SpiderLabs Blog

Fraud, Passwords, and Pwnage on the Interwebz

Written by Therese Mendoza | Dec 19, 2012 12:44:00 PM

This past weekend I was lucky enough to attend Microsoft's BlueHat Conference in Redmond WA and Security B-Sides Seattle. The combination of some of those talks succeeded in keeping some persistent issues alive in the hopes of finding a solution. We live in a world dominated by the Internet and rapidly changing technology. Most people regularly use at least some form of social media online whether it's Facebook, Twitter, Reddit, etc., and it's accessed and updated from a home computer, tablet device, or smartphone. And while the Information Security world is far more cognizant of what transpires online your average user really isn't. And it's sad to think they either don't care, or have a "it will never happen to me" attitude. I'm not sure how much of my online life is made up of paranoia, anti-social behavior, or just that I feel what I do is none of anyone's business but my own. I don't have a real Facebook account, I have a "sock puppet" account. I have atwitter account, but if you look at it, it's all angry rants. I try to minimize my web footprint as much as possible, but I love my email accounts. Yes, that's right -plural. All are different user names, with different email services. Each is associated with various logins to different services on the Internet. So what about the average user?

The talks at BlueHat started with Ellen Cram Kowalczyl' stalk on Fraud and Abuse in which she talked about how prevalent fraud is and how easy password recovery question answers can be recovered from online data. Examples of randomly generated passwords were presented and one attendee was able to recite it back to her. She ended her talk with a Internet scavenger hunt for answers to what could be password recovery questions for an online account. A simple Internet search can deliver information about your mother's maiden name, your first car, last attended school, and even the food you hate most. How do you deal with multiple passwords? Do you use LastPass? Write them down and store them securely? Do you use KeePass? Check out Life Hacker's post of the top five.

Are the majority of password recovery question answers readily recoverable from the information the average user posts to their Facebook account? I bet the average is pretty high that the answers are there. Maybe answers are even from a quick tweet about something randomly posted to the web. It seems everyone's lives are on display somewhere online in today's web-centric world. Sure you can change the answer for the security question to something false, but what happens when you forget the answer? Interestingly enough I signed into my Facebook account this weekend and I had two strikes against me; I signed in with a laptop I've never used before and I forgot the bogus answer to the security question. The addition of the laptop being used for access is a step in the right direction, and previously I had only encountered with certain credit card providers. For the average user Facebook has implemented some interesting new changes to their password recovery system. Alex Rice presented these changes in his talk Social Authentication. So for someone who does use Facebook often, besides just a security question as a means of user identity authentication to an account, it can be done through tagged photos, or through reaching out to friends. It's a dynamic way in which to add new layers to the security and password recovery process.

What happens when you get hacked because someone added something to your account? It happened to Mat Honan of Wired and he discussed it in his talk about the "Epic Hack" in which all his Apple devices were wiped as a sideline just to steal his Twitter account. Have you read the Wired article hit about how easy it was for a couple of teenage kids to leverage information from Twitter to Amazon to Apple and gain access to Mat's Twitter account? If you haven't read that article, go do it now. Then think about how your email, Internet purchases, and credit cards are linked. How can you protect yourself? Mat's biggest lesson learned from his experience was to backup your heard drive. But was that the right lesson learned?

Score one for women as when paranoia kicks in, we're harder to social engineer than men as presented and experienced by Christopher Hadnagy. He walked though a social engineering engagement in which a successful phishing email was leveraged to gain further system access by calling up the victims and walking them though installing a payload to "clean their systems". One woman refused to click the link and told him if something needed to be installed to clean her system, it wasn't going to happen until a tech came down to her office to do it while she was there. Kudos! Lesson learned by someone. But she was the 1% stage two didn't work on .

So what is the solution? Here's where my paranoia has left me:

Social Media:

My Facebook account is a sock puppet account. Very few friends have access to it, and while it's locked down as much as I can lock it down, any and all profile information is false information. Twitter is setup as vaguely as possible.

Passwords:

Everyone talks about randomizing your passwords – mixing upper and lowercase letters, numbers, special characters and making the password longer than 16 characters. This is all well and good for web services that allow it, but there are some out there that don't allow special characters, or limit the length to under 16characters. More alarming is after working numerous internals that do have complexity rules enabled for passwords it's amazing how quick random passwords can still be cracked by John the Ripper or Cain& Abel. Checkout this article on how even the super long passwords can now be cracked in no time at all.

Internet Purchases:

Apple and Amazon are probably my favorite and most used retailers. I am however blessed with good credit and have multiple credit card accounts. My Apple and Amazon accounts are linked to different email accounts, with different credit cards, and I'm in those accounts regularly. Constant vigilance, good credit history, and penny pinching are my friends here. Mat Honan was hacked by what was added to his accounts and it happened fast. What isthe answer here? Call your favorite services and find out what can be added to your account. Find out if you can restrict this ability. Or if you can set up an additional security question that is not the norm.

Social Engineering:

How do you protect yourself from a phone or face to face encounter of social engineering? I'm so paranoid that sometimes it's just not funny. I lie. If you're someone I don't know and you randomly start talking to me, I will lie to you about so many things. I'll lie about my name, my age and therefore birthdate, where I live, etc. Depending on the social situation, I'll lie about everything. I have an entire alter ego with quite an information rich background that's false.

The overall message taken back from BlueHat and B-Sides Seattle is to open discussions on security awareness and security policies as a whole. But where does this leave the average user? The rate in which technology changes and gets adopted has outstripped common sense. And once you post something to the Internet it's there for all to see. In the case of pictures, you can try, but you will never remove all traces of it off the Internet. Security awareness training in the work place will keep people vigilant at work, but will they carry that vigilance to their personal lives at home. What about there tired who spend time online? Where is their security training?

I don't have the answers. I have what has worked for me personally so far. What do you do to secure you private life? And while I'm sure many of you are the computer tech of the family come the holiday season, are you also the security trainer? I've found I've become the security advocate in my family.