Doug Bedell — December 11, 2017, 10:56 am

Meet the ‘Good Guys’: White-Hat Hackers


Steve Zurier on the DarkReading blog fills us in on who the “good guys” are in the effort to keep the Internet reasonably free of malicious hackers.

“Most knowledge-seekers,” Steve explains, “have been involved in the bug bounty scene for less than two years and want to learn more. Bugcrowd reports that 63% say they invest their earnings from bug hunting back into professional development and security tools. The vast majority are attracted to bug hunting for the challenge and fun of it and with 69% being ages 18-29, they are one of the younger bug hunting groups. Nearly 56% have either a bachelor’s or advanced degree and 23% still identify themselves as students. Members of this group are serious about the security field: 29% aim to become penetration testers and 27% aspire to become full-time bug hunters.”

So these are the ‘good guys’. Bless ’em.

Doug Bedell — December 8, 2017, 1:40 pm

Perimeter Security Involves Length, Sizes and Values


You may think that securing a perimeter is simply a matter of putting up a fence and letting it be. Not so, notes the Advanced Perimeter Systems blog. It depends on the perimeter in question and what’s inside it.

Here, for example, are three perimeter settings – an international airport, the Great Pyramids of Giza and a parrot cage at the Edinburgh Zoo. (People aim to steal the rare birds.)

Each site is unique to its own setting, extent and value. Perimeter protection planning – “PPP” – needs to be done sensitively in accord with the site involved.

Doug Bedell — December 6, 2017, 4:00 pm

‘Phishers’ and ‘Spear Phishers’ Explained


Phishing and spear-phishing – the difference between these two forms of cyber security attacks is explained in a TechCrunch post.

“Spear-phishing, like phishing, involves emailing a malicious link or file. Whereas phishers send mass emails in hopes of stealing credit card information, Social Security numbers and login credentials from as many people as possible,” Tom Chapman explains, “spear-phishers are more precise. They usually target one or (a) few individuals at an organization, and they conduct extensive research in order to craft a very personal and convincing email. The spear-phisher has a very specific and often more sinister objective than the phisher.”

So be wary of both forms of email attacks.

Doug Bedell — December 4, 2017, 1:18 pm

A Security Tale: Truant With a Plastic Bag


Here’s an off-the-beaten-path piece from Naked Security about the limits of almost anything an employer might issue to track employees during business hours. An Australian employer issued a GPS-enabled personal digital assistant (PDA) to an electrician who, sad to say, placed it in an electrically conductive “cheese curly crunchy snacks” bag and went off to play golf instead of working.

Being electrically conductive, the bag made a serviceable “Faraday cage” for mobile devices, blocking the radio signals the tracker depends on. (A Faraday cage, explains Wikipedia, “is an enclosure used to block electromagnetic fields. … Faraday cages are named after the English scientist Michael Faraday, who invented them in 1836.”) As Naked Security puts it, “It’s a pretty greasy way to block electromagnetic current and to thereby keep your employer from tracking your whereabouts.”

But, finally, the employee’s wayward ways were detected and he was fired. “It was determined that he had been going AWOL to play golf – more than 140 times – while reporting that he was working.” Familiarity with the nuances of modern life is essential for truants of any ilk.

Doug Bedell — November 29, 2017, 9:39 am

Cybersecurity Tests Looming for Internet Use in 2018


Get ready for cybersecurity challenges to your Internet presence in 2018. That’s the not-so-surprising warning (and invitation) from In Homeland Security as the new year approaches.

“As the continuing digital transformation of our lives entails the ongoing digital transformation of crime, vandalism and warfare, 2018 could bring a lot of new takes on old vulnerabilities, some completely new types of cyberattacks, and successful new defenses.”

Would you expect anything different? Probably not, but In Homeland Security offers 60 predictions for the cyber security tests of 2018. Well worth spending some time on.

Doug Bedell — November 27, 2017, 10:52 am

Theft Risks in Providing Student Financial Aid Data


Parents of children seeking financial aid from colleges should be mindful that a great deal of information on their family finances and other personal matters becomes potentially available to computer hackers in the process.

Brian Krebs of Krebs on Security lists 108 items – from the student’s driver’s license number to his or her Social Security number – that are required on financial aid forms from the U.S. Department of Education. About all that’s not covered, he jests, is “What was the name of your first pet?”

Which is not to say, of course, that students shouldn’t apply for financial aid. But their families should be mindful of, and appropriately alert to, the tangential risks involved, however slim they may be.

Doug Bedell — November 24, 2017, 9:46 am

Our Web Tracks Can Be Followed by the Sites We Visit


Referencing security researchers at Princeton University, Bruce Schneier provides information on how websites may be collecting and storing our every move on them for playback to their owners.

“The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However the extent of data collected by these services far exceeds user expectations; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can’t reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user’s real identity.”

Get over thinking of the Web as a trackless landscape.
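To make the mechanism concrete, here is an added example (mine, not code from Schneier, the Princeton researchers or any recording vendor) that models in Node.js what such a page recorder captures and the capture-time redaction a site owner should insist on. The field definitions, the typed text and the event sequence are constructed for the demonstration; no browser is involved.

```javascript
'use strict';

// Naive recorder: mirrors the behaviour the passage describes. Every
// keystroke-level input value and every mouse position is logged as it
// happens, whether or not the form is ever submitted.
function makeRecorder(redactor) {
  const events = [];
  return {
    onInput(field, value, t) {
      const record = { type: 'input', name: field.name, t };
      record.value = redactor ? redactor(field, value) : value;
      events.push(record);
    },
    onMouseMove(x, y, t) { events.push({ type: 'mousemove', x, y, t }); },
    onSubmit(t) { events.push({ type: 'submit', t }); },
    events,
  };
}

// Capture-time redaction: keep the fact that typing happened (and how
// much) but never the content of fields that hold secrets or PII.
// Field types and autocomplete tokens are the standard HTML ones;
// `replayMask` is an assumed per-field opt-out flag for this example.
const SENSITIVE_TYPES = new Set(['password', 'email', 'tel']);
const SENSITIVE_AUTOCOMPLETE = /^(cc-|new-password|current-password|one-time-code)/;
function redactField(field, value) {
  if (SENSITIVE_TYPES.has(field.type) ||
      SENSITIVE_AUTOCOMPLETE.test(field.autocomplete || '') ||
      field.replayMask === true) {
    return '*'.repeat(value.length);
  }
  return value;
}

// Constructed interaction: the user types a password, thinks better of
// it, clears the field and abandons the page without submitting.
const PASSWORD_FIELD = { name: 'pw', type: 'password', autocomplete: 'current-password' };
const SEARCH_FIELD = { name: 'q', type: 'text' };

function simulate(recorder) {
  let t = 0;
  const typed = 'hunter2'; // constructed sample secret
  for (let i = 1; i <= typed.length; i++) {
    recorder.onInput(PASSWORD_FIELD, typed.slice(0, i), t++);
  }
  recorder.onInput(PASSWORD_FIELD, '', t++); // user deletes it again
  recorder.onMouseMove(120, 340, t++);
  recorder.onInput(SEARCH_FIELD, 'parrot cage', t++);
  // no onSubmit(): the form was abandoned
  return recorder.events;
}

// Every value the recording holds for one field, in order.
function capturedValues(events, name) {
  return events
    .filter(e => e.type === 'input' && e.name === name)
    .map(e => e.value);
}

const naive = simulate(makeRecorder(null));
const hardened = simulate(makeRecorder(redactField));

console.log('naive recording of pw:   ', capturedValues(naive, 'pw'));
console.log('hardened recording of pw:', capturedValues(hardened, 'pw'));
```

The point of the two runs: the naive recording contains the full password even though it was deleted and the form never submitted, and a recording that reaches the vendor is already disclosed, so masking has to happen at capture time in the page, not later on the vendor’s side. The search field, which is not sensitive, records normally in both.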

Doug Bedell — November 21, 2017, 10:59 am

Network Penetration Testing Well Worth Considering


George Mateaki on the Security Metrics blog explains penetration testing – Network Penetration Testing 101 – and why it’s advisable for businesses to confirm the security of their workaday environments.

“Penetration testing, in general,” Mateaki explains, “is a type of ‘ethical certified hacking’ during which a pen tester will attempt to enter and exploit your IT environments. There are a few types: Segmentation Checks, Application Penetration Tests, Wireless Penetration Tests, and Network Penetration Tests.

“Segmentation Checks look for misconfigured firewalls. Application Penetration Tests find security issues that are due to application coding flaws. But when we pen test a network, we look for security issues in the design, implementation and maintenance of servers, workstations, and network services.”

“Hackers will target anything that stores, processes or transmits credit card information or personal identifying information (PII). And if you’re in the HIPAA realm, that includes protected health information (PHI). The location(s) at which you store this information are collectively known as the Cardholder Data Environment (CDE).”

So there you have it, in a tight summary. If you’re not feeling secure (or maybe even if you are), have a Network Pen Test done.

Doug Bedell — November 17, 2017, 11:23 am

Watch Out: You’re Not As Secure As You Think You Are


You think you’ve got a reliable home or business security camera or wireless router. Maybe so, maybe not.

“Several widely available security cameras and wireless routers can be easily hacked to reveal customers’ video feeds online,” In Homeland Security reports, “reigniting privacy concerns four years after the Federal Trade Commission filed charges to eliminate similar vulnerabilities.”

It’s advisable to read the rest of the In Homeland Security post, and to be aware that the security of network-connected devices is an ever-continuing concern.

Doug Bedell — November 14, 2017, 8:41 pm

Cyber Security Alerts from the Dept. of Homeland Security


Connect with the U.S. Department of Homeland Security (DHS) for cyber security alerts, whether on North Korean activity, as in this instance, or on other malicious cyber activity. The alerts are issued through US-CERT, the United States Computer Emergency Readiness Team.

“The North Korean government malicious cyber activity noted in these alerts is part of a long-term campaign of cyber-enabled operations that impact the U.S. Government and its citizens,” advises DHS. “Working closely with our interagency, industry and international partners, DHS is constantly working to arm network defenders with the tools they need to identify, detect and disrupt state and non-state actors targeting the networks and systems of our country and our allies.”

There’s plenty of malicious cyber activity out there – working together on awareness, alerts and defenses is the way to combat it.