Category Archives: Security Awareness

How’s the security of your local city web site?

Filed under Security Awareness

I saw this news article tonight and had to laugh…

“We all recognize that the Web site is important to the community,” Mayor Roy Robinson said. “We’ve tried to save money to build our own Web site. We should be designating a certain amount of money to maintain and protect it in a professional manner.”

Yeah, you get what you pay for, guys! Basically, the local city web site got hacked. The article tried, unsuccessfully, to explain that the main page was compromised and that users were redirected to spyware/malware web sites. A Trojan horse in a database…huh? You have to love the media's interpretation of technical issues.

This is nothing new, right? Think about this though…how many other local communities cut the same corners to save some cash? Sure, it’s expensive to build and maintain a web site with security in mind, but these days can you really afford not to? As an example, several weeks ago I found a local city web site with security issues (and the ones I found were a bit more serious). Next time you get a chance to talk to your local community ward representative, ask them when they last had a security assessment done on the city web site, especially if it offers services vital to the community.


Online Social Networks: 5 threats and 5 ways to use them safely

Filed under Security Awareness

Last night I gave a talk at the Northeast Ohio Information Security Forum called “Online Social Networks: 5 threats and 5 ways to use them safely”. I spent the last few months doing research on various social networks, specifically MySpace, Facebook and LinkedIn. Many of us either use these sites or know others who do. The number of users of these sites has been increasing dramatically for several years. For example, MySpace was the most visited website in the US with more than 114 million global visitors in 2007, and Facebook increased its global unique visitor numbers by 270% last year alone. With this massive increase in usage, online social networking is now becoming the fastest growing area of privacy concerns and security threats.

My talk went over the top 5 emerging threats to online social networks and I also talked about 5 ways you can use these sites safely. You can download my presentation here. Be safe out there! :-)


The Honey Stick Project: Tracking Mobile Storage Devices

Filed under Security Awareness

[Image: Honey Pot!]

Here is a pretty cool project that I stumbled upon over at Security Catalyst. The concept is a “Honey Pot for mobile storage devices”, but in reality each mobile storage device (USB key, iPod, etc…) becomes its own “Honey Stick”, letting the researcher safely track how many people plug these devices into their computers. The hope is that by leaving these devices around in public areas, someone will pick them up…and plug them in. There is even a psychological aspect to this: the researcher, Scott Wright, is actually finding people who want to return the found devices to their owner!

While there may be some privacy concerns with conducting this type of public experiment, Scott seems to have done his homework on this project thus far. I am looking forward to reading more about his results as the experiment continues. He has results for his first “stream” here. Check out the Honey Stick Project web site for full details and information.


Social Networks and Personal Information

Filed under Security Awareness

[Image: LinkedIn]

Good post over at GNUCITIZEN today. They talk about how easy it would be for a hacker to social-engineer their way into LinkedIn connections and gather information about a potential business target, possibly even your company or business.

Social networking in general is very popular with security-minded and non-security-minded people alike. I use LinkedIn, as do many other security professionals, because of the obvious career benefits. Even a gray hat/black hat hacker can use LinkedIn to further a legitimate career in the corporate world, for example by earning a LinkedIn connection in return for doing a project for Hackers for Charity. It all comes down to what you perceive your “personal risk” to be in using a site like LinkedIn; the benefit may outweigh the risk in your case. Here are a few things you can do to help “minimize” your personal information exposure:

1. Do not make your LinkedIn profile public.
2. Only accept connections from people you know and/or have personally worked with.

These are not absolute rules: if you own your own business, you may want a public profile available to generate business. Again, it all depends on your personal risk assessment of your personal information.


Awareness and Social Engineering

Filed under Security Awareness

Good blog posts over at Episteme and Andy’s blog about employee awareness and social engineering. Teaching your employees not to trust people is a tall request, that’s for sure! Most businesses are built on employees trusting each other…as Andy mentions, you have to teach them to “trust, but verify”.

I conduct social engineering tests on a regular basis, and I can tell you from personal experience that it is just too easy to bypass security controls by talking your way in with a really good scenario. You will find that employees want to be helpful, almost too helpful at times…holding the door open for you so you don’t have to badge in, or giving complete strangers login credentials to applications, are just a few examples. All it takes is someone with enough guts to look and play the part of a fellow employee to take advantage of the human kindness that we all possess.

One thing that I advocate is testing your own employees. This does two things. First, it allows management to get an idea of how bad it really is! Seriously, once executive management sees the problem, it becomes much easier to communicate the issue with executive support behind you. Secondly, it raises awareness with your employees…even if you target just a small segment of them. I would bet that the next time you conducted a social engineering exercise on that same segment, you would get different results. People always seem to remember when they were duped by someone else. Don’t forget that word of a social engineering “test” spreads throughout the environment by word of mouth…all of this can be an advantage on the awareness front.

How do you test your own employees? Very carefully! Seriously, there may be many political boundaries that you will have to overcome, all dependent on your company culture. Start with a small segment…like your own department if you are in Information Security! Yes, test your own people…you might be surprised by the results. A very low-impact method to start with is a simple “phishing” simulation. Set up a simple web server and send out emails with embedded links to the web server you just configured. Track the results by parsing the web server log to see who clicked on the link. Strip out the IPs so the results are anonymous in your report. You can then put together a quick awareness piece showing the high-level statistics and send it to everyone you targeted. Simple and effective.


UK’s Biggest Data Breach Ever: HMRC

Filed under Security Awareness

As I am sure all of you are already aware…the UK recently had its biggest data breach ever: 25 million personal records (close to half of the population of the UK), which include names of children, the UK equivalent of the US SSN, addresses, and certain bank info. There is an interesting read about this incident over at IT Security Expert, who was personally affected by this HMRC breach (actually this is the second time for him now). I feel just like he does, as I have had my personal information (SSN and more) compromised by the US government twice this year already. I just received my “one year” of free credit monitoring from a third-party service. I could blog about how worthless one year of this service is (one year is not enough, by the way) and the problems I have already had with it, but I will leave that for later. Not sure if the UK government will give them the same type of service, but I hope it is a hell of a lot better than what the US government has given out.

It's sad how you, as a citizen of a country, can do everything you can to protect your identity. We buy shredders, check our credit reports, etc…but it’s the government of your country (whom you assume you can trust the most) that loses your personal data, and all you get is one crappy year of credit monitoring service.


Craigslist and your anonymity

Filed under Security Awareness

Stumbled upon a very good social experiment by another blogger today, in which he researched the identity of an “anonymous” Craigslist poster. While Craigslist does have a decent system for providing anonymous postings, it goes to show you that there is always going to be human error…or just plain stupidity. (Note the last link…this was a “sex baiting prank”, which goes to show you that people will gladly give out their personal information to complete strangers.)


Help protect your identity with RFID credit/debit card shields

Filed under Security Awareness
[Image: RFID tag in a debit card]

While checking out some security blogs the other day I came across a very good article over at the IT Security Expert blog with 15 tips to help reduce the risk of identity theft and fraud. One thing to add to that list: use an RFID shield for your RFID-enabled credit/debit cards.

RFID or “contactless” payment cards are being issued by more banks and are starting to be accepted at more merchants. I recently noticed that you can use your MasterCard PayPass RFID card at Sheetz gas stations and also at the local movie theater.

There have been several vulnerabilities (good paper here) and other security concerns regarding RFID, especially focused on privacy.

One example is something I saw when I was at the Blackhat conference in Las Vegas this past year. I was walking by one of the entrances to the conference areas and noticed a gentleman sitting with a laptop and a long-range wireless antenna (it looked like a Pringles can). On the antenna was a sticker that said “Your RF is showing”. I observed that he would also smirk when conference attendees passed him, and I took it that he was getting at least “some” identifying information from the RFID-enabled cards people had on them. In addition, I saw a great (but scary) presentation at Blackhat from Adam Laurie entitled “RFIDIOts!!! Practical RFID Hacking (Without Soldering Irons or Patent Attorneys)”. These two examples made me think that I should probably use some sort of protection while carrying these cards around.

The solution?
Yes, wrapping your cards in tin foil supposedly works, but it's not as sexy as a sleeve shield to put your cards in. A company called Identity Stronghold makes “Secure Sleeve” shields for ISO 14443/15693 and EPC Gen 1/Gen 2 contactless smart cards and RFID tags (which covers most cards issued by banks). You can check them out here. There is also a company that makes RFID-blocking wallets, which protect your entire wallet.

I highly recommend you check out Adam Laurie’s website, which has really good technical information about different types of RFID tags as well as software (written in Python) to read them. You can even buy the hardware needed to read RFID tags directly from his site.

If you ever get a chance to see Adam speak, do so…he is one of the leading RFID security researchers and a great presenter as well.


Would you answer these questions?

Filed under Security Awareness

Interesting post on the F-Secure Weblog about a recent PayPal phish. Take a look at the questions being asked. Do you think someone would fall for this? You bet! It is amazing to me that people will still give out all of this sensitive information when asked (click on the link below for a screen shot).

There is no cure for human stupidity except more education. :)

[Screenshot: Questions asked in a PayPal Phish]

How Gullible Can You Get? – F-Secure Weblog : News from the Lab


Phishing victims learn online security lesson

Filed under Security Awareness

Here is a good article about some research that was done at Carnegie Mellon University. They basically explain that by sending users phishing-type emails in a controlled environment, the users who are tricked into clicking on links in those emails become more receptive to learning about online security.

“…phishing is often successful because many people ignore educational material that might otherwise help them recognize such frauds.”

This is so true, especially in the corporate world. How many of your users actually read the propaganda that your IT security department sends out?

“…initial findings suggest that using the tricks of phishers, perhaps in a controlled environment, might be a good first step in educating users to protect themselves.”

I am a strong advocate of testing your own employees using the same tactics as the phishers. One idea that you can use in your organization: send your employees an email that looks like a phish, and when they click on the link it takes them to an awareness page that explains phishing techniques. This can easily be set up with an internal web server and an internal SMTP gateway. I am starting to put together a more detailed article on some ideas to increase security awareness about phishing. If you have some ideas, let's talk about them in the security forums (click below).
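The two pieces described in this post and in the earlier "Awareness and Social Engineering" post (a lure email with an embedded link to an internal web server, then parsing the server log to count clicks without identifying anyone) fit together as a small script. The following is an added example written for this page, not the author's own tooling or the CMU researchers' code. It assumes a hypothetical internal host awareness.corp.example and a standard "combined" access-log format; the per-recipient HMAC token is my addition so that each click can be counted once while the log itself never contains a name or address (only the campaign secret, kept by the tester, can map a token back to a person). The log lines and recipients are constructed sample data.

```python
"""Phishing-simulation helpers: tokenised lure links and anonymous click statistics.

Added example. Assumptions: hypothetical host awareness.corp.example serving the
awareness page, and Apache/nginx "combined" log format on that server.
"""
import hashlib
import hmac
import re
from email.message import EmailMessage

LANDING_HOST = "awareness.corp.example"   # hypothetical internal web server
LANDING_PATH = "/training"                # the awareness page explaining the phish


def make_token(campaign_secret: bytes, recipient: str) -> str:
    """Opaque per-recipient token; only the holder of the secret can reverse it."""
    digest = hmac.new(campaign_secret, recipient.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def build_lure(campaign_secret: bytes, recipient: str, sender: str) -> EmailMessage:
    """Build the look-alike phish; hand the result to smtplib against the internal gateway."""
    token = make_token(campaign_secret, recipient)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Action required: your password expires in 24 hours"
    msg.set_content(
        "Our records show your password expires tomorrow. Confirm your account here:\n"
        f"http://{LANDING_HOST}{LANDING_PATH}?t={token}\n"
    )
    return msg


# Combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TOKEN_RE = re.compile(r"[?&]t=([0-9a-f]{16})\b")


def clicked_tokens(log_lines):
    """Tokens that reached the landing page. The IP is parsed and deliberately discarded."""
    seen = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(LANDING_PATH):
            continue                      # static assets, probes, other pages
        t = TOKEN_RE.search(m.group("path"))
        if t:
            seen.add(t.group(1))          # a set, so reloads count once
    return seen


def campaign_stats(campaign_secret: bytes, recipients, log_lines) -> dict:
    """Anonymous summary for the awareness write-up: no names, no IPs, just counts."""
    expected = {make_token(campaign_secret, r) for r in recipients}
    hits = clicked_tokens(log_lines)
    clicked = hits & expected
    return {
        "sent": len(recipients),
        "clicked": len(clicked),
        "click_rate": round(len(clicked) / len(recipients), 3) if recipients else 0.0,
        # tokens not issued by this campaign: forwarded/altered links or someone poking at the server
        "unknown_tokens": len(hits - expected),
    }


# ---- constructed sample data -------------------------------------------------
SAMPLE_SECRET = b"constructed-campaign-secret"   # real runs: os.urandom(32), one per campaign
SAMPLE_TARGETS = [
    "alice@corp.example", "bob@corp.example", "carol@corp.example", "dave@corp.example",
]


def sample_log():
    """Constructed access-log lines: Alice clicks twice, Bob once, plus noise."""
    ta = make_token(SAMPLE_SECRET, "alice@corp.example")
    tb = make_token(SAMPLE_SECRET, "bob@corp.example")
    ua = '"-" "Mozilla/4.0"'
    return [
        f'10.1.2.3 - - [12/Oct/2007:09:01:10 -0400] "GET {LANDING_PATH}?t={ta} HTTP/1.1" 200 512 {ua}',
        f'10.1.2.3 - - [12/Oct/2007:09:01:11 -0400] "GET /favicon.ico HTTP/1.1" 404 0 {ua}',
        f'10.1.2.3 - - [12/Oct/2007:09:05:00 -0400] "GET {LANDING_PATH}?t={ta} HTTP/1.1" 200 512 {ua}',
        f'10.1.7.9 - - [12/Oct/2007:09:20:42 -0400] "GET {LANDING_PATH}?t={tb} HTTP/1.1" 200 512 {ua}',
        f'10.1.9.1 - - [12/Oct/2007:10:00:00 -0400] "GET {LANDING_PATH}?t=0000000000000000 HTTP/1.1" 200 512 "-" "curl/7.16"',
    ]


if __name__ == "__main__":
    print(build_lure(SAMPLE_SECRET, SAMPLE_TARGETS[0], "it-helpdesk@corp.example"))
    print(campaign_stats(SAMPLE_SECRET, SAMPLE_TARGETS, sample_log()))
```

The report that goes back to the targeted group is the dictionary from `campaign_stats` (sent, clicked, click rate), which is all the awareness piece needs. Keep the campaign secret out of the web server entirely: the landing page only has to display the explanation, and the log it writes is already anonymous to anyone who reads it without the secret.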
