Defeating Cybercrime with Awareness and Good Habits

Image

Information security is a growing problem even in the protected, static environment of the business office. The challenges of securely accessing and storing data while traveling, however, are particularly acute, but they are manageable with (1) a high-level of awareness coupled with (2) a few good habits.

Awareness

Forget about hackers in the movies, forget script kiddies, and stop telling yourself that you are too small to matter. As reported here over a year ago, cybercrime is now more profitable than the drug trade. This is an important indicator of the changing environment in which we live and work, in both the real world and the cyber world. Once serious money is involved, the stakes change, as do the methods in which crimes are perpetrated. For example, thanks to research from Malwarebytes Lab last year, we know that cyber criminals bid on keywords in online advertising. Yes, crooks buy Google AdWords and have successfully planted malware in online advertisements from numerous third-party advertising networks. Cyber criminals also don't care how small you are. Have you ever thought that a criminal wouldn't bother stealing your purse or your car? Breaking into your house, even though it's small? Crime pays, and small crimes add up. Cyber criminals are clever and determined. They develop new ways to target victims. Added to this, the convergence of the real world and the cyber world has created an environment of skewed perspective where we often trust strangers on the Internet ("This restaurant got great reviews on Yelp!") more than the people in front of us. ("I ate there and hated it.") Let's take a look at some of the "magic tricks" used by cyber criminals to prey on us in all the worlds we inhabit.

The Man Behind the Curtain

In January of this year, The New York Times ran an interesting piece in which it wrote:

"Odds are good that when you search Google for someone to help you get into your home or car, results will include poorly trained subcontractors who will squeeze you for cash."

The article explains that there are a number of call centers nationwide disguised as locksmith companies that manage to show up high in Google Search results by gaming the algorithm to fool the search engine giant's own systems and processes. These companies operate multiple fake websites, even paying graphic designers to create photos of office buildings that do not exist with fake reviews and testimonials. They also list them in Google My Business and Google's Map Maker in order to create an air of legitimacy. While it may appear that this locksmith company has a half dozen locations near you, in fact, they have none at all. When you call one of these companies for help, your info is sent to a poorly-trained subcontractor whose primary goal is to wrest as much money from you as possible. According to this report, there are a number of groups that entice recent immigrants to become locksmiths as part of this nationwide scam. One man said, "A company in New Jersey ... hired him, gave him a week of training, and told him he could keep 40 percent of every job. His instructions were to size up each customer and ask for as much money as possible." These "locksmiths" are trained not only in opening locks but also in classic bait-and-switch tactics, turning that $19 onsite service to open your locked car into a $200 expense. If you are traveling and need a locksmith (or any other service), ask for a recommendation from your hotel concierge or waitress at a local restaurant rather than rely on online search results or reviews from faceless strangers on the Internet.

Did You Hear That?

The Telegraph reported last year on a trend of real-life criminals turning to cybercrime. "[A]nalogue crooks are going digital," the story said. A novel example appeared in The Guardian where criminals with wireless jamming devices stole vehicles by blocking the "lock" signal sent from the key fob as the car's owner is walking away. The criminal then gets in the unlocked car and drives off. Don't let your rental car disappear! Listen for the click of the locks engaging before walking away from the vehicle.

Pulling Rabbits Out of Hats

Brian Krebs recently published an analysis of boarding pass barcodes and the amount of information they contain, including your name, frequent flyer number and a variety of other personally identifiable information (PII) that an attacker may use for identity theft or to steal your air miles. (See "Dear Airline Carrier…Have you Seen my Miles?"). Barcodes often contain a wealth of personal information, and yet because they are unreadable by human eyes, we typically ignore them. That "empty hat" may contain a rabbit or something worse! If you can't read everything in a document, don't carelessly throw it away. Tuck it in your bag and shred when you return home.

Good Habits

Cyber criminals rely on our laziness and depend on our bad habits to make us vulnerable. Replacing bad habits with good habits isn't difficult; it's just a matter of re-training yourself. Here are a few good habits to adopt while traveling that can help you protect against cybercrime:

• Avoid unsecured wireless. Stay on the cellular network whenever possible. If you must use Wi-Fi, make sure it requires a password and check on the security. (WPA-2 is ideal.) Avoid public networks (airports, coffee shops, restaurants) that create many attack avenues.

• Use encryption whenever possible. Use full-disk encryption on your laptop to protect data in the event of theft or loss. The Ponemon Institute estimates that every week, 12,000 laptops are lost or stolen in U.S. airports alone! Use an encrypted virtual private network (VPN) to remotely access your office network. Only log into websites that are encrypted. (Look for the "s" in https://.)

• Bring your own tools. Don't use those business work centers available in hotels and convention centers for anything confidential (checking email, ordering online, accessing client documents, logging into extranet portals, etc.). Bring your own laptop and Internet hot spot. Be in control of your own security.

• Practice Selfie Awareness. Photos shared online can reveal a wealth of information. Landmarks or distinctive architectural features in the background can pinpoint a location, even if you have stripped geotagging data from the photo. A vehicle license plate, a security badge, a keypad (with dirty keys showing which ones are used in the code!), a company logo – these are all key pieces of information that are often ignored when framing a photo. We know that crooks of all kinds use social media to build profiles of potential victims, and the urge to take photos when traveling often overcomes our natural reticence about "oversharing."

The dangers of travel don't need to include the many new ways we are accessible due to technology. Be aware of potential dangers, and put your natural skepticism and good habits to work whether at home or on the road. Don't let those malicious magicians play a trick on you!  

Image

About the Author: Glenda R. Snodgrass has been lead consultant and project manager at The Net Effect since the company's inception in 1996.  Ms. Snodgrass is primarily engaged in cyber security training, threat analysis and mitigation for  commercial, non­profit and governmental organizations.   In addition to conducting security­related workshops, corporate training and delivering cyber security defense presentations at professional conferences and conventions, she spends time drafting network security protocols and developing employee security awareness training programs for clients.   An active member of the Gulf Coast Industrial Security Awareness Council, InfraGard, ASIS International, and Gulf Coast Technology Council, as well as numerous civic organization, Ms. Snodgrass holds a B.A. from the University of South Alabama (1986) and a ma î trise from Universit é de Paris I ­ Panth é on­Sorbonne in Paris, France (1989). Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.