So I finally decided to join the new millennium and try Twitter.  I have managed to resist the social networking technologies so far (other than this blog).  I don’t do Facebook, nor Myspace (I have serious privacy concerns with them) and most of the other technologies struck me as inane or huge time wasters.   Well through the constant nagging of a friend, I’m on twitter now and I can attest that I was right.  It is a huge time sink.. but it is lots of fun!  And potentially very addictive.  I’ve already had my wrist slapped and been told that more than 3 tweets a day is Ashton Kutcher territory and I am no Ashton (in so many ways!).   Anyways, after my initial barrage, I’ve got it down to a dull roar and will be using it to “tweet” the Blackhat and Defcon Conferences in a few weeks.  It should be fun to be able to immediately communicate thoughts on the latest technologies or hacks as they are announced/demo’ed.  And it should be great for making catty comments on the booth personnel, presenters or attendees (I’m allowed, being a veteran speaker of the show myself and having plenty of catty comments made of me).   Anyways, if you can’t make it but want a play by play of the two biggest security conferences in the industry, just log onto Twitter and follow “FearlesSecurity” for updates (its not a typo, they only allow 15 character nicks) .  Some updates will also be re-tweeted here on the magazine accounts.  So join me fellow twits as we tweet our way into the future….


- posted by Tony Howlett

[7/3/2009]

Social War Dialing - The New Identity Theft Menace
POST A COMMENT

Just when you thought that the hackers had thought of everything.... A new IT theft method that is being directed at the nation’s banks is called Social War Dialing, also known as “vishing.” Like its cousin phishing, this con attempts to talk unsuspecting victims out of their account numbers, passwords, etc. However, instead of using email or the computer, which many of us have been trained to not trust, they use the good ole telephone. The way that this attack works is that an entire phone exchange, usually for a small town with only one or two banks, is dialed by automation. Those picking up the phone hear a prerecorded message from their friendly local community bank that their account has been compromised. They need to change their PIN code immediately to avoid any unauthorized charges. They are directed via a menu to enter their account number, their old PIN, and a new PIN. Of course, this isn’t the bank calling but rather a sophisticated overseas ID theft gang using VOIP technology. Caller ID shows the name of the bank, giving further credibility to the attacker. Once they have the card number and PIN, they can quickly generate a fake ATM or debit card and start either withdrawing cash or making purchases.

Small-town bank customers have been taken for tens of thousands of dollars in a couple of hours using this method. Older and non-technical customers are particularly vulnerable to this scam.With cheap or free VOIP calls, and automated voice software, thousands of numbers can be dialed in a short period for little or no cost. Templates can be easily changed for different town or bank names. This attack has already evolved into using text messages on cell phones. It has also moved on to other financial industry companies such as credit cards, merchant charge cards, etc. So if you get a call purporting to be from your bank, credit card company, or any other financial institution asking you to put in personal information, hang up and call their main number, which is usually written on your card, to verify the request. Don’t take caller ID’s word for it as this is easy to forge. The ID thieves out there continue to grow more sophisticated and wily in their efforts to get your financial information. What will they think of next?


- posted by Tony Howlett

[1/12/2009]

Top Ten Infosec "Oops!" of 2008
POST A COMMENT

Sorry I am a week late in posting this, but 2009 snuck up on me. So here, without further ado, is my list of Top Ten Infosec Oops! of 2008. They are my personal choices, not necessarily the ones that got the most headlines or hype--so if you don’t like them, make your own and post it to this list. Enjoy.

1. 11,348,196 Private Records Compromised--In 687 separate incidents over the year, per Privacy Rights Clearinghouse (www.privacyrights.org). Whether it was an outside hacker, an inside job, or just plain “Oops!” (an accidental release), it still amounts to huge whopping mistakes on the part of government and private industry. One which we will all pay for, either directly in terms of the cost of an ID theft or indirectly via higher fees and costs for goods and services to pay for all this cleanup. And remember, these are just the ones that are discovered and reported. Most likely it is the tip of the iceberg. When are these entities going to learn that is always cheaper to spend the money up front to prevent these incidents rather than to deal with them afterwards? Is it wishful thinking to hope it will be better in 2009?
2. DNS Hack Discovered by Dan Kaminsky--http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky. This huge gaping hole was discovered in the most basic Internet services, DNS. I have long posited that this is the biggest area of vulnerability on the net (DNS, not the specific vulnerability. I’m not that brilliant). Kaminsky proved it and it was a big one. As he said when he first discovered it, “Oops, I broke the Internet.”
3. Dan’s Flubbing of the Release of the DNS Exploit--Dan had good intentions. He wanted to let all the affected companies know before he went public with the information so they could develop patches and release them, which is considered the ethical thing to do. Unfortunately, he also set up a keynote address to announce it publicly at Blackhat, one of the biggest Infosec conferences in the world. And the word got out. Some very smart people figured it out from his vague press release and by the time he gave his speech, the cat was already out of the bag and systems were getting exploited. While he may have had good intentions to begin with, it ended up looking like a publicity stunt. Nice try Dan, but next time. Either go public or keep it totally quiet till you are ready. And next time, don’t trust hackers.
4. The Hacking of Sarah Palin's Email--As if dear Sarah needed anything else to make her look more like a boob (no pun intended). Getting her Yahoo email hacked, which she was using for official state of Alaska business, was the cherry on the sundae for us Infosec types. The silver lining is that it's been a highly visible cautionary tale to use in my security awareness trainings. Now maybe company employees will stop using their free mail accounts for sensitive business. Naww....
5. Microsoft’s Crashing the Zune at Christmas Time!--Just imagine, it's Christmas morning, you just got a brand new Zune player (because your parents hate you), and you are all ready to start jamming. What does good ole grinchy MS do? It crashes your Zune. Apparently the result of some leap year bug. Didn’t we fix all these things before Y2K? Not the best way to build a rep and catch up with market leader, iPod. Time to throw another has-been piece of wannabe tech on the trash heap.
6. Spores Oppressive DRM--What a great game concept! Evolve from a simple Amoeba to a Galactic Civilization. Unfortunately your PC can only go through three evolutions before the game no longer installs. There was a huge outcry and even a lawsuit. Do you really own that software? Or do you just own three installs of it?
7. Microsoft’s Non-Scheduled Patch Releases--First they got us going on regular patch releases. And then proceeded to regularly have to release patches out of cycle. I understand that some necessitate not waiting for the next release date, but if you are having that many out of cycle, why bother with the planned release schedule?
8. Apple Exploits--2008 was the year Apple finally lost its halo of being the system that never gets hacked. Maybe its success is finally catching up to it. Greater numbers of users equals a bigger target. Or maybe now that they are basing their system on Intel and a BSD like OS, its just easier to hack. Either way, this year saw the release of a number of high-profile apple hacks. So you can no longer ignore security if you own a Mac.
9. RIAA Lawyers Withdraw from the Field--Years ago, when the music recording industry could have turned the tide, instead of pursuing a technical or artistic solution, they opted for a legal one. I bet they spent more on high-dollar legal beagles than they ever recovered from suing grandmas and 13 year olds. Nice way to ingratiate yourself to a whole generation of kids who have grown up with “free” music and ubiquitous broadband. At the end of 2008, they finally admitted it was a failed approach and called off the dogs (not in as many words). Next brilliant plan: marketing CDs as drink coasters.
10. MD5 Hash Being Hacked--Time will tell whether this is a major break in the underlying Internet infrastructure or a sophisticated, limited-application exploit; however, it strikes at the underpinning of the Internet. MD5 hashes are used on most certificates used for ecommerce. Let’s hope it stays esoteric and academic (though these things rarely do).

That’s it till next year. Let’s hope there are fewer “Oops” moments in 2009. Coming up next, the positive side, things to look forward to in Infosec in 2009.

 


- posted by Tony Howlett

[10/26/2008]

Top Ten Net-Surfing Risks at Work
POST A COMMENT

Sometimes, the biggest threat to your network security can come from within, either intentionally or unintentionally. In fact, many breaches comes from someone on the inside doing something unintentionally that "invites" some external exploit in. Here is my list of the top ten list of dangerous activities to be doing on the Internet at work. Share these with your employees and let them know that their Internet excursions could bring risk to the company:

1.  Opening forwarded emails with jokes, videos, pictures, etc.

These are emerging as the biggest new threat to internal network security. Many people do not realize that these emails are merely attachments and often have been forwarded hundred or thousands of times, often originating overseas. Crackers and identity thieves are starting to use these innocuous looking emails as payloads for their malicious code because people will gladly click on them even though they have been trained to not click on attachments from unknown parties. Do not click on these emails nor should you forward them to any others. You quite possibly can be helping to infect your friends and family with spyware or worse.

In addition to tying up your companies bandwidth, you could expose your bank to lawsuits for copyrighted material on your work computer. The penalty for possessing copyrighted materials is up to $125,000 per incident (read this as per FILE!). Also these programs often share out your hard drive without your knowledge so other downloaders can get what you have, opening up your computer and network to attack. Finally, many of have been reported to have numerous security flaws and holes allowing remote attack.

Similar to the comments above, the materials on these sites are often copyrighted and posted without the owners consent. Additionally these sites are often rife with spyware and pop-up adds.

Unless it’s the manufacturer's site (like Microsoft) or a legitimate reseller (like Newegg), don’t go there to download software. Claims of a FREE Antivirus or Anti-spyware program are often spyware themselves. Do not load any programs off the web without the consent of your network administrator.

These sites present as special problem for employers and employees alike since it is usually against federal law to use such sites. Some sites have been raided and they have traced bets back to individual bettors. Also such sites are often run from overseas by less than scrupulous individuals.

You have probably heard the news stories about pedophiles and other criminals that prey on children (and adults) on these sites. Identity thieves have now figured out that they can use such profiles to “case” individuals for “social engineering” attacks. They submit random requests to become your “friend’ or be added to your site and then collect personal data. They are a gold mine for such criminals, often containing birthdays, family member or friend names, addresses or other personal information. System administrators, company execs, or people in valuable or high profile positions are particularly sought out.

Using online personal sites has become the new way to date in the 21st century. While there are some benefits to these sites (allowing busy professionals or particularly shy people meet mates), there are also dangers. Again, having your personal information available for review by anonymous browsers can be a lure for identity thieves who often attempt to develop a rapport or friendship with their marks by appearing to know their social circle. Also, posters to such sites often misrepresent themselves in minor or even major ways. A recent study of one of the major dating sites found that over 30% of the applicants were already married.

While it can be fun to chat or IM with people all around the world, keep in mind that using such programs at work can be a security risk as well as a productivity drain. These programs often have flaws that allow for files to be downloaded off your computer and some of them even allow remote control of your computer.

Many people use these free services as their primary or secondary email source. However, they should never be used for work purposes or especially not sensitive company business. The email is unsecured as it passes over the Internet, opening up your correspondence to eavesdroppers. Also, these sites are notoriously insecure and cracking into someone’s hotmail or gmail is a trivial task for any neophyte hacker. Because almost all of the sites allow for password resetting by email, hackers can request a password reset and then intercept the response or just guess your challenge questions which are often easy to discern via public information searches. Freemail sites are not held to the same security standard as your IT systems so you should not use them from work computers.

Watching CNN or ESPN via the Net can be a great way to get news right away or catch that game while you work. And while watching major, reputable sites is a not a danger other than being a productivity and bandwidth drain, some of the lesser sites (such as youtube.com) can have copyrighted and/or obscene materials on them without warning. Remember you can be held liable for anything downloaded or watched on your computer so think before you click.