News « IT Security Geeks

Social Engineering Explained

Every now and then one of our readers will send in a link to an article that we just have to share.

A really special thank you to Brandi from all of us here at ITSG for sending this one through.

To Heather over at Backgroundchecks.org, really nice article!

So for everyone who wants to get a better understanding of what Social Engineering (S.E) is, go and have a read of the following article.

Working With People An Introduction To Social Engineering.


South Africa: We’re ready!


We’re pleased to finally announce that we are now operating in both the UK and South Africa. This has been a long time in the making, and we’re now ready.

Our full complement of services is now available on both continents.

Our contact details will remain the same in the interim, however we are in the process of getting a local phone number in South Africa.

At present http://www.itsecuritygeeks.co.za points to our main website; if this changes, we will update you here first.

Thank you once again to all our clients for making this a reality.


Filed under: ITSG,News

We’re expanding our team!

So we’ve decided to expand our team at ITSG; the full job specifications can be found on our Careers page here.

If you don’t feel that you meet all the requirements, but feel that you’re very close, or have something unique to offer to our team, then please do get in touch. We are looking for both permanent and contract roles.

We hope to hear from you soon.


Filed under: ITSG,News

LinkedIn vulnerability.

We have tried to contact LinkedIn via two mediums, their social media service and Twitter. We have as yet received no response to our communications. We have therefore decided that we ought to alert people to this.

On the morning of 07/06/2012 an I.T. Security geeks team member changed his LinkedIn password.

The changes were implemented via a web browser.

Several hours later the user received an App Store notification of a LinkedIn app update for an iOS device, and proceeded with the update to LinkedIn version 5.0.3 dated 06/06/12.

The user was, however, still able to view and fully use the LinkedIn app despite never having re-authenticated with the new password on his mobile device.

It appears that when a password is changed on the site, previously authenticated devices in the user’s access matrix are not logged out and are never forced to re-authenticate.


To test the theory again, the user logged back into LinkedIn via a web browser, changed his password and then used the iOS device in question to post a test status to his own profile and to send a message to a connection.

Despite two password changes, the iOS device still maintained its active session and allowed full compromise of the user’s account.


This poses a high risk to users.


Personal Data may be compromised.

Users cannot effectively revoke access to their profiles by changing their password in the event of a device being lost or stolen. If you have in the past attempted to lock out unauthorised access from a lost or stolen device by changing your password, please be aware that this does not seem to work. Try to contact LinkedIn to assist. Our best possible advice is to uninstall the LinkedIn iOS application until further notice.
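As an added illustration (not LinkedIn’s code and not part of the original post), the Python below models a server-side session store in the two ways this report contrasts: one that never re-checks credentials after login, so a device session outlives a password change exactly as observed above, and one that stamps a credential version into each session so that a password change forces every older session to re-authenticate. The account, session-store and version names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets


class Account:
    """Stored credentials plus a counter that changes whenever they do (assumed design)."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.cred_version = 0  # incremented on every password change

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def change_password(self, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(new_password)
        self.cred_version += 1  # the only step the flawed variant lacks


class SessionStore:
    """token -> (account, credential version recorded at login)."""

    def __init__(self, bind_to_credentials: bool) -> None:
        self.bind_to_credentials = bind_to_credentials
        self.sessions: dict[str, tuple[Account, int]] = {}

    def login(self, account: Account, password: str):
        if not account.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (account, account.cred_version)
        return token

    def is_valid(self, token: str) -> bool:
        entry = self.sessions.get(token)
        if entry is None:
            return False
        account, version_at_login = entry
        if self.bind_to_credentials and version_at_login != account.cred_version:
            del self.sessions[token]  # password changed since login: force re-authentication
            return False
        return True


def device_session_survives(bind_to_credentials: bool) -> bool:
    """Log a phone in, change the password twice from the web, re-check the phone's session."""
    acct = Account("old-pass")
    store = SessionStore(bind_to_credentials)
    phone = store.login(acct, "old-pass")  # mobile app session (constructed scenario)
    acct.change_password("second-pass")  # change made via web browser
    acct.change_password("third-pass")  # second change, as in the report
    return store.is_valid(phone)
```

With `bind_to_credentials=False` the phone session remains valid after both changes, reproducing the behaviour described; with `True` it is rejected and a fresh login with the current password is required.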


Moving Towards A Darker Future…

Smart grids are being hailed as a potential solution to the impending energy supply problems the world will face over the coming years.

The intent is to intelligently manage use in accordance with supply and alter tariffs to drive healthy usage patterns; fair enough. It’s clever business welcomed by all, that is, if we ignore the obvious high cost of delivery.

Accounting and sentiment aside, the real issue we see is the inherent risk in creating a management network such as a smart grid.

Many current investigations into the technology, as well as planned deployments, tout trendy capabilities.

Mobile device compatibility, i.e. the ability to control your home’s appliances remotely to take advantage of low tariff times. Despite the obvious limitations in the theory, I am somewhat surprised that this is even being thought of anywhere; that is, anywhere with an eye on Health and Safety.

Random and malicious attacks on grid residents could compromise authentication details in a number of ways and while mischief and damage could result, the same problem exists elsewhere where damage would be so much more significant.

Mobile Network Infrastructure

In the ever demanding economic climate, many telecommunications operators across the globe have invested significantly in expenditure reduction programs.

In one way or another, smart meters are finding themselves part and parcel of a mobile network for this reason. Smart meter solutions are installed with relays for cutting energy supplies, switching energy sources or disconnecting subtended devices such as network equipment.

In almost all cases, solutions are scoped in a manner that gives very little consideration to direct attack scenarios. It is a fact that most solutions are sold on the basis of cost savings and unified control and management capabilities, not security. If we are learning one thing of late, it is that co-ordinated infrastructure attacks are possible and happening as we speak. We are also certain Iranian Nuclear Enrichment facilities are a lot harder to penetrate than your average mobile operator, and it was done with impunity and anonymity.

It’s not all doom and gloom though: our high value penetration testing team at I.T. Security geeks can help. Contact us for more information.


Brad Smith (aka theNurse) Donation Button

We have recently added a button to the side of our web site for people to click and donate directly via PayPal to the Brad Smith fund, as we can’t imagine what his family must be going through right now.

For those readers who don’t know who Brad Smith is, he’s a talented and humorous security professional, who also goes by the online name “theNurse”.

During Brad’s presentation at the Hacker Halted conference in Florida, he suffered a massive stroke and has been in a coma in hospital since then.

The guys over at Social-Engineer.org along with @humanhacker set up this donation for Brad’s family to assist with any out of pocket expenses that they have.

We couldn’t have worded this better, so to quote the guys over at Social-Engineer.org:

“Brad and his wife did not ask for this help, but as a community we feel that if we can help we want to.”

Social-Engineer.org have an update page up and running with updates from Brad’s wife Nina, which can be found here.


Filed under: News

An Open Letter to Software Vendors

On the 28th September 2011, we notified a vendor about multiple security vulnerabilities in one of their products, and requested contact details of who to send the details on to.

The initial response from the vendor support team took 6 days.

The complete details of the vulnerabilities were disclosed to the vendor on the 5th October. These included screenshots, HTTP requests and responses, and Proof of Concept code for the vulnerabilities. After that no response was received.

We then sent another e-mail to the vendor on the 11th October, asking for an update on these issues, or if they had even received our original e-mail with the details of the vulnerabilities.

We received no response from the vendor.

On the 8th November, we finally received a response stating “These have been replicated by R&D and they will fix in a later release.” No “Thanks for your help guys”, no dates that these will be patched, no responses to our other queries.

We followed this e-mail up with a response to the vendor, asking to work together on a timed release, and to agree on some reasonable dates. The vendor response was “I have asked for timescales for the fixes and will update you when these are released.”

Now just to be clear, we are not getting paid to disclose these vulnerabilities to any vendors. We are doing this to help make the Internet and networks in general a safer place for all.

We don’t ask for much, just credit for the disclosure of the vulnerability, and a timely patch to mitigate the vulnerabilities. It really doesn’t need to be this difficult to report vulnerabilities, and a little bit of thanks and courtesy never hurt anyone.

To all software and hardware vendors out there, can you please take a few moments to read the Wikipedia article on Responsible Disclosure, which can be found here. Then please try to work with your relevant teams to make it easier to report vulnerabilities in your code and to work with you.

We understand that not all vendors can afford to hire fully fledged security teams, and most security professionals are willing to help you secure your applications and devices just for the credit of finding the vulnerability in your product. That’s got to be the cheapest application security assessment that you’ve ever had!

Little things, like an e-mail address or a form on your website to contact your product security team, or even your developers, would make a world of difference. This would also help to make sure that we as security researchers contact the relevant teams within your organisation right off the bat (and don’t get sent around the houses trying to do you a favour). This way, we can always deal with the same person (or team) within your organisation, and get any vulnerabilities mitigated in a timely manner.

Please guys and girls, help us to help you. We’re giving you free security advice, educating your developers and strengthening your products, all this for a one liner in your security patch disclosure notification.

Think about it…




Filed under: News,Vulnerabilities

Website 2.0

As you can see, we’ve successfully launched the new version of our web site, and we’d like to say a huge thank you to Tick Tock Computers for all the hard work that they’ve put into this site.

Hopefully this now makes the site more user friendly, and makes finding what you’re looking for a lot easier. Please keep checking back, as we’ll be regularly updating the company Blog with news and updates.

If you’ve got any comments on the new web site at all, please drop us a line and let us know, we always value customer feedback.


Filed under: News