All posts by David

Part 2: On Passwords, Password Policies, and Teaching

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/xUY98wlIycU/part-2-on-passwords-password-policies.html

I noted in yesterday’s post that I used the answers to drive a conversation with a student employee, but didn’t provide details. I was asked what the assignment was, and thought that it might be of interest.

I provided the initial question, and my response about what drives institutional policy – essentially what I summarized here. The assignment was:

Explain how you would answer this question for a user, and for IT management, and how your policy might differ for each of these environments:

- A large multinational corporation
- A commercial website like Amazon, or a cloud service like Dropbox or Picasa
- A small company or non-profit

This sort of thought exercise is one that I feel is crucial for those who are learning information security, and is similar to questions I ask my employees when we discuss why our policies are what they are.

On Passwords and Password Expiration

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/a-hYO-gQkP4/on-passwords-and-password-expiration.html

One of the things that I believe is an important part of my job is to answer user questions in a way that educates them about the topic they ask about, in addition to providing the answer. At times, this can be frustrating, but it also challenges me to think about why I’m providing the answer that I do. It also means that I have to review the choices I, and my organization, make about policy and process, and the reasons for both.

I recently exchanged email with one of our users who questioned our password policy, which requires periodic changes of passwords. The user contended that periodic password changes encourage poor password choice, that users who are forced to choose new passwords (even on a relatively infrequent basis) will choose poor passwords, and that in the end, password changes serve no purpose.

In my institution’s case, there are a number of reasons why password changes make sense, and I believe that these are a reasonable match for most companies, colleges, and other organizations – but not necessarily for your Amazon account, or your banking password. It is critical to understand the difference between a daily use password for institutional access that provides access to things like VPN access, email, licensed software, and the rest of the keys to the kingdom, and a single use password that accesses a service or site. Thinking about your password policy in the context of institutional risk while remaining aware of how your users will react is critical.

The reasons that help drive password change for my institution, in no particular order, are:

- Password changes help to prevent attackers who have breached accounts, but who have not used them, or who are quietly using them, from having continued access.
- Similarly, they can help prevent shared passwords from being useful for long term access.
- They can help prevent users from using the same password in multiple locations by driving changes that don’t match the previously set passwords elsewhere.
- They can help prevent brute forcing, although this is less common in environments where there are back-off algorithms in place. In many institutions, that central monitoring may not exist, or may not be easy to implement.
- Password changes continue to be recommended by most best practice documents (including PCI-DSS and others). Including password expiration in your password policy can be an element in proving due diligence as an organization.

When you read the list from a user perspective, it is difficult to see a compelling reason for them to change their passwords. There isn’t a big, disaster level threat that is immediately obvious, and the “what’s in it for me” is hard to communicate. When you read it from an organizational perspective, you will likely see a set of reasons that, when taken as a whole, mean that a reasonable password expiration timeframe is useful at an organizational level. Here’s why:

The environment in which most of us work now has two major external threats to passwords: malware and phishing. With malware targeting browsers and browser plugins, and institutional policies that accept that users will visit at least common sites like CNN, ESPN, and other staples of our online lives, we have to acknowledge that malware compromises that gather our users’ passwords are likely.

Similarly, despite attempts we make at user education, phishing continues to seduce a portion of our user population into clicking that tempting link, or responding to the “IT department” that needs to know their password to ensure that their email isn’t turned off. Again, we know that passwords will be exposed.

Bulk compromises of passwords are likely to involve captured hashes, which most organizations have spent years designing infrastructure to avoid as tools like Rainbow Tables and faster cracking hardware became available. Thus, we worry more about what access to our networks, and what individual accounts, or small groups of compromised accounts, can do. In the event of a large-scale breach of central authentication, the organization will require a password change from every user, typically with immediate expiration of all passwords.

In this environment, we will require our users to change their passwords when their account is compromised, but will we know to require that? We know that advanced persistent threats exist, and that some attackers are patient and will wait, gathering information and not abusing the accounts they collect. We can continue to fight those threats with periodic password changes for the accounts that provide access to our institutions.

It would, of course, be preferable to use biometrics, or tokens, or some other two factor authentication system. It is also expensive, and difficult to adapt into a diverse environment where credentials are used across a variety of systems that are glued (or duct taped, bubble gummed, and baling wired) together in a variety of ways. For now, passwords – or preferably passphrases – remain the way to make these heterogeneous systems authenticate and interoperate.

In the end, I learned a lot from my exchange with the user. Over the next few months, I’ll be adding additional information to our awareness program reminding users that password changes that change from “Password1” to “Password2” aren’t serving a real use, we’ll add additional information about tools like Password Safe to our posters and awareness materials, and I’ll be working with our identity and access management staff to see if we can leverage their tools to prevent similar poor password practices. In addition, I’ve been using it as a learning opportunity for my staff, and as a challenge for my student employee.

I’m aware that I won’t win with every user – I’ll still have the gentleman who resets his password once a day for as many days as our password history and minimum password age will allow so he can get back to his favorite password. I’ll still have the user who changes their password to “Password1!” and claims that yes, they have used a capital and a number and a symbol, and that thus they have met the requirements for a strong password. But I also know that our population continues to grow more security aware, and that many of our users do get the point.

If you’re interested in this topic, you may enjoy this Microsoft research about users, security advice, and why they choose to ignore it, and NIST’s password guidance provides a well reasoned explanation of everything from password choice to mnemonics and password guessing.
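The post names three controls that interact at password-change time: password history, minimum password age, and the “Password1” to “Password2” habit. As an added example (not the author’s code, nor any institution’s real policy), here is a small Python model of a change check that enforces all three and rejects trivial variations of the old password; the thresholds, the common-word list and the account layout are constructed assumptions. It also reproduces the loophole the post describes: a user who cycles through enough distinct passwords, one per day, ages the favorite out of history and gets it back.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed policy values (assumptions, not any real institution's settings).
MIN_LENGTH = 8
HISTORY_DEPTH = 5                  # how many previous password hashes we remember
MIN_AGE = timedelta(days=1)        # earliest a user may change their password again
MAX_AGE = timedelta(days=90)       # periodic expiration window
PBKDF2_ROUNDS = 20_000             # kept low so the example runs quickly; use far more in production

# Constructed denylist of base words that "Password1!" style passwords are built on.
COMMON_CORES = {"password", "welcome", "letmein", "qwerty", "changeme", "summer", "winter"}

# Undo the usual "leet" substitutions so P@ssw0rd compares equal to password.
LEET = str.maketrans("@$013", "asoie")
EDGE_JUNK = r"[0-9!@#$%^&*()_+\-=.,?]+"


def normalize(password: str) -> str:
    """Reduce a password to its core so trivial variants compare equal:
    lowercase, strip leading/trailing digits and symbols, undo leet spellings.
    'Password1', 'Password2' and 'P@ssw0rd!' all normalize to 'password'."""
    core = password.lower()
    core = re.sub(EDGE_JUNK + "$", "", core)
    core = re.sub("^" + EDGE_JUNK, "", core)
    return core.translate(LEET)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, stretched hash; each history entry keeps its own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first: (salt, hash)
    last_changed: Optional[datetime] = None


def apply_change(acct: Account, new_password: str, now: datetime) -> None:
    """Record a change that has already passed evaluate_change (or an initial set)."""
    salt = os.urandom(16)
    acct.history.insert(0, (salt, hash_password(new_password, salt)))
    del acct.history[HISTORY_DEPTH:]          # oldest entries fall out of history
    acct.last_changed = now


def is_expired(acct: Account, now: datetime) -> bool:
    """Periodic expiration: the control aimed at quietly held credentials."""
    return acct.last_changed is None or now - acct.last_changed >= MAX_AGE


def evaluate_change(acct: Account, old_password: str, new_password: str,
                    now: datetime) -> Tuple[bool, str]:
    """Decide whether a user-initiated change is allowed. Returns (allowed, reason)."""
    if not acct.history:
        return False, "account has no password set"
    salt, digest = acct.history[0]
    if not hmac.compare_digest(hash_password(old_password, salt), digest):
        return False, "current password incorrect"
    if acct.last_changed is not None and now - acct.last_changed < MIN_AGE:
        return False, "minimum password age not reached"
    if len(new_password) < MIN_LENGTH:
        return False, "password too short"
    core = normalize(new_password)
    # Composition rules alone let "Password1!" through; comparing cores does not.
    if core == normalize(old_password):
        return False, "new password is a trivial variation of the old one"
    if not core or core in COMMON_CORES:
        return False, "password is built on a common word"
    for salt, digest in acct.history:
        if hmac.compare_digest(hash_password(new_password, salt), digest):
            return False, "password reused from history"
    return True, "ok"
```

With HISTORY_DEPTH of 5 and a one-day minimum age, the favorite password comes back on day six, which is why expiration and history have to be paired with the awareness work the post describes rather than relied on alone.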

How to handle "I want to be a security guy" with an easy assignment

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/6gQIEf5LNoM/how-to-handle-i-want-to-be-security-guy.html

As the manager of a security team I’m often approached by technologists who are interested in information security. Their reasons range from a long term interest in the subject to those who simply want a change of pace, or think that the grass may just be greener in infosec.

Over the years I’ve developed a simple list of things that I tell people who express an interest:

1. Get a copy of Hacking Exposed. Anything recent will do, and a good alternative is Counter Hack Reloaded.
2. Skim the book, and read anything that catches your eye. Don’t try to read it cover to cover, unless you really find that you want to.
3. Come back and talk to me once you’ve done that, and we’ll talk about what you found interesting.

It’s a very simple process – but I’ve found it immensely valuable. Those who are really interested, and who will put the time into the effort, will buy the book, and will come back with questions and comments. A certain percentage will get the book and will realize that information security isn’t really what they want to do, or they will realize that they need or want to know more before they tackle a career in security. A final group are interested, but not enough to take the step to follow up.

Once you have an interested candidate, the conversation or conversations that you can have next are far more interesting. Hopefully, you’ve read the book yourself, as you’ll be answering questions, and often providing references to deeper resources on the topics that interest them.

Favorite resources for follow-up activities include:

- OWASP – particularly WebGoat and Mutillidae
- Investigation of vulnerability scanners like Nikto and Nessus
- Exploration of tools like Metasploit and the BeEF browser exploitation framework using DVL or a similar vulnerable OS
- SANS courses like SANS 401 and 501

A whole range of options exists once you start to have the conversation – but you’re certain you’re having the conversation with someone who is interested enough to follow up, and who has helped you identify what they’ll have some passion for.

What does the LastPass security breach mean?

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/djEsxW7nEv0/what-does-lastpass-security-breach-mean.html

Most people in the security world – and many Internet users – have read over the past two weeks about the possible exposure of LastPass’s password database. Since LastPass (which I’ve written about before) is a cloud password management tool, this was a major cause for concern: despite the fact that the passwords were salted – which would make them harder to figure out – many users still use poor passwords which could be easily retrieved.

The good news is that LastPass did a lot of things right, starting with their first blog post: “We noticed an issue yesterday and wanted to alert you to it. As a precaution, we’re also forcing you to change your master password.” They went on to explain why they were worried: “we saw a network traffic anomaly for a few minutes from one of our non-critical machines” and “we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)”.

They explained what this might mean: “We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users’ encrypted data blobs.”

Best of all, they then explained who might be in danger: “If you have a strong, non-dictionary based password or pass phrase, this shouldn’t impact you – the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that’s immune to brute forcing.”

They even note that they’re not sure that the whole thing is an actual issue – but that they want to do the right thing: “We realize this may be an overreaction and we apologize for the disruption this will cause, but we’d rather be paranoid and slightly inconvenience you than to be even more sorry later.”

Since then, LastPass has done a lot more things right, and they’ve described it on their blog. They’ve done everything from providing frequent updates to trying to make sure that any future issues are handled properly. They’ve analyzed the mistakes they’ve made, have acted to correct them, and have implemented a number of improvements to their infrastructure, design, and their overall processes.

Some of the things that I’m happiest to see are:

- They have engaged third-party code reviewers and have committed to doing several reviews per year and sharing the results of the reviews.
- They are soliciting community feedback at https://lastpass.com/support_security.php
- They’ve split their infrastructure to keep back end systems away from their production service systems.
- They’ve created a bastion host log server.

To enterprise security folks, these will all look like normal best practices, and they are – but the fact that the folks at LastPass learned, and learned quickly, is a great sign.

So, if you’re a LastPass user, should you be worried? The answer is…probably not. While storing passwords in the cloud has some innate security risk, their reaction to the event had all the things I would want to see, and their basic technology not only appears well founded, but it also continues to get better. For now, my recommendation remains the same: if you’re interested in cloud based password storage, LastPass is a good choice – and it appears that it will continue to improve. Regardless of what you use for password storage, a good master password is critical.

If you’re not comfortable with a solution like LastPass, Password Safe and similar solutions can still be kept in the cloud – you just need to keep a client handy to access them once you retrieve the encrypted file.

BP Loses Personal Data

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/SR0ZsOW6_t0/bp-loses-personal-data.html

The AP and other news sources are reporting that BP lost a laptop containing the personal information of 13,000 people who applied for compensation for damages. The laptop was unencrypted, but was password protected. BP has sent notification letters to those affected.

This is just another reminder that laptop encryption makes life easier…and may even cost less than notification letters!

Messages from the (purported) Comodo Hacker

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/fEEytgsfT1w/messages-from-purported-comodo-hacker.html

The purported Comodo hacker has posted a number of documents on pastebin. The hacker claims to have used API access to generate the certificates mentioned in

Comodo has also recently announced that two additional resellers were also breached.

The documents are well worth a read to understand how web based infrastructure services might be breached, and where we might expect to see attacks in the future. API accessibility and vulnerable servers make for a nasty combination when a trust based infrastructure is in play.

Anatomy of a Scam – Secret Shoppers

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/7r6fHv6xQN0/anatomy-of-scam-secret-shoppers.html

Here’s a recent example of a secret shopper scam. Like many scams, this one attempts to lure people who think that accidentally receiving a secret shopper invitation is a way to free money. In the end, it is merely an attempt at identity theft – though it may also involve a fee scam as well!

If the recipient bothers to check who it is from, it purports to come from Dow Chemical, with an email address that is [email protected], with a cc to [email protected] The hsbrv.net domain points back to a Betty Prevo, with an email address listing [email protected] That sounds suspiciously like our david212 address as well. The whois results are below:

Administrative Contact: Prevo, Betty [email protected]
1368 X W. Estes Ave
Chicago, Illinois 60626
United States

For those who are interested, that address points to an apartment building in Chicago. Interestingly, Betty Prevo apparently exists and does live in that area in Chicago, but she’d probably be interested to find out that she’s running various domains. Blumail? Well, it’s a free email service that, “provides global e-mail accounts, educational content, employment needs, entrepreneurship, networking, story / experience sharing, mentoring and volunteering opportunities to youth and others who are coming online in developing countries.” In this case? It’s a great place for a scammer to get free email hosting. It’s also a well known 419 scam domain. Blumail is a legitimate service, unlike the hsbrv.net domain we first looked at.

Now, the actual scam letter:

Hello there, My Name is David Anderson and I am your group regional Instructor from within the USA. Henceforth you will be working with me on the completion of your Mystery Shopper’s Position application. Like you already know, your weekly per assignment is $300:00 Flat for working with us and will come in payments of $300 each per assignment you complete for the company.

Note that the name actually somewhat matches the email address – that’s often a missed detail for our scammers.

PAYMENT TERMS: Your payment would be sent ($300) per assignment , Also the company is in charge of providing you with all expense money for the shopping and other expenses incurred during the course of your assignment. All the tools you will needing would be provided to you with details every week you have an assignment.

JOB Description :
1} When an assignment is given to you,You would be provided with details to execute the assignment and in a timely fashion.
2} You would be asked to visit a company or store in your area and they are mostly our competitors as a secret shopper and shop with them to know more about their sales and stock , cost sales and more details as provided by the company then report back to us with details of whatever transpired a the store. But anything you buy at the shop belongs to you,all we want is an effective/quick job and reports.

Free money, and what sounds like a somewhat reasonable reason why the company would want you to do this. The grammar is even better than most letters of this type.

ASSIGNMENT PACKET : Before any assignment we would provide you with the resources needed {cash} Mostly our company would send you a check which you can cash and use for the assignment. Included to the check would be your assignment packet . Then we would be providing you details on here. But you follow every single information given to you as a secret shopper .

It starts to fall apart here with lines like “Then we would be providing you details on here”.

And now for the meat of the scam:

KINDLY RECONFIRM YOUR INFORMATION BELOW TO PROCEED ON FIRST ASSIGNMENT:
Full Legal Name :
Full Physical Address :
City :
State :
Zip code :
Age:
Nationality :
Home and Cell # :
Present Occupation:
Email:
Thank you for reading. Yours sincerely.
Contact Person: David Anderson
Time: 24 Hours daily by e-mail

And that’s the anatomy of a secret shopper scam. A simple way to hook the gullible into providing details for identity theft.
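The three tells walked through above (a display name that claims a company the sending domain does not match, a reply path on free webmail, and a block of identity fields to "reconfirm") can be checked mechanically. The following is an added example, not code from the post: the message is a constructed sample modelled on the letter, the addresses in it are made up, and the blumail.org domain and the free-mail list are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the letter above; addresses are invented.
SAMPLE = """\
From: Dow Chemical <david212@hsbrv.net>
Cc: david212@blumail.org
Subject: Mystery Shopper's Position

Hello there, My Name is David Anderson and I am your group regional Instructor.
KINDLY RECONFIRM YOUR INFORMATION BELOW TO PROCEED ON FIRST ASSIGNMENT:
Full Legal Name :
Full Physical Address :
Zip code :
Age:
Nationality :
Home and Cell # :
Present Occupation:
"""

# Free webmail domains (assumed list; blumail.org is the assumed domain for Blumail).
FREEMAIL_DOMAINS = {"blumail.org", "gmail.com", "yahoo.com", "hotmail.com"}
# Field prompts from the letter; a cluster of them is the identity-theft tell.
PII_PROMPTS = ["full legal name", "physical address", "zip code", "age:",
               "nationality", "cell #", "occupation"]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def scam_indicators(raw):
    """Return the indicators found in one RFC 822 message (empty list = none)."""
    msg = message_from_string(raw)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    dom = domain_of(addr)
    # 1. Display name names an organisation, but no word of it appears in the domain.
    words = [w.lower() for w in re.findall(r"[A-Za-z]{3,}", name)]
    if words and not any(w in dom for w in words):
        found.append(f"sender name '{name}' does not match domain '{dom}'")
    # 2. The reply path (Cc or Reply-To) lands on a free webmail account.
    for hdr in ("Cc", "Reply-To"):
        for _, a in getaddresses(msg.get_all(hdr, [])):
            if domain_of(a) in FREEMAIL_DOMAINS:
                found.append(f"{hdr} goes to free mail domain {domain_of(a)}")
    # 3. The body solicits a cluster of identity fields.
    hits = [p for p in PII_PROMPTS if p in msg.get_payload().lower()]
    if len(hits) >= 3:
        found.append(f"requests {len(hits)} identity fields: {', '.join(hits)}")
    return found
```

Run against the sample it reports all three indicators; a message whose display name matches its domain and whose body asks for nothing reports none.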

RSA Hacked – SecurID Information Exposed

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/854QQfuo-NI/rsa-hacked-securid-information-exposed.html

EMC’s RSA division announced that they had been hacked and it appears that they’re doing the right thing for their customers by telling them. From their announcement:

“Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

If you’re a current SecurID customer, you’ll likely want to keep track of this as further detail is released. RSA notes that they expect to release details to the community:

“As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.”

I’ll post further detail as it becomes available.
