The Security Pub

Random Thoughts About Security

Form Based Phishing Attacks are on the RISE

As always, spammers are keeping abreast of the important events of the season, and know that January is when the public usually submits tax returns and starts getting refunds. Websense is reporting that the form-based approach is being used more frequently than the usual direct links to phishing sites.

What are form-based email attacks?

Form-based attacks are just another type of phishing attack. Instead of using a link to take the user to a phishing site, the hacker embeds a form in the email itself that the user is asked to complete. When the user completes the form and submits it, the details are sent directly to the attacker. Here is a short video that shows an example.
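A simple way for a mail filter to catch this pattern is to look for a `<form>` inside the HTML body and check where it posts and what it collects. The following is an added example, not code from the original post; the sample message, `example.com` (the purported sender) and `refund-verify.example.net` are constructed placeholders.

```python
"""Flag HTML e-mail bodies that embed a data-collection form (added example; sample is constructed)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fragments of an <input> name/id that suggest the form harvests identity or payment data.
SENSITIVE = ("pass", "ssn", "social", "card", "cvv", "pin", "account", "routing")

class FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None   # each form: {"action": str, "fields": [str]}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append((a.get("name") or a.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def analyze_email(html_body, sender_domain):
    """Return one finding per suspicious form in the body; [] means nothing was flagged."""
    parser = FormCollector()
    parser.feed(html_body)
    findings = []
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        reasons = []
        # A form with no absolute host, or one posting outside the claimed sender's domain, is suspect.
        if not host or (host != sender_domain and not host.endswith("." + sender_domain)):
            reasons.append("action %r does not point at sender domain %s" % (form["action"], sender_domain))
        hits = [f for f in form["fields"] if any(k in f for k in SENSITIVE)]
        if hits:
            reasons.append("collects sensitive fields: " + ", ".join(hits))
        if reasons:
            findings.append({"action": form["action"], "reasons": reasons})
    return findings

# Constructed sample: a "tax refund" notice with the harvesting form embedded in the message.
SAMPLE_EMAIL = """<p>Your refund is ready. Confirm your details below to receive it.</p>
<form method="post" action="https://refund-verify.example.net/submit.php">
  Name: <input name="fullname"> SSN: <input name="ssn">
  Card: <input name="cardnum"> CVV: <input name="cvv">
</form>"""

if __name__ == "__main__":
    for f in analyze_email(SAMPLE_EMAIL, "example.com"):
        print(f["action"], "->", "; ".join(f["reasons"]))
```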

What to do if your Facebook profile has been hacked

With its millions of users, the world’s most popular social network has become a perfect target for attackers exploiting such a dense concentration of potential victims. There are numerous reports from users whose Facebook profile has been hacked and whose identity has therefore been placed at risk. If your Facebook profile is hacked, below are some steps to follow to help limit the ongoing effects.

Step 1: First, remove all permissions that have been granted to the malicious application. This is a simple process: go to Account > Application settings in the top-right corner of your Facebook profile. This ensures that the application will not continue to have access to your profile once the password is changed.

Step 2: Change the login password! To keep your identity safe, it is advisable to change your password and your user name (it’s a good idea to do this from time to time anyway). This is also easy: go to Account > Account Settings in the menu in the top left corner of your Facebook profile. It is also advisable to use strong passwords that cannot easily be guessed.

Identity Theft and What to Know

Identity Theft, What is it?

Identity theft is a crime in which personal information such as a name, social security number, date of birth, and address is stolen and may be used by someone to assume the victim’s identity, often for the purpose of financial gain. It is also referred to as “identity fraud” when the stolen identity is used to impersonate the victim. Here are some methods a criminal may use to steal your data over the Internet.

  • hacking
  • spam
  • phishing
  • social media sites (Facebook, Twitter, etc.)
  • file sharing

All of these, and many more, can be avenues for identity thieves, since users often assume that these places on the Internet are trusted environments and begin sharing personal information without understanding the consequences. But be aware: identity theft is not just a risk for those of us who use the Internet. Criminals can obtain information by sorting through garbage, eavesdropping, stealing wallets, picking up receipts at restaurants, and other means.

Once enough information has been gathered, criminals may open new credit card accounts, apply for loans, empty your bank accounts, make charges on your credit card, or produce fake forms of identification. Another thing to know is that identity thieves will not always use the information themselves. They may sell it on underground markets for financial gain.

What can you do to protect your identity?

  • Ensure that any computer used to connect to the Internet has proper security measures in place. Use and maintain anti-virus software and keep your application and operating system patches up-to-date.
  • Do not follow links provided by unknown or un-trusted sources.
  • Do not open e-mail attachments from unknown users or suspicious e-mails from trusted sources.
  • Be careful what personal information you distribute, particularly on social networking sites (Facebook, Twitter), and continuously check to see what information others may be posting about you. Also verify your privacy settings to ensure you are not inadvertently sharing your personal information. Check out these two pages for more information on protecting yourself on Facebook. Page 1 | Page 2
  • Check your credit reports from all three major credit bureaus (Equifax, Experian, and TransUnion) at least once a year. You are entitled to one free credit report from each bureau every year. You may wish to stagger your requests to check a different credit bureau every four months.
  • Guard your personal information, including your social security number. Don’t carry your social security card with you, and don’t provide your social security number to anyone unless they have a legitimate need for it.
  • Don’t put your social security number or driver’s license number on your checks.
  • Be aware of your surroundings when providing personal information orally. Watch for eavesdroppers.
  • Properly discard hard copy documents containing personal information. A crosscut paper shredder works best.

What should you do if your identity has been stolen?

The first step is to notify your bank, and any other entities with which you have accounts, to inform them that someone may be using your account fraudulently. File a report with your local police and report the event to the Federal Trade Commission. It is helpful to have your financial statements available to better explain your situation.

Contact all three major credit bureaus to request a credit report, and have a fraud alert or a credit freeze placed on your credit reports to prevent accounts from being opened without your permission.

Continue to monitor all of your accounts for any suspicious activity.

What To Consider When Using FaceBook

Facebook is more popular than ever, and the new features available on Facebook are opening new windows for vulnerabilities that everyday users may not be aware of. A compromised Facebook account could be a backdoor to more serious attacks on email or banking.

Here are 10 things to consider when using Facebook.

  1. Stop posting your phone numbers. Remember that your number is exposed to your friends, and therefore you’re relying on their security practices as well as your own to protect you. If a phisher can spoof your number, they have an extra layer of authenticity in convincing your friends you are in trouble and need money.
  2. Put down the games. I know the Mafia can’t take Cuba without you, but it’s time to stop. The top games on Facebook have been hacked, and it’s just a matter of time before the one you play is next. It’s arguable that the damage is already done with the games and applications you’ve already allowed, but don’t sign up for any new ones! Third-party apps are not guaranteed to be secure, and you should not trust them with your credentials. Here is a post I wrote last week on Facebook applications.
  3. Don’t trust chat. The chat feature on Facebook should be treated as a public conversation. Never give out any private information, even if you’re positive you are talking to your friend.
  4. Refresh your personal info. Take a fresh look at your profile from the perspective of a social engineer. Does your profile tell a story about you? What information can you cut out? Many security questions ask about personal details such as primary school and pets. Delete any photos or profile details that may relate to those kinds of questions.
  5. Don’t use the lazy emails. Facebook will fill your email inbox with notifications, and the links to easily respond. Instead of following the links in email, open up a fresh tab and go to facebook.com directly. Facebook and most social networks are targets for email spoofing. Otherwise you’ll be entering your login password at facebock.com!
  6. Don’t friend acquaintances. Think of the friends list as a circle of trust. If you don’t know the person well enough to trust their security savvy, then you’re very unlikely to recognize the behavior of a phisher pretending to be them. 500 friends means 500 possible inroads to a social engineering or phishing attack. Tone down the number.
  7. Don’t keep an old password! Changing your password short circuits many trivial forms of attack. Facebook is a high risk target for Identity Theft, especially if you’re using applications frequently. How about doing it now!
  8. Photos are forever. Make it clear to your friends and family that you do not want those pictures of you in your birthday suit on anyone’s profile. (As opposed to the one of you in a suit on your birthday!) Pictures give behavioral information to an attacker. Bruce Schneier calls this “incidental data” in his Taxonomy of Social Networking Data. There he makes the assumption that incidental data is information that you did not create about yourself, and therefore do not control. I would add that although much of it is outside your control, there are ways to influence your friends’ posting behavior overall. Also, Facebook gives users the ability to “untag” themselves in pictures. While the damage is already done in the short term, you’ve reduced your long-term exposure.
  9. Don’t forget @mentions. This new feature brings more incidental data. Be respectful of your neighbor’s privacy. Ask yourself if having a friend’s entire profile pinned to your comment like a big arrow is actually necessary for the joke to be funny.
  10. Don’t trust other websites. Facebook is everywhere now. The same trust rules apply to the Facebook Login feature that is spreading to other websites. If you don’t trust the website you’re on, then signing in with the Facebook credential does not give you an added layer of protection, but rather hands your password to strangers.

Google Dashboard: Control Your Data

Google has launched a new feature that allows you to view what data is being stored on a number of Google services, with more to come. Google Dashboard will let you control some of the data and how it is used by Google, or even delete it. Right now Google Dashboard supports Gmail, Picasa, Calendar, Google Docs, Alerts, YouTube, Web History and a few others. Google is working to add more services to the Dashboard, such as Checkout, Google Groups, FeedBurner and more.

Stay tuned as more information is released.