Saturday, July 31, 2010

The new Facebook issue is the same old Facebook issue, yet again


The Facebook Data Torrent Debacle

Security dude, Ron Bowes, did a couple of notable things. He programmatically gathered, or harvested, the names and profile links of 171 million Facebook users. This was publicly available information, so he did not have to break into anything to do it; he simply wrote a script to plow through all of the data he could reach through Facebook's public profile directory. He then packaged the data and provided a way for people to download the large set he had gathered.

The media (I guess me too at this point) latched on to this and started talking about it. While this is interesting data, the fact of the matter is that it shouldn't be that surprising. If you've made your data public, then people will be able to see it. The fact that only about a third of the total number of Facebook users are in the directory should tell you that many people have changed their settings to prevent this. If you don't want people to see your information, change your permissions so they can't. Or, as always, don't use social networking sites altogether if you don't want to be discovered online.

My last thoughts on this are more from a core information security operations perspective. It would seem that Facebook doesn't have anything in place to detect large-scale probing, scanning or harvesting of data from their sites. There doesn't seem to be any sort of traffic analysis or monitoring of their Internet property to detect when someone is working to gather all of the information they can from their site. Facebook seems to have faith that the code they're publishing to the Internet is solid and secure, and that the only information they're actually sharing is the information they intend to share. Because of this, I guess they wouldn't necessarily need to have this level of visibility or awareness, but when was the last time any developer or company was 100% sure of their Internet-facing applications and what vulnerabilities they have? Could they have prevented this? Should they have prevented this?

Chris
LABrat.com

Wednesday, July 28, 2010

Combining Google "mere mortal" accounts with Google Apps accounts


Looky, I'm posting under my own LABrat account on Blogger!

This has been made possible by new efforts from Google. It hasn't been rolled out globally yet, but you will soon be able to use more of Google's apps through your own Google Apps hosted domain. If you've never been exposed to how Google Apps works, they have offered a stripped-down set of their services aimed at enterprises, or at what they thought enterprises would want. For instance, Google Reader, Blogger.com and Google Voice wouldn't allow you to log in: even though you knew your account was a "Google account", their systems differentiated between a normal, public Google account and a Google Apps account. Google is now finally getting around to offering these other services to their Google Apps customers.

From an Information Security perspective, there are some things to consider. You are now tying more and more services to one login/userid. This means you're putting all your authentication and authorization for all those services into one basket. Do you trust Google? Do you trust that the security of your userid/password is good? Reminder: they were recently the target of an attack by the Chinese government in which source code was stolen for their authentication system, or so the news media outlets report. That being said, and maybe I'll regret saying this, I'm not too concerned, given that these types of events tend to create change within a company. Why does it take something really bad to make people pay attention? I'm not sure, but it's human nature and happens over and over again (*needs citations :-) but I'm sure you also recognize this).

The whole Google/Google Apps account authentication merger is still in beta, but transitioning data/accounts seems to work okay, although each service has its own way of doing things. Blogger, for instance: I just had to set up my account and then give it admin rights. Google Voice requires you to do a transfer from one account to another, which, according to their instruction page, isn't actually supported for Google Apps accounts. So, they'll need to clean up some things.

Anyway, I'm glad to see that this is happening. Makes my Google life a lot easier.

Chris
LABrat.com

Thursday, July 22, 2010

Making all your mailto: links work for Google Apps hosted email

So, one of my users on my personal Google Apps domain (my Dad) asked the same question that I had written off as a normal inconvenience of using web-based email. Not having an actual, physical application on my desktop to associate with the mailto: links on webpages means that every time I click on one, an unconfigured Outlook fires up. Annoying. And then my Dad asked me about it, so I had to get to the bottom of this.

After a little searching I found that there is Gmail Notifier and other similar applications, but they seem to only work with Gmail accounts, not Google Apps hosted email accounts. Then I found this article, which I'm summarizing and reprinting, just in case the Google Support Forum goes away, and to make this easier to find in search engines.

http://www.google.com/support/forum/p/Google+Apps/thread?tid=78ea6533155ea1fe&hl=en


Replace yourdomain.com in the following text with your Google Apps hosted email domain, then turn it into a .reg file before applying it.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Gmail.Url.Mailto]
@="URL:Mail Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\Gmail.Url.Mailto\shell]

[HKEY_CLASSES_ROOT\Gmail.Url.Mailto\shell\open]

[HKEY_CLASSES_ROOT\Gmail.Url.Mailto\shell\open\command]
@="rundll32.exe url.dll,FileProtocolHandler http://mail.google.com/a/yourdomain.com/?extsrc=mailto&url=%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail]
@="Gmail"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Capabilities]
@=""
"ApplicationDescription"="Gmail"
"ApplicationName"="Gmail"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Capabilities\URLAssociations]
"mailto"="Gmail.Url.mailto"

[HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications]
"Gmail"="Software\\Clients\\Mail\\Gmail\\Capabilities"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Protocols]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Protocols\mailto]
"URL Protocol"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Protocols\mailto\shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Protocols\mailto\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Protocols\mailto\shell\open\command]
@="rundll32.exe url.dll,FileProtocolHandler http://mail.google.com/a/yourdomain.com/?extsrc=mailto&url=%1"


Save the above text as a .reg file. Then double click on it to import it into your registry.

Lastly, go into your Internet Options in Internet Explorer and change your default MAILTO application to the new Gmail application.

All done!
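Before importing a .reg like the one above, it is worth checking that the mailto association really resolves to a handler command and that the command points at the host you expect, since whatever sits in that command runs on every mailto: click. The following is an added example, not code from the post or the forum thread: it parses a constructed, trimmed copy of the file (placeholder domain example.com) and follows mailto -> ProgID -> shell\open\command the way the Windows shell does. Note that the file spells the ProgID Gmail.Url.mailto in URLAssociations but Gmail.Url.Mailto in the class key; registry paths are case-insensitive, so the parser lowercases them.

```python
import re

# Constructed, trimmed copy of the .reg script above (placeholder domain example.com).
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Gmail.Url.Mailto]
@="URL:Mail Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\Gmail.Url.Mailto\shell\open\command]
@="rundll32.exe url.dll,FileProtocolHandler http://mail.google.com/a/example.com/?extsrc=mailto&url=%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Capabilities\URLAssociations]
"mailto"="Gmail.Url.mailto"
'''

ASSOC_KEY = r'hkey_local_machine\software\clients\mail\gmail\capabilities\urlassociations'

def parse_reg(text):
    """Parse a .reg script into {key path: {value name: string data}}.

    Key paths are lowercased because the registry is case-insensitive;
    '@' (the key's default value) is stored under the empty name.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and '=' in line:
            name, data = line.split('=', 1)
            name = '' if name == '@' else name.strip('"')
            keys[current][name] = data.strip('"').replace('\\\\', '\\')  # undo .reg escaping
    return keys

def mailto_handler(keys):
    """Follow mailto -> ProgID -> shell/open/command as the shell does; None if the chain is broken."""
    progid = keys.get(ASSOC_KEY, {}).get('mailto')
    if not progid:
        return None
    return keys.get('hkey_classes_root\\' + progid.lower() + '\\shell\\open\\command', {}).get('')

def handler_host(command):
    """Host the handler hands to the browser, so a stray or altered handler stands out in review."""
    m = re.search(r'https?://([^/\s]+)', command or '')
    return m.group(1) if m else None

def render(command, mailto_url):
    """Substitute %1 with the clicked mailto: URL, as the shell does at click time."""
    return command.replace('%1', mailto_url)
```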

Chris
LABrat.com

Monday, July 19, 2010

Fresh security feature in the new Android 2.2

I meant to blog about this a while back. It looks like Android phones are prepping to become enterprise-capable, given the addition of centralized controls over security features. Does anyone know if these have been incorporated into any commercial software? I would hope that Exchange will soon be able to control Android phones as well as iPhones and Windows Mobile, as it does now.

Chris
LABrat.com

New logo and CafePress store, now open! :-)
I've put together a CafePress store that puts the new logo you've seen on the site onto various gear, so if you're a fan, you can buy stuff through the store with my logo on it. I know there are tons of other things they make, but my logo, as is, only really looks good on things that are white.

Anyway, check it out. LABrat.com Gear at CafePress

LABrat.com
Chris

Tuesday, July 13, 2010

How to tell the difference between Geeks and Nerds

I hear today is "embrace your geekness day". I'm not sure if that's true or not, but regardless, this is a pretty good WikiHow article about the definition of Geeks and Nerds. I think the Internet as a whole is coming to some more solid definitions of what a geek is and what a nerd is. Geeks rule!

My license plate on my vehicle has GEEK on it. :-)

Chris
LABrat.com

Somewhere 'security by obscurity' actually helps: power grids

As it turns out, the old 'security by obscurity' approach does actually work in some places, like electric power grids. This Wired article talks about what it would really take to manipulate electricity in the United States. While it's not insurmountable to achieve domination and control over the power distribution system, it takes a whole lot of knowledge that you're not going to gain through casual reading at home. This was a good read.

Chris
LABrat.com

Wednesday, July 7, 2010

How to be a better spy: Cyber security lessons from the recent Russian spy arrests

How to be a better spy: Cyber security lessons from the recent Russian spy arrests: "On Monday, a number of Russian nationals got arrested for espionage against the US [1]. With all the talk and attention paid to cyber spies, spear phishing, APT and new high tech satellites and drones, it is almost refreshing to see that good old fashioned human spies are still used and apparently"

This was interesting and pretty good. Now that the information is public, however, the spies are going to learn to cover their tracks better. That's the risk of information sharing.

Chris
LABrat.com