Thursday, October 4, 2018

Recent Facebook Data Breach


The recent data breach at Facebook highlights how important it is for everyone to know how to minimize the risk of cyber threats and how to respond if your personal data may have been compromised.
On Friday, it was reported that approximately 50 million Facebook user accounts were impacted by a data breach. Facebook did not indicate if any user information was accessed.
The Office of Consumer Protection recommends the following best practices for consumers who use social media:
• Change your password regularly, and always use a strong password.
• When available, use two-factor authentication for login.
• Refrain from using any automatic sign-in functions/features of social media accounts and applications.
• Monitor your privacy settings and adjust as needed.
• Remove birth dates, addresses, and phone numbers from your account information.
• Carefully consider the information you post, recognizing that in the event of a data breach, it could end up in the hands of people intent upon stealing your identity or conducting other malicious activities.

Scammers who obtain the personal information of others may try to open new accounts or extort money from their victims. According to the Office of Consumer Protection, there are several options for people to monitor their credit and keep their identities safe, including:
• Don’t pay a ransom. Paying a ransom is an ineffective way of handling the exposure of your personal information. It’s best to focus on proactively securing your identity.
• Consider a free security freeze. A security freeze allows you to “lock up” your credit information so no one can access it without your permission. A freeze prevents a thief from taking out a new mortgage, applying for a credit card, or getting financing with your identity. When you “freeze” your credit, it stays frozen for as long as you’d like – until you can comfortably “thaw” it once again.
• Place a fraud alert on your credit. Fraud alerts are a special message you can place on your credit report. The alert tells credit issuers there may be fraudulent activity on an account. Fraud alerts last for 90 days; although they won’t stop a scammer from being issued new credit, they can slow them down.
• Request a free credit report annually. Reviewing your credit report is a great way to check for unauthorized activity. Visit www.annualcreditreport.com or call 1-877-322-8228 to request your free annual report.
• Credit monitoring services offer additional protection. Credit monitoring services track changes in your behavior and send you notifications about your credit score and potential fraud. These services typically cost between $10 and $30 per month.


Tuesday, March 13, 2018

Spectre & Meltdown - What you should know



Security researchers revealed two more major software vulnerabilities that, in one way or another, affect just about anything with a processor. The flaws, called “Spectre” and “Meltdown,” can potentially allow hackers to steal encrypted passwords as you type them in. If Spectre has you spooked, read on to learn more about these vulnerabilities and what’s being done to fix them.

What are Spectre and Meltdown?
Both Spectre and Meltdown refer to variants of the same vulnerabilities, all of which many researchers are considering catastrophic due to their widespread nature. And, they’ve been given names to match the extent of their impact. Spectre refers to a root cause, or to something that is difficult to fix (and will haunt us for years to come!). Meltdown is used to describe the “melting of the security boundaries” that is occurring, since the bugs make the usual protections from hardware unenforceable.

The vulnerability was originally thought to only impact Intel chipsets. However, it’s far more complex and widespread: nearly all systems are affected, from desktops and laptops to mobile devices, across Intel, AMD and ARM processors. All memory data from running apps is potentially vulnerable: password managers, photos, documents and more. As one researcher told ZDNet, “an attacker might be able to steal any data on the system.”
Essentially, each vulnerability is a security flaw in nearly every processor built in the last 20 years. This means a vast number of systems – all those built with Intel, ARM, or AMD processors – will require a security update. The bug itself is linked to how regular apps and programs “discover the contents of protected kernel memory areas.” In operating systems, the kernel acts as the core component, tying together applications and data processing, memory and hardware. The flaw in the affected processors may allow hackers to maneuver around the processor’s kernel access protections, making the contents of the kernel’s memory vulnerable.

Just how bad is it?
The initial focus of the patches has been on personal devices. Numerous patches are already available, but researchers are still investigating the effect Spectre may have on cloud services, where several organizations are sharing the same resources. There’s been some speculation about data vulnerabilities, where one cloud tenant may be able to access the data of another.
Consider the impact, across the cloud, with privilege escalation. The reality is, data could be stolen in any instance where tenants share the same chip in services such as Amazon Web Services (AWS) or the Google Cloud. Small to mid-size organizations are especially vulnerable here, since so many of them run their entire businesses on shared cloud services.

On your personal computer, a hacker could leverage Spectre to essentially take over your entire computer. But before you panic, remember, there are other ways a hacker could do this today (without these newly discovered vulnerabilities), so frankly, it’s up in the air as far as how much your risk has increased.

What’s being done about it?
Software patches have been released one after the other to help reduce the risk. Microsoft released an emergency patch January 3 and Intel is issuing updates for all types of processors, starting with those new in the last five years. Apple has released three updates to protect Safari and WebKit. And, cloud service providers, such as AWS and Microsoft Azure, are all deploying patches as well, while they wait for third-party patches to roll in to complement their efforts. But to truly reduce the risk, updates will need to be released across all vendors, from Intel and AMD to anti-malware vendors whose software needs to work appropriately with the new patches.

There’s been much discussion among IT professionals about the impact that these updates and patches could have on system performance. Some speculate it could cause systems to dramatically slow down, and others say that if Intel processors are using Skylake or more recent architecture, the impact will hardly be noticed. If organizations do experience a noticeable slowdown in performance, it’s likely they are using older processors.

What you can do about it
There are a few things you can do now to mitigate your risk. The following steps will help shield you from the Meltdown variant:
• If you use Chrome or Firefox, update to the latest versions
• In the meantime, for Chrome users, here’s an easy workaround: copy and paste “chrome://flags/#enable-site-per-process” into your browser, and click “Enable.” Site Isolation loads each individual website as a separate process, preventing other remote connections from hijacking otherwise safe sites.
• Be diligent about your Windows updates. Make sure update KB4056892 is installed.
• Regularly check with your PC manufacturer’s website to see if they’ve released any news or firmware updates.
• Wait and install third-party updates as they become available.
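
To confirm that updates like the ones listed above actually took effect, here is an added example (not from the original post) that reads the per-flaw status the Linux kernel publishes under /sys/devices/system/cpu/vulnerabilities. It assumes a Linux machine, which the post itself does not cover; the verdict names are this example's own.

```python
from pathlib import Path

# Assumption: a Linux kernel that exposes CPU vulnerability status in sysfs.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map one sysfs status line to patched / exposed / not_affected / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation"):
        return "patched"
    if s.startswith("Vulnerable"):
        return "exposed"
    return "unknown"

def check_mitigations(base=SYSFS_DIR):
    """Return {flaw: (verdict, raw status)}; a missing file is reported as unknown."""
    report = {}
    for flaw in FLAWS:
        try:
            raw = (Path(base) / flaw).read_text().strip()
        except OSError:
            # Usually means the kernel predates this status interface.
            report[flaw] = ("unknown", "no status file")
            continue
        report[flaw] = (classify(raw), raw)
    return report

def needs_update(report):
    """List the flaws that are not confirmed patched or not affected."""
    return [f for f, (verdict, _) in report.items() if verdict in ("exposed", "unknown")]

if __name__ == "__main__":
    report = check_mitigations()
    for flaw, (verdict, raw) in report.items():
        print(f"{flaw:12} {verdict:13} {raw}")
    pending = needs_update(report)
    if pending:
        print("Install pending OS and firmware updates for:", ", ".join(pending))
```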

Thursday, January 18, 2018

Rules for Securing Your IoT


Most people here have likely heard or read various prognostications about the impending doom from the proliferation of poorly-secured “Internet of Things” or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but which most consumers probably wouldn’t begin to know how to secure, IoT encompasses everything from security cameras, routers and digital video recorders to printers, wearable devices and “smart” lightbulbs.

Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here are some basic rules for minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

Rule #1: Avoid connecting your devices directly to the Internet, either without a firewall or in front of it, by poking holes in your firewall so you can access them remotely. Putting your devices in front of your firewall is generally a bad idea because many IoT products were simply not designed with security in mind and making these things accessible over the public Internet could invite attackers into your network. If you have a router, chances are it also comes with a built-in firewall. Keep your IoT devices behind the firewall as best you can.

Rule #2: If you can, change the system’s default credentials to a complex password that only you will know and can remember. And if you do happen to forget the password, it’s not the end of the world: most devices have a recessed reset switch that can be used to restore the thing to its factory-default settings (and credentials). Here’s some advice on picking better ones.

I say “if you can,” at the beginning of Rule #2 because very often IoT devices — particularly security cameras and DVRs — are so poorly designed from a security perspective that even changing the default password to the thing’s built-in Web interface does nothing to prevent the things from being reachable and vulnerable once connected to the Internet.

Also, many of these devices are found to have hidden, undocumented “backdoor” accounts that attackers can use to remotely control the devices. That’s why Rule #1 is so important.

Rule #3: Update the firmware. Hardware vendors sometimes make available security updates for the software that powers their consumer devices (known as “firmware”). It’s a good idea to visit the vendor’s Web site and check for any firmware updates before putting your IoT things to use, and to check back periodically for any new updates.

Rule #4: Check the defaults, and make sure features you may not want or need, like UPnP (Universal Plug and Play, which can easily poke holes in your firewall without you knowing it), are disabled.
Want to know if something has poked a hole in your router’s firewall? Censys has a decent scanner that may give you clues about any cracks in your firewall. Browse to whatismyipaddress.com, then cut and paste the resulting address into the text box at Censys.io, select “IPv4 hosts” from the drop-down menu, and hit “search.” If that sounds too complicated (or if your ISP’s addresses are on Censys’s blacklist) check out Steve Gibson’s Shield’s Up page, which features a point-and-click tool that can give you information about which network doorways or “ports” may be open or exposed on your network. A quick Internet search on exposed port number(s) can often yield useful results indicating which of your devices may have poked a hole.

If you run antivirus software on your computer, consider upgrading to a “network security” or “Internet security” version of these products, which ship with more full-featured software firewalls that can make it easier to block traffic going into and out of specific ports.
Alternatively, Glasswire is a useful tool that offers a full-featured firewall as well as the ability to tell which of your applications and devices are using the most bandwidth on your network. Glasswire recently came in handy to help me determine which application was using gigabytes worth of bandwidth each day (it turned out to be a version of Amazon Music’s software client that had a glitchy updater).

Rule #5: Avoid IoT devices that advertise Peer-to-Peer (P2P) capabilities built-in. P2P IoT devices are notoriously difficult to secure, and research has repeatedly shown that they can be reachable even through a firewall remotely over the Internet because they’re configured to continuously find ways to connect to a global, shared network so that people can access them remotely. For examples of this, see previous stories here, including This is Why People Fear the Internet of Things, and Researchers Find Fresh Fodder for IoT Attack Cannons.

Rule #6: Consider the cost. Bear in mind that when it comes to IoT devices, cheaper usually is not better. There is no direct correlation between price and security, but history has shown the devices that tend to be toward the lower end of the price ranges for their class tend to have the most vulnerabilities and backdoors, with the least amount of vendor upkeep or support.

One final note: I realize that the people who probably need to be reading these tips the most likely won’t ever know they need to care enough to act on them. But at least by taking proactive steps, you can reduce the likelihood that your IoT things will contribute to the global IoT security problem.
