8 Steps to Control Cybersecurity Risk in a Work From Home Environment

During the COVID-19 pandemic and response, workers are heading home in record numbers. In this short 23-min. webinar, CI Security CTO Mike Simon covers the the critical work-from-home cybersecurity risks that employees need help with now.


The material is geared toward InfoSec and IT professionals, technical users, and team managers.

Top 8 Work From Home (WFH) Cybersecurity Priorities...
Step 1: Control the WFH Environment
Step 2: Control the WFH Computer
Step 3: Up Your Phishing Game
Step 4: Worry About Sensitive Documents and Regulated Data
Step 5: Watch for Cyber-Threats
Step 6: Expanding VPN
Step 7: Say No to Split-Tunnels
Step 8: Keep Great Records

Spybuster Tip #632: Fortify Your Two-factor Authentication

Two-factor authentication is a must, but don't settle for the SMS version. Use a more secure authenticator app instead.

 The most popular authenticator apps are Google Authenticator and Authy, but password managers 1Password and LastPass offer the service as well, if that helps you streamline. If you're heavy into Microsoft's ecosystem, you might want Microsoft Authenticator. While they all differ somewhat in features, the core functionality is the same no matter which one you use. more

Your Smart TV is Spying on You — How to stop it...

Those smart TVs that sold for unheard of low prices over the holidays come with a catch. The price is super low, but the manufacturers get to monitor what you're watching and report back to third parties, for a fee.

 Or, in some cases, companies like Amazon (with its Fire TV branded sets from Toshiba and Insignia) and TCL, with its branded Roku sets, look to throw those same personalized, targeted ads at you that you get when visiting Facebook and Google.

It doesn't have to be this way. You have the controls to opt out. Within just a few clicks, you can stop the manufacturers from snooping on you in the living room... more and a bonus sing-a-long!

• He tried to stop smart devices spying on him. Here's why he failed. 
  
• Is Your Smart TV Spying on You? Warning From FBI

Spybuster Tip #734: Don't Store Incriminating Photos on Your Android Phone

This time around, a team of security researchers found a terrifying flaw with the Android camera apps that could let malicious apps completely take control over a phone’s camera to spy on users without their knowledge.

It doesn’t take a genius to know that photos and videos can contain extremely sensitive information, and therefore, you should think twice about giving an app permission to use a camera...

Android camera apps often store photos and videos to an SD card, granting an app permission to storage gives it access to the entire contents of that card, according to the researchers. And the truly terrifying thing is that attackers wouldn’t even need to request access to the camera.

To demonstrate the vulnerability, the team at Checkmarx recorded a proof-of-concept video. Using a mockup Weather app, the team was able to not only take photo and video from a Pixel 2 XL and Pixel 3, it also was able to glean GPS data from those photos.


The team was able to detect when the phone was face down and could then remotely direct the rear camera to take photos and video. Another creepy bit is that attackers could potentially enact a “stealth mode,” where camera shutter noises are silenced and after taking photos, return the phone to its lock screen like nothing happened.

But perhaps most disturbingly, the video demonstrates a scenario where attackers could start recording a video while someone was in the middle of call, record two-way audio, and take photos or video of the victim’s surroundings—all without the target knowing. more

The New York Times Reports: "Bugging Epidemic"

With surveillance gear cheaper and easier to use, security experts say checking your environment for cameras and microphones is not a crazy idea...

A growing array of so-called smart surveillance products have made it easy to secretly live-stream or record what other people are saying or doing. Consumer spending on surveillance cameras in the United States will reach $4 billion in 2023, up from $2.1 billion in 2018, according to the technology market research firm Strategy Analytics. Unit sales of consumer surveillance devices are expected to more than double from last year.

The problem is all that gear is not necessarily being used to fight burglars or keep an eye on the dog while she’s home alone. Tiny cameras have been found in places where they shouldn’t be, like Airbnb rentals, public bathrooms and gym locker rooms. So often, in fact, that security experts warn that we are in the throes of a “bugging epidemic.” more

Spybuster Tip #621: Conduct your own sweeps for covert spycams. Learn how.

How People Turn iPhones into Bluetooth Bugs

With iOS 12, Apple added a feature, called Live Listen, which essentially turns your AirPods into on-demand hearing aids. 

There's a bit of setup you'll need to do, but once it's done, you can place your phone on a table closer to the person you're talking to and it will send audio to your AirPods.

On your iPhone go to Settings > Control Center > Customize Controls and tap on the green "+" symbol next to the Hearing option. Then, when you need to use the feature put in your AirPods and open Control Center on your iPhone and select the Hearing icon followed by Live Listen. Turn off the feature by repeating those final steps in Control Center. more

Corporate Espionage Alert: If a person excuses themselves from a business meeting to go to the restroom (or other excuse)... NEVER continue the discussion thinking they won't know. They may be using this trick to listen in to what you are saying. More sage corporate counterespionage advice here.

Why Do CIA Spies Stop at Every Yellow Light?

After spending years in the CIA fighting to prevent nuclear terrorism and other catastrophes, some old habits just will not go away for the ex-spy Amaryllis Fox...

...a former CIA clandestine-service officer and author of the new book "Life Undercover: Coming of Age in the CIA"...

...CIA spies learn to master skills regular people do not, and they stick with you...

...But there is one old habit, she said, that drives her husband a little bit crazy — stopping at every yellow light when she drives. more

5 Cheap Things to Beef Up Your Security
by Rob Kleeger, Digital4nx Group

Here are a few simple things to prevent and keep most of your private information as safe as possible from hacks or negligence.

1. Invest in a Password Manager:  If you are like me, most people can’t remember the login details for the dozens of online services they use, so many people end up using the same password — or some variation of one — everywhere. If you are one of those people, this means that if just one site on which you use your password gets hacked, someone could gain access to all your accounts.
2.  Use a virtual private network (VPN) service: When connected to any internet-connected device, it helps to keep most of your browsing private from your internet service provider; it reduces some online tracking; and it secures your connections when you use public Wi-Fi.
3. Turn on MFA (2FA) on everything: Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person's devices or online accounts because knowing the victim's password alone is not enough to pass the authentication check. Two-factor authentication doesn’t guarantee security, and it is vulnerable to hacking attacks like phishing attempts that spoof a login page.
4. Backup: Have a backup plan. All too often, SMB leadership says they backup, but the backup is saved on the server, which if gets encrypted, serves no purpose...neither does attaching a NAS to the same network. Have a cloud-based or offline based backup plan. Confirm backups run regularly and periodically test those backups to do a full restore. 
5. Don't forget about the paper:  In many ways, people are so focused on cybersecurity, they forget about the basics. Use a cross-cutting paper shredder.  Wirecutter recommends the AmazonBasics 15-Sheet Cross-Cut Shredder for most people, though serious privacy mavens should step up to the AmazonBasics 12-Sheet High-Security Micro-Cut Shredder, which runs a little slower but produces confetti half the size of a cross-cut shredder’s pieces.

Carrie's on-the-Lam Comment via a Leaked Recording

The embattled leader of Hong Kong was caught on a leaked audio recording reportedly saying she would “quit” if she could after causing “unforgivable havoc,” but on Tuesday reiterated that she hasn’t resigned because it would be the easy way out.

In a press conference, Carrie Lam slammed the audio, recorded during a private meeting with a group of businesspeople, saying it was “unacceptable.”

The recording was published Monday by Reuters. In it, she is heard apparently blaming herself for igniting Hong Kong’s political crisis. more

Kevin's Tips for Management

• Assume your discussions are being recorded.
• Before proceeding, ask if they are recording.
• Be professional. If you would not say it in a courtroom, don’t say it.
• Red Flag – When an employee tries to recreate a previous conversation with you.
• Have an independent sweep team conduct periodic due diligence debugging inspections.

Create a Workplace Recording Policy

Spy Tip: How to Break Out of Automated Phone Trees

Tired of Talking to a Voice Robot?
Want to Talk with a Human?
Skip the cue.
Try...

1. Dial O, or try multiple zeros.
2. You can add the # key or the * key before and after a 0.
3. Dial multiples of other numbers 1111, 2222, 3333, 4444, etc.
4. Being silent sometimes works (believe it or not some people still have rotary phones).
5. Speak non-sensible phrases to confuse computer.
6. Try speaking and repeating "Operator" or "Customer Service".
7. If there is a company directory, press just one letter and then try to connect to that person and then may transfer you or give you an inside phone number.
8. Make sure once you get a human, ask for the direct line to call.

 More listings here.

Information Security: Privacy Tips for Business Travelers

The Basics...

• Beware of shoulder surfers. Get one of these.
• Know when to shut your mouth. Don't give strangers any confidential information.
• Use a Virtual Private Network (VPN).
• Change any passwords you used while on your tip.
• Keep your device with you to reduce info-suck opportunities.
• Avoid using public charging stations (unless you have one of these).
•  Read Murray Associates' Guide to Off-Site Meeting Information Security.

Security Director Tips: You Don't Have to be an IT Dude to Protect Your Company Online

The Top 6 things you can do to better than the IT department. (Go ahead. Take back some turf.)

1. Establish a cyber incident response plan.
2. Regularly rehearse the response plan using a range of different scenarios.
3. Monitor and manage the risk posed from the supply chain.
4. Ensure the company understands the terms of their insurance and what is covered.
5. Understand what 'normal' looks like for the business, in terms of application usage, so the company can identify any unfamiliar patterns.
6. Investing in regular training and raising their people's awareness of cyber security. more

FREE - Security Message Screen Savers

Security Message Screen Savers

• Reminders work.
• Put your idle computer screens to work.
• Three backgrounds to choose from, or commission custom screens.
  

Kieffer Ramirez Shares His Favorite Niche Investigations Resources (most are free)

SpyDialer

Cost: Free
Search people via their phone number, name, address, and/or e-mail address by using SpyDialer which contains billions of phone numbers obtained using social media and user-contributed address books.

Concerned about your information showing up on SpyDialer?!?! Check and see. If you appear there, you have the option of deleting your information... anonymously.

The 17 other resources appear here.

Summer Travel - Passport Safety Tips

There is more to protecting it than you think...

by Kevin Coffey, Travel Safety Expert
Your passport is your key to proving citizenship and is the document that the US and other countries use to recognize you and to let you enter the country, therefore you must safeguard this critical document.

Anyone traveling abroad, especially for the first time, should take a few minutes to read up on important passport security tips. more

Travel Security Tip from Smart Mexicans - Dummy Phones & Wallets

Armed robberies have gotten so common aboard buses in Mexico City that commuters have come up with a clever if disheartening solution: Many are buying fake cellphones, to hand over to thieves instead of their real smartphones.

Costing 300 to 500 pesos apiece — the equivalent of $15 to $25 — the "dummies" are sophisticated fakes: They have a startup screen and bodies that are dead ringers for the originals, and inside there is a piece of metal to give the phone the heft of the real article.

There were an average of 70 reported violent muggings every day in Mexico City in the first four months of 2019. About two-thirds were committed against pedestrians, with the rest split almost evenly between bus passengers and assaults on motorists stopped at lights or caught in traffic jams. Between 2017 and 2018, such assaults rose by about 22 percent. more

41 Smartphone Security Tips

How to make a fake mugger's wallet. 

Fake cell phone

Click to enlarge.

Make your fake cell phone look real...

Click to enlarge.

Snapple "Real Fact" #726 – Polar Bears v. Infrared Cameras v. TSCM

I had a Snapple tea the other day and found this "Real Fact" #726 under the cap.

We use infrared cameras in our work, and know how they work. This "Real Fact" struck all of us here as odd. An IR camera would not detect a polar bear because its fur was transparent?!?!

Oxymoron? No, just sensationalism. The mixing of two unrelated facts to manufacture an unexpected outcome designed to surprise... aka Fake News.

The real "Real Fact" reason... 

• Yes, a polar bear's fur is mostly transparent, and hollow too! 
• Yes, IR cameras would have a difficult time detecting a polar bear.

Polar bears live in a cold climate. Retaining body heat is important. Fur and a thick layer of fat provide insulation. Insulation prevents heat from escaping their bodies, and heat is what IR cameras detect.

Insulation is the "Real Fact"
It's not that the fur is mostly transparent, or that polar bears alone have super-powers. IR invisibility is also true for the Arctic fox and other mammals living in cold environments.

The Technical Surveillance Countermeasures field (TSCM) is also riddled with "Real Facts", like inflated bug-find claims, and pervasive laser beam eavesdropping fearmongering.

It always pays to scratch the surface.
Examine the science.
Apply some common sense.
Visit us for the Real Facts about TSCM. ~Kevin

“Son, go for it...I will kick your (expletive) (expletive).” An Extortionogrphy Win

FL - The president of Wichita’s teacher union has lost his defamation lawsuit against the makers of hidden-camera videos that captured him admitting to threatening a student with physical violence. 

A federal judge in Florida ruled against Steve Wentz, president of United Teachers of Wichita, and in favor of Project Veritas in connection to videos that were secretly recorded at a Florida hotel bar and a Panera restaurant in Kansas. Project Veritas describes its work as non-profit journalism that investigates and exposes corruption.

In the video, Wentz describes an episode with a former student in which he asked the student to stay after class, locked the door and pulled the shades down.

“You want to kick my (expletive)? You really think I’m a (expletive)?” Wentz says in the video. “Son, go for it. I’ll give you the first shot. But be sure to finish what you start because if you don’t, I guarantee you, I will kick your (expletive) (expletive).” more 

Corporate Security Alert:
Extortionography can be as devastating as audio eavesdropping, especially when targeted against private sector businesses. 

Tip: Conduct searches for electronic surveillance devices (Technical Surveillance Countermeasures, aka TSCM) on a regular basis. At the very least, have a written Recording in the Workplace Policy in effect.

How to Stop Acoustical Leakage Eavesdropping

Acoustical leakage often occurs even when specific steps are taken to keep conversations private, like closing an office or conference room door. But, as sure as sound wants to migrate, outsiders want to hear...

Aside from structural requirements, walls are built to provide privacy, primarily visual privacy. Little thought is given to privacy from acoustical leakage.

Thin walls and loose fitting doors are the biggest leakers, with open air plenum ceilings and duct work doing their share of leaking as well.

Ideally, acoustical leakage mitigation should be addressed by the architect and installed during the initial construction phase of the building project. Even when they do, a common misconception among contractors is that soundproofing means throwing up another layer of drywall. Wrongo.

Acoustical leakage can be mitigated two ways... more

Spybuster Tip #471 - Block People Who Track You via Email

Ugly Email is a Gmail / Firefox plug-in. When a tracker is detected, it shows the icon of an eyeball in the subject line to alert you that a tracker is hidden inside the email.

Blocked trackers include:

• MailChimp
• SendGrid
• Drip
• Mailgun
• Streak
• Bananatag
• Yesware
• Postmark
• Sidekick
• TinyLetter
• MixMax
• MailTrack
• toutapp
• Litmus
• Boomerang
• ContactMonkey
• Cirrus Insight
• Polymail
• YAMM
• GetResponse
• phpList
• Close.io
• Constant Contact
• Marketo
• Return Path
• Outreach
• Intercom
• Mailjet
• Nethunt

...and Ulgy Email is soliciting suggestions for other email spies to add to the list. Ugly Email claims it does not store, transfer, transmit or save any of your data.