security blog » Main Digg

iPad Security Hole

elamb.security — Thu, 02 Sep 2010 11:38:41 +0000

ipad security hole

This list of government emails is why the Department of Defense does not usually implement bleeding edge information technologies into operational environments. These DoD emails were taken from an iPad prototype and lists early adopters of the system. The iPad and AT&T had a gapping security hole dealing with Safari. The vulnerability allowed gray hat hackers the ability to harvest the e-mail addresses that iPad 3G buyers provided to activate their device.

My job as the resident “security guy” places me at the butt of jokes that serve as the passive aggressive means of venting the frustration that my co-workers feel about the strict military and DoD policies. Security is almost never appreciated until an information system’s security is broken or breached. And even then solutions only come after blame and public humiliation.

Why did so many important government figures decide to risk using the new iPad without proper military grade testing and scrutiny is the biggest question. I would expect a start up in Silicon Valley to grab an iPad the first day it comes out but not U.S. military organization in the middle of two wars.

more here:
http://money.cnn.com/2010/06/09/technology/iPad_email_breach/index.htm?postversion=2010061009
http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed

facebook privacy

elamb.security — Mon, 02 Aug 2010 04:45:48 +0000

Privacy is really important but unfortunately the default setting of Facebook and other social networks is to push out all posts, links, and media content out to everyone on your “friends” and sometimes even “friends of friends”. The problem with this is that not everyone on your “friends list” are friends. Some maybe immediate family, distant family, co-workers and while others are complete strangers.

There maybe parts of your life you want to share with family that you don’t want co-workers on your friends list to see.

With Facebook you can manage all the content that you post by creating Lists. Once the list is created you can control who has access to what you post and upload.

How to Create Facebook Friends Lists:
1) Login and go to Account | Edit Friends
2) Click on “Create New List” and make a name for your new list
3) Once you have your new list you can add people to that list

Limiting Access to Content:
Anytime you post content you will be given the option of permitting or deny certain lists of friends (or even individuals) to what you are posting. At the bottom of every post near the “Share” button, there is a lock with an arrow to a drop down featuring: Everyone, Friends of Friends, Friends, and Custom. If you click Custom, it will allow you to choose the new list you created or even specific individuals.

With this built in access control feature you have pretty good control over your privacy.

Evil Plug-ins

elamb.security — Tue, 27 Jul 2010 05:59:58 +0000

I love plug-ins! I love them on Firefox, Wordpress, Dreamweaver and now on Chrome. It has crossed my mind that some of these plug-ins could be created and distributed by very smart people with criminal or mischievous intent. But the reality of bad plug-ins didn’t hit me until I noticed a link on digg.com about Stealing Logins using Google Chrome Extensions. I am no programmer but understand enough to see how cleaver it is.

Basically, someone creates a innocent looking extension or plug-in, they distribute it and the innocent looking plug-in/extension sends your personal information to where ever.

How can a person avoid this?! I guess the safest way would be to not use ANY plug-ins and extensions.. but that is over kill.
I know that I am pretty paranoid about Wordpress extensions/plug-ins but the open source community is pretty good about peer reviewing, testing and reviewing some of the more popular plug-ins. When it comes to software I depend heavily on reviews of others who have used the product. If there are no reviews (even on forums or dev/plug-in sites), I usually consider the app to risky.

Sometimes what I do is try the app/extension/plug-in on a site/blog I don’t care as much about. In the case of browser plug-ins, I use a single trusted browser with minimal plug-ins to do important sensitive/personal transactions. Most of the stuff I do on the web does not require so much scrutiny.

Unfortunately, there is always a risk with plug-ins, apps, and extensions. All we can really do is manage the risk, by being careful and suspicious.

Thanks Mr. Grech for the knowledge.

latest scam

Sherry R — Wed, 21 Jul 2010 18:26:54 +0000

From other examples of scams I’ve seen, I believe this to be a revamped attempt (I have never had an account with this bank). The e-mail I received is below. (I received it on June 20, 2010)

From the desk of: Tony Adams
Head of Operations
International settlement Dept.
Barclays Bank plc
Private Clients & International
Murray House
1 Royal Mint Court
London
EC3N 4HH

Attn: Beneficiary,
Re:Immediate Credit Card Payment Notification
Your Name And Your Contact Details Was Given To This Office In Respect Of Your Total lnherited/Contract Sum Owed To You Which You Have Failed To Claim Because Of Either Non-Compliance Of Official Processes Or Because Of Your Unbelief Of The Reality Of Your Genuine Payment.
We wish to bring to you the solution to this problem. Right now we have arranged your payment through our Credit Card Payment Centers, That is the latest instruction from the director incharge of remittance and also check executive officer private clients and International, David Roberts.
We at Barclays Bank Plc are willing to give you the best of our services so long as you are ready to comply with our working instructions as mandated. We have been instructed by our director to issue out $250,000 in claims that has been awarded to you as part payment for the 2nd quater of the fiscal year 2010, with the 2nd batch of the payment will be duely spread out before the 3rd and 4th quaters of this year.
This Card Center Will Send To You your payment directly to you credit card account which you will use to withdraw your money in any ATM Machine in any part of the world, So if you will like to receive your funds in this Way, Please let us Know by contacting us back and re-confirmation the information as listed below:
1. Full Name.
2. Phone And Fax Number
3. Address:
4. Attach Copy Of Your Identification
Also for your information, You have to stop any further communication with any other person (s) Or Office(s) To avoid any hitches in receiving your payment.
Note That Because Of Impostors, We Hereby Issued You Our Code Of Conduct, Which Is (ATMC-202) So You Have To Indicate This Code When Contacting The Card Center By Using It As Your Subject.
Waiting For Your Response.

Yours In Service,
Tony Adams
Head of Operations
International settlement Dept.
Private Clients & International
Barclays Bank plc

Internet Dating Scam

elamb.security — Tue, 20 Jul 2010 04:19:11 +0000

Dating Scammers are parasites residing in EVERY dating site. They prey on the emotional vulnerable for your money.

I originally started elamb.org for computer & Internet security issues. I found a few useful techniques on preventing and recovering from malware. After getting scammed I got interested in the helping people avoid fraud. I have found that people all over the world have the same experience I have had with these scams.

One of the biggest scams on the Internet right now are dateing scams. Scammers seem to be having great success on the dating sites and judging from what readers have submitted to this site, I believe it has to do with two primary factors:
1) Dating sites limited ability to stop scammers
2) Members of dating sites giving lots of money to scammers

Essentially, these two factors enables Internet date scams to exist and do fairly well.

The good news is that many of the major dating sites are doing better about informing their members of the date scam pandemic. Dating sites are beginning to for put up messages before they allow members to send any message to other members. Internet dating sites are also much better about discovering false profiles and shutting them down. They have begun to allow the users the ability to spot scammers and report them immediately.

The challenge is that anyone can create a false profile. Even legitimate members can create a fictitious profile and there is nothing that can stop them, however scammers can be easily identified by their practice of mass messaging hundreds of members over and over from a false profile. The success of Internet Dating scams are dependent on their ability to cast a wide net for profile phishing for the most emotionally vulnerable members of multiple dating sites.

Even with all the scammers and fraud, dating sites are still quickly becoming the best way to find a life partners. The caution that I would offer to members of dating sites is to take things slow and be VERY suspicious of anyone asking for money online also remember that most of the scammers are from Ghana, Nigeria and Russia but that is not to say they can not come from anywhere in the world.

Find an IT Security Jobs

elamb.security — Thu, 08 Jul 2010 14:48:32 +0000

So do you have any suggestions for someone starting out in IT Security? What certifications, knowledge, training, forums, do you suggest? They will pay for the A+ cert, Network + and Security + certification. Do you have any suggestions for someone just starting out in security? After CompTia what should I focus on. Although I’m not sure yet of my final career goals, I’d like to first get a job very quickly in IT security, hopefully with the government, state, or any local government; when I say quick I mean within the next few weeks Thanks Rob for whatever info you can suggest

Hello,

If you want a job fast I would suggest checking out simplyhired.com. I would also put my resume out on Monster.com, if you have not already done so. If you want a security job the security+ is the way to go, but also consider doing a search on monster and simplyhired to look at the skills and certifications that employers are looking for. Pay particular attension to keywords and phrases that they are using. You will know the keywords/phrase because they are repeated in nearly every resume for your chosen career path and/or job title.

How I get Jobs Fast
For example, in my career “system security engineer” and “information security officer” I see the following keywords/phrases over and over: security clearance, cissp, 8500, diacap. If noticed that when I have these keywords on my resume, I get calls almost DAILY from all over the US. Here is how you can do the same:
1) Find a good job title that fits what you do or what you want to do
2) Do a search for that job title [use google, simplyhired.com, monster.com, dice.com or any other search engine/job database]
– Read through the job results and try to find keywords/phrases that seem to be in most or all of the jobs listed
3) Try to get as many of the applicable keywords/phrases in your resume
– Either have the skills required for the chosen job title or begin working toward them
– I am not suggesting that you put lies on your resume, you’ll have to look for job titles that you have experience & skills in
– Don’t mess with stuff that completely out of your league or level of expertise, be honest on your resume
– Sometimes employers will take you if you are willing to learn the skills or earn the require certification/degree in a certain time frame. Put that on your resume.
4) Put your resume [with keywords/phrases in place] online, as many places as you can

Research Employer Demand in certain locations
I am from California and I have been trying for years to find a decent job (for what I do) there. They’ve got them in southern California but almost none in Northern. California seems to be lacking jobs and then they don’t want to pay comparable to the cost of living there. I noticed that Cali has a LOT of networking jobs. If you type in CCNP in simplyhired.com for Cali, you’ll find a lot of good paying jobs. The problem is that CCNP is a very difficult certification to get (or so I’ve heard).

I would recommend checking out what sort of IT skills employers are looking for in the area you want to work. For example, even though I have lots of certifications, most of the ones that I have [that are still active lol] won’t help me for moving back to Northern California. I researched it and found that they are mostly looking for Network Engineers [as of 2006-2010] and my Cisco routing and switching skills are still developing.

Play Capitalisms Game: Start a Business
Another option is to start your own business. This may sound daunting, but believe it or not my website elamb.org qualifies as a business. It took me about 1 year to get it making money, but now it makes between $400 – 800/month without me even looking at it. It has made as much as 2k and I know people who make more in a month then many people make in a year with their blogs. It is becoming harder and harder to be an employee. Companies do the bare minimum to take care of employees, the economy goes in a recession (or worse) and hard working people can not find a job and the value of the dollar flutuates on a downward spiral. It seems the only way to be comfortable in this new “capitalism” is to have multiple streams of income.

If you are interested, start at your states business page and here

Thanks,
Rob E.

dating scam

Sharon Dodson — Wed, 24 Mar 2010 05:45:59 +0000

Have been on dating website, and been speaking to ‘american’ who supposedly is going all over the world sorting out starting his computer company ‘John jacob computer resource centre’ which needs satelite access. This man was good, i checked the flight details he gave, spoke on the phone, and everything seemed ligit. He told me his credit card would not work in Nigeria (his last port of call) and he needed to get back to England. I sent £100 just to see him through for a couple of days, then by chance saw a nigerian scam site, went on and there he was. The thing is I followed all the rules, he didnt ask for money i offered, his photos were personal not posed, his writing was fluent, had an american accent, and all the nos he gave, including a british one worked. How are they getting all these photos? Can we trace the people of the photos they use. I’m now worried as i send him photos, does that mean that my picture will be used to scam people and how do i prevent this? For information his name is john jacob, johnniejake1@yahoo.com, more publicity needs to be done to stop these people, its not only the financial burden but also the emotional burden.

OFFICAL WARNING FROM THE FBI SCAM

Gene — Wed, 24 Mar 2010 05:43:32 +0000

ANTI-TERRORIST AND MONETARY CRIMES DIVISION
FBI HEADQUARTERS IN WASHINGTON, D.C.
Federal Bureau Of Investigation.
FBI-Washington Field Office
601 4th Street, NW
Washington, DC 20535
Email: muellerfbi@w.cn
ATTENTION: Fund Beneficiary,
OFFICIAL WARNING FROM THE FBI FOREIGN REMITTANCE/TELEGRAPHIC DEPT.:
It has been discovered that your inheritance/winning/check compensation FUND was about being transferred to an unknown account under your name. This attempt was perpetrated by someone who claims to be working for you, and that you have given him due authority to have the FUND moved to the new account.
The Federal Bureau of Investigation (F.B.I.) waded in after being alerted by the supposed bank. We investigated and found that there is a possible money laundering activity in play. The FUND (US$12,000,000.00) was found to be deposited in a top bank in America in your name pending your consent to have it transferred to the new account. It was further revealed that initial FUND transfer originated from Nigeria to England and now here in a Bank in USA. These transfers did not follow due process in line with the international FUND transfer rules and regulation.
We advice you to contact us immediately, as the funds have been stopped and are being held in our custody, until you are able to provide us with a Diplomatic Immunity Seal of Transfer (DIST) document within 3 days from the Country that authorized the transfer to certify that the funds that you are about to receive are terrorist/drug free or we shall have cause to impound the payment and subsequent prosecution. We shall release the funds to you immediately we receive this legal document and make sure that you get your payment without any further delay.
Be informed that FAILURE to have this cleared out or If you fail to provide the Documents to us, we will charge you and take appropriate action against you for not proving the legality of the funds. We will not hesitate to visit the full weight of the law upon you if you do not clear this fund.
Finally, you are expected to have the CLEARANCE DOCUMENT obtain from where the FUND originated from to have you and your fund cleared. Only then shall we release your FUND as clean money devoid of any illegality, and you will be free of any involvement. To this end, you are to contact Mr. Spencer Lulu of the Anti Graft Department of Economic and Financial Crimes Commission (E.F.C.C.) Nigeria and have the DIPLOMATIC IMMUNITY SEAL of TRANSFER (DIST) CLEARANCE DOCUMENT obtained. Contact us now for further clarification.
Note that you have 72hours to obtain this crucial Documentation. This has to be cleared! You are warned!
Faithfully Yours
Robert Mueller III
FBI Director
601 4th Street, NW
Washington, DC 20535ReplyReply AllMove…InboxAboutBill StoneBlackBookEbayEtsyExtraGIRLSMy ReadingMy YearbookPaid EmailsTagged

scam by tax people there

Cheryl Black — Wed, 24 Mar 2010 05:39:06 +0000

i wiuld like to know why your inland tax is making me pay a tax on my own money. i was getting o loan from mr kalvin donald. he and the two different banks he use lied to me about every fee i paid. union bank and zenith bank. so i cancelled the loan after i sent 8805.00 in fees for a 10,000.00 loan. this is money i sent to your country now the inlandtax want me to pay a nonresident tax on it. it would be no different if i sent the money and the next day it was sent back why would i pay a tax on it. western union web site said they report to you when there is 10,000.00 or more. and when i checked with western union thet said there was no record of the money being sent. and the tax place has told me if i dont pay the tax i will lose my my they will keep it and i cant get the last two number mtcn till i pay it i have been send money to your country for 10 mons now for this loan. and the banks lied about every fee i paid. i would pay a fee with the promise there would be no more and the next day there would be another fee to be paid and the fees was not cheap. zeith bank charged over 700.00 just to transfer the money and when i called their main branch they told me they over charged me alot of money. all i want from your country now is my money back without having to send anymore money there. i just dont trust anyone there any more when they tell me they dont lie and just send the money. please answer my email dont be like the EFCC and not answer or just tell me to pay the money. i send the EFCC proof that my lender and the banks have lied and they still tell me to pay i showed the EFCC that that james cotten forged a name to a tax paper and tried to over charge me the tax was 400.00 and he tried to get over 1600.00 for the tax and because he is friends with mrs farida warizi she just told me to pay the tax of 1600.00. thats not right. the banks in your country think they can do anything and not have to answer for it. because thats what been happen for a while now and the EFCC AND THE FBI there just let them. they help them scam people like me out of money.

thank you for reading this and i hope you answer me back
CHERYL BLACK

UPDATED IA STUFF + Procrastination

elamb.security — Wed, 27 Jan 2010 07:13:40 +0000

My greatest skill is procrastination. I really am the best, most skilled procrastinator I know. It takes all of my will power to stay consistent with anything, including this blog, which is why (among other things) I am not banking like Darren Rowse or Steve Pav, two of my favorite bloggers.

YOU SEE, I am such a good procrastinator that I JUST procrastinated on getting to the REAL subject of this article, security, IA updates.

A fellow IA Analyst wrote me with questions that got right to the heart of IA… change.

She asked about AFI 33-202.
And I said:

Right as I felt I had mastered the contents of 33-202, the airforce moved to 33-210 (to replace all its C&A stuff). I believe 33-202 is now obsolete and replaced with 33-200 & 33-202 and others.. last time I was with the AF, anyway.

What about IT LEAN?
I said:

As for IT Lean, you can find that on AF Knowledge Now site and I think they have links to it on EITDR. If you are interested in IT Lean you’ll be REALLY interested in 33-210:
33-210

But if you are working with the Air Force and want more on the IT LEAN process you should be digging into AFCAP, Air Force Certification & Accreditation Program, an AF version of IT Lean.

CNSS 1253:
A lot of people also ask me to send them a copy of the CNSSI 12-53. But it is actually OUT. Its the CNSSI 1253. I, personally, have not had any clear direction (currently NO direction) on how to start moving some of the CNSSI to the systems I work on. I suspect that the Govt. will start this within the next couple of years and start phasing out DIACAP.. but who the hell knows what a bureaucracy of their size will do next!

Lastly, my fellow IA Analyst asked me about EITDR
and I said:

You’ll find the EITDR POCs on the Air Force Portal or Knowledge Now. Log on to the Air Force Portal (if you don’t have an account get one.. you may have to get sponsor by the Govt to get it). Once on the AF Portal search for EITDR and they’ll have tons of stuff on it. Waaaaay more stuff than you want to read. You’ll also find the person you need to start the EITDR process with.