The Ohio Cyber Range Institute and the Ohio Cyber Reserve took part in a cyber security exercise at the University of Cincinnati July 15, 2022. Maj. Gen. John Harris said, “This is just a next level of training for our Ohio Cyber Reserve. Our responsibility first and foremost is to respond if there is a crisis here in Ohio.” https://t.co/F8HQ2oQKbq
85 percent of computer and network breaches involved a human element, according to Verizon’s “2021 Data Breach Investigations Report,” while over 80 percent of breaches were discovered by external parties. That is good news. Does that mean if each one of us could modify our behavior, then perhaps this ransomware and breach problem might go away?
Well… Everyone works under some kind of deadline pressure. And if you are like me, you tend to procrastinate. To meet that impending deadline, we have to work quickly. So, when that application or operating system security update pops up, we push it away. Or the I.T. department applies the update. Of course, that is the day our assignment, proposal, paper, or whatever is due for presentation or submission. If you work remotely, that’s when you notice that your organization’s system is crawling along slowly or the company network is unavailable. You have already forgotten about or quashed that warning you received about updating your home or office workstation to the latest security patch. Or your antivirus program that has been interrupting you for days does it again. And that’s when a “Digital Pearl Harbor” is most likely to occur.
Our I.T. computer people and the information technology industry can’t fix this. Together with the leadership, we can.
There is no silver bullet or firewall that the computer/network security industry can set up to protect you or your organization from yourselves. Again, 85% of the problem is a behavior issue.
When was the last time your immediate supervisor asked whether you saw that operating system security update or antivirus update? When did your boss take an interest in that phishing training offered over lunch or online? Never? Well, there you go. Unless your entire organization takes the appropriate amount of interest based on its risk management processes, what can you hope to do to fix this? Or, if you work for yourself at home or remotely for your company, when was the last time you made sure your computer operating system was updated, or that the firmware on your cable modem or home router was updated?
Defend yourself!
Here are some examples of what that means in practice:
If you receive a message with a link, particularly if it includes a sense of urgency (stating a package is about to arrive or that your credit card is going to be charged), avoid the impulse to immediately click on it.
If you trust the linked site, type out the link’s web address manually.
If going to a website you frequently visit, save that website in a bookmark folder and only access the site from the link in your folder.
If you decide you’re going to click a link rather than typing it out or visiting the site via bookmark, at least scrutinize the link to confirm that it is pointing to a website you are familiar with. And remember that it’s possible you will still be fooled: Some phishing links use similar-looking letters from a non-English character set, in what is known as a homograph attack. For example, a Cyrillic “О” might be used to mimic the usual Latin “O” we see in English.
If the link appears to be a shortened URL, use a URL expander service such as URL Expander or ExpandURL to reveal the actual, long link it points to before clicking.
Before you click a link apparently sent by someone you know, confirm that the person really did send it; their account may have been hacked or their phone number spoofed. Confirm with them using a different communication channel from the one on which you received the message. For instance, if the link came via a text or email message, give the sender a call. This is known as out-of-band verification or authentication.
Practice device compartmentalization, using a secondary device without any sensitive information on it to open untrusted links. Keep in mind that if the secondary device is infected, it may still be used to monitor you via the microphone or camera, so keep it in a Faraday bag when not in use – or at least away from where you have sensitive conversations (a good idea even if it’s in a Faraday bag).
Use nondefault browsers. According to a section titled “Installation Failure” in the leaked Pegasus brochure, installation may fail if the target is running an unsupported browser and in particular a browser other than “the default browser of the device.” But the document is now several years old, and it is possible that Pegasus today supports all kinds of browsers.
If there is ever any doubt about a given link, the safest operational security measure is to avoid opening the link.
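The link-scrutiny advice above (spotting homograph hostnames and shortened URLs) can be partly automated. The following is an added example, not code from the original post: it decodes any punycode (xn--) labels, flags hostnames that mix Latin letters with another script such as Cyrillic, and flags a short, assumed list of shortener domains. The sample links are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Hosts of common link shorteners (assumed list for this example; extend as needed).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

def script_of(ch):
    """Coarse script of a letter ('LATIN', 'CYRILLIC', ...) taken from its Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"

def inspect_link(url):
    """Check a link's hostname the way the advice above says to scrutinize it.

    Returns {'host': decoded Unicode host, 'scripts': [...], 'warnings': [...]}.
    Warnings: 'punycode' (an xn-- label is present, so the browser would render a
    non-ASCII name), 'mixed-script' (Latin letters mixed with another script, the
    classic homograph pattern) and 'shortener' (expand before clicking).
    """
    host = (urlsplit(url).hostname or "").lower()
    warnings = set()
    decoded_labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            warnings.add("punycode")
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label; it is still flagged
        decoded_labels.append(label)
    decoded_host = ".".join(decoded_labels)
    scripts = {script_of(c) for c in decoded_host if c.isalpha()}
    if len(scripts) > 1:
        warnings.add("mixed-script")
    if host in SHORTENER_HOSTS:
        warnings.add("shortener")
    return {"host": decoded_host, "scripts": sorted(scripts), "warnings": sorted(warnings)}

# Constructed sample links (not from the original post). The second swaps the Latin
# "o" in "com" for a Cyrillic "о" (U+043E), as in the page's homograph example; the
# third is the same host in the punycode form a mail client or proxy log might show.
SAMPLE_LINKS = [
    "https://www.example.com/track/package",
    "https://www.example.c\u043em/track/package",
    "https://" + "www.example.c\u043em".encode("idna").decode("ascii") + "/track/package",
    "https://bit.ly/constructed",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = inspect_link(link)
        print(f"{link}\n   host={r['host']!r} scripts={r['scripts']} warnings={r['warnings'] or 'none'}")
```

A host that is entirely in one non-Latin script (a whole-script lookalike) only triggers the punycode warning, which is why the decoded form is returned for the reader to compare against the site they expect.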
Unless or until information security becomes a priority for society, including organizations and individuals, we are heading for a serious setback to our way of life, or even life itself.
Here is where the reader will expect me to come up with a frightening scenario. I will not waste my time. Suffice it to say that unless we use fundamental risk management processes, then we will simply lose – and lose big – even lose life itself. Lose to nation-states, terrorists, criminals (sometimes sponsored by nation-states or terror organizations).
Here is how to begin to take cyber information security seriously
From there, it will be easy to understand what you and/or your organization need to do to begin preventing a Digital Pearl Harbor that would impact you and even society as a whole.
UPDATE 2 Microsoft’s January 2020 Patch Tuesday Fixes 49 Vulnerabilities; Using one flaw attackers could cause malware to appear as code-signed by legitimate companies, conduct man-in-the-middle attacks, and decrypt encrypted information over network connections. https://www.bleepingcomputer.com/news/microsoft/microsofts-january-2020-patch-tuesday-fixes-49-vulnerabilities/
UPDATE: National Security Agency Confirms Windows 10 Security Flaw “Makes Trust Vulnerable” “If the NSA reported it,” security professional John Opdenakker says, “I think that the impact of the vulnerability being exploited is high. Until we have more information, we can’t say anything about the actual risk for the average user.” https://www.forbes.com/sites/daveywinder/2020/01/14/national-security-agency-confirms-windows-10-security-flaw-makes-trust-vulnerable/ You should put together a test computer with any proprietary software or non-off-the-shelf, mission essential software and test the patch first.
January 14, 2020 – Microsoft MAY release a patch TODAY that is supposed to fix a huge security vulnerability. I am providing this notification because I recommend that only a test computer be patched, IF you are running non-off-the-shelf software. That is anything that you can’t buy at a store, like Office programs, etc. If you are using any proprietary software or software designed for your business systems, then you should ALWAYS test Microsoft patches before implementing them. This is a story by Brian Krebs, a leading #cybersecurity journalist. “Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog.” https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/
What do physical security and cybersecurity have in common? Among other things, it’s the simple stuff that will get you.
I decided to stop by the Sylvania Township, Ohio Starbucks on Central Avenue for “Coffee with a cop.” October is National Cybersecurity Awareness Month and I thought it would be a good idea to check in with our local police first responders. These officers were from the Sylvania, Ohio Police Department.
I had a pleasant surprise because Chief Paul Long and Deputy Chief Ray Carroll were there. Both of these officers have already had long successful and distinguished law enforcement careers.
Upon entering and shaking hands, I asked whether there were any assets or other material that these local heroes needed. I am sure that there must be something local citizens could do to better support the police. However, Chief Carroll said that their message is simple: “Lock your house, garage and car(s).”
And that’s where cyber and physical security intersect – it’s the simple stuff. Lock up your possessions to keep them secure. Cyber: “Keep your operating system up-to-date.” Why are they so similar?
Whether we like it or not, the basic design of our computers, networking equipment and operating systems follows the open academic beginnings of computing and internet/networking. Up to the early 1990s personal computers were not networked. A few of us could maybe wrangle internet access from a local college or university, and that was it. The World Wide Web did not exist. Fast forward to the cobbled-together systems that we now use. If you don’t keep your operating system up-to-date, with a firewall and antivirus, then you are doing the same as leaving your house unlocked.
Enough preaching. What I loved about meeting with the several police officers and command officers was how much we all have in common. We all agreed. It does not matter how fancy your security system is – either physical or cyber. It is the mindset and care of the people who are operating or failing to operate them. If you have a lock on your door and you don’t use it, then you have a much better chance of losing your stuff. And it is the same with your personal information that you keep in your computer.
I am looking forward to more conversations with our first responders. Even a geek like me will learn and be motivated by the exchange of ideas.
UPDATE: WHY SHOULD YOU CARE? If true, then your electronic devices will spike up in price because more than 90% of them are made in China. That would end. The potential damage to national security would cost the government hundreds of billions of dollars, and you as a taxpayer will see the bill. Apple and Amazon have unequivocally denied that this hack ever took place. Folks, Bloomberg is a top notch publication with almost incomparable reporters and editors. They spent a year researching this story. On the other hand, Apple and Amazon could be just as screwed as Elon Musk if the SEC or another regulatory agency finds that their statement(s) of denial are false. So far this is the first relatively comprehensive discussion that I have found. https://itunes.apple.com/us/podcast/325-chinese-spy-chips-microsoft-announcements-pixel/id430333725?i=1000421160995&mt=2
How many Americans have purchased drones, phones, and computers that are assembled in China? Millions and millions, for sure…
According to a well reported story from Bloomberg, a chip the size of a grain of rice that appears to be a common part of a circuit board was stealthily placed by secret members of China’s People’s Liberation Army in devices used in some U.S. servers. This chip is not detectable by operating systems nor by any antivirus. Further, it is found on circuit boards made in China and sold to U.S. enterprise-class computer server manufacturers, whose customers include companies like Amazon, Apple and even (reportedly) some government agencies.
This may be the greatest intelligence coup of the decade, as well. See the story HERE.
The Bluetooth that you use to connect your smart watch, speakers or other peripheral is seriously compromised. Please check that you have updated your device to the latest operating system version. This applies to iPhones and Android devices. The devices include Apple, Android smart phones, smart watches like Apple Watch and other devices (perhaps even Chrome laptops).
Failure to update your operating system may expose your confidential information to a nearby hacker who could ruin your finances and/or snoop on your messages and possibly put you in danger.
This wikiHow teaches you how to manually update an Android phone or tablet operating system. While your Android will typically update automatically, you can speed up the update process by manually updating as soon as you know an update is available.
Quick Summary
1. Connect to Wi-Fi.
2. Open Settings.
3. Tap System.
4. Tap System Update.
5. Tap Download and Install.
Open “Settings.” It’s a gray app with gears that’s typically located on your home screen.
Scroll down and tap “General.”
Tap “Software Update.” It’s at the top of the menu.
Tap “Download and Install” or “Install Now.” If a software update is already downloaded, the Install Now button will appear below the update description. Enter your passcode if prompted. Enter the passcode you use to unlock your phone.
Your phone will restart and the update process will begin.
In some cases, you may have to set up your phone again, although all your apps and data should be intact. You’ll need to accept legal agreements before manually downloading the update.
Need help? Call or text Pilum Technology at 419-862-5252, or email paulhem at paulhem dot com.
Many successful data thefts and attacks relied on vulnerabilities that had patches available
First please heed this: If you are a large or small business leader or associate, do not patch before you test that patch with any specialized software – that is, any software other than generic office apps, like Microsoft (R) Office apps. Even commercial scheduling software should be tested. At least make sure that you create a Restore Point before updating. Of course, Windows is supposed to create one for you. Do not bet your operation on that!
Many highly publicized data breaches occurred because firms did not patch or update software. For example, Equifax had at least two months to patch/update specific software before 143 million people had their personal information stolen. And some Equifax personnel were even aware of the need to patch the software in question. The U.S. Office of Personnel Management lost several million security clearance background investigation details because a contractor failed to update his computer.
As mentioned in My take on security, even if an individual believes that their information is not important enough to be stolen or abused, it can and will be collected and used.
The FBI and Cisco warned us this week that a hacking group has infiltrated 500,000 routers in more than 50 countries across the globe by using a malware system known as VPNFilter.
The compromised routers could be used for lots of things, but the experts believe the malicious software used to hack them is part of a plan for a huge cyber attack on Ukraine.
To torpedo the Russian plot, the FBI got court approval to seize a domain the hacking group was using to coordinate the operation.
The malware shares code with previous Russian cyber attacks.
FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE
SUMMARY
The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.
TECHNICAL DETAILS
The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.
THREAT
VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.
DEFENSE
The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and, when remote management is enabled, securing it with strong passwords and encryption. Network devices should be upgraded to the latest available versions of firmware.
Of course, your personal information is valuable, so the cybercrooks will still come after you. This is not the be-all and end-all… It will help make your Facebook privacy more robust, however.
UPDATE (3/30/18): We have updated this post and its screenshots to reflect how Facebook reorganized and removed some settings this week.
You shouldn’t have to do this. You shouldn’t have to wade through complicated privacy settings in order to ensure that the companies with which you’ve entrusted your personal information are making reasonable, legal efforts to protect it. But Facebook has allowed third parties to violate user privacy on an unprecedented scale, and, while legislators and regulators scramble to understand the implications and put limits in place, users are left with the responsibility to make sure their profiles are properly configured.
Over the weekend, it became clear that Cambridge Analytica, a data analytics company, got access to more than 50 million Facebook users’ data in 2014. The data was overwhelmingly collected, shared, and stored without user consent. The scale of this violation of user privacy reflects how Facebook’s terms of service and API were structured at the time. Make no mistake: this was not a data breach. This was exactly how Facebook’s infrastructure was designed to work.
In addition to raising questions about Facebook’s role in the 2016 presidential election, this news is a reminder of the inevitable privacy risks that users face when their personal information is captured, analyzed, indefinitely stored, and shared by a constellation of data brokers, marketers, and social media companies.
Tech companies can and should do more to protect users, including giving users far more control over what data is collected and how that data is used. That starts with meaningful transparency and allowing truly independent researchers, with no bottom line or corporate interest, access to work with, black-box test, and audit their systems. Finally, users need to be able to leave when a platform isn’t serving them, and take their data with them when they do.
Of course, you could choose to leave Facebook entirely, but for many that is not a viable solution. For now, if you’d like to keep your data from going through Facebook’s API, you can take control of your privacy settings. Keep in mind that this disables ALL platform apps (like Farmville, Twitter, or Instagram) and you will not be able to log into other sites using your Facebook login.
Log into Facebook and visit the App Settings page (or go there manually via the Settings Menu > Apps).
From there, click the “Edit” button under “Apps, Websites and Games.” Click “Turn Off.”