About John R

I work as a technical account manager and project manager at a regional MSP (Managed Service Provider). We provide IT solutions and manage the IT environment for small-to-medium sized organizations, which typically don't have a full-time IT department to do this for them. I am currently pursuing an MS in Cybersecurity at Bellevue University.

Internet Privacy & Your ISP (CYBR 650, Week 10)

The FCC (Federal Communications Commission) passed new rules to protect consumers’ online privacy in the U.S. last October.  The new rules were to ensure that ISPs (Internet Service Providers) could not use or sell their customers’ Internet browsing history, mobile location data, and other personal information that passes through your telecom or Internet provider.

Some large telecom and cable providers, including AT&T, Comcast, and Verizon, have been pushing to be able to use or sell their customers’ personal information for some time.  Even with encrypted browsing or using private mode with a browser, your ISP still has the ability to track everywhere you go on the Internet.

These new rules would require these service providers to obtain their customers’ explicit permission to use this data before they could share it with third parties.

Unfortunately, this protection for consumers did not last long.  Congress voted in favor of the big telecom providers and ISPs to prevent the consumer protections from taking effect.  Then in March of this year, President Trump approved Congress’s repeal of these consumer protections by the FCC.

References:

Fung, B., & Timberg, C. (2016, October 27). The FCC just passed sweeping new rules to protect your online privacy. Retrieved August 10, 2017, from https://www.washingtonpost.com/news/the-switch/wp/2016/10/27/the-fcc-just-passed-sweeping-new-rules-to-protect-your-online-privacy/?tid=a_inl&utm_term=.6625ed72f166

Fung, B. (2017, March 29). What to expect now that Internet providers can collect and sell your Web browser history. Retrieved August 10, 2017, from https://www.washingtonpost.com/news/the-switch/wp/2017/03/29/what-to-expect-now-that-internet-providers-can-collect-and-sell-your-web-browser-history/

Facial Recognition (CYBR 650, Week 8)

Biometric data, including facial recognition data, is being scooped up by companies including Facebook and Google.  Although this technology is not new, since casino operators have long used software to try to identify card cheats, it is becoming widespread and far more accurate due to advances in software, hardware, and higher quality, less expensive cameras.

There are two predominant approaches to facial recognition.  One is geometric, which is based on the distances between facial features, such as the distance between the eyes.  This is known as “feature based” facial recognition.  Then there is “photometric,” which is a “view based” facial recognition system.  Photometric facial recognition relies on reflected light from different facial features as captured by a camera and cataloged by computer systems.

Disadvantages of facial recognition systems are that, for the most part, they require high quality cameras and good lighting.  They can be easily defeated by disguises and cosmetic makeup.  FedTech recognizes four limitations of facial recognition:

  1. Image quality
  2. Image size
  3. Face angle
  4. Processing and storage

Facial recognition is being used by law enforcement to track the movements of suspects on watchlists in public places including airports, and has been used for years by the gaming industry to identify card counters and other undesirable customers in casinos.  Facebook is using facial recognition in photographs to identify Facebook members to make it easier to “tag” friends in posted photos.

Facebook explains that they “currently use facial recognition software that uses an algorithm to calculate a unique number (“template”) based on someone’s facial features, like the distance between the eyes, nose and ears. This template is based on your profile pictures and photos you’ve been tagged in on Facebook. We use these templates to help you tag photos by suggesting tags of your friends.”  The Washington Post reported that the Facebook facial recognition software is 97.25% accurate.

References:

Limitations of Facial Recognition Technology. (2013, Nov. 22). Retrieved July 30, 2017, from http://www.fedtechmagazine.com/article/2013/11/4-limitations-facial-recognition-technology

Facebook. (2017). How does Facebook suggest tags? Retrieved July 30, 2017, from https://www.facebook.com/help/122175507864081

What happens when facial recognition tools are available to everyone. (n.d.). Retrieved May 20, 2016, from https://www.washingtonpost.com/news/innovations/wp/2015/12/23/what-happens-when-facial-recognition-tools-are-available-to-everyone/

Dark Web Bust – (CYBR650, Week 7)

You may remember the big crackdown on the Silk Road marketplace on the so-called dark web a couple of years ago (Meisner, 2015).  This did not shut down the buying and selling of drugs, stolen credit cards and other items.

The dark web continues to be a place where people can meet to buy and sell under the radar of law enforcement.  However, law enforcement caught up to a couple of big marketplaces the other day.

This activity continues on the dark web, as witnessed by the latest bust of drug bazaars AlphaBay and Hansa Market by U.S. and international law enforcement.  Krebs on Security reports that Dutch investigators took control of Hansa on June 20th (Krebs, 2017).  Brian Krebs reports that AlphaBay and Hansa Market sold a range of black market goods on the dark web, but “especially controlled substances like heroin.”

Krebs wrote that the U.S. Justice Department stated that AlphaBay alone had around 40,000 vendors and around 250,000 listings of illegal drugs.  It was reported that 122 vendors were selling Fentanyl, the dangerous synthetic opioid responsible for many opioid-related deaths in the U.S.

Sources:

Meisner, J. (2015, May 29). Biggest dealer on underground Silk Road given 10 years in prison. Retrieved July 23, 2017, from http://www.chicagotribune.com/news/local/breaking/ct-silk-road-drug-trafficking-met-20150528-story.html

Krebs, B. (2017, July 20). Krebs on Security. Retrieved July 23, 2017, from https://krebsonsecurity.com/2017/07/exclusive-dutch-cops-on-alphabay-refugees/

Sources for Info on Cybersecurity Issues (CYBR650, Week 6)

I previously wrote about the importance of finding credible online cybersecurity sources and credible information.  I wrote about using the CARS checklist for evaluating sources for Credibility, Accuracy, Reasonableness, and Support.  I will post the CARS criteria here again, for convenience:

  • Credibility

trustworthy source, author’s credentials, evidence of quality control, known or respected authority, organizational support. Goal: an authoritative source, a source that supplies some good evidence that allows you to trust it.

  • Accuracy

up to date, factual, detailed, exact, comprehensive, audience and purpose reflect intentions of completeness and accuracy. Goal: a source that is correct today (not yesterday), a source that gives the whole truth.

  • Reasonableness

fair, balanced, objective, reasoned, no conflict of interest, absence of fallacies or slanted tone. Goal: a source that engages the subject thoughtfully and reasonably, concerned with the truth.

  • Support

listed sources, contact information, available corroboration, claims supported, documentation supplied. Goal: a source that provides convincing evidence for the claims made, a source you can triangulate (find at least two other sources that support it).


In my previous post on cybersecurity sources of information, I listed some good, reputable sources.  Please reference my CYBR650, Week 2 post for those.  I also wanted to add some others that you might find useful.

Schneier on Security – Bruce Schneier is an internationally renowned security technologist, called a “security guru” by The Economist. He is also the author of 13 books.

Dark Reading – Christina Chipurici at Heimdal Security says Dark Reading is a widely-read cyber security site that addresses professionals from the IT environment, security researchers and technology specialists. They use their experience and knowledge to provide articles, recommendations, news and information on IT security.

CIO Magazine – a venerable favorite for IT news, insight and analysis.  CIO has a section devoted to cybersecurity.

InfoSecurity Magazine – an online magazine covering cybersecurity and security strategy.

References:

CARS Checklist (n.d.).  CIS 629, Managing Emerging Technologies, Bellevue University.

Harris, R. (2015, January). Evaluating Internet Research Sources. Retrieved June 18, 2017, from http://www.virtualsalt.com/evalu8it.htm

Chipurici, C. (2017, January 06). 50 Amazing Internet Security Blogs You Should Be Following [Updated]. Retrieved July 14, 2017, from https://heimdalsecurity.com/blog/best-internet-security-blogs/

My Blog (CYBR650, Week 1)

The purpose of this blog is to write about information security or cybersecurity issues that small to medium sized organizations face.  Often the cybersecurity issues written about in the media pertain to large data breaches and other widespread cybersecurity issues.  Small to medium sized organizations often don’t feel like these issues pertain to them and sometimes think that bad actors and cyber criminals are uninterested in them.

These organizations often do not employ full-time IT staff and likely do not have a cybersecurity professional on staff or even in a consultative role.

I provide managed IT services to small to medium sized organizations.  I serve as the part-time CIO to smaller organizations and am also a technical account manager and project manager.  Most of these small to midsized organizations outsource some or all of their IT functions to companies like mine.  Some organizations may employ an IT generalist or have someone who can handle many daily IT issues, but we are able to provide the specialized, experienced professionals as needed for projects or difficult issues while remotely monitoring our clients’ networks, servers, and other systems.

This blog is not limited to discussions about small to medium sized organizations, however.  I may write about any current cybersecurity or IT topic that I find interesting or relevant.


Risks of Unsupported Operating Systems (CYBR650, Week 5)

As I posted last week, the Petya ransomware attack might have been more of a disruptive or damage-inflicting attack than a ransom-motivated one.

The Petya or NotPetya (as some researchers call it) malware attack was propagated using vulnerabilities in the SMB v1 (Server Message Block) protocol.  This is another good reason not to use operating systems that are past their end of lifecycle or “sunsetted.”

When an operating system is supported, vulnerabilities are often discovered and the operating system’s vendor then creates a patch or a “fix” for the vulnerability.  After support ends, as it has for Windows XP and Windows Server 2003, no patches or fixes would be expected to be forthcoming when additional vulnerabilities are discovered.  This leaves the users of those systems at perpetual risk until they decide to update their systems.

The Petya ransomware propagates itself through remote code execution by using a vulnerability in SMB v1.0.  Server Message Block v1 has been a deprecated protocol for years.  Microsoft recommends that you disable the SMBv1 protocol completely.  This is another good reason not to have XP or Server 2003 still in an environment, since those OSes rely on SMB v1.  Also, some older scanner/printers rely on SMBv1 for their “Scan To” feature, so some newer servers might have it turned on and could be vulnerable.

Microsoft Security Bulletin MS17-010 has an explanation and links to patches for various Windows versions:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
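The check-then-disable routine described above, as an added example (not code from the original post or from Microsoft): it reports whether this host still offers SMBv1, can turn on SMB1 access auditing so that legacy clients such as the “Scan To” scanners mentioned above can be found before the protocol is removed, checks whether a given MS17-010 hotfix is installed, and only disables SMBv1 when asked.  It assumes an elevated PowerShell prompt on Windows 8.1 / Server 2012 R2 or newer; the `AuditSmb1Access` setting and the `Microsoft-Windows-SMBServer/Audit` log are assumed to exist only on Windows 10 / Server 2016 and later.  The `-EnableAudit`, `-Disable` and `-KbId` switches are this script’s own parameters, and the KB number is a placeholder to be taken from the bulletin for your OS.

```powershell
<#
  Added example, not from the original post or from Microsoft.
  Audit-first approach to removing SMBv1 from a Windows host.
  Assumptions: run elevated on Windows 8.1 / Server 2012 R2 or newer;
  SMB1 access auditing (AuditSmb1Access, event ID 3000 in the
  Microsoft-Windows-SMBServer/Audit log) exists on Windows 10 / Server 2016+.
  -EnableAudit, -Disable and -KbId are this script's own switches.
#>
[CmdletBinding()]
param(
    [switch]$EnableAudit,   # turn on SMB1 access auditing (find legacy clients first)
    [switch]$Disable,       # actually turn SMBv1 off; default is report only
    [string]$KbId           # placeholder: the MS17-010 KB number for this OS, e.g. 'KB<number from bulletin>'
)

function Get-Smb1Status {
    # Report-only view of the SMBv1 server setting and the optional feature.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State } else { 'n/a' }
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServerOffersSmb1 = $server.EnableSMB1Protocol   # $true: this host still accepts SMBv1 sessions
        Smb1Feature      = $featureState                # client+server optional feature (Enabled/Disabled)
        Smb1AuditOn      = $server.AuditSmb1Access      # $null on OS versions without the setting
    }
}

function Get-Smb1Clients {
    # Clients that connected with SMBv1 since auditing was enabled (event ID 3000).
    # The scanner/printer that still needs SMBv1 for "Scan To" shows up here.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Test-HotFixInstalled([string]$Id) {
    # $true when the given KB (taken from MS17-010 for this OS version) is installed.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Disable-Smb1 {
    # Stop offering SMBv1 on the server side, then remove the optional feature entirely.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# --- main: report, optionally audit, optionally disable ---
Get-Smb1Status | Format-List

if ($KbId) {
    if (Test-HotFixInstalled $KbId) { "$KbId is installed." }
    else { "WARNING: $KbId (MS17-010) is NOT installed on this host." }
}

if ($EnableAudit) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    "SMB1 access auditing enabled; re-run this script after a few days to list SMBv1 clients."
}

Get-Smb1Clients

if ($Disable) {
    Disable-Smb1
    "SMBv1 disabled; a restart completes the change."
}
```

Run it without switches first on each server; run it with `-EnableAudit` for a week or two where SMBv1 is still on, so that any scanner or old workstation that depends on it is discovered and upgraded before `-Disable` is used.  Hosts where the hotfix check warns should be patched regardless of whether SMBv1 is ultimately kept for a legacy device.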

References:

Krebs, B. (2017, June 27). Krebs on Security. Retrieved June 30, 2017, from https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/#more-39734

Mackie, K. (2017, June 28). New Petya Ransomware Outbreak Tapping SMB 1 Windows Flaw. Retrieved July 09, 2017, from https://redmondmag.com/articles/2017/06/27/petya-ransomware-outbreak.aspx


Latest Ransomware, Not Ransomware? (CYBR650, Week 4)

Ransomware has been successful because of its business model.  If a victim’s files get encrypted, paying the ransom usually gets the files back.

The latest wave of malware that worked its way across the globe last week seems to be something different.  On the surface it appeared to be ransomware, but it reportedly encrypts the entire hard drive, and may simply be destroying the data.  It isn’t fully clear yet.

It was also reported that the email address to pay the ransom was quickly turned off, leaving no avenue for the transaction.  Researchers are still questioning the motives of this latest attack.  Some researchers have speculated that the attack was more about causing disruption than about the traditional ransomware motive of getting paid.


Reference:

Washington Post Editorial Board (2017, July 01). A cyberattack swept across the globe last week. We should be ready for more. Retrieved July 02, 2017, from https://www.washingtonpost.com/opinions/a-cyberattack-swept-across-the-globe-last-week-we-should-be-ready-for-more/2017/06/30/1d697c88-5c2f-11e7-a9f6-7c3296387341_story.html?utm_term=.9369cc6ad829&wpisrc=nl_rainbow&wpmm=1

SmartPhone Robocalls – A Tangled Web (CYBR650, Week 3)

In Krebs on Security, Brian Krebs covered an interesting case of a robocall that a reader decided to investigate further.  Most of us have received robocalls on our home phones, and now on our smartphones.  It even seems that the frequency of these has been increasing.

Many of these calls actually sound like a real person looking for someone, but it is really a clever AVR, or automated voice response, system.  When I receive a robocall, I typically assume that there is just one entity or company involved in annoying me in an attempt to sell some dubious service.

As Krebs on Security reports, behind that singular call might be a tangled web of connected organizations.  This reader who received the call had become increasingly irritated at getting these calls and decided to stay on the line to play along.

The reader ended up being connected to a representative at creditfix.com.  Later, the reader tried calling the phone number back that had called him and found it disconnected, “suggesting it had been spoofed to make it look like it was coming from his local area” (Krebs, 2017).

He then looked up the domain creditfix.com and found it registered to someone named Michael LaSalla with a mail drop in Las Vegas.  The IP address used by creditfix.com is registered to a company called System Admin, LLC in Florida, which lists LaSalla as a manager.  A search for the company’s physical address turned up a filing with the FCC that showed the CEO of System Admin, LLC to be an entrepreneur associated with founding voip.com, an internet telephone service.

After reaching creditfix.com by email, their compliance department said that creditfix.com was likely scammed by a lead generation company called Little Brook Media, a “marketing firm in New York City.”  Krebs reports that multiple attempts to contact Little Brook Media were unsuccessful.

As this tangled web points out, the company placing the robocall might not be the company one gets connected to.


Reference:

Krebs, B. (2017, June 25). Krebs on Security. Retrieved June 25, 2017, from https://krebsonsecurity.com/2017/06/got-robocalled-dont-get-mad-get-busy/

Credible Sources of Information on Cybersecurity (CYBR650, Week 2)

There is a lot of information available these days on information security (which is often called cybersecurity), threats, vulnerabilities, data breaches, and cybersecurity news in general.  Where does one go, and importantly, how do people know if they are getting good, trustworthy information?

I often use the CARS Checklist for Evaluating Sources (Bellevue University, n.d.):

  • Credibility

trustworthy source, author’s credentials, evidence of quality control, known or respected authority, organizational support. Goal: an authoritative source, a source that supplies some good evidence that allows you to trust it.

  • Accuracy

up to date, factual, detailed, exact, comprehensive, audience and purpose reflect intentions of completeness and accuracy. Goal: a source that is correct today (not yesterday), a source that gives the whole truth.

  • Reasonableness

fair, balanced, objective, reasoned, no conflict of interest, absence of fallacies or slanted tone. Goal: a source that engages the subject thoughtfully and reasonably, concerned with the truth.

  • Support

listed sources, contact information, available corroboration, claims supported, documentation supplied. Goal: a source that provides convincing evidence for the claims made, a source you can triangulate (find at least two other sources that support it).


Below, I list some sites that I check regularly and find useful for cybersecurity information.  This is not a comprehensive list by far, but this would give most people a good starting place.

The Security Bloggers Network:  http://securitybloggersnetwork.com/

Krebs on Security.  Brian Krebs’ excellent security news and investigative site.  Well written blog on current cybersecurity events:  https://krebsonsecurity.com/

Blogs at the SANS Institute.  The SANS Institute hosts various blogs on different cybersecurity topics.  Some very good work here:  https://www.sans.org/security-resources/blogs

Security Magazine:  http://www.securitymagazine.com/topics/2236-cyber-security-news

US-CERT.  The United States Computer Emergency Readiness Team:  https://www.us-cert.gov/


References:

CARS Checklist (n.d.).  CIS 629, Managing Emerging Technologies, Bellevue University.

Harris, R. (2015, January). Evaluating Internet Research Sources. Retrieved June 18, 2017, from http://www.virtualsalt.com/evalu8it.htm

C.A.R.S. Checklist (n.d.).  CLRC Writing Center. Santa Barbara City College.  Retrieved from https://www.sbcc.edu/…/CARS%20Checklist%20for%20Evaluating%20Sources.pdf

Alleged Email Spammer Indicted on Federal Fraud Charges

Everyone who uses email gets spam.  I can’t think of anyone who likes it.  I don’t even know anyone who responds to it knowingly.

Of course there are the fake emails that pretend to be your bank or a delivery service saying there was a problem with a delivery.  Sometimes people do mistakenly click on one of these and find they now have a virus on their computer.  If it is a fraudulent email seemingly from their bank, they might be duped into entering a password or account information on a criminally run website pretending to be their bank.  This can lead to identity theft, and a loss of money and time.

Spam is usually just commercial advertising that you don’t want.  It is a very cost-effective way for some organizations to reach a massive number of email addresses.  Many of these are commercial in nature, in that they are offering a product, and you might actually receive the product they are advertising after purchasing it.  The problem is that legitimate offers for products or services, even if you don’t want to receive them, are sometimes indistinguishable from malicious (and also unwanted) email.

How many times do you read about one of these spammers being caught and charged with any type of criminal offense?  Probably not often.

Recently, MICHAEL PERSAUD, 36, of Scottsdale, Arizona was indicted by the U.S. Department of Justice and charged with 10 counts of wire fraud.  Persaud is alleged to have fraudulently registered email domains using false identities and to have created fraudulent “From Address” field names to conceal that he was the sender of these spam emails.

According to Krebs on Security, Persaud has been doing this for a long time.  He has also been sued, found guilty and fined before, yet this must be a lucrative business because Persaud has been at this since at least 1998.  Persaud is also listed on the Spamhaus Project’s Top Ten Spammers site.

Persaud was sued by AOL in 1998, and had charges filed against him by the San Diego District Attorney’s office in 2001.  He paid restitution and damages of over a half-million dollars to AOL.  There seems to be a strong financial incentive for those who do this, and little downside so far.

We will have to watch this to see what the court decides on this one.  For a copy of the DOJ indictment, check it out here on the Krebs on Security website:  https://krebsonsecurity.com/wp-content/uploads/2017/02/Persaud-indictment-filed.pdf

References:

Alleged Cyber Spammer Indicted on Federal Fraud Charges. (2017, February 7). Retrieved February 19, 2017, from https://www.justice.gov/usao-ndil/pr/alleged-cyber-spammer-indicted-federal-fraud-charges

‘Top 10 Spammer’ Indicted for Wire Fraud. (2017, February 8). Retrieved February 14, 2017, from https://krebsonsecurity.com/2017/02/top-10-spammer-indicted-for-wire-fraud/

The Spamhaus Project – The Top 10 Spammers. (n.d.). Retrieved February 14, 2017, from https://www.spamhaus.org/statistics/spammers/