Sister CISA CISSP


January 9, 2010  3:14 AM

Anti-“Social Network” Phenomena



Posted by: Arian Eigen Heald
information, privacy on the web, Start Laughing Now, Stupid Technology

When I heard about some sort of site that was set up to promote a service called the “Web 2.0 Suicide Machine,” I just had to check it out:
From their website for Cyber-Suicide:

Tired of your Social Network?

Liberate your newbie friends with a Web2.0 suicide! This machine lets you delete all your energy sucking social-networking profiles, kill your fake virtual friends, and completely do away with your Web2.0 alterego…. Our service currently runs with Facebook, Myspace, Twitter and LinkedIn! Commit NOW!

I especially liked the illustration using a noose.

Yet another site, from Japan, titled Seppukoo promotes its service with the following slogans:

Discover what’s after your Facebook life. We assist your virtual identity suicide.
You are more than your virtual identity. Pass away and leave your ID behind.
Impress your friends, disconnect yourself. Join the world wide suicidal network

Interestingly enough, Facebook has pulled out the legal playbook and sent them both Cease & Desist nastygrams, claiming their services violate user privacy. The irony of that statement (almost) renders me speechless.

What a shame these services can’t erase all the dumb things your teenager and friends have previously posted, which are out there forever. When he’s applying for a job at age 30, they still will do an Internet Search and come up with the “Great pic of my new tats!” he posted 15 years ago when he belonged to a group called “tightpantstatts.” (I’m giving you the abbreviated version of their name, but they DO exist. And no doubt will continue to.)

I can certainly see the appeal of “unfriending” every person you don’t know (and some you wish you didn’t, that somehow snuck in). I also like the idea of a program that can clean you out of social networks that exist, all at once. But no “service” appears to be set up to get all of the social networks at once. Yet.

Now that Facebook is trying to shut two down, others will be springing up like weeds.

Consider, however, that you must give these “services” your usernames and passwords for the social networks you belong to. You don’t use that username or password anywhere else, right?

January 1, 2010  1:47 AM

Better Late Than Never…..



Posted by: Arian Eigen Heald
ACH Fraud, Banking Fraud, Data Breaches, data security, information security, Tearing My Hair Out

The Federal authorities and the American Banking Association have issued an alert to small and medium-sized businesses to use a dedicated PC for banking.

“The alert advises businesses to dedicate a single computer for online banking activity that is never used for reading e-mail or surfing anywhere else on the web. Using a dedicated computer would lessen the chance of the computer being infected with malware that can help crooks drain a bank account through wire transfers and automated clearinghouse transfers.”

It’s grand that the government got around to stating the obvious. While it is clearly the only option (given the pervasiveness of hacked websites and phishing emails), having a separate PC will add costs for small businesses, especially those that don’t have adequate security (firewalls and AV) to begin with.

We discussed this in a post back in August. Now that the total is roughly $100 million in losses to business, the government and banking are taking notice.

I guess that’s good. Happy New Year!


December 29, 2009  7:58 PM

Just in Time for the Holidays…..



Posted by: Arian Eigen Heald
Automatic Theft Machines, cloud computing, Cloud Security, information security, SQL Injection, Start Laughing Now, TCM (Truly Clueless Management)

There are a bunch of year end studies coming out, predicting various sorts of rises and decreases in criminal activity on the Internet. (“cybercriminal” sounds way too glamorous for me.)

So I thought I’d offer up, in the spirit of the season, my two cents:

Under the Category of Bad Idea, we have:

1. Yahoo, Bing and Google are racing to integrate Twitter, Facebook and other social media to include up-to-the-minute postings from popular social networks atop search results.

Why, exactly, is this a good idea? When your teenager posts something numb on Facebook, will it now appear in multiple search results?

2. “Cloud Computing.” Still has yet to prove itself secure, auditable or a real cost savings in the long run. Losing real control of your data is going to be expensive.

3. Outsourcing overseas. Yes it’s cheaper, and so are the security measures. The laws are different, and will you travel to India to prosecute? This is what happens when the bottom line ignores common sense. See “cloud computing.”

For the Category of Internet Fraud:

1. Social Networks have become an increasingly rich mine of personal activity that can lead to malware and theft of personal information. Including, now, the business networks such as LinkedIn. Don’t personally know who invites you? Now what do you do with the people you accepted? “Unfriend” them?

2. Peer-to-peer part 1 – Pretty soon (if they haven’t already) they’ll figure out how to encode malware into audio and movie files. Watch a movie, get a Trojan!

3. SQL Injection – Is only getting worse, and it’s one of the few things we could fix.

In the Category of “We Knew This, Didn’t We???”

1. Peer-to-peer part 2 – Those networks are loaded with malware. Are your kids on one? Or two? Do they bring their laptops home from college loaded with them? Best hope they don’t do any banking or personal business on those machines. Wait, they’re kids! Kids think they’re invincible. Uh oh.

2. Millions of websites are unsecured and allowing i-frame malware and other code to run so that they can install Trojans, etc. We’re still surfing, and infection is rising. Solution, anyone? Other than having two computers?

3. The bad guys have already figured out banking’s “Is it your picture?!” attempt at cheap two-factor authentication. Get ready to have a keyring full of tokens – I have two already!

4. Leave your debit cards at home – how long do you want to spend hassling with the bank to get your money back?

5. Haven’t you encrypted all your laptops, yet?

And last, but not least, the category of “Bad Uses of Good Technology:”

1. People that break into cars and steal your GPS can use it to track back to your house for burglary purposes. Snopes says this is partially true. I suspect car burglars are not that bright, but, who knows? Especially if I am not bright enough to put my GPS away.

If they get your car registration and your garage opener, you’ll be much more vulnerable. They’ll just use the GPS for easy driving to your house.

2. ATMs continue to siphon enormous amounts of money from banks, businesses, payment card processors, etc. No end in sight. Who will pay for it, ultimately?

3. “Cloud computing” can be used to speed up decryption across multiple CPUs. A bad use of Bad Technology! Double winner!

Ho, ho, ho. Have a great holiday, get lots of presents, and try to think of it as job security. That’s what I’ll be doing.


December 22, 2009  7:09 PM

The Forest or The Trees – Part 2



Posted by: Arian Eigen Heald
Admins and Auditors, Tearing My Hair Out

In a previous article, I talked about the issues faced by IT Security and financial auditors, in trying to come together. Financial auditors only care about financial systems and overall IT Security as well as non-IT security practices. IT Security, on the other hand, is focused on secure IT practices. Why don’t they meet in the middle?

The focus is different for both groups; auditors want secure IT practices only on financial systems (which is where they are allowed to look). IT Security will often push back when they ask for more, saying things like “out of scope.”

IT Security is mostly focused on production systems and network devices. It’s a constantly changing environment, where you have to move quickly to combat threats and intrusions. They’re focused on actions, not documentation and procedures. They’re not thrilled, for the most part, with endless requests for policies and procedures, as well as documentation of what they’re actually doing. They’re darn busy with a lot of trees in the forest.

The problem is, they’re both right, and both wrong. IT sees documentation as unimportant (i.e., “I’ll get to it when I can”), auditors see non-financial systems as unimportant (“Firewall? They have one, they’re fine”).

The real problems come with the trees neither one of them looks at. That’s Part 3.


December 18, 2009  2:30 PM

Second Annual “One More Acronym & I am Going To Scream”



Posted by: Arian Eigen Heald
Eigen's Rules of Thumb, Start Laughing Now, Stupid Technology

From the wilds of South Dakota, it seems like I have too much time to think. Once again, in time for the holiday season, the Ad campaigns (which is where so many of these things ((heck, where ALL of these things)) come from) spread the same acronyms like the “I Love You” virus.

Late last night (yes, I know, we geeks have no life) I was grinding my teeth over the Google Technology Ads, and started once again making up MY OWN definitions, to wit:

GREEN – Gag Reflex Entirely Engaged Now

CLOUD – Calling Legacy Operations Utterly Dazzling

PCI – Pay Cash Instead

SaaS – Simply Awful Acronym Sizing

IPS – Inventing (a) Product Synonym

RSS – Really Stupid Software

Facebook and Twitter? Stay tuned, I’ll come up with something.

Wouldn’t it be great if we decided not to buy anything that has an acronym attached to it?


December 15, 2009  2:41 AM

iFrame Attack is Growing Very Fast



Posted by: Arian Eigen Heald
information security, SQL Injection, Web Security

According to Dark Reading, and the original article from a security researcher at ScanSafe, an attack that started in November using SQL injection has compromised over 132,000 websites.

As if that were not bad enough, the hacked websites have injected hidden code in an iframe that calls another iframe to connect to a website named 318x. For the really technical details, check the blog post from Mary Landesman at ScanSafe.

318x (a dotcom) downloads particularly nasty malware to the victim, which includes banking trojans. As of this evening (12/14/09), a Google scan for the script source now has 166,000 websites listed.

If you do the search on Google or Yahoo, all sorts of alerts will go off (which is why I didn’t link it here), but you get infected only if you click on one of the links with the embedded script.

Search your own site for this string of code! If you find it, your website has been compromised, and you’d better find out how. Your customers and users can get infected, and it could get back to your company.
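The post's advice is to search your own pages for the injected code. The script below is an added example, not code from the original post or from ScanSafe: it generalizes the check from one specific string to the pattern the post describes, an iframe the visitor cannot see (zero size or hidden by style) whose src points off your own site. The sample pages and the domain `malicious.example` are constructed for the demo; the site host `www.example.com` is an assumed command-line default.

```python
"""Find hidden, off-site iframes in HTML files (the injection pattern
described in the post).  Added example, not from the original post.
Sample pages below are constructed; 'malicious.example' is not a real
indicator."""
import re
import sys
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Inline styles that make an element invisible to the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag on a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_zero(value):
    """True for a width/height of 0, 0px or 0% (missing attribute is False)."""
    return re.fullmatch(r"\s*0+(px|%)?\s*", value or "") is not None


def is_hidden(attrs):
    """An iframe the user cannot see: zero size, or hidden via inline style."""
    if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
        return True
    return HIDDEN_STYLE.search(attrs.get("style", "")) is not None


def is_offsite(src, site_host):
    """True when src names a host other than our own site.

    Relative URLs (no host) are local and therefore not off-site;
    scheme-relative '//host/path' URLs are handled by urlparse."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()


def find_suspicious_iframes(html, site_host):
    """Return the src of every hidden AND off-site iframe in the page.

    The combination is what matters: a visible third-party embed (a video
    player) is normal, and a zero-size frame loading our own content is
    odd but local.  An invisible frame pulling third-party content is
    the drive-by pattern the post describes and deserves investigation."""
    parser = IframeCollector()
    parser.feed(html)
    return [
        f["src"]
        for f in parser.iframes
        if "src" in f and is_hidden(f) and is_offsite(f["src"], site_host)
    ]


def scan_directory(root, site_host):
    """Walk a web root and map each file with hits to its suspicious srcs."""
    hits = {}
    for path in Path(root).rglob("*.htm*"):
        found = find_suspicious_iframes(path.read_text(errors="replace"), site_host)
        if found:
            hits[str(path)] = found
    return hits


# Constructed sample pages (not real captures).
CLEAN_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<iframe src="/help/contact.html" width="0" height="0"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://malicious.example/loader.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    # Usage: python scan_iframes.py <web-root> <your-site-host>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    host = sys.argv[2] if len(sys.argv) > 2 else "www.example.com"
    for path, srcs in scan_directory(root, host).items():
        print(path)
        for src in srcs:
            print("    hidden off-site iframe ->", src)
```

Run it against a copy of the web root, not the live server, and compare the hits with your deployment history: a legitimate page should not gain an invisible frame between releases. Any hit also means looking for how the page was altered in the first place (the post names SQL injection), because deleting the iframe without closing that hole just buys time until the next injection.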


December 8, 2009  8:21 PM

“Social Media” and Business



Posted by: Arian Eigen Heald
etc, information security, information security policy, TCM (Truly Clueless Management), Twitter

My sister-in-law asked me yesterday about getting her company on Twitter and other social media sites like Facebook. She said that they would need to disable blocking functions in the office firewall to make it work.

She also said that their IT department was very much against the idea, and she wanted some information to reassure them. Let’s hear it for the IT department!

Starting from today’s post on HelpSecurity.net describing social media as a “playground for cybercriminals,” a quick Google search will give you 16 million or so sites that are considering the issues (or trying to sell you something, as usual).

It seems that businesses have a common misperception about social media. (It IS easier than saying Twitter, LinkedIn, Facebook, Friending and MySpace, but I really don’t like the phrase “social media.” It’s just a little too “marketing…”)

Business doesn’t yet understand that “attention” does not translate into “interest.” Social media is very transitory, and attention shifts constantly to the next new thing. I don’t really want to hear what a business is thinking four times or so a day. (Does a business think?) I’m not sure, actually, that writing a blog, as many businesses do, is a fab idea, either. People write blogs, not company presidents. But that’s just me.

The other issue, at least on Twitter, is trying to build up the “fan” base. Companies are pushing their employees to become “fans,” but that means that the company can see the Twitter profiles of their employees. This has already resulted in company policy changes for employees, telling them to behave themselves on Twitter (or other places). This turns an employee fun toy into a business process, and nobody I’ve talked to that is on Twitter likes it, not at all.


December 4, 2009  10:46 PM

The Forest or The Trees; Why Can’t We Have Both?



Posted by: Arian Eigen Heald
Admins and Auditors, Tearing My Hair Out

It often seems as if IT Security and auditors will never meet in the middle. As a person with one foot in either side of the fence, I’m often amazed how two groups with fundamentally the same goals can’t seem to agree.

Usually, when this happens, I’m an auditor sitting with IT Security people, or I’m an IT Security person sitting with a bunch of auditors. (Yes, we’re all a little – a little? – nuts, but who wouldn’t be with everything going on right now?)

I am a member of a public accounting firm; today I was sitting with a group of IT auditors listening to the latest requirements in performing “An Understanding of IT Controls” for a financial audit. (Good thing they didn’t use any numbers; I’d have been doomed.) Fundamentally, financial auditors, (not IT auditors) are not concerned about any IT systems except the IT financial systems. Those must have reasonable controls.

“Reasonable” meaning that the auditor can obtain reasonable assurance that the systems have effective controls in place. This applies to financial audits, SOX 404 audits and banking audits. No money in ‘em? Not interested.

So the “tree” in the “forest” has to be a money tree. The rest of the forest doesn’t really matter. Needless to say, I can’t agree with this stance, even though it makes perfect sense to the financial auditor. I can see where they are coming from; they can’t (nor do they know how) examine every system to find inoperative controls, etc. The things IT Security people find.

But if all the other trees around it are infected, will the money tree (I’m losing control of the metaphor here) still be OK?

Now, in the auditor’s mind, they are also testing the financial documentation, so there are a lot of “compensating controls” in the paperwork. But if the CFO is editing the database, the paperwork can look pretty good.

Of course, this all sounds rather black and white because there are times when IT Controls can report a “material weakness” if a number of IT controls are not in place, not effective, etc. But it is a financial auditor that makes that decision, and if it is outside the money tree, they tend to think that it is unimportant.

So how do we reconcile just looking at a few trees? Stay tuned.


November 30, 2009  8:17 PM

Consensus Audit Controls Released – That are Actually Useful!



Posted by: Arian Eigen Heald
Admins and Auditors, Tools for Auditing and Security

If you’re like me, if you see or hear about one more “set of controls,” “baselines,” “standards” or “frameworks,” you’ll tear your hair out. And scream.

For my money, the PCI data security standards have the most realistic set of sensible requirements around; requirements that actually speak to most business IT environments.

Standards and frameworks do not give concrete requirements and actual actions worth taking. Even “Best Practices” gets only a limited amount of respect. After all, who is the “Best,” and how do we know the practices are really any good?

So I take a lot of announcements along these lines with a grain of salt and/or a delete button. But SANS has released “Twenty Critical Security Controls” that have been vetted by both the audit and the IT Security sides of the house – thus something useful for everyone. A lot of real practitioners have worked on this one, and it shows.

Check it out! http://www.sans.org/critical-security-controls/


November 23, 2009  5:39 PM

Buy Your OWN Automatic Theft Machine



Posted by: Arian Eigen Heald
Automatic Theft Machines, Data Breaches, Eigen's Rules of Thumb, Hardware & InfoSec, Identity theft, Stupid Technology

Is it really a surprise that ATMs can be bought on eBay or Craigslist? Given the number of ATMs that pop up at convenience stores, movie rentals, grocery stores and gas stations, it stands to reason that those machines have been bought, or rented, by the store owners. Who have, I’m sure, not gone through a check for their criminal history. And certainly want to find someone to buy their machines when, for some reason, they will not be using them anymore.

About a year ago, I wrote a post on how store ATMs actually keep a record of names, account numbers and amounts.

Turns out an enterprising security guy bought a machine on Craigslist from somebody going out of business, who didn’t bother to clear the last 1,000 transactions from the machine. Ooopsie.

He got a very nice (now on YouTube) video from one of the local news stations, which I highly recommend watching; you can see how skimmers and cameras are getting smaller and smaller.

Rule of Thumb? Don’t use any ATM that isn’t attached to a bank – and not very often, at that. Leave your debit card at home. You can lose too much money from your account and then have to fight with the bank to get it back. Use your credit cards and let the credit card companies and the bank duke it out.

(What’s wrong with cash?)

