Sunday, August 15, 2010

Spoofing Calls and Texts: The Dangerous Side of Services

Phone keypad
Image via Wikipedia
What many see as nice features and services, those who are a bit more security conscious see the potential for harm.
One such service is called spoofing.  This allows you to call someone using a completely fake phone number or any phone number you choose, and mask your identity even including faking your voice.
While this can be a useful service for those who need to mask their phone number for some reason, although it is simpler to just have your number show up as a Private Caller, you can also use this to impersonate someone else’s phone number.
Let’s say you want to lure someone to some destination.  You could easily call them with the phone number of the destination you want to lure them to, change your voice to that of the opposite gender, and tell them there is some kind of urgent reason for them to go to that location.
Would that person automatically call back the spoofed number you left to verify.  Maybe, maybe not.
Would there be any record that you did this?  How would it be found?
Personally, I see frightening potential for misuse of this kind of service.
You can also send a text message to any phone using the on-line text page for the various wireless carriers.
I tested it using Verizon’s texting page by sending text messages to myself from Lars’ phone number (Lars is one of our examiners.)  The messages were delivered with his name, but as “Unverified Sender”.  Would a child catch that distinction if the message came from “Mom” as an unverified sender?
If you are in a position to educate parents and kids about cell phone safety and text messaging safety, please let them know that this kind of stuff is possible.

Tuesday, August 10, 2010

Private Browsing: Not so private after all.

Firefox private browsing UI

Image by Vurter via Flickr

In an article published this morning over at ZDNet, by Tom Espiner, it appears that clicking on that Private Browsing mode in your Internet Explorer, Firefox, Google Chrome or Safari may not be all that private after all. 

The private browsing features in Internet Explorer, Firefox, Chrome and Safari are not as protective as they promise to be, according to new research.

Privacy modes are designed to protect a browser user from having their online activity tracked by websites or by other people who use the browser on the same computer. However, the way the features are set up means that traces of data can still be found even when the tools are used, according to researchers from Stanford and Carnegie Mellon universities.

The team developed methods to test browser privacy and gave details as to how they pieced together browsing histories. They focused on people with access to the PC after the browsing session, calling these people 'local attackers' in a paper that is due to be presented at the Usenix security conference (PDF) on Wednesday.

Local attackers can access the DNS resolution history in a cache on a machine that uses the latest versions of Internet Explorer (IE), Firefox, Chrome and Safari, enabling the intruder to reconstruct if and when a user visited a website, according to the researchers.

In addition, operating systems swap out browser memory pages during private and non-private browsing sessions, leaving traces of both types of sessions, they said. Other points of entry are browser add-ons (such as plug-ins) and extensions, which leave traces on the hard disk.”

Here is a link to the full article over at ZDNet.Co.UK

Monday, August 2, 2010

Buying a business? Change all the keys, not just the physical ones.


Image by Bohman via Flickr

I get calls from folks asking me about people getting into their networks when they have recently purchased a business from someone else, or when an employee has recently left, willingly or otherwise.

In larger businesses that have in house IT support, they probably have the IT people take care of this.  But in smaller businesses that do not have internal IT support folks, here are some things to consider when changes in personnel happen:

  1. Get all the passwords.
    First of all, require that the leaving owner or party provide all passwords for everything they have access to and test them for accuracy.  Now it is not a huge deal if you run into something that is password protected, since nearly all passwords can be broken by a knowledgeable IT person, but it can be very inconvenient and sometimes expensive.  Encrypted hard drives could leave you hanging in a big way.
  2. Get the name of the IT support company.
    If you are purchasing a business that has computers and or servers that you rely on to do your business, make sure you get the information on the who has been taking care of the computers at the business.  It may be a company or it might be the old owner’s family.  Either way, you need to know this.
  3. Check out the current IT support company or get a new one.
    Call the IT support company or person and find out if they know the current passwords.  Check them out just like you would if you were hiring them off the street.  Get references and check them.
  4. Sign agreements with your IT support company.
    Anytime you use an IT support company, you should have them sign a non disclosure agreement.  Why? Because they have access to ALL your information.  This is especially true if you are a law firm, in the medical profession, counseling or financial area and handle confidential information.  This should also be true for any internal IT support people.
  5. Does anyone have remote access permission?
    Find out if anyone accesses the network or computers remotely as part of their work and who they are.  If it is the IT support company, again, make sure you know who you are dealing with and have proper safeguards in place for your and your clients’ confidential information.
  6. Account for all the data.
    Make sure you know where all the data is.  Are there off-site backups?  Portable drives? It’s okay to be thorough.  Think of data laying around on portable drives, USB thumb drives, backup tapes or in off-site back up centers as bags of money.  You would want to account for all the money, right?
  7. Are you buying a web site or other off site service as part of the deal?
    Where is it and who is the hosting company?  Who is the registered owner of the domain name if you want acquiring a web address or email address domain as part of the deal?  Can your website be taken down or modified by someone without your permission?  Virtual assets like web sites, email addresses, on-line stores, blogs and even twitter accounts are becoming a common part of acquiring a business.  Make sure you account for all the assets, not just the physical ones.

That is a very short list, but is the minimum you should do to protect yourself and your data and your reputation.  The cost of computer hardware is nothing compared to the cost of data you need to run your business or the liability of a data leak to someone else outside of your business.

If all of that seems to be out of your technical range, and it is for a lot of folks, hire a reputable IT company to come in and do a security check for you.  They can handle things like documenting all of the computer stuff, checking on who your domain is registered to, changing the passwords, checking for any type of external access to your network via PC Anywhere, Log Me In Free, VNC, Terminal Server, etc.  They can and should also check any router you have to verify any open ports that may provide access to your business network.