Tuesday, 9 September 2014
You may not have heard of the term SOCMINT, which emerged a couple of years ago as the abbreviation for Social Media Intelligence. What has this to do with Apple iCloud and celebrities? Well, if you are to believe Apple, this is what was used to hack into celebrity iCloud storage. It appears the criminals gathered enough online information on these individuals to reset their passwords and hijack their accounts. Effectively we have a successful social engineering attack without manipulating the human. No one rang Apple, no one rang the celebrities, there was no eavesdropping in restaurants, no close contact to clone phones and no going through celebrity trash cans. It appears this attack relied totally on intelligence gathering and analysis of online digital content, and perhaps some targeted phishing emails.
Social engineering of social media: I think I can create a new acronym, SESM. I checked Google and no one has used it before.
How do you stop SESM happening to you? Google, Microsoft and Apple all want you to use their cloud services; it’s free, it’s so convenient and you can recover your device, so “don’t use it” is not the practical answer. It is about taking responsibility for your own security. In a foreign country, would you hand over your passport to a complete stranger? Yet when it comes to our online digital life, the lack of physical presence seems to create the belief that it is OK to pass responsibility for security to others. How much did you pay these strangers to do this for you?
Here are some simple strategies to keep strangers and hackers out of your digital life:
1. Passwords are important, so give them personality: use special characters or a passphrase. If a site you are using does not support account lockout, hacker tools can automatically run every word in the dictionary and every common password combination against your account in only a few hours.
2. Get in front of a screen with someone you have not “friended”; it might be a sibling or a work colleague. Get them to look you up on Facebook and other social sites and see what they can see as a stranger. You might be surprised. You can then go and fix your security settings.
3. On social media value your circle of trust. Do not “friend” anyone you have not met. What they say to you in a request could be totally false. There is no internet Bro code that states “I will not make up a social media page and tell lies”. You need to protect yourself and your friends. If they say they know you through a mutual friend – ask your friend how they know them before responding.
4. Would you walk up to a creep on the street and hand over a photo of your smiling face with your home address written on the back? No, so don’t do it online. If you upload a photo taken at home or at a friend’s house, make sure the location/GPS data has been removed.
5. Birth date. You need this for Facebook so everyone can wish you happy birthday, but do you really need to divulge it on other sites? Most of the time these sites only want it so they can market to you; it is not adding to your experience. Limit the amount of personal information you enter on such sites: just because they ask, you don’t have to tell. If you have to enter a birth date then, for example, round the year to the nearest decade. If one of these sites is compromised, the hacker cannot then use the birth date to help gain access to your important sites.
6. SMS alerts. Apple has announced it will strengthen its iCloud account alerting in light of the celebrity hack. If there is one thing to do as soon as possible, it is to go to your social media sites and check that you have SMS alerts turned on for account change requests.
7. Security questions, as appear to have been exploited against the celebrities. Questions like “what is your mother’s maiden name”, “what city were you born in” or “what high school did you attend” don’t really cut it, because the answers are easy to research. Instead try “what movie star or singer do you not like?” You are more likely to post or join conversations about things you like rather than dislike; politicians are probably the exception.
8. Phishing emails can look very legitimate and may be personally addressed. Never respond to, or open links in, unsolicited email that asks about your online account details or claims to have something for you. Just delete them. Only go to your sites using your browser favourites or the app; you can then check whether there are any legitimate messages for you.
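As an added illustration of item 4 above (not part of the original post), here is a small pure-Python check that reports whether a JPEG carries an Exif GPS pointer, and a function that strips the Exif block before the photo is uploaded. It assumes a standard JPEG with Exif in an APP1 segment; the sample image is constructed inline and carries only the GPSInfo pointer tag, not a full GPS sub-IFD.

```python
import struct

SOI, EOI, APP1 = b"\xff\xd8", b"\xff\xd9", 0xE1
GPS_IFD_POINTER = 0x8825  # Exif IFD0 tag pointing at the GPS sub-IFD (where latitude/longitude live)

def segments(jpeg):
    """Yield (marker, start, end) for each marker segment before the scan data (SOS) or EOI."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes the two length bytes
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def ifd0_tags(payload):
    """Return the tag numbers present in IFD0 of an Exif APP1 payload (minimal TIFF walk)."""
    if not payload.startswith(b"Exif\x00\x00"):
        return set()
    tiff = payload[6:]
    e = "<" if tiff[:2] == b"II" else ">"  # byte order mark: Intel or Motorola
    ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
    entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]  # 12-byte entries: tag, type, count, value/offset
    return {struct.unpack(e + "H", entries[i:i + 2])[0] for i in range(0, len(entries), 12)}

def has_gps_data(jpeg):
    """True if an Exif segment carries a GPSInfo pointer, i.e. the photo is geotagged."""
    return any(m == APP1 and GPS_IFD_POINTER in ifd0_tags(jpeg[s + 4:t]) for m, s, t in segments(jpeg))

def strip_exif(jpeg):
    """Return a copy with every APP1 (Exif) segment removed; the image data is untouched."""
    out, last = bytearray(), 0
    for marker, start, end in segments(jpeg):
        if marker == APP1:
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)

def build_sample(with_gps):
    """Constructed test image: SOI, an Exif APP1 with a Make tag (plus GPSInfo if asked), EOI."""
    entries = [(0x010F, 2, 4, b"ACM\x00")]  # Make, ASCII, 4 bytes stored inline
    if with_gps:  # GPSInfo, LONG, offset of the GPS IFD (its body is omitted; the pointer is what we detect)
        entries.append((GPS_IFD_POINTER, 4, 1, struct.pack(">I", 0x7A)))
    ifd = struct.pack(">H", len(entries)) + b"".join(
        struct.pack(">HHI", t, ty, c) + v for t, ty, c, v in entries) + b"\0\0\0\0"
    payload = b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd
    return SOI + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + EOI
```

Run `has_gps_data(open("photo.jpg", "rb").read())` on a real file before sharing it; if it returns True, write out `strip_exif(...)` instead.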
Tuesday, 2 September 2014
“Celebs in nude photo scandal” makes it to the top of our news feed today, and who’s clicking on the link? I have to say, for one, ‘not me’.
I’m sure Jennifer Lawrence has a lovely figure, but I don’t need to see it, and the photos were never intended for the public; they are private photos stored on a private cloud account. The only reason the likes of you and I are aware of them is because someone stole them! Yes, stole: ‘to take without permission or right, especially secretly or by force’. Someone hacked into her account and the accounts of others, copied their private images, exploited them online for all to see and continues to use what they have to blackmail others. This is a criminal act.
I was pretty shocked and disappointed seeing comments made on social media about the images and requests for links to them. If you really need to see it, there are sites already available with similar content by consenting adults, rather than exploiting someone who hasn’t consented. Celebs may be famous and make a living by providing the world with entertainment, but what they do in their own time in their own homes is private, and everyone is entitled to their own privacy. In general we have all been brought up to respect others and to use a level of discretion, and these values should be remembered; simply not clicking on that link begins to remove any sense of credibility the hacker would feel from performing such a deed.
Although there has been no official comment on how the hack was made, or specifically whether the photos were taken from iCloud or Photo Stream (and likely we won’t hear about it either), I’m sure this has raised many questions around the Apple offices this week.
The moral of the story is that if you’re using a cloud-based photo storage service, be a little cautious about what you store; an external hard drive works just as well. As for what Jen Law is up to, if this is really important to you, maybe you need a hobby…