Aug
07
Filed Under (Editorial, Reviews & Opinions) by David Wiles on 07-08-2017

According to the South African Banking Risk Information Centre (SABRIC), South Africans lose in excess of R2.2bn to internet fraud and phishing attacks annually!

This gives South Africa the embarrassing status of having the third highest number of cybercrime victims worldwide!

South Africa has suffered more cybercrime attacks than any other country in Africa.

Antonio Forzieri, Cyber Security Practise Lead: EMEA at Symantec, is quoted as saying that “one in 214 emails sent in South Africa during 2014 was a spear-phishing attack.”

This morning’s attack on the University of Stellenbosch was a spear-phishing attack. (“spear-phishing” is not a new water sport!)

Phishing emails target a broad group of users in hopes of catching a few victims but spear-phishing emails are far more focussed.

SPEAR-PHISHING is where the perpetrator targets a specific person or organisation – like the university. This takes the form of emails addressed to you, ostensibly from within the organisation using an internal e-mail account. It looks familiar and appears legitimate!

This morning’s attack came in the form of an e-mail, disguised as being sent from a trusted source (a known university e-mail address), and tried to fool victims into voluntarily disclosing sensitive information such as usernames and passwords, by encouraging people to open a link that took them to a site that was disguised to look like the university’s webmail login page.

Most spear-phishing emails have a “call to action” as part of their tactics, which is an effort to encourage the receiver to open a link or attachment or suffer some consequence: “We have detected your mail settings are out of date…Sign in and automatically update your mailbox…”

What was concerning about this morning’s attack was that the perpetrators had registered a South African domain name (which can only be done in South Africa) using a name very similar to Stellenbosch, and by including the university’s network acronym, SUN, in the domain name! This was not a random attack. It was focussed and, judging by the number of e-mail addresses it was sent to, was specifically engineered to compromise the university network.
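The lookalike domain is the detectable part of this attack. As an added illustration (not code from the original post or from the university), here is a small Python checker that flags hosts in an e-mail body which imitate the trusted mail domain: the trusted label under a different suffix, a label within one edit of it, or the institution’s name or acronym embedded in the registrable label. The trusted domain `sun.ac.za`, the name list and the tiny public-suffix table are assumptions, and the sample message and its domains are constructed placeholders, not the real attack e-mail.

```python
import re

# Assumptions (not from the original post): the university's trusted mail domain
# and the name/acronym an attacker would imitate.
TRUSTED_DOMAIN = "sun.ac.za"
INSTITUTION_NAMES = ("stellenbosch", "sun")
# Minimal suffix table for this example; a real deployment would use the Public Suffix List.
PUBLIC_SUFFIXES = ("ac.za", "co.za", "org.za", "net.za", "com", "org", "net")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_registrable(host: str):
    """Return (registrable label, public suffix), e.g. 'mail.sun.ac.za' -> ('sun', 'ac.za')."""
    host = host.lower().rstrip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1].split(".")[-1]
            return label, suffix
    parts = host.split(".")
    return (parts[-2] if len(parts) > 1 else parts[0]), parts[-1]


def is_trusted(host: str) -> bool:
    """True for the trusted domain itself and any of its subdomains."""
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def lookalike_reasons(host: str) -> list:
    """Reasons a host looks like an imitation of TRUSTED_DOMAIN; empty if trusted or unrelated."""
    if is_trusted(host):
        return []
    label, suffix = split_registrable(host)
    trusted_label, trusted_suffix = split_registrable(TRUSTED_DOMAIN)
    reasons = []
    if label == trusted_label and suffix != trusted_suffix:
        reasons.append("trusted-label-under-other-suffix")   # e.g. sun.co.za
    elif 0 < levenshtein(label, trusted_label) <= 1:
        reasons.append("label-within-one-edit")             # e.g. sum.ac.za
    for name in INSTITUTION_NAMES:
        if name in label:                                    # e.g. stellenbosch-sun.co.za
            reasons.append(f"contains-{name}")
    return reasons


def flag_links(body: str) -> dict:
    """Map each linked host in an e-mail body to its lookalike reasons (flagged hosts only)."""
    flagged = {}
    for host in URL_RE.findall(body):
        reasons = lookalike_reasons(host)
        if reasons:
            flagged[host.lower()] = reasons
    return flagged


# Constructed sample message (not the real attack e-mail); the domains are placeholders.
SAMPLE_BODY = (
    "We have detected your mail settings are out of date. Sign in at "
    "http://webmail.stellenbosch-sun.co.za/login to update your mailbox. "
    "Policy reference: https://www.sun.ac.za/policies"
)

if __name__ == "__main__":
    for host, reasons in flag_links(SAMPLE_BODY).items():
        print(host, reasons)
```

The checker is deliberately conservative: anything containing the institution’s name is reported for a human to look at, while genuine subdomains of the trusted domain are never flagged. A mail gateway rule built on the same idea would quarantine rather than block, since legitimate partner domains can also contain the name.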

What can we do?

  • Prevention always begins with educating all employees about the new reality of spearphishing attacks. By now, everyone should know about the old-style phishing emails, full of typos and promises of unearned millions – they are no longer your main worry. New spear-phishing emails are handcrafted by professional criminal gangs that know exactly how to tailor their work to seem like a legitimate email coming from someone that your colleagues trust.
  • Always ask for independent confirmation (such as a phone call or IM) before clicking and running any executable or opening any unexpected document. A quick confirmation is simply due diligence today.
  • Report anything suspicious. If you accidentally executed anything that you later became suspicious about, you should report it as well. It is important to remove the stigma and embarrassment of being fooled. Anyone, even security experts, can be tricked today, given the sophistication of the attacks.
  • Start to aggressively test employees with fake phishing attempts. These attempts should use phishing email templates that are more sophisticated and less like the phishing attempts of the past.
  • Keep testing individual employees until you get a very low percentage of easily compromised employees. If you do it right, you’ll have your employees questioning any unexpected emails asking for credentials or to execute programs. Having employees question your legitimate emails is a welcome symptom of a good education program.
  • Lastly, if a spearphishing attempt is successful in your institution, then use the actual phishing email and the compromised employee’s testimony (if they are well liked and trusted) to help teach others about today’s spearphishing environment. Anything that brings the new lessons into focus is welcome.

The key to prevention is getting everyone to see that today’s spearphishing email is not what they were used to in the past.

Aug
07
Filed Under (Editorial, Reviews & Opinions) by David Wiles on 07-08-2017

As if the recent ransomware scares and cleverly disguised phishing scams weren’t enough to keep you up at night, password breaches continue to make news.

Although “online safety” feels more and more like an oxymoron these days, there are still steps you can take to protect yourself when breaches like this occur. It all starts with getting rid of those overly used, poorly designed passwords you know are terrible but you use anyway.

The most secure password in the world is useless if a hacker steals it, but the real problem comes if it is the same password you use for every single log-in.

In other words, it’s essential that you employ a different password everywhere you conduct online affairs.

The well-known data breach repository “Have I Been Pwned” has recently released a database of over 306 million passwords contained in multiple data breaches.

Previously I used the “Have I Been Pwned” website, by entering my work email address to check if one of my accounts had been compromised by hackers in a data breach.

I was shocked to find out that two of my online accounts, one with Adobe and another with vBulletin, had been compromised by a data breach. My username, passwords and other personal information had been obtained and made publicly available by hacker groups.

Embarrassing!

Last week, the process for checking the safety of your passwords was given a helping hand by the creator of the Have I Been Pwned site:

A dedicated Passwords page has been added to the website, allowing users to check a password against a database of 306 million passwords.

The passwords contained in the list were compromised in various data breaches, making them accessible to hackers and other attackers.

While you may be tempted to enter your current passwords into the Have I Been Pwned website, you should never enter current active passwords into any third-party service.

The Passwords page allows you to compare potential new passwords against the database of compromised keys to determine their security. I found it very useful, giving me the peace-of-mind that my current method of creating passwords was relatively safe – for now!
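The safe way to act on the “never enter an active password into a third-party service” advice is to do the comparison on your own machine. As an added example (not code from the original post or from the Have I Been Pwned project), the Python below hashes a candidate password with SHA-1 and looks it up in a locally held set of breached hashes. It assumes the downloaded list is one upper-case SHA-1 hex digest per line (an optional `:count` suffix is tolerated); the embedded list is constructed here from a few obviously weak passwords so the script runs offline, and `load_hash_file` is the hypothetical loader you would point at the real download.

```python
import hashlib
from typing import Dict, Iterable, List, Set


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the breached-password list is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_hash_list(lines: Iterable[str]) -> Set[str]:
    """Parse list lines (one hex hash per line, optional ':count'); blank lines are ignored."""
    return {line.strip().upper().split(":")[0] for line in lines if line.strip()}


def load_hash_file(path: str) -> Set[str]:
    """Hypothetical loader for the downloaded list; streams the file rather than reading it whole."""
    with open(path, "r", encoding="utf-8") as fh:
        return load_hash_list(fh)


def is_breached(password: str, breached_hashes: Set[str]) -> bool:
    """Local check: only the hash is computed, and the password never leaves this process."""
    return sha1_hex(password) in breached_hashes


def check_candidates(candidates: List[str], breached_hashes: Set[str]) -> Dict[str, bool]:
    """Report, for each candidate new password, whether it appears in the breached set."""
    return {p: is_breached(p, breached_hashes) for p in candidates}


# Constructed stand-in for the downloaded list: hashes of a few obviously weak passwords.
SAMPLE_LIST_LINES = [sha1_hex(p) for p in ("password", "123456", "letmein", "qwerty")]
SAMPLE_BREACHED = load_hash_list(SAMPLE_LIST_LINES)

if __name__ == "__main__":
    # Constructed candidates; the second is a made-up passphrase, not anyone's real password.
    for pwd, hit in check_candidates(["123456", "Correct-Horse-Battery-Staple-2017!"], SAMPLE_BREACHED).items():
        print("BREACHED" if hit else "not in list", "-", pwd)
```

A Python set holding all 306 million digests needs many gigabytes of memory; for the real file you would keep it sorted on disk and binary-search it, or build a Bloom filter, but the comparison logic stays the same.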

Jul
25

These days, it seems we have to hand out our cellphone number like sweets at a kids party. Whether it be required for signing up for a new account, entering into a raffle, returning a purchase at a retail store, or registering for a discount, your phone number seems to be like a “skeleton key” for opening up all manners of doors.

Does giving out your cellphone number put you at risk of identity theft?

The answer is both “Yes” and “No”.

Yes, oversharing or giving out your number too frequently can lead to more scam calls, texts or unwanted solicitors. These days, our cellphone numbers are being used increasingly by information brokers to gain access to personal information that’s kept by nearly all corporations, financial institutions, and social media networks.

If someone you had just met asked you for your ID number, you would likely not give it to them. What if the same person asked you for your cell phone number? My guess is that you would readily tell them the ten-digit number, with no questions asked.

No, identity thieves cannot open new lines of credit, apply for benefits or make large purchases with your cellphone number.

However, the real threat is with the device itself.

Your cell phone number – which is unique to you – is the doorway to your identity. It provides an entrance to all the data contained on your phone, and can link your other information to you – your email address, physical address, bank account number etc. If your smartphone falls into the wrong hands and isn’t protected, a thief could access your email account and change all of your account log-ins, get into your Facebook and post malicious links, access your two-factor authentication, or even drain money from your mobile wallet.

What can you do about it?

  1. Safeguard your mobile device: Make sure it has a passcode and is set to lock quickly. You’ll also want to have a phone finder app installed so that if it is lost or stolen you can either find it, or worst case, remotely erase all of your data.
  2. Use common sense: If you’re asked for your phone number, ask why. In general, don’t give it out to people you don’t know, and see if you can leave it blank on online forms – even if that means it may take a few seconds more to identify you the next time you make a purchase.
  3. Enable two-factor or multi-factor authentication on all your devices: This is what happens every time you go to an ATM: to make a withdrawal you need both your debit card and a PIN number. That’s two-factor authentication, which increases the level of security on your devices.
  4. Sign up for the “do not call” lists, which are helpful for run-of-the-mill solicitations. While hackers don’t subscribe to such lists, you won’t get as many pesky marketing calls.
  5. Get more than one cell phone, and only give out the number of the phone that contains no data or links to personal information.
  6. Choose which private data you are willing to share: When asked for your cell number, especially at a retailer, you may be able to provide an email address, zip code or just your name as a way to identify you. It’s worth asking about.

All of this takes more time and effort, but ask yourself how much privacy and security you are willing to trade away for a little more convenience.

Jul
24

According to International Business Times, a new study finds more than 80% of Americans reuse their passwords, and many others continue to use inadequate security practices when it comes to the passwords they use to protect their accounts.

The security provider SecureAuth and research firm Wakefield Research found that not only do people use the same password more than once, they also use the same login credentials for at least 25 percent of their accounts.

While most millennials are more tech savvy and open to new and more secure forms of authentication like biometrics, their password practices are worse than the general population. A whopping 92% of millennials admitted they reuse passwords, compared to 81% of Americans overall.

Even more troubling, more than one in three people – 36% – reported they use the same password for 25 percent or more of their online accounts.

Despite the rampant reuse of passwords – a major security weakness – most Americans are very concerned about the possibility of their account information being stolen. 69% said they were more worried about their online information being stolen than their wallet.

Many Americans have already experienced such a breach of an online account. 35% of people surveyed said they have had an online account hacked – including 50% of millennials.

Of those people who have fallen victim to a hack, 91% reported the account breach carried severe repercussions for them. The biggest issues for those who have been hacked include spam messages (42%), account lockouts and money stolen (38%) or an unauthorized purchase being made from their account (28%).

About one in five people—19%—who had an account hacked reported having personal information stolen, including Social Security numbers, date of birth, photos, tax records and other sensitive personal files.

Despite identity-based detection techniques such as geo-location, device recognition, and phone number fraud prevention, the practice of reusing passwords puts users at increased risk in the case of a data breach. Once passwords are stolen from one site or service—an occurrence that happens regularly—a malicious actor could use that same password to gain access to another account belonging to the same user.

Given the number of massive database breaches, including those from sites like LinkedIn or Yahoo that included millions of users, it is relatively easy for an attacker to cross reference an account and use the stolen credentials to attempt to break into another account.

Additional security protocols like using two-factor or multifactor authentication or using a password manager to generate more secure, unique passwords can provide some additional protection from these types of attacks.

Don’t think for a moment that this survey is only relevant to Americans. In an article recently tweeted by Stellenbosch University’s Information Technology, South Africa has the third highest number of cybercrime victims worldwide and loses in excess of R2.2bn to internet fraud and phishing attacks annually. South Africans are just as bad as the Americans with their poor password practices!

Apr
14
Filed Under (Editorial, Reviews & Opinions) by David Wiles on 14-04-2013

Since 12 April 2013, the WordPress blog system world-wide is facing its most serious coordinated brute force attack. Some WordPress hosts have reported that they have blocked as many as 60 million requests against their hosted WordPress customers in a single hour.

This attack, which targets administrative accounts, appears to be coming from a sophisticated botnet that may have as many as 100,000 computers, based on the number of unique Internet addresses the attacks are coming from.

And Internet security experts estimate that the botnet has the power to test as many as 2 billion passwords in an hour.

WordPress users should always make sure that their passwords, especially for admin accounts, are long and not guessable from a password list. Of course, that’s good advice for just about any password you use, but it’s especially applicable right now.

While it’s difficult to tell what the aggressor is trying to accomplish with this current round of password cracking, the consequences could be disastrous. It has been suggested that the perpetrator could be trying to upgrade a botnet composed of ordinary PCs into one that is made up of servers.

Last year, a brute force attack against Joomla sites created a server-grade botnet, created with a tool called Brobot, that overwhelmed US financial institutions with DDoS attacks.

One risk is that personal bloggers that set up WordPress installations might not have thought to set up a highly secure password. However, it’s not just the blogger’s posts that are at stake, as the attacker could potentially use the login to gain access to the hosting server, a more valuable prize that could cause even more damage.

This botnet is going around all of the WordPress blogs it can find trying to login with the “admin” username and a bunch of common passwords.

If you still use “admin” as a username on your blog, change it, use a strong password, and better still change the name of the admin account to something else, which will certainly block the botnet attack.

I personally run 7 WordPress blogs, excluding this GERGABlog, and a year or so ago, after an attack crippled 3 of the sites, I removed the default “Admin” account and set very strong passwords on all of them.

On Friday evening I installed a small plugin, recommended by my hosting company, which blocks an Internet address from making further attempts after a specified limit of retries is reached. I set the plugin to log all Internet Addresses that had been locked out, and after barely 30 minutes, 3 of my 7 blogs had logged more than 5 Internet addresses that had tried to attack my blog and had been locked out. I could see that the attack was underway and was very glad that my paranoia had paid off!
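The plugin described above is essentially a per-address failure counter with a lockout window. As an added example (my own illustration, not the plugin’s code nor anything from WordPress), the Python below replays login-attempt log lines and applies that rule: five failures from one address within ten minutes lock it out for thirty minutes, a success clears the counter, and attempts during a lockout are rejected without being counted. The log format (timestamp, client address, username, outcome) and the thresholds are assumptions, and the sample lines are constructed with RFC 5737 documentation addresses, not real attacker IPs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

MAX_RETRIES = 5                  # failures allowed inside the window before lockout
WINDOW = timedelta(minutes=10)   # how far back failures are counted
LOCKOUT = timedelta(minutes=30)  # how long a locked address is refused

# Constructed sample log (assumed format: ISO timestamp, client IP, username, OK/FAIL).
SAMPLE_LOG = """\
2013-04-12T21:00:01 203.0.113.7 admin FAIL
2013-04-12T21:00:02 203.0.113.7 admin FAIL
2013-04-12T21:00:02 198.51.100.22 editor FAIL
2013-04-12T21:00:03 203.0.113.7 admin FAIL
2013-04-12T21:00:04 203.0.113.7 admin FAIL
2013-04-12T21:00:05 203.0.113.7 admin FAIL
2013-04-12T21:00:06 203.0.113.7 admin FAIL
2013-04-12T21:00:10 198.51.100.22 editor OK
2013-04-12T21:40:00 203.0.113.7 admin FAIL
"""


class LoginGuard:
    """Tracks recent failures per client address and enforces a temporary lockout."""

    def __init__(self, max_retries=MAX_RETRIES, window=WINDOW, lockout=LOCKOUT):
        self.max_retries, self.window, self.lockout = max_retries, window, lockout
        self.failures = defaultdict(deque)          # ip -> timestamps of recent failures
        self.locked_until = {}                      # ip -> datetime the lock expires
        self.lockout_log: List[Tuple[str, datetime]] = []   # (ip, when the lock began)

    def attempt(self, ts: datetime, ip: str, outcome: str) -> str:
        """Process one attempt; returns 'blocked', 'locked', 'ok' or 'fail'."""
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return "blocked"                        # refused during lockout, not counted
        if outcome == "OK":
            self.failures.pop(ip, None)             # success resets the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                        # drop failures older than the window
        if len(recent) >= self.max_retries:
            self.locked_until[ip] = ts + self.lockout
            self.lockout_log.append((ip, ts))
            recent.clear()
            return "locked"                         # this attempt triggered the lock
        return "fail"

    def locked_addresses(self, now: datetime) -> List[str]:
        """Addresses still locked at the given time, sorted."""
        return sorted(ip for ip, until in self.locked_until.items() if now < until)


def replay(log_text: str, guard: LoginGuard = None):
    """Feed log lines through a guard; returns (guard, per-line decisions)."""
    guard = guard or LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, ip, _user, outcome = line.split()
        decisions.append(guard.attempt(datetime.fromisoformat(ts_text), ip, outcome))
    return guard, decisions


if __name__ == "__main__":
    guard, decisions = replay(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision:8} {line}")
    for ip, started in guard.lockout_log:
        print("locked out:", ip, "at", started.isoformat())
```

Note that a lockout keyed on the address alone stops one machine, not a 100,000-node botnet spreading its guesses; it buys time and produces the evidence (the lockout log) that an attack is under way, which is exactly what the plugin showed here. Removing the “admin” account remains the stronger control.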

May
28
Filed Under (Events, Reviews & Opinions) by David Wiles on 28-05-2012

Social networking services like Facebook are dangerous. You lose your privacy and open yourself to a number of risks.

For example, two masked robbers robbed the wrong home, hours after a teenager posted a photo on Facebook of a large pile of her grandmother’s savings.

Police in New South Wales, Australia, said that the men, armed with a club and a knife, struck at the home of the 17-year-old’s mother in the country town of Bundanoon on Thursday night, but were told the daughter no longer lived there.

The bandits searched the house and took a small amount of cash as well as other property before leaving. No one was injured.

Police said that earlier in the day the girl had posted a picture on her Facebook page of a “large sum of cash” she had helped count at her 72-year-old grandmother’s home in Sydney, 75 miles north-east of Bundanoon.

No matter how “cool” or convenient Facebook is, it is always important to keep a close watch on its security implications. Each of these services comes with its own set of security concerns which can put your information systems and/or personal data at risk. (The incident above is one such example.)

For example, suppose you have posted an update on your Facebook profile saying: “Looking forward to the family holiday next week at the beach house.” Although this might seem relatively harmless, it could raise some concern. You have just told all your friends, as well as all their friends, that you will be away from home for a full week. This is comparable to putting a sign on the main road that shouts “Empty House” for passers-by to see. Even if you have a burglar alarm or neighbors keeping an occasional eye on the home, you still don’t want to create the temptation for strangers (Friends of Friends) to consider helping themselves to the contents of your house.

This is just one of the risks you might encounter when using Facebook, and this is one of the reasons why I prefer to steer away from social networking services. You rarely know or meet your “friends”, and this exposes you to unacceptable risks to your personal safety! Optimism aside, the world is full of mean-spirited people who would want to exploit and harm you. Be careful!


Mar
02
Filed Under (e-Learning, Reviews & Opinions) by David Wiles on 02-03-2012

Moodle and Blackboard are both popular online LMS (Learning Management System) solutions with which the Faculty of Health Sciences can develop complete online courses that can include multimedia content.

How do the two compare to each other and what are the benefits unique to each course delivery system? Let’s explore some of these benefits of Moodle and Blackboard.

Firstly let’s clear the deck and note what Moodle and Blackboard are.

Moodle is an Open Source Learning Management System that is provided freely and can be run on many operating systems. According to the Moodle website it is “free to download, change, share, improve, and customize to whatever you want it to be”. Therefore, any lecturer can use it to build or supplement a course.

Blackboard on the other hand is a proprietary Learning Management System and its use is typically limited to institutions like the university which pay a sizeable fee each year to take on a license agreement for its use. Each and every student at the university pays a small amount every year for the licencing.

Moodle is definitely the gawky teenager here. It is constantly in a state of development and improvement; there’s no waiting for the company to fix a bug or improve the program. Being “open source”, each and every user has a unique opportunity to contribute to the development of the product.

The new features of Moodle mostly centre around increased usability; these include easier navigation, improved user profiles, community hub publishing and downloading, a new interface for messaging, and a feature that allows teachers to check student work for plagiarism. Text formats will also allow plug-ins for embedded photos and videos in text (but Blackboard allows for this too).

A major improvement over previous releases is that anyone can set up a community hub, which is a public or private directory of courses. Another notable feature is that Moodle now allows teachers to search all public community hubs and download courses to use as templates for building their own courses. Also, teachers can now see when a student completes a certain activity or task and can also see reports on a student’s progress in a course.

Many small scale open source platforms require that users support the product themselves, getting their “hands dirty” tweaking and improving the hard way – of course using the open source community as their primary resource. However Moodle has an advantage: it has become so popular that a small industry has evolved around it, providing a wide range of support and services. Two of the most popular support and hosting services are Moodlerooms and Remote-Learner.

Blackboard Learn is Blackboard’s newest and most innovative upgrade to its Blackboard Learn package.

Improvements in its uses for higher education include course wikis (Moodle improved theirs as well), blogs and journals that stimulate conversation and reflection on a course, and group tools that make group collaboration and communication easier than the previous version. Its most notable feature is its Web 2.0 interface, which makes it easy for educators to navigate when adding content to an online course and for students to navigate when accessing course content.

Blackboard Learn now incorporates Blackboard Connect (of course at an additional cost), which alerts students to deadlines, due dates and academic priorities within a course. The new release also allows educators to more easily incorporate videos and photos directly into text for a more complete learning experience.  Finally, Blackboard features Blackboard Mobile Learn (also at an additional cost – and why am I not surprised), which lets students connect to their online courses using various handheld devices, such as the iPhone or iPad.

So, what are the biggest differences?

Features & Functions: Both of these tools have a lot of different functionality available, either natively, or through add-on types of functionality. If different functions are going to be the deciding factor in selecting one of these versus the other, you will really need to drill in and compare and decide for yourselves which features and functions will make the difference for the Faculty.

Cost: This is clearly different. As an open source product, Moodle is simply less expensive. Blackboard is sort of the “Rolls Royce” of today’s LMS, and there are users of the product who would tell you that if you want the best LMS money can buy, you should make the financial commitment to Blackboard. On the other hand, if you want a premier product for a much lower cost, Moodle is really the way to go. Another thing to be aware of is that Blackboard builds substantial annual increases into their pricing model, since they are continually procuring and integrating additional products into their offerings, with the intent of adding value for their users.

Product/vendor model: As indicated above, Moodle and Blackboard are very different products with very different vendor models. One is open source, and there are many support and service vendors to choose from, while the other is proprietary and there is just the one company to work with. How that impacts your decision is up to you and your institution to determine.

Oct
20
Filed Under (Reviews & Opinions) by David Wiles on 20-10-2011

If you were born after 1960 or so you will realise how frighteningly rapidly technology is progressing and changing. In the first half of the 2000s, retailers were buzzing about the wonders of MP3 players and netbooks, but by the end of the decade, those products had largely been replaced by smartphones and tablets.

We will all have to face the facts – some of the gadgets you may currently rely on will disappear or be made obsolete by the end of this decade in 2020, and no longer be produced for a mass-market audience.

In this largely speculative article we ask the question: Which popular products today will join the likes of VCRs, cassette players and transistor radios disappearing from the shelves and our lives forever? (except perhaps in an antique collection)

Standalone GPS Systems

The days of spending R1500 or more on a standalone GPS device won’t last much longer, analysts say. “Portable navigation devices like those sold by TomTom and Garmin will probably not be sold in 2020, just because mobile phones will have taken on that function themselves and because GPS systems will be standard equipment in cars,” says Charles S. Golvin, an analyst at Forrester, a market research firm. So there won’t be much of a need to buy a product whose only function is to tell you directions. If there is a demand for these GPS systems, it will likely come from a very specific segment of consumers, like mountaineers climbing Mount Everest or long-distance truckers or the military, but for the vast majority of consumers, standalone GPS systems will be irrelevant and redundant.

E-Readers

The e-reader has already undergone significant changes in its short history, evolving from a product with a keyboard to one with a touchscreen and more recently being integrated into a kind of a tablet-hybrid, but according to Golvin, the market for e-readers will mostly disappear by the end of the decade. “The tablet will largely supplant the e-reader in the same way that the iPod increasingly gets displaced by smartphones,” Golvin says. “Tablets will take on the e-reader function of handling magazine, newspaper and book reading.” In essence, spending money on an e-reader that can only handle reading when tablets can do this and more will come to seem as useless as buying a GPS system that can only look up directions when other technology does this as well. Just how small the e-reader market becomes may depend somewhat on advancements in display technology. One of the biggest incentives for consumers to buy a pure e-reader is to have an e-ink display (like reading from a book) rather than a backlit display (like reading from a computer screen), but according to Golvin, manufacturers are already working on ways to merge the two reading experiences and create a tablet that doubles as an authentic e-reader. Even then, there may still be some e-readers on the market at the beginning of next decade, but not many. “It could be that by 2020 you can still buy a super cheap e-reader for R160, but by and large, the volume of sales will be so close to zero as to be indistinguishable, like CD players are now,” he says.

Feature Phones

A feature phone is a mobile phone that, like smartphones, combines the functions of a personal digital assistant (PDA) and a mobile phone. Today’s models typically also serve as portable media players and camera phones with touchscreen, GPS navigation, Wi-Fi and mobile broadband access.

Several of the products that are likely to be phased out will ultimately be the victim of advances to smartphones, and none more directly than feature phones. Tim Bajarin, a technology columnist and principal analyst with Creative Strategies, predicts that 80% of all phones sold in 2015 will be smartphones and every phone sold in 2018 will be a smartphone. This rapid decline will come about thanks to a drop in prices for consumers and an increase in revenue opportunities for carriers. “Even today, the money that is made is not on the phone itself but on the services,” Bajarin says, noting that carriers will opt to “fade out” their feature phone option in favor of smartphones with more services.

Low-End Digital Cameras

When Apple unveiled the iPhone 4S, smartphone competitors probably weren’t the only ones beginning to sweat. Digital camera makers also have much to be worried about. Apple’s newest phone has a killer 8-megapixel camera that takes in more light and records 1080p HD video. Until recently, those kinds of specs were unique to digital cameras, but increasingly smartphones are taking over the market. “Flip cameras went bye-bye and now low-end camera functions are being taken over by smartphones,” says Rob Enderle, principal analyst for the Enderle Group. Going forward, consumers will have less incentive to carry around a camera when they already have a phone in their pocket that takes quality pictures. “The point-and-shooters – and particularly the cameras that sell for under R1500 – will eventually go away and be replaced by cellphones that do the same thing.” On the other hand, Enderle predicts more expensive and high-tech cameras may have a brighter future, though not by much, as a smaller market of photo enthusiasts seek out professional-quality cameras that go above and beyond what’s offered on a phone.

DVD Players

DVD players are in the process of being phased out now by Blu-ray players and will likely be erased from the consumer landscape by the end of the decade. “The DVD player should be replaced by digital delivery,” says Ian Olgeirson, a senior analyst at SNL Kagan, who points to streaming movie services like Netflix as being the future. “Blu-rays and whatever the next generation high-end movie format emerges could prolong the lifespan because of challenges around streaming, but eventually the disc is going to be phased out.” The idea of placing a disc into a DVD player to watch a movie will eventually seem as outdated as placing a record on a turntable.

Recordable CDs and DVDs

Using CDs and DVDs to view and store content will soon be a thing of the past. “CDs are clearly not going to make it over the next 10 years because everything will shift over to pure digital distribution, so all those shiny discs will be gone,” Bajarin says. This will be due in part to more streaming options for music and movies and a greater reliance on digital downloads, combined with more efficient storage options for consumers, including USB drives, external hard drives and of course the cloud. “All a CD is is a medium for distribution of content … and within 10 years, you won’t need a physical transport medium,” Bajarin says.

Video Game Consoles

Popular video game systems such as the Wii, PlayStation and Xbox may still be in homes next decade, but they will look much different. Rather than buy a separate console, Enderle expects that consumers will instead buy smart televisions with a gaming system built into them, not to mention tablets and smartphones that will continue to ramp up their gaming options. “It looks like analog game systems won’t make it until the end of the decade,” Enderle says. “You are already seeing the Wii have a tough time holding on to the market and PlayStation has been struggling for a while.” The gaming systems that will succeed in the future will be those that manage to move away from being focused solely on video games and more on other entertainment options such as movies, evolving from a traditional game console into more of a set-top box.

By Seth Fiegerman, MainStreet

Oct
07
Filed Under (Editorial, Reviews & Opinions) by David Wiles on 07-10-2011

Steve Jobs – CEO and co-founder of Apple – who passed away on 5th October – hasn’t even been buried yet and already there are numerous scams using his name and company to extort information and money.

As an example, the stevejobsfuneral.com site attempts to collect e-mail addresses for a supposed lottery with a 1-in-15 chance to win a Macbook. And it links to an online store selling Apple products as a way to pay tribute to Jobs, by buying Apple products.

Conveniently for the site, this link also contains affiliate advertising info that brings revenue for any purchases made through the link.

It is probably needless to say that people should avoid stevejobsfuneral.com, which was already registered on September 20th. The vultures have been circling around for quite a while.

Criminals have gotten pretty good at making fake Web sites (for PayPal, eBay, Facebook, etc.) look like the real thing. But what they can’t fake quite as easily is the location of the Web server that’s hosting their fraudulent site. You might be looking at a perfect replica of, say, Bank of America, but if the site is hosted in Uzbekistan, it’s a good bet you shouldn’t input your password.

Flagfox for Firefox makes this kind of detective work simple: it determines the Web server’s physical location and pastes the corresponding country’s flag at the end of the address bar. Clever!

If you’re wondering how it works, Flagfox bases its flag choice on the actual location of the server you’re connected to, rather than just the nationality of the domain name, which may be different.

After installing the plug-in and restarting Firefox, just head to any site and you’ll see the flag at the right end of the address bar. If you click the flag, you’ll get a new tab containing detailed geographic information about the site.

If you right-click the flag, Flagfox pops up a list of other handy tools, including Whois, SiteAdvisor, Web of Trust, and URL-shortener bit.ly. Head to the settings (via Tools, Add-ons) for the plug-in and you’ll find a dozen or so other options you can add to the list.

This is a great little addition to Firefox, one that combines convenience with added security. What’s not to like?

By Rick Broida, PCWorld