

011 - Quitting Facebook, Adobe security tips, Social engineering from stolen accounts and more...

Thursday, April 15th 2010 @ 7:59 AM


The Streetwise Security Zone Podcast Episode 11 – April 5, 2010


This Episode's Topics:

1 – Recent developments in the Streetwise Security Zone Podcast and Townhall
2 – Article in CSO Online Magazine by Joan Goodchild on “10 reasons to quit Facebook”
3 – Case study of a financial institution breach that started with a compromised Facebook account
4 – A business strategy for using social media more securely (my views)
5 – PDF reader vulnerabilities are a big risk
6 – The arguments for and against reliance on standards compliance
7 – Social engineering threats from stolen accounts in Email and Facebook

1 ) Recent developments in the Streetwise Security Zone Podcast and Townhall

Due to technical difficulties, my plan to do a separate weekly live Townhall session that has recorded video for future viewing is not working out as well as I’d planned. So, for now, I’m going to combine the audio podcast recording with the live Townhall sessions that I try to do on Monday afternoons at 4pm Eastern. So, the video will not be recorded, but the audio will. This way, I can incorporate any comments or questions from the chat room as they come up, and it will all be available in audio form eventually in the podcasts. I don’t always get to publish the audio podcast right away and I have a number of episodes nearly completed that will be put up in the next few days. As always, comments are appreciated.

2) "10 Security Reasons to Quit Facebook" - The article by Joan Goodchild of CSO Online Magazine that included comments from Tom Eston and myself on the security reasons why baby-boomers are starting to quit Facebook, and one reason they may be staying. Here’s a link to the article:

http://www.csoonline.com/article/584813/10_Security_Reasons_to_Quit_Facebook_And_One_Reason_to_Stay_On_

3) Case study of a financial institution breach that started with a compromised Facebook account

It’s a very interesting story with some challenging implications for corporate security managers. Here’s a link to my post in the Social Media Security blog:


4) A business strategy for using social media more securely

This is a little rant I did on how we need to use the concept of Zoning for corporate IT security a little more explicitly for social media usage by employees. It has a lot to do with recognizing that it may not be wise to allow everyone in the organization carte blanche and free rein in using public social media tools like Facebook and Twitter in ways that can impact the organization – whether it’s posting or reading articles or content. People in different roles should have different policy constraints and, depending on what computers they are using, might have different technical constraints on being able to reach these sites. But there is also an opportunity to use other types of Web 2.0 solutions to achieve the business’s goals and allow younger employees to have the experience of using social media, but in more focused and controlled environments.

I encourage business managers to contact me about how I might be able to help with safely developing this type of progressive strategy in their organization.

5) PDF reader vulnerabilities are a big risk

PDF files have been a security problem for quite a while now, in that Adobe Reader (and even other PDF readers like Foxit) is very powerful but has not really been built with safeguards to protect the user’s computing environment. As a result, it’s often possible for attackers to create “malformed” or “malicious” PDFs that cause the reader to do things that put the user’s system at risk. Recently, it’s been demonstrated that Adobe Reader can be used to launch external applications in a way that would allow an attacker to load malware onto a user’s machine.

Here is a link to Steve Gibson’s Security Now Episode 243, which covers these risks in more detail:


And there are a couple of quick tips for Adobe Reader users that will probably reduce your risks when using this software:

1) In the Adobe Reader preferences (Edit / Preferences on Windows versions; or Adobe Reader / Preferences on Apple Macs), click on the “JavaScript” sidebar link, and uncheck the “Enable Acrobat JavaScript” checkbox. JavaScript has very few legitimate uses in Adobe Reader, but many security risks are related to this option.
2) Also in the preferences window, click on the “Trust Manager” link in the sidebar, and uncheck “Allow opening of non-PDF file attachments with external applications.” This is the most recent risk described in the two article links above.

Also allow automatic updates for Adobe products. They often contain critical security fixes that should be applied as quickly as possible.
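The two preference changes above switch off the reader features that malicious PDFs lean on: JavaScript and actions that open something with an external application. A defender can also look for those same features in a PDF before it reaches a user, by counting the PDF name objects that introduce them (/JavaScript and /JS, the /Launch action type, the /OpenAction and /AA triggers that run them automatically, and /EmbeddedFile for non-PDF attachments). The script below is an added example and is not code from the podcast, from Scott Wright or from Adobe; the two sample PDFs are constructed inline, the launch target and script text in them are placeholders, and the verdict thresholds (“block” for JavaScript or Launch, “review” for triggers or attachments alone) are my assumptions. It also decodes the PDF name syntax’s #xx hex escapes first, so a name spelled /J#53 is still counted as /JS.

```python
import re
from collections import Counter

# PDF name objects whose presence is worth flagging. /JavaScript and /JS
# correspond to the reader option disabled in tip 1; /Launch is the action
# type behind "open with external application" (tip 2); /OpenAction and /AA
# are the triggers that make either run automatically; /EmbeddedFile marks
# a non-PDF attachment.
RISKY_NAMES = ("/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA", "/EmbeddedFile")

# Assumed policy: names whose presence alone is enough to hold the file back.
BLOCKING_NAMES = {"/JavaScript", "/JS", "/Launch"}


def normalise_names(data: bytes) -> bytes:
    """Decode #xx hex escapes so an obfuscated name such as /J#53 counts as /JS.

    PDF syntax allows any character of a name to be written as #xx, which is
    a common way of hiding a risky name from naive string matching.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> dict:
    """Count each risky name, requiring a delimiter after it so that /JS is
    not counted inside an unrelated longer name such as /JSX."""
    text = normalise_names(data)
    counts = Counter()
    for name in RISKY_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, text))
    return dict(counts)


def assess_pdf(data: bytes) -> dict:
    """Return the counts, the names that were found, and a verdict:
    'block' for JavaScript or Launch actions, 'review' for other triggers
    or attachments, 'allow' when nothing risky appears."""
    counts = count_risky_names(data)
    findings = [name for name in RISKY_NAMES if counts[name]]
    if BLOCKING_NAMES.intersection(findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"counts": counts, "findings": findings, "verdict": verdict}


# Constructed sample: a one-page PDF with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same page with an /OpenAction pointing at a
# /Launch action, plus a page-level /AA trigger for a JavaScript action
# whose /JS key is written with a hex escape (/J#53). The launch target
# and the script text are placeholders, not a real program or payload.
RISKY_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /AA << /O 5 0 R >> >> endobj
4 0 obj << /Type /Action /S /Launch /F (placeholder-external-program) >> endobj
5 0 obj << /Type /Action /S /JavaScript /J#53 (app.alert('placeholder')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("risky", RISKY_PDF)):
        result = assess_pdf(sample)
        print(f"{label}: verdict={result['verdict']} findings={result['findings']}")
```

Running it reports the benign file as “allow” and the risky one as “block” with all five of its triggers listed. One caveat worth keeping in mind: this scan only sees names that appear in the raw bytes, so a production filter must first inflate compressed streams and object streams (/FlateDecode), where the same names can be hidden from view, and should treat a file it cannot parse as one to review rather than allow.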

6) Arguments for and against reliance on standards compliance

The bottom line is that standards compliance is usually a good place to start if you expect that security is weak. It can strengthen a lot of areas without having to do much analysis. The downside of relying on compliance only (as opposed to doing full risk assessments for networks and systems) is that it is possible to be fully compliant with any standard and still have serious security vulnerabilities. So I recommend a mix of both standards and risk-based approaches.

This is inspired by the Threatpost.com article by Dennis Fisher listed here:


7) Social engineering threats from stolen accounts in Email and Facebook

It’s becoming more common now that a compromised Email or Facebook account will result in an attempt at scamming friends or contacts. Attackers will scan contacts to see who might be susceptible to an urgent request for assistance in the form of wired money (e.g. “Help, I’ve been robbed in Europe and need money for a hotel and airfare.”). It’s very easy to scan emails and contact lists to put together a credible scenario that can pay off very well before anyone notices.

So, don’t ever take significant action based on information from one Internet source like an email or Facebook message. Always try to verify through some other means before sending money.



Scott Wright

The Streetwise Security Coach

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Scott Wright on LinkedIn 

To download my FREE Security Management Resource Guide now, and to receive my series of Streetwise Security Tips, as well as my Streetwise Security News and updates click HERE.



Copyright 2012. Security Perspectives Inc. All Rights Reserved.