Three Lessons from the NFL Draft

It should have been a great night for Laremy Tunsil, the offensive lineman from Ole Miss. He was drafted #13 by the Miami Dolphins in the 2016 NFL Draft.

Unfortunately, his Twitter and Instagram accounts were “hacked”. Looks to me like somebody got access to his iPhone. Three possible lessons from an information security perspective:

  1. Make sure you have a passcode or biometric security on your phone. Nobody should know your code: not your best friend, not your girlfriend, not your kids, maybe your spouse.
  2. Strong, unique passwords and two-factor authentication can prevent somebody who discovers one password (like Twitter) from logging into other accounts (like Instagram). Of course, this doesn’t matter if a mean person has your unlocked phone.
  3. Never post anything to social media unless you’d be happy to see it on the front page of the NY Daily News.

http://www.nydailynews.com/sports/football/laremy-tunsil-twitter-shows-man-smoking-bong-nfl-draft-article-1.2618248

There are lots of other lessons to be gleaned from this incident. I’ll leave that to the sports writers. However, I hope the media shines a spotlight on the system and not just on a kid who accidentally disclosed the realities of high-stakes college athletics.

Two-Factor Auth is Necessary

I just read that Facebook employees can log in to their internal systems with only a username and password. See:

http://www.mirror.co.uk/tech/facebook-hacked-security-researcher-stumbles-7829312

Cyber criminals have so many tools that we need an additional layer of protection. If Facebook can have hackers lurking inside their network for months, what makes you so sure your network is safe?

I’m advising all my clients and companies to enable two-factor authentication on all systems. This and strong, unique passwords give me peace of mind that a compromise of my username and password does not expose me to cascading risks in other systems.

Free Security Training

I just got an announcement from Heimdal Security that they are offering a 7-week, FREE information security course for small businesses. Read more about it here:

Just Launched: Cyber Security for Small Business Owners in Partnership with the London Digital Security Centre

I’ve been following these guys for a while and it seems like they are doing a really good job. I don’t use their products, but the information they provide has been useful.

CryptXXX Ransomware – scary stuff

I’m always watching the boards and blogs for news about new security threats. Today, I read about CryptXXX and it is really scary. This ransomware is transmitted by drive-by download, but look for phishing scams soon.

Here are the highlights: CryptXXX infects your computer, steals information (potentially Bitcoins too), and starts doing industrial-strength encryption of your local files AND mounted network shares.

Recommendations:

  1. Have backups and don’t keep them mounted all the time. It would suck to have both your machine and the backups encrypted by ransomware.
  2. Keep everything patched. Disable Flash if you can stand it.
  3. Use an ad blocker to prevent infection from malvertising.

See more about CryptXXX here:

https://blog.knowbe4.com/scary-new-cryptxxx-ransomware-also-steals-your-bitcoins