Clickjacking

Clickjacking seems to be going on a lot lately; you may have heard of it with the whole Facebook attack going on right now. Many people are victims of clickjacking attacks, and it’s a hard attack to detect. Many times it happens in the background without the user ever knowing. So what is clickjacking? Well, just check Wikipedia; it’s a good enough description: http://en.wikipedia.org/wiki/Clickjacking

Simply put by wired.com

Clickjacking, put simply, is when a button, image, video, or some form of embedded content on a website is overlaid by an invisible layer that sits on top of the site underneath it.

Wired.com also had a fairly good example explanation:

For instance, you may see a page with a movie embedded on it. You want to watch the movie, so you click on the play button. You don’t think twice about it — you’ve done it a million times. Meanwhile, a hacker has superimposed an invisible web page over the movie. It just so happens that a button allowing access to your camera and microphone has been placed over the movie’s play button. Now, when you think you’re playing the movie, you’re actually permitting the hacker to access your video camera and microphone.

So your click on something that isn’t what it seems to be causes bad things to happen, usually without you knowing. So how do you prevent it?

Keeping your browser and Flash Player up to date is the first step. Instead of repeating the rest of the information that’s already on the internet, here’s a link that will give you some tips:
http://howto.wired.com/wiki/Prevent_Clickjacking_Attacks#Upgrade_Flash_Player

 

Hopefully this information will help people who haven’t heard about clickjacking yet. For those who have, hopefully all of you, this is just a reminder to make sure you’re secure.

Android Updates taking too long?

Through some searching online and reading multiple articles I found that many users are not on the latest Android version. This can obviously be seen as a security problem. As with most software, updates often include important security fixes, and I doubt Android is any different. Although phones are shipped with a fairly recent version of the Android OS, the problem seems to be how long it takes before the user even gets an update to the latest version. It can be a long process before the provider offers the update to its users. An article on Computerworld explained it better:

Google releases code that is in turn adapted by hardware manufacturers, and that in turn is adapted by various service providers. The software release latency from Google to device is long in the best of situations, and insurmountably long in many others.

With smartphones becoming some of the more popular devices to target for attacks, I feel this long process for updates could soon become a big issue. That is, if it’s not already.

http://www.computerworld.com/s/article/9221844/Kenneth_Van_Wyk_The_security_implications_of_being_stuck_with_an_old_Android_OS

Hacker Vs. Hacker?

A recent news article over at InfoWorld ( http://www.infoworld.com/d/security/hacker-selling-access-compromised-websites-gets-hacked-178103 ) talks about a hacker by the name of Srblche. He is known to try to profit from hacking by compromising systems for money, and he also runs an online store selling access to high-profile websites and data. But the article doesn’t go into details about how he did these things, or talk about how he got caught. Instead, it talks about how a group of hackers known as d33ds decided to hack him.

Members of the hacking community accused Srblche in the past of stealing other people’s tools from underground forums and trying to profit from them, which might explain why d33ds targeted him.

“Anyone willing to pay for this service must be as stupid as he is,” d33ds wrote in its announcement of Srblche’s online catalogue being hacked. The group published information about the server, the password hashes of his customers and even the hacker’s administrative access code in plain text.

It’s common to think about how hackers break into people’s systems and try to steal things. What people don’t think about much is hackers hacking other hackers. This article made me start wondering how much this really goes on. Is it common for hackers to go after each other? I think it could easily be a common occurrence without it being known. The hacker being attacked has his ego and reputation to protect, and the hacker doing the hacking doesn’t want to get caught. So isn’t it possible this happens fairly often but details never get out?

Nationwide Attacks against Law Enforcement

Multiple law enforcement agencies nationwide have become targets of cyber attacks. While some have been more successful than others, a majority of these attacks are sure to be the work of the same group of hackers. It is believed that the hackers are trying to get access to databases that contain law enforcement officers’ personal information. That personal information being public could be very dangerous. At this point there isn’t a whole lot of concern; this is not the first time law enforcement agencies have been targeted, and they try to take some precautions to keep their data safe. Dothan Systems Analyst Robb Meredeth said:

We try to take our security in layers so that we have multiple layers so if any fail we’re still in good shape

He went on to say how they keep track of attacks:

We monitor success and failures of people trying to get into things. We would go back and start reviewing log-ons and access.

So for now the security of their systems is holding up well enough to keep any important data out of hackers’ hands. But if these attacks continue, it’s possible they could eventually get some important data they shouldn’t have their hands on. Robb later said:

It’s just like being an officer on the street you’re always aware of your surroundings and what’s going on but one thing that I’ve learned in my time with the new technology is that there’s absolutely no sure-fire secure system.

I agree that there’s no secure system, which means it’s only a matter of time before hackers succeed. It really made me start questioning what type of things the police have on their systems, and how good the security is for local police, since they most likely don’t have the same budget for security as the FBI. But just because their budget might not be as high doesn’t mean they don’t have information that could be dangerous if public.

Opera didn’t patch a vulnerability?

Opera recently released an update for its browser fixing a vulnerability with its handling of Scalable Vector Graphics (SVG) files. So yes it was fixed, but why did it take 362 days before it happened? I can’t answer that question, but Opera is denying it happened.

Computerworld posted news about this topic saying:

Security researcher José A. Vázquez stirred controversy at the beginning of last week when he released proof-of-concept exploit code for an unpatched vulnerability in Opera.

Making security issues public without notifying affected vendors in advance is generally frowned upon in the security community, but is not particularly uncommon. However, in this case, the researcher claims to have tried acting responsibly without success.

Jose claims that he reported this vulnerability to Opera through their SecuriTeam Secure Disclosure (SSD) program. After 362 days of waiting from when Opera was notified, a patch to fix this vulnerability was still not out. Jose decided to give them some encouragement by writing his proof-of-concept post on the internet, hoping that the vulnerability being publicly available would get Opera to fix the problem. Luckily this pushed them to fix it.

Opera tried to defend themselves by saying:

Opera admits being alerted about the flaw six months ago, as part of a larger report, but it claims that it couldn’t replicate the issue at the time. According to the vendor, its attempts to obtain more information from the researcher at the time weren’t successful.

Sigbjørn Vik also responded on behalf of Opera in a post saying:

we find out that a researcher – presumably the same original researcher – has found a way to modify the vector, so current Opera releases could be exploited. We received no details about this modified vector until the details of it were made public, effectively putting our users at risk from the issue, without us immediately having any way to protect them.

He blames Jose for putting Opera users at risk, which realistically Jose did. But if Opera had fixed this problem when it was originally reported, that would not have had to be done.

So Jose claims to have told them about a year ago. Opera claims to have found out about six months ago, and there was no patch until a little over a week ago, after they were slightly forced by the information about the vulnerability being posted. To me it sounds like Opera messed up somehow or just decided not to patch it for whatever reason. You can decide for yourself. Personally, if this was Chrome I’d be worried, but hey, it’s Opera, almost nobody uses it anyway.

http://www.computerworld.com/s/article/9221043/Opera_denies_refusing_to_patch_critical_vulnerability
http://my.opera.com/securitygroup/blog/2011/10/19/about-the-svg-font-manipulation-vulnerability-that-was-fixed-in-11-52
http://spa-s3c.blogspot.com/2011/10/spas3c-sv-006opera-browser-101112-0-day.html

Preventing skimming

For those who don’t know, skimming is when a person records the information on a credit or debit card without the person’s permission, and in most cases without them knowing. Skimming has been going on for a long time and continues to be a big issue. Just recently a German man was sentenced to three years in prison for bringing skimming equipment into the UK. SANS had an article about this in their news bits that read:

A German man has been sentenced to three years in prison for bringing card skimming technology into the UK. Thomas Beeckmann was arrested at Victoria Station in London in June; investigators say he was carrying sophisticated skimming equipment, some of which would allow users to retrieve data captured by skimmers through Bluetooth technology from a distance of 100 meters. Beeckmann’s sentence includes time for refusing to divulge his laptop encryption password to law enforcement officials as well as for possessing skimming equipment.
-http://www.bbc.co.uk/news/technology-15312057
-http://www.h-online.com/security/news/item/Sentenced-German-engineer-modified-card-terminals-for-criminal-gangs-1362217.html

Law enforcement in the United States as well as other countries is continuously investigating skimming attacks. But the problem I have found is that even with investigations and prison sentences, skimming attacks are still too easy to perform with little risk of getting caught. Equipment to perform simple skimming attacks is very easy to come by. A simple search around the internet and you can find a place to purchase some equipment at not too high of a price. Also, people don’t really watch out for skimming much, which makes it easy to get away with and not get caught. If people don’t know it’s happening, they’re not going to report it to the police. An article at merchantequip.com said:

Skimming most commonly occurs in restaurants, where the card owner loses contact with the card and a purchase is made. It takes about two seconds to scan a card through a portable reader, and the reader records all of the information on the credit card. Portable card readers are small enough that someone could easily conceal one in the pocket, sleeve, and even in their hand.

Which brings up the question: how many people even think about what’s happening to their card when they give it to the waiter or waitress at a restaurant?

What to do to prevent skimming? I doubt it will ever just stop happening, so the best thing to do is just be aware of how it can happen, and watch out for it. If you’re careful about how you use your card, and who you give it to, there’s less chance your card’s information will be stolen.

Why report a cyber crime?

Companies that become victims of cyber crimes sometimes question if they should report it. They figure they will try to increase their security and keep law enforcement out of it. They do this for a number of reasons; for example, they question if the information being publicly known will be bad for business. Also, some companies worry that company secrets may be leaked by law enforcement, especially if a case goes to trial. But the truth is the help of law enforcement might be worth the risk. Law enforcement has spent a good amount of time working with cyber crimes now, and they understand the necessary secrecy inside the company, and will try to work with companies to get the job done while being discreet. Nancy Gohring from IDG News Service reported on Networkworld:

Aravind Swaminathan, assistant U.S. attorney in the Western District of Washington, took pains to describe the lengths to which his office goes to be sensitive to the needs of companies that report crimes. He spoke during a cybercrime conference at the University of Washington School of Law on Friday.

“Everybody’s worried that their trade secret will end up on the front page of the paper,” he said. “Trade-secret cases are hard, but work with us. We aren’t obtuse. We know that’s the stock and trade of your business.”

Law enforcement will try their best not to cause problems for the company, and if the company doesn’t seek their help it could run into even more serious problems. If it comes out that a cyber crime happened and was not reported to the police, the company could end up being sued in the future. Also, if an attack is taking place, the company’s employees might not have the experience and knowledge to correctly fend off a cyber attack. Law enforcement in the cyber crimes field will most likely have the knowledge to assist with this and recommend ways to tighten up security, as well as analyzing what the most probable next target would be.

On a more personal computing note, it’s not only important for large organizations to report cyber crimes. Even simple home office cyber crimes should be reported. There’s no guarantee they will get the same attention from law enforcement as a corporate attack, and there may not be as much reason for you to report it. But the fact is a crime still took place and the police should be notified. If nobody reported cyber crimes then hackers would have nothing to be afraid of, and internet security problems would increase. So do your part in keeping the internet safe.

Office printer sending malicious emails?

Printers are obviously an important part of most offices, and lots of times we don’t really think of a printer as more than a printer. Why would we consider it a security threat, when it just prints paper? Well, the fact is there are many attacks that involve network printers. Some of the more recent printers are specifically a problem. Office printers are now being built with a scan-to-email feature. When a paper is scanned, the copy of that paper gets received through email. Attackers are taking advantage of this by sending emails that look as if they are from the printers, containing an attachment the same way the normal printers send the file. The difference is these attackers are sending a ZIP file containing an exe file inside. This is an example Symantec has on their website:

This exe is usually hidden by an icon of a Word document or something similar. This exe, when executed, installs malware on the system. The best way to prevent this is to try to filter out these emails, and educate employees about the possible threat. When receiving a ZIP file as an attachment, no matter who the sender is, you should take caution.
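
One way to do the filtering described above, as an added example that is not from the original post or from Symantec: open each ZIP attachment on an incoming message and flag any member whose final extension is runnable, which also catches names dressed up like `scan_0001.doc.exe`. The extension list, addresses, file names and the sample message are constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will run when double-clicked (illustrative list, not exhaustive).
RUNNABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def runnable_members(zip_bytes):
    """Names inside a ZIP whose final extension is runnable, e.g. 'scan.doc.exe'."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]  # cannot inspect it, so treat as suspicious
    return [n for n in names if os.path.splitext(n.lower())[1] in RUNNABLE]


def scan_message(raw_bytes):
    """Return (attachment name, member name) pairs that should be quarantined."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_zip = (name.lower().endswith(".zip")
                  or part.get_content_type() == "application/zip")
        if not is_zip:
            continue
        data = part.get_payload(decode=True) or b""
        findings += [(name, member) for member in runnable_members(data)]
    return findings


def build_sample(member_name):
    """Constructed test message shaped like a scan-to-email notification."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "printer@office.example"
    msg["To"] = "user@office.example"
    msg["Subject"] = "Scanned document"
    msg.set_content("Please find the scanned document attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="scan_0001.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for member in ("scan_0001.doc.exe", "scan_0001.pdf"):
        print(member, "->", scan_message(build_sample(member)))
```

A real scan-to-email job normally attaches the PDF or image directly, so a mail gateway can reasonably hold any "printer" message that carries an archive at all.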

More information can be found at:

Physical Thinking

For the most part people in the IT field are aware that security is important in many different areas. On our individual systems we install anti-virus software. On our servers we run firewall software and set up authentication methods to only allow specific users access. On our switches we set up access control lists and VLANs, and on our routers we may set up PPP with CHAP instead of HDLC. There are many different ways for things to be configured to get exactly what you want out of your technology. Lots of people understand the importance of learning how to get this functionality while still keeping your technology secure. But while you might have put hours of thought into your authentication methods and your firewalls to get them configured perfectly, did you accidentally forget to lock the door when you left? Or did you walk away from your desktop to get a cup of coffee without logging out?

Physical security is a very important part of security that many IT professionals overlook or don’t take as seriously as they should. As Robert L. Bogue said in “Lock IT Down: Don’t overlook physical security on your network”:

“Computers are unavoidably vulnerable to physical attack. Routers allow their passwords to be reset, server software-based security can be easily bypassed, and user passwords can be cracked and stolen. All of this is possible with a reasonable amount of physical access to the system.”

So while you may have your technical security in place, also take the time to form and implement an effective physical security plan. It is important to secure all components of your network, although for the most part the question of cost comes into play and limits you. For example, it could be a bad idea to keep Ethernet cables exposed, as it may be possible for an attacker to tap into those cables to perform man-in-the-middle attacks. In some cases fully securing all your Ethernet runs could be too costly and you may feel the money would be better used to install security specifically for your server rooms.

There are many different devices you can use for security, and being an Information Technology person, you may not be the most qualified to develop a physical security plan. So don’t just ignore it; go find someone who is knowledgeable in that area to help. For the most part, though, the devices used for physical security are very technology based, so you should have a good shot at learning how to use and implement them. At a minimum you want your equipment under lock and key. Nowadays there are better options than a simple key; with a key you may never know when someone used it, if they lost it, or if a copy was made. That is why a card access system might be better: you can keep track of who has accessed the locked area. Also, you can make things easier by assigning that person access to multiple areas with one card instead of needing to carry around a ring of keys.

Also, many biometric authentication options are available, all with the purpose of locking people out who shouldn’t have access, and allowing the person who should have access in. Some of these options include:

  • Retina scanning
  • Iris scanning
  • Fingerprints
  • Hand geometry
  • Facial recognition
  • Signature verification
  • Voice authentication.

Any of these could possibly be a good option for you. But in real basic terms do what you can to keep people away from your equipment who shouldn’t have access, while letting those who need access in. These security steps are important even if you don’t think you will become the target of an attack. There is always the possibility you will be a target and you need to be prepared. But also sometimes there’s just the curious employee who decides to mess around and see what he can do. So put the security in place to stop him.

Everyone in the IT world gets taught to back up their files, because you never know what could happen. But this brings us to another important point. Do those backups hold the same sensitive information you’re trying to secure? If they do, then you need to make sure the security to get to those backups is just as good as the security of the devices holding the original data.

To finish things off, if you haven’t thought about this yet you probably need to start thinking more about security. Install video cameras! If you can’t keep them out with your security at least you have video evidence of what happened. Or if you did keep them out now you can see who tried to get in. Ideally you should have someone monitoring the video, to also possibly respond to an obvious unauthorized access attempt.

Wi-Fi Security on Mobile Devices

Wireless security has been a fairly large security topic for a long time now, and it is one that should be taken very seriously. From a simple web search you will find information about how insecure WEP is, and that you should be using WPA/WPA2. But if you’re someone like me who often finds access points that are insecure, you may be wondering what type of chances you are taking by connecting to one.

Your best choice for security here is to simply not use this connection and find a more secure method of internet access. But we all know most people want the fast and easy way to get online and they’re willing to take the risk. Although it’s not the best option, if you’re going to connect to it just be smart and know what you’re doing. Eavesdropping isn’t too difficult on an insecure Wi-Fi connection. Anyone with a little computer knowledge could download some free software that captures your data being transmitted. Any packet sniffers such as the ones here could do the trick, but some are specifically programmed to search for login credentials of insecure websites. Now some people might think “What are the chances of this happening to me on this Wi-Fi network I just found?” Probably not extremely high, but the small chance that it will should make you cautious. It’s probably not worth giving someone your passwords just because you didn’t want to be careful and take the time to be secure.

There are a few simple things to check for to help keep yourself safe. When browsing, don’t enter any login information or personal information on websites if they are not secure. Check to make sure you’re on an HTTPS connection before you log in. You may find a website that you use that doesn’t offer HTTPS, and think “it doesn’t matter if someone finds out my information to access this site so I’ll just do it anyway.” Well, before you do that also consider: did you use that same login information on any other websites? Are you someone who uses the same username and password to log in on a gaming website as your PayPal account? If you’re not sure about something or a website you’re using, just don’t do anything unless you’re sure it’s encrypted. Also, if you’re using email clients you may want to make sure that is encrypted with SSL for both incoming and outgoing email as well. If you have it configured without encryption, that might be something to consider before you use it on an insecure network.

The best option is to connect through a VPN (Virtual Private Network), which you can read more about here. Simply put, everything sent through the VPN will be encrypted, which will allow you to browse more securely while connected through this insecure Wi-Fi connection by blocking out local eavesdroppers. The Wi-Fi network will still be insecure, but the packets you will be sending will be encrypted. VPN options are available for many devices, not just desktops and laptops. But if you can’t use a VPN, just be smart and know what you’re sending out that won’t be encrypted.

Wireless security is a very complex topic, and with many people not fully educated on how to set up an access point securely, it isn’t too uncommon to find one that is insecure or simply using WEP. I think most people would agree with me that WEP would also be classified as insecure. There are so many devices people bring with them nowadays that can connect to Wi-Fi, such as smartphones, laptops, tablets, and even mp3 players. Because of this, it’s important you understand the possible security risks of the Wi-Fi network you may connect to.