I got this message from Twitter saying that @Cayovaofficial had started following me.
Cayovaofficial? Never heard of him, her or them – but it’s always nice when you get a new follower, so I went and looked.
I’m puzzled. Now I know that I simply don’t understand modern networking, but really…
How on earth do you accumulate 32,640 Twitter followers when you have never produced a single tweet to follow? No, really, how do you do that?
I know I’m missing something, but for the life of me I don’t know what. Incidentally, I didn’t become the 32,641st follower.
It is with some irony that The Pirate Bay (TPB) came to the defense of Virgin Media (TalkTalk was also disrupted) after the ISP’s website was taken down by Anonymous.
11 May 2012
BeyondTrust acquires vulnerability management company eEye Digital Security
BeyondTrust, a company that provides privilege delegation and authorization systems with its PowerBroker suite of products, has acquired eEye Digital Security, developer of the Blink and Retina vulnerability management tools.
11 May 2012
Member and spokesperson for TeaMp0isoN arrested in Newcastle
A 17-year old has been arrested in Newcastle by the Police Central eCrime Unit (PCeU) and local Northumbrian Police officers for alleged offenses under the Computer Misuse Act.
11 May 2012
Winners and losers in European card fraud
FICO has produced an interactive map of Europe, showing the evolving European fraud landscape between 2006 and 2011.
10 May 2012
DigiNinja analyzes the Twitter hack, and offers password advice to web services
Yesterday we reported that 55,000 Twitter accounts have been leaked on Pastebin. Security researchers Anders Nilsson and Robin Wood have separately analyzed the dump.
10 May 2012
Queen’s Speech announces ‘measures… to access vital communications data’
As expected, the Queen’s Speech yesterday announced the intention of the UK Government to bring forward (during the current parliamentary session) measures to allow law enforcement and intelligence agencies access to ‘vital communications data’.
10 May 2012
Net neutrality becomes law in The Netherlands
The net neutrality provisions approved by the Dutch Parliament last June as part of its implementation of the European telecommunications package became law yesterday.
09 May 2012
False Facebook account leads to Principal’s resignation
Louise Losos, principal of Clayton High School, Missouri, has resigned following accusations that she created a false persona on Facebook and befriended hundreds of her own students.
09 May 2012
Twitter fights two information security battles
Twitter is in the unenviable position of being ‘attacked’ on all sides: while it tries to fight a subpoena demanding the account details of Occupy protestor Malcolm Harris, hackers release thousands of user logon details on Pastebin.
09 May 2012
Analysis shows social networks increasingly used to spread malware
In its latest monthly analysis of the most prevalent malware, GFI describes how social networks remain the most popular breeding ground for infections.
08 May 2012
“Good on ya’ Mozilla”, says Sophos about Firefox
Firefox is developing a new feature called ‘click-to-play’ designed to provide additional protection for web browsing – but not everyone thinks this is necessarily useful.
08 May 2012
Syrian activists targeted with RATs
There have been several recent examples of Syrian activists being tricked into downloading and installing remote access tools (RATs) that secretly hand control of their computers to a third party.
08 May 2012
PandaLabs malware report – and the balance between law enforcement and user
Almost one-in-four computers in the UK is infected – and the UK is one of the least infected countries in the world, says the new PandaLabs report released today.
07 May 2012
My news stories on Infosecurity Magazine for Thursday 8 March and Friday 9 March…
Rogue anti-virus up and Kelihos botnet is back
GFI Software’s report for February highlights two main issues: the incidence of rogue anti-virus is continuing to increase; and the Kelihos botnet ‘taken down’ last year is resurgent.
09 March 2012
Today’s #FFF hack by Anonymous is a police equipment store
Anonymous has vowed to do a hack every Friday, calling it the #FFF campaign. Today AntiSec defaced the New York Ironworks, a police equipment supplier that describes itself as ‘NYC’s finest police equipment & tactical op’s gear store.’
09 March 2012
Vatican website DDoS’d by Anonymous
Following the AntiSec attack on PandaLabs on Tuesday, Anonymous ‘besieged’ Vatican websites on Wednesday – probably with a DDoS attack.
09 March 2012
CPA may help local authorities reduce data loss
Becrypt’s DISK Protect full-disk encryption product is the first commercial product to be granted CPA certification. By encrypting local authority laptops, it may help prevent the continuous leakage of personal data.
08 March 2012
Fake social network profiles take advantage of social ‘face bragging’
Most people have a desire to demonstrate that their own friend list is bigger than their friends’ friend lists – and it’s exposing them to fake friends.
08 March 2012
EDPS delivers Opinion on the EU data protection reforms
The European Data Protection Supervisor Peter Hustinx has delivered his formal Opinion on the current EU data protection reforms; and finds them wanting. He starts with the “EDPS applauds…” and ends with “but…”
08 March 2012
Eighteen months ago we had news of a sophisticated attack against Google. It became known as the Aurora attack and it spawned a new term: advanced persistent threat, or APT. It may or may not have had the direction, connivance or knowledge of the Chinese government. But it made us rethink the threat landscape.
A year ago we heard about Stuxnet, a new intricate attack originally targeting the Iranian nuclear programme. This too may or may not have had government direction, connivance or knowledge. But again, we had to rethink the landscape: the unhackable, computers not even attached to the internet, had become hackable.
A few months ago, one of the world’s leading security companies, RSA, was breached and SecurID tokens were compromised. A while later, Lockheed Martin and Northrop Grumman, two leading US defence companies, were both attacked with the stolen RSA data. Another new development – the implication is that the RSA attack was a planned precursor of the defence attacks – and once again the finger has been pointed at China.
What can we conclude from all this? That cybercrime has been taken over by government cyber warfare agencies? Well, yes and no. Cybercrime today is a PPP, a public/private partnership, with freelance cybercriminals employed by and selling to government agencies. And these same criminals also work for highly organized criminal gangs.
Do we deduce, then, that our security industry has failed us? Again, yes and no. The security industry failed in these and many more instances. But without that industry, without the anti-malware companies, without our firewalls and filters and intrusion prevention, it would be chaos. The security industry stops far more than it lets through.
But what does get through is now so sophisticated that many security experts privately admit that there is no defence against a determined, targeted attack. And if the big companies, and even security companies, cannot defend themselves, what hope is there for the rest of us? Dr Kevin Curran, a lecturer in computer science and senior member of the IEEE, told me in a conversation about the recent Sony hacks, “There’s nothing we can do to stop a targeted attack. We’re all vulnerable.”
So, do we load ourselves up with layers of cyber defences, and then just hope? Do we have to accept that if our name is on the bullet, that’s it? That if a foreign government wants our inventions for its own industry we have to accept it? That if a criminal gang wants our card details for themselves they will take them?
No, we don’t have to, and shouldn’t, just give up. There is a common factor, a common weak link exploited by all hackers; and if we strengthen that link, we will do much to prevent the attacks. What is this weak link? It’s you. It’s me. It’s all of us. It’s Joe User.
Joe User is both the cause and the solution. We have to change our behaviour. Consider these details from the Spanish anti-malware company Panda Labs.
It shows the type of successful malware attack currently out there. Similar graphs could be drawn for the different types of email scam or spam. Others could be drawn for categories of phish attacks. Endless graphs could be drawn to help us understand the threats we face from the e-criminals. But there is one statistic always left off. 100% of all these attacks depend upon just one element. Joe User.
If we were to include Joe User’s involvement in these attack graphs, he would always stand at 100%. Think about this. Not one single successful hack from the nerd in his bedroom to the Russian Mafia to the secretive government cyberwarfare agency has ever succeeded without the conscious or unconscious connivance of Joe. Joe, of course, is the single user at his desk in the corner, or working on the train going home – but he is equally the body corporate. It may be that he doesn’t do what he should, or does do something he shouldn’t; he might do it willingly or unwillingly or in ignorance – but if that act of collusion doesn’t happen, then the hacker can’t get in.
The hacker is like a vampire at the door. If Joe doesn’t invite him in, he can’t get in. But if Joe does let him in, he’ll own you, and he’ll bleed you dry. And the good hacker won’t even leave a shadow while he’s doing it.
We can illustrate this with a reconstruction of the way in which the Aurora attack was probably perpetrated. The attackers first chose their target. How? Possibly by using a business network like LinkedIn. Try it yourself. Choose any company and check it on LinkedIn. You’ll get a list of many of the internet-active employees, and probably which department they work in or what they do. Choose the person most likely to have good access to the corporate network or have direct knowledge of the company information you want to steal. Then switch to Facebook. See if he is there – probably he, or she, is. You already know what Joe does; now you can find out what he likes. Who his friends are. What interests him outside of work.
Now you have to hack one of those friends. It’s not as hard as you would hope. For example, there are long lists of stolen passwords available to the criminal. Maybe an innocuous gaming site was hacked, and user details stolen. From Sony, perhaps. Sony seems to have stored Joe’s password in plaintext. If you can find your friend-target on one of these lists, the chances are, because we all do it, don’t we, he’s using the same password throughout the internet.
So now we can own Joe User’s friend’s Facebook account. We already know what Joe does, and we now know what interests him – and we’re his friend.
The next step is to forge a personal message from the friend, based around something of mutual interest to both parties. The intent is to get Joe to visit a particular site that we have already compromised. Again, that’s not too difficult – drive-by downloading from compromised sites is one of the cybercriminals’ current weapons of choice. But this is where the hacker might play his trump card – the use of a zero-day vulnerability in Joe’s browser.
The problem with zero-day vulnerabilities is that the security industry doesn’t know anything about them. We don’t even know how many there are. In this instance it was an unknown vulnerability in the old browser (IE6) that Joe was still using; and it was just one of a string of doors left open. This open door allowed the hacker to install a Trojan on Joe’s network – a Trojan designed to find and quietly steal information.
Joe left the doors open – an open invitation to the hacker – and the hacker quietly slipped in. And we all do it, all of the time. We do the wrong things. We click on bad links in emails we receive, we open attachments and we respond to spam. On the internet we get carried away and visit dubious sites using old and unpatched browsers, and we allow scripts to run willy-nilly rather than blocking them with something like a combination of the latest version of Firefox and NoScript. In short, we trust the internet to do us no harm, when we really shouldn’t.
And then there’s social networking, a Pandora’s Box of goodies for the hacker. Where there are privacy options, we ignore them, and upload vast amounts of personal and sensitive and often embarrassing information. We indulge in ‘my Friend List is bigger than your Friend List’, becoming a friend or contact or follower of any stranger that asks – and then, because it’s a social network, we trust those strangers as if they really are long-lost buddies from school.
But it’s not just a case of actively doing the wrong thing.
We also fail to do the right thing. Too many of us are still not using adequate and up-to-date anti-malware and firewall defences. We forget to patch or update our software when the supplier issues an update to solve a vulnerability, leaving that software vulnerable to the hacker. In short, we behave with insufficient paranoia about the internet. Paranoia is the best security defence.
Joe Corporate is no better. He often fails to develop and enforce a strict security policy. He forgets the importance of adequate provisioning and deprovisioning procedures – sometimes giving Joe User greater privileges than necessary, and not taking them away again fast enough; allowing disaffected Joe User to become Joe Hacker. He almost invariably fails to encrypt sensitive data, and once again fails the paranoia test.
So are we saying that all cybercrime could be stopped if every Joe only did the right thing? Yes, we are. Are we saying it will ever happen? No. It won’t. But the fact remains that e-crime would be dramatically reduced if more of us users were less inviting to the criminals. We need to take a leaf out of physical policing and architecture: crime prevention through environmental design, known as CPTED. We make our systems so difficult to penetrate that the criminals go elsewhere. And if there’s nowhere else to go, they give up. That’s the theory. But if Joe continually opens or leaves open the doors, then no amount of other defences will help.
Security is a partnership – a partnership between the company defences supplied by the security industry, and Joe’s personal practices. We need anti-virus products, and firewalls and intrusion detection and content filters; but more than anything we need Joe User to behave in a responsible manner. Cybercrime, whether it emanates from the lone computer nerd in his bedroom or a nation state’s cyberwarfare agency, can only be defeated if Joe User closes the door in the face of hackers.
That means we need to take security awareness more seriously. The message is simple: to defeat cybercrime, companies need to spend as much time, effort and money on educating Joe User as they do on buying security products. It’s not an either/or situation. We need both. But at the moment, Joe User is the weakest link.
Chilling words from the Prime Minister today:
Mr Speaker, everyone watching these horrific actions will be struck by how they were organised via social media.
Free flow of information can be used for good [eg, Egypt and the Arab Spring?]. But it can also be used for ill [eg, London?].
And when people are using social media for violence we need to stop them.
So we are working with the Police, the intelligence services and industry to look at whether it would be right to stop people communicating via these websites and services when we know they are plotting violence, disorder and criminality.
Despite the long history of Europe, it seems that we have yet to learn that killing the messenger doesn’t solve the problem.
Here’s a puzzle. How do you change ‘CAMERON’ to ‘BLAIR’?
Here’s a clue. It can only be done by reducing Cameron.
Today is, I understand, Safer Internet Day.
I have to admit to being very confused about all of this. Yes, we as parents and adults, need to protect innocent children. But I can’t help thinking we sometimes take this too far. Today, Kaspersky Labs has released data compiled by a YouGov survey. The provided headlines include:
As many as 43% of people have online ‘friends’ that they have never met…
I believe that most adults (and this particular statistic talks about ‘people’, not ‘children’) use social networking at least as much for business networking as for personal networking. Consider LinkedIn. I have hundreds of ‘contacts’ (the equivalent of Facebook’s ‘friends’) whom I value exceedingly, but whom I have never actually met in real life. So I am absolutely amazed that as few as “43% of people have online ‘friends’ that they have never met” – I would have expected the figure to be well above 90%.
Around half (49 per cent) of parents with children under 18 who have internet-enabled mobile devices don’t monitor their children’s mobile web habits
Well, from the age of 12 to 18 at least every second thought I had was of a sexual nature. In those days it was called ‘growing up’. And from the age of 14 onwards (and probably a bit earlier) there would have been hell to pay if I had suspected that my parents were ‘spying’ on me. Let’s face it, you can get married without parental consent, on your sixteenth birthday in Scotland. So we have this strange anomaly, where for commercial reasons the industry, and for political reasons the government, have to hype up the dangers of the internet; who then say ‘we can solve the problem for you, by selling you restrictive software (industry) and limiting your freedoms (government).’ But in doing so, they remove responsibility from parents, who then don’t bother teaching their children; and they remove liberty from all of us until we accept the Nanny State.
Surely the solution has to be in talking and explaining and educating; and not in monitoring and spying and distrust. In fairness, Kaspersky is aware of the dangers:
…With young people generally regarding their mobile phone as personal and private, for the 51 per cent of parents who do supervise their children’s mobile phone habits, there is the risk of such behaviour being seen as upsetting and invasive by their children.
“We also believe that technology alone is not the answer, which is why our dedicated website http://www.kaspersky.co.uk/safer contains advice and guidance for parents, guardians and children. Protecting young people online means talking to them about the dangers and giving them the confidence and control they need to surf safely,” said Malcolm Tuck, managing director of Kaspersky Lab UK.
I would say absolutely that the function of the security industry (where children are concerned) is to educate both children and parents. It must never be to take the place of parental responsibility.
I had a Direct Message tweet from a friend and work colleague. It didn’t ring true – see for yourself:
If anyone offers you a free iPhone, RUN!
But curiosity is a wonderful, if dangerous, thing. I had a look. First warning came from Bit.Ly. Multiple shortenings are things bad guys sometimes do to fool us:
But I persisted. I went there anyway (protected by NoScript) and asked both Web of Trust (WOT) and McAfee TrustedSource for their opinion. WOT was not very reassuring:
And McAfee was positively damning:
…specifically associating the website with phishing attempts. I’m sure glad I didn’t tread in it!
But what it does mean is that my friend and colleague has been hacked. And when I think about it, I know very little about Twitter hacks. So I asked Kaspersky’s Ram Herkanaidu to explain things to me.
“This type of attack is nothing new,” he said. “The criminals know the potential of Twitter as an infection vector, and social networks in general are an increasingly effective way for cybercriminals to deliver malware. In this instance, the account used for spamming would have had its password stolen, and the victim will not know anything about it until the criminals start using it.”
OK; but how do the criminals go about stealing Twitter credentials?
“This is typically done using malware; many spy or password stealing Trojans can get this information,” he explained. “There are also numerous offers on the black market for stolen Twitter accounts. Another way is to use Twitter’s trending topics. They monitor the latest buzz words and use that to get people to click on the links. These lead to sites which host malware. A typical way is to tell the user that they do not have the right codec (converter) to play a video. By clicking ‘Yes’ to install the codec it actually downloads the malware.”
In other words, apart from standard spyware, a common way to steal Twitter credentials is to use Twitter! So how do we defend ourselves? I asked Ram Herkanaidu for his top tips; and he said:
- Don’t respond to trending topics, especially if they come with a short URL.
- Use a preview extension to see what the real URL is.
- Pay special attention to any tweets coming with 2 or more trending topics in the body, since these are highly likely to be malicious.
- Use a good Internet security suite.
- Use ‘https’, i.e. an encrypted connection, to log in to Twitter.
- Try to avoid logging in from open (not encrypted) WiFi networks.
- Don’t log in from a public PC available at airports, Internet cafés and elsewhere.
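One way to act on the ‘preview the real URL’ and ‘multiple shortenings’ points above without opening the link in a browser, as an added example that is not part of the original post or of Kaspersky’s advice: it follows each redirect hop with a HEAD request and reports the whole chain and its final destination. The shortener hostnames in SHORTENERS and the redirect table in CONSTRUCTED_HOPS are constructed sample data, not authoritative lists.

```python
"""Preview where a chain of shortened URLs really leads without opening the
final page.  Added example, not code from the original post: it sends HEAD
requests (or uses an injected lookup offline), follows each 3xx Location
one hop at a time, and flags chains that stack several shorteners, loop,
or never stop redirecting.  SHORTENERS and CONSTRUCTED_HOPS are constructed
sample data, not authoritative lists."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse to follow redirects so that each hop is visible to the caller.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url, timeout=5.0):
    """Return the Location header of a redirect response for url, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")  # 2xx: no further hop
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:  # urllib raises for the unfollowed 3xx
            return err.headers.get("Location")
        raise


def unshorten(url, fetch=head_location, max_hops=MAX_HOPS):
    """Follow redirects from url and return (chain, verdict)."""
    chain = [url]
    truncated = False
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if not location:
            break  # final page reached
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            truncated = True  # redirect loop
            break
        chain.append(nxt)
    else:
        truncated = True  # still redirecting after max_hops
    shortener_hops = sum(
        1 for u in chain[:-1] if (urlparse(u).hostname or "").lower() in SHORTENERS
    )
    return chain, {
        "hops": len(chain) - 1,
        "shortener_hops": shortener_hops,
        "truncated": truncated,
        "final": chain[-1],
        # Several shorteners stacked, or a chain that never resolves, is the
        # pattern worth a second look before anyone clicks.
        "suspicious": shortener_hops >= 2 or truncated,
    }


# Constructed redirect table standing in for live HEAD requests (offline demo).
CONSTRUCTED_HOPS = {
    "http://bit.ly/AAAA": "http://tinyurl.com/BBBB",
    "http://tinyurl.com/BBBB": "http://is.gd/CCCC",
    "http://is.gd/CCCC": "/claim",  # relative Location header
    "http://is.gd/claim": "http://free-iphone.example/claim",
    "http://free-iphone.example/claim": None,  # 200 OK, no redirect
    "http://bit.ly/LOOP": "http://t.co/LOOP2",
    "http://t.co/LOOP2": "http://bit.ly/LOOP",  # loops back on itself
}


def demo_fetch(url):
    """Offline stand-in for head_location, backed by CONSTRUCTED_HOPS."""
    return CONSTRUCTED_HOPS.get(url)


if __name__ == "__main__":
    for start in ("http://bit.ly/AAAA", "http://bit.ly/LOOP"):
        chain, verdict = unshorten(start, fetch=demo_fetch)
        print(" -> ".join(chain))
        print(verdict)
```

Pass a real short URL to unshorten() with the default fetch to run it live; only HEAD requests are sent and the final page is never retrieved.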
Banning social networks at work is a mistake on three counts:
- it misses a trick on staff morale
- it misses several tricks on free marketing
- prohibition doesn’t work anyway
The solution is to mitigate the dangers and control the use rather than prohibit it completely. The problem is: how?
Well it requires some pretty sophisticated monitoring and control over a large number of loose ends on a wide range of social systems. Enter FaceTime’s new Socialite, a system that provides an extended set of feature and content controls for more than 1,000 social networks. In the three leading social networks, Facebook, LinkedIn and Twitter, Socialite provides control for 95 distinct activity and content features, and can also moderate and archive content to ensure that only pre-approved content is shared.
The rapid growth in social media has moved business communications beyond the corporate firewall and into the public domain. The control and management of collaborative communications is now a priority for many organisations as they struggle to come to grips with tightening regulatory and compliance standards, particularly in the financial services sector. Socialite addresses these challenges by offering comprehensive control and management over the wide variety of social media channels, integrating seamlessly with existing IT infrastructures.
Nick Sears, VP EMEA, FaceTime Communications
- Identity Management: the ability to establish a single corporate identity and track users across multiple social media platforms e.g. @SarahFaceTime on Twitter and Sarah Louise Carter on LinkedIn
- Data leak prevention: preventing sensitive data from leaving the company, either maliciously or inadvertently
- Granular Application Control: enabling the access to Facebook and its thousands of “applets” by category or individual application
- Activity control: the ability to manage access to features, such as who can read, like, comment upon or access 95 distinct features on Facebook, LinkedIn or Twitter
- Moderator control: can be applied to Facebook, LinkedIn and Twitter where content is required to be pre-approved by a corporate communications officer or other third-party
- Log conversation and content: capture all posts, messages and commentary made to Facebook, LinkedIn and Twitter in context, as well as exporting to an archive of choice for eDiscovery
Code 9 was first noticed a few years ago. It is simply a silent warning that “I cannot speak freely, I’m not alone”. But PandaLabs is warning that it is back on Facebook; and it is simplicity itself. If you cannot speak freely because an adult or guardian is nearby, just type or mention the number ‘9’, followed by ‘99’ when the coast is clear.
Interestingly, when you visit the profiles and pages created to spread ‘Code 9’ and you look at the followers and friends, there are hardly any youngsters, in fact quite the opposite, which gives an indication as to the sort of people who are interested in distributing this type of information.
Luis Corrons, Technical Director of PandaLabs
So what can you do? Basically you have two options: you can use legal spyware to spy on your kids and check up on what they’re doing on the internet, or you can develop a trusted relationship with your kids. Luis Corrons is of the latter opinion: “We always advise that the best way to achieve this is for parents and children to have a relationship based on trust, so it is not necessary to be constantly monitoring kids while they’re on social networks and the like.”
But if you want my opinion you can find it here:
- More legal spyware to spy on your kids
- Spy on your kids: show them how much you trust them
- Targeted advertising has got a long way to go
Is there a silly season for security bloggers? You’d expect not, since most are not reliant on advertising (mainly because they can’t get any); nor do cybercriminals tend to adhere to any summer recess. You would expect, therefore, that the quantity and quality of security blogs would remain constant throughout the year.
But what if there were a silly season? What would we talk about? I know! Facebook and the dangers of social networking. That’s always good for a few paragraphs, even if we’ve said it all before, and just yesterday. I certainly said it yesterday as part of the article, the art of social engineering (a few paragraphs near the end).
And this afternoon, Trend Micro is saying it in a special whitepaper called Security Guide to Social Networks by David Sancho.
This document will cover the most common areas of attack using social networks and will recommend ways of minimizing risks. The goal of this paper is not to stop you from participating in social networks but to enable you to use them more safely.
Sancho then discusses the vast caverns of data that can be mined, the huge networks of contacts that can be developed, and the seemingly unending stream of software flaws that can be exploited on social networks. He concludes with two primary pieces of advice:
- you should only publish information that you are perfectly comfortable with, depending on what you want to accomplish.
- [you should] add only people you trust to your contact list.
The silly thing about this advice is that it is so damn obvious and so damn ignored!
And this evening, Lancope is also saying it. “IT administrators should be aware of the following productivity and security issues associated with social networking sites such as Facebook…” It then goes on to list:
- Workplace Productivity Issues – Facebook Chat and games such as Mafia Wars and Farmville can add up to huge losses in worker productivity…
- Phishing – Attackers can leverage personal information found on social networking sites…
- Flash-based Vulnerabilities in Games – Web 2.0 technology has led to an amazingly rich and unfortunately fragile world of games…
- Information Leakage – Corporations need to reinforce their policies on proprietary information disclosure…
- Network Impact – Organizations with large concentrations of users can see a significant network impact…
It must be the silly season because we’re beginning to say the same things over and over again. But the really silly thing is that we still need to.