This came up at our discussion at ISSA on Thursday so I thought I’d mention it.  Gizmodo published a great article about the problems with passwords.  Couldn’t agree more.  They mention tools like 1Password which is a great app that stores passwords and gives people a shot at creating complex passwords.  I hope we’ll start to see better options for authentication at home.  If you know of some other tools, let us know.

No related posts.

About a month ago my daughter asked if she could sign up for facebook.  A couple of her friends had just done it and she wanted to be a part of the fun.  My reaction surprised me;  I didn’t immediately say no.  That took whole hours.  I started investigating it, looking at it as a parent first.  Of course the first message I sent was to Dave, asking for his opinion.  What follows are some observations and a lot more questions.

The first issue I discovered was that facebook has a policy that requires you to be over the age of 13 to use the service.  (My daughter is…not 13)  Of course kids lie and sign up with or without consent of their parents.  I began to realize that dealing with facebook with a kid is a tough problem:

• Letting an underage kid sign up means you’re agreeing to break rules with your kids
• Not getting them signed up soon enough may result in creating pressures that will encourage them to sign up without your knowledge
• Not letting them sign up wont allow them to build skills that will eventually be necessary

Beyond Facebook, some of the sites I looked at:

Webkinz (web site that accompanies the stuffed animals)

Togetherville (Most promising site in my opinion, links to Facebook for parents)

(I also looked at Kidswirl and Whyville and several others but wasn’t impressed.)

Other resources:

The Online Mom is a great website with a lot of articles that cover opinions on a wide range of ages.

This is still a work in progress and we’re interested in your thoughts.  How would you recommend approaching this issue?  What additional sites are you looking at for kids and what online resources have been helpful?

No related posts.

The Stuxnet worm has been followed by several security experts for weeks now, but only this week are the results coming in and they aren’t good. The worm is far more advanced than anyone suspected. In fact, Roel Schouwenberg, a senior anti-virus researcher at Kaspersky said of the worm, “These guys are absolutely top of the line in terms of sophistication.”

According to Symantec:

Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.

Read more at Krebs.

No related posts.

Thought I’d take a minute and send out a reminder about an annoying but necessary topic:  Patching.  There are quite a few patches that have been released in the last few days.  Microsoft, Adobe and Apple are all addressing some serious security issues.  So…Please take some time to update your systems.  It will reduce the likelihood of identity theft and other horrors.

1:  Microsoft OS.  Use the Microsoft updates link in Internet Explorer or visit the Microsoft Update page.  There are approximately 34 updates that are required.  Grab a coffee and sit back.  It takes a while.

2:  Adobe Flash player.  Adobe has been experiencing some serious issues recently and there’s a new one out.  You can either check for the updates button within the adobe applications or visit their website here.

3:  iPhone.  This one is a large download too.  You can access this by connecting your iPhone to your system and in iTunes, select your iPhone.  In the summary page click on the “Check for Update” button.  Instructions are here.

Patching is something many people avoid or ignore.  Treat it like mowing your lawn:  Do it with a beer and it’ll seem like less of a chore.

No related posts.

Yesterday morning, an hour before the sun rose, my wife was on her way to fly to Los Angeles. We live in a somewhat affluent neighborhood (Grosse Pointe) which is situated next to one of the most depressed parts of Detroit. Right on the border of these two different worlds is a Marathon gas station that we often stop at, and it is here that my wife was robbed. Mack and Alter, for those who know the area.

She drove a small Toyota pickup and noticed a man wearing a hoodie at the pump across from her was staring at her purse. Instinctively, she threw her purse on the passenger seat and locked up the truck. Just as she was putting the hose back in the gas pump, she heard a smash behind her. She swung around to see the man in the hoodie pulling her purse out, dive into his car and squeal out of there. All in the course of about 2 seconds.

One of the many things I love about my wife is her ability to keep her head when all about her are losing theirs. She ran after the car long enough to memorize his plate (turned out, the car had been stolen earlier that morning). Then she ran into the gas station and yelled for a paper and pen to write it down. American Express was great. They told her that within the last 15 minutes, the robber had already made three purchases at as many gas station and she would not be responsible for them.

Let me add at this point, that the guys who run this Marathon station are the nicest you’ll ever meet. Always smiling and considerate. They let my wife borrow their phone for as long as she needed as her iPhone was in her stolen purse.

The next thing she did was brilliant. She made a mental walkthrough of her purse and wallet, visualizing each card, piece of jewelry, everything. Within 30 minutes in a dangerous gas station parking lot at 6AM, she had canceled every card, her travel plans and contacted myself and her parents. The first thing I did was dial 611, which on AT&T will allow you to remotely cancel an iPhone. Since the iPhone was under my account, I was able to do this. Don’t worry—you can’t just randomly cancel someone’s phone as a prank!

Then we contacted Scott (co-creator of Social Threat) as he deals with identity theft a lot. We weren’t sure if this would happen, but never assume. He gave us the link to an identity theft protection service run by Experian. We signed up immediately and feel much better about our safety.

Then I treated my wife to a new iPhone 4.

TIP: If you are robbed, think like my wife:

1. Try and get any details you can: license plates, color, make and model of vehicle, physical descriptions of people. Tattoos are great identifiers.
2. Shut your eyes and visualize what was stolen. What did it look like when you last had it? What was in it? This will come in handy later for the police report and your insurance company. This may be one of the most important things you can do.
3. Cancel cards immediately. Do not wait until you get to safety. They will be putting charges on your cards within minutes if they are pros.
4. Always keep paper copies at home of everything: photocopy your cards, your drivers registration, etc. Buy a safe (you can get great fireproof safes at most office supply stores) and keep these copies in there. You’ll thank me later.

Have you been robbed? How did you handle it? Any additional tips?

No related posts.

A large number of WordPress users are noticing that they cannot log into their blogs this weekend. Or if they can log in, their site has an iframe that points to a malware site (networkads.net/grep). Original posts on the story pointed it at blogs hosted by Network Solutions. NetSol, however, claims it is not just them—that other hosts are being infected as well. They mention a “rogue plugin” however they will not say which one it is, and so far, the only complaints have been from NetSol blogs. Another early “fact” claimed by many was that this attack was only hitting 2.92 users, but comments indicate other versions have been hit as well.

Sucuri Security has a fantastic write-up of the attack, details and the fix, which will likely scare those unfamiliar with PHPMyAdmin. According to Sucuri:

“What is interesting about this attack is that it does not create or modify any files, so the average security advice does not apply here. The only thing is does is to modify your “siteurl” inside the “wp-option” table to point to http://networkads.net/grep/, breaking the site layout completely.”

If you find yourself infected, and are confused by the directions, do yourself a favor: ask a geeky friend to do this for you. It’s not beginner stuff.

TIP: One thing you can do immediately without accessing your wp-options table is turning off, then simply removing your xmlrpc.php file from your WordPress install. It’s always at the top level (root) of your WordPress install.

Has your blog been hit by this attack? How did you fix it?

No related posts.

Please and thank you?  Microsoft has had some serious security issues over the years but recently there have been several problems that are so severe that they’ve had to release a fix outside of their normal schedule.  This is a pretty radical step since this causes companies (not to mention the rest of us) to spend time and resources that we hadn’t planned for.  Today, Microsoft released another out of cycle patch for Internet Explorer.  There have been a growing number of attacks that are exploiting this vulnerability.  I would recommend that you update with this patch as soon as possible so you can get back to Dave’s great series on scam spotting

No related posts.

Sadly, so true…

No related posts.

Esteemed military bank, USAA was recently targeted by an email phishing scam. Thankfully, USAA has an incredible security team, who discovered it and warned their members before anything happened. Details of the email can be found on their site.

No related posts.

And it’s spreading fast! The email is short, cheesy and semi-Engrish, but nonetheless contains a password stealer that is instantly activated once you open it. The password stealer may grab more than just your Facebook credentials, so please do not open this email. The email itself has the following elements:

From: help@facebook.com
Subject: Facebook Password Reset Confirmation Customer Support
Email Body: Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook

You can tell from reading the email, that the grammar is atrocious, the subject line is overly long and somewhat contradictory (you wouldn’t confirm something the user hasn’t done yet), and customer support would not be in charge of an email server operation. The opening, “Dear user of facebook” is clearly not how Facebook would address you. It would have your name, and if they did reference themselves, they would certainly capitalize Facebook. And ending with “Your Facebook?” Please.

More details on All Facebook.

No related posts.