Friday, January 15, 2010

Scary Facebook Security Glitch or Bad Software?

As if there hasn't been enough publicity about the security evils of Facebook, this one is really off the wall. In this case, a woman from Georgia and her two daughters wound up in the account of some strangers when logging onto Facebook from their mobile phones.

All kinds of private information was exposed about the strangers. And, AT&T, the wireless provider for the family's mobile phones, said the glitch was due to a "routing problem," according to this news item two hours ago from the Associated Press.

The issue has far-reaching implications beyond Facebook, since other sites, not just the famous social networking site, could be affected by such routing errors.

Basically, the issue wasn't due to problems with the Facebook web site, but possibly to poorly configured network equipment and poorly coded network software. The issue might be hard for a hacker to exploit, since the routing error was random and one-off, something hard for a malicious user to engineer.

Interestingly enough, Facebook announced a partnership this week with McAfee to offer security software.

Tuesday, January 05, 2010

Summary of 2010 Security Predictions

It's that time of year again, when everybody is out there with their annual predictions for IT security this year.

This little summary from Michael Kassner's post on Chad Perrin's IT Security blog at TechRepublic covers not only Kassner's own thoughts but also predictions from eWeek, Verizon, Help Net and IT PRO.

Then there was this from Andreas M. Antonopoulos posted at both Network World and Computer World, and from Larry Seltzer at PC Mag, who also cited reports from Symantec, F-Secure, Websense and Trend Micro.

Common themes? Well, it seems to run the gamut, but cloud computing, mobile security and malware were all common topics.

Monday, January 04, 2010

Adobe on Hacker Radar in 2010

This should come as no surprise, but a recent report by McAfee, predicting threats for this year, says Adobe will be popular with hackers. In fact, according to the report, Adobe and Flash will beat out Microsoft software, finally, for the hacker attack vector of choice.

That's good news for Microsoft, which has been, until now, the favorite whipping boy for hackers.

Interestingly enough, the report also cites the tried-and-true oldest trick in the book, malicious e-mail attachments, as still another favorite attack vector. E-mail is also popular because it's a great way to burrow into corporate networks, past their finely tuned firewalls and DMZs. All an employee has to do at some company is click on the attachment and, well, the game is over.

And could one of those attachments be a malicious Adobe document? No way.

Tuesday, December 22, 2009

FBI Investigating Citibank Hack

The FBI is looking into a breach at Citibank by a Russian cybergang, the Wall Street Journal reported today. The gang apparently began breaching Citibank over the summer and was uncovered by investigators in the US who noticed suspicious traffic from IP addresses used by the Russian Business Network.

Citibank denies any breach took place. The Russian Business Network is a well-known hacking group that has developed tools for breaching US government systems.

What concerns security experts is the potential for widespread damage to the banking system. They say that if hackers could get into one bank and manipulate data, they could easily get into others, creating chaos in banks and financial markets.

And, this is where hackers seeking financial gain -- the root of most hacking today -- might be crossing the line into cyber threats against national security. Supposedly, according to the Wall Street Journal article, this is what got the NSA and DHS in on the party, exchanging information with the FBI.

From the other side, as well, the attack may point to a revival of former members of the Russian Business Network, which has been quiet for the past two years. Investigators say a tool developed by a Russian hacker called Black Energy may have been used in the Citibank cyberheist.

Monday, December 21, 2009

White House Taps Schmidt for Cyber Security

President Barack Obama has picked Howard Schmidt to be the national cybersecurity coordinator, according to the Associated Press. Schmidt has a 40-year career in cybersecurity, spanning law enforcement, private industry and even, briefly, the Bush administration.

The announcement hasn't yet been made public, according to the AP, quoting a senior White House official on condition of anonymity. Obama was personally involved in the search and picked Schmidt after an extensive search. Though Schmidt won't report directly to the president, he'll have regular and direct access.

Cybersecurity is a key issue facing Obama but has taken a back seat to his health care program and the war in Afghanistan.

Schmidt wrote an interesting book, covering his long career, Patrolling Cyberspace, which I enjoyed immensely. It was a nice short book packed with a lot of history about the beginnings of hacking, much of which has been forgotten. He was definitely a visionary, seeing the problem long before law enforcement took it seriously.

The book also got a favorable review from M. E. Kabay in his regular Network World column.

Sunday, November 15, 2009

Hollywood Burglars Used Internet Without Hacking

These people aren't hackers by any stretch of the imagination. And their exploits weren't hi-tech. They were allegedly ordinary off-line thieves preying on Hollywood celebrities like Paris Hilton and Lindsay Lohan.

But what makes them different is their creative, yet simple, use of the Web to get information to commit their alleged crimes, according to The New York Times. They just took information off of ordinary web sites. No slick exploits. No cool hacks.

What's even more interesting is that they didn't snarf private information the stars might have unwisely posted on social networking sites. Instead they got information from common, well-known sites about celebrities, such as TMZ, to learn about their victims' comings and goings. When someone like Hilton might be at some gala, they knew that was their time to rob her house.

Granted, ordinary people who aren't celebrities don't have their every move publicized for the world to see on web sites. And, maybe well-known personalities can't do much to hide their movements or protect their addresses from online snoops. But this is still an interesting case of low-tech thievery using a hi-tech tool.

Tuesday, November 10, 2009

New SSL Vulnerability: Serious or Not?

Every now and then a new SSL vulnerability hits the headlines in the trade press. Even the slightest possibility of weaknesses in SSL sends shock waves through the security community. An exploit against SSL, so goes the conventional wisdom, stabs right at the heart of e-commerce, because SSL is the basis for securing transactions over the web.

And, it happened again this week, when a pair of researchers at PhoneFactor, a two-factor authentication company, said they found a fundamental flaw in the SSL protocol, which would allow an attacker to use a Man-In-The-Middle (MITM) attack to hijack an SSL session and secretly execute commands.

The commands could be used to reset passwords, for example, in one of the multiple sessions comprising a single encrypted SSL transaction. Attacks have already been tested against both Apache and Microsoft IIS web servers communicating with different client applications.

Researchers from a consortium of tech heavyweights have been meeting behind closed doors since September to patch the flaw, which will require a fix for all SSL libraries and patches for any software, not just browsers, that use the encryption protocol.

But another security researcher, Moxie Marlinspike, an expert on SSL flaws, said the vulnerability would have no impact on e-commerce. Marlinspike said, first, the exploit involves injecting code and not intercepting traffic, making it of limited value to an attacker targeting online transactions. And, second, the attack requires client-certificate authentication, which is rarely used in SSL authentication.