This past week was eventful for Facebook and for Mark Zuckerberg. The Facebook page was hacked as first reported by Techcrunch ““Let The Hacking Begin” Declares Person Who Hacked Zuckerberg’s Facebook Fan Page”  (http://techcrunch.com/2011/01/25/zuckerberg-fan-page-hack/) . The message left on the page was: “Let the hacking begin. If facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Price winner Muhammad Yunus described it? http://bit.ly/fs6rT3 What do you think? #hackercup2011” Facebook then said it was a “bug” as reported by the BBC “Facebook blames bug for Zuckerberg ‘hacking’” (http://www.bbc.co.uk/news/technology-12286377). Well I guess they can speak to Microsoft about “bugs” and letting their software be hackable. Not much more was explained. One other interesting event that was also news with Facebook was the launch of their encrypted login process as reported by the Huffingtonpost “What Facebook’s New Security Features Mean For You”. This has actually been around for a while but not published. What does this mean? Well when you go to Facebook.com now, just go to https://www.facebook.com.  The “https” will allow you to have your login encrypted so the guy sitting next to you in Starbuck and capture your traffic on the wireless network and steal your login ID and password by running Firesheep or other sniffing program. You can also do this with many social networking sites even though they do not publicize it. To turn on this feature automatically go to “Accounts” -> “Account Setting” -> “Account Security” -> “Change” and select “Browse Facebook on a secure connection (https) whenever possible”. If you have never played with the Privacy Setting you should probably check those out as well. Stop sharing everything about yourself with “Everyone”!
Facebook privacy settings

Facebook privacy settings

Gary Bahadur CEO KRAA Security, baha@kraasecurity.com http://www.kraasecurity.com http://blog.kraasecurity.com http://twitter.com/kraasecurity *Vulnerability Management *Compliance & Police Development *PGP Security *Free Website Security Test
Enhanced by Zemanta
Facebook, Inc.
Image via Wikipedia
One of the greatest challenges to privacy and security in the next several years is Social Networks and Social Media. Sites like Facebook, Twitter, LinkedIn, MySpace and others can be the downfall of valuing information. The ability to share and provide information is completely the opposite of network security requirements.  This is really encouraging people to do things that are not security conscious activities. Social media encourages:
  • Lack of privacy
  • Encouraging information sharing
  • Giving away answers to security questions
  • Social engineering
As we have seen recently, a lot of spam, spyware and malware is attacking social network. Just in the past week I have probably recieved a 100 requests to be my friend on Facebook from people who I do not know and funny enough, all the message have the exact same personal message. Malicious people are attracted to social networks because of the ease of gaining trust and availability of data for social engineering.  Relationship building is easier through social media which can easily lead to phishing attacks. With these sites, people install applications without knowing what goes on in the background, and its easy to download malicious code to your computer. There are no external third party audits of these applications before the make it to your Facebook application. Your computer can be easily infected by a virus or spyware. What does the Social Media user to protect their information? No Personal information – This is anti-social network, but there are things you can limit about what you post. Don’t post your Birthday! Or your address or your mothers middle name or any really personal data. Limit who can view and contact you – Don’t let your profile be truly public, restrict to people you know for requested users.  Remember you can’t retract information you put out there.  Don’t trust strangers – Your mother was right, don’t open the door to strangers. Limit who you accept chat or friend requests from and well as even communicate with. Trust no Profile – People lie, it’s sad but true. So profiles lie, they might say they went to your college or high school.  They might be interested in your groups, so don’t take anyone at their word. Restrict your privacy – There are some configuration setting in all the social media applications that can allow you to turn on some restrictions on your privacy. Take a minute to actually look at them. One easy example is in Facebook you can create groups that you can place friend in; you don’t want business people seeing what your friends are posting. Password management – An oldie but a goodie, always use a strong password and don’t share it. And change it periodically. Layers of protection – You should be running a personal firewall and antivirus software on the machine you are viewing social networks. This will help if a malicious piece of software tries to download something to your machine. Keep your protection software up to date as well and run the patch management software on your machine, this is especially important for you Windows users. Child protection software – You should have some kind of child protection software running on machines where children under 13 are using. This will help with all that shady software that is out there. Gary Bahadur http://www.kraasecurity.com http://blog.kraasecurity.com http://twitter.com/kraasecurity Address: 200 Se 1st St #601 Miami FL 33131 *Managed Security Services *Vulnerability Management *Compliance & Policy Development *PGP Security *FREE Website Security Test 
Reblog this post [with Zemanta]

Stolen laptop with employee information- yet again

The Associated Press reported that a Williams Cos. Inc. laptop containing personal and compensation information was stopen from a workers vehicle. The laptop had over 4,400 current and former employees records. Information like names, birth dates, Social Security numbers and compensation data was on it. How many times have wee seen this story? They said the laptop was password protected. Well then lets not worry eh? A password, run for Ze Hillz! They did not say whether other security measures like application security risk assessment and network security audit tools were used in place other than the PGP Whole Disk encryption , or of any kind of remote wiping utility was in place or even if a hard disk password was used. The people with stolen data can only hope this might be the case. So not we have the hoke pokey dance of checking credit, getting free one year membership to credit monitoring, buring down the barn now that the horse was stolen, all that good stuff. Here is a list fo some recent thefts
records date organizations
1,084 2009-08-06 Colorado Department of Corrections
131,000 2009-08-04 United States Army National Guard
1,000 2009-08-04 New Hampshire Department of Corrections
4,400 2009-07-31 Williams Companies, Inc.
766 2009-07-28 University of Colorado CO Springs
573,928 2009-07-25 Network Solutions
900 2009-07-24 Hampton Redevelopment and Housing Authority
1,000 2009-07-23 American International Group (AIG), American Life Insurance Co Japan
180,000 2009-07-22 HSBC Holdings plc, HSBC Life
1,917 2009-07-22 HSBC Holdings plc, HSBC Actuaries
The main problem with these events is that the user is uneducated when it comes to security and don’t bother to go for a  security penetration test or information security risk assessment.  No matter what kind of technology you put in place, the user can find a way around it to compromise your security. First educate them, then worry about technology to protect them from their own stupidity. Gary Bahadur http://www.kraasecurity.com http://blog.kraasecurity.com http://twitter.com/kraasecurity o:888-KRAA-911,  c: 917-568-7917, f: 866-633-6601 Address: 20801 Biscayne Blvd, Suite 403, Aventura, FL 33180 *Managed Security Services *Vulnerability Management *Compliance & Policy Development *PGP Security *FREE Website Security Test
Reblog this post [with Zemanta]
I hope no one is actually shocked by this story. Records are stolen everyday. Typically, the hackers will sell the information in the underground somewhere is Eastern Europe or Asia. The fact that someone is asking for ransom, and so publicly it actually a good thing in my opinion. Why is it good you ask? (I assume you are asking that, vulcan mind meld and all that..) Maybe the industry (meaning all industries) need a sensational story to get real change in their IT Security environments. When the Heartland data breach happened, it was interesting but the general public didnt find it sexy enough. A ransom note, publicly done makes for good drama. Equate it to the Somali pirates. They really broke in the news because of the weapons they captured. This might be the “weapons” story that gets the general public asking about security of the places they use on the Internet. Identity theft is on the rise. Most companies never do a web application security assessment. They almost never do a database security review. If the hacker can break in through your web portal but your database of customer data is encrypted, well your last line of defense can save your hide. So what are some things you can do to protect your website? 1) Conduct a web application security assessment. You should probably do this twice a year or anytime you make any significant changes to the application. 2) Conduct an architecture review. If your network architecture has holes in it, a hacker can find away around the application and perhaps get to the data through a different port. 3) Conduct a host security diagnostic review. If the hacker can get on the system and take advantage of an operating system weakness, you will still be compromised 4) Conduct a database security review. Your last line of defense, make sure the data in encrypted, access is completely authenticated and IDS on the database to flag and stop inappropriate access 5) Hire someone smart to do your security assessment.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

+++++++++++++++++++++++++++++++++++++++++++++++
The Channel Wire
May 06, 2009