Anyone who is active in the professional world loves LinkedIn. (In my opinion) it is an absolutely flawless way to network, get your name out there, and build up an online resume that can be referenced on websites, blogs, or emails. It allows companies seeking employees an easy venue to find qualified personnel, helps skilled labor find a company looking for someone just like them, and rekindles old flames left to die. Okay, so maybe it isn't the hotbed of romantic activity on the internet, but it's great for business. Especially LinkedIn's bottom line.
"How can LinkedIn benefit from networking?"
When you sign up for LinkedIn, you are asked to complete a resume of sorts. This initial information includes your name, date of birth, field of business, location and interests. Then you of course have the option of adding where you have worked, where you went to school, and the clubs/associations you are a part of. After all these personally identifiable details, you are given the option of joining LinkedIn "Groups". These are generally trade groups or groups that allow a person to further network their profile. In short, LinkedIn has developed a complete advertiser's dream scenario. A company can buy your profile information from LinkedIn and is provided with all of your information, along with a means of contacting you. In general, LinkedIn has a full demographic breakdown of you and anyone you "Invite" to LinkedIn. And since the majority of LinkedIn users are over 40 and have incomes of over $100,000, they are the ideal targets of marketers, both legitimate and not. Recently LinkedIn decided to advertise merchandise to its users, but in a selective manner. For example, if Mercedes decided to advertise its new model, it would go to LinkedIn, who would choose from the member database the members that fit the marketing campaign. Then LinkedIn decided to make a little more money by offering Premium Business and Premium Business Plus. With a regular membership you couldn't just send someone an e-mail, you had to be introduced first; with the new types of membership, this was no longer an issue. HR companies saw a great opportunity in this, and for good reason. All they had to do was pay and they had access to all sorts of potential job candidates.
Their new Enterprise Corporate Solution gives access to all 23 million users of LinkedIn.
My New Blog
July 5, 2008
LinkedIn Scamming Customers?
Posted by Gillis57 at 6:08 PM, 0 comments
Labels: Advertise, Anti-Virus, backdoor, Expensive, Exploit, Gillis Jones, Hack Stole, Hacker, LinkedIn, Linux, Money, Professional, profit, Scam, Spam, Website
June 18, 2008
More Data Stolen
Finjan Inc., a leader in secure web gateway products, today announced its discovery of a server controlled by hackers (Crimeserver) containing more than 500Mb of premium data. The data included healthcare and business related data, as well as personal identifiable information (stolen Social Security Numbers). This data is part of the premium offering that the cybercriminals operating the Crimeservers were selling to the highest bidder online.
The compromised data came from all around the world and contained information from individuals, businesses, airlines and healthcare providers. The report contains examples of compromised data that Finjan found on the Crimeserver, such as:
- Compromised medical related data of hospitals and publicly owned healthcare providers
- Compromised business related data of a U.S. airline carrier
- Identity theft (stolen Social Security Numbers)
Some of the implications of stolen medical and patient data include: illegal and/or bogus treatments; obtaining prescription drugs for the purpose of selling them; loss of health coverage for the victimized patient; inaccurate records of victimized patients, which could result in incorrect and potentially harmful treatments. Healthcare providers could also face potential HIPAA violations or breach of general data protection legislation.
Finjan's Malicious Code Research Center (MCRC) detected a Crimeserver operated by cybercriminals who used campaigns to steal data. These campaigns consisted of highly sophisticated attacks, incorporating Crimeware toolkits, Trojans and Command and Control (C&C) servers to drive traffic from a specific region, with specific characteristics.
"This report illustrates the latest development in cybercrime. It shows the business cycle of data collecting and trading by today's cybercriminals. Crimeware infecting PCs is a serious business problem that has far-reaching consequences, such as impacting the security of businesses and patients around the world," said Yuval Ben-Itzhak, CTO of Finjan. "We see that cybercriminals go after premium data that they can trade for substantial profit. The increase in Web-based attacks is staggering. Industry figures include a growth of more than 200% of Web-based malware, with an increase of over 800% in backdoor and password-stealing malware, illustrating that sensitive corporate and medical are at risk."
According to Finjan, the fact that sensitive business, patient and personal data were compromised in a timeframe of less than one calendar month underscores the necessity for enterprises and organizations to have a comprehensive security technology in place that provides effective protection against these sophisticated threats.
The compromised data and the Crimeserver applications were detected using Finjan's patented active real-time code inspection technology while diagnosing users' Web traffic.
June 8, 2008
Students Hack Windows Cardspace
Students at the Ruhr University of Bochum, Germany, say they have found a way to steal security tokens in Microsoft's new CardSpace authentication framework. Attackers can apparently get access to protected, encrypted user data – such as passwords, credit card numbers, and delivery addresses – when they are transmitted. CardSpace (formerly InfoCard) is the successor to Passport. In both architectures, users' personal data are stored locally on the user's system. Depending on the web site, users can decide which data they want to transmit. CardSpace is designed to make classic passwords a thing of the past, by replacing them with digital certificates that may be self-signed or signed by an authoritative CA such as Verisign.
According to the report, anti-DNS pinning, DNS rebinding, DNS spoofing, and drive-by pharming are apparently all successful ways to steal transmitted tokens. Attackers basically need to manipulate the user system's name resolution so that the token for the browser-based CardSpace is sent to the attacker. To this end, attackers manipulate the DNS entries on a router, for instance by means of cross-site request forgery, and send the attacked user to a malicious name server. If the attacker manages to switch name resolution during an authentication process so that the victim lands both on a shop's genuine CardSpace website and on a malicious forgery, the attacker then gets the token. During the token's validity, attackers can then pretend to be the user in question when they go shopping.
The students have created a demo server that they claim demonstrates the problem. To reproduce the demonstration, you should change your own DNS settings and install an untrusted certificate. In our test at heise Security, we could not get the demonstration to run, however. Microsoft has apparently already been informed of the problem and is working on a solution. In their report, the students propose improving Same Origin Policy as a security function for browsers.
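The countermeasure the rebinding description implies (and the stronger origin checks the students propose) is what browsers later shipped as DNS pinning: once a hostname has resolved for a session, later answers that differ are not followed. The wrapper below is an added example, not code from the report or from heise; hostnames, addresses and the class name are constructed for illustration.

```python
import ipaddress

# Constructed sequence of DNS answers one client might see during a session.
# A rebinding attack flips the answer for the same hostname mid-session,
# here first to a different public address and then to the victim's router.
CONSTRUCTED_ANSWERS = [
    ("shop.example", "203.0.113.10"),
    ("shop.example", "203.0.113.10"),
    ("shop.example", "198.51.100.7"),   # rebound to an attacker-chosen host
    ("shop.example", "192.168.1.1"),    # rebound into the local network
    ("cdn.example", "203.0.113.20"),    # unrelated host, first answer
]

# Ranges a public hostname should never resolve to (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

class PinningResolver:
    """Session-scoped pin: the first answer for a hostname wins for the whole session."""
    def __init__(self):
        self._pins = {}

    def resolve(self, host, answer):
        """Return (accepted, reason) for one DNS answer received for host."""
        addr = ipaddress.ip_address(answer)
        if is_internal(addr):
            return (False, "answer points into internal address space")
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = addr          # first sighting: pin it
            return (True, "pinned")
        if pinned != addr:                   # mid-session change: do not follow it
            return (False, f"answer changed from {pinned} to {addr}")
        return (True, "matches pin")

def check_session(answers):
    """Run every (host, answer) pair through one resolver; return (host, answer, ok, why)."""
    resolver = PinningResolver()
    return [(host, ans, *resolver.resolve(host, ans)) for host, ans in answers]
```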
May 24, 2008
WordPress SQL injection
Today it came out that there is yet another SQL injection in WordPress blogs.
This code exploits the WordPress Plugin Upload File and allows an attacker to execute an arbitrary command on the hosting machine. If you host your blog locally, this is an enormous problem! The exploit (discovered by a Russian hacker, http://eserg.ru) is one of a myriad of security issues recently exposed by hackers, leaving bloggers worldwide vulnerable.
What is an Arbitrary Command?
This is when an attacker is able to exploit a security vulnerability in a program to execute commands on YOUR computer. For example, in this case, by simply executing this SQL query
null/**/union/**/all/**/select/**/concat(user_login,0x3a,user_pass)/**/from/**/wp_users/*
on your server, he is able to add/remove users, delete files, and install any number of viruses.
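Spotting that query in a blog's access log is where a host owner can act before a patch arrives. The detector below is an added example, not the exploit author's or WordPress's code: it URL-decodes each request, strips the `/**/` inline comments the payload uses in place of spaces, and flags anything that then reads as a UNION SELECT. The log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines; the third carries the payload form
# quoted in the post, the fourth a URL-encoded variant of the same trick.
CONSTRUCTED_LOG = """\
203.0.113.5 - - [24/May/2008:10:01:02 +0000] "GET /?p=12 HTTP/1.1" 200 5120
203.0.113.6 - - [24/May/2008:10:01:09 +0000] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 81
198.51.100.9 - - [24/May/2008:10:02:44 +0000] "GET /?p=null/**/union/**/all/**/select/**/concat(user_login,0x3a,user_pass)/**/from/**/wp_users/* HTTP/1.1" 200 612
198.51.100.9 - - [24/May/2008:10:02:50 +0000] "GET /?p=null%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1 HTTP/1.1" 200 612
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
UNION_SELECT_RE = re.compile(r'\bunion\b(?:\s+all)?\s+select\b', re.IGNORECASE)

def normalize(target):
    """Undo the two evasions the payload relies on: URL-encoding and /**/ comments."""
    decoded = unquote_plus(target)
    text = re.sub(r'/\*.*?\*/', ' ', decoded)   # terminated comments become whitespace
    text = re.sub(r'/\*.*$', ' ', text)         # a trailing unterminated /* is dropped
    return re.sub(r'\s+', ' ', text).strip()

def flag_union_injection(log_text):
    """Return (client_ip, request_target) for each request that smuggles UNION SELECT."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue                            # skip lines that are not requests
        ip, _method, target, _status = m.groups()
        if UNION_SELECT_RE.search(normalize(target)):
            hits.append((ip, target))
    return hits
```

The same normalization belongs in front of any pattern match on query strings, because a raw `union select` rule never sees the comment-separated form.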
Be on the lookout in the next week for a patch from www.wordpress.com/www.wordpress.org
May 18, 2008
VOIP Cellphone Security
It's happened to all of us. You're busy, walking through a busy area, talking on your cellphone, when suddenly you get the option to switch to Wi-Fi and save those crucial peak hour minutes. Of course you do! So you switch over, and then gloat about being able to do so to your friend on the other line.
So you think you are the best of the geeks?
What you didn't know was that the router you just connected to was a fake. Well, technically it was real; however, you gave up any right to privacy when you connected. The administrator of the server has installed software on his server that allows him to see all of your calls. Bye-bye privacy. When a hacker was asked to demonstrate the methods he used, he explained it like this.
"You can see all the cell phones connected to the base station," he said. "You can't see calls, but people associated with the calls. You can also do location tracking. If you know somebody is on the network you can see how close to the base station they are."
That is possible because the subscriber identifier, which is basically the user identification number, can easily be seen on the traffic, although the identifiers are never supposed to be transmitted in plain text, he said. "I know exactly where you are on the network."
As far as localized calling goes, if there is any point in your company where an attacker can gain access to your network, you will find yourself compromised. While VOIP certainly reduces your phone bill, initially you have to make up the savings in security implementations. Skype is relatively secure, while Vonage is absolutely open to exploitation.
Microsoft Vista Security... Yeah Right!
Lately, Microsoft has been trumpeting the myriad of new security measures that have been included in Windows Vista. However, IT techs have been screaming their guts out that between the lack of any substantial changes (aside from a circular start bar), the forced User Account Control, and big-brother-like computing, everyone should stay with XP. Well, now we have an actual basis for this. Notice how Microsoft is quick to shift ALL the blame to the incompetent user.
The claim that Vista is less secure than Windows 2000 was made last week by security vendor PC Tools, which said that over the past six months Vista had suffered 639 unique threats, whereas Windows 2000 has suffered 586. PC Tools's research was conducted by collecting data from customers using its ThreatFire behavioural detection software. "Ironically, the new operating system has been hailed by Microsoft as the most secure version of Windows to date," said Simon Clausen, the chief executive of PC Tools last week. "However, recent research conducted with statistics from over 1.4 million computers within the ThreatFire community has shown that Windows Vista is more susceptible to malware than the eight-year-old Windows 2000 operating system, and only 37 percent more secure than Windows XP," Clausen said.
However, Microsoft strongly hit back at the claims, blaming users for executing malicious code on their machines. On Tuesday, Technet blogger and Microsoft evangelist Michael Kleef said the number of infections found by PC Tools was an indication of poor user behaviour.
639 unique threats? This coming from the billion dollar brain-trust that spent four years to develop a circular start bar? I am truly, truly stunned.
Posted by Gillis57 at 12:44 PM, 2 comments
Labels: Anti-Virus, Exploit, Malicious, Michael Kleef, microsoft, Security, Spam, ThreatFire, Virus, Vista
May 15, 2008
Hi, I'm Here to Fix Your Computer.
How many of us work in a hectic, stressed environment where deadlines and bottom lines rule your workweek? In the course of a day, how many idiotic requests do you get to do seemingly mundane chores? How often has this happened?
You: {Bored and Seeking an excuse to take a break}
Phone Repairman: "Hi, Corporate sent me over to do some work on your phone line"
You: "Oh, Alright- About How Long Will it take?"
PR: "Ten minutes, twenty tops. I have some other stuff to do, so if you're busy I can come back during lunch"
You: "Alright, Thanks!"
What happened here? You just gave a rival company full access to your office!
You: But he can't do anything! He doesn't Have My Password!
Me: *Hits You in the Head*
Let's go through this. He could (in ten minutes):
A. Steal A Hard Drive
B. Install a Hardware Keylogger
In twenty minutes:
A. Do a Stealth Boot Onto Your Computer
B. Install Software Keylogger and Screen Capture Device
C. Comb through trade secret documents, and walk out with them unquestioned.
D. Confiscate Hidden Bank documents, Client Credit cards, Even Blackmail.
Would You Give A Thief A Key? Would You Give a Murderer A Knife?
Would You Give A Meth Addict A Pipe?
You wouldn't do it with a hacker either. 10% of hacking is intelligence, 89% is persistence, and 1% is technological prowess.
Hackers won't look like the typical grungy teen while they are looking for information:
When in doubt, the best way to obtain information in a social engineering attack is just to be friendly. The idea here is that the average user wants to believe the colleague on the phone and wants to help, so the hacker really only needs to be basically believable. Beyond that, most employees respond in kind, especially to women. Slight flattery or flirtation might even help soften up the target employee to co-operate further, but the smart hacker knows when to stop pulling out information, just before the employee suspects anything odd. A smile, if in person, or a simple "thank you" clinches the deal. And if that's not enough, the new user routine often works too: "I'm confused, (batting eyelashes) can you help me?"
Need More Info/ Training?
Let Me Secure Your Network!
Gillis57@gmail.com
Or, If for some god-awful reason you actually want to know what I'm doing
twitter.com/Gillis57
gillis57.googlepages.com