

25 Random Things...
02.11.2010 10:48:00 AM
Posted by Linda Rodrigue


  • I grew up in Boston, but I was born in Providence.
  • My first pet was a goldfish named Blueberry.
  • I love love love the New Orleans Saints.
  • Mrs. Kitchner was my favorite teacher.
  • My father's middle name is Marion.
  • My mother's maiden name is Schliffenhoffer.
  • My social security number is...
 
Of course, nobody would go quite that far. But do they even have to?  
There is a spate of quizzes going around the social networking sites (“How Well Do You Know Me?”, “25 Firsts”, “One-Word Answers”) that can give away some valuable personal information.
 
You were probably asked to give answers to three “secret” questions any time you registered online with a password. Most of us set those questions up long ago and have answered so many that we probably don't even remember which questions were asked when.

And then along came social networking and the above-mentioned quizzes. How many of our “secret” answers do we voluntarily give away?
 
Part of the problem lies in the questions themselves. We are relying on companies to put security measures in place that will keep us...well, secure. Those companies need to recognize the deficiencies that social networking has caused and adapt to the changing web environment.
 
But until that happens, we must ask ourselves “How well do strangers know me?” 

Read more about it at http://geekswithblogs.net/james/archive/2009/09/23/how-to-pick-a-really-good-security-question.aspx





The Talking Stain
02.03.2010 10:56:00 AM
Posted by Wes Mallory


Do you remember that commercial that came out during last year's Super Bowl? The one for Tide to Go? It has the guy sitting down for an interview, but he has a ridiculous blabbering stain on his otherwise crisp and clean white shirt. If you haven't seen it, you need to stop what you're doing and watch it now. Go ahead, it's SFW. (http://www.youtube.com/watch?v=X2cs8gnb42A)

Well, I had an experience like this recently at a client's site. A customer who had recently been the victim of pretexting contacted RocketReady. They were interested in learning more about how social engineering could impact their company and customers. RocketReady performed a full assessment of this company's security posture related to social engineering: pretexting, phishing, dumpster diving…the whole package. My job? Perform an assessment of their facilities to see how they physically protected sensitive information. As usual, before beginning a thorough analysis, I had the project sponsor take me around the company's campus and show me the basics…mailroom, various entrances, smoking areas, etc. Usually, these walkthroughs allow me to make a map of the facilities and take notes so I can find my way around later when I do my own thing.

This walkthrough was different. It was a "talking stain" experience. I usually have to do a little bit of digging to find weaknesses in employee information security practices. I usually have to stretch a bit and social-engineer my way through closed doors. Not here. The problems were so obvious that I couldn't help but stop and stare and think about what I was seeing, even before the real assessment began. 

Let's back up a step. I should have guessed it might be this way based on my arrival. I went to the main entrance and told the security guard who I was there to see. He sent me to another building, unescorted and undocumented. Keep in mind that the sign said "All visitors must sign in and be escorted at all times." He told me what floor to go to. I made my way to the other building, walked directly past the security desk with the two security guards and the sign that said "All visitors must sign in and be escorted at all times" and to the elevators. As I got off the elevator, I walked directly into the executive floor and asked the receptionist to see the project sponsor. She went to find said person and I wandered around the entire floor, uncontested. A few minutes later, my appointment arrived. We started the tour. Almost immediately, I noticed a whole laundry list of items that needed to be addressed. Too much, in fact. These things were such a distraction that I couldn't even hear what was probably interesting and useful information about the company.

Talking Stain 1:  As we walked past one area of cubicles, I noticed that computer after computer was sitting there completely unlocked.  I took note that many had customer management programs running—lots of private data about consumers who have accounts with them.  

Talking Stain 2:  On another desk, I found a customer check sitting right out in the open.  [Sigh].    

Talking Stain 3:  My client was pleased as punch to point out their giant community shred bin in which all sensitive documents are placed to be shredded later.  I didn't point out that it was unlocked.   

Talking Stains 4 and 5:  A few minutes later, we walked right past the original security guards, sans credentials, to the wide open mail room.  The beauty of this mail room was that a person could not only barge right in the front door, but the back door to the outside was also propped wide open.  "It's hot in here," was the reply from the mailroom employee when I made this observation.   

Talking Stain 6:  Finally, I arrived at the desk of the project sponsor's #2 to start digging a little deeper.  This person's title contained words like "Director," "Information," and "Security."  This person was preoccupied with lots of actual work to be done, but was gracious enough to give me 30 minutes or so.  At least 4 or 5 times during our appointment, this person had to log in to something.  The conversation each time went: 

  • Client:  "Uggh.  What was my login for this one?"
  • Me:  "Are you asking me?"
  • Client:  "No – I just can't remember.  I have so many stupid things to login to."  [Rummaging through the desk.]
  • Me:  "Yeah – that makes it tough doesn't it?"
  • Client:  "Ah ha!  Found it!"
  • Me:  "What's that?"
  • Client:  "I just write all of my logins on this business card."
  • Me:  "Hmm.  That could be dangerous if…you know… it got in the wrong hands."
  • Client:  "What do you mean?"
  • Me:  "Well, I mean, you are an important person, with access to a lot of stuff.  Hope nobody would find that card and, you know…use it.  Just sayin'."
  • Client:  "Who's going to come into my office and do that?"
  • Me: ………
  • Client: ………
  • Me:  "You're probably right."

Well, long story short…this particular client had a lot of issues to work through. As a corporate entity, they had never given much thought to the simple ways a social engineer might take advantage of their physical security weaknesses. Like most companies, they had a rock-solid IT setup. They do a lot of e-commerce, so they are keenly aware of the risks there. But, they had a "who would do that?" mentality about matters of physical security. Fortunately for them, the impact of an actual social engineering attack was enough to encourage them to make real change in a lot of areas. They have since implemented recommendations, had corporate-wide social engineering training from RocketReady, and use our awareness collateral to keep employees sharp.





I'm a Mac, and I'm safe. Aren't I?
01.15.2010 11:58:00 AM
Posted by Linda Rodrigue


Alternate Title:  Get that smug look off your face.

For my first IT job, I was a DB Admin working on a Unix platform.  It was back in the days when a wave of worms was going through various Windows products and causing quite a stir, back before most companies had IT Security in their budgets.  But there I was, working away on my Unix box, smug in the knowledge that I was safe.  Viruses and worms were being deployed to attack Windows vulnerabilities, not Unix.

I imagine this is how Mac users have been feeling for a while now.  They sit back and watch all the PCs hit with virus after virus, worm after worm, and feel warm and cozy and safe while the rest of us are in a panic about what to do with that email attachment that might be something cute/funny/interesting but also might bring down our company's entire international network.  I'm a Mac, and I'm safe, they think.

But not anymore.  With the recent boom in Mac and other i-product sales, more and more malware is being targeted to OS X.  It stands to reason that, as users adopt an increasing number of Apple products, it will be more lucrative for malware producers to aim in that direction.  And it isn't like they'll have to start from square one. They can learn from their Windows counterparts and hit the ground running.

As companies begin to incorporate a greater number of Macs into their networks, they will have new security challenges to face.  While most are well versed with Windows, will they be ready to protect the Macs?

Read more about it at http://blogs.zdnet.com/security/?p=4024





Wait, How Are We Related Again?
01.08.2010 09:32:00 AM
Posted by Linda Rodrigue


There is a war waging in my family. Well, maybe not exactly a war. It's more like an ongoing heated discussion. It goes like this:

Grandparent is proud and wants to brag about every accomplishment of every grandchild in every possible venue, including online family-tree sites. Grandchild prefers very strongly that her personal information be kept private unless grandparent has her express consent.

This argument has been going on ever since my grandmother joined Ancestry.com. My sister does not want her information on the web. My grandmother just wants everyone to know how great her grandkids are. I recently asked my sister “What's the big deal?” and her explanation was not what I expected. She is concerned that someone could pretend to be either a long-lost relative or an old friend of a deceased family member. An imposter could sound very legitimate just by using information found online. Those among us who are on the more cautious side (read: paranoid) might not be fooled. But some...well, let's just say there are those who might be taken in by such a ploy.

This got me thinking—it's not hard to imagine something like this happening in a business setting. Think about this: your company might be developing some new technology, or gathering sensitive information, or researching some scientific breakthrough. A secretary gets a phone call from someone saying that he is her third cousin on Aunt Betty's side, and how is Uncle Bob doing? Is it so far-fetched to think this is a ploy that might be used to gain access to all that your company is seeking to keep secret?

Think about it...





Would YOU Drink From a Bottle Labeled “Drink Me”?
11.27.2009 09:17:00 AM
Posted by Linda Rodrigue


I had been out of the office for a week-long vacation. It was so nice to get away, but I was inevitably coming back to hundreds of emails, most of which were no longer relevant. There was also the pile of hard mail—mostly junk—but I did find something that gave me pause.

Amid various advertisements for seminars promising to make me a better manager/organizer/planner/speaker was a particularly eye-catching, intricately-folded mailing. Its high-color graphics and edgy fonts enticed me. And it promised that if I looked inside, I would not be disappointed.

What I found was the basic sales pitch in a glossier package. But this one had another twist: a free sample, the first few chapters of a life-changing book on CD. Just pop this into your computer and you will be on your way to realizing the awesome power of the life-altering time management system being advertised.

Of course, I ignored the flashy marketing and threw it away—and not just because it was junk mail. For me, putting a CD in a drive without knowing ahead of time what's on it is about as prudent as eating something unrecognizable I found on the sidewalk. There could be all sorts of nasties on there, and who knows how—or if—I would be able to reverse the damage.

But that's me. What if a mailing like this had gotten to one of my less tech-savvy coworkers? How many of them would have loaded the CD and all of its self-extracting mischief? How quickly would our carefully guarded network have been compromised because of simple curiosity?

As I thought more about this, I realized that my company—and yours—can't wait until something like this happens to address this type of issue. By then, it will be too late. Most of our employees are used to hearing that they shouldn't open any unexpected email attachment. Now it's time to remind them that hi-tech threats can come via low-tech deliveries.





Spear-Phishing or Spear-Phaking?
11.23.2009 10:29:00 AM
Posted by Linda Rodrigue


Though I have been out of school for many, many years, I am amazed at the number of new words I learn every day. Today's word is spear-phishing. Phishing is nothing new—a wide-net attack disguised as correspondence from a legitimate source attempting to gain personal, financial, login, or other sensitive information from a broad range of computer users.

Spear-phishing is different. It is a more specialized attack specifically designed with a certain target in mind. In this method, the correspondence appears to be generated by an entity that would legitimately be contacting the recipient, such as an employer or partner agency.

This was the method used in a recent “attack” on credit unions and banks in which CDs plagued with malware were mailed along with a letter purporting to be from the National Credit Union Administration. The letter explained all about this kind of attack and prompted the user to refer to the information contained on the CDs—which, of course, instead contained malicious software. Read the letter here: http://www.ncua.gov/news/press_releases/2009

The “attack” turned out to be false. The spear-phishing expedition was “part of an authorized pen test,” as reported on the SANS Internet Storm Center.

Read more about it at http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=219500323





The Crimes, They Are a-Changin'
11.20.2009 10:20:00 AM
Posted by Linda Rodrigue


There is a home security commercial running lately that has got my attention. What I find interesting is not the product being sold, but the tactics being used to sell it. In this particular spot, a woman and a man are saying goodnight at her door. Cut to someone in a car watching as the man leaves and the woman enters the house. Suddenly, a brute kicks in the door—turns out, it is a violent ex-boyfriend. *Thankfully* the ear-piercing siren has scared him off. Alarm companies of yore tapped in to the need to protect your stuff, but this one realizes that the nature of personal security has changed. Yes, your stuff still needs protecting—but so do you.

It isn’t just physical security that has shifted. The need for cyber-security has exploded over the past decade. Gone are the days when a hefty password was all you needed to be secure. Criminals now find chinks in the most hearty armor—and the weakest link might surprise you. "People are currently the biggest flaws in cyber-security," said Joseph J. Schwerha, associate professor of business law at California University of Pennsylvania, who co-wrote an article with Brenner on cyber-crime. "Because information has to be available for people to use it, people are frankly the weak link in the chain."

But what to do? According to Chandler Harris, writer for Government Technology, “individuals working for organizations are often the cause of security threats. The increasing use of portable technologies -- such as laptop computers, PDAs, BlackBerrys, phones and flash media -- containing sensitive information has made many organizations vulnerable to cyber-security threats.” So it would seem that the first and biggest step is training. For the crimes, they are a-changin’.

Read more about this at http://www.govtech.com/gt/articles/714308?id=714308&full=1&story_pg=1





Who You Callin' Koobface?
11.18.2009 11:06:00 AM
Posted by Linda Rodrigue


A new variant of the Koobface worm is making its rounds on Facebook, MySpace, and other popular social networking sites. The recent improvements are allowing the botnet to slip past security screens and attack even more unsuspecting users. According to Techtree.com, Koobface then “uses the infected machine to target other systems and distribute additional malware, generate 'pay per click' advertising revenue and steal sensitive data.”

What makes Koobface spread so easily is its genuine look, which is even more accurate in this new variant. A victim might see a simple message like “My home video :)” followed by a URL link to an eerily accurate-looking Facebook page. When the user clicks play, he is asked to run a Flash Player update—which is actually the Koobface virus.

Another new twist is the use of random URLs and bit.ly addresses—the method of URL shortening used most often by Twitter. Each time the Koobface link is tweeted, it is with a different URL. This makes it almost impossible for Twitter's filters to detect the virus. Throw a string component like LOL, OMG, or WOW into the mix and you've got yourself a pretty nasty (and sneaky) virus.

Read more about Koobface at http://news.softpedia.com/news/Koobface-Gets-a-New-Update-118674.shtm





Is Your Anti-virus Up to Date? Or Is It Fake?
10.30.2009 09:19:00 AM
Posted by Linda Rodrigue


You're sitting at your computer, catching up on the latest viral video offerings. Suddenly, a window pops up telling you that your anti-virus software has expired. Or worse, that your computer has been infected. And, for a mere $50, you can update and clean your machine. What would you do?

I know that I would close such a window. I would know it's a fake. But what about my mom? What about my grandmother? Would they know? Probably not. They might be just what the distributors of anti-virus "rogueware" are looking for. Tech savvy? No. Expendable income? Yes.

Researchers at PandaLabs recently released findings at the BlackHat conference in Vegas that show this type of rogueware attack is on the rise—big time. How big? In 2008, there were a total of 92,000 fake antivirus attacks. In just the first half of 2009, there were close to half a million!

Why so many? "The barrier here is that you eventually have real AV detecting them as a virus," [Luis] Correll [of PandaLabs] says. This forces attackers to crank out new samples quickly to evade detection. "It's a bit of a cat-and-mouse game."

Read more about it at http://www.darkreading.com/security/antivirus/showArticle.jhtml?articleID=218700073&cid=nl_DR_WEEKLY_T





Password Security
10.23.2009 11:55:00 AM
Posted by Chuck Snapp


So you heeded the words of all those security experts and never use your pet's or child's name. You use a mixture of words and numbers to make it even more secure. You may have even taken the extraordinary step of making up a nonsense word with numerical characters to secure all your password protected accounts. Unfortunately, despite your precautions, that password can still be hacked with very little effort. So where is the weak link? What more could you have done? Here are a few tips and tricks that may save you money and hassle.

First, create complex passwords. There are hackers out there who will manually type in random passwords (or use a program that does it for them) until they crack yours. Social networking sites give criminals all the help they need to obtain your personal information, and hackers will try pet names, child names, nicknames, birthdays, anniversaries, and any other common passwords.

Complex passwords are the first and best way to protect your online accounts. Nonsense words with numbers are the easiest and most secure way to make it harder for them. Can't think of a sixteen-digit word that is easy to remember? Try a combination of syllables and numbers that make sense to you.

Once you think up the best password you can, you still should not feel fully secure. Work on your security question, which is just as easy to hack as a weak password. For example, your mother is your online “friend”. She includes her maiden name in her social networking account. Voila—the hackers know your online security question. Example two: you put a picture of your pet on your social networking site. You include Fluffy's name. Ta da! They now have your pet's name, have changed your password, and have locked you out of your account. Use the most obscure security question available and maybe go the extra mile and add a password for your security question.

Finally, change your password often. Passwords and security questions are never good forever, and this is just another step to take in protecting what you have worked so hard to obtain.

Online transactions and accounts make life simpler but they open up more avenues for criminals to rob you blind. Take a few extra steps and protect your accounts just like the wallet in your back pocket.
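The two posts above make the same point from two sides: a password or a "secret" security answer built from facts that are readable on a social-networking profile (a pet's name, a mother's maiden name, a birthday) is guessable no matter how many digits are tacked on. The following is an added example, written for this page and not code from RocketReady or any of the authors, of a defender-side policy check that rejects such candidates before they are saved. The profile facts, the candidate secrets and the list of character substitutions are all constructed assumptions for the illustration; the generalisation beyond the pet-name case (dates in several layouts, undoing "leet" substitutions such as 0 for o) goes further than the post's own wording.

```python
"""Added example (not part of the original post): reject passwords and
security-question answers that are derived from publicly visible profile
facts. Profile data and candidates below are constructed for illustration."""

import re
from datetime import date

# Common "complexifying" substitutions. Undoing them lets the check see
# "Flu$$y2009!" as "flussy..." and "Schliff3nh0ffer" as "schliffenhoffer".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed profile: the kind of facts the posts say people publish.
PROFILE = {
    "words": ["Fluffy", "Schliffenhoffer", "Marion", "Blueberry"],
    "dates": [date(1975, 3, 14)],            # assumed anniversary
}


def normalize(text: str) -> str:
    """Lower-case, undo common substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(SUBSTITUTIONS))


def profile_tokens(profile: dict) -> set:
    """Expand the profile into the fragments a guesser would try.

    Words become letter-only tokens; dates become several digit layouts.
    Tokens shorter than four characters are dropped as too noisy to flag."""
    tokens = {normalize(w) for w in profile.get("words", [])}
    for d in profile.get("dates", []):
        tokens.update({d.strftime("%m%d%Y"), d.strftime("%m%d%y"),
                       d.strftime("%d%m%Y"), d.strftime("%Y"), d.strftime("%m%d")})
    return {t for t in tokens if len(t) >= 4}


def check_secret(candidate: str, profile: dict, min_length: int = 12) -> list:
    """Return a list of reasons to reject the candidate (empty == accepted).

    Letter tokens are matched against the normalised candidate, date tokens
    against the candidate's digit run, so 'Fluffy2009!' and '03141975rocks'
    are both caught. Use min_length=0 for security-question answers, where
    the concern is derivation from the profile rather than length."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    letters = normalize(candidate)
    digits = re.sub(r"\D", "", candidate)
    for token in sorted(profile_tokens(profile)):
        if token.isdigit():
            if token in digits:
                reasons.append(f"contains date fragment {token}")
        elif token in letters:
            reasons.append(f"contains profile word '{token}'")
    return reasons


def is_acceptable(candidate: str, profile: dict, min_length: int = 12) -> bool:
    """Policy verdict: True only when check_secret finds nothing to flag."""
    return not check_secret(candidate, profile, min_length)


if __name__ == "__main__":
    for pw in ["Fluffy2009!", "03141975rocks", "correct-horse-battery-staple"]:
        print(f"{pw!r}: {check_secret(pw, PROFILE) or 'ok'}")
    # A security answer that is simply the published maiden name is rejected.
    print(check_secret("Schliffenhoffer", PROFILE, min_length=0))
```

The useful property for a site operator is the `min_length=0` mode: run the same derivation check over the security-question answer at registration time, so an answer that is literally the published pet or maiden name is refused just as a password containing it would be.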





Pardon Me, Your Pod is Slurping
10.16.2009 9:55:00 AM
Posted by Linda Rodrigue


I learned a new term today: pod slurping. And, apparently, it's something I've been doing for a while without realizing it.

Pod slurping is Wiki-defined as “the act of using a portable data storage device such as an iPod digital audio player to illicitly download large quantities of confidential data by directly plugging it into a computer where the data is held, and which may be on the inside of a firewall.”

I, of course, am not doing this maliciously. I'm doing it to circumvent a system that won't allow me to email certain data. I have to find some way to move it from one domain to another. And since both domains are under the same umbrella, it's not really so bad. Or is it?

Pod slurping is just one of a number of tools used by low-tech hackers to steal data—along with impersonating, dumpster diving, shoulder surfing, eavesdropping, and more. Social engineers exploit the natural tendencies of employees to be helpful, non-confrontational, and curious. And, until all employees understand how wide and varied social engineering attacks can be, your business could be vulnerable.

Read more about it at http://www.itbusinessedge.com/cm/blogs/defrangesco/social-engineering-threat-still-a-concern/?cs=34335





Breaking Up is Hard to Do
10.14.2009 12:20:00 PM
Posted by Linda Rodrigue


Ever leave a job? Whether you quit or get fired, there are a slew of steps that must be taken to terminate your employment. First, there's paperwork—loads and loads of paperwork. There are company keys and cell phones that must be turned in. Desks to be cleared out. After you are escorted from the building with a box of your personal belongings, there are alarm codes to disable, voice- and e-mails to redirect, log-ins to delete. An entire bureaucracy has been built up around transforming an employee into a former employee.

And if that employee is connected to the IT department, there is one step that is arguably the most important but also most often overlooked: changing the administrative passwords.

Why is this step so often the last to be done or not done at all? Because when Joe Schmoe leaves his job, the focus goes on Joe Schmoe's access. There is most likely a checklist somewhere indicating that Joe must be denied access to the building, the voice mail, the email, the network. So Joe's log-ins and passwords and passcodes are removed. All too often, the fact that Joe might have had administrator access is not considered.

Which is exactly what happened when Lesmany Nunez ceased working for Miami-based Quantum Technology Partners. Three months after his employment ended, Nunez was able to access their network using an admin password, and create over $30,000 worth of mischief. And what did he get for his efforts? Nunez was sentenced to a year and a day in prison.

When's the last time you changed your admin password?

Read more about it at http://www.darkreading.com/blog/archives/2009/07/it_admin_jailed.html
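The post's point is that a leaver's personal logins get disabled while the shared and administrative secrets that person also knew are left as they were. The script below is an added example, written for this page and not code from RocketReady or from the linked article, of the check an offboarding process should run: for each departed user, list every shared or admin credential that user held whose last rotation is not later than the user's last day. The inventory format, the account names and the dates are constructed assumptions for the illustration.

```python
"""Added example, not from the original post: flag shared/admin credentials
known to a departed employee that have not been rotated since departure.
Inventory, people and dates are constructed for illustration."""

from dataclasses import dataclass
from datetime import date


@dataclass
class SharedCredential:
    name: str
    holders: set          # accounts that were told this secret
    last_rotated: date
    admin: bool = False   # administrative scope raises priority


@dataclass
class Departure:
    user: str
    last_day: date


# Constructed inventory. "jschmoe" is the leaver from the post's story.
INVENTORY = [
    SharedCredential("domain-admin", {"jschmoe", "aadmin"}, date(2009, 4, 1), admin=True),
    SharedCredential("alarm-code-hq", {"jschmoe", "reception"}, date(2009, 6, 30)),
    SharedCredential("backup-nas-root", {"aadmin"}, date(2009, 1, 15), admin=True),
    # Rotated after the last day: correctly handled, so not reported.
    SharedCredential("vpn-shared-psk", {"jschmoe", "aadmin"}, date(2009, 7, 10)),
]
DEPARTURES = [Departure("jschmoe", date(2009, 7, 1))]
TODAY = date(2009, 10, 1)


def stale_credentials(inventory, departures, today):
    """Return findings for credentials a leaver held that were not rotated
    after the leaver's last day. A rotation dated on the last day itself is
    treated as stale, since it may have happened before the person left.
    Admin-scoped findings sort first, then the longest exposure."""
    findings = []
    for cred in inventory:
        for dep in departures:
            if dep.user in cred.holders and cred.last_rotated <= dep.last_day:
                findings.append({
                    "credential": cred.name,
                    "departed_user": dep.user,
                    "admin": cred.admin,
                    "days_exposed": (today - dep.last_day).days,
                })
    findings.sort(key=lambda f: (not f["admin"], -f["days_exposed"], f["credential"]))
    return findings


if __name__ == "__main__":
    for f in stale_credentials(INVENTORY, DEPARTURES, TODAY):
        scope = "ADMIN" if f["admin"] else "shared"
        print(f"[{scope}] {f['credential']}: known to {f['departed_user']}, "
              f"unrotated for {f['days_exposed']} days since departure")
```

Feeding this from the HR leaver feed and a credential inventory (a password vault export works well) turns the overlooked step from the post into a report that is empty only when every secret the leaver could have carried out the door has been changed.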





Kids, the Internet, and Security
10.06.2009 1:23:00 PM
Posted by Chuck Snapp


I recently spent some time with my teenage niece and nephew on a short family vacation. I was struck by how much they used modern technology and I began wondering just how secure they were. They mostly communicate with friends about all those things that teenagers think are important. Sometimes they play a good, old-fashioned MMOG (Massively Multiplayer Online Game). And since encyclopedias and other reference material are going the way of the dodo, the internet is a must for educational material. This seems harmless enough. Right?

Unfortunately, like many things they do, kids just don’t think about the consequences of their actions. They post personal information on social networking sites, like pictures or the time and date of their next group activity. These things can compromise their safety and the safety of their families. And online games have become a new avenue for hackers to penetrate the defenses of computer security.

So, what steps can you take to protect your child's computer? Start with virus protection. A solid virus protection software package is a must for any computer. Make sure to turn on the automatic updates and virus scans and run a manual virus scan from time to time just to make sure.

And think about getting a “net-nanny.” These programs monitor internet access when you can't be there and block inappropriate sites. They monitor which social networking sites your children use and block gaming access based on ESRB ratings.

These programs can help protect your children and information, but the best protection is to have a talk with your kids about responsible internet usage. A little instruction can go a long way towards influencing your child's internet habits and safety practices.





When is Anonymous Not Anonymous?
10.02.2009 11:31:00 PM
Posted by Linda Rodrigue


Anymore…always.

“Don’t put it in writing if you don’t want people to know about it.” This is my rule of thumb, and the rule that I’ve lived by since I started keeping my first diary in the 7th grade. Although, looking back at what I wrote in those diaries, I must not have cared too much what people knew about me. In a word, shocking! But I digress. It was an easy motto to uphold. If it was something that I didn’t want anyone to know about me, I just didn’t write it. Anywhere. Not in my diary, not in my journal, not in a letter, and never in a note passed in class. Spoken words could be forgotten. Written words are permanent.

And then I started blogging. Somehow, I felt that the anonymity of the web made it okay to blog about things that were somewhat delicate. Of course, I did what I could to disguise my identity. I blogged under an alias. In fact, I had several. Some I shared with lots of people, some I shared with one or two, and some I didn’t share at all. Some I forgot about days after posting. But one day, I found that the blog site I was using had compiled all my ‘anonymous’ blogs into a neat little list. All my private thoughts that I had taken pains to keep hidden became suddenly available to anyone who looked at my profile—my co-workers, my boss, my mom.

That was my own fault. I didn’t follow my rule. I put it in writing and there it all was, permanent and OUT THERE. For me, this is the big security issue in social networking. That anonymous isn’t.

There are other, greater threats to our security out there, waiting to snatch up whatever we offer and use it against us. There are headlines every day telling us there is no privacy—not anymore in Web 2.0. Yet we still post. We still blog. We still trust. Why is that?

Read More: http://www.theglobeandmail.com/news/technology/article709699.ece





Think you're safe? Guess again.
09.25.2009 9:48:00 PM
Posted by Linda Rodrigue


You'd never give your bank account information to a social engineer—but your credit card company might.

A month ago, I didn't know much about Social Engineering. I'd heard the phrase tossed around like so many of the latest buzz words—greenwashing, smishing, Rpattz—but I wasn't really clear on the concept. So I did some studying. I looked it up on Wikipedia, read some books, even watched some YouTubes. And through the whole process, I had one resounding thought: That wouldn't be me. I wouldn't fall for it.

No matter how clever the ruse and no matter how elaborate the pretext, I put myself in whatever situation I was reading about. I knew, without question, that I would NEVER be a victim of Social Engineering. Not me. After all, I'm paranoid. It'll take more than some cunning fast-talk to trip me up (knock on wood).

And then... I got a new shredder. It had been a while since my old one had confetti-cut its last unsolicited credit card “check,” and the "To Be Destroyed" pile was quite large. So I sat in front of the TV with my new diamond-cut shredder and went to work.

And there they were. Not one, but two letters that shattered my confidence. One was from a credit card company and the other was from my credit union. The details were not identical, but the message was the same: We are writing to inform you … information compromised ... security breach … closely monitoring ... we apologize.

It hit me out of left field. Somebody out there had my data. I, the ultra-suspicious, privacy-mongering, keeper of secrets. I was a victim of Social Engineering, albeit via a third party.

So, what's the point? Well, you know the drill: create strong passwords and change them routinely. Shred everything. Don't click that link or open that attachment. Don't Facebook everything about yourself and don't share information with others just because they sound official or legitimate. But once you've done all of that, just hope that your bank, doctor's office, credit card companies, and everyone else who has even the tiniest bit of information about you does the same.





The Dark Side
09.22.2009 11:00:00 AM
Posted by Todd Snapp


My office was quieter than usual when my cell phone rang...er, buzzed. I had been feeling phantom vibrations from my hip all morning and I had to confirm that this one was, in fact, real. After awkwardly wrangling my phone from its belt clip, I saw it was my mother. We speak frequently, so it was no surprise for her to call. Nevertheless, calling mid-morning on a Thursday was not common.

"Hello Mother, how's it going?"

"Well…" she said in a cracking voice. "Not too good."

I could hear her sniffling and dabbing her nose with a Kleenex. As with everything in my life, I labored to hide any shock at her response. In reality, my blood ran cold and I immediately began to rattle through all of the unpleasant possibilities as to the purpose of this call. I feared the worst: a death in the family or some terminal disease. But I wasn't even close.

"Really? What's wrong?"

"Uh…well…your sister was arrested this morning."

Once again I masked my utter astonishment.

"What? What happened?... For what?"

"They said it was for check fraud…some stolen checks written years ago and traced back to her."

"What? No, I don't understand."

Now at this point you need to know more about my sister, Ashley. She is a sharp, self-confident, resourceful young woman, but her most dominant characteristic is her tender heart. This is a girl who was rarely reprimanded by our parents growing up (and for good reason) and has not received so much as a parking ticket in her adult life. She doesn't smoke, drink, or take drugs, and would probably be fairly uncomfortable around people who did. Ashley is thoughtful and considerate and has always rushed to the aid of less fortunate people in trouble.

First thing that morning, a knock came at Ashley's door. Her oldest child, who turned 5 that day, was the only one awake with her. Her 2-year-old daughter and still-nursing infant were asleep. Her husband had left early for work. At the door were two stern-looking uniformed police officers.

"Hello miss, are you Ashley Marie Spencer?"

"Yes, can I help you?"

"We have a warrant for your arrest."

Ashley gasped with shock.

"For what? I am sorry...there must be some mistake."

Ashley did not have the slightest clue what they were there for. She sat at the kitchen table pleading with them until our parents came. The officers were nice enough, but they had a warrant and there was no persuading them to ignore it. Ashley's baby was anxious to nurse and her 5-year-old sat in another bedroom with his grandmother, largely worried about his birthday party.

"Why are they doing this?" he mumbled through his tears.

"They are not bad men," our mother whispered, "they are just doing their job."

"But they are ruining everything!"

"I know, boy, I am sorry, but police officers are good men…do you want to go meet them?"

"No…" he gained his composure for a moment "…that would just be weird."

After a litany of confused questions and exasperated ponderings, all the family knew was that the charges were for some fraudulent checks written over 7 years ago and that Ashley was on her way to jail. They led her to the car alone and in tears while her husband, who had now arrived, tended to the distraught toddlers and a hungry baby.

Ashley spent the entire day in county jail with no additional information about her plight. Unfortunately, the family was not able to gather much more either. All they really knew was that some checks were forged and her driver's license number was written on them.

To this day, Ashley remains in litigation and her financial situation becomes more dire. Before all is said and done, the lawyer has prepared her for the fact that it could cost upwards of $20,000 and she should not expect to get a penny of it back.

All of this mayhem stemmed from one simple event: her driver's license number got into the wrong hands. It is this realization that helped me better understand the indelible connection between corporate security and personal impact. More on that another time.

By the way, her son had an excellent Star Wars themed birthday party the next day.





What do you mean, “password” isn't a good password?
09.18.2009 09:38:00 AM
Posted by Linda Rodrigue


I got my first checking account when I was 18 and, along with it, my first PIN. I chose something clever and pithy, something that I would always remember, something significant to me. Over a decade later, when I immersed myself in the World Wide Web, I used that PIN, either alone or with supplemental characters, as my password. Every login, every account, all had passwords based on that original 4-digit numerical PIN. And then a friend watched me log in to AIM and quoted back to me not only my password, but the password I used everywhere. Oh the horror! That evening, I began the arduous task of changing them all. Lesson learned: don't use a universal password.

So then I was using passwords unique to each site/program/login. I would create them based on whatever was going on in the background when I was setting up the account: TV shows, songs, various pets, actors. But with over 100 logins, it was impossible to remember them all. Then I started reading about hacker programs that can iterate through word lists in several languages to guess your password. Darn! I need to be more clever! Lesson learned: don't use a simple password.

A little later, I read a nifty blog posted on the F-Secure website that suggested a clever way to create a complex two-part password by combining part of the URL with random characters and a PIN. Part one is a combination of part of whatever you're logging into, followed by a series of randomly chosen characters including capital and lowercase letters, numbers, and punctuation. This you can write down and carry with you. Part two is a PIN to tack onto the end. For example, I might have part one be the first 5 characters of the site, plus the random characters 1Q@w and my PIN is 1234. To make this into a Facebook password, I would use the first 5 of facebook, followed by the randoms, followed by my PIN: faceb1Q@w1234. Simple, right? So it would seem... until I forgot my PIN! Lesson learned: don't be too clever for your own good!
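The derivation in the scheme above, written out as an added Python example (my code, not code from the post or from F-Secure). It takes the site part to be the first five characters of the site's name; the URL normalisation (stripping the scheme, "www." and the domain suffix so that "https://www.facebook.com/login" and "facebook" give the same fragment) and the collision check are my own additions. The check also surfaces a weak spot of the scheme that the post does not mention: two sites whose names share their first five characters get the same password.

```python
"""Per-site password derivation following the two-part scheme described
above.  Added example, not code from the blog post or from F-Secure; the
function names, the URL normalisation and the collision check are my own
assumptions.  Scheme: site fragment + written-down random characters + PIN."""
from urllib.parse import urlsplit

SITE_CHARS = 5  # the post uses the first five characters of the site name


def site_fragment(site: str, length: int = SITE_CHARS) -> str:
    """Reduce a site name or URL to the fragment used in part one.

    "facebook", "facebook.com" and "https://www.facebook.com/login" all
    give "faceb", so the same site always yields the same password.
    """
    host = site.strip().lower()
    if "://" in host:
        host = urlsplit(host).hostname or ""
    host = host.split("/", 1)[0]          # drop any path on a bare "host/path"
    if host.startswith("www."):
        host = host[4:]
    label = host.split(".", 1)[0]         # drop the domain suffix
    return label[:length]


def derive_password(site: str, written_part: str, pin: str) -> str:
    """Part one (site fragment + the characters you may write down)
    followed by part two (the PIN you memorise)."""
    if not pin.isdigit():
        raise ValueError("the PIN in this scheme is numeric")
    return f"{site_fragment(site)}{written_part}{pin}"


def colliding_sites(sites, written_part: str, pin: str) -> dict:
    """Map each derived password to the sites that produce it, keeping
    only passwords shared by more than one site.  An empty result means
    every site in the list got its own password."""
    by_password = {}
    for site in sites:
        by_password.setdefault(derive_password(site, written_part, pin), []).append(site)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    print(derive_password("facebook", "1Q@w", "1234"))       # the post's own values
    print(colliding_sites(["facebook", "facebuy"], "1Q@w", "1234"))
```

With the post's values, `derive_password("facebook", "1Q@w", "1234")` gives `faceb1Q@w1234`. Because part one may be written down, the PIN is the only secret in the scheme, and `colliding_sites` shows that the site fragment alone does not make every password unique.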

But seriously, compromised passwords can open a floodgate to stolen information. Keep them secure, keep them complex, and keep them unique.

Read more about the F-Secure password solution at http://www.f-secure.com/weblog/archives/00001691.html





Who's Handling Security?
09.15.2009 1:03:00 PM
Posted by Linda Rodrigue


Based on my very informal research, many companies are concerned enough about the security of their information to allocate a large portion of their budget to InfoSec: hardware, software, pen tests, training, and payroll. For companies that are serious about security, no expense is too great.

But a company only has control over its own operations. What about third-party collaborators? It is often more cost-effective to outsource aspects of business operations to firms that specialize in those areas. Beyond cost, contracting out to “experts” usually produces better results. And with third-party involvement comes third-party security.

But what if that's not secure enough?

Mozilla recently found itself in that very situation. In a statement released on the Mozilla Store website, the company disclosed "Today, Mozilla discovered that GatewayCDI, the third-party vendor entrusted to run the back end of the Mozilla Store, suffered a security breach." Its domestic and international online stores have been closed since late Tuesday. However, Mozilla has not released any information regarding how many accounts were compromised or how the breach occurred. There has been very little reporting on the breach and even less about GatewayCDI's role in preventing such lapses in security.

Companies often have to find a balance between the cost savings of outsourcing against the price of placing security in the hands of a third party. Mozilla is learning the hard way just how important that balance is.

Read more about the Mozilla breach at http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=219100155





Facebook not as Private as I Thought it Was.
09.11.2009 11:30:00 AM
Posted by Chuck Snapp


I really enjoy Facebook. It allows me to catch up with friends that I have lost over time and also stay in touch with friends and family around the world. It is easy to use and allows me to say something once and let it out to all of my friends. Yet, a recent string of news articles is causing me to rethink the safety of Facebook. What I thought was a harmless way to share information with those I care about seems to be a way to share information with advertisers and other companies. A recent article on MSNBC told the story of a man who saw an ad for a dating site on his Facebook page that had a picture of his wife. The picture was lifted from a friend's page and used as a “personal” ad for him.

The impression that I got from Facebook was that only my “friends” were able to see what I had posted. The truth is that Facebook allows advertisers to target you with your own information— including, it seems, the pictures that you post on Facebook. According to the article, the ad in question was outside the lines of Facebook's policy, but the information was still shared with the company in question. Although it is still my impression that your information will only be used for Facebook “friends,” I am rethinking the cost of social networking.

I have always been one of those people who doesn’t hide from myself. I leave everything out there and people can take it or leave it as they please. But this is now being tested with Facebook's policies. A picture that I put up on my page with another friend in it will be seen not only by my friends but their friends as well. So when I think I am sharing information with my friends, I may actually be sharing with people I have never met.

There is a way to opt out of this ad sharing: Settings => Privacy => News Feed and Wall => Facebook Ads. Selecting "No one" there lets you share info with others without it being used for ads. But this still doesn’t seem to stop them from letting advertisers see my information.

So now I'm rethinking what I put on Facebook—and maybe you should too.

Read More: http://redtape.msnbc.com/2009/07/hey-peter-the-ad-said-hot-singles-are-waiting-for-you-he-might-have-dismissed-the-advertisement-which-appeared-on-his-fa.html





Social Burn? Engineering Notice?
09.07.2009 09:31:00 AM
Posted by Linda Rodrigue


Some recommended reading and viewing…

So I've been doing two new things the past month or so. New to me, that is. One, I've been learning about the exciting world of Social Engineering. Two, I've been watching a lot of Burn Notice. And in a strange way I hadn't expected, the two have become entangled.

And that's where Burn Notice comes in. Ever watched the show? The main character, Michael Westen, is an ex-government spook who now freelances in sunny Miami. And as he's scheming, his voiceover is explaining. And what I'm hearing is not spy-thriller, 007 gadget-speak. I'm hearing how to social engineer a situation.

Entertaining? Indeed. Educational? Sure... but I'm not sure I want to know who is being educated.

Must Read – The Art of Deception by Kevin Mitnick: http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/0471237124

More About Burn Notice: http://www.usanetwork.com/series/burnnotice/





I Got Fooled by a Virus
09.04.2009 09:02:00 AM
Posted by Chuck Snapp


About a week or so ago, I was getting on the internet to check my email and Facebook and such when a window popped up to tell me that I had a virus and that the XP Virus Protection would get rid of it for me. I was redirected to a webpage that wanted my credit card information to purchase XP Virus Protection.

I have virus protection. I don’t want Microsoft’s XP virus protection. So I closed the window and went on my way. The window popped up again. And again. And again! I nearly called Microsoft to tell them to get their stupid window off my system. I don’t want your virus protection software, ok? But I decided to look up the program before I called and got stuck listening to bad on-hold music for the next half hour. What did I discover? I was fooled the whole time. The pop-up window was the virus. There is no legitimate thing called XP Virus Protection—it's a scam (and so is Vista Virus Protection). I was mad and ashamed and awed all at the same time. This was not like the easily decipherable scam emails that we all frequently get telling us how we are “oh so lucky to be winning the lottery today.” This looked professional and really had me fooled. But, ten easy-to-follow steps later, I had removed the problematic program from my PC and was on my way to enjoy pictures of friends and family in Facebook-land.

How I got the virus is still a mystery, but its effect on me was powerful. They are getting smarter and sneakier with these scams. I am sure even more people will get taken by this one than by the horribly-written “I need much help to get million of dollars out of probation” emails.

Always remember that almost no legitimate company will email you without your permission or pop up a window that you did not ask for. Never, never, ever give your credit card info out unless you initiated the purchase yourself. Someone more clever than you is out to separate you from your money.





Virtual STDs
09.03.2009 09:41:00 PM
Posted by Linda Rodrigue


In the spirit of mea culpa, I want to state outright that until yesterday, I had never heard of Erin Andrews. And currently, if I had to pick her out of a line-up, I'm fairly certain that I would fail. That being said…

By now you must have heard about the infamous video and the ensuing legal discussions. Personally, I find it disgusting. To be caught on a hidden camera in a hotel room sends shivers down my spine. It could have been anyone. And while channel surfing late last night, I learned from one of the news outlets that "video voyeurism is on the rise." Peepholes are all around us! And then there are those celebrity sex videos that get leaked: Pam Anderson, Paris Hilton, Leighton Meester are among many in a long list of exploitees. It is despicable what people will do for a cheap thrill.

But there is another aspect to this that is just as deplorable. Voyeurism is now being used to spread viruses. Since the Erin Andrews video has been pulled by reputable sites (after risk of legal action), you can now find obscure sites promising a downloadable copy. But instead of the voyeuristic footage, the user ends up with a Trojan horse. And it isn't just Ms. Andrews' video. Over the years, the number of cyberporn-related malware distributions has continued to rise.

There was a time that those so inclined could find a nontoxic alternative to the indiscriminate tryst in the virtual world. But now, not even virtual sex is safe.

Read More: http://www.msnbc.msn.com/id/32011728/ns/technology_and_science-security/





Spend More, Protect Less
08.27.2009 04:41:00 PM
Posted by Linda Rodrigue


How much money have you spent protecting your network against attacks? How much safety do you think that buys you?

At the Black Hat USA security conference in Las Vegas, WhiteHat Security highlighted the less-reported, high-dollar scams involving little or no tech. According to CTO Jeremiah Grossman:

"While the security industry spends most of its energy and resources on malware- and vulnerability-based methods of attack, a lesser-known and more lucrative world of hacking is going on right under our noses that rarely comes to light unless it makes the general news. These are the low-tech and no-tech attacks and scams that don't require malware or scanners, and they are rarely reported because they don't typically involve reporting stolen credit cards or other personal information."

The reality is that scams that exploit business logic flaws are fast becoming the most lucrative hacks out there, and the most expensive tech solutions won't see them coming.

Read more about it at http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=218501663





Personally....
08.19.2009 04:36:00 PM
Posted by Linda Rodrigue


In an attempt to wrap my head around the kinds of SNS security issues the average user is coming up against, I have decided to a.) start simple and work my way up, and b.) ask around. In keeping with that, I posted a survey over the weekend asking about how people disclose personal information.

Personally, I try to post as little as possible. I'm wary of strangers, verging on paranoid. I use fake names, one-time-use email addresses, inaccurate birthdays. But is that all necessary? Is it enough?

There are two schools of thought. One advises keeping all personal information private. The other rationalizes that it is unlikely that identity thieves are trolling SNS for victims. I say there's no harm in being overly cautious. Things like social security numbers, credit card numbers, and bank account info are obvious. But what about the seemingly innocuous hometown and birthdate? It’s nice to get birthday greetings on Facebook. And how will our childhood friends find us unless we post the city where we grew up? According to my survey, most of us don’t consider this information sensitive and therefore post it in our profile. Unfortunately, scammers can even use this information to exploit us.

And with Facebook appealing to multiple generations, how hard is it really to find out your mother's maiden name? Web 2.0 opened up a whole new arena of ways that undesirables can learn more about us than we want them to. Look at your public profile—how much of that information would you offer to a stranger on the street?

Read More:
http://news.cnet.com/8301-1009_3-10280614-83.html?tag=newsEditorsPicksArea.0

http://www.darkreading.com/security/app-security/showArticle.jhtml;jsessionid=2OHJJ2C11LGAYQSNDLOSKHSCJUNN2JVN?articleID=211201065&pgno=1&queryText=&isPrev=





Being Passive About Passwords
08.11.2009 01:31:00 PM
Posted by Wesley Mallory


Is it really that hard to have a good password? No…not really.

Our company is regularly called in to assess the security posture of an organization's employees. A lot of organizations want to know the truth, the whole truth, and nothing but the truth about their employees' password management practices. Without divulging all of our top-secret methods, I will say that one way we do this is through phishing emails. Our emails link to a page we create that requires the user to log in—and sometimes log in and then change their password.

The first time we did a project like this, I was shocked at the results. Really…I could NOT believe what I was witnessing. I could not believe:

  • how many spam emails got through,
  • how many people clicked on links that led to fraudulent websites,
  • how many people entered credentials and/or changed login credentials,
  • how many people emailed us back when they were having problems with our fake websites and login screens,
  • the terrible and obvious passwords that were used, and
  • what the terrible passwords were changed to.

This is just a prediction based on years of experience with thousands of employees. You can expect that folks at your organization might have some issues with their passwords, such as:

  • using the word "password" as their password,
  • using their UserID (e.g. "jsmith") as their password,
  • using what appears to be a pet's name as their password,
  • using the season and year as their password (e.g. "Summer2009"),
  • updating their password to the current season and year (e.g. "Fall2009"), and
  • updating by adding a digit to their password, such as going from "password1" to "password2" or "jsmith223" to "jsmith224."

Indeed, it seems unlikely that anyone might guess that "drichardson's" password is "captainfluffy." The galleries of pictures of him and Captain Fluffy posted on his FaceBook account can't possibly be an indication that it gives him sheer joy to type “captainfluffy” on a daily basis.
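Detection logic for the password patterns listed above, as an added Python example (my code, not the post's or RocketReady's). Given a new password, the user ID, the previous password and any names visible on the user's public profile, it reports every listed pattern the password matches. The increment check generalises the "password1" to "password2" case slightly: a password with no trailing digits counts as 0, so "captainfluffy" to "captainfluffy1" is also flagged. The function names, the wording of the findings and the sample records at the bottom are my own constructions.

```python
"""Checks for the weak-password patterns listed in the post above.

Added example, not code from the blog post or from RocketReady.  Function
names, finding texts and SAMPLE_RECORDS are constructed for the example;
the patterns checked are the ones the post lists."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# "Summer2009", "fall09", "Winter2010" ...
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)(\d{2}|\d{4})$", re.IGNORECASE)
# splits "jsmith223" into ("jsmith", "223"); no match when there are no trailing digits
TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def _base(word: str) -> str:
    """Lower-case a password and drop any trailing digits ("Password1" -> "password")."""
    return word.lower().rstrip("0123456789")


def is_increment_of(new: str, old: str) -> bool:
    """True when `new` is `old` with its trailing number raised by one
    ("password1" -> "password2", "jsmith223" -> "jsmith224").  A previous
    password without trailing digits counts as 0 ("captainfluffy" -> "captainfluffy1")."""
    m_new = TRAILING_DIGITS.match(new)
    if not m_new:
        return False
    m_old = TRAILING_DIGITS.match(old)
    old_base, old_n = (m_old.group(1), int(m_old.group(2))) if m_old else (old, 0)
    return m_new.group(1).lower() == old_base.lower() and int(m_new.group(2)) == old_n + 1


def weak_password_reasons(password: str, userid: str, previous: Optional[str] = None,
                          personal_words: Sequence[str] = ()) -> List[str]:
    """Return every listed pattern the password matches (empty list = none found).

    personal_words: names anyone could read off a public profile (pets,
    children, teams); spaces are ignored so "Captain Fluffy" matches
    "captainfluffy".
    """
    reasons = []
    base = _base(password)
    known = {w.replace(" ", "").lower() for w in personal_words}

    if base == "password":
        reasons.append("is the word 'password'")
    if base == userid.lower():
        reasons.append("is the user ID")
    if base in known:
        reasons.append("is a name from the user's public profile")
    if SEASON_YEAR.match(password):
        reasons.append("is a season and year")
        if previous and SEASON_YEAR.match(previous):
            reasons.append("only moved to the next season and year")
    if previous and is_increment_of(password, previous):
        reasons.append("only incremented the previous password")
    return reasons


# Constructed sample records (user ID, previous password, new password);
# invented for this example, not data from any assessment.
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    ("jsmith", "password1", "password2"),
    ("mjones", "Summer2009", "Fall2009"),
    ("drichardson", "captainfluffy", "captainfluffy1"),
    ("asnow", "kX3#vq9!Lm", "Qp7$wz2&Rt"),
]


def audit(records, personal_words_by_user: Optional[Dict[str, Sequence[str]]] = None) -> Dict[str, List[str]]:
    """Run the checks over (userid, previous, new) records and map each
    user to the findings; users whose new password is clean are omitted."""
    personal_words_by_user = personal_words_by_user or {}
    findings = {}
    for userid, previous, new in records:
        reasons = weak_password_reasons(new, userid, previous,
                                        personal_words_by_user.get(userid, ()))
        if reasons:
            findings[userid] = reasons
    return findings


if __name__ == "__main__":
    for user, why in audit(SAMPLE_RECORDS, {"drichardson": ["Captain Fluffy"]}).items():
        print(f"{user}: {', '.join(why)}")
```

On the constructed records, three of the four users are flagged and only `asnow`, whose new password shares nothing with the old one, passes. The checks are meant to run at password-change time, where the previous password is still available to compare against; after the fact, only a hash of it normally survives.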

Anyone can see the danger in having such poor password management practices—even those who create the passwords. It all boils down to laziness and unwillingness to have a password that is actually strong.

More on passwords, their strength, and how to manage them better later on.

In the meantime, Microsoft has some good information on password security:
http://www.microsoft.com/protect/yourself/password/create.mspx





For Sale Cheap: Sense of Security and Personal Safety
08.07.2009 02:06:00 PM
Posted by Linda Rodrigue


The downside of a great deal on Craigslist…

My 94-year-old grandmother is a regular Internet user. I find this quaint and interesting for the most part. But recently, she sent a shudder down my spine when she said, “I'm looking for a camera on Craigslist.” I promptly climbed on my soapbox and demanded that she stop immediately and never do it again. Ever.

Paranoid, am I? Maybe. But a Google news search of “Craigslist robbery” yielded 165 results. There is definitely some truth in my neurosis.

  • In Houston, a man was robbed at gunpoint after meeting a seller named “Bill” who advertised iPhones. They met at a shopping center, but the buyer allowed “Bill” to get into his car.
  • Philadelphia police have reported three separate robberies, all perpetrated after “sellers” lured buyers to vacant businesses or homes and robbed them.
  • The Kansas City twist is that the seller is robbed when the buyer takes off with the item – without paying.
  • A similar scheme in Indiana found a legitimate seller being robbed at gunpoint by the three men that had just bought his rims. Their demands to have their money returned ended in a shootout.

To be fair, Craigslist posts the following warning on its site:

When meeting someone for the first time, please remember to:

  • Insist on a public meeting place like a cafe
  • Tell a friend or family member where you're going
  • Take your cell phone along if you have one
  • Consider having a friend accompany you
  • Trust your instincts

I would add to that list:

  1. Don't share ANY personal information—other than your first name—via Craigslist or with prospective buyers / sellers.
  2. Anything that can be made anonymous should be made so.
  3. Things that are too good to be true should be avoided at all costs.
  4. Trust your instincts and go with them. You know when something is fishy. Don't go with it just to get a good deal on a weed eater.

TV shows like Law & Order, CSI, and NCIS have all presented storylines that illustrate these types of schemes in detail. News stories abound with cautionary tales of seemingly innocent transactions that lead to theft or even murder. And yet, of the millions of people who use Craigslist, how many continue to ignore the warnings?

And why is that? Is it because we want something so badly that we throw common sense out the window when we find it cheap? Or is it because the criminals find ways to exploit our basic human nature, using social engineering tactics to lure us into feeling that they are the good guys and we can trust them?

Call me paranoid, but I'm not buying.

Sources:
http://www.myfoxhouston.com/dpp/news/local/090707_craigslist_robbery

http://cbs3.com/local/Craigslist.Robbery.Suspect.2.1075862.html




How Secure is Your Social Security Number?
07.27.2009 01:33:00 PM
Posted by Linda Rodrigue


Not very...

A computer containing the names and Social Security Numbers of over 45,000 people was stolen earlier this month from Cornell University. The data was used to troubleshoot file processing errors. Cornell states that, according to policy, the computer should have been kept in a secure location and that the employee who was issued the computer violated this policy.

So, the first question is "Why are you using live SSNs to perform troubleshooting?" And then, just as a matter of interest, "Is it possible that the person responsible for the theft might have engineered the transmission errors?" That would be pretty elaborate—but not unheard of for a social engineer.

I am disturbed by the use of SSNs as identifiers, especially in schools. How often did my professors post test results on a department bulletin board with my SSN on display for all to see? How does a Registrar verify that everyone requesting secure information is actually who they say they are and using the data appropriately?

And what about the doctor's office? My sister once refused to give her SSN on a new patient form at a physician's office and was subsequently asked to pay up front rather than have her insurance billed.

Both educational and medical offices routinely collect all the information an identity thief would need. And, for the most part, we readily hand it over. But do we ever think about the consequences? How many college students are really thinking about protection of personal information? Not many. If anything, this generation is perhaps too open about themselves, thanks to MySpace and Facebook. And how many moms of sick kids are going to make a stand about personally identifiable information when their kid is puking and crying at the doctor's office? Zero.

But how do these institutions treat our data? How secure is the information that we so readily place in their custody? How well do they monitor access? Poorly. Academic institutions and medical facilities are the worst offenders when it comes to protecting your personal information. Sure, they have Privacy Notices, and signs saying that they must protect your information due to HIPAA or FERPA regulations. But the reality is that they don't do it well.

Bottom line: be vigilant with your private information. Never share more than is necessary. Many places just assume they need it and you'll give it. Once your information is in their hands, you'd better hope they take good care of it. And if you have any reason to believe they don’t, then take your information back.

Source:
http://cornellsun.com/node/37474



Tagged or Too Much Information?
07.24.2009 11:25:00 AM
Posted by Linda Rodrigue


Live by the FaceBook, die by the FaceBook – even when it's not your fault!

It was reported over the weekend that the new head of Britain's MI6 was caught in a social networking conundrum when his wife posted private information about him and his family on her Facebook page— including his codename, "C."

C's wife "posted family pictures and exposed details of where the couple live and take their holidays and who their friends and relatives are."

One report said an investigation was underway to determine if national security had been compromised, but it has been concluded that this wasn't a threat to the nation—just this family's privacy.

There are cautionary tales every day, reminding us why we should be careful with the information we make available online. Too much information results in lost jobs, ruined marriages, stalking, and more. We are warned not to put anything on Facebook that could be used against us. We are careful to guard our own privacy. But what about the privacy of others?

I don't know about you, but there are things about me that I don't want out there in the big wide Web 2.0. I know that I don't post these things because they aren't anyone else's business. Things like my home address, cell phone number, pictures of me doing embarrassing things when I was young and reckless.

I'm careful, but what about my friends? Are they going to be as discerning as I would be?

Google Maps is blurring out license plates and faces from their StreetView option, but what about my neighbor who innocently snaps a shot of me standing in my driveway during our 4th of July street party, and then just as innocently uploads that to FaceBook and tags me and my license plate?

Just something to think about...

Sources:
http://www.abc.net.au/news/stories/2009/07/05/2617180.htm

http://www.timesonline.co.uk/tol/news/uk/article6639521.ece



Mom's Laptop
07.22.2009 12:11:00 PM
Posted by Chuck Snapp


Some advice on helping your older and/or computer-illiterate family members and friends safely navigate the Net…

About a year ago, I helped my retired mother purchase a laptop. Now, every time I visit, it's my job to go through all her programs and update them to the latest version. I also take this opportunity to do the regular maintenance: defrag, delete temporary folders, and so on. It gives me something to do while we watch the back-to-back episodes of NCIS.

Not long ago during a riveting two-parter, I noticed that the subscription on her virus protection suite was up and needed to be renewed. I asked my mother for her credit card to subscribe to another year of protection updates.

"Do I really need all that?"

Well, does she really need all that? First, I asked what she uses the laptop for. For one, she surfs the net: shops on eBay, searches for vacation deals, checks how much the neighbor's home sold for, and so on. She isn't visiting dangerous sites, so maybe she could get away without it...

"What else do you use this for besides eBay and vacations and such?" I asked. And then, the magic words: "Well, I do pay my bills online." There's our answer: yes, you need to purchase the updates for the protection suite. Now, to be fair, she could probably get some sort of free virus protection through her ISP. And, of course, there are other free versions – most notably AVG. This software is adequate, but it does not have some of the bells and whistles that make paid protection suites what they are, such as password protection, full-time browser protection, and more frequent updates.

Another tip I gave my mother: purchase a prepaid credit card for online purchases. She will add a dollar or two to each purchase she makes online, but there is no way for someone to get access to the credit/debit card that is connected to her bank accounts. She just adds funds to the card so only that money could be lost. And it also makes her think twice about those impulse buys.

Of course, some of the oldest security tips are still relevant. Don't fall for the scams in your email inbox. Remember: if it's too good to be true, then it's probably not true. Nobody legitimate will ask you for a username or password via email or over the phone. Never click on links or open attachments you aren't expecting.

In the end, I sleep better knowing one of her connections to the world is safe. And hey—at least I don't have a teenager to worry about. Happy computing.



18 People Indicted in an Identity Theft and Bank Fraud Scheme
07.20.2009 08:05:00 AM
Posted by Linda Rodrigue


The Manhattan District Attorney's Office has indicted 18 people for their involvement in a massive identity theft and bank fraud scheme. The indictment alleges that, between October 2007 and February 2009, more than 1000 counterfeit checks were cashed. Close to 350 accounts were compromised and millions of dollars were stolen.

Sounds like a sophisticated technical hack, doesn't it? Think again. According to the article:

The defendants, according to the indictment, used information obtained from bank employees, often tellers, who had access to bank computer systems and to checks processed during legitimate customer transactions. The purloined information included names, Social Security numbers, account numbers and account balances of nearly 500 identity theft victims.

The 227-count indictment goes on to allege that the defendants used the information obtained from bank employees to create fake checks. The checks were deposited and funds promptly withdrawn.

Once again, it seems that the easiest path to protected information is through an organization's employees. Why bother hacking the bank's systems when you can just hack their employees? A little motivation, a few incentives, and voila! A hacker's best tool is an employee with legitimate access to all the information he could dream of. Scary.

Source: http://www.scmagazineus.com/Identity-theft-ring-busted-in-New-York/article/137621/



Cuckoo's Egg
07.19.2009 09:16:00 AM
Posted by Chuck Snapp


Time for some recommended reading…

In a time that seems like several lifetimes ago, I spent a few years in the United States Air Force. I spent most of my time stationed at Ramstein Air Base in Germany—an absolutely beautiful spot if you are into evergreen forests and mountains.

As a first stop after computer training, I was assigned to a computer security detail. This was at a time when we marveled at one gigabyte hard drives and wondered what kind of super program would ever use up ONE GIGABYTE of storage space. Little did we know...

After getting my bearings for a couple of weeks, the head of the detail sat me down to see what I knew about computer security. The short story: I knew very little. I couldn't conceive of how someone would "break in" to a computer. It was at this meeting that I received my first assignment: read this book. It was a wrinkled paperback called "The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage" by Clifford Stoll. Sure, ok. I had spent the last few months reading textbooks on programming languages that I and no one else would ever use, so what was one more book? But this was no textbook. This was the true story of how a perpetual Stanford astronomy grad student helped catch the Mannheim hacker. This book gave the reader a chance to look into the mind of a hacker and see how he broke into some of the most secure sites in the world.

The book's technology is a little dated, of course. The story is told from the early days of Unix mainframes and the infancy of packet switching. Regardless, the principles are still the same. It's funny and relevant for those who are very familiar with Internet security and those who haven't even heard of "Internet Security for Dummies." Our hero lets you learn right along with him.

I'll leave it at that, so as to not spoil the story for you computer security geeks or spy novel enthusiasts. But, just one more tidbit: sometimes the simplest tricks are the best.

Buy the Book: http://www.amazon.com/Cuckoos-Egg-Clifford-Stoll/dp/0671726889