Thursday, May 17, 2018

Confessions of a Star Wars Fan

I have a confession to make. I'm not really a fan of science fiction. There are exceptions, of course. Star Wars: A New Hope jumps to the top of my list. I'm a HUGE fan. So are most of my peers in the cyber crime fighting world. Including those who, like me, may not be the biggest sci-fi fans. It occurs to me the exceptions – the sci-fi books and movies I enjoy – often have a hacker theme. Even Star Wars.

What? I hear you ask. Star Wars is a hacker movie?

Yes, yes it is.

Some parts are obvious. Like Princess Leia saying, in reference to the stolen Death Star plans, "I only hope that when the data's analyzed, a weakness can be found." That's classic reverse engineering.

There are other hacker-y scenes, too.

Luke triggering the hologram, for instance. It was meant for Obi Wan's eyes only but Luke accidentally made R2D2 play a snippet. In other words, he inadvertently exploited a vulnerability in the droid.

When Luke and Han pose as storm troopers with Chewbacca in handcuffs to trick their way into the detention area, that's an example of social engineering.

R2D2 plugging into the port to find Leia in the first, place, that's penetration testing. Once R2 has that digital foothold, the droid turns off the trash compactor. This is an example of lateral movement within a now-compromised network.

Obi Wan gets in on the vuln exploitation by finding and shutting down the tractor beam holding the Millennium Falcon. Sure, he does it manually, but, hey, it worked.

And when our heroes get away, Leia says, "They're tracking us." There are several ways that could be cross-referenced to cybersecurity. For years, content providers have used tracking pixels on web pages as a way to combat lookalike phishing pages. Honeypots have been around for ages, too, which are computers or virtual computers intended to be hacked so the good guys could watch and see what the bad guys do. More recently, canary tokens/files have gained popularity, named for "canary in a coal mine." Like honeypots, these are lures to attract miscreants to see who might be stealing data and where the stolen data ends up.

Maybe it's a perspective thing. Or maybe it was intentional on George Lucas' part. Either way, to me, the first Star Wars movie, A New Hope, isn't what I think of as typical science fiction. It's one of my favorite hacker flicks.

May the Force be with you.

Friday, February 9, 2018

What's a Security Freeze and Why Should I Care?

In light of the billions (with a "B") of personally identifiable information records now leaked, dumped and being sold in the criminal underground, identity fraud is at an all time high. These records contain information as innocuous as your email address and password used on a website that got breached, or highly detailed information about you exposed by the accidental leak of the database containing all registered US voters.

I've talked about 2-factor authentication in a past blog post. This time, we'll take a deep dive into protecting the information criminals use to monetize leaked and stolen data, your credit reports.

What's a credit report? It's basically your financial life as recorded by debt and linked to your Social Security Number. A credit report contains your bill pay history (also know as credit history), your credit card issuers (past and present), your debt history (car loans, rent/mortgage holders past and present thus your past and current addresses), all the information that goes into the makeup of your credit score. Credit reporting agencies sell this information to insurers, employers (for background checks) and loan application evaluators (mortgage lenders, landlords, banks/personal loan issuers, etc.).

How do bad guys leverage credit reports? The most obvious way is identity theft - opening lines of credit, credit cards or other types of loans in your name. They get the credit card or money, you get the bills. Other forms of fraud are cobbled together identities - one person's name, another's address, a third person's SSN, and so on. This makes it harder to both catch and repair the damage to all victims' financial well being.

In order to accomplish these forms of fraud the credit issuers first run a credit check of the requestor (real or criminal). Thus, access to this information is critical. That's where a security freeze comes in. Also known as a credit freeze, it's a service that "locks" your credit report against credit/loan application access requests until you explicitly allow an agency to respond. This differs from fraud alerts, which are reactive and most often temporary. That is, you get alerted that someone accessed your credit report after the fact. A security freeze is prevention against fraudsters and thieves impersonating you, regardless of the how much information they have to verify your identity. What they won't have is the secret to temporarily unlock the credit report. That secret is either a PIN or a password the credit agencies mail to you and that you need to supply to the credit agency when you apply for new credit cards, loans, or submit to a background check. A handy tip I've learned is you can specify the agency to be queried when a credit check is needed. You don't have to unlock them all.

Security freezes are relatively easy to set up. The caveat is that you need to set a freeze at each of the credit reporting agencies: Experian, TransUnion and Equifax. Two smaller reporting outlets have emerged and those should be included: Innovis and ChexSystems. These two aren't as comprehensive in the overall services they provide but they can be inroads for criminals who can't get past freezes at the Big 3. All told, it takes roughly an hour out of your life to lock out the bad guys.

We're at the mercy of data brokers to protect our information. Security freezes offer peace of mind when they fall down on the job.