Typosquatters

Man typing

Of all the myriad of ways that we can be duped, scammed, or otherwise taken advantage of on the internet, “typosquatting” remains one of the easiest to stumble into.

Perpetrators of this scam will purchase site domain names that are very similar to popular pages that people visit, usually by changing the .com part of the web address to .cm. This preys on people who make typos, which is, suffice to say it – all of us.

These duped sites can range from being pop-up laden cesspools riddled with viruses or malware, to near-replicas designed to fool users into inputting login information that can be manipulated later.

So, who is doing this? While these types of tricks can occasionally be tied down to lone actors (given how easy it is to obtain a domain name), KrebsOnSecurity identified the marketing firm Media Breakaway LLC to be behind more than 1500 of these false .cm domains. The company is headed by one Scott Richter – a convicted felon who has been the target of several successful lawsuits for illegal spamming. Other companies related to Richter include Dynamic Dolphin and affiliate[dot]com, also related to email spam.

Just how many people are falling victim to these scams? More than 12 million in a 3 month time frame – amounting to a potential of 50 million per year, according to an analysis conducted by Matthew Chambers. Several of these visitors additionally were found to be coming from .gov and .mil sites in the USA, which are the official federal government and military domains. Many popular news sites, social media, banking, and music streaming sites have these malicious doppelgangers.

The actionable item to protect yourself in this situation ultimately boils down to a matter of double-checking the web address before you hit enter, or bookmark your most commonly visited sites.

For more information on this subject, feel free to reach out to us @CentryLTD on Twitter or any of our other social platforms.

Supply Chain Security Introductory Guide

architecture-bay-boat-326410

Having a secure logistics supply chain can save your company millions in terms of assets and reputation, and here at Centry, we have the know-how to help you. Two of the biggest certifications that we offer consultation on in our supply chain security program include the Authorized Economic Operator (AEO) authorization and compliance with security standards of the Transported Asset Protection Association (TAPA).

What is AEO?

The Authorized Economic Operator (AEO) Program is an initiative of the European Union geared toward securing logistic supply chains against trafficking and financial fraud. Being an Authorized Economic Operator is beneficial – it is an open declaration that your company has a lower risk and threat evaluation.

Basically, traders who meet the criterion of the program are entitled to enjoy benefits of trade in international supply chains. Some of these benefits include things like easier admittance to customs simplification programs, fewer physical and document-based controls, priority treatment if selected for control, and reputational advantages such as recognition as a safe and secure business partner, improved relations with customs and gov’t authorities, and reduced theft and losses.

What is TAPA?

When you become a member of TAPA, you are taking a stance for your company with an internationally recognized leader of the fight against cargo crime. TAPA is a worldwide coalition of manufacturers, shippers, carriers, insurers, service providers, law enforcement, and government agencies. It is inclusive of every type of organization or company facing the problem of cargo crime within the transportation supply chain.

TAPA security requirements have expanded to global recognition as the industry standard for cargo facility and transport security, notably:

  • FSR (Freight Security Requirements)
  • TSR (Trucking Security Requirements)

These standards exist to help TAPA members reduce losses, and to provide a platform for more uniform conformance with state of the art security. Carrier hubs and depots that are TAPA certified guarantee with minimum security standards for manufacturers, and they are suitable for inclusion in contractual agreements.

Centry was recently appointed to be the TAPA Service Center in Thailand, becoming the main TAPA service provider in the country, supplying our services also to the general region of South East Asia.

Our supply chain security team supports organizations that are interested in enhancing the resilience of their supply chains by applying for international certificates and authorizations.

Who Can Benefit from this? ​

Our program is suitable for both organizations who are just beginning the journey toward a more secure supply chain, and organizations that have an established security resilience culture, but wish to improve it with objective knowledge. In order to ensure that the efforts of the organization receive the recognition they deserve, we support our customers in complying with the requirements of AEO, C-TPAT, ISO 28000, TAPA FSR and TSR certificates and authorizations.

Where to Begin

For businesses looking to begin the journey toward securing their supply chains, we provide our full spectrum of services that are aimed at guiding the customer through the whole process of certification and security– from preliminary discussions to the maintenance phase of the security management system.

Our primary objective is to support the creation of a system that suits the existing culture and processes of the organization. This begins with determining the desired outcome for the program, followed by examining the operations to understand the business and pinpoint the critical areas. When the key areas have been identified, we provide our expert knowledge to comply with the requirements of the certificate or authorization. This includes system upgrades, creation of documents, training of staff and third parties, inspections of third parties and ensuring compliance with internal requirements.

How to Extend Your Knowledge

For an organization with established security resilience culture, we provide objective and up-to-date knowledge and services regarding supply chain security. The service can be directed to specific issues or give an overarching view of the whole organization. It ensures that the team tasked to ensure supply chain resilience has the up-to-date information regarding key topics and solutions required to enhance the main business. The services we provide include: site and system assessments to ensure compliance with requirements, workshops and training sessions for key stakeholders, classroom sessions for larger crowds, e-learning solutions to ensure global coverage and intelligence services to clarify the opportunity and threat profiles for business objectives and areas.

As global supply chains involve long subcontracting chains, we provide third-party monitoring solutions. We conduct assessments and investigations on behalf of the organization to their third parties for an objective compliance evaluation against any security requirements.

All of these services can be included with Centry’s Security Manager as a Service -package. With it, the organization has the up-to-date knowledge available, when it is required.

If you have any questions or comments, feel free to contact us at info@centry.global.

Valid Concern or Tap Anxiety? An Evaluation of Amazon’s Alexa Recording

406213-amazon-echo

Alexa’s Infamous Recording

A couple weeks ago, a family from Portland, Oregon reached out to Amazon to investigate after they said that their home assistant device, “Alexa”, had apparently recorded audio of a conversation the couple was having and sent it to an acquaintance of the family who’s phone number was in their contact list. The acquaintance, a work colleague, immediately contacted the family to let them know that he received the recording, and told them to turn off their devices.

This led to a media frenzy, where countless sources questioned the security of home assistant devices, likening them to Orwellian wire-taps.

So, how did this happen?

When the family contacted Amazon concerning the incident, an engineer investigated the logs of the device and was able to confirm the recording and subsequent sending. The engineer suggested that the entire issue was a result of the device misinterpreting the sounds of the distant conversation as commands to record and then send the message.

The company’s official statement was:

“Echo woke up due to a word in background conversation sounding like “Alexa.” Then, the subsequent conversation was heard as a “send message” request. At which point, Alexa said out loud “To whom?” At which point, the background conversation was interpreted as a name in the customer’s contact list. Alexa then asked out loud, “[contact name], right?” Alexa then interpreted background conversation as “right”. As unlikely as this string of events is, we are evaluating options to make this case even less likely.”

Is this something to be genuinely concerned about?

In short, not really: the coverage of this situation was greatly sensationalized.

If you have ever “butt-dialed” someone from your mobile phone, this is not very much different of a circumstance. Accidental activation leads to a call or command.

Anyone who has one of these devices has probably heard it pipe up unprompted, whether it was from a distant conversation, the TV, radio, computer, etc. It’s important to remember that home assistant devices like Amazon Echo and Google Home are still first generation pieces of technology – they are learning on the go, and there is bound to be a few hiccups along the way. Human speech interpretation is very hard.

Both devices have large, easy to see indicators of when they are listening for the keyword. Alexa has a bright blue circle that illuminates on the top, and Google Home also lights up.

However, if you are still worried, here are a few steps you can take:

  1. Turn on command tones in the app. This makes the device “ding” when it hears the keyword, letting you know that it’s actively listening.
  2. Don’t ignore it when it speaks– tell it to stop. Otherwise, it could continue mishearing commands.
  3. Protect your WiFi network. These devices are only as secure as the network they connect to.
  4. Check in the app to see if there are any stored recordings, and delete them.

If you have any questions or comments, feel free to reach out to us on any of our social media profiles. For more content like this, subscribe to Centry Blog for weekly articles!

GDPR: Day One

The European Union’s General Data Protection Regulation (GDPR) officially went into effect today. The new regulation exists to give citizens of the EU control over how their data is used. It’s extensive and comes with the promise of harsh fines if non-compliant companies experience a data breach.

Centry’s GDPR Guide, shown on the popular webcast This Week in Law, breaks down the who/what/when/where and why of GDPR for those who want a quick briefing of what this means and why it’s important.

Now, on day one, we are observing the first ripples in the pond of this new policy. Already, BBC has reported that some US-based news websites are unavailable in Europe as the new regulations have come into effect. Some of these include the New York Daily News, LA Times, Chicago Tribune, Orlando Sentinel, and Baltimore Sun.

The above news sites are part of the Tronc media publishing group. Others under Lee Enterprises have been similarly affected. Freelance developer Owen Williams created a blog called GDPR Hall of Shame to provide a tongue-in-cheek illustration of the blunders some companies have made as they have taken the first steps of navigating the ruling.

One of the worst offenders is the social media/micro-blogging platform Tumblr, which requires users to manually deselect more than 300 boxes to prevent each entity from utilizing their data. There is no available option currently for mass selection.

Others are taking the change to data regulation in full stride. Microsoft has expanded their GDPR-compliant policy to protect all of their users, not just the ones based out of the EU.

If you have any questions or comments about GDPR, feel free to contact us on any of our social platforms!

For more content like this, subscribe to Centry Blog for weekly updates related to the security industry, cyber security, risk management, compliance, and global affairs.

What to Pack in a Grab-Bag

One of the ways that you can prepare yourself for an emergency is to stock a grab-bag. That is, a bag containing a handful of supplies that could make all the difference in recovering after an emergency, whether it’s a natural disaster or hostile threat.  The idea is that you need only to take this single bag with you as you respond to a crisis, ensuring that you have what you need for immediate survival following the contingency.

The exact necessities that you pack will be impacted by your geographical location and the regional-specific risks therein, but here are a few ideas to get you started:

Information & Documentation

This should include your passport and/or visa, and any other important documents related to your identity. This is especially important if you are travelling abroad, particularly if the contingency requires you to leave the country. Even if it is for a home-emergency, being able to have at least a couple identifying documents will assist you in the recovery of other important documents after the fact.

Food & Water

A stock of high energy, non-perishable food items and as much water as you can feasibly carry.

Communications

A spare mobile phone with a charger.

Health & Safety

Basic first aid kit and any essential medications that you may require day-to-day.

Other

Some other items to include in your grab bag are money, a change of clothing, candles, matches, a flashlight/torch, and spare batteries.

Keep in mind that the general advised contents of this grab bag address the needs of the average individual whether they are at home or traveling. Family and/or group kits will vary, especially if there are pets involved. 

If you have any questions or would like expanded detail of this, please don’t hesitate to contact us at info@centry.global! Remember to subscribe for weekly updates on Centry Blog, and follow us on Twitter @CentryLTD for more content like this.

GDPR & Consent

GDPR and Consent (1)

The deadline for compliance with the General Data Protection Regulation (GDPR) is approaching fast: May 25th, 2018 is when enforcement will begin.

Be sure to read Centry’s GDPR Guide for a concise, easy-to-read breakdown of what GDPR is and important details of what you need to know about it.

For any questions or comments, feel free to contact us at info@centry.global or on any of our social media outlets. We’re here to help you!

 

Orbitz Data Breach

pexels-photo-91217

If you made travel plans with Orbitz or Amex Travel between 2016 to 2017, you might want to keep a close eye on your card statements.

This week, the Expedia-owned travel planning company, Orbitz, announced that it had discovered a potential data breach that may have compromised information tied to 880,000 credit cards. Hackers may have been able to access consumer data submitted between Jan. 1, 2016 to June 22, 2016 on the company’s legacy platform.

Partner platform Amextravel.com was also affected, linked to purchases made between Jan. 1, 2016, and Dec. 22, 2017.

The compromised data includes names, dates of birth, postal and email addresses, gender, and payment card information of customers who submitted such information in those specified time periods. Orbitz stated that they do not yet have any “direct evidence” that this information was stolen, but it was certainly put at risk. The company has said that it has been notifying customers who may have been impacted by the breach, and it is offering a free year of credit monitoring to affected U.S. customers.

In a statement, Orbitz described working with a forensic investigation firm, cybersecurity experts, and law enforcement once the breach was discovered, on March 1st, in order to “eliminate and prevent unauthorized access to the platform.”

In the meantime, Orbitz has set up a website for US customers to find out more about the breach and whether their information may have been compromised. Individuals that enter their name and email address into the form requesting additional protection will be directed to a confirmation page and emailed a redemption code from orbitz@allclearid.com. Orbitz asserts that the AllClearID website will be the company’s primary platform for communication on the protective services they are offering.  

If you are worried about your information being compromised, ensure that you review payment card statements carefully and call your bank if there are any suspicious transactions. Similarly, be aware of phone calls or emails that offer identity theft protection – these may be phishing scams to steal your information while you’re vulnerable.

For more content like this, follow us on Twitter @CentryLTD!