Image via Wikipedia

When you take a photo of yourself in your house and then post it via Facebook or twitpic, you assume that no one will really know where you are taking that picture. Well, you may be wrong. Social media security is in a very nascent development stage. There are a number of theats already to social media such as malicious applications in Facebook or trojans in shortened URLs that the average user does not know about or where to turn to for advice.

A new threat could be giving up your location when you post a picture from inside your house. A team of scientists dicovered that with some smartphones, a user’s latitude and longitude can be attached tothe picture you post in the metadata. That’s pretty scary. See the news story ” Tips to Turn Off Geo-Tagging on Your Cell Phone”  (http://abcnews.go.com/Technology/celebrity-stalking-online-photos-videos-give-location/story?id=11443038) “Many people are not aware of the fact that there are geotags in photos and videos,” said Gerald Friedland, one of the scientists.

A website that has been setup to show the dangers of this capability is www.icanstalku.com. So what can you do about this? Do you want to be stalked?  ON the IPhone, go to Settings, General, then Location Services and disable the applications you do not want to use Geo-tagging, such as Camera.

Regards

Gary Bahadur

www.kraasecurity.com

blog.kraasecrity.com

888-572-2911

Related articles

• How to handle a cyberstalker (cnn.com)
• Cyberstalking threat hits UK (lv.com)
• Teen Charged With Cyberstalking After Creating Fake Facebook Account (dreamindemon.com)
• Geo-Tagging: The Dangers Of Posting Pictures Online (newyork.cbslocal.com)
• The Dangers Of Geo-Tagging In Harlem (harlemworldblog.wordpress.com)
• GeoTag Photos with GeoSetter (jakeludington.com)

Network Solutions, one of the largest domain registrars recently announced a data breach. Malicious code was found on its e-commerce server which may have captured transactions from thousands of websites and capturing half a million or more credit cards. The company said they found the code during a routine check. Since the breach occurred between March 12 and June 8th, how routine was the actual checks? I wonder when their last vulnerability assessment or Information security risk assessment was conducted? Data loss prevention is sorely lacking in just about every industry.

Here is what the company said “At this point, we have no reports or other reasons to believe that any credit card account information has been misused and, under established practice, credit card issuing companies generally will not hold our merchants’ customers liable for any fraudulent purchases made using their credit card account numbers that are reported in a timely way to the issuer,” a statement from the company reads. All these statements around hacker breaches and stolen credit cards read the same.

The process now begins where all the merchants have to be identified, then each merchant has to notify their customers. Their customer then have to work with their banks to stop credit cards, have to get credit monitoring and thus goes the Circle of Life (of data breaches) Here is the list of data breaches in 2009 alone. If you recall the breaches of Heartland Payment Systems and RBS WorldPay, the breachescaused them to be removed from the PCI security audit () list . Well that should be obvious, or should they have been rated compliant int he first place. Known non-compliance might be a better than weak compliance.

The basic question is what was Network Solution not doing to have malicious software installed on key servers? Was it a breach through a web application, was it through malicious email, a browser based attack, some insider who didn’t know enough about security and clicked on the wrong thing? What routine check found it and why wasn’t this check run on a more routine basis, such as weekly or even daily?

At the end of the day, security is a moving target. We can utilize encryption, vulnerability management, application security risk assessment, email filtering, backup and recovery, but all will be useless is we follow poor practices or do not have good procedures in place to take into account the human element. Most breaches are insider problems or mis-configurations or plain old stupidity.

Gary Bahadur
http://www.kraasecurity.com

http://blog.kraasecurity.com

*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

I am pretty puzzled about how the malware actually got on the machine. The article doesnt delve into too much detail, but looks like maybe a driver was infected that got placed on the machine. This seems to say the manufacturer does not use any kind of antivirus, or antimalware to test the security of the system before shipping it out. It also calls into question the security processes in place around managing software and development. A bit scary.

So what are some things you can do to protect against malware (i hope you know most of these already)

1) Use a firewall - A good personal firewall will help defend your system, especially if it has the capability to monitor outbound traffic or stop unknow programs from being run or installed. Try Zonealarm, free version.

2) Run anti-virus – This is obvious. while many antivirus programs will miss a lot of malware, you need a defense in depth strategy. Try AVG or Avast.

3) Install patches - A must do. Keep your systems patched because many worms, virus, and malware take advantage of unpatched system vulnerabilities

4) Use antispyware – This is a bit different from antivirus. It can stop malicious code from running and warn you of registry changes. A good start for the beginner is SpywareGuard and  Spybot S & D.

5) Protect the browser – Browser protection software can stop activex controls from running, protect you from tracking cookies and known malware. Two examples are SpywareBlaster and IE-SpyAd

6) Stop Surfing Porn!

Baha

baha@kraasecurity.com

www.kraasecurity.com

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

++++++++++++++++++++++++++++++++++++++++++++++++++++

Netbook comes with factory-sealed malware
Chuck MillerMay 20, 2009
SC Magazine