Friday, October 30, 2009

How Hackers Find Your Weak Spots

A recent article on ComputerWorld.com took a closer look at how hackers are using information gathered from social networking sites to break into users' personal accounts. This is done in several ways. Hackers "friend" users on sites such as Facebook, Twitter or MySpace and then use personal information gathered from their profiles to guess either their password or the answers to their password security questions. Another common technique is to "friend" a user and then become familiar enough with them to post links on their profiles. When users click on the links, malicious software is automatically downloaded onto their computers and information can then be stolen. Most people don't think twice when accepting friend requests, especially if the requester seems to be their age or even goes to their school. What users of such sites don't realize is just how easy it is to create a false account and then exploit the information gathered from these profiles. All users should be really selective about what information they put out there, and they should know exactly who they allow to see that information.

http://www.computerworld.com/s/article/343900/How_Hackers_Find_Your_Weak_Spots?taxonomyId=82

Thursday, October 29, 2009

For U Blackberry Lovers

According to the U.S. Computer Emergency Readiness Team, there is a warning Blackberry users need to be aware of. A new piece of software could be used by hackers to turn the smartphone into a listening device. The application is called PhoneSnoop. It configures the phone's speakerphone function to let a hacker listen to surrounding conversations remotely. The software uses a Blackberry API to intercept incoming calls. Once the software is downloaded and installed, it is triggered by a simple phone call, which places the device into speakerphone mode.

Sheran Gunasekera, the developer of this application, wrote on his blog that he wanted to shed light on the threats posed by careless use of Blackberry smartphones. Gunasekera said "the application can be easily detected and is visible in the Blackberry user interface." According to US-CERT, "This software allows an attacker to call a user's BlackBerry and listen to personal conversations. In order to install and setup the PhoneSnoop application, attackers must have physical access to the user's device or convince a user to install PhoneSnoop."

Doesn't seem to be a major threat unless you are careless enough to download it or allow someone else to. I thought this was crazy when I first heard it. That would be horrible if people could just listen to what you were saying. If someone has this program all they have to do is simply delete it. The problem seems to be that a lot of people aren't aware of this application. Awareness seems to be the key to not having this as a problem.

Source: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1372852,00.html

Firewall Slides

Here are the slides we used in class this week:

Wednesday, October 28, 2009

Internet phone systems become the fraudster's tool

Cybercriminals recently hacked into multiple telephone systems across the US and used them to call bank customers and trick them into giving up their bank account information. They are attacking smaller regional institutions that have weaker defenses for detecting scams. The cybercriminals used the telephone systems to automatically call customers with a recorded message. This message states that there is a problem with the customer's billing information and that the customer needs to type in their username, password, credit card number, PIN or other sensitive information to fix the problem.

This practice of breaking into phone company systems is 20 years old and was known as phreaking, but now that phone systems are integrated with the internet, scammers have more opportunities to hack. The technology is now known as VoIP (voice over internet protocol), a term used to describe a family of transmission technologies for delivering voice communications over IP networks such as the internet.

The way the hackers got into these VoIP systems is that they simply guessed the system's password thousands of times. Unlike Gmail, which blocks a user after too many failed guesses, VoIP systems are not set up this way. If the VoIP system has a weak password, it doesn't take long for a computer to figure it out. Once the hackers have access they can launch their attack on bank customers. The problem is that it is hard to track these hackers because they use distant VoIP systems that are unrelated to themselves.

Scams like these have been a recurring theme this year. It is easy to see how these attacks could be prevented. At the level of the VoIP systems, stronger passwords, smarter configurations to prevent password guessing attacks, and increased security could easily prevent hacking by cybercriminals. On the side of the victim I have one word: common sense. Who would give their personal information to an automated message? Never give your personal information out, and if you are worried that there is a problem with your billing information, call your bank.
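The control the post says the hacked VoIP systems lacked is a limit on failed guesses. The following is an added example, not code from the article or from any real PBX: a small lockout policy replayed over a constructed registration log (the log format, addresses and extension numbers are all made up for the demo).

```python
"""Failed-login tracking with lockout for a VoIP registration endpoint.

Added example: the "too many guesses" control the post credits to Gmail.
The log format and every address/extension below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a PBX authentication log (hypothetical format).
# 203.0.113.7 hammers extension 201; 192.0.2.10 is a user who mistypes once.
SAMPLE_LOG = """\
2009-10-28 02:14:01 REGISTER ext=201 src=203.0.113.7 result=FAIL
2009-10-28 02:14:02 REGISTER ext=201 src=203.0.113.7 result=FAIL
2009-10-28 02:14:03 REGISTER ext=201 src=203.0.113.7 result=FAIL
2009-10-28 02:14:04 REGISTER ext=201 src=203.0.113.7 result=FAIL
2009-10-28 02:14:05 REGISTER ext=201 src=203.0.113.7 result=FAIL
2009-10-28 02:14:06 REGISTER ext=201 src=203.0.113.7 result=OK
2009-10-28 02:20:00 REGISTER ext=305 src=192.0.2.10 result=FAIL
2009-10-28 02:20:09 REGISTER ext=305 src=192.0.2.10 result=OK
2009-10-28 02:50:00 REGISTER ext=201 src=203.0.113.7 result=FAIL
"""
LINE_RE = re.compile(
    r"^(\S+ \S+) REGISTER ext=(\S+) src=(\S+) result=(OK|FAIL)$")


class LockoutPolicy:
    """Lock a key (source IP or extension) after max_failures failures inside
    `window`; the lock lasts `lockout` and is checked before the password,
    so even a correct guess made during the lock is refused."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=30)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # key -> recent failure times
        self.locked_until = {}               # key -> lock expiry time

    def is_locked(self, key, now):
        return now < self.locked_until.get(key, now)

    def record_failure(self, key, now):
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop stale entries
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            recent.clear()


def replay(log_text, policy=None):
    """Replay a log through the policy. Returns one verdict per parsed line:
    'LOCKED' (refused before authentication), 'FAIL', or 'OK'."""
    policy = policy or LockoutPolicy()
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines that do not parse
        when, ext, src, result = m.groups()
        now = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        # Lock on either the guessing source or the targeted extension.
        if policy.is_locked(src, now) or policy.is_locked(ext, now):
            verdicts.append("LOCKED")
            continue
        if result == "FAIL":
            policy.record_failure(src, now)
            policy.record_failure(ext, now)
        verdicts.append(result)
    return verdicts


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG)):
        print(verdict.ljust(6), line)
```

The sixth line shows the point of the control: the attacker's eventually correct password is refused because the source and extension are already locked, and the ordinary user's single mistake never trips the threshold.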

Tuesday, October 27, 2009

16 Year Old Hacks NASA haha

Jonathan James became the first juvenile to be sent to prison for hacking, at the age of 16. In the terms we have used in this class, James claimed to be a gray hat hacker. In an anonymous PBS interview James was quoted saying, "I was just looking around, playing around. What was fun for me was a challenge to see what I could pull off."

James’s actions were directed towards prestigious and important institutions. One institution affected was ironically the Department of Defense. He installed a backdoor into a Defense Threat Reduction Agency server. The DTRA is an agency of the Department of Defense charged with reducing the threat to the U.S. and its allies from nuclear, biological, chemical, conventional and special weapons. The backdoor he created enabled him to view sensitive emails and capture employee usernames and passwords.

Another important institution the 16 year old compromised was NASA! NASA claimed that the boy stole over 1.7 million dollars worth of software. The Department of Justice claimed that the software stolen directly controlled the Space Station’s physical environment, including control of the temperature and humidity within the living space. NASA had to shut down its computer systems which cost them 41,000 dollars. How could a 16 year old boy hack into what millions of people base their safety upon? His response, "The code itself was crappy . . . certainly not worth $1.7 million like they claimed."

With all of the intrusions compiled against James, he would have served at least ten years as an adult. Due to his age, he was banned from computer use and was forced to serve a six-month sentence under house arrest with probation. The funniest part is that he then served six months in prison for violating his parole. James now claims that he learned his lesson and is in the process of starting a computer security company. Regardless, Jonathan James will always be known as the sixteen year old who hacked NASA!

If someone would have asked me what NASA should do to prevent hackers before I read this article, I would’ve said that their security is way beyond my technical knowledge. Although I’m sure the 16 year old was extremely knowledgeable, this should not have been possible. NASA obviously needs to add more firewalls and more up to date virus software. Most importantly, NASA and DTRA should conduct vulnerability tests. Vulnerability tests will highlight flaws and limitations on their systems and can show areas that may need improvement.

http://www.hackronomicon.com/?page_id=30

Wednesday, October 21, 2009

Reflections of Insecurity

There is an interesting article in Scientific American that would make a good case study or blog post for anyone who is looking for a topic...

Friday, October 16, 2009

Notre Dame Federal Credit Union

Today, my mom called me to let me know that a letter for me had been sent to my home address to notify me that my account information with the Notre Dame Federal Credit Union may have been compromised. This was the only form of notification that I received - I did not receive an email, or an additional letter to my campus address which I also provided to the NDFCU. After learning about some of the information security breaches that we have looked at in the case studies, I wonder how long ago my information was made vulnerable to hackers. I plan on looking into this matter further, but because it is the weekend and the banks are closed, for now I can only hope that the NDFCU is taking steps to secure my information. After this incident I am seriously reconsidering how much I need a bank account at school, and I may choose to cancel this account soon.

Tuesday, October 13, 2009

Hotmail Security Breach

On October 6th, Murad Ahmed and Elizabeth Judge reported in an article in the Times Online that Hotmail, the world's most popular e-mail provider, was the victim of an internet phishing scam. As we have previously discussed in this class, phishing is the process by which individuals are tricked into disclosing private information, including but not limited to names, passwords, and financial details, by malicious people pretending to represent a legitimate business operation. 

Microsoft, owner of the e-mail service, admitted that 10,000 hotmail.com, msn.com, and live.com accounts were illegally accessed, the details of which were shared by the hacker on a website that caters to technology experts. This information has since been removed, and a Microsoft spokesperson noted, "We are working diligently to help customers regain control of their accounts."

According to Tom Warren, the Neowin.net reporter who broke the case, the majority of the Hotmail accounts that were breached had European addresses and could possibly be British. This is notable as Hotmail is about one and a half times larger than its closest competitor in Britain and, with this, becomes "the latest in a long line of big organisations, from the UK Government to major banks, who have been faced with internet security breaches recently." 

If this security breach is, as claimed, the result of a phishing scam, then most of the blame falls on the account holders who surrendered their private information. In this case, the compromised users should establish new accounts or change their current settings to ensure security. However, if it turns out to be the result of an error in Hotmail's operation or a direct attack on its system, then it seems that Microsoft must be held accountable to its users in some way. 


Source:  http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article6861965.ece


Monday, October 12, 2009

Smart Grids: The Future of Electricity

The current U.S. power grid supplies electricity to end users through a one-way relationship, which works in a similar way to our water heaters. Large amounts of electricity are generated and stored until they are sent to the end users in need. This system is outdated and inefficient; furthermore, it is difficult to apply to renewable energy sources, since the wind will not always be blowing and the sun will not always be shining. In order to update the power grid and get around these difficulties, a "smart" power grid is being developed. In the smart grid, electricity works through a two-way relationship where electricity flows both from the utility company to the end users and from the end users back to the utility company. Smart grids also use digital technology to monitor equipment throughout the grid in order to make power delivery more efficient.

In order to make the smart power grid secure, the utility companies must keep their computer systems secure so hackers cannot exploit the vulnerabilities presented with the smart grid. Utility companies must first keep the data of how much electricity is flowing back and forth between the utility company and the end users confidential. The companies must also have safeguards in place to prevent hackers from modifying the flow of electricity which will protect the integrity of the smart grid. Finally, the utility companies must make sure the smart grid works so electricity is available to the end users.

In contrast to the utility companies' security goals, attackers are going to try to exploit the smart grid. They will attempt to disclose confidential information by gaining access to the data on electricity flow, alter the flow of electricity between end users and utility companies, and deny end users and utility companies access to electricity.

IOActive, an application and smart grid security services provider, commented on the vulnerabilities of smart grids to Richard Adhikari of technewsworld.com: "research has been conducted throughout the industry and has concluded that the power grid is susceptible to common security vulnerabilities such as protocol tampering, buffer overflows, persistent and non-persistent rootkits and code propagation". Potential attacks will focus on these vulnerabilities.

The inherent risk of smart grid technology lies in its dependency on the internet and on Internet Protocol. A major breach in the security of a smart grid could result in situations ranging from minor problems, such as people getting away without paying their power bill, to something as serious as terrorists gaining complete control of the system and causing mass blackouts across the United States.

In order to prevent this from happening, utility companies must use centralized log management systems, which can track when and where cyber security threats exist and how to respond to those threats. There should also be third-party assessments of the smart grids to ensure that the security of the grids is being audited.


Sources:

Smart Meters and Security: Locking Up the Grid by Richard Adhikari

Radiation Overdoses

One of the first cases we discussed in class was the Therac-25 system which, after experiencing software malfunctions, administered lethal and near-lethal doses of radiation to cancer patients. A similar incident occurred recently at Cedars-Sinai Medical Center in Los Angeles. There is a story with the details in today's New York Times.

Thursday, October 8, 2009

Networking Slides

Here are the slides from our recent class discussions on networking. Note that this material is not covered on the midterm.

Monday, October 5, 2009

Credit Card Use

The more we talk about the use of credit cards in class, the more I realize how easy it could be for someone to illegally use another person's card. I took special notice every time I used my credit card this past week to see whether the cashier would attempt to verify my identity. Of the five times I used my card, only once did a cashier make that attempt (this happened at Martin's when the cashier asked to see my ID as well). Interestingly enough, it does not even appear to be what store you go to that affects whether or not you will get asked for verification, as a separate time I went to Martin's I was not asked.

Even scarier is the fact that, of the five times I used a credit card, three times I swiped the card myself. This means that a criminal could have easily used "white plastic" (a plain card with nothing but a magnetic strip) if my card was ever "skimmed." The use of white plastic also occurred in the TJX case we studied. The cashier would never even notice that the card was fraudulent, which should be easy to spot, because the criminal would be able to swipe the card himself or herself.

Once again, it appears that the biggest risk in information security lies with human error. The technology is all there, and it works. However, it is when people are either too careless or too lazy to verify a person's identity that people are put at risk for fraudulent charges. The only reassuring news is that it is the business itself or the bank that will ultimately pay should fraudulent charges occur.

Sunday, October 4, 2009

Computerized Time Clocks

Computerized time clocks are a common technology in the workplace. I use a computerized time clock at both my job at home and my job here at the University. Before acquiring my current job at home, I worked at a small store that used a traditional time clock that required that each employee have a card for each week so that our boss could collect and record our hours at the end of the week. Computerized time clocks make this process of logging employee hours more efficient. With computerized time clocks, managers of organizations can simply use software programs to keep track of the hours that employees work and can distribute pay accordingly. For my job at home, each employee has a personal identification number, and when we arrive at work, we input this number onto the computer, and at that time we also select which role we will perform, i.e.: maintenance, wait staff, hostess, etc. For my job at the University, my coworkers and I use our student identification cards to “swipe in” to a magnetic card reader.

The owners of this technology expect that the computerized time clocks will protect the integrity and availability of the information that is stored on them. They expect that the identity of the employee, the number of hours that each employee works, and the task that the employee performs is authentic, and they also expect that the employees are consistently able to interact with the system. These expectations are part of the overall expectation that the time clock will be consistent, easy to use, and accurate. Also, as an employee interacting with the system, I would expect that my information would be kept confidential.

An attacker could want to exploit this system in several ways. The most frequent attacker of a system like this would be an employee attempting to make more money than he or she earned for the tasks that he or she performed or the number of hours worked. Other attackers could include competitors who want to shut down operations by either violating the integrity of the information, shutting the system down so that employees could not clock in, or disclosing personal information of employees like bank account numbers, assuming that the time clock software connects to the bank for direct deposit.

The biggest risk inherent to this system is that it is not monitored as thoroughly as traditional time clocks and is more vulnerable to employee dishonesty or tampering as a result. Like I said, at my job at home it is the employee’s responsibility to enter into the computer which task he or she performs that shift. Breaching the integrity of this system is as easy as telling the computer that I worked a higher paying job than I actually did every so often. Also for this organization, the employee identification number is only four numeric digits long, so it would be very easy for other employees or outside attackers to access my personal information.

As a manager who would use this technology I would mitigate my risks by putting several safeguards in place. To reduce my risk I would either make my employees' identification numbers longer, or I would require them to enter two forms of identification to clock in. I would also make sure that my employees' information was protected to ensure that their bank account numbers were not vulnerable to theft. Finally, I would check the information stored by the computerized time clock at regular intervals to protect myself against expensive employee dishonesty.

Friday, October 2, 2009

Facebook's Newest Challenge

Hackers have found a way to bypass the Captchas needed to create new user profiles as numerous Facebook profiles created in an automated process have popped up over the past few days. Captchas are supposed to ensure that only humans can register. These profiles, which have different names but the same profile picture, send links which if clicked, download malicious software. A spokesperson said the threat does not seem particularly serious, and Facebook is disabling such accounts as soon as they are discovered. "Even so, the fact that hackers got past Facebook's Captchas highlights a continuing trend by attackers to try and exploit social networks."

The Captcha used by Facebook is supposed to be top of the line, leading to speculation that humans may have done it manually. In fact, there is the possibility that people were paid to enter the information necessary for each account. Tasks like this could even be outsourced for a very small amount of money. Based on my own experience with registering for Facebook, I find either of these scenarios likely. However, if someone has created a program which can bypass human involvement with Captchas, then this would pose a significant security threat for many different websites, and it would be important that Captchas be improved.

The URL which these profiles are trying to spread has already been blacklisted by most web browsers and disabled from being shared on Facebook. This URL is the same as one that was earlier being spread through compromised accounts of actual people. Furthermore, Facebook has already publicized that users should be wary of clicking on strange links. Using common sense, most people should know better than to click on a link sent to them by someone who they do not know, especially since most of the messages in which these links are contained are obviously not legitimate. However, as we have learned, many people using the Internet lack this type of common sense. Facebook may need to improve their user verification system. I had heard of the possibility that a cell phone number could be used. After signing up, Facebook would send a text containing a code to the new user, and that code would be used to activate the account. Repeat cell phone numbers could not be used. However, this would prevent people who do not have cell phones or texting from using Facebook, even if they are legitimate. Since this idea may not be realistic, Facebook will need to continue to monitor accounts, and users need to be aware of these schemes.

Source: http://www.computerworld.com/s/article/9138780/Facebook_Captchas_broken_?taxonomyId=17

Thursday, October 1, 2009

Express Scripts: A Security Issue Long After

Express Scripts, a company based in St. Louis, failed to notify hundreds of thousands of customers of a security breach of their prescription records until almost a year after the breach. The company specializes in pharmacy benefits management for . In October 2008, extortionists hacked the system and gained access to some of the records, which included Social Security numbers, names, birth dates, and prescription data of 75 patients. The extortionists also claimed that they would make the information public if the company did not pay them. Instead of paying, Express Scripts reported the problem directly to the FBI (Federal Bureau of Investigation). In November, the company notified customers of the breach, but it did not specify whose information or what information had been accessed. The company has now announced that the information of 700,000 customers was accessed.

Source:
http://www.computerworld.com/s/article/9138723/Express_Scripts_700_000_notified_after_extortion