The Unintended Consequences of Social Networking

With today being Facebook’s IPO I wanted to address an unintended consequence of social networking. I am a huge fan of LinkedIn for expanding my professional network, for learning and collaborating with other security/privacy pros, and it certainly helps with a job search. I teach advanced LinkedIn every week to 20 to 30 people in career transition.

Bad guys are using LinkedIn to create org charts of their targets. Odds are high that you are connected to your manager and your team is connected to you. If you or your team received an e-mail from your boss (or someone spoofing your boss's e-mail address) and it contained an attachment labeled “Corporate Strategic Plans – Confidential” (or any document containing malware), would you open the mail and the attachment? Highly likely.

Good guys, a.k.a. your competitors, are watching the new LinkedIn connections of your executives, especially the business dev team. They look for patterns. A few execs connecting to a particular company can be a clue about M&A activity. Want to know who a company’s suppliers are? Check LinkedIn. Competitors are also looking at new hires, gleaning information about new products being developed.

Actionable advice: Security teams need to advise HR, business dev, and product teams about the information bad guys and competitors can learn from social networking.
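One defender-side check that the “e-mail from your boss” scenario above calls for, as an added example that is not part of the original post: a small Python script that inspects a message’s From, Reply-To and Authentication-Results headers and flags the two ways the sender can be faked, a look-alike address behind a familiar display name, or the exact internal address with no passing SPF/DKIM result recorded by the receiving gateway. The directory, the internal domain and the three sample messages are constructed for the demo; the assumption is that the mail gateway stamps an Authentication-Results header (RFC 8601) on inbound mail.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display names an attacker could harvest from LinkedIn,
# mapped to the one address each person legitimately sends from.
DIRECTORY = {"pat jones": "pat.jones@example.com"}
INTERNAL_DOMAINS = {"example.com"}


def analyze(raw_message):
    """Return the reasons (if any) a message looks like sender impersonation."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. Familiar display name, unfamiliar address (look-alike domain).
    expected = DIRECTORY.get(" ".join(name.lower().split()))
    if expected and addr != expected:
        findings.append(f"display name {name!r} belongs to {expected}, not {addr}")

    # 2. Exact address spoof: claims an internal domain, but the gateway's
    #    Authentication-Results header (assumed to be present) shows no
    #    passing SPF or DKIM result.
    if domain in INTERNAL_DOMAINS:
        auth = msg.get("Authentication-Results", "").lower()
        if "spf=pass" not in auth and "dkim=pass" not in auth:
            findings.append("internal sender address without SPF or DKIM pass")

    # 3. Replies silently redirected to a different mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    return findings


# Constructed sample messages (headers plus a one-line body).
LEGIT = """From: Pat Jones <pat.jones@example.com>
To: team@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Q3 planning

Agenda attached.
"""

LOOKALIKE = """From: Pat Jones <pat.jones@example-mail.net>
Reply-To: exec.office@webmail.invalid
To: team@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-mail.net
Subject: Corporate Strategic Plans - Confidential

Please review the attached document today.
"""

EXACT_SPOOF = """From: Pat Jones <pat.jones@example.com>
To: team@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
Subject: Corporate Strategic Plans - Confidential

Please review the attached document today.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("exact spoof", EXACT_SPOOF)):
        print(label, "->", analyze(raw) or ["no findings"])
```

The legitimate message produces no findings, the look-alike message trips the display-name and Reply-To checks, and the exact-address spoof is caught only by the authentication result, which is why the display-name check alone is not enough.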

Guidance for Enterprises on Protecting Passwords

A report from Imperva on how enterprises can protect passwords. A little salt on the hash will do the trick.

http://www.imperva.com/docs/HII_Enterprise_Password_Worst_Practices.pdf

Stupid Password Reset Questions

When I was at AOL we fought a constant battle between bad guys and executives who thought that customers should have easy access to their accounts. The bad guys loved easy-to-guess passwords and the password reset questions that were used in case a customer forgot their password. One of my projects was to update the reset process for current vulnerabilities. AOL had the last four digits of the customer’s Social Security number. Two problems: a) If you know someone’s age and U.S. birthplace you can figure out the first five digits, so the only random part was the last four digits. For an ID thief, this was the part they wanted the most. b) Many states were including partial SS#s as PII in the definition for “data breach notification.” Other reset questions were easy to guess. If you have to guess someone’s favorite food, it is probably not Brussels sprouts (although they are tasty). In five guesses you can probably figure out 98% of the U.S. population’s favorite food (donuts, cake, ice cream, etc.).

Websites need to ensure that reset questions are not easy to guess. To shame websites, especially banking and financial institutions, into taking reasonable steps to protect our data, I am creating a list of real “stupid” password reset questions. Of course, if a website asks me for my brother’s middle name I’ll say “ju8klw#nq.”

THE QUESTIONS

What color was your first car? Would it be chartreuse or lavender? How many car colors are there? Who cares if it’s your first car or your fifth car; the color choices are the same.

What year were you born? Until people start living to age 1,000, the choice of birth years is 100 or less. Certainly few babies born last year are using banking sites, and most people in their 90s are unlikely to be either. The universe of birth years is about 50 numbers. Hackers like those odds.
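To put numbers on the “hackers like those odds” argument above, and on the “ju8klw#nq” style of answer recommended earlier, here is an added Python example that is not part of the original post. It models each reset question as a distribution over answers, computes how likely an attacker who tries the most common answers first is to succeed within a lockout budget, and contrasts that with a uniformly random answer. It also includes the site-side policy check the post asks for: reject answers that are short or sit in the common-answer table. The answer distributions and the 8-character minimum are constructed for the demo, not survey data.

```python
from math import log2

# Constructed, illustrative answer distributions (not survey data): each maps
# a candidate answer to the fraction of users assumed to give it; the
# remainder is spread across answers too rare to list.
QUESTION_SPACES = {
    "favorite food": {
        "pizza": 0.25, "ice cream": 0.20, "chocolate": 0.15, "donuts": 0.12,
        "cake": 0.10, "steak": 0.08, "sushi": 0.05, "brussels sprouts": 0.005,
    },
    "first car color": {
        "white": 0.20, "black": 0.18, "silver": 0.16, "blue": 0.14,
        "red": 0.12, "gray": 0.10, "green": 0.04, "chartreuse": 0.001,
    },
    # Roughly 50 plausible birth years for an adult customer, taken as uniform.
    "birth year": {str(y): 1 / 50 for y in range(1940, 1990)},
}

MIN_ANSWER_LENGTH = 8  # assumed policy threshold for this demo


def success_within(distribution, guesses):
    """Probability that an attacker who tries the most common answers first
    succeeds within `guesses` attempts (e.g. before an account lockout)."""
    probs = sorted(distribution.values(), reverse=True)
    return min(1.0, sum(probs[:guesses]))


def guesses_to_reach(distribution, target):
    """Most-likely-first guesses needed to reach cumulative success `target`,
    or None if the listed answers never add up to it."""
    total = 0.0
    for count, p in enumerate(sorted(distribution.values(), reverse=True), 1):
        total += p
        if total >= target:
            return count
    return None


def random_answer_bits(length, alphabet_size=36):
    """Entropy in bits of an answer like 'game73elmo29' drawn uniformly
    from `alphabet_size` symbols (here lowercase letters plus digits)."""
    return length * log2(alphabet_size)


def random_success_within(length, guesses, alphabet_size=36):
    """Attacker success probability against a uniformly random answer."""
    return min(1.0, guesses / alphabet_size ** length)


def answer_policy_ok(question, answer):
    """Site-side check: reject answers that are short or appear in the
    common-answer table for that question (case/whitespace-insensitive)."""
    normalized = " ".join(answer.lower().split())
    common = QUESTION_SPACES.get(question, {})
    return len(normalized) >= MIN_ANSWER_LENGTH and normalized not in common


def lockout_report(lockout=5):
    """Success probability within the lockout budget for each question,
    alongside a 12-character random answer for comparison."""
    report = {q: success_within(d, lockout) for q, d in QUESTION_SPACES.items()}
    report["random 12-char answer"] = random_success_within(12, lockout)
    return report


if __name__ == "__main__":
    for question, prob in lockout_report().items():
        print(f"{question:>22}: {prob:.2%} chance of success within 5 guesses")
    years = QUESTION_SPACES["birth year"]
    print(f"birth year, 50 guesses: {success_within(years, 50):.0%}")
    print(f"random 12-char answer: {random_answer_bits(12):.1f} bits")
```

With these constructed tables, five guesses at “favorite food” already succeed 82% of the time and fifty guesses at a birth year always succeed, while five guesses at a random 12-character answer (about 62 bits) are effectively hopeless; the policy check turns that difference into a rule the site can enforce at enrollment.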

Bravo to Google for Publicizing Their New Privacy Policy

Whether you like their new policy or not, Google deserves huge credit for telling their customers about it at every touchpoint. I started Gmail and there was a conspicuous notice to pay attention to their new privacy policy. Same thing when I did a search, used Google Voice, etc. Whether consumers read the summary notice, the full notice, or ignore it is something Google knows, but I am glad they are doing it.


Cybersecurity/Privacy Predictions for 2012

Now that I am closing my consulting business and looking for my next great adventure, I wanted to get advice from cybersecurity, privacy, and business leaders. I called this my “thought leader 2011 tour.” I wanted to know the issues we’d be dealing with in the next year. Here are some common themes I heard:

a) Big data – Online activities leave easy-to-follow digital footprints which provide a rich profile of what we buy, where we go, who our friends are, and who we are. Hadoop and advanced analytics can drive innovation. Personal data is more valuable than gold. What is the appropriate balance between privacy and innovation?

b) Data warehouse in your pocket – Smartphones can collect a treasure trove of data: where you are, who your friends are, your speech, your shopping list, your health and diet data, etc. A smartphone is always with us and is always on. It is hard for end users to control their mobile privacy by deleting cookies or blocking the unique IDs that identify a specific phone. Protecting this info from bad guys and unscrupulous marketers will be of great concern in the future.

c) The “personalized attack” – As the amount of personal info online grows, it provides bad guys with the information they need to personalize an attack. This includes using info to guess your password reset question (“what is your favorite food”) or sending an e-mail with malicious content from a friend’s or co-worker’s e-mail address. Personalizing the attack increases its effectiveness.

d) Be prepared for the inevitable breach.

e) The merger of cybersecurity and privacy – In the past these organizations typically did not work closely. There needs to be a tight coupling to ensure that the right data is being collected and used, as well as ensuring that it is protected. Protecting the “corporate gold” is a difficult task requiring collaboration.

Is 2012 about the Control of Data?

Big data, Hadoop, and analytics were on many 2012 prediction lists, including mine. Perhaps one of the important keys is “control of the data”: how data enters an organization (directly from customers, purchased or shared from third parties), where it resides (internal vs. external, in the US or outside the US), how it is processed, who can access and manage it, and how it is archived and deleted. With exabyte-sized systems (thousands of petabytes), the cybersecurity/privacy pro’s job will be tougher.

Tips to Keep You Safe Online

Some tips to keep you and your family safer online.

a) Use Lastpass.com to keep track of your passwords. With LastPass I remember only one long, random, secure password and LastPass remembers over 200 of my passwords, which all look like random variations of “C5r$u9cLy#bG”. I also use a YubiKey with LastPass to provide secondary authentication. A YubiKey is a small plastic USB device that sends a pseudo-random number to a server to authenticate me. Google Authenticator is an alternative form of secondary authentication.

b) Change your password reset questions so that your answers are no longer “Snoopy”, “ice cream,” or “Justin Bieber.” It is too easy to guess the name of your first pet or your favorite food, and too easy to find your favorite singer on your Facebook profile. Use answers like “game73elmo29.” Write them down in a secure place, or use LastPass to keep track of them.

c) Do not use the same password at multiple sites.

d) Change the default password on your router. Some sophisticated attacks target widely available Belkin, D-Link, Linksys, etc., routers. If you are adventurous, build your own router with Astaro or pfSense on an old PC.

e) Check your router’s security using the ShieldsUP! tool at grc.com.

f) Make sure your wireless router uses WPA2. WEP is too easy to crack.

g) Check that hardware DEP is turned on if you are using a Windows PC.

h) Use NoScript to prevent malicious scripts from running if you are using Firefox. I think Firefox is the most secure browser, but you could also make an argument for Chrome or IE9.

i) Use Sandboxie to virtualize any browser.

j) Back up your essential files. Bad things can and will happen. I use the 3-2-1 rule: three copies, two different media (I use hard drives and cloud drives), and one copy off-site (I use two off-site vendors, Amazon and Rackspace).

k) Scan your PC occasionally using a LiveCD like Microsoft System Sweeper. The LiveCD does not boot into Windows, so hard-to-detect malware like rootkits can be found.

l) If you want to check a file attached to an e-mail or one you downloaded, submit it to virustotal.com. It will be checked against more than 40 antivirus products. Of course, even if the file appears to be virus-free, it may still be a zero-day.