Internet and online security professionals deal with hacking and cracking activity on a daily basis. With new technologies emerging every day, new security challenges arise and new vulnerabilities become available that allow black hat hackers to create and execute new scripts that can cause serious problems for whole networks. Our mission is to let you know about the latest scams and to warn you about new exploits that can have a severe impact on your online business.
28th August 2007

Privacy invasion and security measures: the borderline to preserve the dignity of human beings…

Privacy has become more of a wish in our times than something that really exists. Let’s briefly look at the bigger picture of this privacy invasion issue. We’re under total , not only from different cameras, but also from space. You can be videotaped anywhere and anytime.

And it’s not just government , take a look at such relatively new features as Google’s “StreetView” and other video programs where your house (and all its PRIVATE land) can be photographed from space and the photo can be seen by anybody curious enough to peek into your private life. Note that you didn’t give anyone permission to take pictures of your private property. And if your property is behind a fence, then without the space video-invasion it would be difficult to look inside your property without your direct permission (or breaking the law).

But that’s only part of the problem. Don’t you love airport security checks where you have to take off your shoes (be thankful that not your pants)? Sure, it’s explained by the greater good, and it might be necessary, but what I’m worried about is that people are losing the very sense of privacy. If you think about it, any security measures can be explained by a greater good. But where is the border between the security requirements and the total violation of human rights?

Though the line about taking off your pants is a joke, X-ray naked scans can become a reality in the near future. They were already tested in the UK and US. It looks like everything has been done so people forget even the idea of privacy. I mean, how can people maintain self-respect if they can be virtually stripped for no reason at all?

And don’t kid yourself that your naked photo will be stored separately from the file with your name, address, etc. It just doesn’t matter, because all this information can be easily analyzed and records can be matched. In other words, your naked picture can be easily matched to your name.

Do you still have an illusion of privacy? Maybe you think something like this, “I might be scanned, but at least my thoughts remain private”? Don’t kid yourself. Look at government wiretapping that is often done without a warrant. Can it really help to find potential terrorists, or is it just a great substantiation for eavesdropping on all your calls? Maybe both, but my guess is that terrorists are capable of encrypting their calls much more effectively than the average citizen who has no idea about wiretapping and eavesdropping.

And even that’s not all! Some advocates of “privacy compromise” suggest that all end users should have a second layer of authentication including our biometrics.
Biometrics is just another set of parameters that can be added to the huge data banks that are already used to make decisions about every aspect of your life. It might be an extra security layer for commerce security. (Though who said that biometrics can’t be stolen the same way as any other data from hacked databanks?) But if used for access to public services, it is certainly one further step towards the elimination of privacy.

Another suggestion is that we should completely give up our anonymity and authenticate everything, from computers and applications to every ingress and egress connection, in order for the authorities to be able to track down the source of hacker’s attack.
That might help to track down hackers, but combined with space video surveillance, and wiretaps it puts us under almost total 24/7 control.

I’m saying “almost” because now you at least don’t have a computer chip built into your passport. But that’s going to change very soon. The Bush administration suggested implanting radio frequency ID (RFID) chips (that can be read remotely) into each passport issued after October 2006. And other governments (including UK and Britain) have similar plans. This means that your name, nationality, sex, date of birth, place of birth, photograph (and in the near future biometrics) will be readily available anytime for anyone with a badge.

What is worse, this information can be stolen by identity thieves by aiming powerful antennas at the person. The encryption keys used to somehow protect the privacy are not sufficiently secure…

So for those who think that authentication for every network packet is necessary, I say it’s better done using other measures such as IPv6. It’s not perfect, but at least it allows us to preserve some privacy. Otherwise we totally give up all our rights and let the government track virtually all our steps. And it doesn’t mean that we have something to hide; we just want to preserve the human dignity that separates us from the animals.

Where is the borderline between security measures and giving up all our rights, and when will be the end of this madness? Here’s something we need to remember: there couldn’t be any freedom or democracy or human dignity in any country if there is no privacy left in it and if its people are under total surveillance.


22nd August 2007

Wireless and mobile security is the modern Achilles’ heel for business executives

According to a recent article published in the Boston Herald, eavesdroppers are rather successful in bypassing seemingly sophisticated data encryption, authentication and other methods used to boost wireless security.

The reason for popularity of (in addition to tons of inherent insecurities in wireless models) lies in the serious improvement of modern wireless hacking equipment. Modern antennas allow hackers to reach access points even if they are 10 or 20 miles away from those points. That means that a hacker can now easily avoid the most significant limitation he faced not long ago. He no longer has to sit in the same parking lot (figuratively speaking) used by the company that was chosen as a target for the wireless attack. Instead, he can now conduct his intrusion without the danger of being physically noticed and identified by the security staff of that company.

Of course the fact that most users have difficulties with initializing security features available in most current Wi-Fi gadgets (or even sometimes don’t know where to find those features) is also very helpful for hackers.

Another possible reason of popularity for is that people are not yet used to wireless spamming (and hacking), and are more likely to open a message or attachment sent from an unknown recipient.

Aside from the habitual reasoning, there is another possible cause for the higher likelihood of opening unknown attachments on wireless devices compared to wired ones (and thus getting the former infected).

According to the research published by Cisco and the National Cyber Security Alliance, the feedback from 700 businessmen from all over the world indicated that the root of this problem can be the small size of the screen used in wireless handheld devices.

And one more interesting fact from the same research: 81 percent of all business executives around the world are already using some sort of wireless device. Of the 700 businessmen who participated in the research (as representatives of the executive group), a chilling 76% had trouble distinguishing between legal messages and those that can compromise their wireless devices!

You can read the whole story here: Mobile workers still struggling with security

Now just think about it! If the same proportion holds true for the rest of the executives, then over 60% of all executives in the world not only use wireless devices, but also don’t care too much about wireless security!

And if the wireless device of such person is compromised, then the whole corporation can be at risk…

This is definitely something that hackers would want to explore. And this is a serious topic to think about for all business executives. They should educate themselves at least in the basics of wireless security, or it might be too late…

21st August 2007

Internet Security Vulnerabilities on the application layer of the OSI model

Though the implementation of IPv6 can somewhat increase the security of the lower layers of OSI, the main stream of actual hacking happens on the application layer of the model.

We will talk about firewalls and intrusion detection systems in future articles, as well as the ways to further secure your hosts with live response toolkits and forensic image toolkits that can help you to identify possible kernel rootkits, etc.

Network reconnaissance is helpful if a hacker plans to attack a particular network. But in reality this approach is used less often today.

The main trend of internet security attacks for 2006-2007 is to use a “wholesale approach”.

That means no network, organization or individual serves as a specific target. Instead the target is every machine that is exposed to certain vulnerabilities.

Another trend that is clearly seen is the combination of different techniques. If in 2004-2005 an intruder would (mostly) use either an email with an embedded virus or worm, or an exploit that would give him direct access to the system, now the intermediate hacks are more popular.

They are used to get initial access to the system and as a platform for backdoor downloads.

To facilitate the distribution of the malicious code, a combination of several techniques and methods is used. Quite often large are utilized for the initial distribution of the spam emails. In order to avoid current malware filters, no virus is usually embedded in the email. Instead, the reader is sent to a malicious URL. The web-based URL is used for automatic download of the exploit.

Such spam email campaigns can target over a billion email addresses and thus ensure a large number of opened and clicked-through emails. A huge targeted audience ensures a large  base for the of users infected with a new virus through such a spam attack.

So which applications are currently targeted most often for attacks?
According to the Symantec Internet Security Threat Report for the second half of 2006 (Volume 11), the most targeted group for attack was web browsers and third-party web applications.

Among web browsers, IE holds the crown and accounts for 77% of web-browser-targeting attacks.

Another confirmation that direct attacks are more and more often replaced by the “wholesale” approach is derived from the fact that home users are the targets in 93% of cases of the latest attacks!

Which is logical, since home users are the least educated group of computer users (as far as internet security is concerned) and can be rather easily tricked by the combination of spam and web-based URLs hosting payloads with a middle level of security threat.

In other words, they can be easily tricked into opening spam emails and downloading the malicious code, and thus get their computers infected.


19th August 2007

OSI, TCP/IP and the inherent flaws of both models

I was recently asked which future internet security protocols / models can help increase the overall security of the Internet.

Before I can answer this question, let’s take a brief look at the current OSI model (and its simplified, most often used TCP/IP version) that is the base for the overall data transfer between systems on the Internet. The  is tightly bound to the security (or rather, insecurity) of those protocols.

The TCP/IP protocol was originally created to suit the needs of ARPANET, a closed network which was essentially what we today call an intranet. Since it was not a public network, but rather peer-to-peer communication between several US universities, not everybody had access to it, so there was not much thought given initially to the security of this protocol. The main task of the protocol was to efficiently deliver data between the remote locations.

Later this network grew and became the Internet, but the TCP/IP protocol was still used as the main way of communication. However, it was not a closed network anymore. So because of the initial “friendly” architecture, now we have IP spoofing to deal with. This technique allows hackers to effectively conduct ping sweeps and port scans, and gives them the ability to effectively hide the IP of the host that originated the attack.

Smurf attacks and ARP redirects also probably wouldn’t be possible if this model had originally been created with security in mind (or rather, if an enhanced version of this protocol had been created for the public network).

The trace of the “friendliness” of the TCP/IP model could be better seen on layers 2-4 of the model.

The insecure nature of Ethernet still amazes me. Broadcasts allow anyone on the network to easily access the information passed between any other machines on the same bridge. The logic is that everyone will behave ethically and not eavesdrop on conversations that are not meant for them. Well, it could work for closed networks, but it certainly doesn’t work for the Internet where you in effect trust all your private communications to a complete stranger.

And the relative ease of ARP redirects, where any machine can claim to have any MAC address it wants, is nothing more than just a more advanced version of misuse of the same trust…
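One way a defender can watch for the ARP trust abuse described above, as an added example that is not part of the original post: a passive monitor that tracks IP-to-MAC bindings and flags an address that changes owner. The log format, addresses, function names and the 5-second window are constructed assumptions.

```python
from collections import defaultdict

# Constructed observations, one per line: "<unix_time> <sender_ip> <sender_mac>".
# The format is an assumption for this example; a real sensor would take the
# sender fields from captured ARP requests and replies.
SAMPLE_LOG = """\
1000.0 192.0.2.1 02:00:00:00:00:01
1001.2 192.0.2.20 02:00:00:00:00:20
1002.5 192.0.2.30 02:00:00:00:00:30
1010.0 192.0.2.1 02:00:00:00:00:99
1010.4 192.0.2.20 02:00:00:00:00:99
1011.0 192.0.2.1 02:00:00:00:00:01
1011.1 192.0.2.1 02:00:00:00:00:99
this line is malformed and is skipped
"""


def parse(log):
    """Yield (time, ip, mac) tuples, skipping lines that do not parse."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2].lower()
        except ValueError:
            continue


def analyze(log, flap_window=5.0):
    """Return (alerts, multi_ip_macs) for a log of ARP sender bindings.

    alerts: (time, kind, ip, old_mac, new_mac) each time an IP changes MAC.
      "rebind" = the previous owner had been quiet for longer than flap_window
      "flap"   = two MACs are answering for one IP within flap_window seconds,
                 which is what a poisoning host competing with the real owner
                 looks like on the wire.
    multi_ip_macs: MACs that claimed more than one IP. This is a heuristic:
      routers and hosts with address aliases do it legitimately.
    """
    bindings = {}               # ip -> (mac, time last seen)
    claimed = defaultdict(set)  # mac -> every ip it has claimed
    alerts = []
    for ts, ip, mac in parse(log):
        claimed[mac].add(ip)
        previous = bindings.get(ip)
        if previous is not None and previous[0] != mac:
            old_mac, old_ts = previous
            kind = "flap" if ts - old_ts <= flap_window else "rebind"
            alerts.append((ts, kind, ip, old_mac, mac))
        bindings[ip] = (mac, ts)
    multi = {m: sorted(ips) for m, ips in claimed.items() if len(ips) > 1}
    return alerts, multi


if __name__ == "__main__":
    found, multi = analyze(SAMPLE_LOG)
    for ts, kind, ip, old, new in found:
        print(f"{ts:.1f} {kind:6} {ip} {old} -> {new}")
    for mac, ips in multi.items():
        print(f"{mac} claims {', '.join(ips)}")
```

Static ARP entries for the gateway or switch-level ARP inspection prevent the rebinding outright; a monitor like this only reports it.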

Same goes for DHCP servers and DNS servers…

Though many believe that actual hacking happens on the application layer, it would be much more difficult to accomplish without the preliminary reconnaissance of the target subnet. Besides, all the sniffing also happens on the network layer. And if usernames/passwords are sniffed, then no hacking is really needed – you already have everything you need.

So if we want to achieve a more secure Internet, the first logical conclusion would be to somehow boost the security of the TCP/IP protocol.

IP version 4 is completely insecure, so big hopes were cherished for the introduction of IP version 6. At least it will allow the source of an attack to be positively identified.
Plus, ping sweeps won’t work anymore simply because of the size of the subnets that would have to be scanned. And broadcast will be changed to multicast, thus reducing the number of hosts that will be able to intercept communication. Plus it would be more difficult for worms to spread. Of course the mandatory inclusion of IPSec in IPv6 could theoretically be helpful too.

(Though in practice, the deployment of this protocol will take at least a few years, and most likely no encryption will be initially implemented.)

Unfortunately, this protocol has its own weaknesses too. One thing I hate is that now you can’t filter all ICMPs, because its neighbor discovery totally depends on it. And ICMPs are well known as one of the most popular sources for DDoS.

In total, IPv6 should have more positives than negatives as far as Internet security is concerned.

But we also need to see what could be done to increase the security on the application layer.
We’ll talk about it next time.


16th August 2007

Be Aware Of Online Predators on Social Networking Sites!

Today I received an email forward that actually contains something interesting. It tells the story of a police officer and a little girl (she is 14 years old). The police officer was able to find the girl without getting data from police databases. All he used was either the data freely available on the child’s profile or the information he got from the girl herself during their friendly online chats. Of course this email is probably a hoax (meaning it described a situation that didn’t happen in real life), but at least this was a useful hoax for once.

It’s worth sharing it with your children, because it can help you to explain to them once and for all why it’s not a good idea to talk in the virtual world about the details of their personal lives that could be used to identify them in the real world.

Virtual reality provides a false feeling of safety and anonymity, where many members of social networking sites share tons of personal information in their profiles, and of course they like to chat and give away even more information during those conversations.

In this particular example, the girl thought that her online friend was a teenager, and that he lived far away from her, so she was rather relaxed and shared with him such details as the name of her softball team, her place in this team, etc. After all, the “boy” doesn’t know her real name and he doesn’t live in her town… And why did she think that he was a teenage boy and lived in another state? Because he said so…
This story is probably not real (I’ve yet to hear about special police officers that are hunting online predators), but it could happen in real life. It’s absolutely realistic for to find the girl based on all the information that the police officer was able to collect in a short period of time. And it would be great if such a police department were organized in real life.

Ok, here is the story as I received it. Unfortunately there was no name so I don’t know whom to credit for this great educational piece that could save your children:

After tossing her books on the sofa, she decided to grab a snack and get on-line. She logged on under her screen name ByAngel213. She checked her Buddy List and saw GoTo123 was on. She sent him an instant message:

Hi. I’m glad you are on! I thought someone was following me home today. It was really weird!

LOL You watch too much TV. Why would someone be following you?
Don’t you live in a safe neighborhood?

Of course I do. LOL I guess it was my imagination cuz’ I didn’t see anybody when I looked out.

Unless you gave your name out on-line. You haven’t done that have you?

Of course not. I’m not stupid you know.

Did you have a softball game after school today?

Yes and we won!!

That’s great! Who did you play?

We played the Hornets. LOL. Their uniforms are so gross! They look like bees. LOL

What is your team called?

We are the Canton Cats. We have tiger paws on our uniforms. They are really cool.

GoTo123:
Did you pitch?

No I play second base. I got to go. My homework has to be done before my parents get home. I don’t want them mad at me. Bye!

Catch you later. Bye

Meanwhile…….GoTo123 went to the member menu and began to search for her profile. When it came up, he highlighted it and printed it out. He took out a pen and began to write down what he knew about Angel so far.

Her name: Shannon
Birthday: Jan. 3, 1985
Age: 13
State where she lived: North Carolina

Hobbies: softball, chorus, skating and going to the mall. Besides this information, he knew she lived in Canton because she had just told him. He knew she stayed by herself until 6:30 p.m. every afternoon until her parents came home from work.

He knew she played softball on Thursday afternoons on the school team, and the team was named the Canton Cats. Her favorite number 7 was printed on her jersey. He knew she was in the eighth grade at the Canton Junior High School. She had told him all this in the conversations they had on-line. He had enough information to find her now.

Shannon didn’t tell her parents about the incident on the way home from the ballpark that day. She didn’t want them to make a scene and stop her from walking home from the softball games. Parents were always overreacting and hers were the worst. It made her wish she was not an only child. Maybe if she had brothers and sisters, her parents wouldn’t be so overprotective.

By Thursday, Shannon had forgotten about the footsteps following her.

Her game was in full swing when suddenly she felt someone staring at her. It was then that the memory came back. She glanced up from her second base position to see a man watching her closely.

He was leaning against the fence behind first base and he smiled when she looked at him. He didn’t look scary and she quickly dismissed the sudden fear she had felt.

After the game, he sat on a bleacher while she talked to the coach. She noticed his smile once again as she walked past him. He nodded and she smiled back. He noticed her name on the back of her shirt. He knew he had found her.

Quietly, he walked a safe distance behind her. It was only a few blocks to Shannon’s home, and once he saw where she lived he quickly returned to the park to get his car.

Now he had to wait. He decided to get a bite to eat until the time came to go to Shannon’s house. He drove to a fast food restaurant and sat there until time to make his move.

Shannon was in her room later that evening when she heard voices in the living room.

‘Shannon, come here,’ her father called. He sounded upset and she couldn’t imagine why.

She went into the room to see the man from the ballpark sitting on the sofa.

‘Sit down,’ her father began, ‘this man has just told us a most interesting story about you.’

Shannon sat back. How could he tell her parents anything? She had never seen him before today!

‘Do you know who I am, Shannon?’ the man asked.

‘No,’ Shannon answered.

‘I am a police officer and your online friend, GoTo123.’

Shannon was stunned. ‘That’s impossible! GoTo is a kid my age! He’s 14. And he lives in Michigan!’

The man smiled. ‘I know I told you all that, but it wasn’t true. You see, Shannon, there are people on-line who pretend to be kids; I was one of them. But while others do it to injure kids and hurt them, I belong to a group of parents who do it to protect kids from . I came here to find you to teach you how dangerous it is to talk to people on-line. You told me enough about yourself to make it easy for me to find you. You named the school you went to, the name of your ball team and the position you played. The number and name on your jersey just made finding you a breeze.’

Shannon was stunned. ‘You mean you don’t live in Michigan?’

He laughed. ‘No, I live in Raleigh. It made you feel safe to think I was so far away, didn’t it?’

She nodded.

‘I had a friend whose daughter was like you. Only she wasn’t as lucky. The guy found her and murdered her while she was home alone. Kids are taught not to tell anyone when they are alone, yet they do it all the time on-line. The wrong people trick you into giving out information a little here and there on-line. Before you know it, you have told them enough for them to find you without even realizing you have done it. I hope you’ve learned a lesson from this and won’t do it again. Tell others about this so they will be safe too?’

‘It’s a promise!’

That night Shannon and her Dad and Mom all knelt down together and thanked God for protecting Shannon from what could have been a tragic situation.”

As you can see, the girl could be in serious danger. In addition to telling the stranger all that identifiable information, she also told him that she’s home alone until a particular time (6:30 pm in this example).

The Internet is a powerful tool that has brought a lot of convenience into our lives. But it has also generated new types of danger that did not exist before. And it’s your responsibility as a parent to protect your child from them.

So if you still don’t know what your children are doing online, you’d better check it out.

At the same time, don’t forget about offline predators who can meet with your child face to face. If your child is educated and knows what to do and how to react in a dangerous situation, s/he is more prepared, and has a better chance of avoiding trouble.

To help you with this task, I’m glad to give you “17 Proven Time Tested Safety Secrets To Protect Your Child From Sexual Predators”, the report written by Preston Jones and Joyce Jackson. Just right-click the link above with the name of the report in it, and you will be able to download it to your computer.