
Avoidable Attacks Cause Most Data Breaches

1/22/2012

SQL injection attacks have been around for more than ten years, and security professionals are more than capable of protecting against them; yet 97 percent of data breaches worldwide are still due to an SQL injection somewhere along the line, according to Neira Jones, head of payment security for Barclaycard.

Speaking at the Infosecurity Europe Press Conference in London last week, Jones said that hackers are taking advantage of businesses with inadequate and often outdated information security practices. Citing the most recent figures from the National Fraud Authority, she said that identity fraud costs the UK more than £2.7 billion (US$4.7 billion) every year, and affects more than 1.8 million people. 

"Data breaches have become a statistical certainty," said Jones. "If you look at what the public individual is concerned about, protecting personal information is actually at the same level in the scale of public social concerns as preventing crime." 

SQL injection is a code injection technique that exploits a security vulnerability in a website's software. Arbitrary data is inserted into a string of code that is eventually executed by a database. The result is that the attacker can execute arbitrary SQL queries or commands on the backend database server through the web application. 
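The mechanism described above, shown as an added example that is not code from the article or from any vendor it names: a Python lookup that splices the caller's input into the SQL text, beside the parameterized form that is the standard fix. The in-memory SQLite table, the sample rows and the quote-bearing input are all constructed here for illustration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the article.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the caller's string becomes part of the SQL text.

    Whatever the caller supplies is parsed by the database as SQL, so input
    containing a quote character can change the statement's structure rather
    than merely its data, which is the failure the article describes.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the SQL text is constant; the value is bound separately.

    The driver passes the statement and the parameter to the engine as two
    distinct things, so the value is never interpreted as SQL syntax.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A constructed input containing a quote. Against the unsafe query it turns
# the WHERE clause into a tautology and every row comes back; against the
# parameterized query it is just a username that does not exist.
QUOTED_INPUT = "x' OR '1'='1"


def compare(username):
    """Return (rows from the unsafe query, rows from the safe query) for one input."""
    conn = make_db()
    return lookup_unsafe(conn, username), lookup_safe(conn, username)


if __name__ == "__main__":
    for name in ("alice", QUOTED_INPUT):
        unsafe_rows, safe_rows = compare(name)
        print(f"{name!r}: unsafe -> {len(unsafe_rows)} row(s), safe -> {len(safe_rows)} row(s)")
```

The point to take from running it is that the two functions behave identically on ordinary input and diverge only when the input carries SQL syntax; a code review that flags every string-built query, whatever the framework, is the practical check this article's figures argue for.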

In October 2011, for example, attackers planted malicious JavaScript on Microsoft's ASP.Net platform. This caused the visitor's browser to load an iframe with one of two remote sites. From there, the iframe attempted to plant malware on the visitor's PC via a number of browser drive-by exploits. 

Avoidable Attacks

Microsoft has been offering ASP.Net programmers information on how to protect against SQL injection attacks since at least 2005. However, the attack still managed to affect around 180,000 pages. 

Jones said that, with the number of interconnected devices on the planet set to exceed the number of humans by 2015, cybercrime and data protection need to take higher priority on the board's agenda. In order for this to happen, however, the Chief Information Security Officer (CISO) needs to assess the level of risk within their organization, and take one step at a time. 

"I always say, if anyone says APT [advanced persistent threat] in the room, an angel dies in heaven, because APTs are not the problem," said Jones. "I'm not saying that they're not real, but let's fix the basics first. Are organizations completely certain they're not vulnerable to SQL injections? And have they coded their web application securely?" 

Generally it takes between 6 and 8 months for an organization to find out it has been breached, Jones added. However, by understanding their risk profile and taking simple proactive measures, such as threat scenario modelling, companies could prevent 87 percent of attacks. 

By Sophie Curtis, Techworld.com


FBI Busts Programmer for Stealing US Treasury Code

1/20/2012

The FBI said it arrested a computer programmer in New York this week and charged him with stealing proprietary software code from the Federal Reserve Bank of New York. The software known as the Government-Wide Accounting and Reporting Program (GWA) handles all manner of U.S. government financial transactions.

From the FBI: "As alleged in the complaint, between May 2011 and August 11, 2011, Bo Zhang was a contract employee assigned to the Federal Reserve Board of New York (FRBNY) to work on further developing a specific portion of the GWA's source code which the United States has spent approximately $9.5 million to develop. In the summer of 2011, Zhang allegedly stole the GWA Code.

"According to the complaint, Zhang admitted that in July 2011, while working at the FRBNY, he checked out and copied the GWA Code onto his hard drive at the FRBNY; he subsequently copied the GWA Code onto a bank-owned external hard drive; and he connected that external hard-drive to his private office computer, his home computer, and his laptop. Zhang stated that he used the GWA Code in connection with a private business he ran training individuals in computer programming."

"Zhang took advantage of the access that came with his trusted position to steal highly sensitive proprietary software. His intentions with regard to that software are immaterial. Stealing it and copying it threatened the security of vitally important source code," said FBI Assistant Director in Charge Janice Fedarcyk in a statement.

Now free on bond but due back in court in February, Zhang, 32, of Queens, New York, faces a maximum term of 10 years in prison and a $250,000 fine if guilty.

While the FBI didn't identify which company Zhang currently worked for, Bloomberg.com reported he had in the past worked at Goldman Sachs Group Inc. (GS) and Bank of America Corp.

Bloomberg.com also said Matt Anderson, a Treasury spokesman, said the department has worked to strengthen security procedures for Federal Reserve contractors working on Financial Management Service projects. "There was no compromise of any transaction data, personal identifying information or federal funds," Anderson said.


The Cloud, Day 20: What About Security?

1/04/2012

30 Days With the Cloud: Day 20

It seems like a week doesn’t go by without some sort of data breach incident. As I venture through the 30 Days With the Cloud journey, it occurs to me that I am placing an awful lot of faith in third parties to keep my data protected. So, the inevitable question becomes, “can I trust my data in the cloud?”

If I am going to keep gigabytes upon gigabytes of sensitive data stored online, I need some assurances that it is safe. The data needs to be secured, preferably encrypted, so that it is protected even in the event that the storage that contains it is compromised. But, even encrypting data can be tricky when it comes to third party cloud storage providers.

For example, cloud storage provider Dropbox was at the heart of some controversy last year related to its file encryption. Dropbox claimed that all files are encrypted and protected from unauthorized access, but Dropbox maintained control of the actual encryption keys.

That means that -- although other random people may not be able to access my data -- Dropbox employees can. They may share my data if compelled by law enforcement, or employees might access and view the files themselves. It is strictly forbidden as a matter of policy, but anyone who would surreptitiously view my data probably also lacks the moral compass to care about the policy.

[Image caption: Data stored online needs to be encrypted to protect it from unauthorized access.]

In defense of Dropbox, there is a reason it maintains control of the encryption keys -- simplicity. While it is more secure to allow customers to control their own data encryption keys, it can also create serious issues when the customer loses those keys and finds out that nobody else -- not even Dropbox -- can access the information. And, customers can still encrypt their data through other means with their own keys if they prefer.

That really seems to be the only viable solution. If I encrypt the data myself, I know that I hold the keys and theoretically only those people I authorize will be able to access my files. But that complicates things, and adds some administrative and processing overhead.

For businesses considering a move to the cloud, there are also compliance mandates to consider. Putting data online comes with some risks, and businesses need to take extra precautions to make sure that data is not exposed or compromised.

For tomorrow’s 30 Days With the Cloud post, I am going to examine the flip-side to this coin, and take a closer look at some ways that my data might actually be in better hands in the cloud.


4 Facebook Security Tips to Stay Safe in 2012

1/01/2012

Facebook founder Mark Zuckerberg was hacked last month.
On December 7, more than a dozen private photos of Zuckerberg were leaked to photo-sharing site Imgur under the headline, "It's time to fix those security flaws Facebook." The social network later confirmed that the flaw was the result of a recent code push and was live "for a limited period of time"--affecting not just Zuckerberg's account, but also an undetermined number of others.

This latest security problem comes one week after Facebook agreed to settle the charges with the FTC that it deceived consumers by telling them they could keep their information on Facebook private, then allowed it to be shared and made public.

Unfortunate timing for Facebook, no doubt. But, according to Mike Geide, senior security researcher at Zscaler ThreatLabZ, a cloud security company, Facebook has stepped up its security measures in the last year, though "there's certainly room for improvement," he says.

"Hackers are getting more and more sophisticated with their attacks," Geide says. "Facebook credentials that are stolen and sold underground are a huge commodity--kind of like email addresses are for spammers."

As hackers up the ante with attacks, Facebook users need to take extra precautions and exercise better judgment to ensure their accounts--and their personal information--stay safe. Here are four ways to do so.

1. Enable SSL Encryption
In the past, Facebook used HTTPS--Hypertext Transfer Protocol Secure--only when you entered your password. If you've shopped or banked online, you might also notice this amped-up security feature, denoted by a small lock icon that appears in your address bar, or just a green address bar. Facebook now applies SSL encryption to all browsing done on the site, and it is strongly recommended if you use public computers or access points, such as at coffee shops, airports or libraries.

To enable this security feature, visit your Account Settings page, then choose "Security" from the options on the left side of the screen. Here, you'll be able to see whether this option, "Secure Browsing," is enabled or disabled. Click "Edit" to enable it.

Do note that encrypted pages take longer to load in this mode and that not all third-party apps may support it.

[Want more tips, tricks and details on Facebook privacy? Check out CIO.com's Facebook Bible.]

2. Be Wary of Information You Share
The information you share in your profile may seem harmless, but particular pieces are popular "ins" with hackers. Take, for example, your birthday. This piece of data, Geide says, is sometimes used in security questions. Disclosing it at will could put you at risk.

Geide also recommends opting out of the feature that lets you--and your friends--check you into places. Here's how to find this setting:

Navigate to your Privacy Settings page and click "Edit Settings" next to "How Tags Work." Then, turn it off.

Geide says that hackers use your location data not just for physical-world attacks such as stalking and robbery, but for social-engineering attacks, too. One example of this: messaging you to say, "Hey, I met you at XYZ conference last week," in order to obtain more information or promote a malicious link.


3. Use Applications and Games Sparingly
In the past, rogue Facebook apps have spammed users and hijacked accounts. Facebook has since put a number of safety protocols, such as App Passwords, in place to better vet their apps and ensure security.

App passwords are one-time passwords you use to log into your apps, without needing to enter your Facebook password. To get an app password, go to your Account Settings, then select the Security tab. Click "Edit" next to App Passwords, then follow the prompts.

Geide also recommends carefully reviewing the permissions granted to Facebook apps before you install and use them.

"Applications may use a number of permissions. Because of this, it is best to limit your applications to those that you actually use and have a level of trust for," he says.

Specifically, Geide recommends paying careful attention to which applications have the ability to write on your wall or message friends, as this could be used to propagate something malicious. Also, check to see what information the application is able to access about you and what content it can read--for example your wall, posts and photos.

"Think about the actual expected behavior of the application," he says. "And if the level of access that it is requesting doesn't seem needed for its functionality, the chances are that it's doing something in addition to what it is advertising."

4. Log Out of Facebook When You're Done
When you're finished browsing Facebook, be sure you log out, Geide says. "This will prevent threats, such as 'Likejacking,' that leverage logged-in sessions to Facebook," he says.

Likejacking is a form of clickjacking, or the malicious technique of tricking users into posting a status update for a site they did not intentionally mean to "like."

One example of this: In June 2010, hundreds of thousands of users fell victim to likejacking after clicking links that read, "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE," and, "This man takes a picture of himself EVERYDAY for 8 years!!"
After clicking the link, users were asked to "click here to continue." The following page contained a clickjacking worm that posted content to the users' walls.
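Logging out is the user-side defence the article gives; the site-side defences against the framing that likejacking depends on are the anti-framing response headers and a session cookie that is not sent on cross-site requests. The following checker is an added example, not code from the article, Facebook or Zscaler: it reads a response's headers, classifies who may embed the page, reports the session cookie's SameSite attribute, and flags the combination (frameable by anyone, cookie sent cross-site) that the technique needs. The sample responses are constructed for the demonstration, not captured from any real site.

```python
# Constructed sample responses; not captured from Facebook or any real site.
SAMPLE_RESPONSES = {
    "protected_by_csp": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "Set-Cookie": "session=abc123; Secure; HttpOnly; SameSite=Lax",
    },
    "legacy_xfo_only": {
        "X-Frame-Options": "SAMEORIGIN",
        "Set-Cookie": "session=abc123; Secure; HttpOnly",
    },
    "unprotected": {
        "Content-Type": "text/html",
        "Set-Cookie": "session=abc123",
    },
}


def framing_policy(headers):
    """Classify who may embed this page in a frame, from its response headers.

    A CSP frame-ancestors directive takes precedence over X-Frame-Options when
    both are present, which is what the CSP specification tells browsers to do.
    Returns 'deny', 'same-origin', 'allow-list' or 'unprotected'.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "deny"
            if sources == ["self"]:
                return "same-origin"
            return "allow-list"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"


def session_cookie_samesite(headers):
    """Return the SameSite value ('lax', 'strict', 'none') of Set-Cookie, or 'missing'."""
    for key, value in headers.items():
        if key.lower() == "set-cookie":
            for attr in value.split(";")[1:]:
                name, _, val = attr.strip().partition("=")
                if name.lower() == "samesite":
                    return val.strip().lower() or "missing"
    return "missing"


def assess(headers):
    """Summarise framing and cookie posture for one response.

    A cross-site iframe is not a top-level navigation, so a Lax or Strict cookie
    is not attached to it; the page is only exposed when it can be framed by any
    origin and its session cookie still travels on cross-site requests.
    """
    framing = framing_policy(headers)
    samesite = session_cookie_samesite(headers)
    exposed = framing == "unprotected" and samesite in ("missing", "none")
    return {"framing": framing, "samesite": samesite, "likejacking_exposed": exposed}


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, assess(headers))
```

Run against a real site's headers (for example from `curl -sI`), the same functions give a quick read on whether the logged-in pages a user might forget to close are even embeddable in the first place.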

If you have forgotten to log out of Facebook from a computer or mobile device, you can do so remotely. From your Account Settings page, click the "Security" tab on the left. Select "Edit" next to Active Sessions.

The following information will show you where you're logged in on other devices, when you last accessed it and the device. To log out of any of the sessions, just click "End Activity."

By Kristin Burnham, CIO


Play Hard, Stay Safe

12/27/2011


You might think that you don’t have to worry about security while playing games—after all, that activity is about as far from online banking as you can get—but as the PlayStation Network data breach last spring and the more recent hack into the servers of the Steam gaming platform both show, you are vulnerable, even when you’re at play.

However, just taking some basic steps can keep your data more secure, and let you focus on holding down the fort against The Horde.

Use strong passwords: This one step seems obvious, but it bears repeating. Your password is your first line of defense in protecting your personal information, and it is one aspect of security that you can directly control, so make it good.

Consider using a “passphrase” instead of a password—that is, string several words together—and replace some letters with other characters. Also, come up with a mnemonic that only you know, and apply it to your passwords. See “How to Build Better Passwords Without Losing Your Mind” to learn more.

Avoid entering your credit card information, if possible: Some gaming services, such as Steam, can store credit card information to make buying games easier. If you have a choice, though, try to avoid using your credit card altogether. This can reduce the risk of your number being stolen in the event that a company’s servers become compromised.

Alternatively, if you must enter credit card information, consider using a prepaid credit card so that you don’t have to give out your actual credit card information. Prepaid cards are generally reloadable, so you can add cash value to them as you go. Check with your bank to see what it offers.

If you are making one-time payments, look into using virtual credit card numbers. These are numbers that you can use in place of your actual credit card number and that are good for one use only. They’re an appropriate choice for any form of online shopping, and most major banks provide a virtual credit card service of some sort. See “Go Virtual for Safer Online Shopping” for more on this approach.

Consider paying with prepaid gift cards: For some gaming services, such as PlayStation Network and Xbox Live, you can purchase prepaid cards or gift cards and use those instead of paying with your credit card. This may be a good option if you’re feeling extra paranoid about giving out your credit card details. And these prepaid cards are readily available—look for them at your local supermarket or drugstore.

Use a designated email account for your gaming: In other words, set up an email account specifically for use with your gaming accounts. That way, if someone compromises one of your gaming accounts and gets hold of the email address you used with it, your main email account won’t be inundated with spam. And because of its gaming-only use, if your gaming email account becomes compromised, you’ll face a lower risk of having other accounts (such as your online banking account) hijacked as well. Of course, you should still make sure to use a strong password for your gaming email address.

Beware of Facebook games: When you approve a Facebook app or game (FarmVille, Mafia Wars, or whatever), you allow that app to access various bits of personal data that you’ve posted to your Facebook profile.

Users implicitly trust app developers to manage such personal data responsibly, but ultimately it’s out of our hands: In October 2010, for instance, a class-action lawsuit alleged that Facebook game developer Zynga (FarmVille, Mafia Wars) gave users’ personal information to advertisers and others, violating federal privacy laws and Facebook’s own policies.

So if you care about your privacy, don’t approve any and every app somebody invites you to try. Instead, use apps only from developers you trust. And if possible, check the app’s terms of use and privacy policy before you approve it, so you know what you’re getting into.

Steam Guard is your friend: If you use the Steam service, use Steam Guard. It’s a feature that adds security to Steam accounts by requiring you to respond to a confirmation email every time you sign in to Steam from a new computer. That step will help prevent someone from being able to log in to your account and purchase games or access your personal information without your consent.
 
© Copyright GadgetYours (2011-2012) - All rights reserved
Owner Blog and Editor: @Egawadi