Government Gmail Use: Is It Wise?

I saw this excellent article by Paul Strassman (writing a guest post for Larry Dignan) at ZDNet. I admit, though- I did not know that government officials– in this case, the Department of Defense– use Gmail for their government correspondence. Holy cow!

Federal Chief Information Officer Vivek Kundra has been a consistent advocate of increasing the government’s use of commercially available technologies, such as Gmail. In fact, as the District of Columbia’s chief technology officer, Kundra implemented Google Apps, including Gmail, for all District employees.

A number of Department of Defense (DoD) organizations are already using Gmail. Meanwhile, Google has made secure Gmail the default choice in light of the cyberattack the company detailed on Tuesday.

…Once you can wiretap, you can eventually figure out how to distinguish Gmail traffic from other traffic, and reverse engineer how Gmail data is replicated across servers.

There is no defense against a hostile party with full physical access to your server room. That is why Google’s only logical option is to withdraw all physical servers from China.

There are two Google data centers in China, almost surely co-hosted on shared facilities and not owned by Google. Similarly, there is a co-hosted facility in Russia. Unless a facility is owned and operated by Google it would be always suspect, and even then it would not qualify to operate DoD classified mail.

DoD should therefore not consider Gmail as a viable option because it cannot be trusted. Only a secure DoD Private Cloud, isolated from the Internet, can be seen as an acceptable option.

It’s a contentious issue- the comments on the post are filled with such incredulity as I express. And an update to the post was issued later today, when a Google spokesman spoke out:

The premise of Mr. Strassman’s post is without merit: there’s no need to withdraw servers that store Gmail information from China because there aren’t any there.

I think Mr. Strassman’s post IS merited… because while Mr. Strassman does mention the recent cyberattack on Google’s Gmail as an impetus for moving DoD mail away from Gmail, the premise IS that the DoD, and truly all government offices, should have their own secure email system outside of the “cloud” maintained by global business. It’s just good sense. It blows my mind that the DoD has email with Gmail! Doesn’t the government have their own system?! It mirrors the same bafflement that I have regarding the SSL issues with online banking websites– their security is pitiable, whereas my photo-sharing account is tighter than a drum. Crazy!


Banks Need to Tighten Online Security

This news does not surprise me. I have long lamented the weak security measures of banks and credit card companies. For one, I am astounded that banks require you to make weak passwords– 8 to 10 characters, all letters and/or numbers. That is SO easy to crack! My Photobucket account has a better password than my bank online account.

Banks have recently tried using “one-time” passwords for “added” security. But the news is that hackers find these a piece of cake:

Security measures such as one-time passwords and phone-based user authentication, considered among the most robust forms of security, are no longer enough to protect online banking transactions against fraud, a new report from research firm Gartner Inc. warns.

Increasingly, such measures are overwhelmed by online criminals looking to pillage bank accounts using valid login credentials stolen from customers, the report said.

Going forward, banks need to quickly implement additional layers of security to protect their customers from falling victim to online fraud, said Avivah Litan, Gartner analyst and the report’s author.

Gartner’s warning comes amid a sharp uptick in fraud involving the exploitation of valid online banking credentials. In August, NACHA- the Electronics Payments Association issued an alert, warning members about attacks involving the theft of online banking credentials, such as usernames and passwords mostly from small- and medium-size businesses. Cybercriminals used the stolen credentials to take over corporate accounts and initiate unauthorized transfers of funds via electronic payment networks, NACHA said in its warning. NACHA, with more than 11,000 financial institutions as members, oversees the Automated Clearing House (ACH) electronic payments network.

Just a few days earlier, a similar alert was sent to members of the Financial Services Information Sharing and Analysis Center. The alert identified organized cybercrime groups in Eastern Europe as predominantly responsible for illegally siphoning millions of dollars off corporate accounts and sending the money overseas via popular money and wire transfer services.

Last month, the FBI’s Internet Crime Complaint Center noted that as of October, cybercrooks had attempted to steal approximately $100 million from U.S. banks using stolen log-in credentials. On average, the FBI is seeing several new cases opened each week, the complaint center said. In most instances, the crooks used sophisticated keystroke logging Trojan horse programs to steal login credentials from company employees authorized to initiate funds transfers on behalf of the business, the FBI noted.

I am suspicious as to why banks and credit card companies are SO SLOW to adopt tighter security. With the technology and ability already out there, why are banks not taking advantage of it? Why are they so reticent to make our money and transactions more secure?

Posted in business services, crime, security news.

Hackers Prefer Opera

This news isn’t very surprising, not to me, an Opera fan:


One-in-four hackers runs Opera to ward off other criminals

Hackers using multi-exploit attack “toolkits” take defensive measures of their own against other criminals, a security researcher said today.

“Exploit kit operators do use mainstream browsers, but they’re much more likely to use Opera than the average user, because they know that the browser isn’t targeted by other hackers,” said Paul Royal, a principal security researcher with Atlanta-based Purewire.

While the most generous Web measurements peg Opera, a browser made by Norwegian company Opera Software, at a 2% share of the global market, 26% of the hackers who Purewire identified use the far-from-popular application.

Because of its small market share, few hackers bother to unleash exploits for Opera vulnerabilities, said Royal.

Purewire obtained this insight, and others, by infiltrating hackers’ systems using a bug in the analytics software included with a pair of hacker toolkits, notably one dubbed “LuckySploit,” said Royal. “We forged a ‘refer’ field and put in a little JavaScript,” he explained, “and that revealed the hackers to us via their IP addresses.”

So basically, a group of security experts put out some bait for hackers– exploit tool kits with some JavaScript code. The hackers went for it, and their computer information was sent back to the security group. Besides grabbing IP numbers and country of origin where they could, the security group saw that hackers use the Opera browser. It’s safer than the other browsers (Firefox, Internet Explorer, etc). But it’s not that Opera is BUILT any safer than the others– it’s safer only because so few people use it that it’s not worthwhile to attack or exploit it.

Well, if it works for me… ! I guess I’ll even take a left-handed mode of safety, as long as it’s safety.

Also– no browser is really, really safe. A browser is an open door to your computer, just because by necessity there must be that transfer of information between Internet servers (where the websites for you to surf sit) and your computer. There are things you can do to minimize that risk of intrusion: use a firewall; use an anti-virus and keep it updated; don’t use the Internet Explorer browser; avoid risky sites (such as music sites, viral video sites, etc); turn off ActiveX, JavaScript, and image rendering. Some of these are extreme measures- it’s really up to you to determine your risk.


Serious Twitter Vulnerability Still Not Fixed

If you Twitter, this news article will be of significant importance to you. Basically, there’s a security vulnerability with the Twitter software/website, where a hacker could easily gain control of your account. Twitter announced a fix for the vulnerability a few weeks ago, but apparently it didn’t work. This is from eWeek:

A cross-site scripting vulnerability affecting Twitter security is still open despite the microblogging service’s attempt at a fix, a software developer says. If exploited, the bug could enable an attacker to take over a victim’s Twitter account.

A software developer is claiming Twitter’s fix for a critical cross-site scripting bug is no good, meaning users are still vulnerable to an attack that could allow an attacker to take over their accounts.

The bug was first reported by techie James Slater. According to Slater, the vulnerability allows malicious JavaScript to be inserted into tweets by adding the code to a field of the API used by Twitter developers. By embedding links in tweets, developers can direct Twitter users to their Websites.

More information on the Twitter vulnerability can be found here. At the heart of the issue seems to be that Twitter’s API does not filter malicious URLs.

“Twitter made one of the most basic mistakes in developing Web applications—never blindly trust data that is provided from the outside world! Their form did no—or some very, very basic—checking on what you enter in the box,” Slater wrote.

He said although Twitter claimed to have fixed the problem after he pointed it out in a blog post Aug. 25, the fix did not address the issue.

“With a few minutes’ work, someone with a bit of technical expertise could make a Twitter ‘application’ and start sending tweets with it … it can be arranged so that if another Twitter user so much as sees one of these tweets—and they are logged in to Twitter—their account could be taken over,” Slater wrote.
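The eWeek excerpt above places the bug in an API field whose contents reach other users' pages unfiltered. As an added example (not Twitter's code and not from the article), the following contrasts concatenating a client-supplied application name and URL into a link with validating the URL scheme and escaping for the HTML context; the field names `name` and `url` and all sample values are constructed for illustration.

```javascript
// Added example: rendering a third-party application's name and URL
// (the link shown with a tweet) without creating an XSS sink.
// Field names and sample values are assumptions, not Twitter's API.

// Escape the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Accept only absolute http(s) URLs; returns the normalized URL or null.
function safeHttpUrl(raw) {
  let u;
  try {
    u = new URL(String(raw).trim());
  } catch (e) {
    return null; // relative or unparsable input is rejected
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.href; // the parser percent-encodes quotes and spaces in the path
}

// Vulnerable pattern: client-supplied fields concatenated straight into markup.
function renderSourceUnsafe(app) {
  return '<a href="' + app.url + '">' + app.name + "</a>";
}

// Hardened pattern: validate the URL scheme, then escape for the output context.
function renderSourceSafe(app) {
  const name = escapeHtml(app.name);
  const href = safeHttpUrl(app.url);
  if (href === null) return "<span>" + name + "</span>"; // drop the link, keep the text
  return '<a href="' + escapeHtml(href) + '" rel="nofollow noopener">' + name + "</a>";
}

// Constructed inputs: one benign registration, two hostile ones.
const samples = [
  { name: "ExampleClient", url: "https://client.example/" },
  { name: "ExampleClient", url: 'https://client.example/" onmouseover="alert(1)' },
  { name: "<b>ExampleClient</b>", url: "javascript:alert(1)" },
];

for (const app of samples) {
  console.log("unsafe:", renderSourceUnsafe(app));
  console.log("safe:  ", renderSourceSafe(app));
}
```

Escaping alone would still let a `javascript:` URL through as a working link, which is why the scheme check and the output encoding are both applied.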

Posted in crime, Internet, news, security news.

The Spy in Your Cell Phone

Raise your hand if you have a love/hate relationship with your cell phone.

*raises hand*

While having a cell is a great convenience (I have a cheapo Tracfone), they are expensive. And insecure. I’ve known for a long time that cell phone transmissions are insecure– they are truly radio transmissions, and can be intercepted and received by persons other than the ones making and receiving the phone call. And it’s illegal for anyone to tap into and record phone conversations– except for government entities, like the FBI. They do it all the time, without a warrant.

I did not know that spyware is readily available on the Internet, and is being used by crooks to stalk and spy on people. There’s a revealing video at YouTube called Tapping Your Cell Phone that’s quite an eye-opener. The embedding function is disabled for the video, but you can view it at the YouTube website. The video is some kind of cheesy 20/20 or Dateline show– it’s very sensational and overdone. But the basic point is true: your cell phone calls can (and probably are being) monitored, whether by accident by some radio aficionado, or by a stalker, or by the FBI. Cell phones are not safe and secure means of communication- don’t be fooled.

With all this technology, and a good deal of it becoming more personal for us and to us, we really need to remember that it is a weakness. Sure, it’s so convenient; but all this communication technology and other stuff like RFID and barcode scanner technology that lists and monitors our goods and food is a weakness– it’s digital information that is easily tampered with, easily malfunctioning, and easily monitored. It can be used against us. This YouTube video never comes out and says HOW spyware is installed on a cell phone, but it is implied that a hacker has to get access to your phone to install the software. I would also assume that some of those ringtones and other junk you can download into your phone may have spyware. And Bluetooth-enabled phones don’t need any installed software on the phone for spying on them.

So does this mean I am going to ditch my Tracfone? No. I’ll still have it; I use it for emergencies and the convenience outweighs the threats. Here are some ways to secure your cell phone:

  • Never leave your cell phone lying around, where someone can tamper with it.
  • Remove the battery.
  • Remove the SIM card.
  • Place the cell phone in a foil bag or wrapper. This is a little extreme, and it means you cannot receive phone calls as well as make them until you remove the phone from the foil; but it’s a great way to block all radio transmissions and a way to block your movement.
  • Shutting off the cell phone does little. The FBI, for example, is able to activate the speaker to your phone even though your phone may be turned off.
  • Place the cell phone in a ziploc bag. Sounds are distorted through the plastic. This is a great way to still have your phone on and you are able to hear it ring, but a hacker cannot hear your non-phone conversations.
  • And one final bit of trivia for you: did you realize that cell phone capability on airplanes was non-existent before the 9/11 incident? How could all those passengers have made cell phone calls to their loved ones if airlines hadn’t permitted cell phone calls back then??

Thanks to WXPNews for the link to the video.

Posted in crime, news, surveillance, technology.