Monday, February 16, 2009

Social Networks: Trustworthy?

For some it has become a daily routine to check one's Facebook, Myspace, Twitter, or other social networking sites. The draw to these sites is simple. Connect with friends both old and new within an atmosphere that comes with plenty of bells and whistles allowing a variety of engaging ways to keep each other informed and entertained.

These social networks allow you to search for friends, add them to your inner circle, and offer the ability to upload photos, music, share birthdays, share platform specific applications (send a hug lately?) etc. Most folks are inclined to include lots of great details regarding their current and past jobs, where they live, where they went to school, their birthdays, and all kinds of other personal details that are seemingly harmless when shared amongst friends, right? I mean, after all, you can set up your profile to share only the minimum of information and only to those who you have accepted as friends (read: not friends of friends).

This is why social networking sites are so great for attackers. There are tons of people, in a single environment, doling out oodles of information that can be used in countless ways to aid in identity theft, or any variety of account masquerading or spoofing. How can this be? Here are some very simple examples.

1. Friends do not have to prove themselves to you. Think about when you log in to your bank's website. You need to provide multiple factors of authentication to prove to the bank that you are who you say you are. You provide a user name, password, sometimes a PIN, an answer to a secret question, etc. Only after jumping through those hoops does the bank trust you enough to share the data for that account. In Facebook, you see that a new fan page has been added for your favorite author. To show your support for the writer, you submit a friend invite and cross your fingers that they accept you, so you can keep tabs on them and share juicy little tidbits from time to time. Did you ask for proof that the person is who they claim to be? Was there any authentication to prove identity? No, of course not. But now that you are officially a "fan," the clever hacker who created the fan site has access to whatever information you choose to share amongst friends. Moreover, your friends will see that you are a fan, and they might join in too! Very simply, the hacker just attained a plethora of personal information that can be used to steal your identity.

2. Applications have security settings, right? Yeah, but applications don't protect themselves from other applications. The really cool thing about these sites is that you can create and submit an application to share with friends. The really bad thing is that these applications can very easily be designed to siphon information from other applications (read: legit ones) without you ever knowing about it. True, you can limit what each individual application might share about you, but there is no way for you to prevent one application from stealing the data held by another application.

3. Your information is not private! All of the social networking sites have disclosures within their terms/license agreements (that you read and accepted), explaining they can use your info (including your photos) in any way they see fit. Mostly they see fit to sell the demographics of their registered users to a wide variety of companies that wish to develop targeted advertising campaigns on your Facebook page. For example, suppose you disclose in your profile that you are single, gay, and male between the ages of 20-30. In the not so distant future you will likely see ads in the page that appeal to gay men in their twenties. To some, that might not seem like that big of a deal. To others, this is an invasion of privacy. Who knows how many companies now have the skinny on me, and to what extent they "know" me. Who's to say those companies won't sell their databases to other, less scrupulous companies who will mine that data in ways that yield much more intimate details about you and your life. Remember, even if you delete your account and never visit the site again, it's too late. Your data has been recorded in a database that will never go away, and you have no right to do anything about it.

Scared a little? You should be! Should you become an internet hermit and never put even so much as your gender on a website ever again? No, I don't advocate that either. What you need to remember is that anything you put out there, no matter how harmless or secure it seems to be, is always going to be the target of people who have nothing but time and resources to try to mine for that data. If you want to minimize (and I say this because I don't believe you can hide entirely) the attack surface for the bad guys, be extremely vigilant with regard to the information you share about yourself. Reputable companies, banks, etc. are compromised daily, which leaves you as the only person who can truly keep your data secure.

Wednesday, December 10, 2008

How do the bad guys get my stuff?

This is a question that has no definitive answer. Essentially, the attackers are getting more and more sophisticated in just about every way you can imagine, and in ways you can't. Between data having become the currency of thieves and the world being so deeply networked (even your refrigerator can be connected), it's all so overwhelming to try to consider everything you might be doing to expose yourself.

What people often forget is that the bad guys aren't usually out for you. Instead, they are out for anyone they can get hold of. Think of it in terms of sales campaigns where everyone in the country might get a flyer which offers a product. If you send out 300 million flyers, you only need a very small percentage to respond in order to make out like a bandit! The same principle applies to most of these attacks. The bad guys might scan huge segments of the internet to try to find a small percentage of holes that might help them get what they're looking for.

A quick list of attacks or vulnerabilities to help bad guys steal your personal information:
1. Dumpster diving
2. Worms/Viruses/other malware
3. Social engineering
4. Spam/phishing emails (think scammers)

The list above is ridiculously generalized and literally the tip of the iceberg, but these are by far the most common means of theft and really easy to defend against.

Here are some things you can do to protect yourself (in order as listed above):
1. Shred everything! If your name is on it, shred it. Even if your name isn't on it, shred it! Cross-cut shredders can be bought just about anywhere (Wal-Mart, Best Buy, Staples, etc.) and they do a great job of deterring the common dumpster diver.

2. Worms/Viruses/Malware are essentially small applications that have been crafted by attackers to perform a specific function on your PC/iPhone/etc. without you knowing about it. This is by far the trickiest part of keeping your data out of the bad guys' hands, because they are so damn clever these days. Not only are the viruses designed to hide themselves and reproduce, they are made so often that a lot of antivirus vendors (Norton, McAfee, etc.) can hardly keep up with the volume. Despite the AV vendors' struggles, make sure you have one of their products, keep it up to date, and scan for viruses often. Antivirus definitions are published regularly, so it may be in your best interest to set your AV software to auto update. Another good idea is to stay away from sketchy sites! Even legit websites can unknowingly spread a virus, but you can almost bank on the naughty sites to pilfer this stuff. Try to stay away from anything that offers a free download, or free anything for that matter. You know the old saying...nothing is for free. I'll go much deeper into this subject another day.

3. Social engineering is basically the art of getting you to spill the beans. It's essentially the same thing as a con man, except it doesn't have to be like it is in the movies. No, instead it could be a casual conversation on a flight to Albuquerque where you might divulge where you grew up and where you went to high school, and, if you celebrated a birthday recently, you might share your DOB. Those three elements alone are likely enough for me to start Googling around to fill in any blank spots to steal your identity. I know it seems ridiculous, but it really is that simple. Easier yet, these guys are trolling through Myspace, Facebook, and the like. Suppose you join a group in Facebook and the bad guy has made it a point to join every group he can find in Facebook. Once you join a group, your profile is available. Oftentimes the profiles in Facebook, Myspace, etc. provide more than enough information to commit ID theft. Trim your profiles to include nothing meaningful. Your friends should already know your birthday ;) so keep it to yourself. Or share that info via an email instead of posting it for the world to see.

4. Spam/Phishing is usually easy to spot. We've all seen the Viagra, colon cleanse, or "Claim your prize now" emails. Spammers, again, are trying to get even the smallest percentage of users to fall prey to their attack. Simply put, do not open/read/reply/forward any email you get that doesn't come DIRECTLY from a person you know and trust. Delete that garbage and don't look back. Also, if there is an attachment in the message and it isn't from a friend...delete it! Phishing is a little trickier as it appears to be legitimate. If you get an email about your PayPal, or bank, or any other business relationship you might have...take down any interesting info, and delete the email. Do not respond. Instead, call them directly and ask what the deal is. Chances are, it was a phishing email in an effort to steal important data.

Surely there is a lot more that can be done, and needs to be done, but I'll write that up in separate posts, to try to keep people from falling asleep =D.

Till next time.

Monday, December 1, 2008

What's it about?

Welcome to Information Security with Merritt!

The goal of this blog is to provide news, tips, how-to's, discoveries, legislation, and general musings that might help you to understand what's at stake, and how to better secure your data.

This is really geeky stuff! I know that a lot of you either don't know or don't want to know the nuts and bolts of why things work the way they do. I assure you that I will do my best to make this blog simple and relevant to your everyday lives.

For those of you who might possibly be a bigger nerd than me, please contribute...or at least shoot me ideas or corrections via email!

A little about me. I come from an information security engineering background, where I have earned various information security and networking certifications. My day job includes performing security evaluations within US finance and insurance sectors leveraging various industry-standard techniques and methods. My reports are used to inform senior management of the risks (technical, administrative, physical or otherwise) as I perceive them, to help secure information assets (data).

I can't promise that everything I say will be true. I'll do my best to share good information, but I'm certain I don't know everything! I look forward to your feedback to help keep the information within this blog helpful and accurate.

I'll be back soon to publish my first article. See you then!

[with] Merritt