The Security Pub

Random Thoughts About Security

Credit Card Encryption Needed

I finally agree with something Heartland CEO Carr has said in this PC World article.

I now know that this industry needs to, and can, do more to better protect it against the ever-more-sophisticated methods used by these cyber criminals.

It's time for the card brands to step up and focus on an end-to-end encryption standard. Bob Russo will still say that it's not the silver bullet for the issue, but it's better than anything we have now.

Social Network Security Risks for the Corporate Environments

I recently talked about the risks of personal information being sent to 3rd parties from social networking sites, but now I want to talk about the risks that could affect corporate environments.

Social networking sites like Facebook, Twitter, MySpace, and LinkedIn have been growing at an incredible rate. IT security professionals should now be looking at these sites as a security threat on corporate networks. Not only are they seen as a contributing factor to productivity loss, but they are also a security threat for data loss and potentially data breaches. They are a great social engineering tool for hackers to use to gain entry to corporate networks where these social networks are used. These networks have built up trust with their users, and these users take them into the corporate network with that same level of trust. So those applications that can pose a security risk at home will pose an even greater threat in the office.

Social network sites are great for helping people with similar backgrounds meet and stay in touch. The problem for corporate users is that inside large enterprises, where no one person knows everyone in the company, it is easy for someone with a fake ID to establish trust with individuals in a company simply because they claim to be a colleague. From there it is a simple matter of setting up a phishing scheme. The problem with this form of attack is that there is no evidence of a breach and no log of what data was even stolen.

With these new methods of data breach that social networking sites bring to corporate environments, it is imperative to take a new approach to network security. We should no longer look at networks in a segregated way. There is no longer a boundary between the corporate network and the internet. They must be treated as one and have a policy that encompasses them both. Also, when introducing new technology into a network environment, you must look at where that technology stands from a security standpoint and in what ways it increases your security risk. Create a security policy that includes social network sites. Prevent access to these sites from inside the corporate network, and also have a company policy about what employees are allowed to say about the company, whether they are currently on duty or not. Finally, be sure to run penetration tests from both inside and outside the network, and be sure that the tests include some form of social engineering. Always remember that hackers don't have any boundaries, so chances are that if a tool that follows rules is able to break into your network, it will be even easier for a hacker to do so.

Check out this Fox News segment on social network security risks.

How well can you identify a Phishing Scam?

I just took this quiz by SonicWall and was able to get them all right. This is a fun exercise to test your ability to recognize a phishing scam at a glance. After a few questions you really start to see how difficult it is to recognize a well-done phishing attempt. If we as security professionals have a hard time recognizing phishing attempts, what's it like for everyone else?

By definition, spam means unsolicited commercial e-mail, which can lead to phishing. Phishing is the process of attempting to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication.
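Recognizing a phish "at a glance" mostly comes down to a handful of checks on the links in the message. The following is an added example, not code from the blog post or from SonicWall's quiz, showing the checks a mail filter or awareness-training tool can apply to each link: the display text pointing at one domain while the href goes to another, a brand name buried inside an unrelated hostname, digit-for-letter lookalike domains, raw IP addresses, punycode hosts and credentials embedded in the URL. The trusted-domain list, the confusable-character table and the sample links are all constructed for the example.

```python
"""Added example (not from the blog post): link-level phishing indicators.

Assumptions: TRUSTED_DOMAINS holds the organisation's own brand domains, the
CONFUSABLES table covers only a few common digit/letter swaps, and
registrable_domain() takes the last two labels (real code would consult the
public suffix list). All sample links below are constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: the brand domains a legitimate message would link to.
TRUSTED_DOMAINS = {"examplebank.com"}

# Assumption: a minimal table of characters commonly substituted for letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"})

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
URL_IN_TEXT_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Naive 'registrable domain': last two DNS labels, lower-cased."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_findings(display_text: str, href: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of indicator names for one (display text, href) pair."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reg = registrable_domain(host)

    if parsed.scheme != "https":
        findings.append("non-https")
    if "@" in parsed.netloc:  # user:pass@host hides the real host after the '@'
        findings.append("userinfo-in-url")
    if IPV4_RE.fullmatch(host):
        findings.append("ip-address-host")
    if "xn--" in host:  # IDN label; may render as a lookalike of a Latin name
        findings.append("punycode-host")

    # Display text that itself looks like a URL must agree with the real target.
    shown = URL_IN_TEXT_RE.search(display_text)
    if shown and registrable_domain(shown.group(1)) != reg:
        findings.append("display-href-mismatch")

    for brand in trusted:
        # examplebank.com.login-verify.net: brand present, but not the registrable domain.
        if brand in host and reg != brand:
            findings.append("brand-in-hostname")
        # examp1ebank.com: equals the brand once confusable characters are mapped back.
        if reg != brand and reg.translate(CONFUSABLES) == brand:
            findings.append("lookalike-domain")
    return findings


def suspicious_links(links) -> dict:
    """Map each href that raised at least one indicator to its findings."""
    report = {}
    for text, href in links:
        found = link_findings(text, href)
        if found:
            report[href] = found
    return report


# Constructed sample links, as they might be extracted from a message body.
SAMPLE_LINKS = [
    ("https://www.examplebank.com/login", "https://www.examplebank.com/login"),
    ("https://www.examplebank.com/login", "http://examp1ebank.com/login"),
    ("Verify your account", "https://examplebank.com.login-verify.net/"),
    ("Click here", "http://192.0.2.10/secure"),
]

if __name__ == "__main__":
    for href, found in suspicious_links(SAMPLE_LINKS).items():
        print(f"{href}: {', '.join(found)}")
```

Run on the sample list, the first link is clean and the other three are flagged; the second one trips three indicators at once (plain http, display text disagreeing with the target, and a digit-for-letter lookalike of the brand domain), which is exactly the kind of link that looks fine at a glance.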

Are you using Facebook?

If you're using Facebook, your personal information could be at risk. Did you realize that by default, when you sign up for Facebook, you are authorizing them to capture and send your personal information to 3rd parties? Your Facebook account can be configured not to allow the sharing of this information, but most Facebook users don't understand how to do it.

Basically, on a social networking site like Facebook, check the settings of your profile. You will see something like Privacy Settings, and that is where you can choose what is done with the information you place on the site.

In August of this year there was a suit filed in California against Facebook regarding the use of personal information and how Facebook allegedly violates California Privacy Laws.

Former IT Specialist Hacks into Charity's Network

Here is a good example of what could happen if you don’t decommission users when they leave the company.

A computer specialist has been arrested and indicted for breaking into his former employer's computer network one year after he was let go. The admin is accused of causing significant damage by deleting records and crippling critical communications systems such as email and telephone.

Here is the rest of the article
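The lesson of the story is that offboarding has to reach the accounts, not just the badge. As an added example (not from the blog post or the article it links to), the script below reconciles an HR roster against a directory export and produces the three lists an offboarding review needs: accounts whose owner has left but which are still enabled (privileged ones first), enabled accounts with no HR owner at all, and accounts nobody has used in a set number of days. The roster, the directory export and the 90-day idle threshold are all constructed assumptions; a real run would pull these from the HR system and the identity provider.

```python
"""Added example (not from the blog post): offboarding reconciliation.

Assumptions: HR_ROSTER maps username -> termination date (None = still
employed); DIRECTORY is an export of the identity directory; the 90-day idle
threshold is an arbitrary policy value. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]  # None = never logged in
    is_admin: bool


# Constructed HR roster: termination date, or None for a current employee.
HR_ROSTER: Dict[str, Optional[date]] = {
    "alice": None,
    "bob": date(2009, 9, 1),    # left a year ago
    "carol": None,
    "dave": date(2010, 8, 20),  # left last month
    "erin": date(2010, 9, 15),  # leaving soon, still employed today
}

# Constructed directory export.
DIRECTORY: List[Account] = [
    Account("alice", True, date(2010, 8, 30), False),
    Account("bob", True, date(2009, 8, 28), False),   # terminated, still enabled
    Account("carol", True, date(2010, 1, 15), False),  # employed but dormant
    Account("dave", True, date(2010, 8, 19), True),    # terminated admin, still enabled
    Account("erin", True, date(2010, 8, 31), False),
    Account("svc_backup", True, None, True),           # no HR owner, never logs in
]


def terminated_but_enabled(roster, directory, today: date) -> List[str]:
    """Enabled accounts whose owner's termination date has passed; admins first."""
    hits = [
        a for a in directory
        if a.enabled
        and roster.get(a.username) is not None
        and roster[a.username] <= today
    ]
    return [a.username for a in sorted(hits, key=lambda a: (not a.is_admin, a.username))]


def orphaned_accounts(roster, directory) -> List[str]:
    """Enabled accounts with no HR record: service accounts or leftovers needing a named owner."""
    return sorted(a.username for a in directory if a.enabled and a.username not in roster)


def dormant_accounts(directory, today: date, max_idle_days: int = 90) -> List[str]:
    """Enabled accounts with no login inside the idle window (or never)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a.username for a in directory
        if a.enabled and (a.last_login is None or a.last_login < cutoff)
    )


def offboarding_report(roster, directory, today: date, max_idle_days: int = 90) -> dict:
    """Bundle the three review lists for a ticket or a scheduled job."""
    return {
        "disable_now": terminated_but_enabled(roster, directory, today),
        "needs_owner": orphaned_accounts(roster, directory),
        "dormant": dormant_accounts(directory, today, max_idle_days),
    }


if __name__ == "__main__":
    for key, names in offboarding_report(HR_ROSTER, DIRECTORY, date(2010, 9, 1)).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

With the sample data as of 2010-09-01, `disable_now` lists dave before bob because dave's account is privileged, erin is not listed because her termination date is still in the future, and the dormant list catches both the departed bob and the still-employed but idle carol, which is the case a termination-driven process alone would miss.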