December 26, 2013

Post-Christmas Trash

Christmas presents before. Image from Alan Cleaver, used under a Creative Commons license.
Christmas has come and gone. All the presents are unwrapped, leaving behind used wrapping paper, empty boxes, and other packaging. As part of the cleanup process, these items will eventually find their place on the curb in time for trash pick-up. Does our trash say something about us? The discarded packaging placed on the street in front of our homes may give burglars clues about what treasures lie inside.

Could there be a treasure trove behind the front door? Your trash may be saying more than you know.

Christmas presents after. Image from Lisa Yarost, used under a Creative Commons license.
Right before the first trash day after Christmas, criminals will cruise the neighborhood looking for the discarded packaging from expensive pilferable items. If you're like many families, there were probably a number of electronic gifts given, ranging from a new iPad to a gaming console or laptop, to name just a few. These items sell quickly on the black market, fetching some fast cash for thieves, especially if the original owner never serialized or marked them. Considering most people cannot wait to use their new presents, I doubt the original owners have done that yet. Additionally, if you can afford these types of gifts, you probably have other expensive items in your home that burglars could get their grubby little hands on.

Reduce your risk of becoming a target:
  • Take the time to break down the boxes and packaging. This makes them less noticeable. An added bonus: broken down packaging takes up less room in the trash can, which means you can throw more stuff away. If you have rambunctious children in the house, put their destructive nature to use by having them "help" break down the packaging.
  • Place it out on the curb just before trash collection time. By not leaving your holiday packaging out on the curb for long, you give criminals less time to analyze it.
  • Take it to a recycling center or dump yourself. If you're able to, drop your holiday garbage off at the recycling center or local dump instead of leaving it sitting in front of your home.

Hope the spirit of the season lives on and you're able to enjoy your presents throughout the year.
Tassler, M. (26 December 2012). Crooks are watching your Christmas trash. Classic KXRB Country 1000. Retrieved from 
Urbach, V. (March 2010). What burglars don't want you to know. The Urbach Letter. Retrieved from 

December 21, 2013

Target data breach: What to do if you're one of the 40 million?

Target targeted in large data breach.
Criminals target Target during the busiest shopping period of the year.

The major retailer Target reports one of the largest consumer data breaches since the TJX Company incident from 2005 to 2007 that exposed 45.7 million credit/debit cards to fraud. Target and law enforcement entities are investigating a data breach that could affect up to 40 million customers who shopped in one of the 1,797 U.S.-based Target stores any time from November 27 to December 15. The Canadian Target stores were not affected.

The breach involves the theft of the data stored on the card's magnetic strip, which includes names, credit/debit card numbers, and card expiration dates. Target reports there are no indications that the 3 or 4 digit security number on the back of the card or the PIN from debit card transactions were compromised. This contradicts some circulating news articles. Reportedly the breach does not involve online purchases; however, online comments from Target consumers on articles about this breach indicate initial reports may be wrong. Without in-depth research into those particular comments, it is hard to tell.
Target has not disclosed how the breach occurred, but states it has fixed the cause. Some speculate that it was caused by crooks tampering with the machines customers use to swipe their cards when making purchases. Since the breach is national in scope instead of being a localized problem, I highly doubt the breach was caused by tampering with point-of-sale machines using skimmers. That is a lot of machines to tamper with! According to a CNN Money article, hackers "either slipped malware into the terminals where customers swipe their credit cards, or they collected customer data while it was on route from Target to its credit card processors." (2013) I suspect hackers obtained the information between the Target store and payment processors. In the TJX breach mentioned earlier, attackers gained access through a wireless network to systems used to store debit/credit card transaction information. Due to the amount of money Target spends on payment process security, Avivah Litan, a security analyst with Gartner Research, believes the breach was the result of an inside job. We will see as more information slowly becomes available.
According to the San Francisco-based financial services firm, Javelin Strategy and Research, data breaches tied to credit card fraud are on the rise. In 2012, 28% of customers who were notified their cards were compromised usually became victims of fraud within that same year. Despite industry guidelines to protect payment card data, criminals continue to exploit vulnerabilities in data security, and will continue as payment options focus on mobile wallet and payments. 
If you were a Target shopper, what can you do?
  • Routinely monitor bank and credit card statements. Regardless of whether you were a victim of this breach, everybody should check their statements to make sure all charges are legitimate. Call and dispute unknown charges immediately.
  • Order your credit report for FREE. All Americans are entitled to an annual free copy of their credit report from the three major credit bureaus at I recommend you only access one reporting agency every four months, so you can monitor your credit throughout the year for FREE! Free can be good.
  • Place a free 90-day credit alert. The alert makes it inconvenient to open new lines of credit because it creates additional steps for creditors to verify the identity of the individual opening the credit line. It does not affect the ability to use existing credit cards and lines of credit. Call 
  • Place a credit freeze. If you want something a bit more substantial than an alert, you can use this option. This locks down your credit report until the consumer reporting agency (e.g., Equifax) receives permission from the individual to disclose it. While this is preferred over the alert, this option is not necessarily free. Costs may vary by state. The Identity Theft Resource Center provides a state identity theft resource map to help you learn more.
  • Cancel and replace affected cards. While this would be the most inconvenient option, it is one of the more secure and best options.
  • Target urges people who suspect unauthorized activity to contact them at 866-852-8680. Based on the critical consumer comments circulating, do not expect much help if you can get through.
CNN Money (19 December 2013). Target: 40 million credit cards compromised. CNN. Retrieved from 
D'Innocenzio, A. (20 December 2013). Fury and frustration over Target data breach. Associated Press. Retrieved from
Identity Theft Resource Center. ITRC fact sheet 129 I received a security breach letter: What do I do now? Retrieved on 21 December 2013 at
Javelin Strategy and Research (12 December 2013). Card breach-related fraud has increased 340% since 2010. Retrieved from
Krebs, B. (18 December 2013). Sources: Target investigating data breach. Krebs on Security. Retrieved from
Scherzer, L. (19 December 2013). What to do if you shopped at Target during its data breach. Yahoo! Finance. Retrieved from
Sidel, R. (19 December 2013). Target hit by credit-card breach. The Wall Street Journal. Retrieved from 
Target. (19 December 2013). Target confirms unauthorized access to payment card data in U.S. stores. Target Press Release. Retrieved from 

December 15, 2013

A year after Sandy Hook Shooting: Need National discussion on mental health

The 26 victims from the Sandy Hook shooting.

December 2013 marks the one-year anniversary of when Adam Lanza gunned down 20 children and six adults before taking his own life at Sandy Hook Elementary School. The little town of Newtown, Connecticut struggles to find a new "normal" as its people still hurt and mourn the lives lost on that fateful day, December 14, 2012.

Some contend that this incident is the September 11th for parents, educators of young children, and security professionals. As a nation, we should have learned from the past school shootings such as Columbine, Beslan, and Virginia Tech, but we often quickly forget as our attention turns to the latest headlines.

The questions raised are: have we learned anything from this, and how can we prevent this from happening again?
Within days after the Sandy Hook shooting, Washington D.C. was clamoring for tighter gun control, as if it would have prevented this tragedy. National news outlets were debating gun rights. Yet very little national attention focused on the underlying root problem: mental health. Adam was a troubled, socially isolated young man, due to mental health issues. His mother tried to help him, but she was in over her head. Shortly after the massacre, Liza Long wrote Thinking the Unthinkable, where she shares her personal struggles with her son's violent episodes and a system that offers little support. When sharing her story she claimed "I am Adam Lanza's mother. I am Dylan Klebold's and Eric Harris's mother." Unfortunately, the way the U.S. system is set up, the only way for families like Ms. Long's to get help for their mentally ill child with violent tendencies is to have them placed in the criminal justice system. In order to be placed in the criminal justice system, they need to have committed a crime. As Ms. Long's social worker told her, "no one will pay attention to you unless you've got charges." It is just sad that, in a leading nation, parents are forced to wait for their child to become a criminal before they can get the help they need.
Fortunately for Ms. Long, when her post hit national headlines, a medical expert contacted her to provide a correct diagnosis for her son. Since starting his new treatment regimen, he has not had any violent episodes. Mental health treatment can help, but the person needs access before being placed in the criminal justice system...BEFORE hurting somebody.
The parents of one of the Sandy Hook victims, Jeremy and Jennifer Richman, set up the Avielle Foundation, which is named after their only daughter. The foundation supports research into the brain pathologies behind violence. According to the foundation's website, "too little is known in the field of brain health in regard to what drives violent behaviors...Once a deeper understanding has been established, we can apply these insights to educate health care providers and communities about identifying and responsibly advocating for those at risk of violent behaviors." I applaud their efforts in creating a legacy for their child in hopes that it could help prevent other tragedies. 
The mental health issues of Aaron Alexis, the September 2013 Washington Navy Yard shooter, and Tamerlan Tsarnaev, one of the Boston Marathon bombers, continue to highlight the need to keep mental health in the national dialog right there with gun control. Both individuals were reported to be hearing voices, which influenced their decision to commit their horrific violent acts.

Avielle Foundation (2013). About the foundation. Retrieved from
Blogman (25 October 2013). What can happen if a blog post goes viral? Tossing it out there. Retrieved from 
Jacobs, S., Filipov, D. and Wen, P. (15 December 2013). The fall of the House of Tsarnaev. The Boston Globe. Retrieved from 
Long, L. (14 December 2013). Thinking the unthinkable. The Anarchist Soccer Mom. Retrieved from 
Marcus, R. (27 November 2013). Nancy Lanza, a mother tragic and infuriating.  Washington Post. Retrieved from 
Melia, M. (11 December 2013).  Newtown reflects on year of horror, grief and tough choices. Associated Press. Retrieved from 
Sancier, G. (13 December 2013). One year after Sandy Hook: Behavior cues of mentally ill. PoliceOne. Retrieved from
Wyllie, D. (13 December 2013). Active shooters in schools: How far have we come since Sandy Hook? PoliceOne. Retrieved from 

December 14, 2013

Blogoversary or Blog Birthday: A year in review.

Happy Birthday!
Security Checks Matter enters the terrible twos!
Here we are, Security Checks Matter hits its second year in the blogosphere. Throw cyber confetti. Some people call it a blogoversary as a play on anniversary and blog to signify a significant blog date. When I think of anniversary, I think of the obligatory romantic evening out together. That's not my bag, baby. I prefer blog birthday. Birthdays are fun with parties always involving cake and you cannot go wrong with cake! YUM!

This blog has matured since starting out. This past year I maintained more consistency by publishing at least one security post a month. Score! Certainly an improvement over the erratic posting from the first year, when I would sometimes go months without posting. Need to have content to sustain and increase viewership. This helped with Search Engine Optimization (SEO), plus I picked up some other SEO tips to increase hits. I set up social media pages to help drive viewership. Twitter proved to be far more valuable than Facebook in getting clicks. Considering I went from averaging only 200 readers a month when posting on Facebook to 400-600 monthly viewers now, Twitter became the big difference.

To continue with summarizing this year's achievement, here's a nice top ten viewed posts of the year. What's a little birthday celebration without a nice top ten to look at the passing year?

Top 10 Posts.

Learning about security posters is our 2013 most read post.
1)  Resource: Security Posters. The article is a review on possible security poster sources. Honestly, I am really surprised this is the number one viewed post from 2013. Considering this post was never posted on the social media sites, the viewership was purely driven by search engines. That means somebody went to Google, or some other search engine of choice, to purposely look for security posters. This is where the SEO tips came in handy.

2) Army Security Incident Process. The article articulates the security breach response process an organization must go through in accordance with Army Regulation 380-5, Information Security. The story behind this post is quite simple. I had a simple assignment to write about the security incident process for classified material. After finalizing a 12-page (double-spaced) paper, I re-read the instructions and realized the teacher was only looking for three paragraphs summarizing the process, NOT 12 pages detailing it. I redid the assignment as per the instructions, but I could not let my lengthy masterpiece go to waste. I worked too hard on it. I brought it to the inter-webs for all. I would also like to point out that all information used for the report is in the public domain.

3) Scam U: Job opportunity scam. This post is part of a new monthly segment called Scam University, or often referred to as Scam U. It teaches people how to identify and properly respond to on-going scam tactics in the real world. With a lagging economy and high unemployment rates, more people are falling victim to the job opportunity scam.

4) Prevent vehicle break-ins. One day I read my friend's Facebook post about her vehicle being broken into while on vacation. Hearing about the horrible ordeal she and her family had to go through inspired this post. Learn how to prevent a vehicle break-in, so you don't have to live through her nightmare.

5) Privacy: Why you should care about PRISM. When the NSA spying scandal first broke out back in the May/June timeframe, I read multiple comments that horrified me. People nonchalantly saying, "I don't care. If you didn't do anything wrong, you don't have anything to worry about." This is my rant against those people. You should care!

6) New NSA rule in light of the Snowden data breach. This post takes a look at the new security rule the NSA implemented in response to the Snowden data breach. I wish there was some nice little back story I could add to this, but I got nothing. Sorry.

7) Timeline: Aaron Alexis, Navy Yard Shooter. After the horrible September Navy Yard Shooting, there were numerous news articles circulating about the shooter, Aaron Alexis. Different news agencies reported different facts about him, so Security Checks researched and consolidated the information into a simple timeline. After reviewing the timeline, you can see the glaring indicators missed by Naval Security Clearance officials.

8) Scam U: Phantom Debt. For a November post, it certainly shot up into the top ten viewed posts fast. This is the 3rd installment of the Scam U series (as mentioned in #3 of this list). This post warns about scammers calling people and claiming they owe some mystery debt.

9) Basic User Info: Protecting Classified Documents. Much like the Army Security Incident Process post, this one was originally developed for a class. I reached a new month with no posts, so I modified the assignment into a blog post for the interwebs to enjoy. Similar to the Resource: Security Posters post, I didn't advertise it on social media, so all views were purely driven by search engines.

10) Scam U: Instagram Scam "Something for Nothing".  This is the latest installment of our Scam U series, which was released just last month. Considering three out of the four Scam U posts made the top ten, I think we'll continue with it. You can read all Scam U posts here. This edition of the series looks at the recycled phishing scheme being used on Instagram.

What does the upcoming year hold as the blog heads into our terrible twos? Well, I'm going to work on the consistency thing with the goal of two posts per month. This past year I learned about the easiness of scheduling posts, so hopefully I can learn to be patient and harness my writing spurts. For instance, I had multiple posts in June, while other months I struggled. (By the way, what's up with June?) By scheduling, I could have staggered the multiple posts while still focusing on content. Additionally, I will continue to maintain viewership at 400 or higher per month. I know this is a low goal, but considering I didn't do it all year, I think this is a reasonable one. I can get to over 400; it is just maintaining it that is the challenge. The consistent fresh content combined with posting on multiple social media platforms should get me to this goal. These are feasible goals to help grow the site while still making it a manageable side job. I need to focus most of my energy on the job that pays the bills.

December 9, 2013

FBI can covertly activate webcams

Recent news articles report that law enforcement has the capability to covertly activate webcams without triggering the indicator light that alerts users it is recording. When activated, the webcam could transmit real-time images to investigators. Before law enforcement can do this, it needs to infect your computer with surveillance software. One method the FBI used to accomplish this was to send phishing emails with misleading subject and text to trick the intended party into downloading the software that permits them to exploit the webcam. This is similar to a method hackers use to spread malware. The FBI's most powerful surveillance software can also covertly download files, photos, and stored emails. It's not a recent capability, considering the FBI has used this technique in past terrorism cases and other serious criminal investigations. Back in 2007 they used a surveillance software program to surreptitiously monitor an individual suspected of sending bomb threats to a Washington high school. This is part of what they call their "network investigative techniques" as they use spyware to bring criminal wiretapping into the cyber age. Mind you, the criminal wiretapping is overseen by the courts, so there is some type of oversight.
This is certainly concerning to privacy rights advocates as it raises Fourth Amendment violation questions. Given a Washington Post article about how the FBI hunts down the bomb threat suspect, Mo, and the recent public outrage over the NSA surveillance discovery from the Snowden leaks, I suspect the FBI network investigative techniques may receive more scrutiny than usual. The Federalist Papers already posted a sensationalized article waving the Fourth Amendment violation flag based on the Washington Post article; however, they failed to mention the FBI sent the surveillance software 3 days AFTER receiving court approval, the software FAILED, and the targeted individual was NOT a US citizen and within US territory. The Washington Post article mentioned these items, but The Federalist Papers conveniently overlooked them. Don't get me wrong, this capability is ripe for abuse, and we should have an ongoing national dialog about it, but let us be rational, base it on facts, and leave out the emotional, misleading sensationalism.
Missing from the conversation is discussion of how others use the same ruse, particularly those with ill intent. While you may be unconcerned about being targeted in an FBI investigation, cyber criminals still have you in their sights and have the same capability (if not better) as outlined here. Plus they don't have court oversight to prevent them from going after you. Computer security is a must, and users should not have a false sense of security when using the World Wide Web from the comfort of their home.
Computer Security Basics:
  • Don't click on email links
  • Don't download email attachments. If you insist on having the attachment, scan it prior to opening it.
  • Read the header of the email. The “from” line can easily be (and often is) spoofed, but if you dig a little deeper in the email header, you can figure out where that email came from. There is a good tutorial on how to read email headers at 
  • Analyze the topic and body of the email. Is it rather generic? If it is from a known sender, does the sender typically send email like this?
  • Ensure your anti-virus and operating software have the latest updates. Updates fix known software vulnerabilities often exploited by hackers.
  • Use anti-virus add-ons that alert you whether a site is safe, questionable, or unsafe.
  • Use computers instead of smartphones to surf the Internet. Computers have more security software than mobile devices, which means more protection. 
  • Disable unused devices, and disconnect from wi-fi when not needed.
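
As an added example (not part of the original post), here is one way to do the header reading described in the tips above, using Python's standard `email` module. The sample message, its hosts and addresses, and the `trusted_suffix` parameter (your own mail provider's domain) are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email). Hosts use reserved example
# domains and the IP addresses come from documentation ranges.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP id A1; Mon, 9 Dec 2013 10:00:05 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2; Mon, 9 Dec 2013 10:00:03 -0500
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.net with SMTP id C3; Mon, 9 Dec 2013 10:00:01 -0500
From: "Shipping Notices" <tracking@shipper.example.com>
Reply-To: claims@freemail.example.org
To: user@recipient.example
Subject: Your package is available for pickup

Constructed body text.
"""

# "from <name> (<rdns> [<ip>]) by <host>" as most mail servers write it.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^)]*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)", re.S)


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def received_hops(msg):
    """Parse Received headers in the order they appear (newest first)."""
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP_RE.search(value)
        if match:
            hops.append(match.groupdict())
    return hops


def is_trusted(host, trusted_suffix):
    """True when host is the trusted domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == trusted_suffix or host.endswith("." + trusted_suffix)


def analyze(raw, trusted_suffix):
    """Summarize where a message really entered your provider's servers."""
    msg = message_from_string(raw)
    hops = received_hops(msg)

    # Only Received lines written by your own provider can be believed.
    # Everything below them was supplied by the sending side and may be forged.
    handoff = None
    for hop in hops:
        if not is_trusted(hop["by"], trusted_suffix):
            break
        handoff = hop

    frm, rp, rt = (domain_of(msg.get(h))
                   for h in ("From", "Return-Path", "Reply-To"))
    findings = []
    if rp and rp != frm:
        findings.append("Return-Path domain differs from From domain")
    if rt and rt != frm:
        findings.append("Reply-To domain differs from From domain")
    if handoff and hops[-1] is not handoff:
        findings.append("hops below the handoff are unverified claims")

    return {
        "from_domain": frm,
        "return_path_domain": rp,
        "reply_to_domain": rt,
        "handoff_ip": handoff["ip"] if handoff else None,
        "claimed_origin_ip": hops[-1]["ip"] if hops else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE, "recipient.example").items():
        print(f"{key}: {value}")
```

A domain mismatch is a signal to look closer, not proof of fraud, since legitimate bulk mailers often send through a third-party service.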
Franceschi-Bicchierai, L. (7 December 2013). How the FBI used hacker tricks to track down a would-be bomber. Mashable. Retrieved from 
Nakashima, E. and Timberg, C. (7 December 2013). FBI's search for 'Mo,' suspect in bomb threats, highlights use of malware for surveillance. Washington Post. Retrieved from
Oliveira, P. (7 December 2013). FBI can turn on your web cam. New York Post. Retrieved from
Poulsen, K. (18 July 2007). FBI's secret spyware tracks down teen who made bomb threats.  Wired Magazine. Retrieved from
Straub, S. (7 December 2013). Ex-Official says FBI can secretly activate an individual's webcam without the indicator light turning on. The Federalist Papers. Retrieved from 
Valentino-Devries, J. and Yadron, D. (3 August 2013). FBI taps hacker tactics to spy on suspects. Retrieved from 

December 8, 2013

Fake delivery notices

Have you been receiving emails that look like shipping notifications, but you don't recall ordering any packages? Don't look now, but it could be a scam.
This holiday season, scammers are taking advantage of the increase in package deliveries at this time of year. By emailing fake shipping notifications to trick people into downloading a computer virus, they're hoping to snag some victims. With over 131 million online shoppers over Cyber Monday in 2013, many people will expect some type of delivery notice and will likely click on the malicious download. It only takes a few minutes with your guard down to fall prey to this phishing scheme.
FedEx delivery notice. Is it real or fake?
FedEx, one of the popular shipping companies, warns about a phishing scam masquerading as a FedEx delivery notification. According to SecureWorks, one phishing FedEx message circulating will infect a person's computer with the Gameover ZeuS Banking Trojan after clicking on it. The Gameover ZeuS Trojan malware aims to steal sensitive information such as online banking credentials, and is harder to get rid of since its distribution is through peer-to-peer networks. According to some reporting, the fake notification looks very close to a real version, so it's hard to differentiate between them.
FedEx is not the only company scammers are using for phishing shipping notifications. Reports indicate they are using other popular companies, such as Amazon, eBay, Wal-Mart, UPS, DHL, and Target. According to SecureWorks, other subject lines used by scammers are:
  • "You have a New encrypted message from your bank"
  • "USPS is notifying you that your package is available for pickup"
  • "You have received your payroll invoice"
  • "Your FED TAX payment was rejected"
  • "Advisors Online Documents Activated"
  • "Transaction notification from your bank"
  • "Docusign To all Employees - Confidential Message"
Simple tips to not fall victim to this scam:
  • Approach any email with caution, especially ones you were not expecting.
  • Don't click directly on links within the email. Go directly to the known, trusted website to verify shipping information.
  • Don't open email attachments. If you trust the source, scan the attachment prior to opening.
  • If you're concerned about a legitimate package, call the company directly and don't rely solely on email traffic.
Ellyatt, H. (2 December 2013). It's Cyber Monday: Over 131 million expected to shop online. NBC News. Retrieved from 
FedEx. (2 December 2013). Holiday scams - beware. Retrieved from
Howard, C. (4 December 2013). Fake package tracking email may be malware. Clark Howard Rip-Off Alert. Retrieved from 
Rubenking, N. (13 November 2013). Malware loves company: How malware evolution triggered a change in our testing. PC Magazine: Security Watch. Retrieved from
SecureWorks. (2 December 2013). Fake order confirmations and delivery notices.  Prosecurity Zone. Retrieved from 

December 7, 2013

Christmas Holiday Security Posters

Looking to add some holiday cheer to your security awareness program? Here are some Christmas theme security posters from our Security Poster Library.

Even the big, fat man must comply with access control procedures.

Santa does a double check, make sure you do when locking up for the day.

Classified packages need to be wrapped with care not just this time of year, but all year around.

Sensitive information must be handled with care.

A holiday reminder of individual security responsibilities.

Grinch holiday theme security poster.

Security is a 24/7 responsibility, even during the holiday season.

Holiday OPSEC poster.


Even during the holiday season, we must practice security.

Parents practice OPSEC to keep the children's belief in Santa.

Holiday wishes from Security.

Holiday theme poster posing the question, do you know who you're dealing with on the Internet? Practice OPSEC, even online.

In a letter to Santa, Foreign Intelligence Services state what they want for Christmas. Their "Wish List"  never changes. They're after your secrets.

Santa Christmas security poster reminding people that security is everybody's responsibility.

Even during the holiday season, it is security season.

Security Department's holiday greetings.

Even during the holiday season, keep up your security responsibility. I believe this is an old picture of the Defense Intelligence Agency (DIA) building.

Holiday themed security poster to remind people about security.

Holiday themed security poster to guard against complacency by practicing their security responsibilities.

Holiday wishes from the Security Department.

December 2, 2013

Spam Can: "419" UN winning scam

Previous Spam Can posts looked at the minimalist approach to phishing, but today I finally got something with a bit more meat to it to dissect.

The email I received from "Mr. Boisard" is almost word-for-word from the 419 scam example at the site The only differences between the 419Scam's 2012 example and my 2013 email are the subject and email address. The phone number +44701114872 is a United Kingdom number that redirects the caller to a cell phone in another country. Phishing scams will often list cell phone numbers, so the scammer can easily answer the call on the go or sitting at an Internet café.

419 Scam UN Lotto Winner

The "officials" listed use free web-based email services instead of professional email services. For instance, US government emails would end with ".gov," military emails would end with ".mil" and United Nations email would end with "" The email appears to come from a Mr. Marcel A. Boisard. Based on a quick Internet search on this name, he is listed as the Under-Secretary General to the United Nations and former Executive Director of United Nations Institute for Training and Research. Scammers will often use real names to add a sense of legitimacy to their email; however, I'm certain that the real Mr. Boisard has an efficient staff to reach contacts on his behalf. While I admit that I'm a pretty cool person, I doubt that any Under Secretary will personally contact me, let alone from

The scammers insert official-sounding language to lull the receiver into a false sense of security. Why would they send you the "PIN code" and "Password" in a single email, then ask you to verify yourself by sending sensitive information? While more and more people are becoming comfortable with passing sensitive information through emails, please hesitate to do so when you don't even know the identity of the sender.

Another sign that this email is a phishing attempt is the poor use of the written language. Written correspondence from officials will not switch back and forth between using capital or lower case letters.