoid them.

Beyond that, they should have the latest updates of the applications on their devices in order to enjoy a safe online buying or other experience. We don't want consumers to be haunted by the scams of holidays past, present and future; they can't afford to leave the door open to cyber-grinches during the busy holiday season.

Friday, November 9, 2012

What to Do About DDoS Attacks

Security Tips for the Banks

The distributed-denial-of-service attacks that have hit 10 U.S. banks in recent weeks highlight the need for new approaches to preventing and responding to online outages.

Attackers have broadened their toolkits, and DDoS is not just a blunt instrument anymore. Banking institutions should: 

  • Use appropriate technology, including cloud-based Web servers, which can handle overflow when high volumes of Web traffic strike;
  • Assess ongoing DDoS risks, such as through tests that mimic real-world attacks;
  • Implement online outage mitigation and response strategies before attacks hit; 
  • Train staff to recognize the signs of a DDoS attack.

In layman's terms, during a DDoS attack a website is flooded with "junk" traffic - a saturation of requests that overwhelms the site's servers, preventing them from responding to legitimate traffic. In essence, DDoS attacks take websites down because the servers can't handle the traffic.
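As an added example (not code from the original post) of what "recognizing the signs" looks like in practice, the detector below buckets web-server access log lines into fixed time windows and flags a window whose request rate is far above the normal baseline, distinguishing a flood from many sources (the distributed case, where per-IP blocking alone will not help) from a single noisy client. The log lines, the baseline rate and the thresholds are constructed assumptions, not measurements from any bank.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined access-log format (Apache/Nginx style); constructed detector, not a product.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line; return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return {"ip": m.group("ip"), "epoch": int(ts.timestamp()),
            "req": m.group("req"), "status": int(m.group("status"))}


def bucket_by_window(lines, window_seconds=10):
    """Group requests into fixed windows; each window maps source IP -> request count."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate garbage rather than crash in the middle of an incident
        start = rec["epoch"] - rec["epoch"] % window_seconds
        buckets[start][rec["ip"]] += 1
    return buckets


def flag_flood_windows(buckets, window_seconds, baseline_rps,
                       multiplier=10.0, min_sources=10):
    """Return (window_start, requests, distinct_sources, verdict) for every window
    whose rate is at least `multiplier` times the normal baseline (assumed thresholds)."""
    flagged = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        total = sum(per_ip.values())
        if total / window_seconds >= baseline_rps * multiplier:
            verdict = ("distributed flood" if len(per_ip) >= min_sources
                       else "single-source flood")
            flagged.append((start, total, len(per_ip), verdict))
    return flagged


def build_sample_log():
    """Constructed log: one quiet window, then 60 requests from 30 addresses."""
    lines = [
        '203.0.113.10 - - [09/Nov/2012:10:00:01 +0000] "GET /login HTTP/1.1" 200 512',
        '203.0.113.11 - - [09/Nov/2012:10:00:04 +0000] "GET /accounts HTTP/1.1" 200 2048',
        '203.0.113.10 - - [09/Nov/2012:10:00:07 +0000] "POST /login HTTP/1.1" 302 0',
        'garbage line that the parser must tolerate',
    ]
    for i in range(60):  # 6 requests per second, spread over 30 sources
        lines.append('198.51.100.%d - - [09/Nov/2012:10:00:%02d +0000] '
                     '"GET /login HTTP/1.1" 503 0' % (i % 30 + 1, 10 + i % 10))
    return lines


def analyse(lines, window_seconds=10, baseline_rps=0.5):
    """Run the detector; baseline_rps is the assumed normal rate for this site."""
    buckets = bucket_by_window(lines, window_seconds)
    return flag_flood_windows(buckets, window_seconds, baseline_rps)


if __name__ == "__main__":
    for start, total, sources, verdict in analyse(build_sample_log()):
        print(f"window {start}: {total} requests from {sources} sources -> {verdict}")
```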

Most banks have failed to address this vulnerability to high volumes of traffic. Starting in mid-September, DDoS attacks have resulted in online outages at 10 major U.S. banks.

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters has taken credit for the hits, saying the attacks are motivated by outrage related to a YouTube movie trailer deemed offensive to Muslims. But security experts say DDoS attacks are often used as tools of distraction to mask fraud in the background.


To reduce their risk of DDoS takedown, banks need to address three key areas: 

  1. Layered user authentication at login, which consumes bandwidth;
  2. Reliance on Internet service providers not equipped to handle extreme bandwidth demands; and
  3. The internal management of Web servers, which limits banks' ability to hand off traffic overflow when volumes are excessive.

Fraud should always be an institution's top concern, meaning addressing DDoS threats should be a priority. DDoS protections have quickly become a new industry best practice. But DDoS attacks pose unique challenges for banks and credit unions.

The additional layers of security institutions already implement, such as enhanced user authentication, transaction verification and device identification, demand more bandwidth. So when a bank is hit by a DDoS attack, bandwidth is strained more than it would be at a non-banking e-commerce site.