French Hacker Played Guessing Game to Access Twitter Accounts

Posted by touhid | Posted in Security information | Posted on 29-03-2010

Many organizations rely on security questions as a way to identify the true owner of an account. However, the recent success of a young Frenchman with limited computer skills in gaining access to President Obama’s Twitter account suggests it’s a flawed approach. Preset security questions are not the best way to protect an account, said Parry Aftab, a privacy lawyer and executive director of WiredSafety.

After months of investigation by police and the FBI, a French hacker accused of breaking into the Twitter accounts of President Barack Obama and singer Britney Spears was arrested earlier this week.

Francois Cousteix, a 25-year-old unemployed man from central France who is known online as “Hacker Croll,” is also accused of breaking into Twitter administrators’ accounts and copying confidential data — an attack that was acknowledged by Twitter cofounder Biz Stone last summer.

Cousteix is reportedly no technology genius, nor did he have nefarious intentions; rather, he simply wanted to point out Twitter’s vulnerabilities, according to reports.

Cousteix has confessed to the hacks and now must appear in court in Clermont-Ferrand on June 24. If convicted, he faces the possibility of two years in prison and a fine of 30,000 euros (US$40,226).

Twitter did not respond by press time to TechNewsWorld’s request for comment.

Guessing the Answers

Cousteix frequently perpetrated his attacks simply by guessing the answers to the security questions on his victims’ accounts and then using that information to change their Twitter passwords, AFP reported.

He also often posted electronic copies of the pages he hacked into as proof of his successful attacks, according to reports.

Though Cousteix didn’t attempt to profit financially from his Twitter attacks, he was already known to police for minor scams amounting to some 15,000 euros ($20,111), AFP reported.

‘The Thrill of the Hack’

In this case, Hacker Croll’s motivation appears to be primarily bragging rights.

“The sheer audacity of this hacker to crack into President Obama’s account shows that hackers love the thrill of the hack, the possibility to delve into something forbidden,” Washington, D.C., technology attorney Raymond Van Dyke told TechNewsWorld.

“Hackers love the thrill of the chase, overcoming barriers and entering the private world of others — even President Obama’s Twitter account is not secure against these culprits,” Van Dyke added.

Potential Reputation Damage

Whether or not he used his access for malicious purposes, Hacker Croll’s feat raises the question of what might have happened.

“On the face of it, access to someone’s Twitter account isn’t much of a big deal,” Keith R. Crosley, director of market development with Proofpoint, told TechNewsWorld. “In most cases, people are using Twitter as a public posting mechanism and everyone can see what you are posting and who your contacts are.”

Nevertheless, a compromised Twitter account can be a problem, Crosley asserted.

“First, of course, hacked accounts could be used to send messages — of many different kinds — that could cause confusion about the poster or damage that person’s reputation,” he pointed out.

‘Malware Distribution’

“Secondly, and more insidiously, the hacked account could be used to send a seemingly innocuous message that contains a link to malware or a malware distribution site designed to steal more information or passwords,” Crosley noted. “Since followers may view the message as trustworthy, since they feel they ‘know’ the sender, this can be a very effective vector for dissemination of such attacks.”

Finally, “having full access to the hacked account would give access to direct messages sent and received by the actual owner, and these ‘private’ messages might contain information that the hacker would find more valuable,” he added.

Figuring out a password on a site like Twitter could also give a hacker access to the user’s accounts on other platforms, Crosley noted, since many users choose the same passwords on multiple sites.

‘We Need to Stop Doing That’

Preset security questions are not the best way to protect an account, Parry Aftab, a privacy lawyer and executive director of WiredSafety, told TechNewsWorld.

“Most are answers to 20 typical questions — your pet’s name, your middle name, etc.,” Aftab explained. “All someone needs to do is know a little about you.”

For that reason, “we need to stop doing that,” she asserted. “One thing I recommend to companies is to allow users to set their own security questions and come up with their own answers.”

‘Easily Searchable Information’

Security questions can be useful if they are just one part of a larger authentication system, such as one that ties the account login to a known IP address, among other measures, Crosley asserted.

“However, some types of security questions don’t increase security,” he added.

In password reminder or password reset systems, for example, “if users make a poor choice of password reminder questions and their answers, they may be putting their accounts at increased risk of getting hacked,” he explained. “For example, the answers to many common reminder questions — such as those about relative’s names, one’s birthplace, etc. — might be easily gathered by looking at a Facebook profile or other easily searchable information.”

Password-Management Tools

Until more companies redesign their security systems, Aftab recommends that users answer preset security questions as if they were someone else — their sister or their best friend, for example. That way, the answers can be remembered easily, but hackers would have a much harder time guessing them.

Users should also avoid using the same password on multiple accounts, Crosley stressed; they should also change the passwords on particularly critical accounts frequently.

Password management tools like KeePass can also help solve many password problems, he noted.

Perhaps most important of all to realize, however, is that “it is *not* safe to keep usernames and passwords in a text or Word file on your desktop,” Crosley warned. “Many types of malware easily find such files and exploit what they find.”

Facebook: A Tempting Danger Zone for Businesses

Posted by touhid | Posted in Security information | Posted on 09-02-2010

A new study from security research firm Sophos finds that malware and spam attacks delivered through social networks rose significantly in 2009, and Facebook is perceived as the most dangerous social net of them all. At the same time, however, many businesses see social networking as a prime marketing tool that they’re hesitant to ignore.

Social networking sites are a threat to online security, and Facebook is the worst offender, a report from Sophos states.

The number of businesses hit by malware and spam attacks through social networks rose by 70 percent in 2009, the report found. More than 72 percent of businesses believe employees’ behavior on social networking sites could endanger security.

The issue of social networks is rife with contradictions — although social networking sites help malware authors spread their attacks rapidly, they have also been instrumental in spreading knowledge of disasters and political turmoil worldwide.

Facebook’s attitude is typical of the dichotomy plaguing the issue. On the one hand, it has tied up with McAfee to improve users’ security; on the other hand, company cofounder Mark Zuckerberg has recently stated that he thinks the desire for privacy online is fading.

The Sophos 2010 Threat Report

Over 2009, companies widely adopted social networking techniques such as blogs and social networks like Facebook and MySpace to connect with customers and spread the latest company news or product offerings to the public, according to the Sophos report.

About 2 percent of all online clicks in 2009 through 4,000 Cisco (Nasdaq: CSCO) Web security appliances were on social networking sites, Sophos found. Facebook alone accounted for the majority — 1.35 percent. “The business world would be foolish to ignore such a high level of activity and such a potentially lucrative resource,” the report reads.

However, that lucre comes at a cost: 61 percent of respondents to a survey Sophos conducted in December 2009 believe that Facebook is the worst security threat of all the social networking sites. More than 72 percent of the respondents to Sophos’ survey believe that employees’ behavior on social networking sites could endanger the security of their business.

Social network logon credentials have become as valuable as email addresses because people are more likely to open a message when it appears to come from a friend, Sophos warned. People should be wary of what information they post on social networking sites, Sophos said.

Creatures of Light and Darkness

Like just about everything else, social networking sites are a mix of bad and good elements. Although they can constitute a threat to security, they also provide valuable outlets for businesses to connect with their customers. Salesforce.com (NYSE: CRM) and Google (Nasdaq: GOOG) both allow application developers using their platforms to create Facebook apps, for example.

Further, social networks are often leveraged for the greater social good. Facebook and Twitter, for example, were instrumental in raising awareness of the outcome of the Haiti earthquake and in efforts to raise funds for that disaster.

Twitter and Facebook were also instrumental in disseminating knowledge of the Iranian election in May of 2009; the Iranian government clamped down on some social networking sites prior to the election, sparking protests from the opposition.

On the other hand, many Facebook users have been scammed when they responded to fake emails from friends asking for financial help, a common grift used by Facebook hackers.

Facebook is itself torn by the contradictions. On the one hand, it’s working hard to improve users’ security. “We work regularly with others across the industry to identify and respond to potential threats to our users,” Facebook spokesperson Simon Axten pointed out. “We’re constantly working to improve our systems and processes.” That work includes teaming up with McAfee to integrate a scan and repair tool into Facebook’s own security processes.

However, social networking sites are fighting an uphill battle. “Security is an arms race, and our teams are always working to identify the next threat and build defenses for it,” Axten told TechNewsWorld.

On the other hand, Facebook CEO Mark Zuckerberg stirred up a hornet’s nest recently when he said, in effect, that the importance of online privacy is fading.

The contradictions around social networks in general, and Facebook in particular, are perhaps best summed up by independent security researcher Gadi Evron in a post on Trend Micro’s (Nasdaq: TMIC) Dark Reading blog: “Facebook, by its nature, is one of the worst security menaces ever created,” he wrote. “But its security team is top-notch.”

Oh, Squishy Humans

Social networks have become so woven into the fabric of our lives that many businesses now face a distinct disadvantage if they turn a blind eye to them or forbid staff to access them. “Not only will your workers circumvent your block and participate surreptitiously, but also your competitors will sneak an advantage and get closer to your customers,” Graham Cluley, senior technology consultant at Sophos, told TechNewsWorld.

His suggestion: Companies need to secure their users’ computers, educate their staff to use social networks more securely, and lobby the social networking sites to implement better security.

“Implement a solution that scans every Web page and link that your users click on,” Cluley explained. “Run security awareness seminars that explain how different kinds of attacks work on social networks.”

However, technology can only provide a basic level of protection. “The weak point isn’t the technology. It’s the squishy human sitting in front of the keyboard or the touchscreen,” Cluley said. “If attackers can fool users into believing that they are the users’ Facebook friends, many people will find themselves victims of social networking attacks.”

Finding Your Photos Online

Posted by touhid | Posted in Security information | Posted on 16-11-2009

Recently, a friend of mine congratulated me for selling one of my wildlife photos. When I asked him what he meant, he sent me a link to a site that was prominently using a shot I had taken of some wolves. The problem? I had never given the site owners permission to use my photo, which they had “borrowed” from my Flickr page. I asked them to remove the photo, and they did–but not everyone out there is so reasonable. You can watermark your photos to prevent this sort of thing from happening. But is there any way to find your photos online to see if they’re being used inappropriately?

It turns out that there are a couple of ways to keep an eye on your photos.

Your Photos Are Vulnerable

Before we go any further, though, allow me to emphasize that whenever you post a photo on the Internet, there’s a potential for theft. There is no way to completely protect a photo from being used without your permission. Even if your Web page uses a special script to disable the right-click “Save picture as” command, a determined photo borrower can simply take a screen shot of the Web browser. The only way to absolutely secure your photos? Never share them online.

Reverse Image Search

Suppose you have posted some photos on a photo sharing site, and you’re curious to see if someone has absconded with them. What you need is a way to perform a reverse image search–where a smart search engine looks for a photo by detecting identical content within the image itself, rather than keying on file names or metadata, which are easily changed.

That might sound like science fiction, and in fact it’s pretty close. But I’ve found a Web site out there, TinEye, that can actually perform reverse image searches today.

To use TinEye, you can upload a photo from your computer or point the site to a Web page that already hosts the photo. TinEye then returns a list of sites using the same image.

TinEye is far from perfect. It often identifies photos that are similar to–but not exactly the same as–the source image. Worse, TinEye’s database of photos represents only a fraction of what’s available on the entire Internet–so if you get zero results, that doesn’t mean your photo isn’t being repurposed out there somewhere.

Protect Your PCs from Windows 7’s Zero-Day Exploit

Security | November 12, 2009 3:17 PM

Posted by touhid | Posted in Security information | Posted on 16-11-2009

A new zero-day bug has hit Windows 7. Here’s how to keep it from harming your PCs.

It was a notable accomplishment when Windows 7 was not impacted in any way by the vulnerabilities addressed in the six Security Bulletins released by Microsoft for the November Patch Tuesday. It would be even more impressive if Windows 7 proved invulnerable to the zero-day exploit that hit the next day.

This newly found bug was discovered by Laurent Gaffie, and details were posted on the Full Disclosure mailing list. Microsoft is investigating the reported flaw, which basically crashes a Windows 7 system when exploited. The issue is in the SMB (Server Message Block) protocol that forms the backbone of Windows file sharing. When triggered, the flaw results in an infinite loop which renders the computer useless.

Tyler Reguly, Lead Security Research Engineer with nCircle, explains, “Exploitation of this vulnerability occurs when a user attempts to browse to Windows Share hosted on the malicious server. On Windows 7, the DoS (denial of service) will occur as soon as you type ‘\\\’ in the search box.”

The vulnerability actually impacts both Windows 7 and Windows Server 2008 R2. There are currently a couple of different proof-of-concept exploits circulating, but there are no reported attacks in the wild at this point. Because the flaw only enables an attacker to crash the system, and doesn’t provide any unauthorized remote access that could lead to compromising information or performing other malicious activities, the odds of the exploit being actively used by attackers are fairly slim.

With some SMB-based bugs, you can minimize the risk of exposure by blocking SMB traffic at the router or firewall–essentially making sure that no outside source would be able to attack systems on your network. Blocking TCP ports 135 through 139, and port 445 will prevent outside SMB traffic from entering the network.

With those ports blocked at the firewall, the threat still exists internally, but ostensibly the systems on the internal network should be more trusted than those on the Internet and hopefully nobody on the internal network would intentionally launch such an attack. You could block those ports on the internal network as well, but then systems would be unable to access file and folder shares on the network.
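
The perimeter block described above can be audited rather than assumed. The following is an added example, not part of the original article: it models an inbound rule list with first-match-wins evaluation (a simplifying assumption; the `Rule` class, the function names and both rule sets are constructed for illustration) and reports which of TCP ports 135 through 139 and 445 are still reachable from outside.

```python
from dataclasses import dataclass

# TCP ports the article says to block at the perimeter: 135 through 139, and 445.
SMB_PORTS = list(range(135, 140)) + [445]


@dataclass(frozen=True)
class Rule:
    """One perimeter rule (hypothetical model, not a real firewall syntax)."""
    action: str     # "allow" or "deny"
    direction: str  # "in" = Internet -> internal network, "out" = the reverse
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive (low, high) destination port range


def decide(rules, direction, proto, port, default="allow"):
    """Return the action of the first rule that matches, else the default policy."""
    for r in rules:
        if (r.direction == direction and r.proto in (proto, "any")
                and r.ports[0] <= port <= r.ports[1]):
            return r.action
    return default


def exposed_smb_ports(rules, default="allow"):
    """List the SMB-related TCP ports that inbound traffic can still reach."""
    return [p for p in SMB_PORTS
            if decide(rules, "in", "tcp", p, default) != "deny"]


# Constructed sample: looks like it blocks SMB, but has gaps.
WEAK_RULES = [
    Rule("allow", "in", "tcp", (80, 80)),
    Rule("allow", "in", "tcp", (443, 445)),  # range too wide: also admits 445
    Rule("deny", "in", "tcp", (137, 139)),   # misses 135 and 136
    Rule("deny", "in", "tcp", (445, 445)),   # never reached for 445 (shadowed)
]

# Constructed sample: deny rules first, covering the full port list.
FIXED_RULES = [
    Rule("deny", "in", "tcp", (135, 139)),
    Rule("deny", "in", "tcp", (445, 445)),
    Rule("allow", "in", "tcp", (80, 80)),
    Rule("allow", "in", "tcp", (443, 443)),
]

if __name__ == "__main__":
    print("weak :", exposed_smb_ports(WEAK_RULES))
    print("fixed:", exposed_smb_ports(FIXED_RULES))
```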

With this particular bug, though, the firewall will not protect you completely from outside attacks. Reguly says, “There is an Internet Explorer-based attack vector. By including a file stored on a share in the HTML of the web page the flaw can be triggered. But, once again the result is a denial of service.”

Until Microsoft completes its investigation of the issue and releases a patch, you will just have to be vigilant about avoiding suspicious or malicious links on web pages. Because of the limited value of a DoS for the attackers, odds are good you won’t see any attacks from this.

Microsoft has described Windows 7 as the most secure operating system it has yet developed, but ‘most secure’ doesn’t mean impervious. Windows 7 is still significantly more secure than Windows XP, but news of the Windows 7 vulnerability certainly overshadows the fact that Windows 7 wasn’t impacted on Patch Tuesday.

One-third of Security Essentials users infected: Microsoft

Posted by touhid | Posted in Security information | Posted on 23-10-2009

Almost a third of the customers who have installed Microsoft’s free Security Essentials software have been found to be suffering from major malware infections.

Microsoft, which launched the free Security Essentials package for Windows in late September in eight major markets, revealed the figure as it prepares to roll out the software in China.

“What we’re seeing in the early downloads is that well over 30% of people who are downloading it are requiring a fair amount of cleaning,” said Amy Barzdukas, general manager, Internet Explorer and consumer security at Microsoft.

Delivering the opening keynote at RSA Conference Europe in London, Barzdukas also noted that the problems experienced by consumers varied widely by area.

“In China, we see a lot of malicious browser modifiers. In Brazil, there’s a lot of password stealers. In Korea, there’s a lot of polymorphous viruses. There’s no one size fits all in consumer security any more than in enterprise security.”

Microsoft’s move into the consumer security space has been controversial, with critics variously arguing that Microsoft will reduce competition in the security sector and that it should concentrate on making its core operating system more secure. However, Barzdukas said that Windows itself was only a small part of the problem.

“Fewer than 15% of the vulnerabilities that are being exploited today are in the browser or the OS. Instead they’re going into third party software and add-ons.”

Barzdukas also took a pot shot at Google’s rival browser Chrome, claiming that features of its design made it less secure than Internet Explorer 8.

“As you type in that omnibox, every keystroke that you type is sending a packet to Google.”