Posts Tagged ‘facebook’

A quick “heads up” that I will be presenting on the topic of Social Media Threats on Friday, March 7, at the Delaware Valley Chapter of the Information Systems Security Association. Here’s a link for more info:

www.issa-dv.org/meetings

Also, I’ll be presenting on Access Management and Federated Identity Management on Thursday, March 20, at the Harrisburg (PA) Chapter of ISACA (previously known as Information Systems Audit and Control Association). Link below:

www.isaca-harrisburg.org

So if you’re looking for some CPEs and will be in the area, please drop by and say “hi.”

There’s a spy in your pocket (or pocketbook or backpack). It’s so well camouflaged that you could stare directly at it and still not realize it’s there. Hiding in plain sight, as it were. In fact, if you are like most people according to a recent study, you rarely let this spy get out of arm’s reach. Are you sufficiently paranoid yet?

Turns out this spy is your mobile phone. It knows pretty much everywhere you go, how long you stay there, who you associate with, who your closest friends are, what you say to them, what you like and what you don’t like, what you’re in the market for and so on. It knows all this because it is the center of your digital life. Your social media accounts, your emails, your text messages, your phone calls, your photographs, your location, your purchases — all that and more are being tracked to one degree or another by Facebook, Google, Apple, Twitter, Verizon, AT&T, Sprint and a host of others.

Maybe none of that bothers you — but maybe this would … what if all that info was available to your ex, your boss, a stalker or just some creep who figured out how to turn your phone into a video and audio surveillance device by planting software on it without your knowledge. With this, your voyeur can turn on the microphone on your phone and listen in to your conversations even when you aren’t on the phone and see you through the video camera and read your emails and texts and … you get the picture.

Pretty creepy, huh? Well, it’s not at all far-fetched. In fact, here’s a commercially available tool that will do it for you (Note: I’ve redacted the name of the software because I’m not trying to advertise for it):

PhoneSpyware

… and it’s far from the only option. Here’s an article from PC World that talks about malware that does the same:

http://www.techhive.com/article/2043321/malware-like-program-lets-your-android-phone-spy-on-you.html#tk.nl_today

This really isn’t a new concept as we’ve had malware on PCs that could do this for more than a decade. What has changed is that mobile phones contain so much more info about you and are so portable that they go everywhere with you — everywhere.

Mobile device anti-malware programs can help but that whole industry is still fairly immature so the capabilities haven’t really caught up with the threats just yet. Some of the best things you can do are:

  • don’t download programs from places other than the authorized sources (Google Play, Apple App Store),
  • don’t root your device (even though it’s awfully tempting to do so in order to get some extra goodies that the providers have been denying you) and,
  • just as with PCs, don’t click on links unless you are expecting them and know where they are going to take you — regardless of who they appear to be coming from.

Sorry to be the bearer of bad news and paranoia, but I figure it’s better you know because the bad guys already do…

Here’s a link to a short, 15-minute video on the subject of “Social Media Threats” that I did today for Hacker Hotshots. I had to step out of a customer workshop and use my iPad for the web cast so the lighting and camera angle are far from ideal but, hopefully, you will at least get an idea of what’s out there waiting for you on the Interwebs…

I’ve posted a video of the full presentation I gave in Munich earlier this year on social media threats but now if you want the abbreviated format, please join me at Hacker Hotshots on Thursday, July 18, at noon (EDT) for a short web cast.

Here’s a link to the web site where you can register:

http://www.concise-courses.com/infosec/20130718/#

One of my favorite quotes is “if you aren’t paying for it, you are the product, not the customer.” The reason I like it is that it very succinctly and accurately describes the relationship we as end users have with many of the online services we have come to rely on ranging from email to social media.

We don’t pay for gmail accounts or Facebook accounts or LinkedIn accounts so that means we are the products, not the customers of these services. So what happens if your account gets hijacked and you need a way to take back control? Can’t you just call customer service and have them restore things as they should be? Not really and that’s because products don’t get to complain — customers do.

So, what can you do to get your account back? One thing is to do some work up front that will make the need less likely and, failing that, make recovery less painful.

One bit of prevention is to make sure you choose a strong password.

Another is to set up two-factor authentication for your account (assuming the service provider supports this — Google and Facebook do, for instance) so that if anyone tries to log in from a new, untrusted device a code will be sent to your mobile phone via SMS (as one example) which must then be entered in order to complete the login process. This way an attacker would not only have to steal your password but also your phone in order to break in. Not impossible, but certainly harder.
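To make the flow described above concrete, here is an added example (my own illustration, not code from the original post or from any provider) of how a service can gate logins from a device it has not seen before behind a one-time code. All names are constructed: `LoginService`, `Account`, the in-memory `sms_outbox` that stands in for an SMS gateway, and the keyed-HMAC password "hash" used only to keep the example dependency free. The part worth noticing is what makes the second factor actually add cost for an attacker: the code is random, single use, expires, and only tolerates a few wrong guesses before being discarded.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300   # a one-time code is accepted for five minutes
MAX_ATTEMPTS = 3         # wrong guesses tolerated before the code is discarded


def make_password_hash(password: str) -> str:
    # Stand-in for a real password hash (use bcrypt/scrypt/argon2 in production);
    # a keyed HMAC is used here only so the example needs no extra packages.
    return hmac.new(b"demo-pepper", password.encode(), "sha256").hexdigest()


@dataclass
class Account:
    password_hash: str
    phone: str                                   # where the SMS code goes
    trusted_devices: set = field(default_factory=set)


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class LoginService:
    def __init__(self, accounts: dict, clock=time.time):
        self.accounts = accounts
        self.clock = clock          # injectable so expiry can be exercised
        self.pending = {}           # username -> PendingCode
        self.sms_outbox = []        # (phone, code); stands in for an SMS gateway

    def login(self, username, password, device_id):
        """Step 1: password check. Returns 'ok', 'needs_code' or 'denied'."""
        account = self.accounts.get(username)
        if account is None or not hmac.compare_digest(
                make_password_hash(password), account.password_hash):
            return "denied"
        if device_id in account.trusted_devices:
            return "ok"                       # known device: no second factor
        code = f"{secrets.randbelow(10**6):06d}"   # fresh 6-digit code
        self.pending[username] = PendingCode(code, self.clock())
        self.sms_outbox.append((account.phone, code))
        return "needs_code"

    def verify_code(self, username, submitted, device_id, remember=True):
        """Step 2: one-time code check. Returns 'ok', 'denied' or 'expired'."""
        pending = self.pending.get(username)
        if pending is None:
            return "denied"
        if self.clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self.pending[username]
            return "expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self.pending[username]        # too many guesses: start over
            return "denied"
        if not hmac.compare_digest(pending.code.encode(), submitted.encode()):
            return "denied"
        del self.pending[username]            # a code is single use
        if remember:
            self.accounts[username].trusted_devices.add(device_id)
        return "ok"


def demo():
    # Constructed sample account; the phone number is a placeholder.
    accounts = {"alice": Account(make_password_hash("correct horse"), "+1-555-0100")}
    svc = LoginService(accounts)
    first = svc.login("alice", "correct horse", "new-laptop")   # 'needs_code'
    _, code = svc.sms_outbox[-1]                                 # the "SMS" arrives
    second = svc.verify_code("alice", code, "new-laptop")        # 'ok'
    third = svc.login("alice", "correct horse", "new-laptop")    # 'ok': device now trusted
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks through the first login from a new laptop (password accepted, code required), the code being entered, and the next login from the same device sailing through because it is now trusted. Whether "remember this device" is the right default is a policy choice; a stolen trusted device is exactly the case the paragraph above describes, so the trusted-device list should be something the owner can review and revoke.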

Still another precaution you can take is to leverage Facebook’s new “Trusted Contacts” feature which lets you designate 3 to 5 friends who can then be leveraged to provide you with a security code to get back into your account. It’s sort of like giving parts of spare keys to your neighbors so that they can help you get back in if you lock yourself out.

Since the service is brand new there’s no telling just yet how well it will work but it certainly sounds promising. Here’s a good article from PC World that goes into more detail, if you’re interested …

http://www.techhive.com/article/2037098/facebooks-trusted-contacts-lets-friends-bail-you-out-of-a-hack-attack.html#tk.nl_today

Here’s an article from the Greater Wilmington Business Journal covering the keynote I gave on social media threats yesterday at the Wilmington IT eXchange.

http://www.wilmingtonbiz.com/industry_news_details.php?id=5198

Thanks to the 130 or so people that came out and packed the house and a special thanks to Dr. Tom Janicki and Dr. Bryan Reinicke for the invitation to speak and their hospitality while I was there.

Welcome to Inside Internet Security — the blog. I qualify it that way since it is named after a book I wrote about a dozen years ago which, in a sense, served as the launch pad for what has been an amazing personal journey through the intricacies of IT security in the age of the Internet.

It seems somehow appropriate to commence this new (for me) means of outreach through social media with an exploration of some of the security risks inherent in this format. So in that spirit, I offer up a link to a keynote talk I did in September of 2011 at the New York Institute of Technology’s Cyber Security Conference for your consideration in hopes that it will provoke some thinking on the topic.

In this talk I discuss some of the vulnerabilities in the social networking format as well as cite examples of real world attacks and compromises that have occurred on Facebook and LinkedIn along with some discussion of the weaknesses that exist in current authentication technologies such as passwords and biometrics. (There were some technical difficulties with the audio at the start but it smooths out soon.)

Enjoy …


NYIT Cyber Security Conference: How Secure Are We? Identity Management and Social Networking Threats