Knowing full well that American Express is the credit card of choice for many professionals, cyber criminals are targeting AMEX customers in a wave of convincing phishing emails. The emails appear to be from AMEX stating that fraudulent activity has been detected on the recipient’s card, and provides a link for the user to update their information. The link actually leads through a series of redirection scripts on compromised websites and eventually lands the user on a website that has the outward appearance of a legitimate AMEX website. This site’s sole purpose is to collect critical personal data such as your Account ID, Social Security Number, Mother’s Maiden Name which will shortly be used to perpetrate some actual account and identity theft.
What this means for you:
By now you should naturally be suspicious of any emails that show up in your inbox asking you to reset your credentials, especially if you did not explicitly perform a password or credential reset. Rolling over the links in the emails will show you the destination URL, and if the link isn’t one you recognize, stop right there and trash the email. Even if the URL looks legitimate, don’t use the link in the email. Go to your credit card website by manually typing in a URL that you know is good. Not sure what the URL is? Look for one printed on the back of your credit card, or failing that, just call the customer service number via phone. As a rule, credit card companies and banks will notify you via phone of suspected fraudulent activity, so emails like this should always be viewed with a healthy amount of skepticism.
For many professionals, LinkedIn plays an important role in their ability to network and market themselves to others, but the primary business tool of choice for just about everyone is still email. Realizing this, LinkedIn has created an app (currently only for iOS) that puts a lot more LinkedIn into your email. The app, dubbed “Intro”, is designed to provide you LinkedIn profile information (if it exists) of your recipients while you are writing your email, as well as automatically inserting an “Intro” banner that includes your profile information into every email you send. It’s this latter function that has security analysts up in arms, because in order for Intro to do its thing, it requires the user to switch their email server from the provider to LinkedIn’s own mail servers, which in turn authenticate on the user’s behalf while inserting the Intro snippet into each email as it makes its way through LinkedIn’s service. You read that right: every email you send using Intro goes through LinkedIn’s servers as well.
What this means for you:
For decades now, hackers have used a similar technology process to compromise security systems: the “Man in the Middle” attack basically tricks a computer into sending information to an alternate destination, which then forwards on the information to the intended destination, all the while pretending to be the original sender, with neither endpoint being the wiser. In this manner, the “man” in question is able to collect any information passing between the two points, including passwords and other sensitive information. Obviously, LinkedIn’s Intro app is purposefully inserted into the middle of a user’s email by the user himself, but the principle remains the same, and, at minimum, complicates security. Think of it as an email “love triangle.”
On top of this concern, security analysts have already figured out a way to spoof the information Intro inserts into your emails, essentially “weaponizing” Intro’s banner to carry any sort of payload the hacker would like, including links to hijacked websites. Imagine if you sent your client an email with a compromised LinkedIn Intro banner that led to them getting infected and their information destroyed by a virus. For now, I’d recommend sticking to inserting your own signatures into your email (which can include a link to your LinkedIn profile) and waiting a few months to see if LinkedIn has worked out all the security concerns in their new app.
Malicious agents continue to use increasingly sophisticated email templates to fool victims into installing malware on their computers. Most recently, people have been falling prey to an email that appears to be from Dropbox.com, a very widely used cloud storage website. The email uses Dropbox artwork and is kept short and to the point: it warns the user that they need to change their password and provides a link (which, of course, leads to a hijacked website). Adding to this email’s apparent credibility is the fact that Dropbox has engaged in this very same practice to legitimately warn users about password changes. Couple this with the fact that it’s highly likely you have a Dropbox account, and the hook is set before you know it.
What this means for you:
Whenever you receive a warning like this, the safest method to take action is to manually type the URL of the service in question in your browser and never click links in the email, unless you are confident they don’t lead to a hijacked website. Most email clients, including web-based ones like Gmail and Yahoo Mail, allow you to roll over the links in any email and see the actual linked destination (it may take a second or two, be patient while hovering), as it’s trivial to fake the visible destination while sending you down a dark road to infection. For more tips on spotting fake emails like this one, read my previous post, “Fake Emails are Getting Harder to Spot“.
Many of you already know this because you, or your company has partially, or even fully embraced this concept: technology continues to expand the way businesses can take advantage of remote workforces and telecommuting. According to BusinessInsider.com, the number of people working remotely or telecommuting in the US has grown by nearly 80% from 2005 through 2012. However, the actual number of people working in this fashion (3.3m, not including the self-employed) still only comprises less than 3% of the total American workforce.
Despite the gains telecommuting has been making in the business world, many more companies still cling to the more traditional office-bound cultures, even such as Yahoo, where former Googler and now CEO Marrisa Meyer infamously rescinded Yahoo’s extensive telecommuting labor policy, citing the need for more teamwork and collaboration. This is perhaps the most popular justification for eschewing a dispersed workforce, but many successful small business, both startups as well as established business are taking advantage of the decreased overhead and a happier, more productive workforce, and the internet is making collaborating over distance easier every day.
What this means for you:
As a small business owner, or someone who is looking to shake up the culture of a more traditional work environment, the arguments for decreasing real estate expenses, infrastructure costs and administrative overhead will come fairly easily. However, be prepared to answer how you will maintain or even improve collaboration and teamwork, especially now if your staff can no longer pile (physically) into a single conference room with a few minutes notice. Security, standards compliance, quality control and performance management will also require new processes and new ways of thinking, and as we all know, change never comes easy, especially when someone’s paycheck or dividend is on the line.
All of the preceding challenges can be met with current technology that is affordable and often easy to use, but if you buy a bunch of laptops and webcams and ditch the cubicle farm without preparing both your people and your business, you may be in for a rude surprise. As is always the case, plan carefully how you implement technology: the easiest step is purchasing shiny new toys. The hard part is implementing them properly and securely, and making sure they are properly aligned with your business.
Image courtesy of jannoon028 / FreeDigitalPhotos.net
As predicted, the zero-day flaw in multiple versions of Microsoft’s web browser, Internet Explorer, is now being actively exploited by multiple APT (Advanced Persistent Threat) groups in attacks that are targeting large numbers of people. The most publicized and successful of these attacks have been focused on government websites. Their primary purpose: to install rootkits on government worker machines to facilitate access to confidential government documents. On top of the growing number of attacks leveraging this weakness, the Metasploit framework (an open source hacking tool used by security researchers and white-hat hackers) just released a module to the public that demonstrates how this security flaw can be used to hack IE, theoretically making it even easier for malicious agents to understand and develop their own exploits. Microsoft has yet to say when a patch will be released to fix this weakness, which affects just about every version of IE from 6 through 10.
What this means for you:
If you are using Internet Explorer, whether by corporate mandate or by choice, make sure you’ve applied Microsoft’s temporary fix, or ask your IT guy if they’ve distributed the fix throughout the company. If you work for the government, either as an employee or contractor, be extra wary of strange behavior on your computer, and ensure that your antimalware software is fully functional and up to date.
If you are using some other browser, you don’t have to worry about this particular exploit, but as always, remain ever vigilant and make sure your OS, software and antimalware are fully patched!
You thought you’d done a good thing: you finally listened to all the warnings and locked your iPhone with a passcode or, if you are one of the lucky few with a shiny new 5s, the new fingerprint lock. Sadly, one of Apple’s other famed technologies may betray you in the end. An Isreali security analyst has uncovered a significant flaw in iOS7 security when access to Siri on your iPhone’s lockscreen is enabled. The problem is part convenience and part bug: using Siri while your phone is locked allows you to make calls without having to punch in a passcode, something that is indispensible while driving, or when your hands are otherwise occupied. Unfortunately, using Siri in this manner leaves a back door open in the form of unfettered access to the phone app, while your phone is still locked. Oh, and did you remember that Siri responds to anyone’s voice, not just the owners?
What this means for you:
“How bad could this be?” I hear you asking. While in the phone app, the user can access the phone’s voicemail, send text messages, view the calendar and look through all the contacts in your phone. If you don’t consider that private, you are part of a very small minority on this planet. The fix is simple: disable access to Siri from the lockscreen. The recommendation: do it now if you care about your phone’s security. It’s likely Apple will fix this flaw, but will they do it in time to protect your confidential data?
When you are king of the mountain, everyone lines up to take a shot at you, and the iPhone is no exception. In this particular case, security analysts were taking bets on how long it would take for someone to defeat the brand-new iPhone 5s fingerprint scanner. They didn’t have to wait long, as it seems a German hacking group known as the Chaos Computer Club was first to publish a technique they claim will defeat Touch ID’s technology. Though the claim has yet to be independently verified, it has the same trappings as the infamous “gummi bear hack” that poisoned public perception of biometric security measures over a decade ago. In a nutshell, the hack requires a high-resolution scan of the target’s fingerprint, which is then used to create a fake finger from a laser printer and a thin layer of latex.
What this means for you:
According to the Chaos Computer Club, their intent behind publishing the findings was to demonstrate to the public the weakness of fingerprint-based security, pointing out two very obvious weaknesses: (1) we can’t change our fingerprints if they happened to get compromised, and (2) we leave them everywhere we go. Whether or not CCC’s technique proves replicable, it is only a matter of time before other techniques are published, and their points still stand. Multi-factor authentication methods can surmount this particular problem, as can biometric patterns that aren’t so easily replicable (such as your cardiac signature), but the fact remains that the easiest method to gain access to your phone is for someone to gain access to one that isn’t protected at all, either by fingerprint, pin or password. Unless the only thing you use for smartphone for is games, you should always have some form of protection on your phone, and doubly so if you use it to conduct work.
Anyone who’s watched a Hollywood thriller in the past three decades is familiar with biometric scanners, and along with it, the various means movie villains have used to subvert these systems, including methods that would be horrifying to consider when applied in real life. Now that the new iPhone 5s has a fingerprint scanner, those of us with more vivid imaginations have envisioned a new rash of thefts paired with bodily mutilations. Fortunately for everyone, the manufacturers of the fingerprint scanner on the new iPhone have stated quite clearly that the only way the scanner will register a proper fingerprint is if the finger is still attached to its living owner.
What this means for you:
It’s too soon to tell whether or not the technology in Apple’s latest smartphone is subject to the same hacks that rendered earlier incarnations useless for serious authentication. There are also concerns that Apple, or even the NSA could be gathering fingerprints for their super-surveillance database. Given all the attention the NSA has already been given regarding its privacy invasions, it’s a safe bet that they are going to steer clear of this particular minefield (at least for the time being) and Apple is also savvy enough to avoid alienating its passionate fanbase with such a heavy-handed misuse of their personal privacy.
Frankly, if the convenience of the fingerprint authentication gets you to secure your iPhone where before you did not, then I’m already a fan. For you Android users out there jealous of Apple’s spy gadget tech, have a look at Nymi, and watch for other biometric gadgets to arrive, especially now that Apple is trying to make them sexy again. You should always secure your mobile devices, especially if you use them to access email or work data. As we can all attest, passwords and pins are a big hassle, especially when you are on the go, but you should never let your phone out of the house without one.
Image courtesy of thawats / FreeDigitalPhotos.net
If you’ve taken to heart any of the security advice or practices that I or many other technology professionals have been dispensing for the past few years, you’ve probably developed a healthy skepticism for any emails that land in your box that are unexpected and contain unfamiliar links. Even more so if your email provider marks the email as spam or a possible phishing attempt.
For example, I recently received an email with the subject “iPhone iPod touch Class Action Settlement” that was immediately marked as spam by Gmail. This email purportedly offered me a part of a class action settlement with Apple. Seeing how many people own iPhones and iPods, it seemed like good phishing bait so I assumed this was yet another scam. It had all the trappings of a well-made con:
- broad target demographic
- based on a recent, actual event
- contained lots of official-sounding text that didn’t read like a 4th grader wrote it
- no overt clues that the sender was an obvious bad agent (non-US domains, inappropriate reply-to addresses, spoofed mail headers, etc.)
It would probably lure people into clicking a link that would either load up their machines with malware, or entice them into giving up some personal information that would later be used in an identity theft attempt. I opened it up with the intent of warning my audience and clients about the potentially well-crafted fraud.
As it turns out, this is a legitimate email that Gmail incorrectly identified as spam, probably because the sender was flagged as a spammer by justifiably suspicious readers like you and me. A little research online reveals this is part of the original case that made headlines back in May of this year. Emboldened by this information, I used Chrome (bolstered by a variety of anti-scripting extensions) to visit the included link, and, lo and behold, it’s a legitimate website. Because of the relative newness of this initiative, there isn’t a lot out on the web about this yet, so unless you are an experienced internet researcher, your searches might have come up with little evidence that this was a legitimate email.
What this means for you:
Most cautious internet citizens might have trusted their email provider’s guidance on this and just deleted this email, potentially missing out on as much as $200 as a settlement award. False positives are an unfortunate side-effect of a proper security protocol, and in this case, even Google didn’t provide enough information to immediately assuage my suspicions, and a few search results actually led to conversations where people immediately labeled it as a scam. Sometimes the internet does not provide instantaneous answers, nor is it always right, and as always, you should always take your search results with a grain of salt, especially if there is money at stake. If your search results turns up a dearth of information, your best course of action is to wait a few days for the internet to catch up (it always does!) and research again, or to contact a tech expert like C2 Technology to get a second opinion.
Image courtesy of David Castillo Dominici / FreeDigitalPhotos.net










