Weekly Security Roundup with Clinton Pownall

By Clinton Pownall
 President & CEO
 Computer Business

New Job for the New Year? Try Ethical Hacking. I’m always telling people interested in working within the computer industry to consider going into IT security, as demand here should be growing far into the future. CSO Online recently ran an excellent article about a growing subspecialty within IT security: Ethical Hacking. Companies will pay big money for ethical hackers to attempt to penetrate their applications or other elements of their IT infrastructure. This allows them to identify potential soft spots and fix them, before they can be exploited. The article mentions notorious former hacker Kevin Mitnick (now working as an ethical hacker) as saying that “He gets the exact same emotional thrill out of being paid to legally break into places as he did for all those years of illegal hacking.” And as a bonus, he no longer has to worry about being arrested. The article provides an excellent guide to ethical hacking classes and certification programs.

U.S. Government Agencies Warn of COVID-19 Fraud Schemes. With COVID-19 vaccines shipping, some U.S. government agencies are warning consumers against a host of vaccine-related scams. The Federal Bureau of Investigation (FBI), Department of Health and Human Services Office of Inspector General (HHS-OIG), and Centers for Medicare & Medicaid Services (CMS) are warning the public about several emerging fraud schemes related to COVID19 vaccines. The key point is: Beware of emails, social media sites, online ads, phone calls or other venues (electronic or otherwise) offering you a shortcut to getting a COVID-19 vaccine. Bad actors will be phishing for personally identifiable information (which they can use to perpetuate additional frauds) as well as seeking your money for goods that will never be delivered—or (even worse) delivering bogus ingredients masking as vaccine. Remember that anyone can grab an FDA logo and make it look like a seal of approval.  The notice also warns against social engineering, such as: “Unsolicited emails, telephone calls, or personal contact from someone claiming to be from a medical office, insurance company, or COVID-19 vaccine center requesting personal and/or medical information to determine recipients’ eligibility to participate in clinical vaccine trials or obtain the vaccine.”

Beware of Google’s Top Finds. “One in ten shopping ads promoted on Google potentially lead to phishing sites,” according to headline in a CyberNews. The publication conducted a study looking at the legitimacy of sites that pay Google to be placed in the top rankings. The article notes: “When you search for something on Google, certain results will be shown in top positions organically because their content is considered relevant or useful. Other results, however, will surface to the top as ads because an advertiser has paid Google to promote them. Unfortunately, not all Google ads are created by legitimate advertisers. Some are made by cybercriminals. Such ads will lead users to malicious phishing websites where they can be tricked into buying counterfeit or unsafe products, fall victim to financial scams, or worse.” The article explains the methodology used by CyberNews in detecting potentially unsafe websites, and takes Google to task for not doing a better job of screening its advertisers.

Bringing AI into Security. Some much appreciated optimism can be found in a recent VentureBeat article titled “What enterprise CISOs need to know about AI and cybersecurity.” The article points to the complexity of defending IT infrastructure with so many points of potential attack, and notes: “That complexity is why AI technologies such as deep learning and machine learning have emerged as game-changing defensive weapons in the enterprise’s arsenal over the past three years. There is no other technology that can keep up. It has the ability to rapidly analyze billions of data points, and glean patterns to help a company act intelligently and instantaneously to neutralize many potential threats.” While bad actors can also make use of AI, the article describes how the human element combined with AI can provide a more robust approach to defending IT resources.

Good News: Police Arrest 21 in the UK for Purchasing Stolen Data.  In the past we’ve noted that one of the tactics of ransomware attackers is to threaten to post stolen data onto the dark web where it can be purchased by other bad actors. So it was good to read about recent arrests in the UK, as investigators track down customers of a now-closed site “WeLeakInfo” that allowed bad actors to pay for access to stolen data. The Hacker News reports: “Launched in 2017, the service provided its users a search engine to access the personal information illegally obtained from over 10,000 data breaches and containing over 12 billion indexed stolen credentials, including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts. On top of that, WeLeakInfo offered subscription plans, allowing unlimited searches and access to the results of these data breaches during the subscription period that lasted anywhere from one day ($2), one week ($7), one month ($25), or three months ($70).”  

Using Puppies for Fraud. How low can a fraudster go? How about using cuddly photos of puppies for bait, along with phony letters from phony happy “customers.” Threatpost carries a story “Holiday Puppy Swindle Has Consumers Howling,” about fake online pet stores that ask for non-refundable deposits for non-existent puppies. As if that weren’t bad enough, the bad actors continue to milk their victims for shipping fees, and false documents requesting fees for COVID-19 quarantining, and on and on. The article quotes an FBI special agent in Pittsburgh as saying: “Unfortunately, the pandemic has created the perfect condition for unscrupulous pet sellers to thrive. This suspect exploited this website to sell puppies and capitalized on people looking for companion animals online during this difficult time.”

Clinton A. Pownall is the President & CEO of Computer Business Consultants and has been in the IT field since 1990. Pownall served in the U.S. Navy for six years as a Weapons Systems Technician and has a Bachelor of Science in Computer Engineering. Through Computer Business, he was one of the first to pioneer VoIP technology using satellite communications. Pownall serves on several boards and committees and has a strong affiliation with various education groups, local school districts, and served in regional efforts of the Bill & Melinda Gates NextGen Foundation. He serves as a Vice President of the Board of Director for the Orlando Shakes Theater and is heavily involved in the South Lake Chamber of Commerce, West Orange Chamber of Commerce, and the Orlando Economic Partnership.