Tag Archives: Social Networking

VB Seminar 2010

I spoke at the VB 2010 Seminar in London on ways that Social Engineering can affect your business’ users.

During the talk, I used some links for demos (many thanks to my good friend Dave Marcus for originally showing me a few of these). For those that are interested, here are the links:

 

Andrew Lee
AVIEN CEO

Advertisements

With all the Buzz, some education is in order

So, the not very surprising news that Google has once again attempted to launch a social networking site – following its spectacularly unsuccessful 2004 launch of Orkut (no, unless you live in Brazil or India, you won’t have heard much about it either).

The new network, called “Buzz” integrates directly into the Gmail email client. To me this just opens up lots of new ways to exploit the users – although if you are using Gmail to do anything private or confidential, you already do need to have a brain check (more-so now the NSA will be ‘helping’ to secure it). It looks like Google want some of the big dollars that Facebook and Twitter make – and of course everything will be searchable and exploitable for ad companies to target.

All the fuss around social networking has  really highlighted to me the need for good security education – we’ve moved into a new world, one where children are growing up with social networking and mobile phones etc as an integral part of life. I can’t imagine how my parents ever managed without being able to contact me by phone, or being able to look up my status on Facebook, but somehow they did. Parents have a different problem today, one of how to preserve the privacy of their families and children while taking advantage of what these new technologies offer. The sad fact is that in many cases, the kids know much more about the technology than the parents, but neither the parents or the children understand the threats. I’m often called paranoid, but it’s my belief that in some ways you can’t be too careful; our privacy and therefore our rights to a private life for ourselves and our progeny are daily being eroded by the whim of government and the campaigning of large corporations. It’s therefore refreshing that the British government has got behind a new campaign to highlight the dangers of the online world; targeting children as young as five. While the campaign understandably does focus on protection from paedophiles, the advice has wider use, though sadly it doesn’t seem to stretch to take in malware issues.

While I’m encouraged that the government is finally doing something, I’d be much happier to see a comprehensive plan in place that focuses on education in schools where security is taught as a discipline along side all IT classes. We’re a long way from that, but I (and several others who blog here) will keep tilting at that particular windmill.

Andrew Lee
CEO, AVIEN & CTO K7 Computing

Haiti Relief Scams

It’s been a while since I talked about Haiti.

First of all, I’m delighted to report that Jeff’s father turned up very much alive.

Less happily, Tom Kelchner of Sunbelt has flagged a story in USA Today that claims that more than 170 complaints have been received by federal law enforcement agencies relating to earthquake relief scams. Scams specifically mentioned include:

  • SEO poisoning directing search-engine users towards sites laced with rogue anti-malware
  • Door-to-door collectors for fake charities
  • 419-type emails from alleged victims or officials
  • SMS scams where text messages invite potential victims to ring a number to get more misinformation
  • Similar scams using social networking sites such as Twitter and Facebook.
  • Fraudulent charity web sites.

One fake charity I found particularly galling, as a Brit, was the one that claimed to be a British affiliate of the American Red Cross. Come on, guys, we’ve had our very own Red Cross since 1870 (some years before the foundation of the American Red Cross), though it wasn’t called called the British Red Cross Society until 1905. Of course, there’s no particular reason why most Americans should know about the British Red Cross as a matter of general knowledge, but this does illustrate the importance of checking the validity of a charitable organization before you contribute to it. Of course, you also need to be sure that where the charity is real, the collection mechanism is also genuine!

USA Today recommends Charity Navigator (http://www.charitynavigator.org/) and the American Institute of Philanthropy (http://www.charitywatch.org) as a means of checking the charitable status of an organization.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macviruscom.wordpress.com

Schneier Prognostications

I’m afraid I’ve been preoccupied with other things for the past week or two, and I’ve had to keep my blogging down to  a minimum. And this isn’t going to be longest article of my life.

However, the “Hype-free” blog (http://hype-free.blogspot.com) is generally worth keeping an eye on, even when an article is just a few links (making this article a link to some links, so I suppose if I was to advertise it in email, it could be described as a chain letter).

In fact, these are pretty interesting links: the first six are “face-offs” between Bruce Schneier and Marcus Ranum on topics such as social networking and security metrics. Additionally, there are a couple of Schneier’s Open Rights Group security talks.

I’m not an uncritical admirer of Bruce Almighty: I take exception to some poorly-grounded and misleading statements he’s made in the context of malware and anti-malware. But he’s on the money often enough (and entertaining enough)  to make these videos worth a look.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

Privacy, AVG, Facebook, Uncle Roger Thompson and all

My last post (http://avien.net/blog/?p=209) on Roger Thompson’s article about privacy concerns, “public” information and so on raised some interesting discussion.

Ironically (or perhaps appropriately) a lot of it was on Facebook.

I carried on the theme on the ESET blog, if you’re interested. “Your Data and Your Credit Card”, at:

http://www.eset.com/threat-center/blog/2009/12/14/your-data-and-your-credit-card

Note that due to a couple of system crashes, a link to Allan Dyer’s excellent article disappeared in the first published version, but is fixed now:

http://articles.yuikee.com.hk/newsletter/2009/12/a.html 

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

Security Smörgåsbord

Wow! December already – well, it’s been a fast and furious year, kicking off with the media fest that was the Conficker worm, through various other disasters and debacles all of which have only confirmed to many of us in the industry that our utopian malware free world is not likely to arrive any time soon (sorry David, you’ll have to delay that retirement for a while).

Things haven’t slowed down much, and over the last days a few things have caught my ever roving eye,

Firstly, there was a rather amusing spat caused by software company Prevx firstly accusing Microsoft security patches for causing a ‘black screen of death’, (which of course was fixed by their own patch), and later retracting the statement when it became clear that it wasn’t the security patches, but more likely the actions of malware on the systems that causes the problem. (Link: http://news.bbc.co.uk/2/hi/technology/8388253.stm). One has to wonder how the Prevx patch was supposed to really fix the problem if they had no real idea of the cause – at least, they hadn’t checked whether it really was the fault of MS.

Secondly, there was the rather splendid news that the URL shortening service bit.ly – among the most popular shorteners for users of sites like Twitter – has signed up with three major security vendors (Sohpos, Verisign and Websense) to try to block spam and malicious links on their site. This can only be a “Good Thing” (TM). (Link: http://www.wired.com/epicenter/2009/11/bitly-partners-with-security-firms-to-block-spams-scams-from-twitter/). Some of the other services offer previewing of the links, but this is extra annoyance for users and also pushes the decision on whether to visit the site to the user (not a Good Thing).

Thirdly, there is some heartening news from Facebook in that they’re going to offer more granular control over content privacy. There have been quite a few articles and papers on this subject, (including one by yours truly) so it’s good to see that the issues have been considered. I don’t know that it will solve all of the problems, but it may well highlight the privacy issue to more FB users who perhaps weren’t aware that, say, joining a Network exposes their content to all the members of that network unless they specifically block that (Link: http://blog.facebook.com/blog.php?post=190423927130). Social networks are great things for keeping up with people, particularly if you’re a continent hopping researcher with friends all over the world, but the rapid explosion in their use has led to frequent lapses in security and the discovery that – as is often the case – security and privacy issues have been secondary to service development and uptake.

Lastly, and I hope you’ll forgive me for the quick tune on my own trumpet, I’m happy to announce that K7 Security Solutions are now available in German, and can be found at http://k7.de (Disclosure of interest: I am also the CTO of K7 Computing Ltd).

Andrew Lee CISSP
AVIEN CEO