SpiderLabs Blog

Fraud, Passwords, and Pwnage on the Interwebz

This past weekend I was lucky enough to attend Microsoft's BlueHat Conference in Redmond, WA and Security B-Sides Seattle. The combination of some of those talks succeeded in keeping some persistent issues alive in the hope of finding a solution. We live in a world dominated by the Internet and rapidly changing technology. Most people regularly use at least some form of social media online, whether it's Facebook, Twitter, Reddit, etc., and it's accessed and updated from a home computer, tablet device, or smartphone. And while the Information Security world is far more cognizant of what transpires online, your average user really isn't. And it's sad to think they either don't care, or have an "it will never happen to me" attitude. I'm not sure how much of my online life is made up of paranoia, anti-social behavior, or just that I feel what I do is none of anyone's business but my own. I don't have a real Facebook account; I have a "sock puppet" account. I have a Twitter account, but if you look at it, it's all angry rants. I try to minimize my web footprint as much as possible, but I love my email accounts. Yes, that's right: plural. All are different user names, with different email services. Each is associated with various logins to different services on the Internet. So what about the average user?

The talks at BlueHat started with Ellen Cram Kowalczyk's talk on Fraud and Abuse, in which she talked about how prevalent fraud is and how easily the answers to password recovery questions can be recovered from online data. Examples of randomly generated passwords were presented, and one attendee was able to recite one of them back to her. She ended her talk with an Internet scavenger hunt for answers to what could be password recovery questions for an online account. A simple Internet search can deliver information about your mother's maiden name, your first car, your last attended school, and even the food you hate most. How do you deal with multiple passwords? Do you use LastPass? Write them down and store them securely? Do you use KeePass? Check out Lifehacker's post on the top five.

Are the majority of password recovery question answers readily recoverable from the information the average user posts to their Facebook account? I bet the odds are pretty high that the answers are there. Maybe the answers are even in a quick tweet about something randomly posted to the web. It seems everyone's life is on display somewhere online in today's web-centric world. Sure, you can change the answer to the security question to something false, but what happens when you forget the answer? Interestingly enough, I signed into my Facebook account this weekend and had two strikes against me: I signed in with a laptop I'd never used before, and I forgot the bogus answer to the security question. Checking which device is being used for access is a step in the right direction, and one I had previously only encountered with certain credit card providers. For the average user, Facebook has implemented some interesting new changes to their password recovery system. Alex Rice presented these changes in his talk Social Authentication. So for someone who does use Facebook often, besides just a security question as a means of authenticating a user's identity to an account, it can be done through tagged photos or through reaching out to friends. It's a dynamic way to add new layers to the security and password recovery process.

What happens when you get hacked because someone added something to your account? It happened to Mat Honan of Wired, and he discussed it in his talk about the "Epic Hack", in which all his Apple devices were wiped as a sideline just to steal his Twitter account. Have you read the Wired article about how easy it was for a couple of teenage kids to leverage information from Twitter to Amazon to Apple and gain access to Mat's Twitter account? If you haven't read that article, go do it now. Then think about how your email, Internet purchases, and credit cards are linked. How can you protect yourself? Mat's biggest lesson learned from his experience was to back up your hard drive. But was that the right lesson learned?

Score one for women: when paranoia kicks in, we're harder to social engineer than men, as presented and experienced by Christopher Hadnagy. He walked through a social engineering engagement in which a successful phishing email was leveraged to gain further system access by calling up the victims and walking them through installing a payload to "clean their systems". One woman refused to click the link and told him that if something needed to be installed to clean her system, it wasn't going to happen until a tech came down to her office to do it while she was there. Kudos! Lesson learned by someone. But she was the 1% that stage two didn't work on.

So what is the solution? Here's where my paranoia has left me:

Social Media:

My Facebook account is a sock puppet account. Very few friends have access to it, and while it's locked down as much as I can lock it down, any and all profile information on it is false. Twitter is set up as vaguely as possible.

Passwords:

Everyone talks about randomizing your passwords: mixing upper and lowercase letters, numbers, and special characters, and making the password longer than 16 characters. This is all well and good for web services that allow it, but there are some out there that don't allow special characters, or that limit the length to under 16 characters. More alarming, after working numerous internal penetration tests against networks that do have password complexity rules enabled, it's amazing how quickly random passwords can still be cracked by John the Ripper or Cain & Abel. Check out this article on how even super-long passwords can now be cracked in no time at all.

Internet Purchases:

Apple and Amazon are probably my favorite and most-used retailers. I am, however, blessed with good credit and have multiple credit card accounts. My Apple and Amazon accounts are linked to different email accounts, with different credit cards, and I'm in those accounts regularly. Constant vigilance, a good credit history, and penny pinching are my friends here. Mat Honan was hacked through what was added to his accounts, and it happened fast. What is the answer here? Call your favorite services and find out what can be added to your account. Find out if you can restrict this ability, or if you can set up an additional security question that is not the norm.

Social Engineering:

How do you protect yourself from a phone or face-to-face social engineering encounter? I'm so paranoid that sometimes it's just not funny. I lie. If you're someone I don't know and you randomly start talking to me, I will lie to you about so many things. I'll lie about my name, my age and therefore my birthdate, where I live, etc. Depending on the social situation, I'll lie about everything. I have an entire alter ego with a quite information-rich background that's false.

The overall message taken back from BlueHat and B-Sides Seattle is to open discussions on security awareness and security policies as a whole. But where does this leave the average user? The rate at which technology changes and gets adopted has outstripped common sense. And once you post something to the Internet, it's there for all to see. In the case of pictures, you can try, but you will never remove all traces of them from the Internet. Security awareness training in the workplace will keep people vigilant at work, but will they carry that vigilance to their personal lives at home? What about the retired who spend time online? Where is their security training?

I don't have the answers. I have what has worked for me personally so far. What do you do to secure your private life? And while I'm sure many of you are the computer tech of the family come the holiday season, are you also the security trainer? I've found I've become the security advocate in my family.