September 11, 2011

Un-stealthify short links

Have you ever seen a short link and wondered where it leads, without visiting it? You never know where it will take you. We all use these services ourselves for legitimate purposes, but we also know there have been, and continue to be, numerous attacks using these link shortening services.

Well, unlike Kiss' Unmasked album, where the band doesn't show their faces as promised, I recently found a very handy website that will show you where that short link leads to. This website gives you a way to see the link without having to visit it directly. Check it out.

http://unshorten.com/

July 5, 2011

World Economic Forum Global Risks 2011 Report (Jan 2011)


This past January 2011, the WEF released a report which detailed out what they see as the global risks in 2011 (http://riskreport.weforum.org/). The report is called Global Risks 2011 Sixth Edition: An Initiative of the Risk Response Network (http://riskreport.weforum.org/global-risks-2011.pdf).

It's an interesting read especially for those of us who deal with risk regularly in our profession. They identified two cross-cutting global risks, focused on 3 risk clusters, and noted 5 risks to watch.

The two cross-cutting global risks are Economic Disparity and Global Governance Failures. They note that these influence many other global risks and are a result of globalization. Quote from the report:

"Globalization has generated sustained economic growth for a generation. It has shrunk and reshaped the world, making it far more interconnected and interdependent. But the benefits of globalization seem unevenly spread – a minority is seen to have harvested a disproportionate amount of the fruits. Although growth of the new champions is rebalancing economic power between countries, there is evidence that economic disparity within countries is growing."

The 3 risk clusters they focus on are the "macroeconomic imbalances" nexus, the "illegal economy" nexus, and the "water-food-energy" nexus.

Illegal Economy Nexus:
This nexus examines state fragility, illicit trade, organized crime, and corruption. Quote from the report:

"A networked world, governance failures and economic disparity create opportunities for such illegal activities to flourish. In 2009, the value of illicit trade around the globe was estimated at US $1.3 trillion and growing. These risks, while creating huge costs for legitimate economic activities, also weaken states, threatening development opportunities, undermining the rule of law and keeping countries trapped in cycles of poverty and instability.
International cooperation – both on the supply side and on the demand side – is urgently needed."


For those of us who are constantly fighting cyber criminals it's nice to see a validation of what we've been saying about how it's growing rapidly, threatens our economies, and we are lacking the legal tools (policies, cooperation between countries) to help with deterrence and prosecution.

Speaking of cyber security, it's identified as one of the 5 risks to watch. Interestingly survey respondents assessed them with low levels of confidence while experts consider they may have severe, unexpected or under-appreciated consequences. The specific text in the report was:

"Cyber-security issues ranging from the growing prevalence of cyber theft to the little-understood possibility of all-out cyber warfare."

They note 4 distinct global risk-related activities as stand outs:
* Cyber theft
* Cyber espionage
* Cyber war
* Cyber terrorism

I'm particularly concerned with cyber theft. From the report:

"Cyber theft has become a growing industry with a long tail, particularly in countries where economic disparity has recently been combined with access to global communication technologies. Actors in this field range from entrepreneurial individuals to shell corporations built with the hope of economic gains offset by acceptable risks. Interestingly, some assessments indicate that cyber thieves experience a substantially lower feeling of guilt than is apparent in other criminal activities."

They spell out the potential for disruption causing a large impact:

"The pervasiveness of the Internet and importance of related technologies to everyday life and business means that should a major disruption occur, it is likely to have high impact globally."

I agree wholeheartedly!

I recommend checking out the report (link below). It's an interesting read.
http://riskreport.weforum.org/global-risks-2011.pdf

Main site:
http://riskreport.weforum.org/

June 27, 2011

Would you grant complete access to your Twitter account?

Rafal Los posed the question recently in his blog: "am I too paranoid?"

The context is he was speaking about a Twitter statistics website that he found which requires your login credentials in order to provide capabilities beyond statistics. Being the good security-minded chap that he is he looked into what this widget will do for you if you provide your credentials. Here's what he found.

It will...

* Read Tweets from your timeline.
No worries here, everyone can do that.

* See who you follow and follow new people.
Okay to the "see who you follow" part, that's public. ...wait, "follow new people"? Why? What makes it think I want to follow these people it auto-follows? Nope, don't like this. I would accept suggestions on who to follow though.

* Update your profile.
Huh? What for? What would it add? Don't like that. Rafal mentions he doesn't even let his marketing people do that. Heh, I don't have marketing people but if I did I might let them access it...well maybe.

* Post Tweets for you.
What are you going to post? Advertisements spamming ppl? That'd get me fewer followers. Ah no, no you won't you lil widget, you won't be doing this.

* Reading direct messages.
Excuse me! Why? For what purpose?

There's no way I would want a widget like this to have complete access to my Twitter profile. Am I too paranoid like Rafal? Maybe, but I think for good reason, well, many reasons. One such reason is the need-to-know principle. In my opinion, this widget does not need access to some of the areas it accesses. It's the same reason why I don't give out my social security number easily or without asking why they need it. At the DMV, sure, at a department store, nope.

So no Rafal, you aren't being too paranoid...you're being sensible, safe, smart.

Check out Rafal's blog, he writes some good stuff.
http://h30499.www3.hp.com/t5/user/viewprofilepage/user-id/604516

Entry related to this topic:
http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/Am-I-Just-Too-Paranoid-Federating-Identity-by-Twitter/ba-p/2414931

June 24, 2011

Get your milk, bread, beer, and ID theft insurance from one place...huh?

"Honey on the way home from work pick up some milk, bread, bananas, pound of hamburger, and identity theft insurance." "Wait, what?"

Bet you never heard that one before. So I was in Kroger(1) the other day picking up some of the staples and as I was walking past the end of an aisle I saw something that stopped me in my tracks: a brochure advertising identity (ID) theft protection.
My jaw dropped. I mean, come on, who goes to a grocery store to pick up ID theft protection? Not the place I would expect it.

A division of Kroger called Kroger Personal Finance offers something called PrivacyGuard. Essentially it's a monitoring service which will watch your credit cards and credit information, alerting you if any anomalies are detected. It will also alert you when someone requests your credit report.

Unfortunately it won't alert you when you are low on milk or bread. Maybe that's another service Kroger should offer: Kroger Food Pantry Monitoring. ;) Makes a little more sense than ID theft insurance.

(1) This blog posting is in no way endorsing any brand or product.

April 3, 2011

Major breach exposed customers of major brands

There's been a data breach (article 1, article 2) at one of the largest marketing services companies around and your email might have been exposed. The breach occurred at a company called Epsilon which handles email communications for many big brands such as Capital One, Citi, Disney, etc. Their website boasts over 2,500 clients including 7 Fortune 10 companies.

At this time the list includes about 15 companies but it's been growing, so even if you've not done business with one of the companies listed below, one that you have done business with might have been exposed.

Criminals are using the emails to send malicious software (in the form of PDFs or other documents) and/or links to websites that lead to malicious software and/or phishing scams. Be alert. Here's the list of companies confirmed to have been exposed at this time (some have links to notifications):

UPDATE 06-APR-2011 (LIST UPDATED):
1800-Flowers
Abe Books
AbeBooks
Air Miles CA
Ameriprise Financial
Barclays Bank
Beachbody
Bebe Stores Inc.
Benefit Cosmetics
BestBuy
Brookstone
Capital One
Charter Communications (Charter.com)
Citibank
City Market
Dillons
Disney
HSN (Home Shopping Network)
Eddie Bauer
Eurosport/Soccer.com
Food 4 Less
Fred Meyer
Fry's
Hilton Worldwide
JP Morgan Chase
Kroger
Jay C
King Soopers
Kroger
LL Bean Visa Card
Lacoste
Marriott International
Marriott Rewards
McKinsey & Company
Moneygram
New York & Company
QFC
Ralphs
Red Roof Inns Inc.
Ritz-Carlton
TiVo
Robert Half
Smith Brands
TD Ameritrade
TIAA-CREF
Target
The College Board
The Home Shopping Network
TiVo
US Bank
Verizon
Walgreens
World Financial Network National Bank

April 2, 2011

NSA to investigate NASDAQ hack


Several sources are reporting that the National Security Agency (NSA) is looking into the breach that the company that runs NASDAQ experienced back in October of 2010.

Bloomberg News interviewed the former head of U.S. counterintelligence in the Bush and Obama administrations, Joel Brenner, who stated “By bringing in the NSA, that means they think they’re either dealing with a state-sponsored attack, or it’s an extraordinarily capable criminal organization.”

It's being reported that other U.S. Federal Govt agencies (FBI, Secret Service) are assisting as well.




Kim Zetter (@KimZetter) over at Wired Magazine has a good article on this topic:
http://www.wired.com/threatlevel/2011/03/nsa-investigates-nasdaq-hack/

Happy Birthday Portable PC

April 3, 2011: On this day 30 years ago something occurred in the PC industry that started what I'll call a revolution: the portable PC was introduced. In 1981 journalist and book author Adam Osborne released the 24 pound Osborne 1 computer. The machine was state of the art back then with a 5-inch CRT, disk drives that stored 102KB of data, 64KB of RAM, and a full size keyboard. It could even fit under the seat on a plane. But it was heavy and could not be used without plugging into an AC socket; it did not have a battery.

An interesting piece of history is that one of the co-designers, Lee Felsenstein, theorized that the concept might have been borrowed from a couple of Apple employees who failed to sell the idea to Steve Jobs.

More information about the Osborne 1 can be found here.

Happy Birthday Portable PC

March 9, 2011

Malware targeting BlackBerrys



According to Trend Micro, a ZeuS banking trojan is targeting BlackBerry mobile devices. Previously, ZeuS variants had been spotted targeting only mobile devices running Symbian and Windows Mobile.

This story just helps bolster the point that malware's growth will occur in the mobile device world. Strap in your seatbelts, we're in for a rough ride!

http://www.finextra.com/news/fullstory.aspx?newsitemid=22336

February 9, 2011

Great Cleveland Security Event: BSidesCleveland

I wanted to direct your attention to a great security event being held in Cleveland next week: BSidesCleveland. It's a one-day event on Friday February 18, 2011 filled with interesting speakers and topics and great opportunities to network with your peers.

A local security group that I founded, the Northeast Ohio Information Security Forum, is one of the sponsors. The other local sponsor is SecureState.

Seating is limited, and if you don't have a ticket you are out of luck because it's sold out. You can still follow the goings-on there via Twitter @BSidesCLE.

You can find out more about BSidesCleveland here:
http://www.securitybsides.com/w/page/27427415/BSidesCleveland