Creepin’ on Facebook Just Got Easier

If, like me, you were a beta tester, you might not have noticed that Facebook Graph Search is now open to all users. But it is. Everyone from your former high school classmates to your co-workers to your mom’s neighbor has access to Facebook’s powerful search engine.

While many users may use it to find friends with similar interests, it can also reveal some rather interesting and embarrassing things.

If you’d rather not show up in a Graph Search (innocent or like the ones from that Tumblr), there are a few steps to take:


Watch and Learn: Security Metaphors

In case you weren’t able to attend Secure360 this year, you can catch the presentation that Josh More gave entitled “Security Metaphors” right here.

Here’s the original description of the presentation:

There is a divide between the so-called “security/technical” people and the “business” people. We’ve all heard about how we need to “speak the language of business” and “get soft skills” to succeed. However, even after decades of trying, the divide still exists. Why does it seem that we never make progress? Are we truly not improving? Is the goal receding as we chase it?

This presentation posits that we’ve been making a fundamental error in trying to explain things to people outside our field. One thing that people-oriented people do naturally, and technically-oriented people do not, is communicate with others using the target’s metaphors. By taking this approach and translating issues into different frames of reference, more time is spent exploring the issue instead of arguing over why it matters.

By focusing first on being understood and second on the specific issues, rapport can be built and, over time, you can get the resources you need to win more battles.


Personal Security?

We pride ourselves on our approach to security here at RJS, and we have been keenly interested in the goings-on with the NSA and the PRISM program and all the third parties that seem to have no problem coughing up your personal info: corporate giants such as Google, Facebook, Microsoft, etc.

Here’s a new one to add to the list: Motorola.

Ben Lincoln posted on his blog today some interesting facts he happened to stumble upon while troubleshooting an Exchange ActiveSync setup with his Motorola Droid X2 cell phone. It turns out that Motorola is gathering ALL of his logon credentials for third-party sites/services, along with photos he has taken with his phone, and passing quite a bit of that data unencrypted over HTTP.

In layman’s terms: all of that data can be intercepted by third parties on the network path; in fact, that is how Lincoln initially discovered it.

We talked quite a bit about a similar issue with HTC and “Carrier IQ” being pushed to all their phones through an over-the-air update. Fortunately, Trevor Eckhart discovered that little gem and put a lot of valuable time and effort into making it known: Eckhart pointed it out to the XDA ROM modding community, and swift steps were taken to purge it from all custom ROMs. The resulting backlash against HTC was huge, to the point that their stock and market share tumbled during 2012 and 2013.

When you break the trust of your customers, it is really hard to recover.

HTC licked their wounds and released the HTC One, which has been aptly named since it’s their one last effort to salvage the company. I picked up the One this spring on vacation, rooted it a day later and installed a custom ROM that I know has been stripped of any carrier and manufacturer bloat and spyware.

Do I feel any more secure? Not really since the NSA is digging through all my email and phone traffic regardless of personal security steps I take.

Maybe it’s time to take a Jack Reacher approach and just unplug from everything and step entirely off of the grid …


The Insidiousness of Cellphone Malware

Hackers and cyber criminals continue to get more sophisticated, especially when it comes to fooling people via less traditional attack vectors. For example, I got an interesting text on my work cell phone earlier this week …

“heyy that’s what I was telling you you should join.”

The message came from a local Twin Cities telephone number that I didn’t recognize. So, being the suspicious type that I am, I “Googled” the phone number and found that the same number was spamming local numbers here in the Twin Cities and that there are several complaints about it already.

Taking this a step further, I fired up a clean VM with antivirus on it that goes through our Sophos WS1000 web security appliance and pulled up the URL in Google Chrome. Sure enough, the site was blocked and classified as “High Risk,” with a note that “Mal/HTMLGen-A” had been found on the site.

Sophos warning

Sophos classifies malware by its behavior, and Mal/HTMLGen-A happens to be a very commonly used browser-based payload delivery mechanism that affects Windows, Mac OS X, and Linux.

After doing a little more digging, I found that the URL that was sent resolves to, which has some really interesting history to it. This particular IP range was in Volgograd, Russia back in 2010, and it is now owned by a Romanian internet hosting company parked in Schiphol, Netherlands.

A few companies I’ve worked at in the past block Romanian IP ranges at the firewall, since a high amount of fraud and scam traffic originates from there, so it makes sense that an operator would host from another country to get around geolocation-based IP blocking.

And finally, we arrive at the nature of the attack itself.

Cell-based text messaging. Both of my phones run a variant of Linux, one being Apple iOS (work cell) and the other Android (personal cell). If an attack is highly sophisticated, it will include some sort of detection routine so it knows which payload to push onto the phone, such as iOS jailbreak code or Android rooting scripts/programs: something that will allow the attacker to access your dialer without you knowing about it, to make premium calls or send premium text messages. Sure, you’ll figure it out once you get your next phone bill, but by then it’ll be too late.

If the attack is low-tech, then it may be as simple as trying to get you to share your URLs (like Chrome does) with a far more vulnerable Windows OS and using some canned Blackhole Exploit Kit scripts that were purchased to farm some bank info.

I’d love to take the time to pull the payload code apart to see what it’s trying to do, but from the poor English used in the text message itself, I’m betting it’s low-tech. If the attacker can’t be bothered to make the message look legit, you can more than likely bet they bought their malware off the shelf.

Moral of the story: your cellphone is at as much risk as your computer. Be wary, be vigilant.

A Security Lesson from the Dinosaurs

Last week, I got my copy of All Yesterdays (not the used Amazon versions, as the pricing algorithm is failing hilariously). I’ve been a fan of Darren Naish’s work since I discovered Tet Zoo years ago. It turns out that in addition to writing amazing articles on the cladistics of extinct crocodilians, he is also good at writing about paleo art.

You might think that paleo art is art done by prehistoric people, but no. In this case, it is art done to provide imaginative reconstructions of life from fossils. I imagine that most people these days are aware of the belief that many of the two-legged dinosaurs were feathered. However, as it often turns out, things are more complex than that. This book explores the history of dinosaur art and, along the way, draws on what we know about the natural history, camouflage and mating habits of contemporary species.

So why am I posting this review on a blog that is (more or less) focused on information security?

Well, in addition to this book being about pretty pictures of dinosaurs, it is also about an industry working overtime to make guesses about the truth, analyze its mistakes in the face of new evidence and, through a constant stream of screw-ups, come closer and closer to consensus. As they’ve done this, everyone has had to constantly adjust to the shifting truth.

In effect, it is a book about evolution … the evolution of species … the evolution of understanding … and the evolution of the understanding of evolution, so to speak. This happens in all industries, but the younger the industry is, it seems, the less we like to acknowledge that we don’t have all the answers. In Information Security, we don’t like to be wrong and we particularly don’t like to be wrong in front of other people. This is understandable, as when we make a mistake in security, people could get hurt. However, when we don’t get a chance to discuss our mistakes as a community, we don’t get a chance to improve.

Today, there is some discussion in the community, but mostly within closed mailing lists and at conferences. Unlike in the realm of paleo art, our mistakes tend not to be public, so there are fewer eyes on them and fewer opportunities to get better. Fortunately, there are more hackers than professionals who draw dinosaurs, so we do get an advantage of numbers. Still, there is ample room for improvement.

This book explores the problems that arise from:

  • Taking a superficial view of evidence
  • Not comparing logical conclusions to examples of modern data
  • Avoiding analysis and basing beliefs on the misguided work of others
  • Looking strictly at hard evidence and ignoring behavior
  • Hyper-focusing on dramatic scenarios

Sound familiar?