Tag: Cybersecurity

It Starts With a Simple Question

Today, a family friend asked me, “Is it okay if I email a copy of my passport to this small business? They need it for registration.” A few weeks ago, another friend reached out—this time, asking whether it was safe to send their Social Security Number and driver’s license via email for some ‘official paperwork.’

These are not isolated incidents. These are smart, thoughtful people, just trying to get things done—sign up for a program, submit documents, move life forward. But they’re also unknowingly exposing themselves to serious risks.

That’s when it hit me: this problem is everywhere. From small businesses to afterschool activities, visa agents to insurance brokers, people are regularly asked to send highly sensitive documents over insecure channels. And most of the time, they do it, because they don’t want to delay the process or seem difficult.

This article is for them and for all of us. It’s time we talk about why sending your SSN, passport, or ID over email or WhatsApp can be a terrible mistake, and what safer alternatives look like.

How We Got Here
We’ve normalized risky communication habits without realizing the potential consequences.

  • Emails for Everything: Schools, doctors, after-school programs, and visa agents regularly ask for SSNs, IDs, and documents over email.
  • Messaging Apps as a Crutch: WhatsApp and Facebook Messenger are often used to exchange documents—but they aren’t truly secure for sensitive data.
  • Shared Email Accounts: Small businesses (especially local gyms, afterschool programs, and mom-and-pop shops) may use a single shared email account—leaving your personal documents open to whoever logs in.

Why It’s Dangerous
What feels like a simple action could expose your most personal information to attackers.

  • Man-in-the-Middle (MITM) Attacks: If you’re on public Wi-Fi or a compromised network, your email or WhatsApp message can be intercepted.
  • Email Account Compromises: If the receiver’s inbox is hacked, your SSN and ID documents are exposed.
  • Reused Credentials: Many small businesses and agents don’t follow security best practices and often reuse passwords across accounts.

Real-World Consequences
When your data lands in the wrong hands, the damage isn’t just digital—it’s personal and financial.

  • Identity Theft: SSNs are gold for cybercriminals—they can open credit lines, file false tax returns, and more.
  • Medical Fraud: Using your SSN and personal details, someone could receive healthcare under your name.
  • Immigration Scams: Agents asking for passport and visa information via email have been known to sell or mishandle documents.

Industries That Have Secure Guidelines (But Still Fail)
Even regulated industries fall short when individuals or agents take shortcuts.

  • Medical (HIPAA): Health providers are supposed to use secure portals—but many still ask patients to email records.
  • Finance (PCI-DSS): Credit card processors are bound by standards, yet small tax offices may ask for full details over email.
  • Immigration & Legal: Agencies know better but commission-based agents often bypass safeguards to close a deal quickly.

Why “WE” Still Do It (possibly)?

Even when we know better, we often give in—because getting things done feels more urgent than staying secure. We want to move forward quickly: book the ticket, start the class, submit the paperwork, or get approved without delay. The person asking for our documents may seem professional enough, or we assume “everyone else is doing it, so it must be fine.” On top of that, there’s often a subtle pressure to not be the difficult one—so we stay quiet, comply, and send off highly sensitive information without a second thought. Unfortunately, that’s exactly what bad actors and poor systems rely on.

So What Can You Do Instead?

You have safer options; you just need to know how to ask for and use them. Most organizations today have secure systems in place, even if the person you’re dealing with doesn’t mention it upfront. Always ask for a secure portal or encrypted submission method. Many institutions offer these but rely on the user to request them.

If no portal is available, consider sending your documents through encrypted services such as ProtonMail or SecureDrop, or through cloud storage such as OneDrive or Google Drive with restricted sharing permissions. For added protection, you can use a password-protected ZIP file, but share the password through a separate channel, such as a phone call or text message.

Also, be cautious about the network you use. Avoid shared or public Wi-Fi when sending sensitive documents, and always use a secure, trusted device. Most importantly, don’t be afraid to demand better. Whether you’re dealing with a tutor, immigration agent, or afterschool program—politely ask for a secure alternative. Your personal information is worth protecting.

How to Push Back (Respectfully)

It’s absolutely okay to ask for better—doing so not only protects you but also helps raise the standard for everyone. If someone asks you to email your SSN or ID, you can simply say:

This small statement is powerful. It signals that you’re aware of the risks and encourages the person or business to rethink how they handle sensitive data. And remember, if they mishandle your personal information, it could become a legal or reputational liability for them too. By speaking up, you’re not being difficult—you’re being responsible.

Packt Publishing Ltd: Book Release by Durgesh Kalya – July 2025. Pre-Order Available Now.

Originally intended as a personal documentation of my knowledge and research on the often-overlooked yet vital area of incident management, this book has grown into a comprehensive resource aimed at elevating awareness and preparedness for cyber threats in industrial control systems (ICS) and critical infrastructure. It simplifies complex ICS challenges, emphasizes the importance of coordinated incident response, and equips professionals with practical tools, techniques, and training exercises for real-world application. Designed to empower both new and seasoned professionals, this book also highlights the collective efforts in the field of ICS cybersecurity, offering a structured approach to safeguarding organizations against evolving threats. Pre-order now to secure your copy and enhance your ICS cybersecurity skills ahead of its July 2025 release.

iSMG – govinfosecurity.com on Robust Incident Management for Critical Infrastructure

Full Interview: https://www.govinfosecurity.com/robust-incident-management-for-critical-infrastructure-a-25373

In an interview at the Cyber Security for Critical Assets USA Summit, Kalya addressed the importance of robust incident management frameworks, collaboration between organizations and ICS vendors, and the need for understanding and segmenting systems to mitigate ransomware risks. To view the video and the original excerpt of the interview with Tom Field, check out the link: https://www.govinfosecurity.com/robust-incident-management-for-critical-infrastructure-a-25373

Ensuring the security of critical infrastructure necessitates managing both legacy systems and emerging cyberthreats. Durgesh Kalya, an OT network security expert at Covestro LLC, emphasized the necessity of integrating the incident command system—initially developed by the Federal Emergency Management Agency and the Department of Homeland Security—with industrial automation systems. This integration promotes active participation and collaboration among industry stakeholders.

“Essentially, everyone is a cybersecurity engineer because they work on computer systems. It’s not possible to update software on hardware that is decades old; modern hardware and equipment are required,” Kalya explained.
Field, T. (2024) Robust incident management for critical infrastructure, Government Information Security. Available at: https://www.govinfosecurity.com/robust-incident-management-for-critical-infrastructure-a-25373 (Accessed: 02 June 2024).

Don’t pay that Ransom yet. Call OFAC first.

Who is OFAC? What is the deal here? You will learn all of that in a minute. But first, let us focus on the word ransom: what is it?

Paying a ransom is not something new. Ransoms were being paid as far back as the early 1800s to secure the release of prisoners. In today’s day and age, the word is very widely used in the cybersecurity space, with billions of dollars in Bitcoin paid every year as ransom for the release of information that was encrypted or stolen by the bad actors (the bad guys/gals).

While it is very natural for an organization or individual to make a payment in the hope of getting their sensitive data back, oftentimes the promises are not kept, and there are other issues, such as a repeat of the same attack.

Here are a few examples of ransoms paid in 2019 to the bad guys, where the organization paying the ransom was able to get its data back.

2019

  • Park DuValle Community Health Center, Kentucky, USA
    Amount paid: $70,000
  • La Porte County, Indiana, USA
    Amount paid: $130,000
  • Jackson County, Georgia, USA
    Amount paid: $400,000
  • Lake City, Florida, USA
    Amount paid: $500,000

There are many more…

Most of these organizations had cyber insurance and were able to use part of its payout as the payment to the cyber criminals. Also, most of these organizations contacted the FBI or other US agencies and worked with them, directly or indirectly, to negotiate and process the payments.

The big question comes when you are at the crossroads of whether to pay the ransom or simply accept that the data is lost and plan to spend millions of dollars recovering from the incident. While the answer to this question is not straightforward, like any other decision in the cybersecurity space, it is often answered in haste or without considering all the risks. Take the example of the City of Atlanta:

The City of Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack that destabilized municipal operations last month. Attackers, who infected the city’s systems with the pernicious SamSam malware, asked for a ransom of roughly $50,000 worth of bitcoin.

Newman, L. (2018, April 24). Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare. Retrieved October 03, 2020, from https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/

Then there are other considerations, such as the organization’s reputation, continuing business operations, and putting proper countermeasures in place to prevent this from happening in the future. There is, however, one more thing that you have to consider, in the form of this simple question.

Are you violating any rules and regulations of the U.S. Department of the Treasury by making a payment to the bad guys?

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently put out a Ransomware Advisory (https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001) bringing up several important things to consider for organizations affected by ransomware and for the companies* assisting organizations hit by ransomware.

* These companies include law firms, cyber insurance companies, and financial institutions facilitating the ransomware payments.

Let us look at a few highlights of this Advisory:

OFAC states that these ransom payments could facilitate the bad actors and the states they may represent to support their illegal activities.

Ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.

U.S. Department of the Treasury. (2020, September 28). Retrieved October 03, 2020, from https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001

OFAC has designated these malicious actors, aka our bad guys, under its cyber-related and other sanctions programs. OFAC uses these sanctions to enforce foreign policy and national security goals.

So what does it really mean? If you or your organization pay the ransom, in any way or form, to a cyber-criminal (aka bad guy), and that individual or entity happens to be in one of the sanctioned countries, then you are violating OFAC’s regulations. Simply put, these payments with a sanctions nexus (associated or connected with the sanctions) threaten U.S. national security interests.

So what should an organization that is actively dealing with a ransomware attack do?

OFAC’s Ransomware Advisory encourages victims and those involved in addressing ransomware attacks to contact OFAC immediately. At the end of the document, it lists the departments that you may need to contact, such as:

  • U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP)
  • Financial Crimes Enforcement Network (FinCEN)
  • Cybersecurity and Infrastructure Security Agency (us-cert.cisa.gov)
  • Homeland Security Investigations Field Office (ice.gov)
  • Federal Bureau of Investigation Cyber Task Force (fbi.gov)
  • U.S. Secret Service Cyber Fraud Task Force (secretservice.gov)

In recent years, ransomware attacks have become more focused, sophisticated, costly, and numerous, adding to the various risks that an organization should consider when planning its Business Continuity and Disaster Recovery programs. While this article focused on the United States (and the advisory affects both US persons and non-US persons), it will be worthwhile to research the regulations and laws in your regions of business operations.

Looking for OFAC’s Ransomware Advisory? Check out this page: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001

DK

The Social Engineering Case of the Twitter Hack


This is Episode 1 of Security Bits.

On July 17, billions of people woke up and checked their favorite news sources and social apps, but about 400 of them fell for a scam on Twitter. Famous people like Elon Musk, Jeff Bezos and Bill Gates, and companies like the Cash App, Apple and several others, including some politicians, woke up to find their personal or corporate Twitter accounts being used by attackers, who had posted a tweet on their behalf. The tweet basically claimed that these individuals or companies were feeling generous and were going to double your donation through Bitcoin transactions.

I want to go into a little more detail on how the attackers hacked these accounts, then discuss the result of such an attack, how significant it is for a company like Apple, Shell, etc., and how it impacts you, your co-workers, your family and friends.

Prior to the attack on the 17th, the attackers had already infiltrated Twitter’s internal systems by using a technique called Social Engineering. So, what is Social Engineering? It is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. The key words here are “use of deception to manipulate individuals”. An example would be someone calling you and manipulating you into providing your Social Security Number.

So the Twitter employees were tricked into providing their administrative credentials for Twitter’s internal systems, such as their usernames and passwords.

The attackers then disabled the protections on the Twitter accounts, such as two-factor authentication, changed the owner’s email address on file to their own email address, simply reset the passwords, and logged into the accounts. They then sent a tweet and also downloaded the accounts’ personal Twitter data.
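The takeover sequence described above (disable 2FA, change the account e-mail, reset the password, then export data) is exactly the kind of pattern a defender can hunt for in the audit logs of an internal support or admin tool. The script below is an added example written for this page; it is not code from the original post or from Twitter. The log format, actor names, account names and timestamps are all constructed for illustration. It flags any account where one privileged actor performed all three steps within a 30-minute window, and then counts how many accounts each actor did that to, because one actor touching many high-profile accounts within minutes is a second, stronger signal than any single account change.

```python
"""Detect the account-takeover sequence in privileged-tool audit logs.

Everything here is constructed for illustration: the log lines, actor names
and account names do not come from Twitter or any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: one line per privileged action taken through an
# internal support tool. Fields: ISO timestamp, actor, action, target account.
SAMPLE_LOG = """\
2020-07-15T10:02:11Z support_user_7 view_profile @acct_a
2020-07-15T10:03:40Z support_user_7 mfa_disabled @acct_a
2020-07-15T10:04:05Z support_user_7 email_changed @acct_a
2020-07-15T10:04:30Z support_user_7 password_reset @acct_a
2020-07-15T10:06:12Z support_user_7 data_export @acct_a
2020-07-15T10:09:00Z support_user_7 mfa_disabled @acct_b
2020-07-15T10:09:20Z support_user_7 email_changed @acct_b
2020-07-15T10:09:45Z support_user_7 password_reset @acct_b
2020-07-15T11:30:00Z support_user_2 email_changed @acct_c
2020-07-16T09:15:00Z support_user_2 password_reset @acct_c
2020-07-15T14:00:00Z support_user_4 view_profile @acct_d
"""

# The three steps that, together, hand an account to whoever performed them.
TAKEOVER_STEPS = {"mfa_disabled", "email_changed", "password_reset"}
WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Parse whitespace-separated log lines into (time, actor, action, target) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, target))
    return sorted(events)


def find_takeover_sequences(events, window=WINDOW):
    """Return one alert per target account on which a single actor performed all
    of TAKEOVER_STEPS within `window`. Each alert is (target, actor, start, end)."""
    by_target = defaultdict(list)
    for ev in events:
        by_target[ev[3]].append(ev)

    alerts = []
    for target, evs in by_target.items():
        for i, (t0, actor, action, _) in enumerate(evs):
            if action not in TAKEOVER_STEPS:
                continue
            first_seen = {}  # step -> first time this actor performed it in the window
            for t, a, act, _ in evs[i:]:
                if t - t0 > window:
                    break
                if a == actor and act in TAKEOVER_STEPS:
                    first_seen.setdefault(act, t)
                if set(first_seen) == TAKEOVER_STEPS:
                    alerts.append((target, actor, t0, max(first_seen.values())))
                    break
            if alerts and alerts[-1][0] == target:
                break  # one alert per account is enough
    return alerts


def actors_by_takeover_count(alerts):
    """Count distinct accounts taken over per actor; a high count is the mass-takeover signal."""
    targets = defaultdict(set)
    for target, actor, _, _ in alerts:
        targets[actor].add(target)
    return {actor: len(accts) for actor, accts in targets.items()}


def run_detection(text=SAMPLE_LOG):
    """Run both checks over a log and return (alerts, per-actor counts)."""
    alerts = find_takeover_sequences(parse_log(text))
    return alerts, actors_by_takeover_count(alerts)


if __name__ == "__main__":
    found, per_actor = run_detection()
    for target, actor, start, end in found:
        print(f"ALERT takeover pattern on {target} by {actor} between {start} and {end}")
    for actor, n in per_actor.items():
        print(f"{actor}: {n} account(s) with the takeover pattern")
```

In the constructed log, `@acct_a` and `@acct_b` are both flagged for `support_user_7`, while `@acct_c` is not: its e-mail change and password reset are a day apart and no 2FA step occurs. Real deployments would read the same fields from the tool’s audit stream and page an on-call reviewer rather than print; the window and step set are the tuning knobs.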

A total of 130 Twitter accounts were affected, and this resulted in 400 individuals sending bitcoin worth a total of $121,000 USD to three separate Bitcoin accounts in less than 5 hours, before Twitter locked down the accounts and deleted the tweets.

So what are the lessons learned from this attack?

  • Hacks do not have to be complex or technical.
  • Insider Threat is still one of top security risks in any industry.
  • While this attack did not cause any harm to human lives, there are other platforms that can affect and touch our basic needs, such as emergency services, utilities, etc.

I will leave you with a couple of thoughts.
Smartphones and cloud applications have created tremendous possibilities, but being unable to control them can set us back both financially and mentally.

Remember, even if you have not been on Twitter, Facebook, LinkedIn or Maps, your apps are constantly capturing anything useful from within your phone, such as your GPS coordinates or your conversations, and turning it into a valuable resource for them to sell; if the bad guys get hold of it, they can do the same.
You are not the customer, you are the product.

DK