Friday, July 10, 2009

Death by Facebook: What You Tweet Can Harm You!

Almost every one of us has at least one social networking account. Be it Twitter, Facebook, LinkedIn or MySpace, people are having a grand time updating friends, family and everyone else in their contact lists about what they are doing, where they are eating, what events they plan to attend, or simply how they feel at the moment.

When you are logged on to your account, it is easy to share information with everyone and anyone who will listen. What is more, social networking sites are two-way streets: you also get to know what is happening to everyone else. Understandably, in this laid-back world of microblogging, it is easy to give out too much information about yourself, your work, the company you work for and just about anything else.

It is easy to forget about online security.

Here are some ways to make sure that you do not get in trouble.

1. Create separate accounts for business and personal use. This may sound counter-intuitive when a lot of people already use more than one social networking site, but it is better to keep your personal contacts and business contacts apart. This helps you maintain a professional image with your business colleagues while keeping a personal touch with family and friends. Think about it: an employer could pass you over if they see Facebook pictures of you mooning somebody, and professional contacts might frown on your use of cuss words and inappropriate language.

2. Protect your company, its products, strategies and intellectual property. When people go online, it is easy for them to brag about their companies. Your status updates might be picked up by people working for your competitor, who would then be in a position to duplicate your company's efforts or sabotage them.

It could also make your company's resources a target for hacking attacks by people racing to be the first to leak your new products onto the Web. Case in point: the leaked photos of unreleased handsets from various mobile phone manufacturers that turn up on Engadget.com. Or it could be a much more serious hacking effort aimed at your company's research and development files and other trade secrets.

3. Watch what you click. If you have a Facebook account, you might be guilty of clicking anything and everything in your inbox, approving game requests, gift requests and other stuff like that. The thing is, when you click everything, there is a good chance that you will eventually click on a link that installs malware onto your computer.

4. Ranting. Avoid rants in your social networking updates. If you put your angry words out there, the people you do not want to read them will eventually stumble upon them. The first rule to follow is not to post anything when angry. The next, but equally important, rule is to watch what you say.

5. Too much information. If you have ever tweeted "Just withdrew my salary and eating at Burger King on Main Street!", congratulations: you have just marked yourself as a target for theft, kidnapping or new-age social engineering attacks. Try not to disclose your whereabouts. More importantly, do not disclose names, addresses and birthdays; this is exactly the information identity thieves use.

6. Use a different password for each social networking site. Most people use the same password for all their social networking sites. Some even use the same password for their work e-mail, personal e-mail and other online sites. Remember that every site has had its own application security vulnerabilities, and an attacker who exploits one could obtain your login details and then try them on every other site you use. Having your Facebook account hacked is bad enough, but having your personal e-mail read along with it would be even worse. If one site is compromised, different passwords limit the damage.

Thursday, May 28, 2009

Vulnerability Management in an Application Security World

Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in addressing the underlying risk. Managing application vulnerabilities is more challenging than dealing with traditional infrastructure-level vulnerabilities because it typically requires coordinating security teams with application development teams, and requires security managers to secure developer time during already-cramped development and release schedules.

Client Side Penetration Testing

Client-side exploits are the new remote exploit. If you aren't allowing client-side attacks during your vulnerability assessments or penetration tests, you are ignoring a huge attack vector and the attack method currently in use.


Thursday, April 9, 2009

How to Stay Secure in These Insecure Times?

This isn't an April Fools' story, but rather a depressing one about how easy it is to compromise a corporate network. Markoff's recent story in the New York Times got me looking for the research paper by Anderson and Nagaraja, which should be required reading for anyone in the email and network security space.

The paper describes a determined attack on the offices of the Dalai Lama's exiled government by purported agents of the Chinese government. It is a chilling account of how easily hackers can penetrate a network with a little social engineering and a lot of clever programming. While none of this is new, what is new is how much harder it is getting to keep the bad guys out.

The Tibetan government contacted the authors of the paper when they observed suspicious diplomatic behavior. The authors found the following disturbing items:
- A number of successful logins to the Tibetans' US-based hosting accounts came from Chinese IP addresses, none of which belonged to genuine Tibetan users,
- Social engineering was used to obtain the email identities of many Tibetan government officials, who were then sent a number of phishing emails,
- The emails carried rootkit programs masquerading as ordinary documents from apparently legitimate sources,
- Once Tibetan monks opened the attachments by mistake, the rootkits were used to harvest more information and compromise other users on the network.
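The first finding above, successful logins to the hosting accounts from addresses no genuine user would have used, is exactly the kind of thing a small check over the hosting provider's access log can surface. The following is an added example and not code from Strom's article or from the Anderson and Nagaraja paper: it assumes a one-line-per-login log format, an allowlist of networks genuine users log in from, and uses RFC 5737 documentation addresses as constructed sample data. It flags successful logins from outside the allowlist and notes when such a login follows a run of failures for the same account.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a hosting-account access log (one line per login
# attempt). Addresses are from the RFC 5737 documentation ranges, not real hosts.
LOG = """\
2009-01-12T08:02:11Z login user=office1 result=OK src=192.0.2.15
2009-01-12T08:40:53Z login user=office2 result=OK src=192.0.2.77
2009-01-12T21:17:05Z login user=office1 result=FAIL src=203.0.113.9
2009-01-12T21:17:41Z login user=office1 result=FAIL src=203.0.113.9
2009-01-12T21:18:02Z login user=office1 result=OK src=203.0.113.9
2009-01-13T09:05:30Z login user=office2 result=OK src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)

# Assumed allowlist: networks that genuine users log in from (office egress,
# VPN concentrator). A successful login from anywhere else is suspicious.
EXPECTED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse(log: str):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["src"] = ipaddress.ip_address(e["src"])
        events.append(e)
    return events


def is_expected(ip) -> bool:
    """True if the source address falls inside one of the allowlisted networks."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in EXPECTED_NETS)


def detect(events, fail_threshold: int = 2):
    """Alert on successful logins from outside the allowlist; note prior failures."""
    alerts = []
    fails = defaultdict(int)  # (user, src) -> failures since the last success
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            fails[key] += 1
            continue
        if not is_expected(e["src"]):
            reason = "success from unexpected network"
            if fails[key] >= fail_threshold:
                reason += f" after {fails[key]} failed attempts"
            alerts.append((e["ts"], e["user"], str(e["src"]), reason))
        fails[key] = 0
    return alerts


if __name__ == "__main__":
    for a in detect(parse(LOG)):
        print("ALERT", *a)
```

The allowlist is the weak part of this check: it breaks for staff on mobile connections, and an attacker who relays through a compromised machine inside an expected network is invisible to it. In practice one pairs it with a per-user baseline of previously seen networks or with geolocation, but even the crude version would have lit up on the pattern the paper describes.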

What is interesting about this case is the combination of malware and "good guessing" - which is really what social engineering is anyway -- by doing research on the Tibetans' communications to find plausible email addresses of their correspondents, so that the phishing emails would be more likely to be opened by the exiled monks. The guessing was made easier given the nature of the Tibetan diaspora and how open the monks are about their activities and outreach.

Here is the nut graph of the report:

"Until recently, one might have assumed that it would take a 'geek' to write good malware, and someone with interpersonal skills to do the social manipulation. But the industrialisation of online crime over the past five years means that capably-written malware, which will not be detected by anti-virus programs, is now available on the market. All an attacker needs is the social skill and patience to work the malware from one person to another until enough machines have been compromised to complete the mission. What's more, the 'best practice' advice that one sees in the corporate sector comes nowhere even close to preventing such an attack."

So what countermeasures can a typical corporate IT person take? Certainly, encrypted email should be used more, and while this is something that I have written about for more than a decade, I probably will still be writing about it 10 years from now. (None of the Tibetan emails were encrypted.) Second, when possible, use separate networks for external communications that don't contain operational elements of a company: don't put your payroll on your SMTP mail servers, use firewalls or even physically separate networks, and so forth. The authors state: "It would in our view be prudent practice to run a high-value payment system on a PC that does not contain a browser or email client, or indeed any other software at all." Of course, as the Internet becomes more pervasive, this becomes harder to do.

Next, don't open unexpected attachments, and certainly be careful when receiving unexpected documents, even from your usual correspondents. And as we conduct more business over social sites like Facebook and LinkedIn, be wary of what you receive there as well: the bad guys are using fake accounts and expanding their reach to phishing these sites. Just because someone is your "friend" doesn't mean that they are actually legit.

Finally, take a look at data leak prevention appliances and tools. While these are expensive, they can save your bacon and do a tremendous job at detecting abnormal situations. A good place to start is with Code Green Networks, one such product that I review over on my WebInformant.tv series of videos. The company tells me that every installation has resulted in finding someone doing something that they shouldn't be doing within the first week of use.

David Strom is a noted speaker, author, podcaster and consultant who has written two books and thousands of magazine articles for dozens of IT publications such as Computerworld, eWeek, Baseline Magazine, Information Week and Information Security magazine. His blog can be found at http://strominator.com, and he can be reached at david@strom.com. Article source: http://EzineArticles.com/?expert=David_Strom


Thursday, January 15, 2009

On Demand Security Testing Demo

We had been trying to come up with a cool demo of our On Demand Penetration Testing portal. Here is a first attempt at it.


video



Wednesday, January 7, 2009

Why DLP Will Be Hot in 2009


2009 is bringing new security challenges, and organizations have to be prepared for them. After analyzing the security incidents of past years, security professionals predict that organizations will face more data loss incidents in the coming year and, as a consequence, will be forced to comply with new data protection laws. Organizations today rely on high-speed networks for sharing and accessing information. Information travelling over these networks can be lost, and even a single data loss incident can impose a continuing cost on the organization. After a data loss, an organization is typically forced to:

    * Conduct an investigation to find the system flaws that allowed the breach
    * Repair the internal systems damaged by the breach
    * Deal with the applicable legislation, including breach-notification requirements
    * Undergo a number of external audits
    * Pay the fines imposed for the breach

Other consequences include increased oversight by regulatory bodies and lawsuits against the organization in several courts. All of these impose a lot of cost on the organization, and they present the following challenges for security professionals:

    * Protecting customers' sensitive and private information
    * Protecting the organization's intellectual property
    * Protecting storage devices from theft, fire or any other event by which stored information may be lost
    * Complying with data security standards
    * Protecting endpoints

Sensitive organizational data can leak at three distinct levels: (1) the endpoint level, (2) the network level and (3) the storage level. Different technologies address each level, and Data Loss Prevention (DLP) products cover all three: data in use on endpoints (USB drives, printing, clipboard), data in motion on the network (email, web, instant messaging) and data at rest in storage (file shares, databases). A DLP product inspects content against policy (customer records, source code, payment card numbers) and blocks or alerts when matching content is about to leave the organization. Organizations have to adopt DLP solutions and products to protect themselves from data breach incidents.
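To make the network-level inspection concrete, here is a minimal content check of the kind a DLP engine applies to outbound mail or web traffic. It is an added illustration, not code from any DLP product: it looks for payment card numbers (validated with the Luhn checksum so that arbitrary 13-19 digit strings such as order and tracking numbers are not flagged) and US Social Security Numbers in constructed sample messages, masks each match so the alert itself does not leak the data, and returns an assumed block/allow decision. The patterns, the sample text and the policy are all assumptions.

```python
import re

# Constructed sample messages for the demo (not real data). The card numbers are
# well-known test PANs, not customer numbers.
SAMPLES = [
    "Order 1234567890123 shipped, tracking 9400111899223",   # digit runs that are not PANs
    "Please charge 4111 1111 1111 1111, exp 12/26, thanks",  # Visa test PAN, passes Luhn
    "my ssn is 078-05-1120 for the form",                    # well-known example SSN
    "ref 4111111111111112",                                  # one digit off, fails Luhn
]

# 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN: area not 000/666/9xx, group not 00, serial not 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so alerts do not leak what they flag."""
    return "*" * (len(value) - keep) + value[-keep:]


def inspect(text: str):
    """Return a list of (type, masked_value) findings for one message."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drop digit runs that merely look like card numbers
            findings.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", mask(m.group())))
    return findings


def policy_action(findings) -> str:
    """Assumed policy: any PAN or SSN in outbound content is blocked."""
    return "BLOCK" if findings else "ALLOW"


if __name__ == "__main__":
    for msg in SAMPLES:
        f = inspect(msg)
        print(f"{policy_action(f):5} {f}  <- {msg}")
```

Pattern matching with a checksum is only the entry level of DLP content inspection; commercial products add exact-data matching against customer databases, document fingerprinting for intellectual property, and decoding of archives and office formats, because a card number inside a zipped spreadsheet attached to an email never reaches a regex that only sees the message body.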

Market Drivers for Data Loss Prevention (DLP):

Organizations are quickly adopting Data Loss Prevention (DLP) for various reasons, including:

   1. Risk to market reputation: No organization wants to lose its market reputation because of a data breach.
   2. Risk of financial fines: If your organization suffers a data breach, you will have to pay a lot of money in fines imposed by regulatory and compliance authorities.
   3. Compliance requirements: The DPA, HIPAA, GLBA and SOX are some of the regulations that force organizations to protect customer information and other sensitive information. Organizations that fall under these regulations adopt DLP to help comply with them.
   4. Competitive advantage: Organizations adopt DLP for competitive advantage by protecting their intellectual property.

Advantages:

   1. Helps the organization manage and share sensitive information
   2. Helps the organization achieve compliance
   3. Helps the organization protect its brand image and reputation
   4. Helps the organization automate policy enforcement
   5. Helps the organization reduce its risk exposure

Difference between Vulnerability Assessment and Penetration Testing

Many times we have seen customers ask about the difference between a vulnerability assessment and a penetration test. So here is a quick comparison of the two types of testing:

  • A Vulnerability Assessment is the process of identifying vulnerabilities on a network, whereas a Penetration Test is focused on actually gaining unauthorized access to the tested systems and using that access to reach the network or data, as directed by the client.
  • A Vulnerability Assessment provides an overview of the flaws that exist on the system, while a Penetration Test goes on to provide an impact analysis of those flaws: the possible impact of each flaw on the underlying network, operating system, database and so on.
  • A Vulnerability Assessment is more of a passive process: you use software tools that analyze network traffic and systems to identify any exposures that increase vulnerability to attack. Penetration Testing is an active practice in which ethical hackers are employed to simulate an attack and test the resistance of the network and systems.
  • A Vulnerability Assessment deals with potential risks, whereas a Penetration Test is actual proof of concept. A Vulnerability Assessment is a process of identifying and quantifying the security vulnerabilities in a system; it does not validate them. Validation can only be done by penetration testing.
  • The scope of a Penetration Test can vary from a Vulnerability Assessment to fully exploiting the targets to destructive testing. A Penetration Test includes a Vulnerability Assessment but goes one step further: you evaluate the security of the system by simulating the attack a malicious hacker would carry out.
  • For instance, a Vulnerability Assessment might identify the absence of anti-malware software on a system, or open ports, as a vulnerability. The Penetration Test determines the extent to which the existing vulnerabilities can be exploited and the damage that can be inflicted through them.
  • A Vulnerability Assessment answers the question: "What vulnerabilities are present and how do we fix them?" A Penetration Test answers the question: "Can an external attacker or internal intruder break in, and what can they get at?"
  • A Vulnerability Assessment works to improve security posture and develop a more mature, integrated security program, whereas a Penetration Test is only a snapshot of your security program's effectiveness.
  • A Vulnerability Assessment commonly goes through the following phases: Information Gathering, Port Scanning, Enumeration, Threat Profiling & Risk Identification, Network Level Vulnerability Scanning, Application Level Vulnerability Scanning, Mitigation Strategies Creation, Report Generation, and Support. A Penetration Testing service, however, has the following phases: Information Gathering, Port Scanning, Enumeration, Social Engineering, Threat Profiling & Risk Identification, Network Level Vulnerability Assessment, Application Level Vulnerability Assessment, Exploit Research & Development, Exploitation, Privilege Escalation, Engagement Analysis, Mitigation Strategies, Report Generation, and Support.