The Streetwise Security Zone Podcast Episode 11 – April 5, 2010

(Click the Play button above to hear the podcast, Click the down-arrow to download, or click the iTunes link to the left to subscribe)

This Episode's Topics:

1 – Recent developments in the Streetwise Security Zone Podcast and Townhall
2 –Article in CSO Online Magazine  by Joan Goodchild on “10 reasons to quit Facebook”
3 – Case study of a financial institution breach that started with a compromised Facebook account
4 – A business strategy for using social media more securely (my views)
5 – PDF reader vulnerabilities are a big risk
6 – The arguments for and against reliance on standards compliance
7 – Social engineering threats from stolen accounts in Email and Facebook

1 ) Recent developments in the Streetwise Security Zone Podcast and Townhall

Due to technical difficulties, my plan to do a separate weekly live Townhall session that has recorded video for future viewing is not working out as well as I’d planned. So, for now, I’m going to combine the audio podcast recording with the live Townhall sessions that I try to do on Monday afternoons at 4pm Eastern. So, the video will not be recorded, but the audio will. This way, I can incorporate any comments or questions from the chat room as they come up, and it will all be available in audio form eventually in the podcasts. I don’t always get to publish the audio podcast right away and I have a number of episodes nearly completed that will be put up in the next few days. As always, comments are appreciated.

2) "10 Security Reasons to Quit Facebook" - The article by Joan Goodchild of CSO Online Magazine that included comments from Tom Eston and myself on the security reasons why baby-boomers are starting to quit Facebook, and one reason they may be staying. Here’s a link to the article:

http://www.csoonline.com/article/584813/10_Security_Reasons_to_Quit_Facebook_And_One_Reason_to_Stay_On_

3) Case study of a financial institution breach that started with a compromised Facebook account

It’s a very interesting story with some challenging implications for corporate security managers. Here’s a link to my post in the Social Media Security blog:

http://socialmediasecurity.com/2010/03/23/we-use-layered-safeguards-but-so-do-attacker/


4) A business strategy for using social media more securely

This is a little rant I did on how we need to use the concept of Zoning for corporate IT security a little more explicitly for social media usage by employees. It has a lot to do with recognizing that it may not be wise to allow everyone in the organization carte blanche and free reign in using the public social media tools like Facebook and Twitter in ways that can impact the organization – whether it’s posting or reading of articles or content. People in different roles should have different policy constraints and depending on what computers they are using, might have different technical constraints on being able to reach these sites. But there is also an opportunity to use other types of Web 2.0 solutions to achieve the business’s goals and allow younger employees to have the experience of using social media, but in more focused and controlled environments.

I encourage business managers to contact me about how I might be able to help with safely developing this type of progressive strategy in their organization.

5) PDF reader vulnerabilities are a big risk

PDF files have been a security problem for quite a while now, in that the Adobe Reader (and even other PDF readers like Foxit) are very powerful, but have not really been built with safeguards to protect the user’s computing environment. As a result, it’s often possible for attackers to create “malformed” or “malicious” PDFs that cause the reader to do things that put the user’s system at risk. Recently, it’s been demonstrated that the Adobe reader can be used to launch external applications in a way that would allow an attacker to load malware onto a user’s machine.

Here is a link to Steve Gibson’s Security Now Episode 243, that cover these risks in more detail:

http://www.grc.com/sn/sn-243.htm

And there are a couple of quick tips for Adobe Reader users that will probably reduce your risks when using this software:

1)    In the Adobe Reader preferences (Edit / Preferences on Windows versions; or Adobe Reader / Preferences on Apple Macs), click on the “Javascript” sidebar link, and uncheck the “Enable Javascript” checkbox. Javascript has very few legitimate uses in the Adobe Reader, but many security risks are related to this option.
2)    Also in the preferences window, click on the “Trust Manager” link in the sidebar, and uncheck “Allow opening of non-PDF     file attachments with external applications.” This is the most recent risk described in the two article links above.

Do also allow automatic updates for Adobe products. They often have critical security fixes in them that should be implemented as quickly as possible.


6) Arguments for and against reliance on standards compliance

The bottom line is that standards compliance is usually a good place to start if you expect that security is weak. It can strengthen a lot of areas without having to do much analysis. The downside of relying on compliance only (as opposed to doing full risk assessments for networks and systems) is that it is possible to be fully compliant with any standard and still have serious security vulnerabilities. So I recommend a mix of both standards and risk-based approaches.

This is inspired by the Threatpost.com article by Dennis Fisher listed here:

http://threatpost.com/en_us/blogs/security-programs-focusing-too-much-compliance-study-finds-040510

7) Social engineering threats from stolen accounts in Email and Facebook

It’s becoming more common now that a compromised Email or Facebook account will result in an attempt at scamming friends or contacts. Attackers will scan contacts to see who might be susceptible to an urgent request for assistance in the form of wired money (i.e. “Help, I’ve been robbed in Europe and need money for a hotel and airfare.) It’s very easy to scan emails and contact lists to put together a credible scenario that can pay off very well before anyone notices.

So, don’t ever take significant action based on information from one Internet source like an email or Facebook message. Always try to verify through some other means before sending money.

Have you thought lately about how you or your team will get the job done securely? Do you really need to expose your sensitive assets to 400 million strangers on a public social media site? Contact me if you'd like to discuss how you can use modern information sharing technologies without exposing ALL your data and systems to unnecessary risks.

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: [email protected]
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.