Posts Tagged ‘cyber threats’

Social Security number code cracked, study claims

Recent News, Security Tools | Posted by Dave
Jul 06 2009
RANDOLPH E. SCHMID
Published: July 6, 2009

WASHINGTON (AP) — For all the concern about identity theft, researchers say there’s a surprisingly easy way for the technology-savvy to figure out the precious nine digits of Americans’ Social Security numbers.

“It’s good that we found it before the bad guys,” Alessandro Acquisti of Carnegie-Mellon University in Pittsburgh said of the method for predicting the numbers.

Acquisti and Ralph Gross report in Tuesday’s edition of Proceedings of the National Academy of Sciences that they were able to make the predictions using data available in public records as well as information such as birthdates cheerfully provided on social networks such as Facebook.

For people born after 1988 — when the government began issuing numbers at birth — the researchers were able to identify, in a single attempt, the first five Social Security digits for 44 percent of individuals. And they got all nine digits for 8.5 percent of those people in fewer than 1,000 attempts.

For smaller states their accuracy was considerably higher than in larger ones.

Acquisti said in a telephone interview that he has sent the findings to the Social Security Administration and other government agencies with a suggestion they adopt a more random system for assigning numbers.

Social Security spokesman Mark Lassiter said the public should not be alarmed by the report “because there is no foolproof method for predicting a person’s Social Security number.”

“The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration,” Lassiter said via e-mail.

However, he added: “For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year.”

The researchers say their report omits some details to make sure they aren’t providing criminals a blueprint for obtaining the numbers.

The predictability of the numbers increases the risk of identity theft, which cost Americans almost $50 billion in 2007 alone, Acquisti said.

A problem in the battle against identity thieves is that many businesses use Social Security numbers as passwords or for other forms of authentication, something that was not anticipated when Social Security was devised in the 1930s. The Social Security Administration has long cautioned educational, financial and health care institutions against using the numbers as personal identifiers.

“In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone,” he said, warning against providing too much data on social network sites.

Acquisti, who researches the economics of privacy, said he got interested in what could be learned from easily available information by looking at social networks, which he termed “a great experiment in self-revelation.”

People were willing to include their date of birth and hometown, he said, and he already knew that was part of the information used in issuing Social Security numbers.

So the researchers turned to the SSA’s “Death Master File,” which lists the numbers of people who have died. The purpose of making that file public is to prevent impostors from assuming the Social Security numbers of deceased people.

But by plotting the data for people listed on the file between 1973 and 2003 the researchers were able to develop patterns for number issuance.

“I was surprised by the accuracy of certain predictions,” Acquisti said.

The system can produce a range of possibilities for the last four numbers, making it easier for a computer to test the possibilities until the correct number is found for an individual, Acquisti explained.

In addition, “attackers can exploit various public- and private-sector online services, such as online ‘instant’ credit approval sites, to test subsets of variations to verify which number corresponds to an individual with a given birth date.”

While it was well known that the numbers have a geographic component, past studies have used the patterns plus other data to estimate when and where a specific number may have been issued.

“Our work focuses on the inverse, harder, and much more consequential inference: it shows that it is possible to exploit the presumptive time and location of SSN issuance to estimate, quite reliably, unknown SSNs,” Acquisti said.

The research was supported by the National Science Foundation, the U.S. Army Research Office, Carnegie-Mellon University and the Pittsburgh Supercomputing Center.

___

On the Net:

PNAS: http://www.pnas.org

http://newsok.com/social-security-number-code-cracked-study-claims/article/feed/55270?custom_click=pod_headline_national-politics

The Myth of the Virus Free Mac

Best Practices, Original, Viruses | Posted by Dave
May 19 2009

Over the past few days I have seen a few of these new PC/Mac guys commercials. While I am not a big fan of Apple (that is a discussion for another day) I do think these commercials are pretty funny. These newest commercials have had some statements that made me stop and listen. Cut to a woman looking for a PC (yes, Windows/Linux/Macs are all PCs). She says “I want a computer that doesn’t get viruses” and all of the “PC Guys” walk away.

What?? I know I didn’t see that correctly. Did Apple say they do not get viruses?? So I went back on my TiVo. Yup, that was exactly what they said. A couple of commercial breaks later another Mac ad comes on and again they say they are not vulnerable to viruses. You have got to be kidding me… Whatever happened to truth in advertising? Obviously people don’t believe this.. So I posted on my Facebook status “I just saw an ad claiming Macintoshes don’t get viruses, and I laughed my butt off. Do people really believe this??” Within one of my friends replied and the following Facebook conversation ensued..

Friend: You’re the expert, but I’ve had a Mac (a few different obviously) since I was 17. I’ve never once had a virus. Most people I know on PC’s have them constantly. Just sayin’.

Dave: And did you have a virus scanner installed?

Friend: No. But zero performance issues. Pc people amuse me though this is entertaining to me.

Dave: So… Let me get this straight.. No Virus detector, and you know you never had a virus??? Sooooooo…. Yeah….. Need I say more?? :)

About this time I was getting a bit annoyed about this. This guy says he has never had a virus, but has never run a scan. He knows because he has not had any performance issues. And HE IS ENTERTAINED BY PC PEOPLE??!?!? So I added the following:

Dave: Besides been rockin the Ubuntu lately.. I still run at least ClamAV on it :)

Around this time another friend of mine chimes in (and this is one of my old BBS friends, a big Linux guy):

Friend #2: people write linux viruses? since when?

Well I guess beliefs like this will keep me employed…

Fact: There are Macintosh viruses, malware, vulnerabilities, etc.

Meet OSX/Leap-A. This little worm is the first virus discovered for Mac OS X. It was discovered back in early 2006. Since then many Trojans, worms, OS-specific vulnerabilities and other nasty malware have been discovered. The folks over at Securemac are doing a great job at keeping everyone up to date. In fact it may be a good idea if Apple would have their advertising group look at their entry from 12/2008:

12.02.2008 News
Apple has officially acknowledged that Mac users should use anti-virus solutions in this technical note. As their market share continues to grow, so do the threats to the users.

Related Articles:
Washington Post: Apple: Mac Users Should Get Antivirus Software
The Tech Herald: Apple Encourages Anti-Virus Protection
CNet: Apple suggests Mac users install antivirus software
Apple Insider: Apple encourages Anti-Virus Software

Again, where is the truth in advertising?

For my Linux friends: yes, Linux and Unix have malware also. Here is an old list from 2005.

Fact: There is more Windows malware, because there are more Windows machines

If you are going to spend the time to build a virus, you will probably want to do the most damage. Windows machines outnumber Macintoshes 10 to 1. Simple math: more machines, more dangers. However, we are seeing a growth in Mac malware. While Apple says this is due to an increase in Mac growth, I would tend to believe it is due to the lax security practices of the average Mac user.

Solution: Run Anti-virus

Anti-virus is an insurance policy: better to have it and never need it than to wish you had it when infected. Make sure the software looks for viruses, worms, and Trojans. Securemac would be a good resource to find the best solution for you.

In conclusion, be safe, and remember that virus authors know the weaknesses of a system and the attitude of the users.

Bonus -

Hats off to fellow St. Louisian Charlie Miller for hacking a MacBook Air in less than 2 minutes. You can read about it at Infoworld.

Social Networking making it easier for Hackers

Uncategorized | Posted by Dave
May 14 2009

Research from Kaspersky Lab shows malware on social networking sites such as Facebook and MySpace is 10 times more successful at infecting users than e-mail-based attacks. Enterprises and users need to adopt sound security practices to deal with the problem.
That hackers are using sites such as Facebook, LinkedIn and MySpace to launch attacks is no revelation. New statistics, however, show just how effective malware on social networking sites can be.

In its “Malware Evolution 2008” report, published in February 2009, Kaspersky Lab revealed that malicious code distributed via social networking sites has a success rate of 10 percent in terms of infections, making it 10 times more potent than malware distributed via e-mail.

“In 2008 we increased the collection of malicious files relating to social networks by approximately 26,000,” said Stefan Tanase, a security researcher for the Kaspersky Lab Global Research and Analysis Team. “In 2008 alone we processed more of those samples than in the total of all years prior to 2008, making the growth rate exponential. Our collection of malicious software samples reached 43,000 at the end of last year.”

Tanase said he expects that number to hit 100,000 by the end of 2009. According to McAfee, 800 new variants of the notorious Koobface virus were discovered in March alone. Social networking sites have also been hit by malware hidden in seemingly legitimate third-party applications.

No particular site is more dangerous than others, Tanase said. Different sites are popular in different regions of the world, and attackers follow the users.

“It’s very hard for social networking sites to do better,” he said. “Their business is about having an easy-to-use Website, so that everyone can join. The problem is that usability and security don’t really go hand in hand most of the time.”

For enterprises, that means developing policies to control the use of social networks by employees. Organizations can instruct employees not to mention the company name on social networking sites, for example, and can couple that with education on configuring privacy settings and general Web safety.

“Blocking access to social networking site[s] is not going to work in the long run,” said Chenxi Wang, an analyst with Forrester Research. “As younger employees join the work force, they increasingly expect to have access to social networking sites from work, [so] having such a restrictive policy will damage the company’s [prospects of attracting] employees and ultimately may become a competitive advantage [to competitors].”

As for basic security advice, Tanase advised users to limit the code executed inside their browsers to trusted sources only and to make sure the operating system, anti-virus application and other software are fully patched and up-to-date.

“When talking about social networks, even though they are made of users wandering throughout cyber-space, we should not forget we’re actually talking about real people, actual human beings that have friends and relationships,” he said. “These relationships are usually based on trust, so the bad guys are trying to exploit this trust.” 

http://www.eweek.com/c/a/Security/Social-Networks-10-Times-as-Effective-for-Hackers-Malware-892010/?kc=rss

Anti-Virus Sites have XSS vulnerabilities??

Best Practices, Recent News | Posted by Dave
May 12 2009

XSS flaws found in sites of multiple anti-virus firms

Dirty half-dozen

Security researchers have revealed that the websites of no less than six anti-virus firms are vulnerable to cross-site scripting flaws, of a type that might lend themselves to phishing attacks.

Some of the firms involved have admitted problems, while others say the issues raised have either already been fixed or are erroneous.

Nemesis, a gang of programmers and security bods that work mostly in chat room software development, reckons the sites of Symantec, Kaspersky, Eset (Nod32), AVG, F-secure and Trend Micro are all vulnerable, one way or another. The group has posted screen shots to back up its claims in an advisory here.

El Reg contacted the six firms involved on Monday evening, some of whom have already got back to us. We’ll add statements from the others as and when they become available.

  • Trend Micro said the flaw highlighted by Nemesis is on a part of its site which is outsourced. The firm added that the flaw was in the process of getting fixed.
  • Eset said the site with the alleged flaw, eset.co.il, was run by its Israeli distributor. “The iFrame injection has been removed from eset.co.il and today (Tuesday) the site will be deeply scanned to fix all other possible vulnerabilities,” it said in a statement.
  • Symantec said the reported vulnerability on its site was discovered and fixed last month. “Symantec was notified of a reported security vulnerability on a webpage within Symantec’s website back in April,” a spokeswoman explained. “Upon notification of the potential vulnerability, Symantec immediately conducted comprehensive testing and fixed the vulnerability. Symantec takes the security of its website very seriously and can confirm that no company or customer information was exposed.”
  • AVG said there wasn’t any problem with its site. “We’ve investigated the issue as raised by The Register, and we can report that there is no vulnerability on the AVG website. We’re always looking at potential security issues – and extra ways to keep our customers’ data secure. As an internet security company, we often find that we come under attack from the bad guys.”

Broadly speaking, the cross-site scripting flaws detailed by Nemesis make it possible to present rogue iFrames from third-party servers as if they came from the sites of security vendors a surfer might be visiting. This type of vulnerability therefore lends itself to attacks that rely on impersonation, such as phishing. XSS flaws, more generally, also pose cookie stealing and other risks.

This class of vulnerability has popped up on the websites of security firms over recent months. Most notably, Romanian hacking group HackersBlog exposed XSS flaws on the websites of Kaspersky, BitDefender, F-Secure and Symantec in a two-month campaign before the group got bored and disbanded in late March 2009.

Other incidents of similar problems on the websites of McAfee and Symantec have cropped up since, to the point where it’s tempting to think that the problem has become endemic.

In other security-related news, AVG released a fix for a vulnerability involving how its software processes Zip files. An advisory on the flaw, discovered by security researcher Thierry Zoller, can be found here. ®