The Unintended Consequences of Social Networking

With today being Facebook’s IPO I wanted to address an unintended consequence of social networking. I am a huge fan of LinkedIn for expanding my professional network, for learning and collaborating with other security/privacy pros, and it certainly helps with a job search. I teach advanced LinkedIn every week to 20 to 30 people in career transition.

Bad guys are using LinkedIn to create org charts of their targets. Odds are high that you are connected to your manager and your team is connected to you. If you or your team received an e-mail from your boss (or someone spoofing your boss’s e-mail address) and it contained an attachment labeled “Corporate Strategic Plans – Confidential” (or any document containing malware), would you open the mail and the attachment? Highly likely.

Good guys, a.k.a. your competitors, are watching the new LinkedIn connections of your executives, especially the business dev team. They look for patterns. A few execs connecting to a particular company can be a clue about M&A activity. Want to know who a company’s suppliers are? Check LinkedIn. Competitors are also looking at new hires, gleaning information about new products being developed.

Actionable advice: Security teams need to advise HR, business dev, and product teams about the information bad guys and competitors can learn from social networking.

Guidance for Enterprises on Protecting Passwords

A report from Imperva on how enterprises can protect passwords. A little salt on the hash will do the trick.

http://www.imperva.com/docs/HII_Enterprise_Password_Worst_Practices.pdf

Stupid Password Reset Questions

When I was at AOL we fought a constant battle between bad guys and executives who thought that customers should have easy access to their accounts. The bad guys loved “easy to guess” passwords and the password reset questions that were used in case a customer forgot their password. One of my projects was to update the reset process for current vulnerabilities. AOL had the last four digits of the customer’s Social Security number. Two problems: a) If you know someone’s age and U.S. birthplace you can figure out the first five digits, so the only random part was the last four digits. For an ID thief, this was the part they wanted the most. b) Many states were including partial SSNs as PII in their definition of “data breach notification.” Other reset questions were easy to guess. If you have to guess someone’s favorite food, it is probably not Brussels sprouts (although they are tasty). In five guesses you can probably figure out 98% of the U.S. population’s favorite foods (donuts, cake, ice cream, etc.).

Websites need to ensure that reset questions are not easy to guess. To shame websites, especially banking and financial institutions, into taking reasonable steps to protect our data, I am creating a list of real “stupid” password reset questions. Of course, if a website asks me for my brother’s middle name I’ll answer “ju8klw#nq.”

THE QUESTIONS

What color was your first car? Would it be chartreuse or lavender? How many car colors are there? Who cares if it’s your first car or your fifth car; the color choices are the same.

What year were you born? Until people start living to age 1,000, the choice of birth years is 100 or fewer. Certainly few babies born last year are using banking sites, and most people in their 90s are unlikely to either. The universe of birth years is about 50 numbers. Hackers like those odds.
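To put numbers on the argument above, here is an added example (not code from the original post) that computes how many best-first guesses an attacker needs to cover 98% of users for a few reset-question answer distributions, and compares each question’s min-entropy with a random answer in the spirit of the “ju8klw#nq” mentioned earlier. The answer distributions are constructed for illustration, not survey data.

```python
import math
import secrets
import string

# Constructed answer distributions (integer weights, roughly percentages) for
# illustration only, not survey data: what an attacker is assumed to know
# about how people actually answer each reset question.
FAVORITE_FOOD = {"pizza": 40, "ice cream": 25, "donuts": 15, "cake": 10,
                 "chocolate": 8, "everything else": 2}
BIRTH_YEAR = {str(1930 + i): 1 for i in range(50)}   # ~50 plausible years, uniform
CAR_COLOR = {c: 1 for c in ["white", "black", "silver", "gray", "red", "blue",
                            "brown", "green", "beige", "yellow", "orange", "gold"]}

def guesses_to_cover(dist, percent):
    """Guesses needed, most common answer first, to break at least
    `percent` of users' accounts (the alpha-work-factor of the distribution)."""
    total = sum(dist.values())
    covered, guesses = 0, 0
    for weight in sorted(dist.values(), reverse=True):
        guesses += 1
        covered += weight
        if covered * 100 >= percent * total:   # integer arithmetic, no rounding
            break
    return guesses


def min_entropy_bits(dist):
    """-log2 of the most common answer's probability: the strength of the
    question against an attacker who gets a single guess."""
    return -math.log2(max(dist.values()) / sum(dist.values()))


def random_reset_answer(length=12):
    """The fix the post suggests: a random answer in the spirit of
    "ju8klw#nq", here drawn from lowercase letters and digits."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_bits(length=12, alphabet_size=36):
    """Min-entropy of a uniformly random answer: every answer equally likely."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    for name, dist in [("favorite food", FAVORITE_FOOD), ("birth year", BIRTH_YEAR),
                       ("first car color", CAR_COLOR)]:
        print(f"{name:16s} {guesses_to_cover(dist, 98):3d} guesses cover 98% of users,"
              f" {min_entropy_bits(dist):4.1f} bits")
    print(f"random answer    {random_reset_answer()}  {random_answer_bits():.1f} bits")
```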

Bravo to Google for Publicizing Their New Privacy Policy

Whether you like their new policy or not, Google deserves huge credit for telling their customers about it at every touch. I opened Gmail and there was a conspicuous notice to pay attention to their new privacy policy. Same thing when I did a search, used Google Voice, etc. Whether consumers read the summary notice, the full notice, or ignore it is something Google knows, but I am glad they are doing it.


Cybersecurity/Privacy Predictions for 2012

Now that I am closing my consulting business and looking for my next great adventure, I wanted to get advice from cybersec, privacy, and business leaders. I called this the “thought leader 2011 tour.” I wanted to know the issues that we’d be dealing with in the next year. Here are some common themes I heard:

a) Big data – Online activities leave easy-to-follow digital footprints which provide a rich profile of what we buy, where we go, who our friends are, and who we are. Hadoop and advanced analytics can drive innovation. Personal data is more valuable than gold. What is the appropriate balance between privacy and innovation?

b) Data warehouse in your pocket – Smartphones can collect a treasure trove of data: where you are, who your friends are, your speech, your shopping list, your health and diet data, etc. A smartphone is always with us and is always on. It is hard for end users to control their mobile privacy by deleting cookies or blocking the unique IDs identifying a specific phone. Protecting this info from bad guys and unscrupulous marketers will be of great concern in the future.

c) The “personalized attack” – As the amount of personal info online grows, it provides bad guys with the information they need to personalize an attack. This includes using info to guess your password reset question (“what is your favorite food”) or sending an email with malicious content from a friend’s or co-worker’s e-mail address. Personalizing the attack increases its effectiveness.

d) Be prepared for the inevitable breach

e) The merger of cybersecurity and privacy – In the past these organizations typically did not work closely. There needs to be a tight coupling to ensure that the right data is being collected and used, as well as ensuring that it is protected. Protecting the “corporate gold” is a difficult task requiring collaboration.

Is 2012 about the Control of Data?

Big data, Hadoop, and analytics were on many 2012 prediction lists, including mine. Perhaps one of the important keys is “control of the data”: how data enters an organization (directly from customers, purchased or shared from third parties), where it resides (internal vs. external, inside or outside the US), how it is processed, who can access and manage it, and how it is archived and deleted. With exabyte-sized systems (thousands of petabytes), the cybersecurity/privacy pro’s job will be tougher.

Tips to Keep You Safe Online

Some tips to keep you and your family safer online.

a) Use Lastpass.com to keep track of your passwords. With Lastpass I remember only one long, random, secure password and Lastpass remembers over 200 of my passwords, which all look like random variations of “C5r$u9cLy#bG”. I also use YubiKey with Lastpass to provide secondary authentication. YubiKey is a small plastic USB device that sends a pseudo-random number to a server to authenticate me. Google Authenticator is an alternative form of secondary authentication.

b) Change your password reset questions so that your answers are no longer “Snoopy,” “ice cream,” or “Justin Bieber.” It is too easy to guess the name of your first pet or your favorite food, and too easy to find out your favorite singer from your Facebook profile. Use answers like “game73elmo29.” Write them down in a secure place, or use Lastpass to keep track of them.

c) Do not use the same password at multiple sites.

d) Change the default password on your router. Some of the sophisticated hacks attack widely-available Belkin, D-Link, Linksys, etc., routers. If you are adventurous, build your own router with Astaro or pfSense using an old PC.

e) Check your router’s security using the ShieldsUP! tool at grc.com.

f) Make sure your wireless router uses WPA2. WEP is too easy to crack.

g) Check that hardware DEP is turned on if you are using a Windows PC.

h) Use NoScript to prevent malicious scripts from running if you are using Firefox. I think Firefox is the most secure browser, but you could also make an argument for Chrome or IE9.

i) Use Sandboxie to virtualize any browser.

j) Back up your essential files. Bad things can and will happen. I use the 3-2-1 rule: three copies, two different media (I use hard drives and cloud drives), and one copy off-site (I use two off-site vendors, Amazon and Rackspace).

k) Scan your PC occasionally using a LiveCD like Microsoft System Sweeper. The LiveCD does not boot into Windows, so malware that is difficult to detect, like rootkits, can be found.

l) If you want to check a file from an e-mail or one you downloaded, check it at virustotal.com. It will be checked against more than 40 antivirus products. Of course, even if the file appears to be virus-free, it may still be a zero-day.

My Personal Tale of Malware – Undetectable!

I received an email with the subject “FedEx Shipment Notification.” The body of the email says that I have a package waiting for me and I should open the attached PDF for more details. The grammar and spelling are fine; errors there are often telltale signs of a malicious email. I’m suspicious, so I check the email header, and it confirms the mail didn’t come from FedEx servers.

I’m curious about the attached PDF, so I test it with Microsoft Security Essentials, which I have running on this PC. MSE shows that it is virus-free. I’m still suspicious, so I test the attachment at virustotal.com, a fantastic tool that tests files against 40 or so anti-virus engines running the latest updates. BTW, the bad guys test their latest inventions using this website. Only three out of 41 AV engines show that this file contains malware. Only one of the three was a major AV vendor. That’s scary.

So I wonder about the thousands, perhaps hundreds of thousands, of recipients of this mail. I wonder how AOL’s email system didn’t detect this mail as spam. More importantly, how would other recipients of this mail have handled it? My suspicion is that a large number thought the mail was legit and opened the attachment. Their PC is owned. Too late!

A Government Clearinghouse for Reporting Breach Info?

Breaches and bots share much in common, including the damage they do to consumers and the US economy, but also the need for government action. At the October 2011 Online Trust Alliance Forum meeting I attended two sessions on breaches. The panelists included lawyers and CSOs who have been engaged on multiple breaches. I wrote and regularly tested AOL’s breach plan. The discussions and my experience indicate that breaches get reported (unfortunately not all are reported) to multiple groups, from the local police department to the FBI, Secret Service, and other Federal/state agencies. This hodgepodge of reporting results in an incomplete view of essential statistics. Data on breaches becomes widely-varied guesses. There needs to be a central government clearinghouse where all breaches are reported. 1-800-DATABREACH. This clearinghouse then collects statistics and parses the cases to the appropriate agency for investigation.

More importantly, the hodgepodge of reporting results in the inability to collect information on the cause and the cures, which is essential to share with other companies. My experience with Internet crime shows that the bad guys continually exploit the same techniques. The clearinghouse should be sharing data on the exploit and recommendations to prevent the problem from recurring.

The clearinghouse also needs to be sharing data about the individuals who were breached so that other sites where the same user authentication data is used can be shut down. In other words, sites have the terrible habit of using email addresses as the user ID for convenience. Consumers have the terrible habit of using the same password on multiple sites. The bad guys know this, and once user names are compromised at one site the bad guys use the same info to compromise individual accounts at financial institutions, ISPs, etc. In fact, there is a website where you can check to see if your email address has been compromised. The clearinghouse should make the compromised email addresses and passwords available to vetted companies so that sites can test the combination and temporarily shut off access before additional accounts get compromised.

How NOT to Publicize Your Privacy Policy – Spotify.Com

I like the idea of giving users easy access to your privacy policy and terms of use. I wish more sites would not hide their policies. On the other hand, when you put the policy in the face of your users (i.e., when they log in), it should be concise, not written in legalese, and use proper English (or whatever language your site uses). I logged into Spotify.Com, the hot free music streaming service. Immediately the new privacy policy is in the user’s face. First line: “Spotify Terms and Conditions of Use.” OK. Next sentence: “Effective as from 14 October 2011.” I guess this means effective as of October 14. The next sentence is absolute legalese: 62 words long and four lines of text. The next sentence is eight lines long. I continue reading. The entire agreement takes 26 mouse clicks to read. I defy anyone to read it in less than 15 minutes. My mom is very smart, but she would have no idea what the words mean, nor would she have the patience to read this. It doesn’t pass the “mom test.”

We privacy professionals have got to do better.
