
Half of WikiLeaks sourced from P2P

Saturday 29 January 2011 - Filed under Information Leak

As if we didn’t need any more evidence to support blocking P2P in the enterprise.

Have an opinion? Let me know in the comments.

Story from eweek.com:

As much as half of the secret documents posted by WikiLeaks may have been siphoned from peer-to-peer users who incorrectly configured their file-sharing software, according to evidence gathered by a security firm.

Allegations against WikiLeaks have spotlighted a key avenue for data leaks: peer-to-peer (P2P) networks.

According to Tiversa, which specializes in monitoring P2P networks, WikiLeaks has mined popular applications such as Kazaa and LimeWire for data in the past—despite statements from WikiLeaks that it does not actively search for information. As an example, Tiversa contends that on Feb. 7, 2009, it detected four machines in Sweden searching and downloading information via P2P.

Those searches ultimately led to a computer in Hawaii with a survey of the Pentagon’s Pacific Missile Range Facility there, Bloomberg News reported. Tiversa reportedly captured the download of the PDF file by one of the Swedish computers. According to Bloomberg News, the document exposed details of infrastructure changes involved in adding a new sensor system. The document was reportedly renamed and posted on WikiLeaks in April 2009.

There were other examples as well, such as Army intelligence documents posted by WikiLeaks in 2009 that were exposed to searching on P2P networks in September 2008. Then there was a spreadsheet posted by WikiLeaks in late 2009 detailing potential targets of terrorism in Fresno County, Calif. The document was reportedly exposed accidentally by a California state employee in August 2008.

WikiLeaks denied Tiversa’s claims in an e-mail to Bloomberg News. Regardless, this was hardly the first time P2P networks were found to be home to sensitive information. In February 2010, the U.S. Federal Trade Commission notified nearly 100 organizations that personal information, including customer and employee data, had been shared from the organizations’ computer networks and was available on P2P file-sharing networks.

“The massive exposure of sensitive data on P2P networks is not a new issue; however, the awareness of its breadth is,” said Scott Harrer, brand director at Tiversa.

Organizations of every size need to be diligent about file-sharing use, he said, adding that large brands with armies of suppliers or a dispersed workforce need to have proactive tools in place to detect and mitigate data loss via P2P.

“Over 90 percent of the data disclosures that we see on P2P emanate from suppliers, partners and remote employees,” he said.

Some organizations look to data leak prevention (DLP) technologies to solve the problem.

“Historically, the way to deal with protecting against data leaks over P2P was simply to shut it down with old-style application control products,” said Robert Hamilton, senior product marketing manager for DLP at Symantec. “Now, with the consumerization of IT and the blending of work and personal life, it has become harder to simply turn off P2P. Increasingly, people are expecting and asking for access to P2P applications and are using them on personal time. So the new goal is to allow employees to use the P2P applications, just not with confidential data.”

There is however no shortage of organizations willing to ignore the issue of insider data loss or theft, said Mike Spinney, a senior privacy analyst at the Ponemon Institute.

“The focus is too much on technology and not enough on people,” he said. “In 2009 we did a study on data loss that occurs, for example, when employees are fired, laid off or voluntarily change jobs. It was very high. Fifty-nine percent of those with whom we spoke said they took information with them when they left a job.

“Granted, some people will do this anyway—they will regard proprietary information as their parting gifts—but for most people it wasn’t a malicious act but simple ignorance,” he continued. “They weren’t aware of any policy forbidding them from taking the information, and they felt entitled because they had a role in creating it. So, I can’t stress enough the importance of creating meaningful use and governance policies, communicating the policies effectively across all corporate strata, and enforcing the policies.”

Story from eweek.com
http://www.eweek.com/c/a/Security/WikiLeaks-P2P-Searching-Claims-Highlight-Filesharing-Security-Risks227943/

2011-01-29  ::  Joshua Spencer

Why Should I Care About HTTPS on Facebook?

Thursday 27 January 2011 - Filed under Social Media

An interesting article: a 30-second, idiot’s-guide-style primer on the benefits of HTTPS.

Have an opinion? Let me know in the comments.

From Lifehacker.com:

HTTPS is a significantly more secure version of HTTP, which is the protocol you generally use to load up your webpages (whether you’re aware of it or not). HTTP stands for Hypertext Transfer Protocol, so HTTPS stands for the same thing but with Secure on the end of it. This is because, as Wikipedia will tell you, HTTPS is “a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and secure identification of a network web server.”

Why You Should Care

So yeah, you get it: HTTPS provides additional security, but what does that actually mean when you’re browsing the web every day? It basically means you’re protecting your private information from people who want to steal it using readily available tools like Firesheep. It means when you enter your password or your phone number or anything personal on Facebook—or any other site offering HTTPS—that data will be encrypted as it flies through the great tubes of the internet.

Think of it like this: you’re having a private conversation with your new boyfriend or girlfriend, and your ex—unbeknownst to you—is a few tables over listening to every word. That’s the sort of risk HTTP poses, whereas HTTPS would be more like if you and your new romantic interest were speaking a new language that only the two of you understood. To your stalker of an ex, this information would sound like gibberish and s/he wouldn’t get any value from listening if s/he tried. HTTPS is a way for you to exchange information with a web site securely so you don’t have to worry about anyone trying to listen in.

Okay, I Want HTTPS Right Now!

Good choice! Enabling HTTPS in Facebook is very easy. Just visit your Account Settings page, select Account Security (it’s the third option from the bottom), and you’ll find a checkbox to enable HTTPS under the Secure Browsing header. That’s all you have to do. NOTE: This feature hasn’t been rolled out to all accounts and so it may not be available to you yet. We’re told it’s going to take a few weeks, so you should have it by mid-February at the latest.

What about everywhere else? Well, HTTPS is enabled by default on most sites that take sensitive information like your credit card number so you’re generally good to go when buying online. Every browser has its own way of representing whether a site is secure, but generally you’ll see a lock icon in your browser’s address bar. There are varying degrees of security, however, since sometimes emails have attachments coming from insecure sites (more info on that here). If you want HTTPS everywhere, the Electronic Frontier Foundation’s (EFF) aptly named HTTPS Everywhere is a Firefox extension to provide that functionality. They also recommend KB SSL Enforcer for Chrome users, but have found that it isn’t implemented as securely (which could be a limitation of the Chrome extension framework).

So that’s HTTPS in a nutshell and why you should start using it as much as possible. Hope that helps!

Story from Lifehacker.com

http://lifehacker.com/5745086/why-should-i-care-about-https-on-facebook-or-other-web-sites
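The Firesheep risk the article describes comes down to a session cookie that the browser is willing to send over plain HTTP, and the HTTPS Everywhere remedy comes down to rewriting `http://` links to `https://` for sites known to support it. The following Python is an added example, not code from Lifehacker or from the EFF's extension; the Set-Cookie headers and the host ruleset are constructed for illustration, and `cookies_exposed_to_sniffing` and `rewrite_to_https` are names chosen here.

```python
"""Two defender-side checks behind the article's HTTPS advice:
1. which of a site's cookies lack the Secure attribute (and so would travel
   over plain HTTP where a Firesheep-style eavesdropper could read them);
2. an HTTPS Everywhere-style rewrite of http:// URLs for hosts in a ruleset.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: Set-Cookie headers a site might return after login.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",          # no Secure flag: exposed
    "csrftoken=xyz789; Path=/; Secure; HttpOnly",  # Secure: HTTPS-only
    "prefs=dark; Path=/",                          # no Secure flag: exposed
]

# Constructed ruleset (assumption for this example): hosts known to serve
# the same content over HTTPS, the way an HTTPS Everywhere rule would list them.
HTTPS_RULESET = {"www.facebook.com", "facebook.com", "lifehacker.com"}


def cookies_exposed_to_sniffing(set_cookie_headers):
    """Return the names of cookies that lack the Secure attribute.

    A cookie without Secure is attached to http:// requests too, so anyone
    on the same network segment can capture and replay it. Marking session
    cookies Secure is the server-side half of the HTTPS advice above.
    """
    exposed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:  # flag attribute; "" when absent
                exposed.append(name)
    return exposed


def rewrite_to_https(url, ruleset=HTTPS_RULESET):
    """Rewrite an http:// URL to https:// when its host is in the ruleset.

    Returns the URL unchanged when it is already https, when the host has no
    rule, or when a non-default port is given (no guessing what listens there).
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in ruleset:
        return url
    if parts.port is not None and parts.port != 80:
        return url
    return urlunsplit(
        ("https", parts.hostname, parts.path, parts.query, parts.fragment)
    )


if __name__ == "__main__":
    print("cookies sendable over plain HTTP:",
          cookies_exposed_to_sniffing(SAMPLE_SET_COOKIE_HEADERS))
    for link in ("http://www.facebook.com/home.php?ref=home",
                 "http://example.org/", "https://facebook.com/"):
        print(link, "->", rewrite_to_https(link))
```

The cookie check is the one to run against your own site's login response: any session cookie it reports is the kind of credential the article's eavesdropper would be harvesting. The rewrite is deliberately conservative, leaving non-default ports and unknown hosts alone, which mirrors why HTTPS Everywhere works from a ruleset rather than rewriting every link it sees.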

2011-01-27  ::  Joshua Spencer

Last Decade’s 10 Most Dastardly Cybercrimes

Tuesday 18 January 2011 - Filed under cybercrime

Looks like this decade has a lot to live up to.

Have an opinion? Let me know in the comments.

Story from wired.com:

“It was the decade of the mega-heist, when stolen credit card magstripe tracks became the pork bellies of a new underground marketplace, Eastern European hackers turned malware writing into an art, and a nasty new crop of purpose-driven computer worms struck dread in the heart of America.

Now that the zero days are behind us, it’s time to reflect on the most ingenious, destructive or groundbreaking cybercrimes of the first 10 years of the new millennium.

2000

MafiaBoy

Once upon a time, “distributed denial of service attacks” were just a way for quarreling hackers to knock each other out of IRC. Then one day in February 2000, a 15-year-old Canadian named Michael “MafiaBoy” Calce experimentally programmed his botnet to hose down the highest traffic websites he could find. CNN, Yahoo, Amazon, eBay, Dell and eTrade all buckled under the deluge, leading to national headlines and an emergency meeting of security experts at the White House.

Compared to modern DDoS attacks, MafiaBoy’s was trivial. But his was the cyberstrike that put the internet’s security issues on a national stage, and inaugurated an era where any pissed off script kiddy could take down part of the web at will.

2002

California Payroll Database Breach

On April 5, 2002, an unidentified hacker penetrated a California server housing the state government’s payroll database, gaining access to names, Social Security numbers and salary information for 265,000 state workers from the governor on down. The breach itself was small potatoes, but when it emerged that the California Controller’s Office had waited two weeks to warn the victims, angry lawmakers reacted by passing the nation’s first breach disclosure law, SB1386.

The law requires hacked organizations to promptly warn potential identity theft victims. Its passage pulled the rock off the string of major corporate breaches that companies would have preferred to hush up. Today, 45 states have enacted similar laws.

2003

Slammer

In 2003, fear came in 376 bytes. The lightning-fast Slammer worm targeted a hole in Microsoft’s SQL server, and despite striking six months after a fix was released, the malware cracked an estimated 75,000 unpatched servers in the space of hours. Bank of America and Washington Mutual ATM networks ground to a halt. Continental Airlines delayed and canceled flights when its ticketing system got gummed up. Seattle lost its emergency 911 network, and a nuclear power plant in Ohio lost a safety monitoring system.

Slammer wasn’t the biggest worm ever, but in its aggressive, relentless spread, it exposed the secret interconnections that corporations were foolishly allowing between important private networks and the public internet.

2004

Foonet

Years before there was a Russian Business Network, a small ISP hosted in a suburban basement in Ohio gained the dubious reputation as the first black-hat hosting company. It was a safe spot for hackers and packet monkeys to attack an unsuspecting internet. Foonet’s hosted clients included Carder Planet — the dedicated “carder forum” for credit card hackers — and its IRC servers were where legendary German hacker Axel “Ago” Gembe controlled his Agobot network of compromised Windows boxes.

After two FBI raids, in 2004, Foonet’s founder and some of the staff were indicted for a DDoS-for-hire scheme that collaterally slammed Amazon.com and the Department of Homeland Security. Foonet’s owner, Saad Echouafni, skipped out on $750,000 to flee the country, and remains on the FBI’s wanted list today.

2006

The Los Angeles Traffic Signal Attack

When Los Angeles traffic engineers went on strike in August 2006, the city decided not to take any chances: They temporarily blocked most access to the computer that controls 3,200 traffic signals throughout the City of Angels. Two of the striking engineers hacked in anyway. From a laptop, Kartik Patel and Gabriel Murillo picked four key intersections and changed the timing on the traffic signals so the most congested approach would hit long red lights.

The timing tweaks wreaked havoc in a city already flirting with gridlock, according to the Los Angeles Times, snarling traffic at the Los Angeles International Airport, backing up the Glendale Freeway and paralyzing Little Tokyo and the streets of the downtown Civic Center. It evidently took several days for managers to figure out what was going on.

In December 2009, the engineers were sentenced to probation.

2006

Max Vision

In 2006, a former computer security researcher turned professional black hat weighed and measured the computer underground, and found it wanting. So in a two-night hackfest from his San Francisco safe house, Max Vision (aka Iceman) trained his guns on the online carder forums where hackers and fraudsters buy and sell stolen data, fake IDs and specialized underground services.

When he was done hacking in and wiping out their databases, he absorbed their content and membership into his own site, CardersMarket, turning it into the largest English-speaking criminal marketplace on the web — 6,000 members strong. The hostile takeover got the attention of the feds who’d thoroughly infiltrated some of the sites he hacked, and a year later FBI and Secret Service tracked Iceman to his hideout. He’s now awaiting sentencing for stealing 2 million credit cards that rang up $86 million in fraudulent charges.

2008

RBS Worldpay Heist

The first time we learned that the payment processor RBS Worldpay had been hacked, it sounded like no big deal: The company announced in December 2008 that it had seen fraud on only 100 of the 1.5 million payroll and gift card accounts compromised in the breach. But it turns out the hackers were able to raise the withdrawal limits on 44 of those cards to as high as $500,000. Then they dispatched a global army of cashers to slam the accounts with repeated rapid-fire withdrawals.

More than 130 ATMs in 49 cities from Moscow to Atlanta were hit simultaneously just after midnight Eastern Time on November 8, 2008, resulting in a one-day haul of $9.5 million in cold, hard cash. In November, the United States indicted four of the alleged ringleaders, who are in Estonia, Russia and Moldova. Good luck with that.

2005 – 2008

Albert Gonzalez

He called it “Operation Get Rich or Die Tryin’.” For nearly four years ending in 2008, 28-year-old Albert “Segvec” Gonzalez and his accomplices in America and Russia staged the biggest data thefts in history, stealing credit and debit card magstripe data for sale on the black market. Using Wi-Fi hacking and SQL injection, the gang popped companies like 7-Eleven, Dave & Buster’s, Office Max, TJX, and the credit card processor Heartland Payment Systems, which alone gave up 130 million cards.

The intrusions didn’t just make Gonzalez a millionaire — he buried $1.1 million in his parents’ backyard — they exposed slipshod security in America’s card-processing infrastructure, and positioned the former Secret Service informant to break a new record: longest U.S. prison term for hacking. His plea agreements envision a 17- to 25-year sentence. It could be worse. One of Gonzalez’s overseas accomplices got 30 years in a Turkish prison.

2009

Conficker

Bots were probably the biggest black-hat innovation of the decade, and the biggest and best was Conficker. From the start, the Conficker botnet had trouble managing expectations. But just because the worm didn’t destroy the internet, as predicted by the mainstream press, doesn’t mean it wasn’t an impressive achievement.

Packing state-of-the-art encryption and a sophisticated peer-to-peer update mechanism, Conficker tantalized security researchers and resisted attempts at eradication, inhabiting at its peak as many as 15 million unpatched Windows boxes, mostly in China and Brazil.

Experts think it’s the work of an organized team of coders, and there are hints that it originated in Ukraine. And like most of the hacking out of Eastern Europe, the software has a profit motive: It’s been seen sending spam, and serving victims a fake anti-virus product that offers to remove malware for $49.95. Dude. It used to be about the mayhem.

2009

Money Mules

Another innovation from the former Soviet empire was the so-called “money mule” scams that emerged in 2009. Using specialized Trojan horses like Zeus and URLZone, the perps target small businesses that use online banking, stealing the victim’s credentials and initiating wire transfers from their accounts, usually totaling tens or hundreds of thousands of dollars.

In some cases, the Trojan horse even covers up the crime by rewriting the victim’s online bank statement on the fly; other times, the hacker just wipes the hard drive to keep the target off the internet for a while. The stolen money goes to mules that’ve been recruited through bogus work-at-home offers, and whose job it is to withdraw the cash and send the bulk of it to the scammers via Moneygram. It’s the perfect crime; one the FBI says has racked up $100 million in thefts, and counting.”

Story from wired.com
http://www.wired.com/threatlevel/2009/12/ye_cybercrimes/#previousa1019a208da4f98baff5e71eb20cbd6d

2011-01-18  ::  Joshua Spencer