Hacking archives - CIO Symmetry


Dec 9 2008   9:11PM GMT

Recent FBI vishing scam warning an old issue



Posted by: Kristen Caretta
Security, Hacking, VoIP, CIO, Midmarket CIO

Last Friday, the FBI issued a warning about a security vulnerability that cybercriminals could use to run vishing telephone scams.

Vishing (phishing by voice) uses Voice over IP (VoIP) features to trick people into handing over company or personal information over the phone. In this case, the flaw was found in a free and widely used open source PBX toolkit, Asterisk.

According to a posting on the Internet Crime Complaint Center (IC3) site, hackers who gain access to a vulnerable system and exploit the Asterisk flaw can potentially auto-dial thousands of people in an hour.

Security risk news spreads like wildfire and the FBI vishing warning was no exception — bloggers everywhere began weighing in. It was quickly learned, however, that the security scuttlebutt was actually an old issue.

According to a Digium blog post, the bug was originally found in March (AST-2008-003, a SIP guest permissions problem) and was patched for the 1.2 and 1.4 versions of the software (1.6 releases were not vulnerable). The bug did not allow arbitrary setting of caller ID and would work only in a limited set of circumstances.

It sounds quite similar to telephone scams we already know about, no VoIP hacking necessary! The Federal Communications Commission already warns us about everything from the Mexico Collect Call Scam to the 90# Telephone scam.

Just another reminder to keep your information safe by making your passwords stronger … and to do your homework before reacting to reports of new exploits.
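The Digium post's description of the bug (a SIP guest permissions problem) is a reminder of how an Asterisk box ends up dialing on someone else's behalf: anonymous SIP callers are accepted and land in a dialplan context that can reach an outbound trunk. The fragments below are an added example and are not taken from the Digium post, the FBI warning or the Asterisk advisory; the file layout, the peer name `1001` and the trunk name `sip-trunk` are assumptions for illustration. They show the permissive setup next to a hardened one. Note that these settings limit what an anonymous caller can do but are no substitute for applying the vendor patch.

```ini
; Added example, not from the original page or from Digium.
; Two Asterisk configuration fragments: a permissive setup that lets
; unauthenticated SIP "guest" calls reach an outbound trunk, then a hardened one.
; Peer name "1001" and trunk name "sip-trunk" are assumed for illustration.

; ===== weak: sip.conf =====
[general]
allowguest=yes          ; INVITEs from unknown peers are accepted (chan_sip's default)
context=default         ; ...and dropped into the same context as real phones

; ===== weak: extensions.conf =====
[default]
; the catch-all pattern matches any dialed number, so an anonymous caller
; can push calls out through the trunk (this is the "auto-dial thousands" setup)
exten => _X.,1,Dial(SIP/sip-trunk/${EXTEN})

; ===== hardened: sip.conf =====
[general]
allowguest=no           ; reject INVITEs from unknown peers outright
context=from-guest      ; if guests must be allowed, land them in a dead-end context
alwaysauthreject=yes    ; same rejection for unknown user and wrong password (no username enumeration)

[1001]                  ; an authenticated phone
type=friend
secret=replace-with-a-strong-secret   ; placeholder; use a real per-device secret
context=internal        ; only authenticated peers reach outbound dialing

; ===== hardened: extensions.conf =====
[from-guest]
exten => _X.,1,Hangup()                        ; guests cannot dial anything

[internal]
exten => _1XXX,1,Dial(SIP/${EXTEN})            ; internal four-digit extensions
exten => _9NXXNXXXXXX,1,Dial(SIP/sip-trunk/${EXTEN:1})   ; outbound via trunk, 9 prefix stripped
```

The important separation is between the context anonymous callers land in (`from-guest`, which can only hang up) and the context that contains a `Dial()` through the trunk (`internal`, reachable only after SIP authentication). Even with `allowguest=no`, keeping the guest context harmless is cheap insurance against a future bug that lets a caller slip past the peer match.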

Oct 17 2008   2:20PM GMT

Microsoft hosts midmarket CIOs – Vote for the biggest CIO challenge



Posted by: Anne McCrory
Hacking, Outsourcing, CIO, Blogs, Microsoft, Midmarket CIO, CIO Jobs

A midmarket CIO’s challenges are many, and I’m always amazed by the stories I hear when I’m out on the road meeting many of you.

This week I touched down in Redmond for Microsoft’s US Midsize Business CIO Summit, an invitation-only event for about 400 midmarket CIOs. It’s a press-free conference, but I was privileged to be a speaker and thus join the technology glitterati on site.

My conversations covered a lot of topics, but what I’ll share with you here is a sampling of the folks I met. If you think your job is tough, consider those of these CIOs – then I’ll ask you to vote or share your story of trying circumstances.

- The CIO for a firm that conducts clinical trials. He has five staff in the U.S. and 25 in Europe. Based on the West Coast, he had just spent over a week on the road, first in London and then in Russia, then came directly to the conference. At home he’s on calls early in the morning and late in the evening, syncing up with staff around the world. Challenges? Language, culture. … He absolutely wasn’t griping about the travel or the hours (he didn’t even look tired!) and I know he’s hardly alone in living such a global lifestyle. But to me that seemed the most challenging part.

- The CIO who was hired to bring a food distributor into the 21st century. The company had all sorts of aging or aged systems – but the hard part was when this maverick CIO announced capabilities he wanted to roll out to the employee base. The CEO told him that sales reps were not going to use computers. Period.

- The CIO who had endured several offshoring contracts (some negotiated by his parent company), all with ill effects. In one case, employees at a provider hacked into his systems; in another, a key offshore contact left for another firm just after completing his Oracle training in the U.S. Meanwhile, he grappled with undeveloped infrastructure – he couldn’t get a switch for a new plant he was building — and bureaucrats who promised fixes and then didn’t deliver.

Do you relate to any of these experiences or have your own story of obstacles to share? Vote below for the one that seems most challenging and feel free to offer advice to the CIOs in question.


Oct 17 2008   2:11PM GMT

2009 cybersecurity threats revealed – wah waaah



Posted by: Kristen Caretta
Security, Hacking, VoIP, CIO, DataCenter, Web 2.0, Midmarket CIO

You know that new iPhone you got? Or the Android order you put in? Well, not to get all Debbie Downer on you, but your sexy smartphone is a security threat.

The Georgia Tech Information Security Center (GTISC) announced the release of the Emerging Cyber Threats Report for 2009. The report, a useful aid to overall awareness and protection, outlines security concerns and risks for consumer and enterprise Internet users. So what's your mobile device got to do with it? Cell phones will become members of botnets.

In the GTISC report, Patrick Traynor, an assistant professor of computer science at Georgia Tech and member of the GTISC, delves into the “digital wallet” smartphone concept (smartphones store personal identity and payment information). He says smartphones will be injected with malware — when this happens, “large cellular botnets could then be used to perpetrate a DoS attack against the core of the cellular network.” The good news? Traynor goes on to say it will provide an opportunity to design security properly for the quickly evolving mobile communications sector.

The overall threat areas to be aware of, according to the report, are malware, botnets, cyberwarfare, threats to VoIP and mobile devices and the evolution of the cybercrime economy. The driving force behind all the attacks? The data.

The cybercrime community (a mafia of sorts, if you will) will be utilizing our recent advancements in social networking to cloak malcode. One example given in the report: Facebook wall links posted by a friend prompting users to install Flash Player updates. When the unaware user clicks to install the update, a piece of malware is installed on the machine. And just like that, the computer is involved in a botnet.

Other stats to be aware of? Botnets became worse in 2008, and GTISC researchers estimate that 15% of online computers will be botnet-affected in 2009. Cyberwarfare and attempts to "subvert the US economy and infrastructure" will accompany military interaction more often. And the already vulnerable VoIP? Cybercriminals will look to engage in voice fraud, data theft and other scams.


Sep 25 2008   8:29PM GMT

Are we all too busy?



Posted by: Kristen Caretta
Security, Hacking, CIO, Best Practices, Midmarket CIO

Do your users pay attention to dialog box pop-ups? If you’re thinking, “yes, of course,” read on.

A recent study by members of the psychology department at North Carolina State University shows most people do not pay any attention to these dialog boxes – even when presented with information indicating potential malware.

The authors created four fake dialog boxes; one of them was indistinguishable from a standard Windows dialog box. From subtle (moving the mouse over the "OK" button turned the cursor into a hand, typical of a browser control rather than a system dialog) to blatant (alternating between black text on a white background and white text on a black background), the dialog boxes should have tipped users off that something wasn't right.

The study was conducted by showing a series of medical websites to a panel of 42 college students, who were told to watch the sites and expect questions to follow. The fake dialog boxes were loaded at random and the users' responses were tracked. The response times showed that the users did not spend any time evaluating the fakes. During the follow-up questions, students found "any dialog box a distraction from their assigned task; nearly half said that all they cared about was getting rid of these dialogs."

Is there just no time for “dialog box speed bumps?” With the quick-answer Web-search service ChaCha growing in popularity, are we all too busy to even search for answers on the Web? Wasn’t that the point of the Web in the first place – a place to access information from all over the globe?

Are your users too busy to pay attention? Should you rethink the use of dialog boxes and consider another venue for that information?


Aug 21 2008   12:06PM GMT

Subway fail, Freedom fail



Posted by: Zach Church
Hacking, CIO, Midmarket CIO

Two weeks ago three MIT students were forbidden by a judge from giving a presentation on how susceptible Boston's subway fare system is to fraud.

Now another judge has allowed them to give the presentation. The problem is said presentation was scheduled for a hacker convention held two weeks ago. Funny how that works out.

Last week I commended the three students for their work and blasted the Massachusetts Bay Transportation Authority for its consistent incompetence in all matters related to running a transportation system.