Whatever you put on a site, it is no longer private

There are a number of reasons why:

  • Your security settings may allow the public access to your information (unless you lock them down and monitor them for changes made by the hosting site)
  • The hosting site (eg: Facebook) has access to your information (you read the EULA, didn’t you?)
  • Law enforcement has access to your information (depending on jurisdiction, with or without a warrant)
  • Hackers may break in, steal, or social engineer their way to your information (the last is the most likely)

What are your options:

  1. Never post anything that would get you expelled, fired or arrested
  2. Don’t post anything that would get you kicked out of your house, break up your relationship or start a fight
  3. Don’t post anything that could be used against you

http://nakedsecurity.sophos.com/2014/06/30/facebooks-facing-a-losing-battle-to-protect-users-privacy/


Phone ‘Hacking’

Lots of news in the UK about phone ‘hacking’.

In short, it wasn’t ‘hacking’: the investigator used the default PIN to get access to the victims’ voicemails.

How does it work?

It varies between providers but in short, you can access a person’s voicemail even if you don’t have their phone; all you need is their number and their voicemail PIN (in this case it was the ‘default’ PIN).

Food for thought:

  1. Who still uses voicemail?
  2. If you have something important to say: call them, or text them asking them to call you back.

If you have a phone there are at least 3 passwords (PINs) you need to change from their defaults:

  1. Your SIM password so that no one but you can use that SIM
  2. Your phone password so that no one but you can use your phone
  3. Your voicemail password so that no one but you can access your voicemails.

More on phone hacking:
http://www.independent.co.uk/topic/PhoneHacking

The simple things in life are often the best.

It doesn’t matter how strong your defences are: if the operator/human is tricked, it is game over.

Malicious attacks targeting infrastructure (water, gas, electricity, telecommunications, etc.) could lead to a massive loss of life. Transport and the airline industry are big ones.

Something as simple as a social engineering attempt shows that, as long as humans control or have access to powerful systems, they will also be targets for attack.

The compromise started with a phishing attack in which email containing a malicious link was sent to people working in the aviation industry. The CIS said the attackers used a “public document” in selecting their victims, but did not identify the document.

The fact that the attackers were able to trick people into downloading malware that led to the compromise is “surprising, but not unexpected,” Murray said. “Simple attacks work.”

You’re a CxO of a company or a high-risk individual; you receive an e-mail and you fall for the trap. Now, is your company, family, reputation, etc. at risk?

If you need further proof that social engineering affects everyone, just ask the head of Australia’s military. His pictures were lifted from a site and used for a lonely hearts scam. This is the reverse scenario: leveraging someone’s position of power to carry off a scam.

Remember phishing:

  • Addressed in a personal nature
    • Connected via Facebook, ‘direct’ relationship to you
  • Something to get you to react
    • He has been single and is looking to meet up
  • Consequence should you fail to act
    • Missing out on an opportunity to meet someone
  • The con: need to send €300 to ‘him’ to arrange for costs

Side note: with greater access to anonymous methods of money transfer, traditional financial-gain crimes (scams, extortion, etc.) will become increasingly prevalent, brazen and harder to stop.

http://www.csoonline.com/article/2378585/data-protection/airport-breach-a-sign-for-it-industry-to-think-security-not-money.html

http://www.smh.com.au/national/defence-chiefs-identity-stolen-in-love-scam-20140628-3b0jk.html

Web of trust case study

A couple of posts back we were on the subject of the Web of Trust and Tinder hacking.

An article today has a good example of how both can be used and abused.

It is important to note that low-hanging fruit is fair game, and that by leveraging trust any campaign becomes just as effective against harder targets.

Key steps:

  • assume a trusted identity
  • leverage that trust to target associations (friends)
  • SocEng: Use a time limited situation (ie: an emergency) for personal gain

Not everything is what it seems.

Countermeasures:

  • Out of band: call them or email them, but don’t reply to the message itself (online dating, remember the burner phone)
  • Ignore: if it’s important, they will try again (use your best judgement! If it is an emergency, get in touch with a next of kin, etc.)

http://www.bbc.co.uk/news/technology-27922710

Free internet: it comes at a cost

It is a well known fact in security circles that if you do anything at all over an ‘untrusted network’ you must use some sort of countermeasure to ensure that you are not being watched.

Countermeasures usually mean encryption, that is, some sort of strong encoding that only you and the other party can undo.

Free internet can be set up by anyone, anywhere, and is very hard to verify unless you happen to be in the know.

Anything passing through it could be intercepted and analysed by the owner. It is giving your enemy a free lunch.

Encryption only makes the analysis harder, not impossible (and for a well-funded organisation it may not be that much harder).
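To make the last point concrete, here is an added example (mine, not from the original post) of what the owner of a free hotspot learns from the first client-to-server bytes of each connection without breaking any encryption. A plaintext HTTP request gives up the host, the path and everything in it. A TLS connection keeps the payload opaque but still gives up the server name, because the SNI field of the ClientHello is sent in the clear (TLS 1.2, and TLS 1.3 without Encrypted Client Hello). The hand-built ClientHello and the sample flows are constructed for this example.

```python
import struct

# Added example, not from the original post: a passive "hotspot owner" view of
# traffic. The ClientHello builder populates just enough fields for the parser.
HTTP_METHODS = {"GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "PATCH"}


def build_client_hello(server_name: str) -> bytes:
    """Hand-build a minimal TLS 1.2-style ClientHello record with one
    server_name extension (constructed sample, not a real capture)."""
    host = server_name.encode("ascii")
    name_entry = b"\x00" + struct.pack(">H", len(host)) + host   # type 0 = host_name
    sni_body = struct.pack(">H", len(name_entry)) + name_entry     # ServerNameList
    ext = struct.pack(">HH", 0x0000, len(sni_body)) + sni_body     # extension type 0
    body = (
        b"\x03\x03"                       # client_version: TLS 1.2
        + b"\x00" * 32                    # random (zeroed in this sample)
        + b"\x00"                         # session_id length 0
        + b"\x00\x02\xc0\x2f"             # one cipher suite
        + b"\x01\x00"                     # one compression method: null
        + struct.pack(">H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                   # skip version (2) + random (32)
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                       # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                       # compression_methods
    if pos + 2 > len(body):
        return None                            # no extensions at all
    end = min(pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000:
            continue
        p = 2                                  # skip ServerNameList length
        while p + 3 <= len(edata):
            ntype = edata[p]
            nlen = struct.unpack(">H", edata[p + 1:p + 3])[0]
            name = edata[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0 and len(name) == nlen:
                return name.decode("ascii", "replace")
    return None


def extract_http_request(payload: bytes):
    """Return (host, request_line) from a plaintext HTTP/1.x request, or None."""
    try:
        head = payload.decode("ascii").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith("HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return host, parts[0] + " " + parts[1]


def hotspot_view(flows):
    """Classify each (client, server, first_bytes) flow the way a passive
    hotspot owner can: what is readable and what stays opaque."""
    seen = []
    for client, server, payload in flows:
        req = extract_http_request(payload)
        if req is not None:
            seen.append((client, server, "http", req[0], req[1]))
            continue
        sni = extract_sni(payload)
        if sni is not None:
            seen.append((client, server, "tls", sni, "(payload encrypted)"))
        else:
            seen.append((client, server, "unknown", None, None))
    return seen


# Constructed sample traffic: one plaintext login, one TLS connection, one blob.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10",
     b"GET /login?user=alice HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"),
    ("10.0.0.5", "203.0.113.20", build_client_hello("mail.example.net")),
    ("10.0.0.7", "203.0.113.30", b"\x00\x01\x02"),
]

if __name__ == "__main__":
    for row in hotspot_view(SAMPLE_FLOWS):
        print(row)
```

Run it and the third column shows the difference: the HTTP flow leaks the username in the path, the TLS flow leaks only the hostname, and the unknown blob leaks nothing but the endpoints. Even the "tls" row is enough for the hotspot owner to know which mail provider, bank or dating site you talked to, which is the point of the Ars article linked below.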

The other and more important issue is our ‘trust’ in applications. Dave Porcello, CTO of Pwnie Express (a company that makes ‘interesting’ gear), said, “We just look for apps that work and trust them, because they help get work done.”

Applications are created by people, people are not perfect, applications are not perfect.

Application vendors are usually there to make money and do not always focus on privacy, and yet we place our trust in them by giving them sensitive information which may include:

  • Name
  • Address
  • Date of birth
  • Geo location
  • Pictures
  • etc.

If the application developer is not taking steps to secure this information, then The Enemy will have a field day.

In short, if you don’t need the application, don’t use it. If you ‘do’ need the application, don’t give it personal information (or use aliases… remember aliases?)

This article is a good case study:
http://arstechnica.com/security/2014/06/what-the-nsa-or-anyone-can-learn-about-you-from-internet-traffic/

Takeaways:

  • Don’t use free internet!
  • Use line/network encryption (a VPN does not always use encryption)
  • Badger your application developer to make sure their applications are created with security and privacy in mind
  • Use the latest version of any application you use

Your friend could be your weakest link

Picture this:

  • you were at a location that you were not supposed to be at
  • a friend takes a snap and posts it on a social media site
  • your friend’s security settings are quite lax
  • the world can see that you were at that location
  • The Enemy(tm) searches for you but you have good OpSec so you’re ok
  • The Enemy(tm) expands their search to affiliates, associations, etc.
  • The Enemy(tm) finds your friend
  • The Enemy(tm) finds your photo
  • sprung!

People that are connected to you form a web of trust. You trust them to be a connection whether it be friend, business associate, etc. These connections are people that you trust with a certain amount of information about you (online or otherwise).

Depending on your influence, your web of trust could be quite large, multi layered and complex.

As we’d like to keep things simple here, let’s say that your web of trust is online via a well known social networking site.

Now, if one of your connections were to be compromised, as shown by the opening example, you’ll have a lot of explaining to do.

As an attacker, our job is to find the weakest link and exploit it, even if that means finding your web of trust and using them as leverage to achieve a goal.

Naturally, if you’re a target, you may want to tighten up your web of trust or communicate this scenario to your own web. Increasing the strength of your weakest link increases the security of everyone in it.

There is even a tool to find your web of trust:
http://www.theregister.co.uk/2014/06/03/rejected_researcher_builds_facebook_friends_harvester/
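The opening scenario, as an added example that is not part of the original post: a toy social graph where each user decides whether their friend list and each post is public, and an outsider who can only read public data. Starting from one known association (here ‘dave’, assumed to have been found on something like a public employer page), the walk follows only public friend lists, the same idea as the friends harvester linked above, and collects every public post tagging the target. The users, posts and captions are constructed.

```python
import copy
from collections import deque

# Added example, not from the original post. Constructed social graph: "you"
# have good OpSec (private friend list, no posts); "bob" does not.
SOCIAL_GRAPH = {
    "you":   {"friends": {"bob", "carol"}, "friends_public": False, "posts": []},
    "bob":   {"friends": {"you", "dave"}, "friends_public": True,
              "posts": [{"public": True, "tags": {"you"},
                         "caption": "Great night at the castle!"}]},
    "carol": {"friends": {"you", "dave"}, "friends_public": False,
              "posts": [{"public": False, "tags": {"you"}, "caption": "Lunch"}]},
    # dave: an association found elsewhere (assumption: e.g. a public employer page)
    "dave":  {"friends": {"bob", "carol"}, "friends_public": True, "posts": []},
}


def attacker_view(graph, target, seeds):
    """Outsider's search for the target: breadth-first over public friend
    lists only, starting from known associations. Returns a list of
    (post_owner, caption, path_of_users) for every reachable public post
    that tags the target."""
    path = {s: [s] for s in seeds}
    queue = deque(seeds)
    exposures = []
    while queue:
        user = queue.popleft()
        node = graph[user]
        for post in node["posts"]:
            if post["public"] and target in post["tags"]:
                exposures.append((user, post["caption"], path[user]))
        if not node["friends_public"]:
            continue                      # cannot enumerate this user's friends
        for friend in sorted(node["friends"]):
            if friend not in path:
                path[friend] = path[user] + [friend]
                queue.append(friend)
    return exposures


def weakest_links(graph, target):
    """Direct connections whose settings expose the target: a public friend
    list (reveals the association) or a public post tagging the target."""
    risky = set()
    for friend in graph[target]["friends"]:
        node = graph[friend]
        leaks_post = any(p["public"] and target in p["tags"] for p in node["posts"])
        if node["friends_public"] or leaks_post:
            risky.add(friend)
    return risky


def harden(graph, user):
    """Return a copy of the graph with one user's friend list and posts made
    non-public, so the effect of tightening a single link can be re-checked."""
    g = copy.deepcopy(graph)
    g[user]["friends_public"] = False
    for post in g[user]["posts"]:
        post["public"] = False
    return g


if __name__ == "__main__":
    print(attacker_view(SOCIAL_GRAPH, "you", ["dave"]))      # bob's photo, via dave -> bob
    print(weakest_links(SOCIAL_GRAPH, "you"))                 # {'bob'}
    print(attacker_view(harden(SOCIAL_GRAPH, "bob"), "you", ["dave"]))   # []
```

Your own settings never enter into it: the photo is found through dave’s public friend list and bob’s public post, and fixing bob alone closes the path. That is the conversation to have with your web of trust.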