Linkedin “Intro” iOS app…slurp slurp slurping ur emails sitting on our servers

Bishop Fox (formerly Stach & Liu), a very well-respected ICT security firm, has some issues with Linkedin and their latest app offering, called Intro. It seems that there is a bit of a risk in using this app, as it forces all the email on your iOS-based device to go through Linkedin's servers.

http://www.bishopfox.com/blog/2013/10/linkedin-intro/

If the findings of Bishop Fox are correct the implications for any data reliant business could be quite severe. Even if it is only the metadata they are looking at, it is still a gross invasion of privacy and in terms of regulatory compliance could well spell trouble as well.
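One defensive check that follows from this, as an added example and not part of the original post: audit the iOS configuration profiles pushed to corporate devices and flag any mail account whose servers are not the organisation's own. It assumes the redirection is done through a standard Apple mail payload (PayloadType com.apple.mail.managed) whose IncomingMailServerHostName and OutgoingMailServerHostName point at the third party; the profile below is constructed for illustration.

```python
"""Audit an iOS configuration profile (.mobileconfig) for mail payloads that
route a device's email through servers outside an approved list.

Added example, not from the original post. Assumption: the third-party app
installs an Apple mail payload (com.apple.mail.managed) whose incoming and
outgoing hosts are the third party's servers. The profile is constructed."""
import plistlib

# Constructed sample profile: one mail account whose IMAP and SMTP hosts
# are NOT the organisation's own mail servers.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>EmailAccountName</key><string>Work mail</string>
      <key>IncomingMailServerHostName</key><string>imap.example-proxy.test</string>
      <key>OutgoingMailServerHostName</key><string>smtp.example-proxy.test</string>
    </dict>
  </array>
</dict></plist>"""


def find_foreign_mail_hosts(profile_bytes, approved_suffixes):
    """Return [(account, key, host)] for every mail server host in the profile
    that is not one of the approved domains or a subdomain of one."""
    profile = plistlib.loads(profile_bytes)
    approved = [s.lower() for s in approved_suffixes]
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mail.managed":
            continue
        account = payload.get("EmailAccountName", "<unnamed>")
        for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName"):
            host = payload.get(key, "").lower()
            if host and not any(host == s or host.endswith("." + s) for s in approved):
                findings.append((account, key, host))
    return findings


if __name__ == "__main__":
    for account, key, host in find_foreign_mail_hosts(SAMPLE_PROFILE, ["corp.example"]):
        print(f"{account}: {key} -> {host} is not an approved mail server")
```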

This is why, when looking at new business practices like “bring your own device”, there are inherent risks that the business needs to be aware of. In this case it isn’t even a BYOD issue. It is one of trust being possibly hugely violated by Linkedin. When you look at implementing new technologies, there are reasons why you test the technology, understand the technology in some depth, and understand the implications of the technology and the security surrounding it.

Just sitting back and hitting next on the installer without some research is a path to pain.

And a possible violation of your organisation’s ICT policies.

I would also suggest looking into suitable data/email encryption technologies as a standard business practice.

PC Support Scammers – widening the business model by ripping off more people

I’m pretty much a support guy. I say this with the knowledge that something I build will either require maintenance to continue operating effectively or that it will break. So I like to ensure that what I do build is supportable. I take great pride in working with people who are also able to fix gnarly, hideous problems. Nothing is worse for a client than to lose their production systems, whereby their business starts to lose money. Huge headaches for them. One of the reasons proper fixers get paid well is because we tackle the problem with a number of tools and, most importantly, our own knowledge and skills, gained over many years of dealing with the unexpected.

What about the home user? I certainly do not expect home users to have the same use and view on computing resources as an enterprise does. I also do not expect a home user to take on people like me or my colleagues to fix their home PC. However I do expect that when they do have a problem they can turn to someone who is professional, capable and not a rip off artist.

However, when a company contacts a home user “proactively” to report an issue, that raises my ire. Most of us in ICT are aware of this scam, where a company cold calls a telephone number and scams the person on the other end by creating concerns regarding their home computer. Until recently it has usually been people with Windows machines. Well, now we can include Apple Macs on the list. The scammers are growing. This is nothing more than outright fraud.

Note – this is not pro or anti Apple, what it is is anti-scammers, who I hate as much as spammers.

The erstwhile Register has the full story here.

How high up in the list of priorities should your patching be? Tales of woe and gnashing of teeth stopping this endeavour? Or heroes on the front line?

We all know about “Patch Tuesday”, Microsoft’s release date for patches to its operating system, .NET and other software. We all have plans around this activity and many of us have processes set up to facilitate these updates. Well, ok, most of us do.

However, your ICT estate does not consist of MS alone. You will have other kit that has software running on it. You might even have Linux servers as well as switches and routers from a variety of vendors.

Do you know if these are up to date?

I recall a conversation regarding patching with a group of data centre techies and managers. We addressed the MS side quite easily and with little headache for the most part. However, after an audit, it was apparent that the Linux servers had not been patched in years, and by years I mean more than six or seven. Mainly because it was felt that they didn’t need patching when they were rolled out, Linux being considered more secure.

However, patching is not only about killing exploits. It is also about increasing the efficiency of the software as well as the hardware. So these servers were running flavours of Linux that were very much out of date and that in some cases had known vulnerabilities. All were impacted in terms of running the latest revision of firmware, drivers, and OS.

Then we have the other parts of the estate – switches, routers, firewalls, load balancers, storage devices. Certainly all these can be compromised and result in embarrassing the IT department. As IT professionals we certainly don’t want that, right?

So how do you weigh the risks? There are costs involved, obviously, as well as possible impact on production. I recall one organisation running an update on their backup software that resulted in a pretty major catastrophe by taking the storage array offline.

Keeping up to date with your vendors’ updates is vital, as is understanding what the update will do both during the update and after. Will it break applications, for example (with storage)? Will the device reboot and leave your network unprotected (firewall)? Hopefully the answer is no. However, if there is one thing that you should do, if at all possible, it is to test the updates first before releasing them. Unless it is a hugely critical security update (and even then I seriously suggest testing before release, and having a backup plan to hand for when it goes wrong) you can take the time to do this.

If you have to wait for a suitable window in which to do an update then that is ideal to also do testing. Testing tells you if the update is stable, it gives you an opportunity to learn about any changes and certainly should tell you if you can expect any major issues.

Sure, patching is a pain and no one really likes to do it because of the pain it can cause, but as indicated above there are steps that do help reduce or limit that pain. However, you need to weigh up the pros and cons as a business.

Ultimately you are protecting the business.

So is it time to drop Internet Explorer as a corporate tool?

Another month and another IE security vulnerability. The browser that just keeps on giving. To the criminal gangs able to exploit this browser.

The latest is yet another JavaScript vulnerability, as reported by AlienVault: http://www.alienvault.com/open-threat-exchange/blog/latest-internet-explorer-0day-used-against-taiwan-users

Microsoft do have a little Fix it tool out for this: http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx

Apparently a more comprehensive fix is scheduled for the next release of patches on Patch Tuesday (8th of October 2013).

Or…use Firefox with NoScript and Adblock in your corporate environment. Unless you want to be the next target for a bunch of hackers for hire.

Social Engineering gets crooks inside bank

http://www.bbc.co.uk/news/uk-england-london-24077094

It seems that a criminal group tried to access Santander via a remote device. The social engineering bit was a phoney third-party engineer who was able to gain access to the branch computers and install a device (apparently a KVM “keyboard, video, mouse” switch) that would have allowed remote access to the computers.

KVM switches are mainly used in server rooms to allow one monitor to access multiple servers located in one rack. Sometimes users will have switches like this if they have more than one physical computer but only one monitor. One question here is where the device was installed. Of course, the most pertinent question is how the engineer gained access to the branch.

Luckily for Santander the device was never activated, and that could have been down to internal procedures regarding the release of kit into live environments…as it stands we do not know.

As the story is still breaking, and although the perpetrators are in custody, there are questions here that need to be addressed and evaluated to ensure that banks, and other businesses that use third-party companies to support their ICT infrastructure, have the right measures in place to prevent such an occurrence.

What these are will be dependent on the company but there are some fundamentals that every company can follow…

  • Due diligence on the third-party company
  • Be wary of unsolicited visits
  • Do not give any information out to anyone unless you are satisfied with (and have verified) their authority
  • Train your staff on how to deal with social engineers and, more importantly, how to identify such attacks.

This is a good starting point (which also deals with phishing attacks) –

http://www.us-cert.gov/ncas/tips/ST04-014