January 14, 2014

Mail Theft

Thieves target mail.
Back in 2011, when Security Checks Matter was starting out, I posted in our four part series on identity theft about protecting your mail. When protecting yourself from identity theft, people do not place much thought into protecting their mail. With so many stories circulating about data breaches, social media dangers, and cyber criminals, you wouldn't think identity thieves would still bother with something so low tech. Recent news stories may have you think otherwise.
Late November 2013, Redmond, Washington police investigate a rash of mail theft occurring in the Redmond and Woodinville areas. Thieves are taking any mail that is of value and discarding on the side of the road unwanted items.  The police have also received reports of people following UPS delivery trucks around to grab packages left on doorsteps.
In Howard County, Maryland, the police and US Postal Inspection Service warn residents to take precautions with their outgoing mail. This comes after investigating 40 different cases of thieves stealing outgoing mail containing checks. The thieves hit unsecure home mailboxes with its red flag up indicating mail pick-up.
During the same month Colorado Springs, Colorado police arrested two people in connection with mail theft from over 60 people around the Briargate and Rockrimmon neighborhoods. From the suspects' vehicle, police recovered driver's licenses, medications, and debit cards, which are all suspected to have been obtained from stolen mail.
The victims from these mail theft cases are concerned with identity theft, and rightfully so. Most identity theft starts with stolen mail. Think about how much of your sensitive information goes through the mail, such as credit card statements, bank statements, new checks, credit card offers. Once you start looking at it from that angle, you can easily see how mail is a lucrative target. 
Here are some security suggestions I recommend to protect yourself from mail theft.

Reduce your risk by reducing the amount of mail with sensitive information by: 
  • opting out of pre-screening credit offers , which will drastically reduce the amount of credit offers in your mailbox.
  • opting for electronic statements in lieu of paper copies mailed to you.
  • having you pick up new checkbooks up at the bank
Drop off outgoing mail in an official Postal Service collection box or directly at the Post Office instead of placing it in your home mailbox unsecured.
Don't go with a traditional mailbox. Opt for a mailbox that locks or use a PO Box.
When selecting shipping options for packages, select one that requires you to sign for delivery, so your package will not be left at the your front door to potentially be picked up by somebody with sticky fingers.
Learn who your neighbors are and have a trusted neighbor sign for your packages.

Graf, H. (25 November 2013). Redmond Police investigate rash of mail thefts.  King 5 News. Retrieved from http://www.king5.com/news/local/Redmond-Police-investigate-rash-of-mail-thefts-233415141.html 
My Fox DC (22 November 2013). Howard County Police investigating mail theft cases. MyFoxdc.com. Retrieved from http://www.myfoxdc.com/story/24046667/howard-county-police-investigating-mail-theft-cases#axzz2mLVNceWw
The Gazette (1 December 2013). Police: More than 60 Colorado Springs residents victims of mail theft. The Gazette. Retrieved from http://gazette.com/police-more-than-60-colorado-springs-residents-victims-of-mail-theft/article/1510280#BTic4GuiRCI6Hhqy.01 
Enhanced by Zemanta

January 12, 2014

Target not only retailer impacted by recent data breach

Target was not the only retailer to be hit by cyber attacks this past year.  The upscale Dallas-based retailer Neiman Marcus came forward, but it is not sure if their breach was related to the Target incident. The retailer was notified in mid-December about potential unauthorized payment activity following customer purchases at stores. On January 1st, a forensic firm confirmed the retailer was a victim of a cyber attack that compromised customers' credit and debit cards. How many customers impacted by this breach is unknown. Neiman Marcus is working with the Secret Service on the breach.
Reportedly, more US retailers fell victim to payment network breach over 2013 to include the holiday shopping season. Smaller breaches on three other well-known US retailers used similar techniques from the Target major data breach that disclosed personal information of over 70 million customers. Sources state the breaches involved mall outlet retailers that have not publicly disclosed the breaches yet.  Target has not publicly stated how the attackers managed to breach into its network.  Law enforcement speculate that the main culprits are from Eastern Europe, which is where most large cyber crime cases from over the past decade originated from. Officials believe the hackers used a variety of tools and techniques to capture the encrypted data, including a malware device called a RAM scraper, which captures encrypted data as it passes through a computer's live memory where it appears in plain text. As retailers improve security, hackers have increasingly relied on this technology to obtain credit card data.
Last year Visa warned retailers in two alerts on this type of cyber attack with technical details and appropriate countermeasures. Whether Target or the other retailers implemented the recommendations is uncertain. Law enforcement sources close to the case doubt the proposed recommendation would have prevented the data breach, since criminals used additional sophisticated techniques.
Target Data Breach
Recently Target discovered that hackers stole the personal information of at least 70 million customers, including names, mailing addresses, telephone numbers, and email addresses. Initial reporting from December about the Target data breach stated the breach only impacted 40 million customers, but further investigation shows it affected even more. You can read more in our "Target data breach: What to do if you're one of the 40 million?" post.
Cyber attacks like this will likely happen again. The United States is the only modern nation that continues to use the magnetic striped payment card technology designed more then forty years ago to store payment card account numbers. US consumers are more than happy to keep the status quo by accepting new account numbers and cards for every compromise instead of demanding the industry adopt more secure payment methods. The rest of the modern world, such as Europe, Asia, and Canada instituted the chip-embedded payment cards which are more difficult to counterfeit.

Acohido, B. (24 December 2013). Why the Target breach won't be the last of its kind. USA Today. Retrieved from http://www.usatoday.com/story/cybertruth/2013/12/23/why-the-target-breach-wont-be-last-of-its-kind/4180251/
Associated Press (11 January 2014). Neiman Marcus confirms security breach. ABC News. Retrieved from http://abclocal.go.com/wls/story?section=news/national_world&id=9389963
Finkle, J., Hosenball, M. and Reuters (11 January 2014). The data breach of Target and Neiman Marcus may be bigger than we realized. Business Insider. Retrieved from http://www.businessinsider.com/hacker-data-beach-2014-1?utm_content=bufferf4271&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer 
Fox News (12 January 2014). More retailers reportedly hit by cyber attacks. Retrieved from http://www.foxnews.com/tech/2014/01/12/more-retailers-reportedly-hit-by-cyber-attacks/ 
Reuters (12 January 2014). More well-known US retailers victims of cyber attacks: Sources. CNBC. Retrieved from http://www.cnbc.com/id/101328744 
Enhanced by Zemanta

January 5, 2014

Security Geek Alert! The Asset

The other week I saw a preview for ABC's latest miniseries "The Asset." The ad was for the first episode "My Name is Aldrich Ames." I don't really watch TV, especially hyped dramas, but I admit that the security geek in me was stoked when I saw this one. ABC was dramatizing the Aldrich "Rick" Ames story and it didn't look super cheesy like all those security education videos I've been tortured enlightened with. Could it be true?
The ABC snippet about the show:
     "1985 serves as the backdrop to the final showdown of the Cold War when Sandy and her partner Jeanne Vertefeuille vowed to find the mole that would turn out to be the most notorious traitor in US History, Aldrich Ames, Sandy is in a race against time to save the Soviet intelligence officers from being caught and killed. Living her own double life at home, this beautiful wife and mother vowed to stop at nothing until she uncovered the truth."
For those not familiar with him, read what the Crime Library from TruTV says about him.

     "During the nine years that he worked for the KGB as a mole, Ames single handily shut down the CIA's eyes and ears in the Soviet Union by telling the Russians in 1985 the names of every 'human asset' that the U.S. had working for it there. In all, he sold the KGB the names of twenty-five 'sources.'...Although Ames didn't know most of the spies whom he betrayed, oone of them was a Soviet diplomat whom he considered to be one of his best friends...Besides revealing the names of every U.S. spy in the Soviet Union, Ames derailed vital CIA covert operations and put dozens of CIA officers at risk..."

The CIA ignored all the red flags on Mr. Aldrich such as living well above his means, had perceived slights from the CIA, major personal issues, heavy binge drinking, grand disillusions of his worth.
Besides Robert Hanssen from the FBI, Aldrich was one of the deadliest modern spies.

 With only knowing this bit of background, you can easily see that the Aldrich "Rick" Ames has plenty of fodder for a great miniseries. You don't even need creative writers to create a plot, just follow the real life story. This doesn't even include the interpersonal drama that played out in his real life. "The Asset" is based on the nonfiction account of Ames by Sandy Grimes and Jeanne Vertfuille, the CIA officers that help the agency discover their mole. I've read a mix of positive and negative reviews so I may need to take the time to watch it myself and come to my own conclusion. Looks like clips from the miniseries would provide great security awareness and education pieces. Hint, hint. Looking at the miniseries trailer, I'm going to be getting my security geek on!

It's on ABC, Thursday night at 10:00 p.m. or you can try to stream it on ABC.

ABC. The Assets. Retrieved from http://abc.go.com/shows/the-assets 
Earley, P. CIA traitor Aldrich Ames. Tru TV Crime Library. Retrieved from http://www.trutv.com/library/crime/terrorists_spies/spies/ames/1.html 

January 1, 2014

Creating Real Security Awareness: Step 5

STEP 5: Develop Material.
Checklist Inspection
This is the sixth installment of our Create Security Awareness series, where we look at the fifth step in our process in tailoring a security awareness campaign. In this step, we roll-up our sleeves to start developing our security awareness material. This is by far my favorite step since this is where I actually start putting my plan into action and get the creative juices flowing. Honestly, there are times I would like to skip all the other steps and go directly to this one; however, the previous steps are essential in leading me to a successful security awareness campaign. When starting to develop material, have all the items you came up with from the previous steps. The two important things you should really have are your:

1) Communication plan. This was covered in our Creating Real Security Awareness: STEP 4 post, but to summarize, the plan highlights your objectives, targeted audience(s), key message, and method. Basically, it's your road map.

2) Research information. Our Creating Real Security Awareness: STEP 3 post covered this topic. For those that missed it, this step resulted in information on communication methods/constraint and topic information.

These two items will direct your creativity. Personally, I prefer to go through old items to see if any of them could be slightly modified, incorporated into the product your developing, or provide any other ideas. Sometimes building off of an older product is easier than starting from scratch. Our posts Resource: Security Posters and Awareness Resource: Customizable Security Guide provide some information that could help you out this area. I consider these freebies! (Added May 2014, 4 FREE Security Awareness Resources can provide additional assistance.)

Image from Philip Martin at pppst.com
Since there are numerous articles circulating the interwebs detailing the writing process, and I have nothing new to add, I will not go into detail about it. For those interested in reading about it may I suggest this link. It should get you started.

The only thing I will highly emphasize is editing. Somebody told me a great plan is not written, it is rewritten. When dealing with deadlines and multiple demands, it is tempting to overlook this part of the writing process. Editing refines the products to provide a polished, professional look. Do NOT skip this part of the process. After you develop your material, it is important for you to step away from it for a day or two, especially if you are working on a lengthy product (i.e. handbook). This gives your brain a serious mental break. When you come back, you will notice the glaring errors you easily overlooked before. Additionally, have others review and edited your work when time permits. If possible, have somebody from the targeted audience preview and provide feedback. What you say as a security professional may not easily translate over to the general workforce.

One other thing when it comes to developing material, don't be afraid to elicit help from different areas of expertise. I often ask the graphic art or the public affairs/advertisement departments for assistance. Sometimes I only give them the concepts, information, and the desired outcomes, then let them do what they do best. By divvying up the work, I can concentrate on the information, while they focus on the image. The teamwork approach really polishes a security awareness material without me completely doing all the work. Score!

Articles in the series:

Enhanced by Zemanta