CounterMeasures - A Security Blog � data leakage

ACTA, entrench & resist?

Rik Ferguson — Mon, 30 Jan 2012 17:03:09 +0000

It’s probably prudent to mention again that these blog posts represent strictly my own opinion, see my disclaimer here. In the security presentation game, we spend a lot of time talking about “bad actors”, today it has a somewhat different meaning.

The concerns with ACTA centre mostly around how the bill enforces liability on website for any links that point to disputed content and how ISPs may be obliged to dig deeper into their customers’ online activity. In the world of User Generated Content, the potential for any site to be forced to close down, in a Stalinesque way to become a “non-site” as it is obliterated from search results or even have its domain name seized, all as a result of the actions of its users, is seen as too great a threat to business online.

ACTA is in many senses the big brother of SOPA. SOPA would have had negligible effect outside of the US, as the proposed bill would only remove sites from the US visible part of the web (and even then there are plenty of ways around it). ACTA is proposed as a global “Agreement” which has been negotiated in closed-shops with only one side of the debate having been represented and no jurisdictional or democratic oversight. The closed shop appears to have been cynically and deliberately set up outside of existing structures such as the WTO perhaps to protect vested interests of large corporations and a subset, in fact a tiny minority, of governments.

Our business is not only about security, as far as I am concerned it is also about privacy and trust and this kind of legislation has a damaging effect on all three of those. Under ACTA, ISPs will become accountable for the actions of their subscribers and as such will have no option but to monitor the content that is being both posted and accessed by their customers. This represents a gross invasion of privacy and under much of the western world’s communications intercept laws is already currently at least a legal grey area, if not outright illegal. Under ACTA that same (as in SOPA) issue of sites that link to copyrighted content surfaces again with we sites facing similar risks and similar levels of accountability.

Under current copyright law (which itself should not be considered immutable) rights owners have the legal recourse to seek to defend their own property, however by the same token it should be recognised that “the internet” or even “that web site” does not fall under that definition. To propose legislation that would enable an entire site to be “disappeared” because of a link to copyright content is draconian in the extreme and undemocratic to boot.

The internet is not intellectual property, the internet is the crucible of modern innovation and in large part generated by “we the people”. US law, and many others besides, classify copyright as the right to revenue from the copying of original work in a fixed medium, the internet has surpassed this concept. If I link to a video you posted, in what sense am I “copying” and in what sense is that truly “tangible”? Is the rendering of a picture in my browser copying, or is it simply “display? How do we deal with the concepts of mash-ups, crowd-sourcing and social networks when antiquated laws must apply, and what happened to my freedom of expression?

Security is a much deeper concept that endpoints and data, security is my right to access and use the global resources available to me, unimpeded by the legal ramifications of the actions of other internet users. Legislation such as ACTA and SOPA would make this impossible. The mantra of online innovation should be adapt and survive, the mantra of rights holders is to often “entrench and resist”.

The only niche left for innovation & collaboration in an ACTA world is for ACTA compliance solutions that continually monitor your web properties for infringements (thereby monitoring also the content of any linked site as well) and remove any offending UGC promptly.

Polish Government under DDoS, Anonymous ACTA up again.

Rik Ferguson — Sun, 22 Jan 2012 22:54:55 +0000

Anonymous are again making headlines, as the majority of Polish government related web sites are taken offline in DDoS attacks over the weekend as a protest about an international agreement perceived as being cooked up in years of secret talks between governments and industry.

As the dust settles and the mutual back-slapping begins over the withdrawal of the SOPA bill in the US, an older and potentially uglier beast has once again reared its head in Europe. This particular beast is called ACTA (Anti-Counterfeiting Trade Agreement ) and you can certainly be forgiven if you haven’t heard of it before, even though it predates both SOPA and PIPA.

ACTA is what is known as a “plurilateral agreement” aimed at establishing international (not just US) standards on intellectual property rights enforcement. SOPA would have negligible effects outise of the US, but ACTA is a global agreement. It aims to create its own governing body outside of the existing World Trade Organisation, the World Intellectual Property Organisation and the United Nations. Preliminary talks began as far back as 2006 including Canada, the United States, Japan, the EU and Switzerland. Official negotiations began in 2008 with the addition of Australia, Mexico, Morocco, New Zealand, South Korea and Singapore. Alongside these national government representatives, an advisory body of large US-based corporations was involved, including the RIAA, the MPAA, International Intellectual Property Alliance and Pharmaceutical Research & Manufacturers of America.

The negotiations were classified as “Secret” in the US on the grounds that there was a risk of damage to national security. The process by which negotiations took place, without public scrutiny or judicial oversight and the way in which the details of ACTA only emerged as a series of leaks until a draft was eventually published in 201O, after the 8th round of negotiations, has attracted widespread criticism from academics and groups such as the EFF.

The major concerns regarding the actual content of the draft centre around a couple of important issues. Perceived infringement on communications privacy for Internet users, as ISPs are obliged to filter content in more depth as a result of their liability for the actions of their subscribers and an increase in liability for websites that link to copyrighted material (sound familiar?) . There has also been concern that the section dealing with border controls would authorise invasive searches of personal laptops or MP3 players in the search for copyright infringing material. It should be noted that EU legislation prohibits travellers from checks if the offending goods are not a part of “large-scale” traffic and US legislation amply demonstrates that unilateral implementation of invasive border searches is entirely to be expected.

So why Poland, and why today? Well, the government of the Donald Tusk made a surprise announcement ( two PDFs in Polish) on the 19th January that they would be signing ACTA one week later on the 26th, taking them down the road to ratification. Many Poles feel that this has been done without inclusion or open debate and without a mandate from the people. The strength of feeling is immediately visible in Twitter, with thousands of Poles making tweets of thanks to Anonymous for this initial and ongoing action. Even those not actively participating in the DDoS have contributed to the failures of multiple websites by attempting to access them in their browser to see if the site had been taken offline.

Whatever the rights and wrongs of the proposed agreement, it is certainly true to say that democracy is never served in secret, where the interests of only one side of the debate are represented. The Polish Minister for Administration and Digitalisation, Michal Boni has asked Prime Minister Donald Tusk to reconsider the decision before signing and a further meeting has been scheduled for the 24th Jan.

The mobile threat – Get Safe Online

Rik Ferguson — Tue, 08 Nov 2011 15:16:26 +0000

Yesterday saw the launch of Get Safe Online week in the UK, an annual event aimed at raising awareness among consumers and small business of the threat from online crime.

The focus of the launch event yesterday was mobile malware and I was asked to give a presentation and demonstration of how this threat manifests itself. The video that I made with the BBC illustrates just how invisible and damaging SMS fraud malware can be and the kind of financial damage it can inflict on the victim.

Smartphone scams: Owners warned over malware apps
Added on November 12th, 2011

The history of mobile malware begins back in 2004 with the appearance of Cabir, the forerunner of many later variants. Cabir was aimed at infecting Symbian based devices, it first emerged as a proof-of-concept but was rapidly picked up and abused by those with criminal intent. Cabir made money by sending premium rate SMS messages from infected devices. This means of turning a profit turned out to be so effective that by 2009 SMS fraud Trojans made up a large bulk of mobile malware and that trend has continued and grown with the rise of the smartphone. In fact, the first ever Trojan for Android based devices was also an SMS fraud trojan, known as ANDROIDOS_DROIDSMS.A

Malware exists for all major mobile platforms in fact, renowned mobile securtity researcher Charlie Miller announced yesterday that he had devised a way to embed functionality in apps for Apple’s iPhone which allowed them to download and run code after the intial application had been installed. His proof of concept app had been checked by Apple and was available in the App Store since September.

If you are interested in finding out more about the history of mobile malware you can download my paper on that very subject right here.

The TrendLabs mobile threats information hub can be found here.

The mystery of the “hacked” Facebook accounts

Rik Ferguson — Wed, 19 Oct 2011 14:30:36 +0000

After a day of investigation it seems that “Team SwaStika” may be attempting to take credit for compromising account details that they really had nothing to do with.

The two lists of hacked accounts (Part 1 and Part 2) have both been circulated online before the Pastebin posts were made by Team SwaStika. The list entitled Part 1 appears to have been doing the rounds on various underground forums for the better part of a year. The second list entitled Part 2 by Team SwaStika is much more recent. The first evidence I can find of the accounts listed in Part 2 is only 19 days old.

A list with content exactly matching this second Pastebin post by Team SwaStika was uploaded to a compromised website by the better known group of hackers Group Hp-Hack. Group Hp-Hack is a Saudi Arabian hacker group that has previously gained notoriety in August of this year for defacing the websites of Joomla Canada and ethicalhackingcourses.com (which remains defaced to this day).

The html list of alleged Facebook logins uploaded to a compromised web server was created in Microsoft Word and has a creation date of 1st October 2011 but was posted with the claim (in Arabic) that the list only represents 10% of the 7 million accounts that were breached by Group Hp-Hack.

Group Hp-Hack defacement

I have informed the owners of the compromised server and advised them to remove the content and once again passed this information to Facebook’s security team

Over 10,000 Facebook account details hacked and published

Rik Ferguson — Tue, 18 Oct 2011 12:02:51 +0000

An update to this investigation is available here.
_____________________________________________________________________________________________________
A hacking group calling themselves “Team Swastika” have published what they claim to be the usernames and passwords for over ten thousand Facebook accounts on Pastebin, an online service for sharing large quantities of text data online. It should be noted that the PR agency for Facebook in the UK gave me the following statement, “This does not represent a hack of Facebook or anyone’s Facebook profiles. Our security experts have reviewed this data and found it to be a set of e-mail and password combinations that are not associated with any live Facebook accounts“.

Team Swastika are a new arrival on the hacking scene, having announced their “launch” only six days ago. although they have only one tweet to their name they have already caused concern by publishing database tables and user credentials stolen from the websites of the Indian Embassy in Nepal and the Government of Bhutan, apparently by SQL injection attack.

This latest publication of what they claim to be more than ten thousand Facebook user credentials is without context and with no indication of the means by which they were stolen. The posts themselves have already been removed by Pastebin but I managed to get a look at them before this happened…

Stolen credentials for Facebook accounts

The compromised user accounts come from all over the globe, and a quick glance through the list of associated passwords shows that the majority of affected users are not using complex passwords, with many being simply a derivation of the user name, a favourite football club or a short numerical password.

The ongoing effect of such a large scale compromise can be disastrous for affected users, particularly if the password is shared for multiple accounts. It can lead to compromise of the victim’s email account which can act as the skeleton key for many other online services, as any password reset procedure will normally pass through the account owner’s email inbox for verification. regaining control of a compromised account can be a costly and time consuming process, as this recent victim explains.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to achieve this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

I have not verified if the credentials as posted are legitimate, for reasons of privacy, but have passed the full list of affected accounts on to Facebook security so that they can warn and protect their users.

Making the most of Facebook privacy – Part III

Rik Ferguson — Tue, 11 Oct 2011 12:04:07 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

The first part of this series can be found here, and part two here.

Lists – Control privacy when you post

Use the Facebook lists feature to divide your friends into lists. This is a great feature for protecting your privacy because it allows you to select an individual audience for each one of your status updates or wall posts, be aware though it is not possible to individualise the audience for your “Likes”.

Facebook offers three default lists; Close Friends, Acquaintances and Restricted. Dividing friends between “Close friends” and “Acquaintances” will influence how much or how little they show up in your news feed. Adding a friend to the “Restricted” list means they will only be able to see content that you make “Public”. Facebook has also introduced the concept of Smart Lists, these could be related to where you live, where you work, or where you went to school for example.

If you add a friend to any of the “Close Friends”, “Acquaintances” or “Restricted” lists, they will not be informed. However, be aware that if you add a friend to a Smart List that is related to a place of work or college for example, they will receive a notification that you have done so and will be able to approve that information for posting to their own timeline. You can also create custom lists and again your friends will not be notified if they are added to these lists. It is worth noting that when you share content with a specific list of friends, your friends will not see the name of the list you have shared it with, but they will see that you have chosen a restricted audience for your post and they will be able to see every individual name in that group.

Subscriptions

Subscriptions is a new Facebook feature that allows you to follow the public activity of people on Facebook, without having to add them as a friend. Of course this means that the possibility exists for people to follow your content, without you having accepted them as a friend as well. It’s one more reason to tightly control your privacy on Facebook. For example, default behaviour on Facebook if you defriend someone is that they will remain subscribed to you and able to see any public content and perhaps content that is shared by mutual friends too, unless you do something about it. If you want to enable or disable the permission for other users to subscribe to your content, go to your timeline and click the arrow to expand the view of your “favourites boxes”. You will see the subscriptions box, click the box and you will be able either to click the “Allow subscribers” box or, more advisedly a “Settings” button where you will be able to turn it off.

Events

Any “Public” event you have responded to will feature on your timeline and will be shared with the public, meaning that anyone viewing your Facebook profile will be able to see these events. To hide these events from your timeline, view your timeline, click “View Activity” and select “Events” from the activity type drop down menu that appears on the right. You may then hide any events you wish from being displayed on your timeline.

Check yourself out!

If you want to check how the changes you have made have affected the information you share you can view your own timeline as another Facebook user would see it, or as it is visible to the general public. To do this, select the downward pointing arrow just to the right of “View Activity”, select “View As…” and type the name of the friend whose view of your profile you wish to preview, or click the “public” link. This is a great way of identifying those last few pesky events, photos, videos or stories that may still be publicly visible. You can then find each unique event in your Activity Log and refine the audience to whom it is visible or remove it entirely from your timeline.

Five rules to remember…

1. If you post on someone’s wall then you cannot control the privacy of your post . The visibility of the comment is defined by the original post which may be less restricitve than you want, for example, “Friends of Friends”.

2. If you restrict the audience of a post in order that certain friends cannot see it that restriction should not be considered final. If someone later posts a comment that tags a Facebook user who was not a part of the original audience, then the entire thread and original post will be visible to that person. Be careful what you post.

3. If you post on, or respond to an invitation to a public event or a public page; you cannot control the privacy of your post. You can only hide it from your timeline after the post has been made.

4. If you post on a friends wall where their privacy setting is “friends of friends”, then any of your friends who are on your Restricted list will be able to see that post, because they are your friends.

5. This means that anything you post which is “Public” or “Friends of friends” (either by your own settings or those of the recipient) may show up in the ticker of people you do not necessarily know, have restricted or have defriended.

Making the most of Facebook privacy – Part II

Rik Ferguson — Tue, 11 Oct 2011 11:40:14 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

The first part in this series of posts can be found here.

Now it gets more granular… Let’s look at “Privacy Settings” which can be accessed through the drop down menu in the top right of your Facebook page.

Facebook privacy settings

How you connect:

Change the setting for “Who can look up your timeline by name or contact info”, “Who can post on your timeline” and “Who can see posts by others on your timeline” to Friends. The default setting is Everyone except for “Who can see posts by others” which defaults to Friends of Friends, this setting is the cause of much of the noise in the ticker that so upset everyone when it was introduced.

The settings for “Who can send you messages” and “Who can send you friend requests” are just a question of how contactable you want to be, personal preference, again the default is Everyone.

How tags work:

Set Timeline Review to On. This does not stop you from being tagged in posts and those posts and tags will still appear in others’ feeds if they are connected to the originator or to someone else tagged in the photo, but they won’t appear on your wall/Timeline until you approve them. By default this is turned off.

Set Tag Review to On. When someone tags your content, you must review before it is posted. This is useful because once a person is tagged in a picture, post or comment, both that person and their own friends can see the content. Content you may not have wanted to share more widely. By default this is turned off.

Set Maximum Timeline Visibility to Friends. This controls the maximum extent of who can view posts to your *own* timeline. Don’t forget this content may have initially been posted on someone else’s wall and you cannot restrict the visibility of the original post. By default this is set to Friends of Friends.

Set Tag Suggestions to Off. This feature will suggest your name when someone uploads a picture that Facebook thinks looks like you. By default this is turned on.

Set Friends can check you into Places to Off – that way, you’re not going to get checked in to somewhere you would rather have kept secret, or even somewhere you never were. By default this is turned on.

Apps and websites

The Information accessible through your friends section controls what information about you can be accessed by Apps that your friends may have installed. Deselect every check box in this section. You will find that by default they are almost all allowed.

Instant personalisation shares Facebook data with certain partner websites. If the option is available, uncheck the box to turn it off. If it is greyed out it means that Instant personalisation is not yet available to your account. Note that it is turned on by default, so try to remember to keep an eye on it because you are not able to disable until the feature is already turned on…

Public Search, if you’ve been following the recommendations so far, this feature should already be off because you changed Who can look up your timeline to Friends only.

Limit the audience for past posts. Click Manage past post visibility and then click Limit old posts. This will ensure that any posts you have made in the previous years on Facebook will have their privacy restricted to Friends only. Unfortunately there is no indicator that tells you whether you have previously done this, so if you’re unsure, just do it again.

Part three of this series is available here.

Making the most of Facebook privacy – Part I

Rik Ferguson — Tue, 11 Oct 2011 11:07:29 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

Since the long list of new features recently unveiled has begun to be rolled out for all Facebook users; I have been receiving ever-increasing amounts of questions from friends, colleagues and Countermeasures readers concerned with how their online privacy may be affected. So I have put together this guide to Making the Most of Facebook Privacy in 2011. I refer to the forthcoming Facebook feature “Timeline” a lot in this post, but don’t be fooled these settings are available right now, even if you haven’t enabled Timeline yet.

Don’t Get Facejaked

So initially, let’s get to the recommended settings for locking down your Facebook security without having a negative effect on your enjoyment of the social network. Follow the three steps in this earlier blog article to help protect your account from unauthorised access, so-called “facejacking”.

Lock Out Leakage

With that out of the way, let’s go on to tweak your account and privacy setting to better protect the content you share and control the audience with whom you share it. Let’s look at “Account Settings” which can be accessed through the drop down menu in the top right of your Facebook page.

Facebook Account Settings

App & Adverts

In this menu you should review the individual permissions that you have allowed the Apps that you have installed. Have a first pass through this list and remove any apps you no longer use. Then review individual permissions by clicking the Edit link next to each remaining App. Some permissions are required for an App to work but many optional permissions can be revoked here. At the same time, ensure that the App itself is not giving out too much information by changing the setting “Who can see posts and activity from this app” to “Friends” unless you have specific Apps that you wish to grant greater visibility.

Finally, in the Facebook Adverts section, change the Third party advert settings and Edit Social Advert settings to No one. The default setting here is Friends.

Protect Your Privacy

The changes to Facebook have radically changed the ways in which we can share content with our friends, friends of friends and the general public. There are two main ways to configure this privacy; when you post through the Facebook interface or when you post through a device or App that doesn’t allow per post privacy settings. To configure these settings select Privacy Settings which is accessed through the same drop down menu as above.

Facebook Privacy

The Default Privacy setting only applies to posts made through an interface or App that doesn’t support inline sharing controls. I recommend setting this to Friends, the default setting again is Public.

In the next part of this blog series, I detail some of the more specific settings for controlling how you share information and perhaps more importantly, how information is shared about you.

Part two of this series is available here.

It ain’t the Timeline, it’s the Ticker, Doc.

Rik Ferguson — Fri, 23 Sep 2011 22:38:12 +0000

Ever since the forthcoming Facebook profile changes announced earlier this week at the f8 Facebook Developer Conference, there has been a lot of talk online about how the new Timeline layout of your user profile will affect your privacy.

Essentially Facebook is taking all of the information that you have already entered into the social network, your profile, your photos, your posts, comments and other’s comments about you and presenting it in clickable chronological order. This has given some commentators cause for concern. Not I.

I’ll admit that when I first read about the changes I was a little worried, even to the point where I messaged my girlfriend to express my concern (I know, geek). So I thought to myself, “Ferguson, don’t be so negative, at least check it out first before going off the deep end.”

So I logged into Facebook and enabled the new Timeline view (it’s not publicly released yet, but here’s how you can get it in advance) and to be honest I loved what I saw. It’s pretty, it’s intuitive and it certainly says a lot more about me (it’s a profile after all) than the previous layout.

Enough of the aesthetics though, what of the security concerns? The thing that led me to write this blog was an article by Gregg Keizer which featured commentary from Sophos’ Chet Wisniewski. Chet is of the opinion that the new layout simplifies the procedure of data mining any given individual, he says “Timeline makes it a heck of a lot easier [for attackers] to collect information on people“. He’s right too, If I had previously wanted to look at everything someone had ever done on Facebook , it would mean a aeons of clicking to load older posts. Now it’s all presented in a scrollable timeline, much more simple. So why do I disagree?

Timeline certainly makes it easier for anyone who has access to my profile to find out about my Facebook past, but my profile is set to private. Not only that I am also very selective about who I add as a friend on Facebook. In all honesty I really don’t mind my friends data-mining me if they have nothing better to do on a rainy afternoon. I’d have to wonder why, but hey, whatever turns your crank… Incidentally, Timeline also let’s you work out who has “unfriended” you.

Of course if my profile was configured to be viewable to the general public, or if I added just anyone as a friend, then timeline would indeed add a whole new set of concerns. To be honest though, if your Facebook profile is publicly viewable or your an inveterate befriender of stranger, you have far bigger concerns already… None of you do that, do you?

There has to be something that worries me in the new Facebook though, and as my fellow Tweeter Kurt Wismer agreed, it’s the Ticker. You’ve seen the Ticker, right? It’s the new scrolling display of updates int he top right corner of your Facebook page. Why do I worry about the Ticker? It publishes all your activities, including check-ins, in real time to all your friends, including your interactions with people and groups those friends don’t know (if that content is public). This is very much a stalker enabler. Now not only can I watch what you are doing on Facebook with people I know, I can also see when you comment, post or like something I have no connection to whatsoever, this is A Bad Thing.

For now, there’s not not you can do about this other than appeal for Facebook to reconfigure this functionality and apply the same kind of discretion any normal person applies in real-life. There is current a groundswell of people posting the following status and for now it’s the only option you have…

Here’s the text in case you want to copy/paste.

“Please do me a favour: please hover over my name here, wait for the box to load and then hover over the “Subscribe” link. Then uncheck the “Comments and likes” choice. I would rather my comments on friends’ posts not be republished. Thanks** Then repost if you don’t want your EVERY MOVE posted on the right for everyone to see! :) i’ll do the same for you if you want. just click “like.”

Security through governmental Obscurity

Rik Ferguson — Mon, 19 Sep 2011 13:08:15 +0000

by permission from dingler1109 Flickr stream

Another object lesson if one is needed that security by obscurity (and fairly transparent obscurity at that) simply doesn’t work.

At the tail end of last week, journalist and historian Bram Talman managed to publish the Dutch National budget for 2012 via Twitter, a document that is not due to go before the Dutch parliament until tomorrow.

While some of the news reports describe the incident as “hacking”, it is nothing complex at all. In Mr. Talman’s own words, he simply made an informed guess at the URL where the document would be hosted, typed it into a browser and there it was in all its glory

“Last year the name of the website was miljoenennota.prinsjesdag2010.nl. I simply replaced 2010 with 2011″

He later tweeted, the following day, that he had uncovered the budget of Utrecht in the same way.

While there are many technologies that can help with securing sensitive data, such as encryption, data leakage prevention, intrusion prevention and web application firewalls just for example; one of the key steps for making sure a confidential document stays that way, would be not_hosting_it_on_a_public_website…

According to the Irish Times, Mr Rutte the Dutch Prime Misister was quoted as saying, “The leak is extremely irritating and unfortunate,” he said. The IT company, Facetbase, said the cause of the embarrassment had been human error, which it very much regretted. Normally, said its head of crisis management, Peter van der Maat, a fake version of the new document would be put online until the real one was ready – but that had not happened.