Archive for the ‘Uncategorized’ Category

Burglars & Social Networks

August 30, 2009

More than 30 percent of Facebook and Twitter users have posted their holiday plans or mentioned that they'll be away for the weekend.

In support of the report, an experiment was conducted to see how many U.K. social media users would accept a “friend” invitation from a complete stranger. Of 100 “friend” or “follow” requests issued to strangers selected at random, 13 percent were accepted on Facebook and 92 percent on Twitter, without any checks. This reaction could result in a complete stranger potentially being able to learn about a person’s interests, location, and movements in and out of their home.

Gosh, it's going to be a busy season for burglars.

Cracking WPA encryption in a minute

August 30, 2009

We already knew that WPA encryption could be broken, but Japanese researchers have taken the attack to a new level by breaking it in about one minute.

The earlier attack, developed by researchers Martin Beck and Erik Tews, worked on a smaller range of WPA devices and took between 12 and 15 minutes to work. Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm.

But computer scientists in Japan say they’ve developed a way to break the WPA encryption system used in wireless routers in about one minute. The attack gives hackers a way to read encrypted traffic sent between computers and certain types of routers that use the WPA (Wi-Fi Protected Access) encryption system.

Another code theft

August 26, 2009

This type of data theft could be prevented, or at least detected early, by better data protection and content monitoring controls, e.g. locking down USB storage, monitoring email, blocking websites and outbound ports and, most importantly, restricting access to the code itself.

He said that he had inadvertently downloaded a portion of [Company’s] proprietary code while trying to take files of open source software — programs that are not proprietary and can be used freely by anyone. He said he had not used the [Company's] code at his new job or distributed it to anyone else, and the criminal complaint offers no evidence that he has.

Why he downloaded the open source software from Goldman, rather than getting it elsewhere, and how he could at the same time have inadvertently downloaded some of the firm’s most confidential software, is not yet clear.

Removing the shield of anonymity

August 23, 2009

Microsoft researchers will soon show a way to remove the shield of anonymity from shadowy attackers, even when the host's IP address changes frequently.

Tracing the origins of messages–a key task for tracking spam and other kinds of Internet attack–involved reconstructing relationships between account IDs and the hosts from which users connected to the e-mail service. To do this, the researchers clumped together all the IDs accessed from different hosts over a certain time period. The HostTracker software then combed through this data to resolve any conflicts. For example, sometimes more than one user appeared to originate from the same IP address or a single user had multiple IP addresses during overlapping periods of time.
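To make the two conflict cases concrete, here is a small added example of my own (not HostTracker, whose internals Microsoft has not published) that rebuilds ID-to-host bindings from a constructed login log. The sample events, account names and IPs are made up; `shared_hosts` finds IPs carrying several accounts at once, `multi_homed_accounts` finds one account on several IPs at once, and `owner_at` answers the tracing question for a given IP and instant, returning an empty set when the address has since moved to someone else.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login records (account, source IP, login, logout); not real data.
SAMPLE_EVENTS = [
    ("alice", "203.0.113.10", "2009-08-20T09:00", "2009-08-20T11:00"),
    ("alice", "203.0.113.10", "2009-08-21T09:05", "2009-08-21T10:30"),
    ("bob",   "203.0.113.10", "2009-08-20T10:15", "2009-08-20T10:45"),  # same IP as alice, same time
    ("alice", "198.51.100.7", "2009-08-20T10:30", "2009-08-20T12:00"),  # alice on a second IP at once
    ("carol", "198.51.100.7", "2009-08-22T08:00", "2009-08-22T09:00"),  # same IP as alice, two days later
]


def _parse(events):
    return [(a, ip, datetime.fromisoformat(s), datetime.fromisoformat(e)) for a, ip, s, e in events]


def _overlap(s1, e1, s2, e2):
    return s1 < e2 and s2 < e1


def build_bindings(events=SAMPLE_EVENTS):
    """Binding table: ip -> account -> list of (login, logout) windows."""
    table = defaultdict(lambda: defaultdict(list))
    for acct, ip, s, e in _parse(events):
        table[ip][acct].append((s, e))
    return table


def shared_hosts(events=SAMPLE_EVENTS):
    """Conflict 1: IPs where two or more accounts were active at the same moment
    (a NAT or proxy, a shared machine, or several accounts run by one operator)."""
    found = {}
    for ip, accts in build_bindings(events).items():
        names = list(accts)
        clash = set()
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if any(_overlap(*w1, *w2) for w1 in accts[a] for w2 in accts[b]):
                    clash.update((a, b))
        if clash:
            found[ip] = clash
    return found


def multi_homed_accounts(events=SAMPLE_EVENTS):
    """Conflict 2: accounts logged in from two or more IPs during overlapping periods."""
    sessions = defaultdict(list)
    for acct, ip, s, e in _parse(events):
        sessions[acct].append((ip, s, e))
    found = {}
    for acct, sess in sessions.items():
        ips = set()
        for i, (ip1, s1, e1) in enumerate(sess):
            for ip2, s2, e2 in sess[i + 1:]:
                if ip1 != ip2 and _overlap(s1, e1, s2, e2):
                    ips.update((ip1, ip2))
        if ips:
            found[acct] = ips
    return found


def owner_at(ip, when, events=SAMPLE_EVENTS):
    """Accounts bound to `ip` at instant `when` (ISO 8601). Empty set: no binding at that
    time (the address had moved on); more than one: a conflict to resolve, not a trace."""
    t = datetime.fromisoformat(when)
    return {a for a, wins in build_bindings(events)[ip].items() if any(s <= t < e for s, e in wins)}


if __name__ == "__main__":
    print("shared hosts:", shared_hosts())
    print("multi-homed accounts:", multi_homed_accounts())
    print("198.51.100.7 on 2009-08-22 08:30 ->", owner_at("198.51.100.7", "2009-08-22T08:30"))
```

The point of keeping time windows rather than a flat IP-to-account map is the dynamic-IP case in the sample: 198.51.100.7 belongs to alice on the 20th and to carol on the 22nd, and a lookup without a timestamp would blame the wrong person.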

Highly Predictive Blacklisting

August 23, 2009

A new technique, called highly predictive blacklisting, uses data from past attacks to block potential attackers in the future.

In the same way that Amazon can recommend a book by comparing your past reading habits to many other individuals, it is possible to predict how you will be targeted by malicious internet activity by comparing your history of attacks with other web users.

The Irvine team have tested their algorithm on a dataset of 1 month’s worth of logs consisting of 100s of millions of security logs from 100s of networks. The team claims that the strike rate of its predictive blacklists is up to 70 per cent better than the state-of-the-art systems and that further improvements are well within reach.
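The recommender analogy is easier to judge with the mechanics in front of you, so here is an added toy implementation of my own (not the Irvine team's code). The contributor networks and attacker IPs in `REPORTS` are constructed. `correlation` is the "readers like you" step: networks are similar when they have been hit by the same sources. `predictive_blacklist` then ranks attackers for one network by the summed similarity of the networks that saw them, and `only_new=True` returns just the ones the target has not seen yet, i.e. the prediction. `global_blacklist` is the worst-offenders baseline it is meant to beat.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: for each contributing network, the set of source IPs its
# sensors logged attacking it during the window. Not real data.
REPORTS = {
    "net-A": {"1.1.1.1", "2.2.2.2", "3.3.3.3"},
    "net-B": {"1.1.1.1", "2.2.2.2", "4.4.4.4"},
    "net-C": {"8.8.8.8", "9.9.9.9"},
    "net-D": {"1.1.1.1", "3.3.3.3", "5.5.5.5"},
}


def jaccard(a, b):
    """Similarity of two attacker sets: shared attackers over all attackers seen by either."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def correlation(reports):
    """Pairwise network similarity, the 'readers like you' step of the recommender."""
    sim = defaultdict(dict)
    for x, y in combinations(reports, 2):
        s = jaccard(reports[x], reports[y])
        sim[x][y] = sim[y][x] = s
    return sim


def global_blacklist(reports, size=None):
    """Baseline: the worst offenders overall, the same list for everyone."""
    hits = defaultdict(int)
    for attackers in reports.values():
        for ip in attackers:
            hits[ip] += 1
    return [ip for ip, _ in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))][:size]


def predictive_blacklist(target, reports, size=None, only_new=False):
    """Per-network list: each attacker scores the summed similarity of the networks that
    saw it, with the target's own sightings at weight 1. only_new keeps just the attackers
    the target has not seen yet. Attackers reported only by unrelated networks score 0
    and are dropped, which is what keeps irrelevant entries off the list."""
    sim = correlation(reports)
    score = defaultdict(float)
    for net, attackers in reports.items():
        w = 1.0 if net == target else sim[target].get(net, 0.0)
        for ip in attackers:
            score[ip] += w
    ranked = sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))
    out = [ip for ip, s in ranked if s > 0 and (not only_new or ip not in reports[target])]
    return out[:size]


if __name__ == "__main__":
    print("global:", global_blacklist(REPORTS, size=3))
    for net in REPORTS:
        print(net, "predicted new attackers:", predictive_blacklist(net, REPORTS, only_new=True))
```

With this data, net-C (which shares no attackers with anyone) gets an empty prediction instead of the global list's 1.1.1.1, while net-A is told to expect 4.4.4.4 and 5.5.5.5 from the two networks it resembles.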

My take: Amazon.com can recommend books because users (readers) have specific tastes and reading interests, but in the case of attackers I do not think it is as easy to draw the pattern, except for the fact that professional hackers circle around the sites and databases holding customer PII (Personally Identifiable Information).

"in compliance" but "out of controls"

August 18, 2009

Here is a good example of being “in compliance” but not taking the control implementation seriously.

A recent physical security audit I performed involved two server rooms that both had keypads on the door. After talking with the head sysadmin, I learned that the keypads weren’t even being used–which was obvious after a bit of recon where I could see that everyone who entered had used a key. The keypads were there because of a checklist that was being followed when the server rooms were installed. The funny thing is that I don’t think they’ve ever been programmed, but I’ve not confirmed that–yet.

I am not a big fan of compliance-based security (controls should be chosen based on risk, not compliance), but here we see an example where controls are put in place to mislead auditors. Even worse!

Take Picture – deposit – Done!

August 12, 2009

USAA's new iPhone app (called Deposit@Mobile) will let users snap a picture of a check and deposit it via the iPhone camera! I think they are missing something here: the account holder will be able to have their cake and eat it too.

The only remaining reason for many of us to visit bank branch offices, wait in line and interact with a teller is to deposit checks. That’s about to change.

The United Services Automobile Association, a financial services company for members of the U.S. military and veterans, plans to launch a free iPhone app that lets you deposit checks via your iPhone camera. The service will be called USAA Deposit@Mobile. To make a deposit, you use the app to log onto your account, enter the amount of the check, snap a picture of the front and back of the check, then touch the “Send” button.

How to unprotect your network?

August 11, 2009

Here is an easy way to unprotect your network: don't deactivate access to the network and vital services upon termination of employment! This is what happened at a United Way office, where an employee left in December 2007 and continued to have access until December 2008.


The former IT admin for a Florida-based charity stands accused of ransacking the organization’s servers and phone systems last Christmas eve, more than a year after his employment there ended.
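The control that was missing is a routine reconciliation of the HR roster against the directory, and that is a short script. The example below is added by me (not the charity's or anyone else's code) and runs over a constructed HR roster and directory export; the usernames, dates and the `AS_OF` audit date are made up. It flags enabled accounts whose owner has been gone longer than the grace period, notes whether they have logged on since termination (the December 2008 case here), and separately flags enabled accounts with no owner in HR at all, which is where service accounts hide.

```python
from datetime import date

# Constructed HR roster: username -> termination date (None means still employed). Not real data.
HR_ROSTER = {
    "jsmith": None,
    "kwu": None,
    "itadmin": date(2007, 12, 14),
    "mlee": date(2008, 11, 3),
}

# Constructed directory export: username -> (account enabled?, last logon). Not real data.
DIRECTORY = {
    "jsmith": (True, date(2008, 12, 20)),
    "itadmin": (True, date(2008, 12, 24)),     # left a year ago, still enabled, still logging on
    "mlee": (False, date(2008, 11, 1)),        # disabled on departure: correct
    "svc-backup": (True, date(2008, 12, 23)),  # no human owner on file
}

AS_OF = date(2008, 12, 24)  # date of the audit run (constructed)


def orphaned_accounts(hr, directory, as_of, grace_days=0):
    """Enabled accounts whose owner was terminated more than `grace_days` before `as_of`,
    plus enabled accounts with no owner in HR at all. Sorted by username."""
    findings = []
    for user, (enabled, last_logon) in directory.items():
        if not enabled:
            continue  # already disabled: nothing to do
        if user not in hr:
            findings.append({"user": user, "reason": "NO_OWNER",
                             "days_exposed": None, "logon_after_termination": None})
            continue
        term = hr[user]
        if term is None:
            continue  # still employed
        exposed = (as_of - term).days
        if exposed > grace_days:
            findings.append({"user": user, "reason": "ENABLED_AFTER_TERMINATION",
                             "days_exposed": exposed,
                             "logon_after_termination": last_logon > term})
    return sorted(findings, key=lambda f: f["user"])


if __name__ == "__main__":
    for finding in orphaned_accounts(HR_ROSTER, DIRECTORY, AS_OF):
        print(finding)
```

Run it on a schedule and page someone when the list is non-empty; a logon after the termination date is an incident, not a hygiene finding.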

Smart Devices being used as hacking tools

August 7, 2009

Recently, a Colorado Technical University professor showed Defcon attendees how an iPod Touch can be turned into a portable and stealthy penetration testing or attack tool.

“Because of its size and ability to connect back to a more robust attack platform, the iPod Touch can go anywhere and get us [penetration testers] into areas where we couldn’t before,” Wilhelm says. “If I walked into a bank with a laptop, people would be suspicious. If I were to walk in with something like an iPhone, people would accept it. I could hack for hours in a bank or coffee shop, and no one would [suspect],” he says.

Though it is not as easy as it sounds, new-generation phones (especially Apple devices, because of their Unix-based OS and networking capabilities) can certainly be used to attack networks.

SFO Parking meters hacked!

August 3, 2009

Not a good idea to computerize parking meters in the tech-savvy Bay Area, unless the City can afford not to get paid for parking.


To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. He then analyzed that data by hand, and wrote a software program that would emulate the smart card. After some trial and error, he finally figured out what his program needed to say to the meter in order to work. Then he built a card that would replay the same data, using a programmable smart card called a Silver Card.

I guess the city missed the story of the NY subway MetroCard hack, which involved destroying a small amount of data on the card without interfering with the M.T.A.'s computer system.

Who should dictate enterprise security?

August 2, 2009

At the Black Hat security conference, former Google VP of Engineering Douglas said he wants users to dictate enterprise security needs.

The same happens with security in the enterprise. Companies will try to control employees by restricting IM use, by forcing Gmail through a proxy.

….

He said that twenty years ago everyone wanted to work in enterprise software; not today. Today there are better, more user-friendly tools such as IM. And rather than fight the needs of the employees, security officers should work to secure the networks that use them.

My take: this strategy might work well in small companies but not in large organizations, especially where employees have access to customer data.

New frauds, new terms

July 29, 2009

As new frauds emerge, phishing's siblings are being born: vishing (voice phishing) and smishing (SMS phishing). Vishing, though, sounds like the twin sister of social engineering.

Phishing scams, where criminals attempt to elicit payments or personal details by e-mail, are now well known, so practitioners are turning to telephone-based variants. The principal method is “vishing” (voice phishing), where the perpetrators call victims posing as their bank and ask them to verify their identities by divulging personal details, often using an automated system. In the most convincing version, the target is not asked for details on the spot, but told to call the bank’s “fraud department” on a specified security number. “Smishing” (SMS phishing) is the latest adaptation, where initial contact is made by text message.

The Times article also discusses other emerging frauds and how people fall victim to them.

Predicting individual SSNs simply from publicly available data

July 26, 2009

CMU researchers have published another paper on predicting individual SSNs simply from publicly available data.

Since SSNs are predictable from public data, identity theft could occur even without events such as data breaches. Some of the implications are that 1) the SSA should randomize the entire SSN assignment process; 2) current policy initiatives in the area of SSN and identity theft should be reconsidered: most policy-making currently focuses on removing SSNs from databases or redacting their digits, so that they can still be used as “confidential information” – however, since SSNs are predictable from otherwise publicly available data, SSNs cannot be kept confidential even if they are removed from databases, and therefore those initiatives may be ineffective; 3) since SSNs can be predicted and are therefore, in a sense, semi-public information, consumers should not be required by private sector entities to use SSNs as passwords or for authentication.

Police to use Wardriving

July 22, 2009

This is the first time the wardriving technique (searching for open wireless networks with a laptop or handheld from a moving vehicle) has been used by police to warn users.

Many home networks can be accessed by anyone within range because strong security settings are often not enabled and passwords are rarely changed from the default setting.

—-

Detective Superintendent Hay said it was important for police to get “ahead of the game” as crooks were now sharing information on satellite maps showing vulnerable areas with large numbers of unsecured networks.
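What the police car actually has to do, and what the "Cracking WPA encryption in a minute" post above turns on, is the same question: from a beacon, which of open, WEP, WPA-TKIP or WPA2-CCMP is this network really running? Here is an added example of my own, not code from the police, the researchers or any scanner, that decodes the two security elements a beacon can carry, the RSN element (ID 48, suite OUI 00:0F:AC) and the older WPA vendor element (ID 221, OUI 00:50:F2 type 1), and flags TKIP or WEP anywhere in the group or pairwise cipher lists. The element bytes and SSIDs in `SAMPLE_SCAN` are constructed, not captured frames; a real tool would feed it the element list and privacy bit parsed from each beacon.

```python
import struct

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11i suite selectors (RSN / WPA2 element, ID 48)
WPA_OUI = b"\x00\x50\xf2"   # Microsoft OUI used by the original WPA vendor element (ID 221, type 1)
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}

# Constructed element bodies (the bytes after element ID and length), not captured frames.
WPA_TKIP_IE = bytes.fromhex("0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")
RSN_CCMP_IE = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
RSN_MIXED_IE = bytes.fromhex("0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000")

# Constructed scan results: SSID -> (privacy bit from the capability field, [(element ID, body)]).
SAMPLE_SCAN = {
    "HomeNet-open": (False, []),
    "HomeNet-wep": (True, []),
    "HomeNet-wpa": (True, [(221, WPA_TKIP_IE)]),
    "HomeNet-wpa2": (True, [(48, RSN_CCMP_IE)]),
    "HomeNet-mixed": (True, [(48, RSN_MIXED_IE), (221, WPA_TKIP_IE)]),
}


def _selector(b, oui, table):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if len(b) < 4:
        return "truncated"
    if b[:3] != oui:
        return "vendor-" + b.hex()
    return table.get(b[3], "unknown-%d" % b[3])


def parse_security_ie(body, oui):
    """Shared layout of the RSN and WPA elements: version, group cipher, pairwise cipher
    list, AKM list. Lists absent from a minimal element come back empty."""
    if len(body) < 6:
        return {"version": None, "group": "truncated", "pairwise": [], "akm": []}
    version = struct.unpack_from("<H", body, 0)[0]
    group = _selector(body[2:6], oui, CIPHERS)
    pairwise, akm, off = [], [], 6
    if len(body) >= off + 2:
        n = struct.unpack_from("<H", body, off)[0]
        off += 2
        pairwise = [_selector(body[off + 4 * i:off + 4 * i + 4], oui, CIPHERS) for i in range(n)]
        off += 4 * n
    if len(body) >= off + 2:
        m = struct.unpack_from("<H", body, off)[0]
        off += 2
        akm = [_selector(body[off + 4 * i:off + 4 * i + 4], oui, AKMS) for i in range(m)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def classify(privacy_bit, ies):
    """Verdict for one beacon: open, WEP, or WPA/WPA2 with the ciphers actually offered.
    Mixed-mode APs advertise both elements; TKIP in either one makes the network weak."""
    rsn = next((b for eid, b in ies if eid == 48), None)
    wpa = next((b for eid, b in ies if eid == 221 and b[:4] == WPA_OUI + b"\x01"), None)
    parsed = []
    if rsn is not None:
        parsed.append(parse_security_ie(rsn, RSN_OUI))
    if wpa is not None:
        parsed.append(parse_security_ie(wpa[4:], WPA_OUI))
    if not parsed:
        # Privacy bit with no RSN/WPA element means WEP; without it the network is open.
        return {"protocol": "WEP" if privacy_bit else "open",
                "verdict": "broken" if privacy_bit else "open", "group": [], "pairwise": [], "akm": []}
    proto = "WPA/WPA2" if (rsn is not None and wpa is not None) else ("WPA2" if rsn is not None else "WPA")
    group = sorted({p["group"] for p in parsed})
    pairwise = sorted({c for p in parsed for c in p["pairwise"]})
    akm = sorted({a for p in parsed for a in p["akm"]})
    weak = sorted(c for c in set(group) | set(pairwise) if c == "TKIP" or c.startswith("WEP"))
    verdict = "weak: " + ", ".join(weak) if weak else "ok"
    return {"protocol": proto, "verdict": verdict, "group": group, "pairwise": pairwise, "akm": akm}


def survey(scan=SAMPLE_SCAN):
    """SSID -> (protocol, verdict) for a whole scan."""
    result = {}
    for ssid, (privacy_bit, ies) in scan.items():
        r = classify(privacy_bit, ies)
        result[ssid] = (r["protocol"], r["verdict"])
    return result


if __name__ == "__main__":
    for ssid, (proto, verdict) in survey().items():
        print(f"{ssid:15s} {proto:9s} {verdict}")
```

Note the mixed-mode case: the RSN element says WPA2, but its group cipher is TKIP so that legacy clients can join, and the one-minute attack applies to exactly that traffic. A scanner that only reports "WPA2" for such a network is giving the homeowner false comfort.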

Data Privacy

July 20, 2009

Should the user data associated with any service available online be subjected to the jurisdiction of all countries?

In March of this year, a Belgian court entered judgment in a criminal case against Yahoo! and fined the company for refusing to hand over user data to Belgian law enforcement authorities under Belgian law.

The catch? Yahoo! has no subsidiary, employees or localized website in Belgium. The request — sent via email by a Belgian prosecutor to Yahoo!’s U.S. offices — was for user data held in the U.S. and associated with Yahoo! Mail accounts.

Will Google’s Chrome be most secure OS ever?

July 12, 2009

I don't know about “most”, but it'll certainly be more secure. Per Google, it is redesigning the underlying security architecture of the OS so users don't have to deal with viruses, malware and security updates.

But there’s another side to this story. The Chrome OS will be far more Web-centric than Windows, which means that many–if not most–of its applications will be running over the Internet. What’s more, people’s data will be stored “in the cloud,” much of it on servers run by Google. So while Google may help reduce Microsoft’s potential as a single point of failure, it increases its own. If hackers were successful in launching an attack on Google, that would affect not only people’s ability to use Google apps, but the integrity of their data.

New way to communicate privately over Internet

July 12, 2009

How to communicate privately over the Internet? Use a darknet! No, it's not a shady network. The term was coined by DARPA and has long been used by the agency. HP is just making it easy to use and bringing it to you and me.

HP won’t give the specifics of its implementation, but here’s how the idea works: Someone navigates to a Web site that serves up some JavaScript code that runs in the user’s browser. That code uses the local storage capacity built into the latest version of browsers like Google Chrome and Internet Explorer. As a result, each user gives up some local storage that holds redundant, encrypted slices of data that together are coordinated and shared by the darknet. As a whole, the information exists so long as the darknet exists.

Cracking SSNs

July 10, 2009

Using statistical patterns, CMU researchers predicted the first five digits of a Social Security number 44% of the time.

The researchers leveraged publicly available information for the first five digits (the SSA publishes the area and high-group data on its official website). How hard is it to social-engineer the last four digits?
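Why the first five digits are guessable at all, for this post and the "Predicting individual SSNs" post above, comes down to how the SSA allocated numbers before it switched to randomized assignment in June 2011: the area (first three digits) followed the issuing state, and the group (next two) advanced in a fixed, published order as each area filled up, with the SSA's monthly High Group List stating how far each area had got. The example below is mine, not the CMU researchers' method (which additionally exploits birth data and the Death Master File), and only encodes that allocation order. `SAMPLE_HIGH_GROUPS` is a constructed excerpt of a High Group List, with made-up area numbers, not real SSA data.

```python
# Pre-2011 SSN structure: AAA-GG-SSSS. Area followed the issuing state, group advanced in
# a fixed order as the area filled, and only the serial ran sequentially within a group.

# Constructed High Group List excerpt: area -> highest group issued so far. Not real data.
SAMPLE_HIGH_GROUPS = {"987": "08", "986": "09"}


def group_issuance_order():
    """Documented SSA group order within an area: odd 01-09, even 10-98, even 02-08, odd 11-99."""
    order = [f"{g:02d}" for g in range(1, 10, 2)]
    order += [f"{g:02d}" for g in range(10, 99, 2)]
    order += [f"{g:02d}" for g in range(2, 9, 2)]
    order += [f"{g:02d}" for g in range(11, 100, 2)]
    return order


def groups_issued(high_group):
    """Every group already issued in an area whose published high group is `high_group`."""
    order = group_issuance_order()
    return order[: order.index(f"{int(high_group):02d}") + 1]


def candidate_prefixes(area, high_group, recent=1):
    """First-five-digit candidates for an SSN issued in `area` shortly before the High Group
    List showed `high_group`: the last `recent` groups in issuance order."""
    return [f"{int(area):03d}-{g}" for g in groups_issued(high_group)[-recent:]]


def is_plausible(ssn, high_group_for_area):
    """Pre-randomization sanity check used by fraud screens: no all-zero field, and the group
    must be one already issued for that area according to the High Group List."""
    area, group, serial = ssn.split("-")
    if area == "000" or group == "00" or serial == "0000":
        return False
    high = high_group_for_area.get(area)
    return high is not None and group in groups_issued(high)


if __name__ == "__main__":
    print("issuance order:", " ".join(group_issuance_order()))
    print("recent prefixes for area 987:", candidate_prefixes("987", "08", recent=2))
    print("987-04-1234 plausible:", is_plausible("987-04-1234", SAMPLE_HIGH_GROUPS))
    print("987-11-1234 plausible:", is_plausible("987-11-1234", SAMPLE_HIGH_GROUPS))
```

Once birth state and approximate date pin the area and the handful of groups being issued at the time, the search space for the first five digits collapses to a few candidates, which is the whole argument for treating an SSN as an identifier rather than a secret. Since the 2011 change, new numbers no longer follow this order, but every number issued before then still does.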

Are regulations an enabler?

June 21, 2009

IT governance does include regulations and policies, but they are just a subset and should not be seen as a control over IT initiatives.

Heartland’s new focus: information Sharing

June 16, 2009

After end-to-end encryption, Heartland is now focusing on information sharing! The result: the PPISC (Payment Processing Information Sharing Council). I don't think forming new associations or groups is a solution. The focus should be on identifying leading risk indicators and designing controls so that no threat can exploit those vulnerabilities. Anyway, here is Carr's introductory statement (I like his dedication, though!)

Robert O. Carr, chairman and chief executive officer of Heartland Payment Systems™, one of the nation’s largest payments processors and a new member organization of FS-ISAC, believes formation of the PPISC is the most effective way to foster communication among payments processors. Carr, a strong advocate of industry collaboration, has been talking to many payments processing leaders about working together to fight cyber criminals and encouraged the formation of PPISC.

