Sunday, May 27, 2012

Head scratchers - May 2012

Some things that make you say ... HUH?
  • Hey, guess what mommy and daddy do - A standardized state test for third graders in New Jersey had a question asking them to write down a secret.  Wow, who would even think that is an appropriate question?
  • Just fill out the form - Apparently the form used by Best Buy to request Geek Squad service asks for the customer to supply a password.  However, because of the placement on the form, it seems they are asking for the customer's email account password. 
  • Smile, you're on TV - This shows password security at its finest.

Thursday, May 24, 2012

Monday, a few days late

I'm not sure what happened, but it's Thursday already.  Here's a look at some of the more interesting articles from the last few weeks:
  • There's a nasty attack out there hitting some German bank web sites that send customers transaction authorization numbers (TAN) via SMS.  Seems a man in the browser (MitB) attack using the Tatanga trojan creates a bogus web form into which the customer then unknowingly enters their valid TAN.  From that point, the customer sees a display showing the expected balance and a successful transaction.  Problem is, the trojan sends in an "authorized transaction" that transfers most of the money in the account elsewhere.
  • There was an article or two about hospitals notifying medical personnel they should not associate with patients or discuss medical issues on-line.  I would think this is something that wouldn't have to be explained, but with the explosion of social networking sites, it happens quite a bit.
  • DHS released a report on medical device (in)security.  Lots of concerns ranging from taking over implanted medical devices, to gaining network access, to mobile device use.  
  • If you haven't done so already, check your computers out to see if they have the DNS Changer malware.  According to those keeping track, there are possibly more than 300K computers world-wide still trying to resolve domain names to the bogus DNS servers.  The DNS Changer Working Group has all the information on how to check your computer and what to do if infected.  Another way to check now could be simply going to Google.  According to their security blog, Google will now display a banner message if it appears your computer is infected.

Monday, May 14, 2012

Another Monday

Here's a few interesting items from last week:
  • Yet another story about somebody going on Facebook and creating a bogus profile to lurk around.  This time it was a high school principal.  Really?  She apparently took it upon herself to pose as a student and friend as many others from the school as she could.  Not sure what the real motivation was, but it's a violation of Facebook user policy as well as just plain creepy.  Adults pretending to be students?  That usually ends up with the adult having to register their whereabouts.  Maybe she thought it was better than remoting into the laptop cams like a school around Philadelphia did a few years back.  Seems that school administrators are having a hard time understanding where their authority over students ends.
  • The FBI is worried about getting left in the dark.  With more communication moving to the internet from land-line phones, the FBI is concerned they lack the means to monitor the bad guys.  So the FBI wants social networking, VoIP, messaging and various other businesses to build in back doors specifically for their use.  I wonder how they propose to open these holes so that only "authorized" sources can use them?
  • Here's another ridiculous story on a set of breaches that may have exposed as many as 350,000 social security numbers and other personal and financial information for people associated with UNC-Charlotte.  The thing that makes this one stand out is some of the data may have been exposed for over 10 years!  The school sent out a release to explain things.  Of course the reason this happened was "system misconfiguration".  The part I like even better is the quote "The University has no reason to believe that any information from either of these incidents was inappropriately accessed or that information was used for identity theft or other crime".  That's awesome!  So after leaving data dangling on the internet for over 10 years, you can be absolutely certain none of it was accessed and used inappropriately.  Talk about rose-colored goggles.

Saturday, May 12, 2012

Were hotel networks ever safe?

Recently, the FBI put out this warning to travelers about using hotel internet connections.  Basically the warning says that people have found malicious code on their laptops after hooking up to hotel provided internet connections.  Apparently the people encountered popups when setting up their initial connections telling them some program on their computer needed an update.  So once the user agreed to allow the update, they got nailed with the malware.  The warning is kind of vague on details.  No mention of what the users were told to update.  No mention of what specific malware was involved.  No mention of where or how often this occurred.  But it does say to be careful when performing updates when traveling.

Monday, May 7, 2012

It's Monday

Some interesting topics from the last few days ...
  • According to this Computerworld article, if history holds true, almost half of all Mac users will stop getting security updates and patches very soon.  Apple is in the habit of dropping support for an OS that is 2 versions older than the new release.  So with the impending release of OSX 10.8 (Mountain Lion), support for OSX 10.6 (Snow Leopard) will cease.  You would think with the extra attention Mac users have been getting recently they would possibly rethink this and continue security updates for such a large chunk of their user base.
  • TrendMicro says that while some malware infested apps have been removed from the Android app store (Google Play), others are still being found.  Unfortunately this is something that probably will not get better for quite some time.  The rush to everything mobile has greatly outpaced security.
  • I don't usually pay much attention to anything from Consumer Reports, but this report talks about 13 million Facebook users not properly using or even understanding their privacy settings.  While that 13 million is a really small percentage of the total users, it's still a ridiculously high number.  Doesn't help much when the default settings on a new account are to blast out everything to everyone.  Would be interesting to see how different that number would be if the default account configuration was more strict.

Friday, May 4, 2012

Social network privacy?

It really doesn't matter what kind of privacy controls are implemented on Facebook or any of the other social network sites.  People just post too much personal information to begin with.  Even if they think they are limiting their posts to a small set of "friends", once that info is out there, they have very little control over where it ends up.  Sure, most people will not intentionally leak private information and most sites will try to keep data private (yeah, good one).  That doesn't always happen though.  People just really need to think about what they are about to post.  Maybe one little piece of info isn't so terrible, but combine it with other previously posted bits of info and pretty soon you have way too much out there.

Thursday, May 3, 2012

Mobile News Items

Some interesting topics related to mobile devices from the last few weeks:
  • Proof-of-concept work on using the motion sensors on Android phones to figure out what might be happening on the touchscreen.  The article mentions similar work done last year on iPhones.
  • Starting to find web pages out there that can infect mobile devices.  Lookout Security wrote about it in their blog.  You could almost figure this was about due.  With the explosion of BYOD to work there should be all kinds of fun coming down the road.
  • Might want to check the cool new lock-screen app you just got for your iPhone.  Apparently at least one developer decided to create an app that is just a few wallpapers that look like screen locks.  Even after stating the app really doesn't lock anything and categorizing it as "entertainment", people still bought it to lock their phones.  Now they are surprised it doesn't work and are trying to get their money back.  I'd like to say that surprises me, but sadly it doesn't.

Tuesday, May 1, 2012

Why is Conficker still around?

Seeing this article and this article and this article about Conficker is really kind of discouraging.  How could something that should have gone through its life cycle a few years ago still be infecting the number of machines that it is today?  According to Microsoft, infections seem to be steadily increasing ... almost 3 years later.  Yeah, it might be hard to get off of a corporate network, but you would think over time things would eventually get patched and cleaned up enough to slow this thing down.  That's apparently not the case.  If it is really as simple as patching systems and using better password policies, why is this thing still running amok?  Part of the problem is that Conficker shuts down Windows updates and a lot of the anti-malware tools.  Then all kinds of other malware can jump right in and set up shop, as this article shows.  Nothing good at all can come from malware working together.  Whether it was intended or not, not cool at all.  Time to get back to basics and take control of our networks.  Find the problems, clean up and close up the holes.  Yeah, wish it was really that simple.