Social Media Security Podcast 18 – RFID and Facebook, Hacking Facebook Places, MySpace Privacy

This is the 18th episode of the Social Media Security Podcast recorded September 3, 2010.  This episode was hosted by Tom Eston and Scott Wright and is our 1 year anniversary episode!  Thanks to everyone that has supported the podcast over the last year…we really appreciate it!  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes and follow us on Twitter.  Thanks for listening!

Security pros use layered techniques, but so do attackers

For many years security professionals have advocated using layered safeguards to reduce the risk of threats. While many organizations do employ multiple technologies like firewalls, anti-virus and intrusion detection to try to stop hackers, these guys are getting very good at navigating our layers of security. It’s like the old Mario and Donkey Kong video games where you had to jump over land mines, climb ladders, wait for doors to open and avoid swinging obstacles to reach the bonus prizes.

As an example of how many layers they are able to traverse, consider the reported attack on a financial institution’s enterprise network, which started life as a hacked Facebook account. (Click HERE for the full story.)

To make a long story short the attackers did the following:

  1. They captured the Facebook credentials of an individual who worked for a financial institution
  2. They then scanned the user’s Facebook profile to find recent social events involving co-workers on Facebook (finding a company picnic)
  3. They then sent emails to multiple Facebook friends who were co-workers saying, “Hey, have a look at the pictures I took at the company picnic!”
  4. The emails contained links to malicious web pages that attempted to launch a keylogger on the victims’ computers.
  5. They then scanned the keystrokes of an employee whose laptop had become infected with the keylogger and found the authentication credentials for the corporate VPN
  6. They infiltrated the VPN and infected a computer inside the corporate perimeter and performed vulnerability scans around the network to find servers with sensitive information on them.

The attack lasted as long as 2 weeks. If the attackers’ vulnerability scans had not been so “noisy”, they may not have been noticed, and the company could have suffered severe losses in terms of costly data breaches and corrupted databases, as well as system repairs.

So, what will happen now? Will the company add another layer of security to prevent a similar attack in the future? Probably… and these attackers will probably move on to other organizations with a bit less security. The cat and mouse game continues.

What’s interesting in this story is that the initial attack on the employees’ Facebook friends is pretty hard to defend against, since nothing seemed out of the ordinary. There really was a corporate picnic!

What would you do next if you were a security manager at this financial institution?

Social Media Security Podcast 5 – Google Reader, Privacy, Wave, ChromeOS and Foursquare

skullThis is the 5th episode of the Social Media Security Podcast recorded November 20, 2009.  This episode was hosted by Scott Wright and Tom Eston. Kevin Johnson will be joining us for the next podcast.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes! Thanks for listening!

Social Media Security Podcast 4 – Death by Twitter, Open Source Intelligence, Policies, Google Wave

skullThis is the 4th episode of the Social Media Security Podcast recorded November 6, 2009.  This episode was hosted by Scott Wright, Tom Eston and Kevin Johnson.  Below are the show notes, links to articles and news mentioned in the podcast:

  • More scams on Twitter including the recent IQ quiz attack.  Disinformation on social networks…someone died example..are you sure they are really dead?
  • Tom talks about his Open Source Intelligence Gathering talk that he recently gave.  How do you find information posted about your company on social networks and why should you look?  Now is probably a good time for your company to create a social media strategy and then develop a Internet postings policy around this strategy.
  • Cisco has a great Internet posting policy to reference when created one for your company.
  • Scott talks about creating a postings policy for your company.  Here is a link to the Forrester book titled “Groundswell” that talks about creating a social media strategy.
  • Kevin talks about Google Wave.  What is it and why would we want to use this?  What are some of the security issues with Google Wave?  Check out the great research that theharmonyguy has been doing on Google Wave.
  • Developers! Please start coding securely from the beginning of the project! ktksbai.
  • Be sure to follow us on Twitter to stay up-to-date on all the latest news in the world of social media security!

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast now in iTunes! Thanks for listening!

Social Media Security Podcast 3 – Phishing and Koobface, What is CSRF, Protected Tweets

skullThis is the third episode of the Social Media Security Podcast recorded October 23, 2009.  This episode was hosted by Scott Wright, Tom Eston and Kevin Johnson.  Below are the show notes, links to articles and news mentioned in the podcast:

  • Tom and Scott talk about phishing on social networks. How can you tell the difference between a fake friend request and a real one? Here is a screen shot of a fake friend request and a real friend request.  Just by looking at the email…it’s really hard to tell the difference isn’t it?  The only way you can tell the difference is to look at the URL the link is going to by looking at the message source (code and/or mail header info).  We advise you check your Facebook Inbox for legitimate friend requests, don’t click on friend request links in email.
  • Tom gives a primer on Koobface. What is the Koobface worm and how does it spread?  If you want to learn more about Koobface check out this very good paper created by TrendMicro on how Koobface works.
  • Kevin gives a great non-technical overview of CSRF (Cross-site request forgery).  Want to see a real CSRF attack demonstrating stealing private Facebook profile information? Check out this video and blog post.  Here is the great talk by Jeremiah Grossman about exploiting business logic flaws that Tom mentioned.
  • Interested to know more about CSRF? Check out Security Now! Episode 166.
  • Are your protected tweets able to be searched by Google?  Tom clarifies that this article was not true at all.  However, there are some important things you need to know about protected tweets and why making your Twitter account private doesn’t buy you much.
  • Due to popular demand we are going to try recording the podcast bi-weekly!
  • Be sure to follow us on Twitter to stay up-to-date on all the latest news in the world of social media security!

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast now in iTunes! Thanks for listening!

New Research Released on Koobface

Today Trend Micro released probably the most comprehensive research yet on the Koobface social network worm.  This research details how Koobface works, the malicious payloads it carries and how this worm has spread to all the major social networks.  The most recent victim being Twitter.   Most alarming is that Koobface will still continue to evolve and is the beginning of a new generation of malware targeting social networks.

Check out the article and download the PDF for the full report.  We will also have this link posted in the “Research” section of the site.

Understanding Koobface and other "Drive-By Download" type threats

Koobface is a classic “Drive-by Download” type of threat, which can be a difficult thing for anti-virus programs to deal with. The catch is that you’re being fooled into giving a program explicit permission to run. Should an anti-virus program second-guess that decision? Good question.
Read More »

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

If you’d like to know what a Honey Stick is, and why it’s important to understand what they are telling us, click HERE.

Scott Wright
The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

Site Meter