
Tuesday, May 1, 2012


The Canadians know how to write a law.  Here in the States we have one law for phone marketing, another for fax marketing and another for email marketing.  The Canadian way does not encompass all forms of marketing, but it should, and it is a good start.  These days e-mail is almost rendered useless by spam.
Here is how the Canadians do it, via ITBusinessEdge online:
"The Canadian government passed CASL in December 2010 to establish a regulatory framework for permission-based marketing, including email marketing, social media marketing, text, and other electronic messaging. This framework will protect electronic commerce in Canada, deter damaging and deceptive forms of spam, such as identity theft, phishing and spyware, and drive out spammers."


Enforcement is the defining issue.  We shall see.

Thursday, April 26, 2012


Identifying a Phishing Message
http://www.itbusinessedge.com/slideshows/show.aspx?c=94496&slide=1
Good advice here.  If even one of these is present in an email you receive, be suspicious; if several are, be very suspicious.  Italics below are mine... Thomas

Does the email contain information obtainable from social web sites ( Facebook, Twitter, etc. )?

The dizzying amount of information being loaded into social networking sites makes it trivial for an attacker to use them as a source of information to craft a spear phishing message or to gain a victim's trust. With this in mind, private information should always be regarded as belonging to the public domain once it can be found on social networking sites such as Facebook or Twitter. Indeed, a woman in Singapore was arrested recently for allegedly cheating victims of thousands of dollars by masquerading as their cousin. All her information — including their contact number and the names of their real-life cousins — was apparently obtained from Facebook accounts.

Is there a web link in the email ?

One predominant objective of hackers entails the loading of malware or Trojans onto their target's PC. Given that executable files are typically blocked in email attachments these days, black hats have evolved their techniques to either trick their victims into downloading the malware over the Internet, or directing them to visit a specially crafted website loaded with a browser exploit. To protect yourself from such scenarios, you should almost never click on a URL link unless it is from a reputable site, and even so you should usually type in the URL manually.
Or get it from your Favorites/Bookmarks if you have it there.


Does the email reference a recent event ?

Major news events such as large-scale catastrophes or the death of celebrities are quickly followed by a wave of phishing messages touting the same news events in their subject lines or email body. No doubt, phishers are hoping that confused or overeager users will let their guard down and click on their proffered URL links in their haste for more information. Hence, be on your guard when you see an email that refers to a current news event.
Also note who the email is from.


Does the email have a tone/language a known friend/colleague would use ?

It is trivial for hackers to collect the email addresses and names of colleagues and friends. Larger companies typically publish their staff information on the Internet, while simple social engineering methods could be used to glean details such as the name of one's immediate supervisor or colleagues. The guideline here is to filter such messages based on what we know of the purported senders and how they typically write. Getting a curt "Check out this link" email from a normally verbose colleague or a "Nice babes" from a female boss should set alarm bells ringing.
Phishers also hijack contact lists from online web mail sites (Yahoo, for example, which has been happening quite a bit lately), then pose as the owner of the contacts, i.e., your friend or associate.


Is the email pushing for an immediate response ?

Phishers want their victims to respond immediately, or soon after reading their phishing message. This prevents them from checking with more knowledgeable colleagues, or to otherwise wise up to the trickery. It is for this reason that a message demanding an immediate response deserves a far greater dose of skepticism, and should hence be scrutinized more carefully.
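The five questions above are a checklist a person runs in their head. They can also be run by a script, which is how a mail filter or a help-desk triage tool would apply them. The Python below is an added example written for this post, not code from the slideshow or from ITBusinessEdge. It scores a message against the checklist: is there a link (and is it to a host we already trust), does it borrow a news-event lure, does it push for an immediate response, and does the sender's address and tone match what we know about that contact. The contact profile, the trusted-host list, the phrase lists and the two sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Phrase lists are assumptions for this example; a real filter would tune them.
URGENCY_PHRASES = (
    "immediately", "urgent", "within 24 hours", "act now",
    "will be suspended", "respond today", "final notice",
)
# Keywords a phisher would borrow from a current news story (assumed list).
NEWS_LURE_PHRASES = (
    "breaking news", "earthquake", "tsunami", "celebrity", "death of",
    "exclusive footage", "hurricane",
)
URL_RE = re.compile(r"https?://([^\s/]+)[^\s]*", re.IGNORECASE)


@dataclass
class Contact:
    """What we know about a real correspondent: their address and how they write."""
    name: str
    address: str
    typical_words: int  # average length of their messages, in words


@dataclass
class Message:
    from_name: str
    from_addr: str
    subject: str
    body: str


def extract_hosts(text):
    """Return the lower-cased host part of every http(s) URL in the text."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def phishing_flags(msg, contacts, trusted_hosts=()):
    """Return the list of red flags the checklist raises for one message."""
    flags = []
    text = f"{msg.subject}\n{msg.body}".lower()
    words = len(msg.body.split())

    # 1. Web link present, and not to a host we already trust.
    hosts = extract_hosts(msg.body)
    if hosts:
        flags.append("contains_link")
        if any(h not in trusted_hosts for h in hosts):
            flags.append("link_to_untrusted_host")

    # 2. References a current news event.
    if any(p in text for p in NEWS_LURE_PHRASES):
        flags.append("news_event_lure")

    # 3. Pushes for an immediate response.
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency")

    # 4. Claims to be a known contact: do the address and the tone match?
    known = next((c for c in contacts if c.name.lower() == msg.from_name.lower()), None)
    if known is not None:
        if known.address.lower() != msg.from_addr.lower():
            flags.append("sender_address_mismatch")
        # A curt note from a normally verbose correspondent is out of character.
        if known.typical_words >= 60 and words < 12:
            flags.append("tone_mismatch")
    return flags


# Constructed contact profile and sample messages (names, addresses and
# domains are made up for this example).
CONTACTS = [Contact("Alice Example", "alice@corp.example", typical_words=120)]
TRUSTED_HOSTS = ("intranet.corp.example",)

PHISH = Message(
    from_name="Alice Example",
    from_addr="alice.example@mail-example.net",  # look-alike, not her real address
    subject="Breaking news - check out this link",
    body="Check out this link immediately: http://news-update.example.net/video",
)
BENIGN = Message(
    from_name="Alice Example",
    from_addr="alice@corp.example",
    subject="Q2 budget draft",
    body=("Hi, attached are my notes from the budget meeting. " * 8)
    + "The slides are on http://intranet.corp.example/q2 when you get a chance.",
)

if __name__ == "__main__":
    for label, m in (("phish", PHISH), ("benign", BENIGN)):
        print(label, phishing_flags(m, CONTACTS, TRUSTED_HOSTS))
```

The benign note still raises "contains_link", which is the point of the checklist: one flag is a reason to look, several together are a reason to pick up the phone and ask the sender.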

Wednesday, April 11, 2012

Free Apps Kill Smartphone Battery Life

http://www.cio.com/article/703714/Free_Apps_Kill_Smartphone_Battery_Life?page=1&taxonomyId=3067

Network World — Those free apps like Angry Birds, Instagram and Tiny Wings may be loads of fun, but they suck the battery life out of your smartphone by tracking your geographical location, sending information about you to advertisers and downloading ads.
....
The researchers' findings show that 65% to 75% of the energy used to run free apps is spent for advertising-related functions. The free Angry Birds app, for example, was shown to consume about 75% of its power running "advertisement modules" in the software code and only about 25% for actually playing the game. The modules perform marketing functions such as sharing user information and downloading ads, according to the researchers.
....
"A particular source of power inefficiency is a phenomenon called 'tails.' In principle, after an application sends information to the Internet, the 'networking unit' that allows the phone to connect to the Internet should go to a lower power state within a fraction of a second. However, researchers found that after the advertising-related modules finish using the network, the networking unit continues draining power for about seven seconds. The tails are a phenomenon of several smartphone hardware components, including 3G, or third-generation wireless systems, GPS and Wi-Fi, not flaws within the app software itself. However, software developers could sidestep the problem by modifying apps to minimize the effect of tails," Hu said.
....
"Today, energy is the single most important factor plaguing smartphones. Modern smartphones come with faster processors, latest sensors, incredible screen resolutions, faster network connectivity, and as such these factors together contribute to the ability of the smartphone to consume energy at much faster rate than the ability to produce/store energy, i.e., the battery capacity. For example, the CPU performance over the last 15 years has grown by 246 times while the battery energy density has only doubled during the same period," wrote Abhinav Pathak, a Purdue doctoral student who was part of the research team.
....

Friday, March 30, 2012

The Supreme Health Care Debate

I am going to do something here that I normally prefer not to do publicly, dive into a heated political debate.  Actually I am using a Washington Post editorial to do the talking because it comes closest to how I feel about this issue.  With that said, here are the excerpts that I believe best summarize the key issues. ..... Thomas


The Supreme Health Care Debate ( my title .... Thomas )
via The Washington Post, Editorial
http://www.washingtonpost.com/opinions/the-supreme-courts-civics-lesson/2012/03/29/gIQASfdZjS_story.html?wpisrc=nl_cuzheads

Civics lessons from the Supreme Court ( their title, my bolds )
By Editorial Board, Published: March 29


"...the Supreme Court this week ...  treated to a challenging civics lesson on federalism, liberty and the limits and potential of government authority. Three points in particular struck us.
....
[ first ]...We share in the disappointment that the justices on both sides of their ideological divide are, for the most part, so predictable. That’s not, in the ideal world, how judging is supposed to work. But we also think there’s a kind of cynicism, or at least intellectual laziness, in asserting that this is an easy or obvious call — that no justice could possibly strike down the mandate out of honest, reasoned conviction. ...it’s not an easy question.
....
...The health-care market is different from all others because virtually everyone, like it or not, will become entangled in it. ...The government, already deeply involved in regulating the health-care market, has a legitimate interest in encouraging you to prepare for such an eventuality.
....
second point — the idea that no American should go without health care, and that society as a whole should be willing to pitch in toward that end, strikes us as much more of a slam-dunk.
....
...Congress could have created a system of incentives to draw in young, healthy people. Or it could have enacted a broadly based tax to pay for the health care it wants to subsidize.

It didn’t — and this brings us to the third point — for a couple of reasons. One was that reform advocates didn’t seriously entertain the constitutional vulnerability of the mandate. But the bigger reason is a more familiar one in Washington these days: None of the politicians wanted to acknowledge the costs.
....
But you can’t get something for nothing, not even something as noble as universal health-care coverage."

Many people are saying this is win or lose.  I disagree.  What we have done is put the issue on the table.  All parties, political, individual and financial, have been served notice that something must be done about the issue before it devours us all.   .... Thomas

Thursday, March 29, 2012

Is That Healthcare Website Making You Sick?

http://www.informationweek.com/news/galleries/healthcare/patient/232700416?pgno=1

A good slide-show article on what a good health-related web site should do to substantiate its claims, plus a couple of corroborating sites to verify against. .... Thomas

National Center for Complementary and Alternative Medicine
http://nccam.nih.gov/
The fact that alternative medicine websites vary in quality shouldn't discourage you from investigating the field of CAM (complementary alternative medicine). The National Center for Complementary and Alternative Medicine (NCCAM) takes a balanced, objective approach to the subject, posting both positive and negative reports on herb therapy, nutritional supplements, and a variety of other natural remedies.
What separates this site from less credible ones is the quality of the evidence. The website recently reported on a study that found meditation done over an 8-week period reduces the severity of irritable bowel syndrome symptoms in women. This study, for instance, was carefully controlled to rule out other contributing factors that may have influenced symptoms, and it was published in a respected medical journal--The American Journal of Gastroenterology--which means it first had to go through a review by skeptical scientists who would have rejected it if it hadn't met high standards.

WebMD
http://www.webmd.com/
Contrast Sensa's discussion about weight loss to WebMD's balanced approach. The article on weight-loss supplements pictured above presents the pros and cons in plain English so you can make an informed decision.
For instance, here's an excerpt from the site's discussion of green tea: "Although [the nutritionist Toby] Smithson cautions that there are not enough human studies to prove the effectiveness of green tea extract as a weight-loss supplement, she tells WebMD '...there is some thought that regular consumption may promote weight loss by adjusting resting energy usage and increasing the use of energy.' "
The language here is optimistic but cautious. It suggests that some experiments might support the use of green tea for weight loss, but it's also clear that there's not enough human data to prove its effectiveness.
It's also important to understand the difference between animal versus human research. As you look through health-related web sites, you'll likely find many claims of product success based on "solid scientific evidence published in respected journals." But often the research has been done using only mice. That's hardly proof that the same results will occur in people.
WebMD also earns points for including a list of sources at the end of the article, so users can do their own research on the credibility of the reports cited.

ConsumerLab.com
http://www.consumerlab.com/
The web is full of articles about the benefits of nutritional supplements, and there's good research to suggest some of these supplements can in fact help prevent and treat certain diseases. But many consumers wonder about the quality of the specific brands that they see in the supermarket or online. Does that tablet actually contain 500 mg of vitamin E as listed on the label? Are there any unsafe contaminants in that calcium pill? At least one website can help answer these questions.
ConsumerLab.com does disintegration analysis on numerous products to determine whether they actually dissolve once they enter a person's digestive system or pass through whole. It also contracts with independent laboratories that perform a variety of other tests to verify that the dosage on the label is accurate, for instance, or to check for lead contamination.
One recent analysis of Omega-3 fatty acid supplements reported on the site found quality problems with 7 out of 24 products. Problems included a product with less Omega-3 fatty acids than cited on the label, a children's fish oil formula that was spoiled when purchased, and an enteric-coated fish oil soft-gel that released its oil too early. (Enteric coating prevents a capsule from breaking down until it reaches the small intestine.)

ClinicalTrials.gov
http://clinicaltrials.gov/
Most physicians are much too busy to keep up with all the latest medical research and innovations, and even their online reference tools can sometimes be outdated or too narrowly focused to cover every patient's unique situation. Unfortunately, some clinicians can also be quick to dismiss potentially helpful therapies that are unfamiliar. If your doctor has exhausted all treatment options and you're still suffering, perhaps it's time to think about looking for a clinical trial.
The federal government keeps an online database called clinicaltrials.gov, which lists federally and privately supported clinical trials conducted in the United States and around the world. It provides information about each trial, including its purpose, who may participate, locations, and phone numbers for more details. The site, however, also cautions: "This information should be used in conjunction with advice from health care professionals."
A search for trials for patients suffering from fibromyalgia--a mysterious disorder that causes musculoskeletal pain, fatigue, and localized tenderness--revealed several studies testing the value of acupuncture, and another study examining whether vaccinations play a role.

Medical Library Association
http://caphis.mlanet.org/consumer/
Evaluating medical websites can be a full-time occupation. Fortunately, there are information professionals who are up to the task. CAPHIS, the Consumer and Patient Health Information Section of the Medical Library Association, puts out a useful list of trustworthy health websites and categorizes them by specialty, including women's and men's health, parenting and kids, drug information, and senior health.

Health on the Net Foundation
http://www.hon.ch/HONcode/Conduct.html
The Health on the Net Foundation outlines 8 attributes that a health-related website should include to be considered trustworthy. Sites that follow this "code of honor" can qualify for the foundation's seal of approval, indicated by the HONcode icon on certified sites.
To qualify, a website must be authoritative and maintain complementarity, which means the information should support and not replace the relationship you have with your doctor. The site should also provide attributions for the statements it posts. A page on the site puts it this way: "Where appropriate, information contained on this site will be supported by clear references to source data and, where possible, have specific HTML links to that data. The date when a clinical page was last modified will be clearly displayed..."
Other criteria to earn the HONcode icon: financial disclosures should be provided to identify any funding sources; advertising and editorial content should be separate and clearly marked. And perhaps the most important requirement is something the foundation calls justifiability: "Any claims relating to the benefits/performance of a specific treatment, commercial product, or service will be supported by appropriate, balanced evidence..."

Tuesday, March 27, 2012

Why Hackers Set Their Sights on Small Businesses

CSO Security and Risk Online, March 22, 2012
http://www.csoonline.com/article/print/702672
....
"SMBs [Small and Medium Businesses] don't know how defenseless they've become, especially to automated and industrialized attack methodologies by organized crime," Christopher Porter tells PCWorld. Porter, a principal with the Verizon RISK Team, is the author of a new report from Verizon on security risk.
....
"[Hackers] scan the Internet, looking for remote access services, and then try the default credentials. Once they gain access, they automatically install keyloggers to collect password information [as it's typed in],..."

"...they'll target point-of-sale systems [POS], as four Romanians did recently. That kind of attack is increasing, because they're low-risk and low-cost attacks for organized crime."
....
But if small businesses are increasingly vulnerable, Porter characterized the tactics they should employ in response as "quite simple."

"If you have a point-of-sale system, make sure to change the password from the default it came with. It shouldn't be microsmicros or alohaaloha," he says, citing two common POS systems. "The problem is that when small businesses think about their POS system, they worry about whether it's going to be available when they sell the shirt or charge for the burger," Porter says. "They're not worried about confidentiality. They're worried about margins."

Verizon's Fifth Annual Data Breach Report

The fifth-annual Verizon 2012 Data Breach Investigations Report, produced in conjunction with the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the London Metropolitan Police's cybercrime unit, reveals seventy-nine percent of attacks represented in the report were opportunistic.

Of all the attacks the report studied, it found 96 percent were not difficult to achieve and 97 percent were avoidable, "without the need for organizations to resort to difficult or expensive countermeasures."

What does the Verizon report recommend small businesses do? The report cites three simple things:

  • Use a firewall. Install and maintain a firewall on Internet-facing services to protect data. Hackers cannot steal what they cannot reach.

  • Change default credentials. Point-of-sale (POS) and other systems come with pre-set credentials. Change the credentials to prevent unauthorized access.

  • Monitor third parties. Third parties often manage firewalls and POS systems. Organizations should monitor these vendors to ensure they have implemented the above security recommendations, where applicable.

In addition, Porter recommends some other simple steps:

  • Educate your staff, especially in regard to social phishing. "Set up policies, and then make sure they're being followed. The weakest link in security will always be the carbon-based life form."

  • Follow through on what you've bought. "Businesses spend a lot of money on security technology, but then they don't configure them properly, or ignore the reports. A well-tuned intrusion detection system that's tailored to your environment is a powerful tool for finding hacking incidents on the network."

  • Think about security frequently, not just when you're being audited. "Check the logs of your Windows OS system, your POS system, and your security software." If that represents too big a time commitment, then hire someone to do it. Don't ignore them.

Porter stresses that, in most cases, these infiltrations are targets of opportunity. If small business follows the simple procedures outlined, they're less likely to be targeted. "The criminals will pass right by you."
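Porter's advice to "check the logs of your Windows OS system, your POS system, and your security software" is the one step above that most small shops skip, and the attack pattern he describes, scanning for remote access services and trying default credentials, leaves a very recognizable trail in those logs. The Python below is an added example written for this post, not code from Verizon, CSO or the report. It reads a small, constructed export of Windows Security log events (the CSV layout, the host names and the addresses are assumptions for the example), counts failed remote logons (event 4625, logon type 3 or 10) per source address inside a time window, and escalates when the same source then logs on successfully (event 4624), which is what a guessed default password looks like from the inside.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log events exported as CSV:
# timestamp, event id, host, account, source IP, logon type.
# The lines, hosts and addresses are made up for this example.
SAMPLE_EVENTS = """\
2012-03-20 02:14:07,4625,POS01,administrator,203.0.113.5,10
2012-03-20 02:14:09,4625,POS01,administrator,203.0.113.5,10
2012-03-20 02:14:11,4625,POS01,admin,203.0.113.5,10
2012-03-20 02:14:13,4625,POS01,pos,203.0.113.5,10
2012-03-20 02:14:15,4625,POS01,administrator,203.0.113.5,10
2012-03-20 02:14:18,4624,POS01,administrator,203.0.113.5,10
2012-03-20 08:55:02,4625,OFFICE-PC,jsmith,192.168.1.20,2
2012-03-20 08:55:40,4624,OFFICE-PC,jsmith,192.168.1.20,2
"""

FAILED_LOGON = "4625"          # Windows: an account failed to log on
SUCCESS_LOGON = "4624"         # Windows: an account was successfully logged on
REMOTE_LOGON_TYPES = {"3", "10"}  # network and RemoteInteractive (RDP)
THRESHOLD = 5                  # failures from one source before we alert
WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse the CSV export into a list of dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, host, account, source, logon_type = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id, "host": host, "account": account,
            "source": source, "logon_type": logon_type,
        })
    return events


def find_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for sources with >= threshold remote failed logons inside
    `window` against one host, and escalate when that source then succeeds."""
    alerts = []
    failures = defaultdict(list)  # (host, source) -> timestamps of recent failures
    flagged = set()               # (host, source) pairs already alerted on
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue  # local console logons are not the pattern we are hunting
        key = (ev["host"], ev["source"])
        if ev["event_id"] == FAILED_LOGON:
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            failures[key] = recent
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("brute_force", ev["host"], ev["source"], len(recent)))
        elif ev["event_id"] == SUCCESS_LOGON and key in flagged:
            # A success from a source that was just guessing is the real alarm.
            alerts.append(("success_after_brute_force", ev["host"],
                           ev["source"], ev["account"]))
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The office PC's single failed logon is ignored twice over: it is a local (type 2) logon and it never reaches the threshold. The POS host, by contrast, produces both alerts, and the second one is the call to pull that machine off the network and change the credential it shipped with.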
---------------------------------------------------------
Also, in a related article:
http://www.csoonline.com/article/print/702667

...hackers used relatively simple methods in more than 90% of data breaches in 2011...
...in a vast majority of attacks (80%), hackers hit victims of opportunity rather than companies they sought out. ...
....
...based on the investigations into more than 850 data breaches. ...
....
Data breach victims and security vendors generally tend to describe attacks as highly sophisticated and involving a great deal of expertise on the part of hackers.

The Verizon report though shows a far more mundane reality.
....
Very often, the companies breached had no firewalls, had ports open to the Internet or used default or easily guessable passwords, said Marc Spitler, a Verizon security analyst.
....
-----------------------------------------------------------------
I could add some smart comment here but it would just be redundant of what the article states. Ok, I will say it anyway. Simple steps will go a long way. Now that we are on the Internet, the bad guys have 24/7/365 to get in. Be aware, do something. .....Thomas

Monday, March 12, 2012

Ransomware Spreading into U.S.....

Via http://www.csoonline.com/article/701938/ransom-trojans-spreading-beyond-russian-heartland?source=CSONLE_nlt_techwatch_2012-03-12

Ransom Trojans spreading beyond Russian heartland
....
Ransomware is really the ultimate form of social engineering malware in that people are invited to agree to defraud themselves. The trick is to get people to believe there is no alternative to agreeing to their malware's terms.

After existing at very low levels for years, ransom attacks suddenly started to spike in mid-2010, examples of which include an attack in which Windows users were accused of running a counterfeit version of the OS and asked for a $143 (£91) payment.

Trend itself reported on a worm that used the more common tactic of locking the PCs of victims (the exact method varies in severity from example to example but is often relatively trivial), demanding a small payment to have control returned.

Closer to home, a ransom Trojan affecting UK users impersonated the Metropolitan Police in order to persuade users that porn had been detected on their computers, requiring a payment to be made. Versions of this scam have appeared in almost every European country.

Trend comes up with two explanations for the form's growing popularity among criminals, the biggest of which is the recent disruption of the industry behind fake antivirus scams. This has sent developers to new types of attack that can make use of payment channels less dependent on credit cards, which create an evidence trail.

"Ukash and Paysafecard are widely used online payment methods that do not require personal details. Such level of anonymity has naturally earned the attention of cybercriminals and, as we can see, is now being abused for the ransomware business," said Trend threat engineer, Roland Dela Paz.
---------------------------
Ukash and Paysafecard are of European origin. What will they use in the States? PayPal?

Don't trust your e-mail. Thomas