Posts Tagged ‘twitter’

A quick “heads up” that I will be presenting on the topic of Social Media Threats on Friday, March 7, at the Delaware Valley Chapter of the Information Systems Security Association. Here’s a link for more info:

www.issa-dv.org/meetings

Also, I’ll be presenting on Access Management and Federated Identity Management on Thursday, March 20, at the Harrisburg (PA) Chapter of ISACA (previously known as Information Systems Audit and Control Association). Link below:

www.isaca-harrisburg.org

So if you’re looking for some CPEs and will be in the area, please drop by and say “hi.”


Here’s a cool/creepy thing to keep in mind: when you post to social media or take photos with your phone, it is entirely possible that your laptop or mobile device is also attaching location data to whatever you publish. That could be a very useful feature when the place adds context to your posting, such as where you were when you took that awesome shot of the sunset over the ocean (which ocean? which beach? what season?), or when you’ve just tweeted about a great slice of pizza and others may want to know where to get one too.

On the other hand, if you weren’t aware that this information was being captured and made available for all to see, you might not think it was such a great idea. For instance, you could be passing time in a doctor’s waiting room tweeting about last night’s game and not realize that you’ve just told the world that you have a medical problem of a somewhat sensitive nature.
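The location data in a photo lives in the EXIF metadata, specifically a GPS sub-directory inside the TIFF structure that a JPEG carries in its APP1 “Exif” segment. Here is an added example (my code, not anything from the post or from the tool mentioned below) that walks that structure with nothing but the Python standard library and reports the fix a JPEG carries. The sample JPEG is built by hand in the same block, with a made-up coordinate, so the check runs offline; real camera files carry many more tags, but the GPS lookup path is the same.

```python
import struct

GPS_INFO_TAG = 0x8825          # IFD0 entry that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def exif_tiff_from_jpeg(jpeg):
    """Walk the JPEG marker segments and return the TIFF blob inside the APP1 'Exif' segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                      # start of scan: image data follows, no more metadata
            return None
        seg_len = struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + seg_len]
        pos += 2 + seg_len
    return None


def _entries(tiff, e, ifd_off):
    """Yield (tag, type, count, raw 4-byte value field) for each 12-byte entry of the IFD at ifd_off."""
    n = struct.unpack_from(e + "H", tiff, ifd_off)[0]
    for i in range(n):
        base = ifd_off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, base)
        yield tag, typ, count, tiff[base + 8:base + 12]


def _rationals(tiff, e, raw, count):
    """RATIONALs never fit in the 4-byte field, so raw holds an offset to count (numerator, denominator) pairs."""
    off = struct.unpack_from(e + "I", raw)[0]
    words = struct.unpack_from(e + "I" * (2 * count), tiff, off)
    return [num / den if den else 0.0 for num, den in zip(words[::2], words[1::2])]


def _dms_to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(tiff):
    """Return (lat, lon) in decimal degrees from a TIFF/EXIF blob, or None if there is no GPS IFD."""
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"    # byte order flag at the start of the TIFF header
    ifd0 = struct.unpack_from(e + "I", tiff, 4)[0]
    gps_off = None
    for tag, typ, count, raw in _entries(tiff, e, ifd0):
        if tag == GPS_INFO_TAG and typ == TYPE_LONG:
            gps_off = struct.unpack_from(e + "I", raw)[0]
    if gps_off is None:
        return None
    fields = {}
    for tag, typ, count, raw in _entries(tiff, e, gps_off):
        if typ == TYPE_ASCII and count <= 4:     # short strings such as "N" are stored inline
            fields[tag] = raw[:count].rstrip(b"\x00").decode("ascii", "replace")
        elif typ == TYPE_RATIONAL:
            fields[tag] = _rationals(tiff, e, raw, count)
    if not all(t in fields for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    return (_dms_to_decimal(fields[GPS_LAT], fields[GPS_LAT_REF]),
            _dms_to_decimal(fields[GPS_LON], fields[GPS_LON_REF]))


def photo_location(jpeg):
    """The GPS fix a JPEG carries, or None: the check to run before a photo goes anywhere public."""
    return extract_gps(exif_tiff_from_jpeg(jpeg))


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Hand-built test fixture, not a real camera file: SOI, one APP1/Exif segment holding only a GPS fix, EOI."""
    e = "<"
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4       # IFD0: count + one entry + next-IFD pointer
    lat_off = gps_off + 2 + 4 * 12 + 4    # GPS IFD: count + four entries + next-IFD pointer
    lon_off = lat_off + 3 * 8             # three RATIONALs of 8 bytes each
    t = bytearray(b"II" + struct.pack(e + "HI", 42, ifd0_off))
    t += struct.pack(e + "H", 1) + struct.pack(e + "HHII", GPS_INFO_TAG, TYPE_LONG, 1, gps_off) + struct.pack(e + "I", 0)
    t += struct.pack(e + "H", 4)
    t += struct.pack(e + "HHI", GPS_LAT_REF, TYPE_ASCII, 2) + lat_ref.encode("ascii").ljust(4, b"\x00")
    t += struct.pack(e + "HHII", GPS_LAT, TYPE_RATIONAL, 3, lat_off)
    t += struct.pack(e + "HHI", GPS_LON_REF, TYPE_ASCII, 2) + lon_ref.encode("ascii").ljust(4, b"\x00")
    t += struct.pack(e + "HHII", GPS_LON, TYPE_RATIONAL, 3, lon_off)
    t += struct.pack(e + "I", 0)
    for num, den in list(lat_dms) + list(lon_dms):
        t += struct.pack(e + "II", num, den)
    payload = b"Exif\x00\x00" + bytes(t)
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", 2 + len(payload)) + payload + b"\xff\xd9"


# Constructed sample fix: 37 deg 30' 00" N, 122 deg 15' 00" W (invented, not taken from any real photo).
SAMPLE_JPEG = build_sample_jpeg([(37, 1), (30, 1), (0, 1)], "N", [(122, 1), (15, 1), (0, 1)], "W")

if __name__ == "__main__":
    print(photo_location(SAMPLE_JPEG))
```

Point `photo_location` at the bytes of a photo straight off a phone and you will see whether the camera app was allowed to geotag it; the same walk with the GPS entries removed is what “strip EXIF” features in sharing tools do for you.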

For a real-world example of this, I used a tool at http://teachingprivacy.icsi.berkeley.edu:8080/#project to view the comings and goings of one of the giants of the IT world. I’ve redacted his actual Twitter handle out of respect for his privacy, but what I found was publicly available information that anyone could easily obtain. The screenshots below reveal what I found with just a few clicks …

[Screenshot: TwitterTrack1]

As you can see, our subject is quite the world traveler, but he spends most of his time on the West Coast.

[Screenshot: TwitterTrack2]

Zooming in on the red “hot spot” from the previous image shows that he is probably based in Silicon Valley.

[Screenshot: TwitterTrack3]

Zooming in further still shows a Google map with one of the tweets coming from a urologist’s office.

Maybe he was just there to work on their computers but, still, it’s probably not what he had in mind to blast out to the Twitterverse when he wrote that tweet.

A similar bit of stalker magic is available from WeKnowYourHouse.com, which correlates tweets containing words like “home” and “house” with the geolocation attached by Twitter to assert, with reasonable confidence, that you live at the following address …

[Screenshot: WeKnowYourHouse]

Pretty creepy, huh? Consider yourself forewarned and double-check those location settings, on the phone and in each app, to make sure that you aren’t guilty of revealing TMI…
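To make the “hot spot” map and the home-address trick above concrete, here is an added example of the kind of correlation those tools perform. This is my own illustration, not code from WeKnowYourHouse.com or the Berkeley tool; the list of “at home” words, the roughly 1 km grid size and the confidence score are assumptions I picked for the demo, and the geotagged posts are invented.

```python
import math
import re
from collections import Counter

# Words a WeKnowYourHouse-style tool keys on: a post that says "home" was probably sent from home.
HOME_WORDS = re.compile(r"\b(home|house|apartment|my place)\b", re.IGNORECASE)

# Constructed sample of geotagged posts as (text, lat, lon). Invented for the example, not real tweets.
SAMPLE_POSTS = [
    ("finally home, feet up", 37.4419, -122.1430),
    ("great slice at the pizza place downtown", 37.4440, -122.1600),
    ("back at the house after a long day", 37.4421, -122.1428),
    ("keynote done, great crowd #conference", 37.7849, -122.4010),
    ("movie night at home", 37.4418, -122.1433),
    ("airport. again.", 37.6213, -122.3790),
    ("the house is a mess, cleaning day", 37.4422, -122.1429),
]


def grid_cell(lat, lon, cell_deg=0.01):
    """Snap a coordinate to an integer grid cell (0.01 degrees is roughly 1 km) so nearby posts share a bucket."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def hot_spots(posts, cell_deg=0.01, top=3):
    """The heat-map view: which cells hold the most posts, most frequent first."""
    counts = Counter(grid_cell(lat, lon, cell_deg) for _, lat, lon in posts)
    return counts.most_common(top)


def infer_home(posts, cell_deg=0.01):
    """Keep only posts whose text suggests the author is at home, find the cell most of them come
    from, and return that cluster's centroid plus a crude confidence score (share of 'home' posts agreeing)."""
    at_home = [(lat, lon) for text, lat, lon in posts if HOME_WORDS.search(text)]
    if not at_home:
        return None
    cell, _ = Counter(grid_cell(lat, lon, cell_deg) for lat, lon in at_home).most_common(1)[0]
    cluster = [(lat, lon) for lat, lon in at_home if grid_cell(lat, lon, cell_deg) == cell]
    return {
        "lat": round(sum(p[0] for p in cluster) / len(cluster), 4),
        "lon": round(sum(p[1] for p in cluster) / len(cluster), 4),
        "supporting_posts": len(cluster),
        "confidence": len(cluster) / len(at_home),
    }


if __name__ == "__main__":
    print(hot_spots(SAMPLE_POSTS))
    print(infer_home(SAMPLE_POSTS))
```

Notice that nothing here is clever: with a few dozen geotagged posts, a word list and a grid, the busiest cell is where you spend your nights, and the “home” posts narrow it to a block. That is why the setting that attaches location to every post is the one to turn off.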

There’s a spy in your pocket (or pocketbook or backpack). It’s so well camouflaged that you could stare directly at it and still not realize it’s there. Hiding in plain sight, as it were. In fact, if you are like most people according to a recent study, you rarely let this spy get out of arm’s reach. Are you sufficiently paranoid yet?

Turns out this spy is your mobile phone. It knows pretty much everywhere you go, how long you stay there, who you associate with, who your closest friends are, what you say to them, what you like and what you don’t like, what you’re in the market for and so on. It knows all this because it is the center of your digital life. Your social media accounts, your emails, your text messages, your phone calls, your photographs, your location, your purchases — all that and more are being tracked to one degree or another by Facebook, Google, Apple, Twitter, Verizon, AT&T, Sprint and a host of others.

Maybe none of that bothers you, but maybe this would: what if all that info were available to your ex, your boss, a stalker or just some creep who figured out how to turn your phone into a video and audio surveillance device by planting software on it without your knowledge? With that in place, your voyeur can turn on the microphone and listen in to your conversations even when you aren’t on a call, watch you through the camera, read your emails and texts and … you get the picture.

Pretty creepy, huh? Well, it’s not at all far-fetched. In fact, here’s a commercially available tool that will do it for you (Note: I’ve redacted the name of the software because I’m not trying to advertise for it):

[Screenshot: PhoneSpyware]

… and it’s far from the only option. Here’s an article from PC World that talks about malware that does the same:

http://www.techhive.com/article/2043321/malware-like-program-lets-your-android-phone-spy-on-you.html#tk.nl_today

This really isn’t a new concept as we’ve had malware on PCs that could do this for more than a decade. What has changed is that mobile phones contain so much more info about you and are so portable that they go everywhere with you — everywhere.

Mobile device anti-malware programs can help, but that whole industry is still fairly immature, so the capabilities haven’t really caught up with the threats just yet. Some of the best things you can do are:

  • don’t download programs from places other than the authorized sources (Google Play, Apple App Store),
  • don’t root (or jailbreak) your device, even though it’s awfully tempting to do so in order to get some extra goodies that the providers have been denying you, and
  • just as with PCs, don’t click on links unless you are expecting them and know where they are going to take you, regardless of who they appear to be coming from.

Sorry to be the bearer of bad news and paranoia, but I figure it’s better you know because the bad guys already do…

Here’s a link to a short, 15-minute video on the subject of “Social Media Threats” that I did today for Hacker Hotshots. I had to step out of a customer workshop and use my iPad for the web cast so the lighting and camera angle are far from ideal but, hopefully, you will at least get an idea of what’s out there waiting for you on the Interwebs…

I’ve posted a video of the full presentation I gave in Munich earlier this year on social media threats but now if you want the abbreviated format, please join me at Hacker Hotshots on Thursday, July 18, at noon (EDT) for a short web cast.

Here’s a link to the web site where you can register:

http://www.concise-courses.com/infosec/20130718/#

I got a question recently from Tyler Dukes at the Raleigh News & Observer related to work on the “Stump the Geeks” column. A reader had developed his own, rather elaborate scheme for assigning unique passwords for each web site (a laudable goal). Here’s what he wrote:

Q. I’ve developed a method for creating IDs and passwords so I can store them without any encryption or hacking worries. I do the following:

1. I always use a base user ID such as MYUSERIDn and password as MYPASSWORDnn.

2. I simply change the “n” to any number for the ID and the “nn” to any number for the password.

3. Now I can store a Web site ID and password as, for example, “Macy’s 522.”

Say Macy’s wants me to set up a user ID and password. I would create my ID as MYUSERID5 and my password as MYPASSWORD22. Now I can bookmark the Macy’s Web site described as “Macy’s 522.” If you don’t know my basic structure, the “522” means nothing. My actual IDs and passwords are more complex than this example, but the concept is the same.

Am I lulling myself into a false sense of security, or is this scheme a viable solution?

The short answer to the first part of the question is “yes.” Nice try, but there are some problems with this approach.

The article in the paper summarized some of the issues but I thought I would go ahead and put out my full answer here…

The password scheme described is certainly better than using the same password for every system, but not really something I would feel comfortable hanging my hat on. First, since only letters and digits are used, the number of possibilities an attacker would have to try in a brute-force attack (i.e., trying all possible password combinations) is not nearly as large as it would be if special characters (e.g. *, &, !, %, $) and mixed-case letters were used. Second, the password is not so long that such an attack couldn’t be completed in a reasonable amount of time, particularly an offline attack against a stolen database of poorly hashed passwords. The key to better security with passwords is complexity: ideally you want randomness created by a mixture of cases, letters, digits and special characters, with enough length behind it. These should also be changed every few months and not reused on other systems. Third, and this is the real weakness here, any scheme that you reuse runs the risk that if someone discovers your password on one system they can infer what it would be on others. In this scheme the only thing that changes from site to site is a two-digit number, so an attacker who recovers “MYPASSWORD22” from one breached site needs at most 100 guesses at the next one.


Of course, the problem with doing what I just recommended above in terms of password complexity is that, in general, making a password hard to guess, also makes it hard to remember. Rather than writing passwords down, which introduces yet further risks, it’s best to either use a password storage “vault” or, better still, a single sign-on tool that combines the vault with a capability to automatically enter the password for you. With this sort of software all you need to do is keep up with one complex password (rather than many) and then the program does the heavy lifting of generating strong, unique, random passwords that you never even have to know.
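Here is an added example, in Python, that puts numbers on the two preceding points: how much work a brute-force attacker faces against the reader’s scheme before and after one site leaks a password, and what a vault-generated password looks like by comparison. It is my illustration rather than code from the column or from any password manager, and it assumes the reader’s example literally (a 12-character upper-case-plus-digits password whose last two characters are the per-site number); the vault alphabet and length are my choices.

```python
import math
import re
import secrets
import string

# The reader's pattern: a fixed stem plus a per-site number, e.g. "MYPASSWORD" + "22".
TRAILING_DIGITS = re.compile(r"^(?P<stem>.*?)(?P<digits>\d+)$")

# Assumed vault alphabet: mixed case, digits and 14 specials, 76 symbols in all.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def keyspace_bits(alphabet_size, length):
    """log2 of the number of candidates an exhaustive (brute-force) search has to cover."""
    return length * math.log2(alphabet_size)


def guesses_after_leak(leaked_password):
    """Everything the same scheme can produce at another site once one password has leaked:
    only the numeric suffix varies, so the stem is known and the search collapses to 10**width."""
    m = TRAILING_DIGITS.match(leaked_password)
    if not m:
        return []
    stem, width = m.group("stem"), len(m.group("digits"))
    return [f"{stem}{n:0{width}d}" for n in range(10 ** width)]


def random_password(length=16, alphabet=DEFAULT_ALPHABET):
    """What a vault does for you: a password drawn with a CSPRNG from the full mixed alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes():
    """Bits of work an attacker faces in three situations (rounded to one decimal)."""
    return {
        # MYPASSWORDnn with no knowledge of the stem: 12 characters from 26 upper-case letters + 10 digits
        "scheme_blind": round(keyspace_bits(36, 12), 1),
        # the same scheme after one site leaks "MYPASSWORD22": 100 candidates, log2(100)
        "scheme_after_leak": round(math.log2(len(guesses_after_leak("MYPASSWORD22"))), 1),
        # a 16-character vault-generated password over the 76-symbol alphabet
        "vault_16": round(keyspace_bits(len(DEFAULT_ALPHABET), 16), 1),
    }


if __name__ == "__main__":
    print(compare_schemes())
    print(random_password())
```

The blind search space of the reader’s scheme (about 62 bits) is already within reach of an offline cracking rig against a fast, unsalted hash, and one leaked password drops it to under 7 bits, a hundred guesses. The 16-character vault password sits near 100 bits and shares nothing with the password at any other site.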

Finally, for even better security, a second mechanism can be added to the password (“something you know”). In this case you would also be challenged to prove that you have some unique device in your possession (“something you have”) or some physical characteristic unique to you (“something you are”). The latter involves biometrics such as fingerprints, retinal scans, voice recognition and the like. The former is perhaps more practical in many cases if the thing you “have” is something you are likely to keep with you most of the time anyway, such as a cell phone. This sort of two-factor authentication would involve logging in with your userid and password as always, and then you might face a second challenge such as entering a one-time PIN that has been sent as a text message to your phone or entering a temporary password that has been generated by an app on the phone. Google, Facebook and others offer this sort of scheme. Twitter, at this point, does not, although there are reports that this capability will be coming in the not too distant future. When it does, I would recommend that this option be considered, since it could have prevented the sort of situation that has been seen with a number of high-profile Twitter feeds.
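The “temporary password generated by an app on the phone” is, in the common case, a time-based one-time password (TOTP, RFC 6238), built on the HMAC-based one-time password of RFC 4226. As an added example, not code from the column or from any of the services named above, here is both halves of that exchange in Python: the code the phone app computes from a shared secret and the clock, and the check the server runs, including the clock-skew window, a constant-time comparison and a replay guard. The enrolment helper and the one-step drift are my assumptions; the test vectors in the demo are the RFC’s published ones.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic truncation'
    takes 4 bytes at an offset given by the last nibble of the MAC and keeps the low decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the Unix epoch.
    The phone app and the server both derive this from the shared secret; the secret never travels."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time=None, step=30, digits=6, drift=1, last_counter=-1):
    """Server-side check. Accepts the current step and `drift` steps either side to tolerate clock skew,
    compares in constant time so response timing leaks nothing, and refuses any counter at or below
    `last_counter` so a code captured from the user cannot be replayed inside its window.
    Returns the matching counter (store it and pass it back as last_counter next time) or None."""
    if unix_time is None:
        unix_time = int(time.time())
    current = unix_time // step
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), str(code).encode()):
            return counter
    return None


def provisioning_secret(nbytes=20):
    """A fresh shared secret for enrolment, base32-encoded as authenticator apps expect it (assumed helper)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    # RFC 6238 test secret; at T=59 the reference vector is 94287082 (6-digit form 287082).
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, unix_time=59))
    print(verify_totp(demo_secret, "287082", unix_time=59))
```

The thing to notice is that the second factor is only as good as the handling around it: the drift window, the replay guard and the constant-time compare are what separate a real implementation from one that merely looks like two-factor.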

Since the time I wrote that Twitter has, indeed, come out with a two-factor authentication scheme — a welcome and long overdue enhancement. It’s not perfect but it is an improvement. If you use Twitter, you might want to take a look.

Here’s an article from the Greater Wilmington Business Journal covering the keynote I gave on social media threats yesterday at the Wilmington IT eXchange.

http://www.wilmingtonbiz.com/industry_news_details.php?id=5198

Thanks to the 130 or so people that came out and packed the house and a special thanks to Dr. Tom Janicki and Dr. Bryan Reinicke, for the invitation to speak and hospitality while I was there.