PSA: If You’re Using Gmail, Consider Getting a U2F Security Key to Secure Your Account

Posted: 1:38 am ET

The private email of a State Department official working in the Office of Analysis for Russia and Eurasia (INR/REA) was reportedly hacked. FP reported a few days ago that the trove of emails includes at least two years’ worth of personal emails from the private Gmail account, as well as personal information.

Whether you’ve been using Gmail for years, or have recently moved from Hotmail to Gmail, you need to consider getting a Universal 2nd Factor (U2F) security key to secure your private email account. You can start with FIDO U2F from Yubico if you want to check it out. It is pretty straightforward to set up. Note that you can only use the key with Gmail when using the Chrome browser (or Opera) at this time. We’re not on FB or Dropbox, but you can reportedly use this key to secure those accounts, too.

For folks who must regularly update wills and prepare “go-bags” (pdf), here is one more thing to consider:

#


Pro-ISIS Hackers Post Alleged “Kill” List With 43 Names Including @StateDept Names

Updated: 2:58 am ET

In August last year, we blogged about the Purported ISIS ‘Hit List’ With 1,482 Targets including State Department names. Now, according to Vocativ, hackers with a pro-ISIS group calling themselves the United Cyber Caliphate distributed a “kill” list on Monday that appears to include dozens of U.S. government personnel.

The list features 43 names of people linked to the State Department, the Department of Homeland Security and the departments of defense, energy, commerce and health and services. It also identifies the U.S. embassies in Santiago and Kathmandu—as well as the Department of the Navy in Gulfport, Mississippi—as targets.

The purported “hit list” last year reportedly included personnel data of more than 1,482 members of the U.S. military, NASA, the FBI, the Port Authority of New York and New Jersey, and the State Department. Technology security expert Troy Hunt wrote at that time that “nothing makes headlines like a combination of ISIS / hackers / terrorism!” and took a closer look with an analysis here. How many of these names come from “pastes” that have been reproduced or recycled, and how many are new? Whatever the answer, this is a trend that will probably continue into the foreseeable future. Reports like this should be a periodic reminder to regularly review your and your family members’ privacy settings and digital footprint.


#

PSA: Know the Risk #Raise Your Shield Campaign: Spear Phishing

Posted: 4:02 am EDT

The National Counterintelligence and Security Center (NCSC) is responsible for leading the counterintelligence and security mission across the USG. It is putting out a campaign that focuses on spear phishing and will reportedly also cover social media, human targeting, and travel awareness. You can learn more at http://www.ncsc.gov but fair warning, the website is slow and cumbersome, hard to navigate and not terribly user-friendly.

Via the Office of the Director of National Intelligence:


Here’s the Don’t Be THIS Guy: Spear Phishing video:

#

State Dept Responds to Purported ISIS ‘Hit List’ — This Gives Me A Sad

Posted: 3:18 pm EDT

On August 16, we blogged this: Purported ISIS ‘Hit List’ With 1,482 Targets Includes State Department Names. We asked the State Department about this over the weekend. We wanted to know if the agency has been able to confirm the affected State personnel. The State Department, on background, told us this:

We acknowledge the reports. While we will not comment on or confirm the specifics of this particular assertion, we know that malicious actors often target email accounts of government and business leaders across the United States.

We’ve also inquired about its response, or guidance to personnel, if any, and the State Department, still on background, would only say this:

We believe it is important for not only government and private sector companies but also individuals to improve their cybersecurity practices. That is why this Administration is working hard to raise our cyber defenses across the board.

Yikes! ¯\_(ツ)_/¯

Well, we hope they’re talking to employees behind the firewall with more substance than this practically useless two-sentence response.

*

We have not been able to find any State Department response or guidance on this on the public net, but DOD has some useful reminders posted on the open web, no logon required. The first set of slides below is actually a social networking cybersecurity awareness briefing by Diplomatic Security. The slide set appears to date from a few years back (it uses 2009 examples) and is not available, as far as we can tell, from state.gov. We found this set posted on the slideshare site maintained by the Defense Department. The other two slide sets, both from the DOD site, cover OPSEC for families and geotagging safety for those who post photos online.

Social Networking Cybersecurity Awareness


Social Media Cyber Security Awareness Briefing | OPSEC For Families


Social Media Roundup/Geotagging Safety

#