
The Technology blog and podcast

Commentary, articles, and podcasts for the technology blog and podcast




Use WordPress database? Better update it!

We do not use this plugin on the blog, but we saw this article via Twitter called This WordPress vulnerability could let hackers hijack your entire site. It talks about a plugin called WordPress Database. The plugin lets someone manage the database, but the vulnerability would let a hacker make the entire web site disappear if they wanted to. Read the entire article on this one; it sounds serious enough.


Trend Micro’s January webinar

This month, Trend Micro will go through its predictions for 2020.

• What threats your organization needs to prepare for in the coming year.
• How to pitch your focus towards what issues matter most to you.
• How protections can be put in place to mitigate the risks these predictions may bring.

John Clay will be hosting this. Here’s a link to sign up; just fill in your info. It may have mine, so just overwrite it with yours to sign up.

I’ll do my best to tape this webinar and get it out there. I’ve not forgotten the webinar I said I’d cover; it’ll be coming. Hope to have you join me!


Security Now from last week

I started doing this last year, and now I’ll try again. Here are the show notes from Security Now!

Here is their RSS feed and here is the web page if you wish.

SN 749: Windows 7 – R. I. P.
Tuesday, January 14, 2020, 7:18:33 PM
This Week’s Stories:

  • Windows 7 support dies today, but 1 in 7 PCs are still running it
  • Cablehaunt- the remote exploit with the catchy logo that works on ALL cable modems
  • US government still wants backdoor access to iPhones
  • CheckRain iPhone jailbreak keeps getting better
  • How Apple scans your photos for evidence of child abuse
  • The sim swapping threat
  • Anatomy/timeline of the exploitation of an unpatched VPN bug
  • And speaking of patching right away… patch your Firefox browser right now!
Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve’s site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Hope this is of interest to people.


Yahoo forcing random password resets … am I the only one supporting someone having trouble?

This is more of a curiosity thing than anything else, but I have a hunch, from what I’m told, that this has been going on for a number of years now.

AT&T has an email service. When we started with this service, it was known as SBC Yahoo! Through the years, some have gotten straight att.net addresses, although the web site is a dot com for everything else.

In this world, we’ve got many types of people with varying degrees of capability in the technology world. We also know that Yahoo! email has been breached, and that came to light three years after the fact.

When you authenticate as an SBC Yahoo! customer using mail, you go to the Yahoo! mail web site.

The authentication is your full email address, i.e. jrimer2002@sbcglobal.net, which belongs to me. It also asks for your password, which is the account password for that address.

Here’s the problem. I was able to switch the account to a different interface two weeks or so ago. But for a while now, AT&T Yahoo! account holders have needed to reset their password every two weeks.

My grandmother has had an SBC Yahoo! account for a number of years, and had never experienced this until recently. I never experienced it, although I don’t use my SBC address anymore, in favor of my accounts on my domain and my Gmail. I understand this has been going on for a couple of years now, and enough is enough! The National Institute of Standards and Technology (NIST) changed its guidelines so that passwords do not need to be changed as often, as long as there is no valid reason for the password to be reset.

My grandmother is older than most on this blog; she reads Facebook, comments on things, plays games, checks email, and does some shopping on Amazon for things she needs. Nobody except AT&T Yahoo! services has prompted her to change her password.

Here is my hunch based on what I know:

  • passwords may not be as secure as they should be
  • the company never sent an email, to my knowledge, about said policy
  • too much time was spent on hold trying to get the issue resolved, and
  • frustration as to why no email can be accessed, and wondering why the account was locked out.

I’ve never seen this behavior with any company before. Unless there was a valid reason, I’ve never changed my password, even after all of these breaches. The fact that my biological data is potentially out there now means it’s game over for me! I know this, and I’ve been working hard to make sure I don’t use the same password everywhere, and that’s why I have LastPass, the last password you’ll ever need.

I’m thinking that this is targeted because of the potential weakness of the passwords given to me, yet my password may not be all that secure over there anyhow. I’m thinking it may be the same password I use somewhere else.

So AT&T, what gives? Why are you putting an elderly person, who has no knowledge of why this is happening or what to do about it, through this if you don’t tell them in writing, by email, or by phone?

If this issue persists, I’ll have no choice but to help her either set up a Gmail account, or even set up an address on the domain purchased for her and hosted through me. Then I’ll either have to show her that web mail, or set it up through Thunderbird.

For someone who does so much in the way of notifying people and companies, I’m not going to be impressed with having her do all of this. I can hopefully have mail forwarded to the new address in the meantime, but this is enough! Was it the weak passwords? You can check the hashes without knowing the password, and if you notice it’s weak, reach out! There is no need to make someone change their password every two weeks without probable cause. I know nobody else who is going through this experience, and I’ve not been tipped off to any articles saying there is a problem of this scope.

If anyone else is experiencing this, I’d love to hear from you. Please get in touch!
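For readers who want to see what the NIST-style alternative to a two-week reset looks like in practice, here is an added example (mine, not AT&T’s, Yahoo!’s, or this blog’s code). It assumes the provider checks the password only at the moment the user types it in, hashes it with SHA-1, and looks up just the first five hex characters of that hash, which is the k-anonymity shape of the Pwned Passwords range API, so neither the password nor its full hash leaves the login server. The corpus, counts, and the credential-stuffing threshold below are constructed for the example; a real deployment would use the downloaded Pwned Passwords list or the range endpoint.

```python
"""Password screening and reset policy in the style of NIST SP 800-63B.

Added example; not AT&T/Yahoo! code and not the blog's own. The demo corpus
and its counts are constructed stand-ins for the Pwned Passwords data set.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed demo corpus: upper-case SHA-1 hex digest -> constructed count.
_DEMO_CORPUS: Dict[str, int] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
    for p, n in [("password", 5000), ("123456", 9000), ("Fluffy1998", 3)]
}


def range_lookup(prefix: str) -> Dict[str, int]:
    """Return {suffix: count} for every corpus hash starting with the prefix.

    Only the 5-character prefix ever leaves the caller, so the lookup service
    learns neither the password nor its full hash (k-anonymity).
    """
    prefix = prefix.upper()
    if not re.fullmatch(r"[0-9A-F]{5}", prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: n for h, n in _DEMO_CORPUS.items() if h.startswith(prefix)}


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 = never seen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return range_lookup(digest[:5]).get(digest[5:], 0)


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_password(password: str, min_length: int = 8) -> Verdict:
    """Checks applied while the plaintext is in hand: length and breach corpus.

    No composition rules and no expiry date, per SP 800-63B.
    """
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password)
    if seen:
        reasons.append(f"found in breach corpus ({seen} occurrences)")
    return Verdict(accepted=not reasons, reasons=reasons)


def legacy_reset_required(days_since_change: int, max_age_days: int = 14) -> bool:
    """The calendar-driven policy the post describes, kept for comparison."""
    return days_since_change >= max_age_days


def compromise_indicators(password: str, failures_from_new_ips: int = 0) -> List[str]:
    """Gather the kind of evidence that would justify a forced reset."""
    found: List[str] = []
    if breach_count(password):
        found.append("password present in breach corpus")
    if failures_from_new_ips >= 10:  # constructed threshold for the example
        found.append("credential-stuffing pattern against this account")
    return found


def reset_required(days_since_change: int, indicators: List[str]) -> bool:
    """Evidence-driven policy: a reset follows an indicator of compromise,
    never the calendar. days_since_change is accepted only so the two
    policies share a signature and can be compared side by side."""
    return bool(indicators)


if __name__ == "__main__":
    for pw in ("password", "Fluffy1998", "correct horse battery staple"):
        print(pw, "->", evaluate_password(pw))
    evidence = compromise_indicators("correct horse battery staple")
    print("day 14, no evidence: legacy", legacy_reset_required(14),
          "| evidence-based", reset_required(14, evidence))
```

The point of the two policy functions is the contrast: on day 14 the legacy policy fires with no evidence at all, while the evidence-based one stays quiet until the password shows up in a breach corpus or the account is being stuffed, which is when the user actually needs to hear from the provider.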


Bard express throws errors, fixes in the works

Hello all,

I just saw the following from BARD support today. For those who use BARD Express and have it installed currently, you aren’t affected. Any new users may receive a warning about it being from an unknown publisher.

This is because the certificate expired on December 2nd. NLS is going to procure a new cert and will release an update soon.

Here is the official email notice from NLS directly.

Hello List Subscribers,

The software that certifies BARD Express as “safe to install” expired on Monday, December 2, 2019. The expiration of this certificate does not affect current users. It does, however, impact patrons who install BARD Express on or after December 2, as they will be warned that the software is from an unknown publisher. The software is safe to install.

NLS expects to procure a new software certificate in the coming weeks, at which point an update to BARD Express will be released, and users will no longer receive this warning.

We apologize for any inconvenience.

The BARD Support Team

NLS should be ashamed of themselves for letting the cert expire and not replacing it in a timely manner. It is too dangerous today to have software that is not signed, as is required now. I hope the fix comes sooner rather than later.

While this is specialized, we have to hold all companies that provide software responsible for fixing their software, whether it’s an expiring cert or a bug that affects functionality.

This can’t be good practice, and NLS is run by the government, so I don’t expect any better.

If I hear any news, I’ll be sure to pass it along.


NCSAM: Have you read Kevin Mitnick’s books?

I’ve read Kevin Mitnick’s books; three out of the four are on BARD. Nice to see him writing again!

Recently I got really bored and wanted to see what Kevin Mitnick was up to. I then started the book entitled The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data and read the first chapter as a free sample. This book is not available on BARD; however, it is available on Bookshare. I decided to buy the book here at Amazon, and when I did, it updated itself with some 2019 notes regarding the various breaches that have been notable since the beginning of the year.

About the Book

Kevin Mitnick, the world’s most famous hacker, teaches you easy cloaking and countermeasures for citizens and consumers in the age of Big Brother and Big

Like it or not, your every move is being watched and analyzed. Consumers’ identities are being stolen, and a person’s every step is being tracked and stored. What once might have been dismissed as paranoia is now a hard truth, and privacy is a luxury few can afford or understand.

In this explosive yet practical book, Kevin Mitnick illustrates what is happening without your knowledge – and he teaches you “the art of invisibility”. Mitnick is the world’s most famous – and formerly the most wanted – computer hacker. He has hacked into some of the country’s most powerful and seemingly impenetrable agencies and companies, and at one point he was on a three-year run from the FBI. Now, though, Mitnick is reformed and is widely regarded as the expert on the subject of computer security. He knows exactly how vulnerabilities can be exploited and just what to do to prevent that from happening.

In The Art of Invisibility Mitnick provides both online and real-life tactics and inexpensive methods to protect you and your family, in easy step-by-step instructions. He even talks about more advanced “elite” techniques, which, if used properly, can maximize your privacy. Invisibility isn’t just for superheroes – privacy is a power you deserve and need in this modern age.

If you’ve never read anything by this hacker turned security professional, then I highly recommend that you start with Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker, which is on BARD and is also available on Bookshare. I actually started this book through Learning Ally, formerly Recording for the Blind and Dyslexic.

About the book

Kevin Mitnick was the most elusive computer break-in artist in history. He accessed computers and networks at the world’s biggest companies – and however fast the authorities were, Mitnick was faster, sprinting through phone switches, computer systems, and cellular networks. He spent years skipping through cyberspace, always three steps ahead and labeled unstoppable. But for Kevin, hacking wasn’t just about technological feats – it was an old fashioned confidence game that required guile and deception to trick the unwitting out of valuable information.

Driven by a powerful urge to accomplish the impossible, Mitnick bypassed security systems and blazed into major organizations including Motorola, Sun Microsystems, and Pacific Bell. But as the FBI’s net began to tighten, Kevin went on the run, engaging in an increasingly sophisticated cat-and-mouse game that led through false identities, a host of cities, plenty of close shaves, and to an ultimate showdown with the feds, who would stop at nothing to bring him down.

Ghost in the Wires is a thrilling true story of intrigue, suspense, and unbelievable escape and a portrait of a visionary whose creativity, skills, and persistence forced the authorities to rethink the way they pursued him, inspiring ripples that brought permanent changes in the way people and companies protect their most sensitive information.

I thoroughly enjoyed this book and thought I would see if there was anything else. The first book in this article I’m writing now was not known to me, although it may have been recommended to me through my reading of Scott’s book Cybersecurity Is Everybody’s Business: Solve the Security Puzzle for Your Small Business and Home, Kindle Edition, which I only found here and on Amazon. BARD does not have any of Scott’s books, and with the advancement of hacking, the blind and disabled reader must learn how to protect themselves. These books are not difficult or technical, and Scott’s book has very short chapters.

In my recommendations after downloading Scott’s book, I found something that really caught my eye and that I’m also reading as well. How I can read two books at the same time, I don’t know. The book is by Paul R. Wilson, and The Art of the Con: How to Think Like a Real Hustler and Avoid Being Scammed, 1st Edition, Kindle Edition, is the name of the book. This guy, in short chapters, talks about cons and scams that have gone on for many years. Some of these are still successful today!

About the Book

A sucker is still born every minute. In this modern and interconnected world, con-men are lurking everywhere – it’s never been easier for them to dupe us, take from us, and infiltrate our lives.

One of the world’s leading and celebrated experts on con-games takes the reader through the history of cons, how they’ve been updated to the modern age, how they work, how to spot them, and how to protect yourself from being the victim of one.

R. Paul Wilson is a con-man who works for the other side – our side. He has spent a lifetime learning, performing, studying, and teaching about the ins and outs of the con world in order to open up our eyes to the dangers lurking about us – and to show us how not to get taken. Paul has never made a living as a con-man, profiting off of marks – he has used his expertise throughout his life to help people avoid cons.

In this fascinating book, Paul takes the reader through the history and developments of the con game, what elements from the past are based on basic human psychology and have stood the test of time, what has been updated for the modern era and how it’s getting used in the computer age, the structure of how these cons work, and – most importantly – how to recognize one, protect yourself and your loved ones, and avoid becoming just another sucker.

I’m not sure if this book is available on BARD or Bookshare, but you can look.

About BARD and Bookshare

BARD is the Braille and Audio Reading Download service from the National Library Service in the United States. This service is available to international patrons, but only if they initially live in the United States and are traveling internationally for some reason.

Bookshare is a paid service, although with the NLS partnership they’re offering free accounts for those of us who have NLS memberships. You can get books in multiple formats, including DAISY, audio MP3 (TTS), and braille files.

In this NCSAM month, I’m hoping that these books are a symbol of something that people should read and get interested in. As I’ve discussed, we can’t do it alone, and the email scams and cons will only trick you if you don’t know what to look for.

Other Books you can find on Bard

I’ve read all of these books, and had forgotten about the other two. The following are the books BARD has by Kevin Mitnick. There is one about Kevin’s takedown written by another author, but I’m not going to put that book here.

Note that for this blog, I’m putting the DB number for reference and nothing else.

  • Ghost in the wires: my adventures as the world’s most wanted hacker DB74947
  • The art of deception: controlling the human element of security DB56450
  • The art of intrusion: the real stories behind the exploits of hackers, intruders, & deceivers DB60593

Have you read the linked books? What about the others that are listed but not linked? What have you thought? Please discuss it in the comments! I look forward to reading what you’ve got to say.


NCSAM: scam or not? You Decide

NCSAM: looks like a scam or Phish, can you tell?

Hello folks,

In the following exercise, I’m going to give you the beginning of two forms. One came through the IP Unblock form for my customers, and the other came from MENVI. In both instances, they filled out the bug-reporting field and the comments section.

Out of curiosity, I went to the link separately, and there is a picture; I didn’t go any further to identify it or anything.

Can you tell if this is a scam?

Below is the result of your feedback form. It was submitted by
on Saturday, October 19, 2019 at 17:15:48
Name: Hellen[BqdeqwhVinejonuQ,2,5]
phone: 82919675993
contact_method: both E-mail and phone
bug: no
additional_bug_info: Hello, I apologize for this letter, but I have no other choice!

This is a 4-year-old girl Lisa Filameshina!

Lisa has retinoblastoma (retinal cancer). Her eye needs urgent treatment! In the Swiss clinic «Hospital Ophtalmique Jules-Gonin» (Lausanne) they guarantee
the preservation of the organ so important for the future life of the child.

It is necessary to collect $9000 before October 31.

We will be grateful for any amount of money!

I beg you help!

That is wallet address for payment bitcoin :157CfZ3qhHpRWKbzqoroUAxTMgDhhmPfPt

I give the payment details in bitcoins, since another transfer is problematic in our country.

Sorry again.

The next one was sent overnight.

Below is the result of your feedback form. It was submitted by
on Sunday, October 20, 2019 at 03:32:03
name: HellenInjex
City_State_Province: Avarua
country: Cook Islands
Phone: 81797884724
contactmethod: Please use both E-mail and telephone to contact me
contact: Please have Jared Rimer: (MENVI webmaster) to contact me
reporting_bug: No, I’m not reporting a bug with the web site at this time
reporting_bug_Yes: Hello, I apologize for this letter, but I have no other choice!

This is a 4-year-old girl Lisa Filameshina!

Lisa has retinoblastoma (retinal cancer). Her eye needs urgent treatment! In the Swiss clinic «Hospital Ophtalmique Jules-Gonin» (Lausanne) they guarantee
the preservation of the organ so important for the future life of the child.

It is necessary to collect $9000 before October 31.

We will be grateful for any amount of money!

I beg you help!

That is wallet address for payment bitcoin :157CfZ3qhHpRWKbzqoroUAxTMgDhhmPfPt

I give the payment details in bitcoins, since another transfer is problematic in our country.

Sorry again.

Both messages look exactly the same. Both are pleading for money, and I believe there are two different bitcoin wallet addresses.

REMOTE_ADDR: is on MENVI’s and REMOTE_ADDR: is on the IP unblock request form.

My hunch is that this is part of the Nigerian 419 scam, begging for money but with a different purpose. The purpose is to help a little girl, but now I got curious. As I write this, I ran JAWS Picture Smart on the photo at the URL. It says:

Caption is a little boy wearing a hat.

I’m unaware of NVDA having a Picture Smart option, but JAWS now tells me through this technology that it is a boy, not a girl. Very clever they are. The fact that they say they want money by a certain time, before it’s too late, is also a telltale sign of a problem.

This network has a donations page, found both on the blog pages and on our main web site. In no way are we begging for money on any page, and in no way are we saying to donate by a certain point in time.

While we would like people to donate to the network to offset the costs of running it, and to help offset the independent artist project of playing independent music from around the world, there is no urgency. I have mentioned it on my shows and in my show notes, but I don’t make it a habit either. It’s just the way it is, and the way it must be, so that we do not get flagged as a potential target.

This network also does not solicit any type of donations by email like this, even though we’d love to get some money, as described above.

I believe the goal of the email is what’s called phishing, but it is targeted phishing for money. It’s bait to get you to part with your money; the term for it you could look up, and correct me if I’m wrong.

I don’t claim to know the exact terms correctly, because I get confused about what they are, but I know two things.

  • I do not have a bitcoin wallet.
  • I do not know how to buy bitcoin, and if I did, I’d be using the money for my own purposes, i.e. buying things, or sending it to PayPal for spending later.

I think we can use this as a point of learning to show people what types of things are being sent today.

Have you seen these and determined that they were no good? If you’ve been bitten, what did you think of this one that could have made you pause and think, “This can’t be right.”

Let’s discuss this!
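As a worked example of how a site owner can triage submissions like the two above without reading each one by hand, here is an added Python script (mine, not this blog’s or MENVI’s form code). The body text is the message both forms carried, copied from above; the form labels, the names and the phone fields are constructed to mirror the two submissions. It pulls out bitcoin addresses (a syntactic match only, no Base58 checksum), fingerprints the body so reflowed copies still match, scores the usual begging-letter cues (deadline, urgency, crypto-only payment, money ask), and reports which submissions share a body or a payment address.

```python
"""Triage of contact-form submissions for the begging-letter pattern.

Added example; not the blog's or MENVI's own form-handling code. BODY is the
message shown above; form labels, names and phones are constructed stand-ins.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List

BODY = """Hello, I apologize for this letter, but I have no other choice!

This is a 4-year-old girl Lisa Filameshina!

Lisa has retinoblastoma (retinal cancer). Her eye needs urgent treatment! In the Swiss clinic «Hospital Ophtalmique Jules-Gonin» (Lausanne) they guarantee the preservation of the organ so important for the future life of the child.

It is necessary to collect $9000 before October 31.

We will be grateful for any amount of money!

I beg you help!

That is wallet address for payment bitcoin :157CfZ3qhHpRWKbzqoroUAxTMgDhhmPfPt

I give the payment details in bitcoins, since another transfer is problematic in our country.

Sorry again."""

# Constructed records mirroring the two submissions (form labels are mine).
SUBMISSIONS: List[Dict[str, str]] = [
    {"form": "ip-unblock", "name": "Hellen[BqdeqwhVinejonuQ,2,5]", "phone": "82919675993", "body": BODY},
    {"form": "menvi-contact", "name": "HellenInjex", "phone": "81797884724", "body": BODY},
]

# Base58 P2PKH/P2SH and bech32 shapes; syntactic only, no checksum.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")

CUES = {
    "deadline": re.compile(r"\bbefore\s+(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\s+\d{1,2}\b", re.I),
    "urgency": re.compile(r"\b(?:urgent|no other choice|i beg)\b", re.I),
    "crypto_only": re.compile(r"\b(?:bitcoin|wallet)\b.*\b(?:problematic|only|cannot|can't)\b", re.I | re.S),
    "money_ask": re.compile(r"\$\s?\d[\d,]*|\bany amount of money\b", re.I),
}


def extract_btc_addresses(text: str) -> List[str]:
    """Distinct address-shaped tokens in the text, sorted."""
    return sorted(set(BTC_RE.findall(text)))


def fingerprint(text: str) -> str:
    """Whitespace- and case-insensitive SHA-256 of the body."""
    normalized = " ".join(text.lower().split())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def scam_cues(text: str) -> List[str]:
    """Names of the begging-letter cues present in the text, sorted."""
    return sorted(name for name, rx in CUES.items() if rx.search(text))


def triage(submissions: List[Dict[str, str]]) -> Dict[str, object]:
    """Cross-reference submissions by body fingerprint and payment address."""
    by_fp: Dict[str, List[str]] = defaultdict(list)
    by_addr: Dict[str, List[str]] = defaultdict(list)
    for s in submissions:
        by_fp[fingerprint(s["body"])].append(s["form"])
        for addr in extract_btc_addresses(s["body"]):
            by_addr[addr].append(s["form"])
    return {
        "duplicate_bodies": {fp: forms for fp, forms in by_fp.items() if len(forms) > 1},
        "shared_addresses": {a: forms for a, forms in by_addr.items() if len(set(forms)) > 1},
        "cues": {s["form"]: scam_cues(s["body"]) for s in submissions},
        "distinct_phones": len({s["phone"] for s in submissions}),
    }


if __name__ == "__main__":
    for key, value in triage(SUBMISSIONS).items():
        print(f"{key}: {value}")
```

Run against these two submissions it reports one shared body, one payment address common to both forms, two different phone numbers, and all four cues on each message; the shared address across unrelated forms is the strongest single signal, since legitimate requests for help do not arrive as the same letter through every form on a site.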


Will Apple get hacked more in the future? Business insider says yes

With Apple’s iOS 13, and very successful hacks into the iOS platform, we’re starting to see Apple being targeted. According to this article from Business Insider entitled A cybersecurity expert explains why we’re likely to see more Apple hacks in the future, we’re going to see more hacks toward iOS and Mac devices. Windows is also covered, and rightly so.

While my phone is older and I’ll be looking to replace it soon, making sure our software is as up to date as possible is now more crucial. This is going to get interesting as we continue to see these types of issues, including data breaches in general.

The fact that the article talks about WhatsApp as an entry point means the WhatsApp developers need to fix that hole too. It’s not all the operating system’s fault, whether it’s Windows, Mac, iOS, Android, Linux, or any other operating system out there.



Alabama got hit with Ransomware, pays ransom

Hello all,

Well, the news this week deals with Alabama getting hit with ransomware. According to this article entitled Ransomware attacks are insidious. Experts urged healthcare CIOs to invest in proactive security measures to combat the growing threat, Alabama was the target. Unfortunately, ransomware is not going to go away, and that’s because it’s a great moneymaker.

I wonder how this type of thing is created to begin with? I’m not saying that I’d send it out and demand money, since the goal of the blog and podcast is to alert you all to what’s out there so we can protect ourselves. We all need money, but we need to earn it the right way.

For example, on one of the pages on the blog there is a donations button, I believe. But if not, that’s OK. Money isn’t the object of this podcast, but if you’re interested in donation options, get in touch.

I’m confident when I reminisce about the story one of my buddies told me about one of our own in the blindness field getting targeted with ransomware. Remember this article entitled ATPC Hit with Ransomware, Does Not Pay, where I talked about a textbook case of doing it correctly? We should bring it out and show companies that a company serving the blind community did it correctly, and we should all learn from it.

Getting back to the article at hand, Security Now covered quite a bit of ransomware in this week’s episode. If that show goes into ransomware mode, whereby they cover nothing but ransomware in the news, it’s going to be the whole entire show. This can’t be a good sign.

Here are the notes from that episode.

  • Ransomware hits schools, hospitals, and hearing aid manufacturers
  • Sodinokibi: the latest advances in Ransomware-as-a-Service
  • Win7 Extended Security Updates are extended
  • A new Nasty 0-Day RCE in vBulletin
  • There’s a new WannaCry in town

As you can see, there are lots of things going on here, and it’s not going to go away any time soon. While the main topic of this post is the Alabama case, there is a lot more happening that we should be learning about too, and that’s why I find the story of value. This is going to get very interesting.


Trend Micro’s next webinar

The title of the next webinar is going to be “What’s Up with Web Threats?” It’ll be held on October 29th at 1 ET / 10 PT, and I am going to try and make it. If not, a recording will be provided afterward.

Today’s threats are now hitting us hard: web threats, email threats, telephone calls, and more. Please sign up and learn how you can protect yourself and teach others what they can do afterward. We can do this together.

With the popularity of the web, and everything that is connected to it, there is no surprise it is the second most detected threat within our customer

In this month’s threat webinar, I will review the numerous types of web-based threats affecting your employees, such as embedded URLs within emails, malvertisements, drive-by downloads, and command and control (C&C) servers.

As well, I will be reviewing some best practices you can use to better protect your organization, employees, and web servers from these attacks. Because when you can prepare for, withstand, and rapidly recover from threats, you’re free to go further and do more.

That’s The Art of Cybersecurity.

I’ll see you there!


NCSAM: Part 2: Scott Schober’s latest book is a must read

If you read nothing else this month, read this one. I’ve been referencing Scott Schober’s second book, Cybersecurity Is Everybody’s Business, and I read part 2. Part 2 of the book covered several breaches, including the biggest in health care, Anthem Blue Cross, Equifax, and more.

Equifax still has a bunch to say for itself, and I have two articles I wrote myself on the Vocal platform. They are: Equifax Breach: Why You Should Be Worried After the Latest Breach (September 15, 2017) and More On the Equifax Breach: Why It’s Time to Keep that Software Up to Date, which was posted to 01.media on September 26th of that same year. I’m sure you can find other articles, and Krebs was also cited in this part on numerous breaches.

What I found amazing was the details, or lack thereof, when it came to DynDNS, which took half the net down, or so it seemed.

Some of these breaches we have no control over, especially the Equifax breach. Some people even went so far as to call them Equifish (Equiphish), and this is no joke. Steve Gibson, the guy behind Security Now on the TWiT network, was at a loss. Nobody can really explain the hack, and the fact that they paid millions of dollars doesn’t explain the piss-poor job there.

Uber I was not a customer of when that breach happened. The fact that they went through several CEOs and that the future of the company is still uncertain, because it blows through money, should probably not surprise me. I know I’ve blown through money when I was younger, and I bet we all do it. I’ve had some great experiences with Uber, even at my new location, so I have nothing bad to say. A couple of times were interesting, but I was never stranded; that’s paratransit for you.

The goal of this post is not to cover paratransit, but to cover the portion of the book I’ve read to date. These chapters are short, but dole out the information you need to know. I still feel the book is a must read for everyone. Have you gotten your copy?

Some articles this brings me back to include, but are not limited to:

Podcast 288 talks about Equifax one year later, in articles I’ve read, and a whole lot more about the cybersecurity incident.

This also brings me back to the article I posted recently, Cybersecurity: 99% of email attacks rely on victims clicking links, where one of the hacks was caused by phishing or social engineering. This I feel is only going to get worse, and I don’t know what the solution is besides training. NCSAM: Is training to stay safe not sinking in? That is the big question here. I feel we all can use training. Every single one of us. It has to start somewhere.


NCSAM: Passwords and innocent conversation

I’ve been thinking about something that resonates with me in the latest book by Scott Schober, Cybersecurity Is Everybody’s Business, and I thought I’d put this up for discussion on the blog.

Innocent conversation, asking about your family or pets, may seem like a regular, day-to-day, OK thing. In this book, Scott talks about a skit that was later played on TV.

Someone asked someone else about their password. They mentioned that it was the dog’s name and the year they graduated high school. While these types of passwords are not recommended, I’m not about to tell people how to use their passwords at all.

The person then asked two innocent questions, and they were answered. Boom! There is the password.

Would I use this password today? Probably not. I’m sure they felt comfortable and had no idea they were about to reveal their password. Today, I still use a combination of a couple of passwords on a few sites, mainly because I never changed them, and on one I’ve got two-factor. On one email account I have a very strong password, even though it’s for list communications only.

One account, I really need to change that password, but I don’t feel it’s necessary. The point here is that we should observe what we should or should not do. There are always things we should do, but it is our choice.

What do you think of innocent conversation that could reveal one’s passwords or password habits without even asking for them?
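To put a number on how little the skit’s two “innocent” answers leave to guess, here is an added Python example (mine, not from Scott Schober’s book or from this blog). The pet name and graduation year are constructed stand-ins for what the conversation gives away; the target is hashed with plain SHA-1 only to keep the example self-contained, since a real system would use a slow salted hash, which changes the cost per guess but not the number of guesses.

```python
"""Size of the guessing space for a "dog's name + graduation year" password.

Added example; the pet name, year and "stolen" hash are constructed.
"""
import hashlib
import itertools
from typing import Iterator, Optional


def sha1_hex(s: str) -> str:
    """SHA-1 hex digest of a string (demo stand-in for a real password hash)."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def candidates(pet: str, year: int, year_span: int = 5) -> Iterator[str]:
    """Enumerate the family: casing variants of the name, the year as two or
    four digits within +/- year_span, common separators, and either order."""
    names = sorted({pet, pet.lower(), pet.upper(), pet.capitalize()})
    years = sorted({form for y in range(year - year_span, year + year_span + 1)
                    for form in (str(y), str(y)[-2:])})
    separators = ["", "_", "-", ".", "!"]
    for name, yr, sep in itertools.product(names, years, separators):
        yield f"{name}{sep}{yr}"
        yield f"{yr}{sep}{name}"


def search_space(pet: str, year: int, year_span: int = 5) -> int:
    """Number of distinct guesses the family produces."""
    return len(set(candidates(pet, year, year_span)))


def recover(target_sha1: str, pet: str, year: int, year_span: int = 5) -> Optional[str]:
    """Return the candidate whose SHA-1 matches the target, or None on a miss."""
    target = target_sha1.lower()
    for guess in candidates(pet, year, year_span):
        if sha1_hex(guess) == target:
            return guess
    return None


if __name__ == "__main__":
    pet, year = "Fluffy", 1998            # constructed: what the chat revealed
    stolen_hash = sha1_hex("fluffy98")    # constructed: the user's real choice
    print("guesses in the family:", search_space(pet, year))
    print("recovered:", recover(stolen_hash, pet, year))
```

With three casings, eleven years in two forms each, five separators and two orderings, the whole family is 660 guesses. Against an online login that allows ten attempts a minute that is about an hour, and against a stolen hash it is instant, which is why the two answers in the skit are the password, not a hint toward it.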


NCSAM: your own phone number calling

I want to put my own NCSAM post up, and maybe others have seen this. Since last Friday, I’ve seen my own telephone number call me. Yesterday, I decided to answer it, just to see what it was about.

“Hello, this is Anna from Microsoft,” it said. “We’ve been trying to reach you. Your IP will be shut down due to violations,” it continues and it says that I should press 1 to speak to a representitive.

I’m saying it, because it was a TTS engine, not a real girl. I knew this. I also knew that Microsoft, along with most major businesses, don’t call you for things of this nature. If they were going to shut off your IP, I’m sure an investigation would be involved, and maybe an investigator at your place of residents or business. They wouldn’t actually shut off your IP, they’d actually discontinue your internet service, or even seize your computer.

To clarify, Microsoft can’t shut down your IP or your Internet service, that would be with the provider you’re with such as AT&T, Comcast, Verizon, or any others across the country I’ve not mentioned. Microsoft, as most know, is a company developing software. They’ve help investigate suspicious activity, but they themselves can’t shut you down. I’m sure you can find on your own, articles where Microsoft may have had a hand in investigations where their networks were used, or other things of that nature.

Other things to read:

The first call, came in Friday afternoon as I was going from the underground portion of the train station to the street to catch a bus to continue my journey home. The second call came in some time later. I believe I’ve had a couple of others before yesterday, all displaying my own cellular telephone number.

I figured since no voice mail was left, then I wasn’t dealing with it. When you call your own cell number, you’re actually connected to the voice mail platform to check voice mail.

I’m confident it was one of these things to try and get personal information out of me, but I wasn’t biting. Now that I heard what it had to say, I’m hoping I don’t see that again.

  • Phishing and social engineering happen through voice and text.
  • Text messages, even SMS, can contain links to places that may be questionable.
  • Telephone calls may claim to be from a prominent company, tell you a story like the one above, and get you to connect with someone.
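As an added example (not from the original post, and not code from any company named here), the following Python script applies the checks a practitioner would run on a link in a text message or e-mail before tapping it: a raw IP address as the host, a URL shortener that hides the destination, a punycode hostname that may hide look-alike characters, a user-info section before the host (the “brand.com@evil-host” trick), plain http, a brand name sitting in a domain the brand doesn’t own, and, for HTML mail, link text that shows one domain while the real href goes somewhere else. The sample messages, the HTML snippet, the shortener and brand lists and the allowlist of legitimate domains are all constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages for the demo (not real texts received by the author).
SAMPLE_MESSAGES = [
    "Your package is waiting: http://bit.ly/3xAbCd to reschedule delivery",
    "Microsoft: your IP will be shut down. Verify at http://microsoft.com.verify-account.xyz/login",
    "Reminder from your bank: https://www.chase.com/",
    "Login here http://192.168.4.20/secure to restore service",
    "Receipt: https://xn--pple-43d.com/id",
    "Account notice http://microsoft.com@198.51.100.7/verify",
    "Call 1-800-555-0199 now, no link here",
]

# Constructed HTML snippet standing in for an e-mail body.
SAMPLE_HTML = (
    '<p>Sign in at <a href="http://secure-login.example.net/ms">https://account.microsoft.com/</a> '
    'or visit <a href="https://www.chase.com/">https://www.chase.com/</a></p>'
)

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

# Assumptions for the demo: a short list of shorteners, brands, and the domains those brands own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
BRANDS = ("microsoft", "apple", "paypal", "amazon", "chase", "google")
LEGIT = {"microsoft.com", "apple.com", "paypal.com", "amazon.com", "chase.com", "google.com"}


def registrable(host):
    """Crude registrable domain: the last two labels (good enough for .com-style names)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host):
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def check_url(url):
    """Return the reasons a link looks like a phishing/smishing link (empty list if none)."""
    if url.lower().startswith("www."):
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo before host")      # "brand.com@evil-host" trick
    if is_ip(host):
        reasons.append("raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode hostname")         # possible look-alike characters
    reg = registrable(host)
    if reg in SHORTENERS:
        reasons.append("URL shortener hides destination")
    if parts.scheme == "http":
        reasons.append("plain http")
    for brand in BRANDS:
        if brand in host and reg not in LEGIT:
            reasons.append(f"brand '{brand}' in non-brand domain {reg}")
    return reasons


def scan_message(text):
    """Map every URL found in a text message to its list of warning reasons."""
    return {url: check_url(url) for url in URL_RE.findall(text)}


def anchor_mismatches(html):
    """Links whose visible text names a different domain than the real href target."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        shown = URL_RE.search(text)
        if not shown:
            continue
        shown_url = shown.group(0)
        if shown_url.lower().startswith("www."):
            shown_url = "http://" + shown_url
        if registrable(urlsplit(shown_url).hostname or "") != registrable(urlsplit(href).hostname or ""):
            out.append((text.strip(), href))
    return out


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg)
        for url, reasons in scan_message(msg).items():
            print("   ", url, "->", ", ".join(reasons) or "no obvious problem")
    for shown, real in anchor_mismatches(SAMPLE_HTML):
        print("mismatch: shows", shown, "but goes to", real)
```

The checks are heuristics, not proof: a link with no warnings can still be bad, and a shortener is not malicious by itself. The point is that every one of these is something you can see before you click, which is exactly what the bullets above are asking for.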

I’ve never seen this before, and I thought, why not write my own NCSAM post? The phone is just as valuable now as the Internet, as the phone also connects to the Internet, whether through your own connection or through the network of the provider you pay for your phone.

Your thoughts are welcome. Let me know what you think.

Comments Off on NCSAM: your own phone number calling

NCSAM: Is training to stay safe not sinking in?

The second post I found of interest deals with phishing and the training behind it. In the first post of their series, Training Not Sinking In? Try a Programmatic Approach, Phishlabs dives into several different topics they’ll be covering during the week. Headings in this blog post include:

  • Choosing a Training Program
  • Designing a Captivating Awareness Campaign
  • Implementing a Reward & Remediation Strategy

Each section is quite interesting in this endeavor to train each and every one of us on how to stay safe, as well as getting training that would benefit everyone in a company setting.

One tip is to take it slow, and not give a bunch of stuff in one sitting.

Choosing the best training program isn’t enough, though. It’s critical that you understand how the organizational climate impacts training success. In a later blog post, we’ll discuss this in detail.

I think this is very important. You may have older people involved in your company, and they may not understand this. I think shorter lessons will be the key.

Just like my struggles in my braille course, training to spot problems before they become a problem for your small business, for yourself as an individual, or even if you work for another business of any size, requires that you understand what you’re looking for. In the braille course, it’s understanding the individual parts and trying to put them all together. My mistake was to put it together based on my understanding of the thing; they wanted the typeforms. The same thing is crucial to protecting your business and even your personal finances. You don’t want to be figuring out how to pay bitcoin to someone just because you clicked on a link that said you did something, or because you’re accused of something and it locks up your files.

There are different types of phishing, and I’m really not too familiar with the different kinds. But this is why we’re learning together, and I’m happy to share what I can understand and, of course, what I think we should do.

Under the heading of designing a campaign, some of the bulleted points include:

• Choose a cohesive brand
• Include a mix of mediums
• Start marketing your program early

There are two things. First, I am not a marketer. Second, I don’t really have mediums, except for the blog (text) and audio (the podcast), which are both good. But I’d like to develop something and either sell it or offer it for free; I just don’t know how.

Phishlabs has been doing this a long time, and I give them props. They’ve called me to let me know of issues, and I reached out to them for something. I love the work they do, so I want to pass their knowledge on this to my readers.

Under the rewards program, they write:

What drives your workforce to participate in security training or to practice good security hygiene? What keeps them accountable if they slip up? An effective reward and remediation strategy that fits within your organizational culture is critical to achieving your learning objectives. As every organization is different, there is no one-size-fits-all approach. Later this month, we’ll cover this topic in detail.

I’m definitely looking forward to seeing what they have to say on this. There is no one-size-fits-all approach to teaching, so let’s go!

Your thoughts are welcome, and I will await comments and suggestions. Thanks for reading!

Comments (2)

NCSAM: let’s start with password managers

LastPass’s first article to kick off National Cyber Security Awareness Month deals with the password manager. While their article talks about their own product, let’s just talk about password managers in general.

The LastPass article is entitled Owning Your Digital Profile by Setting Up LastPass. What if you don’t have LastPass?

First, take a look at the password manager that you have decided to use. Why a password manager? According to LastPass, it is safer to use a password manager like theirs than the browser’s built-in one. The article The Eternal Question: Why Can’t I Just Use my Browser? should answer why the browser isn’t a good choice. If you’ve listened to TWiT’s Security Now, you’ll also understand why this is a bad idea. Whichever manager you pick, the point is the same: it lets you use a long, random, unique password on every site, so one site’s breach doesn’t hand attackers your other accounts.

The goal here is not to force you away from what you know, but to educate you on why it is a good idea to think about it. I have moved away from the browser and had even paid for LastPass Premium at one point, until I realized that I could have most of the features for free. I wasn’t using the premium offerings; the faster support response was nice, but I hardly used it. It is a benefit to support the companies, and I plan to do this again at some point.

There are other password managers out there, so search around and decide which one works best for you.

What do you think of password managers? Have you utilized them? Which one do you use, and why? Let’s discuss!

Comments Off on NCSAM: let’s start with password managers

NCSAM, today is the first day

Hello everyone, NCSAM is this month, and it’s already October! Can you believe it?

Each and every one of us needs to do our part to make sure that our online lives are kept safe and secure. That’s what National Cybersecurity Awareness Month (NCSAM) – observed in October – is all about!

One thing I really love is LastPass’s coverage of NCSAM. Each week, they cover a different topic dealing with cyber security, and I’ll share these like I did last year.

To learn more about National Cyber Security Awareness Month, visit this page on Stay Safe Online, and let’s continue to do our part to keep each other safe.

Comments Off on NCSAM, today is the first day

We take security … however

There was a retweet I saw. It said that every email that has been sent out in the last 10 years when a breach has occurred says “we take security seriously, however …” and goes on to explain what happened. This is something I’ve been thinking about as of late, as we’ve been publishing stories of various kinds of breaches, ransomware, and the like. No wonder we don’t even have a solution except sorry.

What we need to do is start from the beginning. The beginning is simple: if you weren’t looking for it, don’t click it. If you’re curious like I am, really look to determine that it isn’t a threat before you click. If it looks too good to be true, don’t open the attached file, and don’t click or press enter on the link. Other thoughts?

Comments Off on We take security … however

The Cyber underground, taking a look at 5 underground forums and activities

Trend Micro had an event today which I attended. The event is called a webinar. This is basically like a telephone conference, but over the Internet, using a platform to listen. This particular event dealt with the cyber underground of 5 different countries. One question was in regard to two others, but there wasn’t enough time to cover every single one.

Here are some take aways:

  • The Russian cybercrime forum is full of different things, including being the most active in finding and using vulnerabilities to do harm.
  • None of them want to harm people; a lot are informational, sharing links to stories and other things of that nature.
  • A lot of the attacks use home devices provided by your Internet provider. I really should look to see how I can change those default logins, if needed.
  • Shodan was talked about as a research tool. We should search our own IP and see what it has to say. You aren’t going to get “asked for it” if you don’t look; however, we just don’t know. It doesn’t hurt to look.
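As an added example (not the webinar’s material, and not Trend Micro’s or Shodan’s own code), here is a Python script that takes what Shodan reports about one IP address and reduces it to what a home user should act on: which ports are open, which of those a consumer modem or router has no business exposing (Telnet, UPnP, the TR-069 remote-management port ISPs use, admin web pages), and any CVEs Shodan attached to the banners. The record shape follows the public Shodan host API as I understand it, the risky-port list is my own pick, and the sample record, its IP (a documentation address) and its CVE identifier are constructed for the demo and not real.

```python
import json
import urllib.request

# Ports a consumer modem/router should not expose to the Internet.
# Assumption: my own selection for this demo, not a list from the webinar.
RISKY_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP admin page", 443: "HTTPS admin page",
    445: "SMB", 1900: "UPnP/SSDP", 5000: "UPnP", 7547: "TR-069 (ISP remote management)",
    8080: "alternate HTTP admin", 8443: "alternate HTTPS admin",
}

# Constructed sample in the shape of a Shodan host record (203.0.113.0/24 is a
# documentation range; the CVE identifier is made up for the demo and is not real).
SAMPLE_HOST = {
    "ip_str": "203.0.113.42",
    "org": "Example ISP",
    "ports": [7547, 80, 443],
    "data": [
        {"port": 80, "transport": "tcp", "product": "Example Router Admin",
         "data": "HTTP/1.1 200 OK\r\nServer: ExampleRouter/1.0\r\n", "vulns": {}},
        {"port": 7547, "transport": "tcp", "product": "cwmp",
         "data": "HTTP/1.1 404 Not Found\r\n", "vulns": {"CVE-2099-0001": {"cvss": 9.8}}},
        {"port": 443, "transport": "tcp", "product": None, "data": "", "vulns": {}},
    ],
}


def my_public_ip(api_key):
    """Ask Shodan which address you are coming from (network call; not used offline)."""
    with urllib.request.urlopen(f"https://api.shodan.io/tools/myip?key={api_key}", timeout=15) as resp:
        return json.load(resp)


def fetch_host(ip, api_key):
    """Fetch the Shodan host record for one IP (network call; not used offline)."""
    with urllib.request.urlopen(f"https://api.shodan.io/shodan/host/{ip}?key={api_key}", timeout=15) as resp:
        return json.load(resp)


def summarize_host(host):
    """Reduce a Shodan host record to the facts a home user should act on."""
    findings = []
    for svc in host.get("data", []):
        port = svc.get("port")
        vulns = svc.get("vulns") or {}
        vulns = sorted(vulns.keys() if isinstance(vulns, dict) else vulns)
        banner_lines = (svc.get("data") or "").splitlines()
        findings.append({
            "port": port,
            "transport": svc.get("transport", "tcp"),
            "product": svc.get("product") or "unknown service",
            "risky": RISKY_PORTS.get(port),          # None if not on the risky list
            "vulns": vulns,
            "banner": banner_lines[0][:80] if banner_lines else "",
        })
    # Risky ports first, then by port number.
    findings.sort(key=lambda f: (f["risky"] is None, f["port"] or 0))
    return {
        "ip": host.get("ip_str"),
        "org": host.get("org"),
        "open_ports": sorted(host.get("ports", [])),
        "risky_ports": [f["port"] for f in findings if f["risky"]],
        "cves": sorted({cve for f in findings for cve in f["vulns"]}),
        "findings": findings,
    }


def report(summary):
    """Human-readable version of summarize_host() output."""
    lines = [f"{summary['ip']} ({summary['org']}): open ports {summary['open_ports']}"]
    for f in summary["findings"]:
        flag = f"  RISKY: {f['risky']}" if f["risky"] else ""
        cves = f"  CVEs: {', '.join(f['vulns'])}" if f["vulns"] else ""
        lines.append(f"  {f['port']}/{f['transport']} {f['product']}{flag}{cves}")
    if summary["risky_ports"]:
        lines.append("Action: log in to the router, disable remote management and UPnP on these ports, "
                     "change the default admin password, and check for firmware updates.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demo on the constructed record. With a key and network access:
    #   summary = summarize_host(fetch_host(my_public_ip(KEY), KEY))
    print(report(summarize_host(SAMPLE_HOST)))
```

Two caveats: most home connections get a different address over time, so the record you see may describe a previous customer of that address rather than you, and Shodan only knows what it scanned, so an empty record is not proof that nothing is listening. The useful result is the risky-port list, which ties straight back to the previous bullet about the default logins on ISP-supplied devices.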

I wasn’t sure how I was to ask this, but the webinar kept saying “he,” meaning males are involved in all of this. I’m curious whether any females are involved in this type of activity in their research, but I wasn’t really sure how to ask it, so we’ll see what comes out over time.

Here is the link to register for this event so you can get access to the on demand copy when it becomes available.

This was quite interesting, and if you do view the on demand, let me know what you think.

Comments Off on The Cyber underground, taking a look at 5 underground forums and activities

The book Scam Me If You Can

I just finished reading the book Scam Me If You Can by Frank Abagnale. Here is the Amazon link to this book so you may buy it via Kindle or paper if you wish. It’s available on Bookshare, and that’s where I got a copy of it.

The reason I want to write about this book here is in regard to the very last chapter. I can relate a little bit to several different stories, even going back to Podcast 289 (56mb), where Jennifer was used to talk about one such scammer.

Since then, there have been several others. Each one wanted me to send them iTunes gift cards, and one, when I told them I couldn’t see pictures, never said another word. The thing with Julia and her behavior was the insistence on me buying gift cards so she could come to see me. I could get what I wanted, if only I sent the gift card.

Another one that I believe was trying to scam me was Boivon Donald. This person claimed that they were in the military, and then indicated they needed me to open a bank account. While I don’t have the conversation any longer, and it’s not the point of this article to rehash the conversations, I was very skeptical when I was asked to provide a bank account, send an iTunes gift card, or have anything to do with sending money when I hadn’t even talked to them by phone.

Everyone refused to call me by phone, even one named Brenda Rogers, who stopped communicating with me when I said that this was a text relationship. She started calling me honey and baby and indicating that I knew what to do to start a call. All of these people refused to place a call when I asked to talk to them by voice. Even the one who sent me pictures quit talking to me when I said I couldn’t see pictures. One even asked what I wanted in life, and I haven’t sent them another message.

While I want a relationship, if you don’t want to call me and talk to me so I can hear your voice, then you’re not worth my time. Twitter, Facebook, and other social media, even Hangouts, are used for these types of scams. In the last chapter, we learn about the typical types of scams. I just had to say out loud, “uh-huh,” as the chapter was read aloud to me through my app that is connected to Bookshare. If you’ve not listened to podcast 289, you will want to listen to it now. The scams aren’t going away, and I want people to learn about what types of things are going on nowadays.

“This is just going to get worse,” says Abagnale. He’s 70 years old, turned his life around, and his story needs to be told.

Here is a link to Frank W. Abagnale from Amazon. This link will take you to all 4 of his books. I suggest you read them. It doesn’t matter the order; they’re all good. If we can teach what types of things are out there and how we can protect ourselves, we can be even better educated not to get caught.

Have you read these books? If you have, what did you think?

Besides the last chapter, which really interested me as of late, Frank covers more than just romance. He covers everything you can find in regards to scams. Web sites are also given where appropriate. Please read this book, and the others in the series. I enjoyed it.

Other reading:

Here’s something to ponder: a con man turned cybersecurity pro has tips August 18, 2019

Comments Off on The book Scam Me If You Can

Ransomware not going away?

I was catching up on ransomware coverage from the program Security Now. This show is hosted by Steve Gibson and the TWiT Network. Steve’s got show notes in PDF as well as a transcript available on his Security Now page on GRC. I was very interested in the ransomware epidemic, because I’ve been following it as of late. This is going to get interesting, because everything I’ve read, and what I’ve also heard from this show, indicates that ransomware will not be going away. Everyone I’ve read and listened to indicates it’s going to stay for a while.

As disabled people, this can really be a problem if our businesses or even our personal computers get hit. I don’t know how the computer would work with our assistive technology applications if files start to get encrypted. I got to thinking about this when hearing this episode. Episode 730 of the podcast talks about the epidemic, and 731 talks about a ransomware author getting way too greedy and not even getting a dime. SN 730 and SN 731 are here for you to peruse and listen to.

SN 731 talks about fake things too, including how someone modified their voice to sound like the boss, and in one story someone wired money as instructed by “the boss.” That’s what the landscape looks like. This is going to get interesting, and Steve’s site has transcripts so you can read what he’s saying if it is too confusing to you, or you have a hard time.

What do you think will happen for the ransomware epidemic? I’d love to hear your thoughts.

Comments Off on Ransomware not going away?
