June 28, 2013

Facebook Bug Bounty Program Reward to Security Engineer

Recently Facebook rewarded $20,000 through its White Hat program, also referred to as the bug bounty program, to a security researcher for
reporting a newly discovered security bug. Facebook, like many major software or web-based companies, offers rewards as an incentive for experts to report rather than exploit newly found bugs.

The reported security flaw allowed somebody to hijack someone else's Facebook account via text message. The flaw could have potentially allowed malicious hackers to steal personal information, send out spam, or engage in phishing attacks. Mashable reports that Jack Whitton, an application security engineer, discovered the bug on May 23. He immediately reported it to Facebook, and the vulnerability was fixed by Facebook within five days.

Facebook provides the option of linking your account with your cell phone. This lets you not only receive updates through text messages but also log in using your cell phone number instead of your email address. The security vulnerability, which is now fixed, allowed Mr. Whitton to spoof Facebook's text message verification system into sending a password reset code for an account that was not his. Using this, he could go to Facebook, reset a target user's password, and access the account.

Mr. Whitton describes in detail how he specifically exploited the bug in his June 26, 2013 blog post "Hijacking a Facebook Account with SMS." In his words, "we enter this code into the form, choose a new password, and we're done. The account is ours...The bounty assigned to this bug was $20,000, clearly demonstrating the severity of the issue." According to Facebook the minimum reward the bug bounty program pays out is $500.
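The flaw above came down to a phone-verification code being accepted for an account other than the one that requested it. The following is an added example (not Facebook's code, and not Mr. Whitton's) of how a phone-linking and reset-by-phone flow can be designed so that a code only ever binds to the account of the session that asked for it; the account names, phone numbers and the send_sms callable are constructed stand-ins.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300

# Constructed in-memory account store for this example (not Facebook's
# code); a real service would use a database. Names and numbers are made up.
ACCOUNTS = {
    "alice": {"password": "correct horse", "phone": "+15550100"},
    "bob":   {"password": "battery staple", "phone": None},
}


def new_code():
    """Six-digit numeric code of the kind delivered by SMS."""
    return f"{secrets.randbelow(10**6):06d}"


def owner_of(phone):
    """Account name that has verified this phone number, or None."""
    return next((u for u, a in ACCOUNTS.items() if a["phone"] == phone), None)


class PhoneLinkService:
    def __init__(self, send_sms):
        self.send_sms = send_sms      # callable(phone, text): SMS gateway stand-in
        self.pending_links = {}       # session user -> (phone, code, expiry)
        self.pending_resets = {}      # account -> (code, expiry)

    # Step 1: the logged-in user asks to link a phone; the code goes to that phone.
    def start_link(self, session_user, phone):
        if owner_of(phone) is not None:
            return False              # number already verified for another account
        code = new_code()
        self.pending_links[session_user] = (phone, code, time.time() + CODE_TTL_SECONDS)
        self.send_sms(phone, f"Confirm your number with code {code}")
        return True

    # Step 2: the code is looked up under the session user only. No account id
    # from the submitted form is consulted, so the phone can only bind to the
    # account whose session started the link.
    def confirm_link(self, session_user, code):
        entry = self.pending_links.get(session_user)
        if entry is None:
            return False
        phone, expected, expiry = entry
        if time.time() > expiry or not hmac.compare_digest(code, expected):
            return False
        del self.pending_links[session_user]
        ACCOUNTS[session_user]["phone"] = phone
        return True

    # Password reset by phone: the code is sent only to the number on file,
    # and the reset applies only to the account that verified that number.
    def request_reset(self, phone):
        owner = owner_of(phone)
        if owner is not None:
            code = new_code()
            self.pending_resets[owner] = (code, time.time() + CODE_TTL_SECONDS)
            self.send_sms(phone, f"Password reset code {code}")
        # Same (empty) response either way, so callers cannot probe which numbers exist.

    def complete_reset(self, phone, code, new_password):
        owner = owner_of(phone)
        entry = self.pending_resets.get(owner) if owner else None
        if entry is None:
            return False
        expected, expiry = entry
        if time.time() > expiry or not hmac.compare_digest(code, expected):
            return False
        del self.pending_resets[owner]
        ACCOUNTS[owner]["password"] = new_password
        return True
```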

References:
Facebook. White Hat: Information. Retrieved on 28 June 2013 from https://www.facebook.com/whitehat/bounty
Franceschi-Bicchierai, L. (2013 June 28). Security researcher earns $20,000 for uncovering major Facebook bug. Mashable. Retrieved from http://mashable.com/2013/06/28/researcher-facebook-bug/
Lee, D. (2013 June 28) Facebook gives UK man $20k for discovering security flaw. BBC News. Retrieved from http://www.bbc.co.uk/news/technology-23097404
Whitton, J. (2013 June 26). Hijacking a Facebook account with SMS. Blog fin1te. Retrieved from http://blog.fin1te.net/post/53949849983/hijacking-a-facebook-account-with-sms.

June 25, 2013

Prevent Vehicle Break-Ins

Image from WKTV Channel 2 News
Yesterday, I received a sad update from a friend out on a family vacation. Thieves broke into their car and stole all the items inside. Their luggage, identification, and money were gone. According to the Federal Bureau of Investigation's 2011 Uniform Crime Reports, there were over 715,000 motor vehicle thefts nationwide. The average dollar loss per stolen vehicle was $6,089. This caused a loss of more than $4.3 billion. Unfortunately for my friend, she became another one of these statistics.

There are simple measures you can take to prevent this from happening to you.
  • Hide valuables. Stow away your valuables and loose change, even if your car will be locked.
    Image from CBS Atlanta: the best tip to reduce your car break-in risk.
    This is the number one reason cars are broken into. Put your valuable items in the trunk, out of sight. This includes empty book-bags, purses, or luggage that may appear to contain valuables. Out of sight, out of mind is a mantra for reducing risk. Most of these crimes are crimes of opportunity. By removing the temptation, you decrease the likelihood of your items being stolen. It's best to hide these items before you park.
  • Hide tip-offs to valuables. When hiding expensive electronics, don't forget to hide their wires, chargers, and accessories too, since these items can act as a clue. While you're at it, clean off the suction cup ring from the GPS mount, and put the car cigarette lighter back.
  • Be visible. Park in well-lit areas that receive a good bit of foot traffic, or in attended lots. Avoid parking on isolated streets. Thieves are less likely to act if there are a number of witnesses in the area.
  • Roll up your windows and lock your doors. This seems like a no-brainer, but you would be surprised how many cars that are broken into were unlocked. Even if you're going into the store for five seconds, roll up your windows and lock the doors.
  • Don't hide keys in the car. You may think you're clever leaving a spare key in the car, but thieves are all too aware of those hiding spots.

References:
Federal Bureau of Investigation (2012). Uniform Crime Reports: 2011. Retrieved from http://www.fbi.gov/about-us/cjis/ucr/crime-in-the-u.s/2011/crime-in-the-u.s.-2011/property-crime/motor-vehicle-theft
Halvorson, B. (2009 April 15). Tips to prevent car break-ins. CNN. Retrieved from http://www.cnn.com/2009/LIVING/wayoflife/04/15/aa.avoid.car.break.ins/
Hartford Police Department (2010). Car Break Prevention Tips. City of Hartford, CT. Retrieved from http://police.hartford.gov/CommunityServicesBureau/2010_CarBreakPreventionTips.pdf
King, H. (2012 March 13). Greenville Police issue car break-in prevention tips. WITN News. Retrieved from http://www.witn.com/news/headlines/Greenville_Police_Issue_142445225.html
Nationwide Mutual Insurance Company (2013). Car break-ins: Avoiding car theft smash-and-grab. Retrieved from http://www.nationwide.com/rss/car-break-ins.jsp

June 23, 2013

Facebook Security Bug

Image from The Guardian
Security Checks often advocates limiting social media posts containing personal and sensitive information. The latest Facebook security bug, which reportedly exposed up to six million users' email addresses and phone numbers, provides an example of why we keep giving such warnings.

"We recently received a report to our White Hat program regarding a bug that may have allowed some of a person's contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them," Facebook's Security team wrote in a post published on Friday.

Here's what the bug was doing: If you had uploaded your address book and you had a friend named Karen with the e-mail addresses karen@gmail.com and karen@someplace.com, Facebook would house that information in its database. When Mark joined Facebook and uploaded his address book with just Karen's karen@gmail.com address, it would suggest that he become friends with Karen and maybe even you.

Facebook reports there is no evidence that the bug has been exploited maliciously.

Most people are not too worried about having email addresses and phone numbers inadvertently exposed, since this carries little risk beyond annoying spam mail and soliciting phone calls. However, this incident provides us a warning. Social media, like all software, sometimes contain glitches that disclose information regardless of your privacy settings. The best way to reduce the risk of unauthorized disclosure of your sensitive information is to not post it in the first place.

References:
Facebook Security (2013 June 21). Important message from Facebook's White Hat Program. Retrieved from https://www.facebook.com/notes/facebook-security/important-message-from-facebooks-white-hat-program/10151437074840766
Stern, J. (2013 June 21). Facebook security bug exposes account information of 6 million users. ABC News. Retrieved from http://abcnews.go.com/Technology/facebook-security-bug-exposes-account-information-million-users/story?id=19460435#.UcaXE778LIU

June 16, 2013

NSA Data Breach: USB Flash Drive

Recent reporting on former NSA contractor Edward Snowden states that he allegedly used a USB flash drive (also called a thumb drive) to download highly classified information and sneak it out of a highly secure government facility. The L.A. Times reports that removable media is generally barred at NSA facilities, but Mr. Snowden had the capability to use the device: he was a system administrator with greater access and privileges across the networks.

After major breaches, government agencies typically become hyper-vigilant about security protocols. When the Bradley Manning/Wikileaks fiasco occurred a few years back, the military tightened its computer security processes by banning USB flash drives and severely restricting the use of other removable media. There was plenty of grumbling, with many complaining that the restrictions interfered with the speed of carrying out operations. Army users on the network classified as secret required special permission to have the capability to burn information to CD/DVDs enabled, and this had to be tied to actual mission requirements. Additionally, they had to follow the two-person integrity rule and maintain a log of downloaded material. All of this is in accordance with the Army 2011 Acceptable Use Policy that users are required to sign if they want to maintain their network access.
Small device. Big damage.

NSA will likely implement tighter security in light of the Snowden data breach. I suspect greater scrutiny and oversight will be applied to those individuals with elevated privileges, but general users will not totally be left out of the fray. They should expect a temporary increase in security awareness training with a focus on insider threats, handling of classified material, and sensitive government information in the public domain. The NSA may also review oversight procedures on contracts with access to sensitive information.

As we learn more about how he committed this huge security breach, procedures will be modified. Typically, large data breaches are preceded by smaller incidents serving as red flags, but unfortunately our government has a history of ignoring such indicators. As Mr. Snowden's story continues to unfold in the media, Security Checks will follow in an attempt to spotlight the red flags.

References:
Department of Army. Acceptable Use Policy. Fort Gordon. Retrieved on 16 June 2013 from http://webcache.googleusercontent.com/search?q=cache:oOtHgpBxvWMJ:www.gordon.army.mil/nec/documents/FG_AUP-26_Aug11.pdf+&cd=1&hl=en&ct=clnk

Dilanian, K. (2013 June 13). Officials: Edward Snowden took NSA secrets on thumb drive. L.A. Times. Retrieved from http://www.latimes.com/news/politics/la-pn-snowden-nsa-secrets-thumb-drive-20130613,0,791040.story

Fantz, A., Courson, P. (2013 June 3). Prosecutors: Bradley Manning 'craved' notoriety. CNN. Retrieved from http://www.cnn.com/2013/06/03/us/manning-court-martial/index.html?iref=allsearch

Franceschi-Bicchierai, L. (2013 June 14). Snowden stole secret NSA documents with a flash drive. Mashable. Retrieved from http://mashable.com/2013/06/13/snowden-nsa-thumb-drive/

Shachtman, N. (2010 Sep 12). Military bans disks; Threatens court-martial to stop new leaks. Wired: Danger Room. Retrieved from http://www.wired.com/dangerroom/2010/12/military-bans-disks-threatens-courts-martials-to-stop-new-leaks/

June 10, 2013

Privacy: Why you should care about PRISM

Time magazine asked on Facebook whether people even cared about the controversy over PRISM, the U.S. government data-mining project. Needless to say, the response was a bit alarming. Unfortunately, I cannot find the post to link back to it, but the responses are still going through my mind. Many expressed little concern, citing the logic, "if you haven't done anything, you have nothing to hide." Really people?!? Using this logic, do we really need such rights as the protection against unreasonable searches and seizures?
 
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated; and no Warrants shall issue but upon probable cause supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
               -4th Amendment U.S. Bill of Rights
 
The Supreme Court case Olmstead v. United States established that electronic surveillance is subject to this Amendment's requirements. (Congress, 1992, page 1205) Don't get me wrong: what somebody purposely makes public does not fall under the protection of the Fourth Amendment; however, what somebody purposely tries to make private "even in an area accessible to the public" falls under the scope of this right. (Congress, 1992, page 1206) At the crux of search and seizure is probable cause. Did the government really have probable cause to collect a substantial amount of information involving its citizens? (Congress, 1992, page 1217) It is not reasonable for the government to collect large amounts of data on its citizens, particularly if the citizens have not partaken in unlawful activity. Besides, "the sheer breadth of the information being collected by the NSA [under PRISM,] means that very little of it is actually being looked at; it's being put into a database to be used later in ways that will more seriously raise privacy concerns and implicate policy." (Holmes, 2013) Meaning? All that information, collected for the sake of our security, is not really supporting your protection.
 
Others stated the data-mining is okay in the name of safety and security. Oh, how short-sighted are our vision and our memories?

Governments throughout history have a track record of conducting surveillance on their populace under the ruse of security. Recent U.S. history supports this claim. From 1956 to 1971, the Federal Bureau of Investigation (FBI) ran a domestic surveillance program, the Counter Intelligence Program (COINTELPRO). It "was a secret FBI program designed to monitor and 'neutralize' domestic groups deemed by the FBI to be a danger to national security. Such groups included anti-war groups and civil rights groups and individuals like Martin Luther King, Jr. and even Eleanor Roosevelt." (PBS, 2004) Even people like the peaceful activist Reverend Dr. Martin Luther King, Jr. were targeted under the guise of national security, because they expressed dissenting opinions. The FBI even states that the program was "rightfully criticized by Congress and the American people..." (FBI) In the 1970s, Congress authorized the Church Reports to investigate the domestic surveillance program. The report stated:
 
"We reject the view that the traditional American principles of justice and fair play have no place in our struggle against the enemies of freedom. Moreover, our investigation has established that the targets of intelligence activity have ranged far beyond persons who could properly be characterized as enemies of freedom and have extended to a wide array of citizens engaging in lawful activity."
 
This statement from the 1970s fits our current time. If you're interested in learning more, the American Civil Liberties Union has additional stories available at http://www.trackedinamerica.org/.
 
Some also pointed out the fact that commercial entities already do this, so what is the big deal if the government does it? My mom used to say, "two wrongs do not make a right." She also said, "if all your friends jump off a bridge, it doesn't mean you should." Security Checks argues against both government and commercial privacy invasion. Commercial entities should not data-mine personal data under the pretense of customer service, just as the government should not under the banner of national security. In the Information Age, we need to ask why these entities need all the requested information. And we need to say ENOUGH! In order to do that, you need to care.
 
References:
American Civil Liberties Union. (2012) Civil rights movement and Vietnam: Unlawful surveillance, intimidation, and harassment. Tracked in America. Retrieved from http://www.trackedinamerica.org/timeline/civil_rights/intro/
 
Federal Bureau of Investigation. COINTELPRO. FBI Records: The vault. Retrieved (June 10, 2013) from http://vault.fbi.gov/cointel-pro 
 
U.S. Congress. 103rd, 1st session.  The Constitution of the United States of America: Analysis, and Interpretation - 1992 edition. Federal Digital System. Retrieved from http://www.gpo.gov/fdsys/pkg/GPO-CONAN-1992/pdf/GPO-CONAN-1992-10-5.pdf
 
Holmes, L. (2013 June 9). When your data is currency, what does your privacy cost? National Public Radio (NPR). Retrieved from http://www.npr.org/blogs/monkeysee/2013/06/09/189857722/when-your-data-is-your-currency-what-does-your-privacy-cost?utm_source=NPR&utm_medium=facebook&utm_campaign=20130609 
 
Public Broadcasting Station. (2004 March 5). Going undercover/criminalizing dissent? Now on PBS. Retrieved from http://www.pbs.org/now/politics/cointelpro.html 

June 7, 2013

Newtown School Shooting Charity Scam

Charity Scammer Caught
In my late May post Charity Scams, I used the Newtown School Shooting Charity Scam as an example of scammers using catastrophic events to bilk money out of people's generosity in supporting victims. On June 6, 2013, the Federal Bureau of Investigation reported that Nouel Alba of Bronx, New York pleaded guilty to engaging in a fraudulent fundraising scheme related to the horrible December 2012 Sandy Hook Elementary School shooting.

“This defendant’s criminal conduct exploited the victims of this tragedy, their grieving families, and caring individuals who sought to help in any way they could,” stated Acting U.S. Attorney Deirdre M. Daly. “As charity and fundraising scams prey upon vulnerable people and have a corrosive effect on the trust and generosity of all citizens, investigators will continue to monitor the Internet to uncover similar schemes. While we believe that this case has had a deterrent effect on other potential bad actors, individuals who ignore this warning and operate these schemes face federal or state prosecution to the fullest extent permitted by law.”

For those unfamiliar with the case, Alba used social media, email, text messages, and phone calls, claiming to be an aunt of one of the Sandy Hook students killed in the school shooting, in order to solicit donations for a so-called "funeral fund."

Honestly, it warms the bottom of my heart to read about these scammers facing justice.

Alba pleaded guilty to one count of wire fraud, which carries a maximum term of imprisonment of 20 years, and one count of making false statements, which carries a maximum term of imprisonment of five years. She is scheduled to be sentenced by United States District Judge Michael P. Shea in Hartford on August 29, 2013.

Alba has been released on a $50,000 bond since her arrest on December 27, 2012.
Individuals with knowledge of fraudulent fundraising and charity schemes are encouraged to contact the FBI in Connecticut at 203-777-6311.

Reference:
U.S. Attorney's Office, District of Connecticut (2013 June 6). New York woman pleads guilty to Newtown fundraising fraud and lying to federal agents. Federal Bureau of Investigation. Retrieved from http://www.fbi.gov/newhaven/press-releases/2013/new-york-woman-pleads-guilty-to-newtown-fundraising-fraud-and-lying-to-federal-agents?utm_campaign=email-Immediate&utm_medium=email&utm_source=fbi-in-the-news&utm_content=231382

June 4, 2013

A Call to Vigilance

"Police are warning residents to be extra vigilant after a recent string of break ins..." (Smith, 2013)
"...we must be very vigilant in the face of terror..." (Sheva, 2013)
"...warned to be extra vigilant in public after the murder..." (Herbert, 2013)
"Security is a challenging, tireless job that requires eternal vigilance." (Cavanagh, 2013)

"V" is for vigilance
We often hear security professionals telling us to be vigilant, stay vigilant, or even better, be extra vigilant. Since September 11, 2001, this call to vigilance has been repeated through the years in multiple posters, messages, and articles used in awareness campaigns. Even the U.S. Department of Homeland Security's "See something, say something" campaign states that "everyone should be vigilant."

After seeing countless security messages calling for vigilance, I have to ask myself, what does this even mean? What does staying vigilant look like? Through repetitive use, has vigilance become nothing more than a clichéd security catchphrase? I hope not.

What is vigilance?

The Oxford dictionary defines vigilance as "the action or state of keeping careful watch for possible danger or difficulties." (2013) The call to vigilance does not simply mean acting in a state of paranoia, suspecting the world is out to get you. The vigilance security professionals are looking for is more that of an attentive observer. In other words, it simply means paying attention to what is going on around you. Instead of walking with your face buried in your smart phone, look up and take notice of what is going on around you. That's it! Just look around at your surroundings.

You are only keeping an eye out for odd behavior that should cause a red flag to pop up in your head.
Image obtained from Pittsburgh Regional Business Coalition for Homeland Security
For instance, "why is this person buying so much hydrogen peroxide?", "why are they asking about types of explosives they don't know much about?", "why do people come in and out of these houses at all hours?", "why are they buying so much bomb-making material?", or "why do I smell chemicals coming from that house?"

As the C&C Music Factory song goes, "it's the things that make you go, hmmm."

Having vigilance does not mean you're investigating these suspicious behaviors to answer these questions. Being vigilant means you take notice of the event, try to remember as much of the detail as possible, and report it to law enforcement. Law enforcement will do the investigative work.

Why vigilance?

As stated in a CSO Online article after the Boston Marathon Bombing, "for security to be as effective as possible, everyone must do their part, including citizens being aware of their surroundings and reporting suspicious activity...The most important aspect of security is the help of the public." (Cavanagh, 2013) The public taking notice and reporting unusual activity gives security professionals the pieces of a larger puzzle. "Prevention of events like [the Boston Marathon Bombing] starts not only with law enforcement vigilance but with citizens taking better notice of their surroundings." (Stevens, 2013)

References:
Cavanagh, R. (2013 April 29). Wake up! Boston bombings a call for renewed citizen vigilance. CSO Online. Retrieved from http://www.csoonline.com/article/732481/wake-up-boston-bombings-a-call-for-renewed-citizen-vigilance.
Department of Homeland Security. Contact Us. Retrieved from http://www.dhs.gov/main-contact-us.
Herbert, D. (2013 May 26). Woolwich attack: Prince Harry warned to be vigilant after killing of Drummer Lee Rigby. The Mirror News. Retrieved from http://www.mirror.co.uk/news/uk-news/woolwich-attack-prince-harry-warned-1912581.
Sheva, A. (2013 May 28). NYC Councilman: Look terror in the face. Arutz Sheva, Israel National News. Retrieved from http://www.israelnationalnews.com/News/News.aspx/168400.
Smith, R. (2013 May 31).  Police warn public to be extra vigilant. The Transcontinental. Retrieved from http://www.transcontinental.com.au/story/1540886/police-warn-public-to-be-extra-vigilant/?cs=1538.
Stevens, T. (2013 April 16). Homeland security officials encourage vigilance, 'step up precautions for larger events. Ledger-Enquirer. Retrieved from http://www.ledger-enquirer.com/2013/04/16/2466699/homeland-security-officials-encourage.html

June 2, 2013

Cyber Scam: Auto for sale!

Scammers use online car sale advertisements to lure new victims.
The FBI reports that cyber criminals are changing up their technique to lure in new victims. It's a spin-off of the traditional auction scam the FBI has been warning about for years. The latest ruse starts with the scammers listing a vehicle for sale on a legitimate online site without a photo in the advertisement. Upon request, the scammer will email pictures of the supposed vehicle for sale.

The emailed photo typically contains malicious code to infect the victim's computer. Sometimes the victim receives a link to an online photo gallery instead. The report goes on to state that the code redirects the victim's computer to a fake website the scammers set up to look identical to the original advertisement site. The scammers run all aspects of the fake site, such as the tech and live chat support, to make it feel like the original site. Once the victim agrees to buy and pays for the advertised item, the scammer ceases all communication. The victim never receives the merchandise, is out the money, and is left with an infected computer.

People should be very cautious when shopping online, especially for expensive purchases such as automobiles.
Be a happy buyer by following some security tips.
  • Research the seller to determine if they're a legitimate car dealer.
  • If dealing with a private seller, see the for-sale item in person. If the seller keeps giving you excuses for why you cannot see the item, that should serve as a red flag.
  • Keep your computer's software, operating system, firewalls, and anti-virus updated to help prevent malware.
  • Scan files before downloading to your computer.
  • If you're bidding through an auction site and lose, be leery of the seller contacting you outside of the site claiming the original winning bidder fell through. The auction site will not provide you any protection for deals made outside of the site.
  • Be cautious if purchasing from somebody outside the country.
  • If the price is too good to be true, it is probably a scam.
  • If you have fallen victim to this type of scam, you can file a complaint with the Internet Crime Complaint Center, http://www.ic3.gov/, as well as with your local law enforcement.

References:
Internet Crime Complaint Center (2013 May 30). Cyber criminals using photo-sharing programs to compromise computers. Retrieved from http://www.ic3.gov/media/2013/130530.aspx

June 1, 2013

LinkedIn Steps Up Security

Social media increase security
Over the past few years, there have been various articles decrying social media's lax security and privacy settings. It warms my paranoid security heart when I read about a prominent social media site upping its security. LinkedIn, a social media site for working professionals, revealed a technology it will integrate into its platform. Its announcement comes a couple of weeks after Twitter's announcement, and about a month after Microsoft rolled out a similar security technology. Are we starting to see a trend? I hope so! The technology is meant to protect user accounts against unauthorized sign-in attempts.
"Known as two-factor authentication, [it] is designed to verify the identity of users as they log in by requiring them to enter numeric codes sent via text message." (Finkle & Saba, 2013)

Basic access control formula.
This follows access control's basic formula of something you know plus something you have. You know your password, and you would have the text message with your unique numeric code.

This certainly makes it difficult for somebody else to hijack your account. Even if a hacker got hold of your password, he would still need that other piece of information, the code sent via text, to enter your account. Of course, in order to use this security option, you will need to provide LinkedIn your cell phone number, and standard text rates apply. Also, you might have a problem gaining access to your own account if you lose your cell phone. There is always some type of catch.
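To make the "something you know plus something you have" formula concrete, here is an added example (not LinkedIn's code) of a two-step sign-in: the password must pass before a numeric code is sent to the phone on file, codes expire and work once, guesses are capped, and single-use recovery codes cover the lost-phone catch mentioned above. The user names, phone number and the send_sms callable are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120      # lifetime of a code sent by text
MAX_CODE_ATTEMPTS = 5       # guesses allowed per sign-in challenge


def password_hash(password, salt):
    # Slow, salted hash so a leaked database does not hand over passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def recovery_hash(code):
    # Recovery codes are random and high-entropy, so a plain hash suffices.
    return hashlib.sha256(code.encode()).hexdigest()


class TwoStepLogin:
    """Something you know (password) plus something you have (phone)."""

    def __init__(self, send_sms):
        self.send_sms = send_sms    # callable(phone, text): SMS gateway stand-in
        self.users = {}             # name -> record (constructed store)
        self.challenges = {}        # name -> pending second step

    def register(self, name, password, phone):
        salt = secrets.token_bytes(16)
        recovery = [secrets.token_hex(5) for _ in range(3)]
        self.users[name] = {
            "salt": salt,
            "pw_hash": password_hash(password, salt),
            "phone": phone,
            "recovery": {recovery_hash(c) for c in recovery},
        }
        return recovery             # shown once; the user stores them offline

    # Step 1: something you know. Only a correct password triggers a text.
    def start_login(self, name, password):
        user = self.users.get(name)
        if user is None:
            return False
        if not hmac.compare_digest(user["pw_hash"], password_hash(password, user["salt"])):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[name] = {"code": code, "expiry": time.time() + CODE_TTL_SECONDS, "attempts": 0}
        self.send_sms(user["phone"], f"Your sign-in code is {code}")
        return True

    # Step 2: something you have. The code is single use, expires, and
    # the challenge is discarded after too many wrong guesses.
    def finish_login(self, name, code):
        ch = self.challenges.get(name)
        if ch is None or time.time() > ch["expiry"]:
            self.challenges.pop(name, None)
            return False
        ch["attempts"] += 1
        if ch["attempts"] > MAX_CODE_ATTEMPTS:
            del self.challenges[name]       # too many guesses: start over
            return False
        if hmac.compare_digest(ch["code"], code):
            del self.challenges[name]       # single use
            return True
        return False

    # Lost-phone path: still requires the password step to have passed.
    def finish_login_with_recovery(self, name, recovery_code):
        if name not in self.challenges:
            return False
        remaining = self.users[name]["recovery"]
        h = recovery_hash(recovery_code)
        if h not in remaining:
            return False
        remaining.discard(h)                # each recovery code works once
        del self.challenges[name]
        return True
```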

I'm interested to know how these sites plan on protecting your phone number, but that is another post for another time.

References:
Finkle, J., & Saba, J. (2013 June 1). LinkedIn boosts security, offering similar technology as Twitter. Reuters. Retrieved from http://in.reuters.com/article/2013/05/31/net-us-linkedin-security-idINBRE94U16P20130531

Silveira, V. (2013 May 31). Protecting your LinkedIn account with two-step verification. LinkedIn Blog. Retrieved from http://blog.linkedin.com/2013/05/31/protecting-your-linkedin-account-with-two-step-verification/

Wawro, A. (2013 April 25). How to set up two-factor authentication for Facebook, Google, Microsoft, and more. PCWorld. Retrieved from http://www.pcworld.com/article/2036252/how-to-set-up-two-factor-authentication-for-facebook-google-microsoft-and-more.html