The IT Security Guy

Little Black Book Now on Kindle

2012-05-24T10:45:00.003-05:00

The Little Black Book of Computer Security, Second Edition, which I just released again as a reprint, is now available from Amazon on Kindle.

This is my first book on Kindle and, of course, my first experience with e-books. It should be interesting.

The Little Black Book Now Available Again

2012-05-09T12:44:00.002-05:00

I've just republished my book, The Little Black Book of Computer Security, Second Edition, which had gone out of print last year.

I also reduced the price to $14.95 and made the format a bit bigger -- but it's still a "little black book".

The book is available again on Amazon or CreateSpace.

Digital Pickpockets on TV

2011-11-04T10:21:00.003-05:00

I appeared on a TV program last night about so-called "digital pickpockets," who skim and clone credit cards. The program also had a demonstration of how card numbers can be sniffed from RFID cards right from people as they walk down the street.

Besides punching a hole in your credit card to remove the RFID chip, as the reporter dramatically showed at the end of the program, the best ways to protect your credit card are still the old-fashioned way -- frequently checking your credit card statements, keeping your card within eye sight and being careful where you use your card.

TV Appearance -- Again

2011-03-02T19:03:00.002-06:00

I was interviewed briefly on local television about ATM security. Thieves were allegedly using a master code to steal from ATM machines. The victim, in this case, was the machine, not individual accounts, since the alleged crooks used the code to pilfer the contents of the ATMs and not the accounts of individual credit or debit card holders.

My last television appearance was in 2009, also on a local station, about my book, The Little Black Book of Computer Security, Second Edition.

Remember Infected Floppies? Now They're USB Devices

2010-08-27T14:04:00.002-05:00

Remember the good old days when you could get virus infections through infected floppy disks? That was long before there was a Web, or an Internet, available to the average person. Well, now, those infected floppies, tossed away long ago in the trash, have been replaced by USB devices, according to Computer World.

Quoting the 2nd International Security Barometer report from Panda Security, a quarter of worm infections are spread through portable storage devices. The study of 10,000 small- and medium-sized businesses said 27% of attacks by malware were found to have originated from USB devices.

Among those victimized by USB-laden malware have been the U.S. military, which was hit when an infected USB drive was plugged into the U.S. Central Command's (CENTCOM) network, which is the regional command for the Middle East, including Iraq and Afghanistan.

Another USB thumb drive loaded with W32.SillyFDC, a low-risk worm, burrowed into both classified and non-classified military networks in 2008, in what is being described as the most significant breach of U.S. military computers.

In the private sector, the Stuxnet worm, which was aimed at PCs used in large-scale industrial control networks, was discovered in July to have also been spread by USB drives, according to a report from Computer World.

Protection can be found using Panda USB Vaccine, a free download for preventing infections on USB devices.

Cyberduped by Fake Sexy Cybergeek

2010-07-22T18:35:00.003-05:00

This is another one about the perils of not being careful when using social networks. A security researcher set up a series of fake Facebook, LinkedIn and Twitter accounts, bearing information and a seductive mug shot of a young lady, posing as a Navy cyberthreat analyst.

The fictitous flirty little Sage, as the dupe was called, established links with around 300 - mostly men, not surprisingly, but also some women - in the U.S. military, intelligence and information security communities. Some of her new found "friends" even considered offering her a job, according to this story in Computerworld.

Interestingly, the flesh honeypot wasn't able to attract any attention from either of the two top notch schools - MIT and St. Paul's, a New Hampshire prep school - listed on LinkedIn to demonstrate her high educational pedigree.

It seems the prep schools were a bit more choosy in who they friend. "One of the things I found was that MIT and St. Paul's [prep school] were very cliquey. If they don't remember seeing you, they are not going to click. You had less of a chance of penetrating those groups than the actual intel and security communities," Thomas Ryan, the real person behind the phony social networker, was quoted as saying.

The lesson is simple and obvious: If you don't know them personally, don't friend them. No matter how cute, knowledgeable or well-educated they appear. Matahari has now moved to cyberspace.

Hackers Hit YouTube XSS Flaw

2010-07-05T09:08:00.002-05:00

YouTube was attacked yesterday by hackers using a Cross-Site Scripting (XSS) vulnerability on its web site. Press reports indicate the flaw was fixed by Google, YouTube's owner, within a few hours.

The flaw apparently allowed the attackers to post JavaScript code in the comments section of videos. The attack redirected users looking for videos of Canadian singer Justin Bieber, alleging falsely that he was killed in a car accident. Twitter tweeted away that YouTube was hit by a virus.

Some more technical details were reported on Techie Buzz, and the Internet Storm Center at SANS mentioned the exploit could steal the cookies of YouTube users, which they said wouldn't be of much value.

iPad Security Breach Exposes 114,000 E-mail Addresses

2010-06-10T06:30:00.002-05:00

A security breach on AT&T's web site allowed a group of hackers to snarf up 114,000 e-mail addresses from unsuspecting iPad users, according to The New York Times. AT&T said that it has already closed the whole, but the question remains of why they stored such information on a publicly accessible web site in the first place.

While stolen e-mail addresses by themselves aren't of much use, other than to add to spam mailing lists, the hacking group, Goatse, was also able to get the ICC-ID of iPads. The ICC-ID is a unique identification number for the iPad. AT&T denied the ICC-ID could be used for anything other than getting an e-mail address, but some security experts cautioned it could still possibly lead to find the device's location.

Technical details of the breach were reported by Gawker, which said it involved spoofing the User-agent in the header to make AT&T's servers respond to a request from a PHP script for harvesting the data.

Never Met a Facebook Page I Liked

2010-06-01T14:54:00.002-05:00

If you like this Facebook page, as described in recent post on Graham Cluley's Sophos blog, you're going to get hit by a clickjacking Trojan. The Likejacking exploit, as Network World and Richard Cohen at Sophos calls it, attracts users by a suggestive message -- very similar to other social-engineering tricks -- and then redirects users to a page that downloads the Trojan, which replicates the suggestive messages to all the victim's friends.

According to Sophos, the Troj/IFrame Trojan just replicates virally through Facebook pages and doesn't appear to steal user credentials. It just forces users to "like" a Facebook page, as the social-networking site calls it, without the user's knowledge.

Interestingly, the blog post, which has technical details about the exploit, advises users to join the Sophos page on Facebook to get alerts about other security threats.

A Guide to Google Privacy

2010-05-27T14:55:00.002-05:00

This is an interesting guide to securely using Google from Computerworld. The so-called "smart paranoid's" guide can be basically boiled down to two general protections.

The first protection is a series of tips for cleaning up your Google history and other trails left while logged into your Google account, for example, to read your Gmail or use any of the growing range of Google applications.

I know what you're thinking. So, why not just log out of your Google account when browsing? That sounds pretty obvious. Won't that protect you from Big Brother Google? Not exactly. Even if you're searching without a saddle, Google can track your whereabouts with the usual suspects: IP address, browser settings and User-Agent settings, all sent by default over the Web.

The suggestions, in this case, are to use any of the commonly known proxies, such as Tor, or similar tools referenced in the article. Another suggestion is to use the private browsing features on Internet Explorer or Chrome, for example, and remove all cookies and caches after browsing.

Along the same lines, a sneaky phishing attack using the multiple tabs on browsers -- which the major browsers now, such as IF, Firefox and Chrome. This attack works behind the curtains while a user is browsing. The phisher changes the web site under an open tab, without changing the tab title, which redirects the user after the come back to the tab from another tab. Network World revealed a fix for what they called the "tabnapping" attack.

And, then Google just unveiled its brand new encrypted search feature.

CAPTCHA Cracking: Nice Work, If You Can Get It

2010-04-27T20:49:00.004-05:00

This story in The New York Times about people being paid to fill in CAPTCHAs is as much about IT security, as it is about working conditions in the developing world. According to the article, people in India, China and Bangladesh, among other developing countries, are being paid between the equivalent of 80 cents and US$1.20 for each 1,000 deciphered boxes.

CAPTCHAs are those funny sets of numbers and letters set every which way and embedded in an image in a box at the base of some e-mail, and login pages, to prevent automated bots and scripts from signing into accounts. The idea is that only humans should be able to recognize and enter the text from the embedded images.

That is, unless, the humans themselves are deliberately entering the text, opening the e-mail accounts, for example, and passing them along to spammers. Apparently, thousands of people in Asia, most part of sophisticated operations, are in on the act. And projects are even bid out online, and most employees have no idea who is hiring them.

The reaction of Google, one of the targets of these CAPTCHA crackers, glosses over the issue. Macduff Hughes, an engineering director at Google, said “Our goal is to make mass account creation less attractive to spammers, and the fact that spammers have to pay people to solve captchas proves that the tool is working.”

Industrial Control Attacks: Mundane or Prophetic?

2010-04-20T20:44:00.003-05:00

This isn't exactly the sexiest part of IT security, but attacks on industrial control systems, such as utility, water and sewage treatment plants, are on the rise, according to data gathered by the Repository of Industrial Security Incidents (RISI). And with recent media attention on cyberwarfare, utilities would be a prime target to bring down for any potential cyberwarrior.

But besides cyberadversaries wanting to hit the US, a major source of infections is more mundane: employees bringing malware on infected laptops and USB keys, for example, according to the study.

Though only a fraction of these control systems connect directly to the Internet, they do connect to business networks, which in turn are connected to the Internet. It's the business networks, to which employees have access, that are the source of the malware.

Industry insiders are skeptical of the threat from employees, let alone foreign hackers engaging in potential cyberwarfare, which might seem even more far-fetched on the surface.

Although utilities and control systems are in private hands, their protection is crucial to any defense of critical infrastructure in times of war, cyber or not. And that defense will rely just as much on government and military, as it will on IT security professionals in the private sector, with they'll need to partner.

Another Adobe Attack Vector Expected

2010-04-09T17:14:00.002-05:00

The ubiquitous Adobe Acrobat is back in the security spotlight again with another attack vector discovered by a security researcher this week. The flaw was first discovered by Belgian security researcher Didier Stevens and can be exploited with the "/Launch" function built into the Adobe Reader.

Unlike the recent JavaScript flaw, this one requires a bit of social engineering. A user must be tricked into opening a malicious PDF file. Details with a proof-of-concept are on Stevens' blog.

Adobe is aware of the issue but it was discovered too late to be included in next week's patch cycle for security fixes. In the meantime, security experts are recommending turning off the Launch feature in Reader. This was the same approach given for the JavaScript security bug.

To turn off the potentially threatening feature in Adobe Reader 9.3, the most current version, Go to Edit > Preferences > Trust Manager and uncheck the box labeled "Allow opening of non-PDF file attachments with external applications".

Tips for Debit Card Security

2010-03-20T22:42:00.002-05:00

Debit cards look, act, feel and work like those other plastic payment cards called credit cards. But think twice before using them in some places, according to this little blurb from CreditCards.com.

Unlike credit cards, debit cards directly access your bank or checking account. That means, if maliciously used, they could be a siphon right into your bank account.

The top ten list are the following:

1) Online
2) Big-ticket items
3) Deposit required
4) Restaurants
5) You're a new customer
6) Buy now, take delivery later
7) Recurring payments
8) Future travel
9) Gas stations and hotels
10) Checkouts or ATMs that look "off"

The last two are particularly interesting. Gas stations are particularly vulnerable to skimming operations at pumps, and ATMs that don't look right can end up unexpectedly in some popular locations.

Remember the bogus ATM planted last year at Defcon right as you went down the hall before the entrance?

Should Users Reject IT Security Advice?

2010-03-17T15:58:00.004-05:00

Writing on the TechRepublic's IT Security blog, Michael Kassner has an interesting point here. There seems to be an endless drumbeat of security advice dumped on users, ranging from more frequent password resets to watching for phishing e-mails and invalid certificates.

But does the information sink in? And, if not, why? It doesn't catch not only because there are too many rules, and among those too many to follow to the letter, but because users don't see a cost benefit, or sometimes any tangible benefit, at all.

Kassner was quoting a paper by Microsoft researcher Cormac Herley, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users".

Here some highlights of the recommendations from Herley's work:

We need an estimate of the victimization rate for any exploit when designing appropriate security advice. Without this we end up doing worst-case risk analysis.

User education is a cost borne by the whole population, while offering benefit only to the fraction that fall victim. Thus the cost of any security advice should be in proportion to the victimization rate.

Retiring advice that is no longer compelling is necessary. Many of the instructions with which we burden users do little to address the current harms that they face.

We must prioritize advice. In trying to defend everything we end up defending nothing. When we provide long lists of unordered advice we abdicate all opportunity to have influence and abandon users to fend for themselves.

We must respect users’ time and effort. Viewing the user’s time as worth $2.6 billion an hour is a better starting point than valuing it at zero.

Identity Theft: Census Scams and Young People

2010-03-17T15:34:00.003-05:00

Here's something to think about for those of you in the United States. As those Census forms start arriving in the mail, just make sure they're legitimate and not phishing scams -- either by e-mail or paper mail -- looking to steal personal information.

According to the Better Business Bureau, fraudsters are taking advantage of the Census to steal financial information, like bank and credit card account numbers. Legitimate Census forms have 10 questions about your household and its inhabitants, not about your financial information.

The fraudsters are mailing out fake forms, sending phishing e-mails, pretending over the phone to be Census takers and even visiting homes. The BBB recommends you compare any Census form you get in the mail to the official version online. As for phishing e-mails, phone calls and visits to your door, the same rule applies: the questions should match the official form and not ask anything about personal finances or accounts.

Along the same lines, The Washington Post reported today that 18- to 24-year-olds are the most at risk for identity theft. The Millennial Generation is just too comfortable giving out personal information, whether online or in person, making them easier targets for identity theft than older, more discrete, generations more accustomed to a bit more privacy.

Seemingly anonymous information, such as movie preferences in Netflix, for example, can be misused to identify people. And, that's beside the information gathered from a photo of last night's party at a bar posted on a social networking site.

The Security Dangers of Social Networking

2010-03-10T14:47:00.003-06:00

You can try and lock them down, but no matter how you look at it, social networking sites remain security risks. But it's not just about application security, meaning the sites themselves as vectors for malware, but the information on them. They can be used for reconnaissance and intelligence about people for setting them up for spear phishing attacks.

Bruce Schneier had some interesting commentary on the subject recently, referencing research about using group membership on sites such as Facebook and LinkedIn to "de-anonymize" users. Even after locking down every possible piece of information on these sites, group memberships are often still visible.

As if that's not enough, posts by users after hours with information from their employers can lead to the leakage of inside information. The line between personal and professional lives, at least on social networking sites, is getting more blurred.

Defeating Online Bank Fraud Once and For All

2010-02-26T16:13:00.003-06:00

Is it possible to really defeat online banking fraud once and for all? Roel Schouwenberg thinks so in an interesting guest editorial on Kaspersky's Threat Post. Schouwenberg says the solution is already out there, and it's pretty simple: multi-factor authentication.

In an outstanding and detailed analysis he did back in 2008 of bank attacks, he noted that what he calls Man-in-the-Endpoint Banker Trojans, or Browser Trojans, have not improved much since 2007. The reason: they haven't had to.

Basically, what many banks are using for two-factor authentication -- secret questions next to passwords -- is neither true two-factor authentication nor secure. The Trojans of the past three years are just as adept at breaking such systems yesterday as they are today.

Many banks, particularly in the US, believe asking customers to use tokens, for example, would be a nuisance that would drive away business.

While I think multi-factor authentication would go a long way in preventing attacks against banks, it's still just another technology, and the issue isn't its use, but its implementation. Even the strongest authentication system is still vulnerable to human abuse, misuse, and social engineering.

Such authentication systems should also be combined with other systems, in a multi-layered defense, like fraud monitoring programs. Such programs, like FraudAction from RSA, allow or block transactions based on patterns of usage and behavior. Multi-factor authentication might not stop a suspicious transaction, such a lone transaction in Eastern Europe against a bank account in the US owned by someone who has never left the country.

But fraud monitoring operating behind the scenes and transparent to the user would be a good tool to augment multi-factor authentication. It might not stop bank attacks once and for all, but it would definitely help.

Dueling Botnets Fight Turf War in Cyberspace

2010-02-10T21:31:00.002-06:00

A new Russian botnet is on the loose, spreading a Trojan horse that not only steals data -- like any good Trojan -- but then deletes a rival Trojan from infected machines.

That's really sweet, but I wouldn't exactly call it the Good Samaritan Trojan either. The new Spy Eye toolkit, discovered by Ben Greenbaum, a senior security researcher at Symantec, began showing up on cybercrime sites in December.

Spy Eye is battling Zeus, a similar crimeware Trojan that steals online banking credentials, according to Symantec. Spy Eye has a feature, "kill Zeus," which is meant to disarm its close rival.

This sort of cyberspace equivalent of gangs slugging it out for territory isn't new, according to The Register, which has reported Trojan battles among Srizbi, Beagle, Netsky and Mydoom dating back to 2007.

Scary Facebook Security Glitch or Bad Software?

2010-01-15T18:01:00.005-06:00

As if there hasn't been enough publicity about the security evils of Facebook, this one is really off the wall. In this case, a woman from Georgia and her two daughters wound up in the account of some strangers when logging onto Facebook from their mobile phones.

All kinds of private information was exposed about the strangers. And, AT&T, the wireless provider for the family's mobile phones, said the glitch was due to a "routing problem," according to this news item two hours ago from the Associated Press.

The issue has far reaching implications beyond Facebook, since other sites, not just the famous social networking site, could be affected by such routing errors.

Basically, the issue wasn't due to problems with the Facebook web site, but possibly poorly configured network equipment and poorly coded network software. The issue might be hard for a hacker to exploit, since the routing error was random and one-off, something hard for a malicious user to engineer.

Interestingly enough, Facebook announced a partnership this week with McAfee to offer security software.

Summary of 2010 Security Predictions

2010-01-05T15:16:00.002-06:00

It's that time of year again, when everybody is out there with their annual predictions for IT security this year.

This little summary from Michael Kassner's post on Chad Perrin's IT Security blog at TechRepublic covers not only Kassner's own thoughts but also covers predictions from eWeek, Verizon, Help Net and IT PRO.

Then there was this from Andreas M. Antonopoulos posted at both Network World and Computer World, and from Larry Seltzer at PC Mag, who also cited reports from Symantec, F-Secure, Websense and Trend Micro.

Common themes? Well, it seems to run the gamut, but cloud computing, mobile security and malware were all common topics.

Adobe on Hacker Radar in 2010

2010-01-04T20:25:00.002-06:00

This should come as no surprise, but a recent report by McAfee, predicting threats for this year, says Adobe will be popular with hackers. In fact, according to the report, Adobe and Flash will beat out Microsoft software, finally, for the hacker attack vector of choice.

That's good news for Microsoft, which has been, until now, the favorite whipping boy for hackers.

Interestingly enough, the report also cites the tried-and-true oldest trick in the book, malicious e-mail attachments, as still another favorite attack vector. E-mail is also popular because it's a great way to burrow into corporate networks, past their finely tuned firewalls and DMZs. All an employee has to do at some company is click on the attachment and, well, the game is over.

And could one of those attachments be a malicious Adobe document? No way.

FBI Investigating Citibank Hack

2009-12-22T20:37:00.002-06:00

The FBI is looking into a breach at Citibank by a Russian cybergang, the Wall Street Journal reported today. The gang apparently began breaching Citibank over the summer and was uncovered by investigators in the US who noticed suspicious traffic from IP addresses used by the Russian Business Network.

Citibank denies any breach took place. The Russian Business Network is a well-known hacking group that has developed tools for breaching US government systems.

What concerns security experts is the potential for widespread damage to the banking system. They say that if hackers could get into one bank and manipulate data, they could easily get into others, creating chaos in banks and financial markets.

And, this is where hackers seeking financial gain -- the root of most hacking today -- might be crossing the line into cyber threats against national security. Supposedly, according to the Wall Street Journal article, this is what got the NSA and DHS in on the party, exchanging informaton with the FBI.

From the other side, as well, the attack may point to a revival of former members of the Russian Business Network, which has been quiet for the past two years. Investigators say a tool developed by a Russian hacker called Black Energy may have been used in the Citibank cyberheist.

White House Taps Schmidt for Cyber Security

2009-12-21T22:58:00.002-06:00

President Barack Obama has picked Howard Schmidt to be the national cybersecurity coordinator, according to the Associated Press. Schmidt has a 40-year career in cybersecurity, spanning law enforcement, private industry and even briefly in the Bush administration.

The announcement hasn't yet been public, according to the AP, quoting a senior White House official on condition of anonymity. Obama was personally involved in the search and picked Schmidt after an extensive search. Though he won't report directly to the president, he'll have regular and direct access.

Cybersecurity is a key issue facing Obama but has taken a back seat to his health care program and the war Afghanistan.

Schmidt wrote an interesting book, covering his long career, Patrolling Cyberspace, which I enjoyed immensely. It was a nice short book packed with a lot of history about the beginnings of hacking, much of which has been forgotten. He was definitely a visionary, seeing the problem long before law enforcement took it seriously.

The book also got a favorable review from M. E. Kabay in his regular Network World column.

Hollywood Burglars Used Internet Without Hacking

2009-11-15T21:45:00.003-06:00

These people aren't hackers by any stretch of the imagination. And their exploits weren't hi-tech. They were allegedly ordinary off-line thieves preying on Hollywood celebrities like Paris Hilton and Lindsay Lohan.

But what makes them different is their creative, yet simple, use of the Web to get information to commit their alleged crimes, according to The New York Times. They just took information off of ordinary web sites. No slick exploits. No cool hacks.

What's even more interesting is that they didn't snarf private information the stars might have unwisely posted on social networking sites. Instead they got information from common well-known sites about celebrities, such as TMZ to learn about their victim's comings and goings. When someone like Hilton might be at some gala, they knew that was their time to rob her house.

Granted, ordinary people who aren't celebrities don't have their every move publicized for the world to see on web sites. And, maybe well-known personalities can't do much to hide their movements or protect their addresses from online snoops. But this is still an interesting case of low-tech thievery using a hi-tech tool.