Tag Archive for Facebook

| June 19, 2012
Comments Off on Attackers Attack Emerging Technologies

Attackers Attack Emerging Technologies

Help Net Security reports that attackers continue to focus on social engineering attacks and circumventing legacy enterprise security systems according to a recent report by Zscaler. The Sunnyvale, CA-based firm reported shifts in the sources of enterprise web traffic, and that some popular sites attempt to improve user security. Here are some of the top findings detailed in the report:

  • Local apps are generating more direct HTTP and HTTPS traffic
  • Not all web traffic comes from browsers, and as this traffic shifts, web threats have a new attack vector
  • Internet Explorer 6 is on the decline in the enterprise. While this mitigates the security risks of the old browser platform, it could lead to a shift in attacks.
  • Google (GOOG) is actively attempting to thwart search engine optimization (SEO) spam and fake AV attacks, the topmost Internet threats today. However, most users remain exposed to these threats.
  • More sites, like Facebook (FB) and Gmail, are moving to HTTPS delivery. This is good for preventing sidejacking, but it allows savvy attackers a way to bypass traditional network-based security controls like IDS/IPS, which cannot decrypt traffic for inspection.

Internet of Things“Attackers know the limits of traditional security solutions,” says Michael Sutton, VP of Security Research at Zscaler. “But they are also very good at taking advantage of emerging technologies and new vectors for attack. Standalone user applications, social engineering attacks, and the move to HTTPS all have the potential to introduce new threats. Now more than ever, enterprise security solutions must inspect traffic in real-time, all the time, regardless of source, to provide true protection.”

RB-

I have covered IOT for a while here and here. I wrote about the big sites moving to HTTPS a while ago here and even wrote about HTTPS Everywhere here. And I am sure I don’t cost as much as an engagement with these firms.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
| June 12, 2012
Comments Off on Security Considerations for IPv6

Security Considerations for IPv6

Security Considerations for IPv6For those who missed the Internet Society (ISOC) announcement that World IPv6 Launch day arrived on June 6. (I blogged about World IPv6 day, back in March) Carl Herberger, VP of Security at Radware (RDWR) recently wrote at Help Net Security that he sees World IPv6 Launch day as much more hype than an operational change.

Internet Society logoMany high-profile organizations have hooked their plans on change over to the ISOC launch date. Supporters include Google (GOOG), Facebook (FB), Microsoft (MSFT) Bing, Yahoo (YHOO), and Akamai (AKAM).  Mr. Herberger points out that many companies have already leveraged IPv6 WAN connectivity. Most mobile providers who have adopted LTE 4G infrastructures have built them for mobile devices, Mobile devices will connect to the Internet with IPv6 addresses by default. He argues that since a 4G phone must also be 3G and IPv4 compatible, the 5G providers have not done much. The service providers have woven IPv6 into the existing IPv4 Internet much to the chagrin of the initial IPv6 designers.

IPv6 Pandora’s Box

Bottom line: Because IPv4 is not going away any time soon, we will essentially live in perpetuity with both designs. A new dawn? Or the beginning of the end? The Radware VP thinks it’s neither, he calls the interoperability issues between IPv4 and IPv6, a Pandora’s Box of opportunity for those of the nefarious persuasion.

So, what are the three main takeaways from World IPv6 Launch day?

Take away #1

Dog and catIPv6 will first be implemented on the WAN, IPv4 will continue to stay in the LAN for years to come – Google, Facebook, DNS, CDN providers, and many, if not most ISP’s are all moving to default IPv6 WAN connectivity. However, nearly no one has made the transition to IPv6 on the LAN. Mr. Herberger adds that rapid IPv6 deployment on the Internet WAN operations side and the very slow rollout of IPv6 on the LAN side will wreak havoc on perimeter security. He believes that there are huge problems associated with IPv4 and IPv6 cohabitating.

Take away #2

IPv6 & IPv4 don’t cohabitate well – IPv6 and IPv4 make insecure bedfellows. There are no predefined standards in the way to handle the cohabitation of IPv4 with IPv6.  The transition mechanisms to ease the transitioning of the Internet from its first IPv4 infrastructure to IPv6 have not been standardized yet. The Internet Engineering Task Force (IETF) has working groups and discussions through the IETF Internet-Drafts and Requests for Comments processes to develop these methods. Some basic IPv6 transition mechanisms have been defined; however, nothing has yet emerged as a proposed uniform standard. As such, the article states, the world is awash with a plethora of IPv4 to IPv6 (and vice versa) Transition Mechanisms such as:

  • Encapsulating IPv4 in IPv6 (or 4in6)
  • Encapsulating IPv6 in IPv4 (or 6in4)IPv6 tunnel
  • IPv6 over IPv4 (6over4)
  • DS-Lite
  • 6rd
  • 6to4
  • ISATAP
  • NAT64 / DNS64
  • Teredo
  • SIIT.

If you are familiar with network perimeter security devices, one of the things they do well is deep packet inspection and Stateful aware analysis. However, one of the dirty little secrets is that nearly none of today’s technologies have the capability to inspect encrypted traffic such as SSL  or the ability to inspect tunneling protocols such as L2TP, PPTP, etc. What IPv4 and IPv6 transition does is effectively exacerbate these “Achilles heels” in security detection capabilities by introducing a whole new class of nearly undetectable transmissions. The author warns Don’t be fooled by a vendor’s claim that they inspect a v4 packet in v6 or vice versa, because even if true for one or two methodologies, the ways to carry out this task are almost immeasurable today. This is really a true community-wide problem and one that must be addressed.

Take away #3

ConfusedMeet your old vulnerability – Same as the new vulnerability! Much of our defense is single-threaded, and should an adversary be able to pass through your perimeter defenses, many of the ‘older’ vulnerabilities would find a receptive home having passed through the ‘corporate scrubbers.’Moreover, just think of the new opportunities available to more nefarious organizations that don’t have your interests in mind. This ‘transition mechanism’ essentially becomes an effective ‘unscrubbed’ gateway or tunnel for all newly developed organized crime-designed, state-sponsored, and Hacktivist-motivated attacks.

Moreover, most of us will be largely blind to these realities unless we are acting now to make certain that our gateways are designed with all encapsulated traffic being detected and mitigated. Anomaly detection takes center stage here and signature tools will leave you wanting.

The Radware VP concludes that this problem requires action on behalf of security professionals to solve; you HAVE to do something different because the inertia path will leave you vulnerable.

Related articles

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| June 6, 2012
Comments Off on Bad Day at LinkedIn

Bad Day at LinkedIn

Bad Day at LinkedInIt’s been a bad day for LinkedIn (LNKD). LinkedIn users have been the victim of two security and privacy blunders on the same day. First, the LinkedIn mobile app for iOS devices is sending potentially confidential private and business information to the company servers without the users’ knowledge.

LinkedIn logoHelp Net Security reports that security researchers Yair Amit and Adi Sharabani at Skycure Security identified the security hole. According to the researchers, the security flaw involves calendar syncing which collects data from all the calendars (private and corporate) on the iOS device.

“The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes,” the researchers point out in the article. “…this information is collected and transmitted to LinkedIn’s servers; moreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple’s privacy guidelines.”

The first response from LinkedIn‘s spokeswoman Nicole Perlroth appears to minimize the issue and blame the users for the privacy breach when she told Help Net Security that the feature is opt-in, and said nothing about whether the company will update the app that would stop this privacy snafu from happening in the future. (Looks like LinkedIn updated the App and broke it according to reviews in the Apple AppStore) This was reinforced by Joff Redfern, Mobile Product Head at LinkedIn on the LinkedIn blog where he also pointed out the information harvesting app is an opt-in feature. He claims that the information collected is not stored or shared. LinkedIn did change the LinkedIn app for Google (GOOG) Android so it no longer sends data from Droids to LinkedIn. There was no information in the article if LinkedIn plans to change the Apple iOS app.

But wait it gets worse…

LinkedIn also lost 6.5 million accounts today. They were however found on a Russian forum. LinkedIn has confirmed on their blog that there are “compromised accounts.” Cameron Camp, Security Researcher at ESET, commented on the leak for Help Net Security:

“The difference with this hack … is that people put their REAL information about themselves professionally on the site not just what party they plan on attending, ala Facebook and others …  mess with somebody’s professional profile, and you’re messing with their life, and their contacts know about it.”

rb-

I wrote about the value of different credentials here and here.

I am wondering about the timing of the two security problems for LinkedIn. Could they be related? Were attackers using the Apple iOS app as an attack vector? After all, we know that Apple loves to collect personal info on its customers.

Mitt Romney

What happened here?

Action Items:

  • Toggle off the “Add Your Calendar” option in the Sync Calendar feature of the LinkedIn app on your Apple iOS devices
  • Immediately change your LinkedIn password and any accounts that share the same password.
  • Be on the lookout for phishing campaigns that might leverage the incident.
Related articles

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| May 15, 2012
Comments Off on Internet of Things

Internet of Things

Internet of ThingsThe Internet of Things is a world where everything can be both analog and digitally approached. It reformulates our relationship with objects – things- as well as the objects themselves.  Any object that carries an RFID tag relates not only to you but also through being read by an RFID reader nearby, to other objects, relations or values in a database. In this world, you are no longer alone, anywhere.

The Machines Are Talking a Lot

The Machines Are Talking a LotCisco’s Visual Networking Index Global Mobile Data Traffic Forecast Update, 2011-2016 reports that Internet traffic continues to grow at unprecedented rates. Cisco says that the second leading source of internet traffic will be the Internet of Things devices.

The networking giant says the source will be from machine-to-machine communications, or “M2M.” Brian Bergstein at MIT‘s Technology Review says to think of sensors in cars and in appliances, surveillance cameras, smart electric meters, and devices still to come, monitoring the world and reporting to each other and to centralized computers what they’re detecting. The chart below, reprinted from the Cisco report, shows just how extreme the jump in machine-to-machine communications could be. Cisco says M2M will grow, on average, 86 percent a year, reaching 508 petabytes a month, or half a billion gigabytes by 2016.

Related articles

New ARM chip for Internet of Things

ARM logoARM (ARMH), the semiconductor company whose chip technology powers most modern smartphones, has come up with a chip for the Internet of things (IoT). Om Malik at GigaOM reports that the Cortex-M0+ is an energy-efficient chip, optimized for use in everything from connected lighting to power controls to other home appliances. In a press release, the company explains:

The 32-bit Cortex-M0+ processor … consumes just 9µA/MHz … around one-third of the energy of any 8 or 16-bit processor available today, while delivering much higher performance …[to] enable the creation of smart, low-power microcontrollers to provide … wirelessly connected devices, a concept known as the ‘Internet of Things.’

At GigaOM’s Mobilize 2011 event ThingM CEO Mike Kuniavsky said that “ubiquitous network connectivity, cloud-based services, cheap assembly of electronics, social design, open collaboration tools, and low-volume sales channels create an innovation ecosystem that is the foundation for an Internet of things.”

GigaOM says Freescale and NXP (NXPI), both are major suppliers to the automotive and home automation industries have signed up for the new ARM Internet of Things chip technology. Freescale and NXP have locations in the Farmington Hills, MI area.

Related articles

A new chip for the Internet of Things

Atheros logoOm Malik at GigaOm recently noted that Atheros, a division of Qualcomm (QCOM) launched a new very low power consuming Wi-Fi chip. The AR4100P, is focused on the “Internet of Things.” He predicts that soon, there might be Wi-Fi in everything around us, including Samsung’s (005930) Wi-Fi-enabled washing machines, which Malik wrote about earlier.

According to the blog, the new “highly integrated 802.11n single-stream Wi-Fi system-in-package with integrated dual IPv4 IPv6 networking stack” is focused on smart home and building controls and appliances. Atheros and other chip companies such as ARM are betting that the Internet of Things will prove to be a new giant market opportunity.

rb-

The new Atheros chip also includes an IPv6 stack as well as 802.11n to give end-to-end control of your home appliances.

Related articles
  • Marvell chip makes appliances and LED lights ‘smart’ (ces.cnet.com)

The Web Connected Smelly Robot

olly logoThe Internet of Things now has smell-o-vision from Olly. Olly takes services on the Internet and delivers their pings as smell according to his website. Whether it’s a tweet or a like on Instagram, Olly will be sure to let your nose know about it. Mint Foundry, a graduate design lab at Mint Digital dedicated to exploring the potential of web-connected objects developed Olly.

It is possible to change Olly’s smells in an instant. It has a removable section in the back which can be filled with any smell you like. It could be essential oils, a slice of fruit, your partner’s perfume, or even a drop of gin.

Olly is stackable, so if you have more than one, you can assign each one to a different service with a different smell. Connect one to Twitter and another to your calendar. Before you know it, you’ll have a networked Internet smell center claims the website.

Olly is not yet in production, but Mint is glad to offer the source files to anyone who’s got a 3D printer and a nose for adventure.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,
| March 29, 2012
Comments Off on Social Media Biggest Risk in 2012

Social Media Biggest Risk in 2012

Social Media Biggest Risk in 2012The Security Labs over at Websense (WBSN) a provider of Web, data, and email content security have used the Websense ThreatSeeker Network (PDF) which provides real-time reputation analysis, behavioral analysis, and real data identification to announce (PDF) their picks for the top IT security threats for 2012. Social media is the #1 risk in 2012,.

1. Websense says that stealing, buying, trading credit card, and social security numbers is old news. They say that your social media identity may prove more valuable to cybercriminals than your credit cards.

LinkedIn connections for saleToday, your social identity may have greater value to the bad guys because Facebook (FB) has more than 800 million active users. More than half of FB users log on daily and they have an average of 130 friends. Trust is the basis of social networking, so if a bad guy compromises social media logins, the security firm says there is a good chance they can manipulate your friends. (Stacy Cowley at CNN Money has an excellent article on how this can work with LinkedIn (LNKD). Which leads to their second prediction.

2. According to Websense most 2012 advanced attacks’ primary attack vector will blend social media “friends,” mobile devices, and the cloud. In the past, advanced persistent threats (APTs) blended email and web attacks together. In 2012, the researchers believe advanced attacks could use emerging technologies like: social media, cloud platforms, and mobile. They warn that blended attacks will be the primary vector in most persistent and advanced attacks of 2012.

iPad malware3. The San Diego CA-based firm says to expect increases in exposed vulnerabilities for mobile devices in 2012. They predict more than 1,000 different variants of exploits, malicious applications, and botnets will attack smartphones or tablets. Websense security investigators predict that a new variant of malware for mobile devices will appear every day.

The Internet security firm stresses that application creators need to protectively sandbox their apps. Without sandbox technology malware will be able to get access to banking and social credentials as well as other data on the mobile device. This includes work documents and any cloud applications on that handy device. The firm believes that social engineering designed to specifically lure mobile users to infected apps and websites will increase. Websense predicts the number of mobile device users that will fall victim to social engineering scams will explode when attackers start to use mobile location-based services to design hyper-specific geolocation social engineering attempts.

SSL/TLS blindspot4. SSL/TLS will put net traffic into a corporate IT blind spot. Two items are increasing traffic over SSL/TLS secure tunnels for privacy and protection. First, the disruptive growth of mobile and tablet devices is moving packaged software to the cloud and distributing data to new locations.

Second, many of the largest, most commonly used websites, like Google (GOOG) Search, Facebook, and Twitter have switched their sites to default to HTTPS sessions. This may seem like a positive since it encrypts the communications between the computer and destination. But as more traffic moves through encrypted tunnels, Websense correctly says that many traditional enterprise security defenses (like firewalls, IDS/IDP, network AV, and passive monitoring) will be left looking for a threat needle in a haystack, since they cannot inspect the encoded traffic. These blind spots offer a big doorway for cybercriminals to walk through. (We have started to battle this as we move from a POC system from McAfee another vendor to a modem content filter to be nameless but was just bought and we haven’t solved it yet, the NoSSLSearch for GOOG still needs some work)

Network security5. For years, security defenses have focused on keeping cybercrime and malware out (Also called M&M security, hard on the outside, soft and chewy on the inside). The Websense Security Lab team says that there’s been much less attention on watching outbound traffic for data theft and evasive command and control communications. The researchers say hacking and malware are related to most data theft; they estimate that more than 50 percent of data loss incidents happen over the web. This is aggravated by delayed DLP deployments as vendors use traditional overly excessive processes like data discovery (designed to over-sell professional services?).

In 2012, organizations will have to stop data theft at corporate gateways that detect custom encryption, geolocations for web destinations, and command and control communications.  The security firm predicts organizations on the leading edge will add outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.

Black-Hat-SEO_full6. The London Olympics, U.S. presidential elections and Mayan calendar apocalyptic predictions will lead to broad attacks by criminals. SEO poisoning has become an everyday occurrence. The Websense Security Labs still sees highly popular search terms deliver a quarter of the first page of results as poisoned.

The researchers expect that as the search engines have become savvier on removing poisoned results, criminals will port the same techniques to new platforms in 2012. They will continue to take advantage of today’s 24-hour, up-to-the-minute news cycle, only now they will infect users where they are less suspicious: Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations. Websense recommends extreme caution with searches, wall posts, forum discussions, and tweets dealing with the topics listed above, as well as any celebrity death or other surprising news from the U.S. presidential campaign.

Scareware7. Scareware tactics and the use of rogue anti-virus, will stage a comeback. With easy to acquire malicious tool kits, designed to cause massive exploitation and compromise of websites, rogue application crimeware will reemerge Websense says. Except, instead of seeing “You have been infected” pages, they expect three areas will emerge as growing scareware subcategories in 2012: a growth in fake registry clean-up, fake speed improvement software, and fake back-up software mimicking popular personal cloud backup systems. Also, expect that the use of polymorphic code and IP lookup will continue to be built into each of these tactics to bypass blacklisting and hashing detection by security vendors. (Rival IT Security firm GFI Software proves Websense’s point by reporting a “new wave of fake antivirus applications (or rogue AV)” since the start of the year and are “a popular tactic among cybercriminals.”)

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »