As always, we can learn from example . . .

A little over a month ago I used my 4GB USB flash drive to move a small executable file from one computer to another. After using it I dropped it back into my computer bag like I always do….

Or, so I thought.

…………………………

Life was good and I had no need for the USB drive. But then I really needed it for moving another file between computers that were not networked.

I rummaged through my computer bag. No luck.

I cleaned the extraneous stuff off my desk. Still could not find the drive.

I even removed all the change in the cup holders in my pickup. No joy.

Finally, it was found deep in the bottom of my computer bag, where it was supposed to be.

………………………….

As The Professor used to say in college, “It’s intuitively obvious” that USB drives can be easily lost.

What should we do? Here a couple of ideas…

• Never store confidential information on a USB drive.
• If you must put confidential information on a USB drive, then encrypt the USB drive, or the files on the USB drive. This is pretty easy. You can use a drive from IronKey, or you can use a generic drive with TrueCrypt.

So, be careful out there. Don’t lose your personal information by putting it on an unencrypted USB drive.

- Dan

http://www.huffingtonpost.com/2010/11/01/what-not-to-post-on-facebook_n_764338.html#s157112

I don’t normally spend a lot of time reading The Huffington Post, but this article is full of common sense. Read it. Pay attention to these recommendations. Use the brain that God gave you.

The vacation countdown is a great one. “I’ll be gone. Come rob me!” Oh, noooooooo……

Be smart.

- Dan

We have been seeing an increase lately in a specific type of phishing email being sent to both company and personal email addresses. I have received variations of this coming to me in my personal email accounts. Some have been making it past the spam filters that we use for the work email.

Phishing email are sent to a person in an attempt to get you to click on a link that is in the email. Sometimes that link will install malicious software on your computer. Other times the link may take you to a legitimate-looking web page where you are encouraged to enter userid/password combinations or credit card information. Many people fall victim to phishing scams.

Here are a couple of examples of email that have been received. If you take the time, you can see the tell-tale signs of phishing.

Let’s look at the first one.

This email looks like it is from Chase bank. It even has the correct logo. It looks legitimate, but it is not. It shows a recent payent of $117 on 8/6/10. How can you tell if it is real?

• Red Flag #1: The recipient of this email does not have a Chase credit card. Chase would not send a payment confirmation if you do not have an account.
• Red Flag #2: The recipient did not make a payment of $117 to Chase.
• Red Flag #3: Look at the From: address at the top of the image. It shows that it is from someone at royalgreenland.com. A real email from Chase would be from someone at chase.com.
• Red Flag #4: Only one of the links in the body of the email indicates that it will take you to chase.com. In the original, if you hover the mouse pointer over the links, they point to places other than chase.com

Looking at the second example, we can see that this purports to come from amazon.com and looks legitimate. But…

• The recipient did not place an order with amazon.com
• The From: address is not amazon.com
• Hoving your mouse pointer over the links points to places that are not amazon.com

I have seen similar email that supposedly come from Best Buy, also.

So, watch out for the links that are in email messages you receive. Check to see if it is reasonable that the company is sending you email. Look at the From: address to see if it matches the company listed in the email. Before clicking links in the email, hover your mouse pointer over the link to see where the link goes.

Just be careful.

- Dan

I checked my email yesterday morning and was greeted with these three headlines:

Employee at Maryland state agency posts client information online

Sensitive database compromised at Buena Vista University

Hospital: files with personal, medical data on 800,000 gone

Whether a state agency, hospital or university, the issues are the same. Confidential information must remain confidential and there must be practices in place to maintain this confidentiality.

This is true for the small business, also.

I have heard many small business owners state that “no one would care about them”. This may have been correct in the past, but it is certainly no longer the case.

Policy statements, and enforcement of that policy, can be a significant deterrent to events such as are depicted in the above links.

Think about this: Who is in charge of updating the business website? Is only authorized information put on the Internet? Who is the one responsible for authorization?

Sometimes a file may accidentally get put on a web server. The contents of the web server should be a part of the regular audits.

Regardless of policy, breach and data loss events are usually a result of someone not being diligent.

I sure not would want to be the one responsible for any of these data loss events.

- Dan

You’ve got to read this article – The Internet’s most successful scams from The Red Tape Chronicles on msnbc.com.

The scams discussed are:

1. Online dating scams
2. Fake anti-virus software
3. Facebook impersonation
4. Becoming a bot
5. The fakosphere

Take the time to read, and focus on the last one, The fakosphere. You just cannot believe everything that you read on the Internet.

- Dan

A few weeks ago I wrote about Why Trust is Important. In that post, the example of using your credit card at the gas station was presented, along with the assumptions about trust that are made.

Yesterday, there was an article posted at dark Reading detailing recent credit card skimming incidents at gas station pumps. It is reported that 180 gas stations in Utah were found to have skimming devices in the pumps.

Bruce Schneir is correct when he states that “The consumer can’t be expected to notice these things.”

What can you do? How about the following …

• Always pay with cash
• Use your credit card inside
• Keep all receipts and watch you statements closely
• Ride a horse

So, watch those statements. If you find charges that are not yours, contact your card company.

- Dan

President Ronald Reagan said, “Trust, but verify.” I used to hold fast to that, but recently have learned that you cannot, nor should you, always verify.

Trust is a critical foundational element of life, government and information security.

Things would be different if trust was non-existant…

• Husbands and wives would always be paranoid.
• Negotiations between teachers and school boards would always go to impasse.
• You wouldn’t have any confidence in your antivirus or IDS system.

Right now, you’re probably saying that is the way things already are. To some extent you are right.

Distrust between two parties is as natural as entropy.

But, consider some of the ways that you do trust.

• You trust that the gas pump gives you what you pay for and that the meter is accurate.
• You trust that the government who puts the accreditation sticker on the gas pump has actually tested it.
• You trust that the person testing the gas pump knows how to accurately test it.
• You trust that the magnetic card reader for swiping your credit or debit card is not skimming that information.

Of course, there are many more examples.

• You trust Google to not share information about your searches, or the contents of your GMail account.
• You trust the security that your bank uses for your on-lne banking.
• You trust the validity of the certificates that are checked when accessing secure web sites.

Our society is built upon the expectation of trust. Sometimes people and organizations successfully show that they can be trusted. Othertimes, not.

Back to President Reagan…

There are times when I trust, but verify.

However, there are many more times when I trust, but either choose to not verify, or the risk is so low that it makes to sense to take the time to verify.

Carefully consider which times verification is important. It just might save the day for you sometime.

- Dan

Take a look at this article from Network World. It provides high-level descriptions of how you can get infected with malware even though you avoid shady or inappropriate websites.

7 Reasons Websites Are No Longer Safe – Network World

And so that you don’t have to read the long version, here is the short version…

1. Polluted ads
2. SQL Injection attacks
3. User-provided content
4. Stolen site credentials
5. Compromised hosting service
6. Local malware
7. Hacker-engineered fakes

Information technology professionals should take the time to understand each of these attack vectors. Users should look at this as an opportunity to increase their awareness.

- Dan

Do yourself a favor. Go grab your wallet. I’ll wait for you to get back…

.

..

…

Now, pull all your credit cards out. Grab your debit cards, also.

Look at them closely. Can you identify where each one of them has been used?

Have you ever used your debit card for on-line transactions?

By spreading your credit and debit card numbers out across cyberspace, you are increasing your target profile, and increasing the risk of compromise.

Speaking from experience, you don’t want those numbers to be used without your permission.

Tip: Create a plan and strategy for the use of your cards.

Here are some things you can do. You may do some other things…

1. Never use your debit card for on-line transactions.

Different banks will give differing explanations about your liability for unauthorized transactions. Minimize your footprint.

2. Have one credit card that is only used for transactions you don’t fully control.

(such as on-line transactions or paying for dinner where you give your card to the server and it’s gone for 10 minutes…)

3. Closely monitor the charges to your cards.

Use the on-line tools your card issuer gives you to see what transactions appear.

4. Don’t write your PIN on the back of the debit card, and don’t give it to your kids to use.

Believe it or not, I just noticed that a friend had done this. It’s like writing the burglar alarm code on the door of your house.

5. Don’t use credit and debit cards.

This is somewhat like using the Google Opt-Out that was reported on the Onion News Network. Radical and gets the job done, but probably not all that practical!

These cards are like the keys to your financial kingdom. Guard them!

- Dan

Twitter hacked by old technique — again by AP: Yahoo! Tech

This article came out yesterday. The short description is that a compromised personal email account led to a compromise at Twitter.

Although the article is written with the focus on Twitter, this can just as easily happen to you and your organization.

Tip: Keep work email and data separate from personal email and data.

We need to constantly remind folks that there needs to be separation between work and personal email and storage. The selling point is that it protects both the employee and the company in the event the other is compromised.

Once again, the weakest link is The Human.

- Dan