Posted on Mon, Jun 14, 2010 @ 02:25 PM
Network World reported that all the major web browsers on Windows and Mac OS X are vulnerable to a new type of phishing scam: "tabnapping" (more often spelled "tabnabbing", the name Aza Raskin gave it when he described the attack in May 2010). A combination of the words kidnapping and tab, as in browser tabs, tabnapping happens when an already open tab is secretly switched unbeknownst to the user: script on a page you left open detects that its tab has lost focus, waits a while, and then rewrites the page's title, favicon and content to imitate a site you use, while the address bar still shows the original page's URL. As an example, when I work I typically have several Internet Explorer (IE) tabs open. Say one of them was to my bank and I left that tab and went to my email account; when I go back to my bank page it says the page timed out so I have to log in again. But what could happen is someone switched the page and I am actually logging in to a page that diverts my log-in credentials to a scammer.
Prevention
Here are some things you can do to avoid being tabnapped:
- Don't log in on a tab that you haven't opened yourself. If you see a tab that contains a seemingly legitimate log-in form, close it, then head to the site yourself in a new tab.
- Get on the latest release of your web browser. Every major browser has a filter of some kind designed to weed out malicious sites and/or legitimate sites that are suspected of being infected with attack code. Those filters only block a tabnapping page once it has been reported and the underlying blacklist updated; the page looks harmless when first loaded, so treat the filter as a backstop rather than a defense you can rely on.
- Look at the URL in your browser's address bar before filling in any form or giving out any personal information. The script that swapped the tab can change the title, the favicon and the page body, but not the address bar, so unless the attackers are particularly clever and able to exploit a vulnerability or flaw to "spoof," or fake, the URL, it won't match the bogus log-in screen. That's your cue to close the tab immediately.
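The swap described above, and the address-bar check that catches it, as an added example that is not code from the original post or from Network World. FakeTab stands in for window/document so the model runs in Node without a browser; the hostnames (recipes.example, cityonlinebank.example) and the five-second delay are assumptions made for illustration.

```javascript
// Added example, not code from the original post: a Node-runnable model of the
// tabnabbing swap and of the address-bar check that catches it. FakeTab stands
// in for window/document so this runs without a browser; the hostnames and the
// 5-second delay are illustrative assumptions.

class FakeTab {
  constructor(url, title) {
    this.location = new URL(url); // the address bar: only navigation changes it
    this.title = title;
    this.favicon = '/favicon.ico';
    this.body = 'original page content';
    this.focused = true;
    this.idleMs = 0;              // time since the user left this tab
    this.handlers = {};
  }
  on(event, fn) { (this.handlers[event] = this.handlers[event] || []).push(fn); }
  emit(event) { for (const fn of this.handlers[event] || []) fn(); }
  blur()  { this.focused = false; this.idleMs = 0; this.emit('blur'); }
  focus() { this.focused = true; this.emit('focus'); }
  tick(ms) { if (!this.focused) { this.idleMs += ms; this.emit('tick'); } }
}

// Attacker side. A page under attacker control waits until the user has left
// it and has had time to forget what it was, then rewrites what the user sees.
// It cannot touch tab.location, which is what the defender relies on.
function installTabnab(tab, decoy, delayMs) {
  let armed = false;
  tab.on('blur', () => { armed = true; });
  tab.on('focus', () => { armed = false; });   // user came back too soon; stay quiet
  tab.on('tick', () => {
    if (armed && tab.idleMs >= delayMs) {
      tab.title = decoy.title;
      tab.favicon = decoy.favicon;
      tab.body = decoy.body;
      armed = false;
    }
  });
}

// Defender side: the check from the list above, made mechanical. The form is
// trusted only if the address bar shows HTTPS and a host that is the expected
// site or a subdomain of it. "cityonlinebank.example.evil.example" fails
// because the suffix test is anchored at a dot, not a substring match.
function loginFormLooksLegit(tab, expectedHost) {
  const host = tab.location.hostname.toLowerCase();
  const onExpectedSite = host === expectedHost || host.endsWith('.' + expectedHost);
  return tab.location.protocol === 'https:' && onExpectedSite;
}

// Walk through the scenario from the post with the model above.
function demo() {
  const tab = new FakeTab('https://recipes.example/chili', 'Chili recipes');
  installTabnab(tab, {
    title: 'Sign in - CityOnlineBank',
    favicon: '/bank.ico',
    body: '<form action="https://recipes.example/harvest">...</form>',
  }, 5000);
  tab.blur();      // user switches to e-mail
  tab.tick(6000);  // ...and stays away for six seconds
  return {
    title: tab.title,                                  // now looks like the bank
    addressBar: tab.location.href,                     // still recipes.example
    safe: loginFormLooksLegit(tab, 'cityonlinebank.example'),
  };
}

console.log(demo());
```

The point the model makes concrete is the asymmetry in the last bullet: everything inside the tab is under the page's control, the address bar is not. A browser extension that wanted to automate the check would apply loginFormLooksLegit to the real window.location whenever a password field receives focus.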
Posted on Mon, Jan 11, 2010 @ 02:22 PM
A recent Newsweek article discussed the state of website passwords and asked the question "how do you build a better password?" What we learned is that the majority of accepted password methods, used on various websites, add a lot of complexity but not more security.
Computer researchers at Carnegie Mellon University are finding that many of the recent security advances in the banking, e-mail, and other critical systems you log into every day are adding more burdens to users but can still be hacked.
For example, mnemonic passwords, created by thinking of a phrase and combining the first letter of each word, are quite common. The article gives this example: "The famous Ghostbusters line 'Dogs and cats, living together!' becomes, with a few substitutions, 'D&c,lt.'" However, most people use common, well-known phrases to create mnemonic passwords. As a result, scientists in a crude test, using a dictionary built from such phrases, were able to crack four percent of mnemonic passwords, suggesting that motivated hackers could do even better.
The other way most people create passwords is to rely on a single password and use simple variants for most websites. The problem with this approach is if that password is cracked at just one site, a savvy hacker can break into your personal information stored at other sites.
To discourage the latter from happening experts will tell you to create unique passwords for each website. And if you forget a password, no problem, just enter the right answer to one of several "security questions" that only you know. But a May 2009 study from Microsoft Research and Carnegie Mellon pulled the rug from under that approach by finding that subjects could guess their acquaintances' AOL and Yahoo challenges more than a quarter of the time. And, according to the study, one in five subjects forgot the answers to their own security questions in six months!
Instead of a mnemonic password, research suggests that users are better off constructing passwords out of the phrase itself: a passphrase. Newsweek gives this example: "a short but hard-to-remember string like "J4fS<2" can be broken by what is called a brute-force attack (in which a computer attempts "a," then "ab," then "abc," and so on) in 219 years, while a long but easy-to-remember phrase like "du-bi-du-bi-dub" will stand for 531,855,448,467 years." Two caveats apply to such figures. They assume a pure brute-force search at a slow, online guessing rate; an attacker who has stolen the password hash can try billions of guesses per second, which shrinks both numbers enormously. And they assume the phrase is effectively random; a line lifted verbatim from a famous song is one entry in a cracking dictionary, not a 15-character search.
The main point here is that a simpler approach to creating a password can be stronger than the accepted wisdom of combining letters, numbers and symbols, because length does more for you than character variety. So break out those old Sinatra songs, "do be do be doo... strangers in the night..." there could be some great passwords in them, provided you do not use a famous line unchanged, since those are exactly the phrases a cracking dictionary contains.
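The arithmetic behind the Newsweek figures, as an added example that is not from the original article or from Newsweek. The model is a reconstruction: the quoted numbers are reproduced exactly by treating "J4fS<2" as 6 characters drawn from the 94 printable ASCII characters and "du-bi-du-bi-dub" as 15 lowercase letters, searched at 100 guesses per second with 365-day years; that rate, the 10 billion guesses per second used for the offline case, and the phrase list are assumptions made here for illustration.

```python
"""Added example, not from the original article: reproduce the Newsweek
brute-force figures and show what they leave out. The model, the guess rates
and the phrase list are assumptions made here for illustration."""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(length, alphabet_size):
    """Number of strings an exhaustive attacker must try in the worst case."""
    return alphabet_size ** length


def brute_force_years(length, alphabet_size, guesses_per_second):
    """Worst-case time to exhaust the space at a given guessing rate."""
    return search_space(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def entropy_bits(length, alphabet_size):
    """Same quantity in bits: each extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def phrase_dictionary_guesses(passphrase, known_phrases):
    """If the passphrase is a famous line, the attacker needs one guess per
    phrase tried, whatever the character-level math says. Returns None when
    the phrase is not in the list (the attacker falls back to brute force)."""
    wanted = passphrase.lower()
    for position, phrase in enumerate(known_phrases, start=1):
        if phrase.lower() == wanted:
            return position
    return None


# Constructed phrase list standing in for a real lyric/quotation dictionary.
FAMOUS_LINES = [
    "strangers in the night",
    "dogs and cats, living together!",
    "fly me to the moon",
]


def report():
    online = 100                # guesses/s: the rate implied by the article's numbers (assumed)
    offline = 10_000_000_000    # 1e10 guesses/s: a stolen hash cracked on GPUs (assumed)
    return {
        # "J4fS<2": 6 characters from the 94 printable ASCII characters (no space)
        "short_online_years": round(brute_force_years(6, 94, online)),
        "short_offline_seconds": search_space(6, 94) / offline,
        # "du-bi-du-bi-dub": 15 characters, counted as 26 lowercase letters
        "phrase_online_years": round(brute_force_years(15, 26, online)),
        "phrase_offline_years": round(brute_force_years(15, 26, offline)),
        "short_bits": round(entropy_bits(6, 94), 1),
        "phrase_bits": round(entropy_bits(15, 26), 1),
        # the Sinatra line, used verbatim, falls on the first dictionary guess
        "famous_line_guesses": phrase_dictionary_guesses("Strangers in the night", FAMOUS_LINES),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>24}: {value}")
```

The two offline entries are the ones worth remembering: at a realistic cracking rate the six-character string falls in about a minute while the fifteen-letter phrase still takes thousands of years, so length wins, but only for a phrase the attacker cannot simply look up.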
Posted on Wed, Nov 11, 2009 @ 12:45 PM
The Internet Corporation for Assigned Names and Numbers (ICANN), the governing body that acts as steward for the Internet's domain naming conventions, announced in October that it will expand the domain name system (DNS) to include non-Latin (non-English) characters for the first time. So in addition to English domain names, starting in 2010 there will be domain names in Chinese, Arabic, Russian and, over time, other languages.
Domain names, the Internet addresses that end in ".com" and other suffixes, are the key addresses behind every Web site and e-mail address. Since their creation in the 1980s, domain names have been limited to the 26 letters of the Latin alphabet used in English (A-Z), the 10 numerals and the hyphen. Technical tricks (internationalized domain names, which encode other scripts as ASCII "punycode" labels) have been used to allow portions of the address to use other scripts, but until now the suffix had to use those 37 characters.
This is an exciting event for the hundreds of millions of online users whose native language is not English. However, how will this impact network security going forward?
The well-known security researcher Dan Kaminsky is famous for a critical flaw he found in the Domain Name System protocol in the summer of 2008. DNS is the protocol that translates domain names (such as zonealarm.com) to the numeric Internet Protocol address (such as 209.87.209.206). Kaminsky showed that a recursive DNS server could be tricked into accepting a forged answer and caching it, so that from then on it resolves the domain name to an attacker-chosen IP address.
This would allow the attacker to redirect someone visiting CityOnlineBank.com to a fake replica of the website that they control. The user would unwittingly give their online bank password to the attacker's fake website. This is DNS cache poisoning, often loosely called DNS hijacking.
That vulnerability has since been mitigated (resolvers now randomize the source port of their queries, which makes a forged answer far harder to land), but the DNS protocol itself in many ways remains fundamentally insecure: nothing in a plain DNS response proves who sent it. Note that poisoning works the same way whatever script a name is written in; what non-Latin names add is the ability to register names that, to a human reader, look identical to existing ones. With the advent of non-Latin domain names, could we be heading into a nightmarish scenario with rogue cyber terrorists?
DNSSEC is a set of extensions to DNS that lets a resolver verify digital signatures over DNS records using public key cryptography, so a forged answer can be detected and discarded (it authenticates data; it does not encrypt it). Its adoption has been slow due to many factors; it is notoriously complicated to implement and maintain.
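The race that the Kaminsky flaw exploited, and the source-port-randomization fix, as an added example that is not code from the original post or from Kaminsky. Everything runs in-process: the resolver, the zone bank.example, the addresses and the attacker's budget of 256 forged replies per race are simplified stand-ins, and the model assumes the forgeries always arrive ahead of the genuine reply. Kaminsky's contribution was to ask for a fresh random name each time so a lost race could be retried indefinitely, and to ride in-bailiwick glue records so that one win replaces the whole zone's nameserver.

```python
"""Added example, not from the original post: an in-process model of the
Kaminsky-style cache-poisoning race and of the source-port-randomization fix
that resolvers shipped in 2008. Nothing is sent on the network; the resolver,
the zone names and the addresses are simplified stand-ins, and the attacker is
assumed to get its forged replies in ahead of the real one on every race."""
import random

ATTACKER_IP = "203.0.113.66"   # documentation range, constructed for the example
REAL_IP = "192.0.2.10"
PORT_RANGE = (1024, 65535)


class Resolver:
    """Caches the first reply whose (name, transaction id, port) matches its outstanding query."""

    def __init__(self, randomize_port, seed=1):
        self.rng = random.Random(seed)
        self.randomize_port = randomize_port
        self.cache = {}          # name -> address
        self.pending = None      # (qname, txid, source_port) of the query in flight

    def _source_port(self):
        if not self.randomize_port:
            return 53            # the pre-2008 habit: one fixed port for every query
        lo, hi = PORT_RANGE
        return lo + self.rng.getrandbits(16) % (hi - lo + 1)

    def send_query(self, qname):
        self.pending = (qname, self.rng.getrandbits(16), self._source_port())
        return self.pending

    def receive(self, qname, txid, dest_port, records):
        """A reply is accepted only if all three fields match. It may carry
        glue (ns.bank.example -> address) for the zone being asked about; that
        glue is in-bailiwick, so the classic bailiwick check lets it through."""
        if self.pending != (qname, txid, dest_port):
            return False
        self.cache.update(records)
        self.pending = None
        return True


def kaminsky_attack(resolver, guesses_per_race, max_races, seed=7):
    """Make the resolver look up a fresh random name under the victim zone for
    every race, so a lost race costs nothing; each forged reply also points the
    zone's nameserver at the attacker. Returns the number of races needed, or
    None if the attacker gave up."""
    rng = random.Random(seed)
    lo, hi = PORT_RANGE
    for race in range(1, max_races + 1):
        qname = f"x{race}.bank.example"
        real_query = resolver.send_query(qname)   # the attacker never sees this
        forged = {qname: ATTACKER_IP, "ns.bank.example": ATTACKER_IP}
        for _ in range(guesses_per_race):
            txid = rng.getrandbits(16)
            port = 53 if not resolver.randomize_port else lo + rng.getrandbits(16) % (hi - lo + 1)
            if resolver.receive(qname, txid, port, forged):
                return race
        # Every forgery missed; the genuine reply lands and this race is lost.
        resolver.receive(*real_query, {qname: REAL_IP})
    return None


def attacker_owns_zone(resolver):
    return resolver.cache.get("ns.bank.example") == ATTACKER_IP


if __name__ == "__main__":
    for randomize in (False, True):
        r = Resolver(randomize_port=randomize)
        races = kaminsky_attack(r, guesses_per_race=256, max_races=5000)
        status = f"poisoned after {races} races" if races else "attacker gave up"
        print(f"port randomization {'on' if randomize else 'off'}: {status}")
```

With a fixed port the attacker has to guess 16 bits and, at 256 tries per race, wins after a few hundred races, typically seconds of traffic. Randomizing the port adds roughly 16 more bits, so the same budget of 5000 races is nowhere near enough. That is a mitigation, not a fix: the model still accepts any reply that matches three unauthenticated fields, which is exactly the gap DNSSEC's signatures close.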
With the domain name system vulnerable, a website's "forgotten password" feature also becomes an easy target for hackers. By hijacking the domain of the user's email provider (CityOnlineBank email.com in this example), an attacker could then go to Facebook, eBay, or any number of online web services and request that a new password be sent to the user's email address. That password would then be intercepted by the attacker, because the reset message is delivered not to the real CityOnlineBank email.com but to the fake one under the attacker's control. The real user is never involved in, or aware of, the attack at any point.
So the broadening of the Internet to include non-Latin characters is a great thing for the world, but it could usher in a new round of security troubles.
Posted on Wed, Sep 30, 2009 @ 12:26 PM
In a recent article posted to Dark Reading, a couple is suing their bank for failing to protect their account, which resulted in a fraudulent wire transfer. Apparently someone stole the logon credentials to the couple's on-line account and obtained a loan of ~$26,000, which was deposited into the couple's business account. From there the money was transferred to a bank in Hawaii and on to Austria.
The couple is suing the bank largely based on allegations that the bank failed to properly secure the couple's account. In the article, Mr. Bruce Schneier states, "But it makes no sense that the customer should be responsible for [banking] fraud...The only way to improve security is for the person with the ability to mitigate it [like a bank] to take responsibility for this. Even if it's the customer's fault, the bank should be liable."
This intrigued me and so I went to his blog (http://www.schneier.com/blog/archives/2009/09/eliminating_the.html) to find out more. It is, or was at the time of the blog entry, Mr. Schneier's opinion that the only way to combat this type of fraud is to make the bank liable for fraudulent transactions. With all due respect, I have to disagree. Promoting this point, in this particular case, is a bit like putting the cart before the horse.
What the article does not tell you are at least a few important points regarding this case:
- How did the thieves obtain the logon credentials? Did the man or the woman (or both?) write them down in plain sight; was their PDA stolen; did they use something easily guessable; etc.? It seems that no one is contesting the validity of the credentials, so my first question is how they were obtained. If the couple did not take adequate risk protections, then where is their responsibility and liability?
- Were there other, similar transactions (obtaining a loan of similar amounts) in the banking history of this couple? Maybe the bank's fraud transaction system did notice it, but since others had occurred (with similar characteristics) it was not a red flag.
- Were there any regulatory or legal statutes broken by the bank? If not, then that could imply they were doing their due diligence. We don't know the results of their last security audit from regulators - did they pass with flying colors, were there shortcomings in on-line security measures and/or countermeasures?
Mr. Schneier goes on to suggest that banks become more like credit card companies with regard to identifying and stopping fraudulent transactions. As he correctly points out, credit card companies have "...developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They've pushed most of the actual costs onto the merchants." And you can bet that these security technologies are a large investment - money that many banks don't have. I don't know exactly how Citizen's Financial Bank ranks in terms of revenue, but it is probably a safe bet they are not as large as the major credit card companies. And while the credit card companies may not be drowning in fraudulent transaction losses, their feet are not completely dry. Their solutions and technologies do reduce the chance of fraud but they are not perfect - especially if someone has a legitimate credit card number.
Suppose someone stole a credit card that you (against all advice) had not signed. A thief uses the card to purchase a big-ticket item and when you get the bill, you rightfully contest the charge. Is it the credit card company's fault that a legitimate card was used? No. Is it the fault of the store clerk who did not check for a signature? Maybe. If they had questioned the "card holder," the thief probably would have forged the signature anyway. Is it the fault of the original card holder who should have signed the card, thereby giving the clerk an opportunity to compare signatures and making the purchase more difficult? That's my belief.
Without knowing the extent to which the original bank account holders did their own due diligence to protect their account, and without knowing the extent of the banks security measures, I don't think we can just put the blame on the bank.
I do agree with Mr. Schneier on one point: "It's an important security principle: ensure that the person who has the ability to mitigate the risk is responsible for the risk." My point exactly. If it turns out the account holders (who have a major role in protecting their account) did not do this, then they should be held responsible.
The full article can be found here regarding this case: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=220100950
Posted on Thu, Dec 18, 2008 @ 02:59 PM
I’ve had a nagging question for some time now. It comes to mind when an incident happens like the one in Estonia (see Wired magazine: http://www.wired.com/politics/security/magazine/15-09/ff_estonia). I read the aforementioned article and thought, "My God, if this was done on U.S. soil we’d have an international incident on our hands! The press would have a field day if another country tried to bring our financial systems to a halt.” If I’m thinking this, then surely more people are equally amazed and intrigued as I am, right?
It turns out, maybe not--at least not in the numbers I would have expected. Granted I don’t watch TV, (I do have a Netflix account but I do not subscribe to any cable service, by choice) but there was hardly a whisper outside tech circles about this particular incident.
That being said, when one takes a step back and looks at the big picture, this seems to be a common theme. Cyber crime just doesn’t draw the attention that physical crimes do. I believe the biggest problem is an apparent apathy for technological crimes. It’s what we could call "Darfur Syndrome".
By this I mean we as a people disconnect from that which we cannot relate to. Identifying and caring about something small and substantial is easy, like a friend or family member for example. But when the number of people grows and the common bond becomes less apparent the personal connection is lost and disinterest begins to take hold.
We don’t “see” cyber crime. We see figures and definitions that mean little as we have no context for them. We can put armed robbery in context. It's right there on the TV screen: masked men with guns and hostages challenging our basic fears. A denial-of-service attack on servers in a small European country that one may or may not know of doesn't have the same effect. While physical harm in the first instance is daunting, few people can relate to the devastating effect of a stolen identity.
So I pose a question to those reading this post. How do we get an average person to care about security issues we all face but few pay any attention to? What can we do to raise the seriousness of such crimes?
Posted on Wed, Nov 26, 2008 @ 12:00 PM
A by-product of almost every transaction made by people today is personal data being stored electronically somewhere - usually in several different places such as a retail outlet, bank and credit card companies.
According to the Federal Trade Commission's 2006 Identity Theft Survey Report, prepared by Synovate, 8.3 million American citizens were victims of identity theft during 2005. And while identity theft is a federal crime, there are no federal laws that protect personal data on a national basis. The laws currently in force deal with specific industries: the Gramm-Leach-Bliley Act (GLBA) applies to financial entities, the Health Insurance Portability and Accountability Act (HIPAA) to healthcare, the Federal Information Security Management Act (FISMA) to government entities, the Payment Card Industry Data Security Standard (PCI DSS) to the credit card payment industry, and so on. Individual states have also been busy enacting various laws to help protect their citizens from identity theft and related incidents. One example is the State of Maryland's House Bill 208. This law requires businesses that hold personal information to notify Maryland residents in the event the business' computers are breached and the personal data may have been exposed. The Maryland law also requires businesses to "...implement and maintain reasonable security procedures and practices..." But these, and other state laws, are only valid at the state level.
What our country needs is a national data protection law -- one that can be used as a baseline for protection and that individual states and industries could opt to expand. This law would define baseline protections that must be afforded to personal information regardless of who is collecting, storing and using the data. Such a law would also require the government to define exactly which data elements are to be considered "personal". Those of you familiar with the laws above know that what is considered "personal" under HIPAA is not the same as under GLBA. However, some similarities do exist, and from these a common definition of "personal" data can be established. These similarities can also be found in the bills pending before the US Congress. An on-line search at the Library of Congress for the phrase "data protection" returned several pieces of legislation that are yet to be voted on, eleven of them containing the exact phrase. Many of these documents seemed to focus on the notification aspect after a breach has occurred; however, Senate Bill 495 (S. 495) is fairly comprehensive in the protection of sensitive personal data. But what this bill and the others do not do is definitively list the data elements to be protected.
The proposed legislation reviewed for this article revealed that (with one exception, S. 495) a person's name, address, and phone number would be required to be protected, along with a list of other elements if used in combination with the required elements. Among these "combinatory" elements were social security numbers, financial account numbers, PINs, driver license numbers, and biometric data, to name a few. Senate Bill 495 only requires the person's name to be protected and, as part of the "combinatory" elements, lists "social security numbers, passport numbers, and driver license numbers all of which are ‘non-truncated'". Senate Bill 1558 (Federal Agency Data Breach Protection Act) did not specifically list a person's address or phone number, but all of the data elements it listed were required. S. 1558 also included the phrase "other linkable information to the individual," which could be taken to cover address and phone number, among other items. Individual industries could then add more pertinent elements as necessary. From the "common" list of elements an appropriate protection scheme can be built.
Enacting a national data protection law may help us with the international community as well. The European Union (EU) has established a data protection directive, and several countries within the EU have adopted their own individual data protection laws. Australia, Japan, Canada, and other countries have all adopted similar legislations -- some wrapped into a national privacy law but the protection portions still exist. Occasionally it is reported in the news that certain negotiations between the US and other countries, normally involving trade, are held up while discussions are held concerning the lack of adequate protection of personal data from non-US citizens. A national data protection plan may help these negotiations progress. It certainly couldn't hurt.
I certainly support the various laws (federal and state) that have been enacted thus far. They are necessary for prosecuting criminals and assisting victims of identity theft. We need to go to the next step and enact a data protection plan, on a national scale, that can be expanded as needed by state or industry. My plan would be similar to many of the requirements found in Senate Bill 495 however I would like to see a better definition of the required elements and the "combinatory" elements. It would not include phrases like "non-truncated". This national data plan would apply to all entities (public, private, and governmental) so that the data is protected regardless of who has it. Such a plan would help us reduce the number of victims and the severity of consequences of identity theft and aid in negotiations with other countries to boot. Are we ready for a national data protection law? For the reasons stated above I think so.
UPDATE - Massachusetts enacts data protection law
I see where the Massachusetts state legislature has enacted a data protection law for their residents. Basically the law states that anyone (not just in the State) who gathers certain information on Massachusetts residents must take certain protective measures for that data. So if a Massachusetts resident were to purchase something on-line from a site in Tennessee, the seller would be responsible for protecting some, if not all, of the data on the buyer. While I applaud Massachusetts for taking this stand, it has the potential of causing mass confusion for business owners. When other states develop their own data protection laws, and why shouldn't they, they may use the Massachusetts law as a model, but there will certainly be some minor changes/tweaks/etc. to satisfy each state legislature. Looking down the road, this would require business owners to be aware of, and build the infrastructure to accommodate, 50+ (including US territories) sets of data protection laws - the costs of which could be enormous. The possibility of this further emphasizes the need for a baseline, national data protection law. States could increase the protections but could not decrease the minimum measures required to protect US residents' data. Again I call for the US Federal Government to be proactive rather than wait for the confusion and headaches 50 such state laws will cause. To read more on the Massachusetts law - go to Massachusetts Data Protection Law