Tag Archive | "Data"

Tom Tom sounds the privacy drum – road safety or no road safety!

Dutch GPS and navigation software giant, Tom Tom, recently took what I consider to be a small privacy step for the company, but a giant privacy step for mankind.

Faced with evidence that the Dutch police have been using anonymised trip data from Tom Tom users to assist in enforcing speeding laws, Tom Tom CEO Harold Goddijn last week published an official comment on YouTube.

In the video, Goddijn said:

We learned today…that the police in the Netherlands are using [our] information to identify road stretches where people in general, and on average, are driving too fast. They use [our data] to put up speed cameras and speed traps. And we don’t like that, because our customers don’t like it. We will prevent that type of usage of our data in the future.

Tom Tom seems to be recognising some potential privacy-eroding issues which other companies don’t or haven’t concerned themselves with in the past. (Not all viewers of the YouTube video agree with me – there are currently 34 dislikes but only 26 likes.)

Even so-called anonymous data, collected in good faith, may end up being anything but.

Possibly the most infamous, and outrageous, anonymity gaffe in recent history was perpetrated by AOL nearly five years ago. The company published some 20 million search terms – supposedly for web research purposes – with usernames replaced with arbitrary numbers.

The problem was that each username was replaced with the same number every time it appeared. The result ought to have been foreseen.

As you accumulate more and more search terms tied to specific individuals, you can make ever-more accurate deductions about their identities from the search terms alone.

After all, over months of searching, you probably give away multiple hints about your identity. You might narrow down where you live by repeatedly searching for businesses in your neighbourhood. You might search for cohorts from your school or college. You might check garbage collection dates in your street. You might even do a vanity search for your own name or property, which, in the AOL data, would have been the privacy-erosion equivalent of “Bingo!”

Indeed, the New York Times famously traced Thelma Arnold, and her dog Dudley, right to her home in Georgia by reversing the AOL search data to remove her anonymity altogether.

Google, too, is no stranger to controversy over its definition of anonymise. Google is proud of the fact that it “anonymises” IP addresses in its search logs after nine months, even though this involves simply blanking out the bottom eight bits of your IP address.

This just about sneaks into the definition of anonymise given in my New Oxford American Dictionary, namely: to “remove identifying particulars from test results for statistical or other purposes”. But it might not meet your definition. You probably assume that an anonymised log entry can’t be connected with you at all.

Keeping the actual details of every search term – even ones which actually include your name, or your address, or some sort of personally identifiable information – isn’t really anonymous. Tying these searches together with an IP identifier which narrows you down to 1 in 256 people (at the very best – many /24 networks are only sparsely populated, after all), and which probably identifies your ISP, your suburb and your phone exchange, is even worse.
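The two failure modes above (AOL's consistent pseudonyms and Google's /24 masking) can be reproduced on a tiny constructed log. This is an added illustration, not code from the original post or from either company; the log records, user names, IP addresses and queries are invented, and `secrets.token_hex` per record is used only to show the unlinkable contrast.

```python
import ipaddress
import secrets
from collections import defaultdict

# Constructed search-log records for illustration: (user, client IP, query).
# These are invented; they are not AOL or Google data.
SAMPLE_LOG = [
    ("alice", "203.0.113.17",  "plumbers near elm street springfield"),
    ("alice", "203.0.113.17",  "springfield garbage collection dates"),
    ("alice", "203.0.113.17",  "alice exampleton"),           # vanity search
    ("bob",   "203.0.113.200", "weekend weather"),
    ("carol", "198.51.100.5",  "cheap flights"),
]


def aol_style_pseudonymise(log):
    """AOL's approach: the same user always becomes the same number.
    Records stay linkable, so a user's queries accumulate into a profile."""
    ids = {}
    return [(ids.setdefault(user, len(ids) + 1), query) for user, _ip, query in log]


def unlinkable_pseudonymise(log):
    """Contrast: a fresh random token per record. Nothing ties two queries
    together, at the cost of losing all per-user statistics."""
    return [(secrets.token_hex(8), query) for _user, _ip, query in log]


def google_style_mask(ip):
    """Blank the low 8 bits of an IPv4 address, keeping the /24 it sits in."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)


def mask_log(log):
    """Keep every query verbatim; replace the IP with its masked form."""
    return [(google_style_mask(ip), query) for _user, ip, query in log]


def link_records(records):
    """Group queries by whatever identifier survived 'anonymisation'.
    A group with several queries is a partial profile of one key."""
    groups = defaultdict(list)
    for key, query in records:
        groups[key].append(query)
    return dict(groups)


def anonymity_set_size(masked_key):
    """Number of addresses hidden behind a masked /24 key: 256."""
    return ipaddress.ip_network(f"{masked_key}/24").num_addresses


def self_identifying(groups, known_names):
    """Flag keys whose linked queries contain a name from a constructed
    watch-list: the 'Bingo!' moment the vanity search hands an analyst."""
    hits = {}
    for key, queries in groups.items():
        for name in known_names:
            if any(name in q for q in queries):
                hits[key] = name
    return hits
```

Run against the sample, the AOL-style output links alice's three queries under one number, and one of them is her own name; the masked log still groups every query by /24, so alice and bob become a single key that narrows either of them to one of 256 addresses. Only the per-record tokens leave nothing to join.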

So, be careful out there. Anonymised data may not be as anonymous as you thought. And anonymised data which you share with a vendor – such as your average speed across the Sydney Harbour Bridge, where you’re supposed to keep below 70km/hr – might end up getting used for purposes you wouldn’t consider “anonymous”.

Unless you are absolutely certain what will be shared, and how, and for what purpose, I recommend that you turn such sharing features off. And if a product or service requires data sharing to work at all, don’t buy into it in the first place.

At the very least, before enabling any “share data with vendor” option, ask yourself, and the vendor, what’s in it for you – in other words, work out the best result you can ever expect from the sharing. Contrast that value with what’s in it for the vendor, or for the intelligence services and law enforcement authorities in that vendor’s jurisdiction.

Make sure there is an obvious positive balance in your favour.

If there isn’t, then the vendor simply isn’t paying you enough for your data. It really is a commercial transaction!

Posted in SophosComments Off

DSLReports logo

The New York Yankees and DSLReports.com responsible for 30,000 more data loss victims

This message may repeat. This message may repeat. For those of us old enough to have fond memories of the phonograph, the phrase “broken record” may come to mind.

Yes, more user information has been leaked and in a totally preventable fashion. A season ticket sales representative for the New York Yankees accidentally emailed a spreadsheet to “several hundred” affiliates with the personal details of over 21,000 Yankees ticket holders.


According to the Yankees, the spreadsheet contained customers’ names, addresses, phone numbers, fax numbers, e-mail addresses and other information like their seat numbers and which ticket packages they purchased.

Implementing data loss prevention (DLP) for sensitive customer data is easy to do. There are at least three ways this could have been prevented…

1. Encrypt the spreadsheet to prevent accidental disclosure
2. Implement endpoint DLP software to watch for the transfer of sensitive data to instant message, email and other communication tools
3. Scan outgoing email messages for personally identifiable information to prevent accidental disclosure.
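Option 3 above, scanning outgoing mail for personally identifiable information, is simple enough to show in full. This is an added example written for this article, not Sophos's or any vendor's DLP code; the attachment below is a constructed spreadsheet with the same kinds of columns the Yankees' letter describes (a card column is added only to exercise the card check), and the blocking threshold is an assumed policy value.

```python
import csv
import io
import re

# Patterns for the PII the Yankees spreadsheet held (e-mail, phone/fax) plus a
# card-number pattern, since an e-mail DLP filter normally looks for that too.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Constructed attachment: invented customers, RFC 2606 domains, 555 numbers,
# and the well-known 4111... test card number.
CONSTRUCTED_ATTACHMENT = """name,email,phone,fax,seat,package,card_on_file
Jane Doe,jane.doe@example.com,212-555-0101,,Sec 203 Row 4,Full season,
John Roe,jroe@example.net,(718) 555-0148,718-555-0149,Sec 120 Row 12,Half season,
Ann Poe,ann@example.org,646.555.0177,,Sec 305 Row 1,Weekend,
Sam Moe,sam@example.com,917-555-0133,,Sec 1 Row 1,Premium,4111 1111 1111 1111
"""


def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count PII hits in a blob of text. Card matches are masked first so a
    card's digit groups are never double-counted as phone numbers."""
    findings = {"card": 0, "email": 0, "phone": 0}

    def mask_card(m):
        if luhn_ok(m.group()):
            findings["card"] += 1
            return "[CARD]"
        return m.group()

    remaining = CARD_RE.sub(mask_card, text)
    findings["email"] = len(EMAIL_RE.findall(remaining))
    findings["phone"] = len(PHONE_RE.findall(remaining))
    return findings


def scan_csv_attachment(csv_text: str) -> dict:
    """Scan every cell of a CSV attachment (header row excluded)."""
    rows = list(csv.reader(io.StringIO(csv_text)))[1:]
    return scan_text("\n".join(",".join(row) for row in rows))


def scan_outgoing_message(body: str, attachments: dict) -> dict:
    """Aggregate findings over the body and each named attachment."""
    total = scan_text(body)
    for name, content in attachments.items():
        part = scan_csv_attachment(content) if name.endswith(".csv") else scan_text(content)
        for k in total:
            total[k] += part[k]
    return total


def should_block(findings: dict, max_contact_records: int = 5) -> bool:
    """Assumed policy: any card number, or more than a handful of contact
    details, stops the message at the mail gateway for review."""
    return findings["card"] > 0 or findings["email"] + findings["phone"] > max_contact_records
```

A message whose body just says "see you at the game" passes; the same message with the constructed spreadsheet attached is held because of the card number and the nine contact details it carries. Tuning the threshold is where the real work lies: set it too low and every signature block with a phone number gets blocked.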

Later this afternoon DSLReports.com disclosed that they had been the victims of a SQL injection attack that succeeded in stealing usernames and passwords. Justin, the owner of DSLReports, wrote in a forum message that a “sql injection attack by a botnet on wednesday afternoon obtained a large number of email / password pairs.”

Strangely, Justin stated that he had notified account holders who either created their accounts in the last 12 months, or had logged in over the last 12 months. This seems like a terrible practice. Many users have had accounts for more than 10 years and may not even remember having created one.

To not notify everyone who may have been affected seems to be a lapse in judgement, but it gets worse. All of the passwords in DSLReports’ database were in clear text. No hashing, no salting, totally unencrypted.

Once again we find that if we re-use passwords for seemingly unimportant websites, we may be putting our reputations at risk. You can count on the attackers trying to use these email addresses and passwords on as many popular sites as possible.

They may only use them to spread forum spam, but do you really want your name/profile/identity associated with this kind of activity?

Creative Commons image of New York Yankees helmet courtesy of Mr. T in DC’s Flickr photostream.



Data thefts far more common than just Sony and Epsilon

In the wake of the press reports concerning the recent data breaches at Sony and Epsilon, some organizations are getting the wrong idea about modern online attacks. The media largely chooses to cover mass-scale losses that affect large numbers of consumers from trusted brands.

While it is important to raise awareness about keeping your data safe online and alerting average internet users that they may be victims of data theft, most users are exposed to risk far more frequently and without their knowledge.

In a story published Tuesday on the Bank Information Security blog, Tracy Kitten detailed the exploits of Rogelio Hackett, Jr., who stole more than 675,000 credit cards. The resulting damages exceeded $36 million.

Hackett’s strategy? Find smaller organizations who have not coded their websites properly, allowing access to their data via SQL injection vulnerabilities. Based upon the reports I see from customers and other researchers, there are likely hundreds, if not thousands, of Hacketts out there systematically looking for low-hanging fruit.

Hackett may be sentenced to 12 years in prison for his crimes, but for every attacker who is caught, another one is ready to fill his shoes.

The FBI issued an security hubs.



Why you shouldn’t reveal your Royal Wedding Guest name on Facebook

In the absence of a genuine ticket to the real event, Facebook users are encouraging each other to reveal their Royal Wedding Guest name.

Here’s a typical message that is currently being spread by well-meaning users across the social network:


In honor of the big wedding on Friday, use your royal wedding guest name. Start with either Lord or Lady. Your first name is one of your grandparents’ names. Your surname is the name of your first pet, double-barreled with the name of the street you grew up on. Let’s do this! Post yours here. Then cut and paste it into your status.

Regally yours,
Lady Edith Spanky-Rushmoor

Do you see the problem?

By playing the game, you might be unwittingly making life easier for identity thieves and hackers.

Look at it this way. Think of all the websites which ask you to give it a “secret question” which can confirm your identity in the event of you forgetting your password.


If you tell everyone your Royal Wedding Guest name then you are giving away information which might help someone break into, say, your email account.

So, here’s my advice.

Firstly, don’t post this kind of personal information onto the internet – the few seconds worth of amusement you may get by telling people your Royal Wedding Guest name are not worth the potential pain of having your identity stolen.

Secondly, when websites ask you for a “secret answer” to reset your password… lie. You don’t need to tell the truth when you’re asked by a website what your mother’s maiden name was, or the name of your favourite TV show. So, say something random but memorable that no-one is likely to guess like “Xena Warrior Princess” or “Artichoke Sandwich”.
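Both the DSLReports breach earlier on this page (passwords stored in clear text) and the "secret answer" advice just given come down to the same server-side rule: store a salted, slow hash, never the value itself, so a stolen database does not hand over anyone's password or their mother's maiden name. This is an added example written for this page, not DSLReports' or Yahoo's code; the storage format and iteration count are choices made here, and the sample secrets are the ones suggested above.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # tunable: raise it until one hash costs tens of ms on your servers


def _normalise_answer(answer: str) -> str:
    """Secret answers are usually compared ignoring case and stray whitespace,
    otherwise 'artichoke sandwich' would lock out the person who set it."""
    return " ".join(answer.split()).lower()


def hash_secret(secret: str, *, is_answer: bool = False, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.
    A fresh 16-byte salt per record means identical secrets hash differently,
    so one cracked entry says nothing about the others."""
    if is_answer:
        secret = _normalise_answer(secret)
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_secret(secret: str, stored: str, *, is_answer: bool = False) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    if is_answer:
        secret = _normalise_answer(secret)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def enrol(password: str, secret_answer: str) -> dict:
    """What the account table should hold: two hashes, no recoverable text."""
    return {
        "password": hash_secret(password),
        "answer": hash_secret(secret_answer, is_answer=True),
    }
```

The record produced by `enrol` is all an attacker gets from a database dump; each guess then costs them the full PBKDF2 work factor, which is the whole point of a slow hash over a plain SHA-256. Had DSLReports stored accounts this way, the stolen e-mail/password pairs would have been e-mail/hash pairs instead.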

If you use Facebook and want to learn more about threats, you should join the Sophos Facebook page where we have a thriving community of over 70,000 people.

Of course, if you do happen to be one particular couple getting married tomorrow, you’re not going to have any chance of keeping your grandparents’ names secret.

Hat-tip: Thanks to Naked Security reader Paul who brought this particular issue to our attention.


Sony says credit card details *were* encrypted, but questions still remain

Sony has published a new blog entry, confirming that credit card details which could have been stolen in the recent hack of the PlayStation Network were encrypted.

Sony reassured users of the PlayStation Network that “all credit card information stored in our systems is encrypted”, but underlined that it cannot rule out the possibility that the credit card data was stolen.

The fact that encryption was being used on the credit card data is to be welcomed – as it reduces the chances of stolen information being used for fraud.


However, there still remains the question about just how strong the encryption is that Sony used on the credit card data.

Sony has once again missed an opportunity to reassure its customers. They should have said in the first announcement of the data loss that the credit card data was encrypted, and they should – in this latest communication – have provided details of the nature of the encryption that was used.

No-one outside of Sony knows how feasible it would be to decrypt the credit card information if it had been accessed by the hackers.

Maybe they’ll post more information tomorrow. If I were a user of the PlayStation Network I wouldn’t be enjoying waiting for the answers.

Meanwhile, don’t forget that we do know that the personal information of the PlayStation Network’s customers was not encrypted – which means that hackers may have accessed your name, address, email address, birthday, password, and so on.

“The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”

Not sophisticated enough it seems.

Learn more on the PlayStation Network’s blog.

And don’t forget, you are strongly recommended to change your passwords elsewhere on the net, if you were using your PlayStation Network password on other sites.


Sony PlayStation data breach fiasco: what bugs me about it

I have been skimming the glut of news stories covering the PlayStation hack following Sony’s statement yesterday.

The issues that keep coming back to me are these:

1. Sony, like any company who keeps customer account details, is responsible for keeping this sensitive data safe.

So the question is: how could these details, potentially including credit card details, of a whopping 70 million users not be encrypted? It baffles the mind.

Perhaps the data was indeed encrypted, but if it was, how come Sony haven’t stated this?

Let’s say I accidentally leave my front door ajar, leave the house for a few days, and return to find that I was robbed. People will say I am a bit of a dodo brain, but I will still get sympathy from friends and family and we will all blame the thief.

But, if I convince all my friends and family to trust me with their prized possessions, pile their valuables on my coffee table, and then leave the front door open, I doubt they will be very supportive when I meekly approach them saying, “whoopsie – someone took ’em. These things happen, right?”

So it is no wonder that so many people are annoyed. They have a right to be.

2. What the F*** happened at PSN?

Having read Sony’s statement, they thank their “valued” customers for patience/goodwill/understanding (annoying in itself since I doubt many feel patient, generous or understanding). They also tell you to be wary of scams, which is all well and good.

But they don’t tell us what happened.

I really REALLY want Sony to stand up and explain how the company screwed up, how the bad guys got into their system, why the data wasn’t properly stored: a clear and concise explanation and, where appropriate, a straight-up apology for their oversights/misplaced bets/mistakes/etc.

(Shall we place a bet on whether an APT was responsible? – sorry, couldn’t help it…)

It won’t get your data back, but at least we’ll all have some idea of how this happened. And it might do wonders to repair the trust issues it is bound to face with its stakeholders. More importantly, it will help other companies learn from Sony’s mistakes.

True, it can take some time to sort through all the bits and bobs before you provide a detailed explanation. But Sony set a rather slooooooow pace by waiting a week between its first announcement and yesterday’s statement.

So what can you do?

Read advice on your next steps, including changing your passwords and credit cards, from fellow Naked Security writer Graham Cluley.

Affected users have also been invited to get in touch directly with Sony if you have any questions.

Why not ask for a public explanation and apology? Feel free to share the response with Naked Security.


PlayStation Network hacked: Personal data of up to 70 million people stolen

Users of Sony’s PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of videogame players.

The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the personal data of online gamers.

In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:

    * Name
    * Address (city, state, zip code)
    * Country
    * Email address
    * Date of birth
    * PlayStation Network/Qriocity password and login
    * Handle/PSN online ID


In addition, Sony warns that profile information – such as your history of past purchases and billing address, as well as the “secret answers” you may have given Sony for password security may also have been obtained.

As if that wasn’t bad enough, Sony admits that it cannot rule out the possibility that credit card information may also have been compromised:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions. Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.

So how could hackers exploit the information stolen from the Sony PlayStation Network?

1. Break into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you.

So you should always use unique passwords.


Oh, and you better be sure that you have changed your “secret answers” too.

2. Email you phishing scams or malware attacks. If they stole your email address from Sony, they can now email you. And it wouldn’t be difficult for the cybercriminals to create an email which pretended to be a legitimate organisation (perhaps Sony themselves?) to steal more information or carried a Trojan horse designed to infect your computer. The fact that they know your name and snail-mail address could make the email even more convincing.

3. Hit you in the wallet. If your credit card details have been exposed by the Sony PlayStation Network hack then you could find fraudsters begin to make purchases from your account – if you notice that money is missing, you’ll have to go through the rigmarole of claiming the money back from your credit card company.

This security breach is not just a public relations disaster for Sony, it’s a very real danger for its many users.

If you’re a user of Sony’s PlayStation Network now isn’t the time to sit back on your sofa and do nothing. You need to act now to minimise the chances that your identity and bank account becomes a casualty following this hack.

That means changing your passwords, auditing your other accounts, and considering whether you should keep a closer eye on those credit card statements or simply tell your bank that, as far as you’re concerned, the card is now compromised.

More information can be found in Sony’s blog post.


PlayStation Network hacked: five days and counting…

The Sony PlayStation Network, used by millions of online videogame players around the world, has been offline since Wednesday 20th April.


You can still play games offline, but if you want to connect your PlayStation to play online games, stream movies, or go shopping you’re out of luck.

According to Sony, who have been updating their blog with developments regarding the outage, the company decided to bring the network down after an “external intrusion”.


The company clearly isn’t planning to bring the network back until it is confident that its infrastructure is secure – and although inconvenienced, game players should be grateful that Sony appears to want to make sure it’s done the job properly and that any vulnerabilities are fixed.

Precisely how much longer those game players will have to wait, and whether their trigger-happy fingers and patience will be able to bear it, remains to be seen.

Patrick Seybold, Sony’s Senior Director of Corporate Communications, says:

“Our efforts to resolve this matter involve re-building our system to further strengthen our network infrastructure. Though this task is time-consuming, we decided it was worth the time necessary to provide the system with additional security.”

“Unfortunately, I don’t have an update or timeframe to share at this point in time. As we previously noted, this is a time intensive process and we’re working to get them back online quickly.”

Although Sony is doing a good job on its blog of reassuring players that they are working on securing and bringing back the network, they do not seem to have addressed the issue of whether any personal information (such as credit card details) might have been compromised by whoever attacked the PlayStation network.

The spectre of data loss is a worrying one - let's hope that nothing so sensitive has been lost, and that Sony will be able to share good news that may reassure its customers soon.


Easter Egg locations remain safe, says Bunny spokesperson

Reports surfaced late today that the Easter Bunny had a minor incident while hiding the last of his eggs during his traditional Easter mission.

Every year the Easter Bunny travels the world hiding brightly colored eggs and baskets with goodies for children to discover on Easter morning.

“It would be a tragedy if the locations of all the eggs and baskets were disclosed,” said an anonymous parent representing a children’s rights group.

Unfortunately it appears that the Easter Bunny had stored all of his data and maps of where his eggs were placed in one basket.

Fortunately Naked Security was able to reach a spokesperson for the Easter Bunny, who assured us that the locations of the treats were fully encrypted on Mr. Bunny’s netbook.

“The Easter Bunny takes the joy of children seriously, and despite the loss of his maps, Easter will proceed normally,” said the spokesperson.

Creative Commons image of Polish pisanki (eggs) courtesy of Jaroslaw Pocztarski’s Flickr photostream.


Anger after scam-exposing community shut down by Facebook

In a bizarre and hard-to-understand move, a Facebook page which claims it helped countless Facebook members stay safe online on the social network has been shut down… by Facebook.

The Bulldog Estate is one of a number of different resources on the internet dealing with the subject of Facebook scams, rogue applications, and the like. Other examples include Scam Sniper, FaceCrooks and Sophos’s own Facebook community.

On Monday 18th April, the Facebook page belonging to Scam Sniper was shut down by Facebook authorities:

Scam Sniper: “Notice: The Sniper Has Been Shot. Facebook Disables The Admins Of The Facebook Fan Page Scam Sniper. http://goo.gl/RdlVF”

Later that day, the same fate befell The Bulldog Estate’s Facebook presence, leading the scam-exposing site to say that Facebook had made a bad PR move:

The BULLDOG Estate: “The BULLDOG Estate Facebook Page Has been Closed by Facebook, They Don’t Like bad press, Watch… http://goo.gl/fb/K3ODY”

The Scam Sniper Facebook page was eventually restored, but Tony Mazan, the owner of The Bulldog Estate, hasn’t had the same luck.

Mazan has been contacting Facebook since Monday attempting to understand why The Bulldog Estate’s Facebook page was closed, and how it might be recovered.

Today Mazan received a standard response from Facebook, which still wasn’t specific about the reasons that The Bulldog Estate’s Facebook presence had been killed off:

“Hi Tony

You created a Page that has violated our Statement of Rights and Responsibilities, and this Page has been removed. Facebook Pages may only be set up for the purpose of promoting a business or other commercial, political, or charitable organization or endeavor (including non-profit organizations, political campaigns, bands and celebrities), and only by an authorized representative of the entity or individual that is the subject of the Facebook Page. By creating a Facebook Page, you represent and warrant that you are authorized to do so by the person or entity that is the subject of the Facebook Page. Among other violations, Pages that are hateful, threatening, or obscene are not allowed. We also take down Pages that attack an individual or group or that promote or glorify violence, intolerance, racism or discrimination. Continued misuse of Facebook's features could result in your account being disabled.”

This “explanation” clearly hasn’t satisfied the many fans of The Bulldog Estate, who have created pages urging Facebook to reinstate The Bulldog Estate, and left messages on Facebook’s official safety pages.

“We helped countless members on Facebook and supported Facebook in trying to help Facebook users stay safe online. We do not advertise or make money from our help, our blog writers are volunteers, and our admins are volunteers,” Tony Mazan of The Bulldog Estate told Naked Security. “What we can not understand is why Facebook removed a real help group and yet there are thousands of rogue applications, thousands of hate filled pages, thousands of fake profiles. We are as real as it gets and get shut down.”

“Is it because Facebook security never gets comments like ‘We Love you’ or ‘thanks for always alerting us on time with user-friendly information’,” continued Mazan. “As one of our supporters said – you may shut the dog outside, but you will never silence the bark.”

Although the language used on The Bulldog Estate’s website doesn’t beat around the bush, it seems clear to me that the content they produce is beneficial and helps Facebook users avoid scams and other attacks.

Maybe Facebook needs to be a little less robotic in its shutdown of this scam-exposing community, and could work a little more closely with Tony Mazan and his colleagues to bring back what is a helpful resource for its users?

Update: The Bulldog Estate reports that its Facebook page has now been restored, and that Facebook has apologised for its mistake.


Facebook’s two-factor authentication announcement raises questions

Amid mounting criticism of Facebook’s attitude to its users’ privacy and safety, the social network has announced that it is introducing a two-factor authentication system in an attempt to prevent unauthorised logins to accounts.

The idea is that if you log into your Facebook account from a computer or mobile device that Facebook doesn’t recognise as one that you have used before to access the website, then you’ll have to enter a code to confirm you are who you say you are.


I’m glad to see Facebook introduce what sounds like an additional layer of protection for users, at least for those users who choose to enable the option. Two-factor authentication doesn’t address the many other Facebook privacy and safety concerns that are troubling users, but it’s no bad thing.

Unfortunately the short mention of the feature on Facebook’s blog leaves some questions unanswered.

    1. How can users enable the option? My guess is that users will find the option, once it has been rolled out to their accounts, under Account / Account settings / Account security, but it would have been nice if Facebook had told people. None of the Facebook accounts I have checked so far appear to have received the option, so I cannot confirm.

    2. How often will the code change? It would be sensible if the code changed each time someone tries to access your Facebook account from an unknown computer, but Facebook doesn’t say in its blog post.

    3. How will users receive the code? Again, Facebook doesn’t say. But my guess is that Facebook will send you the code via an SMS message to your mobile phone. That means, of course, that you have to trust Facebook with your mobile phone number which privacy-conscious people may be understandably wary of doing.

    The one-time password system announced by Facebook last October also relied upon SMS messages – which raised some valid safety concerns.

So, it sounds like it may be a case of swings and roundabouts. A win for security and privacy on one hand is a loss on the other, as you have to trust Facebook with your phone number.

Remember, Facebook has been wanting your mobile phone number for some time and hasn’t been above using scare tactics to get you to hand it over.

I, for one, won’t be handing over my mobile phone number to Facebook in exchange for this two-factor authentication system.

I might, however, have considered signing up for a small hardware token that I could keep on my keychain, and rely upon it to produce a one-time code that can be entered at login alongside my username and password.

You may have seen such devices being offered by online banks and some of the major online games like World of Warcraft.

Of course, such authentication devices cost money and require infrastructure changes at the website’s end, but – hey! – if Facebook introduced something like that they could potentially charge a small amount of money for those users who want to take a stronger line on their privacy and online safety.

If you’re a member of Facebook don’t forget to join the Sophos Facebook page to stay up-to-date with the latest security news.

Update: Naked Security follower Neil Adam raises the valid point that you probably wouldn’t want a hardware authentication fob for every website you log into. If we did, we’d probably all have very lumpy trouser pockets.


An open letter to Facebook about safety and privacy

Dear Facebook,

As you know, for some years we have been discussing with your security team our concerns about safety and privacy on Facebook.

Every day, victims report to us numerous incidents of crime and fraud on Facebook. They have been personally affected and are desperate for advice on how to deal with the consequences.

A frequent refrain from users who contact us is, ‘Why doesn’t Facebook do more to protect us?’

We have identified three simple steps you can take to better protect your users:

1) PRIVACY BY DEFAULT

No more sharing of information without your users’ express agreement (OPT-IN). Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on.

2) VETTED APP DEVELOPERS

It is far too easy to become a developer on Facebook. With over one million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams. Only vetted and approved third-party developers should be allowed to publish apps on your platform.

3) HTTPS FOR EVERYTHING

We welcome your recent introduction of an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection “whenever possible”. Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers.

Why wait until regulators force your hand on privacy? Act now for the greater good of all.

Your users tell us that these are issues they want resolved. So our question is simple: when do you plan to act?

Sincerely,

Naked Security

Posted in Sophos. Comments Off.

How NOT to redact a PDF – Nuclear submarine secrets spilled

If you’re an organisation that is making an internal document public, you had best make sure that you have deleted or blacked out any personal, confidential or actionable information.

The act of obscuring the sensitive information is known as “redaction”, and – for obvious reasons – needs to be done properly if you care about privacy and avoiding a potentially damaging data leak.

In the old days – before PDFs and Word documents – you might have redacted a document with a thick black marker pen, ensuring that anyone who made a photocopy of the document wouldn’t be able to see the censored words. Things are different with electronic media, of course.

Unfortunately, time and time again we’ve seen sloppy security procedures make it far too easy for unauthorised parties to view information in electronic documents that should have been properly redacted.

The latest example, which has made numerous newspaper headlines, involves the British Ministry of Defence, which was found to have published a PDF document online that unintentionally revealed information about nuclear submarine security.

The PDF, entitled “SUCCESSOR SSBN – SAFETY REGULATORS’ ADVICE ON THE SELECTION OF THE PROPULSION PLANT IN SUPPORT OF THE FUTURE DETERRENT REVIEW NOTE”, was published on the parliamentary website following requests under the Freedom of Information Act. However, although sections were supposed to be protected through redaction, it was possible to copy and paste the blacked-out text straight out of it.

Quack quack oops!

As the Daily Star explained:

The bunglers turned the text background black - making the words unreadable - but crucially left them in place. That meant anyone wanting to read the censored sections just had to copy the text.

This was a real schoolboy error to make – anyone with even an elementary knowledge of computers would know how to read the “redacted” content.

If you want to learn how to properly redact Adobe PDF files, here’s a great guide describing how to do it with Acrobat X Pro.

Good luck, and remember that simply marking text will not actually remove it from your sensitive PDFs. You also have to apply redactions!
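The difference between marking text and actually applying a redaction is visible in the PDF content stream itself. The following added example (not code from the original post, nor from Adobe) builds two constructed single-page PDFs: one where a black rectangle is painted over a sensitive line whose text operator is left in place, and one where the text operator has actually been removed. A small extractor then pulls the strings out of the uncompressed content streams, which is all copy-and-paste does, and reports any term that should have been redacted but still comes back. The placeholder sentence and the helper names are constructed for this example; in practice you would run `pdftotext` or a PDF library over the published file and grep for the redacted terms the same way.

```python
import re
from typing import List, Optional

# Constructed placeholder standing in for a line that should have been redacted;
# it is not text from the MoD document.
SECRET_LINE = "CONFIDENTIAL: propulsion plant option B rejected"


def build_pdf(content: bytes) -> bytes:
    """Assemble a minimal single-page PDF around an uncompressed content stream.
    Cross-reference offsets are computed so the result is structurally valid."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_pos)
    return bytes(out)


def page_content(secret: Optional[str]) -> bytes:
    """Content stream for one page: a public line, optionally the sensitive line,
    and a black rectangle painted where the sensitive line sits."""
    ops = [b"BT /F1 12 Tf 72 700 Td (Public summary of the review) Tj ET"]
    if secret is not None:
        ops.append(b"BT /F1 12 Tf 72 680 Td (" + secret.encode("latin-1") + b") Tj ET")
    ops.append(b"0 g 70 676 400 16 re f")  # 0 g = black fill, re f = filled rectangle
    return b"\n".join(ops)


# "Marked" only: the black box is drawn, but the text operator is still present.
MARKED_ONLY = build_pdf(page_content(SECRET_LINE))
# Redaction applied: the text operator itself is gone; only the box remains.
REDACTION_APPLIED = build_pdf(page_content(None))


def extract_text_strings(pdf: bytes) -> List[str]:
    """Collect literal strings handed to the Tj / TJ text-showing operators in every
    uncompressed content stream. A real extractor (pdftotext, pypdf) also handles
    compressed streams and escaped parentheses; this version keeps the example
    dependency-free."""
    strings: List[str] = []
    for stream in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        body = stream.group(1)
        for m in re.finditer(rb"\(([^()]*)\)\s*Tj", body):
            strings.append(m.group(1).decode("latin-1"))
        for m in re.finditer(rb"\[(.*?)\]\s*TJ", body, re.S):
            pieces = re.findall(rb"\(([^()]*)\)", m.group(1))
            strings.append(b"".join(pieces).decode("latin-1"))
    return strings


def redaction_leaks(pdf: bytes, redacted_terms: List[str]) -> List[str]:
    """Return every term that was supposed to be redacted but still comes back from
    plain text extraction, i.e. exactly what copy-and-paste would reveal."""
    haystack = " ".join(extract_text_strings(pdf)).lower()
    return [t for t in redacted_terms if t.lower() in haystack]


if __name__ == "__main__":
    for label, doc in (("marked only", MARKED_ONLY), ("redaction applied", REDACTION_APPLIED)):
        print(label, "->", redaction_leaks(doc, ["propulsion plant"]))
```

Running it reports the placeholder term for the “marked only” document and nothing for the one where the redaction was applied, which is the check worth adding to any publication workflow: extract the text from the final file and search it for the terms you meant to remove before anything goes online.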

Posted in Sophos. Comments Off.

Facebook Password Has Been Changed…NOT!

We’ve already seen several spam campaign themes that use one of the most famous social networking sites, Facebook: the Facebook Password Reset Confirmation, the New login system, and the Facebook updated account agreement.

CA ISBU came across an active spam email campaign carrying malware as a file attachment, as seen in [Figure 1]. The spam mail informs the recipient that their password is not safe and has been changed automatically by Facebook, and tells them to check the attachment, which supposedly contains the new password.

[Figure 1 - Fake Facebook email]

The email contains the Subject: Facebook. The new password to your account. N8601

The email contains the Body:

——————————————————————————————————–

Dear user of FaceBook.

Your password is not safe!
To secure your account the password has been changed automatically.

Attached document contains a new password to your account and detailed information about new security measures.

Thank you for attention,
Your Facebook

——————————————————————————————————–

Other emails may contain the following Subjects:

  • Facebook password has been changed.
  • Facebook Support. Personal data has been changed! ID#####
  • Password has been changed. ID####

The email contains a malicious zipped file attachment with the filename New_Password_IN#####.zip or New_Password_NU####.zip, where ##### is four or five random digits. This file is detected by CA as a Win32/Bredolab variant.

Again, we advise users to beware of these kinds of emails, avoid executing attachments coming from unsolicited emails and ensure that your CA Security Products are updated with the latest signatures.
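The subject lines and attachment names above are regular enough to turn into mail-filter rules. The following added example (not code from CA or from the original post) parses a constructed copy of the message with Python’s standard `email` package and reports why it matches the campaign: subject template, attachment name pattern, and a sender that claims to be Facebook but is not sent from a Facebook domain. The sender address, the second clean message, and the set of legitimate Facebook sending domains are assumptions made for this example; the base64 attachment body is a placeholder, not a real archive.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Subject templates seen in the campaign; the ID digits are generalised to 4-5 digits.
SUBJECT_PATTERNS = [
    re.compile(r"^Facebook\. The new password to your account\. [A-Z]\d{4}$"),
    re.compile(r"^Facebook password has been changed\.$"),
    re.compile(r"^Facebook Support\. Personal data has been changed! ID#?\d{4,5}$"),
    re.compile(r"^Password has been changed\. ID#?\d{4,5}$"),
]
# Attachment names: New_Password_IN#####.zip and New_Password_NU####.zip
ATTACHMENT_PATTERN = re.compile(r"^New_Password_(IN|NU)\d{4,5}\.zip$", re.IGNORECASE)
# Assumption for this example: anything claiming to be Facebook but sent from
# another domain is treated as spoofed.
FACEBOOK_DOMAINS = {"facebook.com", "facebookmail.com"}


def classify(raw_message: str) -> List[str]:
    """Return the reasons a message matches this campaign (an empty list means clean)."""
    msg = message_from_string(raw_message)
    reasons: List[str] = []

    subject = (msg["Subject"] or "").strip()
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        reasons.append(f"subject matches campaign template: {subject!r}")

    # walk() visits every MIME part; non-multipart messages yield just themselves
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACHMENT_PATTERN.match(name):
            reasons.append(f"attachment name matches New_Password_XX#### pattern: {name}")

    display, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    claims_facebook = "facebook" in (display + " " + subject).lower()
    if claims_facebook and domain not in FACEBOOK_DOMAINS:
        reasons.append(f"claims to be Facebook but sent from {domain or '<no domain>'}")
    return reasons


# Constructed sample reproducing the campaign's subject, body and attachment name.
SAMPLE_SPAM = """\
From: Facebook <support@facebook-security.example>
To: user@example.net
Subject: Facebook. The new password to your account. N8601
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="campaign-boundary"

--campaign-boundary
Content-Type: text/plain; charset="us-ascii"

Dear user of FaceBook.

Your password is not safe!
To secure your account the password has been changed automatically.

Attached document contains a new password to your account and detailed
information about new security measures.

Thank you for attention,
Your Facebook
--campaign-boundary
Content-Type: application/zip; name="New_Password_IN12345.zip"
Content-Disposition: attachment; filename="New_Password_IN12345.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--campaign-boundary--
"""

# Constructed ordinary message that should not trigger any rule.
SAMPLE_LEGIT = """\
From: Alice Example <alice@example.org>
To: user@example.net
Subject: Minutes from Tuesday's meeting
Content-Type: text/plain; charset="us-ascii"

Nothing attached this time, see you Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        print(label, "->", classify(raw) or ["no indicators"])
```

Each rule on its own is weak (subjects get reworded, domains change), which is why the function reports all the reasons rather than stopping at the first; a mail gateway would typically quarantine on the attachment-name match alone and score the other two.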

Posted in CA Technologies. Comments Off.


WordPress Hacked, Source Code Stolen

Automattic, which makes the popular WordPress blogging software, says that its servers were hacked and that the company’s source code is believed to have been “exposed and copied,” according to a company blog post on Wednesday.

The post, by Matt Mullenweg, Automattic’s co-founder, said that the company had a “low-level (root) break-in to several of our servers.” While the company doesn’t know the exact target of the hackers, “potentially anything on those servers could have been revealed.”

Mullenweg said the company was operating under the assumption that its source code was copied and, while much of it is open source, the copied data did contain “bits of our and our partners’ code” that are sensitive.

Automattic has taken “comprehensive steps to prevent an incident like this from occurring again,” but Mullenweg declined to speculate on whether the hundreds of thousands of blog operators that use WordPress need to be concerned about security vulnerabilities. He encouraged blog owners to make sure they are using strong passwords to secure their WordPress installations, and to refrain from reusing passwords – generic “good housekeeping” advice that wasn’t specific to the breach.

This isn’t the first time Automattic has found itself in the crosshairs. In March, the company was the target of a large denial of service attack. WordPress installations hosted on infrastructure managed by Network Solutions were also the target of attacks in April 2010 that redirected thousands of WordPress blogs to malware-laden drive-by download websites.

Posted in Kaspersky. Comments Off.

Using Twitter for Public Relations During a Data Breach Incident

Data breaches happen to organizations of all shapes and sizes. A critical aspect of such security incidents is the manner in which the company handles public relations (PR), keeping affected customers apprised of the situation. Twitter, if used correctly by the organization, can be a powerful vehicle for dealing with this aspect of the breach.

Consumers Turn to Twitter During Site Outages

Microsoft and Psychster Inc. conducted research to explore how to use Twitter to reassure users during a site outage. Though the study looked at generic IT crises, we can learn from its findings how to use Twitter as a mass-scale communications platform during a data breach. The relevant findings of the study included:

  • “Half of the respondents would consult a Twitter feed to get information about an outage.”
  • The Tweets “tended to reduce negative feelings about the outage and increase the perception that the responsible company cares.”
  • Users were less likely to contact customer support if the Tweets acknowledged and explained the situation—“but only when the tweets were made by an employee/social media manager rather than the company or its executives.”

We can reinforce these findings by observing how airlines, such as JetBlue, have been using Twitter to assist customers dealing with flight delays. In addition to assisting with itinerary logistics, such communications reassure customers that the company is looking out for their interests.

Twitter Can Help With Data Breach PR

An organization should be able to use Twitter to apprise its customers of how it is handling the data breach. Such Twitter communications might include:

  • Acknowledging that the security incident occurred
  • Clarifying what the company knows about the breach (who, what, when)
  • Explaining what the company is doing to investigate the incident and protect the users
  • Offering tips for what the users might consider doing to protect themselves in relation to the incident
  • Offering additional ways to get in touch with the company’s representatives using phone, email, etc.

Exercise Care With Twitter for PR

A few caveats regarding the use of Twitter for breach-related PR:

  • Since Twitter limits the number of characters that can be incorporated into a Tweet, the company should consider hosting longer messages elsewhere—but not on the breach-affected infrastructure—and including the links in the Tweets.
  • The company needs to establish a Twitter account in advance of the incident as a way of confirming the authenticity of the account. Twitter is setting up a “Verified Badge” program, but it is currently closed to the public; still, see if you can find a way to get the badge.
  • The company should use a strong password for its Twitter account. It should also consider the security of the mechanism Twitter would use to reset the “forgotten” Twitter password to make it more difficult for an unauthorized party to take over the account.
  • The company should consider how non-customers—such as the press, the intruder and government officials—will perceive its Twitter communications.

More on Incident Response

For additional tips regarding security incident response, see:

Lenny Zeltser

Posted in Security. Comments Off.


HIPAA fines prove the value of data protection

The US Department of Health and Human Services (HHS) fined Massachusetts General Hospital $1 million today for losing the medical records of 192 patients, the second ever fine imposed on a healthcare organization for violating the Health Insurance Portability and Accountability Act (HIPAA).

HHS’s Office for Civil Rights (OCR) made the following statement in their press release:

“We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

The records that were lost in this case were not electronic, but the law and penalties do not differentiate. However, if encrypted electronic records are lost, you are not required to notify HHS or patients of the incident. In other words, encrypt your data!

The first ever fine for HIPAA violations, imposed on Tuesday, was $4.3 million against Cignet Health of Maryland. Cignet had failed to provide patients with a copy of their medical records upon request.

The really disturbing part, though, was that, after Cignet attempted to ignore the government’s enforcement action, not only did they deliver the 59 patients’ records to the Department of Justice, they handed over 59 boxes of patient medical records, including records for 4500 people unrelated to the case.

HHS document on Cignet fine

From time to time, I have asked health care professionals what they are doing to comply with HIPAA. One doctor told me, “When they start putting doctors in jail, I’ll worry about encrypting my records.” Maybe these enforcement actions by HHS will change his mind.

Data Leakage Prevention tools and encryption can both play a part in being HIPAA and HITECH (Health Information Technology for Economic and Clinical Health) compliant. For details on how Sophos can help, browse over to our HIPAA hot topic page.

Creative Commons image of Mass General pin courtesy of nursing pins Flickr photostream.

Posted in Sophos. Comments Off.


Data leakage and dictionary attack stories from RSA

Last year, I wrote several Naked Security articles about computer security problems which can put travellers in harm’s way. The topics I covered were:

* The free WiFi service at San Francisco airport with Terms and Conditions which authorised the network operator to access your device and the information stored on it.

* The no-responsibility-for-your-property attitude of the private security company at Canberra airport – a company which nevertheless insists on separating you from your laptop for an indeterminate amount of time during screening.

* The chap at Sydney airport who used a kiosk computer in the Qantas lounge and left behind a veritable audit trail of personal email information – including his name, employer, job and details of recent business meetings.

* Paul Craig’s live demonstration at Kiwicon of the woeful insecurity of many internet kiosks, even if you avoid the self-inflicted data leakage problems of the previous story by clearing browser history and logging out when you’re finished.

I’m now on my way back from the RSA conference in San Francisco – where I can tell you that the WiFi Terms and Conditions at the airport are still as onerous as they were last year – with an amusing fifth anecdote to add to my Travellers Beware series.

The crumpled-up PostIt note you see above was dropped in the lobby of one of the big hotels near the Moscone Center, the outsized conference venue near Union Square at which the RSA event is held.

The note doesn’t record the name of the person whose BlackBerry Enterprise Server connection it relates to. But conference delegates have a habit of leaving their nametags on, even back at the hotel. This seems to be a subcultural nicety of the conference circuit.

So you can often tie discarded data fragments – such as the pictured PostIt – back to a company, and in many cases, to an individual. (It’s not even rude if you’re caught trying to make out someone’s nametag across the lobby. That’s what nametags are for, after all.)

Making that sort of connection converts raw data into PII, or Personally Identifiable Information. And PII really needs to be kept private.

Don’t let yourself fall into bad data leakage habits whilst you’re on the road. And data doesn’t just leak from electronic devices such as laptops and phones. Hastily scribbled notes, memos to yourself and carelessly discarded invoices and tickets can help identity thieves to accumulate PII which they can abuse or sell on at a later stage.

And please choose decent passwords. If you’re a sysadmin, don’t fall into the habit of choosing trivial passwords because they’re easier to read out to users when they’re on the road. (As an aside, teach yourself and your fellow administrators the NATO Phonetic Alphabet and you’ll find it much easier to describe arcane command lines and to read out complex passwords.)

The password in the pictured example is especially amusing. It brings a whole new excitement to the concept of a dictionary attack, since a (and not aardvark, as popularly imagined) is always the very first entry in any dictionary of the English language.

Watch how to choose a decent password here:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)

If you’re concerned about privacy – your own and that of your valued customers – why not download our free Data Security toolkit?

Download toolkit

Posted in Sophos. Comments Off.

Happy Birthday, Data Protection

Exactly 30 years ago, the European Union Convention 108 on data privacy was adopted. It is truly amazing that the groundwork for data privacy legislation was laid such a long time ago, at a time when there were no mobile phones and almost no personal computers, and it still applies! Of course, the implementation has now been extended and improved and, even more importantly, synchronized at least across the EU countries.

But while attending the Data Protection Day today in Brussels, it surprised me that while there was lots of focus on legislation, on privacy by design and the issues related to enforcement, almost nobody mentioned user education. To me, this is still one of the biggest issues, though. How many users do not realize how important it is to secure their private data! It starts with best practices on securing your Facebook profile, protecting your PC or mobile phone with some security software, and ends with (not) sharing your personal information with marketers in your local supermarket for a chance to get a 2% discount. So here I go, adding my bit to user education: please, read all privacy disclaimers before you accept them and check twice before you submit any personal information – who will own that data and what will they do with it?
May your data be safe! ;)

And here is a link to some tips on keeping your data safe


Posted in AVG. Comments Off.


UK councils fined £150,000 for data loss, but who gets the cash?

Turns out that password protection just ain’t enough anymore. Councils need to encrypt laptops as well, and this was an expensive lesson for the London councils of Ealing and Hounslow to learn.

According to the Information Commissioner’s Office (ICO), Ealing council provides an out-of-hours service staffed by nine work-from-home employees. This team is responsible for collating and recording information on clients from the Ealing and Hounslow councils on their laptops.

So far, so good.

Except that two of these council-issued laptops were stolen from an employee’s home. The ICO reports that the laptops contained details of almost 3000 individuals. Despite encryption being part of the council security policy, the laptops only had a password to protect the individuals’ privacy.

The good news is that there is no evidence to suggest that the data was accessed by an unauthorised third party. Nevertheless, Ealing and Hounslow councils were fined £80,000 and £70,000 respectively for breaching the Data Protection Act.

What occurs to me here is: once these fines are paid, who should be the beneficiary?

Following the incident, both councils contacted the individuals whose data was put at risk. I am sure these councils will be reviewing their security policy as a result of this action from the ICO, and let’s hope other councils realise the costly implications of having unprotected personal data on their computers.

If you want to learn about how to protect against data loss, you can request Sophos’s Data Leakage for Dummies or visit this page for information on how to avoid becoming a data loss headline.

Posted in Sophos. Comments Off.

Vodafone data leak – a long chain with several weak links

Hi folks,

On Jan 9th, the Sydney Morning Herald ran a very interesting story about millions of Vodafone customers having their data leaked.

The article is slightly misleading, albeit probably unintentionally, because on first reading it looks like _all_ four million Vodafone customers had their data leaked, but after reading it, and some related articles, it seems more likely that anyone’s data _could_ have been stolen, but it’s by no means clear whether we’re talking 100s or 1000s of accounts.

It’s still important, however, because criminal gangs are buying the leaked account details, which include credit cards and drivers’ license numbers.

The nub of the matter is that Vodafone employees _and_ Vodafone dealers are given user ids and passwords that allow them to access the main user database. This makes sense, because they’d need to be able to see account details, so that they could provide support and sell upgrades, and for any number of legitimate reasons.

The problem is that any one of these passwords gives the password possessor full access to _all four million_ Vodafone accounts! And, not only that, but they can access it from anywhere on the Internet.

That makes these passwords extremely valuable to criminals and would-be criminals. I have no idea how many Vodafone employees and dealers there are, but the number is likely in the thousands.

That’s an awful lot of potential targets for the Bad Guys. Put another way, everyone understands that a chain is only as strong as its weakest link, and that’s an awful long chain.

One’s mind wanders and wonders how many other businesses have a similar model, and therefore, how many other shoes are waiting to drop.

Keep safe folks,

Roger


Posted in AVG. Comments Off.


Facebook flaw allowed websites to steal users’ personal data without consent

A couple of weeks ago two students conducting security research contacted me about a vulnerability which they believed they had found with Facebook.

Rui Wang and Zhou Li said that they had found a vulnerability which allowed malicious websites to access a Facebook user’s private data without permission. According to Rui and Zhou, it was possible for any website to impersonate other sites which had been authorised to access users’ data such as name, gender and date of birth.

Furthermore, the researchers found a way to publish content on the visiting users’ Facebook wall (under the guise of legitimate websites) – a potential way to spread malware and phishing attacks.

Here’s a YouTube video by Rui and Zhou where the vulnerability is demonstrated. (Note: there’s no sound on the video)

When I first experimented last week on a test site created for me by Zhou and Rui I couldn’t precisely mimic what you see in the video. The demo website wasn’t able to extract the name of my test Facebook account, and it displayed a “failed” dialog box when it tried to post to my Facebook wall.


Now it’s possible that it didn’t work because I had applied some pretty rigid privacy settings to my test account, and sure enough when I tried again (having installed the ESPN Facebook app onto my test account) it was then successful, and able to extract my name, email address, and post an “evil” link seemingly via the app.

Ouch!

The good news is that the students practiced responsible disclosure, and informed Facebook’s security team about the flaw rather than release details of how to exploit users’ profiles to all and sundry.

Facebook Security responded promptly, and should be applauded for fixing the vulnerability rapidly once they were informed about it.

Clearly Facebook’s website is a complex piece of software, and it is almost inevitable that vulnerabilities and bugs will be found from time to time. The risk is compounded by the fact that there’s so much sensitive personal info about users being held by the site – potentially putting many people at risk.

Follow our guide for better security and privacy on Facebook to help lock down your profile from unwanted snoopers. You may also want to join the Sophos page on Facebook, to keep informed of the latest security threats.

But remember that ultimately if you don’t want your sensitive information to be leaked onto the net, you perhaps shouldn’t be uploading it in the first place.

You can learn more about the now fixed Facebook flaw in this article published by The Register this morning.

Full story: Naked Security – Sophos

Posted in Sophos. Comments Off.

Securely Deleting Data

Securely deleting data is required by most regulations. But many organizations struggle with just how to do this in a way that is both secure and compliant. Some ways to do it include using software to overwrite the data, using a degaussing tool to magnetically damage the drives, and physically destroying them.

View full post on SecureWorks Research Blog

Posted in Security. Comments Off.

Plentyoffish attacked by least anonymous hackers ever, user data compromised (Digital Trends)

Digital Trends – Online dating site Plentyoffish.com suffered a cyber-attack last week that compromised the users’ passwords, usernames and email addresses, according to a blog post by Plentyoffish CEO Markus Frind.

Full story: Yahoo! News: Security News

Posted in Security. Comments Off.
