Archive for November, 2007

Social network risks highlighted.

Something I picked up in a newspaper and saw on the BBC website.

“Millions of Facebook users at risk of fraud
One in four users of social networking sites leave themselves open to crime by revealing personal details. About 2.7 million members of sites such as Facebook and Myspace expose contact details or dates of birth on their profiles - often all the information identity fraudsters need. And among 18 to 24 year olds, the proportion putting themselves at risk rises to more than one in three, a survey shows. Legitimate users of the sites are also taking advantage of the details - as many as two in five use them to look up old flames.
The poll, released today to mark the start of ‘Get Safe Online’ week, is intended to highlight the dangers of online identity fraud.
It also shows that 13 per cent of Britain’s 10.7 million social networkers posted information or photos of other people without their consent. But, proving it is not only fraudsters who exploit the information, 39 per cent of 25 to 34 year olds admitted searching for an ‘ex’ on the sites. And nearly a third of users have looked up their boss, colleagues or a job candidate.
Tony Neate, managing director of GetSafeOnline.org, said: ‘Although some of these details may seem harmless, they provide rich pickings for criminals.’ People need only take a few simple precautions to protect themselves, he added. Getsafeonline.org is a joint initiative between the Government, the Serious Organised Crime Agency (SOCA) and private sector sponsors, HSBC, Microsoft, eBay, Symantec and Cable & Wireless to help individuals and smaller businesses be aware of how to protect themselves against internet security risks.”

Additionally, my mantra with social networking sites is to reveal as little information as possible. And the following article demonstrates what can happen as a result.

“Troops told of Myspace terror plot
Soldiers are being warned against revealing their military connections on networking websites for fear they may be targeted by al-Qaeda. Army units were told in a restricted memo to be ‘particularly careful on Facebook, Myspace or Friends Reunited’. It is thought to be the first time MI5 has warned troops about the danger of posting personal details on the Internet.
The threat they face came to light earlier this year when an alleged plot to kidnap a British Muslim soldier and behead him live on the Internet was uncovered. The latest memo states that al-Qaeda cells are increasingly using the Internet to find potential targets. The Royal Marines group on Facebook has 1023 members, with many profiles revealing soldiers’ details and information on their families and whereabouts.”

From a developer point of view… secure coding

For most of us here, we are looking to hack and crack systems. But spare a thought for those poor souls who have to try to ensure their code stands up to the hack attack. And coming from a developer background, I should *really* know more about the security aspects of coding.

As you may know there are a number of different programming languages out there. The most commonly used programming languages for web applications are PHP and Perl. Both have potential security pitfalls because they mix the handling of data sent and received through a web application with the ability to perform system-level tasks, so untrusted input can end up driving a filesystem or shell operation.

There are a number of gotchas that coders can look for. With PHP, OWASP have their own top 5. There’s even a Hardened-PHP project. But the best guide I’ve seen so far is i-love-jack-daniels, along with these brief PHP thoughts. With Perl, there is CPAN’s perlsec pod, and cgisecurity has a good reference as well. One of the things you can apply whilst you code is Perl’s taint mode, as described by developer.com, which flags up any use of unchecked (‘tainted’) input such as dodgy variables and program arguments in operations that touch the system.
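To show what taint mode actually does, here is a small Perl script added as an example (it is not from the original post or from any of the linked guides). It assumes a Unix box with /bin/ls, and the filename rule in untaint_filename is a hypothetical policy chosen for the demonstration:

```perl
#!/usr/bin/perl -T
# Added example, not from the original post: Perl taint mode (-T) at work.
# Run as:  perl -T taint_demo.pl 'report;rm -rf /'   (rejected before any call)
#          perl -T taint_demo.pl report-2007.txt     (accepted and listed)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, perl refuses to pass data that came from outside the program
# (argv, environment, STDIN, files, sockets) to system(), exec(), backticks,
# open() for writing and similar calls. The environment counts as outside
# too, so PATH must be set explicitly or every system() call dies.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Stand-in for a CGI parameter: a command-line argument is tainted in the
# same way a query-string value would be.
my $user_supplied = shift @ARGV;
defined $user_supplied or die "usage: perl -T $0 <filename>\n";

# Only a regex capture removes the taint, and perl trusts the capture
# blindly: /(.*)/ would "untaint" anything, so the pattern has to be the
# actual policy. Here (hypothetical rule for this example): 1-64 word
# characters, dots or dashes, and nothing else.
sub untaint_filename {
    my ($raw) = @_;
    return $1 if $raw =~ /\A([\w.-]{1,64})\z/;
    die "rejected unsafe filename: '$raw'\n";
}

print 'argument tainted:   ', (tainted($user_supplied) ? 'yes' : 'no'), "\n";
my $safe = untaint_filename($user_supplied);
print 'after check tainted: ', (tainted($safe) ? 'yes' : 'no'), "\n";

# List-form system() never invokes a shell, so the argument is not parsed
# for metacharacters. Had the tainted $user_supplied been passed here
# instead, perl would die with "Insecure dependency in system while
# running with -T switch" before anything ran.
my $rc = system('/bin/ls', '-l', '--', $safe);
print $rc == 0 ? "listed $safe\n" : 'ls exited with status ' . ($rc >> 8) . "\n";
```

The -T switch has to be on the command line (or in the shebang of a script run directly); `perl taint_demo.pl` without it stops with "Too late for -T". The point to take away is the second comment block: taint mode makes the developer state a validation rule before tainted data reaches the system, but it does nothing to make that rule a good one.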

There are some programming languages which offer a framework that handles security more implicitly, but it still only takes one daft developer to insert some dangerous code. Anyhow, Microsoft have a security guide for ASP.NET applications, whilst Java has its own.

Generally speaking, a developer should do their own code audit and code review before it is released. Naturally, there’s always pressure from sales, marketing, MDs, etc. but in an ideal world, things should be done PROPERLY.

More than SQL injection

When it comes to database security, there’s more to it than plain old SQL injection within a web application. There are issues in the underlying database systems themselves. One good resource is about.com, which has articles about inference (i.e. working out protected information from the results of queries you are already allowed to run, without needing extra privileges) and privilege escalation. Another one is arguably from the guru of database security, David Litchfield. His site has a few links and whitepapers about different databases, though it looks more specific to Oracle. A solid one-pager can be found at governmentsecurity.org.

Blackberries yummy!

There’s a bit of a push on the phone-cum-PDA front. First of all, vnunet mention that Research In Motion (dubiously abbreviated as RIM) are unveiling a ‘streamlined’ version of BlackBerry Enterprise Server for smaller organisations. Meanwhile, Silicon give some good background to the BlackBerry. They also suggest that as the BlackBerry improves in hardware and functionality, there are likely to be more applications available aside from the standard email and internet connectivity. This includes a tie-in with Facebook.

I have seen the BES in action. I have to say it is a bit of a monster with a lot of configuration features. You can create policies that BlackBerries are bound to when used in a corporate environment. In fact, the way I saw it set up, the default policy had no restrictions enforced.

Old skule trix

Well, today I found some old school hacking tactics come into play as two students got caught and were prosecuted for changing their grades at Calstate University. To be fair that looks to be an inside job, and this was only discovered after a routine audit 2 years previously. Though I think 20 years in prison and $250,000 is a tad harsh.

Anyhow, following on from this, there is a course where if you did that you might actually get a distinction: yes, I am referring to the new breed of postgraduate degrees in ethical hacking. According to vnunet, Abertay University are the first to offer an ethical hacking course. However, I know someone who graduated from the Internet security group at Royal Holloway in London.

Would be interested if anyone else around the world offers such a specific degree. Let us know!
