Wednesday, December 7, 2016

Six steps to block credit card fraud

Credit Card Fraud spelled out using Scrabble tiles

Just over a year ago, I put together a simple guide to dodging financial fraud; it quickly became one of the most popular posts on this site. Given some recent cyber events, now seems like a good time for an updated version.

How many times have you replaced your credit or debit card after the number was stolen?

Now how many of those times did you suffer actual harm due to the fraud?

Credit card fraud is frequently in the news - perhaps less now than it was two years ago, but it still remains a hot topic. Between Target, The Home Depot, Sears, Dairy Queen, Wendy's, Cici's Pizza, Goodwill, Trump Hotels, Hyatt, Hilton - the list of businesses whose payment systems were breached to steal card numbers goes on and on.

In a widely-circulated news story this week, researchers at the UK's Newcastle University discovered a way to collect Visa card numbers without breaching a merchant. Generally speaking, a card number cannot be used online without also knowing the expiration date and the 3- or 4-digit security code on the back. Visa's payment network will block repeated attempts to guess the expiration date and security code coming from a single merchant - but it does not detect guessing attempts spread out across many merchants.

The result is that by automatically and systematically generating different versions of the security data for a card number, and trying the different combinations across thousands of merchant websites, a malicious hacker can guess the correct combination of account number, expiration date, and security code in just a few seconds.

So what can you do to take credit card fraud off the top of your list of worries?

Saturday, November 26, 2016

RIP Tom Hanks? No, it's a fake malware scam

Tom Hanks is not dead. That doesn't stop crooks from using news of his demise to attract victims.

Updated 29 November with additional context after I analyzed the malicious link. TL;DR: Tom Hanks is not dead, and the fake news link on Facebook leads to a malicious website. As an aside, Tom Hanks is not the first celebrity to be used in fake news scams, and I am sure he won't be the last. Other recent malvertisements have claimed the demise of Harrison Ford, Sylvester Stallone, Beyonce, and even Facebook's own CEO Mark Zuckerberg.


No, Tom Hanks is not dead. However, a malicious advertisement circulating on Facebook over Thanksgiving weekend uses that headline as bait; readers who click the "news story" to find out more instead get more than they bargained for.

Instead of a news article, the advertisement leads to a web page that blares an incessant alarm sound and displays the following warning message. As a clever twist, the malicious content itself imitates Google's own malicious website warning.

Victims that call the phone number on the screen will no doubt be instructed to pay a "Microsoft Technical Support" fee to have the malware removed - a twist on the classic technical support scam.

Sunday, November 6, 2016

November 8 is about more than just the Oval Office

Decisions made in November reach from the White House to your house and mine.

The bulk of this was written a year and a half ago. This election cycle has brought about caustic attitudes, and a very large number of people stating they simply would not vote this year. I have for the most part stayed out of any political discourse this season, but the following tweets from Leslie "Hacks4Pancakes" Carhart spurred me to update my post.


Even if you're fed up with presidential candidates, please vote local and for the next 10+ years of SCOTUS.

The current presidential election cycle has truly brought out the worst in this country. I've seen caustic arguments between friends and family members. Individuals in each camp call supporters of the other everything from foolish to evil (frequently in less kind terms). Over and over again I hear comments of "I can't vote for anyone but I surely have to vote against so-and-so" or "there's no one worth voting for so there's no use voting." Lost in the noise is that November 8 is about far more than just who will occupy the Oval Office for the next four years.

The soon-to-be President of the United States will appoint at least one Supreme Court justice (replacing Justice Antonin Scalia, who passed away this year). Given the ages of other currently-serving justices, he or she may well appoint as many as four. The current court is an evenly-balanced mix of justices who tend toward liberal and conservative; for the incoming President to replace four justices would put a decided slant on the court, one way or the other.

Thursday, October 27, 2016

A $17 Social Engineering Lesson From a Blind Man

Today I fell for a scam.

I often walk around the Texas Capitol complex during lunch, or when I need to mull over something. Today as I was walking, a blind man stopped me and asked if I could direct him to Lamar Street. I stopped to talk with him for a moment, and he explained he was trying to get to the Texas School for the Blind.

Texas School for the Blind is a solid 4 miles from downtown, so I offered to get my car and give him a lift. He appeared grateful - and then said he wanted to call ahead and make sure it wouldn't be a wasted trip. See, he was living in a halfway house and his rent was due; if he couldn't come up with seventeen dollars to make rent, he would be out on the street tonight. He thought Texas School for the Blind offered emergency assistance.

I let him borrow my phone to make a call. From his side of the supposed conversation, it was obvious he did not get the answer he was hoping for. I gladly gave him what I had in my wallet, shook his hand, and wished him well.

Being the skeptical soul that my profession makes me though, when I got back to my office I redialed the number he had called. Surprise, surprise - the number was not in service.

Working downtown I frequently encounter people asking for a handout. I have my own ideas that influence my decisions to give or not to give, but it is not my intent to turn this into a philosophical or political discussion. What makes this event stand out in my mind though is how his pitch was so polished, rehearsed - and phish-like.

It was a veritable lesson in social engineering.

Tuesday, October 11, 2016

Amazon joins the password merry-go-round

Like many companies, Amazon.com regularly looks for evidence that its customers' usernames and passwords have been exposed. The company apparently discovered a trove of usernames and passwords recently, and is resetting some passwords as a precaution.

The company has not said how many accounts are affected, nor where they found the user details; the only thing they have said is that the list was not Amazon-related. This could mean it was a list of usernames and passwords from a completely unrelated site, but for individuals that reused the same passwords at Amazon.

The details are almost identical to reports about 6 months ago of a similar incident: Amazon reset some users' passwords after a list of names and passwords was found online. The list was not for Amazon accounts, but the account owners used the same passwords for their Amazon accounts. Go back a year, and the same scenario played out yet again.


What should you do?

First, don't panic. There is no indication that Amazon.com has been hacked. Rather, Amazon does an excellent job of searching for breaches elsewhere and identifying customers who used the same password at Amazon.

  1. There is no harm whatsoever in changing your Amazon.com password just to be safe, even if you have not received a notice from the company.

  2. More important, make sure your Amazon password (and every other account password) is long and is not reused anywhere else. If the same password is used everywhere, a stolen password can give an attacker access to all of your accounts. A stolen password is far less damaging if it only unlocks that single account.

  3. If you do receive an email that appears to be from Amazon, don't click the password reset link in the email! While I haven't seen any examples specific to Amazon, fraudsters love to imitate a well-known service and claim your account is in jeopardy. In this example from last year, scammers sent a phishing email pretending that something was amiss with your Apple ID. When you click the link and "verify your information" though, you are instead giving the hacker your information so they can log in as you.

     What to do instead? Go directly to Amazon.com, and change your password there.

If you received a phishing email imitating Amazon, I'd love to have an example to add to this story. I'll gladly credit you, or keep you anonymous, as you wish!

Thursday, October 6, 2016

Basic cyber advice

What better time than National Cyber Security Awareness Month for a refresher on cyber safety? Start the new school year off with some healthy habits.

For the second year in a row, Security For Real People is proud to be a National Cyber Security Awareness Month Champion. NCSAM is a month of cooperative efforts involving government, private businesses, and individuals working together to promote online safety and digital privacy. It began as a joint government and industry program between the National Cyber Security Alliance and the Department of Homeland Security. It now includes over 700 corporations, small and medium businesses, educational institutions, and individuals, all with the shared goal of making the digital world just a bit safer for us all.

The news is full of stories about extraordinary threats: baby monitors hacked to spy on you. A billion Yahoo email accounts exposed. Sophisticated spies taking over iPhones. Movie-plot-worthy heists draining millions of dollars from thousands of ATMs at once.

Elite hackers exist, and they do elite things - but they are generally not the greatest threat to most people. Consumers are undone by far more pedestrian problems: passwords. Outdated software. Phishing. Improperly configured networks. Routine malware. Malicious advertising. Unwittingly trading privacy for "free" services.

Wednesday, September 28, 2016

Someone's watching the baby, and it isn't you

"A greyscale image of a webcam," by Asim Saleen, used under license CC BY-SA 3.0

It seems like a scene out of a Transformers movie, but it happened right here in Austin. Local news station KVUE reports that an Austin family noticed their Wi-Fi baby monitor moving on its own one evening last week. It was being controlled by an unknown person, for an unknown purpose.

I hesitated to write this story, since I do not have a Wi-Fi camera to test myself and provide recommendations on. The intent of Security for Real People is not to spread fear, but to give practical advice you can use to keep yourself and your family safe online.

I decided to share the story anyway, for this reason: Internet-connected devices are becoming more and more common, and are entering more and more intimate areas of our lives. But in many cases online safety is an afterthought. With a refrigerator or TV, maybe that's not a big deal, but a camera inside the home lends itself to voyeuristic abuse or worse.

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.