Sunday, November 15, 2009

Hollywood Burglars Used Internet Without Hacking

These people aren't hackers by any stretch of the imagination. And their exploits weren't hi-tech. They were allegedly ordinary off-line thieves preying on Hollywood celebrities like Paris Hilton and Lindsay Lohan.

But what makes them different is their creative, yet simple, use of the Web to get information to commit their alleged crimes, according to The New York Times. They just took information off of ordinary web sites. No slick exploits. No cool hacks.

What's even more interesting is that they didn't snarf private information the stars might have unwisely posted on social networking sites. Instead they got information from common, well-known celebrity sites, such as TMZ, to learn about their victims' comings and goings. When someone like Hilton was expected at some gala, they knew that was their time to rob her house.

Granted, ordinary people who aren't celebrities don't have their every move publicized for the world to see on web sites. And, maybe well-known personalities can't do much to hide their movements or protect their addresses from online snoops. But this is still an interesting case of low-tech thievery using a hi-tech tool.

Tuesday, November 10, 2009

New SSL Vulnerability: Serious or Not?

Every now and then a new SSL vulnerability hits the headlines in the trade press. Even the slightest possibility of weaknesses in SSL sends shock waves through the security community. An exploit against SSL, so goes the conventional wisdom, stabs right at the heart of e-commerce, because SSL is the basis for securing transactions over the web.

And, it happened again this week, when a pair of researchers at PhoneFactor, a two-factor authentication company, said they found a fundamental flaw in the SSL protocol, which would allow an attacker to use a Man-In-The-Middle (MITM) attack to hijack an SSL session and secretly execute commands.

The commands could be used to reset passwords, for example, in one of the multiple sessions comprising a single encrypted SSL transaction. Attacks have already been tested against both Apache and Microsoft IIS web servers communicating with different client applications.

Researchers from a consortium of tech heavyweights have been meeting behind closed doors since September to patch the flaw, which will require a fix for all SSL libraries and patches for any software, not just browsers, that use the encryption protocol.

But another security researcher, Moxie Marlinspike, an expert on SSL flaws, said the vulnerability would have no impact on e-commerce. Marlinspike said, first, the exploit involves injecting code and not intercepting traffic, making it of limited value to an attacker targeting online transactions. And, second, the attack requires client-certificate authentication, which is rarely used in SSL authentication.

Sunday, November 08, 2009

Twitter Haven for Malware and Protection

Up to 500 web addresses posted on Twitter lead to sites with malware, according to the results from a tool created by Kaspersky Labs, a leading anti-virus vendor. This should come as no surprise, since it's common knowledge that social networking sites, Twitter aside, can be havens for malware, malicious links and other sorts of hacker mischief.

The tool, called Krawler, picks out about 500,000 URLs from Tweets daily and has examined about 30 million since its initial deployment in August.

Users need to be careful and wary with all social networking sites, but here are eight great tips from ReadWriteWeb on protecting yourself from malware on Twitter specifically:
  1. Don't assume a link is "safe" because it's from a friend.
  2. Don't assume Twitter links are safe because Twitter is now scanning for malware.
  3. Don't assume Bit.ly links are safe.
  4. Use an up-to-date web browser.
  5. Keep Windows up-to-date.
  6. Keep Adobe Reader and Adobe Flash up-to-date.
  7. Don't assume you're safe because you use a Mac.
  8. Be wary of email messages from social networks.

Wednesday, November 04, 2009

FBI Issues Warning on ACH Fraud

The FBI is warning small businesses, municipal governments and school districts of an increase in fraud involving legitimate online banking credentials, according to British banking newsletter Finextra.

The scam works through spear phishing attacks, where victims are redirected to a malware-laden site that drops a key logger Trojan on their desktop. Once the attackers get access to an account, they transfer funds through either traditional ACH or wire transfers.

The FBI is warning business users with online banking accounts to contact their financial institutions to make sure they have adequate security controls and fraud prevention tools in place.

The Financial Services Information Sharing and Analysis Centre, a banking group, is recommending its commercial banking customers should "carry out all online activity from a standalone, hardened and locked-down computer from which e-mail and Web browsing is not possible".

Tuesday, October 27, 2009

The Legendary Evil Maid Laptop Thief

This is a not-so-far-fetched scenario. In this post on TechRepublic's IT Security blog, the mythical evil hotel maid uses her equally mythical handy-dandy Evil Maid USB Stick to boot up your laptop from your hotel room, circumventing your TrueCrypt disk encryption, and steals data from your laptop.

And, she gets away with it without you ever knowing it. You don't suspect anything when you get back to the room. The laptop is off and closed, just as you left it, before you headed out a few hours before.

Replace the mythical maid with an industrial spy who social-engineers his or her way into your hotel room, and you have a real-live data theft scenario, coming to a theater near you.

While the example in the blog post is about a workaround to defeat TrueCrypt, the basic idea is that someone with physical access to a box basically owns it. Today it might be a bootable USB key, but yesterday it was a bootable something else, like a live Linux CD, such as Knoppix.

So, what's the best defense?

As an occasional road warrior myself, I never let my laptop out of my sight. Yes, that's right. The best lock is an eye. Wherever I go, the laptop goes. And, it never stays in the room during the day, when the mythical Evil Maid might come by.

Monday, October 26, 2009

Avalanche More Than Name for Phishing Gang

A phishing gang that goes, not surprisingly, by the name of Avalanche has spawned a quarter of all phishing attacks in the first half of this year, according to a study by the Anti-Phishing Working Group, as reported in Network World.

The gang has been successful by registering domains at multiple registrars, some in small countries, using credit card numbers stolen from those same countries, and then hopscotching to another domain if one gets shut down, the report says.

But, on the other hand, an indicator of phishing success, which the report calls "uptime," shows that registrars are getting savvy about Avalanche's tricks, especially because of its use of stolen card numbers. Apparently, as a result, Avalanche's uptimes, around 14 hours, are significantly lower than the phishing "industry" average, if you will.

Though not considered a phishing attack, rogue anti-virus programs are, like phishing, a form of social engineering, according to legitimate anti-virus vendor Trend Micro. In this scam, which again resembles a phishing attack, a pop-up window with a security warning appears on a legitimate web site. The unsuspecting user then forks over cash to pay for protection, which never appears.

Saturday, October 24, 2009

Five New Sins in Howard Book and Some Myths

Michael Howard, application security guru at Microsoft and author of some landmark books on software security, has recently added five new sins, with his two co-authors, David LeBlanc and John Viega, in the new edition of his outstanding handbook, 24 Deadly Sins of Software Security.

There really are six new sins, but since one old sin was dropped from the 19 in the old volume, the new total is back up to 24.

What I like about this book is that rather than being a textbook, it's more like a catalog for developers of the most common and nasty security weaknesses in application software. Unlike Howard and LeBlanc's other famous reference on the subject, Writing Secure Code, it lets a developer pinpoint the exact issue of interest, zoom down to specific code examples and find remedies in the most common programming languages.

The new sins of the 24 are the following:
Sin # 2: Web-Server Related Vulnerabilities
Sin # 8: C++ Catastrophes
Sin # 9: Catching Exceptions
Sin #15: Not Updating Easily
Sin #16: Executing Code with Too Much Privilege
Sin #18: The Sins of Mobile Code

Co-author John Viega, another noted author in the software security field, also recently wrote, The Myths of Security, a fascinating non-technical book on the fallacies peddled by the software security vendors. He zeroes in on anti-virus software, a subject he has an intimate knowledge of as CTO of the SaaS Business Unit at McAfee.

This book is a real wake-up call, not only to the general public about the pitfalls of anti-virus and other security products for home users, but also to the arrogance of some geeks who think they're invincible because they'd never click on a bad link.

Between my newfound awareness of my software sins and my arrogance as a geek, I was both humbled and enlightened by these two fantastic books.

Health Care Privacy Still Needs Intensive Care

Health care privacy, to say the least, is still critically ill, according to a study of health care IT security professionals published last week by the Ponemon Institute. The survey found that 80 percent of health care organizations had experienced at least one breach of health records in the past year.

Added to that, 70 percent of respondents said their management didn't think privacy and data security were a priority.

The professionals surveyed expressed concern that with the push for electronic health records, security had to get more attention. Few dispute the value of centralized and easily available medical records -- something that could save lives -- but those records should only be available to those who need them, not crooks and identity thieves.

Hospitals and medical institutions continue to lag behind other industries in protecting data, privacy and IT security. And, despite the complaints about the effectiveness of PCI, the corresponding regulation for health care, HIPAA, has even fewer teeth.

A breach at Express Scripts in St. Louis last year may have impacted as many as 700,000 people.

SearchSecurity.com ran an article last week explaining new HIPAA provisions and tips for implementing an effective HIPAA program.