January 26, 2012

Cell Phone Espionage

Image from How Stuff Works
Recently, I read the article “iPhone Espionage” on INFOSEC Institute by Keith Lee. With a sexy title like that, I couldn’t resist. The article delves into the technical aspect of iPhone espionage (honestly, some of it is above my understanding), but what really stood out was the first step in how your own phone is turned against you. It starts with basic access to the phone.
“All an attacker needs is 3 second with your phone and to connect it to a usb (sic) cable. It could take even less time, depending on the speed of the computer as well as whether the attack is staged. This would seem like an awesome attack vector but it’s only viable if you have physical contact with the iPhone or with some social engineer to get the victim to connect the iPhone to an embedded device (e.g. mobile charger?).”[i]
Cell phone stalking software
Once somebody has physical access to your phone, they could easily install stalking software.  Watch the clip below from the WFMY News 2, which shows how “with a simple program, someone could take control of your phone, listen to your calls, read your e-mails all while tracking your every move.”[ii] Even when your cell phone is turned off, the stalking software can remotely activate the phone’s speaker to eavesdrop without your knowledge.

Notice around the video's 2 minute mark, one of the ways the stalking software gets on your cell phone is by somebody having physical access to your phone or “with some social engineer to get the victim to…”[iii] upload the software from visiting a site.
Juice-jacking

A free charging station in India.
 Image from Mobile Active
As mentioned in the “iPhone Espionage” article, if you could get the victim “to connect the iPhone to an embedded device (e.g. mobile charger?)…”[iv] the phone could be modified into a spy tool. If you are a frequent traveler, you may have seen a mobile recharging station when you were out and about. The charging station allows you to recharge the phone battery via the USB connection instead of plugging into an electronic outlet.  Back in August 2011, the risk of these recharging stations was reported more in depth by Brian Krebs in his blog post “Beware of Juice-Jacking.” An item of interest discovered was that “certain devices, if you power them completely off, then charge them, they don’t expose the data.”[v]
To the basic cell phone user, this can appear a bit frightening. Fortunately, you don’t need to be a technical wiz to use simple security steps in preventing your phone from being turned into a spying tool.
Simple steps to protect your phone.
-          Only let people you trust use your cell phone.
-          Don’t visit unfamiliar links with your phone.
-          Use the supplied power cord in lieu of using the USB connection to power up your phone.
-          If you’re in a sensitive meeting, remove the battery from the cell phone.




[i] Keith Lee (October 31, 2011) “iPhone Espionage” INFOSEC Institute. Retrieved from http://resources.infosecinstitute.com/iphone-espionage/?utm_source=Newsletter&utm_medium=email&utm_content=B&utm_campaign=December+Newsletter (accessed 25 January 2012).
[ii] “WFMY News 2 – Cell Phone Stalking” (May 7, 2008) WFMY News 2. Retrieved from http://www.youtube.com/watch?v=WPt2i24cA5I (accessed 25 January 2012).
[iii] Keith Lee, Ibid.
[iv] Ibid.
[v] Brian Kreb (August 17, 2011) “Beware of Juice-Jacking” Krebs on Security. Retrieved from http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/ (accessed 25 January 2012).
Enhanced by Zemanta

January 23, 2012

Chinese Phishing Expedition

Within the past couple of weeks, the security field has seen multiple articles circulating about Chinese hackers targeting the U.S. government smart cards. Of course Chinese hackers targeting anything that is U.S. government related does not come as a big shocker. It is almost considered common knowledge that the Chinese are deploying various cyber attack techniques against the U.S., specifically the Department of Defense and State Department. The New York Times reported that “Chinese hackers have deployed a new cyber weapon… that targets smart cards used by government employees to access restricted servers and networks.”[i] This new cyber weapon generating the latest buzz is a newer variant of the computer virus, Sykipot; however, the deliver method is nothing new.
The attack starts off with a personalized email to known government employees enticing them to open an attachment or click on a link that downloads the malicious code. The malicious code, “which contained a keystroke logger, enabling hackers to steal PIN numbers for smart cards.”[ii]
According to a report by Chicago Homeland Security Examiner, Cynthia Hodges, “E-mails sent to key DoD employees, for instance, in which the researchers refer to as the ‘drone campaign’ included attachments with content related to U.S. unmanned combat air vehicles (UCAVS) with the purpose of stealing documents related to the Pentagon’s drone strategy.”[iii]
This sounds like the old fashion spear phishing technique. Of course saying “Chinese Hackers attack” sounds way more exciting than “DoD employees fall for spear phishing attack...again.”
Wikipedia defines phishing as “a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication…Targeted versions of phishing have been termed spear phishing.”[iv] Phishing is often used by amateur and professional hackers and scammers alike, because it works. It targets the weakest point of any security network, the human. It appears that the targeted government agencies should use this as an opportunity to strengthen their employee security awareness.
Tips to help you not become a victim of phishing.
1.       Read the header of the email. The “from” line can easily be (and often is) spoofed, but if you dig a little deeper in the email header, you can figure out where that email came from. There is a good tutorial on how to read email headers at http://email.about.com/cs/spamgeneral/a/spam_headers.htm.

2.       Don’t click on links. Examine the links. Copy and paste the link into an Internet Search engine such as Google or Bing.

3.       Don’t open attachments from unknown sources. It is so simple, so basic, yet how many are guilty of doing this?

4.       If you receive an unexpected attachment from a known source, contact the sender directly.

5.       Analyze the topic and body of the email. Is it rather generic? If it is from a known sender, does the sender typically send email like this?

6.       Keep your anti-virus software updated. New malware and viruses are constantly being released. Your anti-virus software cannot know the latest threats if it doesn’t get its update.







[i] Nicole Perlroth (January 12, 2012) “Malicious Software Attacks Security Cards Used by Pentago” The New York Times. Retrieved from http://bits.blogs.nytimes.com/2012/01/12/malicious-software-attacks-security-cards-used-by-pentagon/ (accessed 23 January 2012).
[ii] (January 17, 2012) “Chinese hackers target DoD, DHS smart cards” Homeland Security News Wire. Retrieved from http://www.homelandsecuritynewswire.com/dr20120117-chinese-hackers-target-dod-dhs-smart-cards (accessed 23 January 2012)
[iii] Cynthia Hodges (January 12, 2012) “Chinese hackers targeting Homeland Security smart cards” Examiner. Retrieved from http://www.examiner.com/homeland-security-in-chicago/chinese-hackers-targeting-homeland-security-smart-cards (accessed 23 January 2012).
[iv] “Phishing” Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Phishing (accessed 23 January 2012).
Enhanced by Zemanta

January 20, 2012

Scammed by Facebook Security?


Image from Switched
According to recent reports, there is a new phishing scam circulating the popular social network site, Facebook. This phishing angle has victims believing the message is from Facebook Security.

The deception starts off with a compromised Facebook account where the scam artists change the profile picture with the Facebook logo and renames the account “to a variation of ‘Facebook Security’ written with special Unicode characters [that replace letters like a, k, and t].”[i]  After disguising the account, the scammer sends a chat message to all the compromised account’s contacts stating “Last Warning: Your Facebook account will be turned off Because someone has reported you. Please do re-confirm your account security by:” and then provides you with a website address to visit, which ends with ”.vu”, according to a blog post by David Jacoby, Kaspersky Lab Expert.

The link takes you to a website with the look and feel of a typical Facebook page. The site asks you to provide your name, email address, password, security question, and other personal identifiable information. It seems legit, since they need to verify who are, right? Well, after providing all that information, the site prompts you for your credit card, expiration date, and security code. Why does Facebook need this to verify who I am? Answer: They don’t.

In related news, Social Beat recently posted “How Facebook is fueling a new breed of social scams”. According to this post, “the average social scam wave reached approximately 1.5 million clicks.” With large numbers of success for just your average, run-of-the-mill social scam, no wonder scam artists are flocking to social media. This article takes a deep look at how you are likely to see more phishing attacks in your near future, without really providing any guidance on what you can do to keep yourself secure. Well, I have few simple tips.

Facebook Security Tips:

-  Use a strong password and change it regularly (recommend every 3 months). Don't be the compromised account scammers use.

- Don’t share your password.

-  Log out when you’re done. Don’t just exit or close the browser, because this doesn’t actually log you out of the account.

-  Don’t click on links you don’t know.

-  Only friend people you actually know.

-  Use a browser add on like Web of Trust or Firefox’s NoScript to keep your account from being hijacked.

[i] Lucian Constantin (January 13, 2012) “Facebook chat phishing attack impersonates Facebook security team” Computer World. Retrieved from http://www.computerworld.com/s/article/9223432/Facebook_chat_phishing_attack_impersonates_Facebook_security_team?taxonomyId=17#disqus_thread (accessed 20 January 2012).

Related articles
Enhanced by Zemanta

January 10, 2012

Skimmer Scam

A few weeks ago, a California based grocery store chain issued a release admitting that their self-service checkout stations in 24 different stores throughout the San Francisco Bay Area, were illegally modified with credit/debit card skimming devices.  According to the release, “Lucky Supermarkets uncovered the scam, which has impacted other retailers globally, during its routine inspection of card readers…,”[i] which is better than how the arts and crafts outlet chain, Michaels found out about the tampering of their point of sales (POS) equipment. Back in May 2011, Michaels learned some of the PIN pads at their POS station were tampered with when they were contacted “by banking and law enforcement authorities after some fraudulent debit card transactions were reported…”[ii]  Various Michaels stores in about 20 different states thoughout the United States were compromised.[iii]
What is a skimming?
According to Online Guards, “skimming is the process where original data from your cards magnetic strip is electronically copied to create a duplicate card without your knowledge. “[iv] Naturally, a skimmer is a device that is used by scammers to accomplish this fraud. It is a common fraud that is gaining popularity. This method has been used at gas stations and ATMs in the past, but I’ll go further into depth on these skimming targets in a later post.
How can this happen?
A news clip from Saanich, BC, Canada, shows how quickly the tampering can occur. It only takes a matter of seconds.
Skimming Protection.

In an article by Dark Reading, “some security experts believe that the only way to really prevent skimming is to change the way the retail industry accepts credit cards. This means eventually getting rid of magnetic stripe technology in favor of chip and pin technology being rolled out in countries out of the U.S. today…”[vii] Until that happens (doubt it will be any time soon!), you can follow these simple steps.

- Monitor your accounts for unauthorized transactions and report them immediately!

- Don’t use your PIN. Run your debit card as credit card instead. “Without your PIN number, direct access to your bank account is impossible…”[v]

- Use credit cards instead of debit cards. Credit cards offer a bit more protection than debit cards. The Washington State’s Department of Financial Institutions advises users “The Truth in Lending Act protections for credit cards… cap[s] a consumer's liability for unauthorized transactions at $50, [For debit cards] the [Electronic Fund Transfer Act] law limits liability to $50 if the debit cardholder notifies the bank within two business days after discovering the theft. If you don't notify your bank within those two days, you could lose up to $500, or perhaps more.”[vi]
- If the equipment looks questionable, don't use it. Report it immediately to the store employees.
[i] Lucky Supermarkets (December 20, 2011) “News Release – Luck Supermarkets Engages in Comprehensive Consumer Protection: Update on Credit/Debit Card Readers in Luck Self-Checkout”. Retrieved from http://docs.ismgcorp.com/files/external/12-20_updated_news_release.pdf (accessed 10 January 2012).
[iv] “ATM Skimmer & POS”. Online Guards. Retrieved from http://www.onlineguards.com/topics_atmskimmer.html (accessed 10 January 2012).
[v] “Consumer Alert: Skimming Scammers Skating Shopper Savings.” Better Business Bureau (June 9, 2011). Retrieved from http://sandiego.bbb.org/article/consumer-alert-skimming-scammers-skating-shopper-savings-27812 (accessed 10 January 2012).
[vi] “Debit Card Frequently Asked Questions” Washington State Department of Financial Institutions. Retrieved from http://www.dfi.wa.gov/consumers/education/debit_faq.htm (accessed 10 January 2012).
[vii] Ericka Chickowski (May 13, 2011) “Michaels Breach Evidence of Growing POS Skimming Trend” Dark Reading. Retrieved from http://www.darkreading.com/database-security/167901020/security/attacks-breaches/229500604/michaels-breach-evidence-of-growing-pos-skimming-trend.html (accessed 10 January 2012).


Enhanced by Zemanta

January 9, 2012

Social Malware

Computer Worm
The security firm, Seculert warns about a new variant of the computer worm, Ramnit, which is expected to have stolen approximately 45,000 Facebook usernames and passwords. Primarily, Facebook accounts from the United Kingdom and Frances were the latest victims of this malware, but it is still spreading. In this world of connectivity, it is only a matter of time before the worm shows up at a computer near you!
According to Microsoft, Ramnit “spreads to removable drives, steals sensitive information such as saved FTP credentials and browser cookies. The malware may also open a backdoor to await instructions from a remote attacker.”
Seculert suspects “that the attackers behind Ramnit are using the stolen credentials to log-in to victims’ Facebook accounts and to transmit malicious links to their friends… In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services to gain remote access to corporate networks.”
Since email is so 1990s and Facebook has over 800 million active user accounts, hackers, scammers and spammers are going to where they’ll get the highest payload. They’re adapting to the environment, so you need to adapt to the changing threat.
Simple ways to keep your account safe?
- Change your passwords frequently and make it complex.

- Don’t use the same password on multiple sensitive accounts (i.e. bank accounts, work accounts).

- Don’t click on unknown links in posts and emails.
For my visual learners, Mashable created a short little video about this malware for your viewing pleasure. Enjoy!
Source: “Ramnit Goes Social”. Retrieved from http://blog.seculert.com/2012/01/ramnit-goes-social.html  (accessed 9 January 2011)
Enhanced by Zemanta

January 7, 2012

NSA's Best Practices for Home Network Security

In mid-2011, the National Security Agency's (NSA) Central Security Service (CSS) released their eight page "Best Practices for Keeping Your Home Network Secure" guide. Who better to tell you how to secure your home computer than the agency charged with the "Information Assurance" mission in protecting the government computer networks and information systems?

According to the guide, the"cyber threat is no longer limited to your office network and work persona. Adversaries realize that targets are typically more vulnerable when operating from their home network since there is less rigor associated with the protection, monitoring, and maintenance of most home networks. Home users need to maintain a basic level of network defense and hygiene for both themselves and their family members when accessing the Internet."

While "adversaries" from a government perspective are hostile nations and international terrorists, from the basic home computer users' perspective, the adversaries are scammers, con-artists and any other person after our personal valuables.

If you're a big computer geek, the guide will provide nothing new. For the basic home computer user, it could seem a little daunting but it provides the good, basic overview in what you need to keep your home network secure.If you're looking for a step-by-step instruction guide in how to set up your network security, you'll be sorely disappointed. It does provide good computer security fodder through the provided guidelines, such as:
  •  Keep your operating system (OS) updated.While it is a great idea to install software patches and updates, if you're still operating on an old OS you may want to upgrade. After a while, the software manufacturer will stop supporting antiquated OS, which means no more patches, leaving your system vulnerable to changing, advancing threats.

  • Keep antivirus, firewall and other software updated.
  • Create limited user accounts. The first basic user account on any computer is the administrator account, which has full access. The NSA recommends that a "non-privileged 'user' account should be created and used for the bulk of activities conducted...to include web browsing, email access, and document creation/editing." Doing these basic activities as an admin gives a hacker an easy way to penetrate.
  • Passwords. Use long, complex ones. The guide recommended at least 10 characters. Some government systems increased their requirements to 15. Change them often (about every 3-6 months is good). Make sure you have a password on all network devices.
  • Use full disk encryption. This goes for your laptop as well. If you lose your hard drive, at least the sensitive information that you stored on it is safe.
The guide does provide some operations security (OPSEC) internet behavior suggestions. For my non-military readers that have never enjoyed the death-by-powerpoint-presentations on OPSEC, let me simply state it is "denying an adversary information that could harm you or benefit them." (The Operations Security Professional's Association). To the basic computer user, this would be denying spammers, scammers, and other crooked people trying to obtain your valuable assets (i.e. bank account information, your identity).
Enhanced by Zemanta