Archive for the ‘Security’ Category

The Open Society

Posted: April 22, 2011 in Security

I have been just as guilty of this as some: posting something on FB and not realizing the repercussions.

However, it has come to my attention recently, that sites such as FB create risks far above and beyond what data a particular app may be storing about you and who might have access to that data.

It is worse than that. So much worse. I’d like to tell you a little bit about what I have learned over the past few weeks. It may cause you to cull your friends list down to people that you actually know, not just those that invite you to be their ‘friends’ in ‘Farmville.’

Hackers and identity thieves are using Facebook. They are harvesting data and utilizing it in ways that many cannot or could not foresee. Individuals are being socially engineered by some very crafty folk who can be a bit sneaky.

Firstly, having your phone number or address on FB is just bad. It makes no realistic sense to have it listed on there. Secondly, posting where you are at RIGHT NOW with your BlackBerry or other smart phone is at times tacky, at times a bit snarky and show-offy, and at times downright risky. Great, you aren’t home! Guess what: Mr. Thief now knows where you live and that you are somewhere else. Perhaps far enough away that, with traffic, it will be at least a couple of hours before you could be home.

But wait, only my friends can see that. I trust them. It is no big deal. I recently culled my friends list. I know many other people are doing the same. Perhaps you accepted a friend request from someone who plays MW. You have no real idea who that person is. Maybe you checked out their FB profile. They appear to be an interesting person. It says they live a couple hundred miles away; maybe they do, maybe they don’t. The honest truth is that you know ZERO about that person. Perhaps they are a friend of a friend, in which case you can at least have third-party knowledge about them and their character. Let us hope so.

I know of a few incidents where individuals were victims of some interesting social engineering. Do a search for Robin Sage. Read the newspaper articles about it. Perhaps watch the DefCon or BlackHat videos from the person who perpetrated this event and why he did it. You will have a whole new appreciation for vetting your digital friends.

And through none of this have I even mentioned allowing your boyfriend, girlfriend, significant other, etc. access to your FB page: giving them your password, and then being amazed when, as the result of a bad break-up or argument, your FB page is defaced or you suddenly have tons of ‘friends’ that you don’t even know. Ouch.

As time passes, and more and more potential employers perform the very same character research that many of you are already doing, some of the things posted on that FB page are going to come back to haunt the individual. Many of us, and I include myself, immediately upon meeting someone, or shortly thereafter, go check FB to see if that person has a FB page. We do our own reconnaissance of the person to see if the things they like or do are in contrast or similar to our own. Is this really a person that I might want to be friends with? Employers and other individuals do the same. We all want to share. FB and similar sites allow us to do so. I suppose blogging is no different. In the end, recognizing the risks and performing our own due diligence is the only logical action to pursue.


Security in a Hectic World

Posted: April 22, 2011 in Security

As part of my educational continuance, it has come to my attention that providing an industry-related blog will count toward Continuing Education credit with CompTIA. This is not of utmost importance at the moment, but why procrastinate? The thing to do is start now.

I have given speeches recently for one of my classes regarding password usage, the fact that email isn’t safe, the fact that if it is digital it probably still sits on someone’s file server somewhere, and the purely relative protection provided by antivirus and malware protection, albeit better than none at all.

I have probably viewed over 40 hours of conference footage within the past couple weeks. I have been amazed by the material provided by great individuals such as Fyodor, Adrian Crenshaw, Dave Kennedy and others.

In the wake of competing in the state CCDC competition and finishing runner-up, I have put it upon myself to learn as much as I can about information security as I can possibly fit into the hours in the day and what space remains between my ears.

I welcome any readers to this blog and hope to hear from those interested in the field about any materials they think may be of assistance. To those not in the field: don’t hesitate to ask questions; if I don’t have the answers, I will endeavor to help you find them so we both learn.

Good day.