Sunday, November 15, 2009

Hollywood Burglars Used Internet Without Hacking

These people aren't hackers by any stretch of the imagination. And their exploits weren't hi-tech. They were allegedly ordinary off-line thieves preying on Hollywood celebrities like Paris Hilton and Lindsay Lohan.

But what makes them different is their creative, yet simple, use of the Web to get information to commit their alleged crimes, according to The New York Times. They just took information off of ordinary web sites. No slick exploits. No cool hacks.

What's even more interesting is that they didn't snarf private information the stars might have unwisely posted on social networking sites. Instead, they used common, well-known celebrity sites such as TMZ to learn about their victims' comings and goings. When someone like Hilton might be at some gala, they knew that was their time to rob her house.

Granted, ordinary people who aren't celebrities don't have their every move publicized for the world to see on web sites. And, maybe well-known personalities can't do much to hide their movements or protect their addresses from online snoops. But this is still an interesting case of low-tech thievery using a hi-tech tool.

Tuesday, November 10, 2009

New SSL Vulnerability: Serious or Not?

Every now and then a new SSL vulnerability hits the headlines in the trade press. Even the slightest possibility of weaknesses in SSL sends shock waves through the security community. An exploit against SSL, so goes the conventional wisdom, stabs right at the heart of e-commerce, because SSL is the basis for securing transactions over the web.

And, it happened again this week, when a pair of researchers at PhoneFactor, a two-factor authentication company, said they found a fundamental flaw in the SSL protocol, which would allow an attacker to use a Man-In-The-Middle (MITM) attack to hijack an SSL session and secretly execute commands.

The commands could be used to reset passwords, for example, in one of the multiple sessions comprising a single encrypted SSL transaction. Attacks have already been tested against both Apache and Microsoft IIS web servers communicating with different client applications.

Researchers from a consortium of tech heavyweights have been meeting behind closed doors since September to patch the flaw, which will require a fix for all SSL libraries and patches for any software, not just browsers, that uses the encryption protocol.

But another security researcher, Moxie Marlinspike, an expert on SSL flaws, said the vulnerability would have no impact on e-commerce. Marlinspike said, first, the exploit involves injecting code and not intercepting traffic, making it of limited value to an attacker targeting online transactions. And, second, the attack requires client-certificate authentication, which is rarely used in SSL authentication.

Sunday, November 08, 2009

Twitter Haven for Malware and Protection

Up to 500 web addresses posted on Twitter lead to sites with malware, according to the results from a tool created by Kaspersky Labs, a leading anti-virus vendor. This should come as no surprise, since it's common knowledge that social networking sites, Twitter aside, can be havens for malware, malicious links and other sorts of hacker mischief.

The tool, called Krawler, picks out about 500,000 URLs from Tweets daily and has examined about 30 million since its initial deployment in August.

Users need to be careful and wary with all social networking sites, but here are eight great tips from ReadWriteWeb on protecting yourself from malware on Twitter specifically:
  1. Don't assume a link is "safe" because it's from a friend.
  2. Don't assume Twitter links are safe because Twitter is now scanning for malware.
  3. Don't assume links are safe.
  4. Use an up-to-date web browser.
  5. Keep Windows up-to-date.
  6. Keep Adobe Reader and Adobe Flash up-to-date.
  7. Don't assume you're safe because you use a Mac.
  8. Be wary of email messages from social networks.

Wednesday, November 04, 2009

FBI Issues Warning on ACH Fraud

The FBI is warning small businesses, municipal governments and school districts of an increase in fraud involving legitimate online banking credentials, according to British banking newsletter Finextra.

The scam works through spear phishing attacks, where victims are redirected to a malware-laden site that drops a key logger Trojan on their desktop. Once the attackers get access to an account, they transfer funds through either traditional ACH or wire transfers.

The FBI is warning business users with online banking accounts to contact their financial institutions to make sure they have adequate security controls and fraud prevention tools in place.

The Financial Services Information Sharing and Analysis Centre, a banking group, is recommending its commercial banking customers should "carry out all online activity from a standalone, hardened and locked-down computer from which e-mail and Web browsing is not possible".