Friday, October 6, 2017
@securityguy23:
If you're only listening to respond and not to comprehend -- you're missing (at least) half of the conversation. . .
Thursday, October 5, 2017
Thursday, September 28, 2017
@securityguy23:
The best way to gauge the effectiveness of an organization's approach to risk management and response all too often comes down to three simple canary questions:
1) When the building caught fire, why did they respond by pointing the hose at the parking lot?
2) Were they surprised when the building still burned down?
3) Did they learn from the mistake and change the approach before somebody brought in the next box of matches?
1) When the building caught fire, why did they respond by pointing the hose at the parking lot?
2) Were they surprised when the building still burned down?
3) Did they learn from the mistake and change the approach before somebody brought in the next box of matches?
Friday, August 11, 2017
@securityguy23:
Now Heptaconta Certified with Certified Information Privacy Professional / Canada (CIPP/C) Goodness. . .
Thursday, August 3, 2017
@securityguy23:
Monitoring is vastly different than just logging.
And if you're doing only the latter despite claiming the former -- you've neither got security, nor a remotely defensible position when the auditors and lawyers come-a calling. . .
And if you're doing only the latter despite claiming the former -- you've neither got security, nor a remotely defensible position when the auditors and lawyers come-a calling. . .
Tuesday, August 1, 2017
Monday, July 31, 2017
No, I Do Not Have a FedEx Package Pending Delivery
Had my new office line for only 245 days, and usually don't have a reason to give it out since I just use the cel for convenience. . .
But still got tagged by the FedEx Delivery Scam today on the office line this morning claiming that [I] "had a package ready to be delivered to [Our Seattle Corporate Address] and needed to confirm delivery information".
Specific flags:
1) FedEx doesn't do this
2) Foreign accent with broken english on unsolicited call
3) Caller ID popped up a Sri Lanka phone number (+94 90161370) (I assume is bogus)
4) Call logs show it was forwarded out of a San Jose, California number (1-408-907-1818) (Marked as unsafe/spam call in online searching)
5) When I asked for the tracking number, they gave me a 10 digit number (FedEx Track numbers are 12 or 14 digits)
6) When I asked for the sender info, they said it was a bank (could not understand the name due to accent)
7) Said details would be in the email they would send me
8) When I asked for a call back number, they said I could go by my local FedEx Office
Good times
But still got tagged by the FedEx Delivery Scam today on the office line this morning claiming that [I] "had a package ready to be delivered to [Our Seattle Corporate Address] and needed to confirm delivery information".
Specific flags:
1) FedEx doesn't do this
2) Foreign accent with broken english on unsolicited call
3) Caller ID popped up a Sri Lanka phone number (+94 90161370) (I assume is bogus)
4) Call logs show it was forwarded out of a San Jose, California number (1-408-907-1818) (Marked as unsafe/spam call in online searching)
5) When I asked for the tracking number, they gave me a 10 digit number (FedEx Track numbers are 12 or 14 digits)
6) When I asked for the sender info, they said it was a bank (could not understand the name due to accent)
7) Said details would be in the email they would send me
8) When I asked for a call back number, they said I could go by my local FedEx Office
Good times
Friday, July 14, 2017
@securityguy23:
Now Nonahexaconta Certified with GIAC Advanced Smartphone Forensics (GASF) Goodness. . .
Monday, April 24, 2017
@securityguy23:
Back from Paternity Leave -- returning to regularly scheduled programming, already in progress. . .
Wednesday, March 8, 2017
A Teachable Moment about Usernames, Passwords, Whiteboards, and Live Television
(Update 6:25P)
The later live shot went out of their way to not show the section of the whiteboard with the usernames and passwords. What was shown had the wifi password erased clean without any after image.
Good on them.
Bad security to have the info posted in the first place.
But the Organization reacted quickly to minimize the security incident. That's the right next move to be sure.
Hopefully, they are also (at a minimum):
1) Immediately changing all the affected passwords to new complex equivalents (while masked in my screenshot, the original passwords did not appear to follow such standards)
2) Establish/maintain a formal policy prohibiting the sharing of usernames and passwords in open mediums (post-it notes, whiteboards, etc)
3) Require unique usernames and passwords be assigned and used by all authorized individuals (as activity on shared accounts cannot be tracked/monitored without repudiation to a specific offender)
4) Establish/maintain a password expiration mechanism that forces all users to reset their passwords every 60-90 days (at a maximum)
5) Codify mandatory username and password lifecycle management requirements and limitations within a formal Access Control Policy (if it hasn't already been)
6) Include username and password requirements and limitations within Awareness Training and Acceptable Use Policy (AUP) provided to all organization stakeholders
Bonus points if they are also (at a minimum):
7) Creating new accounts replacing those which were wrongly shown to the live tv audience
8) Disabling and removing all assigned privileges from the existing now replaced accounts (including any remote access abilities)
9) (Regardless of points 6 and 7 are followed) Monitoring all accounts, both the newly established and the replaced disabled, for any misuse attempts
10) Establish/maintain a policy which reviews an internal/restricted area for confidential information -- removing/masking any identified -- prior to being accessible by the public (whether onsite, via a recorded video, or during a live TV shot)
(Original Post 4:38P)
Clearly no nefarious act here with the company or the news station. . . but. . .
If you're going to let a local news crew into your office to do a live shot praising your service - please remember to remove your admin and wifi passwords from the whiteboard in the background.
Or just don't put them there to begin with. That's a far better plan.
And also please only use complex passwords and accounts tied to an individual user so the activity can be fully tracked.
So much badness here. Not good times.
The later live shot went out of their way to not show the section of the whiteboard with the usernames and passwords. What was shown had the wifi password erased clean without any after image.
Good on them.
Bad security to have the info posted in the first place.
But the Organization reacted quickly to minimize the security incident. That's the right next move to be sure.
Hopefully, they are also (at a minimum):
1) Immediately changing all the affected passwords to new complex equivalents (while masked in my screenshot, the original passwords did not appear to follow such standards)
2) Establish/maintain a formal policy prohibiting the sharing of usernames and passwords in open mediums (post-it notes, whiteboards, etc)
3) Require unique usernames and passwords be assigned and used by all authorized individuals (as activity on shared accounts cannot be tracked/monitored without repudiation to a specific offender)
4) Establish/maintain a password expiration mechanism that forces all users to reset their passwords every 60-90 days (at a maximum)
5) Codify mandatory username and password lifecycle management requirements and limitations within a formal Access Control Policy (if it hasn't already been)
6) Include username and password requirements and limitations within Awareness Training and Acceptable Use Policy (AUP) provided to all organization stakeholders
Bonus points if they are also (at a minimum):
7) Creating new accounts replacing those which were wrongly shown to the live tv audience
8) Disabling and removing all assigned privileges from the existing now replaced accounts (including any remote access abilities)
9) (Regardless of points 6 and 7 are followed) Monitoring all accounts, both the newly established and the replaced disabled, for any misuse attempts
10) Establish/maintain a policy which reviews an internal/restricted area for confidential information -- removing/masking any identified -- prior to being accessible by the public (whether onsite, via a recorded video, or during a live TV shot)
(Original Post 4:38P)
Clearly no nefarious act here with the company or the news station. . . but. . .
If you're going to let a local news crew into your office to do a live shot praising your service - please remember to remove your admin and wifi passwords from the whiteboard in the background.
Or just don't put them there to begin with. That's a far better plan.
And also please only use complex passwords and accounts tied to an individual user so the activity can be fully tracked.
So much badness here. Not good times.
Wednesday, February 15, 2017
@securityguy23:
Gotten more email asking if I'm at RSA this year than I ever recall before. . . Wondering if I'm missing something really good. Like free puppy giveaway good.
For the record, if anybody I know is there *and* they're giving away puppies, please feel free to take mine and give him/her a good home. I ask only that you name them 'Puddles' and treat them with a kind playful heart (even if they live up to their moniker).
For the record, if anybody I know is there *and* they're giving away puppies, please feel free to take mine and give him/her a good home. I ask only that you name them 'Puddles' and treat them with a kind playful heart (even if they live up to their moniker).
Tuesday, January 17, 2017
Sunday, January 1, 2017
@securityguy23:
Now a member of the International Association of Privacy Professionals (IAPP) Advisory Board for CIPT Exam Development. . .
Monday, December 19, 2016
@christoperj:
Back from team meetings in Seattle -- returning to regularly scheduled programming, already in progress. . .
Sunday, November 20, 2016
Yes, I Have In Fact Resigned from SHI. . .
Just a quick post to address some rumors, now that I'm back from closing out my final services project.
I am leaving SHI at the end of November to pursue a Security Services role with Avanade. This decision was made several weeks ago. Kept quiet only as so it would not be distracting to a handful of open customer facing engagements. But it is official.
When I started all those days, months, and years ago, I was very excited for the opportunity to contribute to the SHI Security Practice and what the team was trying to do. My role was intended to be that of DLP pre- and post-sales delivery architect. A position, admittedly, I was never able to actually do given various marketspace realities mixed with the inherent internal challenges typical of any Organization.
But those hurdles made the position, in fact, better. A well diverse team of Security Peers along with frequent pivots in direction allowed me to evolve my skillsets. Kept me interested. Kept me busy. Kept me growing. Made me a far more seasoned security and privacy nerd leaving the building than thought I would ever be when I came in. For that I am deeply thankful.
This moment, this day, however, it's time to move on to something different. My new Avanade role is that. With my new team, I'll be focused on aiding sales and pre-sales efforts regarding all things security. I'll be collaborating with customers and internal sales teams to help craft security services messaging, proposal responses, and deal solutioning of enterprise engagements. And all in all, just being a 'trusted advisor' to whoever has a security and privacy challenge, question, or concern.
I've never ever wanted to be the smartest guy in any building. Just be a member of a smart team doing smart security. And I will continue to enjoy that benefit in my new role.
It's also important to note I neither went looking for this opening nor made my decision in response to any particular circumstance or frustration. Avanade approached me directly, and I responded in courtesy. We talked in depth about their goals and vision. And as we did, it became very apparent very quickly this was something I needed to give serious consideration.
The rest is what it is. And I feel as I am leaving SHI in the positive way I always intended.
As always, if you want to keep in touch – I would welcome it.
The best way to do it (other than email) is via Facebook or LinkedIn depending on your pleasure. I still like to keep things simple, so the below links will forward to the full profile pages.
For Facebook – www.facebook.com/christoperj
For LinkedIn – www.linkedin.com/in/securityguy23
I’m elsewhere, too if you want to find me on other sites – but primarily in these. (Everyplace else simply syncs the info down in one way or another).
My cel phone number will also remain the same if you care to call or text.
For those waiting for LinkedIn Recommendations -- I know I’m behind in pending requests. Sorry. Time continues to be getting away from me the last few weeks as I work towards the smooth turnover of everything. I’ll be catching up on those queued in the next few days through the holiday week and next month once I get settled into my new role. If you want to be added to the list, just send me a request through the site. And if you want to submit one for me, I certainly won’t complain.
If you have any questions, please do not hesitate to contact me directly. All updates will also be posted out here @ www.christoperj.com
Goodbye and take care
I am leaving SHI at the end of November to pursue a Security Services role with Avanade. This decision was made several weeks ago. Kept quiet only as so it would not be distracting to a handful of open customer facing engagements. But it is official.
When I started all those days, months, and years ago, I was very excited for the opportunity to contribute to the SHI Security Practice and what the team was trying to do. My role was intended to be that of DLP pre- and post-sales delivery architect. A position, admittedly, I was never able to actually do given various marketspace realities mixed with the inherent internal challenges typical of any Organization.
But those hurdles made the position, in fact, better. A well diverse team of Security Peers along with frequent pivots in direction allowed me to evolve my skillsets. Kept me interested. Kept me busy. Kept me growing. Made me a far more seasoned security and privacy nerd leaving the building than thought I would ever be when I came in. For that I am deeply thankful.
This moment, this day, however, it's time to move on to something different. My new Avanade role is that. With my new team, I'll be focused on aiding sales and pre-sales efforts regarding all things security. I'll be collaborating with customers and internal sales teams to help craft security services messaging, proposal responses, and deal solutioning of enterprise engagements. And all in all, just being a 'trusted advisor' to whoever has a security and privacy challenge, question, or concern.
I've never ever wanted to be the smartest guy in any building. Just be a member of a smart team doing smart security. And I will continue to enjoy that benefit in my new role.
It's also important to note I neither went looking for this opening nor made my decision in response to any particular circumstance or frustration. Avanade approached me directly, and I responded in courtesy. We talked in depth about their goals and vision. And as we did, it became very apparent very quickly this was something I needed to give serious consideration.
The rest is what it is. And I feel as I am leaving SHI in the positive way I always intended.
As always, if you want to keep in touch – I would welcome it.
The best way to do it (other than email) is via Facebook or LinkedIn depending on your pleasure. I still like to keep things simple, so the below links will forward to the full profile pages.
For Facebook – www.facebook.com/christoperj
For LinkedIn – www.linkedin.com/in/securityguy23
I’m elsewhere, too if you want to find me on other sites – but primarily in these. (Everyplace else simply syncs the info down in one way or another).
My cel phone number will also remain the same if you care to call or text.
For those waiting for LinkedIn Recommendations -- I know I’m behind in pending requests. Sorry. Time continues to be getting away from me the last few weeks as I work towards the smooth turnover of everything. I’ll be catching up on those queued in the next few days through the holiday week and next month once I get settled into my new role. If you want to be added to the list, just send me a request through the site. And if you want to submit one for me, I certainly won’t complain.
If you have any questions, please do not hesitate to contact me directly. All updates will also be posted out here @ www.christoperj.com
Goodbye and take care
@securityguy23:
Back from Arkansas, presenting HIPAA security program and policy remediation recommendations on my final SHI customer engagement -- returning to regularly scheduled programming, already in progress. . .
Wednesday, November 9, 2016
@securityguy23:
(To the random support team I just spoke with)
I appreciate your quick service when I had to call in so you could manually make the needed minor tweak.
But claiming that my call in was necessary 'for security reasons' in one breath -- while not doing anything to remotely validate my identity before executing this account impacting change -- you're very much doing it oh so wrong.
I appreciate your quick service when I had to call in so you could manually make the needed minor tweak.
But claiming that my call in was necessary 'for security reasons' in one breath -- while not doing anything to remotely validate my identity before executing this account impacting change -- you're very much doing it oh so wrong.
Thursday, September 29, 2016
[UPDATED] No, Microsoft Will Not Call You Direct to Offer a Refund for Anything
Update -- September 30th
The scammer called back a few moments ago from a "Private Number"
Picked up the phone without saying anything and heard him speaking (what sounded like, but I'm not sure) Hindi or some other Indian region language to somebody in the background.
He started out without saying hello, but just jumping again claiming that he was the "Microsoft Helpdesk" and that he "sent me an email yesterday about the refund".
I asked him what email he sent it to as I have received nothing. He said marcinko@aol.com -- which might be a legitimate email, but not one of mine. Weirdly, he seemed perplexed about my response, pausing and fumbling through a couple of words I couldn't understand.
I then noted that I tried to call him back at the number he gave me, but the people who answered didn't know anything about what he was talking about. And then he hung up on me without any other comment.
Still expect better customer service from my scammers. . .
Original Post -- September 29th
Got a call from somebody claiming they are Microsoft helpdesk -- typical scam
New derivative though, this guy wasn't claiming the usual "your machine is infected with a virus" or otherwise was "reporting errors and logs" and what not. He was instead claiming that I was due a refund for Microsoft Support for which I had previously paid. And that all I needed to do was 'register' it on some internet website he wanted me to login to.
At that point, I said I wasn't anywhere near my PC and asked if there was a number I could call him back at in 20 minutes. He gave one, then said he would call me back in twenty, and then hung up without saying goodbye.
I expect better customer service from my scammers.
Whatever the case, there's a new/old game in town.
Call Info:
That call back number does work, but when calling it direct it answers with an automated voice:
That inbound message in itself seems very shady to me. Doesn't identify itself in any regard. Message seems designed to be to be overly vague/cheap/fly-by-night. Just enough to answer the call. But also flexible enough to be changed at a moment's notice when needed to avoid a negative reputation or legal inquiry.
I donno.
Spoke to somebody on the other end, and after they asked for my zip code -- they said they were an inbound call center run by a company named Alorica.
When I asked why they needed my zip code, they gave me a vague doubletalk response. Explained that I got this number from somebody who called me, and the person on the other end said that they didn't have any information about that. She hung up on me after I asked her to spell her company's name to make sure I got it.
Called back, got somebody else. Told them that somebody had called me and tried to claim they were working for Microsoft -- and also claiming that they were from this number.
While she was much more polite, she also said that they didn't make outbound phone calls. And within the product/company list she had in her system, Microsoft was not listed. I got the sense she had also not heard of the "Microsoft" scam. And she wasn't able to give any additional info.
So recapping:
Good times
The scammer called back a few moments ago from a "Private Number"
Picked up the phone without saying anything and heard him speaking (what sounded like, but I'm not sure) Hindi or some other Indian region language to somebody in the background.
He started out without saying hello, but just jumping again claiming that he was the "Microsoft Helpdesk" and that he "sent me an email yesterday about the refund".
I asked him what email he sent it to as I have received nothing. He said marcinko@aol.com -- which might be a legitimate email, but not one of mine. Weirdly, he seemed perplexed about my response, pausing and fumbling through a couple of words I couldn't understand.
I then noted that I tried to call him back at the number he gave me, but the people who answered didn't know anything about what he was talking about. And then he hung up on me without any other comment.
Still expect better customer service from my scammers. . .
Original Post -- September 29th
Got a call from somebody claiming they are Microsoft helpdesk -- typical scam
New derivative though, this guy wasn't claiming the usual "your machine is infected with a virus" or otherwise was "reporting errors and logs" and what not. He was instead claiming that I was due a refund for Microsoft Support for which I had previously paid. And that all I needed to do was 'register' it on some internet website he wanted me to login to.
At that point, I said I wasn't anywhere near my PC and asked if there was a number I could call him back at in 20 minutes. He gave one, then said he would call me back in twenty, and then hung up without saying goodbye.
I expect better customer service from my scammers.
Whatever the case, there's a new/old game in town.
Call Info:
- Caller ID -- Unavailable Name / Out of Area Number
- Guy on the Other End -- Heavy Middle Eastern accent, using a common western name
- Background Noise -- Didn't sound like a crowded area, coffee shop, or room with other scammers
- Number Given for Callback -- 800-492-3939
That call back number does work, but when calling it direct it answers with an automated voice:
"You have reached a national telemarketing company. They number you dialed is (changes to choppy phonetic voice) 1-8-0-0-4-9-2-3-9-3-9
(Changes back to normal automated voice) Again the number you have reached is (changes back to choppy phonetic voice) 1-8-0-0-4-9-2-3-9-3-9
(Changes back to normal automated voice) If you believe you have dialed the correct number, please press 1 and I will transfer to an agent
Ok, I'll transfer you now. Please stand on the line to continue. To ensure proper handling, call may be recorded" (and so on)
That inbound message in itself seems very shady to me. Doesn't identify itself in any regard. Message seems designed to be to be overly vague/cheap/fly-by-night. Just enough to answer the call. But also flexible enough to be changed at a moment's notice when needed to avoid a negative reputation or legal inquiry.
I donno.
Spoke to somebody on the other end, and after they asked for my zip code -- they said they were an inbound call center run by a company named Alorica.
When I asked why they needed my zip code, they gave me a vague doubletalk response. Explained that I got this number from somebody who called me, and the person on the other end said that they didn't have any information about that. She hung up on me after I asked her to spell her company's name to make sure I got it.
Called back, got somebody else. Told them that somebody had called me and tried to claim they were working for Microsoft -- and also claiming that they were from this number.
While she was much more polite, she also said that they didn't make outbound phone calls. And within the product/company list she had in her system, Microsoft was not listed. I got the sense she had also not heard of the "Microsoft" scam. And she wasn't able to give any additional info.
So recapping:
- Got a scam call from somebody claiming to work for Microsoft
(Microsoft would never EVER do this) - Scammer claimed I was due a refund for support services I had previously paid
(And support services I never paid for) - All I had to do was register my PC
(By connecting with it to their website) - Scammer gave me a callback number of 800-492-3939 for what appears to be a different company
(Wasn't expecting that) - Different company in itself seemed very very VERY shady in their own right
(WTF?!?) - And by the time I write this, it's been 25 minutes -- so I gather the Scammer isn't calling back
(Chicken)
Good times
Saturday, September 24, 2016
@securityguy23:
Back from executing a HIPAA Risk Assessment in Tampa -- Returning to regularly scheduled programming, already in progress. . .