Category: security

Can The Industry Stop break-ins on Facebook?

FacebookAfter my last post, a reasonable question is whether we in the industry have been goofing off on the job.  After all, how could it be that someone got their account broken into?  Everyone knows that passwords are a weak form of authentication.  Most enterprises won’t allow it for employee access, and we would string a bank CSO up by his or her toenails if a bank only used passwords to access your information. They use at a bear minimum RSA one time password tokens or perhaps Smart Cards.  So why are the rules different for Facebook?

They would say, I’m sure, that they do not hold the keys to your financial data.  Only that may not be true.  Have you entered credit card details into Facebook?  Then in that case maybe they do hold the keys to your financial data.  Even if you haven’t entered any financial data into Facebook?  Are you using the same password for Facebook that you are for your financial institution?  Many people are, and that is the problem.

Passwords have become, for want of a better term, an attractive nuisance.  It’s not that the concept itself is terrible, but they are increasingly difficult to secure, as the number of accounts that people hold continues to skyrocket.  Yes, the problem is getting worse, not better.  My favorite example is the latest update to the Wall Street Journal iPhone app, where the upgrade description says, “Application Enhancements to Add Free Registration & the Ability for Subscribers and Users to Login”.  What a lovely enhancement.  Right up there with enhancing the keyboard I am typing on to give me electric shocks.

Facebook is at least making a feeble attempt to get around this problem by offering OpenID access in some limited way (I tried using it from this site, and FB is broken, even though I can get into all sorts of other sites, including LiveJournal).  Still, it probably works for you if you are a Google, Yahoo!, or MySpace user, but for better or worse those sites themselves do not accept OpenID.  (The better part is that no one can simply break into one account and gain access to all of these other sites.  The worse part is that if you have some other OpenID, you can’t use it with these sites.)

OpenID has lots of problems, the biggest of which is that there is no standard privileged interface to the user.  This is something that Google, Yahoo!, and MySpace might actually like, because it means that they provide the interface they want to provide.  Unfortunately, programs, or more precisely the authors of programs, might find that a little irritating, since OpenID is so closely tied to the web that it is difficult to use for other applications (like email).

SAML and Higgins to the rescue?  OAUTH?  Blech.

Beware Facebook Scams! Protect yourself!

CybercrimeAs Facebook now has more accounts than there are people in the United States, it should come as no surprise that it is possible to break into some of those 300 accounts.  This happens.  Well, what happens next when an attacker breaks into a Facebook account?  Several things are likely.  First, the attacker will retrieve as much information about the individual and his or her friends as possible.  There are several key pieces of information that prove valuable:

  • Birthday and Hometown are enough information for an attacker to reliably predict social security numbers of people born after 1989.  You can hide this information from your profile by going to your profile, clicking on the little box in the upper right of the Information tab, and deselecting birthday and home town.
  • Email address is useful to feed into a phishing/spam engine.
  • Telephone # and IM account information is enough to either use or sell to other scammers.

Next, an attacker may try to directly contact friends to scam money out of them.  While such attacks are unlikely to take the form of a 419 scam where the attacker tries to play on greed, they will more likely play on peoples’ sympathies.

Here is an example:

0Wn3d Friend: Hey
0Wn3d Friend: How are you doin?
Target: good evening, Friend!
Target: i’m doing well, and you and your family?!
0Wn3d Friend: Not too good
Target: oh?
0Wn3d Friend: We are in a very deep mess
0Wn3d Friend: Glad you are here
Target: what happened?
0Wn3d Friend: We are stranded in London England
Target: WHAT?!  how so?
Target: where?
Target: (in london)?
0Wn3d Friend: Kentish Town
0Wn3d Friend: We got mugged on our way back to the hotel at a gun point
Target: oh geez
Target: have you gone to the police?
Target: do you have a phone?
0Wn3d Friend: Yes,We were able to file a report to the cops and that is been Investigated
0Wn3d Friend: They made way with all we got here
0Wn3d Friend: Cash,bank cards and also the cell phone
Target: ok.
Target: i have a few friends outside of london.  are you in a hotel?
0Wn3d Friend: Yes
Target: do you still have your passports?
0Wn3d Friend: Yes,I’m still safe with the Passport
Target: ok.  how long are you supposed to be in London?
0Wn3d Friend: That has been the problem
0Wn3d Friend: I seriously need your urgent help getting back home
Target: what hotel are you in?
0Wn3d Friend: Sector Hotel
0Wn3d Friend: I have a flight back home in the next 3hrs but the hotel management won’t let go
Target: do you have the hotel’s address & phone #?
0Wn3d Friend: I don,t have the #
Target: i’ll need an address
0Wn3d Friend: 151 Kentish Town Road, London, NW5 2CG
0Wn3d Friend: I’m having problem with the hotel on the bills

What happens next is that the attacker asks for a credit card.

So how do you know it’s a scam?  First, Amazingly, Google is your friend.  If you enter just a few details from this example, you’ll see that Kentish Town and the Sector Hotel show up as a scam. The other odd thing about this exchange is that the person claims to have been mugged at gun point in London.  I’m not saying it doesn’t happen, but it’s rare.

More importantly, ask yourself why this friend is contact you, and not calling a relative for help.  To be sure, if this person really is a friend, you should already have a phone number for that person.  Call him or her, but do not rely on contact information from the attacker.  Calling a number they give you can cause you to lose a lot of money.  If they answer the phone and have no idea what you’re talking about, you know it’s a scam.  If they don’t answer, call a relative of theirs or ask for more details.  In this case the person said they filed a police report.  Get the report number from the person, name of an officer who took the report, and independently call the police.    Do not rely on anything in the facebook profile of the friend.  You should assume the attacker has already manipulated all of that information.

Most importantly, never send credit card information over the network in such circumstances.

Ok, so you’ve figured out it’s a scam.  Congratulations!  What do you do next?  Report it, and fast.  Facebook is pretty responsive when it comes to shutting down accounts.  In one case I’ve reported, they reacted within 10 minutes.  To report abuse on facebook, click on Help at the bottom of the page, and right at the top you will find the following:

Hacked accounts and spam

Click on that text, and it will help you report the information.  You will need the URL of the profile of the friend who you are reporting.  To get this, type the friend’s name in the search bar.

Don’t feel bad that you are reporting a friend, either.  This is a case where your friend is being maliciously used, and you are doing your part to putting an end to it.

Ground Southwest?

AirplaneThis Monday’s Wall Street Journal reports that Southwest Airlines has been flying 82 planes for years with parts of unknown quality in potentially critical locations.  The report states that the pieces in question are supposed to “protect movable panels on the rear of the wings from hot engine exhaust.”  That’s an obfuscated way of saying that the parts protect the aircraft’s flaps. Flaps are deployed at both takeoff and landing.  If those fail, several bad things can happen:

  • If flaps on one wing fail to extend as expected, when the other side deploys, the plane could pitch.
  • If the flaps on both sides fail to deploy, the plane will not slow to a normal landing speed.
  • In the most unlikely event that the integrity of the flaps themselves fails, all manner of bad things could happen.

Most failure modes involving flaps are probably recoverable in and of themselves. However, these sorts of failures happen close to ground, leaving little time to react to problems.

The authors write in the article, however, that, “Both Southwest and FAA agree that the parts, some of which have been on the planes for up to three years without causing apparent problems, don’t pose an imminent hazard.”

While it’s good that they’ve not spotted a failure, many failures go undetected for years, during which metal fatigue sets in.  Often there are indications of impending failure, such as cracks.  Southwest has indicated that they will increase their inspections between now and the time the parts are replaced.

Here’s the rub: because the construction method of these parts is untested, one wonders whether inspections are sufficient to mitigate the problem.  This leaves the FAA with a dilemna: make life miseerable for hundreds of thousands of passengers while SWA corrects the problem or take a risk with the lives of a few hundred people.

One way or another, SWA should face a stiff penalty for putting travelers at risk, and forcing the FAA into this situation.

Dick Cheney Orders CIA to not inform Congress?

The news media is reporting a story that former Vice President Dick Cheny ordered the CIA to not inform Congress about a secret, and presumably controversial, program.  While there are almost no details about what the program is, there are, nevertheless a few interesting items of note.

First and foremost, constitutionally, outside his personal staff, the vice president of the United States has no authority to order anyone to do anything.  That doesn’t stop the president from delegating power to him or anyone else, and if all we are reading about is true, it demonstrates the enormous amount of trust President Bush placed in Mr. Cheney, and the disdain Mr. Cheney had for the democratic process, and for Congress.  Perhaps he would say that he was protecting America’s security by withholding such information, but in the end we have to ask what sort of a government we had that he could do this and get away with it.

Supposedly, the program in question has to do with some form of surveillance.  When the Director of CIA discovered the program, he reportedly terminated it immediately and reported its existence to Congress.  Any such breathtaking speed within the halls of government indicates that someone didn’t want to be stained with illegal activity.  And hence this calls for an immediate investigation of what the program was, who had the authority to authorize it, and if it was illegal, who had the responsibility to stop it.

And if the program was illegal, someone must go to jail, preferably multiple someones, both from the civil and appointed/elected ranks.  This is important so that civil service employees can’t simply say that they were following orders, and so that current and future politicos know that they cannot get away with violating peoples’ civil rights, and that their day to face justice will come.

New Research: Social Security Numbers (SSN) are Entirely Predictable

CybercrimeNew research published in yesterday’s Proceedings of the National Acadamy of Sciences has dramatic implications for Americans and identity theft.  Alessandro Acquisti is an Associate Professor of Information Technology and Public Policy at Heinz College of Carnegie Mellon.  He has spent the better part of two years with his colleague Ralph Gross, looking at social security numbers as both identifier and authenticator, something we have all known was a bad combination.  Professor Acquisti demonstrates just how bad of an idea it has been in the last twenty years.  In that time there have been two significant policy changes that have made numbers extremely predictable based on two pieces of information:

  • birth city
  • date of birth

The policy changes involve release of something known as the Death Master File (DMF), which was intended to prevent someone from expropriating a dead person’s identity, and the Enumeration at Birth (EAB) initiative, which has had the effect of allocating SSNs shortly after birth.  These combined with the facts that SSNs have structure based on location, and that the less significant components are serialized in allocation, and it makes for a predictable SSN.

This gets worse.  While it may be possible to fix this problem for future generations that use SSNs, either by randomizing all or lesser components, or by not filing applications upon birth, the millions of people who have assignments in this time period are in an extremely difficult spot, because the workaround is a change of number.  This argues for a new form of identity that separates authentication and identity, but the effort to do so requires that the finance, education, and medical sectors (not to mention government)  change their means of identifying individuals.  This will be no easy task.

This research is a remarkable piece of work by Professor Acquisti and his colleagues.