Sunday, August 16, 2015

The NEW improved Ashley Madison & a few loose ends

I'm starting the week off with a few loose ends, or mixed items if you will.



Well, it seems my blog is being read by the good folks at ADL.  They finally stopped making false claims on their front page about having security certifications that do not exist.

Good move Ashley.

The new front page however shows big voluptuous breasts.  I'm certain someone will complain about that.  The previous version of front page was much classier.  Personally, I don't mind the eye strain.

Previous landing page (with made up fake security certifications)

The new and improved landing page, with added eye candy

Now if you could just get rid of the fake profiles and all the prostitutes trying to "score a deal" the site would be a real asset for the cheating community ;-)

Oh wait....again.....  Did you fix that problem where anyone who intercepts your clients emails can get into their accounts without a password....   didn't think so.

So to all who see this facelift (or boob job) as a sign that everything has been "changed" and is now even more secure by a factor of 5, I leave you with this:

5 x 0 = 0

Try again Ashley.

Speaking of fakes, here are two more with a different degree of bite.

In a completely unrelated note, I stumbled on an interesting email, totally unrelated to Ashley Madison.

The latest Microsoft exploit that involves using a "special" font containing malicious code to exploit visitors of websites or folks opening documents is alive and well.
Taking a look at this suspicious email (as I have no account with this bank) reveals that someone is trying to get me to click on this font exploit.
Security researchers are curious, so I "asked a friend" to take a quick look at the system hosting this malicious code.  .UA sounds exotic, and it is.  It is a domain name registered under Ukraine.  

Big surprise, the system is owned by an unrelated company, and is in "standard" security condition.  By standard, I mean terrible. So it is being used as a victim to create more victims.

It is always interesting to see a critical vulnerability be reported, and actually see it in your inbox a few days later.

Conclusion:  Patch your systems, patch your serveurs so they aren't used  to attack someone else, train your people to not click on links from banks because banks don't send links to click on... the list is endless.

Obviously the system hosted in Ukraine is voluntarily vulnerable.  That is its mission.  It makes it a believable scape goat.

Strangely, a lot of corporations are also voluntarily vulnerable, they just don't know it.

Executives, ask yourselves this:  Would you bet your house that your IT is reasonably secure.  If your answering no and are not doing anything about it......


I get a lot of fake invites in LinkedIn, as I'm certain most people do. 

Most of the time they are hot 20 year olds with impressive titles like VP of Marketing trying to sell me appointment setting services.

This week I got one that looked alright, yet, something was off and I couldn't put my finger on it until I accepted the invitation to connect.

Then my keen...cough...cough.. senses locked eyes on the profile picture.

Something looked off, so I screen captured the picture and uploaded it into Google Images.  Voila!  The picture is from a modelling agency.  Nothing to do with a "Lindsay Campbell" from Daigo Oil.

So don't be too quick at accepting LinkedIn invitations from people who seem out of place.

The current trend is do grow fake LinkedIn accounts and then use them for such evil as:

1) Harvesting email accounts from real profiles that are all now linked together
2) Hiding their identity since they are about to make you an offer you just can't refuse.
3) Social engineering their way to top executives
4) Posting damaging information with a fake profile associated with a competitor
5) .... the list goes on, only limited by imagination

Simple Google "fake LinkedIn profile" and you will find numerous pages depicting the problem and offering tips for spotting a fake.

Here is one example :


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

No comments:

Post a Comment

Are we even trying over at BRP

This will be a short blog entry.  Essentially, a general observation. If your enterprise was breached and screenshots of user account passwo...