🦊 Can you delete yourself....?

Jul 20, 2021 4:14 pm

...you might think it's a somewhat trivial task. Sweeping yourself off the internet is no cake walk.


Hi. I'm Jon Fedor and this is InCyber Regular, edition 16. I love helping people live more digitally-secure lives. Call it my passion project. Is that cheesy? Yes. But here's the thing: I always answer my own rhetorical questions.


At InCyber I talk about cyber-related issues and security-awareness for smaller enterprises, the cyber-curious, and the security-conscious. Sometimes we talk tactics, sometimes theories; always, security.


Today:

  1. A very good way to build consensus in times of security trouble
  2. Can you delete yourself?
  3. These devices experienced a 700% increase in attacks during COVID


A security consultant walks into the room...

...and everyone turns on the VPNs on their phones.


This is an intimidating situation. Imagine: your company just got hacked. Ransomware's locked you out of all your systems. You work on the IT team. Everyone's judging you in their hearts.


In walks Hal Pomeranz. (Great follow on Twitter).


Here's how he started handling this situation.


image


Text from the image above:


"Lately I've been dealing with a lot of ransomware cases. 

And often our team runs into issues with the IT staff from the victim organization.


Whether they're embarrassed or afraid of being shown up or for whatever other reason, they're uncooperative or in some cases actively working against our investigation.


So on a recent case, during our engagement kick-off call, I laid it out like this.

"We're going to investigate and figure out where this started.

And it will be an unpatched system, or somebody clicking a link, or somebody just being unlucky with a web site they visited."


"And NONE of that is YOUR FAULT.

All organizations are vulnerable, because I have yet to meet an org whose security budget exceeds their attack surface."


"You are not the assholes here. The assholes are the ones who took that vulnerability and used it to drop ransomware all over your network.

Just because you forgot and left your door unlocked doesn't make it right for somebody to come in and trash your place."


"We are the good people.

The ones who are trying to figure out what happened and make things better.

This is a team effort that is going to require everybody's help.

Nobody is to blame, we are all just trying to fix this mess we find ourselves in."


Later in the engagement, several people from all levels in the IT staff said they appreciated those words and the timing and it helped them move on from the initial FUD stage of the incident and be more productive.

Your mileage, as always, may vary."


I'd love to work with this guy.


DeleteMe

DeleteMe is an interesting proposed solution to a problem we all have: online privacy.


Let's face it. Our digital footprint is wide. Our data is everywhere. We're sloppy like a Sig Ep party out there in the digital wild.


In comes DeleteMe promising you "the right to be forgotten."


From the website:


DeleteMe is a service site that facilitates its users in deleting their presence on other sites. It’s also a site that provides information on privacy laws in multiple countries to better educate the users on their rights in relation to data privacy.


So. Does it work? Should you use this service? Here's the start of my weighing mechanism for answering that question:


1. DeleteMe is a really neat service. It reduces the time it takes to do a lot of the tracking down and clearing personal information on your own (from search engines, primarily).


DeleteMe is a great start if you:

A. can invest the time to set it up (people say it takes a lot of time),

B. are comfortable putting basically *all* your personal information, ironically, into yet another place (DeleteMe), and

C. just know that security-by-obscurity is essentially a constant battle.


2. Something that's important with any security effort is to define what you're trying to solve - the job(s) to be done. Getting a really good handle on that question is usually critical to picking the tool for the job. 


3. Security-by-obscurity is tough to nearly impossible to achieve without a large, dedicated amount of time and money (like paying a full-time guy with an earpiece and near-paranoia to monitor your life constantly).


Our information (like credit history, residence history, purchase history from credit cards, etc.) is replicated in so many places that it tends to propagate again even after getting deleted.


Take it for what it's worth. 


Attacks on IoT devices increased 700%

HelpNetSecurity published an article that caught my eye. During the pandemic, attacks on Internet of Things (IoT) devices increased by more than your total takeout orders did.


Zscaler (an IT security company) analyzed data from their logs and made a few observations. Here are three that stand out for me:


One


"The report analyzed over 575 million device transactions and 300,000 IoT-specific malware attacks blocked over the course of two weeks in December 2020 – a 700% increase when compared to pre-pandemic findings."


Two


You may be thinking...well, I don't have any vulnerable IoT devices around my house or office.


Think again. Here are the devices they examined:


"Out of over a half a billion IoT device transactions, 553 different devices from 212 manufacturers were identified, 65 percent of which fell into three categories: set-top boxes (29 percent), smart TVs (20 percent), and smartwatches (15 percent)."


Three


Here's the part that just absolutely kicked me in the head:


"[The Zscaler team] saw 76 percent of these devices still communicating on unencrypted plain text channels, meaning that a majority of IoT transactions pose great risk to the business."


What the actual heck.


So what can you do?

  1. Understand all your network devices - scan for and map them all
  2. Change all default passwords - make boss-ass passwords in a flash
  3. Update and patch your devices regularly
  4. Isolate IoT networks at work and at home.
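
Here's what steps 1 and 4 can look like in practice, along with a check for the plaintext problem from the report. This is an added example, not code from Zscaler or the original newsletter; the device names, the VLAN number, the CSV layout and the port-to-protocol mapping are all assumptions, and the flow records are constructed sample data.

```python
"""Added example: audit constructed flow records for IoT devices using plaintext protocols."""
import csv
import io
from collections import defaultdict

# Well-known ports for unencrypted protocols (assumption: port implies protocol).
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}

# Hypothetical network layout: the only segment IoT devices should sit on.
IOT_VLAN = "30"

# Constructed sample flow export (not real data): device, vlan, dst_port, bytes
SAMPLE_FLOWS = """device,vlan,dst_port,bytes
living-room-tv,30,443,52000
living-room-tv,30,80,18000
set-top-box,10,80,9000
set-top-box,10,1883,400
smartwatch-dock,30,443,7000
smartwatch-dock,30,8883,300
"""

def audit(flow_csv):
    """Return {device: {vlan, plaintext_bytes, total_bytes, protocols, findings}}."""
    devices = defaultdict(lambda: {"vlan": None, "plaintext_bytes": 0,
                                   "total_bytes": 0, "protocols": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        dev = devices[row["device"]]
        dev["vlan"] = row["vlan"]
        size, port = int(row["bytes"]), int(row["dst_port"])
        dev["total_bytes"] += size
        if port in PLAINTEXT_PORTS:
            dev["plaintext_bytes"] += size
            dev["protocols"].add(PLAINTEXT_PORTS[port])
    for dev in devices.values():
        findings = []
        if dev["protocols"]:
            findings.append("plaintext: " + ",".join(sorted(dev["protocols"])))
        if dev["vlan"] != IOT_VLAN:
            findings.append("outside IoT VLAN")
        dev["findings"] = findings
    return dict(devices)

def plaintext_share(report):
    """Percentage of devices seen sending any plaintext traffic."""
    flagged = sum(1 for d in report.values() if d["plaintext_bytes"])
    return round(100 * flagged / len(report)) if report else 0

if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS)
    for name, dev in sorted(report.items()):
        print(name, dev["findings"] or ["ok"])
    print("devices using plaintext: %d%%" % plaintext_share(report))
```

Swap the sample for a flow export from your own router or firewall and the same two questions get answered: which devices talk in the clear, and which ones are sitting on the wrong network.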


Thanks!

I love writing this thing for y'all and I want to keep doing it. And I want it to get better weekly. So let's make it happen already.


Have a good'un, Good Lookin'.


~Jon "Boss-Ass Passwords" Fedor
