Beware of Chile Earthquake Scams

Posted by Guest Blogger | News, Phishing, Social Networking, Users | Sunday 28 February 2010 10:18 pm

An 8.8 magnitude earthquake struck Santiago, Chile in the early hours of February 27th. Tsunami warnings, encompassing most of the Pacific Ocean, soon followed. These types of breaking news events often spur a surge in social engineering scams which exploit interest in the events.

Commonly, scam artists seed search engine results (particularly sponsored ads) with bogus links that point to scareware sites. These can appear for any search on keywords such as "Chile earthquake" or "tsunami". The best way to avoid such scams is to avoid clicking on links that point to unfamiliar sites. In particular, avoid donating charitable funds via unfamiliar sites or as a result of a solicitation received via email, Twitter, instant message, or other social networking medium.

Google has prepared a fully vetted information site for the Chilean earthquake, including relief efforts and reputable disaster relief funds: http://www.google.com/relief/chileearthquake/

Source: http://antivirus.about.com/b/2010/02/27/be-on-alert-for-chile-earthquake-scams.htm

Blippy, the Next Evolution of Stupid

Posted by William McBorrough | Social Networking | Sunday 28 February 2010 1:43 pm

At what point do we as a society realize this is getting out of hand? As more and more stories surface of Twitter accounts being hacked, accounts being sold on the cybercrime black market, Gmail accounts being compromised, etc., one would think sooner or later folks would start getting the message that putting your private information online is not a good idea.

I’ve just happened across Blippy, a Twitter-like site, where users can sign up to publish all their online purchases. I mean, really?? We already know that retailers track your purchases and use it for marketing purposes. Why in the world would you publish all your credit card transactions to the world??

I have a Twitter account ( Follow me ;-) ) that I use for one purpose: publishing my blog posts and other security related articles I come across on the web. That’s it! I doubt anyone cares to know what I do with my every waking moment nor do I care to tell.

Good luck though. Sigh.

Trojan Pretends to Be Microsoft Security Suite

Posted by William McBorrough | News | Saturday 27 February 2010 8:30 pm

Microsoft is warning users that a Trojan is masquerading as the company’s popular free Security Essentials package.

“One of the oldest tricks used by rogue antivirus products is to use a similar name as, or have a similar look and feel to, legitimate security software,” said in a post on the MMPC’s Threat Research & Response Blog. “So it was inevitable that the day would arrive when a rogue would masquerade as something similar to Security Essentials.”

The masquerading rogue security tool goes by the name Security Essentials 2010, which is very similar to the actual name of Microsoft’s suite, though the real suite does not have a date in its name.

Read full story: http://www.esecurityplanet.com/features/article.php/3867556/Trojan-Pretends-to-Be-Microsoft-Security-Suite.htm

NIST Guidelines for Secure Deployment of IPv6

Posted by William McBorrough | Uncategorized | Friday 26 February 2010 2:17 pm

If it ever happens……

Download link: http://csrc.nist.gov/publications/drafts/800-119/draft-sp800-119_feb2010.pdf

More on Secure Online Banking

Posted by William McBorrough | News | Friday 26 February 2010 2:00 pm

As a follow-up to my previous post on online banking security products, a UK company, Network Intercept, is now selling a product called Secure-Me, which can be distributed on a USB key and fires up a “secure” web browser that encrypts all traffic traveling to and from a user’s device. The product also features scanning, file encryption capabilities, a virtual keyboard, and keystroke interference software to thwart hardware and software key-loggers. It currently supports the Windows XP, Vista, Windows 7 and Mac OS X operating systems and the Android, iPhone, Symbian and Windows Mobile platforms.

From the CIO: Why You Didn't Get the CISO Job

Posted by William McBorrough | Thoughts | Thursday 25 February 2010 10:29 pm

Below are my comments to an article posted in CIO Online magazine. Interesting read, especially for security folks:

Actually, I enjoyed the article. I found it very informative. Security in business is a means to an end, NOT the end itself. As a security professional, I can totally appreciate most of the responses here, but that’s not the view from the board room. To be effective at the executive level, we have to be able to speak their language and do our best to make clear the value of security to the business bottom line. In some cases, that’s fairly easy to do (as it was when I worked in the financial world); other times it’s more challenging. Ranting and raving is not the solution; we have to adapt to the business needs as best we can.

Article: http://www.csoonline.com/article/550413/From_the_CIO_Why_You_Didn_t_Get_the_CISO_Job

keimpx – New Open Source SMB Credential Scanner

Posted by William McBorrough | PenTest, Tools | Thursday 25 February 2010 9:04 pm

keimpx is an open source tool, released under a modified version of Apache License 1.1. It can be used to quickly check for the usefulness of credentials across a network over SMB. Credentials can be:

  • Combination of user / plain-text password.
  • Combination of user / NTLM hash.
  • Combination of user / NTLM logon session token.

If any valid credentials have been discovered across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use. The user is then presented with an interactive SMB shell, where they can:

  • Spawn an interactive command prompt.
  • Navigate through the remote SMB shares: list, upload, download files, create, remove files, etc.
  • Deploy and undeploy his own service, for instance, a backdoor listening on a TCP port for incoming connections.
  • List user details, domains and password policy.

You can download keimpx 0.2 here:

keimpx-0.2.zip

source: http://www.darknet.org.uk/2010/02/keimpx-open-source-smb-credential-scanner/

Google Acknowledges Privacy Issues With Buzz amid FTC complaint

Posted by William McBorrough | Social Networking | Tuesday 23 February 2010 6:27 pm

Although Google has acknowledged some of the privacy concerns with Buzz and is taking [baby] steps to address them, the Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission about Google Buzz last week. “The primary issue is that users who signed up for Gmail have now found themselves users of a social networking service,” said Jared Kaprove, EPIC’s domestic surveillance counsel, in a phone interview. “E-mail is not completely private, but it’s ordinarily thought of as a private process.”

The problem, as framed by the Electronic Frontier Foundation, “is that your e-mail and chat contacts are not necessarily people you want to advertise as friends via a public social network.”

Google could have saved itself all the trouble by making this an opt-in service. But alas, no.

Alert your connections if your Social Networking Account gets compromised

Posted by William McBorrough | Social Networking, Users | Tuesday 23 February 2010 6:16 pm

Social network attacks are becoming more popular; daily we receive news of accounts being compromised or credentials stolen and sold. What do you do when you find you have fallen victim to such an attack? NetworkWorld has some suggestions:

  • Acknowledge the attack to anyone who might have been adversely impacted.
  • Be detailed: Tell them what message they might have received as a result of the /phishing and what might have happened as a result.
  • Caution your contacts: Use this as an opportunity to remind everyone that just because they think a message comes from someone they know, there really is no way of telling for sure. If they ever do click a link that then leads to a login page or to a video codec install, they should close the page immediately and contact their friend via some other method to inquire (and possibly alert them) about the seemingly malicious link.

When Twitter accounts are phished, the 140-character limit makes it a bit harder to convey the message. Using as few words as possible, try to include enough details about the message sent so folks can identify it, ending with a brief “I’m sorry”. Don’t ever include a link in that apology; after all, it was clicking on a link that got folks in trouble in the first place.

Company develops Virtualized USB key for Online Banking Safety

Posted by William McBorrough | News | Tuesday 23 February 2010 5:55 pm

IronKey has come up with a USB drive that can be used to access accounts virtually, without involving the operating system or applications that cause so many of today’s security problems. The drive runs a walled or ‘hardened’ Linux virtual environment inside the PC’s OS. It comes complete with its own browser hardwired to access only a particular bank service, and incorporates RSA SecurID tokens for authentication.

This allows users to simply plug the drive into any PC, without the need for any additional drivers or software, after which the host PC is given a precautionary scan for malware, including specialised banking Trojans such as Zeus. The virtualised environment run from the drive can resist browser-based attacks and session hijacking, and accesses the bank via a hosted service network run either by IronKey or from a dedicated server. This solution is currently targeted mainly at companies that want increased protection when accessing their accounts, but it could very well be the future.
