Posts

Researcher Proves Your Friend Isn’t Your Friend

I’ve said numerous times that there’s too much trust in the Facebook world. People have entirely dropped their sense of cynicism when logged on. Apparently, they see no reason to distrust. Generally, your “friends” are people who you “know, like and trust.” In this world, your guard is as down as it will ever be. You can be in the safety of your own home or office, hanging with people from all over the world, in big cities and little towns, and never feel that you have to watch your back.

Computerworld reports, “Hundreds of people in the information security, military and intelligence fields recently found themselves with egg on their faces after sharing personal information with a fictitious Navy cyberthreat analyst named ‘Robin Sage,’ whose profile on prominent social networking sites was created by a security researcher to illustrate the risks of social networking.”

Apparently, one of the easiest ways to gain acceptance as a trusted colleague is to be an attractive woman. I recently wrote about “Sandra Appiah,” a curvy lady who sent me a friend request. She had already friended two of my buddies, who accepted because they already had two friends in common. She had posted questionable photos of herself. Red flag? But my buds didn’t seem to see it the way I did.

The security researcher set up profiles on Facebook, LinkedIn and Twitter. “Then he established connections with some 300 men and women from the U.S. military, intelligence agencies, information security companies and government contractors.”

Steve Stasiukonis, another ethical hacker, took it to the next level. He used a similar technique and, with permission, infiltrated a company’s network to test their security. By creating a group on Facebook, he was able to access employees’ profiles.

He set up his own employee persona with a fake company badge, business cards, a shirt embroidered with the company logo, and a laptop. “Upon entering the building, he was immediately greeted by reception. He then displayed fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within seconds, he was provided a place to sit, a connection to the Internet, and a 24×7 card access key to the building.”

Social media can be, and is being, used as a smokescreen. The idea behind social media is that we are social creatures who thrive in community and want to connect. The problem is that this ideal is based on the mindset that we are all sheep and there are no wolves.

When mama told you not to talk to strangers, there was wisdom in that advice. When you friend people you don’t know, you are friending a stranger and going against mom’s advice.

Robert Siciliano, personal security and identity theft expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)

Spies Among Us

The term “spy” conjures ideas about “foreign operatives,” “moles” and James Bond. You might envision forged IDs, fake passports and fraudulently issued government sponsored papers. When spies were recently exposed and caught in the United States, it was kind of surreal for me, since some of them lived right here in Boston.

Back in the day, spies used advanced covert technology, typically a hidden or shrunken version of something more common and accessible. Today, the same technology exists, and it’s cheap and mostly manufactured in China. Lighters, pens, just about any small, seemingly benign object you can think of can contain a video or audio recording device. Tiny flash or thumb drives are capable of storing gigabytes of data.

The eleven Russian spies who were recently nabbed used a lot of the same equipment that you and I use today, including laptops, flash memory cards, and cell phones, but with a twist. One of the spies would set up a laptop in a coffee shop on a regular basis, and the FBI noticed that on Wednesdays, a van driven by a Russian official would go by. The FBI determined that when the van passed the coffee shop, the two laptops exchanged data directly over a private (ad hoc) wireless link, never touching the shop’s access point or the Internet. The discovery was made using commercially available WiFi sniffing technology. Apparently, the data was transferred this way to avoid the detection that sending it over the Internet would risk.
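What a sniffer can show here is the pattern rather than the content: two stations talking to each other without going through an access point, on a recurring schedule. The script below is an added example, not code from the original post and not the FBI’s tooling. It assumes a sniffer has already reduced each 802.11 data frame to a timestamp, the ToDS/FromDS flag bits, and the source and destination MAC addresses; the frames, MAC addresses and dates are constructed for the example.

```python
"""Spot a recurring direct (station-to-station) Wi-Fi exchange in sniffer records.

Added example; not from the original post and not the FBI's tooling.
It assumes a sniffer has already reduced each 802.11 data frame to
(timestamp, ToDS bit, FromDS bit, source MAC, destination MAC). Frames with
ToDS=0 and FromDS=0 never pass through an access point, which is how a
laptop-to-laptop (ad hoc) exchange looks on the air. The records below are
constructed for the example, not real captures.
"""
from collections import defaultdict
from datetime import datetime

LAPTOP = "00:11:22:33:44:55"   # constructed MAC: the coffee-shop laptop
VAN = "66:77:88:99:aa:bb"      # constructed MAC: the device in the passing van
AP = "c0:ff:ee:00:00:01"       # constructed MAC: the shop's access point
OTHER = "de:ad:be:ef:00:01"    # constructed MAC: an unrelated one-off peer

SAMPLE_FRAMES = [
    # (timestamp, to_ds, from_ds, src, dst)
    ("2010-06-02T10:05:00", 1, 0, LAPTOP, AP),     # ordinary traffic via the AP
    ("2010-06-02T10:31:10", 0, 0, LAPTOP, VAN),    # Wednesday, direct
    ("2010-06-02T10:31:12", 0, 0, VAN, LAPTOP),
    ("2010-06-05T14:00:00", 0, 0, LAPTOP, OTHER),  # Saturday, one-off direct frame
    ("2010-06-09T10:29:55", 0, 0, LAPTOP, VAN),    # Wednesday again
    ("2010-06-16T10:33:02", 0, 0, VAN, LAPTOP),    # and again
    ("2010-06-16T11:00:00", 0, 1, AP, LAPTOP),     # ordinary traffic via the AP
]


def direct_frames(frames):
    """Keep only frames that did not traverse an access point (ToDS=0, FromDS=0)."""
    return [f for f in frames if f[1] == 0 and f[2] == 0]


def find_recurring_direct_peers(frames, min_occurrences=2):
    """Return peer pairs that exchange direct frames on the same weekday repeatedly.

    Each hit is (peer_a, peer_b, weekday, sorted dates); a pair is reported
    once per weekday on which it met on at least min_occurrences distinct dates.
    """
    by_pair = defaultdict(lambda: defaultdict(set))  # pair -> weekday -> {dates}
    for ts, _to_ds, _from_ds, src, dst in direct_frames(frames):
        when = datetime.fromisoformat(ts)
        pair = tuple(sorted((src, dst)))             # direction does not matter
        by_pair[pair][when.strftime("%A")].add(when.date())
    hits = []
    for (a, b), weekdays in by_pair.items():
        for weekday, dates in weekdays.items():
            if len(dates) >= min_occurrences:
                hits.append((a, b, weekday, sorted(dates)))
    return sorted(hits)


if __name__ == "__main__":
    for a, b, weekday, dates in find_recurring_direct_peers(SAMPLE_FRAMES):
        print(f"{a} <-> {b} talk directly every {weekday}: {len(dates)} dates, first {dates[0]}")
```

Only the laptop/van pair survives: it meets on three Wednesdays, while the Saturday frame to the unrelated peer is a single occurrence and the access-point traffic is filtered out before counting. Raising min_occurrences is how you trade missed early detections for fewer false alarms.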

The phones the spies used were prepaid mobile phones with no contract, which are often paid for with cash so the user can avoid being identified. After a few uses, they toss the phone and get a new number to avoid detection.

And the availability of fake identification makes it so easy to pose as someone else. Do an online search for “fake ids” and you’ll be amazed to discover how easy it can be to obtain an ID or passport. Or how easy it can be for someone else to obtain an ID that would allow him or her to pose as you. Some websites peddle poor quality cards, others offer excellent quality, and many websites are simply scams.

The fact is, most of our existing identification systems are insufficiently secure, and our identifying documents are easily copied. Anyone with a computer, scanner, and printer can recreate an ID. Outdated systems exacerbate the problem by making it too easy to obtain a real ID at the DMV, with either legitimate or falsified information.

In the end, the spies were caught with a combination of high tech surveillance and gumshoe police work. The Boston Globe reports that in 2005, FBI agents found a password written on a piece of paper while searching the home of one of the spies. This allowed agents to decode more than a hundred messages between the spies and their government.

Unless we effectively identify who is who, using secure documentation, it’s spy business as usual.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses spies using fraudulent passports on Fox News. Disclosures

Privacy Laws for Kids Online

Numerous privacy groups are urging the FTC to update its rules under the Children’s Online Privacy Protection Act of 1998. The primary goal of the Children’s Online Privacy Protection Act, or COPPA, is to give parents control over what information is collected from their children online and how such information may be used.

Jeff Chester, Executive Director of the Center for Digital Democracy said, “The Commission should enact new rules for COPPA that draw upon its current investigations into behavioral marketing and other current digital advertising practices. It’s time for the FTC to do a better job of protecting the privacy of children online.”

The Internet today isn’t what it was in 1998. Back in the day, when dial-up – the online equivalent of a horse and buggy – was the only means of getting around, the risks weren’t as great as they are now. The speed of technology has outpaced the security of information and the learning curve of users. Over time, many web operators conveniently forget the rules, choose to do things their own way, and then apologize when they are accused of doing something wrong.

The original COPPA was designed around websites that sell merchandise. Today, we have social media, Second Life, online gaming sites, and smartphones that can access the Internet anywhere, anytime.

The report states, “several start-ups…are experimenting with ways to use cell phones to bridge the digital and physical worlds and turn the tasks of everyday life, like buying coffee and running errands, into a game.” Many major companies are taking advantage of these applications for promotional purposes. A major fast food chain, for example, offers a soda and sandwich to people who “check in” three times. This company is also able to “use the data they collect from people’s cell phones to learn more about who their customers are and how they behave.”

Geolocation poses a particular privacy threat. Information collected through geolocation is especially sensitive, since it can allow a child to be physically located and contacted wherever he or she is, at any time. Parents need to know when it is collected and be able to spot misuse.

The descriptively named website PleaseRobMe.com aggregates real time location information that users have voluntarily shared on Twitter in order to bring attention to the potential problems with this type of sharing.

The risks are magnified for children, who will often fail to comprehend the significance of sharing personal information. And when a child’s location is collected automatically, neither the parent nor the child is aware that this information is being shared, nor are they given the opportunity to consent or refuse to consent to such data collection.

Kids are plugged in all day, which means it’s imperative that parents understand how these technologies are slowly infiltrating children’s lives in ways that we couldn’t possibly have imagined a decade ago. Hopefully, more transparency and oversight of the wild, wild web will keep new technologies in check, and your kids more secure. A great site to help educate you and your kids is www.WiredKids.org.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses child predators online on Fox News. Disclosures

Using Honeypots to Better Understand Security

When you think “honeypot,” images of that lovable furry bear, Winnie the Pooh, may come to mind. Pooh loved him some honey. And whenever he stumbled upon a pot of honey, he gorged himself on that sugary goodness until he passed out. Yum.

But in technology terms, a honeypot is a trap set to detect, deflect, or somehow counteract unauthorized use of information systems. Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a larger network but is actually isolated and has no legitimate users, so any connection to it is suspect by definition. (You may have seen reality shows where police set up a bicycle in front of a store and stake it out until someone steals the bike, then tackle and arrest the thief. A honeypot is similar, but without the tackling and arresting.)

Honeypots are tools used by researchers and security professionals to monitor the behaviors of criminal hackers and viruses, allowing the researchers to gather intelligence on how they operate. In this way, researchers can gain an understanding of the motivations and methods a hacker would use. This process helps developers think like the bad guy, giving them a better understanding of the necessary security needed to prevent and counter attacks.
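The simplest honeypot that still produces that intelligence is a fake network service: it answers with a plausible banner, records who connected and what they sent, and never acts on the input. The following is an added example, not code from the original post or from any honeypot product. The service banner and host name are invented, and the built-in probe only exists so the listener can be exercised on the loopback interface; a honeypot meant to attract real attackers belongs on an isolated lab host, not on a machine you care about.

```python
"""Minimal low-interaction TCP honeypot.

Added example; not code from the original post. It mimics a service just
well enough to be probed (a fake banner), records every connection and the
first bytes sent, and never does anything with the input. The banner and
host name are invented. Nothing here is hardened for exposure to the real
Internet; run it on an isolated lab host or network.
"""
import socket
import threading
import time

BANNER = b"220 mail.example.test ESMTP ready\r\n"  # hypothetical service banner
MAX_CAPTURE = 512  # bytes of attacker input kept per connection


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0, banner=BANNER):
        self.banner = banner
        self.events = []                  # (timestamp, peer_ip, peer_port, payload)
        self._lock = threading.Lock()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]  # port 0 lets the OS pick a free one
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while True:
            try:
                conn, peer = self._sock.accept()
            except OSError:
                return  # listening socket closed by stop()
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(3.0)  # scanners that connect and send nothing still get logged
            payload = b""
            try:
                conn.sendall(self.banner)
                payload = conn.recv(MAX_CAPTURE)
            except (socket.timeout, OSError):
                pass
            with self._lock:
                self.events.append((time.time(), peer[0], peer[1], payload))

    def wait_for_events(self, n, timeout=5.0):
        """Block until n events are recorded or the timeout passes; True on success."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.02)
        return False

    def summary(self):
        """Probe count per source IP: the kind of intelligence a honeypot is for."""
        counts = {}
        with self._lock:
            for _, ip, _, _ in self.events:
                counts[ip] = counts.get(ip, 0) + 1
        return counts

    def stop(self):
        try:
            self._sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self._sock.close()


def probe(port, data=b"EHLO scanner\r\n", host="127.0.0.1"):
    """Play the attacker for a self-test: connect, read the banner, send data."""
    with socket.create_connection((host, port), timeout=3.0) as s:
        banner = s.recv(1024)
        s.sendall(data)
    return banner


if __name__ == "__main__":
    hp = Honeypot().start()
    print("banner seen by attacker:", probe(hp.port))
    hp.wait_for_events(1)
    print("recorded:", hp.events)
    print("per-source summary:", hp.summary())
    hp.stop()
```

Because nothing legitimate should ever connect, every event is worth reading: the payload tells you which protocol the scanner assumed, and the per-source counts tell you who keeps coming back.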

When intuitive security professionals develop a honeypot mindset, they can anticipate the bad guy’s next move. They make numerous predictions about what he will do next and put redundant systems in place to prevent him from doing his job. This becomes second nature for some.

I’d recommend a similar strategy for your own personal security. When it comes to protecting yourself, think about your surroundings and what might make you a target. If you are processing a credit card transaction, think about how risky it may be and what to do in response to those risks. Before you leave your home, visualize the paths of least resistance into your house and what should be done to secure it.

Bad guys don’t play by the same rules we do. But if you understand their game and anticipate their next move, you can beat them.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses another data breach on Fox News. Disclosures

Are Contactless Payment Methods Secure?

“Contactless,” in this context, refers to the use of a wireless device. A payment is contactless when, instead of swiping or inserting your credit or debit card, you hold your card or keychain device within a few inches of the terminal, and your payment information is sent and processed wirelessly.

Contactless payments offer a faster and more convenient alternative to cash for small purchases at fast food restaurants, convenience stores, and transport terminals. They are also ideal for remote or unattended payment situations, such as vending machines, road tolls, or parking meters. So far, I haven’t seen a report of bad guys exploiting contactless payment systems.

Hackers, whether they’re black hat (bad guys) or white hat (security professionals), are always looking for vulnerabilities in technology. The bad guys’ intentions are to exploit these vulnerabilities for ill-gotten gain, and the security professionals’ are to make the technology more secure.

A white hat hacker demonstrated some of the vulnerabilities of early contactless technologies for Canada’s CBC News. However, these demonstrations took place in unrealistic settings, and the IT professional went to great lengths to concoct scenarios in which this payment processing method could lead to fraud. These scenarios encourage fear, uncertainty, and doubt, without providing any tangible testing value.

In response to the question of security in contactless technology, the Smart Card Alliance stated, “Contactless smart card technology includes strong security features optimized for applications involving payment and identities. Every day tens of millions of people around the world safely use contactless technology in their passports, identity cards and transit fare cards for secure, fast and convenient transactions. Multiple layers of security protect these transactions, making them safe for consumers and merchants. Some of these features are in the contactless smart card chip and some are in the same networks that protect traditional credit and debit card transactions.”
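One of those on-chip layers is worth seeing in code, because it is the difference between the demonstrations the post criticizes and a real attack: the chip signs every transaction with a key that never leaves it, over a counter and a number the terminal chooses, so data sniffed from one tap cannot be replayed. The model below is an added example, not code from the original post, from the Smart Card Alliance, or from any card scheme; it is written in the spirit of EMV’s application cryptogram but deliberately simplified, with one shared HMAC key standing in for the real key hierarchy. The message layout, class names and the test card number are inventions of the example.

```python
"""Why a sniffed contactless transaction does not replay: a simplified model.

Added example; not code from the original post or from any card scheme or
vendor. It models one of the "multiple layers" the Smart Card Alliance
describes: a cryptogram the chip computes fresh for every transaction over
a counter and a terminal challenge, in the spirit of EMV's application
cryptogram. Deliberately simplified: one shared HMAC key stands in for the
real key hierarchy, and the message layout and test PAN are inventions.
"""
import hashlib
import hmac
import os


def _cryptogram(key, pan, atc, amount_cents, un):
    """MAC over the transaction data; only a holder of the key can produce it."""
    msg = f"{pan}|{atc}|{amount_cents}|{un.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Chip side: a key that never leaves the card and a counter that only goes up."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0  # application transaction counter

    def pay(self, amount_cents, un):
        self.atc += 1
        ac = _cryptogram(self._key, self.pan, self.atc, amount_cents, un)
        # This dict is everything that crosses the air and could be sniffed.
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents, "un": un, "ac": ac}


class Terminal:
    """Merchant side: contributes a fresh unpredictable number to each transaction."""

    @staticmethod
    def challenge():
        return os.urandom(4)


class Issuer:
    """Bank side: knows each card's key and the highest counter it has accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue(self, pan):
        key = os.urandom(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Card(pan, key)

    def authorize(self, tx, terminal_un):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "decline: unknown card"
        expected = _cryptogram(key, tx["pan"], tx["atc"], tx["amount"], terminal_un)
        if not hmac.compare_digest(expected, tx["ac"]):
            return "decline: cryptogram does not match this terminal's challenge and amount"
        if tx["atc"] <= self._last_atc[tx["pan"]]:
            return "decline: counter already used (replay)"
        self._last_atc[tx["pan"]] = tx["atc"]
        return "approved"


def magstripe_authorize(known_pans, pan):
    """Contrast: static stripe data carries no freshness, so a copy works every time."""
    return "approved" if pan in known_pans else "decline: unknown card"


def demo():
    """Run the attack scenarios and return each outcome."""
    issuer = Issuer()
    card = issuer.issue("4111111111111111")  # well-known test PAN, not a real account
    un = Terminal.challenge()
    tx = card.pay(1_250, un)
    sniffed = dict(tx)                        # what an eavesdropper walks away with
    results = {"genuine": issuer.authorize(tx, un)}
    results["replay_same_channel"] = issuer.authorize(sniffed, un)
    results["replay_new_terminal"] = issuer.authorize(sniffed, Terminal.challenge())
    results["amount_tampered"] = issuer.authorize(dict(sniffed, amount=5), un)
    un2 = Terminal.challenge()
    results["next_genuine"] = issuer.authorize(card.pay(300, un2), un2)
    results["stripe_clone"] = magstripe_authorize({"4111111111111111"}, sniffed["pan"])
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:22} {outcome}")
```

The sniffed tuple is rejected twice over: at a new terminal the challenge differs so the cryptogram fails, and on the original channel the counter has already been used. The last line of the demo is the point of the contrast with magnetic stripes: static data authorizes as often as it is presented.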

A researcher can manipulate tests in a controlled environment and create a desired outcome that seems to establish vulnerability, but there’s a big difference between that type of demonstration and real world penetration testing. To date, there is no such thing as 100% perfect security, and my guess is that there will never be. With that in mind, it is essential that the good guys continue to work towards that goal, impossible as it may be, and to expose flaws that they find, but they should do it responsibly.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses on CNBC. Disclosures

Mobile Phone Spyware Resellers Arrested

Spyware is sold legally in the United States. This software records chats, emails, websites visited, usernames and passwords, and basically everything a person does on that PC. Some spyware programs can record everything in a video file that can then be accessed remotely.

This is all perfectly legal as long as the PC’s owner is the one installing the software on a machine they own. Installing spyware on a computer that is not your own is illegal. (Monitoring adult employees on company machines is governed by policy and local law, so check both before installing it there.) Spyware can be useful if, for example, you have a twelve-year-old daughter who obsessively chats online and you want to know with whom she’s chatting, or if you have employees whose productivity is less than satisfactory and you want to check whether they’re watching YouTube all day.

Spyware also comes in the form of a virus, which essentially does the same thing. When you click a malicious link or install a program that is infected with malicious software, numerous types of spyware can be installed as well.

Mobile phone spyware is relatively new and is quickly grabbing headlines. As PCs shrink to the size of a smartphone, spyware continues to evolve with this trend.

Apparently, cell phone spyware is illegal in Romania, since the Romanian Directorate for Investigating Organized Crime and Terrorism recently arrested fifty individuals, including “businessmen, doctors, and engineers, in addition to a judge, government official, police officer, and former member of Parliament,” who have been accused of monitoring cell phone communications of their spouses and competitors, among others, using off-the-shelf software.

Spyware can be installed on your cell phone remotely or directly. To protect your phone, never click on links in texts or emails, which may point to malicious downloads. Always have your phone with you; never let it out of your sight or let anyone else use it. Make sure your phone requires a password or PIN to unlock. If your phone is locked, it is much harder for someone with physical access to install spyware.

If your phone is behaving oddly or you have some other reason to suspect that it contains spyware, restore it to factory settings or reinstall the phone’s operating system, and change the passwords for any accounts used on it afterwards. Consult your user manual or call your carrier’s customer service for step-by-step help with this process.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America. Disclosures

National Strategy for Online Identification

The Internet has become a fundamental aspect of most of our lives. It goes beyond social media, online shopping, and banking. Critical infrastructures like water, sewer, electricity, and even our roadways all rely on the Internet to some degree.

The Internet’s weak link is the difficulty in reliably identifying individuals. When online, our identities are determined by IP addresses, cookies, and various “keys” and passwords, most of which are susceptible to tampering and fraud. We need a better strategy.

Howard A. Schmidt, the Cybersecurity Coordinator and Special Assistant to the President, points to The National Strategy for Trusted Identities in Cyberspace (NSTIC), which was developed in response to one of the near term action items in the President’s Cyberspace Policy Review. The NSTIC calls for the creation of an online environment where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the infrastructure that facilitates the transaction.

The primary goal is to build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation.

The National Strategy for Trusted Identities in Cyberspace is a document released to the public for comment. The Department of Homeland Security has posted the draft at www.nstic.ideascale.com, and will be collecting comments from any interested members of the general public.

Offline, there are currently dozens of identification technologies in play that go beyond the simplicity of Social Security numbers, birth certificates, driver’s licenses, and passports.

These include smart cards, mobile phones, and biometrics such as facial recognition, ear canal recognition, fingerprints, hand geometry, vein recognition, voice recognition, and dynamic biometrics, among others. In a future post, we will go into more detail on each. However, there is no consistent standard in the United States to date. In the near future, we may see the adoption of some of these technologies to properly identify who is who.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses Social Security Numbers as National IDs on Fox News. Disclosures

Why You Need to Pay Attention to Credit Card Statements

Despite what silly James Bond-esque credit card commercials may imply, credit card companies don’t really protect you to the degree you expect. If a credit card company detects irregular spending on your credit card, it may freeze your account or call to verify your identity. While these measures do help secure your card to an extent, they cannot prevent or detect all types of credit card fraud.

The Federal Trade Commission recently filed a lawsuit describing a criminal enterprise responsible for “micro charges,” fraudulent charges ranging from 20 cents to $10, to as many as one million credit cards since approximately 2006. Because the amounts were low, most of the fraud went unnoticed by cardholders. Money mules were used to divert the funds to Eastern European countries. (“Money mules” are typically individuals who are recruited to assist in a criminal enterprise via help wanted advertisements on job placement websites. In this case, the mules believed they were applying to be financial services managers.) These mules opened numerous LLCs and bank accounts. They also set up websites with toll free numbers, creating an apparently legitimate web presence. Thanks to this facade, the websites were granted merchant status, allowing them to process credit card orders.

The victims of this scam would see the fictional merchant’s name and toll free number on their credit card statements. If they attempted to dispute a charge, the toll free numbers would go to voicemail or be disconnected. Most frustrated consumers may not bother to take the additional step of disputing a 20 cent charge with the credit card company.

The money mules involved in this scam have been located, but the true scammers have yet to be identified.

If you fail to recognize and dispute unauthorized transactions on your credit card statements, you take responsibility for the fraudulent charges. While 20 cents may not seem worth the bother, these seemingly minor charges are certainly funding criminal activity, and perhaps even terrorism. So take the time to scrutinize those charges every single month.
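Scrutinizing a statement for this kind of fraud is mechanical enough to script: pull out every charge in the 20-cent-to-$10 band, drop the merchants you recognize, and group what is left by descriptor so a tiny charge that recurs month after month stands out. The script below is an added example, not code from the original post or from the FTC. It assumes a statement exported as CSV with date, merchant descriptor, phone number and amount, a column layout invented for the example (real exports differ), and the statement lines and trusted-merchant list are constructed sample data.

```python
"""Flag micro-charges on a card statement.

Added example; not from the original post or the FTC. It assumes a statement
exported as CSV with date, merchant descriptor, phone number and amount (a
layout invented for this example; real exports differ). It flags charges in
the $0.20-$10 band the FTC complaint described that come from merchants you
have not whitelisted, and groups them by descriptor so a $0.25 charge that
recurs every month stands out. The statement below is constructed sample data.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal

MICRO_MIN = Decimal("0.20")
MICRO_MAX = Decimal("10.00")

SAMPLE_STATEMENT = """\
date,merchant,phone,amount
2010-05-03,GROCERY MART #12,,84.17
2010-05-09,WEB*SVCS LLC,800-555-0142,0.25
2010-05-21,GAS N GO,,41.00
2010-06-09,WEB*SVCS LLC,800-555-0142,0.25
2010-06-15,COFFEE HOUSE,,3.75
2010-06-20,ACME DIGITAL SVC,800-555-0199,9.99
"""

# Merchants the cardholder recognizes; small charges from these are not flagged.
TRUSTED_MERCHANTS = {"GROCERY MART #12", "GAS N GO", "COFFEE HOUSE"}


def parse_statement(text):
    """Parse the CSV export into rows with Decimal amounts (never floats for money)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"date": row["date"].strip(), "merchant": row["merchant"].strip(),
                     "phone": row["phone"].strip(), "amount": Decimal(row["amount"])})
    return rows


def is_micro(amount):
    """True if the amount sits in the band the micro-charge scheme used."""
    return MICRO_MIN <= Decimal(amount) <= MICRO_MAX


def flag_micro_charges(rows, trusted):
    """Group untrusted micro-charges by merchant descriptor; recurring ones are the tell."""
    by_merchant = defaultdict(list)
    for r in rows:
        if is_micro(r["amount"]) and r["merchant"] not in trusted:
            by_merchant[r["merchant"]].append(r)
    report = []
    for merchant, charges in sorted(by_merchant.items()):
        months = sorted({c["date"][:7] for c in charges})
        report.append({"merchant": merchant, "phone": charges[0]["phone"],
                       "count": len(charges), "total": sum(c["amount"] for c in charges),
                       "months": months, "recurring": len(months) > 1})
    return report


if __name__ == "__main__":
    for item in flag_micro_charges(parse_statement(SAMPLE_STATEMENT), TRUSTED_MERCHANTS):
        tag = "RECURRING" if item["recurring"] else "one-off"
        print(f"{item['merchant']:18} {item['phone']:13} x{item['count']} "
              f"${item['total']} {tag} {', '.join(item['months'])}")
```

The $3.75 coffee is in the band but whitelisted, so it drops out; the two unknown descriptors with toll-free numbers are exactly what to call, and when the number goes to voicemail, what to dispute with the card issuer.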

Robert Siciliano, personal security adviser to Just Ask Gemalto, discusses credit card fraud on NBC Boston. (Disclosures)

Giving Your Credit Card to a Hotel? Watch Your Statements.

Personally, I don’t particularly enjoy staying in hotels. Sure, after a long day of travel, the hotel is a relief, but in most cases, I’d much rather sleep in my own bed. Criminal hackers, on the other hand, love hotels.

According to a recent study, 38% of all credit card breaches occur in hotels. Despite several high profile breaches that recently affected payment processors and banks, the financial services industry only accounts for 19% of breaches. Retailers came in third at 14%, and restaurants fourth at 13%.

Over the past five years or so, I’ve noticed a trend in which criminals go after the most likely targets, and those victims beef up their defenses in response. So the bad guys move on to the next most likely target – one that hasn’t learned from others’ mistakes.

Hotels are easy targets because their business runs entirely on credit cards. It is possible to reserve a room without providing a credit card number, but they don’t make it easy. And hotels themselves certainly aren’t fortresses designed to keep bad guys out. They’re designed to be open and inviting, with, at best, a bellman whose focus is assisting guests rather than guarding the front door. Maybe that mentality exists in hotels’ IT security departments, too.

The root of the issue is the hotel industry’s insufficient security measures to prevent data breaches. Many rely on older point of sale terminals and outdated operating systems, which are more vulnerable to hackers. When the recession hit, many hotels cut back and decided to hold off on upgrades. While their defenses were down, hackers slithered into their networks to steal guests’ personal financial data. Once thieves have accessed this data, they can clone cards with the stolen numbers and use them to make unauthorized charges.

As a consumer, your only recourse is to pay close attention to every single penny charged to your credit card, and dispute any fraudulent or incorrect transactions, no matter how small. Check your statements frequently and be sure to dispute all unauthorized charges within two billing cycles, or 60 days of the statement on which the charge first appears; after that window, the issuer is no longer required to investigate.

Canada and Mexico have adopted smart cards, which use “chip and PIN” technology, making a cloned copy of the card data useless at a chip-reading terminal (it does nothing against online, card-not-present fraud, so statement checking still matters). Eventually we may see the adoption of smart cards in the U.S., which would put an end to this particular madness.

Robert Siciliano, personal security adviser to Just Ask Gemalto, discusses hackers hacking hotels on CNBC. (Disclosures)

Adobe a Target for Criminal Hackers

We all know and love Adobe products. Their PDFs have become as ubiquitous as .DOC, .TXT and .XLS. Most PCs include Adobe Reader as bundled software. The Adobe Flash media player is the easiest, most user-friendly online video player on the planet and is required by the most popular video site, YouTube.

Brad Arkin, Adobe’s director for product security and privacy, recently commented, “We’re in the security spotlight right now. There’s no denying that the security community is really focused on ubiquitous third-party products like ours. We’re cross-platform, on all these different kinds of devices, so yes, we’re in the spotlight.”

Adobe, in response, is doing everything a responsible software developer should do.

Adobe is in the same boat today that Microsoft found itself in years ago. Ground zero. Hack central. Criminal hackers love it. Adobe’s software or files are used on almost every PC and across all operating systems. Every browser requires a program to open PDFs, and many websites either link to PDFs or incorporate Flash to play video or for aesthetic reasons. According to an estimate from McAfee, in the first quarter of this year, 28% of all exploit-carrying malware leveraged a Reader vulnerability.
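Exploit-carrying PDFs almost always need the document to do something when it is opened: run JavaScript, fire an OpenAction or page action, launch a program, or unpack an embedded file. Counting those markers is the first thing a malware analyst does with a suspicious PDF, and it takes no PDF parser. The script below is an added example, not code from the original post, from Adobe, or from McAfee. It scans raw bytes, undoes the #xx name escaping attackers use to hide /JavaScript from naive string matching, and the two PDFs are constructed samples (the “malicious” one merely pops an alert).

```python
"""Triage a PDF for the active-content features exploit-carrying PDFs lean on.

Added example; not from the original post, Adobe, or McAfee. It does not
parse the PDF object model: it normalises hex-escaped names (attackers
write /J#61vaScript to dodge naive string matching) and counts the names
that make a document act when opened. A hit is a reason to look harder,
not proof of malice; plenty of legitimate forms use JavaScript. Both
sample documents below are constructed for the example.
"""
import re

SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia", "/XFA")

SAMPLE_MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample, does nothing')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SAMPLE_BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 720 Td (Hello, reader) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalise_names(data):
    """Decode #xx escapes inside PDF names so /J#61vaScript reads /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_features(data):
    """Count each suspicious name (delimiter-terminated, so /JS does not match /JSX)."""
    data = normalise_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, data))
    counts["objects"] = len(re.findall(rb"\d+\s+\d+\s+obj\b", data))
    counts["streams"] = len(re.findall(rb"\bstream\b", data))  # \b excludes 'endstream'
    return counts


def verdict(counts):
    """Turn the counts into a triage label; an action wired to opening is the worst sign."""
    scripted = counts["/JavaScript"] or counts["/JS"] or counts["/Launch"]
    automatic = counts["/OpenAction"] or counts["/AA"]
    if scripted and automatic:
        return "high: script or launch action wired to open/page events"
    if scripted:
        return "medium: script or launch action present"
    if automatic or counts["/EmbeddedFile"] or counts["/RichMedia"] or counts["/XFA"]:
        return "low: automatic action or embedded content, inspect"
    return "none: no active-content markers"


if __name__ == "__main__":
    for label, doc in (("malicious sample", SAMPLE_MALICIOUS_PDF), ("benign sample", SAMPLE_BENIGN_PDF)):
        c = count_features(doc)
        print(label, {k: v for k, v in c.items() if v}, "->", verdict(c))
```

The escaped name in object 4 is the obfuscation that defeats a plain grep for /JavaScript; decoding names before counting is what makes the triage honest. Anything that scores medium or high is what you then open in a sandboxed, fully patched Reader, which is the practical reason the updater settings discussed below matter.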

While attention from the criminal hacking community has certainly been a burden to Adobe, the same attention is now being paid by the white hat hackers, the good guys. The security community is now actively involved in the reporting of bugs and vulnerabilities, which is helping Adobe tighten up. Fortunately, Adobe is learning from their current situation and is actively engaged in resolving these issues. They’ve created a better, more frequent software updating tool for each of their programs, including Flash and Adobe Reader. As difficult a situation as this may be, Adobe is handling it very well.

“Application security” is an often-used term for the practice of putting software through a series of “penetration tests” during the development cycle, designed to seek out vulnerabilities that could be exploited in the field. Adobe’s process now includes their Secure Product Lifecycle (SPLC) to seek out and squash those issues. It is important to understand that flaws, bugs, holes, vulnerabilities, or whatever you call them, are often detected only after the launch of software. While both developers and criminals have many of the same tools, the bad guys seem to have an edge and are often able to exploit those flaws before developers can find and fix them. Adobe, however, is beginning to turn the tide on the bad guys.

If you function in a Microsoft Windows environment, you should be aware of “Windows Update” and have it set to automatically download and install your operating system’s critical security patches. Updating Reader and Flash is separate from Windows Update, but Adobe’s built-in updater can also be set to automatic, and I’d suggest that most users do so. If you have an older version of Reader, which may not include an automatic update option, you should head directly to Adobe.com to download the current software.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)