Network Solutions blog: How to defend against web skimming attacks

Magecart web skimming group targets public hotspots and mobile users | CSO  OnlineYour eCommerce website is vulnerable to a variety of threats known collectively as web skimming. The hackers behind these threats are getting better at penetrating your site and installing their malware to steal your customers’ money and private information. And web skimming is getting more popular both with the rising frequency of attacks and with bigger data breaches recorded. In this post for Network Solutions’ blog, I describe how these attacks work, reference a few of the more newsworthy ones and provide a bunch of tips on how to prevent your own eCommerce site from becoming compromised.


Securing your IRS online account

It is hard to believe that it has taken the US IRS all this time to figure out a better authentication mechanism for taxpayers. But starting next month, all taxpayers can apply for an identity protection personal identification number (IP PIN) to block identity thieves from falsely claiming any tax refunds. To give you an idea of the magnitude of this problem, the IRS says several billions of dollars of phony refunds have been prevented through its half-hearted efforts to date. This includes phony refunds that are issued to taxpayers who never filed returns.

The IP PIN process used to be for high-risk taxpayers: those who have been victims of refund fraud attempts in the past. Starting next month, we can all join this party (hopefully not the victims group). They explain all of this here, which they call “secure access.”

To participate, you will need a “real” cellular phone number (vs. an IP service like Google Hangouts) and your email address. You will also need a credit card or some other financial instrument (not a debit card) to prove your identity. If you are concerned about giving your phone number to the IRS, you can substitute your postal address and they will send the confirmations that way.

The IP PIN is a six-digit code that changes annually. That is annoying — why not use Google-like authenticator smart phone app —  and to make matters more confusing, this differs from the five-digit PIN that is used during the e-filing process for your return. (When I first typed in e-filing, I didn’t use a hyphen and one of the suggestions was effing. That isn’t too far from reality. But I digress.)

Even though the IP PIN effort isn’t happening until next month, you can sign up for your IRS electronic account now.  (CORRECTION: The IRS took down the service until January, see the link in my comment.)

This will be a prerequisite for the universal IP PIN process. You’ll notice that particular link isn’t mentioned in the earlier link that explains what secure access is: Dontcha just love our gummint? Anyway, I spent about 20 minutes getting my digital ducks in order for myself and about the same time for my wife’s account. My first credit card for some reason wasn’t accepted, and the site was initially down the time I tried to sign up my wife. I was going to use my Amex card but the IRS doesn’t take that either. Eventually, both of us passed muster and created our accounts It was nice to see that we didn’t owe the IRS any money from past filings.

If this has awakened a desire to be more proactive about protecting your digital identity, Brian Krebs has a bunch of other suggestions that he calls “planting your digital flag.” They are all good ones, although if you are paranoid about your privacy you might want to think about the security tradeoffs you are making.

Avast blog: The rise of the OGUsers hacking group

The hacker’s forum called OGUsers has ironically been a tempting target for criminals, with a series of at least three successful hacking attempts in the past couple of years: Once in May 2019, a second time in March 2020, and a third time just last week. In my post for Avast’s blog, I talk about how this forum came to be and its involvement in a series of earlier hacks that it originated as well as more specifics on the three attempts. And a few suggestions on what you can do to prevent your account data from being compromised.


Book review: Tom Clancy’s Net Force Attack Protocol

This is the latest in a series of books written by others, in this case by Jerome Preisler. I had high hopes for this book, which is part of a series  about a new cybersecurity-enhanced Seal Team type of military commandos. This shows how good an author Clancy is, and how Preisler is just a pale imitation. Like the “Rocky” movie sequels, the book picks up where previous books end, so you really can’t realize your full value if you read it as a standalone volume. And it just ends at some random plot point, without really resolving many of the characters’ situations. Like Clancy, it is filled with jargon, weaponry, mil-speak, and plenty of explosions and gun play. Unlike Clancy, none of this really makes much sense or is essential to moving the plot along, or even mildly interesting. As someone who works in cybersecurity, I thought its treatment of the IT issues were just juvenile and superficial and didn’t draw me into the narrative or characters. Plus, the actual advanced cybersec defenders are less dependent on those macho things that shoot bullets and more on using their brains and computer skills.  If you are hungry for more Clancy, pick up one of his old classics like “Red October.” Or if you want to read a series that has much better character and plot development how an actual cybersec team works, check out this series.  In either case, you should give this Protocol a pass.

Buy the book from Amazon here.

Network Solutions blog: an IT professional’s guide to virtual events

You’re in your comfort zone. Maybe you’re solving problems related to IT security, network management or cloud computing. Perhaps you’re helping someone reset their password or get set up on a VPN. Whatever the task is, you feel good about it. You understand your specialty, and you like to stay focused on doing what you do best. Then, one day, someone in your organization messages you and asks you to help run a virtual conference.

Time stops. Your hand freezes on the mouse. The text cursor blinks in the reply field, counting down the seconds until you have to respond. A virtual conference? How do you even start to prepare for something like that?

It might be outside of your wheelhouse, but the truth is that IT professionals like you have a critical role to play in facilitating and troubleshooting virtual conferences. Your team needs your help to ensure the event goes smoothly. You’ll need to choose the right conferencing solution, find event management software that fits your needs and learn how to work with a production team. Then, when the big day comes, you’ll have to perform live troubleshooting to make sure it stays on track.

Download my latest eBook from Network Solutions here to learn more about best practices in supporting virtual events.

There was no hacking of our elections. Period.

I have struggled trying to write something about the underlying IT of our recent elections without making this overtly partisan or political. So here goes: there was no hacking of our ballots. We had probably the most secure election in our nation’s history. No foreign power changed any ballots. Numerous recounts verified the results. Biden won, fair and square.

Yes, the precise tabulation of votes was off by a few votes here and there. But not enough to change the overall result or who will become our next president. The states that were called for each candidate – including an early prediction by Fox News that Biden won Arizona on election night — remained unchanged.

Sunday night on 60 Minutes Chris Krebs was interviewed about his role in securing our election. Krebs ran the Cybsersecurity and Infrastructure Security Agency for DHS for several years and built up a powerhouse support team for local elections officials. If you haven’t yet watched the segment, please take the time to do so, or at least read the transcript of his interview. He makes it very clear what happened, and more importantly, what didn’t happen. The claims by our president are just pure fantasy.

Krebs reiterates the points made in this November 12th letter signed by various government election officials who have been supporting the underlying security efforts: “There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.” Krebs wrote an op-ed for the Washington Post.

Krebs and his team put together a special website called “rumor control” that is still online. It contains FAQ about rumors and misinformation about our electoral process. We should have similar pages across all government agencies, especially in these times where facts are hard to come by. The Rand Corporation calls this truth decay and how we can’t agree on the facts anymore.

Ironically, many of these rumors were started by our president and his advisors.

Krebs was very accessible on election day, hosting a series of teleconferences with reporters every few hours. It was an odd series of briefings. I kept waiting for the ball to drop but as the day wore on, it was clear that our vote was clean. “It is just another Tuesday on the Internet,” Krebs said at one point. It was clear that he had done his job well, and we should have praised him. Instead, he was fired by a tweet a couple of weeks later.

In the process of writing about elections security for Avast’s blog, I have met and interviewed some of the computer scientists who wrote their own letter. They firmly state that claims about rigged elections “either have been unsubstantiated or are technically incoherent.” This includes allegations about the operations of one of the tech voting machine vendors: there was no wholesale transfer of votes.

Another irony: it is the abundance of paper ballot backups – and the 100M people that voted early and by mail — that made these claims false. Look at the Georgia manual recount. Yes, Georgia has had some tech problems in the past year, documented by this investigation in the Atlanta newspaper. But they ultimately pulled it together for November. Again, their final tally differs by a few votes here and there. There were some counting errors, but those were done by humans, not computers. And more importantly, they were discovered and corrected. The final tally for both candidates increased slightly. But Biden’s victory margin was tens of thousands of votes and remained intact after the recount. What is more impressive is the number of counties where the counts remained exactly the same.

Our elections – and our democracy – worked. Krebs said last night that it is “a travesty what is happening now with all these death threats to election officials. They are defending democracy. They are doing their jobs.” Here is more from another interview where he talks about these threats to a WaPost reporter.

Avast blog: Return of the Mirai botnet

Remember Mirai? This four-year old botnet was the scourge of the internet and used as the launching pad for numerous DDoS attacks. It continues to be the basis for new attacks, and I blog about this for Avast here. There are several mitigation measures you can take, including  using a free tool from F-Secure that can check your router for any potential weaknesses. You might also use this to put a more complete program in place to ensure all critical network infrastructure has appropriately complex and unique passwords. 

Lessons learned from the Home Depot breach

You might have forgotten about the massive Home Depot data breach. After all, it happened in 2014. More then 56M customers’ payment card data was exposed as a result of malware being installed on the self-checkout lanes in numerous stores. (While I haven’t been in any store in a while, I do recall those self-checkout lanes to be annoying and spending time rescanning my items.) The malware operated for several months before it was detected and removed. At the time, it was the largest breach on record. The main cause of the breach was stolen third-party credentials. A report that SANS has put together is an excellent analysis of what happened.

The company was fined $17.5M as a result as part of a settlement which was announced this past week with various state and federal officials. Reviewing the press release was quite revealing (for once) because it lists a number of action items that Home Depot had agreed to implement to prevent further breaches. These include:

  • Having a Chief Information Security Officer report to C-level executives and the Board of Directors
  • Providing resources necessary to fully implement the company’s information security program, including a comprehensive security awareness and privacy training program
  • Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, and data encryption controls
  • Regular vulnerability scans of their networks that includes risk assessments, penetration testing, intrusion detection, and vendor account management
  • Appropriate network segmentation of their POS equipment and other sensitive areas

One would hope that in the past six years they have actually done all of these. Yes, our legal system moves quite slowly. But it is a handy reference list for all of us to evaluate the IT security of our own businesses. And it isn’t as simple as turning on all the features of their endpoint protection tool (something that Home Depot didn’t do back in 2014 for some odd reason) but implementing more system-wide efforts that need continuous attention. For example, the POS was running Windows XP, which was outdated and quite vulnerable even in 2014.

IT security isn’t a destination, but an evolutionary process. Take your eyes off the ball and you’ll find yourself in a similar situation to Home Depot.

Network Solutions blog: What is Identity and Access Management and How Does It Protect High-Profile Users?

Microsoft AccountGuard banner Image

My latest blog for Network Solutions is about identity and access management. Our email accounts have become our identity, for better and worse. Hackers exploit this dependency by using more clever phishing lures. Until recently, enterprises have employed very complex and sophisticated mechanisms to manage and protect our corporate identities and control access to our files and other network resources. What has changed recently are two programs from Microsoft and Google that are designed to help combat phishing. They are aimed at helping higher-risk users who want enterprise-grade identity and access management security without the added extra cost and effort to maintain it. The two programs are called AccountGuard (Microsoft) and Advanced Security (Google). In my blog post, I explain what these two programs are all about.

Network Solutions blog: Honeypot Network Security, What It Is and How to Use It Defensively

What is a Honeypot | Honeynets, Spam Traps & more | ImpervaThe original idea behind honeypot security was to place a server on some random Internet link and sit back and wait until some hacker happened by. The server’s sole purpose would be to record the break-in attempt — it would not be part of a normal applications infrastructure. Then a researcher would observe what happened to the server and what exploit was being used. A honeypot is essentially bait (passwords, vulnerabilities, fake sensitive data) that’s intentionally made very tempting and accessible. The goal is to deceive and attract a hacker who attempts to gain unauthorized access to your network.

In this blog for Network Solutions, I describe their role in modern network security, compare the features of various commercial and open source products, and provide a series of tips on how to pick the right kind of deception product to fit your business’ needs.