“We all recognize that the Web site is important to the community,” Mayor Roy Robinson said. “We’ve tried to save money to build our own Web site. We should be designating a certain amount of money to maintain and protect it in a professional manner.”

Yeah, you get what you pay for guys! Basically, the local city web site got hacked. The article tried unsuccessfully to say that the main page was hacked and users were redirected to spyware/malware web sites. Trojan horse in a database…huh? Have to love the media interpretation of technical issues.

This is nothing new right? Think about this though…how many other local communities do the same thing to cut corners and save some cash? Sure it’s expensive to build and maintain a web site with security in mind but these days, can you really afford not to? I found a local city web site with security issues (while the one I found was a bit more serious) several weeks ago as an example. Next time you get a chance to talk to your local community ward representative ask them when they last had a security assessment done on the city web site, especially if they are offering services vital to the community.

My talk went over the top 5 emerging threats to online social networks and I also talked about 5 ways you can use these sites safely. You can download my presentation here. Be safe out there!

Here is a pretty cool project that I stumbled upon over at Security Catalyst. The concept is to have a “Honey Pot for mobile storage devices” but each mobile storage device (USB key, iPod, etc…) in reality becomes it’s own “Honey Stick” where the researcher can safely track how many people are plugging these devices into their computers. The hope is that by leaving these devices around in public areas, someone will pick them up..and plug them in. There is even a psychological aspect to this because the researcher, Scott Wright, is actually finding people that want to return these found devices to the owner!

While there may be some privacy concerns conducting this type of public experiment…Scott seems to have done his homework on this project thus far. I am looking forward to reading more about his results as the experiment continues. He has results for his first “stream” here. Check out the Honey Stick Project web site for full details and information.

Good post over at GNUCITIZEN today. They talk about how easy it would be for a hacker to social engineer their way into LinkedIn connections to get information about a potential business target, possibly even your company or business.

Social networking in general is very popular with security minded and non-security minded people. I use LinkedIn as well as many other security professionals because of the obvious career benefits. Even a gray hat/black hat hacker can use LinkedIn to further a legitimate career in the corporate world by getting a LinkedIn connection by doing a project for Hackers for Charity. It’s all about what you perceive your “personal risk” is associated with using a site like LinkedIn. The benefit may outweigh the risk in your case. Here are a few tips that you can do to help “minimize” your personal information exposure:

1. Do not make your LinkedIn profile public
2. Only accept connections from people you know and/or have personally worked with.

For example, if you own your own business you may want a public profile available to generate business. Again, this all depends on your personal risk assessment of your personal information.

I conduct social engineering tests on a regular basis and I can tell you from personal experience that it is just too easy to bypass security controls by talking your way in by coming up with a real good scenario. You will find that employees want to be helpful, almost too helpful at times…holding the door open for you so you don’t have to badge in, or giving complete strangers login credentials to applications are just a few examples. All it takes is someone with enough guts to look and play the part of a fellow employee to take advantage of human kindness that we all posses.

One thing that I advocate is to test your own employees. This does two things. First, it allows management to get an idea of how bad it really is! Seriously, once executive management sees the problem the easier it will be to communicate the issue with executive support. Secondly, it raises awareness with your employees..even if you target just a small segment of your employees. I would bet that the next time you conducted a social engineering exercise on that same segment, you would have different results. People always seem to remember when they were duped by someone else. Don’t forget that word about a social engineering “test” that was conducted spreads throughout the environment by word of mouth…all of this can be an advantage on the awareness front.

How do you test your own employees? Very carefully! Seriously, there may be many political boundaries that you will have to overcome which is all dependent on your company culture. Start with a small segment..like your own department if you are in Information Security! Yes, test your own people…you might be surprised by the results. A very low impact method to start with is to conduct a simple “phishing” simulation. Setup a simple web server and send out emails with embedded links to the web server you just configured. Track the results by parsing out the web server log of who clicked on the link. Strip out the IP’s so the results are anonymous in your report. You can then put together a quick awareness piece showing the high level statistics sent to everyone you targeted. Simple and effective.

Sad how you as a citizen of a country could do everything you can to protect your identity. We buy shredders, check our credit reports, etc…but it’s the government of your country (who you assume to trust the most) who loses your personal data and all you get is one crappy year of credit monitoring service.

While checking out some security blogs the other day I came across a very good article over at the IT Security Expert blog about 15 tips to help reduce the risk of identity theft and fraud. One thing to add to that list is to use an RFID shield for your RFID enabled credit/debit cards.

RFID or “contactless” payment cards are being issued by more banks and are starting to be accepted at more merchants. I actually noticed recently that you can use your MasterCard Paypass RFID card at Sheets gas stations and also at the local movie theater.

There have been several vulnerabilities (good paper here) and other security concerns regarding RFID especially focused on privacy.

One example I saw when I was at the Blackhat conference in Las Vegas this past year. I was walking by one of the entrances to the conference areas and noticed a gentleman sitting with a laptop and a long range wireless antenna (looks like a Pringles can). On the antenna was a sticker that said “Your RF is showing”. I observed that he would also smirk when conference attendees passed him and to me I took that he was getting at least “some” identifying information from RFID enabled cards people had on them. In addition, I saw a great (but scary) presentation at Blackhat from Adam Laurie entitled “RFIDIOts!!! Practical RFID Hacking (Without Soldering Irons or Patent Attorneys)“. These two examples made me think that I should probably use some sort of protection while carrying these cards around.

The solution?
Yes, wrapping your cards in tin foil supposedly works but its not as sexy as a sleeve shield to put your cards in. A company called Identity Stronghold makes “Secure Sleeve” shields for ISO 14443/15693 and EPC Gen 1/Gen 2 contactless smart cards and RFID tags (which most cards issued by banks are). You can check them out here. Also there is a company that makes RFID blocking wallets which protect your entire wallet.

I highly recommend you check out Adam Laurie’s website which has really good technical information about different types of RFID tags as well as software (written in Python) to read them. You can even buy the hardware needed to read RFID tags directly from his site.

If you ever get a chance to see Adam speak..do so..he is one of the leading RFID security researchers and a great presenter as well.

There is no cure for human stupidity except more education.

<%popup(20071009-SP32-20071009-102407.gif|713|711|Questions asked in a PayPal Phish)%>

How Gullible Can You Get? – F-Secure Weblog : News from the Lab

“…phishing is often successful because many people ignore educational material that might otherwise help them recognize such frauds.”

This is so true, especially in the corporate world. How many of your users actually read the propaganda that your IT security department sends out?

“…initial findings suggest that using the tricks of phishers, perhaps in a controlled environment, might be a good first step in educating users to protect themselves.”

I am a strong advocate of testing your own employees using the same tactics as the phishers. One idea that you can use for your organization….send your employees an email that looks like a phish, when they click on the link it takes the user to an awareness page that explains phishing techniques to them. This can easily be setup with a internal web server and an internal SMTP gateway. I am starting to put together a more detailed article on some ideas to increase security awareness about phishing. If you have some ideas, lets talk about them in the security forums (click below).