Archive for December, 2010

by Ondrej Krehel

With the New Year upon us, I’ve been thinking about some of the larger or more interesting security cases of 2010. One of the oddest happened in January, when .

Yes, that’s right, the same carbon credits that may help prevent global warming. With the Kyoto Protocol, 191 countries, including all of Europe, agreed to a cap and trade system in which the total number of carbon emissions is limited per region. Businesses that produce less carbon than they’re allotted can sell those credits—the amount of pollution they aren’t polluting—to other companies.

This move created a huge market. More than 8 million tons of CO2 emissions were traded in Europe in 2009, worth more than $130 million. Then hackers got into the system.

With a rather conventional attack—a targeted phishing scam—they hit businesses connected to the German Emissions Trading Authority. Emails looking like they came from the Authority redirected the targets to a fake Authority site that asked them to re-register their accounts.

Seven companies fell for it. Using their login credentials, hackers drained 250,000 carbon permits worth $4 million and promptly resold them to other companies. One firm lost a reported $2.1 million.

Now people love to argue the ins and outs of global warming—is it due to man, is it a natural warming, etc., etc.—but this case demonstrates something there’s no argument about: the need for security education, as well as thorough security measures. Locked doors are great—but not particularly effective if there’s a window open.

It’s easy to blame the guy who fell for the phishing scam and jeopardized his company, but that’s hardly a solution, especially when hackers routinely look for the weakest link. In this case they sent 2,000 phishing emails and caught seven fish. We all know that a multilayered authentication process is better than a simple username and password.

Whatever the computer system, no matter how sophisticated the security, if people with access to the system don’t have proper security training—and at least understand the basics of staying safe and the methods of the most common scams—all that security could be for naught.

Ondrej Krehel, Chief Information Security Officer,

Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.

by Ondrej Krehel

Being a woman in the digital world makes you a target.

In two separate cases earlier this month, hackers targeted young women. First they sought compromising images and video of the victims, then extorted them, threatening to release the images to their friends and family and on the web.

, a 23-year-old California man hacked roughly belonging to young women, guessing at their password reset questions on Gmail, Yahoo Mail, Hotmail and other web services. He combed their Sent Mail folders and found compromising images of more than 170 women. The hacker then used the webmail password information to hack his victims’ Facebook pages. From there he targeted their friends, posted graphic photos on their profiles and tried to extort more pornographic images from them in exchange for not releasing other photos.

A Los Angeles man was arrested in a similar—and perhaps —case. In a series of “spear phishing” attacks, he would send victims a video link from a friend’s or sister’s hacked social networking account. When the victim clicked on the link, it downloaded a virus that gave the hacker control over her computer, including the webcam and microphone functions. Soon he had captured more than 100 computers and spied on 230 people, watching them through their computers, without them knowing about it.

“What’s so frightening about this case was how easily the victims’ computers were compromised,” FBI Special Agent Jeff Kirkpatrick, a Los Angeles cyberinvestigator who worked the case, said in .

Most of the victims were teenage girls, and the hacker demanded more pornographic images from at least one of them. If she didn’t comply, he threatened to send what he found on the girl’s computer to her parents.

“If he hadn’t attempted to contact the victims,” , “he could have done this forever and gone undetected—the victims would never have known he was listening and watching. That is one of the most disturbing things about this case.”

This is just one more graphic reason to use strong passwords and to make sure your passwords are different for email, social networking, and financial and other frequently used sites. Be wary of video and image links—even those sent by friends—and always make sure you have a strong antivirus, anti-malware and firewall package up and running.

Being suspicious and having a keen eye for detail are always the best protection.

Ondrej Krehel, Chief Information Security Officer,


by Ondrej Krehel

Hacking is illegal. But when you hack a self-designed system for learning purposes, it’s a different story. Doing this can provide a solid learning experience and help those in your educational community or business or the world at large. Often these kinds of self-produced hacking attacks are put on by computer investigators and draw big crowds on the forensic conference circuit. They demonstrate how systems are broken in real time, on the fly—and offer solutions for protecting against such attacks.

But what happens when the target of an education attack is unaware that they’re under fire? What happens when it’s a popular website or million-dollar desktop program? The moral line gets a little blurry.

was auto-hacked as a kind of educational experiment. An add-on called Idiocy hacked accounts that were posting on rather than —the latter being the secure site connection—to ostensibly “teach” the users that they should always roll securely. A little harsh? Maybe. Effective? Definitely.

While one should never break the law, many—dare I say most—security tools and practices were born as a response to a hacker attack. Hackers help security professionals stay sharp. If the hacker is going after a site or account without malicious intent, I tend to think of them as doing the developer—or the system—a favor. The next hacker might have different ends in mind. Not a lesson anyone wants to learn when, say, a bank account is being drained or other important information is on the line.

There should be rules, though, or at least one big one: If a site or program is broken, the vendor should know about it and be given ample time to fix it before the information is released to the public. Once they know about it, the ball is in the developer’s or designer’s court. But if they know about it and don’t act, sometimes a public release of the information or the mode of attack can apply needed pressure. That was the case with the Twitter virus in September. Twitter officials knew about the issue for months but didn’t move on fixing it until a colorful hack made headlines.

The bonus effect of hacking to educate is that it informs and furthers development. and started as hacking and exploitation tools, became commercialized and are now two of the industry-leading security tools in vulnerability assessment and exploitation. Hacking in this case is—forgive the cliché—like planting a seed. Which is to say that hacking, when not used for malicious purposes or ill-gotten gain, produces information—information that can be helpful and ultimately protect you from future attacks that might not be so kind.

Ondrej Krehel, Chief Information Security Officer,



by Ondrej Krehel

Phishing, Pharming, Vishing and Smishing

Hackers are always coming up with new ways to separate you from your money. The most popular methods include:

Phishing has become a catchall term for any electronic criminal fraud scheme that tries to capture personal identifying information (PII), such as names, passwords, credit card information and ATM PINs. Usually this takes the form of a hacker-designed email or instant message that looks and feels like an official communication from a bank, Internet service provider or social website and tricks the recipient into responding with personal information.

Pharming occurs when hackers exploit DNS server software to redirect traffic from a legitimate website to a bogus site to capture personal data. For example, they’ll route a bank’s web traffic to a site controlled by hackers. Think of this as a postal mail redirection.

Vishing is a malicious combination of phishing and Voice-over IP or Internet phone service. It amounts to hackers making phone calls via the Internet that look to Caller ID systems like official business lines from, say, a bank, credit card company or insurance provider. Often it’s an automated call that asks the recipient to call back, at which point con artists ask for PII.

Smishing combines SMS text messaging with Phishing, amounting to hackers disguised as official institutions using cell phones to phish.

In all of these scams, criminals are pretending to be a trusted financial institution or company, and in that disguise ask the victim to disclose their personal information. Sometimes they even offer incentives, such as free reward cards and special credit financing. With these particular tactics, it’s important to keep in mind the old saw, if it seems too good to be true it probably is.

But sometimes your bank or Internet provider does in fact need to contact you. Here are some tips to separate the legit from the illegal:

Check the source for misspelled content. Online, make sure it’s the actual company URL address in your web browser. Hackers are very smart at making fake URLs look real, like, say, Credits.com for Credit.com. The text inside of the message or the URL itself is often misspelled.

Watch for redirection. You may click your tried and true bookmark to go to your bank’s website, but if your PC or the bank site is compromised it could point you to a hacker lookalike site. If you see that you’re being redirected to a site that doesn’t look right, or notice the URL contains characters other than normal, disconnect.

Google the malicious email, SMS or caller number. You might not be the only one who was targeted. Google the number or email address to see if there’s a larger scam and a possible means to report it.

Just say no. No company will ask for your date of birth, Social Security number or ATM password in an email, website or text message. They also won’t ask questions about your personal life, such as pet or family members’ names, which hackers will do to guess at your passwords.
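The first two tips above (misspelled lookalike domains such as Credits.com for Credit.com, and hosts containing unusual characters) can be turned into a small automatic check. The script below is an added example written for this post, not code from the original; the trusted-domain list, the two-edit near-miss threshold and the sample URLs are all constructed for the demonstration, and the "last two labels" domain rule is a simplification that ignores country suffixes like .co.uk.

```python
"""Lookalike-URL check (added example, not part of the original post).

Given a URL from a message and the short list of domains the reader actually
trusts, flag the warning signs the post describes: a host that is a near-miss
spelling of a trusted domain, a host that merely contains a trusted name, and
a host with characters outside plain ASCII (or a punycode "xn--" label).
"""
from urllib.parse import urlsplit

# Constructed for this example: the domains the user has bookmarked and trusts.
TRUSTED_DOMAINS = {"credit.com", "examplebank.com"}


def edit_distance(a, b):
    """Levenshtein distance: minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Keep the last two labels ('www.credit.com' -> 'credit.com').

    Simplification: country suffixes such as .co.uk would need a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Return a list of warnings for `url`; an empty list means the host is a trusted domain."""
    host = urlsplit(url).hostname or ""
    warnings = []
    if not host.isascii():
        warnings.append("non-ASCII characters in host name")
    if "xn--" in host:
        warnings.append("internationalized (punycode) label in host name")
    domain = registrable_domain(host)
    if domain in trusted:
        return warnings
    for good in trusted:
        distance = edit_distance(domain, good)
        if 0 < distance <= max_edits:
            warnings.append(f"host {domain!r} is a near-miss of trusted {good!r}")
        elif good.split(".")[0] in host:
            # e.g. credit.com.secure-login.example: the real name is buried in a longer host
            warnings.append(f"host {host!r} contains trusted name {good!r} but is not that domain")
    if not warnings:
        warnings.append(f"host {domain!r} is not in the trusted list")
    return warnings


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing message might carry.
    for sample in ("https://www.credit.com/login",
                   "https://www.credits.com/login",
                   "https://credit.com.secure-login.example/verify"):
        print(sample, "->", check_url(sample) or ["ok"])
```

The check is deliberately conservative: anything that is not exactly a trusted domain produces at least one warning, because the post's advice is to treat an unexpected host as suspect rather than to guess. A real browser plug-in would replace the two-label rule with a public-suffix list and compare against the user's own bookmarks.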

The key here, as with all Internet security, is to stay aware and keep your computer in a safe state, clean and up-to-date, ready for the full Internet experience.

Ondrej Krehel, Chief Information Security Officer,


by Eduard Goodman

We’re Addicted, Net Execs Like it That Way

The Social Web

It’s tiresome when billion-dollar Internet CEOs tell us that our privacy concerns are overblown. Whether they run Google, Facebook or an online marketing company, the truth is that they obviously have a financial interest in trading my personal and search information, online contacts and purchases. They’re a business out to make money. Their business is information. I’m not judging; just own up to it. Don’t dismiss our privacy fears because frankly it’s insulting.

In fact the more I hear the mantra, “Don’t worry about your privacy,” from executives in industries that know more about us than our own relatives, the more they sound like tobacco executives in the 1990s. “Your privacy fears are overblown,” is about as convincing as the statement, “Nicotine is not addictive,” especially given the source.

Like tobacco executives of the last century, Internet executives think that we don’t recognize that they have their own agendas and own financial interests at heart. They want us all to believe that there are no downsides to sharing our information or to their collection of it. Just like there are no downsides to smoking, right? They are quick to point out all of the “upsides” and reasons to share information though. Strangely, many also were reasons people smoked at one time, too.

Some of them include:

• Everyone else is doing it, so it must be okay.

• It’s cool. (“What do you mean you aren’t on Facebook?”)

• You’re addicted (because where else are you going to go for an online search? The expression to “Google” something is even in the dictionary.)

Now today, nobody doubts that nicotine is in fact addictive and that smoking causes cancer. We have the research and millions of examples of people who have suffered from smoking-related illnesses to prove it. Yet, worldwide over 1.3 billion people still choose to smoke, knowing the risks and dangers. That is their choice and tobacco is still a multibillion-dollar industry both in the U.S. and abroad.

Like their tobacco industry executive predecessors, people including Facebook CEO Mark Zuckerberg and Google CEO Eric Schmidt raise the point that Internet users have a choice, too. If they don’t like the privacy ramifications of using Google or Facebook, then they don’t have to use them. The problem is that we as a nation have become addicted to Facebook and Google. Like the throngs of chain smokers of the 1950s, we as a nation are failing to recognize the dangers associated with our behavior. With industry executives preserving our collective ignorance towards our vanishing privacy, in the end, like a misinformed, addicted smoker, how much choice do we really have?

Eduard Goodman, Chief Privacy Officer,

An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar’s Internet, E-Commerce & Technology Law Practice Section.


by Eduard Goodman

A friend raised this question recently—on Facebook no less.

The question isn’t new. Whether we recognize it or not, Americans have historically asked and re-asked this question. We redefine what privacy means to us on a regular basis. You could say it’s part of our national DNA.

The concept of privacy was central to our forefathers’ discussions of revolution. Okay, so the word “privacy” never appears in the Declaration of Independence, the Constitution or the Bill of Rights. But it’s a reappearing theme in our nation’s legal, social and political framework. Two examples: the First and Fourth Amendments, which address the freedom of religion and unreasonable searches and seizures.

America is constantly shifting its views when it comes to privacy. While the catalyst for these shifting perspectives has often been political, more often it has been technological.

Take for example the industrial revolution and the invention of the telegraph in 1837 and the telephone in 1876. Suddenly, information could be communicated instantaneously around the world. Then there’s the 1890 census, the first one to use mechanical data-processing technologies rather than human tabulation. (Interestingly, the device that read the census punch cards resulted in the eventual founding of IBM, but that’s another story.)

When you overlay innovations in communications and data processing with the rapid development of photographic and newspaper publication technologies, suddenly Victorian concerns about privacy don’t seem so distant or quaint. As Louis Brandeis, who later became a U.S. Supreme Court Justice, noted in his 1890 Harvard Law Review article, “Right to Privacy”:

“Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”

This quote could have easily been written yesterday, and that’s my point. Every generation has had to ask the question: “What does privacy mean?” The universal answer for every generation is simply that: Privacy means what we demand it to mean.

When we’re willing to endure the Patriot Act to feel more “secure,” we redefine privacy. When we’re willing to accept online tracking of our behavior, searches and human connections for the sake of convenience, we redefine privacy.

I alone can’t answer the question. It requires all of us as a society to actually chime in, so to speak. What I can tell you though is simply this:

The more we demand regarding our privacy, the greater its meaning, whatever that meaning comes to be.

Eduard Goodman, Chief Privacy Officer,


by Ondrej Krehel

Speed Up Your Mac with These Simple Tips

Last week we looked at tips for maintaining a PC. This week we’re turning to Mac OS X. Generally speaking, OS X is more stable than Windows desktops and requires less user maintenance. Yet there are a few things you can do to revive an older or slow Mac.

First, delete any Applications you don’t use. Usually there’s no straightforward way to delete Mac apps. Simply trashing them could leave some information behind in the system, such as preferences and application support files. But there are plenty of shareware deleter programs out there, such as , and . Also, applications may have their own uninstall script, included in the installation menu.

Next, check your drive health. OS X has a native solution in Disk Utility. Run the program, then click “Verify Disk Permissions” and “Verify Disk.” If it is then recommended, click “Repair Disk Permissions” and “Repair Disk.”

Now that your drive is lighter and in good running order, run a Software Update. You should automate this process as it will keep your computer on top of the latest performance and security patches. Don’t forget to run software updates on third party applications, such as MS Office.

When that’s done, determine which programs automatically load when you boot your Mac. In System Preferences, click on Accounts. You’ll see a list of “Login Items.” The fewer items selected, the more resources will be available on your Mac and the faster it will run. Some items you might want to keep running, such as iTunesHelper, which helps recognize your iPhone or iPod. If you don’t know what a program does, simply Google it to decide if it’s worth running right from startup. More advanced users can review the running processes in the command line via the “ps ax” command and disable unnecessary ones.

Lastly, think about your Cron scripts, which are usually set to run daily, weekly and monthly. These scripts generate log files and remove old ones. They are automatically scheduled to run at a specified time, usually nighttime. If you regularly restart your Mac and the computer regularly sleeps or is shut down at the scheduled times, it’s possible that the scripts will never run. If they don’t run, your old log files are not deleted, thus cluttering your system. There are to maintain your Cron scripts and data associated with them. We’re partial to . This freeware app can also delete your system and file caches, among other utility sweeps. It’s certainly worth exploring.
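The failure mode described above (the machine is asleep or off at the scheduled hour, so the daily, weekly and monthly scripts silently never run) is easy to detect, because on OS X those scripts run through periodic(8) and write their output to /var/log/daily.out, /var/log/weekly.out and /var/log/monthly.out. The script below is an added example for this post, not the freeware utility the post recommends; the log paths are the periodic defaults, and the "acceptable age" limits of 2, 8 and 32 days are values chosen here for the example.

```python
"""Report OS X periodic maintenance jobs that have not run recently.

Added example, not from the original post. Each periodic job (daily, weekly,
monthly) appends its output to a log file; if that file is missing or older
than the job's interval, the job was skipped (typically because the Mac was
asleep or shut down at the scheduled time) and the old logs it would have
rotated are piling up.
"""
import os
import sys
import time

# Log written by each periodic job, and the longest age (days) we still accept
# before calling the job missed. Paths are periodic's defaults; limits are chosen here.
PERIODIC_LOGS = {
    "daily": ("/var/log/daily.out", 2),
    "weekly": ("/var/log/weekly.out", 8),
    "monthly": ("/var/log/monthly.out", 32),
}


def days_since(path, now=None):
    """Days since `path` was last modified, or None if the file does not exist."""
    if not os.path.exists(path):
        return None
    now = time.time() if now is None else now
    return (now - os.path.getmtime(path)) / 86400.0


def stale_jobs(logs=PERIODIC_LOGS, now=None):
    """Names of periodic jobs whose log is missing or older than its limit, in table order."""
    stale = []
    for name, (path, max_days) in logs.items():
        age = days_since(path, now)
        if age is None or age > max_days:
            stale.append(name)
    return stale


def main():
    """Print what to do; exit status 1 if any job is overdue so the check can be scripted."""
    stale = stale_jobs()
    if not stale:
        print("periodic maintenance is up to date")
        return 0
    for name in stale:
        print(f"{name} maintenance has not run recently; run: sudo periodic {name}")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Running it prints the `sudo periodic daily` (or weekly/monthly) command for each overdue job rather than running it, so nothing on the system changes until the reader chooses to act; a non-zero exit status lets the check itself be dropped into a login script.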

And at the end, don’t forget to empty your Trash. Always choose secure deletion.

Ondrej Krehel, Chief Information Security Officer,
