Imagine yourself sitting at home watching YouTube. You are binge-watching your 7th video of the best cat fails. Everything is going great, and then you get that annoying popup in the corner of your screen. It’s time to update your computer again. But wait, didn’t you already update your computer? So what do you do? If you are like most people, you click “remind me later,” or “don’t remind me again.”
Now I’m going to tell you a little secret of mine. Even as someone who is a practitioner and teacher of cybersecurity, even I sometimes click the “remind me later” button. I know, I know. I’m about to give you a dose of do-as-I-say-not-as-I-do.
Why Computer Updates Happen
So why are there updates all the time? I know it seems like your computer wants to update almost every day. Well, it’s an important part of the software lifecycle. You see, when developers write code for the programs that you use, it’s rarely a single developer. Most of the time it’s a team of people, and people make mistakes. Some of those mistakes turn out to be security flaws, and most of them are found (by the vendor, by researchers, or by attackers) only after the software has shipped. The update is how the fix gets to you.
The only thing you can do is install the update. The next time you see that popup, take the two minutes and click the button. This is one of the biggest things you can do to protect yourself. A large share of the viruses and ransomware in circulation get in through a known, already-fixed vulnerability in software you have on your computer, and the browser (with its plugins) is one of the most common ways in: a booby-trapped web page or ad is all it takes when the browser is out of date.
By installing updates to your browser and your operating system, you close the holes that most of this malware relies on. I know it’s not some sexy cyber trick or some next-generation anti-virus program. But to be honest, a lot of the time when you hear things like that from software companies, it’s mumbo jumbo. The best way to protect yourself is good old fashioned software updates.
But Won’t My Next Generation Anti-Virus Protect Me?
There is no one solution that is going to stop hackers in their tracks. It takes layers of defense to make you more secure. This year, I’m making a renewed effort to update my systems and stay on top of patches. I hope you decide to do the same.
2018 was the year of the breach. Hundreds of companies disclosed breaches, and your data may have been among what was stolen. And those are only the ones we know about. Many companies do not find out that attackers are inside their systems until an outsider tells them, and attackers often sit in a network for months, sometimes years, before they are discovered.
All this to say we can’t always trust that companies will protect your personal information. This means that you have to do it yourself. So every month I’m going to go over some of the worst breaches from the previous month. I’ll tell you the main facts and what it means for you. If you have an account with that company, then I’ll also tell you if there is anything you can do to protect yourself.
This month Marriott, Caribou Coffee, Bruegger’s Bagels, Dunkin Donuts, Warby Parker, Facebook, Quora, and 1-800-Flowers are among the victims of data breaches.
It’s hard to say whether Marriott is the worst breach of 2018, but it belongs in the same conversation as Equifax. Up to roughly 500 million guests of Marriott’s Starwood hotels had their reservation data exposed. Payment card numbers were stored encrypted for a subset of those guests, but Marriott could not rule out that the keys needed to decrypt them were taken as well. The initial notice did not confirm whether login credentials were among the data taken, so the safe assumption is that they were.
My suggestion would be to change your password if you have an account with Marriott. Remember that most credit cards do not hold you liable for fraudulent charges. If you are concerned, you could always request a new credit card number, but that may be unnecessary. You can read more about the Marriott breach here.
Caribou Coffee announced that hackers breached their point of sale systems in 2018, which means that card data could have been captured at several Caribou Coffee locations around the US. The notice they issued here lists the affected locations. If you used your card at any of them, watch your statements. If you see fraudulent charges, call your card company immediately. You can also ask them to issue you a new number.
Bruegger’s Bagels is owned by the same company as Caribou Coffee, so this breach is the same as Caribou Coffee. Bruegger’s Bagels issued a statement here that shows the locations that were breached. If you used your credit card at any of the Bruegger’s Bagels locations, make sure to check your credit card statements. If you discover fraudulent charges, call your credit card company immediately. You may also call them to request a new credit card number if you are concerned.
If you are like me, you are a fan of Dunkin Donuts. They are yet another victim of a data breach in December. According to their announcement, hackers were able to gain access to “first and last names, email address (username), and your 16 digit DD Perks account number and your DD Perks QR Code.” Luckily, no credit card information seems to have been stolen here. But, I would suggest changing your password if you have a DD Perks account.
If you are a customer of the eyeglasses company Warby Parker, you may have been required to change your password recently. Warby Parker reported that attackers logged in to about 198,000 customer accounts using usernames and passwords that had leaked from other sites (a credential stuffing attack). They did the right thing by forcing affected users to reset their passwords. But if you have an account, I would suggest changing your password even if they didn’t force you to, and never reusing it on another site.
The question and answer site Quora is yet another victim of a breach. Quora announced that names, email addresses, hashed passwords, and data imported from linked networks such as Facebook and LinkedIn for about 100 million of their users were taken. Hashed is not the same as safe: weak passwords are recovered from hashes routinely. If you have an account, change your password immediately.
The parent company of 1-800-Flowers announced that their Canadian operations suffered a breach. Canadian customers who ordered from 1-800-Flowers could have had their credit card data stolen. The parent company says this breach did not affect any customers in the United States. As always, my suggestion is to watch your credit card statement and call your credit card company if you see any fraudulent charges.
It’s easy to look at these breaches and think there is no hope. But it’s important to remember that there are some simple steps you can take to protect yourself. With any breach that affects your username and password, change your password. If you use that same password on other sites, change it there too. That’s why I recommend using a password manager. With a password manager, you can create a unique password for every site where you have an account. This way, when a breach happens, you don’t have to worry about changing your password on several sites. I teach you how to do all this and much more in my course “A Hacker’s Guide to Internet Safety and Cybersecurity”.
It’s that time of year again. It’s the holiday season and for most of us, that means time with family and friends. But this time of year isn’t only busy for retail businesses; it’s also a busy time for hackers and scammers. They know that everyone is out purchasing gifts for their loved ones. Since we increasingly turn to online stores to get us those great presents, hackers and scammers have figured out how to use that against you. Everyone wants to know the status of their packages from online retailers. Right after Thanksgiving in the U.S., there is a major increase in fraudulent package emails that make their way into email accounts.
How to Identify Fraudulent Package Emails
Hackers and scammers are trying to prey on your worst nightmares when it comes to online shopping – a lost package. They’ll send emails with subject lines like “Package Undeliverable” or “Delivery Exception”. Think about it, if you ordered something and then a couple of days later you got an email saying your package can’t be delivered, how would you feel? Who wants to deal with a shipping company? And what if the package doesn’t arrive on time?
So you open the email and, without thinking, click the link to try and resolve the issue. That’s where they get you. The link leads to a page the attacker controls: sometimes a fake carrier login or payment page that harvests whatever you type into it, sometimes a download that installs malware. Often that malware is ransomware, designed to hold your files hostage until you pay.
UPS has compiled a lot of really great examples of fraudulent emails that they find. Here’s an example of one –
You’ll see that it looks pretty legitimate. It has the UPS logo and reasonably worded language. But there are a few red flags. The first thing to look at is who it’s from. The address in the From line is not a ups.com address. That should tip you off right away. The reverse is not a guarantee, though: the From line can be forged, so a correct-looking sender is not proof that the email is real.
But what if you don’t look at the “from” block of the email? The second issue is that there is no tracking number in this email. Most delivery exception emails from any carrier will have a tracking number in the body or subject of the email. This example has neither.
The last red flag in this email is the link. The text you see may look like the legitimate UPS address, but a link’s visible text and its actual destination are two separate things: an attacker can display www.ups.com and point the link at their own site, which hosts the phishing page or the malware. The way to defeat that is to hover your mouse over the link without clicking it; your mail client or browser shows the real destination, usually in a bottom corner of the window. On a phone, press and hold the link to see the same thing.
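As an added example (not from the original post, and not a tool any carrier provides), here is a small Python checker for the three red flags just described: the sender’s domain, a missing tracking number, and link text that disagrees with the link’s real target. The two messages in it are constructed; the hostnames are made up, and the tracking number pattern is the UPS one (1Z followed by 16 characters), an assumption that would need extending for other carriers. The From check is the weakest of the three, since that header can be forged.

```python
"""Flag the delivery-notice red flags described above.

Added example, not part of the original post. Both messages below are
constructed; the hostnames are invented and the tracking-number pattern is
an assumption (UPS style: 1Z + 16 alphanumerics).
"""
import email
import re
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"ups.com"}  # assumption: the carrier's real domain(s)
TRACKING_RE = re.compile(r"\b1Z[0-9A-Z]{16}\b")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL, or of link text that looks like one, minus a leading www."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_legit_domain(host):
    """True only for the carrier's domain or a subdomain of it (ups.example.net is not)."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def red_flags(raw_message):
    """Return a list of red-flag labels; an empty list means none of the three fired."""
    msg = email.message_from_string(raw_message, policy=default)
    flags = []

    sender = msg["From"]
    sender_host = sender.addresses[0].domain.lower() if sender and sender.addresses else ""
    if not is_legit_domain(sender_host):
        flags.append(f"from-domain:{sender_host}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if not TRACKING_RE.search(text) and not TRACKING_RE.search(msg["Subject"] or ""):
        flags.append("no-tracking-number")

    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        target = host_of(href)
        if not is_legit_domain(target):
            flags.append(f"link-target:{target}")
        # Visible text names the carrier but the link goes elsewhere: the hover check.
        if shown and host_of(shown) != target and is_legit_domain(host_of(shown)):
            flags.append(f"link-text-mismatch:{shown}->{target}")
    return flags


# Constructed phishing message: wrong sender domain, no tracking number, disguised link.
PHISH = """\
From: "UPS Quantum View" <notice@ups-delivery-support.example>
To: you@example.net
Subject: Delivery Exception - Action Required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We were unable to deliver your package. Please confirm your address:</p>
<p><a href="http://ups.tracking-update.example/confirm">www.ups.com/tracking</a></p>
</body></html>
"""

# Constructed legitimate-looking message: real domain, tracking number, link matches text.
LEGIT = """\
From: UPS <mcinfo@ups.com>
To: you@example.net
Subject: UPS Update: Package 1Z999AA10123456784 Scheduled for Delivery
Content-Type: text/html; charset="utf-8"

<html><body><p>Track it: <a href="https://www.ups.com/track?tracknum=1Z999AA10123456784">www.ups.com</a></p></body></html>
"""

if __name__ == "__main__":
    print("phish:", red_flags(PHISH))
    print("legit:", red_flags(LEGIT))
```

The domain check deliberately tests for a suffix match on ups.com, so look-alikes such as ups.tracking-update.example fail even though they start with the carrier’s name.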
What can I do if I’ve received one of these emails?
I always recommend being cautious of any links in emails. Especially emails that you didn’t sign up for. So my first suggestion would be to not click links in any emails. But what if the email is legitimate? Well that brings me to my second suggestion.
Each of the main package delivery services have some sort of online account that will alert you of incoming packages. UPS has UPS My Choice, FedEx has FedEx Delivery Manager, DHL has MyDHL, and USPS has Informed Delivery. With all of these services, you can put in your address and it will inform you of packages that are coming your way. Instead of clicking on the links in an email, log in to the services and see if there are any packages scheduled for delivery. This way you know that the package is coming and you don’t have to worry about clicking any links in your email.
My final tip for you is to forward any suspected fraudulent emails to the shipping company’s fraud department. Each of the major services has an entire department dedicated to fighting fraud. They rely on you to help protect packages and their customers. So if you get one of those emails use the links below to find the email address to forward the phishing email to. This will help them take down the hackers and keep you safer.
When you install a Facebook app, you give that app permission to read data you post on Facebook. One thing to remember is that Facebook is not the developer of most of these apps, so you are in essence giving someone other than Facebook access to your photos and posts. Facebook is notifying people whose photos were exposed as part of this issue. If yours were, you’ll get a notification in the Facebook app the next time you log in. Facebook says it is working with the app developers to delete the exposed photos.
How Do You Stop Apps?
There is something you can do about this though. I recommend that everyone look at the apps that are installed. You can see all the apps and the individual permissions that those apps have. Make sure that you are alright with giving that third party access to your data. You can either delete the app or deny permissions to the app.
The image above is an app I had installed. You can see I’ve given this app permission to see my friends list, birthday, pages I like, and my email address. But this page gives me the ability to turn off those individual permissions. So if I don’t want Pinterest to see the pages I like, all I have to do is turn that permission off.
I will warn you in advance, turning off permissions like that could break the app. This means that it may not provide the service you want anymore. I would suggest looking at the apps and thinking about what service it provides you. If you don’t want or need that service anymore, delete the app.
We all give Facebook a lot of information about ourselves and we assume that they will protect that. We all need to do a better job of protecting ourselves online, but especially with regard to social media. It’s clear that the companies we do business with aren’t doing a great job of that. That’s why I’m working on a Facebook security workshop that I plan to launch in the next few weeks. If securing your Facebook account is something you want to learn how to do, sign up using the form below. I’ll send you an email to register for the free workshop.
When I first got into cybersecurity there wasn’t much talk about complex password requirements and next generation firewalls. The advice from experts was simple: keep an up to date anti-virus application and patch your computers on a regular basis.
Now the advice is much different and the prevailing thought is that anti-virus is largely ineffective at stopping some of the more advanced threats out there. This means that we as individuals have to be more cautious about what we download and what we install on our computers. So let’s take a little bit to understand how anti-virus works and why it’s sometimes ineffective.
How Does Anti-Virus Work?
One of the most common ways that anti-virus finds and stops viruses, malware, and ransomware is “signature-based” detection. It is exactly what it sounds like: the anti-virus vendor writes a signature for each virus it knows about, and the software scans your files for those signatures.
There are two problems with this type of detection. The first is that a signature usually looks for something very specific: a particular sequence of bytes the vendor knows is in the virus, or a specific file the virus drops when it runs. Signatures can get quite sophisticated, but a signature that matches exact bytes is broken by any change to those bytes, and changing them is cheap for the attacker.
So let’s look at what a very simplistic signature would be. Say you have a virus that, once installed, runs the code printf(“hello world”). Nothing real is that simple, but for this demonstration pretend our virus contains it. The anti-virus vendor writes a signature for those exact bytes, and the scanner looks for them in every file on your system.
As a malware author, all I have to do is change those bytes without changing what the program does: insert a do-nothing instruction (on x86 a NOP, byte 0x90) in the middle of the sequence the signature expects, split the string and reassemble it at run time, or encode the whole program and decode it only in memory. The bytes on disk no longer match, and I have effectively defeated that signature.
As a seasoned professional in the industry, I will be the first to say it’s not as easy as I just made it out to be. The anti-virus vendors are very good at creating signatures. However, the virus authors have been largely successful at getting past anti-virus applications thus far, so we can’t rely on anti-virus as our only means of protection.
New Viruses and Their Non-Existent Signatures
The other pitfall of anti-virus applications is that many of them rely on having seen the virus before. By this I mean that if the virus that gets installed on your computer is new to the internet, then the likelihood that any anti-virus vendor has a signature for it will be slim to none.
Anti-virus vendors have teams dedicated to finding new viruses. Their analysts watch the places where malware is traded, run honeypots and sandboxes to catch fresh samples, and collect suspicious files reported back by the software already installed on customers’ computers. They also rely on outside people to submit files they think might be viruses for analysis.
The problem is that when a new virus is released, it may take a while before the vendor’s team finds it or someone submits it. The gap between the virus’s release and the signature’s release can be hours, days, or even weeks. What this means for you is that during that window your anti-virus software isn’t protecting you against it. If you download and run it before a signature comes out, you could have your data stolen or held for ransom.
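To make the two weaknesses concrete, here is an added toy scanner in Python (not real anti-virus code, and not from the original post). The “malware” is a constructed byte string; the x86-looking bytes around it are arbitrary. It shows three kinds of signature side by side: a hash of the whole file, an exact byte string, and a wildcard pattern in the spirit of YARA hex strings. The NOP-insertion trick from the text defeats the first two but not the third; a simple XOR “packing” of the whole payload defeats all three until someone writes a new signature for it, which is the second problem.

```python
"""Why byte-pattern signatures are brittle: a toy scanner.

Added example; not real anti-virus code. The samples are constructed byte
strings, not real malware.
"""
import hashlib
import re

# Constructed "malware": a few arbitrary x86-looking bytes around the tell-tale string.
ORIGINAL = b"\x55\x48\x89\xe5" + b"hello world" + b"\x5d\xc3"

# Signature 1: a hash of the whole file. Matches this exact file and nothing else.
HASH_SIG = hashlib.sha256(ORIGINAL).hexdigest()

# Signature 2: an exact byte string, the kind the text describes.
EXACT_SIG = b"hello world"

# Signature 3: a wildcard pattern ("hello", up to 8 arbitrary bytes, "world"),
# the way YARA hex strings allow jumps. DOTALL so "." also matches newline bytes.
PATTERN_SIG = re.compile(rb"hello.{0,8}world", re.DOTALL)


def scan(blob):
    """Return the names of the signatures that fire on blob, in fixed order."""
    hits = []
    if hashlib.sha256(blob).hexdigest() == HASH_SIG:
        hits.append("hash")
    if EXACT_SIG in blob:
        hits.append("exact")
    if PATTERN_SIG.search(blob):
        hits.append("pattern")
    return hits


def mutate(blob):
    """The text's trick: drop a do-nothing byte (x86 NOP, 0x90) inside the
    sequence the exact signature expects. Behaviour is unchanged, bytes are not."""
    return blob.replace(b"hello world", b"hello\x90 world")


def repack(blob):
    """A stronger evasion: XOR-'pack' the payload so none of the original bytes
    appear on disk. A real sample would carry a small stub to undo this in memory."""
    return bytes(b ^ 0x5A for b in blob)


if __name__ == "__main__":
    print("original:", scan(ORIGINAL))        # all three fire
    print("mutated: ", scan(mutate(ORIGINAL)))  # only the wildcard pattern survives
    print("repacked:", scan(repack(ORIGINAL)))  # nothing fires: a 'new' virus to the scanner
```

The takeaway is the one the text makes: the more exact a signature is, the easier it is to sidestep, and a sample that has been transformed enough looks brand new until the vendor catches it and writes a signature for the new form.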
What Do You Do?
All hope is not lost. I don’t want you to think after reading this article that anti-virus is awful and that you should uninstall it. Anti-virus is a very important part of your layered security model. You just need to understand what anti-virus is good at defending you against and where it is lacking.
Anti-virus vendors pride themselves on being able to block a lot of what I call the “broad-based” viruses and malware. This means that you are protected from many of the common viruses and malware on the internet today. Nevertheless, you cannot open every file and click on every link sent to you and feel 100% protected by your anti-virus system.
My final advice to you is make sure your anti-virus tool is set to automatically update and stay vigilant when you open links and documents from people you don’t know. With these tips in mind, you will be more secure than many people out there, and that is our ultimate goal – be harder to hack than the next person.
Have you ever been hacked? Do you know someone who has been hacked before? Most people I talk to say they feel as though they don’t know enough about computer security. I’ve spent a majority of my career protecting the networks of large companies and I’ve been able to translate what I’ve learned there into simple tips and techniques that the average computer user can implement to protect their digital life.
I created a course, A Hacker’s Guide to Internet Safety and Cybersecurity, to teach those tips and techniques. The course has over 30 lectures and over 2 hours of content.
Throughout this week I’ll be posting a new preview video on our YouTube channel so you can get an idea of what the class will be like. If you like what you see, I’ll be posting a special coupon on Monday July 23rd so that you can enroll at our special introductory price.
Password Reset Questions
We’ve all been there, you enter your password and get the “Incorrect Password” error. You panic because you can’t get in to your account. Then the magical password reset link appears just below the error like an angel from heaven.
Most of the time when you set up an account anywhere online, part of the registration process is to set up password reset questions in case you forget your password. We all typically set up the standard questions:
What’s your mother’s maiden name?
What was the make of your first car?
What is your maternal grandmother’s first name?
These questions are easy questions for us to remember for when we forget our password, but what most people don’t think about is that most of this information is public information. Attackers can easily find out the answers to these questions. A lot of information on your family is public record and sites like ancestry.com have done a great job of collecting these public records and providing a place for everyone to search for them.
How to Choose More Secure Password Reset Questions
Hackers have used the answers to these questions to take over people’s online accounts. In the video preview I suggest changing the way you answer your password reset questions. The first way to ensure that hackers can’t use your password reset questions against you is to choose questions whose answers are not public information. Questions like “What is your favorite food?” or “Where was your favorite childhood vacation?” are better because a hacker can’t look those up in public records (as long as you haven’t posted the answers on social media).
If you can’t choose questions about your likes and dislikes, you can always lie on the public-record questions. For example, if you put your best friend’s last name, or a random string, as the answer to “What is your mother’s maiden name?”, hackers won’t be able to answer it from their research. Just store the made-up answer in your password manager, because you won’t remember it either.
Another one bites the dust! One of my favorite things is to follow big internet breaches and collect breach data. It seems that many large companies have had their fair share of breaches in the past and Adidas is no exception.
At the end of June Adidas issued a press release stating that they were informed that a third party had acquired some data on their customers from their systems. The press release was very sparse with the details as it usually is. But they did mention that during their investigation they found that “limited [including] contact information, usernames and encrypted passwords” may have been obtained by the third party.
What Should I Do Now?
Breaches like this happen all the time, and if you are an Adidas customer you should seriously consider changing your password. The press release says the passwords were encrypted, which in practice almost always means hashed: the site stores a one-way fingerprint of your password rather than the password itself. It’s still good practice to change your password after any breach, because a hash protects you only as well as the password behind it.
Attackers don’t need to reverse the hash. They take huge lists of common passwords and passwords leaked in earlier breaches, run each guess through the same hashing algorithm the site used, and compare the results with the leaked hashes; every match is a recovered password. How long this takes depends on the site: an unsalted, fast hash (MD5, SHA-1, plain SHA-256) lets an attacker test every guess against every account at once at billions of guesses per second, whereas a salted, deliberately slow hash (bcrypt, scrypt, Argon2, PBKDF2) forces them to attack each account separately and far more slowly. A press release almost never says which one was used, which is one more reason to change the password.
This is the perfect example of why everyone should use a unique password for every website. Hackers routinely exploit password reuse to get into other accounts a person has, a technique called credential stuffing. Let’s assume that you had an account with Adidas and that the password for your Adidas account and Facebook account were the same. If an attacker recovered your password from the Adidas dump, they would then have your Facebook password too.
However, if you used a password manager and all the passwords for your websites were different the attacker would only have gained access to your Adidas account. They would not be able to use that password on other sites and then get into more sensitive parts of your life. This is where unique passwords really show their value.
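To show what “brute forcing an encrypted password” actually looks like, and why a reused password turns one breach into several, here is an added Python example (not from the post, and unrelated to how Adidas stores passwords, which the press release does not say). The leaked records, the salts, the usernames and the guess list are all constructed. It contrasts an unsalted SHA-256 dump, where one table of hashed guesses covers every account, with a salted PBKDF2 dump, where every guess must be re-hashed per account and each hash is slow, and then replays the recovered password against a second constructed site.

```python
"""Offline guessing against leaked 'encrypted' (hashed) passwords.

Added example, not from the post. All records, salts and the guess list
are constructed for illustration.
"""
import hashlib
import hmac

# Constructed guess list. Real attackers use lists of hundreds of millions of
# passwords taken from earlier breaches, so this is tiny on purpose.
WORDLIST = ["password", "letmein", "adidas2018", "sunshine", "Tr0ub4dor&3"]


def sha256_hex(password):
    """A fast, unsalted hash: what many 'encrypted password' columns really are."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed dump. Alice picked a common word; Bob picked a long passphrase.
LEAK_UNSALTED = {
    "alice": sha256_hex("sunshine"),
    "bob": sha256_hex("correct horse battery staple"),
}


def crack_unsalted(leak, wordlist):
    """Hash each guess once and look it up against every leaked account:
    the cost is len(wordlist) hashes no matter how many users leaked."""
    table = {sha256_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in leak.items() if h in table}


ITERATIONS = 100_000  # work factor; real deployments tune this to ~100 ms per hash


def pbkdf2_hex(password, salt, iterations=ITERATIONS):
    """A salted, deliberately slow hash, as a site should store passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed per-user salts (a real site draws these from os.urandom).
SALTS = {"alice": bytes(range(16)), "bob": bytes(range(16, 32))}
LEAK_SALTED = {
    "alice": (SALTS["alice"], pbkdf2_hex("sunshine", SALTS["alice"])),
    "bob": (SALTS["bob"], pbkdf2_hex("correct horse battery staple", SALTS["bob"])),
}


def crack_salted(leak, wordlist):
    """With per-user salts no shared table helps: every guess is re-hashed for
    every user, and each hash costs ITERATIONS rounds. Returns (found, attempts)."""
    found, attempts = {}, 0
    for user, (salt, stored) in leak.items():
        for w in wordlist:
            attempts += 1
            if hmac.compare_digest(pbkdf2_hex(w, salt), stored):
                found[user] = w
                break
    return found, attempts


# Constructed second site where Alice reused her password and Bob did not.
OTHER_SITE = {"alice": sha256_hex("sunshine"), "bob": sha256_hex("a different one")}


def credential_stuffing(cracked, other_site):
    """Replay recovered user/password pairs against another site; return who it opens."""
    return [u for u, p in cracked.items() if other_site.get(u) == sha256_hex(p)]


if __name__ == "__main__":
    cracked = crack_unsalted(LEAK_UNSALTED, WORDLIST)
    print("unsalted dump, recovered:", cracked)
    print("salted dump, recovered and attempts:", crack_salted(LEAK_SALTED, WORDLIST))
    print("same password also opens:", credential_stuffing(cracked, OTHER_SITE))
```

Bob’s passphrase is never recovered in either case because it is not in the guess list; Alice’s is recovered both times, and the only thing a slow salted hash buys her is time. The unique password is what keeps the second site closed.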
What To Do Now?
If you have an Adidas account I would suggest changing your password immediately. After Adidas completes their investigation they may find that there was no issue, but I always say “better safe than sorry”. If you change your password now you know that any password that was leaked will no longer be valid and you can rest assured that the attackers out there will not be able to get into your account using that old password.
If you are not using a password manager, why not? Password managers help you to create unique passwords as well as strong and secure passwords which are harder to brute force. Finally, using a password manager makes changing a password on an individual site very easy, you just let the password manager generate a new password and you never have to remember it.
For those of you who don’t know what TSHARK is, you are missing out on a very powerful program. TSHARK is essentially the command line version of Wireshark. Why is this important? When dealing with very large PCAP files, Wireshark tends to choke on the processing. Enter TSHARK. It can quickly go through a large PCAP file, apply a filter, and write out a smaller PCAP of just the packets that match your Wireshark filter. This is all great, but it only scratches the surface of what TSHARK can do.
Let’s take a look at the -T option of TSHARK. According to the manual page, -T sets the format of TSHARK’s text output. If you use TSHARK with -T fields, it prints individual fields from each packet, one packet per line, with the fields you ask for separated by tabs. What does that mean? Look at the screenshot below. Each item in Wireshark’s packet details pane is a field that you can tell TSHARK to output.
Now where TSHARK becomes really powerful is when you combine it with Linux’s powerful command line text manipulation like grep, sort, uniq, sed or gawk. Say for example you wanted to see a list of all the destination IP addresses and how many times they have talked in a particular PCAP file. Run the below command:
So what does each of those switches do? The -r switch reads an existing pcap file. The -T switch we’ve already talked about; I used fields to tell it I want specific fields output, and the -e option tells TSHARK which field you want. If I just ran the TSHARK part of the command I would get the destination IP address of every packet in http.pcap, one per line. That’s fine, but what I’ve done is pipe that list into sort and then uniq -c, which counts each unique IP address and how many times it shows up. The sort has to come first, because uniq only collapses adjacent duplicate lines.
In the example above we only looked at one field, but what if you want to see more than one field within a packet? Well that’s pretty easy as well, just add multiple -e flags with all the fields you want to see. So for example if you wanted to see the source IP, source port, destination IP and destination port all together you would run something like this:
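The two pipelines described above are tshark -r http.pcap -T fields -e ip.dst | sort | uniq -c | sort -rn for a single field and tshark -r http.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | sort | uniq -c | sort -rn for the four-field version (add -w out.pcap instead of -T fields to write matching packets to a new capture). As an added example, not from the tutorial or the Wireshark project, here is a Python script that builds that same tshark command and does the counting itself, which is handy when you want more than sort and uniq can give you. It needs tshark on your PATH only for run_tshark(); the sample lines below are constructed to look like tshark’s tab-separated output, including one frame with no IP or TCP fields, which the shell pipeline would quietly count as a blank line.

```python
"""Building and post-processing a `tshark -T fields` run from Python.

Added example; not from the post or the Wireshark project. run_tshark()
needs tshark on PATH and a capture file; everything else works on the
constructed SAMPLE lines, which mimic tshark's tab-separated output.
"""
import shutil
import subprocess
from collections import Counter


def tshark_cmd(pcap, fields, display_filter=None):
    """argv for: tshark -r <pcap> -T fields -e <f1> -e <f2> ... [-Y <filter>]."""
    cmd = ["tshark", "-r", pcap, "-T", "fields"]
    for field in fields:
        cmd += ["-e", field]
    if display_filter:
        cmd += ["-Y", display_filter]  # Wireshark display filter applied before output
    return cmd


def run_tshark(pcap, fields, display_filter=None):
    """Run tshark and return its output lines, one packet per line."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark is not installed or not on PATH")
    proc = subprocess.run(tshark_cmd(pcap, fields, display_filter),
                          check=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def count_column(lines, index):
    """Same result as `| sort | uniq -c | sort -rn` on one field (e.g. ip.dst),
    except that frames which lack the field are skipped rather than counted as ''."""
    counts = Counter()
    for line in lines:
        parts = line.split("\t")
        if index < len(parts) and parts[index]:
            counts[parts[index]] += 1
    return counts.most_common()


def count_tuples(lines, nfields):
    """Count whole rows such as (src, sport, dst, dport). Rows missing any field
    are dropped; in the shell pipeline they collapse into one blank-line bucket."""
    counts = Counter()
    for line in lines:
        parts = line.split("\t")
        if len(parts) == nfields and all(parts):
            counts[tuple(parts)] += 1
    return counts.most_common()


# Constructed sample of `-e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport` output.
SAMPLE = [
    "192.168.1.10\t51234\t93.184.216.34\t80",
    "93.184.216.34\t80\t192.168.1.10\t51234",
    "192.168.1.10\t51234\t93.184.216.34\t80",
    "\t\t\t",                                  # an ARP frame: no IP or TCP fields
    "192.168.1.10\t51235\t93.184.216.34\t80",
]

if __name__ == "__main__":
    print("destinations:", count_column(SAMPLE, 2))
    for row, n in count_tuples(SAMPLE, 4):
        print(n, *row)
```

Replace SAMPLE with run_tshark("http.pcap", ["ip.src", "tcp.srcport", "ip.dst", "tcp.dstport"], "http") to do the same over a real capture, with the display filter cutting the output down before it is counted.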
Well, I hope you learned something with this little tutorial. I was asked to create a video by one of my students on this very topic. I thought it was such an important topic that I included the video tutorial on YouTube as well as in my Wireshark Crash Course. See the video below.