Abu Dhabi Polytechnic’s Monthly Newsletter on Information Security Issues
InfoSEC Times
Welcome to our newsletter!
On the occasion of the country celebrating its 43rd National Day, we are releasing the seventh edition of our newsletter from the Abu Dhabi Polytechnic Information Security Engineering Technology (ISET) Department.

This is the last edition of the year and is released on the eve of National Day. We hope this will be a place where you can share your stories with us and with each other, and we trust it will be a source of connection and inspiration for all students in the UAE.

We seek to stimulate in our readers the movement from reflection to action, from ideas to embodied and emboldened ways of living and working safely and securely.
Be aware of UAE privacy laws when posting Facebook content, TRA warns
ABU DHABI: Posting content about other people on Facebook without their consent could be breaking the law, regulators warn.

To help social-media users stay within the boundaries of the law and the site’s own privacy policies, the Telecommunications Regulatory Authority, or TRA, has published a set of guidelines.

“Users should not tag other users without their consent,” the guide says. “Users should be aware of the use of photographs and videos of other people without consent.

“UAE law contains quite broad provisions relating to the protection of privacy and reputation, so care needs to be taken when posting information about others.”

Facebook’s own privacy and use guidelines are similar to UAE laws.

“These restrictions are no more than users should expect under the laws of the UAE, which prohibit the publication of content that is contrary to public morals, the principles of Islam and the social and moral welfare of the UAE,” the guidelines say.

They warn against sharing sensitive or private information, such as passwords or financial information, as this could be shared publicly.

“Facebook and Twitter were built for people to share ideas, and for users to stay in touch with friends and relatives,” said Thomas Shambler, editor of Stuff magazine.

“Their purpose was never to serve as an environment for slander and trolling, which is internet-speak for saying deliberately hurtful things.

“These guidelines only strengthen what made social media popular in the first place. The sheer amount of information available on social media makes it an uncomfortable place, especially for parents.

“Ultimately, these new guidelines will make social media a more friendly place and should help parents to decide if their children should be allowed to participate.”

The TRA’s guide is based on a study of Facebook’s Statement of Rights and Responsibilities, Data Use Policy and the Facebook Community Guidelines.

It is designed to act as “a public service and for general information purposes only”.

The report is available online at www.tra.gov.ae. Future reports will be published on Twitter, Instagram, YouTube, Yahoo/Flickr, LinkedIn, Gmail, Microsoft Outlook, the Apple Store, BlackBerry and Keek.

Facebook’s own guidelines include provisions forbidding content that “includes hate speech, incites violence or which is threatening or contains graphic or gratuitous violence”.

Nudity or pornographic material is also prohibited.

If found to be in breach of any of these conditions, Facebook can remove the content and ban the page.

The site has features that allow users to restrict who can see their content.

But the TRA warns that this would not stop another user who has access from reposting the information elsewhere.

It also enables users to control what posts they are tagged in, and report other users for abusing the feature.

The TRA’s guide adds that in the UAE, 69 per cent of Facebook users are male and 31 per cent are female.

Source: thenational.ae
Issue 07, December 2014
In this issue
Be aware of UAE privacy laws when posting Facebook content, TRA warns P1
Cracking down on cybercrime in Ivory Coast P2
Black Friday shopping: Tips to stay cyber-secure P3
Google Releases New Security Tools for 'Apps' Users P3
The Importance of Forensic Analysis Training P4
Why Killing The Password is The Next Billion Dollar Industry P4
Passwords: To be or knOt2$B3? Take the Quiz! P5
Cracking down on cybercrime in Ivory Coast

Ivory Coast tackles internet fraud scourge, but analysts say criminals continue to outsmart authorities.

Abidjan, Ivory Coast - At 6:30am more than 20 men aged between 14 and 28 - mostly school dropouts - gathered in front of the metal door of a street-side shop waiting for it to open.

After a few minutes, a weary fellow in his late 30s trudged down holding a thick bunch of brass keys and undid the padlocks, ignoring taunts about his hangover from the crowd behind him. When he pulled the door open, the men surged inside to snaffle the few desktop computers.

"They stay here every day until 10pm when I close. Some do not even go out for food or drink for fear that someone else will take their seat. They call their girlfriends to bring them snacks and soft drinks," says Jean Luc Tiemele, who runs the stuffy, one-room internet café mainly patronised by dubious youth, known colloquially in Ivory Coast as "Brouteurs" - or grass eaters.

"For me I don't really know how they proceed, but I see that they harvest thousands of email addresses per day using diverse apps and send countless emails of business proposals to those addresses.

"Once they get a response, they follow it up until that person pays up some money, which they in turn squander on girls, expensive mobile phones, wristwatches, perfumes, drinks and sometimes cars," Tiemele says.

The story is the same at almost every internet café in the main Ivorian city of six million inhabitants, with thousands of small and large computer halls for public use, which locals say have been seized by cybercriminals, who spend seven days a week in front of computer screens seeking fast cash.

"They have abandoned schooling and believe they can succeed in life through internet scams because they see other young men in town who make money from it and later branch out into legitimate businesses. Our fear is growing that they could become role models for other youths," he says.

Consequences and reactions

The Ivorian government has set up a special forensic police unit, Plateforme de Lutte Contre la Cybercriminalité (PLCC). It is composed of policemen, computer and telecommunication experts, and law practitioners to combat escalating cybercrime - which analysts say has dented the image of the country abroad.

Annual reports published by the PLCC showed that victims lost $6.2m in 2012 and $6.6m in 2013 from cybercrime carried out in Ivory Coast. A total of $28m has so far been stolen since the police unit began keeping records of complaints five years ago.

The PLCC received 514 complaints from victims in 2013, 42 percent of which came from locals, and arrested 50 suspects who were prosecuted.

Ouattara says more suspects could have been brought to book. "We can't arrest anybody we see in front of a computer. My team respects human rights. We only proceed to bust once we have fully investigated."

The use of fake identities, pseudonyms, and phone numbers by cyber rogues bedevils police sleuthing, says Ouattara. "We have to use other methods ... including telephone data to trace these guys, which may take months, or up to a year."

Various victims

Swiss and French police have collaborated with the PLCC to uncover numerous phoney transactions, leading to the arrest of a dozen young men and women in Ivory Coast. One of the victims, who is based in Switzerland, tells Al Jazeera that he lost much of his life's savings in an Ivorian scam.

"First it was a simple email I found in my inbox. She was telling me of business opportunities in the Ivory Coast and how she could help me get a cheaper and faster licence to operate in the country," Steve Widmer says.

"She even sent some money [to me] for DHL fees to send my documents faster so she could submit them with her uncle at the ministry of commerce, which I did. The whole thing took more than a year and we later became good friends even without meeting each other.

"I kept sending funds to her for one thing or the other until I finally realised she was a man and had been defrauding me," he says.

Sylvie Kouassi, a 37-year-old Ivorian businesswoman, says she lost $4,200 to fraudsters in Abidjan when she opened her email at an internet café to organise funds wired from abroad.

"I was told the money had been cashed when I went to a money-transfer agency for withdrawal. I later discovered the computer I had used at the café was infected with spyware," she says.

Brouteurs install diverse spyware on computers at internet cafés to retrieve passwords and email addresses in order to check for fund-transfer codes and other usable information, according to Silvestre Moke, an internet security engineer at Stamteck in Abidjan.

"The safest thing to do is never going to a public café to check an email account. They could monitor your inbox for days and even months without you knowing," he says.

Colonial debt

"Cybercrime in Africa is not really a crime, it is known as colonial debt. The Whites are paying us what they stole from our forefathers and what they continue to steal from our rich soil," a 25-year-old cybercriminal boldly says, refusing to give his name for fear of police reprisals.

Nearly every cybercriminal in Ivory Coast uses the "colonial debt" theme as a pretext. It has also inspired a popular song released in 2012 by a local anti-imperialism artist titled "Dette Coloniale".

As authorities step up efforts against high-tech trickery, the rogues are thinking up cleverer methods to elude controls, with no end in sight to the phenomenon.

Source: Aljazeera
Google Releases New Security Tools for 'Apps' Users

Google announced on Monday the availability of two new security tools designed to help Google Apps users protect their accounts.

According to the company, the new "Devices and Activity" dashboard and the security wizard for Google for Work accounts should make it easier for IT administrators to manage devices, applications and security settings.

The activity dashboard displays a list of devices and locations from which an account was accessed in the past 28 days. It also shows details on the current device that is logged in to the account. When users detect suspicious activity, they can immediately take steps to secure the account.

The security wizard for Google for Work accounts helps users set up and configure security settings in just a few minutes. Customers can use the wizard to provide account recovery information, and review permissions and activity on the account.

"This tool prioritizes all administrator settings for security features that end users are permitted to turn on," Eran Feigenbaum, director of security at Google for Work, explained in a blog post.

Google is increasingly concerned with security in enterprise environments. Last week, the company's Macintosh Operations Team released "Santa," a new blacklisting/whitelisting tool for Mac OS X. Santa is just one of the many unofficial Google products designed to help organizations with managing a fleet of devices running Apple's operating system.

In October, Google introduced a new account protection mechanism called Security Key. Those who want to use Security Key must acquire a FIDO U2F compliant USB device, and enable the feature on their accounts. Once the feature is enabled, customers must connect the USB device to their computer and tap it when prompted in the Web browser in order to log in to their account.

Source: securityweek

Black Friday shopping: Tips to stay cyber-secure

Black Friday may be a deal-hunter’s dream, but it's also a golden opportunity for hackers seeking to steal credit card information and other sensitive data.

Cyber-security firm Symantec has been tracking incidents of cyber attacks and security breaches for 19 years, and has found that they "rise exponentially" in October, November, and December.

Alex Rau, a national information security strategist with the firm, says that's not a surprise, given that more people are Internet shopping for the holidays.

"The more people shop online, it's a target for attackers and they will try to get the information and use it and sell it for their own purposes," Rau told CTV's Canada AM on Friday.

Shoppers who think that sticking with in-store shopping makes them safer should remember that there are opportunities for hackers to steal their information, particularly if they go south of the border.

In the U.S., chip and PIN technology is not as common for debit and credit cards. A hacker may have planted malware on the point-of-sale swipe strip found on the sides or bottoms of older cash registers.

"You swipe your card and it skims the card and sends it to servers and they get thousands, even millions, of credit card information," Rau warned.

Earlier this week, an Ipsos Reid poll found that 1 in 3 Canadians plan to do their holiday shopping exclusively online this year. However, a survey conducted by Kaspersky Lab found that nearly a third of respondents admitted to paying little attention to the security levels of the websites where they shop.

If you're going online for deals, here are some simple steps to ensure private information stays that way:

Shop only at websites that you know and trust.

Check that the website is encrypted. Look for the web address to start with "https," and check that your Internet browser is displaying a lock symbol, Rau says.

Don't click links in emails that advertise deals or sales in case they are phishing scams, say the experts at Kaspersky Lab. Type the URL manually into your browser to confirm that it's real.

Don't use your sensitive banking or credit card information when you're connected to the Web through an unprotected wireless internet connection, common in public places like coffee shops and shopping malls. If your private wireless network is unprotected, add a password.

Ensure that the operating systems on your smartphone and tablet are up to date. Most users shop from these devices but don't run anti-malware software on them, and that makes them more vulnerable. OS updates contain the most up-to-date security features.

Use the same credit card for all online purchases in order to better track activity, find suspicious transactions, and set a low credit limit in case of theft, Kaspersky Lab advises.

Finally, check your financial statements on a daily basis through the holiday season, rather than weekly or monthly, "just to make sure the fraudulent transactions get discovered right away," Rau says.

Source: ctvnews
Why Killing The Password is The Next Billion Dollar Industry

It's becoming increasingly difficult to live a safe life online relying on the password, as even the most intricate password is useless if someone finds it and posts it online.

That's why the two-factor authentication industry has exploded. In its most literal form it means a second way in which you verify that it's you logging in, from a text message or phone call to a pop-up on a separate device. Even though it adds a layer of friction to signing up for and logging into services, which can stop a (lazy) user from wanting to log in, the result is a far tighter security package. As long as you have your phone, the other person won't be able to log in.

An aggressive example of this was by Christopher Mims, a reporter for the Wall Street Journal. He published his password in a nationally-read print newspaper and turned on two-factor authentication. He revealed in a follow-up piece that two-factor worked in theory: nobody got into his account, but Twitter publicly showed the number being pinged for the two-factor code.

Venture capital has followed: in the last few months, Duo Security raised $12m and Authy raised $3m alone. In July, mobile identity firm TeleSign raised over $49 million, off the back of a successful two-factor authentication business that Forbes reports covers 9 out of 10 of the top web properties.

Some companies complain that two-factor authentication interferes with the overall usability of the web experience. However, a collaborative academic report by the Internet Society, combining the work of PARC (Xerox's research/development arm), University College London and Indiana University, found that two-factor is perceived as usable, based on the cognitive strain, ease-of-use and trustworthiness required by a user. There's little or no reason not to adopt it beyond wanting to avoid slowing down the flow of getting more users, and it's even become ridiculously easy to integrate two-factor into any app. In October TeleSign, potentially using some of the aforementioned funds, created a free SDK for building two-factor authentication into any app. While Duo offers a similar SDK, TeleSign is apparently focusing on ease of integration, which is one of the many reasons that some apps that could use a more secure interface haven't integrated two-factor.

Even then, there are still issues with two-factor. The Unofficial Apple Weblog warned of the new functionality in the latest Mac OS X that forwards texts directly to your computer, so that if someone happened to be using your computer with your password, or had access to your iMessages, they could get your two-factor codes. This is similar to those who happened to use their web-accessible Google Voice number to have their texts received in a browser, or using Motorola Connect with a supported phone to receive text popups. Criminals are crafty and the result is that it's impossible to create an unbeatable solution. Clef last week received $1.6m in funding to focus on barcodes over the simple PINs that you receive via SMS in most two-factor authentication situations. Killing passwords is a tough task, but it now even has heavyweights fighting the battle like Mastercard. Here's hoping.

Source: www.inc.com
The Importance of Forensic Analysis Training

The mobile device industry is evolving very quickly. To stay current on the latest devices and the proper techniques for acquiring and analyzing data, smartphone and mobile device forensic analysis training courses are becoming more and more necessary. These courses aren’t limited to law enforcement either. Courses are available for those who work in IT and believe corporate information may have been compromised by an employee, or for those proactively looking to secure a device.

There are many training courses currently available. For example, most vendors offer vendor-specific courses for their toolkits. While these courses are valuable, they are limited, as attendees only learn how the vendor’s toolkit works. Vendor-neutral training courses, however, teach digital forensic examiners, law enforcement officers, and information security professionals how to conduct smartphone forensic analysis using the best tools for the device. Smartphone forensic tool vendors often support the same devices, but the underlying capabilities of each differ drastically. Knowing which tool is currently the best one for the smartphone in an investigation will aid the entire forensic process. Vendor-neutral forensic analysis training courses provide the necessary insight to deal with all of these variations.

When considering training courses, advanced investigators should look for those that offer deep-dive analysis rather than push-button forensics, which is simply pushing a button and getting all the answers. While push-button forensics can get some of the data, deep-dive analysis is necessary to recover data that a tool misses. These courses will show how to handle the data that is missed by the tools and provide detailed instruction on data validation, which is required in any investigation. Otherwise, without knowing how to handle the data, the data is non-sensible (i.e. virtually useless). Data must be understandable for it to add value to an investigation. Deep-dive analysis training courses will provide the necessary insight to leverage all data that is available on a smartphone.

Source: dfinews.com
Passwords: To be or knOt2$B3? Take the Quiz!

Do you think passwords are still important? Do you ever worry about your passwords? We’ve been kicking around computer and information security for a while now. Why don’t we have a better answer?

Personally, I have gotten a little tired of password articles and blogs. I started “logging on” in about 1976, and I kind of thought we had said pretty much everything there was to say about passwords by now. Then, I recently spoke with some people born in the 1990s and 2000s, and it seemed like they tried their best to make my brain spring through the top of my skull. From these people in their teens and 20s I heard things like, “I just use the same password for everything,” and “I’m just a student, hackers don’t want my stuff.”

As a professional security geek, my reaction was more or less “you’re kidding, right?” But it should really not be a surprise when we look at some of the recent statistics about password use. This includes analysis of compromised passwords that shows that the most commonly used passwords are things like “123456” and “password”. Or droves of surveys done over the past six or seven years which keep saying that 55-70% of people (depending on the exact survey and year) use the same password across multiple accounts. Or similar studies that say 70-80% of passwords being used online are classified as “weak”, which often means a password that is less than eight lower-case characters, or a simple dictionary word like “iloveyou”, “monkey”, “dragon”, or “ninja”.

Points   Question
_____   +1 – If your passwords are at least eight characters.
_____   +5 – If your passwords are at least 10 characters.
_____   +1 – If you use both lower-case and upper-case in your passwords.
_____   +2 – If you include numbers in your passwords.
_____   +3 – If you include special characters (like !@#$%*) in your passwords.
_____   +1 – If you ever change your passwords.
_____   +3 – If you change your important passwords at least annually (e.g., bank, credit card).
_____   +6 – If you store passwords in a password vault, or offline.
_____   -1 – If you include any numbers or special characters only at the end of your password.
_____   -3 – If your password mystery relies on substituting numbers for letters (it is simply not that tr1cky or 3L1T3).
_____   -5 – If you include keyboard sequences in your password (like "qwerty" or "mnbvcxz" or "123456789").
_____   -20 – If you include any form of the word "password" in your password (like "password" or "pwd" or "pass").
_____   -10 – If you repeat any letter or number more than two times (like "aaaa" or "666").
_____   -15 – If your password includes any part of your name, username, any month or has anything at all to do with the site associated with the password (like having your Facebook password as “fbletmein” and your email password as “emailletmein”).
_____   -50 – If you use the same password on social media, email and private sites (like shopping and banking sites).
_____   -10 – If you have shared your personal passwords with anyone.
_____   -20 – If you keep passwords in email or in a plain text, unencrypted file.
_____   Total Score

And, one last question for the quiz. If you have ever emailed your password to anyone you get to subtract another 200 points from your score.

Score   Description
Less than -50   Um. I’m not even sure why you pretend you are using passwords.
-50 to 0   Please reconsider your password habits – they are probably giving you a false sense of security.
0 to +15   In general, your password practices are not unreasonable. Check the quiz again to see how much more paranoid you are willing to get.
+15 and up   Greetings fellow paranoid security geek. Nice to know someone takes this seriously.

If you paid any attention to the scoring, you may have noticed a couple of things. The positive numbers are all small, and include all of the technical parts of password construction. With a couple of small exceptions, the negative numbers are more related to password usage. The technical side is the easy part – make a strong password. If any part of this is hard, it is the usage – use your password(s) wisely. It’s not like, as an industry, we consistently do either part well. But we have to do the two parts together. A strong password, used foolishly, is probably not going to help us much. At the same time, a poor password, used well, will, at best, make us think we are more secure than we really are.

Passwords are not the keys to our systems and information. At least they should not be. The purpose of a password is to help separate the wheat from the chaff, and to slow down attackers. We create good passwords, and then use them wisely for two reasons:
1. To help slow down access to our stuff, not stop it.
2. We don’t have an answer that is better than “passwords,” yet.

By Jon-Louis Heimerl, Securityweek.com
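As an added example (not part of the article or the quiz), the following Python scorer applies the quiz rules that can be judged from a password string itself; the habit questions (changing, storing, reusing, sharing or emailing passwords) still have to be answered by hand. The keyboard rows, the small word list behind the leet-speak check, the three-character fragment rule for the name/username/site test, and the sample passwords and user details are constructed assumptions.

```python
import re

# Added example: a constructed, simplified encoding of the quiz on this page. Only the
# items that can be judged from the password string itself are scored; the habit
# questions (changing passwords, vault storage, reuse, sharing, emailing) are not.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Tiny wordlist for the leet-speak check, built from the examples quoted in the article.
COMMON_WORDS = ("password", "iloveyou", "monkey", "dragon", "ninja", "letmein")
LEET = str.maketrans("0134578@$", "oieastbas")  # 0->o 1->i 3->e 4->a 5->s 7->t 8->b @->a $->s


def has_keyboard_sequence(pw, min_len=4):
    """True if pw contains min_len or more adjacent keys of one row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for variant in (row, row[::-1]):
            if any(variant[i:i + min_len] in low for i in range(len(variant) - min_len + 1)):
                return True
    return False


def shares_fragment(pw, words, min_len=3):
    """True if pw contains a min_len-character slice of any word (case-insensitive).
    A word shorter than min_len (an abbreviation such as 'fb') must appear whole."""
    low = pw.lower()
    for w in words:
        w = w.lower()
        n = min(min_len, len(w))
        if n and any(w[i:i + n] in low for i in range(len(w) - n + 1)):
            return True
    return False


def relies_on_leet(pw):
    """True if undoing number/symbol-for-letter substitutions yields a common word."""
    low = pw.lower()
    return low not in COMMON_WORDS and low.translate(LEET) in COMMON_WORDS


def score_password(pw, personal=()):
    """Score pw against the string-checkable quiz rules. `personal` holds the user's
    name, username and site names (plus abbreviations); months are always checked."""
    hits = []
    if len(pw) >= 8:
        hits.append((1, "at least 8 characters"))
    if len(pw) >= 10:
        hits.append((5, "at least 10 characters"))
    if any(c.islower() for c in pw) and any(c.isupper() for c in pw):
        hits.append((1, "both lower-case and upper-case"))
    if any(c.isdigit() for c in pw):
        hits.append((2, "includes numbers"))
    if any(not c.isalnum() for c in pw):
        hits.append((3, "includes special characters"))
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z]+", pw):
        hits.append((-1, "numbers/specials only at the end"))
    if relies_on_leet(pw):
        hits.append((-3, "relies on substituting numbers for letters"))
    if has_keyboard_sequence(pw):
        hits.append((-5, "contains a keyboard sequence"))
    if re.search(r"password|pwd|pass", pw, re.IGNORECASE):
        hits.append((-20, "contains a form of the word 'password'"))
    if re.search(r"(.)\1\1", pw):
        hits.append((-10, "repeats a character more than twice"))
    if shares_fragment(pw, tuple(personal) + MONTHS):
        hits.append((-15, "contains part of your name, username, a month or the site"))
    return sum(p for p, _ in hits), hits


if __name__ == "__main__":
    # Constructed sample inputs; the user details are made up, the last three passwords
    # are drawn from examples quoted on this page.
    me = ("Jon", "jonlouis", "facebook", "fb")
    for pw in ("xK7#pqL2!vWm", "Summer2014!", "P@55w0rd", "fbletmein", "knOt2$B3"):
        total, hits = score_password(pw, personal=me)
        print(f"{pw!r:16} {total:+4d}  " + "; ".join(f"{p:+d} {why}" for p, why in hits))
```

Note how "Summer2014!" scores almost as well as a random 12-character string: the quiz rewards construction, while its large penalties are all about how a password is used, which is exactly the author's point.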
Upcoming Events

International Conference on Secure Knowledge Management in Big-Data Era

SmartSec

Tri-Sec Challenge: Build it, Break it, & Fix it.

Computer hacking is a breach of computer security that can expose sensitive user data and risk user privacy. Hacking activities expose confidential user information like personal details, social security numbers, credit card numbers, bank account data and personal photographs. User information, in the hands of computer hackers, is vulnerable to illegitimate use and manipulation. ADPoly is organizing a competition where students will be divided into three categories, Green, Red and Blue, where each category contains multiple teams. Green teams will show their coding skills and come up with a fully functional website, which will be tested by Red teams for weaknesses in its code; the Red teams will produce a report presenting all the bugs found in that website. The Blue teams will then show their coding aptitude by fixing those bugs and delivering a clean website that is no longer vulnerable to the reported exploits.

Prizes: young hacker, inspired developer, talented software tester. ADPoly recognizes outstanding achievements in all these fields and more. Winners will be recognized with prizes worth their talent.

InfoSEC Times Issue 07 Dec 2014
Abu Dhabi Polytechnic, Mohammed Bin Zayed City, PO BOX 111499, Abu Dhabi, UAE
For information and to get involved in the next issue contact: Dr. Jamal Al-Karaki at Phone: +971 2-6951047