008 - Accidental college web breach, Twitter phishing, Defensive marketing tools, Wave and more...
Monday, November 9th 2009 @ 6:14 AM
The Streetwise Security Zone Podcast Episode 8 – November 9, 2009
This Episode's Topics:
1 - News with timeless observations and guidance
2 - Social Media Security Podcast security brief (Death by Twitter Phishing, Internet Posting Policies, Google Wave's insecurity)
3 - Surviving in the Wild West of the Internet
SHOW NOTES
I produce this podcast as part of the Streetwise Security Zone. For those of you who don’t know, the SWSZ is a collaborative website that uses social media in many forms to educate people about working securely and efficiently, in the office and at home.
In each episode, I usually cover some security news, but not in a way that becomes dated. I try to take at least one recent, real-life news event and give some insight into how the situation can affect you in a business environment – and how to make sure your own workflow can deal with such situations.
You can listen to the podcast while viewing this page in The Streetwise Security Zone website by clicking on the "Play" icon in the player widget above, or you can download it by clicking on the "Down Arrow" at the left side of the widget. It's also available through iTunes via the iTunes link in the left hand column in The Streetwise Security Zone Podcast page of the website.
Because I’ve started doing the Social Media Security Podcast, which borders on being occasionally technical, I try to interpret our most recent podcast and put it into a more non-technical security brief that contains information and guidelines everyone can understand and act on.
I also like to cover any industry events I’ve taken part in, and tie them into my mission of helping organizations to get their jobs done more securely and efficiently.
News:
Worm infects “jailbroken” iPhones, and Twitter spreads the news fast
Graham Cluley points out in a Twitter update that if news from security companies travelled that fast, we’d be in a lot less trouble. That’s my vision, actually, that we in the Streetwise Security Zone find and vet news that affects security of businesses and the majority of individuals.
The Facebook phishing continues
Fake email messages are asking users to follow links, log in to Facebook and reset passwords. Unfortunately, the link doesn’t go to Facebook. Instead, it captures your login credentials when you try to log in.
A dangerous Firefox bug with general security guidance on security updates and patches
A Firefox browser bug was discovered that allows content from one page (loaded in an iframe) to manipulate content seen from a different site’s page. By the time you hear this, the specific bug will probably be fixed in an update. But this acts as a reminder that we need to keep software up to date (turn on automatic updates and allow them to load when requested).
Case Study: A University Accidentally Leaks Social Security Numbers to the Web
A Hawaii university suffers a breach of web infrastructure exposing 4500 students’ Social Security Numbers. The breach occurred due to human error in putting a sensitive internal report in a publicly accessible web page. If the people involved had been trained in how to handle sensitive information in their jobs, this would have been unlikely to happen.
Social Media Security Podcast Security Brief:
Social Media Security Podcast #4 is available at http://www.socialmediasecurity.com/category/podcasts
Death by Twitter – and other phishing attacks like the IQ test DM – were really a problem in the last week or so. Sensationalized headlines can lead people – even seasoned security professionals – to start spreading the news to others (retweeting in Twitter is too easy to do). The IQ test phishing attack showed up this week as a Direct Message in Twitter, asking you to click a link to take the IQ test. Following this link takes you to a page that asks you to log into Twitter. However, once your credentials are entered, they are used to start attacking your followers via Direct Messaging… and on it goes. It’s not infecting your computer, but once your user ID and password are stolen, a lot of bad things can happen without your knowledge.
Open Source Intelligence is a complicated term that refers to defensively (or sometimes offensively) monitoring brand and personal data on social networking sites. Tom Eston explains how to use methods like Google Dorks – which are just special search queries, designed to root out posted information about you or your organization.
Posting Policies – Cisco policy. Having such a security policy for posting on the Internet can be really useful for marketing or PR departments to provide guidance for employees on what is considered acceptable content for them to post on the Internet about the organization. HR also needs to be involved.
Google Wave – What the heck is it? I still don’t know. It’s been called a very cool way of integrating “updates” (like tweets or Facebook status updates), personal messages (like email), and multi-media objects (like video), in a Web 2.0 style. Tom and Kevin describe it as a combination of Twitter, Facebook, Email and Instant Messaging.
So what’s the problem? – It turns out that making all these things work together with “User Generated Content” in such an unstructured way is inherently insecure. Everything that makes it easy to collaborate this way also makes it easier for the bad guys to post dangerous content that sucks input from users or launches malware attacks on their computers or devices. It’s also another way for data to leak uncontrollably from your domain. While you may not be able to stop data from leaking, or bad software from creeping in, with any technology, education is once again the only way to keep people on track and working within your policies.
Google Wave also demonstrates Google’s propensity to design functionality and features first and security later. This approach always causes an endless loop of patches and updates, usually after damage has been done.
Recent Events: Small Business Survival in the Wild West of the Internet
I recently gave a talk at the Small Business Association of Ottawa on “Small Business Survival in the Wild West of the Internet.” The talk presented an analogy and comparison between today’s business environment and the Wild West.
If you’d like a transcript and/or slides of this presentation, please email me at scott@streetwise-security-zone.com. The talk was supposed to be 20 minutes, but it lasted almost an hour due to questions. Sorry about that. This demonstrates how thirsty people are for information on how to protect themselves in the Internet-based business environment.
Wrap-up:
Feedback is welcome and encouraged. Please rate this podcast on the site, or in iTunes. I’d appreciate it. And please spread the word to others.
The only way we can really gain a handle on securing our work environments is to collaborate – discussing what works, what to watch out for, and where to get trusted information.
In fact, if you like what you’ve heard on this podcast or seen on my website, I’d love to be able to provide your team with even more personalized service – whether it’s risk assessments, security audits, security training or virtual Chief Security Officer services – please have somebody from your organization contact me.
As a bit of a stimulus for comments, I’d like to ask you to let me know what kind of a security-related book or training tool you think your place of work would be most interested in having as a resource – Would you rather see a hardcopy book, an e-book, an audio book, a set of videos on DVD, or maybe a “play at your own speed” web-based tutorial with audio and slides? All of these things are possible, but I’d like to focus on what you think would be most valuable.
As always, you can email me at scott@streetwise-security-zone.com or call me at 1-613-693-0997. You can even follow me on Twitter at “streetsec”.
If you’re not already a member, please join The Streetwise Security Zone at:
http://www.streetwise-security-zone.com/members/streetwise/info/ScottWright-join.html
You can subscribe to this podcast on iTunes at:
http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=298647305
Thanks for listening!
Until next time, Stay Streetwise.
- Scott
I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...
Scott Wright
The Streetwise Security Coach
Join the Streetwise Security Zone at: http://www.streetwise-security-zone.com/join.html
Phone: 1-613-693-0997 Email: scott@streetwise-security-zone.com Twitter ID: http://www.twitter.com/streetsec
To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.