InfoSec Links April 9, 2014

Microsoft: Let's be clear, WE won't read your email - but the cops will - Lain Thomson - The Register

Note to self: don't use Hotmail to distribute pirated copies of Windows 8.

The Heartbleed Bug, explained - Timothy B. Lee - Vox

A good explanation of the OpenSSL bug that has rocked the infosec world the past couple of days. This is a pretty serious bug that puts millions of sites at risk and potentially your information, such as passwords. Unfortunately, there's really nothing you can do about it except hope that the sites you have accounts on apply the patch that fixes the bug ASAP. Most big sites have probably already done it.

Xbox password flaw exposed by five-year-old boy - BBC

Five-year-old wants to get into his dad's Xbox account. What does he do? Find a vulnerability in Microsoft's Xbox Live, thus starting his illustrious hacking career. It's not the least bit surprising that his dad works in security.

This post first appeared on Exploring Information Security.

More on the Experian breach

On Saturday I posted about Experian's breach of customer data not being the hack that the media seems to think it is. It's actually much worse than that. Apparently, I wasn't alone in identifying the inaccuracies in the coverage of the Experian breach, and Experian themselves went to set the record straight. Except they really didn't, and Brian Krebs took their statements apart with factual information.

If you liked Krebs' article, then I would suggest reading the post he did last month that looked at whether or not credit monitoring services are really worth it. Even if you don't use a credit monitoring service, there are some good tips on how to protect yourself from identity theft in the article.

And in case you're wondering who Brian Krebs is, he's kind of a big deal. Sony Pictures is planning on making a movie about Brian Krebs' life.

InfoSec Links April 5, 2014

Fandango, Credit Karma settle with FTC over app security flaws - by Kate Tummarello - The Hill

If you build an insecure app, the FTC is going to come after you. Hopefully, this will make developers start taking security into consideration when building apps, especially when the app deals with some form of currency.

Web TV service Boxee.tv Hacked, Details of 158,000 Forum Users Leaked - By Eduard Kovacs - Softpedia

If you have a Boxee.tv account, you might want to go change your password. This is just another example of why you want to have different passwords for different accounts. If you need help managing your passwords, might I suggest Password Safe (look for a post in the future).

Big Brother Goes Dutch - by Lee Munson - Security Watch

The Dutch have voted for more surveillance. /facepalm

InfoSec Links April 2, 2014

Banks Drop Suit Against Target, Trustwave - Brian Prince - Security Week

A day after linking articles that talk about how ridiculous it was to sue Target and Trustwave, we learn that both banks have put in for dismissal of their lawsuit. Coincidentally, news of this comes on April Fool's Day, which makes it just an elaborate April Fool's Day joke.

Analyzing the Target Breach "Kill Chain Analysis" Report - Rafal Los - Following the Wh1t3 Rabbit

Excellent in-depth analysis and discourse of the Target breach and how it happened.

The Continuing Public/Private Surveillance Partnership - Bruce Schneier - Schneier on Security

What's really happening between the government and the companies that are handing over your data.

InfoSec Links April 1, 2014

Trustmark Pulls out of Class-Action Suit Against Target and Trustwave - by Lee Munson - BH Consulting

The lawsuit was ridiculous to begin with, so it's no surprise to see someone backing out this early. The language is key here: Trustwave is a service that provides appliances and compliance checks. It does not, itself, monitor Target's network. That's what Target's own IT staff are for.

Responding to Lawsuit, Trustwave Says Did Not Monitor Target's Network - by Mike Lennon - Security Weekly

In fact, Trustwave said just that in its response to the lawsuit.

Hackers Can Unlock Tesla Cars by Stealing Owners Passwords - Eduard Kovacs - Softpedia

Passwords for cars? Say it ain't so. Not only is the maximum password length ONLY six characters, but apparently the API allows mobile app developers to use those same credentials. The Tesla is a $70,000 car.

InfoSec Links March 28, 2014

How To Disable Twitter Photo Tagging - Jerry Gamblin

This setting has been turned on by default. Here's how to turn it off if you wish to do so.

Thinking Beyond The Password When Protecting Your Online Accounts - Lee Munson - BH Consulting

Following my 'watch what you put on the internet' post is a link that talks about security questions. If you're using security questions whose answers can be found by searching social media, you're doing it wrong.

Windows XP will continue receiving security support in China - Michael Kan - PC World

Windows XP support ends next month, April 2014, but it looks like Microsoft will make bank by providing China with special support.

Information can be a powerful thing

Check out this article:

Trolling Wrong number style

Information, even something as simple as a phone number on Facebook, is a very powerful thing. What gets put on the internet stays there and can potentially be used against you.

Here's another article:

How Social Media Networks Facilitate Identity Theft and Fraud - by Kent Lewis - Entrepreneurs' Organization

Social networks are a powerful tool that we use on a day to day basis. Misuse can cause significant harm not only to yourself, but also to your family and friends.

Be careful what you're putting online.

Information Security Is More Than Electronic Security

15 years ago I worked at a movie theater. It was one of the best jobs I've ever had. A couple of days ago I got this letter in the mail:

On January 7, 2014, Carmike was notified by the IRS that certain Carmike employee W-4 cards were located during a search and seizure. The IRS believes the W-4 cards were stolen from Carmike's warehouse in Alabama. On February 7, 2014, the IRS provided Carmike with a copy of the W-4 cards that were seized. Your W-4 card was not one of the seized cards, but we believe additional W-4 cards were stolen. We have conducted an investigation and have been unable to determine which additional W-4 cards were stolen from our warehouse. We are providing you with this notice out of an abundance of caution since your W-4 card included your name, address, and social security number.

15 years ago I worked at Carmike Cinemas and filled out a W-4 form. Now, my information might not have been compromised, but there's no certainty of that. Whoever took those forms may have a piece of paper with my social security number, one of my old addresses, and my name. They can find my current address pretty easily with a little bit of searching, and they can find out I work in information security, which pays fairly well.

This wasn't some hacker getting past firewalls, intrusion prevention systems, and segmented networks. These were guys who walked out of a warehouse with stacks of W-4 forms, or found a bag of W-4s that hadn't been disposed of properly. In this digital age of identity theft, it's easy to forget that a piece of paper from your past could potentially hurt you financially.

There are some valuable lessons here:

  • Always ask why you're providing this information and whether it's necessary for whoever is asking to do their job (a W-4 form is necessary).

  • Shred all documents with your personal information when you don't need them anymore. This includes those unsolicited credit card applications.

  • Sometimes there is nothing you can do to keep your personal information from getting out there. Make sure you're checking your bank account on a regular basis for unknown charges.

Safety Starts With Strong Passwords

This is a post I wrote for work talking about how to create a strong password.

Creating a strong password is one of the best things you can do to keep both yourself and your accounts safe, both at work and at home. However, creating a strong password is not the easiest thing to do and requires a little bit of thought.

If you choose a long string of random characters, the password is strong but easy to forget. If you choose a much shorter password without any random characters, then it's easy for someone to guess. The idea is to find a balance between the two. A recent study of passwords that had been compromised showed the top 10 worst passwords in use were:

  1. 123456

  2. password

  3. 12345678

  4. qwerty

  5. abc123

  6. 123456789

  7. 111111

  8. 1234567

  9. Iloveyou

  10. adobe123

Fortunately, most places have a set of password requirements designed to keep your information safe. That does create a bit of a challenge for users, because you are typically required to change your passwords every three months. Here are some tips that will help make the seemingly daunting task of creating strong and memorable passwords a little easier.

Pick a Theme

Most organizations will require a password to be at least eight characters, with at least one special character and one number. Try to think of something in your life, non-work related, that has all three of those elements.

Some examples include:

  • Restaurant menu

  • Retail stores

  • Hardware stores

  • Legal documents

  • Food stores

Once you have a theme, start mixing and matching letters and numbers in a way that you can remember. For example, Chicken Strips for 14.99 from a restaurant could become ChSt14.99, ChcktRips14.99, or Ch1ck4Nst9i9s!

There are thousands of different passwords waiting to be thought up from everyday life. The one caveat is that if you create a password from your everyday life, make sure you're not posting that part of your life all over your social media site. It's pointless to use chicken strips as part of a password if you're tweeting about it for the world to see.

Pick a Phrase

Pick a phrase and then use a combination of letters, numbers and special characters to craft your password. For example, Take The Bull By The Horns could become T-tB-b-TH0, T8k-7@buLL-bi*7-h0rns, or T-T@8'8@T-H0. Be intuitive about it and craft it in a way that you can easily remember. The same rule applies here: don't use your own personal catchphrase that's on your social media profile. Don't use anything obvious, because phrases are easily searchable, especially if they're popular.

Other Ideas

The two suggestions above are only a couple of ways to create strong and easy-to-remember passwords. It just takes a little thought on the front end. Find something that works for you, and once you do, it's much easier to change and improve on a regular basis.
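As an added example (not from the original post), here is a small Python checker that encodes the policy the post describes (at least eight characters, one number, one special character), rejects the ten worst passwords listed above, and applies the post's social-media caveat by refusing a password built from words the user has already made public. The policy constants, the crude character-substitution table used to undo "1 for i" style tricks, and the sample personal words are assumptions for illustration; the example passwords are the post's own.

```python
import re
from typing import Iterable, List

# The ten worst passwords quoted in the post (copied from the list above).
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "123456789", "111111", "1234567", "iloveyou", "adobe123",
}

# Hypothetical policy matching the post: at least eight characters,
# at least one digit, at least one special (non-alphanumeric) character.
MIN_LENGTH = 8
DIGIT_RE = re.compile(r"[0-9]")
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")

# Assumed substitution table: undo the most common digit/symbol-for-letter swaps
# so that "Ch1ck3n" and "Chicken" compare equal in the personal-word check.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "@": "a", "$": "s", "!": "i",
})


def normalize(text: str) -> str:
    """Lowercase, undo common substitutions, and keep only letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def check_password(password: str, personal_words: Iterable[str] = ()) -> List[str]:
    """Return the list of policy problems; an empty list means the password passes.

    personal_words are things the user has posted publicly (menu items, catchphrases);
    a password that still contains one of them after normalisation is rejected,
    which is the post's "don't tweet about your chicken strips" rule.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not DIGIT_RE.search(password):
        problems.append("no digit")
    if not SPECIAL_RE.search(password):
        problems.append("no special character")
    if password.lower() in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")

    normalized = normalize(password)
    for word in personal_words:
        stem = normalize(word)
        # Ignore very short stems; they would match almost anything.
        if len(stem) >= 4 and stem in normalized:
            problems.append(f"contains personal word {word!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the user has tweeted about chicken strips.
    public_posts = ["chicken strips", "take the bull by the horns"]
    for candidate in ["password", "Iloveyou", "ChSt14.99", "ChickenStrips14.99",
                      "T8k-7@buLL-bi*7-h0rns"]:
        result = check_password(candidate, public_posts)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

The post's own examples (ChSt14.99, T8k-7@buLL-bi*7-h0rns) pass even when the theme words are public, because the abbreviation leaves no recognisable stem; a literal "ChickenStrips14.99" meets the length, digit and special-character rules yet is rejected once "chicken strips" is on the user's public profile, which is exactly the distinction the post draws.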

Information Security Link March 7, 2014

Surveillance by Algorithm: https://www.schneier.com/blog/archives/2014/03/surveillance_by.html

Bruce Schneier is one of the industry leaders in information security and, more specifically, a cryptographer. He is a very, very intelligent individual, and you will become smarter reading his work, guaranteed. In this particular blog post he takes some quotes made by the NSA and Google to task in regard to how they handle people's personal data.

The TL;DR version is:

The NSA version of the term ‘collect’:

“So, think of that friend of yours who has thousands of books in his house. According to the NSA, he's not actually "collecting" books. He's doing something else with them, and the only books he can claim to have "collected" are the ones he's actually read.”

Google says its algorithms, which read your email, are like your dog:

"To wit: when you're watched by a dog, you know that what you're doing will go no further than the dog. The dog can't remember the details of what you've done. The dog can't tell anyone else. When you're watched by a computer, that's not true."
