The NSA: My Best Friend

How much does the NSA really know about you?

The folks at Alltime10s published a YouTube video entitled 10 Ways the NSA Spies on You. The video contains unsettling revelations about the NSA from recent news articles, citing evidence that the agency engages in the following activities.

  1. Can collect info on people 3 degrees of separation from suspects (The Guardian)
  2. Use metadata to get around privacy laws, rather than monitoring conversations (The Register)
  3. PRISM, a major electronic spying program, using existing information from social sites (Wikileaks, The Guardian, Facebook)
  4. Wiretap all overseas communications in and out of the US (NY Times, Washington Post)
  5. Can turn your phone & computer’s camera & microphone on remotely: a ‘roving bug’ (ABC News)
  6. Work closely with companies like Google, incorporating code into Android phones (Business Week)
  7. Spent $254.9 million cracking email encryption for millions of people (The Guardian)
  8. The Treasury Department’s ‘SWIFT’ monitors financial transactions of suspects & foreign nationals (Discovery)
  9. Engage in MitM, or ‘Man-in-the-Middle’ attacks (CNET)
  10. Spy on love interests (Wall Street Journal)

Scary, huh?

So what can law-abiding citizens do to protect their privacy? Here are a few tips:

These tips aren’t foolproof for keeping the NSA out of your personal business, but they’re a start.

On a lighter note, you can give Cory Doctorow’s book Little Brother a read. 1984 for today’s teens. Fictional, but just barely. Great stuff.

That, or you can kick back, relax, and accept that the NSA probably knows more about you than your best friend.

Identity and Access Management 101

Here’s another one of my infosec 101 presentations, this one drawing on my years of experience implementing and supporting identity and access management solutions for a large international retailer.

If you’re planning on consolidating multiple identity stores into one centrally managed solution, then you’ll want to give this a once over ahead of time.

Don’t Get Fooled by a Phishing Attack

Want to see who’s viewed your Facebook profile? Then just click here.

The app won’t do what it advertises, but it will steal your username and password. Oh, and it will record everything you type with a key logger, and then send that info to the developer’s email address.

If you’re not familiar with the term phishing, Wikipedia does a pretty good job of summing it up.

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

When it comes to cybercrime, attackers have a number of avenues open to them. Researching vulnerabilities and developing exploits is a great way to get your geek on, but let’s face it: it’s easier to just trick people into giving up their username and password.

If you don’t want to fall for this type of attack, make sure you always do the following:

  • Avoid clicking on links from people you don’t know. If I get a “security” message from any online service (banking, email, social media… you name it), I never click on the link. Instead, I either google the site or type the URL in directly (if I already know it).
  • Hover over the URL and check the destination first. Take this link for example: https://www.facebook.com/. Where do you think it will take you? If you hover over the URL, the comment will tell you Facebook, but look in the lower left-hand corner of your screen for the real destination. Don’t believe me? Click it, and see for yourself.
  • Check the URL before you enter your credentials. Think you’re logging into Facebook? Then the URL in the browser should begin with https://www.facebook.com/. If it doesn’t, then chances are you’re not logging into Facebook. Simple as that. Oh, and if the URL contains an IP address (something like https://31.13.64.81/), don’t trust it. Play it safe and go to the website by its DNS name instead.
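
The checks in the list above, written as code (an added example, not part of the original post). It compares the parsed hostname instead of the start of the address, because a simple "begins with" test also accepts a longer hostname or a user-info part that merely starts with the expected name. `checkLink`, `naivePrefixCheck`, `expectedHost` and the sample links are assumptions made for illustration.

```javascript
// Added example, not from the original post. The sample links are
// constructed: they use a reserved .example name and a documentation IP.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Parse text as an http(s) URL; return null when it is not one.
function parseHttpUrl(text) {
  try {
    const u = new URL(String(text).trim());
    return u.protocol === "http:" || u.protocol === "https:" ? u : null;
  } catch {
    return null;
  }
}

// The check as it is often written: does the address start with the site?
function naivePrefixCheck(href, expectedHost) {
  return href.startsWith("https://" + expectedHost);
}

// visibleText: what the message shows. href: where the link really goes.
// expectedHost: the DNS name you meant to visit (exact match is assumed).
function checkLink(visibleText, href, expectedHost) {
  const dest = parseHttpUrl(href);
  if (!dest) return ["destination is not an http(s) URL"];
  const warnings = [];
  const host = dest.hostname;
  if (dest.protocol !== "https:") warnings.push("not HTTPS");
  // IPv6 literals keep their brackets in URL.hostname.
  if (IPV4.test(host) || host.startsWith("[")) warnings.push("IP address instead of DNS name");
  if (dest.username || dest.password) warnings.push("text before '@' is not the host");
  // Only compare when the visible text is itself a URL.
  const shown = parseHttpUrl(visibleText);
  if (shown && shown.hostname !== host) warnings.push("visible text and destination differ");
  if (host !== expectedHost) warnings.push("host is not " + expectedHost);
  return warnings;
}

const SITE = "www.facebook.com";
const samples = [ // [visible text, real destination], all constructed
  ["https://www.facebook.com/", "https://www.facebook.com/login"],
  ["https://www.facebook.com/", "https://203.0.113.7/login"],
  ["Facebook", "https://www.facebook.com.login.example/"],
  ["Log in", "https://www.facebook.com@203.0.113.7/"],
];
for (const [text, href] of samples) {
  console.log(href, "| prefix check passes:", naivePrefixCheck(href, SITE),
    "| warnings:", checkLink(text, href, SITE));
}
```

The last two samples pass the prefix check and are still flagged once the hostname is parsed.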

And remember, folks: if it sounds too good to be true, it probably is.

Information Security Management 101: The Fundamentals

Did you know I went to school to be a music teacher?

I’ve played piano and trumpet since I was 10 years old. Taught myself to play guitar when I was 16. When it was time for me to go to college, I started as a double major in Computer Science and Music Composition. Within the first year, I dropped CompSci (when would I ever need to know that much about computers?), and I switched from Music Composition to Music Education. For the rest of my college career, I studied voice and sang in one of the best collegiate choirs in the world.

Suffice it to say that when I landed a job as the information security manager for a multibillion dollar international luxury retailer, tasked with implementing and maintaining a security program that supported their PCI compliance efforts, I had a few things to learn.

One of the first things I learned: pick a security framework that aligns with your business goals.

I learned a LOT in that role, and I made some pretty sweeping changes to the infosec program. After I moved to Jacadis, I took that hands-on experience and put together a short presentation with the hopes that I could spare other infosec pros some of the pain and frustration I experienced along the way. I’ve been fortunate enough to have been able to share this presentation at nine (9) different security conferences and professional group chapter meetings, not to mention the 20-minute version I shared via Hacker Hotshots.

Whether you’re brand new to infosec or you’ve been at it for decades, chances are you’ll find some info in this presentation that will help you with your own challenges.

If you want to discuss anything from the presentation in more detail, drop me a line. I’m always up for a chat.

Who’s Reading Your Email?

By now, you’ve probably heard the phrase, “Use strong passwords!” so much that you want to puke.

Like it or not, it’s great advice for keeping your private information private. But if you think that’s enough to keep people from reading your email, just ask Sarah Palin. The widely publicized hack of her email account in 2008 should be enough to convince you that maybe, just maybe, you’ll want to make sure you’ve done all you can to secure your email account.

Here are a few simple tips to help you protect your email account(s):

  • Use multiple email accounts. For the typical end-user, email is both free and disposable. If you’re going to sign up for an online media site with the same email address and password you use to do your online banking, then it’s only a matter of time before you see unauthorized withdrawals from your checking account. At a minimum, I recommend using one email account for any financial/healthcare correspondence, and another email for everything else. If you’re only signing up for a site for a short period of time, then I recommend using a temporary email account that you’re going to walk away from as soon as you’re done visiting the site.
  • Use two-factor authentication. Simply put, two-factor authentication requires that users provide a password (first factor) and something else (second factor) to prove that they are who they say they are. In most cases, that second factor will be a code sent to your mobile device (something you have in your possession) each time you login. A lot of online service providers offer simple two-factor authentication options today, including Google, Yahoo!, and Facebook. If you want step-by-step instructions on how to enable two-factor authentication, give this Lifehacker article a read.
  • Configure encrypted email on your mobile devices. If you browse to Gmail from your laptop, Google is automatically going to flip to an SSL-encrypted connection to keep your data safe. But if you’ve got your Gmail account on your smartphone configured to connect over HTTP instead of HTTPS, then email traffic from your smartphone is at risk each time you check your messages while connected to a public wi-fi network. For iPhone users, you can change this setting by going to Settings > Mail, Contacts, and Calendars > choose the email account you want to update > Account > Advanced > Use SSL, and flip this to the ON position. For Android, BlackBerry, and Windows Phone users, I’m afraid you’re going to have to Google for device-specific instructions.

How To “Career-Proof” Your Social Media Profiles

Someone recently posted this question to me on Facebook:

How do I “teacher-proof” my Facebook profile?

My wife taught music in the public schools for quite a few years, and I have quite a few teachers in both my family and my circle of friends. As social media continues to become more integrated into our daily lives, teachers in particular find themselves in a tough spot. If a teacher has a rough day and vents about it on his or her Facebook profile, that teacher can end up unemployed.

But teachers aren’t the only ones with this challenge. Facebook posts have resulted in firings of doctors, police officers, and even a guard at Buckingham Palace.

If you’re going to use social media, there’s ALWAYS a risk that someone will use your comments, tweets, and status updates against you. Sometimes, it’s to protect people, especially when kids are involved. The truth is, people rely on their social media circles for support and encouragement. They use social media to vent frustrations. They also use social media to share their life experiences with friends and family all around the world.

So how do we take full advantage of social media while minimizing the risk of getting fired over what we say and share online?

Here are a few suggestions:

  • Establish clear boundaries between your social media profiles. For me, Facebook is for personal and creative use only. I use it to share writing and filmmaking projects, to stay in touch with family and friends, and to express my personal views and opinions. I have two Twitter accounts, one for “creative Jerod” and one for “infosec Jerod.” I also have a LinkedIn account that is all business. No personal stuff there, ever. Once you draw these lines, the next step is to sever unnecessary connections between your social media profiles. If you’ve got your Facebook account configured to automatically tweet your status updates, don’t be surprised when a supposedly private rant ends up on Twitter.
  • Think before you post. There’s only so much you can do to technically protect your social media profiles. The truth is, anyone in your friends list can take a screenshot of a tweet or a status update and send it to your boss. Keep your friends and followers list reasonable, taking time every few months to review and update your connections. But remember this: all it takes is one irresponsible post, and you’re putting your career at risk. Just ask Anthony Weiner.

Five Tips for Safely Browsing Websites

The Internet is full of awesome, but it’s also got a nasty side. Some folks make a living by infecting computers with malware and then joining them to botnets that they can rent out to attack online businesses. Others make a living by swiping valid credential sets and then using those credentials to either steal cash or to trick people into sending them cash.

If you want to enjoy the awesome while avoiding the bastiches, here are five simple tips to help keep you safe online.

  • Keep your operating system and your apps up to date. One of the most popular ways to infect a computer is to get a webpage or a malicious file to exploit a flaw in an app or in the operating system. By keeping your system up-to-date with security patches, you’re stopping these types of attacks before they can get a foothold in your computer. Apps like Google Chrome and iTunes have auto-update options that will take care of this for you, and you should DEFINITELY have Windows Update and Mac Software Updates turned on. If you want to check your entire computer for any out-of-date software, you can always run an app like Secunia PSI or Patch My PC.
  • Use antivirus. By tricking people into voluntarily clicking on executable files, attackers can infect your computer even if the computer’s fully patched. In the unfortunate event that you fall for this type of social engineering attack, antivirus is a nice backup control to detect and delete malware from your computer before it can do too much damage. Sites like AV Test do an incredible job of comparing AV products to help you pick the best one for your own needs. Check it out!
  • Use a password safe. You can use an app like LastPass to store all of your usernames and passwords. What’s even better is that LastPass can generate strong (unique) passwords for each site. Strong passwords are less likely to be cracked if a site is hacked, and avoiding password reuse is critical if you want to keep attackers from using the same password to login to ALL of your accounts.
  • Check for SSL-protected web pages. If it says HTTPS before the website name, it’s encrypted. Simple as that. If you’re visiting a website to read awesome security tips or to look at some of the most tremendous pictures on the Interwebz, then SSL isn’t a big deal. If you’re logging in to a site, or if you’re submitting a form that contains private data (social security number, national identifier, credit card, etc.), then SSL is a pretty big freakin’ deal. Check before you click.
  • Use a safe browsing tool like Web of Trust. Before you visit a website, especially if it’s your first time there, it’s nice to know whether or not anyone else can vouch for the trustworthiness of that site. That’s what Web of Trust aims to accomplish. You can install the WOT plugin in Firefox, Chrome, Internet Explorer, Opera, and Safari, and WOT will indicate whether or not a site is trusted before you click on the link.

Remember: there’s no one “silver bullet” that’s automatically going to make you secure. By combining security controls, though, you’re going to make it a helluva lot harder for an attack to be successful.

Stay safe out there!

Securely Dispose of Old Computers and Mobile Devices

First, consider how often Apple releases a new iPhone:

  • iPhone (June 2007)
  • iPhone 3 (July 2008)
  • iPhone 3GS (June 2009)
  • iPhone 4 (June 2010)
  • iPhone 4S (October 2011)
  • iPhone 5 (September 2012)
  • iPhone 5s (September 2013)

That’s right. Apple releases a new iPhone EVERY YEAR. With our addiction to all things technological, chances are that you’ve got AT LEAST one older device (smartphone, tablet, laptop, desktop) lying around your house, just waiting to be gifted or sold.

The big question is: How can we securely delete all of our personal data from these devices before getting rid of them?

Well, you’ve got one option that works for mobile devices, desktops, and laptops:

  • Physically destroy the device / hard drive. Let’s face it: this solution kills the resale value, but it’s an almost surefire way to ensure that no one is getting any data off of your old device. Device + hammer = unrecoverable data.

If that option’s off the table, you’ve got another option unique to mobile devices:

  • Reset the device to factory settings. The process varies from device to device, but start in the Settings and look for Reset or something similar. If you get stuck, you can always Google it.

If we’re talking desktops and laptops only, here are a few options that come with automated tools to make the process easier:

  • Use Darik’s Boot and Nuke (DBAN). Chances are the geeks in your family already know about DBAN. Just put DBAN on a thumb drive or a CD and then boot from that media. DBAN’s simple menu-driven options will walk you through totally obliterating the data on the hard drive while leaving the hard drive intact. No hammers.
  • Encrypt your sensitive data. I looooooooove TrueCrypt. It lets you either encrypt your entire hard drive, or just create an encrypted “container” for you to keep your files in. From a user perspective, the encrypted container looks and acts just like another hard drive. This second option is a great proactive way to protect your data, regardless of when you plan on getting rid of your computer. As long as you choose a secure password (or passphrase) when creating the container, you don’t have to worry (much) about someone getting to the data inside that container, even if you forget to delete the container before you part with your computer.
  • Manually delete the data. Sometimes, though, you want to leave the operating system intact (especially if sending the computer to a family member or friend). If this is the case, you can start by uninstalling all the programs on your computer that you don’t want the new owner to have. Maybe you leave MS Office in place, but you remove Quicken and TurboTax. Once you’ve deleted these programs, install and run CCleaner. CCleaner targets temp files and app data that you didn’t even know existed and wipes it from your hard drive. (If you’re a Mac user, check out OnyX as well.)

Manually deleting the data is tricky, so I’d recommend you reach out to a geeky family member or friend to help out. Dropbox, for example, will uninstall just fine, but that doesn’t mean it will delete all of the Dropbox files stored locally on your computer. Same goes for Google Drive. And don’t even get me started on iTunes backups. Those files are a treasure trove of personal information.

A couple of quick notes on using CCleaner:

  • Under Options > Settings, make sure you enable Secure Deletion. The US Department of Defense spec is Advanced Overwrite (3 passes), and chances are the DoD has more sensitive data on their systems than you have on your home computer.
  • Under Tools > Drive Wiper, set security to Advanced Overwrite (3 passes) and wipe Free Space Only. This will delete any file remnants on your hard drive that were there before you read this blog. (And yes, you can use CCleaner to wipe your entire drive, similar to DBAN.)

One last note: recycle your old tech! Google for local technology recycling centers, or better yet, take some old tech to your kids’ school for a “Take Apart Day.” They’re a blast. Trust me on that one.

OWASP Mobile Security Project

If you’ve ever talked infosec with me, you’ve no doubt noticed that I love the OWASP Top 10 Project. Every few years, they update their list of the 10 most significant web application security risks to help provide developers and security testers with guidance on how to protect web applications.

What you may not know is that they have a separate OWASP Mobile Security Project that tracks their top 10 list of mobile risks. The current list includes:

  1. M1 – Insecure Data Storage
  2. M2 – Weak Server Side Controls
  3. M3 – Insufficient Transport Layer Protection
  4. M4 – Client Side Injection
  5. M5 – Poor Authorization and Authentication
  6. M6 – Improper Session Handling
  7. M7 – Security Decisions Via Untrusted Inputs
  8. M8 – Side Channel Data Leakage
  9. M9 – Broken Cryptography
  10. M10 – Sensitive Information Disclosure

If you’re a mobile app developer, or if you work for a company that develops their own mobile apps, check it out. For the short version, you could check out their SlideShare presentation or watch their YouTube video.
