Thursday, April 7, 2011

We live in interesting (security) times

You will all recognize this as the ancient Chinese curse.

Blogbrother PISSED emails about a serious (successful) attack (traveling now, so no link; the following was from the story he excerpted):
Most of you have probably already been receiving apology emails from banks, hotels, airlines, etc. regarding this security breach. Epsilon Data Management LLC, used by many large companies (JP Morgan, Best Buy, Target, TiVo, Verizon, etc.) to manage their marketing campaigns, admitted that hackers had accessed names and email addresses stored on their systems for these companies.


So there's a reasonable chance that Bad Guys have your email addresses. There are reports that people are being targeted by malware-laden SPAM.

I think we're at a historical inflection point, where people are realizing that cyber attack pays, and high value targets attract the smart Bad Guys.

Whether it's a database of marketing emails, or the secrets of two-factor authentication, or uranium enrichment factories, it's now clear that the attackers have the upper hand.

I'll post more on this when I have time (probably in a couple days), but in the meantime here is my recommendation to you:

1. Don't open email attachments, unless you're VERY sure that you know the sender, and you know the sender meant to send it to you.

2. Turn off HTML email. I'm not sure you can't be attacked by a pure text email, but it's a cold stone fact that you can be attacked via HTML email.

3. Update Adobe Reader. This is now perhaps the most popular target for malware. Traveling now and hard to get specific links, but this is a good place to start.

Interesting times.

8 comments:

libertyman said...

Once again, sir, your timely and sage advice is promptly taken. Thus my Mac muzzle is kept clean!

BS Footprint said...

As, if not more, important than disabling HTML mail: stop using Microsoft Outlook Express (Windows XP and earlier) or Windows Mail (in Vista/Win7). Switch to Mozilla Thunderbird or just about anything else. Please.

(The above public service announcement assumes that the viewer, like most users, is still using a Microsoft Windows OS. Those using Mac OSX or Linux or whatever else, please ignore.)

BS Footprint said...

4. Update Adobe Flash Player. It's notorious for its security holes.

5. Regarding #3: Consider switching from Adobe Reader to an alternative reader (I use Foxit Reader). Why switch? Because malware usually targets the most popular operating systems and applications, and the exploits probably won't affect the alternative software. I suppose it's a form of 'security through obscurity', but it has an added benefit of reducing bloat--Adobe Reader is a bloated mess these days.

Broken Andy said...

Honestly, I don't care what OS platform and mail reader you have, the training should be to never, ever click on a link in any unsolicited email, even if you have a business relationship with the purported sender.

Also, if you have to get a link out of some email, convert the email to text/plain before doing a cut&paste.

And if you write server software that sends email, send the email in text/plain and not HTML. If your marketing department suggests ask that their VP and senior staff be made to work all weekends and evening hours you will be working when, not if but when, the shit hits the fan.
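An added example, not part of the original post or of any comment: recommendation 2 above and the "convert the email to text/plain" advice both come down to seeing where a link really points. This Python sketch renders an HTML message as plain text with every link target written out, and lists links whose visible text names a different host. The sample message, its placeholder domains and the helper names are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; example.com / example.net are placeholder domains.
SAMPLE = """\
From: "Your Bank" <news@example.com>
To: you@example.org
Subject: Important account notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please verify your account at
<a href="http://login.example.net/verify">http://www.example.com/account</a>.</p>
<p><a href="http://www.example.com/help">Help</a></p></body></html>
"""

class LinkRevealer(HTMLParser):
    """Collect visible text, writing each link's real target after its anchor text."""
    def __init__(self):
        super().__init__()
        self.out, self.links, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.out.append(data)
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.out.append(f" <{self._href}>")
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host(url):
    # Hostname of a URL, or "" when the string is not a URL with a scheme.
    return (urlparse(url).hostname or "").lower()

def to_plain_text(raw):
    """Return (plain_text, mismatches) for a raw RFC 5322 message string."""
    body = message_from_string(raw, policy=default).get_body(("html", "plain"))
    if body is None:                      # no text part at all
        return "", []
    parser = LinkRevealer()
    parser.feed(body.get_content())
    parser.close()
    text = " ".join("".join(parser.out).split())
    # Only anchor text that is itself a full URL can be compared by host.
    bad = [(s, h) for s, h in parser.links if host(s) and host(s) != host(h)]
    return text, bad
```

Calling `to_plain_text(SAMPLE)` returns the flattened text plus one mismatch: the link displayed as www.example.com actually points at login.example.net.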

The Czar of Muscovy said...

It's actually an American curse. There is no Chinese equivalent saying, ancient or modern.

Just saying.

Six said...

Amen. My e-mail got hacked recently and it was unpleasant. I should have been listening to you all along. I promise to do better and listen to the man in the future!

HankH said...

Thanks very much for the heads up. How do you turn off HTML email?

Thanks
HankH

Aaron C. de Bruyn said...

Bah! Open attachments brazenly. Browse dark corners of the web without fear. Insert random media from friends into your machine.

...but only if you run Linux. ;)