Tuesday, June 6, 2017

The warrior inside you: Protect yourself from knife attacks

This post takes a detour from virtual security to physical security. I raise this issue because here in America we are not well acquainted with small-scale terrorist attacks—the type of attacks that Israelis are well-versed in combating.

A couple years ago, I heard Dr. Robbie Friedmann speak about the types of terrorist attacks that we can expect to see more of. He specifically mentioned knife attacks, whereby an aggressor appears in a public location like a city sidewalk and suddenly wields a knife, stabbing at any human being within reach.

Because we've seen more of these lately, including this week's London Bridge attack, I reached out to women's self-defense and security expert Celia Cortes, founder and CEO of Seva 6 Security Consulting.

When I asked Celia how we can defend ourselves in a situation like this—one with no escape route—she advised that going on the offensive may be the best way to save lives. Most importantly, the decision whether to act offensively or defensively must be made quickly:
"A knife is more dangerous than a gun. You have to decide if you want to attack offensively or protect yourself defensively. 
If the attacker is upon you, you have no choice but to burst in and attack offensively. That means going after the knife. Or at the very least the arm that is holding the knife and doing your all to control the weapon and/or disarm the guy. If you are with other people, one should go for the knife, the other should go for the legs. A group of people can easily overpower an attacker but they have to overcome the fear of being cut. Cut is better than killed. 
It happens so very fast, so there is no time to hesitate. 
Here's hoping you never have to deal with it but if you ever do, call on the warrior inside you and protect your life."
In other words, should an attack like this occur, act immediately. If others are present, work together against the attacker. There is power in numbers. For me, that means summoning up the courage of 9/11 hero Todd Beamer, who famously motivated other passengers on Flight 93 to take down their attackers when he said, "Let's roll!"

Some may disagree with how Celia or I would respond in this situation, and how you react will depend upon the totality of the circumstances and your presence of mind in the moment.

Wednesday, May 24, 2017

Do's and don'ts for securing your Android

Here is a list of tips and some resources to help you secure your Android phone. The list may seem long and you may not be able to do all of these, but that is OK. No device or app can ever be 100% secure. Every step you take to lock down your smartphone and reduce your online footprint improves your defenses against attackers.

Don't:
  • Download apps outside of Google Play
  • Connect to unsecured Wi-Fi
  • Allow application installations from unknown sources (this is the default configuration in Settings)
  • Share too much on social media
Also, as with any computing device, be sure to keep your operating system updated (in Settings), as well as your apps (ensure your apps are set to auto-update over Wi-Fi in Google Play > Settings).

Tuesday, May 16, 2017

DocuSign users, beware email phishing attempts

If you are a user of an electronic document signature service called DocuSign, you may be the target of an email phishing attack. Be very careful and think before you act on any email that purports to be from or about DocuSign. Do not click attachments or links in DocuSign emails.

According to the company web site, email addresses of DocuSign users were exposed to hackers before May 9, 2017.

Brian Krebs (KrebsOnSecurity.com) posted this sample image of a malicious email with the subject line "Completed: docusign.com - Wire Transfer Instructions for recipient-name Document Ready for Signature."

DocuSign phishing email

If you get an email like this, do not interact with it. On that note, any unexpected email about a "wire transfer" is suspicious. Don't fall for it! For more information, see the DocuSign online Trust Center at https://trust.docusign.com/en-us/personal-safeguards/.

Thursday, May 4, 2017

USAA members beware phishing email about money transfer

This fake email from USAA is making the rounds to USAA members. Do not click links in the message! The links do not point to the legitimate USAA.com web site.

This is a way for bad guys to get you to input your USAA login credentials on their scam web page and capture all your login information. They can then log in as you on the real site and take over all of your USAA accounts.

If you get an email that looks like this, send it to your spam folder or delete it:

Remember to never click links in emails that appear to be from your financial institution. Instead, navigate to the trusted URL in your web browser, and log in from there.
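This post and the DocuSign one above come down to the same question: does a link really go where it claims? The Python script below is an example added here, not the author's code, that parses an email, lists each link's visible text next to its real target, and flags any target whose host is not the domain you expect or whose visible text shows a different address than the link actually opens. The sample message and its hostnames are constructed placeholders (`.example` names, not real sites); `usaa.com` is the domain passed in as the expected one.

```python
"""Link-target check for a suspicious email.

Added example (not the blog author's code). Parses an email, collects
every link's href and visible text, and flags links that do not lead to
the expected domain. The sample message below is constructed for
illustration; its hostnames are placeholders, not real sites.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a lookalike message with one deceptive link and one real one.
SAMPLE_EMAIL = """\
From: "USAA" <alerts@usaa-secure-mail.example>
To: member@example.com
Subject: Action required: pending money transfer
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A transfer is pending on your account.</p>
<p><a href="http://usaa.com.login-verify.example/auth">https://www.usaa.com/</a></p>
<p><a href="https://www.usaa.com/help">Help center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(host, expected_domain):
    """True only if host is the expected domain or a subdomain of it.
    'www.usaa.com' passes; 'usaa.com.login-verify.example' does not,
    because the expected domain is only a prefix there, not the registered domain."""
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def find_suspicious_links(raw_message, expected_domain):
    """Return (href, visible_text, reason) for every link that does not lead to
    expected_domain or whose visible text shows a different host than the target."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    findings = []
    for href, text in collector.links:
        target_host = urlparse(href).hostname or ""
        reasons = []
        if not host_belongs_to(target_host, expected_domain):
            reasons.append(f"target host {target_host!r} is not {expected_domain}")
        # Visible text that looks like a URL but points elsewhere is the classic lure.
        shown_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown_host and shown_host.lower() != target_host.lower():
            reasons.append(f"visible text shows {shown_host!r} but link goes to {target_host!r}")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL, "usaa.com"):
        print(f"SUSPICIOUS: {text!r} -> {href}\n    {reason}")
```

The host check deliberately requires a dot boundary: a host like `usaa.com.login-verify.example` starts with the bank's name but is registered under a completely different domain, which is exactly the trick the post warns about.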

Thursday, April 27, 2017

Protecting your kids online

The Department of Homeland Security (DHS) provides a wealth of resources to help parents navigate the vast digital world called the Internet that their kids interact with every day.

DHS encourages all parents to follow these common-sense steps to protect their children online.
  • Create an open and honest environment with kids.
  • Have regular conversations with kids about practicing online safety.
  • Emphasize the concept of credibility to teens: not everything they see on the Internet is true, and people on the Internet may not be who they appear to be.
  • Watch for changes in behavior — if your child suddenly avoids the computer, it may be a sign of being bullied online.
  • Review security settings and privacy policies for the websites kids frequent. These settings are frequently updated so check back regularly.
  • Make sure mobile devices are secure.
  • Use PINs and strong passwords, only install apps from trusted sources, and understand the privacy settings and permissions for all apps.

For more information about protecting children online, see the Stop.Think.Connect. booklet "Chatting with Kids about Being Online." For additional resources, access the Stop.Think.Connect. Toolkit at www.dhs.gov/stopthinkconnect-toolkit.

Sunday, April 16, 2017

How much do you know about cyber security?

I challenge you to test your basic cyber security knowledge with this short 10-question quiz from the U.S. Department of Homeland Security. I did!

Pew Research Center's study about what the public knows about cyber security sheds light on the fact that many Americans are unclear about key cyber security concepts. The majority of Internet users were able to answer fewer than half of the questions correctly. Though cyber security can be a complex topic, the quiz covers general concepts and basic building blocks that experts stress are important for users to protect themselves online.

Test yourself and let your kids try it too! Take the Cyber Security Knowledge Quiz and see how your results compare with the 1,055 randomly sampled adults who took part in the national survey.

To help improve your general knowledge of basic security and best practices, see the Stop.Think.Connect. Campaign Toolkit at www.dhs.gov/stopthinkconnect.

Sunday, April 9, 2017

Three steps to secure messaging (by Teen Vogue)

Can an outsider eavesdrop on the SMS texts that you send from your phone? Of course they can. Can you take steps to thwart that type of activity? The answer is yes, and it is something that you and your kids should be proactive about doing.

I work for a progressive data privacy platform provider, which makes me a huge fan of Internet privacy. Recently, a friend of mine from my organization's security operations center shared this article with me: How to Keep Messages Secure, posted in March 2017.

It is enlightening to see a youth magazine educating its readers in the Internet security arena. We need more sharing like this, across the globe. Talk to your kids about the three steps described in Teen Vogue:
  1. Keep your phone operating system (OS) updated—whether it be Android or iOS. For help, just google the phone OS name with the word "updating" or "patching" (e.g., updating Android).
  2. Set a long PIN to unlock your phone, and don't use personal dates (like anniversaries) or years (such as your birth year) in your PIN. Better yet, use biometric authentication (like a fingerprint) or a passphrase (as opposed to a shorter password) where offered.
  3. Use a secure messaging app instead of SMS for texting—for example, Facebook Messenger, WhatsApp, or Signal.
For details, see the entire article or go to this one from Business News Daily: 5 Best Secure Messaging Apps. Stay safe online!

Sunday, March 26, 2017

Got Gmail? Watch out for this clever scam

News of this effective email phishing scam that targets people with Google email accounts (Gmail) was first published by Fortune two months ago and was picked up by Bruce Schneier, who linked to it on his well-known Schneier on Security blog on March 17, 2017. It works like this.

The Gmail recipient receives an email containing an object that appears to be a PDF file attached to the message. This "attachment" is actually an image file embedded in the message contents. It was made from a screenshot of a PDF file attachment and looks like this:

Fake PDF "attachment" image

Saturday, March 18, 2017

Be on the alert for IRS tax scam emails

It's that time of the year when scammers take advantage of unsuspecting citizens by baiting them with a simple phishing scam.

Earlier this month, Dark Reading published 9 Phishing Lures that Could Hijack your 2017 Tax Refund. The nine sample phishing emails are shown below, and the full article is here: http://www.darkreading.com/perimeter/9-phishing-lures-that-could-hijack-your-2017-tax-refund-/d/d-id/1328334.

Defending against this is easy. If you get any email purporting to be from the IRS, know this: The IRS does not send email to taxpayers. If you are getting audited or owe taxes, you will be notified by snail mail. The IRS will not send you email promising a big payback either. Delete it.

Whenever you receive an unexpected email or any message that seems out of the ordinary, remember to stop, think and do not click.

Tuesday, March 7, 2017

Scam email from Mystery Shopper recruiter

Thinking of working as a mystery shopper? It's a legitimate business, but be aware that these companies don't recruit by email.

Here is just one example of a fraudulent email designed to trick you out of money:

How the scam works

You receive a bank check along with a request that you deposit it immediately and then go shop; you are also told that you'll get to keep some of the money. But the scammers ask you to wire the remaining money back to them right away. As you might have guessed, their check is bogus but the money you wire back is real.

Things to remember

  • When you receive a check, wait until it fully clears before spending it.
  • Never accept a check for more than what is owed with instructions to send back the rest. 
  • Always be wary if you are asked to wire funds.

Think before you click!

Saturday, February 4, 2017

CEO fraud and W-2 scams running at full-tilt during tax season

In Wyoming, two health organizations fell victim to a W-2 phishing scam last month. At Campbell County Health, an employee clicked a link in an email that appeared to be sent by a hospital executive. End result: SSNs and W-2 information of 1,400 employees were disclosed. A similar breach occurred at eHealthInsurance when one of their employees sent W-2 information in response to a phishing email that he/she believed was sent from a company executive.

In Kansas, Sedgwick County lost $566,000 when a Georgia (U.S.) hacker sent an email to a county employee that appeared to be from the CEO of another company. The email included a form requesting that payments be made electronically to a new account at a Wells Fargo Bank in Georgia. The payment was made.

In this particular case, the hacker was caught, and George S. James is now charged with one count of wire fraud. See https://www.justice.gov/usao-ks/pr/georgia-man-charged-cyber-crime-cost-sedgwick-county-566000

The moral of the story: things are not always as they seem.

It's called "CEO fraud" because typically the email address of the CEO is spoofed in the "From" line of an email that is delivered to an employee or other C-level executive of the company. Just because an email appears to come from someone you know doesn't mean it actually does.

The lesson here is that you should never send sensitive information like W-2s (or money!) based on an email you received. Always verify an email's origin before taking action. When it comes to sharing private or otherwise sensitive information, trust but verify.

Saturday, January 7, 2017

Hey Mom, is that really you on the phone?

There is no end to phishing innovations. The new Adobe VoCo software can take an extremely short audio recording of someone's voice (say, from a YouTube video) and let a user create new audio in that person's voice, all on the fly. This is pretty amazing technology, but the potential for voice phishing is scary. Think of the ways this could be exploited at work and at home. For example:

“Mom, I am in jail and my lawyer needs $3000 to bond me out.”
“Sis, what is your SSN again? I need to make you a beneficiary on my new benefits program.”

The possibilities are endless. Will all humans need to invoke phone passcodes going forward? Or should we invoke call-backs whenever dealing with sensitive information by phone? ("I will call you back with that information.")

You decide.