Tag Archive for Web 2.0

How-secure-is-my-password Tells You

The former DownloadSquad points out howsecureismypassword.net. How secure is my password is basically like a full-screen version of one of those password-strength meters websites sometimes use. But instead of showing you a bar going from “weak” to “strong”, it shows you an estimation of how long your password would take to crack. That’s a much more visceral way to understand why your password is strong.

How secure is my password

rb-

How secure is my password helps make password best practices meaningful.

For example, when I entered “Detroit”, it came back with “your password is one of the 1090 most common passwords. It could be cracked almost instantly.  “D3troit!” would take 57 days, and “!D3tro1tM!” would take 928 years to crack.

Password best practices include using:

8 or more characters , that is not a dictionary word, which includes capital letters, digits, and a symbol or two.

 

Staff End Runs Security

Social networkingWhen I in my remote Bach Seat, contemplating sharing tech services, I am constantly facing the consumerization of IT. The iPads have made an official beachhead and Skype has made it inside the perimeter. So I should not feel alone according to recent reports from Trend Micro and Cisco (CSCO).

Facebook Help Net Security reports that despite more workplaces regulating social networking site access, employees bypass security roadblocks to engage in social networking. The research by Trend Micro says that employees are finding ways around security roadblocks, making social networking a way of office-life around the world. Trend Micro’s 2010 corporate end-user survey, found that globally, social networking at the workplace steadily rose from 19 percent in 2008 to 24 percent in 2010.

The survey also found that laptop users are much more likely than desktop users to visit social networking sites. Globally, social networking usage via laptops went up by 8 percent from 2008 to 2010. In the U.S., it increased by 10 percent In 2010, 29 percent of laptop users versus 18 percent of desktop users surveyed said they frequented these sites at work.

MalwareThe survey also found that laptop users who can connect to the Internet outside of company network are more likely to share confidential information via instant messenger, Web mail and social media applications than those who are always connected to a company’s network.

A 2010 Cisco survey, which looked at the security impact of personal gadgets and social networking in the workplace, found that employees are consistently (Cisco’s words) finding ways around security policies. 68 percent of those surveyed by Cisco said that employees use unsupported social networking applications.  Heavy use of unsupported collaboration, P2P and cloud applications were also reported. More than half said social networking is one of their organization’s three greatest security risks. More than a third reported that their company lost data or experienced a breach because of employees using unsupported devices.

rb-

So why is Facebook such a problem for enterprises? For one, it is a huge time waster.  Datacenter Knowledge reports that Facebook users spend a total of more than 16 billion minutes on social networking site Facebook per day. Facebook VP of Technical Operations Jonathan Heiliger stated that 3 billion photos are uploaded to Facebook each month and users view more than 1 million photos every second during a presentation at the Velocity 2010 conference

The more popular the social network, the more effective social networks become as malware distribution platforms. KOOBFACE, the “largest Web 2.0 botnet,” controls and commands compromised machines globally. This demonstrates the scale of the threat, and emphasizes the need to educate users and implement strong policies.

Trend Micro says that trying to just prevent users accessing social networks from work could potentially increase the risk to an organization as users look for ways around computer security possibly increasing the chance of exposure to security threats. The lesson, in Cisco’s view, is that you better find the technologies–and resources–to support personal devices and applications because they will be used regardless. “The best strategic approach is to focus less on restricting usage and more on effective solutions to ensure highly secure, responsible use,” said Fred Kost, Cisco’s director of security solutions.

Call me old-school but  it seems that employees have always learned to work within reasonable company boundaries. Another option for those organizations that need web 2.0 in the organization should tale a look at Palo Alto Networks who have developed a firewall that can block the wasteful parts of social media and leave some parts of the web 2.0 app accessible.

Consumer technologies evolve faster than the IT department budget, and it could be a constant game of catch-up trying to accommodate the latest rogue gadgets and widgets. Ultimately, rogue IT use is not so much a failure of technology, but a failure of policy and policy enforcement.

Jay Leno Most Dangerous Celebrity in Cyberspace

MalwareThere are many late nights when I sit in the Bach Seat after a long day of coordinating shared technical services and need some silliness. Jay Leno was my late-night source of silliness until BitDefender told me he is the Most Dangerous Celebrity in Cyberspace.

Jay LenoAccording to an analysis of 25 million spam messages by the Bucharest, Romania based anti-malware firm, comedian and TV host Jay Leno is the most dangerous Hollywood celebrity in cyberspace. BitDefender found Mr. Leno mentioned in the subject line of 38,000 spam messages most of which focused around medicine and the purchasing of pills but come with enticing subjects such as ‘Jay Leno found taking drugs.’

“Cyber criminals follow the latest trends just as consumers do and they use these and the names of popular celebrities in their campaigns in order to lure people to websites that are full of malicious software (malware),” said Catalin Cosoi, Head of the BitDefender Online Threats Lab.

AfBitDefenderter Mr. Leno, the article at InfosSec Island says that cyber criminals next most often used Madonna and Cameron Diaz to spread spam. (I noted Cameron Diaz’s reign as the McAfee “Most Dangerous Celebrity on the Web” here). The rest of the top 10 personalities used by spammers include:

Other notables on the list are:

Notable for their absence from the list are:

rb-

The use of celebrities to promote malware and spam is deeply rooted in social networking and Web 2.0. In 2009, Barracuda Networks identified a ‘Twitter crimewave’ on Twitter after popular celebrities joined the service to tweet to fans. Criminals followed the celebrities to the new service sensing a new population of easy-to-fool users, using a range of techniques including impersonation and simple link spamming to draw people to malware-infested websites. Facebook still has a major problem with celebrity abuse.

This may seem trivial because most firms have set up gateways to filter these spam-mails from hapless users in boxes. However, there are enough users that ignore the warnings and open spam-mails to make spamming on a vast scale worthwhile to the spammers.

What do you think?

Who is your favorite late nigt host?

View Results

Loading ... Loading ...

YouTube Founders Acquire Delicious from Yahoo!

Social NetworkingIn one of the most search engine friendly articles, ITnewsLink reports that on April 27th, YouTube founders Chad Hurley and Steve Chen announced they have acquired the Delicious technology from Yahoo! (YHOO). They plan to continue the service that users have come to know and love and make the site even easier and more fun to save, share and discover the web’s “tastiest” content.

deDeliciousProviding a seamless transition for users is incredibly important. Yahoo! will continue to manage Delicious over the next couple months as users are able to sign up for new accounts. After the transition period is complete, users’ information will be moved over to the new service.

“As we have said, part of our product strategy involves shifting our investment with off-strategy products to put better focus on our core strengths and fund new innovation, says staff on Yahoo! blog. We believe this is the right move for the service, our users and our shareholders. Chad Hurley and Steve Chen are building an exciting new company and we look forward to watching the Delicious service continue to develop!”

The Value of Stolen Credentials

The Value of Stolen CredentialsThe evolution of Web 2.0 services and the parallel world of cybercrime is driving up the price that criminals charge each other for user credentials. The price of a file of user credentials, aka  a `dump’ in hacking circles, depends on the Internet service(s) where they can be used, Amichai Shulman, CTO of Imperva told Help Net Security.

imperva “Just five years ago, the illegal trade in credit card details was a rising problem for the financial services industry, as well as their customers, with platinum and corporate cards being highly prized by the fraudsters,” he said. “Today, however, there are reports of Twitter credentials changing hands for up to $1,000 owing to the revenue generation that is possible from a Web 2.0 services account. This confirms our observations that credentials can fetch a high sum according to both the popularity of the application, and the `popularity’ of the account in question,” the Imperva CTO told Net Security.

This is illustrated by the `going rate’ of $1.50 for a Hotmail account, and $80.00-plus for a Gmail account. As a service, Hotmail has fallen out of favor, while Gmail’s all-round flexibility means it is central service for business users, Mr. Shulman said. This means that Gmail credentials can also give access to a range of Google cloud services, including Google Docs and Adword accounts. Mr, Shulman explained that Google Docs can contain valuable additional information on the legitimate owner, while an Adwords account can allow criminals to manipulate existing and trusted search engine results.

GrmailAnd it’s a similar story with Twitter accounts, but with the added dimension of the immediacy of a social networking connection, said Mr. Shulman.  “Twitter accounts are valuable to criminals that they will use almost any technique to harvest user credentials, including targeted phishing attacks. Once a fraudster gains access to a Twitter account, they can misuse it in a variety of ways to further their fraudulent activities,” he said. What’s happening is that users are re-using passwords that they’ve used on other sites, and some of those other sites turn out to have not been secure.

That’s the thing; as soon as any of the sites you log in to gets compromised, the email address or username and password associated with it can be tried by the bad guy on various other services. Since most people re-use passwords, there’s a high likelihood that they will gain access to your account. From there, who knows what kind of damage they might cause. If you’re lucky, you’ll notice something’s amiss.  Twitter advised that people are continuing to use the same email address and password (or a variant) on multiple sites.  We strongly suggest that you use different passwords for each service you sign up for.

In a related arTwitterticle, Trusteer reports that most of online banking customers reuse their login credentials to use non-financial and much less secure websites. Trusteer found that 73 percent of bank customers use their online account password to get access to other websites, and that 47 percent use both their online banking user ID and password to login elsewhere on the Internet.

Cybercriminals are exploiting the widespread reuse of online banking credentials. These criminals have devised various methods to harvest login credentials from less secure sources, such as webmail and social network websites. Once acquired, these usernames and passwords are tested on financial services sites to commit fraud.

TrusteerThe report’s key findings include:

  • 73% of users share the passwords which they use for online banking, with at least one nonfinancial website
  • 47% of users share both their user ID and password with at least one nonfinancial website
  • When a bank allows users to choose their own user ID, 65% of users share this ID with nonfinancial websites
  • When a bank chooses the user ID for its customers, 42% use the bank issued user ID with at least one other website.

“Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users repurpose their financial service usernames and passwords,” said Amit Klein, CTO of Trusteer and head of the company’s research organization. “Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites.”

“If this isn’t a wake-up call to anyone with multiple IDs that use the same password, I don’t know what is. Internet users – especially those with business accounts – need to use different passwords for different services, or they could face the disastrous consequences of taking a slack approach to their credentials,” Shulman told Help Net Security.