010 - iPhone risks, Christmas online shopping scams, Open Wi-Fi Hotspot liabilities and more...
Tuesday, December 1st 2009 @ 9:59 AM
The Streetwise Security Zone Podcast Episode 10 - December 1, 2009
This Episode's Topics:
1 - iPhone risks
2 - Christmas online shopping scams
3 - A Case Study on the liability risk of running an open Wi-Fi hotspot
4 - Social media security risks from Google and Foursquare
5 - Conducting security reviews and internal audits sooner, rather than later
6 - A new downloadable instructor pack for teaching security awareness to your staff or clients
Introduction
It’s time for another episode of the Streetwise Security Zone Podcast. I’m your host, Scott Wright. I’m a professional information security consultant in Ottawa, Canada, and this podcast is part of the Streetwise Security Zone experience, intended for Small Business and IT Managers who don’t have a lot of security resources at their disposal. The Streetwise Security Zone is a place where you can come and browse articles and participate in discussion forums. Now, I’m just one guy with a consulting business, and don’t have as much time as I’d like to spend on creating content and discussion threads. But, I’d love for you to join and make the community part of your daily routine. The more people contribute, the more value everybody gets out of it.
I know that sometimes people don’t like to talk about security because it exposes a bit too much about themselves and their vulnerabilities. That’s always been a problem in this industry. But when you join the Streetwise Security Zone, you can make up an anonymous nickname, and select an option to hide your real name and email address. So, you can discuss sensitive topics anonymously.
We currently have, as of December 1, 2009, 135 members in The Streetwise Security Zone. There’s lots of free content that I’ve created already, like the Non-Trivial Streetwise Security Edutainment Quiz, which is a Powerpoint presentation you can download and it runs like a pre-movie quiz. So, you can use it before presentations to get the audience engaged. You don’t have to sign up for anything to download the quiz, but I’d like you to consider joining, or just signing up for the weekly security tips newsletter.
News
In news, we’re starting to see a few new security problems with iPhones. Most of the time they involve what are called jailbroken phones, where people essentially hack their own iPhone to make it work on networks other than the ones it’s supposed to, or to enable features the iPhone wasn’t configured for. The problem with doing this is that it requires a communication channel into the phone’s internals: a tiny server is set up inside the phone that you can send commands to in order to change its internal configuration. However, there have been security problems with that server software, which actually allow somebody else to break in and do things like steal address books or even hijack the entire phone.
So, if you have an iPhone, and you decide to jailbreak it, or hire somebody to do it, you should realize that you are bypassing the phone’s supported security features.
Seeing as we are getting close to Christmas, it’s a good time to remind people that they should be extra cautious about emails they receive that look like they are from online merchants or shipping companies they may have used for Christmas shopping. These can be very convincing phishing scams. Because so many people use major merchants and shipping companies, when scammers send out a message from BestBuy Customer Service or UPS, it catches a lot of people. The result is stolen credit card numbers or passwords, or even an infected PC. Don’t forget that you can’t rely on antivirus programs to protect you 100% from many of today’s new threats. So, if you can, verify information in these messages before you act on them.
Case Study - Open Wi-Fi Hotspot Liabilities
http://community.zdnet.co.uk/blog/0,1000000567,10014530o-2000331761b,00.htm?s_cid=260
People are starting to get fined for having an Open Wi-Fi hotspot. Many businesses find it helpful in attracting patrons by operating an open Wi-Fi or wireless networking hotspot, which means that anyone with a laptop computer can come in and use the establishment’s Internet connection. In the UK, a pub was fined 8,000 pounds for allowing patrons to download illegal copies of content like movies and songs from file-sharing networks.
It’s not clear that this will be a problem for businesses in other countries, but it is something to think about. When you give others access to the Internet – even by having an open wireless router running at home – you could be enabling a number of risks, including one of liability for the actions of others taken using your connection. If they do something illegal, the authorities may come looking for the internet account used to commit the crime. When they isolate it to your connection, they may not know or believe that it was actually a neighbor or visitor who was the culprit. So, you do have to be cautious about operating a Wi-Fi hotspot.
What you should do, if you can, is set up encryption on the device that prevents people from being able to use it without getting permission – and the key or passcode needed to access it. Of course, if the key never changes, then customers can start to realize that, and may start to take advantage of it.
Some businesses, like hotels, change their Wi-Fi key every day, so they know people have to come to them for a new key. They may even hire a third-party service to manage the connection and deal with these types of risks. While this doesn’t always prevent patrons from abusing the service, it can discourage them, and it can show that you exercised some due diligence if the law does come to you during an investigation.
Social Media Security Podcast Notes
In the November 21st Social Media Security Podcast with myself and Tom Eston, minus the regular Kevin Johnson, we discussed a lot of Google-related risks. Because Google really is one of the biggest social media services, they get a lot of coverage. In fact, there is now a podcast called This Week in Google on the TWIT podcast network at TWIT.tv. They talk about a lot more than just Google, though, for the same reason we do. Social media and Google are really part of a bigger topic called Cloud computing – which, in my view, really refers to a loose collection of services that offer to store information or perform helpful services online. Of course, there are many privacy and security issues when you start to put your information into these systems and trust their owners to take care of it.
Google Reader - Koobface Risks
So, in the Social Media Security podcast, we talked about a new variant of the Koobface worm that is being used to infect people through Google Reader. Google Reader is a news reader that you can use to organize and view feeds from many websites at one time. So, if you get an invitation to view a news feed that somebody else has shared through Google Reader, you might be seeing a phishing attack that tries to get you to accept a Flash video driver upgrade, or it might tell you that you are infected with a virus. As with any phishing or drive-by download attack, you have to be careful not to act on things that pop up without thinking about the risks. Is it YOUR antivirus program that’s giving you the message, or a fictitious one? Is it really FLASH that is telling you that you need a Flash video driver upgrade, or is it a fake? So, be careful with popups.
Google Dashboard Risks
We also talked about Google Dashboard. This is actually a cool facility you can find at www.google.com/dashboard. It shows you all the Google services that you use within your Google account – if you have one. Most people do at this point. The scary thing to realize is that, if your Google password is stolen, the attacker will use Google Dashboard to see what services it gives them access to. It can be dozens of places you may not have thought of.
It’s a good reason to use a strong password so it can’t be guessed. But it’s also a good reason to change your Google password often. If you notice strange changes in your Google account, it could be that your password has been stolen and the thief has made some changes to monitor your activity in the account – maybe to collect passwords for other accounts on the Web, or just sensitive information you may keep in your Google account. Isn’t the Cloud wonderful?
FourSquare.com Risks
There is a new game/service online called Foursquare.com. To me, it looks like an elaborate loyalty program. People compete to be the most frequent patron of real businesses in their community, and every time they go there, they “check in”, which gives them more points. At the same time, it allows their friends to see where they are, where they shop and how close by they are, in case they want to meet up.
Like many new web-based business models, it’s a bit hard to understand the attraction, but it is becoming really popular. But keep this in mind. While not everyone can normally see you, if you choose to connect your Foursquare.com account to something like Twitter, your whereabouts can become pretty widely known. This can be a problem if thieves are targeting your house, or if you have a stalker who wants to find you in a physical location outside your home. I refer to things that happen in the real world as being in “meatspace” as opposed to “Cyberspace”. So, cyber-stalkers can become meatspace stalkers.
Featured "Security Views" Blog Post
I recently posted a blog article about doing security reviews and audits sooner, rather than later. Here’s the text of the article…
Putting off a security review or internal audit because you might find a problem?
New Downloadable Streetwise Security Awareness Training - Instructor Pack
I just wanted to let people know that I have put a new item into the Streetwise Security Marketplace – my online store. It’s a full-size Powerpoint slide deck for delivering a general security awareness course. It comes in a compressed archive that contains a set of handout workbook questions you can have students fill in as they go along, or during work breaks. The course usually takes about 2 or 3 hours to deliver, and incorporates some of the concepts of the Streetwise Security Awareness Program, including the Basic Information Security Awareness Guidelines that I use, and a short description of the 5-step Workflow-based Risk Awareness Process, which can be run as an extended workshop.
This training package is what I call an Instructor Pack, and is intended for IT Managers who want to get their staff educated. If you can do the presentation, the slide content is all there. Or, you can hire or designate a trainer or presenter who is comfortable with the content. The benefit is that you don’t have to spend the 40 hours that I put into creating a professional set of slides that cover all the latest types of risks people need to be aware of, and how to get them thinking more carefully about what they do online.
If you are a professional trainer or consultant, you will find the slide deck useful as another tool in your bag of tricks. I’m allowing this slide deck and associated workbooks to be used by consultants for up to 5 training sessions per year. If you have more than that, please contact me to arrange fairer compensation.
The whole package costs only $99 US, and you can pay via PayPal or credit card, and download it right away. As with all the information products in The Streetwise Security Marketplace, you get a 30 day money-back guarantee. You can also earn affiliate commissions by referring others to buy the product online. So, go to http://www-streetwise-security-zone.com/marketplace.html and you will find it there, along with other information products related to security awareness.
Conclusion
So, that’s it for this episode of the Streetwise Security Zone Podcast.
If you are interested in getting into podcasting in general, I want to let you know about a new community, created by Bo Bennett, founder of the iGroops hosting service that hosts The Streetwise Security Zone community. Bo’s new community is called www.SoYouThinkYouCanPodcast.com and it looks great. I just joined and am starting to contribute what I know and think about podcasting. So, check it out.
How You Can Help
If you enjoyed this podcast, please subscribe via iTunes, and I’d appreciate it if you could go there right now and enter a review comment and rating. The ratings on iTunes really do help people to find us.
In addition, if I could ask for one last favor in return for providing all the content on my blogs and in this podcast – please use the DONATE button on the bottom left of the Streetwise Security Zone homepage. Once the community is supporting itself from membership fees and sales of downloads and programs, I plan to remove the DONATE button. But for now, every donation is greatly appreciated and allows me to continue to maintain and upgrade the content on the site and in this podcast.
If you have comments or questions about this podcast, or would like to send me your favorite security tip that I can put into future podcasts, please contact me at:
scott@streetwise-security-zone.com or call me at 1-613-693-0997 and leave a message.
I’m Scott Wright, and until next time, stay streetwise!
I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...
Scott Wright
The Streetwise Security Coach
Join the Streetwise Security Zone at: http://www.streetwise-security-zone.com/join.html
Phone: 1-613-693-0997 Email: scott@streetwise-security-zone.com Twitter ID: http://www.twitter.com/streetsec
To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.