Enabling Secure Business Operations

Poor Promotional Practices

I’m not too ashamed of myself to whore out a few select email addresses for personal gain, or even promote a certain company by liking or retweeting something if it will benefit me more than the actions required, but I always keep a hesitant nature towards most of these promotions. I mean who doesn’t like free money?

I received an email the other day supposedly sponsored by a reputable programmer-related site. What it entailed was signing up for a big vendor’s developer program. If I did so, they would send me a $15 gift certificate to one of the major online retailers. I’m trying to keep all parties in this matter anonymous simply because I do not want to promote anything involved in this so-called promotion, and the actual parties involved are irrelevant. The email went something like this:

Happy Holidays Developers!

Get a $15 [online retailer] Gift Certificate by joining the [vendor] Developer Program (no charge!)

Thanks to your [programmer site] participation, here’s all you have to do!

1. Visit The [hyperlink to vendor site] and register at no cost!

2. [vendor] will send you a validation email: confirm your registration following the URL provided in the email which will prompt you to choose a password

3. Once you have chosen a password, [vendor] will then send you a password reset email: forward the password reset email and the sign up email address used to [promotional site email]

4. Once verified on our end, a gift certificate will be sent to you promptly after the program ends!

Hurry! This is limited to the first 600 respondents, one per person.

For full terms and conditions please visit [marketing link to promotional site]

Step 3 is the one that caught my eye here. You want me to forward you an email sent to me that allows me to reset my password? By forwarding it, I would be handing the promoter a link with an embedded reset token, allowing them to authenticate as me, change my password, and take over my account at this vendor site. Mind you, this isn’t exactly a critical account, but these are still very poor security practices.

So, what’s to be learned from this? Pay attention to what’s being asked of you. If it seems slightly out of the ordinary, it probably is. Inboxes are being filled with more and more spam these days, some make it through, and some even seem legitimate. It’s up to the users to educate themselves on how to detect and avoid these types of situations. In closing, I’ll leave you with a list of things you can do to help protect yourself.

  • If it seems too good to be true, it probably is. So use common sense people!
  • Do not click on links in emails – period! Just because it says it’s a link to SiteA doesn’t mean it’s actually going there.
  • Enable spam controls on your email client – if you’re using Outlook, Thunderbird, or even Gmail’s web interface – they are all pretty good at detecting what may or may not be spam.
  • Use multiple emails or use gmail’s ‘+’ email features or mailnull to help sort out those mailing list emails and let you know which emails are being distributed to others.
  • Do not load images by default or at all.
  • Do not enable scripting at all!

These are just the tip of the iceberg, but you get the idea. Help protect yourself and you’ll be helping to protect all of us.

Maximize Facebook Privacy

In celebration of Facebook’s recent privacy control revamp, I present a very informative tutorial video from the Electronic Frontier Foundation that gives a brief rundown of the changes, the highs, and the lows. This might also be something beneficial to share with friends or relatives on Facebook who may not be in-the-know about the increased focus on privacy control in social networking and social media.

Enjoy:

On Password Breaches and Trends

Recently, Imperva released a study (pdf) of the passwords extracted from the December 2009 RockYou security breach that resulted in the compromise of over 32 million user accounts. This study examined some statistics of the passwords retrieved, including the number and variety of characters used to construct them. The results were pretty bad. Here are the highlights:

  • 30% of users had passwords of 6 characters or fewer. Most brute-force attempts are moderately successful against short passwords.
  • Over 50% of passwords were all lowercase or all numbers. This is bad because it reduces the keyspace: even a password longer than 6 characters is weakened if it draws on a small character set.
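To make the keyspace point concrete, here is an added example (not from the Imperva study or the original post) that sizes the brute-force keyspace of a password from its length and the character classes it uses, and reproduces the two statistics above over a small constructed sample:

```python
import math
import string

# Constructed sample mirroring the two RockYou statistics (short passwords and
# single-class passwords); these are not real breach data.
SAMPLE_PASSWORDS = [
    "123456", "password", "iloveyou", "princess", "rockyou",
    "Tr0ub4dor&3", "abc123", "12345678", "qwerty", "Summer2009!",
]

# Character classes and their sizes, as an attacker sizing a brute-force run sees them.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32 symbols
}

def used_classes(pw):
    """Names of the character classes that appear in pw (other characters are ignored)."""
    return [name for name, (chars, _) in CLASSES.items() if any(c in chars for c in pw)]

def charset_size(pw):
    """Size of the alphabet an attacker must cover: the sum of the classes pw uses."""
    return sum(CLASSES[name][1] for name in used_classes(pw))

def keyspace_bits(pw):
    """log2 of the brute-force keyspace for this length and class mix."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0

def is_single_class(pw):
    """True when pw uses only one class: all lowercase, all digits, and so on."""
    return len(used_classes(pw)) == 1

def breach_stats(passwords):
    """Share of short (<= 6 chars) and single-class passwords, the two study metrics."""
    total = len(passwords)
    short = sum(1 for p in passwords if len(p) <= 6)
    single = sum(1 for p in passwords if is_single_class(p))
    return {"short": short / total, "single_class": single / total}

if __name__ == "__main__":
    # An 8-character all-lowercase password has a smaller keyspace than a
    # 6-character password drawn from all four classes.
    for pw in ("password", "aB3$e!", "Summer2009!"):
        print(f"{pw:12s} charset={charset_size(pw):3d} bits={keyspace_bits(pw):5.1f}")
    print(breach_stats(SAMPLE_PASSWORDS))
```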

On the surface, these two statistics aren’t a good look at all, especially considering the ease with which an attacker could successfully guess simple passwords.

Also, in many cases, a password breach may not just make a user’s account vulnerable on the breached site, but can also lead to their account being compromised on other sites as well (plenty of people use the same password on multiple sites).

However, there is an alternative way to interpret this data. Although there is no way to verify this, it could be the case that users are starting to weigh the importance of some accounts AND the security of the website associated with them. Accounts of low significance (like a site they sign up on just to play a game) get simple, easy-to-remember passwords, while accounts of greater personal significance (banks, primary email, etc.) get the more robust passwords. Similarly, it could be the case that users think sites like RockYou are sketchy anyway, and thus more likely to get hacked than other, more serious sites.

So, in a way, the user could be protecting themselves from a site breach. I know I wouldn’t care if I had a RockYou account and the site got breached since I wouldn’t really use that same password anywhere else important. It may be annoying, but it is much better than knowing that my super-secret 28-character password is sitting on some stranger’s computer simply because somebody left the door open.

So if you think of this report from the perspective of users managing risks reasonably instead of users being victimized, it almost makes sense that 29,000 people had ‘123456’ as a password.

Using Facebook Privacy Settings

A couple years ago, Facebook.com revealed just how much information is shared on social networking sites when they introduced news feeds to the home page and user profile pages. These feeds made users nervous perhaps because they had thought that their personal information was safe as long as it was not broadcast to everyone on their friend lists. In reality, it was a new way of distributing information that had always been available to them. Since then, Facebook has added a wide array of privacy options, yet we still find stories of people being fired because of something they said online.

How do you prevent this from happening to you? I guess one option could be to start removing Facebook friends until you are only connected to people that you completely trust, but then why use the site at all? You could instead make all of your not-so-close friends into “limited profile” friends who can only see certain parts of your information, but you will find that it is very difficult to separate your many friends into just two groups. There is another way, and that is what today’s tutorial is about.

Security vs Usability (again)

This from BetaNews (link opens in new window):

Giving a nod to developers who’ve apparently given a lot of feedback, as well as “certain commercials,” Microsoft’s platform chief Steven Sinofsky acknowledged that perhaps User Account Control in Windows Vista may have been…a little annoying. In turn, Windows 7 has additional UAC settings.

Fortunately for my own sanity, I haven’t had to jump through any hoops with UAC to get my code working, but that’s mostly because I deal with server-side code now. While the developer perspective is interesting, it’s really the user perspective that’s important to me, as someone who is concerned with the overall state of desktop security. Developers are not only in the minority, we also don’t have the option of just turning UAC off on client machines…we have to deal with it or simply not write software for Vista. In the current incarnation of Vista, however, UAC is so obtrusive that many users opt to disable it entirely to get the warnings to stop.

Sinofsky said that with UAC, Microsoft had what he described as “the best intentions” in mind. But its attention to informing the user about what’s going on and getting consent “possibly went too far.”

For now, in the Pre-Beta version of Windows 7, there are now four settings for configuring how intrusive UAC will be: Never notify me, Only notify me when programs try to make changes, Always notify, and Notify and wait for my approval.

I think this is the right approach. UAC doesn’t really bother me too much as an end user, but then again, I know what it means and what it’s actually doing. I think that Microsoft took a big step in the right direction security-wise with UAC, but those pop-up windows can be a real turn-off. I’m glad to see that rather than abandoning the model and starting over from scratch, they’re trying to make the “security vs. usability” tradeoff for users less of an all-or-nothing proposition.

Economic Uncertainty Affects Security Too

An article from Dark Reading touched on some very valid points with regards to the security at financial institutions. According to the article:

Penetration testers who work with bank clients say the fragile state of the banking community is making it easier for them to dupe understandably anxious bank employees. Bank employees are overly eager or easily coerced into cooperating with “auditors,” or into clicking on links purportedly from the bank about its own financial welfare.

Even though this is very bad from a security standpoint, it seems like a natural human response. However, if someone is able to walk into a bank merely posing as an auditor and without having their credentials checked or challenged, it’s possible for them to make off with a lot of sensitive information.

This type of behavior isn’t limited to just bank employees. Economy-induced anxiety can also affect the judgment of regular users. The most successful phishing attacks prey on a user’s familiarity or interest in the subject presented as bait. So a phishing email claiming to request important information from a bank customer might be more likely to succeed when the economy and specific financial institutions are in a state of flux.

In fact, it would be wise for both bank employees and bank customers to be MORE cautious during times of economic uncertainty, as attackers are notorious for taking advantage of such situations. It just goes to show: when it comes to security, we can’t afford to be careless.

Time to Re-Think CAPTCHA?

This week, reports have surfaced that spammer activity is increasing on Microsoft and Google sites that employ CAPTCHA. CAPTCHA is a method for distinguishing between human users and programs used to automatically enter information. Those who would like to create large amounts of e-mail accounts or efficiently add SPAM content to blog comments or message boards are constantly scheming new methods for circumventing CAPTCHAs. Meanwhile, web site administrators continue to invent creative techniques for detecting computers masquerading as human.

As the battle continues, though, it’s humans who are having more trouble reading CAPTCHAs. Speaking for myself, I find that many CAPTCHA challenges are not very easy to decipher. If it is case-sensitive, for example, there are many capital letters that can be mistaken for lower-case if distorted the right way, and there is no feedback that allows me to correct myself if I can’t read it.

Now, I’m not saying that I have ever been completely fooled by a CAPTCHA to the point that I wasn’t able to create an account or post a comment. Humans will eventually get through, but if users find them difficult, and they no longer effectively prevent spamming, maybe more thought needs to be applied to the problem. Here are some suggestions I have found for methods to weed out spamming programs.

Internet Code of Conduct

In 2007 a handful of companies (including Google, Microsoft, and Yahoo) decided to draft a set of guidelines influencing the behavior of online businesses when it comes to the subject of policies and regulations dealing with human rights. It was to be a kind of unofficial voluntary code of conduct initiative thing.

According to this letter (pdf) from Yahoo to Senators Durbin and Coburn:

Principles on Freedom of Expression and Privacy [...] provide direction and guidance to the ICT industry and its stakeholders in protecting and advancing the enjoyment of freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; Governance, Accountability & Transparency

Along with censorship and freedom of speech, the idea was also to provide general requirements for privacy. The idea also calls for a way to determine if a company is compliant with the code and a way to hold companies accountable if they violate it.

This is important because it shows that some of the most relevant internet-based companies are taking the rights of their users seriously. So seriously, in fact, that they are willing to sponsor a set of guidelines that help other companies protect THEIR user’s rights as well. If more companies get on board, this could be a step in the right direction in helping to strengthen the trust between service provider and user.

Train Your Users To Think Like The Mafia

Smart security people learn from their adversary’s tactics rather than shunning them. Despite modern technology, broad operations, and publicity, the Mafia (particularly the Italian mob) continues to survive. While the crimes they commit are deplorable, the organization’s security relies on tried-and-true methods.

Here are some you can teach your employees and enforce without having a baseball bat.

  • “Don’t Trust Nobody” – A good place to start; employees should never give any company information to anyone except the people they’re told to. Social engineering, spoofed emails, and enticing links all apply. Your firewalls should allow what you tell them to allow and nothing else. Start by having it lock down everything and work from there. Give your users the least amount of privileges they need to do their work and log as much as you can.
  • “Talk to Me, Directly” – An email from some executive you’ve never heard of, being intimidated by someone in HR who wants your SSN (which they should already have), and any other strange requests should be verified. Employees should go directly to their immediate supervisor when in doubt. Unencrypted emails containing important information shouldn’t be sent – if possible, get up and relay the message in person, and refuse to send documents if they can’t be encrypted and signed with a digital signature (non-repudiation).
  • “Keep Outsiders Out” – All business partner connections, 3rd party maintenance, and external developers should have an independent security assessment performed of them by security experts. Create separate network segments, monitor maintenance and hardware changes, and always escort visitors on your premises. Smaller companies, make sure to lock the doors to the office and secure any network closets and servers.
  • “Be Respectful” – Too often in mob movies we see some underling getting picked on by his superiors. The result is usually “ratting out to the Feds”, equivalent to an employee changing jobs to a competitor or leaking proprietary information. Treating your employees poorly reduces the overall security of an organization since it undermines loyalty. As we learned in “A Bronx Tale” it is better to be loved than feared.
  • “Use Your Head Instead of A Notepad” – Mob guys never write anything down for fear of leaving behind evidence. Users should be trained never to write down passwords, leave company documents out on their desks, or store unencrypted sensitive files on unprotected devices.

Security professionals and auditors should remember to learn from tactics and be cautious with methods. Make sure you have, in writing, the scope of any assessment/audit and make sure that the tools and techniques you use are OK with the company in question or you might get whacked. A good strategy with questionable tactics may make you the criminal.

What are some of the tricks you’ve learned from the bad guys?

Blame IT!

We’ve all heard about the stories involving EIBKAC such as using the CD-ROM drive as a coffee mug holder, and erasing the C:\Windows folder to free up space on your hard drive. InfoWorld has an informative article which turns these stories on their head, and provides stories about stupid IT administrator actions.

The thing that struck me is that out of the six items they highlighted, four of them were directly security (or insecurity) related, and a fifth was related to disaster recovery, which is also a security concern.

  • Preconfiguring PCs with stone-age malware
    • Sending computers out from the factory with a virus circa 1994 which the built-in antivirus couldn’t repair
  • Oh, you wanted to recover those backups?
    • An entire issue of BusinessWeek was lost when a hard drive crashed
  • Soup of the day: Social Security numbers
    • A school’s database of people to send the weekly cafeteria menu to was completely unprotected and contained SSNs
  • The tool and the toolbar
    • The Alexa toolbar was used to crawl and cache sensitive parts of a company website
  • Paging Dr. Data Breach, please come to the IT morgue
    • Company took down firewalls to ease (sensitive) data migration, and then inexplicably never turned them back on

Next time you blame users for lax security, remember that the IT staff can be brain-dead as well.