Category Archives: security

Beware sexy honeybots spear phishing on social media

220px-Robin_SageIf your connected life includes access to sensitive, proprietary or confidential information, be thoughtful about who you friend, follow or connect to online.

When fake femme fatale can dupe the IT guys at a government agency, you could also be spear phished.

If this all sounds familiar, you might be thinking of “Robin Sage,” when another fictitious femme fatale fooled security analysts, defense contractors and members of the military and intelligence agencies around the DC area.

Everything is new again.

[Image Credit: Wikipedia]

Leave a comment

Filed under blogging, security, social media, technology

Apple releases first transparency report on government requests for user data

Apple, one of the least transparent companies in the world, has released a transparency report on government requests for user data.(PDF). Requests from the United States of America dwarf the rest of the world — and that’s without including the ones that Apple cannot tell us about, due to gag orders and National Security Letters.

apple-transparency-table

Notably, Apple has indicated that it will join other tech companies in seeking the ability to disclose such requests:

“We believe that dialogue and advocacy are the most productive way to bring about a change in these policies, rather than filing a lawsuit against the U.S. government. Concurrent with the release of this report, we have filed an Amicus brief at the Foreign Intelligence Surveillance Court (FISA Court) in support of a group of cases requesting greater transparency. Later this year, we will file a second Amicus brief at the Ninth Circuit in support of a case seeking greater transparency with respect to National Security Letters. We feel strongly that the government should lift the gag order and permit companies to disclose complete and accurate numbers regarding FISA requests and National Security Letters. We will continue to aggressively pursue our ability to be more transparent.”

Apple did break new ground with the report, as FT reporter Tim Bradshaw observed: it was the first to disclose requests for device data.

device-data-requst

The U.S. government leads the rest of the world in device data requests by law enforcement as well, though not by as wide a margin: Australia, the United Kingdom, Singapore and Germany have all made more than 1000 requests, according to the disclosure.

Be careful about what you put in that iCloud, folks.

Apple’s transparency report ends with an interesting footnote: “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.”

For those unfamiliar with that part of the law, it has been the subject of intense criticism for years from privacy and civil liberties advocates, particularly since the disclosures of mass surveillance of U.S. telecomm data by the NSA entered the public sphere this past summer.

3 Comments

Filed under journalism, security, technology

Hi! Click here to stop from getting phished on Twitter

Today, Twitter finally started rolling out dual-factor authentication for its users. Twitter will allow users to use text messaging to a mobile phone to confirm their identity upon log-in.

In a post and accompanying video on the company blog, Twitter product security team member Jim O’Leary (@jimeo) explained how Twitter’s version of 2-factor authentication will work:

…when you sign in to twitter.com, there’s a second check to make sure it’s really you. After you enroll in login verification, you’ll be asked to enter a six-digit code that we send to your phone via SMS each time you sign in to twitter.com.

To get started, visit your account settings page, and select the option “Require a verification code when I sign in”. You’ll need a confirmed email address and a verified phone number. After a quick test to confirm that your phone can receive messages from Twitter, you’re ready to go.

Twitter has lagged behind Google, Microsoft, Facebook and institutions that allow online banking in providing this additional layer of protection. It’s showed: Twitter has been plagued by phishing scams for years.

Recently, however, high profile hacks of Twitter accounts at the Associated Press, the Financial Times and The Onion have put more focus on adding this feature. As Twitter adds more e-commerce deals and becomes more integrated into politics and business, improving security will only become more important.

Today’s announcement is a much-needed improvement. Here’s hoping it gets rolled out quickly to the hundreds of millions of users who can’t get someone at Twitter on the phone after they clicked on the wrong link.

Hat tip: The Verge

2 Comments

Filed under article, government 2.0, journalism, microsharing, security, social media, technology, Twitter

Hacks at Twitter, New York Times, WSJ and Washington Post highlight need for better security hygiene

email_header_710Earlier tonight, I received an email I would just as soon not have gotten from Twitter, along with 250,000 Twitter users who had their password reset. Twitter security director Bob Lord explained why I’d received the email on the company blog:

“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”

Mike Isaac has been following the story the hack at Twitter at AllThingsD, if you want the latest news tonight.

After the password reset, I went through revoked Twitter authorization access to a number of unused apps, something I’ve been doing periodically for years now. That habit is among Twitter’s security recommendations.

I’m thinking about other social media accounts now, too. Shortly after Nicole Perloth began covering IT security for the New York Times, she shifted her practices:

“Within weeks, I set up unique, complex passwords for every Web site, enabled two-step authentication for my e-mail accounts, and even covered up my computer’s Web camera with a piece of masking tape — a precaution that invited ridicule from friends and co-workers who suggested it was time to get my head checked.”

She talked to two top-notch security experts and wrote up a useful list of good digital security practices. Unfortunately, it may be that it takes getting hacked and embarrassed (as I was on Twitter, on Christmas Eve a couple years ago) to change what how people approach securing their digital lives.

I don’t recommend that sort of experience to anyone. I was lucky, was tipped nearly right away and was able to quickly get help from the remarkable Del Harvey, head of the Twitter Safety team.

It could have been much, much worse. I’m thinking of Mat Honan, a Wired journalist who experienced an epic hacking that came about through a chain of  compromised accounts at Amazon, iTunes, Gmail and Twitter. After a lot of work, Honan managed to recover his data, including some precious pictures of his child. In the wake of the hack, he turned on 2-factor authentication on Google and Facebook, turned off “Find my” Apple device, and set up dedicated, secret accounts for password management. Honan isn’t alone in the tech journalist ranks: he just happens to have a bigger platform than most and was willing to make his own painful experience the subject of an extensive story.

A jarring reality is that even people who are practicing reasonably good security hygiene can and do get p0wned. Unfortunately, the weakest point in many networks are the humans — that’s reportedly how Google ran into trouble, when key employees were “spear phished” during “Operation Aurora,” targeted with social engineering attacks that enabled hackers to access the networks.

The last paragraph of Lord’s post suggests that a similar expertise was at work at Twitter, although he does not specify a source.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”

It’s been true for a decade but it’s even clearer in the second month of 2013: practicing basic information security hygiene is now a baseline for anyone else online, particularly those entrusted with handling confidential sources or sensitive information.

Chris Soghoian was clear about the importance of journalists and media companies getting smarter about keeping sources and information safe in 2011. Tonight, I am not sanguine about how much has changed since in the news industry and beyond.

Two days ago, the New York Times disclosed that hackers had infiltrated …the New York Times. The next day, The Wall Street Journal has disclosed similar intrusions. Earlier today, Brian Krebs reported that the Washington Post was broadly infiltrated by Chinese hackers in 2012. The Post confirmed the broad outlines of an attack on its computers.

If you’re a journalist & you’re not using a password manager+unique, long random passwords per website: stop, install and configure one now.

— Christopher Soghoian (@csoghoian) February 2, 2013

If you have a moment this weekend, think through how you’re securing your devices, networks and information. If you use Twitter, visit Twitter.com and update your password. If you haven’t turned on 2-factor authentication for Facebook and Gmail, do so. Update your Web browser and use HTTPS to connect to websites. disable Java in your Web browser. Think through what would happen if you were hacked, in terms of what numbers you would call and where and how your data is backed up. Come up with tough passwords that aren’t easily subject to automated cracking software.

And then hope that researchers figure out a better way to handle authentication for all of the places that require a string of characters we struggle to remember and protect.

3 Comments

Filed under journalism, security