XBox Live via an OpenWRT router

One of the concerning requirements for Xbox Live connectivity is that you enable UPnP, or ‘Universal Plug and Play’, on your home router.

The UPnP protocol has a long standing history of security problems, not the least of which being that it allows unauthenticated devices to connect to and through your home network. In the past, I have advocated for this to be switched off by default in consumer grade routers and I explain the UPnP threat in another post.

Getting back on track, my security conscious view of our home network does nothing for a teenage boy who received an Xbox Live subscription for his birthday and, while some aspects of the Live subscription work, others – such as game sharing – will fail. With this in mind, we need to set up port forwarding, rather than enable UPnP, to connect said teenager to his gaming buddies and keep our network free of the risks UPnP introduces.
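The alternative described above, as an added example that is not part of the original post: a small shell script that emits the OpenWRT UCI commands for a static port forward to the console and makes sure the UPnP daemon (miniupnpd, the OpenWRT package that implements UPnP IGD) is stopped and disabled. The LAN address 192.168.1.50 is a constructed example, and 3074 is used only as an example port; take the actual Xbox Live port list from Microsoft’s support pages and add one rule per port.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates OpenWRT UCI
# commands for a fixed port forward so the console works without UPnP.
# Assumptions: the console has a static DHCP lease at CONSOLE_IP, and
# XBOX_PORT is one example port (check Microsoft's docs for the real list).

CONSOLE_IP="${CONSOLE_IP:-192.168.1.50}"   # constructed example address
XBOX_PORT="${XBOX_PORT:-3074}"             # example port, confirm against Microsoft's docs

# Emit the UCI commands for one DNAT redirect (WAN port -> LAN host:port).
# $1 = rule name, $2 = protocol(s), e.g. 'tcp udp', $3 = port, $4 = LAN IP
redirect_rule() {
  name="$1"; proto="$2"; port="$3"; dest="$4"
  cat <<EOF
uci add firewall redirect
uci set firewall.@redirect[-1].name='$name'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='$port'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='$dest'
uci set firewall.@redirect[-1].dest_port='$port'
uci set firewall.@redirect[-1].proto='$proto'
uci set firewall.@redirect[-1].target='DNAT'
EOF
}

# Stop and disable the UPnP daemon if it is installed; a no-op otherwise.
disable_upnp() {
  cat <<'EOF'
[ -x /etc/init.d/miniupnpd ] && /etc/init.d/miniupnpd stop && /etc/init.d/miniupnpd disable
EOF
}

# Assemble the full script for the router: no UPnP, one explicit forward,
# then commit and reload the firewall. Review the output, then run it on
# the device with: sh generated-script.sh
build_script() {
  disable_upnp
  redirect_rule 'xbox-live' 'tcp udp' "$XBOX_PORT" "$CONSOLE_IP"
  echo "uci commit firewall"
  echo "/etc/init.d/firewall restart"
}

build_script
```

Because every forward is written down explicitly, the exposed surface is exactly the ports you chose for exactly one LAN host, rather than whatever any device on the LAN asks the router to open.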


Credential Security …again

So, with another major collection of user credentials being uncovered (and reported in the mainstream media), there is a slight increase in interest in people, their data, and the credentials they use.
For those who may not yet have caught up with the news (or those reading this in the future and wondering which massive credential theft I’m referring to), this is the uncovering of the work done by ‘Cyber Vor’ who managed to snare around 1.2 billion (yes, with a B) unique user credentials.


Don't put all your (credential) eggs into one basket

It’s anyone’s guess how long this breach will remain in the news cycle, so I thought I’d throw out an article quickly: New Zealand is currently in the throes of pre-election posturing and I imagine some political hopeful will say something controversial and the media will swing away to cover that within the next day.



Social Scams and Why They Work

Over the last week, as New Zealanders begin to change their jandals (flip-flops / thongs) for shoes, I’ve noted a significant increase in the number of “warnings” being posted in my social network feeds. This is not uncommon and it’s not unique only to my network of contacts as these articles point out.

Now, for the most part, folks in my social stream only get caught on an infrequent basis by these messages. I do my best to flick a link back if it’s an obvious hoax, as do others whom we share as common contacts. I have been caught myself and have more than once shared something which, had I relied on more than wishful thinking, would (and should) have been filtered out.

So – why do these attacks work, why do the hoaxes perpetuate, and what can we do as a community to reduce our chances of passing on misinformation to our networks?

The simple answer is diligence.

Expiring Passwords

Image Credit: Louise Docker / Flickr (CC:by)

Today there was a question pitched by one of the guys at work as to why we bother having such things as a password expiry / enforced change. My answer (in true Rob fashion) rambled a little (ok, a lot) but I’ve consolidated it below and made it generic to suit anyone facing the same line of questioning…

The reason passwords are set to expire is that it limits the exposure of compromised credentials.

Authenticating Users – The Struggle to Raise the Bar

Photo Credit: Ibrahim Asad / Flickr (CC: by)

Interesting quote from an article that I was reading this morning:

“When creating a patient portal that provides access to electronic health records, healthcare organizations must educate patients about the need for authenticating their identities, says Sharp HealthCare CIO Bill Spooner. […] Spooner notes that some patients have complained that the authentication method for its patient portal is cumbersome.”

It’s not the fault of the user: they’ve not been educated as to why the bar should be higher (and they don’t necessarily understand the potential consequence of a low bar). It’s not the fault of the business either; after all, things have been “good enough so far”, so why spend money changing something that doesn’t look like it’s broken?

It’s (almost) nice to know there are others struggling with the balance between usability, user acceptance, funding and the changing landscape of threat.

Tabnabbing – An Even More Evil Phishing Attack

Image by Flickr user 'Toasty' http://www.flickr.com/photos/toasty/1276202472/

Wow – I’ve just finished reading a recent blog post by Aza Raskin (creative lead for Firefox) and he presents an interesting new phishing attack vector for us to be(a)ware of, that of ‘Tabnabbing’.

For many of us, phishing attempts (that is, attempts by ‘evil’ sites or emails to pretend they are from legitimate sources and then dupe the user into revealing login credentials or other useful information) are fairly easy to spot. Some are stupidly obvious, such as the now well known tale of the government official who needs to get large sums of money out of the country; others are less blatant and use shortened URL services or minor misspellings to trick people into clicking their links. But now, joining the ever growing list of ways to socially engineer an inattentive user into revealing useful information, is some very clever JavaScript which seeks to fool us when we’re not looking!

The attack is structured as follows:

  1. The attacker gets a user to browse to a staging site.
  2. When the user switches focus to another tab, the staging site changes its favicon and the content displayed on the page to something the user will be familiar with – in his example, Aza uses a Gmail login or ‘credentials expired’ page.
  3. When the user next scans their open tabs, they recognise the familiar tab and switch to it, believing it to be the genuine article.
  4. Because it’s an existing open tab, they implicitly trust that the domain is what it should be – and from there the credentials are captured and the user is redirected back to the legitimate site, oblivious that they’ve been scammed.


spyPhone or iPhone?

I’ve just finished reading this interesting article on an iPhone vulnerability which could propagate via SMS messaging and is due to be revealed at Black Hat in Las Vegas on Thursday (US time).

While currently unpatched, I imagine it’s got the attention of the team at Apple (though they haven’t responded – yet), so in the meantime be careful should you receive a txt message with a small square as its contents: the vulnerability allows the attacker to take control of many of the device’s functions, including the microphone and camera. 😯

Can Security Policy live in a Business World?

I’ve had a couple of decent articles come through my various feeds this morning in regards to IT Security and how companies are gaining traction for the acceptance and adoption of policies.

Image by Flickr user ianlloyd


Another point of interest raised by Forrester is the shift in spending toward security, but rather than defensive spending, the money is tending toward protecting the DATA. In an age where the security perimeter has shrunk from the outside of the business, to the connected systems, to any accessing device, and right down to cheap, plentiful and high capacity USB storage devices, a perimeter approach seems unnecessarily costly to say the least (of course, this must be tempered with assurance of systems availability).

Where this falls down, however, is in the belief structure of an organisation. Don O’Neill states:

“Cost is a function of perceived value.”

Thus, if you are unable to convince your financial stakeholders to invest in security, you are unlikely to be able to implement worthwhile preventative measures. On the flip side of this argument, if your company is entrenched in a border protectionism mindset, then a shift of focus to data protection (whilst maintaining systems availability via reduced defensive spending) is, again, unlikely to succeed in delivering worthwhile preventative measures.

Image by Flickr user thenickster

However, all is not lost – the other article discusses how we can use Social Psychology (PDF 213KB) to help encourage colleagues and influencers to adopt the policies we’d like to implement. For the most part, this is done by encouraging prosocial behaviours – that is, getting people to adopt the behaviours they believe others are already following. For instance, if I wished to encourage a corporate to focus on data protection, I would cite other companies such as Microsoft who are reducing their corporate firewalls on the perimeter and doing more to authenticate users prior to allowing data to be used (i.e. check I’m an employee before you let me open, read, edit, print or email this document).

The Network World article goes on to suggest some measures to encourage adoption:

  • Post statistical information about the rate of compliance with various security measures where people can see the information…
  • Use comparison statistics about compliance rates to encourage healthy competition among work groups…
  • Provide individual information to each user in a periodic report…
  • Have rotating messages appear about different applications…

The article ends with a call to action, so be sure to actually click through:

I’m sure that readers will have lots of ideas for how to apply Cialdini’s research findings. I suggest that everyone pitch in using the comment feature of this column to share these ideas…After all, 82% of all readers are cooperating with….

With all of the above in mind, then, what can we do as Security Professionals to help protect our people from themselves and the big, bad and nasty outside world? Well, like many others, my current soapbox is to get people to secure their files and encrypt their hard drives. Do you have an area you’re focusing on? Discuss…

Tanking Twimailer (and Trying Topify)

Yesterday Alain E. posted the following comment on my Twimailer article:

It is like Topify.com before less interesting. And in addition their twitter account is not even working. I personally tried both and prefer Topify (first because they have a much nicer site) because their emails are better and allow follow back right from the message. In addition, I had too much down time with twimailer…

To be honest, I’ve not had any issues with the [Twimailer] service to date, but this comment sparked my interest – which was piqued further when I read this article on Read Write Web. It appears that Twimailer has been sold (for a somewhat paltry sum) to an unknown, who is in turn trying to flick off the service to another buyer less than a week after acquiring it.

As a result of this article, I have gone into my Twitter settings, changed my email back to the one used prior to the Twimailer service AND changed my password. I’d suggest that others do the same.

It may seem a little reactionary, but as I use my identity not only for my private tweets but also in support of my work, the potential threat of hijack is too high a price to pay for continued support of a service which has failed to inform its network of some pretty key changes in its organisation. Sorry Twimailer, it’s over between us; I’m moving on – and trying Topify.

So my thanks once again to Alain for piquing my interest, and to the guys at RWW for keeping across these technologies – these are the reasons that you get my subscriptions to your Twitter and RSS feeds.

Photo Credit: USFarmer / Redman

Security Companies on Twitter

Since moving from the R&D field into the amorphous world of IT security, I’ve been trawling the web to find good resources to add to my list of feeds and help me learn more about what we do as a collective, and how those stories are sold to the non-security folk.

It was with some interest that I clicked the link IT security vendors worth following on Twitter when today’s Network World security email arrived in my inbox. The article itself makes for some interesting reading, as does the Über list of IT and Network companies using Twitter.

For myself, I’m currently struggling with the streams I already follow and, while applications such as TweetDeck allow me to create groups of twitterers, the sheer volume of tweets I deal with day to day has convinced me to cherry pick some of the selected “best of” tweeters for inclusion on my watchlist. They are as follows:

And of course, you can always follow me on Twitter as @NZRob