Information Security: Are we Evolving Fast Enough?

In the last two decades, we have seen a lot of changes around us. We have moved from standard definition to high definition content, from dial-up internet to high speed broadband, and our mode of interaction with devices is also changing, with touch and voice input becoming more common. We have also changed the way we communicate and store data. A lot of our data is stored online in the cloud, and most of our communication happens online through Twitter, Facebook and the like.

Along with these changes, our security policies have had to change as well. As we entrust more and more of our data to technology companies, it is vital that we think hard about their security procedures. Traditionally, security policies have been framed around the core principles known as CIA: confidentiality, integrity and availability. But times have changed, and so have the bad guys. We can no longer rely on the old principles alone. Our security policies have to evolve, and fast. But are we moving fast enough? Let's take a look.

Just a few weeks ago, WIRED editor Mat Honan's iCloud account was compromised, along with his Amazon account. Using the hijacked iCloud account, the attacker remotely wiped his iPhone, iPad and MacBook. How was the attacker able to do it? Shockingly, just by calling Apple customer support. Every piece of information Apple asked for before handing over the account was obtained either from public sources on the internet or from Amazon, by social engineering its support staff. Honan told the full story on WIRED.

This is just one example; you can find plenty of incidents like it. Interestingly, most of today's attacks use social engineering as the preferred method. But has the technology sector evolved enough to protect itself and its customers from this type of attack? The truth is that while certain companies are trying their best, a lot of companies do not think outside the box. In a SANS white paper titled "A Multi-Level Defense Against Social Engineering", David Gragg quotes Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, as follows.

He notes, “Very few companies are worried about this. Every one of them should be.”

Considering that a large number of attacks in 2011 used social engineering, we can easily conclude that his words are very much true. Still, the unfortunate truth is that companies are not training their staff to detect social engineering tactics. For example, a large number of tech companies rely on personal information (a billing address, the last four digits of a card number, the answer to a "security question") to reset passwords. In the current age of social networks, that information is fairly easy to obtain, as the Mat Honan incident showed: what one company treats as a secret, another prints on a receipt or a public profile. By not taking the current technological ecosystem into consideration, these companies are effectively creating a loophole that attackers can exploit.
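As an added illustration (not from the original post, and not any particular company's code), here is what a reset flow that does not depend on recitable personal facts looks like. A random token sent to the address already on file is the only secret; only its hash is stored, it expires quickly, and it is consumed on first use. The in-memory dict stands in for whatever database the service uses, and the function and variable names are assumptions of the example:

```python
import hashlib
import secrets
import time

# Assumption: an in-memory dict stands in for the service's database.
# It maps sha256(token) -> (user_id, expiry timestamp). The token itself is
# never stored, so a copied table is useless to an attacker or a support agent.
RESET_TOKENS = {}
TOKEN_TTL = 15 * 60  # seconds; a short window limits how long a leaked link works


def _token_hash(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id, now=None):
    """Create a single-use reset token for user_id and return it.

    The token is the only secret in the flow: it goes to the address already
    on file, and nothing a caller can recite (billing address, last four
    digits, mother's maiden name) substitutes for it.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[_token_hash(token)] = (user_id, now + TOKEN_TTL)
    return token


def redeem_reset_token(token, now=None):
    """Return the user_id the token belongs to, or None if it is not valid.

    The entry is removed on the first attempt whether or not it has expired,
    so a token can never be replayed after a successful reset.
    """
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_hash(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print("reset link token:", t)
    print("first redeem ->", redeem_reset_token(t))
    print("replay ->", redeem_reset_token(t))
```

The support desk never sees the token and has nothing to be talked into reading out; the weakest link left is the mailbox it is delivered to, which is why the e-mail account itself needs stronger protection than any of the accounts that reset through it.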

But every time a data breach occurs, can we blame the company or the client? Ted Claypoole, author of 'Protecting Your Internet Identity: Are You Naked Online?', says that at a certain level, preventing hacking is just impossible.

“Everyone is hacked.  Sometimes a company has a big loss, and other times smaller losses. But professional criminals are testing weaknesses all the time, technology changes constantly, and all businesses have been a victim, or will be a victim. Some never know it.

There is no such thing as impenetrable security.  For a thing to have value, you must be able to use it.  And if you can reach it to use it, then so can a bad guy.  Sometimes they impersonate the account holder.  Sometimes they take jobs inside the company and become the security flaw.  Sometimes they exploit the technology.  But every company has “insufficient security policies” by your measure, because every company is vulnerable. Anyone who tells you that their major company has never been breached is either lying, naïve or both.

Last year a hacker, probably foreign government sponsored, broke into RSA, one of our very top security companies, and took information that could allow the hackers to hack defense contractors (like Lockheed Martin).

Our financial protection from harm lies not in company security policies, but in the system itself. This is why we have a $50 fraud limit on our credit cards, and why, when someone breaks in to steal up to $100,000 of your money from the bank, they did not just steal your money – they either stole the bank's money or the government's money, and yours will be returned. The system eats billions in fraud each year and we all pay a little bit for it, so that the losses are not as unevenly distributed if it happens to you. So I question your assumption that companies who are hacked have insufficient security policies. Resources are limited. We can all spend only so much time and money on security. Sometimes you can have the top security in the world, and the bad guys are simply better."

And that is certainly true. At times the bad guys are just too good for us to prevent an incident. But that shouldn't deter us from creating strong security policies and training our staff to prevent incidents like the one that happened to Mat. The truth is that most of the time the breach would have been avoidable: the 2011 Verizon Data Breach Investigations Report found that 96% of the breaches it studied could have been avoided through simple or intermediate controls. For example, Microsoft India's online store was hacked earlier this year and password and credit card data was stolen. Apparently the company that managed the store on behalf of Microsoft didn't even bother to hash the passwords, let alone with a salted, slow hash, making the attacker's job a walk in the park.

So what can we do to improve our current security infrastructure? What we need is a holistic approach to creating new security policies, one that takes the latest trends and methods of attack into account. Policies have to evolve as fast as the attack vectors do. This is not an easy thing to do, but it has to be done to safeguard our data. One option is an internationally recognised security certification process, similar to ISO 27001, that audits a company's security policies and practices and rates the company on the basis of them. This would help customers pick the best in terms of security and give companies the necessary 'push' to frame the right policies. One caveat: a certificate attests that documented processes exist and were audited at a point in time; it does not by itself stop a support agent from being talked around, which is exactly the gap the Honan attack went through.

Furthermore, the government can pass laws that prioritise the safeguarding of consumer data. Unfortunately, there is no solid law in the US that focuses on the protection of consumer data, says Ted. "Lawmakers in the United States are doing very little to force protection of users' data. Other industrialized nations believe that data privacy and data security is a human right that their citizens hold. This country does not yet acknowledge any such right. We have laws protecting certain specific classes of information in certain circumstances – some health care data, financial data, and children's information – but our data protection laws are confused and disjointed."

While Senators are trying to pass laws such as SOPA for the benefit of the entertainment industry, it would be nice if they could spend a little of their valuable time making solid laws to protect our data as well as our identity online. Only effective security policies, together with strong laws, can bring about durable change in our security infrastructure so that we can sleep tight without worrying about our data.

Patch Tuesday: Microsoft and Adobe Release Critical Patches

It's that day of the month when you have to fire up Windows Update and install all of those very precious security updates. Both Microsoft and Adobe have released a number of updates which are available for download right now.

Microsoft's release consists of nine bulletins, five of which are rated critical, the highest severity rating; the rest are rated important. Together they fix 26 vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, server software, developer tools and Office. You can either use Windows Update or download the updates from the Download Center. If you have automatic updates enabled (as you should), you will probably have them installed already.

Adobe, on the other hand, has released three security bulletins covering Reader, Acrobat, Shockwave Player and Flash Player. The Reader and Acrobat update fixes about 20 vulnerabilities in both the Windows and Mac OS X versions. The Flash Player update, which is the most important of the three, fixes a vulnerability (CVE-2012-1535) that, according to Adobe, has been exploited in the wild in limited, targeted attacks. The Shockwave Player update addresses five memory corruption vulnerabilities that could lead to code execution.

For more information on the Microsoft updates, visit the MSRC. To download updates for Adobe products, visit their security bulletins and advisories section.

Make sure to have these updates installed on your PC as soon as possible, for better protection from online threats.

Review: Create instant Infographics Using Infogr.am

I'm sure you have heard the saying 'a picture speaks a thousand words'. It is much easier to express your ideas using pictures or infographics. But the problem with infographics is that it takes a lot of time and effort to create one that looks good and is rich in information.

Well, that's where the web app Infogr.am comes into play. Infogr.am tries to make infographic creation effortless and simple.

Their homepage is really simple and elegant. When you click the huge 'Start Now' button, you are taken to the login page. You have to log in or register before you can start creating your infographic. Like most new web apps, Infogr.am lets you log in using either your Twitter or your Facebook account. You can also register using the traditional email-based sign-up process. Once you log in, you can instantly start building your infographic.

There are options to create basic charts or infographics. Currently there are only about five templates each for infographics and charts, but all of them are neat, elegant and quite different from one another. Hopefully they will add more templates soon. Along with textual data, Infogr.am also lets you add your own images to your chart or infographic, which is pretty cool.

Once you select a template, simply enter the data through an interface reminiscent of Excel, and within minutes you will have your chart or infographic ready for download. You also have the option to save your work to their online library for future retrieval.

What I liked about Infogr.am is the design. It is extremely simple, and it takes no effort to create stunning graphics. I just felt it would be better if they provided a few more templates. Their website says they will be adding a store section soon, so we can expect premium templates in the future.

All in all, Infogr.am is an excellent service that delivers what it promises. If you want to create charts or infographics without using an image editor, you should definitely check it out.

 

How to Get your Outlook.com Email Address

Microsoft has just announced the Outlook.com email service, which will be replacing Hotmail soon. While you can keep using your current email address, you also have the option of creating a new @outlook.com alias that you can use alongside it. This is a tutorial on how to do that (if you have a common name, you had better hurry before someone else takes it).

To upgrade from Hotmail to Outlook.com, log in to Hotmail, click Options and select Upgrade to Outlook.com.

You will be automatically upgraded to the new Outlook.com and will find a welcome mail with a link to get a new alias.

Alternatively, you can create an alias from the settings page.

Once you are in the new Outlook.com, click the gear icon in the top right corner and select the More settings option. You will be taken to the Settings page.

Now click Create your Outlook alias under the Managing your account section.

After entering your desired alias, click the Create alias button and you are done.

You can now send and receive email using your new Outlook.com address.

Fake New York Times Op-Ed Fools the Twitterati

A fake op-ed written by someone masquerading as Bill Keller of The New York Times has managed to fool thousands of people, including some of The New York Times' own staff writers.

I came to notice the incident via a tweet by security researcher Christopher Soghoian, who identified it as a fake New York Times URL. But interestingly, some of The New York Times' own writers, such as Nick Bilton, were fooled by the article and ended up sharing it on Twitter. Adding insult to injury, it looks like Bill Keller himself retweeted the fake op-ed. Now, I'm not sure whether his account was compromised and the tweet was sent by someone other than him. But as you can clearly see from the screenshot below, he retweeted a tweet by @journalismfest containing the fake URL.

Bill Keller later tweeted:

THERE IS A FAKE OP-ED GOING AROUND UNDER MY NAME, ABOUT WIKILEAKS. EMPHASIS ON “FAKE.”AS IN, NOT MINE.

Nick Bilton has also deleted his tweet and posted a clarification.

 

Other high-profile accounts fooled by the article include WikiLeaks, the very subject of the fake piece. WikiLeaks later tweeted wondering whether the NYT had been hacked, whereas in fact it was just a hoax page on a lookalike address. The lesson is the usual one: before amplifying a link, look at the actual hostname, not at the brand name embedded somewhere in the URL.
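A simple check that would have caught a link like the hoax one, added here as an example rather than anything from the story: parse the URL and compare the actual hostname against the domain you trust, instead of looking for the brand name anywhere in the string. The sample links are constructed for the demo and none of them is the hoax URL; the function names are the example's own.

```python
from urllib.parse import urlsplit


def link_is_on_domain(url, trusted_domain):
    """True only if the URL really points at trusted_domain or a subdomain of it.

    urlsplit().hostname strips the scheme, any user:pass@ prefix and the port,
    so a trick like https://trusted.example@attacker.example/ resolves to the
    attacker's host, not the trusted one.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False
    host = host.rstrip(".")
    trusted = trusted_domain.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


# Constructed sample links for the demo; none of these is the hoax URL.
SAMPLE_LINKS = [
    "https://www.nytimes.com/2012/07/29/opinion/a-real-column.html",
    "http://nytimes.com.opinion-hoax.example/2012/07/29/opinion/column.html",
    "https://opinion-nytimes.example/2012/07/29/opinion/column.html",
    "https://www.nytimes.com@opinion-hoax.example/2012/07/29/column.html",
    "HTTPS://WWW.NYTIMES.COM./2012/07/29/opinion/a-real-column.html",
]


def triage(links, trusted_domain="nytimes.com"):
    """Map each link to whether it is genuinely on trusted_domain."""
    return {link: link_is_on_domain(link, trusted_domain) for link in links}


if __name__ == "__main__":
    for link, ok in triage(SAMPLE_LINKS).items():
        print("OK   " if ok else "FAKE ", link)
```

The second and third sample links are the two classic shapes of a lookalike: the real domain used as a subdomain of an attacker's domain, and a hyphenated variant that merely contains the brand. A substring match would accept both; the hostname comparison rejects both.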

Spam Wave hits Dropbox Users

Posts from frustrated users are pouring into the Dropbox forum about spam arriving at email addresses connected to Dropbox. Posts such as the following have been coming in since yesterday.

since today, I receive spam from [website link clipped] to an email address that is in use at Dropbox only ([email protected]).

So I guess you have a security problem with your user account data. And this sucks a lot.

Although spamming software can hit addresses at random, the number of affected users, and the fact that several of them used an address for Dropbox and nothing else, suggests some kind of leak on Dropbox's side. A unique address per service is exactly what let these users point at Dropbox at all: if spam arrives at an address only one company ever received, that company (or one of its partners) is where it leaked from.
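Added example, not from the Dropbox forum or from Dropbox, of how to run the per-service address trick deliberately: give each service its own alias, keep a table of which alias went where, and when spam lands, map the recipient address back to the service that leaked it. The aliases, the `user+tag@domain` delivery convention and the sample headers are all assumptions constructed for the demo.

```python
import re
import secrets

# Assumption: the mail provider delivers user+tag@domain to user@domain
# (many providers do). The registry below is constructed for the demo; a
# real one would be a small table or a password-manager note.
ALIAS_REGISTRY = {
    "alice+dropbox@example.com": "dropbox",
    "alice+bank@example.com": "bank",
    "alice+shop@example.com": "shop",
}

# Constructed "To:" headers from a spam folder; not real mail.
SAMPLE_SPAM_HEADERS = [
    "To: alice+dropbox@example.com",
    "To: Alice <alice+dropbox@example.com>",
    "To: ALICE+DROPBOX@EXAMPLE.COM",
    "To: alice+bank@example.com",
    "To: alice@example.com",
]

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def issue_alias(user, domain, service, registry, tag=None):
    """Register and return a fresh alias for one service.

    A predictable tag like +dropbox lets a spammer strip it and reach the
    base address; a random tag (the default) also stops them guessing which
    other aliases exist.
    """
    tag = secrets.token_hex(4) if tag is None else tag
    alias = f"{user}+{tag}@{domain}".lower()
    registry[alias] = service
    return alias


def recipient(header):
    """Extract the bare address from a To: header, normalised to lower case."""
    m = ADDR_RE.search(header)
    return m.group(0).lower() if m else None


def attribute_spam(headers, registry):
    """Count spam per service; addresses not in the registry go to 'unknown'."""
    counts = {}
    for header in headers:
        service = registry.get(recipient(header), "unknown")
        counts[service] = counts.get(service, 0) + 1
    return counts


if __name__ == "__main__":
    print(attribute_spam(SAMPLE_SPAM_HEADERS, ALIAS_REGISTRY))
```

The attribution only tells you where an address leaked, not how: a partner's compromised address book, a shared-folder invite forwarded by a contact, or a breach at the service all look the same from the spam folder, which is why Dropbox's first reply below is a plausible alternative explanation rather than a deflection.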

The initial reply from the Dropbox support was as follows,

Generally, it is possible that these email addresses got released to the general population when you either shared a folder or sent a referral invite. When you send these to other people, your email is attached in the reply-to field and it is possible that a compromised referral could have gotten their address book stolen by spammers. This is the most likely scenario.

But apparently users who have never used the referral system have also been receiving spam. This spam wave might be the result of a compromise somewhere on Dropbox's side, but we can't be certain of that yet. Last year, a bug in Dropbox's authentication code allowed anyone to log in to any Dropbox account with an incorrect password for a period of several hours.

We have contacted Dropbox to know more about the situation, but haven’t heard from them yet.

UPDATE: A spokesperson for Dropbox has sent us the following statement.

We‘re aware that some Dropbox users have been receiving spam to email addresses associated with their Dropbox accounts. Our top priority is investigating this issue thoroughly and updating you as soon as we can. We know it’s frustrating not to get an update with more details sooner, but please bear with us as our investigation continues.

Yahoo Voice Hacked; 450,000 Account Details Stolen

Reports are coming in that hackers have broken into a Yahoo service and stolen the credentials of more than 453,000 of its users. According to the security firm TrustedSec, which first reported the incident, the compromised service was Yahoo Voice.

The affected website was only named as a subdomain of yahoo.com; however, digging through and searching for the hostname, the attacker forgot to remove the hostname "dbb1.ac.bf1.yahoo.com" (credit to Mubix for the hostname find). Looking through a variety of sources, it appears that the compromised server was likely "Yahoo! Voice", which was formerly known as Associated Content (credit to Adam Caudill for the linkage).

The hackers have posted the database of email addresses and passwords as proof. According to the dump, they used union-based SQL injection to extract it. In that technique, input from an unprotected form field (or URL parameter) is spliced straight into the text of a SQL query, and the attacker appends a UNION SELECT that pulls rows from other tables, such as the users table, into the query's result.
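To make the technique concrete, here is an added example (the editor's, not the attackers' payload or Yahoo's code) using SQLite: a search function that splices user input into the query, the UNION payload that turns it into a dump of the users table, and the parameterised version that is immune. The schema and rows are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed schema and rows: an articles table the search is meant to
    query, and a users table it is never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users    (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Hello world', 'First article');
        INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2'),
                                 (2, 'bob@example.com',   'letmein');
    """)
    return conn


def search_vulnerable(conn, term):
    """Splices the search term straight into the SQL text (the bug)."""
    sql = "SELECT title, body FROM articles WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Same query with a bound parameter: the term can never become SQL."""
    sql = "SELECT title, body FROM articles WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Union-based payload. The leading quote ends the LIKE literal, UNION SELECT
# appends rows from users (it must return the same number of columns as the
# original SELECT, which is why attackers first probe the column count), and
# '--' comments out the rest of the original query.
PAYLOAD = "' UNION SELECT email, password FROM users -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))
    print("safe:      ", search_safe(db, PAYLOAD))
```

With the vulnerable function the executed statement becomes `SELECT title, body FROM articles WHERE title LIKE '%' UNION SELECT email, password FROM users -- %'`, and every e-mail and password row comes back in the "search results". The safe function sends the same payload as data, so it simply finds no article with that title.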

The scariest part, according to TrustedSec, is that the passwords were stored in plain text, without any hashing. If that was indeed the case, it was highly irresponsible on Yahoo's part: a leaked table of properly hashed passwords still has to be cracked one guess at a time, whereas a plain text table is immediately reusable on every other site where those users chose the same password.
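What "not plain text" should mean in practice, as an added example that serves both this incident and the Microsoft India store mentioned earlier (example code, not Yahoo's or Microsoft's): a random per-user salt and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from Python's standard library), with a constant-time comparison on verification. Encryption is the wrong tool here because it is reversible by anyone who gets the key; a slow salted hash is not. The iteration count is an assumption for the demo.

```python
import hashlib
import hmac
import os

# Assumption: parameters chosen for the demo. Raise ITERATIONS until one hash
# takes a noticeable fraction of a second on the hardware you run on.
ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algo$iterations$salt$digest (hex).

    The random per-user salt means two users with the same password get
    different records and a precomputed table is useless; the iteration
    count makes each guess expensive for whoever holds the dump.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest from the stored salt and compare in constant time.

    Any malformed record (wrong field count, bad hex, unknown algorithm)
    verifies as False rather than raising.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        expected = bytes.fromhex(digest_hex)
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = hash_password("hunter2")
    print(rec)
    print(verify_password("hunter2", rec), verify_password("hunter3", rec))
```

Storing the algorithm and iteration count in the record is what lets you raise the cost later: old records keep verifying, and can be re-hashed with the new parameters the next time the user logs in.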

The hackers posted the following statement along with the dump,

We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.

If you are a Yahoo Voice customer, I recommend you change your password immediately, and if you use the same password for any other service (which is bad practice), change that as well.

Internet Shuts Down for Those Still Infected with DNSChanger on July 9

The final deadline for those affected by DNSChanger to reset their DNS servers is getting nearer, and reports suggest that more than 500,000 computers still use the rogue servers. On July 9, every computer that still uses the rogue settings will be cut off from the internet, when the temporary servers that have kept them connected until now are shut down.

For those unaware, the DNSChanger malware altered the DNS settings of infected systems to point at rogue servers that redirected users to rogue websites. The FBI raided those responsible and took control of the rogue servers in an operation called Operation Ghost Click, which we reported on earlier.

Even though the malware has been removed from many systems, the DNS settings it left behind remain. Up until now, the FBI had arranged for temporary DNS servers to replace the rogue ones so that infected users stayed connected. The deadline for shutting down these temporary servers had already been extended once to give ISPs more time to help their customers remove the rogue settings, but a large number of computers are still using them.

There are various ways to check whether your computer is infected with DNSChanger. All major anti-virus vendors detect it and will warn you. Sites such as dns-changer.eu and www.dns-ok.us have also been set up to help anyone infected with the check and the removal process. Note that the malware also changed the DNS settings on some home routers, so a clean PC behind an infected router still resolves through the rogue servers.
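For the Linux and Mac side, here is an added example (the editor's, not code from dns-ok.us or the FBI) of the check those sites perform: read the configured resolvers and test each one against the rogue address ranges. The ranges in the list are reproduced from memory of the FBI's published notice and should be treated as an assumption to confirm against the current notice; the resolv.conf content is constructed for the demo. On Windows the same test applies to the DNS servers shown by `ipconfig /all`.

```python
import ipaddress
import sys

# Address ranges of the DNSChanger rogue resolvers. Assumption: reproduced
# from memory of the FBI's public notice; confirm against the current notice
# before relying on this list.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# Constructed resolv.conf content for the demo; not from a real machine.
SAMPLE_RESOLV_CONF = """\
# Generated for the demo, not by a resolver
nameserver 85.255.112.36   # inside a rogue range
nameserver 192.168.1.1
search home.lan
"""


def parse_nameservers(text):
    """Return the IP addresses of every nameserver line in resolv.conf text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # malformed entry; not our concern here
    return servers


def rogue_resolvers(servers, ranges=ROGUE_RANGES):
    """Return the subset of servers that fall inside any rogue range."""
    return [s for s in servers if any(s in net for net in ranges)]


def check_resolv_conf(text):
    """Convenience wrapper: rogue resolver addresses found in text, as strings."""
    return [str(s) for s in rogue_resolvers(parse_nameservers(text))]


if __name__ == "__main__":
    # Pass a path (normally /etc/resolv.conf) to check a real file;
    # with no argument the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_RESOLV_CONF
    bad = check_resolv_conf(text)
    print("rogue resolvers:", bad or "none")
```

A clean resolv.conf is not the whole story. If the machine gets its resolver from DHCP, the address it is handed comes from the router, so a router whose WAN DNS was changed by the malware needs to be checked and fixed as well.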

Startup Review: Aggregate your Social Feed using RebelMouse

Most people today use more than one social network: you have a Twitter account, a Facebook account or both. Wouldn't it be great if a service aggregated all your social content onto a single web page?

Well, RebelMouse does exactly that. It is a service that aggregates your social feeds from Twitter and Facebook, created by the Huffington Post's former CTO Paul Berry.

Signing up for RebelMouse is straightforward. You can use either your Twitter or your Facebook account. Once signed up, you are taken to the RebelMouse dashboard, where you configure your Facebook and Twitter settings. You can include your profile, the Facebook pages you administer and the apps you own. For Twitter, you can add multiple accounts. While you need to be the owner or admin of any Facebook page you add, you can add any public Twitter profile you like.

 

You can even add other people to administer your RebelMouse site, as Editor, Administrator or Guest. Once you have added the feeds, your posts automatically start appearing. At the moment RebelMouse offers a free account, but according to their site, paid accounts for individuals and businesses with their own domain name will be added soon.

The site's interface is pleasant, albeit a little cluttered. They provide a few options for fonts, and that is the only customization you get.

 

In conclusion, it is an easy-to-use service for aggregating your content. Whether anyone will want to visit yet another site for social updates is a different question, but considering they got about 12,000 sign-ups in the first week, that doesn't seem to be an issue.

FBI Arrests 24 Cyber Criminals in an International Cyber Crime Takedown

The FBI has released details of an international operation aimed at curbing carding crimes. The operation, said to be the largest of its kind, led to the arrest of 24 individuals in 13 countries, 11 of them in the US.

Carding crimes involve stealing personal information such as credit card details, social security numbers and bank account details and using or selling it to make money.

The arrests were the result of a two-year undercover operation led by the FBI. Of the 13 arrested outside the US, 6 are from the United Kingdom, 2 from Bosnia, and 1 each from Bulgaria, Norway, Germany, Italy and Japan.

Preet Bharara, the Manhattan U.S. Attorney, described the crimes in a press release:

"The allegations unsealed today chronicle a breath-taking spectrum of cyber schemes and scams. As described in the charging documents, individuals sold credit cards by the thousands and took the private information of untold numbers of people. As alleged, the defendants casually offered every stripe of malware and virus to fellow fraudsters, even including software enabling cyber voyeurs to hijack an unsuspecting consumer's personal computer camera. To expose and prosecute individuals like the alleged cyber criminals charged today will continue to require exactly the kind of coordinated response and international cooperation that made today's arrests possible."

Janice K. Fedarcyk, FBI Assistant Director in Charge, also commented on the operation:

“From New York to Norway and Japan to Australia, Operation Card Shop targeted sophisticated, highly organized cyber criminals involved in buying and selling stolen identities, exploited credit cards, counterfeit documents, and sophisticated hacking tools. Spanning four continents, the two-year undercover FBI investigation is the latest example of our commitment to rooting out rampant criminal behavior on the Internet.”

The FBI also conducted more than 30 searches and interviews as part of the operation. The case is being handled by the Complex Frauds Unit.