Tag: Security

Phishing on the Rise: Don’t Fall for it.

I’ve noted a significant rise in the number of phishing and malware attacks I’ve received in the last few weeks. With open source phishing tools like GoPhish available to anyone for free, it’s more important than ever to train your employees and be more diligent about where you go online.

I’ve included two of the most recent messages I’ve received to remind you to be very diligent when you are going through your e-mail.

  1. The fake fax/purchase order – This attack sends an unexpected message that has an interesting title, like “Incoming fax message” or “purchase order” from an unexpected sender.  An example of one of these appears below.

[Screenshot of the fake fax message, captured 2018-11-30]

Note that this message is from a service I’ve never heard from, and the fax number of the sender (+1 659-802-3681) is from an area code that doesn’t exist, and the CSID (fax header) is from Massachusetts.  Also note that the attachment is an HTML file – and it probably has some bad stuff in it.

Lesson: If the message looks odd, verify its validity with the sender.  If you can’t determine the sender, don’t open it.

  2. The portal login – This attack sends a message which purports to be from a portal, but the real objective here is to get you to visit a site you shouldn’t visit and make it look like a legitimate website you use. In the screen capture below, I’m allegedly being sent a PDF file from a CPA firm in Washington State which is a “proposal”. Since I don’t do business with the firm, I have to assume that it’s bogus, and I should ignore it. It’s probably a bogus e-mail, linking to a bogus website, with a malware-laden file awaiting me.

[Screenshot of the fake portal login message, captured 2018-11-30]

This kind of attack is easily perpetrated with free, open source software; I know this because I’ve personally set up the software needed for it in Linux. The application, GoPhish, is designed for security professionals to use when testing their employees, but can also easily be used by fraudsters trying to get access to your e-mail accounts.

[Screenshot of the GoPhish dashboard]

While I didn’t click on the link to the OneDrive site, I fully expect that it would have had malware on it or would have tried to trick me into entering my legitimate username and password on a fake website. There are a number of free tools which will help you set up fake websites in GoPhish, and it is trivial to use this tool to retrieve the credentials entered by victims.
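The two red flags called out above (an HTML attachment from a sender you have never dealt with, and a link whose visible text names one site while it points at another) are both things a mail filter can check mechanically. The following script is an added example, not code from the post or from GoPhish; the two messages it parses are constructed stand-ins for the fax and portal messages, and the `KNOWN_SENDER_DOMAINS` allow-list is an assumed stand-in for the senders a firm actually does business with.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not the messages shown in the post).
FAX_EML = """From: "eFax Service" <noreply@fax-delivery.example>
To: me@myfirm.example
Subject: Incoming fax message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have a new fax from +1 555-010-0100. Open the attachment to view it.
--b1
Content-Type: text/html; name="fax_0012.html"
Content-Disposition: attachment; filename="fax_0012.html"

<html><body>...</body></html>
--b1--
"""

PORTAL_EML = """From: "Smith & Jones CPAs" <docs@sj-cpa-portal.example>
To: me@myfirm.example
Subject: Proposal.pdf shared with you
MIME-Version: 1.0
Content-Type: text/html

<html><body>
<p>A proposal has been shared with you on OneDrive.</p>
<a href="http://onedrive-login.example/auth">https://onedrive.live.com/view?id=123</a>
</body></html>
"""

# Assumed allow-list of domains this firm actually corresponds with.
KNOWN_SENDER_DOMAINS = {"myfirm.example", "client-we-actually-use.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def triage(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender you have never dealt with.
    _, sender = parseaddr(str(msg["From"]))
    domain = sender.rpartition("@")[2].lower()
    if domain not in KNOWN_SENDER_DOMAINS:
        findings.append(f"unknown sender domain: {domain}")

    # 2. HTML attachment (the 'fax' that is really a web page).
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm")):
            findings.append(f"HTML attachment: {name or '(unnamed)'}")

    # 3. Link text that shows one site while the href points at another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        extractor = LinkExtractor()
        extractor.feed(part.get_content())
        for href, text in extractor.links:
            if text.lower().startswith(("http://", "https://")) and host_of(text) != host_of(href):
                findings.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for label, raw in (("fax", FAX_EML), ("portal", PORTAL_EML)):
        print(label, triage(raw))
```

The allow-list check is deliberately crude: a real deployment would feed it from the firm's contact or CRM data, and would treat a non-empty findings list as a reason to quarantine or tag the message rather than to delete it outright.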

The bottom line here is that the bad guys are getting better, and it’s becoming easier than ever for criminals, teenagers, and “script kiddies” to use open source software to gain access to your confidential data.

If you’re interested in training your employees and testing your vulnerability against phishing and other e-mail attacks, the following services offer employee training programs for a reasonable price:

You can also see reviews at the Gartner Group’s website online.


A CPA’s Guide to Address Spectre and Meltdown

There were two major security vulnerabilities announced in January of this year: Spectre and Meltdown.  Both affected, for all intents and purposes, every computer which has been sold in the US in the last 15 years.  Read more:

Original Article

Follow-up Article

What Accountants Need to Know About GDPR

I recently wrote a piece on the European Union’s General Data Protection Regulation (GDPR) for AccountingWeb.com. A link to that piece is here.

It’s Time for Two Factor Authentication, SaaS Vendors. NOW, not later.

You’ve heard about the security issues at a number of organizations in the last few weeks.  Thankfully, there haven’t been any breaches at software companies who serve professional accountants (except maybe for Evernote – although I don’t know that I would put HIPAA or taxpayer data in that service).  One of the important things that is coming out of this is that major software vendors like Evernote and Google are planning to implement a security approach called “Two Factor Authentication”.  While I won’t go into much detail on how it works (although there’s a good Wikipedia article here), the basics are as follows:

Security tokens, like the RSA SecurID, run an algorithm which generates a new six-digit code every minute; that code is used as a one-time password.

There are three basic ways to validate someone’s identity:

  • Something they know (username, password, PIN, etc.)
  • Something they have (cell phone, RSA token, USB key, etc.)
  • Something they are (biometric identification like fingerprinting, face identification, or iris scans).

Historically, we’ve used only one factor of authentication – a username and password – to access most online systems.  While this is adequate for some information types, the sophistication of phishing attacks and other techniques used by the “bad guys” requires a more sophisticated approach to security.  Two factor authentication normally requires users to validate their credentials to two servers – one which controls the username and password, and a second which validates that they have a particular device or item through a one time password.

I’ve used a number of two factor authentication devices in my career, including:

All of the devices worked well, and I still use some of them to authenticate to many services.

One important point is that the use of factors other than passwords (something you know) is not a panacea.  Use of any of the items listed above in lieu of a password doesn’t accomplish anything.  The real benefit comes from using these tools in ADDITION to a username and a password.  Even if a person with bad intent knew your username and password, they would be screened out by the second factor, whether it is biometrics (fingerprint, iris, or face) or a device you have (token, cell phone, smart card, USB key).  Just like high security installations have more than one layer of security, you want the same layers of security verifying that you are really you online.
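The token described above (a six-digit code that changes every minute) and the point that the code only helps in addition to a password can both be shown in a few lines. The following is an added example, not code from the post or from any of the vendors mentioned: it implements the standard HOTP/TOTP one-time-password algorithms (RFC 4226 and RFC 6238) and a login routine that refuses access unless both the password and the current code are right. The 60-second step is an assumption chosen to match the "every minute" description; most authenticator apps use 30 seconds. The user record, password and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60   # assumed to match the post's "new code every minute"
DIGITS = 6
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 time-based one-time password: HOTP over the current time step."""
    return hotp(secret, int(at_time) // step)


def make_user(password: str) -> dict:
    """Constructed user record: salted password hash plus a token secret."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": secrets.token_bytes(20),   # shared with the user's token/app
        "last_counter_used": -1,                  # blocks replay of an accepted code
    }


def verify_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_totp(user: dict, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift),
    and never accept a step that has already been used once."""
    if not (code.isdigit() and len(code) == DIGITS):
        return False
    counter = int(at_time) // STEP_SECONDS
    for c in range(counter - window, counter + window + 1):
        if c <= user["last_counter_used"]:
            continue                                  # replayed or stale code
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            user["last_counter_used"] = c
            return True
    return False


def login(user: dict, password: str, code, at_time: int) -> bool:
    """Both factors are required: something you know AND something you have."""
    if not verify_password(user, password):
        return False                                  # first factor failed
    if not code:
        return False                                  # second factor missing
    return verify_totp(user, code, at_time)


if __name__ == "__main__":
    user = make_user("correct horse")
    now = 1_700_000_000
    code = totp(user["totp_secret"], now)
    print("password only:", login(user, "correct horse", None, now))
    print("code only (wrong password):", login(user, "wrong", code, now))
    print("both factors:", login(user, "correct horse", code, now))
    print("same code again:", login(user, "correct horse", code, now + 5))
```

Note the order of checks in `login`: the password is verified first so that a wrong password never consumes the user's current code, and an accepted code is recorded so that someone who shoulder-surfed or phished it cannot reuse it within the same minute.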

The ugly reality of the accounting profession is that a significant breach would undermine the confidence that others have in the profession, and could send us back to the ‘90s with some technologies used in business today.  It’s hard enough to be a small business in our economy without having to deal with concerns about security of data.

It’s time for two factor authentication with online services, people.  Ask your vendors about their support for it, and look for opportunities to protect your data with these types of authentication regimes.  It’s time for this technology – we can’t wait for some practitioner to lose their house over an online information breach to deal with this significant issue.