With the stellar rise of social networking sites like Facebook, Twitter, MySpace, the Ning networks and the like, the bad guys have found yet another playground on the Web. Most security experts, including I, agree that Social networks are the next major attack venue. Their basic interactive/cooperative nature makes them easy targets for cybercriminals to exploit. Jilted ex-lovers or enemies can use social networks to wreak havoc on their victims’ personal lives. My own daughter was a victim of a vicious personal attack by someone whom she previously trusted. Even I have been a victim of a hacker when they hijacked my Twitter account and started using it to send spam. Spammers and bot herders use Web 2.0 sites to try to make a quick buck and steal personal information. Even corporate spies use them to attempt to ruin their competitors’ reputations.
Being very active on several social networks myself and given my security focus, I think it’s a good idea to address this phenomenon, its inherent security risks, and present good social network security practices. In the first set of articles, I’ll cover the seven deadliest social network networking hacks, citing real examples of actual cases where possible, and present my best advice on how to prevent and/or defend against the worst threats.
Here’s what I’ll cover in the first seven articles:
- 1) Impersonation and targeted personal attacks
- 2) Spam and bot infections
- 3) Weaponized OpenSocial and other social networking applications
- 4) Crossover of personal to professional online presence
- 5) XSS, CSRF attacks
- 6) Identity theft
- 7) Corporate espionage
While searching for some relevant security news this morning, I came across this site. I started following immediately. What’s is all about? Let me let them tell you:
What is ExecTweets?
ExecTweets is a resource to help you find and follow smart people on Twitter. Created by Federated Media, in partnership with Microsoft, ExecTweets is a platform that aggregates the tweets of top business execs and IT pros and empowers the community to surface the most insightful tweets.
ExecTweets is brought to you by Microsoft and powered by Twitter. ExecTweets IT is, as you would guess, the Information Technology guys and gals at work. Get a load of the categories list:
- All Things IT
- Business Processes
- Cloud Computing
- Decision Making
- Desktop Optimization
- Open Source
- Operating Systems
You join the conversation (have your tweets displayed) by nominating yourself using the “Nominate an IT Pro” button. After you’re approved, your tweets related to IT should start showing up in the feed and other IT Pros can reply and retweet just like on Twitter.
Watch for my Security related tweets if you join.
Spam email is not only a nuisance, it’s a security risk. Most of the viruses, worms, and trojans floating around these days are transmitted in one form or another via spam. The threat can be attached directly to the email or it can rely on some subterfuge to get a clueless victim to click on a link to a malicious website. No matter the method used, the bottom line is that if the spammer doesn’t have a proper email address, the spam won’t be delivered.
Spammers get email addresses in various ways, but the primary method is to use a web bot to scrape them from web sites. It’s not hard to do; the Web is called that because everything is tied together through various links. All the bot has to do is hop around the Web, collecting any email addresses it finds along the way. What the bot is looking for is text strings that take the form of email@example.com. It can easily find those and store them in a database, but it can’t tell whether or not that string is a valid address. You can use this to your advantage; if you can prevent Internet criminals from getting your email address, you can stop them cold. How do you do this? Obfuscate! (Definition: make obscure or unclear.)
Bots can’t think; humans can. To you, the string “kengharthunatyahoodotcom” means something; most scraper bots would ignore it. Similarly, “firstname.lastname@example.org” is easily understood by a human; the bot would recognize it as an email address, but it’s not a valid one and any message sent to that address would bounce. This technique is a good way to post your email address in forums, social networking profiles, etc., but what about posting your email address on your home page or web site?
There are plenty of free tools on the Web to obfuscate a valid email address. This email obfuscator converts my Yahoo! email address to a meaningless (to most bots) string of characters (go try it and you’ll see what I mean). When properly entered into the html code of a web page, it looks like this: email@example.com. Anyone clicking on the link will be able to send an email, but your average bot won’t be able to harvest it. This technique isn’t foolproof; more sophisticated bots may be able to figure it out. But it’s going to make it more difficult for them and you’ll be calmer and more secure as a result.
So, I wrap up this book with Golden Rule #14: If your email address will be visible to the public, obfuscate it using one of the methods or tools above.
It’s far too easy to set up WiFi for your home or business; all you have to do is go to your local electronics superstore and pick up a wireless router, plug it in to your network, and connect to it. The default configuration of most consumer products–completely open with no security enabled–will allow you to connect without having to enter any configuration information into your wireless PC. That’s why in any given neighborhood you’ll see multiple unsecured wireless network connections available. Most public WiFi hotstpots are also unsecured, open connections. If you just surf the web and send an occasional email, you might be OK (besides the fact that anyone in range can connect to and use your Internet connection), but the moment you start using your PC for banking, making purchases, and paying bills online, that wireless connection absolutely must be secured. It must be done right, and there’s really only one right way to do it. Before I explain that, let me tell you what not to do:
1. Don’t rely on SSID hiding. I’ve seen numerous articles that tout SSID hiding as a security measure. While this technique may serve to hide your network from casual view, there’s nothing secure about it: the SSID is transmitted in clear text in every packet and is easily sniffed by wireless packet sniffers. For example, Network Stumbler will identify the SSIDs of any network within range, regardless of whether or not the wireless access points are broadcasting.
2. WEP is broken. Using 40,000 to 100,000 packets, which can be captured in about a minute, you can crack a WEP key in about three seconds on a Pentium M 1.7 GHz PC. Don’t believe me? Check it out: This list even provides video tutorials on how to do it. Sure, it provides a small measure of security and it’s better than nothing, but why use something that’s already been proven inferior? Would you feel more secure knowing the garage where your store that vintage Corvette is protected by a Master lock or one you bought at an everything-for-a-dollar store? Your personal information is much more valuable than that car.
3. Don’t rely solely MAC address filtering . I don’t know why so many people are recommending this. MAC address filtering is equivalent to SSID hiding–it’s virtually useless, except to keep a casual user from inadvertently connecting to your wireless network. Like the SSID, MAC addresses are sent in clear text within the network packets and can easily be discovered and spoofed by anyone sniffing your network. That said, using MAC address filtering in conjunction with other measures can give an additional layer or safety.
So, what’s the right way? WiFi Protected Access, known by its acronym, WPA. There are two versions: WPA2 and WPA2-Enterprise. WPA2 relies on a pre-shared key (PSK), while WPA2-Enterprise requires a special authentication server and is therefore more suited to corporate environments. WPA2 implements 256-bit encryption and as long as you create a strong, unguessable passphrase, it’s completely secure. Configuring WPA2-PSK on a given wireless router depends on the brand, but you can find a general tutorial at this site.
And that, my dear reader, is Golden Rule #13: When it comes to securing a WiFi network, the only way is WPA.
Golden Rule #12: Infected PC? Don’t Just Clean–Wipe and ReloadGolden Rule #12: Infected PC? Don’t Just Clean–Wipe and Reload
You’ve seen them: PCs with serious malware infections that seem to defy any and all attempts to clean them up. You persevere and eventually get rid of the files that regenerate upon deletion, clean up the autorun registry entries that keep the malware going, and kill all the malicious processes that keep showing up. You’re proud of yourself; you’ve conquered the beast, out-hacked the hackers. You’re the man: a real, live uber-geek! Pat yourself on the back–you earned it. Then, after you’ve finished congratulating yourself, nuke (as in Darik’s Boot and Nuke) the hard drive and reinstall the operating system–you can never trust that machine again unless you do.
There’s no such thing as forgiveness in security; once a machine has been compromised, you can never be certain that it’s free of malware unless you completely wipe it out and start from scratch. Just because everything appears to be working properly after your “cleanup” doesn’t mean it is. Modern malware is designed to be tenacious and stealthy. Many malicious programs leave behind remnants of themselves even when good anti-malware software is able to take the venom out of them. Rootkit technology is becoming so sophisticated that normal means of detection don’t work as this article in The Register explains.
It’s a matter of trust; it’s also a security maxim. So without further ado, I present Golden Rule #12: Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.
I hope I’ve given you some valuable advice on how to secure your computer. If so, and if you’ve chosen to take my advice, you’re probably careful about what you do on the web. You certainly have strong passwords for all of your logins, all of them different, and you don’t go around telling people what they are or keeping them on sticky notes attached to the monitor at your workplace. But the web can be a dangerous place; make a mistake and you could be in trouble. There’s one common mistake that if you make it, you may as well paint your passwords in 10-foot tall letters on a lighted billboard next to a busy freeway and invite every hacker to drive by it.
I’m talking about entering your password — or any sensitive information — into any web page that’s not secure. All communication — including your username and password — between your browser and a web server is normally transmitted in clear text, easily read by anyone who cares to look. Your data is being sent in clear text if you enter anything onto a page that has the prefix http:// in its URL. That’s how you know the page isn’t secure. While not a totally reliable method of identifying a phishing site, it’s a pretty good bet that any financial site or one requesting personal information that displays http:// is suspect; steer clear and don’t enter your credentials.
How do you know a page is secure? It will use an encrypted connection, signified by the prefix https://. This page will use a technology known as Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL). Any information you put into such a page is unreadable by anyone who might intercept it. Only your browser and the web server at the other end can decipher it. Most browsers show a lock icon to let you know it’s secure. TSL/SSL relies on cryptographic protocols and special security certificates issued by a trusted authority who has verified the identity of the website you are logging onto.
So, I present you with Golden Rule #11: Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection signified by https:// in the address bar and a lock icon in the browser’s status bar.
“Well, that’s a good thing,” I said. “Where do you keep your backups?”
“On my external USB drive.”
“That’s encrypted, right?” I asked.
He blinked and looked away. “No.”
Doh! If a cracker is able to access his PC and that drive is connected and turned on, my friend could be toast. If someone breaks into his house and steals the drive, my friend’s identity could be stolen. Depending on what is actually stored on the hard drive, full backups can contain lots of personal information–information that is much more valuable than mere passwords. Think about it: if you have the user’s name, address, SSN, pet photos, you-name-it, you’re in Fat City; you can easily assume the identity and recover usernames and passwords.
Few people encrypt their data, much less their backups. They should, but they don’t. Some backup programs allow you to make encrypted backups. If this option is available take advantage of it. The most secure plan would be to both encrypt your data and encrypt the backup for a double layer of protection. Then, take the backup media offline and store it in a secure place.
And that is Golden Rule #10: When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.
If you’ve done any coding at all, you probably have a good idea why software developers often run their untested code in a protected environment–a sandbox. If the software misbehaves, all you have to do is shut down the sandbox and everything returns to normal, no harm done.
A sandbox is also a great way to prevent viruses and other malware from infecting your machine while browsing the web. Confine your browser to its own little box and if any malicious software tries to run, it can’t get to your system, it stays within in the box’s boundaries. Kill the box and you kill the malware. The top, sandbox program for Windows–the one I use for secure surfing and testing– is Sandboxie. It runs only on Windows. Run Internet Explorer, Firefox, or any other program under Sandboxie and you should be safe.
You can also operate securely from inside a virtual machine. This is different from a sandbox in that you actually run an entire operating system, rather than a single program. Many people, this Geek included, use virtual machines to run alternative operating systems like Linux. In a virtual machine, you can do everything you do on a real machine and like the sandbox, if things go wrong, your computer won’t be harmed. A big advantage of the virtual machine over a sandbox is that you can examine the actual behavior of malware and any damage to the OS. Microsoft provides the free Virtual PC and VMware provides its free VMware Player and VMware Server. For the Mac, there’s Parallels (not free).
Golden Rule #9: When surfing the web, testing unknown programs, or engaging in other activities with the potential to harm your computer, use a sandbox or virtual machine to protect your base system from harm.
There’s no question that data security is senior to physical security. The real value in a stolen laptop or PC isn’t in the hardware, it’s in the data. Sure, some druggie might steal your laptop and sell it for a fix, but the real danger lies in the thief who knows the value of the files that are stored on it. If it’s a personal laptop, the passwords to your online banking site, credit card numbers, Social Security number–probably everything about your identity–may be stored on it. If it’s a corporate laptop, depending on who you work for, there could be valuable customer information complete with credit card numbers or other proprietary information that a thief or corporate spy could capitalize on.
But physical security is only slightly less important. Don’t get complacent thinking that you’re OK just because your data is secure. It’s an expensive proposition to replace that data, so you must take steps to prevent theft of your hardware.
Encrypting your data is analogous to hiding it. So hide your laptop. Chain down your PC. Make it as difficult as possible for a thief to steal it. I keep my PC in a locked room when I’m not nearby and I maintain the attitude that someone’s waiting around the next corner to steal my laptop. So, it’s always either in a secure area or with me–and I mean within a couple of feet of me. I rarely leave it in my car and if for some reason I must, I lock it up in the trunk. I never leave it overnight in the office. Out of sight, out of mind. There are other physical precautions you can take as this Security Focus article outlines.
And let’s not forget about removable and external storage devices; hide them, too. For now, I leave you with Golden Rule #8: Physical security is almost as important as data security. Make it as difficult as possible through any physical means for a thief to steal your hardware. Rules of thumb: Lock it up and lock it down; out of sight, out of mind.
We frequently hear news of a laptop holding sensitive information having been stolen. Bad in itself, but the reports often note that the information was unencrypted. Doubly bad. The news rarely focuses on personal laptop thefts, however because there’s no news value in reporting the loss of Joe Citizen’s personal files; nothing of value there, they think. But Joe’s entire life savings may soon be wiped out if he has ever used that laptop for on-line banking or other financial transactions.
Recently, a friend of mine (who shall remain nameless for security reasons) had his laptop stolen out of his car. Fortunately, he had just purchased it and there was nothing of value on it, but there could have been–he’s an oil company executive. Modern thieves know that if they can get their hands on a computer holding sensitive information — particularly bank or credit card information — they can sell that computer for tens or hundreds of times the value of the hardware. The hardware is virtually worthless to them. From the thief’s point of view, any laptop sitting on the seat or floor of a decent car or a desktop PC in a middle class home office could belong to someone who has access to valuable information.
But, if the data is encrypted, the thief is out of luck.
I’ll cover physical security later. For now, I present Golden Rule #7: If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the folders or drives where the information is stored and use an unguessable passphrase as the encryption key.