The Vault: Facebook privacy, printers are out to get you, and tinfoil hats

It is time for another security link round-up from your friends at Wharton Security. This week we’ve been reading about Facebook privacy, printer vulnerabilities, 9 reasons you should be paranoid, and a neat new USB thumb-drive.

Facebook settles with the FTC over privacy concerns

Everybody, including my mother, has a Facebook account these days. In addition to being a great website on which to play Farmville, Facebook is also the primary way that many people stay in contact with their friends (or their “social graphs” as the nerds call it).

Facebook has a reputation for over-sharing information people have marked as private when rolling out new functions. This sparked an investigation from the FTC for some actions the company did a couple years ago. Facebook has settled with the FTC and agreed to a 20 year privacy audit from the FTC. Furthermore, Facebook has created two new executive positions relating to privacy.

Mark Zuckerberg, Facebook’s Founder and CEO, has a lengthy blog post up reassuring everyone that Facebook takes your privacy very seriously.

Fun with printer hacking

Chances are the only time you think about your printer is when you need to load paper or run out of toner. However, printers are pretty impressive pieces of technology. They’re basically highly specialized computers sitting on your network.

Researchers at Columbia University have managed to hack certain LaserJet models of HP printers to do a variety of things: overheat the fuser until it smokes, and send copies of all printed documents to a third party.

How did they do this? Well, printers need firmware to function. This firmware is the operating system of the printer. Certain LaserJet printers (the list of models impacted hasn’t been released) allow for remote upgrades of the firmware. Sadly, the printer doesn’t check to see if the firmware update it is receiving is legit (using something called digital signatures). The printer just assumes any requests to upgrade its firmware are on the level and happily updates itself. The researcher were able to take advantage of this and remotely update printers with their own version of firmware which gives them full control of the printer.

The really scary part? Short of pulling apart your printer and examining the chips that make it work there is no way to know if your printer has been hacked. Scary, huh?

Luckily, HP says there is very little chance that this exploit can be leveraged in the real world, however, they are aware of the situation and working on a way to plug up this potential security threat.

Tinfoil hats

If those two articles aren’t enough to make you reach for a roll of aluminum foil this list of 9 things to be paranoid about might. Things they cover include warrentless GPS Tracking and wiretapping by the government, fake celltowers, and the woefully out of date Electronic Communications Privacy Act (the online world has changed a bit since the bill was adopted in 1986).

Crypteks

What could be better than a USB thumbdrive with 256 AES hardware encryption? One that comes with a mechanical lock that looks like it was ripped from the pages of The Da Vinci Code. The Crypteks USB drive (patent pending) is just that.

At the moment the Crypteks USB isn’t available but you can pre-order one via their Kickstarter page (I ordered myself the 8 gig version).

Posted in The Vault | Leave a comment

The Vault: Windows security, mobile devices, iOS 5.01, and Hacked!

Welcome to a new feature on the Security blog: The Vault. Every week Barry and I come across a variety of articles and blog posts about various aspects of security. Why not gather up all those links and share them with you, dear readers, instead of reading them and moving on?

With the backstory out of the way let’s make like Scrooge McDuck and jump into the Vault:

  • Kim Douglas, a writer on Microsoft’s Windows team, wrote a great article all about Windows security for the home user. The article covers a lot of ground, which makes it a little lengthy, but if you have a Windows PC at home it is well worth a read.
  • When you leave your house you aren’t leaving behind any chance of a security breach. We’re all using more and more mobile devices (I have three on my desk at the moment, though I might be a bit of an outlier) and they have unique security concerns. The Internet 2 Wiki has a list of great tips for securing your mobile device that isn’t written with a specific platform in mind. If you use an iPhone, Android, or Blackberry this list has something for you to think about.
  • Speaking of mobile devices, if you use an iPhone or iPad it is time to update your OS. Apple has just released OS 5.0.1 with a slew of security related fixes (including one for the Smart Cover bug)
  • Finally, James Fallows documents what happened when his wife’s Gmail account was hacked in an article for the Atlantic called “Hacked!”. It is a good read, and serves as a sort of crash course on why hackers do what they do.

Image of the vault lock from Mike Mahaffie’s Flickr Stream.

Posted in The Vault | Leave a comment

Apple, Adobe, and Microsoft release updates

One of the best ways to keep your computer (Mac or PC) is to stay on top of software updates for both your operating system of choice and the applications that you run (heck, even my Blu-ray player gets fairly regular updates from the manufacturer).

Programmers across the industry have been busy this week because three big companies released some critical updates this week:

  • Adobe released a critical update to Shockwave Player, which reminded me that Shockwave Player still exists. Shockwave was the way to do animation in a browser when it was first introduced, but has seen been superseded by Flash and HTML 5. Only install this update if you have Shockwave on your computer (chances are you don’t have it installed, this page will run a test to see if you have it or not).
  • Apple has updated their Java runtime for both OS X 10.7 (Lion) and OS X 10.6 (Snow Leopard). This update addresses lots of issues with Java on the Mac.
  • Microsoft usually issues patches on the second Tuesday of the month, which was just yesterday. This month’s batch of patches includes 4 patches 1 of which Microsoft categorizes as “critical” meaning you should patch your Windows systems with this as soon as possible.

For more information about these updates check out Brian Krebs’ great post on the subject.

Posted in Software Updates | Tagged , , , | Leave a comment

A couple security primers

Worms, viruses, two factor authentication, spyware, malware are just a few of the terms that get thrown around by computer security folks like myself. But what the heck do they mean?

Not everyone is familiar with these terms, but they are important. The fine people at Kaspersky Labs, makers of a number of different security products and services, have put together a Computer Security FAQ that explains a number of commonly used security terms.

Computer Security encompasses more than just terms, though. Google has a site called “Good to Know” which covers a wide range of topics including staying safe online, information about Google’s privacy policies and more. It is worth checking out, and you might learn a thing or two (even if the artwork is a little odd).

Posted in Security Tips | Tagged , , | Leave a comment

Securing your new iPhone 4S

If you are a happy new iPhone 4S owner (I know I am, as are about 4 million other people), congratulations! As soon as I received mine I transferred all the data from my old, and now obsolete, iPhone 4. As I watched the progress bar I realized just how much information about me I carry around in my phone:

  • My work emails
  • My 1Password database with all my accounts and their passwords
  • Pictures
  • All my contacts
  • All my appointments
  • A variety of notes about both business and personal matters

What if I were to lose my phone? Or worse yet, what if someone stole it! Those criminals would have a ton of information about me… or would they?

One of the first things I did when I got my new iPhone 4S was enable a passcode (these instructions will also work for older iPhones). Here’s how to do it:

  1. Tap on the Settings icon.
  2. Tap General
  3. Scroll down until you see the Passcode section.
  4. Tap on Passcode Lock.

Under Passcode Lock there are a number of interesting options. The first thing you’ll want to do is tap “Turn Passcode On.” You’ll be prompted to enter your new password twice.

Once a passcode is set tap on “Require Passcode.” This sets the delay between when you lock your phone and when the passcode is required to unlock it. I would recommend choosing “immediately” because I’m paranoid.

You should also set “Siri” to Off in the Passcode Lock settings, otherwise someone could use Siri (the iPhone 4S voice activated personal assistant) to send emails/text messages to people from your locked phone (not very secure). Keep in mind this doesn’t turn off Siri for your phone, it is just disables it when your iPhone is locked.

Finally, while you’re there slide “Erase Data” to yes which will erase everything on your iPhone when someone enters the wrong passcode 10 times in a row (chances are you’ll need many fewer attempts to unlock your phone).

Posted in iOS, iPhone/iPad, Security Tips | Tagged , , | Leave a comment

Apple updated Snow Leopard malware detection

Just a few days ago I blogged about a Mac specific malware app making its way around the web called Mac Defender.

Yesterday Apple released a security update for Snow Leopard (the most recent version of OS X) that addresses this problem.  It updates the list of malware apps that OS X checks before opening any newly downloaded files (this feature is called File Quarantine) to include a check for Mac Defender. Also of note, after this security update is applied this list of malware will be updated every day, to keep your Mac safe (you can also disable this feature if you prefer to live on the wild side, though I wouldn’t suggest it).

If a file you download contains a listed variant of Mac Defender you’ll see this alert:

I would highly recommend clicking “Move to Trash.” This is not the file you’re looking for.

But what if your Mac is already running Mac Defender? This update will detect any known variants already on your Mac and remove all files associated with it.

This is a great response from Apple, sadly there are already variants of Mac Defender that aren’t detected by this update. I think it is  safe to say this won’t be the last Mac malware we see in the coming months.

 

 

Posted in Mac, Malware/Viruses | Leave a comment

Macs and malware: MacDefender

Macs don’t get viruses and malware, right?

Not quite. While it is true that historically Macs haven’t suffered from the same level of attacks that Windows has, OS X is far from immune from these sorts of attacks.

At the moment a malware app called Mac Defender, and some variations on that name, is making its way around the web. Here’s how it works.

You visit a Web site that pops up a window that looks to be “scanning” your Mac for malware. Surprise! It finds that your Mac is infected (it isn’t). While this is happening the Web site uses a Javascript to download a compressed file that contains Mac Defender (or something similarly named). By default, OS X will decompress the file and start the installer. At this point you’re worried that your Mac has a virus on it, so you agree to install Mac Defender. Once installed it launches and looks like this (image from Intego’s security blog):

Macdefender

If you start a scan Mac Defender tells you that you have a bunch of viruses on your Mac, and if you want to remove them you’ll have to register and pay for Mac Defender. This is the point of Mac Defender: to get your credit card information. There are no viruses on your Mac, and even if there were Mac Defender isn’t actually scanning anything.

Apple has posted Mac Defender removal instructions but there are a couple of other things you should do.

Install antivirus software

If your Mac accesses Penn’s network University policy requires that you run antivirus software. You can download Norton AntiVirus 11.0.3 from the Penn Computing Web site for free (and you can install it on any of your Macs: work or home… as long as you’re a Penn student, faculty member, or staffer).

Disable open “safe” files in Safari

By default Safari automatically opens a variety of files after you’ve downloaded them (including compressed files like Mac Defender). It is a good idea to turn this feature off, and only open files that you deem safe (humans generally have better judgement than computers, even Macs!).

To disable this feature open Safari’s preferences and click on the “general” icon:

Safariopensafe

Uncheck “Open ‘safe’ files after downloading” and you’re set.

Posted in Mac, Security News, Security Tips | Tagged , , | Leave a comment

LastPass posts security notification

You might recall in our “The importance of good passwords” post we mentioned a password manager by the name of LastPass which promises to be the “last password you’ll ever need to know!”

Last night LastPass noticed some unusual activity on their database servers (those servers that contain all the LastPass users’ passwords). Since the LastPass folks are paranoid (a good thing when you’re storing people’s passwords) they are making everyone change their “master password” (that’s the password which unlocks the file with all your other passwords in it). At this point it doesn’t look like much, if any, data was compromised but better safe than sorry!

Read their notification for the full list of precautions that LastPass is taking to ensure their users’ data is secure. Kudos to LastPass for posting about this potential breach, and handling it in a transparent and comprehensive manner.

Posted in Internet, Security News | Leave a comment

New Toshiba drive erases itself (when it should)

Any security expert worth their salt will tell you one thing: your computer’s overall security depends on its physical security. Firewalls, antivirus, and a really strong password aren’t much help when a ne’er-do-well can get his (or her!) hands on your computer and skedaddle back to their hidden liar to extract all the drive’s secrets.

Toshiba has just announced a new hard drive (with the very memorable name of MKxx61GSYG) in their Self Encrypting Drive series that has a host of security features. Firstly, as the series name suggests, the drive encrypts itself automatically. That’s cool, but the coolest thing is this: the drive can be paired with a computer, and when it detects that it is installed in a computer other than the one it is paired with the drive can be set to either erase all the data it contains, or just a particular subset. We’re living in the future people.

The drive and also be remotely wiped via a number of commands, so if your computer is stolen and the thief attaches it to a network you there is a chance you can wipe the drive.

You can’t order yourself a MKxx61GSYG just yet, but Toshiba is working with electronics manufacturers to offer the drives as an option on any number of devices from copiers to computers.

Posted in Uncategorized | Leave a comment

Epsilon data breach and you

Last Friday Epsilon, a large marketing firm, notified their clients that “a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system.” In plain english this means someone hacked into Epsilon’s systems and stole a large number of email address/name combinations. These email addresses were also associated with whatever client paid Epsilon to send out email messages for them. Of course, it could have been worse: no password information was snapped up in this breach and Epsilon says a third party has confirmed no personally identifiable information, other than email/name, was involved in this breach.

Quickly the companies whose customer’s information was included in the Epsilon breach started sending out notifications. Some of the companies affected include:

I know what you’re thinking: big deal, some Internet ruffians now have my name, email address, and know I have an account at Citi (or do business with any of the businesses included on this list, scroll to the bottom of the post), what’s the problem?

The problem, in a word, is: phishing. Phishing refers to emails crafted to look legitimate, but which are, in fact, a clever ruse intended to trick the recipient into giving the phisher all sorts of information (generally phishers are looking for usernames and passwords, but they also phish for social security numbers, bank account information, and credit card numbers). The more information phishers have about you, the more targeted they can make their attempts. For example, the hackers who purloined Epislon’s email database know that someone on their list has an account with Citi. They don’t know the details of that account, but they can create a message that looks like it comes from Citi, and uses the full name of the recipient, in an attempt to get the Citi account information from the individual.

These targeted attacks are called “spear phishing,” and experts expect an uptick in spear phishing thanks to the Epsilon breach.

What can you do to protect yourself? We have several measures in place to protect your Wharton email account from phishing attempts, but inevitably some phishing emails will end up in your inbox (and your non-Wharton email accounts as well!). Here are a few things to keep in mind when faced with a potentially phishy email:

  • A reputable organization will never ask you to send password/confidential data to them via email.
  • Most phishing emails contain links to Web sites that mimic the look and feel of a legitimate Web site (like that of your bank). Before you click a link in the email message, hover your mouse pointer over it… a little popup will appear displaying the URL. If the URL looks strange, don’t click on the link. If you click on the link, make sure to look at the address bar of your browser and double-check that you are on the Web site you thought you were going to.
  • Check the sender: If the email is from some wacky email address, be on guard.
  • When in doubt: Ask. We’re here to help, if you aren’t sure if an email you’ve received is legitimate ask a member of Wharton Computing for their opinion.
Posted in Security Tips | Tagged , , , , | 1 Comment

University of Pennsylvania Logo
Copyright © 2014 The Wharton School, University of Pennsylvania