Oct 10, 2012
 

Perfecting Email Security

 

Science Daily
by Inderscience Publishers
September 10, 2012

 

Email Security

 

Millions of us send billions of emails back and forth each day without much concern for their security. On the whole, security is not a primary concern for most day-to-day emails, but some emails do contain personal, proprietary and sensitive information, documents, media, photos, videos and sound files. Unfortunately, the open nature of email means that messages can be intercepted and, if not encrypted, easily read by malicious third parties. Even with the PGP — pretty good privacy — encryption scheme first used in 1995, if a sender’s private “key” is compromised, all their previous emails encrypted with that key can be exposed.

Writing in the International Journal of Security and Networks, computer scientists Duncan Wong and Xiaojian Tian of City University of Hong Kong explain how previous researchers had attempted to define perfect email privacy using PGP by developing a technique that would preclude the decryption of other emails should a private key be compromised. Unfortunately, say Wong and Tian, this definition fails if one allows the possibility that the email server itself may be compromised by hackers or other malicious users.

The team has now defined perfect forward secrecy for email as follows and suggested a technical solution to enable email security to be independent of the server used to send the message: “An e-mail system provides perfect forward secrecy if any third party, including the e-mail server, cannot recover previous session keys between the sender and the recipient even if the long-term secret keys of the sender and the recipient are compromised.”

By building a new email protocol on this principle, the team suggests that it is now possible to exchange emails with almost zero risk of interference from third parties. “Our protocol provides both confidentiality and message authentication in addition to perfect forward secrecy,” they explain.

The team’s protocol involves Alice sending Bob an encrypted email with the hope that Charles will not be able to intercept and decrypt the message. Before the email is encrypted and sent, the protocol suggested by Wong and Tian has Alice’s computer send an identification code to the email server. The server creates a random session “hash” that is then used to encrypt the actual encryption key for the email Alice is about to send. Meanwhile, Bob, as the putative recipient, receives the key used to create the hash and bounces back an identification tag. This allows Alice and Bob to verify each other’s identity.

These preliminary steps all happen automatically, without Alice or Bob needing to do anything in advance. Now, Alice writes her email, encrypts it using PGP and then “hashes” it using the random key from the server. When Bob receives the encrypted message he uses his version of the hash to unlock the container within which the PGP-encrypted email sits. Bob then uses Alice’s public PGP key to decrypt the message itself. Neither snoopers on the internet between Alice and Bob nor the email server itself ever has access to the PGP-encrypted email in the open. Moreover, because a different key is used to lock up the PGP-encrypted email with a second one-time layer, even if the PGP security is compromised, past emails created with the same key cannot be unlocked.
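The following is an added example, not Wong and Tian’s protocol and not code from the paper or from ScienceDaily; it shows in working Python what the definition quoted above means in practice. A message (standing in for the PGP-encrypted body) is wrapped under a key derived from one-time ephemeral keys contributed by both endpoints, and the long-term keys serve only to authenticate those ephemeral keys. A deliberately non-PFS variant sits beside it, where the wrapping key comes from the long-term keys alone. An attacker who later obtains both long-term secrets plus the full transcript (the position a compromised server is in) recovers the non-PFS message but not the PFS one. Everything here is an assumption of the example: the X25519 ladder follows RFC 7748 but is not constant time, `seal`/`open_` is a toy encrypt-then-MAC rather than a standard AEAD, and the sample message is constructed.

```python
"""Added example (not Wong and Tian's protocol): ephemeral session keys give
perfect forward secrecy; keys derived only from long-term keys do not.
Standard library only; X25519 ladder per RFC 7748 (illustrative, not constant time)."""
import hashlib
import hmac
import secrets

P = 2**255 - 19                          # Curve25519 field prime
A24 = 121665                             # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (not constant time: demo only)."""
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & ((1 << 255) - 1)) | (1 << 254)         # clamp the scalar
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), u * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    sk = secrets.token_bytes(32)
    return sk, x25519(sk, BASEPOINT)


def kdf(label: bytes, secret: bytes) -> bytes:
    return hmac.new(label, secret, hashlib.sha256).digest()


def _xor_stream(key: bytes, data: bytes) -> bytes:
    blocks = range((len(data) + 31) // 32)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(x ^ y for x, y in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (demo only, not a standard AEAD)."""
    ct = _xor_stream(kdf(b"enc", key), plaintext)
    return ct + hmac.new(kdf(b"mac", key), ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kdf(b"mac", key), ct, hashlib.sha256).digest()):
        return None                                      # wrong key or tampered data
    return _xor_stream(kdf(b"enc", key), ct)


def send_without_pfs(alice_sk, bob_pk, message):
    """Wrapping key derived only from the long-term keys: no forward secrecy."""
    return {"wrapped": seal(kdf(b"key", x25519(alice_sk, bob_pk)), message)}


def send_with_pfs(alice_sk, alice_pk, bob_sk, bob_pk, message):
    """Each side contributes a one-time key; the long-term keys only authenticate them."""
    ea_sk, ea_pk = keypair()                             # Alice's ephemeral pair
    eb_sk, eb_pk = keypair()                             # Bob's ephemeral pair
    alice_auth = kdf(b"auth", x25519(alice_sk, bob_pk))  # static-static DH: authentication only
    bob_auth = kdf(b"auth", x25519(bob_sk, alice_pk))
    ea_tag = hmac.new(alice_auth, ea_pk, hashlib.sha256).digest()
    # Bob verifies the tag on Alice's ephemeral key before trusting it.
    assert hmac.compare_digest(ea_tag, hmac.new(bob_auth, ea_pk, hashlib.sha256).digest())
    wrapped = seal(kdf(b"key", x25519(ea_sk, eb_pk)), message)   # ephemeral-ephemeral DH
    bob_read = open_(kdf(b"key", x25519(eb_sk, ea_pk)), wrapped)
    del ea_sk, eb_sk                                     # ephemeral secrets never leave the endpoints
    return {"ea_pk": ea_pk, "eb_pk": eb_pk, "ea_tag": ea_tag, "wrapped": wrapped, "bob_read": bob_read}


def attacker_with_long_term_keys(transcript, alice_sk, bob_sk, alice_pk, bob_pk):
    """Everything a compromised server can derive from the transcript plus BOTH
    long-term secrets: the static-static DH and the two static-ephemeral DHs.
    None of them equals the ephemeral-ephemeral secret, so a PFS transcript stays sealed."""
    shared = [x25519(alice_sk, bob_pk)]
    if "ea_pk" in transcript:
        shared += [x25519(bob_sk, transcript["ea_pk"]), x25519(alice_sk, transcript["eb_pk"])]
    for s in shared:
        plain = open_(kdf(b"key", s), transcript["wrapped"])
        if plain is not None:
            return plain
    return None


SAMPLE = b"constructed sample: the PGP-encrypted body would sit here"


def demo():
    alice_sk, alice_pk = keypair()
    bob_sk, bob_pk = keypair()
    no_pfs = send_without_pfs(alice_sk, bob_pk, SAMPLE)
    pfs = send_with_pfs(alice_sk, alice_pk, bob_sk, bob_pk, SAMPLE)
    return {"bob_read": pfs["bob_read"],
            "after_compromise_no_pfs": attacker_with_long_term_keys(no_pfs, alice_sk, bob_sk, alice_pk, bob_pk),
            "after_compromise_pfs": attacker_with_long_term_keys(pfs, alice_sk, bob_sk, alice_pk, bob_pk)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns Bob’s successful decryption, the recovered plaintext for the non-PFS transcript, and `None` for the PFS transcript. The design point is the one in the quoted definition: compromising the long-term keys lets the attacker forge authentication for future sessions, but past session keys depended on ephemeral secrets that were used once and discarded, so the recorded traffic stays closed.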



Story Source:

The above story is reprinted from materials provided by Inderscience Publishers, via EurekAlert!, a service of AAAS.

Note: Materials may be edited for content and length. For further information, please contact the source cited above.


Journal Reference:

  1. Duncan S. Wong, Xiaojian Tian. E-mail protocols with perfect forward secrecy. International Journal of Security and Networks, 2012; 7 (1): 1 DOI: 10.1504/IJSN.2012.048491


Inderscience Publishers (2012, September 10). Perfecting email security. ScienceDaily. Retrieved October 9, 2012, from http://www.sciencedaily.com/releases/2012/09/120910112525.htm


 

Direct Link:  http://www.sciencedaily.com/releases/2012/09/120910112525.htm

Jan 16, 2012
 
Dumb hacker tweets FourSquare location while hacking Ashton Kutcher

Computerworld

by Darlene Storm

January 16, 2012

 

 

Idiots, the world is full of them, and sometimes that includes stupid social media hackers. Poor password practices allow Twitter accounts to be compromised every day, but yesterday several high profile Twitter accounts were hacked: Ashton Kutcher’s, the Huffington Post’s, and actor Eric Stonestreet’s. What makes this interesting is the degree of stupidity committed when hijacking Kutcher’s account . . . at the very least, tweeting via a FourSquare check-in would be considered a dumb hack.

Ashton Kutcher is known to many people as the star of Dude, Where’s My Car?, That ’70s Show, Two and a Half Men, and as Demi Moore’s husband. After the breakup with Moore, Kutcher is rumored to be in a romantic relationship with actor/singer/screenwriter Lorene Scafaria. Kutcher has over 9 million followers on Twitter, and the alleged “new” relationship is what the hacker focused on to cause havoc. Of course all of the fake tweets have been deleted, but Ashton Kutcher (@aplusk) had both his FourSquare and connected Twitter accounts hacked. Those deleted false tweets were preserved and posted on Celebrity Tweet, which has the classy tagline of “Stalk Celebrities on Twitter!”

 

No, you can’t find her house with the above links, as they were deleted. While the hacker may have thought tweeting locations to Kutcher’s alleged new love interest was clever, the hacker was not bright enough to realize his or her own location was broadcast via FourSquare. It took Kutcher about six hours to realize his accounts were compromised, but then he tweeted:

 

 

Those tweets have also been deleted, but Kutcher’s one warning remains. Whoops, it seems the not-too-smart social media hacker may be about to be Punk’d.

 

 

It’s certainly not the first time Kutcher’s Twitter account has been compromised, but as an angel investor in many tech projects including Foursquare, it’s unknown if this hack might be additionally embarrassing for him. As seen by his quick cyber-sleuthing of this hacker, he’s generally clever. Softpedia reported that Kutcher implemented a sneaky promotion for FourSquare in an episode of Two and a Half Men where “Kutcher plays an internet billionaire who sold his company to Microsoft.” In one episode, “his laptop is plastered with stickers from startups, several of which he’s an investor in. Stickers for Foursquare, GroupMe, Hipmunk, Chegg and Flipboard are visible. Kutcher has invested in Foursquare, Hipmunk and Flipboard.”

As for the other ‘high profile’ compromised Twitter accounts yesterday, after a hacker tweeted lame comments, @HuffingtonPost tweeted an apology: “Sorry about that, Twitterverse! We know we’ve been hacked and are working to resolve the issue as quickly as possible.”

Stonestreet, an actor who plays Cameron on ABC’s Modern Family, discussed his hacked Twitter account while on the Golden Globe red carpet. According to Zap2it, Stonestreet told Ryan Seacrest that he didn’t know his Twitter account was hacked and promoting diet pills until followers “started tweeting to ask him if he took the diet pills himself.” When Seacrest asked what could be done about the hacker, Stonestreet replied, “Hunt him down and punch them in the face. Just kidding.” But @ericstonestreet tweeted, “my account was hacked. but any of you that took that as a chance to be a d**k can kindly see yourself out the door.”

 

Direct Link:  http://blogs.computerworld.com/19585/dumb_hacker_tweets_foursquare_location_while_hacking_ashton_kutcher

Jan 02, 2012
 

Android vs iOS vs BlackBerry: Which is the most secure holiday gift?

 

Which smartphone and tablet OS provides the best security?

Steve Hunt and the Neohapsis team provide a guide for holiday gift-givers (or any gadget lover).

By Steve Hunt and Neohapsis
December 14, 2011 

CSO

As the holiday season approaches, smartphones and tablets are some of the most in-demand items for anyone with even a hint of gadget love in their DNA. Coverage of these exciting new tools is full of hype about new features (SIRI) and also new fears (Carrier IQ). With the sheer volume of marketing and fear being thrown around—eclipsing even the number of holiday songs on the radio—it can be hard for even well-informed users to discern meaning from marketing when it comes to security on mobile devices.

 


 

It’s a bit like gifting a car: The right choice can greatly improve the recipient’s life, while a bad choice could leave them with problems for years to come. This guide is to help you with the security side of the decision, to enable you to take it into account and make the right choices for that special someone (or special self!).

Neohapsis Labs (an independent security think tank based in Chicago) has looked into the general security issues and distilled them down to this short guide (a more detailed report will be released early next year). While there are many available choices of device, the main security decision is what platform to get. There are some main contenders at present (iOS, Android, Blackberry) and a few aspiring players (e.g. Windows Phone, Meego, WebOS, Bada). We are not covering Symbian due to Nokia’s recent decision to move to Windows Phone 7 in 2012. We will focus on the differences between the platforms and not go into any cross-platform issues such as the widespread use of mobile analytics packages to track users for advertising purposes.

 

Android

Google’s Android operating system is the most widely deployed platform on tablets and smartphones at present, with a large number of vendors providing their own customized versions. Integrating smoothly with many Google services, Android is rapidly evolving with the latest version (the very well reviewed Ice Cream Sandwich) offering a slew of new features.

Unfortunately, when it comes to security, Android still has a long way to go. The large delay in releasing fixes for security issues is problematic as it requires a different release for each carrier, manufacturer and model. As a result, many Android devices are stuck using old and insecure versions of the operating system.

When it comes to applications, the primary source of applications is the Android Market, which contains tens of thousands of applications, most of them free. These applications are uploaded by developers and go through no review before being published, allowing fast turnaround, but leaving the door open for malicious apps to linger until Google hits the remote kill switch to remove them from devices (as has happened numerous times). Alternatively, curated markets such as the Amazon Appstore show promise for preventing malicious apps getting in—however they also have drawn complaints for the slow rollout of application updates.

Because it uses a very flexible model for applications, Android apps can do things that cannot be done on the other platforms. A user is notified what an application will be allowed to do at install time, and can choose to install it or not. Once installed, third party apps can (if authorized at install time) read and send messages, make and receive calls, access the internet and turn the microphone or camera on and off.

Because users are not very good at either reading or understanding the implications of these permissions, Android applications have been caught sending and receiving premium rate calls and messages, recording users’ keystrokes or sounds, tracking user locations, or even containing botnet-style malware as might be found on a desktop machine. There are quite a few third party solutions available that purport to secure your device, but their effectiveness is in many cases under question.

The flexibility of Android makes it a great choice for a highly capable user, but it can require quite a bit of knowledge to keep secure in the long run—often this will require that users root the device and install their own custom updates directly if the carrier does not provide them. Clearly not for the technical novice!

 

Blackberry

While Android is taking the biggest bite out of the consumer market, Blackberry has been very much the jewel of the business world. With its users being likened to drug addicts for their dependence upon the device, RIM’s Blackberry devices have earned the designation Crackberry. Even President Obama couldn’t part with his device, reportedly much to the irritation of the Secret Service and the delight of Research in Motion.

Security and control are some of the main selling points of Blackberry, with the ability to completely encrypt data, tightly control what is done with the device, restrict what individual applications can and cannot do, require tunneling of any and all internet traffic through the company’s servers, control apps and much more. The downside is that this control comes at a cost: the management needed to keep the device secure can be time consuming for a non-enterprise user.

 


 

Blackberry App World, the source for third party applications, offers a degree of review over all submissions. However, source code is not reviewed by RIM, and only so much can be understood of application behavior. While Blackberry hasn’t been targeted by nearly the same amount of spyware or malware as Android, there have been instances of nefarious applications and spyware-trojaned carrier updates.

The ability to lock down and secure Blackberry devices is definitely a plus, but because much of it was designed with enterprises in mind it can get a bit complex for a standard user unless they are careful. The release of more consumer oriented devices based upon Blackberry 10 shows promise, but as it is unreleased at present, this one should stay on hold for individual users for now.

 

iOS (iPhone / iPad / iPod Touch)

In a market where the market leader is represented by a green robot, and the trailer (Blackberry) is likened to a notoriously addictive drug, the company with second-place market share has a level of customer loyalty and satisfaction often described as a cult. (All of which gives you some idea about how seriously people take these devices!) We are, of course, talking about Apple’s iOS, the platform where it seems every new addition will sell more than the predecessor no matter what they do.

iOS is a slower-moving and far more tightly controlled platform than Android, with features designed to give a consistent, fluid, and controlled experience. As a result, the platform is great for doing things within Apple’s designs, but beyond that it is by design inflexible. Because of the level of control Apple exerts over iOS, users cannot patch vulnerabilities until Apple releases an update – which sometimes takes months – and in many cases older devices are not compatible with the updates and so are never patched.

 


 

For applications there is the Apple App Store, over which Apple can be quite restrictive. There have been many reported instances of applications being rejected for mysterious/unknown reasons, most famously Google’s voice app in 2009. Because applications are all granted the ability to do everything allowed (with the exception of some things such as notifications and reading location), there are no complex permissions for users to keep track of and manage. While there has been at least one instance of a malicious app getting into the App Store, the most notable example was only a researcher’s proof of concept.

Also of note, though, is the parallel ecosystem surrounding jailbroken Apple devices (where users have forcibly removed Apple’s software protections). Jailbreaking gives users the ability to give devices new features, protect themselves from issues which Apple has not yet fixed, and install unapproved (or pirated) applications. At the same time, however, the removal of these protections potentially leaves users more vulnerable from a security perspective, as happened with the ikee worm in 2008.

iOS devices are a good balance when it comes to security, but this does come at a cost of flexibility that more experienced smartphone/tablet users may not like.

 

Windows Phone 7 and Other Aspirants

There are numerous other potential contenders in the smartphone space, most notably Microsoft’s Windows Phone 7, but also including the Linux Foundation’s Meego and Samsung’s Bada. Symbian (formerly pushed by Nokia) and WebOS (formerly from HP) may in future rise or reappear as contenders, but at this stage they have both been dropped by their main proponents and open-sourced and so we will wait and see.

The other platforms all have their own pluses and minuses when it comes to security, and they seem to have learned from the experiences of the big players. However, they also all have much smaller market shares so we will not discuss them here. In particular we will be keeping a close eye on Windows Phone 7 as the relationship between Microsoft (big software) and Nokia (big hardware) may provide some interesting results for enterprise consideration.

Conclusions

(Image: security comparison of Android, iOS and Blackberry)

 

So, which platform should you buy from a security standpoint? For most users the answer will be iOS, but for the technically experienced, Android can work if they are careful. However, if a user is willing to jailbreak they can get many of Android’s benefits anyway. Blackberry may be a good choice from a security standpoint, but generally those who want a consumer device will prefer the others for non-security reasons. Windows Phone and the other platforms may be good in future, but at present there probably has not been enough exposure to make this risk a good long term bet, especially after what happened to the TouchPad.

 

In short, our recommendation for each type of phone user:

Non-technical person: iOS (iPhone/iPad/iPod touch)

Techie: iOS/Android

Business user: Blackberry / iOS (but check what the company standard is first)

 

Note: Others have reached similar conclusions on these points; for instance see Symantec

 

Security industry veteran Steve Hunt is CTO of Neohapsis Labs.

Read more about wireless/mobile security in CSOonline’s Wireless/Mobile Security section.

 

 

Direct Link:  http://www.csoonline.com/article/696493/android-vs-ios-vs-blackberry-which-is-the-most-secure-holiday-gift-?source=ctwartcso

Dec 11, 2011
 

New Java Attack Rolled Into Exploit Kits

Krebs On Security

Nov / 2011

 

A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground. The exploit, which appears to work against all but the latest versions of Java, is being slowly folded into automated attack tools.

 

The exploit attacks a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update. Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button.

A few weeks back, researcher Michael ‘mihi’ Schierl outlined how one might exploit this particular Java flaw. Over the weekend, I stumbled on a discussion in an exclusive cybercrime forum about an exploit that appears to have been weaponized along the same lines as described by Schierl. Below is a recording of a video posted by one of the members that shows the attack in action.

 

Java exploits are notoriously successful when bundled into commercial exploit packs, software kits that can turn a hacked Web site into a virtual minefield for Web users who aren’t keeping up to date with the latest security patches.  Users would need only to browse to a booby-trapped site with a version of Mozilla Firefox or Internet Explorer that is running anything older than the latest Java package, and the site could silently install malware (according to a miscreant selling access to the exploit, it does not run reliably against Google Chrome for some reason).

Because Java is cross-platform, this attack could theoretically be used to infiltrate non-Windows systems, such as computers running Mac OS X (Apple issued its own update to fix this flaw and other Java bugs earlier this month). For now, though, I’ve only heard about it being used to target Windows PCs: It is slowly being incorporated into the BlackHole exploit kit, one of the most widely-deployed exploit packs on the market today.

Reached via instant message, the hacker principally responsible for maintaining and selling BlackHole said the new Java exploit was being rolled out for free to existing license holders. For all others, the exploit can be had for a $4,000 price tag, in addition to the cost of a BlackHole license, which goes for $700 for three months, $1,000 for six months, or $1,500 per year. The author of BlackHole also sells his own hosted solution, in which customers can rent bulletproof servers with pre-installed copies of his kit for $200 a week, or $500 per month.

 


 

I stand by my advice urging those who don’t need Java to junk it; most people who have it won’t miss it. For those who need Java for the occasional site or service, disconnecting it from the browser plugins and temporarily reconnecting when needed is one way to minimize issues with this powerful program. Leaving the Java plugin installed in a secondary browser that is only used for sites or services that require Java is another alternative.

 

Direct Link:  http://krebsonsecurity.com/2011/11/new-java-attack-rolled-into-exploit-kits/