Vulnerabilities

#celebgate, or what 4chan has jokingly labelled “The Fappening”, is the second most-commented event of the month after ShellShock, essentially because the target is a long list of high-profile celebrities and because, considering the circumstances, the hacking offence may very well go unpunished.

In mid-August, the first wave of private photos depicting famous actresses was posted on 4chan, seemingly hacked from their iCloud accounts. At the time, Apple identified a vulnerability that had allowed brute-force attacks on accounts. But that didn’t stop a new batch of private photos and videos of female celebrities from being released in mid-September.

Despite all of the investigations and complaints, and given that 4chan, known for its “anonymous” actions, may be behind the attack, it doesn’t look like the hackers responsible for the photos of Scarlett Johansson and other celebrities will be caught any time soon.

The fact is that, to a certain extent, we’re no longer surprised by cases of stolen credentials. We know that at any time our passwords can be compromised in many different ways:

  1. Data stolen from service websites: the hacked Sega Pass system in 2011 is just one example, and the bar is raised every day with incidents such as the one at Tripadvisor’s partner Viator.
  2. Specific malware installed to steal email account credentials. This is how, for example, Russian hackers gained access to millions of Gmail accounts and accounts at Russian email providers.
  3. Phishing scams that ask you to provide personal information in the name of apparently legitimate organizations, or that offer lucrative business schemes, sent indiscriminately to your inbox or hidden in adware.
  4. etc.

The thing is that today our digital identity is spread across a number of online services (Google, Facebook, LinkedIn, Twitter, iCloud, Drive, Outlook, etc.) where, in most cases, the only security measure is a password, and all too often we use the same password for several of these services, not to mention our user accounts for online shopping, forums, etc. Oh, and let’s not forget our financial services and the services provided by the companies we work for.

We are what we are on the Internet. In the worst-case scenario, our entire reputation hangs on a password: if someone manages to retrieve the password for one of your main accounts, they pretty much have control over the rest.

Security depends on second-factor authentication and on the much-used trusted third-party authorization, the model exploited in the now-historic PKIs (now back in fashion; you know what they say: “If you wait long enough, it will come back in style”). So, mechanisms to secure this key part of our digital lives exist, even if they are not implemented.

As with all maladies, prevention is better than studying the symptoms, so what’s keeping us from applying second-factor authentication to our main accounts? Basically, the lack of awareness surrounding security, especially in critical environments. No, Hollywood starlets and their tawdry photos do not constitute critical environments.

The information handled by CEOs, CIOs, CTOs, CISOs and other senior executives does. Not to mention presidents and members of corporate boards of directors, the latter of whom often run the greatest risk in their day-to-day online transactions. Whenever we talk about cybersecurity, it is important to understand that awareness must permeate the organization from the top down, creating and setting an example.

S21sec
