Once again, another year is behind us and not an uneventful one. As you may have noticed, in July I began doubling my posts here and I’m sure that contributed to the increase in readership of Security Corner over the past few months.
For that, I say thank you for being a valued reader. Knowing that you’re paying attention and that my thoughts and advice are useful is what keeps me going. The 14 Golden Rules of Computer Security seems to have been a popular series of posts based on comments I have received. I also have quite a bit of fun, especially with article series like the Hacking Skills Challenge. There will be more of those in 2010.
Unless you tell me otherwise, I will continue along in this manner in the new year. But don’t be shy; I welcome all comments, suggestions and feedback. If there is some particular aspect of security you’d like to see me put a spin on, let me know.
One more thing: I’m going to release “14 Golden Rules of Computer Security” in January. I will post a special link here to a free download. Keep an eye out for that.
Have a Happy and Prosperous New Year!
Ken “The Geek” Harthun
I know I don’t have to tell you, but if you drink, don’t drive, especially tonight. There are going to be plenty of revelers out there who don’t heed such advice. If you don’t have to go out, don’t. If you want to party hearty, do like my wife and I do every year and stay home, maybe with a few friends or family members who can spend the night.
That said, if you do plan to go out and party, leave your wallet or purse at home. Carry only your ID (driver’s license) and sufficient cash to get you through the night. Keep everything in your front pockets and, rather than a large wad of bills, break it up into a couple of smaller batches. Drinking sensibly will keep you from doing something completely stupid. A better option is to carry cash for a cab ride home (or at least a tip; many cab companies offer free cab rides tonight) and pay your bar tab with a credit card. You could lose all your cash; a credit card is replaceable.
Have fun. Celebrate. But be safe, okay?
In addition to Facebook, MySpace, or other social networks we use for personal interaction, many of us also maintain a professional presence on networks like LinkedIn. Makes sense; business is business, personal is personal, right? Wrong. There’s no way you can prevent those partying pictures from ending up in front of your colleagues on LinkedIn if one of your “friends” wants to post them. Heaven forbid your boss ever sees them.
Nothing is private on the socials; you have to consider everything public. What you write in posts on your own wall, others’ walls, comments, your tweets if you have them linked to your Facebook, is out there just like a 20-foot high billboard on a busy expressway. And the consequences of revealing things that are better kept private can range from mildly embarrassing to loss of professional reputation and employment. Employers often access the socials to conduct a pre-check on a prospective employee to find out how they function away from the work environment.
What to do? Here’s some advice:
- If you’d be embarrassed if someone found out about it, don’t post a photo or talk about it.
- If you hate your job, find a better one; don’t whine online. See “How To Lose a Job Via Facebook In 140 Characters or Less.”
- On Facebook, use the new privacy settings to be very choosy about who can see what.
- Be aware of the connections you have in common on both personal and professional networks.
If you’re on it, you’ve seen the Facebook messages: “You have a give a heart request;” or, “<name> sent you a hug;” or one of dozens of others. Most of these social networking applications are benign; nevertheless, there’s always a risk associated with them. Think about it: you’re allowing some third-party software access to your profile, and that is just one more attack vector for the social networking miscreants. You really have no way of knowing for sure that an application is safe until it’s too late. Case in point from The Seven Deadliest Social Networking Hacks:
A rogue application called “Secret Crush” was circulating around Facebook earlier this year, spreading spyware instead of love. (See ‘Secret Crush’ Spreads Spyware, Not Love.) It sent victims an invitation to find out who has a secret “crush” on him or her, and lured them into installing and running the Secret Crush app, which spread spyware via an iFrame. The attack got more advanced and worm-like when it required the victim to invite at least five friends before learning who their “crush” was.
This is an example of an application deliberately written as a weapon of attack, but as we all know even the best applications have security holes. Considering the social sites are under constant attack by crackers, those security holes can be exploited to compromise your profile, your pages, even your PC. So the next time someone wants to send you a virtual hug, heart or handshake, don’t just blindly accept it.
On the socials, spam is typically used for plain old advertising, click fraud and bot recruitment. The attackers hijack accounts and use their address books to spread spam, worms, or other malware. In my last post, I told you about how my Twitter account was hijacked to spread spam; fortunately, that spam was relatively innocuous, simply meant to recruit more victims whose accounts could be hijacked. However, it could have been intended for more nefarious purposes; I caught it before it got beyond a few spam tweets.
No one on the socials is immune to this, even security wonks like me. The other day, I fired up Skype and was immediately greeted by “Software Update” who informed me that “WINDOWS REQUIRES IMMEDIATE ATTENTION” and it provided me with a link. Of course, it’s bogus and had I clicked the link, I would probably have been infected with a bot or some other malware.
The same rules that apply to email spam apply to spam posts, comments, tweets, chats, even Skype contact requests. Let me refresh your memory on a few of the important ones:
- Don’t accept unsolicited messages from someone you don’t know.
- Never click on links in unsolicited messages.
- “Hot” girls or guys are NOT looking to meet you–that’s a ploy to get you to click. Don’t!
- Your bank will not notify you by email if there is a problem with your account.
- Neither will your credit card company.
Far too many people use weak passwords and then use the same weak passwords over and over again on the Web. Using a weak password is bad enough; using it in more than one place is lunacy. The worst place for a weak password is your electronic banking site, of course, but using one on any Web 2.0 site can also put your personal information at risk. Let’s take Twitter, for example.
Most people probably wouldn’t think of Twitter as a sensitive site, but recall the previous article about impersonation. Compromise a Twitter password and you can easily pose as the account holder. You could then wreak all manner of havoc on the person’s reputation not only on Twitter, but on every site where the account is linked. Recently, someone managed to get hold of my Twitter password when I tried one of those “get follower” services that someone else recommended. Fortunately, all the thief did was spam messages about their “service,” but there were a few hours there where it appeared I was guilty of spamming. I lost quite a few followers and had to deal with a barrage of questions from my friends on other networks.
Twitter management is aware of the importance of strong passwords and will not allow you to set up an account with any of 370 commonly used weak ones. The list is right there in the source code of the sign-up page if you care to look (view source and search for “banned passwords”); you can also see them in The Washington Post article “370 Passwords You Shouldn’t (And Can’t) Use On Twitter.” If you’re guilty of using any of those, change them immediately.
Here are some good policies to put in place:
- Use strong passwords on all Web 2.0 sites
- Do not use the same password more than once anywhere on the Web.
- Particularly on Twitter, do not input your password into any third party site you are not absolutely sure is trustworthy
- Periodically change your password
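Here is what those policies look like when you write them down as code. This is an added example, not Twitter’s own sign-up check: the banned list below is a short constructed sample in the spirit of Twitter’s 370 entries (not the real list), and the function names, the 12-character minimum and the character-class rule are my choices, not anything the site publishes.

```python
import re
import secrets
import string

# Constructed sample of a banned-password list (a handful of entries in the
# spirit of Twitter's 370; NOT the real list).
BANNED = {"password", "123456", "qwerty", "twitter", "letmein", "abc123", "iloveyou"}


def check_password(candidate, username="", min_length=12):
    """Return the reasons a password is rejected; an empty list means it passes."""
    problems = []
    norm = candidate.strip().lower()
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Exact hits on the banned list first, then the usual dodge of "Password1!"
    # where a banned word is padded with digits or symbols.
    letters_only = re.sub(r"[^a-z]", "", norm)
    if norm in BANNED:
        problems.append("on the banned-password list")
    elif letters_only in BANNED:
        problems.append("banned word with digits or symbols added")
    if username and username.lower() in norm:
        problems.append("contains the username")
    # Require three of the four character classes, except for long passphrases,
    # which get their strength from length rather than from mixed characters.
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if len(candidate) < 20 and classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def generate_password(length=16):
    """Make a fresh random password for one site with the secrets module (not
    random), so that no two sites ever share a password. Retries until the
    result passes check_password."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for pw in ("password", "Password123!", "KenH2010!", "correct horse battery staple"):
        verdict = check_password(pw, username="ken") or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
    print("generated for one site:", generate_password())
```

The point of the second check is that a banned list alone is easy to dodge; “Password1!” is not on any list but is no better than “password.” And the generator is the answer to rule two: if every site gets its own random password, a thief who grabs your Twitter password gets Twitter and nothing else.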
If you are active on the social networks, essentially putting yourself “out there” for the world to see, you could become an easy target of impersonation or outright targeted personal attacks. Here’s an example of an actual case of impersonation posted in an online forum (no names used, for obvious reasons):
…a friend of my daughter found a Facebook site of a boy whom she did not know (stranger from another State). She took a copy of the boy’s photo and set up a second Facebook site – using the boy’s real (Facebook) name. She then proceeded to establish online romantic contacts with other strangers – most of whom were also out-of-state from her and the boy. The boy somehow found out about this impersonation and is now threatening legal action – he has contacted her (via her Facebook site) indicating he intends to ‘press charges’ for fraud, identity theft, extortion.
Legal action aside, the probable damage to the boy’s reputation–at least his online reputation–is already done. On top of that, things like this can lead to the other, darker side of things where someone who feels wronged by another mounts a vicious personal attack against the perceived wrongdoer. There are plenty of examples online where people have faced hate messages, death threats, profile defacements and the like.
How does one minimize the risk of such things? Here are some tips:
- Be careful who you allow into your personal circle. If you don’t know why you’re receiving that friend request, ignore it.
- Be personal, but not too personal. Especially on Twitter, where you don’t know your followers, don’t reveal that you are not at home or any other sensitive personal details.
- Build good relationships. Friendly, personable, and helpful are a few good watchwords.
- Never insult, ridicule, or post in anger–you will regret it later. If someone baits you, ignore it.
- At the first hint of unusual activity on your account, change your password and report it to the site administrators.
It is possible to build lasting and beneficial relationships online. I’m a personal example of that, but you have to be vigilant.
With the stellar rise of social networking sites like Facebook, Twitter, MySpace, the Ning networks and the like, the bad guys have found yet another playground on the Web. Most security experts, including me, agree that social networks are the next major attack venue. Their basic interactive/cooperative nature makes them easy targets for cybercriminals to exploit. Jilted ex-lovers or enemies can use social networks to wreak havoc on their victims’ personal lives. My own daughter was a victim of a vicious personal attack by someone whom she previously trusted. Even I have been a victim of a hacker when they hijacked my Twitter account and started using it to send spam. Spammers and bot herders use Web 2.0 sites to try to make a quick buck and steal personal information. Even corporate spies use them to attempt to ruin their competitors’ reputations.
Being very active on several social networks myself and given my security focus, I think it’s a good idea to address this phenomenon, its inherent security risks, and present good social network security practices. In the first set of articles, I’ll cover the seven deadliest social networking hacks, citing real examples of actual cases where possible, and present my best advice on how to prevent and/or defend against the worst threats.
Here’s what I’ll cover in the first seven articles:
- 1) Impersonation and targeted personal attacks
- 2) Spam and bot infections
- 3) Weaponized OpenSocial and other social networking applications
- 4) Crossover of personal to professional online presence
- 5) XSS, CSRF attacks
- 6) Identity theft
- 7) Corporate espionage
While searching for some relevant security news this morning, I came across this site. I started following immediately. What’s it all about? Let me let them tell you:
What is ExecTweets?
ExecTweets is a resource to help you find and follow smart people on Twitter. Created by Federated Media, in partnership with Microsoft, ExecTweets is a platform that aggregates the tweets of top business execs and IT pros and empowers the community to surface the most insightful tweets.
ExecTweets is brought to you by Microsoft and powered by Twitter. ExecTweets IT is, as you would guess, the Information Technology guys and gals at work. Get a load of the categories list:
- All Things IT
- Business Processes
- Cloud Computing
- Decision Making
- Desktop Optimization
- Open Source
- Operating Systems
You join the conversation (have your tweets displayed) by nominating yourself using the “Nominate an IT Pro” button. After you’re approved, your tweets related to IT should start showing up in the feed and other IT Pros can reply and retweet just like on Twitter.
Watch for my Security related tweets if you join.
Spam email is not only a nuisance, it’s a security risk. Most of the viruses, worms, and trojans floating around these days are transmitted in one form or another via spam. The threat can be attached directly to the email or it can rely on some subterfuge to get a clueless victim to click on a link to a malicious website. No matter the method used, the bottom line is that if the spammer doesn’t have a proper email address, the spam won’t be delivered.
Spammers get email addresses in various ways, but the primary method is to use a web bot to scrape them from web sites. It’s not hard to do; the Web is called that because everything is tied together through various links. All the bot has to do is hop around the Web, collecting any email addresses it finds along the way. What the bot is looking for is text strings that take the form of firstname.lastname@example.org. It can easily find those and store them in a database, but it can’t tell whether or not that string is a valid address. You can use this to your advantage; if you can prevent Internet criminals from getting your email address, you can stop them cold. How do you do this? Obfuscate! (Definition: make obscure or unclear.)
Bots can’t think; humans can. To you, the string “kengharthunatyahoodotcom” means something; most scraper bots would ignore it. Similarly, “email@example.com” is easily understood by a human; the bot would recognize it as an email address, but it’s not a valid one and any message sent to that address would bounce. This technique is a good way to post your email address in forums, social networking profiles, etc., but what about posting your email address on your home page or web site?
There are plenty of free tools on the Web to obfuscate a valid email address. This email obfuscator converts my Yahoo! email address to a meaningless (to most bots) string of characters (go try it and you’ll see what I mean). When properly entered into the HTML code of a web page, it looks like this: firstname.lastname@example.org. Anyone clicking on the link will be able to send an email, but your average bot won’t be able to harvest it. This technique isn’t foolproof; a more sophisticated bot that decodes the HTML before matching will recover the address just as your browser does. But it’s going to make it more difficult for them and you’ll be calmer and more secure as a result.
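To show both sides of this, here is an added example (mine, not the obfuscator tool’s code) that plays the harvester bot and the obfuscator against each other. The regex is a constructed stand-in for what a simple scraper looks for, the sample pages and the webmaster@example.org address are made up for the test, and the entity-encoding trick is the same one the free tools use.

```python
import html
import re

# The kind of pattern a simple harvester bot runs over raw page text.
# Constructed for this example; real scrapers vary, but most start from
# something very much like it.
HARVESTER_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(text):
    """Return every string in the text that looks like an email address."""
    return HARVESTER_RE.findall(text)


def harvest_after_decoding(page_html):
    """What a more sophisticated bot does: decode HTML entities first, then match."""
    return harvest(html.unescape(page_html))


def obfuscate_entities(address):
    """Encode every character as an HTML numeric character reference (&#119;...).
    This is what the free obfuscator tools produce: the browser renders the
    plain address, but the raw HTML contains no '@' for the regex to find."""
    return "".join(f"&#{ord(ch)};" for ch in address)


def obfuscate_words(address):
    """Spell out the separators for forums and profiles: 'user at example dot org'."""
    local, _, domain = address.partition("@")
    return f"{local} at {domain.replace('.', ' dot ')}"


def mailto_link(address):
    """A clickable mailto: link with both the href and the visible text encoded."""
    encoded = obfuscate_entities(address)
    return f'<a href="mailto:{encoded}">{encoded}</a>'


# Constructed sample pages: the same contact line, plain and obfuscated.
ADDRESS = "webmaster@example.org"
PLAIN_PAGE = f'<p>Contact: <a href="mailto:{ADDRESS}">{ADDRESS}</a></p>'
OBFUSCATED_PAGE = f"<p>Contact: {mailto_link(ADDRESS)}</p>"
FORUM_POST = f"Reach me at {obfuscate_words(ADDRESS)} if you have questions."

if __name__ == "__main__":
    print("plain page, naive bot:        ", harvest(PLAIN_PAGE))
    print("obfuscated page, naive bot:   ", harvest(OBFUSCATED_PAGE))
    print("forum post, naive bot:        ", harvest(FORUM_POST))
    print("obfuscated page, decoding bot:", harvest_after_decoding(OBFUSCATED_PAGE))
```

The naive bot finds the address twice on the plain page (once in the href, once in the link text) and nothing at all on the obfuscated page or in the forum post. The decoding bot gets both copies back, which is exactly the “isn’t foolproof” caveat: you are raising the bar for the lazy bots, not building a wall.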
So, I wrap up this book with Golden Rule #14: If your email address will be visible to the public, obfuscate it using one of the methods or tools above.