Category Security

Identity theft masquerades in Facebook “name game” #privacy

May 15

Earlier this week there was a “name game” being played out on Twitter. For a couple of days my tweet stream was filled with people’s porn names as they happily divulged personal information about themselves under the guise of a game.

Since this information is publicly available, it is very easy for identity thieves to combine the real name of the Twitter user with the “porn name” and harvest key facts that are used to secure the identity of the individual. The game encourages Twitter users to post a combination of their first pet’s name and the street they grew up on (or their mother’s maiden name) to create the name they would use if they were a porn star. While this is similar to the methods used in the adult industry (so I am told), the fact that it is public and linked to the individual’s real name creates the risk of identity theft.

Read: The Twitter Porn Name Game Is a Scam! for more information.

However, a far more insidious variant of this game appeared in my Facebook stream this afternoon, where one of my friends posted their responses to a much longer questionnaire. Here is the questionnaire, which encourages you to respond and post to your friends:

Hijacking the Web

Aug 7

We’ve been watching this one since the news broke a couple of months ago, and you could say it’s the Internet’s equivalent of the Y2K scenario.

In essence, the DNS system (the directory service every Internet connection relies on to find its destination) is flawed. Very flawed.

A bug has been discovered that could allow people to hijack entire portions of the Internet and redirect traffic to wherever they want. So, when you type in www.mybank.com you will get a site that looks and feels exactly as it should, and it would even pass all the anti-phishing checks your browser or PC runs. But, and here’s the catch, it would be operated by thieves from a server far, far away from your bank, because the DNS flaw has allowed them to trick the Internet into sending all traffic for www.mybank.com to their server instead of the proper one.

But this flaw does not just extend to www.mybank.com and other websites. Because it is a flaw in the underlying fabric of the Internet, it allows any traffic that depends on a name lookup to be redirected, and this includes FTP, email, spam filters, SSL, automated software updaters, etc.

“Every network is at risk,” Kaminsky said at the Black Hat conference on Wednesday. “That’s what this flaw has shown.”

Automated software updating systems like those used by Microsoft and Apple could also be subverted, allowing hackers to trick users into installing malicious software disguised as authenticated software updates.

“There are a ton of different paths that lead to doom,” he said.

There is light at the end of the tunnel. Before the details of the DNS flaw were (inadvertently) made public, Kaminsky had been working with the key players in Internet to patch DNS servers to prevent the theft of the web.

Kaminsky said that more than 120 million broadband consumers are now protected by patched DNS servers, which amounts to about 42 percent of broadband internet users. Seventy percent of Fortune 500 companies have also patched, while 15 percent have tried to patch but run up against problems. Another 15 percent have done nothing to fix the hole. [We would guess that these statistics are US-based. Ed.]

He showed a video that mapped DNS servers around the world as they were tested and patched over the last month. Servers that were vulnerable first appeared as red dots on the map then turned green as they patched. The most heavily patched geographical regions were the East Coast of the United States and Western Europe.

We haven’t heard of any major companies being affected by this DNS flaw, but we would advise that any web company that is providing DNS services to its clients ensures that they are patched to avoid becoming part of the domino effect of any future potential exploit (this includes anybody running a dedicated or virtual server which has DNS services operating). Fortunately, small companies are less likely to be targeted by people or organisations looking to exploit the DNS flaw, but unpatched servers represent a hole in the fabric of the web which could allow them to gain a foothold. You have been warned.
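The patches referred to above make a resolver randomise the UDP source port of the queries it sends out, so one defensive check is to look at the ports a resolver actually uses when it queries an authoritative server you control. This is an added illustration, not code from the original post; the port samples are constructed and the thresholds in the “random” heuristic are assumptions.

```python
"""Heuristic check of whether a recursive resolver randomises the source ports
of its outbound queries (the behaviour the 2008 DNS patches introduced).
Added example, not from the original post; samples are constructed."""
from collections import Counter

# Constructed samples: source ports an authoritative server might log for
# successive queries arriving from one resolver.
UNPATCHED_SAMPLE = [32768] * 12                      # one fixed port, no entropy
SEQUENTIAL_SAMPLE = list(range(32768, 32780))        # incrementing allocation
PATCHED_SAMPLE = [51934, 8123, 60211, 3377, 44910, 19844,
                  58002, 27159, 6041, 49377, 35620, 11998]


def port_randomization(ports, min_samples=10):
    """Classify a list of observed source ports as 'fixed', 'sequential',
    'random', 'weak' or 'insufficient'. A fixed port or a tiny spread
    suggests the resolver has not been patched."""
    if len(ports) < min_samples:
        return "insufficient"
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"
    # Sequential allocation: every step between consecutive samples is a
    # small positive increment.
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if all(0 < s <= 4 for s in steps):
        return "sequential"
    # Random allocation (assumed thresholds): nearly every sample distinct and
    # the values spread across a wide slice of the port range.
    if distinct >= 0.9 * len(ports) and max(ports) - min(ports) > 10000:
        return "random"
    return "weak"


def most_common_port(ports):
    """Return the port seen most often and its count, for the audit report."""
    return Counter(ports).most_common(1)[0]


if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("patched", PATCHED_SAMPLE)):
        print(name, port_randomization(sample), most_common_port(sample))
```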

Black Hat: DNS Flaw Much Worse Than Previously Reported


Another missing file

Jul 13

According to Christopher Gormley, chief operating officer at Tiversa Inc., a Cranberry Township, Pasadena-based P2P network monitoring firm: On average, about 1.5 billion searches take place on P2P (peer to peer) networks daily compared with 180 million on Google, and that a growing number of the searches are being done for malicious purposes. Gormley also said that Tiversa also has noticed the emergence of several data aggregators whose sole purpose seems to be collecting information on P2P networks for their own illegal uses or to resell to other miscreants.

1.5 billion compared to 180 million is almost 10 times as many searches. And given they are being done on P2P networks, this means that these searches are uncovering the files stored on individual computers connected to the Internet, computers which vary from individuals at home right through to computers in the heart of large corporations. And direct access to information on these computers could reveal a lot more than the person intended: P2P software often allows access to many of the folders on the computer on which it is installed by default rather than by permission. This means that the person who installed the P2P software often unwittingly exposes all the data on their computer to the rest of the world, and this can include password files, personal information, private lists and much more.

Numerous organisations have suffered data leaks as a result of such carelessness. Last year, for instance, the personal data of about 17,000 Pfizer employees was exposed after an employee installed unauthorized P2P software on her laptop. And at a US Senate hearing last year, lawmakers heard testimony from several witnesses about the abundance of classified government and military documents as well as corporate data freely available on P2P networks.

The data said to be available included a full diagram of the Pentagon’s secret backbone network infrastructure, complete with IP addresses and password-change scripts; contractor data on radio-frequency manipulation techniques for dealing with improvised explosive devices in Iraq; the complete minutes of a board meeting held at a large financial services company; and the detailed launch plan of a start-up company, complete with growth targets and other business forecasts.

Naturally, the immediate reaction is to not allow P2P software and so remove the risk of this happening. But people are creative and find ways around the rules which means P2P software will creep in and the risk resurface. And while the main threat comes from public P2P software (e.g. Limewire, Kazaa), P2P technology is also being used as a business enabler in many organisations.

So, the big question is how do we mitigate against confidential data loss? One thought is to focus attention on network monitoring to see which files are being sent in and out of corporate networks. However, I am not sure how this benefits us as it doesn’t directly prevent illegal transmission versus legal transmission - it simply gives us an audit trail we can dissect when the proverbial excrement hits the fan.

However, there may be a more straightforward solution … most connected systems use specific port numbers over which they transmit data. A corporate network should have a known port topology, i.e. we should be able to define exactly which ports are needed for communication with the outside world, and in which direction that communication should flow. So, for example, if we needed port 6346 to be open (which is LimeWire’s default communication port), we could easily define which direction traffic was allowed. We could block outbound traffic with a simple rule in the firewall and so stop all outbound traffic on that port dead in its tracks. We could work through all the ports (OK, there are a lot) and define a full firewall map and so manage corporate network traffic exactly as we needed to. The remaining ports could be monitored if required, but this would be a more manageable task.

Quick reference lists of common port numbers abound, and so a network administrator would be able to quickly present a route-map to securing their corporate network and earn a few brownie points from their CIO. Of course, implementing or even suggesting such a plan of action might be met with blank stares, because few people are fully aware of the risk to their sensitive data from uncontrolled P2P applications.
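The port-and-direction map described above can be written down as a policy and checked against connection records, which is also how the “monitor the remaining ports” step becomes manageable. This is an added example, not code from the post; the policy entries other than port 6346 and the connection records are constructed.

```python
"""Audit connection records against a per-port direction policy: name the
ports the business needs, the direction each may be used in, and flag
everything else. Added example, not from the original post."""
from dataclasses import dataclass

# Policy: port -> permitted directions. A port absent from the map is denied.
# 6346 is LimeWire's default port (from the post); the other entries are an
# assumed example policy for a small office.
POLICY = {
    443: {"outbound"},      # staff web browsing
    25: {"outbound"},       # outgoing mail to the relay
    22: {"inbound"},        # admin SSH from outside (assumed)
    6346: set(),            # P2P: listed explicitly, denied in both directions
}


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    direction: str  # "inbound" or "outbound" relative to the corporate network


def violations(conns, policy=POLICY):
    """Return (connection, reason) pairs the policy does not permit."""
    out = []
    for c in conns:
        if c.direction not in policy.get(c.dport, set()):
            reason = ("direction not permitted" if c.dport in policy
                      else "port not in policy")
            out.append((c, reason))
    return out


def parse_line(line):
    """Parse a constructed 'src dst dport direction' record."""
    src, dst, dport, direction = line.split()
    return Conn(src, dst, int(dport), direction)


# Constructed sample log: one host talking outbound on the LimeWire port.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 443 outbound
10.0.0.7 198.51.100.22 6346 outbound
198.51.100.9 10.0.0.2 22 inbound
10.0.0.9 203.0.113.44 8080 outbound
"""


def audit(log_text=SAMPLE_LOG):
    return violations(parse_line(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for conn, why in audit():
        print(f"{conn.src} -> {conn.dst}:{conn.dport} {conn.direction}: {why}")
```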

IRC Beginners Reference
List of Common TCP/IP numbers (PDF)

Let’s hope this article helps IT departments get a head start on securing their networks, or at least raising awareness of the issue to the execs.

Article inspired by: File-sharing breach at investment firm highlights dangers of P2P networks — again


The [Mac] dambusters are out!

Jun 26

It’s been a while since I last wrote on systems security, but the latest revelation of a couple of “mainstream” trojans to affect Mac OS X suggests a new wave in Internet security threats.

The most notable is a security hole in the latest versions of Tiger and Leopard that allows attackers to install malware on a Mac without first requiring a user to enter an administrator’s password. A flaw in OS X makes it possible to circumvent the safety measure by funneling AppleScript commands through the Apple Remote Desktop Agent (ARDAgent). Because the commands run as the root user, they have almost unfettered access to sensitive parts of a machine.

Interestingly, the exploit was written modularly, so that the code that actually exploits the Mac weakness can be bundled with other malware code. That means the same weakness could be targeted over and over by a variety of other Trojans.

Full story: Trojan heralds OS X’s ‘new phase of exposure to malware’

The last bit, about the code being modular and thus more portable to other applications, implies there is a growing trend to target the once “safe” bastion of the Apple Macintosh. There are a lot of them in use now, and many owners see them as safe alternatives to the Windows PC. So, is now the time to get on board the Mac security train?

The bottom line?

Nothing is totally secure, but you can add differing layers of security to provide your desired level of protection.


MSN Messenger Spam Service

Apr 10

I have had a couple of emails and MSN messages in the last couple of days from people I know. These messages are invitations to sign up to a service that allows you to see who has blocked you from their MSN Messenger contacts list.

This sounds like an interesting service: a kind of “who doesn’t like me any more” service feeding off our online social insecurities, made all the more visible by the huge growth of online social networking on sites like Facebook, Bebo, etc.

However, in the terms and conditions of these services there is a clause which allows the service to contact anybody on your contacts list with promotional messages. Given that these people did not opt in to receive such promotional messages, this clause is clearly in violation of online privacy rights and is a clever attempt to steal the email addresses of a large proportion of registered MSN Messenger users for spamming.

If you get invited to use a service such as blokr or anything to do with blocked MSN Messenger users, AVOID IT! If you have friends who have already signed up, be prepared to receive a torrent of spam and MSN Messenger messages (which you should also AVOID!). Given that the sign-up sites seem to be “here today, gone tomorrow”, this should be a clear sign that they are not to be trusted.


Brilliant Thinking is powered by WordPress and FREEmium Theme.
developed by Dariusz Siedlecki and brought to you by FreebiesDock.com