Jul 08

Wanna be friends?

You can never have too many friends – or CAN you?  (Hint: you can).   A recent social engineering experiment conducted by Thomas Martin of Provide Security showed the dangers of blindly accepting connection requests from people on social networks.  Martin set up multiple social network profiles for a fictitious person named Robin Sage who supposedly worked in US military intelligence circles.  “Robin” then sent connection requests to a variety of people in the security and intel communities (people who should know better, in other words).  The result?  In an interview with CSO Magazine, he stated that:

By the end of the 28-day experiment, Robin finished the month having accumulated hundreds of connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences, said Ryan.

More alarmingly, according to an article from DarkReading,

Robin actually duped an Army Ranger into friending her. The Ranger then inadvertently exposed information about his coordinates in Afghanistan to Robin with his uploaded photos from the field that contained GeoIP data from the camera.

Can you spell “bad operational security?”

Martin will be revealing all of his findings from the Robin Sage experiment in a talk at Black Hat later this month – should be quite entertaining for most and deeply embarrassing for a few.

There are some lessons to be learned from this incident for those of us who are not part of the military:

If you get a friend/connection request from someone you don’t know, don’t blindly accept it. When you bring someone into your online network, you are also granting them access to information about you (contact information, status updates, photos, etc.) as well as your organization (in the case of professional networking sites like LinkedIn).

Just because a “new friend” is already connected to some of your current friends does not mean that you should connect to them. All it takes is one careless connection to start an “avalanche of (misplaced) trust” and give an evildoer lots of information about yourself and your organization.  Trust me – I have seen this happen.  You know who you are.

Review the privacy settings for your social networking accounts and be sure that you are aware of and comfortable with the information that is shared with the public at large and with your “friends.” The privacy settings in Facebook and LinkedIn are rather complex. I recommend using a privacy scanner tool to keep an eye on who can see what on your profiles… I really like one called Privacy Defender for Facebook, which allows you to easily see and modify who can and cannot see your info. For LinkedIn, it seems like the only way to manage your privacy is manually via the Settings menu; it is sort of a pain, but the explanations provided by the site are pretty good.

And Robin Sage ain’t your friend.

PS – “Robin Sage” is the code name for the last training exercise that Army Rangers must complete before they are truly “Green Berets” – and none of the military folks (including at least one Ranger) caught on.  Sigh…

Jul 05

Did they have it all wrong?

A few weeks back, I blogged about some research on the economics and potential malware risks posed by Internet pornography. Well, a *new* study from Avast Software finds that non-pornographic sites serving up malware outnumber pornographic sites serving malware by a factor of almost 100 to one. Furthermore, Avast contends that there are more malware-infected domains containing the word “London” than there are containing the word “sex.” Not sure what this says about London. I guess the morals of the story are: for every study claiming fact x, there will be one claiming fact y, and the internet is as dangerous a place for the virtuous as it is for the naughty. Have you updated your antivirus and plugins lately?

Jul 05

Watch where you stick your thumb (drive)

From Risky.Biz… Customers at some convenience stores got a bit more than they bargained for when they used photo printing kiosks.  It seems that some kiosks at “Big W” stores run Windows.  And they don’t run anti virus.  And everyone and their brother brings their USB sticks (some infected with virii) to the stores to print.  You can see where this is going… the infected Fuji kiosks have been dispensing viruses to the USB sticks of customers.   The company is aware of the issue and is “currently testing” installing anti virus on the kiosks.  Hel-ll0 – the 1980s called and asked for their security policy back!

If you are partaking of the photo printing goodness of any such kiosks, or sticking your USB drive into strange ports (I don’t judge…), make sure that you are running the very latest anti-malware software on any of your own computers where you use said storage peripheral.

Jun 30

Daniel Dantas did...

Looks like open source disk encryption software TrueCrypt has shown its mettle in a cybercrime case out of Brazil.   The Brazilian police seized 500 TrueCrypt protected drives from the apartment of Daniel Dantas, a Rio banker accused of financial crimes.  In Brazil, there is no law compelling defendants to reveal passwords to encrypted evidence, so the Brazilian crime lab attempted to break the encryption for five months with no success.  They then turned to the US FBI, who ran dictionary attacks against the encryption for another year.  No joy.  As a result of the banker’s good password practices, the 500 drives with potential evidence were reduced to really ugly paperweights.

While this was a loss for the good guys, it does provide security professionals with some valuable information. First, choosing a strong password (long, not a dictionary word, with special characters, numbers and the like) is still an integral part of good basic meat-and-potatoes security practice. Second, if the FBI is unable to crack a TrueCrypt protected drive without the user having chosen a boneheaded password, it seems like the program is a good and cost-effective choice for protecting personal data as well as in small business environments. The only thing missing for bigger business is some sort of key management and recovery scheme… sounds like an opportunity for an entrepreneurial crypto programmer.
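The two password lessons above (don’t pick a dictionary word, and make the keyspace big enough that brute force is hopeless) can be turned into a simple pre-flight check. The following is an added example written for this post, not code from TrueCrypt or from the Brazilian case; the tiny wordlist and the 80-bit threshold are assumptions standing in for a real cracking wordlist and a real policy.

```python
"""Assess a candidate password the way the Dantas post suggests:
reject anything a dictionary attack would find (with common mangling
undone), then estimate the brute-force keyspace for what is left.
Added example; the wordlist below is a constructed stand-in."""
import math
import string

# Constructed toy wordlist (assumption): a real attack list has millions of entries.
TOY_WORDLIST = {"password", "letmein", "banker", "rio2006", "dantas", "qwerty"}

# Common leetspeak substitutions undone before the dictionary lookup.
_UNLEET = str.maketrans("@$013!", "asolei")


def charset_size(pw: str) -> int:
    """Size of the smallest standard character class set covering the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in pw):
        size += 1
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace an attacker must search if the password is not guessable."""
    return len(pw) * math.log2(charset_size(pw))


def in_wordlist(pw: str, wordlist=TOY_WORDLIST) -> bool:
    """True if the password, or a trivially mangled form of it, is in the wordlist."""
    lowered = pw.lower()
    candidates = {
        lowered,
        lowered.rstrip(string.punctuation),                 # "Rio2006!" -> "rio2006"
        lowered.rstrip(string.digits + string.punctuation),  # "banker99" -> "banker"
    }
    candidates |= {c.translate(_UNLEET) for c in list(candidates)}  # "p@ssw0rd" -> "password"
    return any(c in wordlist for c in candidates)


def assess(pw: str, wordlist=TOY_WORDLIST, min_bits: float = 80.0):
    """Return (verdict, keyspace_bits). Dictionary hits get 0 bits: the
    attacker does not need to search the keyspace at all."""
    if in_wordlist(pw, wordlist):
        return ("dictionary", 0.0)
    bits = round(brute_force_bits(pw), 1)
    return ("strong" if bits >= min_bits else "weak", bits)


if __name__ == "__main__":
    for sample in ("P@ssw0rd1", "Rio2006!", "Zq7#kL", "correct horse battery staple"):
        print(f"{sample!r:34} -> {assess(sample)}")
```

The point the FBI’s year of dictionary attacks illustrates is the first branch: a mangled dictionary word is found no matter how large its nominal keyspace looks, while a long non-dictionary passphrase forces the attacker back to exhaustive search, which the bit estimate shows is not going to finish.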

Jun 29

Got my nose? Well give it back, punk!

Anyone who knows me knows that I am not a “kid person.”  To me, all babies (except for YOURS, of course) look like the offspring of Winston Churchill and a lizard.  And they all (except YOURS) seem to emit a plethora of unpleasant sounds, odors, and substances.  My wife reminds me every once in a while, that I, too entered the world as a baby, but I am becoming more and more convinced of the impossibility of this.

Well, it seems that my antipathy towards babies has been vindicated, folks – it turns out that today’s babies could grow up to be the next generation of terrorists! According to Rep. Louie Gohmert (R, TX), those wily terrorists have been sending women to the US in order to have babies, which are then whisked back to Al Qaeda run Gymborees (complete with US citizenship) where they would be trained to wreak terroristic havoc on their (legal) return to the US in oh, 20 years and destroy our way of life. I knew it! I’m glad that there are courageous Americans like Rep. Gohmert who understand where the real threat to our nation lies – in cribs!

Jun 28

Lotsa slices = a big salami

According to an interesting story at Wired’s Danger Room blog, the FTC has filed a lawsuit against a number of “John Doe” defendants who stole more than $10 million dollars from 1.3 million credit card holders since 2006. Using a variety of shell companies and money mules recruited via online advertising for work at home jobs, the unidentified defendants made small (20 cents to 10 dollar) charges to victims’ credit cards. Each card was charged only once, but at 1.3 million cards, we’re talking some serious coin here. In addition to being evil, this scheme was pretty smart – since the charges were so small, most people (90% in this case) never bothered to dispute them – after all, how much time are you willing to spend disputing a charge for a couple of bucks? While the FTC has identified some of the mules, the ringleaders remain unknown.

In the old days, this type of scam was called “salami slicing” – stealing just a little bit (one slice of salami) from a lot of people adds up to a big salami.   Mmmmmm…. salami…. 

This is a really hard type of fraud to fight… since so few of the charges were contested, it took 4 years for credit card issuers and the feds to find a pattern. In the meantime, all of the victims suffered very small losses. The ringleaders got their millions and are still on the lam (eating salami and caviar sandwiches, I assume).
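The pattern that took four years to spot is visible on the issuer side if you stop looking at individual charges and look at merchants instead: a merchant that bills many distinct cards exactly once each, always for a tiny amount, with almost no disputes, looks nothing like a real business. The following detection sketch is an added example for this post, not code from the FTC case or any card issuer; the ledger and the thresholds are constructed assumptions.

```python
"""Flag merchants whose charge pattern matches salami slicing: many cards,
each hit once, all small amounts, few disputes.
Added example; SAMPLE_TXNS is a constructed ledger, not real card data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    card: str       # tokenized card reference (constructed)
    merchant: str   # merchant descriptor as it appears on the statement
    amount: float   # charge in dollars
    disputed: bool  # did the cardholder contest it?


# Constructed sample ledger (assumption: one row per settled charge).
SAMPLE_TXNS = [
    # A shell-company descriptor: 8 cards, each charged once, tiny amounts, 1 dispute.
    *[Txn(f"card-{i:03}", "ACME-BILLING-SVC", amt, i == 3)
      for i, amt in enumerate([0.20, 0.99, 1.49, 2.00, 3.75, 5.10, 7.25, 9.99])],
    # A real coffee shop: 3 regulars, each buying 4 times.
    *[Txn(f"card-{i:03}", "CORNER COFFEE", 3.50, False)
      for i in (101, 102, 103) for _ in range(4)],
    # A real electronics store: a few large charges.
    Txn("card-201", "ELECTRONICS MART", 450.00, False),
    Txn("card-202", "ELECTRONICS MART", 899.99, True),
]


def salami_candidates(txns, max_amount=10.0, min_cards=5,
                      max_repeat_ratio=0.1, min_small_share=0.9,
                      max_dispute_rate=0.2):
    """Return {merchant: stats} for merchants whose small-charge traffic looks
    like slicing. All thresholds are assumed policy values for the example."""
    by_merchant = defaultdict(list)
    for t in txns:
        by_merchant[t.merchant].append(t)

    flagged = {}
    for merchant, rows in by_merchant.items():
        small = [t for t in rows if t.amount <= max_amount]
        if len(small) < min_cards:
            continue
        cards = {t.card for t in small}
        # 0.0 means every small charge went to a different card (one slice each);
        # a real shop with repeat customers scores much higher.
        repeat_ratio = 1.0 - len(cards) / len(small)
        small_share = len(small) / len(rows)
        dispute_rate = sum(t.disputed for t in small) / len(small)
        if (len(cards) >= min_cards
                and repeat_ratio <= max_repeat_ratio
                and small_share >= min_small_share
                and dispute_rate <= max_dispute_rate):
            flagged[merchant] = {
                "distinct_cards": len(cards),
                "repeat_ratio": round(repeat_ratio, 2),
                "dispute_rate": round(dispute_rate, 3),
                "total_taken": round(sum(t.amount for t in small), 2),
            }
    return flagged


if __name__ == "__main__":
    for merchant, stats in salami_candidates(SAMPLE_TXNS).items():
        print(merchant, stats)
```

On the constructed ledger only the shell descriptor is flagged: the coffee shop has small charges too, but its repeat ratio gives it away as a business with returning customers, and the electronics store has no small charges at all. In practice the same aggregation is run per descriptor across the issuer’s whole portfolio and over a rolling window, which is exactly the cross-customer view that an individual cardholder disputing a two-dollar charge can never have.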

Jun 20

Wanted - for destruction of society as we know it?

The subtitle of this blog promises reading to keep you up at night… so, here goes… aside from creating hot weather and giving us skin cancer, our Sun threatens our technological society in yet another, even scarier way. Solar activity can have a real effect on the Earth’s magnetic field, which in turn can wreak havoc with technological niceties such as GPS, radio communications, transpolar air travel and the electrical grid which makes our way of life possible.

And depending on whom you ask, the Sun may be preparing to get pissed… or maybe not… but if it is, we could all be affected.  Read on if you dare…


Jun 15

End of July?  Vegas?   Security folk and shady folk in one place?   Stifling heat?  You know I’m there… (If anyone points out that “it’s a dry heat” I reserve the right to throw something heavy and possibly explosive).

I’m planning a Vegas double header this July, attending both Security B-Sides and DefCon.  I’m planning to blog/tweet during the festivities and would love to meet up with any of my readers… dm me (@alberg) when you are there… and if you are not planning to attend, consider it – both of these events are great places to learn security-fu, meet your peers (as well as many people whom you would not typically meet up with), and for the corporate types amongst us (myself included), they are very cost effective uses of your training budget dollars.

Nickel slot machines, here I come!

Jun 13

As we all know, the Internet is a series of tubes invented by Al Gore to allow us to exchange cute cat pictures and pornography. This past week, a paper presented at the Ninth Workshop on the Economics of Information Security provided some really interesting insight into both the economics of the Internet pornography industry and more importantly, how those economics translate into security considerations.

The research in question was conducted by a team of researchers from the Technical University of Vienna, Institute Eurecom, and UC Santa Barbara.  A brief digression here… if I had been informed that conducting studies of Internet porn was an option, I definitely would have finished college and gone into academia.  We should let kids know about this so that they stay in school!


Jun 03

Apple, you're killing me!

If you ask people in my office what they hate about me, one of the items that is sure to show up on quite a few (long and varied) lists is my stubborn refusal to clear iPhones and iPads as corporate devices. Well, my stubbornness has been vindicated twice over…

First, a security researcher found that connecting a stock iPhone 3GS to a system running Ubuntu Linux gives read and write access to much of the content on the phone without having to enter the 4 digit phone PIN.

Now, Apple, in claiming that its flagship product is enterprise ready, tells us that the iPhone 3GS offers hardware-based encryption and uses AES 256 bit encoding to try to protect all data on the device. Encryption is always enabled and cannot be disabled by users. I guess that the Apple version of AES just happens to replace every character with the same exact character…

This morning, the situation developed further… further research by Heise Security in Germany showed that it was possible to gain complete access to all data on some iPhone 3Gs and 3GSes by connecting to them from a Windows system. The trick does not work every time on every phone, and it is still unclear what the exact conditions are which cause the vulnerability to manifest itself. When it does work, this vuln allows the attacker to create an iTunes backup of all of the information on the device. Not good.

