Facebook’s New Features

With new modifications implemented on Facebook, and without proper changes to some privacy settings, your friends can see your current activities, such as what game you're playing, which websites or articles you are currently visiting, and even what music you are listening to, without your consent to share this information. With all of these new 'real time' apps on Facebook, it brings up the common question: "Where is the line drawn at which the information being broadcast is getting too personal?"

Another new feature that will be added to Facebook is a timeline. It has already been documented that this timeline could prove to be a "gold mine" for harvesting information about people. The information would be displayed in chronological order, and could potentially increase the risk of the user being "cyber-stalked". The information provided in the timeline could also help a criminal guess your passwords, since most users generally use personal information as their credentials.

Overall, I think that the new modifications on Facebook will take some 'getting used to'. It is becoming more of a controversy whether the information displayed on the website, with or without the user's knowledge, is a privacy concern.



Biometric Authentication Systems

Many companies are now looking for ways to leave behind the "password". The problem with using passwords is human error. Many people just make really simple passwords that are easy for them to type and/or remember. Many times it is not just simple passwords; some employees are willing to trust anyone with their password. This leaves a huge security risk for companies, because many of their employees have access to sensitive information, and if their account is compromised then there will be problems.

Biometric security systems fix many of the problems with passwords. Biometrics provides faster access to secure documents, which in the end leaves employees happy. It also prevents people from letting others know their password, because you can't really lend a finger or an eyeball. Biometrics is improving and now offers things like USB fingerprint scanners, which allow users to easily access their account from multiple systems. Biometrics for mobile platforms is also being developed, which will give users even more ways to access their accounts. Biometrics still has security risks, but it is much more secure than passwords.

Internet Legislation in the Era of Digital Warfare

Ever since the inception of CYBERCOM (a newly created branch of the US Department of Defense that deals with cyber strategy, security and networking for the military), there has been a noticeably heightened sense of awareness here in the US, due to the increased attention given to a number of cyber attacks sustained by government and civilian networks over the past two years. These attacks range from hacktivism (like the DDoS attacks on PayPal), to espionage (like the Chinese cyber attacks), and even fraud (like the recent Bitcoin scams). However serious all these attacks may seem, the most serious of them cross into the realm of cyber terrorism (examples include the successful disabling of government networks, and multi-city blackouts caused by hacking).

If the increased number of proposed legislative bills is any indication, the US government is trying to be proactive in answering a very serious question – how can it protect itself and the nation against cyber attacks, especially attacks targeting critical infrastructure? While some proposals (like the Cyber Security Enhancement Act of 2010) suggest improving cyber security technical standards, other proposals are more controversial. Take, for instance, the proposed amendment to the Homeland Security Act, which would give the president almost limitless power to restrict internet access to protect national interests, in the form of a figurative 'internet kill switch'. And even though the idea of using regulatory power to restrict communication or access is not new in the United States (see the Communications Act of 1934), the fact that it could now be applied to the open landscape of the internet has inspired many arguments for and against proposals to regulate internet use. With all this being said, it makes me wonder – do people fear the government abusing this power more than they fear the outcome of an actual attack, or vice versa? Could that fear, whatever its origin, result in a far less open version of the internet than Americans now know?

Whatever the case, government officials are closer than ever to reaching a consensus on these issues. The only thing Americans can hope for is that the measures being put in place today help mitigate the fallout of possible attacks in the future, and create a more capable cyber security defense for American networks and infrastructure.

To learn more about new legislation or to track the progress of proposed legislation, please visit http://govtrack.us.

*The image in this post is being used for educational purposes, and is owned by Ars Technica.

USB Dead Drops

Dead Drop

The first time that I heard about Dead Drops, I was intrigued by the idea behind them: offline public file sharing using USB thumb drives that are built into buildings. But then I realized how bad this idea is from a security standpoint. Autorun scripts, viruses hidden in image files, etc. could very easily be planted on these thumb drives and then installed on an unsuspecting machine. The FAQ page at deaddrops.com suggests using a virtual machine to read the drive, but even then it is not always easy to tell whether the USB port is passed directly to the virtual machine or whether the data first goes through the host OS. If the latter, this is no more secure than using no virtual machine at all. Another option is to use a machine that is dedicated to connecting to Dead Drops. This works as long as it stays dedicated to Dead Drops. Even then, though, if the Dead Drop isn't actually a real Dead Drop and is instead wired to 110V wall power (for example), good luck trying to fix your computer.
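The post lists the kinds of things a dead drop can carry (an autorun file, executables dressed up as images). The following is an added example, not code from the post or from deaddrops.com, of the sort of read-only triage a dedicated machine could run over a mounted drive before any file is opened: it flags an `autorun.inf`, directly executable extensions, double extensions such as `photo.jpg.exe`, and image or PDF files whose leading bytes do not match their extension. The sample drive contents, the file names and the short list of executable extensions are constructed for the example.

```python
import tempfile
from pathlib import Path

# Leading bytes ("magic") of a few formats that look harmless on a file listing.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# Extensions that Windows runs directly when double-clicked (short, constructed list).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".pif"}


def classify_file(path):
    """Return a list of reasons a file on untrusted media deserves attention."""
    findings = []
    ext = path.suffix.lower()

    if path.name.lower() == "autorun.inf":
        findings.append("autorun.inf present: would auto-launch on hosts with AutoRun enabled")

    if ext in EXECUTABLE_EXT:
        inner = Path(path.stem).suffix.lower()        # "photo.jpg.exe" -> ".jpg"
        if inner in MAGIC:
            findings.append(f"double extension: looks like {inner} but is {ext}")
        else:
            findings.append(f"directly executable extension {ext}")

    if ext in MAGIC:
        head = path.read_bytes()[:16]                # only read, never open with a viewer
        if not any(head.startswith(m) for m in MAGIC[ext]):
            findings.append(f"content does not match {ext} signature (starts with {head[:4]!r})")

    return findings


def inspect_drive(root):
    """Walk a mounted (ideally read-only) drive and map relative path -> findings."""
    root = Path(root)
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            found = classify_file(p)
            if found:
                report[p.relative_to(root).as_posix()] = found
    return report


def build_sample_drive(root):
    """Constructed stand-in for a dead-drop drive: two suspicious files, two clean ones."""
    root = Path(root)
    (root / "autorun.inf").write_text("[autorun]\nopen=photo.jpg.exe\n")
    (root / "vacation.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)   # real JPEG header
    (root / "funny.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 32)           # PE header, .jpg name
    (root / "photo.jpg.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 32)
    (root / "notes.txt").write_text("shopping list\n")
    return root


def demo():
    """Build the sample drive in a temp dir and return the inspection report."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_drive(build_sample_drive(tmp))


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Mount the drive with `noexec,nodev` (or the platform equivalent) before running anything like this, and treat a clean report as "nothing obvious", not as a clean bill of health: a document exploit inside a well-formed PDF passes the signature check by design.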

See also:

[EDIT: After I posted this I was checking xkcd and the current one is relevant- http://www.xkcd.com/956/] 

Image above credited to Aram Bartholl (Creative Commons By-NC-ND).

Evil-VNC: A VNC Server Injector

There have been countless trojan/backdoor viruses made over the last decade, some more complex than others, but all unnerving nonetheless. There is one in particular, though, that I've always found to be a good example of how hackers can sometimes build ideas on top of normal, legitimate software.

Back in early 2000, remote access software known as RealVNC was released. Since then it has become widely used. Basically, it allows a computer to be remotely controlled by another computer. The server part is installed on the remote computer, and the computer accessing it uses the client part. RealVNC is meant for legitimate purposes. It doesn't really present a security threat, since it requires the cooperation of the remote computer and a password can be set for the server.

An example screenshot of the client viewing two other remote computers:

Around 2004, a hacker known as matiteman created a VNC server injector. He named it Evil-VNC. It can secretly install a VNC server on a remote host and run it automatically. The victim would not see anything or even know it was running. After installation the hacker would be notified immediately by the server, with the remote IP and the password for the connection sent to a preset CGI or PHP logger.

When it was first released it only had a few features, but it was eventually updated to include many more, such as file transfer and built-in file binding.

The hacker can use the RealVNC client to view his victims, but since the Evil-VNC server features a Java viewer applet, it allows remote control without any viewer application. This means the hacker could use any computer that has an internet browser with Java and watch/control their victims from there!

Although Evil-VNC is well detected by anti-virus products nowadays, its source code was released. Thus anyone with the know-how could crypt it with a crypter of their own, or with one that hasn't been used by other people.
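Because the injected server is a stock VNC server, the host-side footprint the post describes (a listening RFB port, the Java-viewer HTTP port, and an inbound session from the operator) is the same one a defender can look for, whatever packer the binary is wrapped in. The following is an added example, not code from the post or from any VNC project, that parses the output of Windows `netstat -ano`, joins it to a PID-to-image map (as one would take from `tasklist`), and reports VNC listeners on 5900-5999 (RFB display ports) or 5800-5899 (the Java-viewer HTTP ports) owned by a process outside an allowlist, plus any established session on an RFB port. The netstat lines, the process names and the allowlist of approved VNC server images are constructed for the example; adjust the allowlist to whatever your environment actually runs.

```python
# Ports are the conventional VNC assignments: RFB on 5900+N, Java viewer HTTP on 5800+N.
VNC_PORTS = range(5900, 6000)
VNC_HTTP_PORTS = range(5800, 5900)


def split_addr(addr):
    """'0.0.0.0:5900' -> ('0.0.0.0', 5900); also handles '[::]:5900'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Parse TCP rows of `netstat -ano` output into dicts (UDP rows have no state/PID column pair and are skipped)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            lhost, lport = split_addr(parts[1])
            fhost, fport = split_addr(parts[2])
            rows.append({"lhost": lhost, "lport": lport, "fhost": fhost, "fport": fport,
                         "state": parts[3], "pid": int(parts[4])})
    return rows


def find_vnc_indicators(rows, pid_to_image, allowed_images):
    """Return human-readable findings for VNC activity not explained by an approved server."""
    findings = []
    allowed = {a.lower() for a in allowed_images}
    for r in rows:
        image = pid_to_image.get(r["pid"], "<unknown>")
        listening = r["state"] == "LISTENING"
        if listening and r["lport"] in VNC_PORTS and image.lower() not in allowed:
            findings.append(f"unexpected VNC listener on {r['lhost']}:{r['lport']} by {image} (pid {r['pid']})")
        elif listening and r["lport"] in VNC_HTTP_PORTS and image.lower() not in allowed:
            findings.append(f"unexpected VNC Java-viewer HTTP listener on port {r['lport']} by {image} (pid {r['pid']})")
        elif r["state"] == "ESTABLISHED" and r["lport"] in VNC_PORTS:
            findings.append(f"active VNC session from {r['fhost']} to port {r['lport']} (pid {r['pid']}, {image})")
    return findings


# Constructed sample of `netstat -ano` output from a host with a stray VNC server.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       4128
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING       4128
  TCP    192.168.1.20:5900      203.0.113.45:51822     ESTABLISHED     4128
"""

# Constructed PID -> image map (what `tasklist` would give); "update.exe" is a made-up name.
SAMPLE_PROCS = {912: "svchost.exe", 4128: "update.exe"}

# Assumed names of the VNC server images your organisation actually deploys.
ALLOWED_VNC_IMAGES = {"winvnc.exe", "winvnc4.exe"}


def demo():
    return find_vnc_indicators(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCS, ALLOWED_VNC_IMAGES)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The port-based check is deliberately simple; a server bound to a non-standard port slips past it, so in practice pair it with the process allowlist applied to every listener and with egress logging that would catch the post-install notification to the operator's CGI/PHP logger.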