Credit Union Geek

Marketing, Strategy, and The Force by Joe Winn

Tag: computer security

Ransomware. What is it and should you be concerned?

If you’ve been keeping an eye on cybersecurity or computer safety news lately, there is a good chance the term ransomware has crossed your vision. So we’ve got phishing (not the band), malware, viruses, worms, and now ransomware?

First, the primer: Ransomware is a form of malware, which in some circles is also considered a virus. Still confused? So am I.

Primer, even more basic version: Ransomware locks your computer unless you pay some bad guy.

Less basic primer: Ransomware is computer code which, once on your system, makes it so that you can’t access any of your files. The creator gives you an option to get the key, or program to unlock all your files, for a fee. This fee goes up the longer you wait, making it no less than a ransom demand. Hence, malware which asks for a ransom: Ransomware.

Who would do such a thing? There’s always people looking to cause mayhem and make a buck as a result. Some of them also happen to be skilled in computer programming. Sure, they’d serve the world better by designing code to help reduce poverty or hunger, but, crime is often easier.

Are you vulnerable to ransomware? Yes. Any computer, which, in a chain of connections, has a link to the Internet, can be infected. Yeah, it can spread from one computer to another in your network on its own. Then it deletes your backups. Even having all security updates installed isn’t enough (Macs tend to block them within 24 hours of discovery). Is no one safe?

How do you get ransomware? One of the more common ways is through an “evil” Word document. You think it’s an executive letter, invoice, or timetable, and you open the e-mail attachment. For you to get infected, Word then prompts that the file has a macro and asks if you’d like to run it. You, thinking it’s an essential aspect of the file, say yes (It bothers me that Office programs don’t display the file before this prompt). And your day just got really bad. Even NAFCU is warning credit unions about this infection strategy.

What can you do to avoid ransomware? The old computer security strategies hold true:

  • Don’t open e-mails from addresses you don’t recognize. If you do, definitely don’t open attachments in those messages. Also, ensure that HTML content isn’t set to automatically load when reading the message (Steps for Outlook 2010/2013, OS X MailiOS Mail).
  • When opening Office documents from those you know, always defer to No if it asks to run macros. If the file seems to need it, ask the sender to confirm.
  • If an e-mail file extension isn’t what you think it should be (JPG, PNG, GIF, PSD for images, as an example), ask the sender to confirm.
  • Ensure all computers within your workplace are current in security updates. And not just for the operating system, but software programs installed, too.
  • Avoid visiting questionable websites, but if you must, use an archaic computer (too old to be infected) or an obscure operating system (ie. BeOS).
    • On second thought, just avoid the suspicious sites. You can also check a reputation monitoring service like Web of Trust prior to visiting.
  • Be extremely careful when using USB drives to transfer data to more secure (ie. non-connected or connected with member data) computers.
  • Train your staff on computer safety…regularly. We can all get fooled. You know those, “A lost Saudi prince wants to share their $400,000,000 with you” e-mails? You still get them because people still fall for them.
  • If your password is “password” or “12345”, change it right now. I’ll wait.
  • Use common sense. If something seems off, your instincts are probably right.

As mentioned in the above article, one ransomware developer brought in a confirmed $45,000 after only 3 weeks of infections. It’s big business and is only going to grow further. Knowledge is power and sharing this information with your members can help them avoid costly headaches as well.

Image credit: http://hackwhiz.com/wp-content/uploads/2014/08/encryption-img.png

How can I tell if my car has been hacked?

  • When you drive, does your GPS talk back with more attitude than normal?
  • Do you find your car going on late-night ice cream runs?
  • Has your car strangled you or your family? More than once?
  • Will your car refuse to perform rolling stops or turn right on red?

If you can say “yes” to any of these, then your car may be hacked. But don’t panic! It’s equally likely your car has just been possessed by a hungry ghost.

We are all acclimated to the security risks on our computers and phones; you update often, avoid sketchy websites, and don’t download questionable software. However, the king of the open road has never dealt with these challenges. Our cars were a sanctuary. The only risk was of being involved in one of 10.8 million accidents per year. But hacking? Leave that to the computers!

Today, your car is a computer as well. In fact, it’s more computer than your computer. Besides the OBD2 service plug under your dashboard, it is a veritable treasure trove of calculating machines. Anti-lock brakes, stability control, airbags, roll compensation, variable headlights, lane guidance, and more all run computations hundreds of times per second. Not to mention the entertainment systems which are more tightly integrated into car operations each year.

News stories describing vehicle hacking sensationalize the event, making it difficult to know whether the problem uncovered is a true risk. Perhaps, then, we cannot blame people for being afraid of their next car being the victim of hackers. A recent survey conducted by Kelley Blue Book put numbers to the suspicions. Of note, nearly half (41%) would consider vehicle security provisions during their next purchase. Over half (58%) felt a permanent solution to the problem will never be found.

That group is correct. If computer code is more complex than “Hello, world!”, it has bugs. Just as your body has a variety of protections against sickness, from skin to an immune system, sometimes both our bodies’ and our computers’ code gets “colds”. The concern is in severity. A small rash might be an inconvenience, but the flu can put you out of commission for days. Same too with the computer. If the bug is serious enough, and a hacker (like a virus) can infect deeply into the system, then the system can be taken over.

The key to ensuring car hacking does not become a safety issue is in the ability to get fixes to the vehicles. Tesla designed their Model S (and all future vehicles) with a wireless update capability, much like your phone. When it’s plugged in and charging, it checks for updates, which can fix security and stability bugs, as well as add new features. Your next drive is then more secure. The Jeep Cherokee you heard was hacked (luckily by good guys) has no such feature, and must either be driven to a dealership or manually updated with a USB drive.

Luckily for Chrysler, people don’t yet see their cars as they do their phones. From a technical standpoint, they’re the same; Internet-connected devices that you depend upon to just work. In the aforementioned survey, 64% would elect to drive to a dealership for a security update to be installed. Would you drive to the Apple Store, wait in line, then wander around the mall for an hour while the latest update is set up on your phone? Of course not. You’d demand better. It’s only a matter of time until this migrates to cars.

Your credit union (you didn’t think I’d get to you, but I did!) has strong security features in place. Your members’ personal and financial information must never fall into the wrong hands, or any other hands, for that matter. But vulnerabilities exist and there are always those looking to exploit for their own ends. Does your IT team ensure both technical problems and human error cannot compromise your core LOS? What about your members? If your last security notice to them was a red bar on your website, they didn’t understand. In the same way you provide financial literacy education, help your members keep a safer digital life. Share the procedures in place at your own branches…does anyone use “password” as their password?

In today’s always-connected society, you are likely the most security-conscious entity your members directly encounter in their daily life. Help them be as great as you at conducting safe online practices. Consider yourself the wireless updates for your members’ security features.

But watch out for that moody GPS. Your delightful British accent isn’t fooling anyone!

Update: Another report has surfaced that the OBD2 port mentioned above connects to an inherently insecure platform, the CAN bus. It’s ok, it’s only on every car made in the last 20 years. However, devices that give the port wireless capabilities, like OnStar or insurance monitoring attachments, put your vehicle more at risk. Me? I’m keeping that port empty, especially given all the self-driving systems on my car. 

Image credit: http://blogthinkbig.com/wp-content/uploads/2014/01/hackers-new-cars1-620×413.jpg

© 2017 Credit Union Geek

Theme by Anders NorenUp ↑