Posts

Showing posts from September, 2007

A tale of Social Networking sites (yet again)

In my last post the last thing I advised was to be careful what you post up on social networking sites, as it may come back to haunt you, well I had barely uploaded that post when yet another social networking news story broke in the UK. The British people love their Tennis and particularly Wimbledon, but for decades now we have been really unrepresented in this sport, with only one or two players in the top one hundred, which for a country of over 60 Million and a decent sized middle class, is pretty poor form. To remedy this, the Lawn Tennis Association (LTA), has been ploughing money into supporting young tennis players, which makes good sense really. Well two of these funded young players were found publicising a lifestyle of partying, drinking and eating junk food on the Bebo social networking site. Pictures included one in a street holding an empty bottle with a the caption “Me Drunk for a change”, and statements saying hates-“hangovers after a good nite owt[sic]” and “wiv th...

Facebook's Privacy Policy

A Facebook enthusiast recently asked me why I "hated" Facebook so much, well I don't hate Facebook at all, I have never posted or said such a thing, however I have to say I am not mad keen on the idea of the site and where it might be heading. Lets take Facebook's privacy policy for instance, it is over 3,500 words length and has the little caveat of “We reserve the right to change our Privacy Policy and our Terms of Use at any time.” Given that statement, you have to ask yourself whether you can trust Facebook with your private data? Their policy is well worth a read if you are a user of the site. http://www.facebook.com/policy.php So there are no restrictions or guarantees on how Facebook can use the huge amount of user personal data it has built up in recent times, some might say most of the company’s high value is based on the market-ability of this data. Then there is the old fundamental flaw of all social network sites, in that there isn’t any identify va...

Google on Global Privacy Standards

My love / hate relationship of Google is definitely in the loving zone after I heard Google chief, Peter Fleischer calling for Global Privacy Standards. I won’t regurgitate what Fleischer said, as there's a perfectly good report on the BBC News website linked below. http://news.bbc.co.uk/1/hi/technology/6994776.stm Also check out this link to a report which I have touched on a couple a months back, you should find it quite interesting if you are into personal privacy online. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553961 I really think a hundred years from now, when history looks back on the last couple of decades, it will be recognised as the start of the Information Age, and when it comes to personal information privacy and information security, we are merely still trying to take our first steps. So it's just so refreshing to see that Google are looking ahead and attempting to take a lead in this area, and lets face it, Google are getting so pow...

Facebook: Welcome to the World of Google Hacking

To be completely honest, sites like Facebook has the same appeal to me as reality TV, which almost zero! Anyway a friend of mine a couple months back bullied me into setting up an account on Facebook. But being a typical paranoid security guy, I didn’t upload any photos or post any personal information, other than my name and a fake Date of Birth, I guess it’s the most boring Facebook page on the whole site! The way I understood it, Facebook was suppose to be a private network, where you add links and share your personal information including work and educational history with friends, work colleagues and former class mates etc. Significantly you either had to accept an invite or have your own invite accepted by another party, before your information is shared. But here’s the big scary change, Facebook are now allowing members personal information to be accessible by everyone, even non-members. We are not just talking private pictures either, but information such as people’s date of bi...

Web App Sec: With Great Power comes Great Responsibility

Thanks to the explosion of Web 2.0, companies have more power than ever on the Internet, however with great power comes great responsibility. Trends show hackers are targeting web applications increasingly, simply because they are easier to hack and the rewards are greater than traditional hacking, like writing viruses for example. Often companies get the network security level right, with proper DMZs and firewall configuration, but this is merely the foundation of providing web application security and in reality offers very little protection against application level attacks. The Security of Web Application starts right with the developers, especially if you code in house. Web Application Security training of developers is absolutely key and the use of Development Quality Assurance tools like SPI Dynamics WebInspect and Watchfire’s AppScan in the development cycle also plays a vital role. Sure these tools cost, but you are paying for the tools to be constantly updated by the ven...

All of the UK must be on DNA database!

To follow up my previous posting on the UK DNA database, which is the biggest in world and growing by 30,000 records a month, I said there were "moves" going on by the UK establishment to have everyone's DNA recorded in the database, well a senior UK judge yesterday was pushing for just that. What they won't tell you is that they don't actually need everyone's DNA in the database. As it only takes a family relative's DNA to provide a close enough match, which is enough to home in on an individual. http://news.bbc.co.uk/1/hi/uk/6979138.stm

Off the Shelf Malware with 1 Year Technical Support!

It’s common knowledge within the security industry that you can hire hackers, hire out the use of botnets and even buy zero day exploits, malicious scripts and viruses, but what surprised me recently, is that you can buy packaged Malware, which even comes with technical support. Recently one such package, MPack, a PHP malware kit put together by Russian hackers has been causing problems. MPack can be bought for £500 ($1000), and includes a year of technical support and options of purchasing extra exploitation modules. MPack exploits the latest vulnerabilities in M$ Windows web browsers; oh it is browser aware as well, so Opera and FireFox won’t save you. For the most part an infected MPack website scans your browser and OS for security flaws, and if it finds any it exploits them, as well as storing stats about your system for future reference. The fact the MPack product can be regularly updated by the hackers producing it, is its greatest danger, as it means it can stay ahead of Anti...

A Cashless Society

I often wondered how long it would be before there wasn’t any need to carry any physical money, well from today it appears we are well on the way, and even trends backup the move towards a cashless society. In 2004, card payments over took cash payments for the first time in the UK, while last year £321 billion ($642bn) card purchases were made in comparison to £274bn in cash, with the average Briton putting around £10,000 through card payments. Fraudsters stole around £428 million, which has actually come down slightly thanks to the introduction of Chip and Pin two-factor authentication. Today the big five UK mobile phone operators switched on “PayForIT”, which allows the payment of transactions up to £10 to be made by mobile phone. I love the idea of not needing to carry any cash, but I am rather sceptical about the use and the potential abuse of mobile phones by criminal elements. To be fair I haven’t had a chance to fully review the “PayForIT” process in great detail, but fro...