Here’s Why Physical Security Walkthroughs Are a Great Test

If you act like you belong, you don't often get questioned about your actions. This has been proven time and time again at many places with high staff turnover. It has worked especially well for a recent Walmart thief.

At a Walmart in Grapevine, Texas, a man posed as an employee, wearing a vest and name tag, walked in, grabbed four large televisions, and walked right back out with them.

[image: walking out with TVs]

One Walmart employee took notice and was suspicious; he wrote down the license plate of the vehicle the thief was loading the televisions into, but it turned out that the plates were stolen too.

Apparently, the thief had pulled off the same crime successfully in Bedford a week earlier. What if the thief had impersonated a CFO or a system administrator? Or an armored truck driver?

Either confront the individual(s), grab a manager, or contact security. Train your workers to report crimes; it makes things better for everyone in the long run. Reporting needs to be established and metrics developed.

Posted in Security Blog | Tagged , , , , | Comments Off on Here’s Why Physical Security Walkthroughs Are a Great Test

Security Awareness Training Evolution

The lesson here is that you shouldn't make security awareness training dull, boring, and strictly compliance-based.

Keep it:

  • Fun
  • Fresh
  • Measurable

New Android Ransomware from the NSA?

There is new ransomware circulating that encrypts the contents of Android phones, called Simplocker. It pretends to be from the NSA, uses XMPP (Extensible Messaging and Presence Protocol), and is hard to detect with anti-malware tools.

Check Point's malware research team has seen evidence that hundreds of thousands of dollars have been paid instead of victims wiping their devices and starting over. Read the Check Point post on it here.

C’mon people, the NSA claiming to only take PayPal?


Trouble Picking a Password?

It's sometimes hard to pick a password, and hopefully this can help: add emoticons (sometimes called emoji) to your password.

Of course, don't just use the emoticons; bolster your whole password with upper and lower case letters, numbers, and other special characters. And diversify your passwords: it's common practice for hackers and script kiddies to find an email address and password and try the same combination on every type of account they think you have.

Name               Code
Shark              (^^^)
Penguin            <(")
Robot              :|]
Smile              :)
Frown              :(
Tongue             :P
Grin               :D
Gasp               :O
Wink               ;)
Glasses            B-)
Sunglasses         B|
Grumpy             >:(
Unsure             :/
Cry                :'(
Devil              3:)
Angel              O:)
Kiss               :*
Heart              <3
KiKi               ^_^
Squint             -_-
Confused           o.O
Confused Reverse   o.O
Upset              >:O
Pacman             :v
Colon Three        :3
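As an added illustration (my own code, not part of the original post), the script below estimates how many bits of guessing work a password represents from the character classes it uses, and then shows the caveat a practitioner would want alongside the advice above: an emoticon taken from a published table like this one is one predictable token, not a run of random symbols, so a guessing tool that knows the table gets far less resistance from `(^^^)` than a per-character count suggests. The function names, the 60-bit threshold and the sample passwords are my own constructions.

```python
import math

# Character classes for the naive estimate (printable ASCII: 26 + 26 + 10 + 33 = 95).
LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set("0123456789")
SYMBOLS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~ ")

# The 24 distinct emoticon codes from the table above, treated as a small public dictionary.
EMOTICONS = [
    "(^^^)", '<(")', ":|]", ":)", ":(", ":P", ":D", ":O", ";)", "B-)", "B|", ">:(",
    ":/", ":'(", "3:)", "O:)", ":*", "<3", "^_^", "-_-", "o.O", ">:O", ":v", ":3",
]


def pool_size(text):
    """Alphabet size an attacker must search, inferred from the classes actually present."""
    chars = set(text)
    pool = 0
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if chars & cls:
            pool += len(cls)
    # Non-ASCII characters (real emoji, accented letters): credit each distinct one only once,
    # since we cannot know how large the attacker assumes that class to be.
    pool += len(chars - LOWER - UPPER - DIGITS - SYMBOLS)
    return pool


def naive_bits(password):
    """Per-character estimate: length * log2(pool). Treats every character as independent."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def emoticon_aware_bits(password):
    """Conservative estimate: each emoticon from the public table counts as one token drawn
    from len(EMOTICONS) choices; only the leftover characters get per-character credit."""
    remaining = password
    tokens = 0
    for emo in sorted(EMOTICONS, key=len, reverse=True):  # longest first so "3:)" is not split
        while emo in remaining:
            remaining = remaining.replace(emo, "", 1)
            tokens += 1
    bits = tokens * math.log2(len(EMOTICONS))
    if remaining:
        bits += len(remaining) * math.log2(pool_size(remaining))
    return bits


def verdict(password, minimum_bits=60):
    """Judge on the conservative estimate; the naive number is what a user would usually be told."""
    naive = naive_bits(password)
    aware = emoticon_aware_bits(password)
    return {
        "naive_bits": round(naive, 1),
        "emoticon_aware_bits": round(aware, 1),
        "acceptable": aware >= minimum_bits,
    }


if __name__ == "__main__":
    # Constructed sample passwords, not anyone's real credentials.
    for sample in ["password", "(^^^)Tr0ub4dor", "x7$Kq(^^^)9mLp<3!wRz"]:
        print(sample, verdict(sample))
```

The gap between the two numbers is the point: `(^^^)Tr0ub4dor` scores about 92 bits per character but only about 58 once the shark is counted as one entry from a 24-item list, which is why the post's advice to mix the emoticon into a longer password with several character classes matters more than the emoticon itself.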

When a Security Manager Just Needs Tasks Automated

do it!


Security Awareness Memes

[Meme images: Lumberg says; ewww]

Sorry… I'm childish…. I'm not really sorry.

[Meme images: risks; how will you protect the data?; gladimir putin; people clicking on links in email is too damn high; only you can prevent social engineering; i see cyber risks everywhere; my passwords are stronger than you; knowing the same tricks as a con man; updates: set it and forget it; I too like to live dangerously; IT Risk Management; locks his workstation]


Let the Data Tell Your Story

Big data doesn't necessarily mean good data. This presentation, created Aug 25 2015, makes us realize that the bad guys have the good data, and it enables them to keep attacking successfully. (It's a 47-minute presentation.)


Uber Hires Charlie and Chris, the Famous Vehicle Hackers

As Uber grows, it is looking at further developing autonomous, self-driving cars, and it has hired the famous vehicle hackers Charlie Miller and Chris Valasek to hopefully make those vehicles strongly hacker-resilient.

Car hacking is very possible and the dangers are very real.


Business Email Compromise Leads to $737,000 Transfer to China

The FBI classifies "phishing that leads to loss" as Business Email Compromise (BEC). In a recently released story that closely matches the BEC hack in Omaha I wrote about back in February, another company fell victim to a spearphishing attack: an email that appeared to come from the CEO was sent to an accountant with instructions to wire $737,000.00 and to expect a follow-up call from a lawyer who would have the account numbers to complete the transaction.

The scammers, believed to be members of organized crime groups from Africa, Eastern Europe, and the Middle East, primarily target businesses that work with foreign suppliers or regularly perform wire transfer payments. The scam succeeds by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques. Businesses of all sizes are targeted, and the fraud is proliferating.
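As an added example (my own code, not the post's), here is a small header-and-body heuristic of the kind a mail gateway or SOC script can run to flag the pattern described above: an executive's display name on a mailbox that is not theirs, a Reply-To that diverts replies elsewhere, a lookalike sending domain, and wire-transfer language. The company domain, the executive directory, the keyword list and the two messages are constructed for the demonstration.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed: display name -> real mailbox
PAYMENT_TERMS = ("wire transfer", "account number", "confidential", "urgent")


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def looks_like(domain, target, threshold=0.8):
    """Cheap lookalike check: close to, but not identical to, the real domain (e.g. a digit for a letter)."""
    return domain != target and difflib.SequenceMatcher(None, domain, target).ratio() >= threshold


def bec_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)

    # 1. Display-name impersonation: a known executive's name on some other mailbox.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display name '%s' used with %s instead of %s" % (from_name, from_addr, expected))

    # 2. Reply diversion: replies would go to a different domain than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("Reply-To %s diverts replies away from %s" % (reply_addr, from_domain))

    # 3. Lookalike sender domain.
    if looks_like(from_domain, COMPANY_DOMAIN):
        findings.append("sender domain %s resembles %s" % (from_domain, COMPANY_DOMAIN))

    # 4. Payment / secrecy language in subject or body (only plain single-part bodies handled here).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [term for term in PAYMENT_TERMS if term in text]
    if hits:
        findings.append("payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SPOOFED = "\n".join([
    "From: Jane Doe <jane.doe@examp1e.com>",
    "Reply-To: jane.doe.ceo@freemail-example.net",
    "To: accountant@example.com",
    "Subject: Urgent wire transfer",
    "",
    "Please process a wire transfer of $737,000 today. A lawyer will call with the",
    "account numbers. Keep this confidential.",
])

LEGITIMATE = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "To: accountant@example.com",
    "Subject: Q3 offsite",
    "",
    "See you Thursday.",
])

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(raw))
```

The spoofed message trips all four checks while the routine one trips none. Any one indicator alone is weak (executives do mail from personal accounts, and legitimate invoices mention wire transfers), so a gateway would score them rather than block on one; the control the story itself points to is still a call-back to a number already on file before money moves.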

When the CEO happened to call into a meeting the next day, the accountant, also in the meeting, told the CEO that the transaction was completed… that’s when this happened:

[image: shfan]

The following BEC statistics were reported to the Internet Crime Complaint Center from October 2013 to August 2015:

• Total U.S. victims: 7,066
• Total U.S. exposed dollar loss: $747,659,840.63
• Total non-U.S. victims: 1,113
• Total non-U.S. exposed dollar loss: $51,238,118.62
• Combined victims: 8,179
• Combined exposed dollar loss: $798,897,959.25


Third U.S. Federal Circuit Court Allows FTC to Sue You

If you have poor infosecurity practices and you know it, the FTC now (as of 8/25/2015) has the power to sue you.

Wyndham Worldwide, which has licensed its brand name to 90 independently owned hotels, was hacked and had its data breached three separate times, in 2008 and 2009.

Each Wyndham-branded hotel has a property management system that processes customer information (including payment card data).

The charges against Wyndham (or independently owned hotels under Wyndham) are:

  • Storing payment card data in plaintext
  • Easily guessed passwords, where the password matched the username
  • Not using firewalls where appropriate
  • Knowingly allowing an independently owned hotel to connect to the corporate network using an operating system that hadn't had patches available for it in the last three years
    • Not changing default user IDs and passwords
  • Not adequately restricting third-party vendors' access to its network
  • Not self-auditing
  • Not having incident response procedures
  • Failing to monitor for malware used in previously successful hacking attacks

The US Court of Appeals for the Third Circuit has made the decision to reaffirm the FTC’s authority to hold companies accountable for failing to safeguard consumer data.

Know that the U.S. Government, in the form of the FTC, can and most likely will jump in and add even more cost to an already expensive data breach.

It's highly recommended that business executives and business attorneys read the FTC report.
