I'm trying a slightly different format this week. The article titles I'm discussing are hyperlinked titles introducing the commentary. I think this breaks it up a little better and lets you pick and choose more easily. Let me know if you have an opinion one way or the other. This week we discuss Cryptolocker and how to defend against it. The Register discusses your privates. A journalist convinces random people he is clairvoyant. (And he sorta is but needs Instagram to make it happen.) We get to see which Cloud providers have a handle on data encryption. And last but not least, we talk about the other operating system on your smartphone.
CryptoLocker seems to be one of the more successful pieces of malicious code we've seen in some time, at least from a publicity perspective. I found that there is a decent number of non-INFOSEC people asking questions about it and how should the protect themselves. I've pieced together the blurb below to help raise awareness. Feel free to copy and paste if you find it useful. I just ask that you give me attribution credit/blame and a link back to this post.
Some of you might have heard about CryptoLocker over the past several days. It is a piece of malicious code that encrypts your files and holds them for ransom. This article gives a solid overview that’s easy to understand even if you are not a technical person. The highlights include:
- CryptoLocker most frequently arrives as an email attachment
- It encrypts many of your important files like Word, PowerPoint, Excel, and pictures
- Requires a ransom paid in Bitcoins (Virtual Currency) or MoneyPak (Cash Card)
If you get hit with CryptoLocker, you best defense is having your files backed up ahead of time. You are probably covered at work, but you are on your own at home. Use File History Backup on Windows or TimeMachine on a Mac. Other services you might look into include BackBlaze and Carbonite, for a monthly fee.
For the cost of an external hard disk and a fancy cup of coffee each month, you can protect yourself against Cryptolocker, floods, fires, and accident-prone friends and relatives. Backup is like insurance. You hope you never need it, but are really glad you have it when things go south.
Cloud-based services are increasingly common in business process. There is a lot of advantage and agility to be gained through the use of Cloud services. However, we make a tradeoff for these advantages. That tradeoff is ceding direct control of data, where it’s stored, how it’s shared, and potentially how it’s used. The Electronic Frontier Foundation has a great report on what the major Cloud providers are doing to protect data when it is stored on their respective Clouds. This assessment focused on how vendors encrypt the data entrusted to them. Dropbox, Facebook, Google, Sonic.net, and SpiderOak all have the encryption aspect well in hand. Other providers are still grappling with the problem. Check out the chart in the article for more detail. Organizations must consider these factors and more as they decide how to embrace Cloud technology.
Do you use social media? Many of us do, but don’t realize exactly how much we share. On the surface you might think that the only people interested in your Instagram account would be friends and relatives. That’s a bad assumption. Watch this video and then think about what you’ve been sharing and with whom. While you’re at it, go check out your organization's social media policy to make sure you are staying on the right side of the law.
First off, I don’t make the headlines. I just share them. Direct any concerned comments regarding the headline to John Leyden at The Register. However you feel about this headline, Mr. Leyden has some interesting insight into what makes the world of hacking go round. Not to spoil the surprise or anything, but money is what makes it go. (See earlier article about CryptoLocker.)
I find the underground economy fascinating. I think I can make a good argument that it is the closest approximation of a perfect market theoretical economists fantasize about. There is zero regulation, equitable costs of market entry and exit, and some of the most well-informed consumers available. As INFOSEC professionals, it might be sensible to go make friends with an economist and chat about creative ways we could wreck this perfect market. Wrecking the economic drivers might be more effective than any technology, policy, or user education problem we can devise. Discuss.
The gist of this article is that your phone has an operating system in addition to Android, iOS, or Windows. It’s an operating system that runs the radio and all the core functions needed to communicate on the wireless network. Unfortunately, many of these operating systems were developed in the 90s when security was not a consideration. With the right tools and a little time, security researchers have found ways to exploit these second operating systems to take control of your phone. No indication on how easy this is to do or how wide spread it is.
 G. Burnison, “2014: A ‘New’ War for Talent,” LinkedIn, 19-Nov-2013. [Online]. Available: http://www.linkedin.com/today/post/article/20131119001515-281874400-2014-a-new-war-for-talent. [Accessed: 19-Nov-2013].
 A. Newitz, “All the leaked NSA documents, rounded up into one place,” io9, 20-Nov-2013. [Online]. Available: http://io9.com/all-the-leaked-nsa-documents-rounded-up-into-one-place-1468650331. [Accessed: 21-Nov-2013].
 Q. Hardy, “Amazon Bares Its Computers,” Bits Blog, 15-Nov-2013. [Online]. Available: http://bits.blogs.nytimes.com/2013/11/15/amazon-bares-its-computers/. [Accessed: 19-Nov-2013].
 M. Riggs, “An Ex-Cop’s Guide to Not Getting Arrested,” The Atlantic, 07-Nov-2013. [Online]. Available: http://www.theatlanticcities.com/politics/2013/11/ex-cops-guide-not-getting-arrested/7491/. [Accessed: 20-Nov-2013].
 B. X. Chen, “Carriers Reject a ‘Kill Switch’ for Preventing Cellphone Theft,” Bits Blog, 19-Nov-2013. [Online]. Available: http://bits.blogs.nytimes.com/2013/11/19/carriers-reject-a-kill-switch-for-preventing-cellphone-theft/. [Accessed: 20-Nov-2013].
 L. Vaas, “‘Catch me if you can’, alleged burglar posts on Facebook - so they did, in 5 minutes,” Naked Security, 22-Nov-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/11/22/catch-me-if-you-can-alleged-burglar-posts-on-facebook-so-they-did-in-5-minutes/. [Accessed: 22-Nov-2013].
 G. Cluley, “CryptoLocker: What is it? And how do you protect against it?,” Graham Cluley, 18-Nov-2013. [Online]. Available: http://grahamcluley.com/2013/11/cryptolocker-protect/. [Accessed: 18-Nov-2013].
 B. Krebs, “Cupid Media Hack Exposed 42M Passwords,” Krebs on Security, 20-Nov-2013. [Online]. Available: http://krebsonsecurity.com/2013/11/cupid-media-hack-exposed-42m-passwords/. [Accessed: 20-Nov-2013].
 M. Mimoso, “EFF Scorecard Shows Crypto Leaders and Laggards,” Threatpost - English - Global - threatpost.com, 20-Nov-2013. [Online]. Available: http://threatpost.com/eff-scorecard-shows-crypto-leaders-and-laggards/102987. [Accessed: 21-Nov-2013].
 Encrypt the Web Report. 2013.
 L. Vaas, “FBI: Anonymous has been exploiting Adobe flaws in year-long, ongoing assault on US government sites,” Naked Security, 20-Nov-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/11/20/fbi-anonymous-has-been-exploiting-adobe-flaws-in-year-long-ongoing-assault-on-us-government-sites/. [Accessed: 20-Nov-2013].
 P. Ducklin, “Firefox 25.0.1 - the security update that wasn’t?,” Naked Security, 18-Nov-2013. [Online]. Available: http://nakedsecurity.sophos.com/2013/11/16/firefox-25-0-1-the-security-update-that-wasnt/. [Accessed: 18-Nov-2013].
 “Global forest change,” Flowing Data, 20-Nov-2013. [Online]. Available: http://flowingdata.com/2013/11/20/global-forest-change/. [Accessed: 20-Nov-2013].
 E. Howell, “How habitable is Mars? A new view of the Viking experiments,” Phys.org, 21-Nov-2013. [Online]. Available: http://phys.org/news/2013-11-habitable-mars-view-viking.html. [Accessed: 21-Nov-2013].
 K. Zetter, “How the Feds Took Down the Silk Road Drug Wonderland,” Threat Level, 18-Nov-2013. [Online]. Available: http://www.wired.com/threatlevel/2013/11/silk-road/. [Accessed: 18-Nov-2013].
 G. Cluley, “How to freak out Instagram users, and why they need to be more private,” Graham Cluley, 18-Nov-2013. [Online]. Available: http://grahamcluley.com/2013/11/instagram-twitter-location-privacy/?utm_source=feedly. [Accessed: 20-Nov-2013].
 G. Cluley, “How your LG Smart TV can spy on you,” Graham Cluley, 20-Nov-2013. [Online]. Available: http://grahamcluley.com/2013/11/lg-smart-tv-can-spy/. [Accessed: 20-Nov-2013].
 Q. Hardy, “Mapping Bitcoin,” Bits Blog, 19-Nov-2013. [Online]. Available: http://bits.blogs.nytimes.com/2013/11/19/mapping-bitcoin/. [Accessed: 20-Nov-2013].
 M. Williams, “Nationwide Insurance follows banks, using simpler language,” The Columbus Dispatch, 17-Nov-2013. [Online]. Available: http://www.dispatch.com/content/stories/business/2013/11/17/clear-cut-policies.html. [Accessed: 18-Nov-2013].
 “NTRU public key crypto released to open source community,” Help Net Security, 22-Nov-2013. [Online]. Available: http://www.net-security.org/secworld.php?id=15997. [Accessed: 22-Nov-2013].
 G. Cluley, “Serious security hole in Gmail password reset system found by security researcher,” Graham Cluley, 22-Nov-2013. [Online]. Available: http://grahamcluley.com/2013/11/security-hole-gmail-password-recovery-system/. [Accessed: 22-Nov-2013].
 R. Shaw, “SIM Card Forensics: An Introduction,” InfoSec Institute, 19-Nov-2013. [Online]. Available: http://resources.infosecinstitute.com/sim-card-forensics-introduction/. [Accessed: 20-Nov-2013].
 K. Jackson-Higgins, “SMBs Unsure And At Risk, Survey Finds -,” Dark Reading, 19-Nov-2013. [Online]. Available: http://www.darkreading.com/vulnerability/smbs-unsure-and-at-risk-survey-finds/240164100. [Accessed: 20-Nov-2013].
 SOCIAL MEDIA EXPERIMENT. 2013.
 J. Leyden, “Stolen CREDIT CARD details? Nah... crooks desire your PRIVATES,” The Register, 22-Nov-2013. [Online]. Available: http://www.theregister.co.uk/2013/11/22/cybercrime_market_prices/. [Accessed: 22-Nov-2013].
 “The risks of having a false sense of security,” Help Net Security, 22-Nov-2013. [Online]. Available: http://www.net-security.org/secworld.php?id=15996. [Accessed: 22-Nov-2013].
 T. Holwerda, “The second operating system hiding in every mobile phone,” OS News, 12-Nov-2013. [Online]. Available: http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone. [Accessed: 18-Nov-2013].
 R. Rachwald, “Top Security Predictions for 2014,” FireEye Blog, 21-Nov-2013. [Online]. Available: http://www.fireeye.com/blog/corporate/2013/11/top-security-predictions-for-2014.html. [Accessed: 21-Nov-2013].
 K. Opsahl, N. Cardozo, and P. Higgins, “UPDATE: Encrypt the Web Report: Who’s Doing What,” Electronic Frontier Foundation, 20-Nov-2013. [Online]. Available: https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what. [Accessed: 21-Nov-2013].