Ok, one more on application security.

Application developers must take responsibility for ensuring their clients’ security.

Poorly coded software combined with growing network complexity has increased the attack surface at many organisations and it is taking its toll financially, said Spafford.

He called for an investment in computer programming education and a move by software manufacturers to embed software security concepts early into the development process.

http://news.techeye.net/business/security-industry-run-aground

Also, personal information + poorly coded software + in the public = disaster waiting to happen.

Putting your passwords in the cloud is not a good idea…it’s like putting your cash in a suitcase and leaving the safe in the middle of a busy road.

http://www.darkreading.com/cloud/hacking-password-managers/d/d-id/1297250


Hotel (un)safe

Did someone mention that last week was hotel safety week…Do you think your hotel is safe?

Hotel Wifi is probably a bad idea but so are ‘free’ computers at hotel business centers.

What about your hotel safe? The reason hotels recommend that you put your valuables in the main hotel safe is that the room safe is…well, not as safe.

What are your options?

  • Obviously, don’t use any public computers…you don’t get something for nothing!
  • If you have to use Wifi, use an encrypted VPN
  • Hotel safes, yes, use the hotel’s main safe.
  • Credit card swipe safes: don’t use a credit card…if you have a store loyalty card, library card, etc (something that is not of value), use that. Better still, use the hotel’s main safe if it really is expensive or a pain to replace. Think what would happen if someone got your passport, …

http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-centers/

http://www.theregister.co.uk/2014/07/17/hotel_safe_unsafe/

Whatever you put on a site, it is no longer private

There are a number of reasons why:

  • Your security settings may allow the public access to your information (unless you tie it down and monitor it for changes by the hosting site)
  • The hosting site (eg: Facebook) has access to your information (you read the EULA, didn’t you?)
  • Law enforcement has access to your information (depending on jurisdiction, with or without a warrant)
  • Hackers may break/steal/social engineer their way through to get access to your information (more likely to be the last option)

What are your options:

  1. Never post anything that would get you expelled, fired or arrested
  2. Don’t post anything that would get you kicked out of your house, break up your relationship, start a fight.
  3. Don’t post anything that could be used against you

http://nakedsecurity.sophos.com/2014/06/30/facebooks-facing-a-losing-battle-to-protect-users-privacy/

Phone ‘Hacking’

Lots of news in the UK about phone ‘hacking’.

In short, it wasn’t ‘hacking’, the investigator was using the default password to get access to their voicemails.

How does it work?

It varies between providers but in short, you can access a person’s voicemail even if you don’t have their phone: all you need is their number and their voicemail PIN (in this case it was the ‘default’ PIN).

Food for thought:

  1. Who still uses voicemail?
  2. If you have something important to say: call them, or text them asking them to call you back.

If you have a phone there are at least 3 passwords you need to change:

  1. Your SIM password so that no one but you can use that SIM
  2. Your phone password so that no one but you can use your phone
  3. Your voicemail password so that no one but you can access your voicemails.
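As an added example (not from the post), a small check for the kind of voicemail PIN the phone ‘hacking’ story turns on: defaults and patterns that are trivially guessable. The weak-PIN list is constructed for this example and is not any provider’s actual default.

```python
import re

# Constructed list of trivially guessable PINs for this example; it is an
# assumption, not a list of any provider's real default voicemail PINs.
COMMON_PINS = {"0000", "1111", "1234", "4321", "2580", "0852", "1212", "6969", "1004"}


def _is_sequence(pin: str) -> bool:
    """True if every digit steps by +1 or -1 from the last (e.g. 2345, 9876)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def weak_pin_reasons(pin: str, phone_number: str = "") -> list:
    """Return the reasons a voicemail PIN is weak; an empty list means it passed.

    phone_number is optional: if given, a PIN that appears inside the number
    (e.g. the last four digits) is flagged, since that is the first guess made.
    """
    reasons = []
    if not re.fullmatch(r"\d{4,}", pin):
        return ["pin must be digits only, at least 4 of them"]
    if pin in COMMON_PINS:
        reasons.append("common default/guessable pin")
    if len(set(pin)) == 1:
        reasons.append("all digits identical")
    if _is_sequence(pin):
        reasons.append("ascending or descending sequence")
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] * 2 == pin:
        reasons.append("repeated pair pattern")
    digits = re.sub(r"\D", "", phone_number)
    if digits and pin in digits:
        reasons.append("pin appears inside the phone number")
    return reasons


if __name__ == "__main__":
    # Constructed sample number, not a real subscriber.
    for candidate in ("1234", "0000", "0123", "8371"):
        print(candidate, weak_pin_reasons(candidate, "+44 7700 900123") or "ok")
```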

More on phone hacking:
http://www.independent.co.uk/topic/PhoneHacking

The simple things in life are often the best.

It doesn’t matter how strong your defences are: if the operator/human is tricked, it is game over.

Targeting infrastructure (water, gas, electricity, telecommunications, etc.) with malicious attacks could lead to a massive loss of life. Transport and the airline industry are a big one.

Something as simple as a social engineering attempt shows that, as long as humans are in control or have access to powerful systems, they will also be targets for attack.

The compromise started with a phishing attack in which email containing a malicious link was sent to people working in the aviation industry. The CIS said the attackers used a “public document” in selecting their victims, but did not identify the document.

The fact that the attackers were able to trick people into downloading malware that led to the compromise is “surprising, but not unexpected,” Murray said. “Simple attacks work.”

You’re a CxO of a company or a high risk individual, you receive an e-mail, you fall for the trap. Now, is your company, family, reputation, etc at risk?

If you need further proof that social engineering affects everyone, just ask the head of Australia’s Military. His pictures were lifted from a site and used for a lonely hearts scam. This is a reverse scenario, where someone’s position of power is leveraged to carry off a scam.

Remember phishing:

  • Addressed in a personal nature
    • Connected via Facebook, ‘direct’ relationship to you
  • Something to get you to react
    • He has been single and is looking to meet up
  • Consequence should you fail to act
    • Missing out on an opportunity to meet someone
  • The con: need to send €300 to ‘him’ to arrange for costs

Side note: with greater access to anonymous methods for money transfer, traditional financial gain crimes (scams, extortion, etc) will become increasingly prevalent, brazen and harder to stop.

http://www.csoonline.com/article/2378585/data-protection/airport-breach-a-sign-for-it-industry-to-think-security-not-money.html

http://www.smh.com.au/national/defence-chiefs-identity-stolen-in-love-scam-20140628-3b0jk.html