Sunday, December 20, 2015

If the IRS calls, hang up!

Listening to the local news a few days ago, I cringed as another innocent victim fell prey to the well-known IRS scam whereby an "agent" calls you to report you are delinquent on your taxes and owe penalties in the form of heavy fines. See the story: Local couple loses money to IRS scam.

If you receive a message of this nature on your voice mail, do not return the call. If you pick up the phone and someone claims to be from the IRS, hang up the phone without saying anything.

Know this: The IRS will not call you to collect back taxes. They use the postal service for notifications of this nature.

Victims of this scam are typically immigrants and the elderly. But any of us can become a victim of fraud or any social engineering scam if we aren't on our toes. Stay alert and reject any such phone calls. If you do return such a call or engage these guys on the phone, then you've validated your phone number, and they will keep trying.

Just hang up!

If you do receive such a call, you can report it to the U.S. Treasury Inspector General for Tax Administration (TIGTA) at 800-366-4484. If you receive an email that appears to be an IRS scam, forward it to phishing@irs.gov, then delete the message or move it to your spam or junk email folder. Do not reply to any such email, and do not open its attachments or click its links.

How do we fight back? Sharing this message with anyone and everyone you know is the best way to put a stop to this threat. Spread the word. Information is our most effective weapon.

For more information:



Saturday, December 12, 2015

A few online holiday shopping reminders

For those last-minute shoppers, I hope you've ordered your online gifts by now because it looks like deliveries might be delayed this year due to the big couriers like UPS and FedEx being overwhelmed with deliveries. (Note that Amazon.com has said they're going to buy their own fleet of long-haul trucks; that'll take care of the recurring holiday shipping delays in the future.)

But for those of you still shopping, here are five tips for safe shopping on the web, drawn from Bob Sullivan's blog:

  1. Update your software first. Make sure all the latest patches are installed before you start spending online.

  2. Use two-factor authentication on e-commerce and banking sites that offer it. Amazon just recently started using this extra step that makes it really hard for your account to get hacked.

  3. Use only one credit card online. This is how I do it. I have a card that I carry with me, and another that I've memorized and use for all my online shopping and other online payments. No sites have my checking account number, and I'll never provide it.

  4. Stick with known shopping sites; if not, do your research before using a "small business" or other site that you're not familiar with, for that extra special, custom gift.

  5. Enable text alerts on banking transactions. I haven't done this one yet, but it's a good idea. I'm going to do it today. Going forward, I'll receive a text any time my credit card is used.

Tuesday, December 1, 2015

Keeping the Holidays Free From Fraud: Tips for Your Business

If you are a small business owner, read on.

This morning a friend of mine who owns a small business shared a BizAhead article with me, written by Laura Buck. Here is a bullet list of the tips she offers for keeping your small business safe from fraudsters this holiday season:

  • Encrypt payment information with end-to-end encryption
  • Be on the lookout for suspicious sales, such as unusually large orders without any contact from the customer or rush orders for pricey goods
  • Watch and educate your employees - train them in not clicking that link, and then test them, re-test them, and test them again
  • Be observant - keep an eye out for credit card skimmers
  • Be sure to shred sensitive information - don't take short-cuts because it's the holiday season
  • Keep your wallet and credit cards close by - the other day while I was shopping, a woman left her purse in the top of her grocery cart and walked away just long enough for someone to grab it; no one did, but it would have been sooooo easy
  • Be vigilant about security and safety
  • Protect your passwords, pass phrases and PINs

For the full article, see Keeping the Holidays Free From Fraud: Tips for Your Business. The holiday season is prime fraud and scam time. Stay alert and question anything out of the ordinary or unexpected.

Saturday, November 28, 2015

Safe and secure online holiday shopping

As a reminder to stay safe online and avoid becoming a victim of a 'no-delivery' scam (you pay, and the goods never arrive), listen to this 1-minute podcast from the FBI:

Online Holiday Shopping

Never click links in pop-up ads. Ever!

Saturday, November 7, 2015

Are you using two-factor authentication to secure your banking credentials?

What is "2FA" in geek speak? It stands for two-factor authentication, which is a fancy way of saying that your successful login to a computer system is dependent upon two separate things from any of these categories:

  • Something you know, like a password.
  • Something you have, like a cell phone.
  • Something you are, like a fingerprint or heartbeat.

If your login requires only a user name and password, that's called single-factor authentication: both pieces are things you know, and in practice only one of them is actually secret, since user names are rarely hard to guess.

But passwords are made to be broken. If you're not using a very strong or really long password, your credentials can be easily cracked and your bank account wiped out. (See earlier posting How do I create a strong password?)

The best protection you can get is to use multiple authentication methods to gain access to your sensitive web-based accounts. If your web site provider offers 2FA, turn it on. It's something you'll have to enable on the site, but figuring out how to do that is easy thanks to Turn it On: The Ultimate Guide to 2FA, which provides instructions for many (but not all) sites that offer 2FA. 

Try it out. Navigate to Turn it On, then type "Google" in the search box and press the Enter key on your keyboard. If the Turn it On web page doesn't have instructions for the site you're looking for, just check with your web site provider. 

Go to your banking web site today and turn on 2FA. Don't wait!

For more information, see

How Not To Be Hacked: The Definitive Guide for Regular People

Earlier this week, my boss told me of a special speaker coming to our office soon: consultant, author and fellow Atlanta resident James J. Deluccia, IV. My boss then handed me a signed copy of James' newly released book, called How Not to be Hacked: The Definitive Guide for Regular People.

The book is a quick and easy read. James shares the most essential tips for keeping your data and your family safe and secure online.

On pp. 141-144 of the book is a nicely summarized list of all the tips that James has to offer to regular folk who are not security experts or don't do this stuff for a living.

One of those tips is about using two-factor authentication for every online account you access that involves your money. This includes banking web sites, credit card account logins, retirement account web sites (frequently accessed through your employer benefits portal), bill payers, online retailers who have your credit card number, homeowners association (HOA) sites where you pay your dues, online brokerage firms, your pet insurance seller, or any web-based site where you are moving money. And that is exactly the topic of my next posting.

James' book already has a unanimous 5-star rating on Amazon and is available for just $12.99. This is a great gift for anyone and everyone you know who has a computer, tablet or mobile phone. 

A perfect Christmas gift for someone you love! If you read the book, please post your comments here. I'd love to hear from you.

Sunday, November 1, 2015

Are you cyber aware?

October was cyber security awareness month, but every month is security awareness month at SANS Securing the Human.

Stay on top of what's happening in cyber and how to protect yourself and your family online with free SANS.org resources. Here are three popular resources to bookmark or download:


Remember to visit Securing the Human year-round to access dozens of tools, videos, and articles all related to security awareness. You don't have to be part of an organization or corporation to take advantage - these resources are for everyone!

Sunday, October 25, 2015

Atlanta, GA: Join us Saturday, Oct. 31st for the 2nd annual Super Run!

Join in the fun on October 31, 2015, for the Savvy Cyber Kids' 2nd annual Super Run Atlanta! Be a super hero for a day and make every day a little safer online!

In honor of National Cyber Security Awareness Month, Savvy Cyber Kids is hosting the second annual Super Run Atlanta. Savvy Cyber Kids is asking our community to lace up your shoes and don your masks and capes to support cyber security awareness!

You can run, walk, volunteer to help at the event, cheer on the runners, or donate in support of keeping our kids safe online.

When:         October 31, 2015 (early morning!)
Distance:     5K or 1K Fun Run/Walk
Where:        Brook Run Park, Dunwoody, GA
Who:          You!
Registration: http://thesuperrun.com/locations/atlanta/

Donations can be made online at Savvy Cyber Kids. Last year, over 200 runners & walkers became superheroes. And though they may not be able to shoot laser-beams, speak with aquatic animals, or leap buildings in a single bound, they definitely made a difference!

Latest press release: Ionic Security Celebrates National Cyber Security Awareness Month 2015


Thursday, October 8, 2015

Are you shredding your used boarding passes?

This week I found out that we should be shredding our airline boarding passes after using them, given the myriad details easily gleaned from the printed data and, especially, from the bar code.

For example, if you take a snapshot of your boarding pass and upload that image to your Facebook page, anyone with access to your page can take a screen shot of the image and upload it to a web site called Inlite that reads bar codes. Inlite decodes the bar code and spits out its contents as plain text.

As it turns out, the bar code contains lots of information about you and your trip, including your frequent flier number (FFN). For airlines that let you log in to their web sites using your FFN as your user name, that is exactly one half of the credentials needed to log in as you, unless, of course, the login requires multi-factor authentication.

With your login name in hand, an attacker is halfway there: guessing or cracking your password, or answering the "secret question" used to reset it, is not hard when the answer is something like your mother's maiden name that can be looked up online.

This is a fascinating story. For details, see Brian Krebs' article What's in a Boarding Pass Barcode? A Lot.
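To show what a bar code reader actually hands back, here is an added example (not from the post or from Krebs' article) that decodes the text payload of a boarding-pass bar code. The PDF417 or Aztec symbol encodes a plain ASCII string in the IATA "BCBP" layout; the field widths below follow my reading of that layout's mandatory block and of where the frequent-flyer number sits in the conditional block, and should be treated as assumptions to check against the IATA resolution. The pass itself is constructed: fictional traveller, record locator and frequent-flyer number.

```python
"""Added example (not from the post or from Krebs' article): what a barcode
reader hands back from a boarding pass. The symbol encodes a plain ASCII string
in the IATA BCBP layout; the widths below follow my reading of the mandatory
block and of the frequent-flyer position in the conditional block (assumptions,
check them against the IATA resolution). The sample pass is constructed."""

# Mandatory items for the first leg: (name, width). The widths sum to 60.
MANDATORY = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight", 5), ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("sequence", 5), ("status", 1), ("conditional_len_hex", 2),
]


def parse_bcbp(payload: str) -> dict:
    """Split the decoded barcode text into named fields."""
    fields, pos = {}, 0
    for name, width in MANDATORY:
        fields[name] = payload[pos:pos + width].strip()
        pos += width

    cond_len = int(fields["conditional_len_hex"] or "0", 16)
    cond = payload[pos:pos + cond_len]
    fields["frequent_flyer"] = ""
    # Conditional block: '>' , version, 2-hex size + "unique" items, then
    # 2-hex size + per-leg "repeated" items (assumed layout, see the lead-in).
    if cond.startswith(">") and len(cond) >= 4:
        unique_len = int(cond[2:4], 16)
        rep_pos = 4 + unique_len
        rep_len = int(cond[rep_pos:rep_pos + 2] or "0", 16)
        repeated = cond[rep_pos + 2:rep_pos + 2 + rep_len]
        # airline numeric(3) doc serial(10) selectee(1) intl doc(1) marketing
        # carrier(3) FF airline(3) FF number(16): the FF items start at offset 18.
        ff_airline, ff_number = repeated[18:21].strip(), repeated[21:37].strip()
        fields["frequent_flyer"] = ff_airline + ff_number
    return fields


def what_a_stranger_learns(fields: dict) -> dict:
    """The items the article warns about: enough to find the booking and,
    where the FF number doubles as a login name, half a credential."""
    keys = ("passenger_name", "pnr", "frequent_flyer", "from_airport", "to_airport", "julian_date")
    return {k: fields[k] for k in keys if fields.get(k)}


def build_sample_pass() -> str:
    """Constructed sample payload; not a real pass."""
    unique = "0" + "W" + "W" + "5281" + "B" + "DL " + " " * 13                          # 24 chars
    repeated = "006" + "1234567890" + "0" + "N" + "DL " + "DL " + "9876543210".ljust(16)  # 37 chars
    conditional = ">5" + f"{len(unique):02X}" + unique + f"{len(repeated):02X}" + repeated
    mandatory = ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7) + "ATL" + "SFO"
                 + "DL " + "1234".ljust(5) + "281" + "Y" + "012A" + "00042" + "3"
                 + f"{len(conditional):02X}")
    return mandatory + conditional


if __name__ == "__main__":
    for k, v in what_a_stranger_learns(parse_bcbp(build_sample_pass())).items():
        print(f"{k:>16}: {v}")
```

A real pass goes through a bar code reader first (Inlite, or a phone app) and then through this kind of parsing; the name, record locator and frequent-flyer number come out as plain text either way, which is the whole reason to shred the pass.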

Saturday, October 3, 2015

Securing the human

October is National Cyber Security Awareness Month, and the SANS Securing The Human team has extensive free resources to help you stay safe and secure online.

Resources include:
  • Newsletters
  • Videos
  • Posters
Access free resources at: http://cyberaware.securingthehuman.org/
  

Securing Kids Webinar

  • Cyber security expert Lance Spitzner will outline the top three risks to kids online and how you can protect your family.
  •  October 14 1:00 p.m. EDT/ 10:00 a.m. PDT.
  •  Register now for the Securing Your Kids webcast

Want more tips? Visit the #cyberaware resource hub for tools, tips and more: http://cyberaware.securingthehuman.org/

Sunday, September 20, 2015

Phony toll-free numbers scam can cost you

Can fat-fingering a toll-free number cost you money? You betcha.

I read about this in the September 2015 edition of AARP Bulletin: Phony Phone Numbers can Cost You, by Sid Kirchheimer. Scammers are buying up toll-free numbers that are one digit away from an established number so that when you misdial the number, you are connected to a fraudster.

In North America and some other countries, toll-free numbers start with a three-digit code of 800, 844, 855, 866, 877 or 888. Some companies and organizations employ "vanity" toll-free numbers that spell out words or acronyms, like 1-800-FLOWERS.*

Be careful when dialing these numbers. What would happen if you misremember the correct area code and inadvertently dial 1-888-FLOWERS, for example? Would the same organization answer the phone? Not likely. This is exactly the kind of mistake that scammers are hoping you make.

The AARP article linked to above tells the story of a Snellville, GA man who thought he was calling the AARP travel benefits line. The representative on the line offered him "free" gift cards and travel vouchers, in exchange for a nominal $2 shipping fee. The caller provided her with his debit card number. The next day, charges against his bank account were invoked from "FreeShippingRewards" and similar companies.

Interestingly, the operator specifically told the man that she was not with AARP but would transfer him momentarily. But he never got transferred to AARP, and by then the operator had his debit card number and had issued charges against it. All of this was legal.

Read the AARP article for tips on how to avoid this scam. A good rule of thumb is to never give out your debit card number. Remember, it provides direct access to the money in your bank account, and disputed debit charges carry far weaker protections and slower refunds than credit card charges. Additionally, if it's too good to be true, it probably is. Nothing is 'free' if you have to provide a debit or credit card number to obtain it. Be careful when you dial, and don't give out any personally identifying information.

* For more information about how toll-free numbers work, see this FCC Guide, What is a Toll-free Number and How Does it Work?

Saturday, September 5, 2015

Protecting your PIN at ATMs and other card swipers

Criminals are inventing more "skimmers" that they use to steal the data from your debit card when you swipe or insert it at an automated teller machine (ATM) or other card swiping device, like those used at gas station pumps, convenience stores and other kiosks. But the account data that thieves steal is virtually useless if they don't know the card's corresponding personal identification number (PIN).

We all know to look closely at any swiping device and beware of any irregularities before swiping our cards, but today's skimming devices can be wafer-thin and undetectable to the average account holder. If you think it's a silly idea to cloak your fingers as you input your PIN on the touch pad, think again. There are cameras everywhere, some the size of a pinhole.

Security expert Brian Krebs has posted a lot of information about skimmers. See his latest post, More ATM 'Insert Skimmer' Innovations, at https://krebsonsecurity.com/2015/09/more-atm-insert-skimmer-innovations/.

Covering your PIN-typing hand at an ATM or gas pump is a simple method of protecting your PIN credential. This should be habit for you by now. If you haven't made it a habit yet, start today.

To see photos of skimmers and keypad overlays that thieves have put into use, Google this phrase: atm skimmer image. If you come across a skimmer, call the police. This step provides law enforcement an opportunity to open an investigation and conduct surveillance on the equipment.

Sunday, August 30, 2015

Snapchat isn't as safe as kids think it is

I first heard of the mobile app called Snapchat a few years ago when the Georgia Bureau of Investigation (GBI) graciously sent members of its Child Exploitation and Computer Crimes Unit to my place of employment to speak about child safety on the Internet.

Snapchat is an online messaging app that allows users to share "moments" by sending photos and brief videos (annotated with the sender's comments) to one or more recipients. The unique feature of Snapchat is that the image sent is deleted within 10 seconds of being viewed. Unfortunately, this function gives kids the illusion that their image cannot be recorded, saved, and shared with others.

That's where they are wrong. The old adage of "Once it's on the Internet, it's there forever," rings true even with an app that claims to dispose of images instantaneously. Most computing devices—cell phones, tablets, laptop computers and desktops—have the ability to save an image that is displayed on screen by creating a screen shot of it, often with the simple press of the Prt Sc (print screen) key on the keyboard, or other shortcut, depending upon the operating system. That screen shot can be quickly saved to a file, stored and re-shared publicly and privately.

Snapchat is often referred to as "the sexting app." To "sext" is to send sexually explicit photo images or text messages via mobile device. Snapchat provides uninformed children with a seemingly safe way to sext. The average kid thinks this is harmless, until an illicit selfie snapped in his/her bedroom is revealed to, say, all the kids at school. Or, worse, the image is maliciously posted publicly on Facebook, YouTube, or another social media site.

To compound things, it's doubtful that most children are aware that producing, distributing or possessing any visual depiction of sexually explicit conduct involving a minor (under 18 years of age) is a felony under Title 18 of the United States Code; producing such an image carries a sentence of 15 to 30 years in Federal prison even for a first-time offender. If you think your teenager is immune from prosecution or other legal consequences, read this horror story on CNN: 'Sexting' lands teen on sex offender list. What kind of life does that teenager have to look forward to, forever branded?

For more information about the law, see the Citizen's Guide to U.S. Federal Law on Child Pornography on the Department of Justice web site.

For more information about Snapchat, simply Google the phrase "dangers of snapchat," or read A Parent's Guide to Snapchat by ConnectSafely.

Sunday, August 9, 2015

Snapping photos of my kid can be dangerous?

Today's smartphones typically come equipped with (1) a camera, and (2) geolocation services (that rely on the Global Positioning System, or GPS).

When you snap a digital photo using a device that has location services enabled, the photo file is embedded with the time, date, GPS coordinates, device make and model, and other "metadata" (data about data), stored in the image's EXIF header. This is called geotagging, and it means that when you post a photo online that was taken with your smartphone, you are essentially uploading a file that records exactly where the original photo was taken.

That data, in conjunction with all the information you've posted on Facebook about your recent trip to Disney World, your dog's name, information about your kid's soccer tournament, the PTA, etc., provides stalkers with a fairly complete picture of your child's world.

Side note: Keep in mind that many phones upload your pictures to some cloud service automatically. This is a feature you might consider opting out of on your phone. For example, if your Android device is configured to back up photos via your Google Plus profile, it puts a copy of all those photos on your Google Plus Photos page. All of that location data travels with those photos, wherever they may go on the Internet. And Google's terms of service grant it a broad license to use the content you upload (not ownership, but read exactly what you are agreeing to, should you choose to).

Parents, here is where you want to pay attention. Pictures of your child in his or her bedroom, at school and elsewhere can provide the rest of the world sufficient information to locate that child, as outlined in this NBC affiliate news story posted to YouTube: https://www.youtube.com/embed/N2vARzvWxwY?rel=0.

What is your recourse? You can either disable geotagging on your smartphone, or disable all location services on your phone (which improves your privacy drastically, but disables your ability to navigate with a map app and renders useless all of your apps that rely on geolocation services).

To learn how to disable geotagging, search the web for how to disable geotagging on your particular phone. Sample queries on Google.com are: "How to disable geotagging Android" and "How to disable geotagging iPhone." (On iOS it is a per-app setting under Settings > Privacy > Location Services; on Android it is typically a "save location" or "geotag" switch in the camera app's settings.)
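For anyone who wants to see the metadata rather than take it on faith, here is an added example (not from the post) that reads the GPS position out of a photo's EXIF block and then strips that block, using only the Python standard library. The JPEG it works on is constructed in the code (a valid marker stream carrying an EXIF segment but no image data) so the example runs offline; real photos use the same TIFF/IFD layout for these tags, and the coordinates used are just sample values.

```python
"""Added example (not from the post): read, then strip, the GPS position a
geotagging phone writes into a photo's EXIF block. Standard library only; the
JPEG is constructed below (marker stream with an EXIF segment, no image data)
so it runs offline. Real photos use the same TIFF/IFD layout for these tags."""
import struct

GPS_IFD_POINTER = 0x8825                          # IFD0 tag pointing at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x1, 0x2, 0x3, 0x4   # GPS sub-IFD tags
ASCII, LONG, RATIONAL = 2, 4, 5                   # TIFF field types used here


def _segments(data: bytes):
    """Yield (marker, start, end) for each length-prefixed JPEG segment before SOS."""
    pos = 2                                       # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):                # SOS / EOI: no more header segments
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(data: bytes, marker: int, start: int) -> bool:
    return marker == 0xE1 and data[start + 4:start + 10] == b"Exif\0\0"


def _entries(tiff: bytes, e: str, offset: int):
    """Walk one IFD: yield (tag, type, count, the 4 inline value/offset bytes)."""
    n = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    for i in range(n):
        ent = tiff[offset + 2 + 12 * i:offset + 14 + 12 * i]
        tag, typ, count = struct.unpack(e + "HHI", ent[:8])
        yield tag, typ, count, ent[8:12]


def gps_from_jpeg(data: bytes):
    """Decimal (latitude, longitude) from the EXIF GPS tags, or None if absent."""
    tiff = next((data[s + 10:end] for m, s, end in _segments(data) if _is_exif(data, m, s)), None)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"          # byte order declared by the TIFF header
    ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
    gps = next((struct.unpack(e + "I", raw)[0] for tag, _, _, raw in _entries(tiff, e, ifd0)
                if tag == GPS_IFD_POINTER), None)
    if gps is None:
        return None
    vals = {}
    for tag, typ, count, raw in _entries(tiff, e, gps):
        if typ == ASCII:                           # "N\0" fits in the 4 inline bytes
            vals[tag] = raw[:count].rstrip(b"\0").decode("ascii")
        elif typ == RATIONAL and count == 3:       # deg, min, sec as (num, den) pairs at offset
            off = struct.unpack(e + "I", raw)[0]
            r = struct.unpack(e + "IIIIII", tiff[off:off + 24])
            vals[tag] = r[0] / r[1] + r[2] / r[3] / 60 + r[4] / r[5] / 3600
    if not all(t in vals for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    lat = -vals[LAT] if vals[LAT_REF] == "S" else vals[LAT]
    lon = -vals[LON] if vals[LON_REF] == "W" else vals[LON]
    return lat, lon


def strip_exif(data: bytes) -> bytes:
    """Drop every APP1 Exif segment and leave everything else byte-for-byte intact."""
    out, last = bytearray(data[:2]), 2
    for marker, start, end in _segments(data):
        if _is_exif(data, marker, start):
            out += data[last:start]
            last = end
    out += data[last:]
    return bytes(out)


def build_sample_jpeg(lat: float, lon: float) -> bytes:
    """Constructed sample: SOI, one EXIF APP1 carrying a GPS sub-IFD, then SOS and EOI."""
    e = "<"                                        # little-endian TIFF ("II")
    def entry(tag, typ, count, value):             # one 12-byte IFD entry
        return struct.pack(e + "HHI", tag, typ, count) + value.ljust(4, b"\0")

    def dms(deg):                                  # degrees -> d/1, m/1, (s*100)/100
        deg = abs(deg); d = int(deg); m = int((deg - d) * 60)
        s = round(((deg - d) * 60 - m) * 60 * 100)
        return struct.pack(e + "IIIIII", d, 1, m, 1, s, 100)

    # Layout: header 0-8, IFD0 8-26, GPS IFD 26-80, latitude 80-104, longitude 104-128.
    ifd0 = struct.pack(e + "H", 1) + entry(GPS_IFD_POINTER, LONG, 1, struct.pack(e + "I", 26)) + bytes(4)
    gps = (struct.pack(e + "H", 4)
           + entry(LAT_REF, ASCII, 2, b"N\0" if lat >= 0 else b"S\0")
           + entry(LAT, RATIONAL, 3, struct.pack(e + "I", 80))
           + entry(LON_REF, ASCII, 2, b"E\0" if lon >= 0 else b"W\0")
           + entry(LON, RATIONAL, 3, struct.pack(e + "I", 104)) + bytes(4))
    payload = b"Exif\0\0" + b"II*\0" + struct.pack(e + "I", 8) + ifd0 + gps + dms(lat) + dms(lon)
    return (b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload
            + b"\xFF\xDA\x00\x02\xFF\xD9")


if __name__ == "__main__":
    photo = build_sample_jpeg(33.7490, -84.3880)           # constructed coordinates
    print("before:", gps_from_jpeg(photo), " after:", gps_from_jpeg(strip_exif(photo)))
```

Stripping the APP1 segment is what "remove location data" buttons in photo tools do; the pixels are untouched, but the coordinates, device model and timestamp travel no further.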

For more information, see:

Friday, July 31, 2015

Is your child addicted to technology?

I've heard more than once lately that there is scientific evidence supporting the assertion that sugar is as addictive as cocaine or heroin. This is an addiction that the food industry has both created and bankrolled over the past four decades.

The sugar addiction is blatantly obvious based on rises in child obesity and type 2 diabetes in children, an illness formerly confined to adults.*

In a similar vein, our society has fallen prey to a new, growing addiction that contributes not only to the obesity problem in children but to insomnia, inability to focus, reduction in motor skills, early exposure and addiction to porn, reduced social skills, inability to read and think linearly (such as reading a book cover-to-cover), online bullying (and other misdeeds), and poor performance in school.

Did you know that 92% of two-year-old children have an online record?

Ben Halpert, Internet safety advocate and founder of the 501(c)(3) organization Savvy Cyber Kids, has collected some statistics in this arena. Ben's recently aired 12-minute TED Talk, Technology Addiction and What you can do About It, is a must-see for parents with infants, toddlers, elementary school children, tweens and teenagers alike.

In the video, Ben provides some shocking statistics and offers simple suggestions for parents to help stave off technology addiction—like establishing a family rule that forbids tech gadgets at the dinner table and in bed.

And parents, that goes for you, too!


*To find out more about sugar addiction, see the 90-minute movie "Fed Up."

Sunday, July 26, 2015

What is ransomware?

Our various wares

First there was software and hardware; as people found ways to exploit each of those, a concept was developed called malware—malicious software—code that is intended to damage or disable computers. As digital technology advances, so do the criminal methodologies used to harness it. One clever example of that is ransomware.

What is ransomware?

Ransomware is a form of malware that holds your computer and its files hostage. Some variants lock the PC so that you can no longer boot into the operating system (OS, i.e., Microsoft Windows); more commonly, your files are encrypted so that you cannot open them until you obtain the "key" that decrypts them. A nefarious message is displayed on screen demanding that you pay a ransom in order to get access to your computer and all of your programs, documents, photos, and other saved data.

Is the ransom for real? You betcha. If you don't pay the bad guys, you lose everything that is not already backed up in a secure location. A Massachusetts police station that fell victim to ransomware chose to pay the ransom in order to regain access to its files. See that story here. But, keep in mind that payment is no guarantee that you'll get your files back.

How do I prevent ransomware infection?

Ransomware is installed and activated just like any other malware. Frequently, it comes from clicking a link or opening an attachment in an unexpected or unwanted email (like a spam message), although ransomware can also come from surfing to untrusted web sites. The simplest way to avoid ransomware is this: Do not click links in emails, and do not open attachments to emails. 

Other tips that aid in prevention:
  • Keep your computer up to date with the latest patches, for the OS as well as your applications
  • Do not open attachments or click links in emails that are unexpected, unwanted, come from untrusted sources, or are in any way questionable or suspicious
  • Do not click on ad links on web sites, even on sites that you trust
  • Use an anti-malware/anti-virus program on your PC, and keep it up-to-date
For more information, see Brian Krebs' article How to Avoid CryptoLocker Ransomware.

How do I counteract ransomware?

Back up your data on a regular basis. Maintain a full backup on separate media (like an external hard drive) that is not perpetually attached to your network. Keep in mind that any device or system attached to your network is susceptible to the same malware infection as your computer. If you update your backup weekly, then the most data you can lose in the event of infection is seven days' worth. 

If your computer is infected with ransomware, the best solution is to wipe the hard drive clean and do a full restore of your system image and files.
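The backup advice above is the one part of counteracting ransomware that a script can show, so here is an added example (not from the post, and not any backup product's code) of dated snapshots with a checksum manifest. The scenario is constructed: a small "documents" folder is backed up, then overwritten with random bytes and renamed the way ransomware does, and the functions show which copy is still good and what would be lost. The paths are temporary placeholders; in real use the backup root is on a drive you unplug between runs.

```python
"""Added example (not from the post): the backup half of counteracting
ransomware, as a script. A mirror that is always attached and always overwritten
gets encrypted right along with the PC; dated snapshots with a checksum manifest
let you tell which copy is still good and what you would lose. Paths and files
are constructed placeholders; in real use the backup root is on a drive you unplug."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(src: Path, backup_root: Path, label: str) -> Path:
    """Copy src into backup_root/<label>/data and record a SHA-256 manifest beside it."""
    dest = backup_root / label
    shutil.copytree(src, dest / "data")
    files = sorted(p for p in src.rglob("*") if p.is_file())
    lines = [f"{sha256_of(p)}  {p.relative_to(src).as_posix()}" for p in files]
    (dest / "MANIFEST").write_text("\n".join(lines) + "\n")
    return dest


def _manifest(snapshot: Path):
    for line in (snapshot / "MANIFEST").read_text().splitlines():
        digest, name = line.split("  ", 1)
        yield name, digest


def verify_snapshot(snapshot: Path) -> bool:
    """Re-hash the copied files; False means the backup itself was altered (or encrypted)."""
    return all(sha256_of(snapshot / "data" / name) == digest for name, digest in _manifest(snapshot))


def changed_since(snapshot: Path, live: Path) -> list:
    """Files under `live` that no longer match the snapshot: what you would lose,
    or what ransomware has already scrambled, relative to that backup."""
    return [name for name, digest in _manifest(snapshot)
            if not (live / name).exists() or sha256_of(live / name) != digest]


def demo() -> dict:
    """Constructed scenario: back up, then simulate ransomware rewriting the originals."""
    work = Path(tempfile.mkdtemp())
    src, root = work / "documents", work / "backup_drive"
    (src / "photos").mkdir(parents=True)
    root.mkdir()
    (src / "taxes.txt").write_text("2014 return")
    (src / "photos" / "kid.jpg").write_bytes(b"\xff\xd8fake\xff\xd9")
    snap1 = take_snapshot(src, root, "2015-07-19")

    # Ransomware: every file overwritten with ciphertext and renamed.
    for p in [p for p in src.rglob("*") if p.is_file()]:
        p.write_bytes(os.urandom(32))
        p.rename(p.with_name(p.name + ".locked"))

    # A mirror taken now would only copy the damage; the older snapshot is untouched.
    snap2 = take_snapshot(src, root, "2015-07-26")
    result = {
        "snapshot1_intact": verify_snapshot(snap1),
        "lost_since_snapshot1": changed_since(snap1, src),
        "snapshot2_differs_from_snapshot1": changed_since(snap1, snap2 / "data"),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

Two things the demo makes visible: a checksum verify proves a backup has not been tampered with, but it cannot tell you the files were already garbage when they were copied (the second snapshot verifies fine), so keep more than one dated snapshot; and a backup drive that was plugged in during the infection is just another folder the malware encrypts.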

Saturday, July 11, 2015

Is the content of your resume putting your identity at risk?

A co-worker provided my team with this advice: Don't provide your full street address and real email address on your resume. Hiding these two bits of information protects them from being one more nail in the identity theft coffin and reduces the risk of having your email address added to more spam lists.

This advice is especially recommended if you are posting your resume online. Be thoughtful about the personal information that you are including in that document before sharing it electronically. 

Regarding your residential address, future employers don't need to see that on your resume; hiring companies may be interested in knowing the city you live in, but your street address (and zip code, I would argue) is not necessary. Your zip code is commonly used by card-not-present payment systems to check that a credit card is being used by its real owner. Save that information for when you are invited to fill out a job application.

As for your email address, when you are seeking employment you can create a temporary email address that you throw away later. Configure it to forward to your real email address. When your job hunt is completed, you can disable the temporary email address.

For more tips, such as why you don't need to include your graduation dates on your resume, see the Identity Theft Resource Center article: Your Resume and Identity Theft.


Sunday, June 28, 2015

How to catch a phish

Email and SMS texting inboxes everywhere are full of spam and phishing messages. The goal of each is to social engineer* you into clicking a link, opening an attachment or responding with personal identifying information (PII) about yourself.

In many cases, just replying to a questionable email message (or text message) is enough to get you added to a database owned by spammers or tricksters. Why? Because by responding you're letting the sender know that your email address is "live" and being monitored by a human. That's why it's called phishing—if you reply, click the link or open the attachment, you've taken the bait.

Phishing attempts also occur by phone and, albeit rarely, in person; so it is important that we remain on the alert for these social engineers at all times. These guys are getting better and better at composing fake messages that appear to be from someone you know or some organization that you do business with. Know that it is very, very easy to "spoof" the name of the sender on the "From:" line. Anyone can fake the name that appears in that field in the message. Just because it says "From: Aunt Geraldine," doesn't mean that your Aunt Geraldine initiated, wrote or sent the email to you.

How can you tell when an email message might be an attempt at social engineering?

Remember, it's not always easy to tell if a message is safe. But, if you have any suspicions whatsoever about a message, treat it as suspicious until you are 100% convinced otherwise. Here are some potential red flags:
  • The message is unexpected.
  • The message is unwanted.
  • The message is alarming.
  • The message contains a hyperlink.**
  • The message contains an attachment—a file that you can click to open (which is essentially the same thing as downloading the file to your machine).
  • It appears that the message is from someone you know, but the language, tone, or verbiage is unusual; it just does not sound like something your acquaintance would say or write.
  • The grammar or spelling is bad, as if written in a language other than the writer's primary language.
  • The email tells a story about someone you love being in jail or other dire straits.
  • The message is regarding a dire emergency requiring funds.
  • The message is asking for funds. Period.
  • You have won something.
  • You need to reset your password.
  • You're over your email storage limit.
  • You have a delivery. (UPS and FedEx do not email you unless you sign up for delivery notifications. Even then, be wary of such notifications if any part of them is out of sorts.)
If any of these things raise a hair with you, investigate the email more closely before proceeding; or, unless it might be extremely important (and valid), delete it.

Any more tips?

  • Use a very strong password on your email account, and make sure it isn't the same as any of your other passwords. 
  • Avoid using Hotmail or Yahoo email accounts. (Those seem to be the most hacked email accounts out there, but don't quote me on that. Any account using weak credentials like a short password can be hacked.)
  • Enable spam filtering. Providers like Google enable spam filtering automatically—or allow you to configure your email settings yourself to enable it. Many Internet service providers (ISPs) that provide you with broadband access in your home (like your cable or phone company) offer spam filtering. If not, there are plenty of reputable anti-virus (AV) software companies that provide spam filtering with their AV software.
  • Don't open email messages that land in your spam or Junk email folders. Delete these unless you are 100% certain that they are not, in fact, spam or suspicious.
  • If you receive a lot of unwanted SMS text messages, check with your cellular service provider about blocking these.
  • In email, redirect suspicious emails to your spam folder or Junk folder. (See your email service provider or email client application provider for instructions.)
  • If you are able to determine that an unsubscribe link provided in an email is safe to click, use it to be removed from a marketing email list. When in doubt, do not click; call the vendor instead.
  • Delete, delete, delete.

*If you are not familiar with social engineering, read this truly informative book by former hacker Kevin Mitnick: The Art of Deception. Everyone should read this book. Your children should read this book when they are old enough to understand the concept of deceit, scamming and trickery.

** Consider living by this rule: Never click links in email or text messages. Until/unless you are tech savvy enough to determine the real URL behind the link and know whether that URL points to a trusted domain or not, it's better to launch your web browser and navigate to the known web site yourself instead of clicking an inline link.
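Several of the red flags above can be checked mechanically, so here is an added example (not from the post) that runs a few of them over a constructed message: whether replies really go back to the sender's domain, whether the text of a link matches where it actually points, whether a link goes to a bare IP address, whether an attachment is an executable or archive type, and whether the wording applies pressure. The .example domains and the 198.51.100.7 address are reserved documentation values, not real hosts, and the keyword list is my own short assumption rather than any product's rules.

```python
"""Added example (not from the post): a few of the red flags above, checked
mechanically with the standard library and run over a constructed sample.
The .example domains and 198.51.100.7 are reserved documentation values."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".zip", ".docm", ".xlsm")
URGENT = re.compile(r"suspended|immediately|within 24 hours|verify your account", re.I)


class _LinkCollector(HTMLParser):
    """Pair each <a href> with the text the reader actually sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text: str) -> str:
    """Hostname of a URL, or of bare 'www.site.tld/path' text without a scheme."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


def _domain(header) -> str:
    """Domain part of the first address in a header (empty if absent)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()


def analyze(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing tripped."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = _domain(msg["From"])
    display_name = parseaddr(str(msg["From"] or ""))[0]

    # Spoofed sender: where replies really go vs. who the From line claims.
    for hdr in ("Reply-To", "Return-Path"):
        d = _domain(msg[hdr])
        if d and d != from_domain:
            findings.append(f"{hdr} domain {d} differs from From domain {from_domain}")
    if "@" in display_name and _domain(display_name) != from_domain:
        findings.append("display name carries a different address than the real sender")

    # Links: the visible text vs. the real destination, and bare-IP destinations.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = _LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            real = _host(href)
            try:
                ipaddress.ip_address(real)
                findings.append(f"link goes to a bare IP address: {real}")
            except ValueError:
                pass
            if "." in text and " " not in text and _host(text) != real:
                findings.append(f"link text shows {_host(text)} but goes to {real}")

    # Attachments of types that run code, or archives that hide files that do.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"attachment {name} is an executable or archive type")

    # Pressure language in the subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + " " + (body.get_content() if body is not None else "")
    if URGENT.search(text):
        findings.append("message uses urgency or account-threat language")
    return findings


# Constructed sample, modelled on the pattern described above.
PHISH = """\
From: "Aunt Geraldine" <billing@mail-secure-login.example>
Reply-To: collect@other-domain.example
To: you@example.org
Subject: URGENT: your account will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Verify your account immediately at
<a href="http://198.51.100.7/login">https://www.yourbank.example/secure</a></p></body></html>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for finding in analyze(PHISH):
        print("-", finding)
```

The link check is the one to internalize: the blue text is whatever the sender typed, and only the href (what your mail client shows on hover) says where the click really goes, which is why the footnote recommends typing the known address into your browser instead.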

Saturday, June 6, 2015

Keeping kids safe online: Step 2

Step 2: Parents, talk to your kids.


As discussed in an earlier posting, the first step in keeping your kids safe online is for parents to educate yourselves. The second step revolves around communicating with your children and educating them in safe Internet practices.

When I was growing up, Mom's message was, "Don't talk to strangers." In the digital age that we live in now, these strangers are anonymous and could be communicating with your child from anywhere in the world. Worse, they are "invisible" to parents. Your child's social network is not just the playground anymore. It is vastly larger and scarier. How do you keep your children from trusting online entities? 

First, if you have not yet watched this 5-minute video, watch it now: Make the Internet Less Scary. In it, Ben Jun convinces parents of the importance of teaching your kids how to maintain communications with you so that if things get bad or scary, your child is comfortable going to you for help. Here are his tips:
  • Teach your kids boundaries. 
  • Make sure your kids know who they are speaking to online and let them know what they can and cannot share.
  • Teach your kids how to set limits, then role play with them to help them gain confidence in maintaining boundaries.
  • Inform them to treat every online conversation (even a SnapChat) as if it's going to be there forever.
  • Teach them to respect what belongs to others (such as digital photos of their friends).
  • Give your kids tools they can use.
Second, read the FBI publication A Parent's Guide to Internet Safety, and discuss it with your spouse or partner. From it, you'll learn to recognize signs that your child might be at risk. If your children have adult siblings, ensure that they read this guide as well. 

Third, talk to your children and explain the risks of online activity to them. The ISC(2) Foundation provides a Top Ten Online Safety Tips for kids. Parents, be sure your kids know these. You can make a game out of memorizing the safety tips, and reward your child for reciting all ten. Do occasional "pop quizzes" at the dinner table to ensure they are still on track.
  1. Keep passwords private
  2. Think before you send
  3. Respect yourself and others
  4. Report bullying
  5. Keep all settings private
  6. Always log off
  7. Never meet an online friend alone
  8. Tell a trusted adult if something makes you feel uncomfortable
  9. Keep personal information private
  10. Use these tips for mobile devices too
Last but not least, make online safety fun for your youngest ones. Have them watch the videos at iKeepSafe.org. Better yet, watch with them, in case they have questions. For kids of reading age, buy these books for them from SavvyCyberKids.org. And keep at it. Keep the communication going, no matter how old your child is.

More information is available at:

Saturday, May 30, 2015

Keeping kids safe online: Step 1

Step 1: Parents, educate yourselves


Here are a few facts about online safety that I learned by visiting the Cyber Safety Village at the RSA Conference this year:
  • 65% of 8- to 14-year-olds have been involved in a cyber bullying incident
  • 49% say that they have been the online bully
  • Only 6% of parents were aware of this
  • 49% of teens do not believe that posting personal information online might have a negative impact on their futures

The Internet can be a scary place for kids—and for parents. And yet, children are using the Internet by the time they are three years old. According to one study, which included 1100 parents and 825 children, kids spend twice as much time online as their parents think they do. Here are some statistics from that study:
  • one in seven children under the age of 16 spends 4+ hours a day glued to the screen
  • 64% of kids indicated they have had a negative experience online
  • 6% of children have been exposed to violent porn
  • one-third of children say it is harder to focus on offline tasks, like reading a book
  • one in 20 said they had met up with a stranger that they first met on the Internet

The truth is that most kids do not understand the risk; and most parents are not experts in cyber security. But kids need our help. What can you do as a parent to keep your kids safe online?

First, as a parent, you need to educate yourself, whether you are tech-savvy or not. There are many resources available to you. Don't be overwhelmed by the number of resources. Here are some starting places:
  1. Visit the RSAC Cyber Safety: Kids page
  2. Watch the brief cyber safety videos
  3. Read the Top 10 Online Safety Tips for Parents, distributed by the Internet security and safety giant, (ISC)2. 
  4. Bookmark these resources, and peruse them all:

OK, that's enough information for parents to get started. Don't put this off. Spend an hour or two with these resources, and discuss them with your partner. Arm yourself with information before you have that conversation with your kids. If you need some motivation to get started, read Alicia's story.

Secondly, communicate with your children. Have open discussions about online safety and stay positively engaged with your children. We'll take a look at ways to do this in our next posting, Keeping kids safe online: Step 2.


Saturday, May 23, 2015

Why you should care about Patch Tuesday

If you are a Windows user, you should be familiar with the term "Patch Tuesday." This refers to the second Tuesday of every month—the day that Microsoft releases the latest updates for its Windows operating system (OS).

All software has flaws, a.k.a. bugs. This will always be the case with any automation system created by humans. Many of these bugs create vulnerabilities that can be exploited by bad guys. Believe me, the bad guys are hard at work, day and night, finding these bugs and figuring out ways to take advantage of them and gain control over Windows systems* anywhere and everywhere.

Because all software requires periodic updating, software manufacturers like Microsoft provide software updates ("patches") that must be installed in order to bring systems up-to-date and help protect from unwanted intrusion. Microsoft issues patches on the second Tuesday of every month—a day that has become known as "Patch Tuesday."
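Since the date matters for knowing when to expect a reboot prompt, here is a small added example (written for this post, not Microsoft's code) that computes the second Tuesday of a month and the next Patch Tuesday after a given date. The only assumption is the post's own rule: updates are released on the second Tuesday of every month.

```python
import datetime

# Constant from datetime.weekday(): Monday=0, Tuesday=1, ... Sunday=6
TUESDAY = 1


def patch_tuesday(year: int, month: int) -> datetime.date:
    """Second Tuesday of the given month, i.e. Microsoft's Patch Tuesday."""
    first = datetime.date(year, month, 1)
    # Days from the 1st until the first Tuesday of the month (0 if the 1st is a Tuesday)
    days_until_first_tuesday = (TUESDAY - first.weekday()) % 7
    # The second Tuesday is exactly one week after the first one
    return first + datetime.timedelta(days=days_until_first_tuesday + 7)


def next_patch_tuesday(today) -> datetime.date:
    """Next Patch Tuesday on or after 'today' (a date or an ISO 'YYYY-MM-DD' string)."""
    if isinstance(today, str):
        today = datetime.date.fromisoformat(today)
    candidate = patch_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    # This month's Patch Tuesday has already passed: roll over to next month
    if today.month == 12:
        return patch_tuesday(today.year + 1, 1)
    return patch_tuesday(today.year, today.month + 1)


if __name__ == "__main__":
    # May 1, 2015 was a Friday, so the second Tuesday is May 12, 2015
    print("Patch Tuesday, May 2015:", patch_tuesday(2015, 5))
    print("Next Patch Tuesday after 2015-05-23:", next_patch_tuesday("2015-05-23"))
```

Run it with the date you care about and you know which week to expect the "install updates and shut down" prompt.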

A few things to note: First of all, home users will want to keep their operating system and software applications patched. This is regardless of the fact that, once in a blue moon, a patch is released that inadvertently breaks another application on your system, like Microsoft Excel or Outlook, for example. Mistakes happen, and these are generally the result of testing failures in the Microsoft test labs. (I know because I worked in one of those labs in the mid-90s.) Think about the millions of computers running Microsoft Windows in a seemingly infinite number of configurations. Not every single case can be tested, but Microsoft is adept at hitting most of them.

Side note: If you're running a business that is reliant upon other Windows applications, you'll want to develop a testing process whereby you test patches before deploying them. The average home user isn't running critical applications and doesn't need to set up special test cases. Regardless, whether you are a home user or a small business owner, you need to understand patching and always have a recent backup in place. We'll talk about backing up your data in another post.

The point is, for home users, experiencing the very rare malfunction caused by patching is not a valid reason to decide you are not going to patch your systems (unless you don't care about being hacked or having your identity stolen). Not patching puts you and your data in a vulnerable position. My mom always said, "Better safe than sorry." Besides, if a Microsoft OS patch breaks an MS-Office product, rest assured it will be discovered and fixed rather quickly.

Secondly, all of this patching is automated in Windows by a program called Windows Update, which is a pre-installed component of the Windows OS. Users don't need to lift a finger. Windows Update should be set to "automatically install updates." This is your best bet. To check your settings, go to the Windows Update page.

More advanced users can use these methods to view and change Windows Update settings:
  • In Windows 7, click Start, select Control Panel, and click the Windows Update icon. 
  • Windows 8.x users, read the FAQ for more info.
  • Windows XP users, if you exist, you should immediately disconnect your obsolete computer from the Internet and go buy a new computer running a newer OS.
Finally, some (but not all) patch installations require a reboot. Keep an eye out for this important notification—especially after Patch Tuesday—which is visible when you use your mouse pointer or other pointing device to hover over the Shut down function. If your Windows Shut down control shows the "shut down Windows and install updates" icon, as shown in the image here, then that is exactly what you should do.


Additionally, Windows may prompt you to restart in 10 minutes. Save your work and click Restart now. Do exactly what it says. You are able to postpone, but I recommend you restart or shut down (whichever the case may be) as soon as possible. The next time the computer starts up, give it time to finish installing the updates, if instructed on screen to do so.


*Computers running on the Apple platform (called iOS) also have bugs; however, Windows systems have a greater market share and therefore are more highly targeted. This doesn't mean that Mac users shouldn't pay heed to software update needs; it just means that I'm not focusing on iOS security in this blog posting.

Saturday, May 9, 2015

Should I freeze my kids' credit?

I was having coffee with a friend and fellow information security professional a few weeks ago when he told me that not only did he and his wife get letters from Blue Cross/Blue Shield regarding the Anthem breach, but so did each of his children. He has since frozen their credit with all three credit bureaus to protect it.

According to Marc Goodman, author of Future Crimes, kids are fifty-one times more likely to be victims of identity theft than adults. In the United States, 500,000 children become the victims of identity theft every year. And their parents don't even know it. Most of these kids don't find out about this crime committed against them until they are over 18, when they apply for student loans. Nineteen states allow parents to freeze their child's credit. For details, see Identity Theft Poses Extra Troubles for Children, a New York Times article posted April 17, 2015.

Every parent having a youngster at home should read that article and consider freezing the child's credit. I've received the same advice from friends of mine in the U.S. Secret Service and the FBI: The best protection you have against identity theft is to freeze your credit.

The credit bureaus claim it is an administrative nightmare for them, and I buy that, but a credit freeze doesn't pose any significant challenges to the consumer. Thawing your credit temporarily while you change cellular carriers or apply for a loan is easier than you might expect. Granted, freezing your credit won't stop someone who has pilfered your social security number (SSN) from filing a tax return in your name or using your medical insurance if he can gain access to your personal and group ID numbers, but credit freezing is one line of defense that shouldn't be overlooked.

Let's face it, the truth is that the bad guys are one step ahead of us. Protecting personally identifying information (PII) from falling into the hands of malicious actors is getting harder and harder to do. Why? Because our PII is stored electronically in countless databases in systems all over the world. All it takes for someone to steal your identity is knowledge of your name, SSN, date of birth, and address.

Three out of four of these identifiers can be too easy for anyone to find. (This is why it is not a good idea to post your birthday on your Facebook page.) The fourth, your SSN, is something you should protect to the best of your ability. Never give your SSN to someone who calls you on the phone, and never enter it on registration forms (like at your doctor's office) where there is no need-to-know. And don't carry your SSN card with you. For more information, see the U.S. Secret Service web page referenced at the end of this posting.

If you know your PII has been breached, freeze your credit; at the very least, subscribe to a credit monitoring service. Most retailers, financial institutions and other providers (like Anthem) will offer credit monitoring for free for a year or two following a compromise of your data. For more information, see the Consumer Financial Protection Bureau article, Should I use a credit monitoring service to protect myself from identity theft?, which compares credit monitoring to credit freezing.

Additionally, the FTC offers plenty of helpful information for consumers. See their web page Consumer Information | Identity Theft, or download Taking Charge: What to do if your identity is stolen (PDF format).

Monday, May 4, 2015

How do I create a strong password?

In my previous posting, I recommended that you change the default administrator user name and password used to access the configuration settings on your wireless router. These are frequently set by the router manufacturer to be admin/admin. All the hackers are aware of that fact and know that most of us probably don't know enough to change our credentials to something unique and hard to crack.

When you change the user name, make it something innocuous and unguessable. When you set a new password, make it long. Very, very long. Don't use dictionary words or dates or local sports team names. Don't use the name of your dog or your daughter's birthday—that information is readily accessible on your Facebook or Flickr page and a dozen other places. And do not reuse a password that you're using elsewhere.

A number of people's lives and finances have been ruined by password reuse. If you're using the same password for your Apple ID account, email account, online banking site, and more, then you're in deep doo-doo if just one of those accounts gets hacked. For an example of a huge loss endured following a password crack, read about the epic hack against Mat Honan of Wired magazine here.

OK, so what is a strong password? For one thing, it's no shorter than 14 characters (according to the Georgia Tech Research Institute). I wholeheartedly agree. Typically, a strong password is both long and complex—meaning it is a combination of upper- and lower-case letters, numbers and special characters (symbols, such as #, &, !, etc.). These are all good things to have in your password; in fact, the more random characters you use, the better.

Even Edward Snowden will tell you (in one of his April 5th interviews with John Oliver) that we need to stop thinking in terms of passwords, and start thinking about pass phrases instead. The longer the phrase, the better.

Know this: any password is crackable, given enough time and computing power. The goal is to make your password too hard to crack within a reasonable amount of time. A strong 14-character password can take centuries to crack. Those are the kind I like to use.
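To show why length and randomness matter so much, here is an added example (my own illustration, not from any of the sources linked in this post) that estimates the guessing entropy of a password, shows how a dictionary word collapses that estimate no matter how long the word is, compares a random pass phrase, and converts bits into worst-case cracking time. The guess rate of 100 billion guesses per second, the five-entry dictionary and the eight-word list are constructed assumptions for the demo; real cracking dictionaries have millions of entries and real pass phrase lists (diceware) have 7776 words.

```python
import math
import secrets
import string

# Illustrative assumption: an offline attacker guessing against a fast,
# unsalted hash at 100 billion guesses per second (not a figure from the post).
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample data for the demo only.
COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "admin"}
WORDLIST = ["apple", "basket", "cobalt", "dragon", "ember", "falcon", "garden", "harbor"]


def character_pool_size(password: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # the 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        pool += 1
    return pool


def password_entropy_bits(password: str) -> float:
    """Estimated guessing entropy in bits.

    A password found in the attacker's dictionary is only as hard as the
    dictionary is long, however many characters it has. Otherwise we assume
    the best case (every character chosen uniformly from the pool), which is
    an upper bound: human-chosen passwords are far more predictable.
    """
    if password.lower() in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    pool = character_pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words words each drawn uniformly from a list of wordlist_size."""
    return num_words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time for the attacker to try every possibility."""
    return (2.0 ** bits) / rate / SECONDS_PER_YEAR


def generate_passphrase(num_words: int, wordlist=WORDLIST) -> str:
    """Random pass phrase using the OS CSPRNG (secrets), never random.random."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    for pw in ["password", "Fluffy2009", "kX9#vL2$mQ7!pZ"]:
        bits = password_entropy_bits(pw)
        print(f"{pw!r:20} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years to exhaust")
    # A six-word phrase from a 7776-word diceware list
    bits = passphrase_entropy_bits(6, 7776)
    print(f"6-word diceware phrase: {bits:.1f} bits  ~{years_to_exhaust(bits):.2e} years")
    print("demo phrase from the tiny list:", generate_passphrase(6))
```

Under these assumptions a random 14-character password drawn from all four character classes comes out near 92 bits, which is over a billion years of brute force, whereas "password" is gone instantly and a ten-character pet name with a year is not much better once the attacker's wordlist contains names and dates.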

One great method for creating a password is described in the 3-minute video referenced in this article by security company Sophos: How to choose a strong password. Watch the video. I can't stress this enough. Got three minutes? Watch the video.

If you want to know more about how the bad guys crack passwords, see Bruce Schneier's blog posting about Choosing Secure Passwords. There are also plenty of web sites that provide a password strength checker. Just be sure not to test with a current or future password on those sites. For example: How secure is my password? Also, Microsoft has one at their Safety & Security Centre.

In the security industry, we all agree that password authentication is a fairly weak form of authentication, primarily because humans are the ones making up the passwords, and we've got too many passwords to remember. They say that passwords are going away and will be replaced by biometrics and other stronger forms of authentication. But not today. For now, we're still stuck with passwords for most of our online authentication.

In the meantime, for sites that hold sensitive or personally identifiable information (PII) it's a good idea to implement unique user names and strong passwords; and, if the site offers multi-factor authentication, take advantage of it. Got a Gmail account? Use Google's two-step verification. Most online banks offer this now, as well. Take advantage.

In a nutshell, make sure your passwords are unique and strong (i.e., long and complex); don't save passwords in a clear text file (in other words, unencrypted) stored on your PC; and don't write down your passwords or otherwise store them in an unsecured location.

Also, do not share your password with anyone. Anywhere. Anytime. Ever. No one, not even technical support staff, should ever ask you for your password. Would you hand your front door keys to a stranger? Treat your passwords the same way.

Saturday, May 2, 2015

How do I secure my home network?

It's easy to lock a deadbolt on your front door when you leave for the day, but how do you know if your home network is secured?

At home, most of us use a modem and a line from an Internet Service Provider (ISP) to connect to the Internet. Whether we use a cable modem (e.g., we subscribe to Comcast), a DSL line (via phone) or, more rarely, a satellite link, this modem provides our primary link to the Internet.

Typically, we configure our various computing devices within the home to connect to the modem wirelessly. For those intermediary connections, like laptops, smart phones, iPads, TVs, ROKUs, etc., we connect a wireless ("Wi-Fi") router to the modem. Sometimes the wireless adapter component is built into the modem.

Because your Wi-Fi network is available to any other human holding a device within range that can 'see' your home network, you need to secure it.

The three most common mistakes made that leave your Wi-Fi vulnerable to attack are:
  1. Not changing the default Wi-Fi network name, also known as the Service Set Identifier (SSID), and not disabling broadcasting the SSID. If you don't do the latter, your neighbors and anyone driving down the street can see your network name on their wireless computing device. Anyone who can see the network name can attempt to connect to it. Change the default name so the bad guys can't guess your SSID based on that router box that you put out in the recycle bin at your curb.
  2. Not changing the default administrator user name and password that is pre-set on the router. Typically, this is configured by the manufacturer to be admin/admin and is accessible through an interface that you use to configure your router settings called the administrator console.
  3. Not using strong encryption to secure the data transmitted over your wireless network. Too many unsuspecting users are still using the weakest protocol of all, WEP, instead of one of the stronger encryption protocols like WPA/WPA2. There is a huge difference in security between WEP and WPA encryption algorithms.
Those are the fundamentals. Even if you change just those configuration settings on your wireless router, you're way ahead of the bad guys who are trying to hack into your home wireless network.

How do you configure these three things on your router, and implement more security features? It's really quite simple. Using any web browser on your desktop, simply perform a web search (e.g., via Google) on your router manufacturer name and model. A simple query on www.Google.com, for example, might be "secure LinkSys router," if you own a wireless router made by LinkSys. Better yet, search the model number: "secure linksys wrt54g," for example.

Or, visit the manufacturer's web site and download the manual associated with your particular model. A quick Google search will get you to the manufacturer's web site (e.g., http://www.linksys.com/us/).

The user manual describes how to connect to your router directly, log in as the administrator, disable SSID broadcasting, enable strong encryption, and change the administrator login credentials (the administrator login name and password). A savvy user will not only change the default administrator password to a strong password, but will take it one step further and also change the administrator login ID from "admin" to something completely innocuous. (Don't use your own name!)

Stay tuned for more tips on Wi-Fi security. 

Friday, May 1, 2015

Why this blog?

Welcome to my new blog, Susie and Security. This is something I've been meaning to do for years. The audience for this blog is anyone and everyone. Most people are not technology experts or information security "infosec" specialists. And yet, thanks to the explosion of the Internet of Things (IoT), most people interact with a variety of digital devices throughout the day—both at home and at work, and in between. Is your phone, TV, laptop computer, wireless printer, home Wi-fi network, household alarm system and car secured? How do you know?

The purpose of this blog is to help and educate. The best way we can prevent breaches and understand how to detect and respond to them when they do happen—and they will—is by being aware, alert and informed. The fact is that we cannot necessarily keep the bad guys out, but we can take steps to limit the damage when they do compromise our systems.

Going forward, if you find this blog useful, please feel free to share the link (http://www.susieandsecurity.com/) with family and friends.

Thanks for visiting and stick around for my first security post this weekend!

Susie
May 1, 2015