Don’t Fall For Facebook Scams

Have you seen these Facebook wall postings?  “WOAH!!…You really have to see this,finally a simple way to see who views your facebook profile.”

Are you curious?  This is a classic social engineering scam luring users into signing up for premium mobile services and spamming their friends, promising to show a list of profile visitors.  It even instructs users to disable ad-blocking programs.

It all starts with a little spam message or wall posting from one of the victims:  “WOAH!!…You really have to see this,finally a simple way to see who views your facebook profile.” –> [URL]  Following the URL link takes the new victim to a site on an external domain (like ilikefacebook.in).  The site displays fake Facebook-style notifications claiming to be examples of the alerts users will receive whenever someone views their profile.  The logo of a well-known malicious app called Profile Spy is also present on the page.

Users are also told that in order to sign up for the Profile Spy application they need to “Like” and “Share” the application.  After the victims have heavily spammed their profile with messages promoting this scam, they are taken to a window claiming that they also need to take a survey.  “Then the ‘verification’ launches you into one of those endless surveys (you get a choice of 6) the point of which is to collect your cell phone number so you can be billed $9.99 per month,” GFI Labs warns.

This scam has been seen on Facebook as far back as mid-2010, and around 29,000 users clicked the “Like” button and 27,000 the “Share” button in its first month.  This scam has spread to other social media outlets and pops up on Twitter fairly often as well.  There is no feature on Facebook which allows viewing profile visitors, and considering the privacy implications, it will probably never be allowed.  Any message or application that claims otherwise is most definitely a scam.

Change Your Facebook Password

It appears that third parties, in particular advertisers, have accidentally gotten access to Facebook accounts, including user profiles, photographs, chat, and the ability to post messages and gather personal information.  Fortunately, they may not have realized that they have these abilities.  According to Symantec, over 100,000 applications can leak access tokens that remain valid for some period of time.  Those tokens might sit in the log files of various advertisers just waiting to be abused.

Facebook is planning to move away from its current access tokens and adopt OAuth 2.0, an open standard co-authored with Yahoo, Twitter, Google and others, together with HTTPS.  Until then, we can do something to invalidate the access tokens:  Change your password!  Do it regularly, unless you don’t care about your Facebook privacy and don’t use the same password anywhere else…

You can change your Facebook password by clicking the upper right “Account” menu and choosing “Account Settings”.  The fourth option down allows you to change your password.
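The advice above works because a password change can be made to invalidate every access token issued before it.  The following Python is an added illustration of one way a service can build that property in, not code from Facebook or from the Symantec report: each token is HMAC-signed and carries the account’s “password generation” counter, and a leaked copy pulled from a constructed advertiser log line stops validating once the password changes.  The token format, the `pw_gen` counter, the `SERVER_KEY` and the log line are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed per-process signing key for the example; a real service would
# keep this in a key store and rotate it.
SERVER_KEY = secrets.token_bytes(32)


class AccountStore:
    """Minimal account table: salted password hash plus a password-generation counter."""

    def __init__(self):
        self.accounts = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = {"salt": salt, "pw_hash": self._hash(password, salt), "pw_gen": 0}

    def change_password(self, user_id, new_password):
        acct = self.accounts[user_id]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = self._hash(new_password, acct["salt"])
        # Bumping the generation is what orphans every token issued before now.
        acct["pw_gen"] += 1


def issue_token(store, user_id, ttl_seconds=3600):
    """Issue a signed bearer token bound to the account's current password generation."""
    payload = {
        "sub": user_id,
        "gen": store.accounts[user_id]["pw_gen"],
        "exp": int(time.time()) + ttl_seconds,
    }
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(store, token):
    """Return the user id if the token is genuine, unexpired and still current, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < int(time.time()):
        return None  # expired
    acct = store.accounts.get(payload["sub"])
    if acct is None or acct["pw_gen"] != payload["gen"]:
        return None  # issued before the last password change
    return payload["sub"]


def token_from_log_line(line):
    """Pull an access_token query parameter out of a constructed access-log line."""
    url = line.split()[1]
    return parse_qs(urlparse(url).query).get("access_token", [None])[0]


def demo():
    store = AccountStore()
    store.create("alice", "correct horse battery staple")
    token = issue_token(store, "alice")
    # Constructed third-party log line: the token rode along in a request URL.
    leaked_line = f"GET /ad.gif?access_token={token} HTTP/1.1 200"
    leaked = token_from_log_line(leaked_line)
    before = validate_token(store, leaked)  # the leaked copy still works here
    store.change_password("alice", "a different passphrase")
    after = validate_token(store, leaked)   # and is rejected after the change
    return before, after


if __name__ == "__main__":
    print(demo())  # ('alice', None)
```

The generation counter is the whole trick: nothing about the token itself changes, but the server refuses any token whose recorded generation no longer matches the account, so a user who changes their password cuts off whatever copies are sitting in someone else’s logs.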

There Goes The Neighborhood

Well, there goes the neighborhood.  Websense recently conducted an analysis of Canada’s online security risk profile, and all trends point to Canada as the new online crime breeding ground.  Criminals may be making the move to Canada because IP addresses in China and Eastern Europe are now being closely scrutinized.  According to Websense, attackers are on a quest to move their networks to countries that have better reputations.

Canada saw a huge increase in the number of servers hosting phishing sites, jumping 319% in the last year.  This tremendous increase is second only to Egypt in terms of the growth of sites hosting crimeware.  Canada is also the only country that showed an increase in bot networks over the last eight months, up 53%.  In 2010 Canada was ranked 13th in the world for hosting online crime, and in 2011 Canada jumped to 6th place, behind the United States, France, Russia, Germany and China.

Websense wants to know whether this is surprising to anyone.  Why or why not?

Microsoft Skype?

Microsoft is reportedly buying Web video conferencing service Skype Technologies in an $8.5 billion deal.  The Wall Street Journal’s All Things Digital website reported that the deal has already been completed, and would be announced on Tuesday.

Skype announced plans for an initial public offering last year but more recently delayed them while considering other options.  Skype is controlled by an investor group including Silver Lake, the Canada Pension Plan Investment Board and Andreessen Horowitz.  Skype is not profitable, and would have no immediate impact on Microsoft’s finances.  It would, however, clarify Microsoft’s intentions to compete with rivals such as Apple and Google in the smartphone space.  Microsoft’s stock has been pretty flat, as investors worry about its ability to counter new rivals or adapt to new technology.  Might be just what they need to get back in the game.

-=[Busted]=- 6 ID Theft Scammers

Six people have been taken into federal custody for their roles in an identity theft scheme that defrauded banks out of more than $3 million, after an investigation by the FBI, the United States Postal Inspection Service, and the Internal Revenue Service, Criminal Investigative Division.

On May 4, a federal grand jury in Los Angeles returned a 29-count indictment charging them in connection with a scheme to defraud financial institutions by using the stolen identities of people with good credit scores to establish lines of credit, and then using the money for personal expenses.  Each of the six is charged with bank fraud.  One is also charged with making false statements to banks, and two are charged with aiding and abetting the false statements.

They carried out the fraud by obtaining stolen personal identifying information, including dates of birth, Social Security numbers, credit profiles, FICO scores, and driver’s license numbers, to complete fraudulent applications for business lines of credit at Bank of America and Wells Fargo Bank.  The stolen identities were also used to provide bogus corporate officers for shell corporations that did not actually exist.  They then concocted profits for the bogus businesses and transmitted false tax documents to make it appear as though the businesses were fully operational.  The defendants rented virtual office space and installed rental equipment on the premises.  They also went as far as to recruit folks to pose as employees in order to convince bank employees that the corporations were legitimate during on-site inspections.

Once the applications were approved by the banks, funds were deposited into corporate bank accounts linked to the credit lines, usually in the amount of $100,000 each.  Within a few days, the defendants liquidated the credit lines by issuing checks payable to themselves.  The money was shared among the defendants, who drained more than 70 credit lines through this scheme.

If convicted on all counts, the defendants face maximum statutory sentences ranging from 750 years to 870 years.

Sony’s “3rd Breach”

SC Magazine reports that Sony has experienced a third breach in as many weeks.  This one is NOT as serious as either of the previous breaches, but if you are a Sony customer, it is still worth knowing about.

It appears that Sony found an old server from 2001, set up to gather sweepstakes entries, that was still connected to the Internet.  The data on that server involved the personal information of 2,500 sweepstakes contestants, according to Reuters, which first reported the news.  The data did not include credit card numbers, Social Security numbers or passwords.  Enough intelligence is present to launch a significant spam and fraud campaign using email, snail mail and phone calls, though.

Sony has announced that as a result of these recent breaches, it plans to deploy software monitoring and configuration management tools, increase encryption, improve intrusion detection capabilities, and add new firewalls.  In addition, the company plans to hire its first-ever chief information security officer.

I hope that position resides in the GTA of Ontario, Canada.  I happen to know a guy…

Chrome & Win-7 Security By-Passed

French security company Vupen says that it’s hacked Google Chrome, sidestepping the browser’s built-in “sandbox” AND also evading Windows 7’s integrated anti-exploit technologies.  The claims have not yet been confirmed by the vendors.

The exploit is one of the most sophisticated pieces of code that Vupen has created so far, according to their blog.  The exploit can be served from a malicious Web site, and if a Chrome user surfs to that site, the exploit executes various payloads to download an executable from a remote location, launching it outside the sandbox at “Medium integrity level”.  It is silent (no crash after executing the payload), it relies on undisclosed (“zero-day”) vulnerabilities, and it works on all Windows systems.

Vupen posted a video demonstration of its exploit on YouTube.  That is what I call “fugly”.  I hope that Vupen keeps this code wrapped up tightly until both Microsoft and Google have had a crack at patching against it.

ComputerWorld

Powerless Security

I found this report both concerning and comical.  Forgive me, I realize neither computer theft nor data theft are laughing matters, but bear with me…  A laptop computer containing “a fair amount of records” was stolen and an on-board camera was damaged while a police cruiser was left at an auto dealership for service in New Hampshire.

The theft and damage to the “brand new” cruiser occurred when the cruiser was parked overnight at a Chevrolet dealership, left for work on decorative trim.  The police chief said he’s been advised that it’s unlikely anyone could access personal information stored on the stolen laptop because the battery is so old it barely functions without a companion power cord.  How is that for a protective strategy?  I hope anyone that chided me for giggling understands now.  What would stop a thief from simply hitting up a used parts distributor for a battery or power supply?  I’ll bet there are refurbs at Tiger Direct.  The data that can be expected to be on this laptop is probably quite valuable to the criminal element compared to the cost of a laptop battery.  There are also converters that allow one to connect laptop drive interfaces to standard IDE or even USB connections…

Mike Jones, manager of the dealer’s auto body department, said he was expecting a police officer to pick up the cruiser after hours, which is why it was left outside overnight.  He said if he had known it wasn’t going to be picked up, the cruiser would have been brought inside.  “We thought someone was coming to get it,” he said. “With a phone call we would’ve taken care of it.  Obviously we don’t want any thefts here.”  So…  Why didn’t Mike just make a phone call to confirm?  Last time I checked, my phone worked both ways…

SeaCoastOnline

Michaels Stores PIN Pad Tampering

Michaels Stores Inc. locations in Chicago, and possibly other locations, have reportedly been breached through PIN pad tampering.  Credit and debit card information was compromised, the company announced Thursday.  Although not quite as large in scope as the PlayStation Network hack, it matters to me because my wife and friends like and shop at Michaels stores.

Banking and law enforcement officials contacted the popular craft supply chain after some fraudulent debit card transactions were reported.  Authorities believe the transactions may be linked to legitimate transactions in Chicago-area Michaels stores.  If you have purchased goods at Michaels using credit or debit cards, monitor your statements closely, and change your PIN code to be on the safe side.  It takes 5 minutes, and costs you nothing.

AllHeadlineNews

Security Karate Basics

In order to avoid “boiling the ocean”, most security industry “best practices” inevitably offer the same combination of high-level recommendations for vague IT security problems:

  • Improve paper-based IT security policies and guidelines.
  • Apply patches to systems.
  • Use strong passwords.
  • Conduct Security Awareness training.
  • Etc.

While these considerations are fundamentally important, these “best practices” alone typically contribute little to the tangible improvement of overall security.  The volume of media coverage given to successful attacks, compared with coverage of solutions that improve IT security, has caused many IT and security professionals to dangerously accept the situation as “just the way things are”.  This is compounded by the media’s tendency to offer the latest silver bullet for all of our security problems in the form of product recommendations.  Don’t get me wrong, there are many great security technologies and products out there, but simply implementing one or more of these on top of a weak foundation does not provide better security.

All organizations face the dangers of falling behind on patches or being susceptible to zero-day, unpatchable, and sophisticated threats.  To build a strong foundation, today’s IT professionals must take a step back and look beyond the failures of their anti-virus, IPS, firewalls, and other point solutions.  They need to ask what could be done to go above and beyond generic security and technology implementations.

One lesson that I have learned over the years from my instructors in both Tae Kwon Do and Karate is: if you want to defend yourself well, focus on the basics.  A flying Superman punch looks real cool, but can be countered easily with a simple, well-timed snap kick.  Keep building a solid foundation in the simple movements, even after you have mastered them.

To effectively protect an organization, always work under the assumption that there will be an attack.  Assume that the attack methods used will be unforeseen.  Anticipate that an attack may eventually result in a breach.  The goal is not to prevent every possible attack, but to build a foundation that is resilient enough to withstand known and common attacks, to detect and identify other attacks as early as possible, and to contain the damage that a breach could cause.
