Employees are consciously breaking the rules. With social media security measures almost non-existent in most organizations, activity such as posting confidential information to social media sites, sharing confidential location information, sharing customer data and allowing unauthorized access through apps can be occurring without IT having any clue that its going on.
When a company does discover young employees are breaking the rules, what should happen? Firing is probably the last option; education should be the first step. Users are generally resistant to security activities which can be inconvenient but a company can demonstrate the values and benefits of the IT policies and procedures. There is a risk threshold companies have to accept but every option should be used to make young employees aware of the dangers of social media and data leakage through social media platforms.

Non-compliance with any company policy has to have consequences. If the risks and the consequences are part of orienting new employees, then employees can’t complain when it does get to the point of termination. Enacting social media policies, training and consistent tools to track and monitoring social media usage is essential in managing the employees coming out of college today.

Social media has taken the world by storm, but there are many instances when it has been used inappropriately to abuse privacy. Hospitals, especially, are in danger of this – the privacy levels required in a hospital are high and social media breaks down all barriers of privacy. Social websites like Facebook and Twitter, video websites like YouTube and even blogs have made it easy to pass on information, and since there is no one policing the information, boundaries are crossed easily. The HIPAA Security Rule can be easily broken.

Imagine a situation where someone is ill and has to stay in the hospital for a few days. Or where someone is diagnosed with something that people treat as particularly embarrassing, or that holds the threat of death. All it takes is for one person to post a message or a picture taken in the hospital of the patient, and in minutes, the whole world will be able to access the information. If malicious things are said about this patient and they get to hear about it, it might harm their health further.

Hospital employees in particular need to be extra careful, because they can easily break the HIPAA Security Rules and get into legal trouble. Blogs where hospital employees meet are a great idea for them to discuss their work, but these same blogs can easily cross boundaries and find themselves discussing a particular patient. The hospital employee can be fired and sued. The hospital itself is in particular danger of being sued.

Social media has changed the way we communicate but we need to know when it’s appropriate and when it is not. In hospitals, in can be especially damaging if used in the wrong way. To stay out of trouble, hospitals need to have a clear policy on social media and how their employees use it.

Facebook has become a worldwide phenomenon. With more than 800 million users, it has become the biggest social network man has ever produced on the internet. Of course, given this number of users, protecting the privacy and personal information of each user can become a daunting task and here, Facebook development has some challenges.

Let’s face it, the current status of Facebook security and privacy issues is dreary. To top it off, even Facebook co-founder, president and CEO Mark Zuckerberg has recently had his Facebook fan page hacked.

Now, that’s not very encouraging. If a man of such status in Facebook can have his fan page hacked, how much more are other company’s and individual’s fan pages? Then again, what dangers are actually posed by these fan pages?

Dissecting Facebook Fan Pages

For businesses who want to advertise their brand, products and services online, Facebook fan pages are one of the best options because of the exposure that can be generated when Facebook users “like” their pages. What most users do not realize, however, is the fact that when these pages are “liked” or applications are authorized, the developer of the application or of the page can have access to all the private information of their fans including their name, friends list, location, and any other content that is marked available to everyone. Of course, this can pose real security threats especially when these accounts are hacked by dissolute individuals who want to make quick bucks out of other people’s personal information.

For instance, people who grants authorization to a particular company’s application or fan page is actually allowing this company to access their personal email. When these are shared, spammers, identity theft criminals and hackers can now come into play through various strategies and techniques to gain access to more personal information.

Trust Issues: Should Companies Trust Facebook

Given the current Facebook privacy settings and security, the decision to trust Facebook to secure their fan pages should be left on the discretion of the company. A lot of critics are campaigning against Facebook, offering advices as extreme as not opening an account with the popular social networking site or closing down any account any user currently has. Fan pages can boost a company’s revenue and companies should rally for tightened security and if possible, incorporation of a tighter security measures like anti-virus software to protect not only the company’s fan page but of their “fans” as well.

Be careful who you “fan”.

For more help on Social Media security issues, read the book “Securing the Clicks: Network Security in the Age of Social Media”

We all know about hackers these days. Many people think of hackers breaking into their bank accounts or breaking into some big corporation and stealing data. We are even more aware of the virus and malware that can be sent in an Email. At this point does anyone click on some random link from a stranger in email? We hope not.

So most companies know how to protect themselves from hacker attacks, well theoretically. If you don’t run a firewall or an antivirus program you are just asking to be hacked. But what if you do all these security measures, follow best practices and then find out someone else who you have entrusted your data to has been hacked? And you data is stolen? When you have no control of the company hosting your data what are you supposed to do?

In this recent article, a very popular company Zappos, was hacked, “Hackers swipe Zappos data; customers should change password (http://www.usatoday.com/tech/news/story/2012-01-16/zappos-security-breach/52605292/1)”. Many of you are probably customers of Zappos. You bought a great pair of shoes from them and got your data stolen in return. All of the ecommerce sites have your data. Whether it is personal information such as with Zappos or corporate data as with companies like Dropbox.com and Carbonite.com; you are trusting third party security measures. But what can you do?

That’s a hard question. You can’t really enforce security on a third party company (unless you are a huge company and that third party is much smaller!).

A couple of things you should consider when using these third party companies is:
1) How valuable is the data you are sharing? There may be a valuation point where it’s not worth the problems that could occur if you store data with a third party company.
2) In your industry, know the applicable laws that could impact you were you to loose data.
3) Research the company and see if they have published a SAS70 or any other kind of proof that they have gone through security testing.
4) Research that company, have they had security problems in the past or is their type of service plagued with security problems.
5) Review your contracts carefully to understand liability and what they actually say they will do in the event of a breach.
As most services move to the cloud and third party providers, security will be increasingly out of your control. Be cognizant of the risks you face and understand what your level of risk acceptance is.

Gary Bahadur
www.garybahadur.com
Author: Securing the Clicks: Network Security in the Age of Social Media

The proliferation of “Apps” is probably a good thing overal. One of my favorite Apps is “AroundMe”, which does what is says, finds stuf around me when I am out and about. But thats not the subject of this post.

Security apps for the mobile devices is starting to get more sophisiticated. There are a number of Apps available for the different platforms. Since I have an iPhone, I will just mention a few that have come across my path,

I will take the lazy way out and get you the brief description from ITunes of several Apps.

1) Portscan - Security Scanner By Tommy Kammerer
Description: Finally Portscan, the essential network utility is now available for the iPhone and iPod Touch. Portscan allows you to search a network host for open ports/running services. This app uses TCP connect() to scan, because everything else would require root privilege.

2) iPortScan Pro by Whiteside Solutions
Description: It does not feature any network discovery however this tool is useful for sysadmins checking what services are listening on a known system.

3) Nessus App for iPhone
Description: The Nessus App for iPhone is a great way to keep tabs on running Nessus scans, initiate new scans, and quickly review vulnerability scanning results. The app is available for free in the iTunes store and works with Nessus server versions 4.2 or later and the Nessus PerimeterService.

4) Net Pro by Mesh Software
Description: Net Pro is deigned to be the complete mobile solution for all your essential networking utilities.

5) IP Scanner by 10base-T interactive
Description: IP Scanner for iOS uses a suite of probes and scans to ascertain the identities of devices on yoru wireless network.

6) SNMPMon by TTrix Software Design
Description: SNMPmon allows you to monitor SNMP-capable devices. Simple Network Management Protocol (SNMP) is used in network management systems to monitor network-attached devices. SNMP is one of the most widely used, if not the most widely-used network management protocol. Several routers, WiFi access points, switches, printers, ip cameras, ip phones support SNMP. Computers running Windows, MacOSX, Aix, Solaris, HP-UX, Linux, VMware ESX also support SNMP but usually the service needs to be configured and enabled.

7) Snap by 9Bit Labs
Description: Do you ever wonder what else is on the network with your iPhone? Now you can easily find out with Snap! Snap quickly scans the network around your phone and discovers nearby servers, routers, even other iPhones! When Snap finds a device, it shows you the manufacturer of the device, any name information it could discover from the device, as well as the device’s MAC and IP addresses. For each device that Snap finds, you can also scan it for common services such as HTTP, remote login, AppleTalk, Microsoft networking, and many others. It even links directly to Safari for any HTTP services it finds, enabling you to easily explore devices on the network around you.

8. ) Wfi Network Scanner by Goonbee
Ever wondered who was using your home wifi network? Was maybe someone stealing it? Ever needed to know the IP address of a machine on it? Or perhaps the MAC address? Or maybe you were just curious whose computer in your house was swiched on? Perhaps you wanted to test the connection latency to each machine to diagnose network problems? Well wonder no more and get Wifi Scanner.

9) iNetwork Mapper By Foo-Bang Chan
Description: A simple yet comprehensive and sophisticated network security, administration and analysis tools that assist you (system or network administrator, security professional or security penetration tester and security passion engineer) in discovering,fingerprinting, analysing and assess systems surrounding your networks.

10) WPA Tester by Paolo Arduin
Description: WPA Tester is a useful application that allows you to test the security of your home Wi-Fi. If you left the default settings on your private line, WPA Tester will test the actual security, creating the possible default passwords. If your default password is one of those found by the application, you should get into the router settings and enter a personal password in order to prevent attackers can abuse your internet connection!

Of course there are many more out there. This initial list might be a bit to easy and simple, but… If you use Cyndia http://cydia.saurik.com/ and Jailbreak, you can get more complex tools. Some others you can look into include WLAN Audit, Wfi Analyzer, Pirni and iWep Pro. This is an interesting start to the toolkit.

But what has been interesting over the past several years is the continuing evolution of hackers. Take for example the “Anonymous” group. Some would say they are Hacktivists doing some social justice but if you ask Sony or Mastercard, they would say “Anonymous” was a group of attackers put to destroy the corporate world. The same can be said for Wikileaks. The companies and governments who lost data to Wikileaks would call Julian Asange a bad guy but there was talk of him up for the Nobel Peace Prize  (http://abcnews.go.com/Politics/wikileaks-julian-assange-nominated-nobel-peace-prize/story?id=12825383)

The continuing evolution of Hacker has started to back to a positive reference. We are seeing a lot of Hackathons that are geared at positive results, creating new tools and software and changing the way the world works.  This week at TechCruch Disrupt (http://techcrunch.com/disrupt/),  the Hackathon brings together people worldwide to create something new.

Another positive force is the Hackathon for Occupy Wall Street,  (http://mashable.com/2011/10/19/occupy-wall-street-hackathons-2/) As the article says “Groups of programmers gathered in three cities this weekend to build digital tools for the Occupy Wall Street movement. Several of those tools have already launched, and in many cases they’re being maintained by activists who’ve never held a sign in a park.”

I hope this type of hacking continues and we see changes for the better out of these types of Hackathons.

Gary Bahadur

KRAA Security

www.kraasecurity.com

The next step in the evolution of the social web really is on the mobile device. It seems as if every company that has a web application and website is now porting everything to the mobile device. With the apps for iOS, Andriod and WebOS, they availability is use apps covers just about everyone. With this purchase of Motorola Mobility, Google is setting up more vertical integration of the app development process. As they say, they will keep the Andriod platform open, and we should be able to count on that from Google. As Andy Rubin, Senior Vice President of Mobile at Google, said, “We expect that this combination will enable us to break new ground for the Android ecosystem. However, our vision for Android is unchanged and Google remains firmly committed to Android as an open platform and a vibrant open source community. We will continue to work with all of our valued Android partners to develop and distribute innovative Android-powered devices.”

As companies move into the mobile space, there a number of threats that they will probably never have seen before. Are they prepared for a different threat landscape that is not the traditional things like virus’, malware and worms? Make no mistake, these traditional threats are occurring in mobile, but the new ones will be just as great. A key part of the new risk model for mobile is the data being ported between the social web applications and your phone. The Motorola Mobility platform if going to more integrated with Google we can expect, but this may just open your data to hackers through a different platform that does not have a 20 year history of address security threats.

Some of the key threats to mobile we can expect include:

1. Social network data theft, leveraging your mobile applications to steal data through poor coding techniques
2. Trojans applications, pretending to be legitimate applications that can steal data
3. Man in the middle attacks, using the mobile application to launch further attacks and stay disguised
4. In-app theft, using installed apps to break into your connected bank accounts or PayPal accounts

We do not know what the future holds for the Motorola Mobility purchase by Google, but I think we can safely assume the Google stock price will rise!

Gary Bahadur

CEO KRAA Security

www.kraasecurity.com

Its been a pretty exciting month for hacking. We are getting news of some new hacked site every other day. And these are not small inconsequential sites for the most part. Here are a couple you may not have come across.

News: THE CRAZIES Hackers Leaks Server Certificates of Defense Information Systems Agency (DISA)
What happened: HE CRAZIES Hackers steal the Several Certificate revocation lists (CRLs) from Server of Defense Information Systems Agency (DISA) – http://disa.mil/ and leak the Certificates at :

http://www.mediafire.com/?dvli58a9logojld

http://www.mediafire.com/?k8z168aazj6s1k8

Impact: To be determined

News: EC-Council Academy Hacked by GaySec (Malaysian hackers)
What happened: The server hosting the EC-Ccouncil Academy (Not the Ec-Council!) was rooted.
Impact: Not important enough to matter.

News: Pakistani Website Songs.pk Hacked By Indian Hackers In Response To The 2011 Mumbai Bomb Blast
What Happened: The attack seems to be in retaliation for the recent Mumbai bomb blasts.
Impact: No real impact

News: Pentagon Admits 24,000 Files Were Hacked, Declares Cyberspace A Theater Of War
What happened: The Pentagon admits that a “foreign intelligence service” stole 24,000 Defense Department files.
Impact: We will probably never know

News:  Hacking collective redirect Sun website to fake story claiming Rupert Murdoch had been found dead – before redirecting site to the LulzSec Twitter accoun
What Happened: The group LulzSec hacked the website and redirected it to a fake story.
Impact: Rupert Murdoch is not dead.

News:  School District’s Website Hacked, Conroe Independent School District Investigating Incident
What happened: Hacker broken into the website of the largest school district in Texas. It is unclear of student data was stolen.
Impact: Changed grades?

News:  Lady Gaga website hacked
What happened: The hackers were able to break into the British website wand download names and email addresses.
Impact: Little Monsters will be getting an extra dose of spam.

News:  PBS website hacked for second time in a month
What happened: PBS said the hacked revealed “a very small number” of PBS employees’ user names and encrypted passwords. Well those passwords could not have been that well encrypted.
Impact: Donations for new security tools?

Gary Bahadur
www.kraasecurity.com
www.razient.com
Social Media Security
Website Security Testing
Vulnerability Analysis
HIPAA Security Assessment

Startup Challenge
The challenge is doing all of this on a budget. You do not even know if you will make money so putting a lot of money into upfront costs might not be feasible. I have faced these same challenges in the several companies I have worked on. But the wonderful thing about this whole “cloud economy” me we are living in is that there is a site that can help you with just about everything you need, and for a reasonable price.

When I someone told me about Fiverr (www.fiverr.com) I thought it was pretty funny idea. What will people do for $5? I thought about what I would do for $5 and the list is probably too long for this post and might scare the faint of heart. My first foray into the site was fun. You can have a guy dance around in gorilla costume for $5.

Or you can have a guy scream like a psychopath. I am sure someone will find that valuable.

startup company with fiverr

But as you delve into www.Fiverr.com there are a lot of great services for $5. (Btw, I have no other interest in Fiverr other than I think it’s a great service.)  You can have some write your press release and have someone else distribute it to 10 press release sites for $5 each. It would take at least 30 minutes to write a good press release and another 30 to distribute it to multiple sites. So $10 for an hour of work is probably not a bad deal.

You can find some very valuable services in just about every area you need to build your business. For a limited budget, its a pretty good start.

There are some other great sites you can use to get your company off the ground including Odesk (www.odesk.com), Elance (www.elance.com), Guru (www.guru.com) and TenBux (www.tenbux.com) among others. Save your money where you can when starting a company and good luck!

Gary Bahadur

www.kraasecurity.com

www.razient.com

Social Media Security

Website Security Testing

Vulnerability Analysis

HIPAA Security Assessment

Its amazing that this continues to happen and there isn’t a stronger tie between the credit reporting agencies and the hacked banks to help consumer manage their credit and not be responsible to follow up on a data loss. The consumer is the one who has to bear all the burden. And the banks will probably just add another fee to cover their costs to managing the security breach.

These banks should really be more proactive in conducting vulnerability scans daily, conducting website security testing and implement intrusion detection and prevention systems. We do not know if Citibank had a IDS system in ploace but you would think that with a good prevention system in place, this hack should have been immediately identified and stoped before the data breach could occur?

Gary Bahadur

www.kraasecurity.com

Social Media Security

Website Security Testing

Security Policy Development

Related articles

• City Bank Gets Hacked….. (cybersecurityhacking.wordpress.com)
• Citibank Hack Affects 210,000 Customers (mashable.com)
• 360 000 Accounts Hacked with Citibank (telecomcanadaen.wordpress.com)
• Massive Data Theft in Citibank Hack (ghacks.net)