Posts Tagged ‘hackers’

Think you are safe? Think again!

Thursday, February 18th, 2010

Good news and bad news…the good news is that new ideas on how to connect and communicate are still coming…enhancements to Facebook, Google Buzz…lots of good ideas.  The bad news is that folks seem to have forgotten that there are a lot of bad guys out there and you need to protect your social networks just as much as you need virus protection software for your pc and a firewall for your network.

Keep in mind that hacking has taken on a new strategy whereby the hacker gets in and keeps their presence quiet so that they can pick their opportunity to take advantage…no longer are they just attacking…hackers are in stealth mode and your social network is a great target.  Also note that hackers post successes for others to read…so that when one gets in, the rest can follow.

Social networks are the new big “Greenfield” opportunity for hackers.  People are forgetting that your network has a ton of info about you and a ton of info about your friends.   I have been seeing reports of Facebook hacking scams where a hacker gets in to your page, changes the password so that you cannot get in and then scams your friends by telling them you are trapped in some foreign country and need money.   Your friends respond by sending you money…only problem is that you don’t get the money…the hacker does.    Facebook has a form that must be filled out if your account has been compromised.   Make sure that you know where to find it on their site as it might come in handy some day.

Other tips include limiting the info that is on your page…don’t have your complete birthday (just the month and date are good enough) and don’t put your full name or address or cell number on the page.  Also watch out for information that you unwittingly include…such as your school’s name on a sweatshirt or a license plate on a car.  Hackers are smart people…don’t forget that…and your friends already know how to get in touch with you.  Also make sure that you review the privacy settings…don’t just go with the default.

Google Buzz…you have to love the notion of using your email list to automatically create your social network.  I think that this is a great idea because the people that I email all the time are great candidates for my social network.  Only problem is that my contacts could become publicly available.  Don’t worry as Google is fixing the issue, but this is a great example of a well-meaning company making a mistake.  Google is getting real serious about social networking and Buzz won’t be the last we hear from them.

So what is the bottom line…for me it is that you have to pay attention to the details and make sure your information is protected no matter where it is stored.

Bad news for businesses that aren’t paying attention…

Thursday, October 8th, 2009

Governor O’Malley has declared October to be cyber security awareness month.  The Federal Government has as well. What does that mean? Well, according to the Governor, it’s necessary to remind all Americans that we need to protect the security of cyberspace from the viruses, theft, hacking and loss of sensitive information that has become a daily occurrence.

So, how serious is the cyber security issue? Well… bad and getting worse. The main reason is that businesses that are running .com websites are not focused on securing them. Reports indicate that 91% of websites are vulnerable. If you think this is too high, then consider that G.1440’s experience is that 86% are vulnerable…meaning that basically 9 out of 10 are Swiss cheese.

Making matters even worse is that hacking has changed to be a stealth crime… business owners believe that they are safe as long as they aren’t aware of anything bad happening…this is very, very wrong…according to the Verizon Data Breach report, 63% of business owners don’t know for months that they have been hacked. Hackers infect your site and then plot their next steps…even if your site is simple and just an online brochure, you can still be implicated in a crime where your business is used as a front for a hacker…and all without you knowing it. Sound crazy? Unfortunately, it isn’t farfetched at all and is happening today.

One last myth that must be exposed is that firewalls will prevent your website from being hacked…this is simply not true.

Basically, the .coms are not paying attention to this critical issue and need to start. The US Govt is spending 100 million on protecting government sites only to have them attacked by their own citizens’ computers and websites. Several officials that I have spoken to have predicted that scanning of .com websites will be mandatory – this will happen due to the need for all sites to be protected.

The Federal Government is clearly stepping things up and has just announced that the Department of Homeland Security is going to be hiring over 1000 security specialists.

What can you do to protect yourself?  For starters, ask the business owners you know if they are aware that October is Cyber security Awareness month and if they have had their website scanned for hacking vulnerabilities.

Next, only visit sites you trust – especially true for downloads as hacked websites will give you more than you asked for when you click a link to download…a click is just an opening for a hacker to send you whatever they want.

Remember to keep your browser security as up to date as possible as your computer can be infected just by visiting a website that has been compromised.   Keep your virus protection, spyware and id protection software up to date and consider the use of a link scanner… www.avg.com has a good one that is free. Lastly, back up your critical key files just in case.

It is a crazy world wide web right now and you need to take steps to keep yourself safe. Unfortunately, actually fixing the problem will require businesses to start scanning and repairing their websites. Hang in there… this situation will improve as more and more people become aware of it.

The Giant On/Off Switch

Thursday, September 10th, 2009

What if there was a big On/Off switch and one day…someone shut down the internet?  Well, it just might happen. A US Senate Cyber-Security bill being considered would give the President emergency control of the internet. It would allow him to declare a cyber security emergency and effectively shut down networks that are causing issues.

I guess the Feds have had enough. As we have been discussing for months now, most .com websites (approximately 9 out of 10) are very vulnerable to hacking…in other words… Swiss-cheese.  Hackers can and are having a field day. Here is some data from G.1440’s experience scanning and repairing websites…

1>   86% of the sites we scanned contained critical issues,

2>   53% of the sites contained a critical issue that is related to server setup – these can be easy to fix

3>   73% have been vulnerable to the two most popular hacking strategies…SQL Injection and Cross Site Scripting. Be sure to throw those two terms out for discussion at dinner tonight!

Unfortunately, businesses are not taking action to scan their websites and find/fix the holes and some of these same websites are being used to attack Federal government websites and/or infect the computers of people visiting these sites.

The Feds are spending over 100 million to protect just their .mil websites, but private businesses must do their part and they aren’t. So, the government is now being forced to take action and is considering a Giant On/Off switch that they will use to control traffic on the internet if an emergency arises.

The Senate Cyber security bill of 2009 will offer President Obama emergency control of the Internet and may give him a ‘kill switch’ to shut down online traffic by seizing private networks. A new version of the bill was introduced in mid August and will allow the president to “declare a cyber security emergency” relating to “non-governmental” computer networks and do what’s necessary to respond to the threat by working with critical infrastructure providers.

Giving control of the internet to the Federal government is giving some folks cause for concern. For example, the bill doesn’t define exactly what a cyber-emergency is…just that it is an “immediate threat”.

In May, President Obama acknowledged that the government is “not as prepared” as it should be to respond to disruptions and announced the creation of a yet to be filled “cyber security coordinator” position.

What else does the bill provide for? Other sections of the proposal include a federal certification program for “cyber security professionals,” and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.

In case you are interested, here is a link to part of the bill -  <http://www.politechbot.com/docs/rockefeller.revised.cybersecurity.draft.082709.pdf>

While it may be cause for concern, you have to admit that if we just kept our .coms up to snuff, the Feds wouldn’t have to step in.

Catching a virus from your favorite TV star!

Thursday, September 3rd, 2009

If you like following the gossip on your favorite celebrities, and part of your routine is looking them up on the web, then you better pay attention…you might get more than you bargained for. In fact, it could be downright dangerous! One quick search could land you and your computer in hot water!

The internet bad guys are creating websites or infecting other sites with viruses and malware and then luring unsuspecting internet surfers to these sites using the most popular stars as bait. Click on a link for a Jessica Biel wallpaper and you could be infected on the spot. The good news is that the McAfee Company has researched Hollywood’s stars and found out which are the riskiest for you to click on.

Unfortunately for her fans, Jessica Biel heads the list…so if you search for her on the internet, you have a 20% chance of being infected with malware or a virus. According to the report, over 50% of the sites advertising “Jessica Biel screensavers” were infected.  Brad Pitt was the most dangerous last year, but Jessica has surpassed him…I wonder how happy she is about that! Beyonce was number 2 both last year and this year making her the most searched and dangerous over that period.

The stars on this list read like a who’s who…from Jessica and Beyonce…to Jennifer Aniston, Tom Brady, Jessica Simpson and Megan Fox. Interestingly enough, the Obamas are ranked in the 30s and are considered a relatively safe search.

So, how do you get infected? Simply search on one of these names, or their name with videos, screensavers, wallpaper and you have a good chance of getting more than you bargained for.

What does this mean to you? The bottom line is that searching for the latest celebrity news and downloads can cause serious damage to one’s personal computer.

How do you stay safe? Be sure to have virus protection, malware and spyware filters running on your computer and stay away from sites you don’t trust.   Downloading from some site you have never heard of is probably not a good idea.  Use the common sense rule. People often forget how complex and important their computer is to them…so be careful when downloading anything.

A good friend asked me if the companies that have had their websites infected are doing anything about it. The answer is probably not!   However, most of them don’t know that they are vulnerable…according to the Verizon Data Breach report, a whopping 63% of websites that are compromised find out MONTHS later about the attack.

Businesses must start scanning and protecting their websites. I believe that this will become a federal mandate in the near future. Talk to you soon and happy surfing!

Scareware is Pretty Scary

Wednesday, June 17th, 2009

Surfing the internet is a part of our everyday life…..we turn to the “net” to get everything from information on our competitors to making dinner reservations……however, surfing has a new threat that you need to be aware of…..hackers are always looking for ways to wreak havoc on your computer and now they’ve found another strategy…..it’s called scareware and the things it could do to your computer should scare you.

Hackers are creating booby traps on the internet to infect your computer and then sell you bogus software to supposedly fix the infection. You will be stuck in a never-ending series of pop-ups until you eventually click and buy the software they want you to buy. The software they sell you will not fix the problem, so you end up spending $40 to $80 and end up with an infected pc. In many cases, clicking and buying just makes the pop-ups increase.

By late last year, more than 9,200 different types of scareware programs were circulating on the Internet, up from 2,800 at midyear, according to The Anti-Phishing Working Group.

You can pick up some scareware in many locations……on YouTube the bad guys are signing up and posting comments on videos with enticing links. You watch a video you like, click on the link to another video and bam….you have a bad case of scareware.

In a variation, the bad guys create Twitter accounts and begin broadcasting tweets with enticing links and when you click on the link, you get the same result.

To set a trap in search engines, the hackers post web pages that are optimized with popular key words. This is caused by websites that don’t do a good job of keeping their www sites safe. 91% of websites have vulnerabilities that can be exploited and only 1% have a prevention plan.

Last but not least, hackers buy ad space on popular websites. Generally, they will use an intermediary such as an agency. They mix booby trapped ads with clean ads.

Many of these schemes are originating overseas, however some start right here in the US. In 2008, Microsoft and Washington State Attorney General Rob McKenna filed civil lawsuits against Branch Software and Alpha Red, both US companies, charging that they were marketing scareware.

The top-level suppliers, however, continue to operate with impunity, mainly based in Russia. And new affiliates crop up every day, full of fresh ideas to spread increasingly invasive promotions…

So what can you do? AVG’s free LinkScanner tool will help to prevent you from clicking on malicious Web links. AVG has a quality product and it is free.

What should businesses do? They need their www sites to be scanned to find the traps that have been set. Visit G.1440 to learn more about how to protect your business.

SQL Injection: the popular attack of 2008

Wednesday, May 13th, 2009

This article was contributed by guest blogger Tim Kulp.

In 2008, SQL Injection attacks were up 134% from 2007 according to IBM’s X-Force report (http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf). Previous years have seen Cross Site Scripting as the main attack vector but this year hackers went for the web application’s jugular by attacking the very data foundation of the system. 

SQL Injection attacks occur when a user places SQL commands directly into the controls on a web page, like a textbox. These commands tell the database to do something other than the action intended by the developers. An example SQL Injection would be to delete all the rows in a table, return schema information about the database or access data such as user information. Crafty attackers can even use SQL Injection as their initial attack method but then snowball the attack into a collaboration of Cross Site Scripting (XSS) and Clickjacking. When you examine the possible damage done by a SQL Injection, the outcomes can be frightening.

The good news is that SQL Injection attacks are easy for developers to defend against. The first and simplest protective step is to use Stored Procedures to call the database instead of direct SQL statements. Instead of dynamically building a SELECT statement with a dynamic WHERE clause, use a Stored Procedure with parameters. Another measure to stop SQL Injection, and perhaps the most important one: ALWAYS validate the data that is coming into the system. Many development frameworks have Anti-SQL Injection capabilities such as the ASP.NET Regular Expression validator control and the Custom Validator control. Check incoming values for SQL comments or key words such as DELETE, CREATE, DROP, etc. Remember, check more than your textboxes when validating. Hackers will not use the site how you expect them to and will craft their own HTTP POST messages to force values that are not possible using your site.

When in doubt, try SQL Injection on your own site or hire a contractor to check your site for you. There are many automated tools on the web that will check for SQL Injection flaws in a site and many of them are free. In the end remember, validate requests, use stored procedures and log every action that is coming into and out of your data store.
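The three measures above (validate requests, pass values as parameters, log access to the data store) are shown side by side with the dynamically built WHERE clause in this added example, which is not code from the original post or from G.1440. It uses Python's sqlite3, which has no stored procedures, so a parameterized query stands in for the stored procedure with parameters, and an allow-list check stands in for the keyword check. The table, column and function names and the sample rows are assumptions constructed for the example.

```python
import logging
import re
import sqlite3

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("datastore")

NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed shape of a user name
ALLOWED_ROLES = {"admin", "staff"}  # the only values the form's dropdown offers


def make_db():
    """Constructed sample data; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return db


def find_user_unsafe(db, name):
    """The 'before': the WHERE clause is built by string concatenation."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def find_user_bound(db, name):
    """Parameter binding alone: the value is compared as data, never parsed as SQL."""
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def validate(name, role):
    """Server-side checks on every field, including ones the form restricts."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name fails allow-list pattern")
    if role not in ALLOWED_ROLES:
        raise ValueError("role is not a value the form offers")


def find_user_safe(db, name, role):
    """The 'after': validate, log the request, then bind values as parameters."""
    try:
        validate(name, role)
    except ValueError as exc:
        log.warning("rejected name=%r role=%r: %s", name, role, exc)
        return []
    log.info("lookup name=%r role=%r", name, role)
    return db.execute(
        "SELECT name, role FROM users WHERE name = ? AND role = ?", (name, role)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    print("unsafe :", find_user_unsafe(db, crafted))  # every row comes back
    print("bound  :", find_user_bound(db, crafted))  # no match
    print("safe   :", find_user_safe(db, "bob", "staff"))
    print("crafted:", find_user_safe(db, "bob", "superuser"))  # value the form cannot send
```

The rejected requests appear in the log as warnings, which is the record to review when looking for probing against the form.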

Web applications are currently the hot targets for hackers. With SQL Injection being a popular and easy attack, developers must make sure that they are protecting their sites. Being aware of threats and proactive in securing your site will reduce your attack surface leaving the developers, users and business happy and safe.

The Forgotten Computer

Wednesday, January 28th, 2009

Cell phones tend to be a forgotten technology when considering devices that need to be secured in Information Security. Think for a moment about how your users actually use their cell phones. Do they have mobile applications that give their phones access to proprietary information? Do your users have their email and calendars synchronized with your mail server? If someone broke into their phone, what could the attacker find out about your company? The cell phone, with its ever growing feature set, is quickly becoming the easiest doorway into your corporate information.

Today cell phones are much more than phones. Blackberry, iPhone, Samsung Instinct: these phones allow application access, internet browsing, email, SMS, and even updating your Facebook status. All of this translates to an enormous attack surface for would-be hackers. When you add communication methods such as Wi-Fi and Bluetooth, the mess gets even more complicated. The dangers are not only from hackers; pickpockets and general thugs can simply grab the phone and run. The data contained on cell phones is growing in volume and importance, so what can we do to protect our companies against data theft?

1. Audit

Determine who has phones, what is on those phones and what your enterprise communication system can do. Systems such as the Blackberry Enterprise Solution have many security features built into the product to respond to a phone being stolen (http://na.blackberry.com/eng/ataglance/security/). Familiarize yourself with what your enterprise communication system (BES, Windows Mobile, etc.) offers in the realm of security. Can you remotely wipe the data on the device? Can you control what applications can be loaded?

2. Educate

After you know what you need to protect and what you can do to protect the devices, ensure that the users understand the possible threats they might encounter. Most users do not understand that the cell phone is basically a mobile computer and is exposed to all the same threats as any other computer. Teach users that their cell phone can be a doorway not only into the business but into their personal lives as well.

3. Threat Model

Set up attack scenarios and model them on a white board. Use these models to determine where your defenses are weak as well as where they can be totally circumvented. The more you attempt to break in to your own systems the more possible attacks you will find. Use these successful attack scenarios to drive your business policies and decisions regarding cell phone security.

The role of the cell phone has changed drastically over the past few years. As Information Security professionals our job is to ensure we secure all doors into our systems. Today’s cell phones are giving their users unprecedented access to information from banking to the weather but with this new connectivity comes new attack surfaces. Cell phones can be secured with proper planning. Knowing your exposure level, teaching users about how much information their phone actually has and then testing your security will improve your ability to react to attacks in the future.
