011 - Quitting Facebook, Adobe security tips, Social engineering from stolen accounts and more...
Thursday, April 15th 2010 @ 7:59 AM
The Streetwise Security Zone Podcast Episode 11 – April 5, 2010
This Episode's Topics:
1 – Recent developments in the Streetwise Security Zone Podcast and Townhall
2 – Article in CSO Online Magazine by Joan Goodchild on “10 reasons to quit Facebook”
3 – Case study of a financial institution breach that started with a compromised Facebook account
4 – A business strategy for using social media more securely (my views)
5 – PDF reader vulnerabilities are a big risk
6 – The arguments for and against reliance on standards compliance
7 – Social engineering threats from stolen accounts in Email and Facebook
1 ) Recent developments in the Streetwise Security Zone Podcast and Townhall
Due to technical difficulties, my plan to do a separate weekly live Townhall session that has recorded video for future viewing is not working out as well as I’d planned. So, for now, I’m going to combine the audio podcast recording with the live Townhall sessions that I try to do on Monday afternoons at 4pm Eastern. So, the video will not be recorded, but the audio will. This way, I can incorporate any comments or questions from the chat room as they come up, and it will all be available in audio form eventually in the podcasts. I don’t always get to publish the audio podcast right away and I have a number of episodes nearly completed that will be put up in the next few days. As always, comments are appreciated.
2) "10 Security Reasons to Quit Facebook" - The article by Joan Goodchild of CSO Online Magazine that included comments from Tom Eston and myself on the security reasons why baby-boomers are starting to quit Facebook, and one reason they may be staying. Here’s a link to the article:
3) Case study of a financial institution breach that started with a compromised Facebook account
It’s a very interesting story with some challenging implications for corporate security managers. Here’s a link to my post in the Social Media Security blog:
4) A business strategy for using social media more securely
This is a little rant I did on how we need to apply the concept of Zoning from corporate IT security more explicitly to social media usage by employees. It has a lot to do with recognizing that it may not be wise to give everyone in the organization carte blanche and free rein in using public social media tools like Facebook and Twitter in ways that can impact the organization – whether that is posting or reading articles or content. People in different roles should have different policy constraints and, depending on which computers they are using, might have different technical constraints on being able to reach these sites. But there is also an opportunity to use other types of Web 2.0 solutions to achieve the business’s goals and let younger employees have the experience of using social media, but in more focused and controlled environments.
I encourage business managers to contact me about how I might be able to help with safely developing this type of progressive strategy in their organization.
5) PDF reader vulnerabilities are a big risk
PDF files have been a security problem for quite a while now, in that Adobe Reader (and even other PDF readers like Foxit) is very powerful but has not really been built with safeguards to protect the user’s computing environment. As a result, it’s often possible for attackers to create “malformed” or “malicious” PDFs that cause the reader to do things that put the user’s system at risk. Recently, it’s been demonstrated that Adobe Reader can be used to launch external applications in a way that would allow an attacker to load malware onto a user’s machine.
Here is a link to Steve Gibson’s Security Now Episode 243, which covers these risks in more detail:
And there are a couple of quick tips for Adobe Reader users that will probably reduce your risks when using this software:
2) Also in the preferences window, click on the “Trust Manager” link in the sidebar, and uncheck “Allow opening of non-PDF file attachments with external applications.” This is the most recent risk described in the two article links above.
Do also allow automatic updates for Adobe products. They often have critical security fixes in them that should be implemented as quickly as possible.
6) Arguments for and against reliance on standards compliance
The bottom line is that standards compliance is usually a good place to start if you expect that security is weak. It can strengthen a lot of areas without having to do much analysis. The downside of relying on compliance only (as opposed to doing full risk assessments for networks and systems) is that it is possible to be fully compliant with any standard and still have serious security vulnerabilities. So I recommend a mix of both standards and risk-based approaches.
This is inspired by the Threatpost.com article by Dennis Fisher listed here:
7) Social engineering threats from stolen accounts in Email and Facebook
It’s becoming more common now that a compromised Email or Facebook account will result in an attempt at scamming friends or contacts. Attackers will scan contacts to see who might be susceptible to an urgent request for assistance in the form of wired money (e.g. “Help, I’ve been robbed in Europe and need money for a hotel and airfare.”). It’s very easy to scan emails and contact lists to put together a credible scenario that can pay off very well before anyone notices.
So, don’t ever take significant action based on information from one Internet source like an email or Facebook message. Always try to verify through some other means before sending money.