Tag Archives: Data security

Phishing Gets Smaller, Smarter

It’s intriguing how phishers are targeting smaller and smaller groups. Not only does it indicate that the bigger banks and institutions are becoming more secure (or their customers smarter) but it indicates that the phishers must be employing increasingly sophisticated methods of harvesting email addresses. Or is there something else afoot?

The Bakersfield Californian yesterday reported an attack on the Kern Schools Federal Credit Union which has, according to its website, 140,000 members and 10 branch offices. That’s actually not a lot of people to target, in spamming terms. Still, up to 25 members got the email and reported it to the union. One must assume many more received it and didn’t report it. The Bakersfield paper went on to say:

As large financial organizations become better at fighting off such phishing attacks, scammers seem to be targeting smaller regional banks and credit unions. Smart phishers are finding sources of e-mail addresses and using them to get in touch with bank customers. “They’re figuring out how to beat the probabilities of targeting people,” said Peter Cassidy, secretary general of The Anti-Phishing Working Group. “I guess this is the same discipline that marketers use.”

In many cases, that’s meant targeting people whose e-mail address is public. “In the past, phishers used to go after mainstream consumer Web sites with millions of users, but now the targets are becoming much smaller and more localized,” Dan Hubbard, senior director of security and technology research at online security firm Websense Inc., said in a statement.

An interesting feature of this chapter in the phishing saga. My guess is that these attacks are from quite different gangs than the original East European/ex-Soviet groups that started all this. But I could be wrong. But here’s a thought: Could the customer data have been gathered from a data security breach? Clearly these breaches are a growing worry for financial institutions of any size, as high-profile cases have illustrated. Indeed, last December Kern hired a company called Ingrian to secure its members’ data:

“As we looked at the NCUA legislation and the ongoing incidence of security breaches taking place, we decided that it made sense to augment our existing security capabilities by implementing encryption inside our enterprise,” explained David DuBose, vice president, information technology, Kern Schools Federal Credit Union. “After evaluating the alternatives available, we became convinced that Ingrian’s approach—providing a centralized appliance that intelligently manages encryption, keys, and policies—gave us the most secure and most cost-effective way to protect sensitive data.”

I think perhaps it’s time for banks to look proactively at how many of their customers are getting targeted and see whether there is a correlation with missing data (the Privacy Rights Clearinghouse counts nearly 10 million people — Americans, I assume — whose data has been stolen or otherwise compromised this year). If there is any correlation between phishing attacks and stolen data, then perhaps banks and other institutions need to be more proactive in warning customers, rather than just posting tardy warnings or warning ‘brochures’ that are in a format (PDF) many customers won’t know how to open and way too big (3+MB) for anyone not on broadband to download.

A Directory Of Firewalls

Hardware firewalls are not included in this list. For an excellent comparison of some of these programs see PCPro’s article.

  • Kerio Blurb:  Kerio Personal Firewall (KPF) helps users control how their computers exchange data with other computers on the Internet or local network. Kerio Personal Firewall is a necessity for all desktop computers connected to broadband Internet, using DSL, cable, ISDN, WiFi or satellite modems. Within an organization, Kerio Personal Firewall prevents a single computer from attacks initiated by internal users. Remote workstations and laptops running KPF are protected from Internet born attacks. Price: Free to $45
  • Tiny Personal Firewall Blurb: Tiny Personal Firewall 5.0 (TPF5) represents the next generation security solution which integrates several protection layers for the ultimate safety of the desktop and server computer running Microsoft Windows operating system. Price: $50
  • Agnitum Outpost Blurb:  With hacker attacks, data theft and privacy violations rampant on the Internet you need a comprehensive solution to safeguard your PC. With Outpost Firewall Pro, you get award-winning firewall software that takes care of your online security needs. Price: $40
  • Intego Netbarrier (Mac version also available) Blurb:  NetBarrier 2003 was designed to protect PC users from the perils of the Internet. Its four-level line of defense provides optimal security so that you can use the Internet without leaving yourself vulnerable to its dangers. Price: $50
  • ISS BlackICE PC Protection Blurb:  This BlackICE PC Protection scans all inbound Internet traffic for suspicious activity on home or small business systems. Price: $40
  • Kaspersky Anti-Hacker Blurb:  Kaspersky Anti-Hacker blocks the most common hacker network attacks by continuously filtering incoming and outgoing traffic. The program detects most types of DoS attacks, as well as Ping of Death attacks, Land, Helkern, Lovesan and SMBDie. In addition, Anti-Hacker detects attempted port scans that often precede mass attacks. When an attack occurs a notification is immediately sent to the user. Price: $40
  • TheGreenBow Personal Firewall Blurb: TheGreenBow Personal Firewall is the first Personal Firewall made in Europe, addressing equally home/private users and professional users and corporations. Price: €35
  • McAfee Personal Firewall Blurb:  What makes our firewall special? Enhanced Intrusion Detection, a fast Setup Assistant that enables your protection in minutes and Smart Recommendations that take the guesswork out of responding to attacks. Advanced Trojan Detection helps prevent rogue desktop spyware from “phoning home” personal data. And Visual Tracing tracks hacker attacks back to the source, helping you to notify the proper authorities. Price: $40 (annual licence)
  • Norton Personal Firewall Blurb: Symantec’s Norton Personal Firewall 2004 keeps hackers out and personal data in. It makes robust firewall protection easy by automatically hiding your PC on the Internet and blocking suspicious connections. Norton Personal Firewall also protects your privacy by preventing confidential information from being sent out without your knowledge. Price: not available
  • TrendMicro PC-cillin Internet Security (comes as part of anti-virus package) Blurb: Trend Micro PC-cillin Internet Security helps make the detection and removal of viruses more precise and powerful. The enhanced Personal Firewall helps prevent intrusion from hackers and the new breed of Network Viruses. Trend Micro Damage Cleanup Services can now be triggered as soon as a virus is caught to keep your system functioning properly. Price: $40 per year
  • Sygate Personal Firewall Pro Blurb:  Small-Medium Businesses and Consumers need leading edge protection for their computers and workstations to protect their valuable information and keep unwanted hackers out. Our Award-winning Sygate Personal Firewall Pro includes a comprehensive Intrusion Protection System (IPS) which includes IDS, DoS protection, and Trojan protection which sets this program high above other personal firewall solutions. Price: $40
  • ZoneAlarm Blurb:  Easy-to-use firewall blocks hackers and other unknown threats. Stealth mode automatically makes your PC invisible to anyone on the Internet. Price: free to $50

Let me know of any I’ve missed or any errors.

The Bluesnarfing Skeptics

Is Bluesnarfing the big problem it’s made out to be?

“Traditionally,” wrote Guy Kewney of eWeek earlier this month, “security consultants have made a passable living by frightening ignorant managers with security holes. Then they charge money to fix them.” He then takes a look at bluesnarfing, which regular readers of this blog and the column will already be familiar with. His conclusion: Such concerns are “a load of hooey”. Here’s why:

  • Range: “You have to get to within a few paces of the phone you want to raid because the effective range of Bluetooth is said to be about 30 feet … in clear air, not in a crowded room”;
  • Phone ID: “You have to identify the phone correctly. You won’t see ‘I’m Tony Blair’s phone full of secrets!’ in nice helpful letters; you’ll see the make of the phone”;
  • Affected brands: “The phone also needs to be vulnerable to attack…affected phones, which so far are limited to Nokia, Ericsson and Sony Ericsson handsets”;
  • Tools: “you have to have a PC. I doubt there are more than 10 people in the world who could be bothered to create one, and they are almost certainly all security consultants”;
  • Results: “what do you get? A list of phone numbers?”

Guy sees such ‘news scares’ as intended to “convince a large group of people that the guy who discovered the ‘security loophole’ is a genuine expert in the field (true) and it may frighten some of them into hiring this expert to do security work for them.”

OK, let’s take a look at Guy’s points. The first one, range, is pretty simple. Bluetooth doesn’t have a range of 30 feet (10 meters); it has a range of up to 100 meters, depending on which class of Bluetooth gadget you’re talking about. But the problem is not the range of the targeted gadget, but of the attacker’s. Adam Laurie, the guy who first publicised this, has used off-the-shelf components plugged into a laptop to get a range of 80 meters and reckons with antennae it could go much further.

The second issue, Phone ID, is somewhat misleading. While it’s true Tony Blair is unlikely to have had the time or interest to alter his phone’s default name (usually the model name) to one more personal, the attacker is unlikely to be snarfing around for an exact model name. He is going to gobble up all the vulnerable Bluetooth device data he can find and then later, if he needs to, try to match data to individuals via, for example, the SMS sender field in any outgoing SMS/text messages. This field would reveal the telephone number of the target (thanks Martin Herfurt for clarifying this.)

Affected brands: While it’s true that not all phones are affected, Nokia remains the single largest player in the UK (where eWeek is writing from) with nearly 30% market share in the first quarter of this year. Sony Ericsson has nearly 6%. And while not all models from those manufacturers are vulnerable, that’s still a lot of handsets.

Tools: Yes, it’s unlikely you’d be able to mount a successful attack without a laptop, a Bluetooth dongle, and some technical idea of what you’re doing. But it’s naive to suggest that it’s only going to be security consultants doing this kind of thing. The Bluesnarfing problem is one of data theft, which means its most likely users are folk in the data theft business, either for commercial purposes or criminal ones. Sure you’re going to get a few techheads doing it for the hell of it, but the most likely threat is commercial espionage, and those guys are pros. Just because you can’t imagine someone doing it, doesn’t mean a criminal can’t.

Results: This again reflects the limited imagination of the writer. Basically any information can be stolen from a cellphone via snarfing. This not only includes contacts — in themselves potentially valuable — but also any notes stored there, such as safe combinations, passwords, PIN numbers. In any case, Bluesnarfing is not just about data. It can also involve hijacking the user’s phone to make a call without their knowledge. The ability of someone remotely to use your phone to dial a number and talk — which then appears to the recipient to be coming from your phone — raises all sorts of problem scenarios, but I’ll leave those to your imagination.

It’s not a new mantra, but it’s worth repeating: Just because we can’t think of how someone might benefit from these kinds of security holes doesn’t mean someone else can’t. Sure, there are plenty of pseudo-security problems out there, and it’s good to be skeptical, but as long as the manufacturers don’t address it, Bluesnarfing is a real one, seriously compromising the security of your cellphone. As cellphones, PDAs and cameras merge into smartphones this problem can only become more acute.

It’ll Soon Be Firewall Day

This Thursday, in case you didn’t know, is Personal Firewall Day. I was pretty excited about the idea too until I realised there were no parades and opportunities to dress up. Still, it’s a great way of trying to persuade people that having a firewall in place on your computer is no longer a luxury, or something that nerdy types do. Everyone needs a firewall. ZoneLabs, who make probably the best (and free) firewall on the market, point out that

— Vast numbers of home and business computers are unprotected while on the Internet. In fact, many consumers upgraded to new computers over the holidays–they need to be quickly protected with the latest patches and security updates, or they’ll be vulnerable right out of the box.
— The FTC reports 9.9 million cases of identity theft in the U.S. last year, making it the fastest growing crime in America, affecting an estimated 500,000 to 700,000 people per year.

The bottom line is that it’s very easy to get infected — within seconds, literally, of connecting to the Internet — and it’s very hard to get uninfected. Future versions of Windows — including the next XP ‘service pack’, which ships this year — will have a firewall activated by default, so this problem may not be around that long, but it pays to be safe.

Mail: Some Mac Tips

This from Graham Holliday, a Mac user, on some Mac alternatives to what I’ve been discussing in previous weeks:
Owning a Mac really is the first step for any serious antivirus activist it would seem…. “Mac users face just 50 recognized viruses today, while PC users have 85,000 threats to their security. London-based firm mi2g says: ‘Mac customers running Mac OS X, an implementation of BSD, benefit from BSD’s proven reputation as being one of the most secure operating systems available.’” [MacWorld]
When you mention one of your favourite topics (firewalls), you often mention Zone Alarm. You might also like to mention the free (shareware) for Mac Brickhouse. Macs have an inbuilt firewall, but this makes it easy to set up for normal tech-averse folk.
BTW found Mac RSI software here.
Thanks, Graham. Very helpful.