Archive for January, 2009

Facebook attacks likely to rise

Posted January 30, 2009 at 10:41 pm in Privacy | 2 Comments

The Red Tape Chronicles over at MSNBC.com have posted an interesting story titled Facebook ID theft targets ‘friends’ that highlights an attack on Bryan Rutberg. The gist of the article is that Mr. Rutberg’s Facebook account was hacked and then exploited for money. In typical playbook manner the hackers cracked his password, posted a few fake messages to his profile claiming an emergency and asking for financial help, and changed the account’s password. They even took the additional step of “de-friending” his wife so he would be unable to post a message saying his account had been hacked. The hackers extracted $1,200 from their scam. This Nigerian-style attack isn’t that different from any other Nigerian-style attack carried out on any other platform (MySpace, LinkedIn, etc.).

Mr. Rutberg, being an employee at Microsoft, should have kept a few security best practices in mind. Before signing up for any service offered on the Internet one should recognize the risks involved. This is especially true for websites like Facebook where every facet of one’s life is involved. I know it’s tedious, annoying and time-consuming, but read the privacy policies, the terms of service, and even the FAQ. Reading these documents in advance will shine light on what the service will and will not provide. I often find the FAQ, if one is provided, to be the summarized version of many of these documents. It wouldn’t hurt to do a little research online about these services as well. I know it is often tempting to rush into something new because it’s trendy and everyone in your life is doing it, but let me remind you that this is the same psychological principle used in Ponzi schemes, where even the biggest “stars” on the planet lose their money.

The rest of this article I’d like to dedicate to Facebook. Facebook is a free social networking service that allows millions of people worldwide to connect with one another. This is also the platform that hackers dream of: all critical and personally identifiable information is available almost instantly once an account has been compromised. How do hackers (crackers, technically) hack a Facebook account? They use password crackers. Browse over to https://login.facebook.com/login.php. All you need is the target’s email address, which is easily obtained with a few phone calls at most. You enter the email address and begin the arduous process of guessing the right password. If you have local access to the target’s system it isn’t hard to browse their cookies, especially the “login_x” cookie set by Facebook. It should contain something like this:

a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A20%3A%22john%40doe.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D

As you can see amongst the percent-encoded hex escapes, the email address the target uses to log into Facebook is john@doe.com.
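The login_x value above is not encrypted at all: it is URL (percent) encoding wrapped around the output of PHP’s serialize(), so anyone who can read the cookie can read the stored email address. The decoder below is an added example, not code from the original post or from Facebook; it URL-decodes the value and parses the PHP serialization back into a Python dictionary, which is a quick way to audit what a service keeps client-side. Note that the value quoted in the post declares s:20 for an address that is only 12 characters long (the address was evidently substituted by hand), so the parser trusts a declared length only when the two characters "; follow it and otherwise scans for the terminator.

```python
from urllib.parse import unquote

# Constructed sample: the login_x cookie value quoted in the post above.
SAMPLE_COOKIE = (
    "a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A20%3A%22john%40doe.com%22%3Bs%3A19"
    "%3A%22remember_me_default%22%3Bb%3A0%3B%7D"
)


def _parse(data: str, pos: int):
    """Parse one PHP-serialized value at data[pos]; return (value, next_pos)."""
    tag = data[pos]
    if tag == "N":                                   # N;  -> null
        return None, pos + 2
    if tag in ("b", "i", "d"):                       # b:1;  i:42;  d:3.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        value = {"b": lambda v: v == "1", "i": int, "d": float}[tag](raw)
        return value, end + 1
    if tag == "s":                                   # s:<len>:"<chars>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip the :" opener
        end = start + length
        if data[end:end + 2] != '";':
            # Declared length disagrees with the content (as in the post's
            # hand-edited value): fall back to scanning for the terminator.
            end = data.index('";', start)
        return data[start:end], end + 2
    if tag == "a":                                   # a:<count>:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip the :{ opener
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            value, pos = _parse(data, pos)
            result[key] = value
        if data[pos] != "}":
            raise ValueError(f"expected '}}' at offset {pos}")
        return result, pos + 1
    raise ValueError(f"unsupported PHP serialization tag {tag!r} at offset {pos}")


def php_unserialize(data: str):
    """Decode a PHP serialize() string into Python values (arrays become dicts)."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError("trailing data after the serialized value")
    return value


def decode_login_cookie(cookie_value: str) -> dict:
    """URL-decode a login_x-style cookie and unserialize the PHP array inside."""
    return php_unserialize(unquote(cookie_value))


if __name__ == "__main__":
    # Shows what the service stores client-side: the login email, in the clear.
    print(decode_login_cookie(SAMPLE_COOKIE))
```

The takeaway for a service operator is the same one the post makes from the other side: a cookie that must persist identifying data should carry an opaque, server-side session identifier rather than the data itself, because URL encoding hides nothing from anyone who can read the cookie jar.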

Sarbanes-Oxley Act of 2002

Posted January 15, 2009 at 6:21 pm in General | No Comments

The Sarbanes-Oxley Act of 2002, or the Public Company Accounting Reform and Investor Protection Act of 2002, isn’t a security compliance standard or regulation. It is a United States law that introduced major changes to the regulation of financial practice and corporate governance. The law emphasizes corporate accountability and was in part a response to the corporate scandals of Enron, Tyco International, Adelphia, WorldCom, etc., in which shareholders lost billions of dollars when the share prices of these companies collapsed.

The Sarbanes-Oxley Act of 2002, more commonly known as SOX, was named after Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH), who sponsored the bill.

Introduction to Cryptography

Posted January 4, 2009 at 1:20 pm in Encryption | No Comments

One of the most fascinating areas of information and network security, in my opinion, is cryptography. In truth, many aspects of cryptography still baffle me, but it is also the one area that really piques my interest. I recall my first steps into the cryptographic realm and wondering how anyone was able to comprehend it all. At the time my mathematical foundation was weak, so the ideas presented to me were confusing. Much of cryptography, from a mathematical perspective, has its roots in number theory, the branch of pure mathematics concerned with the properties of numbers in general (integers in particular). To be more precise, cryptography resides in the sub-field of computational number theory, the study of algorithms relevant to number theory, specifically fast algorithms for primality testing (3, 5, 7, etc.) and integer factorization.

So, what is cryptography and why should anyone care about it? Cryptography is the art of transforming a message into an intermediate form that contains the same information as the original message but is hidden from anyone who does not know how to reverse the transformation. In layman’s terms, it is the science of writing in secret code. Before I supply an example, let me introduce and clarify the proper terminology. A message exists in plain text, which means anyone who understands the language the message was written in is able to understand it. This is how all messages exist before any cryptographic process takes place; information is always used and understood in plain text form by one or more persons. Once a message has undergone the cryptographic process of transforming it from a plain text message into a secret message, it is called cipher text. Let’s review this quickly: a message existing in plain text undergoes a cryptographic process and becomes cipher text.
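To tie the two previous paragraphs together, the added example below (my own code, not from the original post) uses textbook RSA, which the post does not name but which is the classic case of a cipher built directly on the number theory it describes: a fast probabilistic primality test (Miller-Rabin) finds the primes that make up the key, modular exponentiation turns plain text into cipher text, and reversing the transformation without the private exponent amounts to factoring the modulus. The key size, the message strings and the absence of padding are illustrative choices; a real deployment uses 2048-bit or larger keys and a padding scheme such as OAEP.

```python
import random

# Textbook RSA for illustration only: no padding, small keys. Not for production use.


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test: a fast algorithm of the kind the post mentions."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    # Write n - 1 as d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a witness proves n is composite
    return True                   # no witness found in `rounds` tries


def random_prime(bits: int) -> int:
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 64, e: int = 65537):
    """Return ((n, e), (n, d)). Recovering d from (n, e) requires factoring n."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if phi % e != 0:          # e is prime, so this is the gcd(e, phi) == 1 check
            break
    d = pow(e, -1, phi)           # modular inverse of e (Python 3.8+)
    return (p * q, e), (p * q, d)


def text_to_int(message: str) -> int:
    return int.from_bytes(message.encode("utf-8"), "big")


def int_to_text(value: int) -> str:
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode("utf-8")


def encrypt(public_key, plain_text: str) -> int:
    """Plain text -> cipher text: the transformation only the key holder can reverse."""
    n, e = public_key
    m = text_to_int(plain_text)
    if m >= n:
        raise ValueError("message too long for this modulus; use a larger key or split it")
    return pow(m, e, n)


def decrypt(private_key, cipher_text: int) -> str:
    """Cipher text -> plain text, using the private exponent d."""
    n, d = private_key
    return int_to_text(pow(cipher_text, d, n))


if __name__ == "__main__":
    public, private = generate_keypair(64)
    c = encrypt(public, "hi")
    print("cipher text:", c)
    print("plain text :", decrypt(private, c))
```

Running the block prints a different cipher text on every run because the key is freshly generated; what stays constant is that decryption with the matching private key returns the original plain text. The 64-bit modulus here can be factored on a laptop in milliseconds, which is exactly why real keys are orders of magnitude larger.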

