Photo from Julien Lozelli's photostream on Flicker - Creative Commons

“The mailbox was for the use of the Dragon TV’s internal employees only so it had simple passwords for easy communication.”

So, an internet-facing, shared mailbox containing highly confidential information with simple passwords? Normally at this point in a blog article I suppose I would begin to point out things that could have been done to limit the possibilities of such an event. It seems almost too incredible that the aforementioned combination of circumstances should even occur, but here you go…
 
If information is sensitive, do not allow access to it from the internet.
 
If information is sensitive do not store it in a shared mailbox, it is impossible to audit effectively
 
Never use simple passwords, for any reason, ever.
 
If you have a document worth almost half a million dollars… Encrypt it.

Page 1 of the Google search results for "Kanye West Death"

A rumour started this morning that Kanye West had been killed in a “bizarre car accident”, the origin of this rumour has apparently been traced back to the 4chan message boards (although that blog posting appears now to have been removed from Mashable). It didn’t take very long at all for this to be become the top trending topic on Twitter and also the top search on Google as worried fans searched for real confirmation.

It’s no surprise that in very short order we are already seeing poisoned search results being returned on page 1 of the results that could lead the unwary to trouble. Just because something didn’t happen, doesn’t mean it won’t be abused for criminal purposes, be careful where you click,

Richard Dawkins, the evolutionary biologist and popular science author, famed for his no-holds-barred approach to what he sees as the unsubstantiated claims made by religion, certainly has all the proof he needs to believe in the cybercriminal underground.

Members of the discussion forum over at RichardDawkins.net all received a message, purporting to be from the forum admin which incongruously invited them to join a warez site. 

Image from www.twitter.com/fadviral

The apparent hack has been confirmed by the site admins with a message posted on the front page.

Image from RichardDawkins.net

No word yet from the web site admins on how much personal data may have been put at risk during this intrusion.  If the hackers had access to the forum admin account, they very probably had access to a large amount of user information including hashed passwords (or even worse clear text passwords?) and email addresses. My advice to anyone with an account on that particular forum would be to consider the password you used, and if it is common to any other services, then change it immediately.

At the time of writing the forum remains offline.

Image from limewire.com

This is of course not the fault of LimeWire and there’s no reason why Mark Gorton, chairman of Lime Group, should have been lambasted at today’s hearing. It is also not the first time sensitive information has been leaked over peer-to-peer networks (think motorcades, nuclear facilities, presidential helicopter, terrorist threat assessments, mortgage data, M&A plans, healthcare data) the list is virtually endless. This is all of course without considering the extremely elevated threat from malware over (often) unscanned P2P connections to untrusted devices sharing illegal software and data. It has long been the case that distributing malware along with your warez over file-sharing networks is almost de rigeur.

In many ways, the nature of the data that was leaked is secondary to the potential conclusion that can be drawn from the reaction to this latest event.

According to the Computerworld article “The disclosures prompted the chairman of the committee Rep. Edolphus Towns, (D-N.Y.), to call for a ban on the use of peer-to-peer (P2P) software on all government and contractor computers and networks. “For our sensitive government information, the risk is simply too great to ignore,” said Towns”

Does this mean that installations of P2P software are not already banned on sensitive networks? Does this mean that machines that routinely, or even occasionally, handle sensitive data are not deployed in a locked down configuration where the user has no administrative rights? Does this mean that government network admins do not have visibility over who is using rogue software on their networks? It certainly seems that way and this just reinforces the message about low-hanging fruit in my previous post.

If you are concerned about the proliferation of rogue services or unwanted applications inside your environment (not to mention malware) take a look at the Threat Management Solution.

The results of an investigation carried out by Sky News should be enough to worry anyone who is put in the unfortunate position of having to entrust their computer to a stranger.

Researchers from Sky News set up a laptop with a keylogger and webcam enabled surveillance software. They gave the laptop a very common, easy to diagnose and remedy fault, by slightly unseating a memory chip. The laptop was then taken to various computer repair shops around London and the results monitored.

Almost unsurprisingly some of the shops gave misleading diagnoses and overcharged for the repairs. I say unsurprisingly because this immediately puts me in mind of all the well-known horror stories about car repairs rip-offs.

Knowledge = Power = Money and it is certain, and now proven, that some people will abuse their position of power to maximise their financial return. 

More worrying though was the subsequent data theft from this rigged laptop that followed once it had been repaired. The laptop was also honeytrapped with a collection of lady-in-a-bikini photos and personal data including bank logins and passwords for online services. This data was reportedly copied onto a USB stick by staff at one of the shops and the banking logon details were also used to try and access the online banking service.

This is far from being a localised issue as the Edison Chen sex photo scandal over in Hong Kong proved earlier this year, where as ABC News put it:

“Say Britney Spears, Lindsay Lohan, and Paris Hilton took it all off for Justin Timberlake and his camera, who promised the tabloid queens that no eyes but his own baby blues would ever see evidence of their tryst. Say J.T. kept some of those photos on his laptop. Say that laptop fell into the wrong hands.

You might have a sex scandal on the level of what’s rocking Hong Kong right now.“

An important lesson to take from all this (other than the “never trust a tradesman” one I mean) is the need for a secure place for people to store their personal data.

More and more enterprises are making investments in various types of device encryption technologies, but these kinds of stories demonstrate the need for this technology to filter into consumer and small business products as well.

As information becomes more digitised, like the photos and the logins;  and computers ever more portable (think netbooks and PDAs) the potential for mischief grows. The odds of a mobile device being handed over to a third-party for service or repair are increasing. If that device contains personal or corporate sensitive information then we need to provide people with technologies that enable them to keep their own data secure while still allowing the repair shop access to the machine to diagnose faults.

Importantly, if the problem is a software related one, then this security cannot be achieved through full disk encryption which is an all or nothing encryption methodology.

Consumer security suites need to offer people the ability to keep their most sensitive data in a secure location on the hard drive, while still allowing  the engineers to get their heads under the digital bonnet to fix software related issues.

Perhaps more crucially, we as consumers need to start actually using the features we pay for.

That’s fine for Mr. Kawasaki’s personal peace of mind, but you have to ask yourself, with that many followers, is it sensible  to auto post unmoderated feed content? Is this going to happen again, with a more believable tweet?

________________________________________________________________________

Guy Kawasaki, the well-known venture capitalist and columnist was the victim of what appears to be a very targeted attack on Twitter today.

A single malicious tweet was inserted into Mr. Kawasaki’s profile without his knowledge

The obfuscated link seemed incongruous on Mr. Kawasaki’s profile only because it was using a different URL shortening service to the one he normally uses. Other than that he is a person who regularly posts many links, so his 139,000 followers will be very tempted to follow them and that’s exactly the kind of thing that makes this sort of attack attractive to cybercriminals.

In this case, following the link would be a Very Bad Idea, because it will lead you to a malicious website designed to infect both Macs and PCs with a DNS changing Trojan which at the time of writing has low-to non-existent detection rates by security vendors (although Trend Micro customers would already have been protected from visiting the known malicious site using our Smart Protection Network).

The first site you land at is below

Click to enlarge

The image with the blue text shows how many people have followed this link, it would normally display an image designed to look like a media player window, but the site has been hit so hard that the bandwidth limit for the image server has been reached (note the text is in Russian and English)

If you click the media player to view the video, you are redirected here:

Click to enlarge

Again, the image server bandwidth has been used up indicating how many other people have passed this way, but it should look like that media player again… You click it and hit paydirt!

Clcik to enlarge

There it is, the video you have been waiting for, but wait, you need to download an updated Codec… (sound familiar yet?)

Check out the TrendLabs malware blog for an in-depth analysis of the code involved in this interesting dual-platform attack.

 ”I’ve used social engineering only, no exploit, no xss vulnerability, no backdoor, np sql injection <…> one of the admins has a yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password.”

He supported the claim with several screen shots such as the one below, showing that he had accessed the accounts of celebrity Twitterers such as Barack Obama, Lily Allen, Ashton Kutcher and Britney Spears. The interface gives the administrator (or the hacker) access to a large amount of personal information stored in the Twitter accounts database, for example Lily Allen’s mobile phone number…

So question number one for Twitter has to be, why is this kind of information available to account administrators? Surely it’s enough to be able to reset this type of data, without being able to view it? Shouldn’t it be stored in a secure format so that curious employees and malicious intruders both cannot get access to it?

But the real concern, over and above that for me, is the function visible in the next shot where the hacker was inspecting Barack Obama’s account.

What reason is there for a Twitter employee having a function labelled “Become“, and how happy will Twitter users be knowing that at any time someone can assume their identity at the click of a button?

Despite Twitter’s assurances that “no account information was altered or removed in any way“, I am fairly certain that several high profile users will be having to modify their email addresses and mobile phone numbers as a result.

The actress Salma Hayek has reportedly had her MobileMe account broken into.

Images that would appear to prove the exploit, along with details necessary to reset the account password have been published over on the well known web site 4chan.org.

The anonymous poster also left the information:

Her email address is [removed]@mac.com
Go to me.com, forgot password, type [removed]@mac.com
Her birthday is Sept. 2
Answer to change password question is: [removed]

 

So another high profile victim to further illustrate the ease with which many online accounts can be compromised.

It’s not just celebrities who need to be more careful though, New european-based research from Trend Micro revealed that over one in 10 teenagers think it’s “cool” or “funny” to pretend to be someone else online, and one in seven 12 to13 year olds admit to having used somebody else’s identity whilst on the internet. It also shows that more than four out of 10 teens have hacked into another person’s profile to read emails, or logged onto another person’s social networking profile. Boys are almost twice as likely as girls to log into someone’s social networking profile.

 
One in three teens have admitted to being tempted to try hacking or spying on the internet to make money; girls are three times more likely than boys to enter into someone’s online shop or bank accounts without the owner knowing.

 
Most of us are guilty of being far too trusting and far too free with our personal information online, we give away little snippets (or great chunks in some cases) of our personal lives in what is essentially a public or at best only semi-private forum, making the work of criminals such as carders and ID fraudsters far more simple. In fact I have seen social networking sites spoken about in underground carding forums as a “free date of birth look-up service” along with a wealth of tips on how best to exploit these kinds of platforms.

We need to become far more aware of the value of our personal information and importantly the information we have about our friends. We also need to become far more conversant with the privacy controls available on social and professional networking sites and actually use them. There is no need to fill out that questionnaire “25 Things About Me” and post it on your profile, there is no need to share your entire employment, educational or address history. There is no need to share your “Porn Star Name” (first name = name of your first pet, family name = mother’s maiden name), isn’t that exactly the kind of information needed to reset your email account password, or access your financial data? And there is no need to volunteer the email addresses of friends and family when asked to recommend a “joke” website or application to 10 friends

When your personal information becomes public it is out of your control and soon out of sight. Criminals can and do use this stuff to break into your online accounts, just ask Salma Hayek or Sarah Palin!

Next time, before you hit “Post”, ask yourself this “If a stranger called me on the telephone asking for this information, would I tell them?” If the answer is “No”, then step away from the mouse.