Tuesday 25 September 2007

A tale of Social Networking sites (yet again)

In my last post, the last thing I advised was to be careful what you post on social networking sites, as it may come back to haunt you. Well, I had barely uploaded that post when yet another social networking news story broke in the UK.

The British people love their tennis, and particularly Wimbledon, but for decades now we have been really under-represented in this sport, with only one or two players in the top one hundred, which for a country of over 60 million with a decent-sized middle class is pretty poor form. To remedy this, the Lawn Tennis Association (LTA) has been ploughing money into supporting young tennis players, which makes good sense really.

Well, two of these funded young players were found publicising a lifestyle of partying, drinking and eating junk food on the Bebo social networking site. Pictures included one in a street holding an empty bottle with the caption “Me Drunk for a change”, and statements such as hates “hangovers after a good nite owt [sic]” and “wiv the boyz parting and chillin [sic]”.

The players had left their social networking pages unlocked for the whole world to view. The LTA and the public took a poor view of what they had posted, which resulted in the LTA taking action, withdrawing funding from these players and warning several other players.

Putting aside the morals and the rights and wrongs, these young tennis players have seriously jeopardised their careers by their postings online. If they had been more careful in the way they used their social networking space, they probably would have got away with it; after all, we were all young once. Instead their statements and images are now all over the British media and they have lost their tennis funding.

These young tennis players aren’t the first to have their careers damaged as a result of postings on a social networking site; employers in the UK have sacked several people over postings online. Today I am seeing more and more employers checking social networking sites as a background check before they even decide on employing someone, so just be careful what you post online.

Monday 24 September 2007

Facebook's Privacy Policy

A Facebook enthusiast recently asked me why I "hated" Facebook so much. Well, I don't hate Facebook at all, and I have never posted or said such a thing; however, I have to say I am not mad keen on the idea of the site and where it might be heading. Let's take Facebook's privacy policy, for instance: it is over 3,500 words in length and carries the little caveat “We reserve the right to change our Privacy Policy and our Terms of Use at any time.” Given that statement, you have to ask yourself whether you can trust Facebook with your private data. Their policy is well worth a read if you are a user of the site.


So there are no restrictions or guarantees on how Facebook can use the huge amount of personal user data it has built up in recent times; some might say most of the company’s high valuation is based on the marketability of this data.

Then there is the old fundamental flaw of all social networking sites: there isn’t any identity validation, so anyone can pretty much pretend to be anyone. Just how many people have huge and unmanageable lists of “friends”, “friends” they don’t know and have never met? Putting aside the issue of your personal information being available to complete strangers, in July spammers successfully created realistic-looking Facebook profiles resembling ordinary users, persuaded people to accept them as friends, and then hit their inboxes with spam. I understand Facebook internal spam is on the rise at the moment.

I’m not saying social networking sites are all doom and gloom; they have their uses and a place in the business and social worlds. But just be careful how you use them, especially who you accept as a “friend” and what you post about yourself, as it could come back to haunt you!

Friday 14 September 2007

Google on Global Privacy Standards

My love/hate relationship with Google is definitely in the loving zone after I heard Google’s global privacy counsel, Peter Fleischer, calling for global privacy standards. I won’t regurgitate what Fleischer said, as there's a perfectly good report on the BBC News website linked below.

Also check out this link to a report which I touched on a couple of months back; you should find it quite interesting if you are into personal privacy online.

I really think that a hundred years from now, when history looks back on the last couple of decades, they will be recognised as the start of the Information Age, and that when it comes to personal information privacy and information security we are still merely taking our first steps. So it's refreshing to see that Google is looking ahead and attempting to take a lead in this area, and let's face it, Google is getting so powerful these days that it could certainly help push us forward. So tonight I salute you, Google, who incidentally also do a great job of hosting this blog for me for free (not that I'm Google-biased, of course!).

Anyway, I’m about to fly out to Toronto, Canada for the PCI Council meeting next week, so hopefully I might have some very interesting (or not) PCI posts next week.

Friday 7 September 2007

Facebook: Welcome to the World of Google Hacking

To be completely honest, sites like Facebook have the same appeal to me as reality TV, which is almost zero! Anyway, a friend of mine a couple of months back bullied me into setting up an account on Facebook. But being a typical paranoid security guy, I didn’t upload any photos or post any personal information other than my name and a fake date of birth; I guess it’s the most boring Facebook page on the whole site!

The way I understood it, Facebook was supposed to be a private network, where you add links and share your personal information, including work and educational history, with friends, work colleagues and former classmates. Significantly, you either had to accept an invite or have your own invite accepted by another party before your information was shared.

But here’s the big scary change: Facebook is now allowing members’ personal information to be accessible by everyone, even non-members. We are not just talking about private pictures either, but information such as people’s dates of birth, which are often used as a typical security question, especially when you are asked to prove who you are or to reset a password.

Within the next few weeks, Facebook profiles will be indexed and fully searchable by search engines like Google and Yahoo. The art of “Google hacking” is about searching for information about a target (a person). For example, a fraudster may have already obtained some of your private details elsewhere; they then use a search engine like Google to fill in the blanks, building up the full picture and completing the profile. This is especially commonplace in identity theft, which is on the rise in the UK.

You might be really surprised what’s searchable on Google about you; just give it a go. When demonstrating Google hacking in the past, I have actually found people’s mobile phone numbers and even full home addresses.

Apparently there is a way to prevent your Facebook profile details from going into search engines like Google, but a friend of mine, who is an avid Facebook user, couldn't find the option to do it.

Thursday 6 September 2007

Web App Sec: With Great Power comes Great Responsibility

Thanks to the explosion of Web 2.0, companies have more power than ever on the Internet; however, with great power comes great responsibility. Trends show hackers increasingly targeting web applications, simply because they are easier to attack and the rewards are greater than with traditional hacking, such as writing viruses. Often companies get the network security layer right, with proper DMZs and firewall configuration, but this is merely the foundation of web application security and in reality offers very little protection against application-level attacks.

Web application security starts with the developers, especially if you code in house. Web application security training for developers is absolutely key, and the use of development quality assurance tools like SPI Dynamics WebInspect and Watchfire’s AppScan in the development cycle also plays a vital role. Sure, these tools cost, but you are paying for the tools to be constantly updated by the vendors, who have to keep up with the latest exploits, as new web application vulnerabilities crop up on a daily basis. QA tools not only help ensure secure application development but are an extremely useful aid in developing coders’ web application security awareness and knowledge, ensuring that future web application development is properly planned (and correctly budgeted) and coded securely in the first instance.

Finally, once you have your web application up and running, you should ensure the website is vulnerability scanned on a daily basis, followed by periodic full-scale penetration tests, to ensure the web application stays secure.

Simply put, providing secure web applications costs money, and unfortunately a lot of businesses want to have their web app cake and eat it as cheaply as possible. Away from costs, some businesses simply don’t have the security know-how to do it correctly (the “but we have a firewall” mentality), or they just don’t have the drive to ensure their web applications are secure (the old “it will never happen to us” mentality). These are precisely the reasons why the trend of successful hacking of the new generation of web applications will continue to increase.

Wednesday 5 September 2007

All of the UK must be on DNA database!

To follow up my previous posting on the UK DNA database, which is the biggest in the world and growing by 30,000 records a month: I said there were "moves" going on by the UK establishment to have everyone's DNA recorded in the database, and yesterday a senior UK judge was pushing for just that. What they won't tell you is that they don't actually need everyone's DNA in the database, as it only takes a family relative's DNA to provide a close enough match, which is enough to home in on an individual.


Tuesday 4 September 2007

Off the Shelf Malware with 1 Year Technical Support!

It’s common knowledge within the security industry that you can hire hackers, hire out the use of botnets and even buy zero-day exploits, malicious scripts and viruses, but what surprised me recently is that you can buy packaged malware which even comes with technical support. Recently one such package, MPack, a PHP malware kit put together by Russian hackers, has been causing problems. MPack can be bought for £500 ($1000), and includes a year of technical support and the option of purchasing extra exploitation modules. MPack exploits the latest vulnerabilities in M$ Windows web browsers; oh, it is browser aware as well, so Opera and Firefox won’t save you. For the most part an MPack-infected website scans your browser and OS for security flaws and, if it finds any, exploits them, as well as storing stats about your system for future reference. The fact that the MPack product can be regularly updated by the hackers producing it is its greatest danger, as it means it can stay ahead of anti-virus signature updates (i.e. remain undetected by anti-virus) and use the latest discovered zero-day exploits.

MPack has been around since December 2006 and has been used to infect completely legitimate websites, most notably in Europe, where one of Italy’s largest website hosting companies was compromised and MPack embedded within legitimate websites, which then attacked any computer visiting them. It is believed hundreds of thousands of users were affected by the Italian attack alone.

If you want to stay protected, I suggest keeping your OS patches and AV signatures up to date. Although legitimate websites have been hit by this, I wager the MPack product will be, and is being, used on “not so legitimate” websites as well.

Monday 3 September 2007

A Cashless Society

I often wondered how long it would be before there wasn’t any need to carry physical money; well, from today it appears we are well on the way, and the trends back up the move towards a cashless society.

In 2004, card payments overtook cash payments for the first time in the UK, while last year £321 billion ($642bn) of card purchases were made in comparison to £274bn in cash, with the average Briton putting around £10,000 through card payments. Fraudsters stole around £428 million, which has actually come down slightly thanks to the introduction of Chip and PIN two-factor authentication (the card you have plus the PIN you know).

Today the big five UK mobile phone operators switched on “PayForIT”, which allows payments of up to £10 to be made by mobile phone. I love the idea of not needing to carry any cash, but I am rather sceptical about the use, and the potential abuse, of mobile phones by criminal elements. To be fair, I haven’t had a chance to review the “PayForIT” process in great detail, but from what I heard from a spokesman on the radio this morning, it appears convenience has been put ahead of security, which from my point of view always spells trouble.

Personally I think this new payment method will spark an increase in petty mobile phone theft and an increase in mobile phone hacking. I have waffled on about mobile phone security on my blog and podcast in detail before, so I’ll spare you that today, but with these sorts of payment services becoming commonplace, personal mobile phone security becomes even more of a priority. The trouble is that the average Joe doesn’t “do” mobile phone security, which is why I think the system will be so open to abuse. And guess what: in a few months’ time PayForIT can be used for web purchases as well.

It’s worth mentioning that Barclaycard have also recently launched their “cashless” payment card, again for all transactions under £10. The Barclaycard OnePulse card requires no signature or PIN; just a simple swipe and you’ve paid. However, only a few outlets currently accept the card. I understand the plan is to add this “OnePulse” functionality to regular credit cards, which sounds a bit of a backward step after the success of Chip and PIN. Although I’ll tell you what peeves me: those retailers who insist you spend at least £5 if you use a card, or else charge you 50p or £1 extra. Perhaps the payment card companies should focus more on preventing retailers from having minimum spends and extra charges for low card payments instead of introducing new, less secure payment systems, and perhaps then they’ll get what they really desire, which is namely all our money going directly through their banking systems.

I purchased some scrumpy cider from a Cornish cider distillery just last week; they had a minimum card payment spend of £15, although I have to tell you I had no trouble in exceeding that requirement! *hic*