Archive for January, 2011

by Ondrej Krehel

Tablet mania may have consumed this year’s Consumer Electronics Show, as dozens of players looked to cash in on the iPad—or hoped to be the supposed “iPad killer”—but some of the underdog items could have longer-term ramifications.

When it comes to business and personal computing, I’m most impressed with the recent advances in data encryption, as self-encrypted drives—drives with built-in hardware-based encryption chips, rather than software options—are fast becoming the norm.

As storage devices and hardware become more affordable, they’re also getting faster and safer. Solid state drives (SSDs) get cheaper every quarter, while transfer speeds and storage capacities continue to climb. With on-board encryption, they’ll also stand among the speediest and most secure options. Hardware single-chip encryption, it’s being touted, offers zero performance degradation and no physical or electronic keys to lose. (Encryption essentially scrambles drive data so that only someone with the key or password can access and read it—a lifesaver when a flash drive or laptop with sensitive material is lost or stolen.)

Among the options on the market are drives that react when the wrong key is entered one too many times, and drives that can track their own physical location. External hard drives with encryption, some of which even require a fingerprint scan to log in, and the new self-encrypted drives mentioned in that PCWorld article are pushing the technology forward and making it available to ever-larger segments of the computer-consumer population. I think we’ll soon see the day when most businesses mandate encryption on all their laptops and portable drives as an industry best practice. The risk of data loss—and the state and federal laws that impose fines and expensive response obligations after a breach—is certainly helping move this technology forward. It’s definitely something to consider when evaluating your business or personal storage needs.
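To make the key-and-password mechanism concrete, here is an added example (my own, not from this post or from any drive vendor) that models in Python the key hierarchy a self-encrypting drive typically uses: a random media key encrypts every block and never leaves the drive, a key derived from the user’s password only wraps that media key, and the wrapped copy is integrity-checked before it is unwrapped. The SHA-256 counter-mode cipher is a stand-in for the drive’s AES engine, the five-attempt limit and the cryptographic-erase response to it are assumptions for the demo, and the stored file contents are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256.

    Stand-in for the AES engine inside a real drive; it keeps the example
    dependency-free while preserving the shape of the construction.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DriveLocked(Exception):
    """Raised when data is accessed before the media key has been unwrapped."""


class SelfEncryptingDrive:
    MAX_ATTEMPTS = 5  # assumed lockout threshold; real drives make this configurable

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.media: Dict[int, bytes] = {}   # block number -> ciphertext on the platter/flash
        self.failed_attempts = 0
        self.crypto_erased = False
        self._dek: Optional[bytes] = None   # media key, in volatile memory only while unlocked
        # The media key is random and independent of the password: changing the
        # password only re-wraps it, and destroying the wrapped copy erases the drive.
        dek = os.urandom(32)
        kek = self._derive_kek(password)
        nonce = os.urandom(16)
        wrapped = _xor(dek, _keystream(kek, nonce, 32))
        tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
        self._wrapped_dek: Optional[Tuple[bytes, bytes, bytes]] = (nonce, wrapped, tag)

    def _derive_kek(self, password: str) -> bytes:
        # Slow derivation so that guessing against a stolen wrapped key is expensive.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def power_cycle(self) -> None:
        """Loss of power drops the unwrapped media key; the drive comes back locked."""
        self._dek = None

    def unlock(self, password: str) -> bool:
        if self._wrapped_dek is None:
            return False  # cryptographically erased: nothing left to unwrap
        nonce, wrapped, tag = self._wrapped_dek
        kek = self._derive_kek(password)
        expected = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.failed_attempts += 1
            if self.failed_attempts >= self.MAX_ATTEMPTS:
                # Assumed response to too many wrong passwords: destroy the wrapped
                # media key, which makes every block on the media unrecoverable.
                self._wrapped_dek = None
                self.crypto_erased = True
            return False
        self.failed_attempts = 0
        self._dek = _xor(wrapped, _keystream(kek, nonce, 32))
        return True

    def write(self, block: int, data: bytes) -> None:
        if self._dek is None:
            raise DriveLocked("unlock the drive before writing")
        # Block number as the per-block tweak, as sector-based modes do. A stream
        # construction like this one leaks the XOR of old and new data when a block
        # is rewritten, which is one reason real drives use a block mode (XTS).
        self.media[block] = _xor(data, _keystream(self._dek, block.to_bytes(8, "big"), len(data)))

    def read(self, block: int) -> bytes:
        if self._dek is None:
            raise DriveLocked("unlock the drive before reading")
        ciphertext = self.media[block]
        return _xor(ciphertext, _keystream(self._dek, block.to_bytes(8, "big"), len(ciphertext)))

    def raw_media(self, block: int) -> bytes:
        """What a forensic image of the stolen drive contains: ciphertext only."""
        return self.media[block]


if __name__ == "__main__":
    drive = SelfEncryptingDrive("correct horse battery staple")
    drive.unlock("correct horse battery staple")
    drive.write(7, b"Q3 payroll spreadsheet (constructed sample data)")
    print("raw media :", drive.raw_media(7).hex()[:32], "...")
    print("decrypted :", drive.read(7))
    drive.power_cycle()
    for _ in range(SelfEncryptingDrive.MAX_ATTEMPTS):
        drive.unlock("guess")
    print("erased after repeated wrong passwords:", drive.crypto_erased)
```

Reading the raw media, as a forensic image of a lost laptop’s drive would, returns only ciphertext; after a power cycle nothing is readable until the password is supplied again; and once the wrong password has been tried MAX_ATTEMPTS times the wrapped media key is gone, so even the correct password no longer recovers the data. That last property is what lets a drive be retired or recovered from theft without wiping every block.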

Ondrej Krehel, Chief Information Security Officer

Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.


by Ondrej Krehel

What does the future of political protest look like in a highly digitalized world? We’re watching it unfold in real time through .

The day the cables were slated for release in major newspapers around the world, a so-called “” took down the WikiLeaks site with a distributed denial-of-service (DDoS) attack. He later wrote on Twitter that he went after the site for “attempting to endanger the lives of our troops and other assets.”

WikiLeaks moved the site from its Swedish webhost to Amazon.com-owned Elastic Cloud Computing (EC2) in Ireland. After U.S. Senator Joseph Lieberman contacted Amazon about hosting the site, Amazon discontinued service to WikiLeaks, citing terms of use.

Then the free-for-all began. Hackers got involved again, this time on WikiLeaks’ behalf, targeting Amazon. When PayPal froze payments to WikiLeaks, the hacking group Anonymous, which organized the Amazon attacks, . When MasterCard announced it would stop transactions on WikiLeaks’ behalf, MasterCard.com was attacked.


Since then Visa.com has been hit with a DDoS attack, as has the and the lawyer representing the two women who have brought sexual misconduct charges against WikiLeaks founder Julian Assange. As the story progresses, I’m sure we’ll see more sites, for and against WikiLeaks, suffer hacker wrath.

This isn’t the first example of a DDoS domino effect, but it’s certainly the highest profile, and we’re sure to see more stories like it. With the success of movies like The Girl with the Dragon Tattoo, in which hacking against evil government and corporate forces is elevated to a new kind of heroism, the mythology is already forming: a new type of cyberwarfare engaged in the never-ending battle of good and evil.

Yet with all this hoopla, we can’t lose sight of the lesson. The data breach that started it all, like so many others that don’t grab headlines, stemmed from poor information-access policies. Politics and protests aside, security professionals need to understand the risk of large systems in which information is shared across separate organizations. The tale of the Army private with access to high-level State Department information should force us not just to comment on the story, or wage protest online, but to ask the basic questions of computer security: Who has access to your information? And have they been vetted?

Ondrej Krehel, Chief Information Security Officer


by Ondrej Krehel

The New York Times recently ran a story about an online retailer who was a real bully. The particular eyeglass merchant in question, whom we’re not going to name here, sold fake glasses—among other crimes—and when consumers complained or requested their money back, he went so far as to threaten their lives (even emailing one customer a photograph of her apartment building to let her know he knew where she lived).

A retailer can’t do this for very long without people screaming—digitally, in this case—but this particular vendor didn’t care. In fact, he liked it. He had discovered that the greater the number of angry complaint posts filed in consumer advocacy forums about him, the higher his company popped up in Google—a marketing plan that’s been dubbed the or anti-customer-service approach.

This charmer not only scammed his customers and Google but also . These companies have a monthly limit on “charge-backs”—when customers contact their credit card companies for a refund. Too many—a secret number neither merchants nor the credit card companies will disclose—and a merchant can lose his VISA or MasterCard privileges. When this vendor approached that limit, he toned down his hate tactics until the next month.

Clearly these companies have security and customer-service issues to consider. Hopefully law enforcement will shut down this bully once and for all, but in the meantime, here’s what you can do to avoid buying from a less-than-social retailer.


• Just like in the real world, the bigger online stores offer more protection. You might save money on that new hardcover at cheapbooks4you.com, but should you encounter a problem, it’s not going to be nearly as easy as dealing with Amazon.com or Barnes & Noble.

• Google’s price shopper, Froogle.com, and Pricegrabber.com allow you to compare retailers’ prices, but they also have retailer reviews. Read them. Also, if you find a good deal but can’t find any reviews on the retailer, do an online search for the retailer’s name and look for feedback in the results. As the New York Times story points out, that would have been enough to help customers avoid this particular vendor.

• If the site reads like broken, misspelled or grammatically incorrect English, e.g. cheapboks4you.com, avoid it. Yes, it could be fine, but if the company is sloppy enough to have errors all over its website, where else does it take shortcuts?

• Pay with a credit card rather than a debit card. You have some layer of protection with credit—the money isn’t coming directly from your account. And while you’re at it, use a credit card that you know has high-quality customer service. A high standard of security, helpful customer service and strong merchant vetting vary from provider to provider.

Ondrej Krehel, Chief Information Security Officer


by Ondrej Krehel

, the antivirus company, recently released a study finding that one in five Facebook users are exposed to malware through bogus news feeds.

The statistics were gleaned from the beta app . More than 14,000 FB users have installed the app, which isn’t much of a sample considering there are a half-billion users. As CNET put it, though, “…it’s also a sample of users who, by virtue of installing the app in the first place, indicate that they’re relatively security-minded. The ‘average’ Facebook user may well be even more likely to see malicious posts, in theory.” We couldn’t agree more.

More than 60 percent of malware attacks on the social networking site come from third-party apps that offer things such as free items in FarmVille and fake items such as dislike buttons or free backgrounds. Other attacks include links to shocking videos.

This is just one more example of Facebook becoming the preferred platform for hackers and scammers. So it’s no surprise that we’re seeing a boom in security-centric Facebook apps, such as Safego, designed to halt malicious use of Facebook accounts.

Get used to this back-and-forth. Facebook isn’t going anywhere, whether you like it or not, and as they continue to add features, hackers and app developers will continue their dance.

For example, Facebook Messages, which launched last month, provides users an @facebook.com email address with an inbox that also collects chats and SMS messages—all in one place. It may be convenient for you, but it’s also —and the hackers masquerading as app developers—who, if you grant it to them in your permissions, have access to your personal messages.

So now, if you’re using Facebook Messages and you unwittingly download a scary movie app that’s really a front for Russian hackers, you’ve handed them all your text and email messages, instead of just access to your Facebook page. Your Facebook assets just became more valuable—so they require better protection. Now the question is who will provide it and at what cost?
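As an added example (my own, not from this post or from Facebook), here is a small Python audit of the permissions a user has granted to third-party apps, built on the point above: a grant that includes inbox access now exposes chats, SMS and @facebook.com email as well, not just site messages, so the same grant became more valuable overnight. The grants, the per-category policy and the scope names are constructed for the demo and are not the platform’s real permission identifiers.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed grants, as an account's "authorized apps" listing might show them.
# Scope names are assumed for illustration only.
SAMPLE_GRANTS = [
    {"app": "Farm Bonus Items", "category": "game",
     "scopes": ["public_profile", "publish_stream", "read_mailbox"]},
    {"app": "Shocking Video Player", "category": "video",
     "scopes": ["public_profile", "read_mailbox", "offline_access"]},
    {"app": "Photo Frames", "category": "photo",
     "scopes": ["public_profile", "user_photos"]},
]

# Least-privilege policy (assumed): the scopes an app of each category needs to do its job.
NEEDED_BY_CATEGORY: Dict[str, Set[str]] = {
    "game": {"public_profile", "publish_stream"},
    "video": {"public_profile"},
    "photo": {"public_profile", "user_photos"},
}

# What each scope exposes. Before the unified inbox the mailbox scope covered only
# site messages; with chats, SMS and email collected in one place it covers all of them.
CHANNELS_BEHIND_INBOX = {"site messages", "chat transcripts", "SMS", "@facebook.com email"}
SCOPE_EXPOSURE: Dict[str, Set[str]] = {
    "public_profile": {"name and public profile"},
    "user_photos": {"photos"},
    "publish_stream": {"posting as you"},
    "read_mailbox": CHANNELS_BEHIND_INBOX,
    "offline_access": {"access while you are logged out"},
}
HIGH_RISK_SCOPES = {"read_mailbox", "offline_access"}


@dataclass
class Finding:
    app: str
    excess_scopes: Set[str]   # granted but not needed for the app's stated purpose
    exposed: Set[str]         # data a compromised or malicious app could reach via the excess
    severity: str


def audit_grants(grants: List[dict],
                 needed: Dict[str, Set[str]] = NEEDED_BY_CATEGORY,
                 exposure: Dict[str, Set[str]] = SCOPE_EXPOSURE) -> List[Finding]:
    """Flag every app holding more than its category needs, highest risk first."""
    findings: List[Finding] = []
    for grant in grants:
        scopes = set(grant["scopes"])
        excess = scopes - needed.get(grant["category"], set())
        if not excess:
            continue  # grant matches the policy; nothing to revoke
        exposed: Set[str] = set()
        for scope in excess:
            exposed |= exposure.get(scope, {scope})
        severity = "high" if excess & HIGH_RISK_SCOPES else "medium"
        findings.append(Finding(grant["app"], excess, exposed, severity))
    findings.sort(key=lambda f: (f.severity != "high", f.app))
    return findings


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"[{f.severity}] {f.app}: revoke {sorted(f.excess_scopes)} "
              f"-> currently exposes {sorted(f.exposed)}")
```

The photo app passes because its grant matches what a photo app needs; the game and the video player are flagged because neither has any business reading the inbox, and the mailbox scope alone now reaches four channels. The output is the revocation list a user (or a help desk walking a user through cleanup) would act on.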

Ondrej Krehel, Chief Information Security Officer
