
Do you know who your friends are?

It sounds like a plot out of a summer spy movie, but security researcher Thomas Ryan tested what would happen when he posted a fake profile of a real-life Abby Scuito. The results? Over 300 “friends” in the military, information security, and intelligence fields, a few job offers, and invitations to security conferences.

Ryan, the co-founder of Provide Security, said the goal of the study was to determine how effective social networking sites like Facebook, Twitter, and LinkedIn would be as tools in covert intelligence-gathering activities. He crafted “Robin Sage”, a 25-year-old Navy cyber threat analyst who graduated from MIT. Even though the profile had some red flags, like a 25-year-old having “10 years experience,” it took less than a month to make connections with many in security-related fields. Virtual friends shared photos and personal information, invited Robin to conferences, and a few even expressed interest in hiring her.

If Robin were a foreign agent, she would have had access to a lot of very useful information, said Ryan, who is scheduled to present his findings at the upcoming BlackHat security conference in Las Vegas.

Even if you are not in the spy game, what can you learn from this?

  • Like your momma said, “If it sounds too good to be true, it usually is.”
  • If you don’t know them, don’t friend them.
  • Always be mindful of how information posted online could be used against you by identity thieves. For example, how many answers to your security questions for your bank account can be gathered from your Facebook profile?

Social networking has the potential to bring friends together regardless of distance; just be careful who you invite to the party.

Article Inspiration: CIO.com – Fake ‘Femme Fatale’ Shows Social Network Risks

Links of the Week: Data Security Edition

There were some great articles on CIO.com this week relating to Data Security. Here they are plus a selection of the best IT Data Security articles in the last week:

  • Heartland CEO: QSAs Let Us Down
    In the review of what led to the Heartland credit card breach, Heartland’s CEO Robert Carr points to the PCI compliance auditors that passed the company before the breach – “PCI compliance doesn’t mean secure. We and others were declared PCI compliant shortly before the intrusions.”
  • Opinion: Heartland CEO Must Accept Responsibility
    A counterpoint to the previous article. Mike Rothman asserts that by attempting to blame the QSAs for the data breach they are learning nothing, and not addressing the root issue – “To be clear, you cannot outsource thinking. You cannot outsource security.”
  • 8 Dirty Secrets of the IT Security Industry
    Are IT Security vendors really interested in improving your network’s security? Joshua Corman from IBM’s Internet Security Systems division details 8 trends in the IT Security market that help undermine a network’s security.
  • Social Engineers’ 9 Favorite Pick-Up Lines
    Social engineers leverage the trust people have in the familiar to gain access to facilities and networks. These 9 examples illustrate how easy it is for that trust to be abused. How many would you (or your employees) fall for?
  • Hackers have Social Networking sites in their crosshairs
    In a recent study by Breach Security, hackers are attacking social networking sites with increased frequency, accounting for 19% of online attacks in 2009.
  • Twitter used to control botnet
    It was only a matter of time, but Jose Nazario of Arbor Networks discovered a botnet that used Twitter for its command and control infrastructure. While the account in question is obviously not a person, how long before a botnet writer creates an account that looks legitimate at first glance?

Tech News: Seesmic Desktop Edition

  • Seesmic Desktop Beta available: Thanks to the great video podcast, Tekzilla, I found a great Twitter client in the style of TweetDeck that improves on the original in several ways. You have to sign up for their mailing list to be added to the beta test, but it is completely worth it.
  • Hack Twitter, Get a Job? The teenage hacker who recently published a few Twitter worms was hired by exqSoft, a web application developer. Says the exqSoft CEO: “Any publicity is good publicity.”
  • The Pirate Bay found guilty: In a decision that will likely have legal implications far outside their native Sweden, the admins of The Pirate Bay were found guilty of ‘assisting in making copyright content available’ and were fined $3.6 million and sentenced to 1 year in jail. Not so fast – this verdict will definitely be appealed.
  • Stanford to offer free iPhone app development courses: If you have always wanted to learn how to make an app for the current hotness, Apple and Stanford want you!