September 2008

It’s Not OK to Click “OK”

If you are a user of Microsoft’s Windows operating system, you are no doubt very familiar with the popup dialog boxes that appear so frequently on your screen.  These popups were designed to inform you when an event occurs that requires your attention or input.  They appear even more often in Windows Vista, which by default asks for your permission (through User Account Control) before running applications that require administrative privileges.  This is a good thing from a security perspective, but a bad thing from an annoyance perspective.

As a result, computer users have become accustomed to simply clicking “OK” on every popup window they are presented with.  A recent study conducted by researchers at North Carolina State University found that two-thirds of the participants would click “OK” on any popup window presented to them, even ones that were fake.  Furthermore, the study found that most Internet users have a difficult time distinguishing between real and fake popup windows.

This fact is not lost on Internet scammers.  If you have surfed the web for any length of time you have likely encountered a fake popup dialog box such as the one below:

These fake popup windows are generally designed to install malware on your system.  There are several things you can do to protect yourself.  First, always run up-to-date antivirus and antispyware software.  Second, enable the popup blocker option in your browser; this is available in both Firefox and Internet Explorer.  Third, take the time to read the message.  Familiarize yourself with real popup dialog boxes so that you can tell the difference between them and fake ones.  An unexpected “security alert” that appears while you are actively surfing the web is most likely a fake drawn by the web page itself, not a message from Windows or your antivirus software, and it is intended to do your system harm.  Do not click the “OK” button unless you are sure of its authenticity and understand what you are agreeing to.  If not, close the window by clicking the “X” in the top right hand corner of the dialog box or by using the Windows task bar.  Keep in mind that on a fake popup the “X” and “Cancel” buttons may themselves be part of the web page, so clicking them can do exactly what “OK” would have done; closing the browser window from the task bar is the safer choice.  And if it happens to be one of those persistent popups that just doesn’t want to go away, close and restart your browser.

A Lesson From the Sarah Palin Email Hack

Much has been written recently about the Sarah Palin email hack.  This hack was not the result of some exotic new virus or an uber-hacker with a secret toolkit for compromising webmail accounts.  No, it was nothing more than a curious youngster doing some basic Internet searches and using the information obtained to take advantage of a weakness in the email provider’s password reset feature.  I have written before about the dangers of social networking sites and how important it is to limit the amount of personal information you publish about yourself and your family.  The Sarah Palin email hack is a perfect example of what can happen if you fail to heed that warning.

Sarah Palin, the Republican Vice Presidential nominee, was using Yahoo for her personal email account.  Yahoo provides a method for resetting a forgotten password that requires four pieces of information: 1) date of birth, 2) country of residence, 3) postal code and 4) the answer to a security question.

The security question is usually something like “What is your pet’s name?” or “Where did you go to high school?”.  In Sarah Palin’s case it was “Where did you meet your spouse?”.  The hacker had little trouble finding the first three pieces of information with basic Internet searches.  The answer to the last question was not difficult to guess once he or she learned that Sarah and Todd Palin met in high school.  After a few guesses the hacker hit the jackpot with the fairly obvious answer of “Wasilla high”.  In other words, the one factor that was supposed to be secret was really a password drawn from a tiny pool of guessable candidates.

It is not difficult these days to find out just about anything about anyone by searching the Internet.  Add to that the fact that most social networking sites not only allow you to share personal information with the world, but actually encourage it.  By searching sites such as MySpace and Facebook one can find a treasure trove of personal information freely shared by their users.  The four pieces of information necessary to reset a Yahoo account (and most other accounts) are often easily obtainable for such users.  And it doesn’t take much more effort to find enough information to obtain credit in the name of, or steal the identity of, those who share too much.  It should be obvious by now that the best way to prevent such an incident from happening to you is to limit the amount of personal information you make available.  Don’t share any information that is used as a security question, such as your mother’s maiden name or where you met your spouse.  If a service forces you to set a security question, treat the answer as a second password: use a random string that has nothing to do with the question and keep it in your password manager.  Conduct an Internet search for information about yourself and review your social networking profiles to make sure you are not revealing too much.  It is better to divulge too little information than too much.
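To make the weakness concrete, here is an added example (not code from the original post, and not Yahoo’s actual reset logic) that simulates a knowledge-based reset of the kind described above and then shows a hardened form that requires a single-use token delivered out of band, locks the account after a few wrong answers, and compares secrets in constant time.  The account values, the attacker’s guess list, the MAX_FAILURES threshold and the token “delivery” are all constructed for illustration.

```python
"""Knowledge-based password reset: the weak form the post describes, beside a
hardened form.

Added example, not code from the original post or from Yahoo's reset flow.
The account values, the attacker's guess list and the recovery channel are
constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3          # chosen for the example; real services tune this


@dataclass
class Account:
    dob: str
    country: str
    postal: str
    answer: str                       # answer to the security question
    failures: int = 0
    locked: bool = False
    reset_token: Optional[str] = None


def norm(s: str) -> str:
    """Lenient matching like a real reset form: ignore case and spacing."""
    return " ".join(s.lower().split())


def weak_reset(acct: Account, dob: str, country: str, postal: str, answer: str) -> bool:
    """Grants a reset when four facts match. Every one of them can be found or
    guessed from public sources, and nothing limits the number of tries."""
    return (norm(dob) == norm(acct.dob)
            and norm(country) == norm(acct.country)
            and norm(postal) == norm(acct.postal)
            and norm(answer) == norm(acct.answer))


def begin_hardened_reset(acct: Account) -> str:
    """Step 1: issue a single-use token. A real service delivers it to a
    verified recovery address or phone; here (constructed) it is returned so
    the legitimate-owner path can be shown."""
    acct.reset_token = secrets.token_urlsafe(24)
    return acct.reset_token


def hardened_reset(acct: Account, token: str, answer: str) -> bool:
    """Step 2: require possession of the token as well as the answer, lock the
    account after MAX_FAILURES wrong attempts, and compare in constant time."""
    if acct.locked or acct.reset_token is None:
        return False
    ok = (hmac.compare_digest(token.encode(), acct.reset_token.encode())
          and hmac.compare_digest(norm(answer).encode(), norm(acct.answer).encode()))
    if ok:
        acct.reset_token = None       # single use
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
        acct.reset_token = None
    return False


def make_account() -> Account:
    """Constructed victim: facts of the kind a web search turns up, and an
    answer that follows from knowing the couple met in high school."""
    return Account(dob="1970-01-01", country="US", postal="99999", answer="Wasilla high")


# Constructed: what an attacker finds with a few searches, and the guesses
# they would try for "Where did you meet your spouse?".
FOUND_DOB, FOUND_COUNTRY, FOUND_POSTAL = "1970-01-01", "us", "99999"
GUESSES = ["Wasilla", "high school", "Wasilla High School", "Wasilla high"]


def attack_weak(acct: Account) -> Optional[int]:
    """Number of guesses until weak_reset succeeds, or None."""
    for n, guess in enumerate(GUESSES, 1):
        if weak_reset(acct, FOUND_DOB, FOUND_COUNTRY, FOUND_POSTAL, guess):
            return n
    return None


def attack_hardened(acct: Account) -> bool:
    """Same guesses without the token: no guess succeeds and the lockout trips."""
    begin_hardened_reset(acct)        # token goes to the owner, not the attacker
    return any(hardened_reset(acct, token="", answer=g) for g in GUESSES)


if __name__ == "__main__":
    print("weak reset cracked after", attack_weak(make_account()), "guesses")
    victim = make_account()
    print("hardened reset cracked:", attack_hardened(victim), "locked:", victim.locked)
```

The lockout alone is not the fix: with three or four obvious candidates an attacker may still get lucky inside the limit.  What actually stops the attack is that the answer is no longer sufficient on its own; the reset also requires something delivered to a channel the attacker does not control.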

Like many other states, North Carolina has enacted a data breach notification law in an effort to protect its citizens from identity theft resulting from the disclosure of personally identifiable information by private enterprises.  Passed in 2005, the Identity Theft Protection Act (ITPA) sets out guidelines that companies must follow for the proper use, protection and destruction of personal information.  It also outlines the steps a business must take to notify its customers, business partners and possibly the state government in the event of a breach of personal information.  If you operate a business in North Carolina and maintain personal information, whether in digital or paper form, please read on to ensure you are familiar with the law.

The law defines personal information as either a first name or first initial and a last name in combination with any of the following:

  • Social security or employer taxpayer identification numbers
  • Driver’s license, state identification card or passport numbers
  • Checking account numbers
  • Savings account numbers
  • Credit card numbers
  • Debit card numbers
  • Personal Identification (PIN) Code
  • Digital signatures
  • Any other numbers or information that can be used to access a person’s financial resources
  • Biometric data
  • Fingerprints
  • Passwords

If a business stores this information in either digital or paper form, it is required to abide by the following rules in the case of unauthorized access:

  • In the case of a breach of personal information in which the business owns or licenses the information, the business must notify each person affected “without reasonable delay”.
  • In the case of a breach of personal information in which the business does not own or license the information, the business must notify the owner or licensee “immediately following discovery of the breach”.
  • The notice must include information about the breach, the type of information that was disclosed, acts taken by the business to prevent further unauthorized access and a phone number that the customer can call for assistance.
  • The notice may be written, telephonic or electronic under certain circumstances.
  • If more than 1000 notifications are made the business must also notify the Consumer Protection Division of the state Attorney General’s office.

Additionally, businesses must take the following safeguards regarding the disposal of personal information:

  • Implement policies and procedures to ensure the physical destruction of paper documents that contain personal information.
  • Implement policies and procedures to ensure the physical destruction or permanent erasure of electronic media that contain personal information.
  • Develop an official policy regarding the disposal of personal records.
  • Perform due diligence when contracting with a disposal company to ensure that they take adequate measures to properly destroy paper and/or electronic media containing personal information.

Finally, any business operating in North Carolina may not do any of the following:

  • Intentionally make known or publish to the general public an individual’s SSN.
  • Intentionally print an individual’s SSN on any card required for the individual to access products or services.
  • Require an individual to transmit their SSN over the Internet without a secure, encrypted connection.
  • Require an individual to use their SSN to authenticate to a web site unless a password or PIN is also required.
  • Print an individual’s SSN on any materials mailed to the individual unless required by state or federal law.
  • Sell, lease, loan, trade or otherwise disclose an individual’s SSN to a third party without written consent from the individual if it is known or should be known that the third party has no legitimate need for the information.

Businesses that violate the North Carolina ITPA can be subject to lawsuits under North Carolina’s Unfair and Deceptive Trade Practices Act.  This, combined with the cost of notifying customers and the potential loss of business due to lost credibility, should be a wake-up call to take action to ensure your business is in compliance with this law.  Below is a list of recommendations that every North Carolina business handling personal information should undertake in order to ensure compliance:

  • Conduct an internal audit to determine the amount and type of personal information that is collected and stored as part of your business processes.  If this personal information is not required for business purposes, discontinue using it and dispose of it securely.
  • Ensure that personal data necessary for business purposes is stored securely and is only accessible to those who need to access it in order to perform their job duties.  Be sure to include your own employees’ data as this often contains personal information covered by the ITPA.
  • Develop policies and procedures for the secure collection, usage, storage and disposal of personal information.
  • Enact a training program for all employees to ensure that they are aware of the company’s policies and procedures for handling personal data.  A business can be held liable if a non-managerial employee breaks the law and he or she was not properly trained, supervised or monitored.
  • Develop an incident response plan to address the unauthorized disclosure of personal data.  The plan should include determining the source of the breach, corrective actions, mitigation plans and proper notification of those affected.

North Carolina’s ITPA is a positive step to help protect consumers from the very real threat of identity theft.  It requires businesses to take practical steps to safeguard this information and it ensures that consumers will be notified if their personal information is breached so that they can take appropriate action to protect themselves.  As a business owner, it is best to go even further than the requirements of the ITPA.  There are many other controls and safeguards that can and should be implemented to help reduce the likelihood that you may one day have to notify your customers that their personal information was disclosed due to your negligence.

V is for Vishing

First, a little background on the term vishing.  Vishing is a type of attack that combines voice (i.e. telephone services) with traditional phishing techniques.  If you are unfamiliar with phishing attacks, please see my earlier article on this topic for a refresher.  Vishing has become more prevalent in recent years as VoIP services have made such attacks far cheaper to conduct and far less likely to get the perpetrator caught.  And not only have the attacks become more numerous, they have also become more sophisticated.

A traditional vishing attack usually starts with an email.  The email will appear to be from a bank or credit card company asking you to contact them by phone because of unauthorized charges, a card or account reactivation, or some other reasonable sounding explanation.  When you call the number provided you are typically greeted by an automated attendant that asks you to authenticate yourself by providing your card number, social security number and potentially other sensitive information.  Of course, by doing so you have just made yourself the future victim of credit fraud and/or identity theft.  Below is an example vishing email:

Recently these attacks have become even more complex.  They often leave out the email altogether and use either text messages or actual phone calls.  The calls can appear to come from a local number even though they may originate anywhere in the world; with VoIP the caller ID you see is simply whatever the caller chooses to send.  Typically these calls will go to your voice mail, leaving a message claiming to be from your bank and asking you to call back using a number provided in the message.  When you call you will get the automated attendant asking for authentication via your card number, etc.  You may even be greeted by a real person who may or may not be knowingly involved in the scam.  Some people have been recruited to answer these calls on behalf of what they believe is an actual bank or credit card company, which makes the scam even more believable.

And if what I have described above was not alarming enough, vishing scammers have raised the bar to new heights of late.  To make their emails even more believable, vishers have been posting their fake telephone numbers alongside the names of legitimate businesses on bulletin boards and other web sites in an attempt to associate those numbers with the customer support numbers of the banks they are targeting.  Combined with search engine optimization poisoning techniques, this can result in the fake number showing up as the top result in a Google search for the bank’s customer support information.  Thus if someone received a vishing email but was suspicious of the number and decided to search for their bank’s or credit card company’s customer service number, they very well may find the fake number listed first in their search results.  Obviously this would give them a false sense of confidence in both the email and the number they are calling.  Very clever indeed.

If you ever receive an email or call of this type, always go to the bank’s web site directly, use the number printed on the back of your card, or look in the phone book for their number.  Don’t rely on a search and definitely don’t call the number in the email or voice mail.  It’s the wild west out there, so keep your guard up.
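The advice above reduces to one check that can be automated: does the callback number in the message match a number the institution actually publishes?  The added example below (not from the original post) scores an email for the vishing pretexts described above and compares every phone number in it against a trusted directory.  The directory, the two sample messages and the phrase list are constructed; in practice the directory must be built from the back of your card or the bank’s own site, never from a search result, precisely because of the SEO poisoning described above.

```python
"""Flags vishing lures in e-mail text and checks callback numbers against an
institution's published numbers.

Added example, not code from the original post. The trusted directory, the
two sample messages and the phrase list are constructed for illustration.
"""
import re
from typing import Dict, List, Set

# North American numbers as commonly written: 800-555-0100, (800) 555-0100,
# 800.555.0100, 1-800-555-0100. The look-arounds keep a 10-digit run inside
# a longer number (a card or account number) from being read as a phone.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)

# Pretexts the post describes (unauthorized charges, reactivation) plus the
# urgency and "call us" wording that goes with them. Matched as substrings.
LURE_PHRASES: List[str] = [
    "unauthorized", "suspended", "reactivat", "verify your",
    "call us", "call the number", "immediately", "within 24 hours",
]

# Constructed stand-in for the numbers a bank really publishes. Populate it
# from the back of the card or the bank's own site, not from a web search.
TRUSTED_NUMBERS: Dict[str, Set[str]] = {"example bank": {"8005550100"}}


def extract_numbers(text: str) -> Set[str]:
    """Every phone number in the text, normalized to its 10 digits."""
    return {"".join(m.groups()) for m in PHONE_RE.finditer(text)}


def analyze(claimed_institution: str, body: str) -> dict:
    """Returns the lure phrases found, the callback numbers the institution
    does not publish, and an overall verdict."""
    lower = body.lower()
    phrases = [p for p in LURE_PHRASES if p in lower]
    trusted = TRUSTED_NUMBERS.get(claimed_institution.lower(), set())
    unknown = sorted(extract_numbers(body) - trusted)
    # An unpublished callback number is the decisive signal; urgent wording
    # alone also appears in legitimate notices.
    if unknown and phrases:
        verdict = "likely vishing"
    elif unknown:
        verdict = "suspicious: unpublished callback number"
    else:
        verdict = "no vishing indicators"
    return {"lure_phrases": phrases, "unknown_numbers": unknown, "verdict": verdict}


# Constructed sample messages (addresses use reserved example domains).
VISHING_EMAIL = """From: Example Bank Security <alerts@example.net>
Subject: Card suspended

We detected unauthorized charges on your card. To reactivate your account,
call us immediately at 1-800-555-0199 and confirm your card number."""

LEGIT_NOTICE = """From: Example Bank <statements@example.com>
Subject: Your statement is ready

Your October statement is available online. Questions? Call (800) 555-0100,
the number printed on the back of your card."""


if __name__ == "__main__":
    for label, msg in (("vishing", VISHING_EMAIL), ("legit", LEGIT_NOTICE)):
        print(label, analyze("Example Bank", msg))
```

The same normalization is what lets you compare a number that “looks local” in a voice mail against the directory: strip it to digits first, then look it up.  Anything that is not in the directory gets called back only through a number you obtained yourself.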

Internet Explorer 8 Security Features Lacking

I became excited when I read the press release for Microsoft’s Internet Explorer 8 Beta 2 browser software.  IE has traditionally lagged behind Firefox when it comes to security so I thought I would investigate.  According to Microsoft, IE8 incorporates many new and in some cases interesting security features.  I installed it on my laptop and have been using it for several days.  Below are my impressions.

The InPrivate Browsing feature allows you to browse the web without the browser keeping any record of the sites you have visited.  No cookies, no history, no form data, etc.  Microsoft claims this is useful in situations where a computer is shared by different people and you don’t want others to know what sites you have been visiting, such as when a husband is searching for a birthday gift for his wife and wants to keep it a secret.  Right!  More likely this feature will be used to keep others from seeing the adult sites that are being visited.  In my testing this feature did work as advertised and could be useful when using a public computer.

SmartScreen Filter is a feature that is supposed to alert you when you attempt to access a suspicious or known malicious web site.  For example, it should block access to sites that are known to host malware as well as phishing sites.  I tested this feature by attempting to visit a few known malicious web sites including some phishing web sites (don’t try this at home!).  In each case IE8 failed to detect and block access to the site even though SmartScreen Filter was enabled.  On the other hand, Firefox 3.0.1 blocked each of the same sites, appropriately alerting me to the danger of the requested site.

Finally, Content Advisor, which has been around since IE6, is a feature that allows you to restrict access to web sites based on content categories such as gambling, nudity, etc.  It also allows you to specifically deny access to user defined URLs.  This is a great feature especially for parents of young children who want to prevent them from accessing inappropriate sites.  Content Advisor has been maligned for years and it has not improved any with IE8.  It relies on a rating system in which web developers rate their own content.  Many sites have no rating and others have incorrect ratings leading to a content filtering system that is virtually useless.  If you are looking for parental control software and don’t have much money to spend, try product which is FREE for home use.

In sum, IE8’s security features were a little disappointing.  To be fair it is a beta release.  Perhaps these issues will be addressed in the general release product.  I will revisit it in the future to see if they listened to my criticisms.  For now I am sticking with Firefox.

A New Kind of Honey Stick

When I visit the local farmers market with my family, my children are always excited to buy a couple of honey sticks from the local bee keepers.  These are essentially plastic tubes about the size of a straw filled with honey.  Unlike these delicious treats, there is another type of honey stick that isn’t so tasty and could be very harmful to your computer.  The honey stick project, which was started earlier this year, is a research effort designed to determine how many people will plug a USB thumb drive that they find in a random place into their computer.  These USB drives carry a program that “phones home” so that the researcher can determine what percentage of the thumb drives left in random locations are accessed.  The results so far?  Out of 33 deployed honey sticks, 42% have been accessed.

You may be wondering what the issue is with plugging a found thumb drive into your computer.  I mean hey, who wouldn’t want a free thumb drive, right?  Unfortunately, by plugging a thumb drive from an unknown source into your computer you put your system at risk of infection by a virus or trojan.  The autorun feature of many operating systems can automatically execute a malicious program on the drive, which could lead to the compromise of the machine; on Windows, all the drive needs to carry is an autorun.inf file naming the program to run.  Such a compromise could lead to the theft of your bank account information, personal information, usernames, passwords and more.  So if you ever find a USB drive or any other type of media (CD-ROM, DVD, etc.), don’t put it in your machine unless you are feeling very lucky that day.  And if you must examine unknown media, disable AutoRun first, and bear in mind that even then an autorun.inf can redefine what double-clicking the drive in Explorer does.
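The mechanism is worth seeing.  The added example below (not code from the original post or from the honey stick project) parses the autorun.inf file that Windows reads from removable media and reports the directives that cause execution or disguise the drive: open and shellexecute run a program when AutoRun is enabled, shell\<verb>\command entries replace what double-clicking or the context menu does, and icon, action and label control what the user sees.  Both autorun.inf samples are constructed.

```python
"""Triage of an autorun.inf found on removable media.

Added example; not code from the original post or from the honey stick
project. The two autorun.inf samples below are constructed.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (severity, message)


def parse_autorun(text: str) -> Dict[str, str]:
    """Minimal INI reader for the [autorun] section: case-insensitive section
    and key names, ';' comment lines, the first '=' splits key from value."""
    keys: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def triage(text: str) -> List[Finding]:
    """Flags directives that execute code or disguise the drive."""
    keys = parse_autorun(text)
    findings: List[Finding] = []
    # Run automatically when AutoRun is enabled for the drive type.
    for k in ("open", "shellexecute"):
        if k in keys:
            findings.append(("high", f"{k}={keys[k]}: executed automatically when AutoRun is enabled"))
    # shell\<verb>\command replaces what double-click / context menu does,
    # so the program runs even on a machine with AutoRun switched off.
    for k, v in keys.items():
        if k.startswith("shell\\") and k.endswith("\\command"):
            verb = k[len("shell\\"):-len("\\command")]
            findings.append(("high", f"{k}={v}: '{verb}' verb runs this instead of opening the drive"))
    if "shell" in keys:
        findings.append(("medium", f"shell={keys['shell']}: changes the default verb for the drive"))
    icon = keys.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append(("medium", f"icon={icon}: borrows a system icon so the drive looks like a folder or built-in device"))
    if "action" in keys:
        findings.append(("medium", f"action={keys['action']}: attacker-chosen text shown in the AutoPlay prompt"))
    return findings


def risk_level(findings: List[Finding]) -> str:
    severities = {s for s, _ in findings}
    if "high" in severities:
        return "high"
    if "medium" in severities:
        return "medium"
    return "none"


# Constructed: the shape of autorun.inf seen on dropped drives of the era.
MALICIOUS_INF = r"""[AutoRun]
open=recycler\setup.exe
shellexecute=recycler\setup.exe
shell\open\command=recycler\setup.exe
shell\explore\command=recycler\setup.exe
shell=open
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
label=My Documents
"""

# Constructed: a vendor disc that only sets its icon and volume label.
BENIGN_INF = """[autorun]
icon=setup.ico
label=Printer Driver CD
"""


if __name__ == "__main__":
    for name, inf in (("malicious", MALICIOUS_INF), ("benign", BENIGN_INF)):
        result = triage(inf)
        print(name, risk_level(result))
        for severity, message in result:
            print("  ", severity, message)
```

On Windows the policy value NoDriveTypeAutoRun=0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer disables AutoRun for every drive type; as the shell\open\command case shows, that stops the automatic launch but not a user who double-clicks the drive, which is why the only complete defence is not plugging the thing in.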

A well known technique for testing the security of a company’s network is to scatter a few thumb drives in the target company’s parking lot.  These thumb drives carry software that installs automatically when the drive is plugged into a computer, leading to the compromise of that system and potentially other systems within the corporate network.  Many unsuspecting people will see these thumb drives while walking through the parking lot, pick them up and plug them in to their computer.  Our curiosity often gets the best of us, leading to unintended consequences (like a visit from the corporate security administrator).

Recently a virus was detected on laptops used in the .  It is suspected that the virus was transmitted via shared USB drives.  There was nothing sweet in those sticks!

Copyright © 2011 InfoSecStuff.com — All Rights Reserved