One of my favorite quotes is “if you aren’t paying for it, you are the product, not the customer.” The reason I like it is that it very succinctly and accurately describes the relationship we as end users have with many of the online services we have come to rely on ranging from email to social media.

We don’t pay for Gmail accounts or Facebook accounts or LinkedIn accounts, so that means we are the products, not the customers, of these services. So what happens if your account gets hijacked and you need a way to take back control? Can’t you just call customer service and have them restore things as they should be? Not really, and that’s because products don’t get to complain; customers do.

So, what can you do to get your account back? One thing is to do some work up front that will make the need less likely and, failing that, make recovery less painful.

One bit of prevention is to make sure you choose a strong password.

Another is to set up two-factor authentication for your account (assuming the service provider supports this; Google and Facebook do, for instance) so that whenever anyone tries to log in from a new, untrusted device a code is sent to your mobile phone (via SMS, as one example) and must be entered to complete the login. An attacker would then need not only your password but also access to your phone, or to the SMS that carries the code. Not impossible, but certainly harder.

Still another precaution you can take is to leverage Facebook’s new “Trusted Contacts” feature, which lets you designate 3 to 5 friends who can each provide you with a security code to get back into your account. It’s sort of like giving parts of a spare key to your neighbors so that they can help you get back in if you lock yourself out.

Since the service is brand new there’s no telling just yet how well it will work but it certainly sounds promising. Here’s a good article from PC World that goes into more detail, if you’re interested …

http://www.techhive.com/article/2037098/facebooks-trusted-contacts-lets-friends-bail-you-out-of-a-hack-attack.html#tk.nl_today

Here’s an article from the Greater Wilmington Business Journal covering the keynote I gave on social media threats yesterday at the Wilmington IT eXchange.

http://www.wilmingtonbiz.com/industry_news_details.php?id=5198

Thanks to the 130 or so people that came out and packed the house and a special thanks to Dr. Tom Janicki and Dr. Bryan Reinicke, for the invitation to speak and hospitality while I was there.

The sandbox is leaking …

Posted: April 8, 2013 in Uncategorized

Sandboxing is a great security technique. In theory it isolates a program running inside it from the rest of the system, preventing the spread of malware, escalation of privileges, data compromise and all sorts of other problematic interference. In the browser context, a Java applet is downloaded automatically when a user visits a page that embeds it and is then run inside the protected walls of the sandbox. It’s a good model… when it works.

Sometimes it doesn’t, as the latest in a growing line of Java exploits demonstrates. An article by the Institution of Engineering and Technology describes where theory and practice fail to converge:

By using a vulnerability in a Java reflection API, which has been the target of recent attacks, Forshaw was able to disable the Java sandbox and perform actions under the privileges of the logged in user, including reading and writing files and executing new programs.

In general, Java’s security model is much more robust than some of its alternatives, but it never hurts to remind ourselves that it isn’t perfect. No software of any real complexity is. This is why you have to assume that any security defense can and will be breached, and architect a solution that is resilient in the face of such a failure.

Another aspect of Java that is working against the good guys stems from one of its greatest strengths, and that is that it is cross-platform in nature. In other words, a developer can write it once and have it run on Windows, Linux, Mac OS and so on. Generally speaking, that’s a good thing. However, it also means that bad guys can write exploits that are able to cut across a wide range of platforms as well. Previously, such a feat would have been far more difficult due to the uniqueness of each OS.

Yet another area of concern is that while we continue to learn of more and more vulnerabilities in Java, we are also becoming keenly (and painfully) aware of just how many people are running old versions of it on their systems, leaving them open to an increasing number of threats.

A recent report from Websense asserts that only 1 out of 20 systems is running the latest version of Java and that 94% of systems were vulnerable to a recently discovered flaw. 

Ouch! And in this case, the sandbox is leaking a lot more than just sand …
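A check that turns the Websense finding above into something you can run against your own fleet, as an added example (not code from the original post or from Websense). It parses the banner that `java -version` prints (to stderr, hence `2>&1` when collecting it) and compares it with a baseline release; the baseline value and the host inventory are constructed for illustration.

```python
"""Flag hosts running an outdated Java runtime.

Added example, not from the original post or the Websense report. It parses
the first line of `java -version 2>&1` and compares it with a baseline
release; the baseline and the host inventory below are constructed.
"""
import re

# Baseline release to compare against (assumption: the newest release you
# have approved; 1.7.0_21 is used here purely as an example value).
BASELINE_BANNER = 'java version "1.7.0_21"'

# First line of `java -version`, e.g. java version "1.7.0_21" or
# openjdk version "11.0.2"; the _NN update suffix is optional.
_BANNER_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?'
)


def parse_java_version(banner):
    """Return (major, minor, patch, update) from a `java -version` banner, or None."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(banner, baseline=BASELINE_BANNER):
    """'absent' if no Java banner, 'outdated' if older than baseline, else 'current'."""
    ver = parse_java_version(banner)
    if ver is None:
        return "absent"
    return "outdated" if ver < parse_java_version(baseline) else "current"


def summarize(inventory, baseline=BASELINE_BANNER):
    """Group hosts by status and compute the share of Java installs that are outdated."""
    groups = {"current": [], "outdated": [], "absent": []}
    for host, banner in sorted(inventory.items()):
        groups[classify(banner, baseline)].append(host)
    installed = len(groups["current"]) + len(groups["outdated"])
    pct = round(100.0 * len(groups["outdated"]) / installed, 1) if installed else 0.0
    return groups, pct


# Constructed sample: what `java -version 2>&1 | head -1` might return per host.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_21"',
    "ws-02": 'java version "1.6.0_45"',
    "ws-03": 'java version "1.7.0_17"',
    "ws-04": 'java version "1.5.0_22"',
    "ws-05": 'bash: java: command not found',
    "ws-06": 'java version "1.7.0_21"',
}

if __name__ == "__main__":
    groups, pct = summarize(SAMPLE_INVENTORY)
    for status, hosts in groups.items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
    print(f"{pct}% of Java installs are behind {BASELINE_BANNER}")
```

Hosts with no Java at all are reported separately rather than counted as vulnerable, and an unparseable banner on a host that does have Java should be treated as unknown and investigated, not silently passed.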

The bi-annual IBM X-Force Trend and Risk Report was recently released and, as always, there are some interesting insights …

First of all, in case you aren’t familiar, the IBM X-Force team is a group of security researchers who “study and monitor the latest threat trends including vulnerabilities, exploits and active attacks, viruses and other malware, spam, phishing, and malicious web content.”

They have at their disposal an enormous base of empirical data gleaned from the more than 3,700 client networks they manage, which generate roughly 13 billion (with a “b”) events per day across 133 countries. In addition, this group also maintains a database of 17 billion web pages and images, 40 million spam and phishing attacks and 80 thousand documented vulnerabilities. In other words, way more than enough data to identify meaningful trends which can be generalized to apply across industries and international borders.

So, what did they find? Lots of things, of course, but some that I found interesting were:

  • Publicly disclosed vulnerabilities increased by 14% over the previous year, to 8,168
  • Cross-site scripting accounted for over half of the total web app vulnerabilities disclosed in 2012 — the highest rate seen in X-Force’s history
  • Java has become a favorite hacker target in part due to its cross-platform nature, which means that a single exploit can be developed that would compromise Windows (all versions), Mac OS and Linux, for instance, essentially leveling the playing field for the bad guys and removing the (false) sense of security that some have enjoyed due to their choice of operating system
  • Botnet command and control infrastructure has become more resilient over the past several years, as takedowns of these infrastructures have had progressively less and less effect

Then there’s this provocative prediction: that mobile computing will actually become increasingly secure, eventually surpassing traditional desktop/laptop devices. That’s a statement you may want to noodle on a bit to see whether you agree or disagree, but before you decide either way, take a look at the report to see the rationale behind this unconventional assertion.

The report is available at ibm.co/xforce or bit.ly/xreport. In addition, you might want to listen in on a podcast hosted by IBM’s Caleb Barlow discussing some of the findings, which can be found at his blog at www.blogtalkradio.com/calebbarlow

 

The conventional answer to the question of whether iOS or Android is the more secure platform is that Apple’s “walled garden,” which places restrictions on app developers, creates a more secure environment for iOS, whereas Google’s more permissive model puts Android users at greater risk.

As I have posted here before, there is plenty of ammo to bolster that position:

But the story is more complicated than that. For instance, take this recent report from Appthority which finds that “iOS apps leak more personal data than do Android apps”.

The differences are not huge but they do add fuel to the fire regarding which platform is safer. Apple Insider sums it up well:

A number of questionable policies and security concerns have painted Google’s Android platform as inherently less secure than Apple’s iOS. Android does appear to be more vulnerable to malware than iOS, but mobile malware affects only one percent of apps. The larger concern, the study concludes, should be over how mobile apps handle personal information and company data.

In the end, the unsatisfying answer as to which is more secure is, you guessed it, — it depends — so pick your poison … :-)

 

Decaf Java?

Posted: February 26, 2013 in Uncategorized

Hopefully, you’ve heard about the recent security vulnerabilities involving Java. I blogged about it last month in this post.

“Patch and pray” might be a good start for dealing with software issues like this but you can do more. The reason? There’s always going to be another vulnerability and, in some cases, the bad guys will exploit it before the good guys have developed a defense for it — the dreaded “zero-day” vulnerability.

So what can you do? In my previous post I extolled the virtues of the NoScript browser plug-in as one approach. It doesn’t have to stop there, though.

There’s a good article entitled “How to Safely Keep Java in Your Web Browser” that points out just how difficult it is to wean yourself off of Java (the software, not the beverage) along with some possible strategies to lessen the risk. One of the techniques described is using separate browsers for Java and non-Java content (which is sort of a more drastic version of the NoScript approach).

I hope you find it useful since going cold turkey with Java could be the equivalent of cutting off your nose to spite your face …

Wilmington IT eXchange

Posted: February 25, 2013 in Uncategorized

 

I’ll be doing the keynote presentation at the Wilmington (NC) IT eXchange and Conference on April 9, 2013. The annual event will be held on the campus of UNC Wilmington and led by Dr. Tom Janicki and other faculty.

My talk will be about Social Media Threats and will kick off what should be an interesting afternoon of elective learning sessions, exhibits by vendors and UNCW students and professional networking. Hope to see you there …