I received an email the other day supposedly sponsored by a reputable programmer-related site. What it entailed was signing up for a big vendor’s developer program. If I did so, they would send me a $15 gift certificate to one of the major online retailers. I’m trying to keep all parties in this matter anonymous simply because I do not want to promote anything involved in this so-called promotion, and the actual parties involved are irrelevant. The email went something like this:

 

Happy Holidays Developers!

Get a $15 [online retailer] Gift Certificate by joining the [vendor] Developer Program (no charge!)

Thanks to your [programmer site] participation, here’s all you have to do!

1. Visit The [hyperlink to vendor site] and register at no cost!

2. [vendor] will send you a validation email: confirm your registration following the URL provided in the email which will prompt you to choose a password

3. Once you have chosen a password, [vendor] will then send you a password reset email: forward the password reset email and the sign up email address used to [promotional site email]

4. Once verified on our end, a gift certificate will be sent to you promptly after the program ends!

Hurry! This is limited to the first 600 respondents, one per person.

For full terms and conditions please visit [marketing link to promotional site]

Step 3 is the one that caught my eye here. You want me to forward you an email sent to me that allows me to reset my password? By doing this I would essentially be sending the promoter an email that contained a link with an embedded token allowing them to authenticate as myself and then change my password, essentially gaining access to my account at this vendor site. Mind you, this isn’t exactly a critical account. But still these are very poor security practices.

So, what’s to be learned from this? Pay attention to what’s being asked of you. If it seems slightly out of the ordinary, it probably is. Inboxes are being filled with more and more spam these days, some make it through, and some even seem legitimate. It’s up to the users to educate themselves on how to detect and avoid these types of situations. In closing, I’ll leave you with a list of things you can do to help protect yourself.

• If it seems too good to be true, it probably is. So use common sense people!
• Do not click on links in emails – period! Just because it says it’s a link to SiteA doesn’t mean it’s actually going there.
• Enable spam controls on your email client – if you’re using Outlook, Thunderbird, or even Gmail’s web interface – they are all pretty good at detecting what may or may not be spam.
• Use multiple emails or use gmail’s ‘+’ email features or mailnull to help sort out those mailing list emails and let you know which emails are being distributed to others.
• Do not load images by default or at all.
• Do not enable scripting at all!

These are just the tip of the iceberg, but you get the idea. Help protect yourself and you’ll be helping to protect all of us.

Enjoy:

-30% of users had passwords made up of 6 characters or less. Most brute force attempts are moderately successful against short passwords.

-Over 50% of passwords were all lowercase, or all numbers. This is bad because the keyspace is reduced. Even a password that is longer than 6 characters is weakened if it has a small character set distribution.

On the surface, these two statistics aren’t a good look at all, especially considering the ease with which an attacker could successfully guess simple passwords.

Also, in many cases, a password breach may not just make a user’s account vulnerable on the breached site, but can also lead to their account being compromised on other sites as well (plenty of people use the same password on multiple sites).

However, there is an alternative way to interpret this data. Although there is no way to verify this, it could be the case that users are starting to give value to the importance of some accounts AND the security of the website associated with it. And those accounts that are of low significance (like a site they just sign up on to play a game) get simple, easy-to-remember passwords, while accounts of greater personal significance (banks, primary email, etc.) get the more robust passwords. Similarly, it could be the case that users think sites like RockYou are sketchy anyway, and thus more likely to get hacked than other more-serious sites.

So, in a way, the user could be protecting themselves from a site breach. I know I wouldn’t care if I had a RockYou account and the site got breached since I wouldn’t really use that same password anywhere else important. It may be annoying, but it is much better than knowing that my super-secret 28-character password is sitting on some stranger’s computer simply because somebody left the door open.

So if you think of this report from the perspective of users managing risks reasonably instead of users being victimized, it almost makes sense that 29,000 people had ’123456′ as a password.

How do you prevent this from happening to you? I guess one option could be to start removing Facebook friends until you are only connected to people that you completely trust, but then why use the site at all? You could instead make all of your not-so-close friends into “limited profile” friends who can only see certain parts of your information, but you will find that it is very difficult to separate your many friends into just two groups. There is another way, and that is what today’s tutorial is about.

1. Click on “Friends” in the top menu bar.
2. Notice the “Make a New List” option on the left under your friend lists.
3. Use this option to create groups for your friends (“Family,” “Best Friends,” “Acquaintances,” etc.)
4. Click “Everyone” at the top of your list of friends to display all of them.
5. For each friend, click the empty space by their name and picture to expand their box, click the little arrow next to “View Friends,” and choose a list to put them in.
6. If they don’t belong in any list, create a new one or consider removing them.

Now that everyone is categorized, you can begin to set your privacy rules.

1. Hover over “Settings” in the top menu bar then click “Privacy Settings.”
2. Click “Profile.”
3. You will see a lot of drop-down menus. Each one gives you a few options including “Customize…”
4. If you do not like the other options, choose “Customize…” This is where you get to use your lists. You can decide to allow access to only some friends (specific people or lists), or you can decide to deny access to certain people.
5. Save your changes when you’re finished and continue the process with “Search,” “News Feed and Wall,” and “Applications” under “Privacy Settings.”

You can set privacy options for individual applications by clicking “Application Settings” under “Settings.” Then, click “Edit Settings” for any application. In the popup, choose the “Profile” tab. Use the drop-down list to choose which friends can see that application.

You might need to set aside some time to do everything, especially those of you who have hundreds and thousands of friends. It’s worth it for the sake of privacy and security, and once you have your lists set up, you will only need to make tweaks here and there as your relationships evolve. Don’t lose your job or identity because you added everyone you ever met as a friend. Facebook has added a lot of tools for keeping your information private. Be smart and use them.

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!

Giving a nod to developers who’ve apparently given a lot of feedback, as well as “certain commercials,” Microsoft’s platform chief Steven Sinofsky acknowledged that perhaps User Account Control in Windows Vista may have been…a little annoying. In turn, Windows 7 has additional UAC settings.

Fortunately for my own sanity, I haven’t had to jump through any hoops with UAC to get my code working, but that’s mostly because I deal with server-side code now.  While the developer perspective is interesting, it’s really the user perspective that’s important to me, as someone who is concerned with the overall state of desktop security.  Developers are not only in the minority, we also don’t have the option of just turning UAC off on client machines…we have to deal with it or simply not write software for Vista.  In the current incarnation of Vista, however, UAC is so obtrusive that many users opt to disable it entirely to get the warnings to stop.

Sinofsky said that with UAC, Microsoft had what he described as “the best intentions” in mind. But its attention to informing the user about what’s going on and getting consent “possibly went too far.”
…
For now, in the Pre-Beta version of Windows 7, there are now four settings for configuring how intrusive UAC will be: Never notify me, Only notify me when programs try to make changes, Always notify, and Notify and wait for my approval.

I think this is the right approach.  UAC doesn’t really bother me too much as an end user, but then again, I know what it means and what it’s actually doing.  I think that Microsoft took a big step in the right direction security-wise with UAC, but those pop up windows can be a real turn-off.  I’m glad to see that rather than abandoning the model and starting over from scratch, they’re trying to make the “security vs. usability” tradeoff for users less of an all-or-nothing proposition.

Penetration testers who work with bank clients say the fragile state of the banking community is making it easier for them to dupe understandably anxious bank employees. Bank employees are overly eager or easily coerced into cooperating with “auditors,” or into clicking on links purportedly from the bank about its own financial welfare.

Even though this is very bad from a security standpoint, it seems like a natural human response. However, if someone is able to walk into a bank merely posing as an auditor and without having their credentials checked or challenged, it’s possible for them to make off with a lot of sensitive information.

This type of behavior isn’t limited to just bank employees. Economy-induced anxiety can also affect the judgment of regular users. The most successful phishing attacks prey on a user’s familiarity or interest in the subject presented as bait. So a phishing email claiming to request important information from a bank customer might be more likely to succeed when the economy and specific financial institutions are in a state of flux.

In fact, it would be wise for both bank employees and bank customers to be MORE cautious during times of economic uncertainty, as attackers are notorious for taking advantage of such situations. It just goes to show– when it comes to security, we can’t afford to be careless.

As the battle continues, though, it’s humans who are having more trouble reading CAPTCHAs. Speaking for myself, I find that many CAPTCHA challenges are not very easy to decipher. If it is case-sensitive, for example, there are many capital letters that can be mistaken for lower-case if distorted the right way, and there is no feedback that allows me to correct myself if I can’t read it.

Now, I’m not saying that I have ever been completely fooled by a CAPTCHA to the point that I wasn’t able to create an account or post a comment. Humans will eventually get through, but if users find them difficult, and they no longer effectively prevent spamming, maybe more thought needs to be applied to the problem. Here are some suggestions I have found for methods to weed out spamming programs.

• Pick the cats – Given a set of pictures, choose the ones that are of cats. Another variation has the user choose the person judged hottest on HOTorNOT. This might be a little more work than someone would like to do especially if there are twenty images to judge. Also, the authors of the Google CAPTCHA crack claim to be able to crack these as well.
• Solve the math problem – Examples of these are normally complex-looking problems that, upon further inspection, are not so difficult. Unfortunately, many people don’t remember what a derivative is or what sin(-π/2) equals. Another problem is that a lot of these problems come out to some simple answer like one or zero, and spammers might eventually figure that out.
• Decipher the hieroglyphics – Another method uses an image with symbols that can be deciphered using the key at the bottom. I think this is the best of the ones I’ve mentioned so far. It might slow you down some, but it’s not too hard. I can’t say it’s perfect though because I think a determined spammer could develop an automated solution to these.

Before today, I had not put much thought into the subject, but now that I have pondered it some, I have an idea. Have users follow instructions or answer a question in which each word has been randomly modified by adding, removing, or transposing letters. People have to read through typos every day. Computers would be fooled, and the time lost to solving the problem would be minor.

Sgo, waht do oyu tink? Ad a commnet if yuo ave ayn thouhgts or idetas.

According to this letter(pdf) from Yahoo to Senators Durbin and Coburn:

Principles on Freedom of Expression and Privacy [...] provide direction and guidance to the ICT industry and its stakeholders in protecting and advancing the enjoyment of freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; Governance, Accountability & Transparency

Along with censorship and freedom of speech, the idea was also to provide general requirements for privacy. The idea also calls for a way to determine if a company is compliant with the code and a way to hold companies accountable if they violate it.

This is important because it shows that some of the most relevant internet-based companies are taking the rights of their users seriously. So seriously, in fact, that they are willing to sponsor a set of guidelines that help other companies protect THEIR user’s rights as well. If more companies get on board, this could be a step in the right direction in helping to strengthen the trust between service provider and user.

• “Don’t Trust Nobody” – A good place to start; employees should never give any company information to anyone except the people they’re told to. Social engineering, spoofed emails, and enticing links all apply. Your firewalls should allow what you tell them to allow and nothing else. Start by having it lock down everything and work from there. Give your users the least amount of privileges they need to do their work and log as much as you can.

• “Talk to Me, Directly” – An email from some executive you’ve never heard of, being intimidated by someone in HR who wants your SSN (which they should already have), and any other strange requests should be verified. Employees should do directly to their immediate supervisor when in doubt. Unencrypted emails containing important information shouldn’t be sent – if possible get up and relay the message in person, refuse to send documents if they can’t be encrypted and signed with a digital signature (non-repudiation).

• “Keep Outsiders Out” – All business partner connections, 3rd party maintenance, and external developers should have an independent security assessment performed of them by security experts. Create separate network segments, monitor maintenance and hardware changes, and always escort visitors on your premises. Smaller companies, make sure to lock the doors to the office and secure any network closets and servers.

• “Be Respectful” – Too often in mob movies we see some underling getting picked on by his superiors. The result is usually “ratting out to the Feds”, equivalent to an employee changing jobs to a competitor or leaking proprietary information. Treating your employees poorly reduces the overall security of an organization since it undermines loyalty. As we learned in “A Bronx Tale” it is better to be loved than feared.

• Use Your Head Instead of A Notepad – Mob guys never write anything down for fear of leaving behind evidence. Users should be trained never to write down passwords, leave company documents out on their desks, or store unencrypted sensitive files on unprotected devices.

Security professionals and auditors should remember to learn from tactics and be cautious with methods. Make sure you have, in writing, the scope of any assessment/audit and make sure that the tools and techniques you use are OK with the company in question or you might get whacked. A good strategy with questionable tactics may make you the criminal.

What are some of the tricks you’ve learned from the bad guys?

The thing that struck me is that out of the six items they highlighted, four of them were directly security (or insecurity) related, and a fifth was related to disaster recovery, which is also a security concern.

• Preconfiguring PCs with stone-age malware
• Sending computers out from the factory with a virus circa 1994 which the built-in antivirus couldn’t repair
• Oh, you wanted to recover those backups?
• An entire issue of BusinessWeek was lost when a hard drive crashed
• Soup of the day: Social Security numbers
• A school’s database of folks to send the weekly cafeteria menu into was completely unprotected and contained SSNs
• The tool and the toolbar
• The Alexa toolbar was used to crawl and cache sensitive parts of a company website
• Paging Dr. Data Breach, please come to the IT morgue
• Company took down firewalls to ease (sensitive) data migration, and then inexplicably never turned them back on

Next time you blame users for lax security, remember that the IT staff can be brain-dead as well.