<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="wordpress/2.2.1" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	>

<channel>
	<title>Shon Harris' CISSP Blog</title>
	<link>http://cisspblog.logicalsecurity.com</link>
	<description>Certified Information Systems Security Professional</description>
	<pubDate>Mon, 11 May 2009 20:08:38 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.1</generator>
	<language>en</language>
	
		<copyright>&#xA9; Admin</copyright>
		<itunes:author>Admin</itunes:author>
		<itunes:summary>Just another WordPress weblog</itunes:summary>
		<itunes:explicit>No</itunes:explicit>
		<itunes:block>No</itunes:block>
		
		<item>
		<title>Viruses, Malware And Various Threats To Mobile Devices (Part 4 of 5)</title>
		<link>http://cisspblog.logicalsecurity.com/2009/05/11/viruses-malware-and-various-threats-to-mobile-devices-part-4-of-5/</link>
		<comments>http://cisspblog.logicalsecurity.com/2009/05/11/viruses-malware-and-various-threats-to-mobile-devices-part-4-of-5/#comments</comments>
		<pubDate>Mon, 11 May 2009 20:01:17 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Mobile Security]]></category>

		<category><![CDATA[Wireless Security]]></category>

		<guid isPermaLink="false">http://cisspblog.logicalsecurity.com/2009/05/11/viruses-malware-and-various-threats-to-mobile-devices-part-4-of-5/</guid>
		<description><![CDATA[Viruses and malware in general are a threat to mobile devices, similarly to how they are a threat to desktop computers. They can affect both static data and communication of data, according to the way they work.
An example of a wireless virus is the Visual Basic Script-based Timofonica Trojan horse virus that hit a wireless [...]]]></description>
			<content:encoded><![CDATA[<p>Viruses and malware in general are a threat to mobile devices, much as they are to desktop computers. Depending on how they work, they can affect both the static data stored on the device and the data it communicates.</p>
<p>An example of a wireless virus is the Visual Basic Script-based Timofonica Trojan horse virus that hit a wireless network in Madrid, Spain. Like the &quot;I Love You&quot; email virus, Timofonica appends itself to the messages you send and spreads through your mail client&#8217;s contact list, generating SMS spam and eventually even a denial-of-service condition.</p>
<p>A similar DoS attack occurred in Japan when a virus that sent a particular message to users on the network attacked the NTT DoCoMo &quot;I mode&quot; system. The 911 virus flooded Tokyo&#8217;s emergency response phone system using an SMS message. The message, which hit over 100,000 mobile phones, invited recipients to visit a web page. Unfortunately, when the users attempted to visit the page, they activated a script that caused their phones to call 110 (Tokyo&#8217;s equivalent of the 911 emergency number in the United States). The virus overloaded the emergency response service and may have indirectly resulted in deaths. </p>
<p>This article by Kaspersky Lab, dealing with mobile malware (history, statistics, etc.), is not very recent but is worth reading:</p>
<p>&nbsp;&nbsp;&nbsp; <a href="http://www.viruslist.com/en/analysis?pubid=170773606">http://www.viruslist.com/en/analysis?pubid=170773606</a> .</p>
<p>As a consequence, you must have some anti-virus software. In the already cited Nokia document &ldquo;Mobile Device Management and Security&rdquo;, it is explained that Symantec anti-virus software is used for business-level mobile products. Depending on the device and the operating system you use, you can find free or commercial anti-virus software. To give just one example among many, if you install Linux on a notebook, you can use the free ClamAV anti-virus software:</p>
<p>&nbsp;&nbsp;&nbsp; <a href="http://www.clamav.net">http://www.clamav.net</a> .</p>
<p>Starting in the summer of 2003, all Dell handheld devices began shipping with an embedded version of McAfee Antivirus, then other companies scrambled to compete. There are currently several virus scanners for Windows CE.</p>
<p>The choice of operating system in itself influences exposure to malware, as some operating systems are significantly more exposed than others, whatever the reason may be.</p>
<p>The importance of particular protection tools, like firewalls and anti-virus software, cannot be generalized to every possible mobile device: there are many different kinds of mobile devices, and for some of them the value of a given tool could be overstated. Reason about what a protection measure actually buys you before adopting it and, once you have adopted it, configure it appropriately where necessary.</p>
<p><a href="http://www.logicalsecurity.com/index.html">Logical Security</a> regularly publishes white papers on topics vital to the security industry. Visit our <a href="http://www.logicalsecurity.com/resources/resources_overview.html">CISSP Education Resources</a> section to obtain valuable information and perspective on security practices.</p>
<p>Part 4 of 5 extracted from an original article written by Shon Harris entitled:</p>
<p><strong>Mobile Device Security</strong></p>
<p>Read Part 1 - <a href="http://cisspblog.logicalsecurity.com/2009/04/28/mobile-devices-%E2%80%93-definition-and-security-issues-part-1-of-5/">Mobile Devices &ndash; Definition And Security Issues</a><br />
Read Part 2 - <a href="http://cisspblog.logicalsecurity.com/2009/04/30/mobile-devices-security-implications-and-countermeasures-part-2-of-5/">Mobile Devices - Security Implications and Countermeasures</a><br />
Read Part 3 - <a href="http://cisspblog.logicalsecurity.com/2009/05/06/access-control-wireless-network-risks-and-security-implementations-part-3-of-5/">Mobile Devices - Access Control, Wireless Network Risks and Security Implementations</a></p>
]]></content:encoded>
			<wfw:commentRss>http://cisspblog.logicalsecurity.com/2009/05/11/viruses-malware-and-various-threats-to-mobile-devices-part-4-of-5/feed/</wfw:commentRss>
	
	</item>
		<item>
		<title>Mobile Devices - Access Control, Wireless Network Risks And Security Implementations (Part 3 of 5)</title>
		<link>http://cisspblog.logicalsecurity.com/2009/05/06/access-control-wireless-network-risks-and-security-implementations-part-3-of-5/</link>
		<comments>http://cisspblog.logicalsecurity.com/2009/05/06/access-control-wireless-network-risks-and-security-implementations-part-3-of-5/#comments</comments>
		<pubDate>Thu, 07 May 2009 02:24:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Mobile Security]]></category>

		<category><![CDATA[Network Security]]></category>

		<category><![CDATA[Wireless Security]]></category>

		<guid isPermaLink="false">http://cisspblog.logicalsecurity.com/2009/05/06/access-control-wireless-network-risks-and-security-implementations-part-3-of-5/</guid>
		<description><![CDATA[In order to prevent unauthorized access to the device and the data it contains, access control is necessary, of course, and you can identify users by means of passwords, tokens and so on. 
Mobile devices have wireless capability to connect to the Internet and office/home computer systems. Wireless capability poses a number of specific security [...]]]></description>
			<content:encoded><![CDATA[<p>In order to prevent unauthorized access to the device and the data it contains, access control is of course necessary; users can be identified by means of passwords, tokens and so on.</p>
<p>Mobile devices have wireless capability to connect to the Internet and office/home computer systems. Wireless capability poses a number of specific security risks in addition to typical network associated risks.</p>
<p>Even if Internet access is restricted to wired networks, there is another difference between desktops and mobile devices such as laptops. Desktop computers are always connected to the LAN, where their security settings can be managed and where firewalls protect them from the Internet and other untrusted networks. Network administrators, on the other hand, cannot be sure which networks laptop users will connect to. At home or in hotels, a laptop user will connect directly to the Internet without any protection, and the machine will be exposed to attackers scanning for vulnerable computers on the Internet. A user might also connect her/his laptop to the networks of business partners, where confidential information can be exposed to anyone who succeeds in breaking into the laptop. Once the user connects her/his computer to such an untrusted network, a network administrator can do little to protect the machine from the attacks that can be launched against it.</p>
<p>Man-in-the-middle (MITM) attacks have two major forms: eavesdropping and manipulation. An eavesdropper can record and analyze the data she/he is listening to, while a manipulation attack additionally requires the attacker to be able to alter the data and retransmit it.</p>
<p>Illicit use of a wireless network involves an attacker using the network because of its connection to other networks. Attackers may use a network to connect to the Internet or to connect to a certain corporate network.</p>
<p>Similarly to what happens with wired networks, wireless networks can also be the target of &quot;Denial of Service&quot; (DoS) attacks. DoS attacks, which aim to prevent access to network resources, can be devastating and difficult to protect against. Typical DoS attacks involve flooding the network with traffic, choking the transmission lines and preventing legitimate users from accessing services on the network. DoS attacks can target many different layers of the network. An introductory article on this subject is, for example,</p>
<p>&nbsp;&nbsp;&nbsp; <a href="http://www.wi-fiplanet.com/tutorials/article.php/2200071">http://www.wi-fiplanet.com/tutorials/article.php/2200071</a> .</p>
<p>You can implement security for WLANs using features such as Internet Protocol Security (IPsec) and 802.11 security standards such as EAP and WEP.</p>
<p>&quot;Internet Protocol Security&quot; (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec operates at the Internet Layer of the Internet Protocol Suite and is officially specified by the Internet Engineering Task Force (IETF). You can begin, for example, with the following article about how to apply IPsec to wireless networks:</p>
<p>&nbsp;&nbsp;&nbsp; <a href="http://www.onlamp.com/pub/a/bsd/2004/10/21/wifi_ipsec.html">http://www.onlamp.com/pub/a/bsd/2004/10/21/wifi_ipsec.html</a>.</p>
<p>IEEE 802.11 is a family of protocols for wireless networks that provides the basis for interoperability between equipment from different vendors; IEEE 802.11i, in particular, deals with security. Here the subject of wireless security will only be introduced: it is a wide subject, and to acquire a deeper knowledge of it you will have to read dedicated books. Wireless network security is usually divided into three main parts: station security, access point security and gateway security.</p>
<p>The risk model of network security relies on the assumption that the physical layer is at least somewhat secure. Data in conventional networks travels across wired media. Coaxial cables, twisted pairs of copper wire and optical fibers have been the foundation of networks for many years. In order to view, interrupt, or manipulate the data being transmitted, the wires and switching equipment have to be physically accessed or compromised. With wireless networking, that physical security is gone. The radio waves that make wireless networking possible are also what make it so dangerous: an attacker can be anywhere nearby listening to all the traffic from your network, in a yard, near a street or anywhere else.</p>
<p>In order to protect data from eavesdroppers, various forms of encryption have been used. The 802.11 MAC specification describes an encryption protocol called &quot;Wired Equivalent Privacy&quot; (WEP). WEP provides authentication and confidentiality using a shared-key mechanism with a symmetric cipher called RC4. There are some problems with the WEP standard: it ignores the issue of key management (so it is not suitable for WLANs as the number of users grows) and has security weaknesses, so it was first corrected and then deprecated by the IEEE. Despite this, WEP is still widely in use: it is often the first security choice presented to users by router configuration tools, even though it provides a level of security that protects your system more from unintentional use than from deliberate compromise. The recommended solution to WEP&#8217;s security problems is to switch to WPA2 or, with older equipment, to the less resource-intensive WPA.</p>
<p>WPA stands for &quot;Wi-Fi Protected Access&quot; and is a certification program created by the Wi-Fi Alliance to indicate compliance with the Alliance&#8217;s own security protocol for wireless computer networks. The protocol implements the majority of the IEEE 802.11i standard.</p>
<p>&quot;Extensible Authentication Protocol&quot;, or EAP, is a universal authentication framework frequently used in wireless networks and point-to-point connections. It is defined in RFC 3748, which has been updated by RFC 5247. Although EAP is not limited to wireless LANs and can be used for wired LAN authentication, it is most often used in wireless LANs. The WPA/WPA2 standard has officially adopted five EAP types as its official authentication mechanisms.</p>
<p>Since the device is connected to the Internet, a firewall can be important for your mobile device. You can use commercial products like those offered by Symantec and Kaspersky or free products like those typically found in Linux and BSD distributions.</p>
<p>Where feasible, intrusion detection software can also be used. Note that there is also a Snort project focused on wireless networks:</p>
<p>&nbsp;&nbsp;&nbsp; <a href="http://snort-wireless.org">http://snort-wireless.org</a>.</p>
<p>Part 3 of 5 extracted from an original article written by Shon Harris entitled:</p>
<p><strong>Mobile Device Security</strong></p>
<p>Read Part 1 - <a href="http://cisspblog.logicalsecurity.com/2009/04/28/mobile-devices-%E2%80%93-definition-and-security-issues-part-1-of-5/">Mobile Devices - Definition And Security Issues</a><br />
Read Part 2 - <a href="http://cisspblog.logicalsecurity.com/2009/04/30/mobile-devices-security-implications-and-countermeasures-part-2-of-5/">Mobile Devices - Security Implications And Countermeasures</a><br />
Read Part 4 - <a href="http://cisspblog.logicalsecurity.com/2009/05/11/viruses-malware-and-various-threats-to-mobile-devices-part-4-of-5/">Viruses, Malware And Various Threats To Mobile Devices</a></p>
]]></content:encoded>
			<wfw:commentRss>http://cisspblog.logicalsecurity.com/2009/05/06/access-control-wireless-network-risks-and-security-implementations-part-3-of-5/feed/</wfw:commentRss>
	
	</item>
		<item>
		<title>Mobile Devices - Security Implications and Countermeasures (Part 2 of 5)</title>
		<link>http://cisspblog.logicalsecurity.com/2009/04/30/mobile-devices-security-implications-and-countermeasures-part-2-of-5/</link>
		<comments>http://cisspblog.logicalsecurity.com/2009/04/30/mobile-devices-security-implications-and-countermeasures-part-2-of-5/#comments</comments>
		<pubDate>Thu, 30 Apr 2009 06:25:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Mobile Security]]></category>

		<category><![CDATA[Wireless Security]]></category>

		<guid isPermaLink="false">http://cisspblog.logicalsecurity.com/2009/04/30/mobile-devices-security-implications-and-countermeasures-part-2-of-5/</guid>
		<description><![CDATA[The use of mobile devices has exploded in a relatively short time and is one of the most promising business sectors in IT. Can you imagine a world without mobile phones? The Economist, itself offering a mobile edition of the newspaper, in a recent &#34;technology quarterly&#34; included the use of mobile devices for various purposes [...]]]></description>
			<content:encoded><![CDATA[<p>The use of mobile devices has exploded in a relatively short time and is one of the most promising business sectors in IT. Can you imagine a world without mobile phones? The Economist, which itself offers a mobile edition of the newspaper, in a recent &quot;technology quarterly&quot; included the use of mobile devices for various purposes among the IT-related sectors most likely to expand significantly in the near future, the other important one being cloud computing. Cloud computing and mobile devices have one thing in common: the physical place tends to matter ever less, and work and other activities can take place independently of location.</p>
<p>All this can be welcomed as very good news, but we must not neglect the security implications of this widespread use of mobile devices.</p>
<p>First of all, you can make use of the hardware security devices available for your mobile device, such as locks, alarms and tracking systems. Some of them, particularly tracking systems, can be expensive: weigh the costs against the benefits.</p>
<p>Now we&#8217;re going to focus more on software protection. Risks for mobile devices can be divided into two main categories:</p>
<p>(1) theft of the device and the static data it contains;<br />
(2) theft of data exchanged during communications, or other network attacks.</p>
<p>A mobile device is &quot;mobile&quot;, that is, people take it with them when they travel, and, whether travelling or inside an office, it can be stolen more easily than a desktop PC or a server. It is &quot;mobile&quot; for the thief too. Besides, carrying the device outside the office further increases the probability of theft, as it is exposed to more people and so to more potential thieves.</p>
<p>When such a device is stolen, there is a direct loss that depends on the cost of the device itself, but what happens to the data it contains? If the data are important and secret, the fact that they are stolen together with the physical device can cause damage far greater than the loss of the physical object. Therefore, you must pay attention to every privacy implication of a loss of your data. To prevent such a loss, it is vital to encrypt important data on any mobile device.</p>
<p>If you use a laptop, consider the possibility of encrypting all or part of your file system. If you install Linux, for example, this operation is easy, at least with the latest versions of the most popular distributions. With Fedora, Red Hat Enterprise or Red Hat Enterprise clones (CentOS, StartCom, etc.), you can decide to encrypt any partition you want at installation time. See for example </p>
<p>&nbsp;&nbsp;&nbsp; <a href="http://docs.fedoraproject.org/install-guide/f10/en_US/sn-understanding-encryption.html">http://docs.fedoraproject.org/install-guide/f10/en_US/sn-understanding-encryption.html</a> </p>
<p>where you can get some advice about what to encrypt: /home contains users&#8217; personal data, so it is essential to protect it, but it also makes sense to encrypt other partitions like swap, /var and /tmp, as they can contain users&#8217; data that has been temporarily saved there. You&#8217;ll have to choose a passphrase for the encryption and re-enter it at every system boot.</p>
<p>The &ldquo;Ubuntu family&rdquo; of distributions lets you easily create a private directory inside your home directory, where you can place private data, including those related to your email client and your browser (addresses, important messages, usernames and passwords, &#8230;):</p>
<p>&nbsp;&nbsp;&nbsp; <a href="https://help.ubuntu.com/community/EncryptedPrivateDirectory">https://help.ubuntu.com/community/EncryptedPrivateDirectory</a> . </p>
<p>The simple &quot;trick&quot; to put anything you want from your home directory there is to move it into the private directory and replace the original with a soft link to the moved copy. For example, to put email configuration data inside the &quot;Private&quot; directory:</p>
<pre>
# move the mail client's data into the encrypted directory and leave a symlink behind
mv ~/.evolution ~/Private
ln -s ~/Private/.evolution ~/.evolution
</pre>
<p>The same applies to your browser or another email client. The private directory is automatically mounted when the user logs in.</p>
<p>That is not to say that it is impossible to encrypt partitions or single directories on other distributions; it is just that what I described is something you can do very easily, without necessarily being an expert, while other procedures can sometimes require more steps and become more complicated.</p>
<p>The Ubuntu family of distributions includes a distribution for devices that are smaller than a notebook, in particular the very interesting &ldquo;Ubuntu MID edition&rdquo; (<a href="http://www.ubuntu.com/products/mobile">http://www.ubuntu.com/products/mobile</a>), but I never tried it and I didn&#8217;t find anything on the Web saying you can apply ecryptfs to it like you do with the main Ubuntu distribution.</p>
<p>I used encryption in the way I described on both Fedora and Ubuntu and I was satisfied, with no significant loss in performance (anyway, a laptop is usually not meant to have extreme hard disk performance: it is not a server).</p>
<p>The more widespread &ldquo;Windows family&rdquo; of operating systems allows you to encrypt the file system too, but pay attention to which edition you have; for example, Vista Home Edition supports file system encryption only partially:</p>
<ul>
<li><a href="http://articles.techrepublic.com.com/5100-10878_11-6162949.html">http://articles.techrepublic.com.com/5100-10878_11-6162949.html</a></li>
<li><a href="http://en.wikipedia.org/wiki/Encrypting_File_System">http://en.wikipedia.org/wiki/Encrypting_File_System</a></li>
<li><a href="http://windowshelp.microsoft.com/Windows/en-US/Help/e895bd18-36e5-4229-8424-dff307b155c21033.mspx">http://windowshelp.microsoft.com/Windows/en-US/Help/e895bd18-36e5-4229-8424-dff307b155c21033.mspx</a></li>
</ul>
<p>Besides, you can find third-party software for hard disk encryption on Windows, including open source programs like FreeOTFE (<a href="http://www.freeotfe.org">http://www.freeotfe.org</a>), while BestCrypt (<a href="http://www.jetico.com/bcrypt8.htm">http://www.jetico.com/bcrypt8.htm</a>) is an example of a commercial program.</p>
<p>I found something for Mac too: </p>
<p>&nbsp;&nbsp;&nbsp; <a href="http://www.chuckknowsbest.com/ikrypt">http://www.chuckknowsbest.com/ikrypt</a> </p>
<p>With smaller devices, the possibility of encrypting your file system is less of a given, but if you choose the right device you can do it.</p>
<p>Let&#8217;s consider handheld PCs. As regards the Windows CE operating system, you can see</p>
<p>&nbsp;&nbsp;&nbsp; <a href="http://msdn.microsoft.com/en-us/library/aa914397.aspx">http://msdn.microsoft.com/en-us/library/aa914397.aspx</a></p>
<p>and also look for available third-party software. SecuBox for Pocket PC (<a href="http://www.aikosolutions.com/products/secubox-for-pocket-pc">http://www.aikosolutions.com/products/secubox-for-pocket-pc</a>) is an option for a pocket PC. Another example is Nokia&#8217;s advanced mobile phones like Smartphone and Communicator, which allow you to encrypt information thanks to Pointsec for Symbian OS, as you can see in the document</p>
<p><a href="http://www.asphi.it/Mobile%20Wireless%20Accessibility/resources/NK32_EMEA_Security_WhitePaper_ONLINE_VERSION04OCT27.pdf">http://www.asphi.it/Mobile%20Wireless%20Accessibility/resources/NK32_EMEA_Security_WhitePaper_ONLINE_VERSION04OCT27.pdf</a></p>
<p>(I recommend reading it if you use or plan to use such a device.) This is just one example of where you can find security-related documentation for such devices; it is absolutely not meant to assert that Nokia products are superior to others. You will find security features for whichever brand of mobile device you&#8217;re interested in: just pay attention to these aspects and look for the appropriate documentation.</p>
<p>Another interesting document by Nokia, which may be worth reading for introductory purposes, is the one you find here:</p>
<p><a href="http://www.webbuyersguide.com/resource/white-paper/11326/Mobile-Device-Security-The-Eight-Areas-of-Risk">http://www.webbuyersguide.com/resource/white-paper/11326/Mobile-Device-Security-The-Eight-Areas-of-Risk</a>.</p>
<p>Part 2 of 5 extracted from an original article written by Shon Harris entitled:</p>
<p><strong>Mobile Device Security</strong></p>
<p>Read Part 1 - <a href="http://cisspblog.logicalsecurity.com/2009/04/28/mobile-devices-%E2%80%93-definition-and-security-issues-part-1-of-5/">Mobile Devices - Definition And Security Issues</a><br />
Read Part 3 - <a href="http://cisspblog.logicalsecurity.com/2009/05/06/access-control-wireless-network-risks-and-security-implementations-part-3-of-5/">Mobile Devices - Access Control, Wireless Network Risks And Security Implementations</a><br />
Read Part 4 - <a href="http://cisspblog.logicalsecurity.com/2009/05/11/viruses-malware-and-various-threats-to-mobile-devices-part-4-of-5/">Viruses, Malware And Various Threats To Mobile Devices</a></p>
]]></content:encoded>
			<wfw:commentRss>http://cisspblog.logicalsecurity.com/2009/04/30/mobile-devices-security-implications-and-countermeasures-part-2-of-5/feed/</wfw:commentRss>
	
	</item>
		<item>
		<title>Mobile Devices – Definition And Security Issues (Part 1 of 5)</title>
		<link>http://cisspblog.logicalsecurity.com/2009/04/28/mobile-devices-%e2%80%93-definition-and-security-issues-part-1-of-5/</link>
		<comments>http://cisspblog.logicalsecurity.com/2009/04/28/mobile-devices-%e2%80%93-definition-and-security-issues-part-1-of-5/#comments</comments>
		<pubDate>Tue, 28 Apr 2009 16:01:59 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Mobile Security]]></category>

		<category><![CDATA[Wireless Security]]></category>

		<guid isPermaLink="false">http://cisspblog.logicalsecurity.com/2009/04/28/mobile-devices-%e2%80%93-definition-and-security-issues-part-1-of-5/</guid>
		<description><![CDATA[Let&#8217;s start with the definition of mobile device by Wikipedia: 
&#34;A mobile device (also known as cellphone device, handheld device, handheld computer, palmtop or simply handheld) is a pocket-sized computing device, typically having a display screen with touch input or a miniature keyboard.&#34; 

Mobile devices are classified into various groups:
(1) Mobile computers

Notebook PC
Ultra-Mobile PC
Handheld PC
Personal [...]]]></description>
			<content:encoded><![CDATA[<p>Let&#8217;s start with the definition of mobile device by Wikipedia: </p>
<p><em>&quot;A mobile device (also known as cellphone device, handheld device, handheld computer, palmtop or simply handheld) is a pocket-sized computing device, typically having a display screen with touch input or a miniature keyboard.&quot;</em></p>
<p>Mobile devices are classified into various groups:</p>
<p>(1) Mobile computers</p>
<ul>
<li>Notebook PC</li>
<li>Ultra-Mobile PC</li>
<li>Handheld PC</li>
<li>Personal digital assistant/Enterprise digital assistant</li>
<li>Graphing calculator</li>
</ul>
<p>(2) Handheld game consoles </p>
<p>(3) Media recorders</p>
<ul>
<li>Digital still camera</li>
<li>Digital video camera</li>
<li>Digital audio recorders</li>
</ul>
<p>(4) Media players/displayers</p>
<ul>
<li>Portable media player</li>
<li>e-book reader</li>
</ul>
<p>(5) Communication devices</p>
<ul>
<li>Mobile phone</li>
<li>Cordless telephone</li>
<li>Pager</li>
</ul>
<p>(6) Personal navigation devices </p>
<p>(7) Other accessories </p>
<p>In this series of articles, we deal with mobile device <a href="http://www.logicalsecurity.com/consulting/consulting.html">security issues</a>, having in mind the devices that are more frequently used in a professional environment, such as notebooks, mobile phones, etc., and neglecting other things, like game consoles, that are normally not used at work (unless your job is in the game industry).</p>
<p>Part 1 of 5 extracted from an original article written by Shon Harris entitled:</p>
<p><strong>Mobile Device Security</strong></p>
<p>Read Part 2 - <a href="http://cisspblog.logicalsecurity.com/2009/04/30/mobile-devices-security-implications-and-countermeasures-part-2-of-5/">Mobile Devices - Security Implications And Countermeasures</a><br />
Read Part 3 - <a href="http://cisspblog.logicalsecurity.com/2009/05/06/access-control-wireless-network-risks-and-security-implementations-part-3-of-5/">Mobile Devices - Access Control, Wireless Network Risks And Security Implementations</a><br />
Read Part 4 - <a href="http://cisspblog.logicalsecurity.com/2009/05/11/viruses-malware-and-various-threats-to-mobile-devices-part-4-of-5/">Viruses, Malware And Various Threats To Mobile Devices</a></p>
]]></content:encoded>
			<wfw:commentRss>http://cisspblog.logicalsecurity.com/2009/04/28/mobile-devices-%e2%80%93-definition-and-security-issues-part-1-of-5/feed/</wfw:commentRss>
	
	</item>
		<item>
		<title>Changes to the CISSP Exam</title>
		<link>http://cisspblog.logicalsecurity.com/2009/03/24/changes-to-the-cissp-exam/</link>
		<comments>http://cisspblog.logicalsecurity.com/2009/03/24/changes-to-the-cissp-exam/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 11:28:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[CISSP Training]]></category>

		<category><![CDATA[CISSP Course]]></category>

		<category><![CDATA[CISSP Exam]]></category>

		<category><![CDATA[CISSP Guide]]></category>

		<category><![CDATA[CISSP Certification]]></category>

		<guid isPermaLink="false">http://cisspblog.logicalsecurity.com/2009/03/24/changes-to-the-cissp-exam/</guid>
		<description><![CDATA[The CISSP exam is getting better about mapping to the needs of the industry and keeping up with where the changes are taking place in technology, methodologies, and practical security models. The exam has had a reputation of being out of date and covering things that we have not done in our industry since caveman [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.logicalsecurity.com/education/education_cisspsolution.html">CISSP exam</a> is getting better at mapping to the needs of the industry and keeping up with where changes are taking place in technology, methodologies, and practical security models. The exam has had a reputation of being out of date and covering things that we have not done in our industry since caveman days. I have been a critic of the exam on this issue, but I must admit that the exam is changing more quickly. This allows people who are studying for the exam to <a href="http://www.logicalsecurity.com/education/education_cbt.html">study topics</a> and concepts that they will run into in their careers and that they are required to understand.</p>
<p>One of the smaller changes that took place was that (ISC)<sup>2</sup> changed the names of some of the CISSP Common Body of Knowledge (CBK) domains. While these names do map to some of the changes in the material within the CBK, this has caused some people to be confused about the study materials currently available. The core of each domain has not changed. Some items have been added to some of the domains, which we will cover in this article.</p>
<p>The current domains in the CBK (Common Body of Knowledge) are listed below.</p>
<ul>
<li>Access Control</li>
<li>Application Security</li>
<li>Business Continuity and Disaster Recovery Planning</li>
<li>Cryptography</li>
<li><a href="http://cisspblog.logicalsecurity.com/2009/02/06/risk-management-what-is-the-real-score-in-the-management-of-risks/">Information Security and Risk Management</a></li>
<li>Legal, Regulations, Compliance and Investigations</li>
<li>Operations Security</li>
<li>Physical (Environmental) Security</li>
<li>Security Architecture and Design</li>
<li>Telecommunications and Network Security</li>
</ul>
<p>A common saying about the CISSP exam is that it is &lsquo;a mile wide and an inch deep&rsquo;. For the most part this is true, but I think in some topics the exam now goes at least six inches deep. Now some of the topics are a bit odd, as in lock picking and extensive coverage of CCTV lenses, but most of the newer topics I have great respect for.</p>
<p>This is the first part of my new series about changes to the CISSP exam and tutorials on this new information. Below are some of the topics we will get into as they pertain to each CISSP domain:</p>
<ul>
<li><a href="http://cisspblog.logicalsecurity.com/2009/02/06/risk-management-what-is-the-real-score-in-the-management-of-risks/">Information Security Risk Management</a>
<ul>
<li>New &ndash; Security program and blueprints</li>
<li>New &ndash; Risk Models</li>
</ul>
</li>
<li>Access Control
<ul>
<li>New &ndash; <a href="http://cisspblog.logicalsecurity.com/?s=identity+management">Identity Management</a></li>
</ul>
</li>
<li>Cryptography
<ul>
<li>New &ndash; more block cipher modes and integrity controls</li>
<li>New &ndash; more attack types</li>
</ul>
</li>
<li>Physical Security - Environmental
<ul>
<li>New &ndash; Light types, CCTV, lock picking, lock type</li>
<li>New &ndash; More focus on methodology and process</li>
</ul>
</li>
<li>Application Security
<ul>
<li>New &ndash; more focus on methodology and process</li>
<li>New &ndash; web site and application security</li>
<li>New &ndash; more malware types and attack types</li>
</ul>
</li>
<li>Business Continuity and Disaster Recovery Planning
<ul>
<li>New &ndash; more focus on methodology and process</li>
</ul>
</li>
<li>Telecommunications and Network
<ul>
<li>New &ndash; 802.11 types and security</li>
<li>New &ndash; instant messaging</li>
</ul>
</li>
<li>Operations Security
<ul>
<li>New &ndash; Vulnerability and Penetration Testing</li>
<li>New &ndash; Attack Types</li>
<li>New &ndash; Malware Control Types</li>
</ul>
</li>
<li>Security Architecture and Design
<ul>
<li>New &ndash; enterprise architecture, building, maintaining, holistic security, security trust zones, Zachman Framework</li>
<li>New &ndash; less Orange Book and more Common Criteria</li>
</ul>
</li>
<li>Legal, Regulations, Compliance and Investigation
<ul>
<li>New &ndash; types of Laws</li>
<li>New &ndash; focus on forensics and methodology</li>
</ul>
</li>
</ul>
<p>I hope you will join me as I roll out this new CISSP security series! To get some of this information now, please visit <a href="http://www.logicalsecurity.com/education/education_courses_cissp.html">http://www.logicalsecurity.com/education/education_courses_cissp.html</a>.</p>
<ul>
<li>Updated study questions and exam material <a href="http://www.logicalsecurity.com/practice/practice_overview.html">http://www.logicalsecurity.com/practice/practice_overview.html</a></li>
<li>My new articles on the CISSP exam <a href="http://www.logicalsecurity.com/resources/resources_articles.html">http://www.logicalsecurity.com/resources/resources_articles.html</a></li>
<li>Read my comments on <a href="http://www.cccure.org">http://www.cccure.org</a></li>
<li>Read about the new technologies on one of my blogs <a href="http://cisspblog.logicalsecurity.com">http://cisspblog.logicalsecurity.com</a></li>
<li>View our new products <a href="http://www.logicalsecurity.com/education/education_courses_cissp.html">http://www.logicalsecurity.com/education/education_courses_cissp.html</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://cisspblog.logicalsecurity.com/2009/03/24/changes-to-the-cissp-exam/feed/</wfw:commentRss>
	
	</item>
		<item>
		<title>A Satire of the Security Divas of Today</title>
		<link>http://cisspblog.logicalsecurity.com/2009/03/16/a-satire-of-the-security-divas-of-today/</link>
		<comments>http://cisspblog.logicalsecurity.com/2009/03/16/a-satire-of-the-security-divas-of-today/#comments</comments>
		<pubDate>Tue, 17 Mar 2009 04:27:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Network Security]]></category>

		<category><![CDATA[Information Technology Security]]></category>

		<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://cisspblog.logicalsecurity.com/2009/03/16/a-satire-of-the-security-divas-of-today/</guid>
		<description><![CDATA[I have been in this industry longer than most people I know and work with. At one time I could keep up with technology, which vendors sold what technology, methodologies, tools, and occasionally my socks that attempted to disappear in the black abyss of my clothes washer.
I have been doing networking, engineering, teaching, writing, and [...]]]></description>
			<content:encoded><![CDATA[<p>I have been in this industry longer than most people I know and work with. At one time I could keep up with technology, which vendors sold what technology, methodologies, tools, and occasionally my socks that attempted to disappear in the black abyss of my clothes washer.</p>
<p>I have been doing networking, engineering, teaching, writing, and other stuff &ndash; well longer than I will admit. At one time I worked with a large team that maintained huge financial environments and security was not even part of our jobs! It was not part of anyone&rsquo;s job.</p>
<p>When I started in networking, I fell in love with computer security, but the term &lsquo;computer security&rsquo; did not even exist. I loved the complexity of having to secure software because it required that you understand the software before you could secure it. I remember telling a few people back then how much I enjoyed this security stuff. I remember one comment was, &ldquo;That is great, but you will never have a full-time job in security.&rdquo; No one imagined that computer security would ever be overly important.</p>
<p>Today our industry has exploded with opportunities. Thousands and thousands of people are now &lsquo;security experts&rsquo;. So many people use this term or &lsquo;visionary&rsquo; or &lsquo;professional&rsquo; and others to describe themselves that it is hard to know who really is an expert. Guess who is not an expert, visionary and barely professional &ndash; me! This industry is too large, complex, confusing, and changing to be an expert in it. People have to specialize as physicians do in medicine, and still most people cannot keep up with changes, vendors, tools, products, methodologies, laws, regulations, hacker activities, much less their socks.</p>
<p>So if my assumptions are correct and no one can really be an expert in the security field, how do we have so many damn &lsquo;security divas&rsquo;? The amount of opportunities, money, and offers security people have had over the last three to five years has spoiled many people who claimed to be &lsquo;security experts&rsquo;. I have friends who demand $1,000 per day every day to work, no matter what job! Although security people have had it pretty good over the last few years and the economy won&rsquo;t gouge our industry AS MUCH as others &ndash; we are all going to have to gain some more humility about ourselves.</p>
<p>So let&rsquo;s go through some questions to gauge if you are a security diva or if you know of one.</p>
<ol>
<li>Even though the security industry is growing exponentially with basically quantum leaps in technology, do you feel as though you are in step and knowledgeable of all of these items?</li>
<li>Do you require the top hotels, rental cars, gourmet food when you are working as a consultant and bill your customer for such items?</li>
<li>Do you have someone else keep track of your socks?</li>
<li>Do you stroll into work at 9am and leave at 4pm each day, while others work hard into the night?</li>
<li>Instead of ensuring that you are a good steward of your employer or customer&rsquo;s money, do you recommend products they don&rsquo;t need so you get to play with them?</li>
<li>Do you expect publishers to pay you top dollar to write some material, even though they will pay all publishing, marketing, sales, distribution and other costs?</li>
<li>If people in the industry send you an email asking you questions, do you blow them off and not help them out?</li>
<li>Do you have a secret cape in your closet?</li>
<li>Do you desire the limelight to show off how smart you are?</li>
<li>Have you been in the security industry less than four years and refer to yourself as &lsquo;visionary&rsquo; or &lsquo;expert&rsquo;?</li>
</ol>
<p>If you answer some or most of these questions with a &lsquo;yes&rsquo;, you are a security diva. If you know of people who answer most of these questions with a &lsquo;yes&rsquo;, please ask them to come down to earth and work with us more lowly and undeserving geeks &ndash; we are drowning in work and we would really like to see their cape!</p>
<div align="center"><em>&ldquo;A diva is someone who pretends to know who she is and looks fabulous doing it.&rdquo;</em></div>
<div align="center"><strong>Jenifer Lewis</strong></div>
<div align="center"><em>&ldquo;I&#8217;m not a diva. I&#8217;m a tadpole trying to be a frog.&rdquo;</em></div>
<div align="center"><strong>Toni Braxton</strong></div>
<p>
By <a href="http://www.logicalsecurity.com">Shon Harris</a>, a fabulous looking frog!</p>
]]></content:encoded>
			<wfw:commentRss>http://cisspblog.logicalsecurity.com/2009/03/16/a-satire-of-the-security-divas-of-today/feed/</wfw:commentRss>
	
	</item>
		<item>
		<title>Security Issues of Social Network Sites</title>
		<link>http://cisspblog.logicalsecurity.com/2009/02/16/security-issues-of-social-network-sites/</link>
		<comments>http://cisspblog.logicalsecurity.com/2009/02/16/security-issues-of-social-network-sites/#comments</comments>
		<pubDate>Mon, 16 Feb 2009 10:03:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Social Network]]></category>

		<category><![CDATA[Web Security]]></category>

		<category><![CDATA[Threat &amp; Vulnerability Management]]></category>

		<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://cisspblog.logicalsecurity.com/2009/02/16/security-issues-of-social-network-sites/</guid>
		<description><![CDATA[What Social Networks Are

Social networks are very widely diffused today. A social network is a social structure made of people that are tied by one or more specific types of interdependency, such as values, visions, ideas, financial exchange, friendship and so on. A social network can be represented as a graph, where nodes are generally [...]]]></description>
			<content:encoded><![CDATA[<h2>What Social Networks Are</h2>
<p>
Social networks are very widely diffused today. A social network is a social structure made of people that are tied by one or more specific types of interdependency, such as values, visions, ideas, financial exchange, friendship and so on. A social network can be represented as a graph, where nodes are generally individuals or organizations and edges are relationships between two nodes, as in figure 1.<br />
<img width="517" height="269" align="bottom" alt="Social Networks Security Issues" src="/wp-content/uploads/image/socialnetworks.jpg" /><br />
The &quot;Internet version&quot; of social networks is one of the most advanced forms of communication. The network of social relations that is built during our everyday life can be moved to the Web, organized and expanded with new contacts. The social network phenomenon was born in the USA and developed around three main categories: professional links, friendship and love relations.</p>
<p>Online social networks had an &quot;explosion&quot; in 2003, thanks to the popularity of some sites, such as Friendster, Tribe.net and LinkedIn. Other social networking sites, such as Orkut (by Google) and Kibop, appeared in 2004. Nowadays the most popular ones are Facebook and MySpace, with 132 and 117 million users respectively in 2008. </p>
<p>Further evolutions are represented by semantic social networks, connecting both people and blogs, like StumbleUpon and Funchain.</p>
<p>To enter a social network you have to build your own personal profile, giving personal information, such as your email address, but also information about your own interests, hobbies, work experiences, work references and so on. At this point you can invite your friends to become part of your network of contacts, and so can they, in such a manner that the network of contacts widens more and more. It is possible, of course, to build thematic virtual communities, according to your hobbies or business area, adding users and getting new friends or business contacts.</p>
<p>Social networks can also be used to try to solve the &ldquo;single sign-on&rdquo; problem. For instance, a new &ldquo;Facebook Connect&rdquo; button is appearing on some websites: it saves visitors from having to fill out yet another tedious registration form, upload another profile picture and memorize another username and password. Instead, visitors can now sign into other sites using their existing identity on Facebook. The big new idea seems to be &ldquo;dynamic privacy&rdquo;. It means that, as the social network reaches out across the wider web, users will in theory take their privacy settings with them. Wherever on the web they are, they will be able to choose who among their friends will and won&rsquo;t see what they are up to. As soon as a user demotes a friend to a lower level of intimacy in his Facebook settings, this will also take effect on other sites.</p>
<h2>Security Aspects of Social Networks</h2>
<p>
Social networking sites depend on millions of people voluntarily divulging accurate personal information. In a world where identity theft is a growing concern and spammers can&#8217;t wait to get their hands on your email address, how do you take advantage of what these &quot;Web 2.0&quot; sites have to offer while minimizing risks for your personal information?</p>
<p>First of all, be conscious of the psychological aspect. Since most people access social network sites from the comfort and privacy of their home or office, they can be lulled into a false sense of anonymity. Additionally, the lack of physical contact on social network sites can lower users&#8217; natural defenses, leading individuals into disclosing information they would never think of revealing to a person they just met on a street, or at a cocktail party.</p>
<p>Your personal information is probably already stored in lots of databases, but what&#8217;s unique about the set of personal data which is saved in famous social networking sites is that it includes intimate details (like your views on politics, religion and relationships) and that it&#8217;s tied to a picture of you. This combination of identifying details with a visual image is one of the things that makes these kinds of sites so interesting and compelling, but also so potentially dangerous. Theoretically, someone could find out what town you live in and where you are going to be at a certain hour of a certain day. Using your picture, she/he could show up there and try to convince you she/he is a long-lost cousin of yours who&#8217;s down on his luck and needs some money.</p>
<p>The lack of physical contact makes it easier to build false profiles too: for example, you may think you are chatting with a CEO from somewhere while you&#8217;re actually chatting with a completely different kind of person from a completely different place.</p>
<p>Excessive blabbing on social sites can generate unwanted gossip about the company in which a person works and its plans, while unscrupulous competitors can social engineer employees into revealing intellectual property.</p>
<p>So, pay attention to the information you enter, be discreet, don&#8217;t trust people immediately and take the time to read and understand the privacy-related documents that are published on these sites. Don&#8217;t share any information unless it&#8217;s absolutely necessary.</p>
<p>Some experts underline the fact that, even if different social networking sites are lumped together when dealing with their security issues, it is more proper to consider them separately too, as they all have their specific security weaknesses. For example, individuals are considered to be more insulated from spam or worms on LinkedIn than on MySpace or Facebook, but organizations may be more susceptible to a targeted attack via LinkedIn. </p>
<p>LinkedIn&#8217;s problem isn&#8217;t as much technology as the common practice of sharing names, titles, and organizations. It can be very easy to get an organizational chart to be used for an attack. Once an attacker finds out the names of who works with whom, for instance, she/he could send a carefully crafted email via LinkedIn to the victim&#8217;s human resources department head, posing as a headhunter recommending a candidate for an open position. But his email could carry a malicious Word file, rather than a resume. When opened, the file could gain ownership of the victim&#8217;s PC and steal other company information. Basically, information about how people are connected, the work they do and their positions is all precious information for a potential attacker. </p>
<p>Letting users authenticate to the site using an email address is also considered not optimal for security. </p>
<p>Anyway, LinkedIn is generally safer than MySpace and Facebook, mainly because it&#8217;s less feature-rich and thus opens fewer potential attack vectors, experts say. </p>
<p>MySpace was one of the first social networking sites, and it&#8217;s still one of the largest ones. Its sheer size has made it an obvious target for spammers, hackers, and online predators. MySpace is also a victim of its own business model, where the user controls his or her content and presentation. Users can add banners to their pages, and embed other Web technologies and links, so that there are many opportunities to link to dangerous things and to embed malware on the pages. In MySpace there&#8217;s often spam and it has had some cross-site scripting (XSS) flaws exposed. Besides the infamous Samy worm attack in 2005, the site was reported to have some troubles in keeping some private data private. </p>
<p>Facebook, now the first social networking site in the world, can be considered to have security problems similar to those of MySpace, but its approach is a bit different. Part of the reason Facebook is so popular is that many users were put off by the anarchy of MySpace and see Facebook as more controlled and conservative, even if this is far from saying that Facebook is absolutely safe.</p>
<p>In particular, Facebook relies on third-party Java applications, so that the user is not only entrusting Facebook with her/his login and password but also must trust the third-party applications that provide tools for Facebook users. There is a potential danger that the code you&#8217;re running on the site is malicious or points you to a site that contains malicious code.</p>
<p>As has been said, Facebook lets you add applications and tiny programs that run inside Facebook itself. Facebook granted programmers free access to the Facebook platform in May of 2007, meaning that anybody with the necessary skills could create an application, so that the number of Facebook applications has grown impressively.</p>
<p>Facebook applications are small programs that work inside Facebook. They&#8217;re similar to Web browser plug-ins (like video players) in that they let you do something you couldn&#8217;t do before you installed them. They&#8217;re easy to install and appear on your Facebook Applications menu.</p>
<p>Often Facebook applications are just &quot;humorous time-wasters&quot;, like the ones that let you spray-paint graffiti on someone&#8217;s wall, but there is also an increasing number of more serious, business-oriented applications: Professional Profile, for example, lets you post and edit your resume on Facebook, then track who views it. The downside to using Facebook applications is that you automatically grant the application&#8217;s developers access to your profile, which poses a security risk.</p>
<p>After Facebook introduced new options and a new privacy interface in 2008, a security expert demonstrated it was possible to exploit security holes and access private details. Facebook then installed a bug fix to prevent it from happening. This recent Facebook breach highlights how the social networking world is still evolving and continues to harbor a host of potential threats to personal and sensitive information. Businesses have been worried about social networking sites ever since they exploded in popularity. As well as the expected loss in productivity, there are also worries about employees releasing confidential information.</p>
<p>An example of relatively recent malware that appeared on Facebook is &quot;Secret Crush&quot;: you receive a fake message saying a friend of yours has secretly fallen in love with you. To discover her/his identity, you&#8217;re invited to install an application and tell your friends to do the same. The application then sends you undesired ads instead of revealing the identity of the person you were looking for.</p>
<p>Another worm that was detected in 2008 was called &quot;Boface.G&quot;. It uses the social networking sites Facebook and MySpace to spread. This malicious software adds a post containing a link to a fake YouTube video, apparently coming from a known person. If you click on the link, a message containing the same link is sent to all your friends and you are invited to download a Flash Player update to actually see the video. Instead of a Flash update, the download is a copy of the worm, which then attacks all your contacts.</p>
<p>Many attacks now have nothing to do with an exploit or vulnerabilities; they can be classified as &quot;phishing&quot;, since they are about persuading people to click a link.</p>
<h2>Something Specific About Facebook</h2>
<p>
Now let&#8217;s consider, in particular, the one that has become the first and most famous social networking site: Facebook. Today it is common to hear people saying &ldquo;everybody is on Facebook&rdquo;. This is not a suggestion to use this site instead of other similar sites; just take it as an example. Most of the advice given here is valid, &ldquo;mutatis mutandis&rdquo;, for any social networking site, not just for Facebook.</p>
<p>Privacy, as was said, is the first concern. People you don&#8217;t imagine can get access to your profile. If you think only people who live near you or work at your company can view your profile, you&#8217;re wrong. Hiring managers, parents, teachers, police officers and other folks who are determined to view your Facebook profile can find a way to do so, either by asking a co-worker or friend who is a member of your Facebook network to look up your information, or eventually by getting a court order.</p>
<p>There is some obvious, simple advice, such as:</p>
<ul>
<li>Don&#8217;t share your password with anyone.</li>
<li>After you type your email address and Facebook password into the login page, make sure the &quot;Remember me&quot; check box is turned off before you click the Login button.</li>
<li>Log out when you&#8217;re finished using Facebook.</li>
</ul>
<p>Besides these simple recommendations, in order to keep your private data safe, you can adopt three main strategies:</p>
<ol>
<li>Try to avoid putting sensitive information on Facebook; choose what kind of information you share with the site and how much. Choose to put just the essential things; for example, if you deal with hobbies (music etc.), don&#8217;t add non-essential work information.</li>
<li>Customize your privacy settings, as will be explained below.</li>
<li>If the worst happens, fight back by blocking access and, if necessary, reporting the violations.</li>
</ol>
<p>You can make your entire profile off limits to certain groups of people, such as the people in one of your networks. You can also hide specific parts of your profile (like your contact information and which applications you&#8217;ve added) from whole groups of people, such as one of your networks or all your friends. To do so, at the top right of any Facebook screen, choose the &quot;Privacy Settings&quot; item from the &quot;Settings&quot; menu. A &quot;Privacy Overview&quot; page appears, letting you choose among the following privacy related topics:</p>
<ul>
<li>Profile: control who can see your profile and personal information. For example, you can decide that your phone number can be seen by all your direct friends, by both friends and friends of friends, by no one, or by a customized list of people.</li>
<li>Search: control who can search for you (everybody, friends, etc.) and how you can be contacted.</li>
<li>News Feed and Wall: control what stories about you get published to your profile and to your friends&rsquo; News Feeds. For instance, you can decide if a single action such as adding a new friend is visible to all your friends or not.</li>
<li>Applications: control what information is available to applications you use on Facebook. Just to give an example, you can decide applications can&#8217;t access the information regarding your work history or your relationship status. You can also block some applications completely.</li>
</ul>
<p>
If you&#8217;re being harassed by another Facebook member, you can take action. The first thing you can do is stop her/him from contacting you on Facebook. If that&#8217;s not enough, you can go a step further and report the person to Facebook.</p>
<p>Facebook lets you prevent individual members from knowing that you&#8217;re even on the site. Blocking someone keeps her/him from seeing your profile, finding you with Facebook searches, or contacting you via Facebook. It is possible to block someone from the main Privacy page.</p>
<p>Facebook makes reporting potential violations easy by displaying a &quot;Report&quot; link on every Facebook application page and next to virtually every potentially offensive piece of info members add to the site, from discussion threads to wall posts.</p>
<p><a href="http://www.logicalsecurity.com/index.html">Shon Harris</a>, and the <a href="http://logicalsecurity.com/company/company.html">Logical Security</a> team, continually monitor the environment and the industry and develop programs to assist companies in achieving real security and measurable results. The Logical Security <a href="http://www.logicalsecurity.com/resources/resources_articles.html">information security articles</a> and materials provide organizations with the knowledge and strategies vital to managing and maximizing an enterprise&#8217;s security.</p>
]]></content:encoded>
			<wfw:commentRss>http://cisspblog.logicalsecurity.com/2009/02/16/security-issues-of-social-network-sites/feed/</wfw:commentRss>
	
	</item>
		<item>
		<title>Web Application Security Testing Webcast hosted by Shon Harris</title>
		<link>http://cisspblog.logicalsecurity.com/2009/02/13/web-application-security-testing-webcast-hosted-by-shon-harris/</link>
		<comments>http://cisspblog.logicalsecurity.com/2009/02/13/web-application-security-testing-webcast-hosted-by-shon-harris/#comments</comments>
		<pubDate>Fri, 13 Feb 2009 08:56:22 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[CISSP Training]]></category>

		<category><![CDATA[Security Training]]></category>

		<category><![CDATA[Web Security]]></category>

		<category><![CDATA[CISSP Course]]></category>

		<category><![CDATA[Threat &amp; Vulnerability Management]]></category>

		<category><![CDATA[Risk Management]]></category>

		<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://cisspblog.logicalsecurity.com/2009/02/13/web-application-security-testing-webcast-hosted-by-shon-harris/</guid>
		<description><![CDATA[Part I of &#8220;Caught in the Web: Best Practices for Effective Web App Security Assessments&#8221; &#8211; featuring Shon Harris, globally recognized leader in CISSP training and best-selling author
Hosts: Shon Harris of Logical Security, joined by Wayne Burke &#38; Benjamin B&#246;ck of SecureIA
Sponsor: Core Security Technologies
Date: Wednesday, February 18, 2009
Time: 2pm EST / 11am PST (GMT [...]]]></description>
			<content:encoded><![CDATA[<p>Part I of &ldquo;<strong>Caught in the Web: Best Practices for Effective Web App Security Assessments</strong>&rdquo; &ndash; featuring Shon Harris, globally recognized leader in <a href="http://www.logicalsecurity.com/education/education_courses_cissp.html">CISSP training</a> and best-selling author</p>
<p>Hosts: <a href="http://www.logicalsecurity.com/company/company.html">Shon Harris of Logical Security</a>, joined by Wayne Burke &amp; Benjamin B&ouml;ck of SecureIA</p>
<p>Sponsor: Core Security Technologies</p>
<p>Date: Wednesday, February 18, 2009<br />
Time: 2pm EST / 11am PST (GMT &ndash;5:00, New York)<br />
Register: <a href="http://www.coresecurity.com/Form/generic/campaign/caughtnon">http://www.coresecurity.com/Form/generic/campaign/caughtnon</a></p>
<p>*** A recording of the webcast will be sent to everyone who registers, so be sure to sign up even if you can&rsquo;t make the live session. ***</p>
<p>Core Security is pleased to invite you to a complimentary webcast, Part I of &ldquo;Caught in the Web: Best Practices for Effective Web App Security Assessments,&rdquo; hosted by <strong>Shon Harris</strong> of <strong>Logical Security</strong>, and <strong>Wayne Burke</strong> &amp; <strong>Benjamin B&ouml;ck</strong> of <strong>SecureIA</strong>.</p>
<p>The webcast series will draw from SecureIA&rsquo;s upcoming &ldquo;IA Web Penetration Testing 101&rdquo; course and present tips for assessing your web infrastructure against the most prevalent online threats today. You&rsquo;ll see best practices for identifying critical <a href="http://www.logicalsecurity.com/consulting/vulnerability.html">web application vulnerabilities</a>, getting data for efficient <a href="http://www.logicalsecurity.com/consulting/riskmanagement.html">risk mitigation</a>, and understanding the business implications of technical exposures.</p>
<p>Register for &ldquo;<a href="http://www.coresecurity.com/Form/generic/campaign/caughtnon">Caught in the Web Part I</a>&rdquo;: <br />
<a href="http://www.coresecurity.com/Form/generic/campaign/caughtnon">http://www.coresecurity.com/Form/generic/campaign/caughtnon</a></p>
<p>The Caught in the Web webcast series will cover topics including:</p>
<ul>
<li>Using practical threat analysis to identify where your organization is exposed</li>
<li>Comparing web application penetration testing to &ldquo;traditional&rdquo; penetration testing</li>
<li>In-depth assessment techniques including SQL injection, XSS, CSRF, etc.</li>
<li>Filtering techniques for identifying vulnerabilities requiring immediate remediation</li>
<li>Comparing manual penetration testing to automated tools</li>
<li>Pitfalls to avoid when conducting web app security assessments</li>
</ul>
<p>You&rsquo;ll also learn how to connect technical issues identified during testing with underlying business risks &ndash; enabling you to effectively communicate and leverage the benefits of proactive, real-world security testing throughout your organization.</p>
<p>To see all the <a href="http://www.logicalsecurity.com/education/education_overview.html">CISSP courses</a> that we offer, visit our website at: <a href="http://www.logicalsecurity.com/education/education_overview.html">http://www.logicalsecurity.com/education/education_overview.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://cisspblog.logicalsecurity.com/2009/02/13/web-application-security-testing-webcast-hosted-by-shon-harris/feed/</wfw:commentRss>
	
	</item>
		<item>
		<title>CISSP Braindump And Shortcuts - Is It Really Smart To Take The Road More Frequently Travelled?</title>
		<link>http://cisspblog.logicalsecurity.com/2009/02/08/cissp-braindump-and-shortcuts-is-it-really-smart-to-take-the-road-more-frequently-travelled/</link>
		<comments>http://cisspblog.logicalsecurity.com/2009/02/08/cissp-braindump-and-shortcuts-is-it-really-smart-to-take-the-road-more-frequently-travelled/#comments</comments>
		<pubDate>Sun, 08 Feb 2009 06:04:49 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[CISSP Training]]></category>

		<category><![CDATA[CISSP Course]]></category>

		<category><![CDATA[CISSP Exam]]></category>

		<category><![CDATA[CISSP Guide]]></category>

		<category><![CDATA[CISSP Certification]]></category>

		<guid isPermaLink="false">http://cisspblog.logicalsecurity.com/2009/02/08/cissp-braindump-and-shortcuts-is-it-really-smart-to-take-the-road-more-frequently-travelled/</guid>
		<description><![CDATA[I&#8217;ve been hearing a lot of questions and requests about CISSP braindump or shortcuts with the aim of shortening the learning process and achieving the CISSP certification in the quickest possible time. I don&#8217;t blame these people, for in this age of &#8216;instant gratification&#8217;, &#8216;quick fixes&#8217;, &#8216;4-hour work week&#8217;, and &#8216;instant noodles&#8217;, we have been [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been hearing a lot of questions and requests about CISSP braindump or shortcuts with the aim of shortening the learning process and achieving the <strong>CISSP certification</strong> in the quickest possible time. I don&#8217;t blame these people, for in this age of &#8216;instant gratification&#8217;, &#8216;quick fixes&#8217;, &#8216;4-hour work week&#8217;, and &#8216;instant noodles&#8217;, we have been bombarded with the idea that it is just smart to do things quickly and be the fastest from point A to point B.</p>
<p>I have nothing against doing things quickly; I am also guilty of this habit. And for some areas in our lives, it really makes much sense to complete tasks as soon as possible. I am so conscious of my time that I have hired a number of people to virtually do business tasks for me. I plan ahead of time and make it a point to minimize delays in my daily waking hours.</p>
<p>But it is quite different when you are taking an exam like the <a href="http://logicalsecurity.com/education/education_cisspsolution.html">CISSP exam</a>. This may sound cold and I don&#8217;t want to sound mean, BUT if you want shortcuts for the CISSP exam - you are also wanting shortcuts for your knowledgebase - cheating yourself for your actual career.</p>
<p>Most people do not fully realize how things they don&#8217;t know now and don&#8217;t THINK they will ever run into in their career are some of the most beneficial info for them. If you do it right and LEARN all that is available to you - you will only do better in the long run and get more opportunities than just the credential will provide in the short run. A CISSP will only open so many doors - extensive knowledge and skill will open all the doors. </p>
<p>I WROTE THE <a href="http://www.logicalsecurity.com/store/view/security-books/cissp-all_in_one-exam-guide-fourth-edition/vmcchk.html">CISSP Exam Guide</a>. IT IS OVER 1,000 PAGES. I have updated it for 7 years. It has literally taken me YEARS to do this work when I combine the time I have put into this work. I did not look for shortcuts - I hope you don&#8217;t either. </p>
<p>I say this with all the love in the world. <img src='http://cisspblog.logicalsecurity.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> The time and energy you invest in the training and your conscious effort not to take shortcuts is the only way to get good results in your <a href="http://logicalsecurity.com/education/education_courses_cissp.html">CISSP certification</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://cisspblog.logicalsecurity.com/2009/02/08/cissp-braindump-and-shortcuts-is-it-really-smart-to-take-the-road-more-frequently-travelled/feed/</wfw:commentRss>
	
	</item>
		<item>
		<title>Risk Management - What Is The Real Score In The Management Of Risks</title>
		<link>http://cisspblog.logicalsecurity.com/2009/02/06/risk-management-what-is-the-real-score-in-the-management-of-risks/</link>
		<comments>http://cisspblog.logicalsecurity.com/2009/02/06/risk-management-what-is-the-real-score-in-the-management-of-risks/#comments</comments>
		<pubDate>Fri, 06 Feb 2009 17:26:27 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://cisspblog.logicalsecurity.com/2009/02/06/risk-management-what-is-the-real-score-in-the-management-of-risks/</guid>
		<description><![CDATA[I have set up Risk Management programs and structures in some large credit card companies and some Fortune 100 companies, which includes a formal course. In the process of doing so, I am getting a lot of questions from clients to resolve their own local issues and clarify their concepts and ideas.
I was asked quite a [...]]]></description>
			<content:encoded><![CDATA[<p>I have set up <a href="http://www.logicalsecurity.com/consulting/riskmanagement.html">Risk Management</a> programs and structures in some large credit card companies and some Fortune 100 companies, which includes a formal course. In the process of doing so, I am getting a lot of questions from clients to resolve their own local issues and clarify their concepts and ideas.</p>
<p>I was asked quite a few times whether there is an existing certification for <strong>Risk Management</strong>. No, there is currently no certification specifically for this. The industry is really just figuring out if it is needed and I find that a majority have no real idea how to do this.</p>
<p>Another question I am getting is how the training for <strong>risk management</strong> should be conducted. To be honest, you can&#8217;t do the training well without tackling the management issues at the strategic and tactical levels. It is just a waste of time training either the operational level by itself or even just the tactical level by itself. It is the strategic level that has to make decisions based on risk - business, financial, and security. The key element is to get a security governance piece in place so that useful risk elements can be identified and then used in informed decisions by the upper levels of management.</p>
<p>It is really unfortunate that we even call this Risk Management because most companies have the narrow view that this term only means BUSINESS Risk Management and they think they have it covered. When I tell companies that they need a Risk Management program in place, I commonly hear that they have one &ndash; don&rsquo;t need it &ndash; and don&rsquo;t want me to try and &lsquo;sell&rsquo; them something they already have. There is a learning curve I always have to deal with when working with organizations on the difference between their current business and financial risk management structure and security governance. They need to be incredibly linked &ndash; but it takes a while to get people properly educated and to get the actual processes in place to make it actually useful to an organization.</p>
<p>The time and cost are something we would have to discuss, because I don&rsquo;t believe just a regular class really does the trick here. I CAN do just the training, and that might open people&rsquo;s eyes to the fact that a bit more is needed, just because most people in any organization do not fully understand how to IMPLEMENT <a href="http://www.logicalsecurity.com/consulting/riskmanagement.html">Risk Management</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://cisspblog.logicalsecurity.com/2009/02/06/risk-management-what-is-the-real-score-in-the-management-of-risks/feed/</wfw:commentRss>
	
	</item>
	</channel>
</rss>
