Malware Creators Adapt to New SHA-2 Certificate Technologies to Thwart Security Measures


It’s a constant battle between the good guys and bad guys. The good guys are transitioning to the stronger SHA-2 certificates on websites, so the bad guys are now using stolen SHA-1 and SHA-2 certificates.

Symantec noted in a recent blog that these stolen certificates are being used in an attempt to thwart the new browser technology that will indicate if a site is using the outdated SHA-1. In fact, the malware is signed with both versions, so that older systems will accept the older SHA-1 certificate and newer ones will accept the SHA-2 certificate. That’s pretty crafty of them.

They are doing this so that the malware can bypass the security measures put in place. Symantec found that a version of the Carberp.B Trojan was modified to use exactly this approach. This malware arrives as an infected email attachment with the subject “ATTN 00890” and targets those who work in accounting departments. The macro embedded in the attachment downloads a malicious .exe file from a server in Mauritius, an island nation off the coast of Africa.

This scenario shows how malware creators are adapting and using legacy systems to wreak havoc. So, those who are still running the unsupported Windows XP in their organizations should make a serious effort to upgrade. In addition, make sure all patches are applied as soon as they are released. This should be part of a comprehensive security strategy.

However, because this effort by the malware creators is still new, US companies have been given a window of time to address this specific attack. The window is not large, so action should be taken now.

© Copyright 2016 Stickley on Security

Credit Monitoring vs Credit Freeze; What Is the Best for You?


Those who were victims of the massive Office of Personnel Management (OPM) breach of last year (21.5 million as of September 2015) were given the option of signing up for free credit monitoring services for a period of time, up to three years from the date of signup. Other companies that experience a data breach often offer this service to victims. However, what does that really mean, and is credit monitoring going to prevent identity theft?

The short answer is “no.” Credit monitoring and identity theft protection services (the term the OPM used to offer the service to its victims) will send an alert if credit is accessed, applied for, or an account is opened. In some cases, if identity theft does occur it will help you through the process of correcting it. It will not prevent any of this from happening.

On the other hand, a credit freeze will. It blocks any attempt to access credit and the credit bureaus will alert you if someone tries. A credit freeze is recommended to those who have had their social security numbers stolen and who are not applying for credit in the near term. For those who are planning to apply for a mortgage, credit card, car loan, etc., this may not be the right solution. Apply for the credit first, then put the freeze on the account.

That said, a credit freeze may be lifted and re-implemented if needed. Just make sure to check the fine print to find out how much lead time is needed to do this and if additional costs are involved. In some states, the bureaus are allowed to charge for freezing credit. However, it’s a relatively small cost and should be considered peace of mind.

An important detail about taking advantage of any credit monitoring service is that if there already is a freeze on your credit, the credit monitoring services will not work. This is because they need to access your credit so they can monitor it. Therefore, if you do sign up for this (and you should if you are offered it and want to keep your files accessible), sign up for the service first, then freeze your credit. Also, if you have already been an identity theft victim, these services can help you put your credit back together. However, don’t unfreeze it just to sign up. If the third party cannot access your file because it’s frozen, then the credit freeze is doing what it is supposed to do.

Don’t forget to monitor the credit of your children. Theoretically, children under 18 should not have a credit report. The reality is that one in 40 families with children under 18 had at least one child whose information was accessed in an unauthorized manner (from a 2012 study by the Identity Theft Assistance Center and the Javelin Strategy & Research group). If you find a report for your child on file with Equifax, Experian, or TransUnion, it means one of the following:
• A parent or guardian applied for credit with the minor’s social security number and it was approved,
• Someone used the minor’s information to get credit fraudulently, or
• The minor was listed as an authorized user or joint account holder on a credit account.

Unfortunately, the child victims of identity theft often know the thieves; 27% as reported in the aforementioned study. This makes it even more challenging for young victims to report it.

The company that the OPM is paying $133 million to monitor the credit of its victims requests more information than is needed to do the job. They recommend that bank account numbers, credit card numbers, passport details, medical information, and other sensitive information be entered into their forms so that they can watch over that too. However, even if they monitor all of that, it will not prevent identity theft, and in fact it hands a lot of very important information to yet another party, leaving you open to even more risk of it being stolen. After all, the more parties that have it, the greater the risk of it being accessed by an unauthorized party.

© Copyright 2016 Stickley on Security

New Mobile Malware Bypasses Two Factor Authentication


We have heard of mobile apps that steal banking credentials before. We have even somewhat recently heard of one that targets large banks (Xbot). Now a newly discovered one is making the rounds and is likely soon to make a debut in the United States. It poses as Flash Player to trick Android users and can even bypass multi-factor authentication methods.

The malware uses a very legitimate-looking Flash Player icon and targets a list of the 20 largest banks in the countries where it is currently active. The servers it uses were registered in January and February of 2016, and the URL paths they use are regenerated hourly, most likely to avoid detection by anti-virus software products. However, some of these products are indeed catching them.

It is common advice now that everyone should install anti-malware apps on all devices that interact with the Internet in any way. This includes mobile devices, laptops, and desktop computers. Remember to make sure they are updating regularly. If there is an option for automatic updates, it is recommended that it be active. Even if they are known to miss some threats, they catch far more than they miss.

There are many products for this and some are inexpensive or even free. However, do research to make sure they are legitimate and from trusted companies before downloading anything. A good way to do this is to check reviews in the app store. Keep in mind that if there are only a few reviews and they are all good or glowing, it’s worth it to do extra reading elsewhere to make sure they are real reviews.

Avoid downloading apps from locations other than the official app stores. Doing this, otherwise known as sideloading, adds risk of executing malware of some type onto your device. Although it isn’t 100% guaranteed that you won’t get a bad app in the stores, the likelihood is significantly lower because in order to get apps into those stores, there are more stringent security requirements for the products.

This particular piece of malware will ask for administrator rights. Once they are granted, the app sends details about the device to a remote server. If any of the targeted banking apps are found, the malware launches a fake login screen and any data that is entered is sent off to the remote server. If multi-factor authentication is active on the account, the text message gets intercepted and sent to the remote server, thereby thwarting that extra security check. However, it’s still advised to activate any multi-factor authentication offered by your financial institution. More often than not, this will prevent such malware from taking up residence on your devices.

One giveaway that this app is fake is that it asks for administrator rights. Never give these. There are very few, if any, apps that need them, and Flash Player certainly does not. If this access is given to someone with ill intentions, they can do a lot of damage. If in doubt, say “no.”

Also, Adobe no longer supports Flash Player development on Android, so if an app offers that functionality, you should question it.

Fortunately, this malware-infested app can be uninstalled. It may not be easy, though, and if the malware has configured the device so that its administrator rights cannot be deactivated, it can be a real headache. This is an argument in favor of keeping regular backups of devices. Then, if something like this creeps in, you can wipe the device and restore from a backup that didn’t include the malware.

© Copyright 2016 Stickley on Security

Scam Alert: Official-Sounding Calls About An Email Hack

There’s a new twist on tech-support scams — you know, the one where crooks try to get access to your computer or sensitive information by offering to “fix” a computer problem that doesn’t actually exist. Lately, we’ve heard reports that people are getting calls from someone claiming to be from the Global Privacy Enforcement Network. Their claim? That your email account has been hacked and is sending fraudulent messages. They say they’ll have to take legal action against you, unless you let them fix the problem right away.

If you raise questions, the scammers turn up the pressure – but they’ve also given out phone numbers of actual Federal Trade Commission staff (who have been surprised to get calls). The scammers also have sent people to the actual website for the Global Privacy Enforcement Network. (It’s a real thing: it’s an organization that helps governments work together on cross-border privacy cooperation.)

Here are a few things to remember if you get any kind of tech-support call, no matter who they say they are:
• Don’t give control of your computer to anyone who calls you offering to “fix” your computer.
• Never give out or confirm your financial or sensitive information to anyone who contacts you.
• Getting pressure to act immediately? That’s a sure sign of a scam. Hang up.
• If you have concerns, contact your security software company directly. Use contact information you know is right, not what the caller gives you.

If you spot a scam, tell the FTC.

by Andrew Johnson
Division of Consumer and Business Education, FTC

Monitoring Your Portfolio

You probably already know you need to monitor your investment portfolio and update it periodically. Even if you’ve chosen an asset allocation, market forces may quickly begin to tweak it. For example, if stock prices go up, you may eventually find yourself with a greater percentage of stocks in your portfolio than you want. If stock prices go down, you might worry that you won’t be able to reach your financial goals. The same is true for bonds and other investments.

Do you have a strategy for dealing with those changes? You’ll probably want to take a look at your individual investments, but you’ll also want to think about your asset allocation. Just like your initial investing strategy, your game plan for fine-tuning your portfolio periodically should reflect your investing personality.

The simplest choice is to set it and forget it–to make no changes and let whatever happens happen. If you’ve allocated wisely and chosen good investments, you could simply sit back and do nothing. But even if you’re happy with your overall returns and tell yourself, “if it’s not broken, don’t fix it,” remember that your circumstances will change over time. Those changes may affect how well your investments match your goals, especially if they’re unexpected. At a minimum, you should periodically review the reasons for your initial choices to make sure they’re still valid.

Even things out

To bring your asset allocation back to the original percentages you set for each type of investment, you’ll need to do something that may feel counterintuitive: sell some of what’s working well and use that money to buy investments in other sectors that now represent less of your portfolio. Typically, you’d buy enough to bring your percentages back into alignment. This keeps what’s called a “constant weighting” of the relative types of investments.

Let’s look at a hypothetical illustration. If stocks have risen, a portfolio that originally included only 50% in stocks might now have 70% in equities. Rebalancing would involve selling some of the stock and using the proceeds to buy enough of other asset classes to bring the percentage of stock in the portfolio back to 50. The same would be true if stocks have dropped and now represent less of your portfolio than they should; to rebalance, you would invest in stocks until they once again reach an appropriate percentage of your portfolio. This example doesn’t represent actual returns; it merely demonstrates how rebalancing works. Maintaining those relative percentages not only reminds you to take profits when a given asset class is doing well, but it also keeps your portfolio in line with your original risk tolerance.

When should you do this? One common rule of thumb is to rebalance your portfolio whenever one type of investment gets more than a certain percentage out of line–say, 5 to 10%. You could also set a regular date. For example, many people prefer tax time or the end of the year. To stick to this strategy, you’ll need to be comfortable with the fact that investing is cyclical and all investments generally go up and down in value from time to time.

Forecast the future

You could adjust your mix of investments to focus on what you think will do well in the future, or to cut back on what isn’t working. Unless you have an infallible crystal ball, it’s a trickier strategy than constant weighting. Even if you know when to cut back on or get out of one type of investment, are you sure you’ll know when to go back in?

Mix it up

You could also attempt some combination of strategies. For example, you could maintain your current asset allocation strategy with part of your portfolio. With another portion, you could try to take advantage of short-term opportunities, or test specific areas that you and your financial professional think might benefit from a more active investing approach. By monitoring your portfolio, you can always return to your original allocation.

Another possibility is to set a bottom line for your portfolio: a minimum dollar amount below which it cannot fall. If you want to explore actively managed or aggressive investments, you can do so–as long as your overall portfolio stays above your bottom line. If the portfolio’s value begins to drop toward that figure, you would switch to very conservative investments that protect that baseline amount. If you want to try unfamiliar asset classes and you’ve got a financial cushion, this strategy allows allocation shifts while helping to protect your core portfolio.

Points to consider

• Keep an eye on how different types of assets react to market conditions. Part of fine-tuning your game plan might involve putting part of your money into investments that behave very differently from the ones you have now. Diversification can have two benefits. Owning investments that go up when others go down might help to either lower the overall risk of your portfolio or improve your chances of achieving your target rate of return.

Asset allocation and diversification don’t guarantee a profit or insure against a possible loss, of course. But you owe it to your portfolio to see whether there are specialized investments that might help balance out the ones you have.

• Be disciplined about sticking to whatever strategy you choose for monitoring your portfolio. If your game plan is to rebalance whenever your investments have been so successful that they alter your asset allocation, make sure you aren’t tempted to simply coast and skip your review altogether. At a minimum, you should double-check with your financial professional if you’re thinking about deviating from your strategy for maintaining your portfolio. After all, you probably had good reasons for your original decision.

• Some investments don’t fit neatly into a stocks-bonds-cash asset allocation. You’ll probably need help to figure out how hedge funds, real estate, private equity, and commodities might balance the risk and returns of the rest of your portfolio. And new investment products are being introduced all the time; you may need to see if any of them meet your needs better than what you have now.

Balance the costs against the benefits of rebalancing

Don’t forget that too-frequent rebalancing can have adverse tax consequences for taxable accounts. Since you’ll be paying capital gains taxes if you sell a stock that has appreciated, you’ll want to check on whether you’ve held it for at least one year. If not, you may want to consider whether the benefits of selling immediately will outweigh the higher tax rate you’ll pay on short-term gains. This doesn’t affect accounts such as 401(k)s or IRAs, of course. In taxable accounts, you can avoid or minimize taxes in another way. Instead of selling your portfolio winners, simply invest additional money in asset classes that have been outpaced by others. Doing so can return your portfolio to its original mix.

You’ll also want to think about transaction costs; make sure any changes are cost-effective. No matter what your strategy, work with your financial professional to keep your portfolio on track.
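As an added worked example (Python written for this page, not the newsletter’s own material), the constant-weighting rebalance from “Even things out” and the sell-nothing alternative from “Balance the costs” are carried through on the article’s 70/30 portfolio with a 50/50 target. The 5% drift threshold, the dollar figures and the cash contributions are constructed sample inputs.

```python
from typing import Dict

Portfolio = Dict[str, float]  # asset class -> current dollar value


def current_weights(values: Portfolio) -> Dict[str, float]:
    """Share of the whole portfolio each asset class represents right now."""
    total = sum(values.values())
    return {k: v / total for k, v in values.items()}


def needs_rebalance(values: Portfolio, targets: Dict[str, float],
                    threshold: float = 0.05) -> bool:
    """Rule of thumb from the article: rebalance when any class has drifted
    more than `threshold` (5 to 10 percentage points) from its target weight."""
    weights = current_weights(values)
    return any(abs(weights.get(k, 0.0) - t) > threshold for k, t in targets.items())


def rebalance_by_selling(values: Portfolio, targets: Dict[str, float]) -> Portfolio:
    """Constant weighting: dollars to buy (+) or sell (-) in each class so that
    every class returns to its target share of the same total value."""
    total = sum(values.values())
    return {k: round(t * total - values.get(k, 0.0), 2) for k, t in targets.items()}


def rebalance_by_contribution(values: Portfolio, targets: Dict[str, float],
                              cash: float) -> Portfolio:
    """Tax-aware alternative: sell nothing, direct new cash only to classes that
    sit below target. The summed shortfalls always cover at least `cash`, so
    the cash is split across the lagging classes in proportion to each gap."""
    total_after = sum(values.values()) + cash
    shortfalls = {k: max(0.0, t * total_after - values.get(k, 0.0))
                  for k, t in targets.items()}
    needed = sum(shortfalls.values())
    if needed == 0:
        return {k: 0.0 for k in targets}  # nothing to contribute
    return {k: round(s * cash / needed, 2) for k, s in shortfalls.items()}


def apply_trades(values: Portfolio, trades: Portfolio) -> Portfolio:
    """Portfolio after the buys/sells (or contributions) have been executed."""
    return {k: values.get(k, 0.0) + trades.get(k, 0.0)
            for k in set(values) | set(trades)}


if __name__ == "__main__":
    # Constructed sample: stocks have run up to 70% of a 50/50 portfolio.
    holdings = {"stocks": 70000.0, "bonds": 30000.0}
    target = {"stocks": 0.5, "bonds": 0.5}
    print("drifted past 5%:", needs_rebalance(holdings, target))
    print("sell/buy to restore:", rebalance_by_selling(holdings, target))
    print("direct $10,000 of new money:", rebalance_by_contribution(holdings, target, 10000.0))
```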

Broadridge Investor Communication Solutions, Inc. does not provide investment, tax, or legal advice. The information presented here is not specific to any individual’s personal circumstances.

To the extent that this material concerns tax matters, it is not intended or written to be used, and cannot be used, by a taxpayer for the purpose of avoiding penalties that may be imposed by law. Each taxpayer should seek independent advice from a tax professional based on his or her individual circumstances.

These materials are provided for general information and educational purposes based upon publicly available information from sources believed to be reliable—we cannot assure the accuracy or completeness of these materials. The information in these materials may change at any time and without notice.

Non-deposit investment products and services are offered through CUSO Financial Services, L.P. (“CFS”), a registered broker-dealer (Member FINRA/SIPC) and SEC Registered Investment Advisor. Products offered through CFS: are not NCUA/NCUSIF or otherwise federally insured, are not guarantees or obligations of the credit union, and may involve investment risk including possible loss of principal. Investment Representatives are registered through CFS. NASA Federal Credit Union has contracted with CFS to make non-deposit investment products and services available to credit union members.

Cherry Blossom Run 2016


Team NASA Federal once again lit up the Credit Union Cherry Blossom 10-Mile Run on Sunday, April 3, 2016 with its overwhelming enthusiasm. As in years past, the event brought together credit unions from across the country in support of the Children’s Miracle Network. And once again, the highly spirited members of Team NASA Federal were there, making their support for the kids known in a big way.

Cherry Blossom typically raises around $500,000 each year, and 2016 was no exception, bringing the total amount raised to over $7 million since credit unions became the title sponsors in 2002. NASA Federal employees raised more than $3,100.

This year, the event hosted approximately 16,000 runners, of which 21 were NASA Federal employees and family members and 81 were NASA Federal-sponsored members. Runners were greeted by 91 NASA Federal volunteers, who handed them water and cheered passionately as they passed by the NASA Federal water station.

Thanks to all of the NASA Federal employees, volunteers and runners for their dedication and energy. They make the Cherry Blossom Run special year in and year out.