InfoSec Philippines

Information Security, Technology News and Opinions

Posts Tagged ‘Social Networking’

Opinion: On Tolentino’s CONfidence

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 22, 2009

I was chatting with an IT Security expert (who wishes to remain anonymous) the other day regarding Comelec Executive Director Jose Tolentino’s view that the coming implementation of PCOS machines will be un-hackable… yes, Tolentino’s views come even BEFORE it’s implemented. The reason I’m posting it here is that I agree with the IT Security expert’s views.

Excerpts from the chat:

IT Sec Expert: such a display of confidence seems to be borderline misinformation
Me: true, I wonder what machine they used and if it’s possible to play around with it
IT Sec Expert: well, they should worry more about organized crime, not hackers
Me: organized crime with hackers
IT Sec Expert: would the people handling such a new technology, which is foreign-made at that, be competent enough?
IT Sec Expert: that system would be closed circuit
Me: wires can easily be tapped, I wonder what encryption they’ll be using
IT Sec Expert: they’ll probably have dialup
Me: then it’s just an inside job
IT Sec Expert: it would have been better had they had it publicly assessed and offered a bounty for the successful hacker
Me: why don’t you put your comments?
IT Sec Expert: you know how people are in the Philippines, they always take things personally

I personally think that it’s great that the Comelec is trying something new to minimize election fraud. However, time and again it’s been shown that computers can be hacked, and challenging hackers is typically the first sign that a system will be hacked. Tolentino’s statements make me feel all so warm and fuzzy that the Comelec’s system is probably more secure than NASA, the US Pentagon, Royal Dutch Shell and hundreds of supposedly secure systems that have all been hacked. Maybe the Comelec’s people can consult for the Pentagon and teach them how to secure a system. No, really… seriously….

Our country’s history has shown that our own people are easier to hack (Social Engineering), which raises the question not just of the competency of the operators, but of their integrity… will the Comelec be conducting background checks? I now wonder if the Comelec has had their system assessed, and if so, by whom and how was it assessed? I also hope that there will be transparency in the assessment.

Bernie Lopez wrote an insightful article which came out in PDI today entitled, “Computers can be hacked.” No, duh. Unfortunately Director Tolentino, one of the main people in the Philippines entrusted with keeping the sanctity of the ballot, thinks otherwise.


Social Networking
I was planning on writing about Facebook privacy, however PDI’s Bianca Consunji wrote a good article on it in “Knowing about privacy on Facebook.”


Botnets
BBC’s Click programme for Mar 13 was about botnets. They acquired control of over 20,000 infected computers all over the world (yes, you can now buy time on other people’s computers without their knowing it). Top botnets have more than a few hundred thousand computers under their control – up to an estimated million. They also talk about how to protect your computer here (warning: tiny video, slightly muffled sound… they should’ve just used YouTube). They actually got in hot water because of this.


Posted in Philippines, Privacy

Info Sec News, Jan 22, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 22, 2009

One of the reasons I started this site is that there seems to be a paucity of Information Security news about the Philippines. Sometimes it’s even hard to find out about conferences and seminars in Metro Manila. It’s refreshing to be able to find the following:

(YouTube, from GMANews.TV) IMBESTIGADOR – Friendster Hacker (Identity Theft, Cybercrime)
(GMANews.TV, Old News) Woman who hacked Friendster account faces estafa raps

(Computerworld Philippines) Surveys: Security risks impede business innovation
(Computerworld Philippines) Web Security Lifeline: In-the-Cloud Technology Beats Malware Pollution
(Computerworld Philippines) Survey: Banks need better communication methods
(Inquirer.net) Nasty worm hits millions of computers
(Inquirer.net) Kids’ shield vs porn on Net removed
(Manila Bulletin Online) EMC creates new company to address today’s growing personal information challenge
(Manila Bulletin Online) RP to benefit from Satyam scandal, lawmaker crows
(Manila Bulletin Online) Employees’ everyday behavior puts sensitive business information at risk – new threat study from EMC reveals
(Manila Bulletin Online) Sophos warns Twitter users of possible hacking


Just in case you need help in figuring out HijackThis, there’s this useful tutorial on PCHell.com. If you already use HijackThis and don’t understand parts of the log file, the tutorial points you to the HijackThis Logfile Analysis site.


The recent Twitter hack shows that some Admin-level personnel should follow Admin Password Best Practices. Apparently the Admin’s password was ‘happiness’, as discussed in this Wired blog.


Other Info Sec News:
(SecurityFocus) Payment processor warns of network breach
(HeiseSecurity) Over 100 million credit / debit cards compromised
(Washington Post) Payment Processor Breach May Be Largest Ever
(HeiseSecurity) QuickTime 7.6 update brings security fixes
(HeiseSecurity) Elcomsoft Wi-Fi auditor prompts security warnings

Posted in News, Philippines, Social Networking

Happy New Year to All :)

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 6, 2009

A lot of people in the Philippines are probably still hungover from the long vacation from Dec 25 to Jan 4, unless of course they were part of sales, or a BPO… anyway, on to the news:

OpenVAS 2.0 was released around two weeks ago, and a respected security expert (who wishes to remain anonymous) thinks it is, “fast approaching the maturity level needed to truly compete with Nessus in the vulnerability assessment area.”

The OpenVAS 2.0 press release states that:
OpenVAS is a fork of the Nessus security scanner which has continued development under a proprietary license since late 2005. Since the release of OpenVAS 1.0.0 in October 2007, the OpenVAS developers continued the auditing of the code inherited from Nessus and have added a variety of useful features for OpenVAS users, for server administrators and for developers of Network Vulnerability Tests (NVTs).


Some of the Philippines’ high ranking government officials may want to look into cellphone voice encryption (as mentioned in this SecurityPark.net article) before calling some other high ranking government official so that they wouldn’t need to give a televised public apology (wink).


Speaking of mobile phone security, a DoS vulnerability called the “Curse of Silence” was found in Nokia Series 60 cellphones just before New Year’s Eve. It either stops the cellphone from receiving SMS until a factory reset is done (Series 60 2.6 and 3.0 devices) or causes some SMS messages not to be received (Series 60 2.8 and 3.1).

This is done via the following steps (check out the demo video link below). For Series 60 phones v2.2, 2.3, 3.0 and 3.1 target phones:
1. Create an e-mail-format message whose e-mail address has more than 32 characters, followed by a space.
2. Set the TP Protocol Identifier (TP-PID) of the SMS message to “Internet Electronic Mail”.
3. Send the message to the target (eleven times for Series 60 v3.1; a single message is enough for all other versions).

There are currently no client-side workarounds published at the moment. If you work for Smart Communications, Globe Telecom or Sun Cellular, maybe your network team can take heed of the suggestion in the document that “network operators should filter messages with TP-PID ‘Internet Electronic Mail’ and an email address of more than 32 characters or reset the TP-PID of these messages to 0”. I also do not have any of the Series 60 phones mentioned in the list, so I cannot test whether it affects cell phones here in the Philippines. Kindly drop me a line in case you were able to test this.
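The operator-side mitigation quoted above, as an added example (not code from the original post or from Tobias Engel’s advisory): a filter that recognises the message shape described in the steps and either drops it or resets its TP-PID to 0. It assumes the GSM 03.40 TP-PID value 0x32 for “Internet Electronic Mail” and that, in e-mail-format SMS, the address is the text up to the first space.

```python
# Carrier-side filter for the "Curse of Silence" message shape (added example).
# Implements both mitigations from the advisory text: drop matching messages,
# or reset their TP-PID to 0 so the handset treats them as plain text.
from dataclasses import dataclass, replace
from typing import List, Optional

# GSM 03.40 TP-Protocol-Identifier value for "Internet Electronic Mail".
TP_PID_INTERNET_EMAIL = 0x32
# Longest e-mail address the advisory says affected S60 handsets handle safely.
MAX_SAFE_ADDRESS_LEN = 32


@dataclass(frozen=True)
class Sms:
    """Minimal view of a short message: TP-PID byte plus decoded user data."""
    tp_pid: int
    user_data: str


def email_address_of(user_data: str) -> Optional[str]:
    """E-mail-format SMS carries the address up to the first space (assumed).
    Returns None when the user data has no address part at all."""
    head, sep, _ = user_data.partition(" ")
    return head if sep and head else None


def is_curse_of_silence_shape(msg: Sms) -> bool:
    """True when a message matches the operator filter rule quoted above:
    TP-PID 'Internet Electronic Mail' and an address longer than 32 chars."""
    if msg.tp_pid != TP_PID_INTERNET_EMAIL:
        return False
    addr = email_address_of(msg.user_data)
    return addr is not None and len(addr) > MAX_SAFE_ADDRESS_LEN


def sanitize(msg: Sms) -> Sms:
    """Second mitigation: keep the message but reset TP-PID to 0 (plain SMS)."""
    return replace(msg, tp_pid=0) if is_curse_of_silence_shape(msg) else msg


def filter_queue(queue: List[Sms]) -> List[Sms]:
    """First mitigation: drop matching messages, deliver everything else."""
    return [m for m in queue if not is_curse_of_silence_shape(m)]


# Constructed sample traffic, not captured data.
SAMPLE_QUEUE = [
    Sms(0x00, "see you at 7"),                                    # ordinary text
    Sms(TP_PID_INTERNET_EMAIL, "ana@example.com Meeting moved"),  # normal e-mail SMS
    Sms(TP_PID_INTERNET_EMAIL, "a" * 40 + "@example.com hi"),     # 52-char address
]
```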

Phones affected:
S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):
Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

S60 2nd Edition, Feature Pack 3 (S60 2.8):
Nokia N90
Nokia N72
Nokia N70

S60 2nd Edition, Feature Pack 2 (S60 2.6):
Nokia 6682
Nokia 6681
Nokia 6680
Nokia 6630

More details can be found in a must see video (21 MB) and a document (6.8 KB) on the website of Tobias Engel, who is a member of the Chaos Computer Club.


Microblogging site Twitter had a major breach and has phishing problems, report HeiseSecurity, SCMagazineUS, and SecurityFocus. Apparently, US President-elect Barack Obama’s and Britney Spears’ accounts were compromised.

In related news, (The Register) Bogus LinkedIn profiles punt malware to fools.

A security update for the popular email client Mozilla Thunderbird was recently released. (Heise Security report, SCMagazineUS report)

Links on the recently found MD5 vulnerability:
(SCMagazineUS) MD5 insecurity affects all internet users
(SCMagazineUS) Hackers find hole to create rogue digital certificates
(Heise Security) Verisign/RapidSSL close 25C3 MD5 vulnerability
(SecurityFocus) Survey: One in seven SSL certificates are weak

Posted in News, social engineering, Social Networking, vulnerability, vulnerability assessment

Social Networking Articles about the Philippines

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 4, 2008

A couple of interesting articles about Social Networking in the Philippines have come out in the past few months.

  • (Inquirer.net) Friendster fame, magnet for ads
  • (Inquirer.net) Filipinos still make up big chunk of Friendster users
  • (Inquirer.net) RP has highest percentage of social network users
  • Wikipedia even has an article on Social Networking in the Philippines.

1to1Media published an article regarding social networking sites such as Facebook and Multiply in Photo Tagging Portends New Frontier for Privacy Pros.

If you’re interested in Social Networking and the Social Engineering attacks that use it, you might want to check out ENISA’s podcast on Locking Down Social Networking Vulnerabilities, which was given at Infosecurity Europe 2008 earlier this year. ENISA also has a Position Paper on Security Issues and Recommendations for Online Social Networks, which was presented at the eChallenges conference in The Hague on Oct 25, 2007. You can download the 36-page PDF from the above link.

Posted in News, Philippines, Privacy, Social Networking