Tag Archive for Social

| June 2, 2011
Comments Off on LinkedIn Accounts can be Hijacked

LinkedIn Accounts can be Hijacked

Help Net Security has a report that users of the newly minted public LinkedIn (LNKD) are in danger of having their account hijacked. The Linkedin accounts can be hacked when accessing them over insecure Wi-Fi networks or public computers. Independent security researcher Rishi Narang told Help Net Security that the risk is due to two reasons. First, the LinkedIn session and authentication cookies have an unnaturally long lifespan. Secondly, LinkedIn does not remove the cookies once the user logs out.

LinkedInThe article says the cookies in question are JSESSIONID and LEO_AUTH_TOKEN, and are available even after the session initiated by the user has been terminated. The cookies are also set to expire only after one solid year, and this fact allowed the researcher to get access to a number of active accounts of various people from all over the world during a period of many months. “They would have login/logged out many times in these months but their cookie was still valid,” Mr.Narnag writes on his blog.

In addition to all of that, those two cookies and the others that the welcome page stores are transmitted in clear text over HTTP, because they don’t have a secure flag set. “If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic,” explains Mr. Narang.

According to the researcher, until LinkedIn makes some changes, the only way to “expire” the cookies is for the users to change their password and then authenticate themselves with the new credentials. This could be a stopgap measure if you know that someone has stolen those cookies and is accessing your account, but won’t new cookies be created after the password change and authentication?

Help Net Security says that the only solution to this problem is for LinkedIn to effect some changes, and according to Reuters, they are planning to offer “opt-in” SSL support for the entire site in the coming months (and that would encrypt the cookies in questions), but have not commented on the cookies have such a long lifespan.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Social Networking | Tags: , , , , , , , , , , , , , ,
| May 21, 2011
Comments Off on 2/3 K-12 Networks Breached Multiple Times

2/3 K-12 Networks Breached Multiple Times

2 of 3 K-12 Networks Breached Multiple Times a YearPanda Security, a provider of cloud-based security software, recently released a report that says 63 percent of K-12 schools experience malware outbreaks or unauthorized user access at least twice a year.  The report, Kindergarten-12 Education IT Security Report (PDF), had some other interesting infobits.

Personal devices on K-12 networks

The survey reports that eighty-two percent of schools allow students and staff to connect personal computers and laptops to the school network. Panda says schools recognize outside devices introduce external risks, but they struggle to fully integrate security policies for multiple devices. Only 74 percent of districts are monitoring the use of external devices. Fifteen percent fail to take any extra security measures, leaving those school systems more vulnerable to infection.Pamda Laptop chart Most schools have implemented IT security best practices, there is still room for improvement reports Panda. The report says ninety percent of schools install anti-virus and/or anti-malware on computers, but nearly 25 percent fail to use firewalls, block high-risk websites, or employ user authentication. 86% prevented the use of very risky websites; while 89% mandated users install security software on their systems. Further, 15% of respondents acknowledged that there weren’t any extra security measures in their districts if they wanted to use laptops.Panda Best Pratices

Social media threats

Social media is a top concern for schools, but the stringency of school policy varies greatly. Ninety-five percent of schools have a social media policy in place, citing the mitigation of malware-related risks as the main reason for implementation. Twenty-nine percent of schools allow students unlimited access to social media sites, while 32 percent deny students access altogether.

Panda Social MediaSchools lack the funding to be secure. I have always said that schools face attacks from the inside and the outside. Insiders in a K-12 school network range from technically unsavvy to damn good malicious attackers. Despite this, the report says 72% of schools reported that budget limitations were the main obstacle, to better security and 38% reported non-availability of staff, and 29% of the schools, reported their IT staff had to attend to other more important tasks than IT security.  IT administrative staff at 38 percent of schools report removing viruses or malware from IT systems a few times a week, and 21 percent are doing this daily according to Panda.

With malware on the rise and new threats propagated through social media every day, having the right security tools in schools has never been more important. Security issues consume staff time, diverting attention from the business of education. Help Net Security quotes Rick Carlson, president of Panda Security US, who has a great grasp of the obvious, “While the Internet is an invaluable tool for education, it can cause serious interruptions to day-to-day operations if schools fail to properly address security concerns.”

rb-

Just to prove the point, the Oakland Press is reporting that 4 students at Romeo High School in Romeo, Michigan were caught allegedly intercepting 60 staff members’ emails, including the Superintendent after “something goofy” happened to the website. While I have no first-hand knowledge, the news did say the attackers went after people who read their emails on their cellphones. So more than likely it was some kind of Bluesnarfing attack, maybe including a Cain and Able payload to get at passwords.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| April 26, 2007
Comments Off on Three+ Years to Recover From a Data Breach

Three+ Years to Recover From a Data Breach

Over Three Years to Recover a Reputation After Data BreachIn an article on Todays Facilities’ Manager website reports that it takes over three years for a firm to recover from a crisis like a data breach hat damages its reputation, according to the market research firm BursonMarsteller. The firm points out that quickly disclosing the details of a scandal or corporate misstep and making visible progress toward recovery should be the first steps any organization takes to rebuild its reputation.

Not only will it take over three years to recover a corporate reputation, but Forrester is reporting it can take a lot of money. In an April 11, 2007 article at Information Week, Forrester analysts report that the average data breach can cost a company between $90 and $305 per lost record.

Information that firms like TJX Companies and Menu Foods seem to have missed.

(updated 06-17-07)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.
Category: Uncategorized | Tags: , , , , , , ,
  Recent Entries »