Archive for March, 2012

Hand over your Facebook username and password if you want a job

Picture it: you are at a job interview, and the interviewer requests that you log into your Facebook account so they can shoulder surf as you lay bare your profile in its entirety.

Worse, what if they ask you to hand over your Facebook username and password?

You might laugh and say I would never do that, but what if you really, really need a job? Many of us are desperate for work at the moment, so it is no surprise that some feel they must comply to avoid being stricken from the candidates’ list.

In the US, this tactic has been used with people applying for police officer or 911 dispatcher roles, according to an AP article. But the report says that it is happening elsewhere too.

The reason that an increasing number of employers want full access to a Facebook account is perhaps due to more of us hiding information from people we aren’t connected with.

Rob MacLeod was shortlisted for a police job in Baltimore when he was asked for his Facebook password. The Spec reports that:

The question startled MacLeod, now a bylaw enforcement officer in Peel Region. He had a personal policy of not sharing his password, no matter the circumstances. So when the request came, MacLeod offered to log in to his Facebook account and then leave the room so the interviewer could browse his page.

But he says the interviewer remained firm — he wanted the password. After a few minutes, MacLeod gave it to him.

MacLeod says he "felt like I was being pressured into doing it. It felt like if I didn’t do it, he would call the recruiter and say, ‘This guy’s not interested in the job’", he told The Spec.

It is not surprising that this interview technique is riling a number of individuals and groups, including American Civil Liberties Union (ACLU) attorney Catherine Crump, who states:

It’s an invasion of privacy for private employers to insist on looking at people’s private Facebook pages as a condition of employment or consideration in an application process. People are entitled to their private lives. You’d be appalled if your employer insisted on opening up your postal mail to see if there was anything of interest inside. It’s equally out of bounds for an employer to go on a fishing expedition through a person’s private social media account.

And Orin Kerr, Professor of Law at George Washington University, told AP “It’s akin to requiring someone’s house keys… [It’s] an egregious privacy violation.”

One can understand that companies want to do everything they can to ensure that candidates will be a good fit and won’t jeopardize the company, but asking for the keys to their personal Facebook account seems many, many steps too far.

So, if you are out looking for a job, here are some tips to consider:

  1. Sanitise your account before you start applying for any jobs. Look for compromising messages, pictures and wall posts, and remove or hide anything that you wouldn’t want a prospective employer to see.
  2. You can quote Facebook’s legal terms, which clearly state that

    You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.

    Explain that you are a law-abiding citizen, and you can in no way break this binding contract with Facebook.

  3. Hacker Factor author Neal Krawetz provides some advice, including exposing the company by anonymously posting online that they made this request during the interview. He also suggests that you consider suing them if you do not get the job.
  4. Tell them you don’t use Facebook. Review your settings on your How You Connect page under Facebook’s ‘Privacy settings’; you can tweak these as shown below.

    This means that an employer won’t find you during a search. Even friends of friends won’t see you listed. The problem here of course is that you are lying, but my view is that human rights to privacy are a little more important than a white lie.

    Facebook setting

    [Source]

Cyber-attack on BBC Persian Service linked to Iranian intimidation

The BBC has reportedly revealed that it suffered a "sophisticated cyber attack" following a campaign of persistent intimidation from the Iranian authorities.

Mark Thompson, the BBC’s director general, is due to give a speech at the Royal Television Society later today, describing how alongside a cyber-attack, BBC Persian’s satellite feeds into Iran have been jammed, and its London phone lines were swamped by automated calls.

In an extract from the speech, released by the BBC in advance, Mark Thompson explains the difficulty of proving the origin of the internet attack:

"It is difficult, and may prove impossible, to confirm the source of these attacks, though attempted jamming of BBC services into Iran is nothing new and we regard the coincidence of these different attacks as self-evidently suspicious."

"It now looks as if those who seek to disrupt or block BBC Persian may be widening their tactics."

Thompson claims that there is a systematic campaign to both intimidate staff members into leaving the BBC Persian service, and to turn BBC staff into informers to provide the Iranian authorities with information.

Last month, Thompson described how the sister of a staff member working for the BBC Persian service was detained, intimidated and held in solitary confinement by the Iranian authorities. Thompson says that there have been many attempts by Tehran to jam the BBC’s broadcasts to the country, where the service is believed to have an audience of millions.

Writing in February, Thompson wrote:

"The BBC calls on the Iranian government to repudiate the actions of its officials."

"We also ask governments and international regulatory bodies to put maximum pressure on Iran to desist in this campaign of intimidation, persistent censorship and a disturbing abuse of power."

Thompson is right to be cautious of claiming definitively that the government in Tehran was responsible for the internet attack on the BBC.

Even if a computer involved in the attacks was found to be located in an Iranian military base that doesn’t necessarily mean that it was an attack done with the knowledge of Iran’s authorities.

It could have been compromised by hackers in other countries. After all, think of all the spam you receive every day – that’s not sent by computers belonging to the spammers. Instead they’re from PCs that cybercriminals have commandeered and turned into a botnet for their own purposes.

At the same time, of course, we shouldn’t be naive. If BBC staff and their families are suffering from a growing campaign of intimidation, then it perhaps wouldn’t be a surprise if the hostility also spilled out onto the internet.

It is not expected that Thompson will give any more details of the latest attacks.

[Source]

Proof-of-concept RDP vulnerability code discovered. Patch Windows now

SophosLabs has seen proof-of-concept code on Chinese websites which tries to exploit the recently announced Microsoft RDP vulnerability, causing computers to crash.

The critical vulnerability exists in Windows, and could be exploited to spread a worm automatically between vulnerable computers.

The advice from Microsoft and Sophos is to patch your copies of Windows as soon as possible, and Microsoft warned earlier this week that it expected malicious hackers to exploit the flaw within 30 days.

Well, that’s already happening. The code we’ve seen – in the form of Python scripts – attempts to exploit the MS12-020 RDP vulnerability and causes Windows computers to blue screen. It wouldn’t be a surprise if whoever is writing this code were to develop the attacks further and produce a fast-spreading internet worm.

As a result, Windows users should consider themselves on high alert and harden their defences. Microsoft has discussed the patch, and other ways to mitigate the threat, in a blog post.

Sophos is adding detection of the script we have seen as Troj/PyRDP-A.

Fake exploits for the Microsoft RDP vulnerability

Meanwhile, we have also seen what claims to be the Python script of a worm that exploits the RDP exploit.

Fake worm for exploiting Microsoft RDP flaw

The script, however, appears to be a hoax. It references a Python module that doesn’t exist (FreeRDP), and claims to be written by sabu@fbi.gov, an obvious reference to the high profile Anonymous hacker who was recently revealed to have been secretly working for the FBI for months.

The code doesn’t exploit the MS12-020 vulnerability.

[Source]

Google subpoenaed by FBI to access a pimp’s pattern-locked Samsung smartphone

You can just imagine the type of person who might belong to a gang called – wait for it – Pimpin Hoes Daily.

Classy, in that gold-tooth sporting, magenta-or-lime-double-breasted-Italian-suit wearing, and toe-squeezing-winklepinker-loving way.

Gang-founder Dante Dears (his name is as priceless as the acronym for his gang) has recently found himself a touch more free press than he perhaps bargained for.

According to El Reg, Dears was jailed twice between 2005 and 2011 for almost six years in total, on charges including kidnapping and pimping prostitutes, some of whom were underage.

Conditions of his parole release included searches of his home. The Feds were tipped off that Dears was getting up to his old ways again, so they raided his home, where the San Diego FBI located his smartphone, according to several media reports.

Thing is, the FBI couldn’t access the contents of the pattern-locked phone, so they issued Google with a subpoena. In order to unlock the phone, the authorities require Dears’ Google account username and password, which, unsurprisingly, the Pimpin Hoes Daily founder has refused to hand over.

The warrant request includes providing the FBI with the phone’s GPS data, contacts, text messages, search terms and webpage history. Normally, we would be none the wiser to such a request for information, but researcher Christopher Soghoian "stumbled" across it, and blogged it.

Now, a company such as Google is likely to receive countless demands for information, and I am sure they don’t hand over information willy nilly. In fact, Google provided Ars Technica with the following statement:

Like all law-abiding companies, we comply with valid legal process. Whenever we receive a request we make sure it meets both the letter and spirit of the law before complying. If we believe a request is overly broad, we will seek to narrow it.

Reading this story, I just cannot believe that the Feds wouldn’t be able to get into that phone. So I asked Sophos’s resident Android security expert, Vanja Svajcer, for his opinion.

Vanja said that although it is technically possible to break the pattern lock combination using a brute-force technique (there are allegedly only 895824 combinations), it requires potentially unlawful access to the phone.
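The size of the keyspace is the whole reason a pattern lock is considered weak against brute force, so it is worth seeing where such a figure comes from. The script below is an added example, not part of the original post or of any Sophos tool: it enumerates the patterns a 3x3 grid allows under the usual rules (4 to 9 distinct dots, and a stroke may not pass over an unvisited dot, because the lock snaps the stroke to that dot). The rules and the resulting count are assumptions of this example, so the total it prints can be compared with, rather than taken from, the "allegedly 895824" figure quoted above.

```python
"""Count the valid 3x3 unlock patterns and express the keyspace in bits.

Added example. Assumed rules (standard for a 3x3 pattern lock, not taken
from the article):
  * a pattern visits between 4 and 9 distinct dots;
  * a stroke that passes straight over a dot that has not yet been visited
    is not allowed (the lock would snap the stroke to that dot);
  * a stroke may pass over a dot that was already visited.
"""
import math

GRID = 3
DOTS = range(GRID * GRID)  # dots numbered 0..8, row by row


def blocking_dot(a, b):
    """Return the dot lying exactly between a and b on a straight line, or None.

    Only horizontal, vertical and full-diagonal moves across the grid have a
    dot in between; that is the case exactly when both the row and column
    differences are even (0 or +-2).
    """
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    dr, dc = rb - ra, cb - ca
    if dr % 2 == 0 and dc % 2 == 0:
        return (ra + dr // 2) * GRID + (ca + dc // 2)
    return None


def count_patterns_by_length(min_len=4, max_len=9):
    """Return {length: number of valid patterns} by depth-first enumeration."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def walk(last, visited, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in DOTS:
            if nxt in visited:
                continue  # each dot may be used only once
            mid = blocking_dot(last, nxt)
            if mid is not None and mid not in visited:
                continue  # would jump over an unvisited dot
            visited.add(nxt)
            walk(nxt, visited, length + 1)
            visited.remove(nxt)

    for start in DOTS:
        walk(start, {start}, 1)
    return counts


def total_patterns(min_len=4, max_len=9):
    """Total number of valid patterns across all allowed lengths."""
    return sum(count_patterns_by_length(min_len, max_len).values())


def keyspace_bits(n):
    """Equivalent key length in bits for a keyspace of n equally likely values."""
    return math.log2(n)


if __name__ == "__main__":
    by_length = count_patterns_by_length()
    for length, n in sorted(by_length.items()):
        print(f"{length} dots: {n:>7} patterns")
    total = total_patterns()
    print(f"total: {total} patterns, about {keyspace_bits(total):.1f} bits")
    # The figure quoted in the post, for comparison (constructed input):
    print(f"895824 patterns would be about {keyspace_bits(895824):.1f} bits")
```

Whatever the exact figure, both totals sit below 20 bits, which is why the limiting factor the post describes is not the guessing itself but obtaining the lock data from the device without tainting the evidence.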

To start guessing at the combination, a file needs to be retrieved from the device. Jail-breaking tools, which grant access to the device using the root credentials, may be used to get the required file. Check out this Forensics Focus article for more information.

Effectively, this means there is a catch-22: to get the evidence, you need the data on the phone. To get the data on the phone, you need to jailbreak it. Jailbreaking it invalidates the data. Hence, the need for the warrant.

Ah, now it all makes sense.

[Source]

Anonymous OS – you’d be crazy to trust it

Proceed with caution if you’re thinking of downloading and installing Anonymous OS, the purported new operating system from the Anonymous collective.

More than 20,000 people may have downloaded the Ubuntu Linux image full of hacking tools – but how do they know what the code really does?

Anonymous OS

When I first heard about Anonymous OS a couple of days ago, I instantly asked myself why anyone would want to put their trust in a piece of unknown software, written by unknown people, promoted on an Anonymous Tumblr webpage that you have no way of knowing is safe.

If I were writing a cybercrime thriller, I might dream up a plot where the computer cops – desperate to know the identities of the hacktivists – made available software that promised to hide hackers’ identities... but in fact secretly passed information back to the cops.

Of course, I’m not suggesting that has happened in this case. But stranger things have happened... (like the prominent leader of LulzSec turning out to have been secretly working for the FBI since the middle of last year).

Don’t forget, earlier this year, we saw hacktivists tricked into installing a Trojanised version of the Slowloris Denial of Service tool.

In such a climate, it wouldn’t be a surprise if there was a Trojan element sneaked into Anonymous OS too.

We haven’t analysed the Anonymous OS download yet. Frankly, with over a hundred thousand new samples of malware coming into our labs each day we’ve got better things to do with our time.

Anonymous OS isn’t a threat to the average guy in the street or to office workers; the only people who might be impacted by it are those who are foolish enough to knowingly install unknown software onto their computers.

Nevertheless, our advice to folks is clear – be wary!
