Thursday, August 9, 2012 - 13:23

Last Friday, Mat Honan (writer for Wired and Gizmodo) had his digital life destroyed. Hackers, whose only desire was to take over Mat's three-letter Twitter account, gained control of his Google, Twitter and Apple accounts by social engineering the customer support staff at Apple and Amazon. Mat has detailed the story of how the hack happened (he was ultimately able to talk to the hackers involved). In summary, the attackers contacted Amazon and Apple customer service, gained control of Mat's Apple accounts and then were able to gain control of Mat's Gmail and Twitter accounts. (Mat's Twitter account used the same password as his Gmail account.) The hackers deleted Mat's Gmail account, began sending out offensive messages on his Twitter account, and used Apple's "Find my Mac/iPhone" feature to remotely erase Mat's laptop and iPhone.


There are numerous lessons we can take away from this incident. First and foremost, companies like Apple and Amazon have a responsibility to better protect customer data and to do a better job of validating customers when they call in for help. The fact that Apple allowed a password reset on Mat's account based on nothing more than a billing address and the last four digits of a credit card should be deeply concerning, considering how easy that data is to obtain. (The hackers were able to get this information from Amazon in the space of two or three phone calls.) Both Apple and Amazon have since suspended over-the-phone password reset requests.


Second, there are things we can do to reduce both the likelihood of this happening and the impact if it does. In Mat's case, had he been using Google's two-factor authentication for email access, the hackers would have failed. Wired has a comprehensive list of steps one can take, but here are a few to consider.


  1. Use two-factor authentication on your Gmail accounts.
  2. Use unique, strong passwords for different accounts. This can get difficult to track, so think about using a password manager like KeePass, LastPass, or 1Password.
  3. Don't link accounts together. For example, if you have two Twitter accounts, log into them separately. Don't combine them.


Friday, July 6, 2012 - 08:21

Last November the FBI and Estonian authorities took down a cyber criminal ring operating a botnet that altered users' DNS settings with malware called DNSChanger. Since then, the FBI has continued to manage the botnet's network and attempt to notify individuals who were infected. As of today, there are approximately 300,000 systems still infected.


The FBI will be turning off the botnet on Monday, July 9. When they do so, computers that are still infected will no longer be able to access the Internet. Over the past 8 months, in an effort to help Duke users remove the malware, the Duke University IT Security Office and Duke Medicine Information Security Office have notified any students, faculty and staff who reportedly have the DNSChanger malware installed on their computers.


We would encourage anyone who is concerned about possibly being infected to visit http://www.dcwg.org/ and run the detection tool to validate the state of your system. If you are infected, there are several options on the "Fix" page to help you restore your system to working order.
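The check the detection tool performs boils down to one question: do the DNS servers your computer is configured to use fall inside the address ranges the criminals controlled? The script below is an added example for this post, not the DCWG tool or anything from the Security Office. It reads a resolver configuration (resolv.conf-style text on Linux/macOS, or `ipconfig /all` output on Windows), pulls out the configured nameservers and flags any that fall inside a list of suspect ranges. The ranges in the script are placeholders taken from the RFC 5737 documentation blocks, and the sample configurations are constructed; to use it for real you would substitute the rogue ranges published by the FBI and DCWG.

```python
"""Flag configured DNS resolvers that fall inside suspect address ranges.

Added example; not the DCWG detection tool. ROGUE_RANGES holds placeholder
networks from RFC 5737 documentation space, not the real DNSChanger ranges.
"""
import ipaddress
import re
import sys

# Placeholder ranges: substitute the ranges published by the FBI/DCWG.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in
                ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample inputs (not captured from a real machine).
SAMPLE_RESOLV_CONF = """# constructed sample of /etc/resolv.conf
nameserver 192.0.2.10
nameserver 8.8.8.8
search example.edu
"""

SAMPLE_IPCONFIG = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def _to_ip(token):
    """Parse an address token, ignoring an IPv6 zone suffix; None if invalid."""
    try:
        return ipaddress.ip_address(token.split("%", 1)[0])
    except ValueError:
        return None


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        m = re.match(r"^nameserver\s+(\S+)$", line)
        if m:
            ip = _to_ip(m.group(1))
            if ip is not None:
                servers.append(ip)
    return servers


def parse_ipconfig(text):
    """Return DNS server addresses from `ipconfig /all` output.

    The first address follows 'DNS Servers ... :'; extra servers appear on
    indented continuation lines holding only an address.
    """
    servers = []
    collecting = False
    for raw in text.splitlines():
        line = raw.strip()
        if collecting:
            ip = _to_ip(line)
            if ip is not None:
                servers.append(ip)
                continue
            collecting = False                       # continuation block ended
        if line.startswith("DNS Servers") and ":" in line:
            collecting = True
            ip = _to_ip(line.split(":", 1)[1].strip())
            if ip is not None:
                servers.append(ip)
    return servers


def find_rogue_resolvers(servers, ranges=ROGUE_RANGES):
    """Return the resolvers that fall inside any of the suspect ranges."""
    return [ip for ip in servers if any(ip in net for net in ranges)]


def scan_resolver_config(text):
    """Detect the format, extract resolvers and return (all, flagged) as strings."""
    servers = parse_resolv_conf(text) or parse_ipconfig(text)
    flagged = find_rogue_resolvers(servers)
    return [str(s) for s in servers], [str(s) for s in flagged]


if __name__ == "__main__":
    # Pass a path to a resolv.conf or saved `ipconfig /all` output; otherwise
    # the constructed samples are scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            inputs = {sys.argv[1]: fh.read()}
    else:
        inputs = {"sample resolv.conf": SAMPLE_RESOLV_CONF,
                  "sample ipconfig": SAMPLE_IPCONFIG}
    for name, text in inputs.items():
        servers, flagged = scan_resolver_config(text)
        print(f"{name}: resolvers={servers} flagged={flagged}")
```

On a Linux or macOS machine you would run it against `/etc/resolv.conf`; on Windows, save `ipconfig /all > dns.txt` and pass that file. A non-empty flagged list means the resolver settings point at the suspect ranges and the system should be cleaned following the "Fix" page.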


If you have any questions about DNSChanger, please feel free to contact the Security Office at security@duke.edu.


Friday, June 29, 2012 - 10:53

Are you using social networking tools such as Facebook and Foursquare? Have you reviewed your privacy settings recently?


If you haven't, you may want to take the time to do that now. Facebook, Twitter, Foursquare and many other social networks all have default privacy settings of "Public". Everything posted with the default public settings is readable by the world. This means not only that anyone can read it, but also that everything you post can be easily indexed and aggregated by other sites. A recent example has made the potential consequences of this plain for the world to see.


Enter WeKnowWhatYoureDoing.com.


The site indexes public Facebook status updates containing key phrases or words. It can tell you who hates their boss. It can tell you who's hungover. It can tell you who's using drugs right now. It can tell you who just got a new phone number. It can even show you who's home and where that home happens to be. Thankfully the creators of the site are doing it for demonstration purposes and are sanitizing the information somewhat. There's no reason they have to do this, however. They're just being kind in their demonstration.


Want to avoid seeing your updates on the site? Here are a few tips:

  1. Check your privacy settings. Often. - Make sure you know what information you're making public. Check every privacy setting and make sure you understand exactly what it does. Click through all of the menus on sites like Facebook. Do this regularly, because Facebook will change these settings from time to time without notice. (For example: photos from mobile phones recently became public by default on Facebook because of a change Facebook made to one privacy setting.) On other sites like Twitter, privacy is a binary option. It's either on or off with no in between. If you decide to leave your privacy settings off, move on to the next tip.
  2. Filter yourself. - If you're posting public updates on any site, or even if you're only posting "private" updates, think twice before you post. The Internet is forever. Once you've put it out there, if a site like Google or the Wayback Machine indexes it, there's no taking it back. Countless celebrities and businesses have been burned by Twitter updates in the last year when they've said too much, deleted the information and then found hundreds of screenshots were taken in the few seconds before they could hit delete. Not only is the Internet forever, it's also really fast.
  3. Privacy on social networks is a misnomer. - Even when you're posting private updates, consider the point of the tool you're using. It's meant to be social. It is meant to spread information quickly and easily to a lot of people. If you're posting something you don't want everyone to know, consider how much trust you're willing to place in each person you're connected with. In the case of Facebook, consider how much you trust the friends of friends. Your information is only as private as your friends choose for it to be.
  4. Remember who their customers are. - This is something we harp on in our office. It is important to understand who the customers of these social networks are. The easiest way to do that is to follow the money. How much money did you pay to join Facebook? Twitter? Foursquare? That's right, you didn't pay anything, which means that you are not the customer. You are the product. More specifically, your information is the product. Consider that every time you put a new piece of information into one of these networks. Think about how you'd feel if that information were packaged and sold.


Social networks can be fun and useful tools. However, as sites like WeKnowWhatYoureDoing.com illustrate, they require users to be aware and knowledgeable about what they're submitting to these networks. Be careful out there! The world is watching.
