Wednesday, 24 October 2007

Identity Fraud Protection Guide Completed

I have completed and uploaded my guide to "reducing personal risk of card & identity fraud", with 20 key tips and some FAQs about Identity fraud/theft.

ITSEeducing_your_Risk_of_Identity_Theft

I had a lot of interest and requests to produce a formal guide from various site visitors and offline friends. I'm aware most of the guide will be just plain common sense to any security professional out there, but neither the guide nor my website in general is aimed at that level.

Monday, 15 October 2007

Why do Spammers Spam?

I noticed Microsoft's Eileen Brown was pondering Spam in her blog, asking “Why the heck do these spammers keep on spamming people?”

http://blogs.technet.com/eileen_brown/archive/2007/10/15/a-lot-of-spam.aspx?CommentPosted=true#commentmessage

Well here’s my response…

It is because out of the tens of thousands of Spam Emails they send, which cost practically nothing, there are always one or two gullible people who click through to buy a product or get conned, making it a profitable and worthwhile exercise.

“Two years from now the Spam problem will be solved” - Bill Gates, January 2004

Bill got that wrong; Spam has increased big time since then.

Why the problem? Well, standard Email is just not secure: it is impossible to tell or control who has actually sent a message, not without using Certificates, PGP and the like, and even the latest Anti-Spam software isn't the silver bullet.

Thursday, 11 October 2007

Contactless Cards: Convenience before Security?

I was on national radio Monday lunchtime, taking part in a debate on cashless societies; specifically I was giving my (the security) perspective on the new Contactless Debit/Credit Cards, which will be rolled out within the UK early next year. My points were as follows:

Since the introduction of Chip & Pin in the UK a couple of years ago, there has been a significant reduction in credit card fraud at the high street till (cash register); even the latest figures for the last six months show credit card fraud at the cash register is down by 11%, despite an overall rise in UK card fraud of 26%, which underlines the growing problem with card fraud. The trends show the bad guys are increasingly stealing UK card details either to use online, or to use in countries where PIN numbers are not required to process transactions, i.e. using the magnetic strip on the back of the card instead of the chip, which I’ll get on to later in this rather lengthy post.

The reason why Chip and Pin is successful is that in principle it uses a two-factor authentication system: one factor is the card, which is something you have, and the second factor is the PIN number, which is something you know, and you need both to authorise the transaction. However, to use the new contactless cards all you need to do is “wave” the card about 5 centimetres from the contactless (RF) card reader and you’re done, which is a single-factor system, as all you need is the card in your possession, so if a bad guy gets hold of your wallet... It's also worth stating that the contactless RF functionality will go onto existing bank and credit cards, rather than a separate, blank “cash only” card. Visa said it will ask for the PIN number after every £50 or so spent, and the contactless function can only be used for transactions under £10, which may rise in the future. In my opinion this is putting Convenience ahead of Security.

During the debate I cited the following example: I “punished” my kids by taking them through a fast food drive-thru over the weekend. At the pay window a chip and pin reader was handed to me (cabled, not wireless), and within 12 seconds (yes, I timed it) I had pushed in my card, entered my PIN, been approved, removed my card, and handed back the chip and pin terminal, this for a transaction of less than £4, so retailers do have the technology to provide quick two-factor authentication for small transactions with the regular system. I do understand the convenience of speed with the so-called “wave and pay” system, but my argument as a consumer is that I should at least be given the choice to always use my PIN with every RF transaction, especially if RF becomes mandatory on future cards.

I brought up the topic of RF skimming, in that for around £100 to £150 I could build my own RF reading device which could activate the passive RF chip within a contactless card and read it when in range. I know it’s encrypted and so not much sense can be made of what can be read, which Visa provided assurances over during the debate; however, the UK passport agency said the same thing about the RF system within UK passports, only for a security professional to break the encryption system, accessing details from a passport without even opening the envelope it was in. Herein lies another of my concerns: it's fairly common knowledge that a lot of credit card fraud and card theft starts within the postal system in the UK, and the fact is I could use my custom RF reader as a contactless card detector, a kind of credit card metal detector if you like, which would tell me which envelopes had cards in. I only hope they wrap the cards in tin foil or something similar, to shield the RF when issuing them by post.

Following on from the RF encryption, which by all accounts is better than the UK passport's, I followed up by asking when credit card issuers will get rid of the magnetic strip on the back of cards, as most of the information on the magnetic strip isn’t encrypted and allows easy card cloning and skimming by the bad guys. There was no real answer on that apart from that it was needed for international purposes; again, I would prefer the option of not having a magnetic strip on the back of my card, since nearly all of my card transactions are made at a chip reader.

If only I could customise my own credit/debit card, which I’d be happy to pay a premium for: for a start I would have my picture “etched” onto the card (three-factor authentication possibilities!) and no magnetic strip. But the trouble is always the same with good security: it comes down to a decision of Risk vs Cost, which is ultimately made by the credit card folks, who take the biggest hit on paying for credit card fraud; however, they pass that on to us within card interest rates. Just to make that clear, if you are a victim of fraud via the contactless card system, you will get your money back according to the guy from Visa Europe; however, there is always a hassle factor and a stress factor to consider for the card consumer, so perhaps as consumers we really should expect better security.

Other interesting points raised: there are retailers who won’t accept card payments under £10 or will add a surcharge, so I doubt contactless cards are going to take off with them, which was kind of the selling point, that you could walk into your local newsagent and use a contactless card instead of money; however, most newsagents don’t currently take cards due to the transaction costs imposed by card issuers. And what if I had, let's say, a MasterCard Contactless Card and a Visa Contactless card in my wallet and I wave my wallet at the RF reader: will it work, and how do I know which card I paid with?

Another topic that was discussed was payments by mobile phones; again it came down to whether it was a two-factor authentication system, i.e. if the user had to enter a password or PIN, I had no problem; however, if it meant you only needed the phone, then it turns the phone into an instant cash item, which could be really worrying for the younger sections of society, which is where most mobile phone theft (muggings) occurs. I have blogged and even podcasted about poor mobile phone security in the past, which could be another attack vector to consider with such payment systems.

Make no mistake, I’m a fan of a cashless society, although I think it is still many years away. I like new technology, and I do know nothing can ever be 100% secure; I just don’t want to see basic security corners cut and backward steps taken, as I think society in general has a long way to go in getting to grips with Information Security.

Sunday, 7 October 2007

Reducing your Risk of Credit Card & Identity Fraud

Here are my 15 tips to help reduce your personal risk of credit card fraud and identity fraud. Oh, when I say identity fraud/theft, I mean when someone assumes your identity to rack up credit/loans and other fraudulent activity in your name.

1. Invest in a decent shredder; avoid cheap shredders, they are a false economy, as they often don’t last long anyway and can make shredding a real chore. Try to get into the habit of regularly shredding receipts, statements or anything else with financial and personal information.

2. Never ever disclose your PIN number, login details or passwords. Often fraudsters will “confidence trick” you by appealing to either greed or fear. For example, if you are told you have won a competition or entry into a free cash draw, but you have never entered the competition, I 99% guarantee it is either a scam or an attempt to collect your personal details for marketing; just remember there is no such thing as a free lunch. Fraudsters will also use fear to bypass your normal cautious thinking; often fraudsters impersonate organisations like your bank or your favourite online auction site, stating they have detected a security breach with your online account and that you must validate your details.

3. Never ever write down passwords, login details or, especially, your Chip & Pin number.

4. Never send card details or bank details by Email, even if a hotel or online shop requests your card details by Email. My golden rule with Email security is: if you are not happy to write the Email contents on the back of a postcard and post it, you shouldn’t be writing it within an Email, as Email is not a secure medium. Also, when reading your Email, the sender's Email address and name are no guarantee it is from that person or organisation, and of course never accept Email attachments, or click on links within Emails, that you aren’t sure of or expecting.

5. Never let your debit/credit cards or your card details out of your sight when making a transaction in the real world. Unfortunately low-paid shop staff are some of the worst culprits when it comes to card fraud, either collecting card details and selling them on, or committing fraud directly themselves; it only takes them seconds to steal the info from your card.

6. When using a Chip and Pin device or cash machine, use your free hand to shield the number pad as you type in your PIN. This will provide protection against bad guys who “shoulder surf” and against hidden cameras.

7. If you can, avoid divulging your card details by telephone. You don’t know who might be listening, nor can you see the person collecting the details and what they might be doing with them.

8. With online banking, always type your bank's website address directly into the address bar of your web browser. Never click on web links, especially those sent in Emails.

9. At all times, make sure your computer has up-to-date anti-virus software, up-to-date Microsoft Windows patches, Anti-Spyware and a Firewall installed and enabled.

10. When shopping online, make sure the webpage is encrypted before entering any personal and credit card details. Look for a locked golden padlock and “https” at the start of the website address. You probably wouldn’t give your credit card details to a street trader, right? Well, consider the same approach when shopping online. If a website looks dodgy and you have never heard of the business, you probably should go with your instincts, as you would in the real world.

11. Always check through your statements, and chase up any anomaly you find; even the smallest unexplained transaction could be a sign of identity theft or account compromise.

12. When filling out forms or being asked for personal information verbally, never be afraid to question what you are supplying, as it is all too easy to go into autopilot. Let’s say someone knocks on your front door promoting a new local car wash, gives you a discount voucher and then proceeds to ask for your name, Email and phone number. Ask yourself why that information is being collected and question the promoter about what the car wash company will do with it. Don’t be afraid to question organisations as well about how they are going to protect your personal information; read up on their privacy policies before parting with your personal information, and know what you're letting yourself in for.

13. Always keep your guard up; it's not as easy as it seems. We are all bombarded with requests for our personal information on a daily basis, whether via a street survey or a small opt-in check box on a form. Always try to avoid giving up your personal information unnecessarily; often the people collecting it will sell it on to marketing firms for a profit, or even worse.

14. Keep track of your bills: if every month you get a credit card statement and one doesn’t turn up, chase it up. Also, when you receive a new cheque book, check all the cheques are present. One cheque scam committed by fraudsters is to intercept the mail, open it, steal a couple of cheques from near the back of the book and cash them, before resealing and sending on the cheque book; by the time the victim discovers the missing cheques it's far too late.

15. If you feel particularly concerned that you might be a victim of identity theft, arrange a credit check on yourself to make sure. (I plan another blog post around dealing with this at a later date.)

Tuesday, 25 September 2007

A tale of Social Networking sites (yet again)

In my last post the last thing I advised was to be careful what you post up on social networking sites, as it may come back to haunt you; well, I had barely uploaded that post when yet another social networking news story broke in the UK.

The British people love their tennis, and particularly Wimbledon, but for decades now we have been really underrepresented in this sport, with only one or two players in the top one hundred, which for a country of over 60 million with a decent-sized middle class is pretty poor form. To remedy this, the Lawn Tennis Association (LTA) has been ploughing money into supporting young tennis players, which makes good sense really.

Well, two of these funded young players were found publicising a lifestyle of partying, drinking and eating junk food on the Bebo social networking site. Pictures included one in a street holding an empty bottle with the caption “Me Drunk for a change”, and statements saying hates “hangovers after a good nite owt[sic]” and “wiv the boyz parting and chillin[sic]”.

The players had left their social networking pages unlocked for the whole world to view. The LTA and the public took a poor view after seeing what they had posted, which resulted in the LTA withdrawing funding from these players and warning several other players.

Putting aside the morals and the rights and wrongs, these young tennis players have seriously jeopardised their careers by their postings online. If they had been more careful in the way they used their social networking space, they probably would have got away with it; after all, we were all young once. Instead their statements and images are now all over the British media and they have lost their tennis funding.

These young tennis players aren’t the first to have their careers damaged as a result of postings on a social networking site; employers in the UK have sacked several people over postings online. Today I am seeing more and more employers checking social network sites as a background check before they even decide on employing someone, so just be careful what you post online.

Monday, 24 September 2007

Facebook's Privacy Policy

A Facebook enthusiast recently asked me why I "hated" Facebook so much. Well, I don't hate Facebook at all, and I have never posted or said such a thing; however, I have to say I am not mad keen on the idea of the site and where it might be heading. Let's take Facebook's privacy policy, for instance: it is over 3,500 words in length and has the little caveat “We reserve the right to change our Privacy Policy and our Terms of Use at any time.” Given that statement, you have to ask yourself whether you can trust Facebook with your private data. Their policy is well worth a read if you are a user of the site.

http://www.facebook.com/policy.php

So there are no restrictions or guarantees on how Facebook can use the huge amount of user personal data it has built up in recent times; some might say most of the company’s high value is based on the marketability of this data.

Then there is the old fundamental flaw of all social network sites, in that there isn’t any identity validation, so anyone can pretty much pretend to be anyone. Just how many people have huge and unmanageable lists of “friends”, “friends” they just don’t know or have never met? Putting aside the issue of your personal information being available to complete strangers, in July spammers successfully used Facebook to create realistic profiles resembling ordinary users, persuaded people to accept them as a friend, and hit their inboxes with spam. I understand Facebook internal spam is on the rise at the moment.

I’m not saying social networking sites are all doom and gloom; they have their use and a place in the business and social worlds, but just be careful how you use them, especially who you accept as a “friend” and what you post up about yourself, as it could come back to haunt you!

Friday, 14 September 2007

Google on Global Privacy Standards

My love/hate relationship with Google is definitely in the loving zone after I heard Google chief Peter Fleischer calling for Global Privacy Standards. I won’t regurgitate what Fleischer said, as there's a perfectly good report on the BBC News website linked below.
http://news.bbc.co.uk/1/hi/technology/6994776.stm

Also check out this link to a report which I touched on a couple of months back; you should find it quite interesting if you are into personal privacy online.
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553961

I really think a hundred years from now, when history looks back on the last couple of decades, it will be recognised as the start of the Information Age, and when it comes to personal information privacy and information security, we are still merely trying to take our first steps. So it's just so refreshing to see that Google are looking ahead and attempting to take a lead in this area, and let's face it, Google are getting so powerful these days that they certainly could help push us forward. So tonight I salute you, Google, who incidentally also do a great job in hosting this blog for me for free (not that I'm Google biased, of course!).

Anyway I’m about to fly out to Toronto, Canada for the PCI Council meeting next week, so hopefully I might have some very interesting (or not) PCI posts next week.

Friday, 7 September 2007

Facebook: Welcome to the World of Google Hacking

To be completely honest, sites like Facebook have the same appeal to me as reality TV, which is almost zero! Anyway, a friend of mine a couple of months back bullied me into setting up an account on Facebook. But being a typical paranoid security guy, I didn’t upload any photos or post any personal information, other than my name and a fake Date of Birth; I guess it’s the most boring Facebook page on the whole site!

The way I understood it, Facebook was supposed to be a private network, where you add links and share your personal information, including work and educational history, with friends, work colleagues and former classmates etc. Significantly, you either had to accept an invite or have your own invite accepted by another party before your information was shared.

But here’s the big scary change: Facebook are now allowing members' personal information to be accessible by everyone, even non-members. We are not just talking private pictures either, but information such as people’s date of birth, which is often used as a typical security question, especially when you are asked to prove who you are or asked to reset a password.

Within the next few weeks, Facebook profiles will be indexed and fully searchable by search engines like Google and Yahoo. The art of “Google Hacking” is about searching for information about a target (person): for example, a fraudster may have already obtained some of your private details elsewhere, and they will then use a search engine like Google to fill in all the blanks, building the full picture and completing the profile. This is especially commonplace when you are talking about identity theft, which is on the rise in the UK.

You might be really surprised what’s searchable on Google about you; just give it a go. When demonstrating Google hacking in the past, I have actually found people’s mobile phone numbers and even full home addresses.
Apparently there is a way to prevent your Facebook profile details from going into search engines like Google, but a friend of mine, who is an avid Facebook user, couldn't find the option to do it.

Thursday, 6 September 2007

Web App Sec: With Great Power comes Great Responsibility

Thanks to the explosion of Web 2.0, companies have more power than ever on the Internet; however, with great power comes great responsibility. Trends show hackers are increasingly targeting web applications, simply because they are easier to hack and the rewards are greater than with traditional hacking, like writing viruses for example. Often companies get the network security level right, with proper DMZs and firewall configuration, but this is merely the foundation of providing web application security and in reality offers very little protection against application-level attacks.

The security of web applications starts right with the developers, especially if you code in house. Web application security training of developers is absolutely key, and the use of development Quality Assurance tools like SPI Dynamics WebInspect and Watchfire’s AppScan in the development cycle also plays a vital role. Sure, these tools cost money, but you are paying for the tools to be constantly updated by the vendors, who have to keep up with the latest exploits, as web application vulnerabilities are cropping up on a daily basis. QA tools not only ensure secure application development but prove an extremely useful aid in developing coders’ web app security awareness and knowledge, ensuring future development of web applications is project planned (correctly budgeted) and coded securely in the first instance.

Finally, once you have your web application up and running, you should ensure the website is vulnerability scanned on a daily basis, followed by periodic full-scale penetration tests, to ensure the web application stays secure.

Simply put, providing secure web applications costs money, and it is unfortunate that a lot of businesses want to have their web app cake and eat it as cheaply as possible. Away from costs, some businesses simply don’t have the security know-how to do it correctly (the “but we have a firewall” mentality), or they just don’t have the drive to ensure their web applications are secure (the old “it will never happen to us” mentality). These are precisely the reasons why trends in successful hacking of the new generation of web applications will continue to increase.