Recently in Trust Category

Social networks ignore security practices


Is anyone really surprised that social networking sites such as Facebook and Myspace were discussed at this year's Blackhat in Vegas? The entire purpose of the genre is to share data, which can be difficult to do securely. According to one presentation, though, they aren't really even trying.

From Information Security Magazine:

Social networks like Facebook and MySpace are perfect models for the three D's of insecurity: insecure by design, insecure by default and insecure in deployment.
According to a pair of security consultants who spoke at the 2008 Black Hat briefings, security is clearly not part of the business model for owners of these wildly popular Web properties.
* * *

Speaking to a Black Hat audience in a rapid-fire, free-wheeling session Thursday, their key message was that when sharing something on a social network, assume it's going to be public.

If you give credit card information to Facebook, which it warns users not to do, you deserve to fail.

The duo demonstrated a series of all-too-easy MySpace attacks, which combine social engineering and technical hacks against an end-user population hungry for peer interaction and imbued with trust. [From MySpace, Facebook ignoring basic principles of security]

A University of Michigan study found that 75% of online banking websites suffer from design flaws that open customers to criminals.

From The IT Security Guy:

This should, of course, come as no surprise to anybody in IT security, particularly those specializing in protecting web sites. But a study released by researchers at the University of Michigan says 75% of banking web sites have design flaws that open online customers to cybercriminals, according to Finextra and CNET. [From The IT Security Guy: Banking Web Sites Still Insecure]

You can read the full study here.

Apple ID compromised by simply asking


Can you believe that Apple just handed out an Apple ID password in response to a one-line request? From Marko Karppinen:

I tried to log in to Apple Developer Connection this morning to find out that my password had been changed and the email associated with my account was now a yahoo.com address that wasn't mine. Luckily, my "security question" was still the same, so I was able to reset the password and email address back.
Based on the emails that have appeared in my .Mac mailbox, this was accomplished by sending this classy one-liner to Apple:
am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com
To which Apple reacted by doing the only reasonable thing - saying Sir, Yes Sir! and handing my account over. [From Apple just gave out my Apple ID password because someone asked - MK&C]

You have to believe that Apple actually does have procedures in place (based on the "security question") that were ignored in this case. This is just evidence that no matter how strict security policies are, there is always going to be a McEmployee who will ignore them; even technical constraints that enforce policy can usually be overridden by somebody who is too busy to ask a couple of extra questions.

What's the better solution, to pour money into building more sophisticated safeguards or to outsource the risk?

RBN Influencing ICANN?


From rbnexploit, RBN - Partners Official Sponsors of ICANN?:

Russian Business Network (RBN); what if they were out to own the Internet by owning the DNS? The Internet totally relies on DNS (Domain Name System) so obviously this must be the stuff that Hollywood movies are made of, but this nightmare scenario is more real than any of us would like to believe.

This article draws a few of the ingredients together. It is important to stress this is not to discredit ICANN, but to show just how RBN and their associates are applying themselves to the weakness of DNS allocation and exploiting ICANN's vulnerability via influence, commercial sponsorship and registrar development.

This one may fall into the tin-foil-hat arena, especially considering the following text:

The background research and this summary article have been around four months in the making within the community. It should be emphasized there is considerably more 'who' and 'what' which will be presented in full later.

The "there's more evidence, but it's secret" line is a classic for conspiracy theorists. It may pan out or it may not, but the article does raise a couple of very interesting points.

First, organizations such as ICANN are designed to be completely open and transparent (and they should be). A completely open dialogue requires full and complete disclosure, however, and it's very easy for malicious entities such as the RBN to participate without that disclosure, which adds significant risk to the process.

Congress requires all lobbyists to be registered so that our representatives know who they're talking to and what interests they represent. It allows them to control the dialogue and keep entities such as drug cartels from influencing US policy. Whether that particular system works or not, it still addresses an important need.

The second issue they raise is one of trust. The most fundamental trust relationship most web entities (such as small online businesses) have is with their registrar and hosting provider. Registrar/hosting companies have proliferated so quickly that reputation economics are useless in making a vendor decision, so price/performance is the metric many entities use in choosing a registrar/hosting solution. This makes it far too easy for entities such as the RBN to victimize their customers without any possibility of recourse.

At any rate, I look forward to any information that makes the article's case more directly. It promises to be interesting.

Who'd want to hack me?


Lots of people want to hack you. Despite persistent stereotypes about bored teenagers, cyber-crime is big business. A search on the Russian Business Network should end any doubts about that. Physical world criminals have very simple motives; they're after valuables -- money, jewelry, electronics, cars. Cyber criminals really aren't any different. If you want to know what they're after, follow the money.

Q: "Willie, why do you rob banks?"

A: "Cause that's where the money is."

-- Willie Sutton, Depression-era bank robber

There are three things every user has that are valuable to cyber criminals:

  • Financial Assets and Intellectual Property.
  • Computing Resources.
  • Identity.

The first of these things is the most obvious. Financial records -- including bank account and credit card information -- are almost as good as cash to a criminal. Even if individual assets are modest, when aggregated with other victims, the value of the information is significant and is sold and traded online.

Intellectual property is similarly valuable, as the MPAA will attest. While most intellectual property -- an unfinished novel, plans for the new deck, and the latest vacation pictures -- probably isn't as valuable as a major motion picture, piracy does occur. If the machine contains IP belonging to a commercial, governmental, or academic institution, it could be extraordinarily valuable or compromising.

The value of computing resources isn't quite as intuitive. Every modern computer has storage, network bandwidth, and processing power. All three of these things are useful to a criminal.

Storage is the most obvious commodity they're after. Why would a criminal store black market files on their own machines when they can do it anonymously on somebody else's? All of those pirated movies that the MPAA is hunting down have to be stored somewhere. So does the source code for the most recent catastrophic virus outbreak. And then there's child pornography. There are serious legal consequences if it's found on a computer, and criminals love to transfer that sort of risk to the unsuspecting.

Bandwidth is valuable for similar reasons. A computer's Internet connection can be used to host this illicit content for downloading. It can also be used to attack other machines. A botnet is a collection of computers that have been hacked and can be controlled remotely by the attacker. These huge groups of hundreds of thousands of compromised machines can be used in coordinated attacks against individuals, businesses, and nation states.

Processing power is a little bit more subtle. Keep in mind that encryption is at the core of security technology. It's what keeps passwords, communications, and commerce private. Without it, anybody could listen in during online banking sessions and while credit card numbers are sent to online stores. Essentially, encryption is just very complex math which, given a big enough calculator, can be solved. While this doesn't seem as immediate a risk as bandwidth and storage, it does pose a viable long-term threat.

The final and most universal asset that every end user has is identity. This is a dual threat -- first to your personal assets and second to the assets and intellectual property of any person or organization that trusts you.

Identity theft is all over the news these days. This type of identity threat is the theft of a victim's real-world identity. But what about a victim's online identity? Highly targeted phishing e-mails that appear to come from a trusted individual or organization are much likelier to succeed than random spam. Another attack would be to use a victim's electronic credentials (usually a password) to access an employer's intellectual property or financial assets -- employees whose username and/or password can be cracked or discovered open an employer's network up to attack from the inside.

Cybercrime is clearly a problem that threatens all types of computer users from the board room to the backyard; everyone is a target.

This document is intended for a non-technical audience. It's a sketch for part of a document I'm working on that introduces business users to online risks and best practices...


Compiling Pubcookie on OpenBSD

This is a very brief post regarding pubcookie.

When compiling the Apache pubcookie module on OpenBSD, you have to add a flag when running ./configure:

--with-ssl-dir=/usr/include/openssl/
Everything else should be as documented on the pubcookie site.
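As an added example (not from the original post or from the pubcookie project), a small sh helper that checks the header directory actually contains ssl.h before handing it to ./configure, so a wrong path fails with a clear message instead of a confusing configure error. The ports location /usr/local/include/openssl and the PUBCOOKIE_SSL_DIR / PUBCOOKIE_RUN variables are assumptions.

```shell
#!/bin/sh
# Added example: locate the OpenSSL header directory for pubcookie's
# ./configure --with-ssl-dir=... on OpenBSD. /usr/include/openssl/ is the
# path from the post; the other candidates are assumptions.

# find_ssl_dir CANDIDATE... : print the first candidate that holds ssl.h.
# Returns 1 (with a message on stderr) if none of them does.
find_ssl_dir() {
    for dir in "$@"; do
        if [ -f "$dir/ssl.h" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    echo "no OpenSSL headers (ssl.h) found in: $*" >&2
    return 1
}

# ssl_configure_flag DIR : the flag in the form the post gives it,
# normalised to exactly one trailing slash.
ssl_configure_flag() {
    printf '%s%s/\n' '--with-ssl-dir=' "${1%/}"
}

# Only run the build step when explicitly asked (PUBCOOKIE_RUN=1), so the
# functions above can be sourced without side effects. Order: a caller-
# supplied dir, then the base system, then the (assumed) ports location.
if [ -n "${PUBCOOKIE_RUN:-}" ]; then
    ssl_dir=$(find_ssl_dir "${PUBCOOKIE_SSL_DIR:-/nonexistent}" \
                           /usr/include/openssl /usr/local/include/openssl) || exit 1
    flag=$(ssl_configure_flag "$ssl_dir")
    echo "./configure $flag"
    # ./configure "$flag" && make   # run this inside the pubcookie source tree
fi
```

Run it as `PUBCOOKIE_RUN=1 sh build-pubcookie.sh` from the pubcookie source tree; it prints the configure line it would use.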

Powered by Movable Type 4.12