Author Archives: Terry Cutler

About Terry Cutler

Terry Cutler is the founder of Digital Locksmiths, Inc. - an IT security and data defense firm based in Montreal - and serves as the company's Chief Technology Officer. Terry is a Certified Ethical Hacker who has learned the mindset of hackers and trained in the techniques of "the bad guys" who seek to do harm to corporations and individuals alike. He is responsible for staying on top of the latest trends in cybersecurity and being an advocate for best practices in the identification and eradication of vulnerabilities that leave the customers of Digital Locksmiths susceptible to the most dangerous threats. Another one of Terry's roles is to be a thought leader for Digital Locksmiths by sharing his expert insights about effective digital security strategies and countermeasures through his writings, speaking engagements, and media interviews. Connect with Terry on Google +

The Rise of the Ethical Hacktivist

By Katherine Noyes
LinuxInsider
02/25/14 4:00 PM PT – See more at: http://www.linuxinsider.com/story/80042.html?rss=1#sthash.2up7i5g3.dpuf


When Saul Alinsky wrote Rules for Radicals more than four decades ago, the world was a very different place than it is today.

Protests and demonstrations were among the most common tactics for bringing about social change, and they were used on such a broad scale that they helped define the Vietnam War era and counterculture movement of the 1960s and 1970s.

Today there’s a new tool available to those who want to change the world, however, and it’s already brought about results that are at least as dramatic. It’s called “hacking,” and it’s as controversial as its variations are diverse.

“Try to imagine the organization of an event 20 years ago, and compare it with what is happening today,” cybersecurity expert, cybercrime analyst and author Pierluigi Paganini told LinuxInsider. “Just one tweet, a picture, can blow the wind into a revolution.”

What’s ‘Ethical’?

“Hacking,” of course, is a term that has long been fraught with ethical connotations. Often considered synonymous with computerized crime, the term has more recently been broadened to include concepts as far afield as product hacking — essentially, product improvement — and even “life hacking” for better personal productivity and efficiency.

Where things get really interesting, however — as the efforts of Anonymous have illustrated particularly well — is in the distinct and yet related notions of “hacktivism” and “ethical hacking.”

In general usage, the term “ethical hacking” typically is used to mean penetration testing for security-improvement purposes, while “hacktivism” means using computers to bring about political or social change. However, the line separating the two isn’t always entirely clear.

“There are many aspects of this concept,” Rick Falkvinge, founder of the first Pirate Party, Sweden’s Piratpartiet SE, told LinuxInsider.

“First, what is considered ethical can have many layers: Is the penetration testing made within the organization in order to promote better security practices, or is it penetration of a corrupt organization to expose corruption? Both could easily be described as ‘ethical,'” Falkvinge pointed out.

‘We Cannot Ignore Their Voices’

“Since the war in Iraq, hacktivism has been on the rise,” Terry Cutler, a Certified Ethical Hacker and cofounder and chief technology officer of Digital Locksmiths, told LinuxInsider.

From the uprising in Iran to the “Occupy” movement, “tools like Twitter and Facebook were the only way to engage and get their stories out, especially since local media was being blocked,” Cutler explained. “The tools and technology allow these attacks to happen much quicker than before.”

Hacktivism is “the expression of social dissent through hacking,” and it’s growing rapidly, agreed Paganini.

“Media mainly know the name of the collective Anonymous, but behind those masks there are many people, many cultures and countries that daily face different problems,” he explained.

“The common intent is the fight for liberty of expression and free Internet access, but recent revelations have revealed that intelligence agencies monitor everything,” Paganini noted.

“I believe that the hacktivists in the future will pass from the keyboards to the streets,” he added. “We cannot ignore their voices.”

Aaron Swartz’s Legacy

Much of the growth in hacktivism is due to the rise in public awareness of Aaron Swartz over the last year, Yan Zhu, staff technologist with the Electronic Frontier Foundation, told LinuxInsider.

“Aaron spent a lot of his time hacking on projects for social and political change,” Zhu explained, citing the SecureDrop and RECAP projects as examples.

“He embodied the term ‘hacktivist.’ I think his death inspired many people in the free software and activism communities to put more energy into doing likewise,” she said.

Aaron Swartz memorial hackathons have been organized in more than 20 countries around the world to finish some of the work that Swartz started, noted Zhu, who is also creator of the Worldwide Aaron Swartz Memorial Hackathon Series.

In fact, hackathons are increasingly the means through which hacktivist efforts are organized, said Richard Kastelein, entrepreneur, strategist, writer and founder of The Hackfest.

‘It’s the First Step’

“It’s getting more and more common,” Kastelein explained. In addition to a health hackfest being organized by Six Degrees in Brussels in June, Kastelein is working with a UK group to tackle the aging crisis later this year, as well as contributing to a separate effort to help drive innovation and educate developing countries in the Caribbean, he told LinuxInsider.

“There are more and more emerging hackathons around environment, health, LGBT issues and much more,” Kastelein said. “We are finding more and more large brands and corporations want to get involved as sponsors via their CSR departments, and there’s simply more and more companies in sectors such as health that have APIs and even SDKs that are trying to build their own developer communities.”

A key benefit of “‘ethical’ hackathons,” he pointed out, is that they are “part of the process — a larger process — of driving innovation forward that is essential because it takes people from across the spectrum, pushes them together, and in a short time, they are forced to work together in a gamified, competitive atmosphere to build something that can effect change.

“It’s the first step,” said Kastelein. “Ideally, the next step for the great ideas would be bootcamp, incubator, angel investment, VC, etc., or just a lean startup.”

‘Almost Tragic in Some Cases’

Perhaps the biggest downside of hackathons and coordinated hacking efforts is the possibility of losing momentum after the event is over.

“I’m afraid that the short duration of these events encourages people to work on small, fragmented projects that are not necessarily well thought-out,” Zhu said. “It would be great to see more hackathons that bring people together to work on larger, long-term projects, perhaps at regular intervals over the course of a year or so.”

Indeed, “seeing great ideas end after a short-term event is almost tragic in some cases,” Kastelein agreed. “Ideally, we would like to be the initial stage of an ecosystem that further fosters and nurtures those great ideas and moves them into real working products and services.”

On the other hand, “at least the results are made public,” he noted. “We are considering adding in an element that if great ideas fall to the wayside, that we work with the groups in putting their code and concept into open source or Creative Commons mode to allow others to pick up where they left off.”

Currently, all intellectual property is owned by the groups involved according to public hackathon rules and principles globally, Kastelein pointed out.

Analog Equivalents

There seems little doubt that hacktivism is here to stay; still remaining to be sorted out, however, are the legal issues.

Such questions become more clear when you compare digital hacktivism with its equivalents from the analog world, said Piratpartiet’s Falkvinge.

“I would describe the break-in to the FBI of March 8, 1971, that exposed COINTELPRO and numerous other anti-activist methods in light of the Vietnam war as a typical example of pre-Internet ethical hacking,” he suggested.

“Today, the equivalent would be to — illegally — break into a corrupt organization’s servers and copy similarly incriminating documents,” Falkvinge explained. “While today’s powerholders decry such acts, there is little doubt that the break-in of 1971 has been more than justified by the history books, and it certainly caused social change.”

Criminals or Heroes?

The main problem with hacktivism, then, “remains with the legislators and officials who fail to see things in analog-equivalent terms,” Falkvinge said. “If getting documents to a reporter was OK in the pre-Internet age as part of our checks and balances on power, then it has to be OK in the digital age, too.”

Yet “many powerholders freak out at the slightest occurrence of pentesting, even going as far as to punish students who point out security problems in their schools’ IT systems,” he noted. “That’s not proportional, and that’s causing a growing divide of resentment between the offline-borns and the Net generation.”

Looking ahead, “I’d pay attention to this growing divide of resentment and its large-scale social effects,” Falkvinge concluded. “It may manifest itself as a new political power in some countries, as is happening with the nascent Pirate Party movement, or it may manifest itself as an underground culture of people that has different names depending on whom you ask: ‘criminals,’ if you ask the powerholders whose crimes are getting exposed, or ‘hero journalists’ if you ask the average people who are getting news they wouldn’t otherwise.”

Either way, the trend promises to continue.

“We can arrest hackers and hacktivists that violate our networks and that disclose our data,” Paganini said, “but we cannot stop an ideology.”


Laptop stolen with health information of 620,000 Albertans

Health officials recently informed of theft from last September

Source – http://www.cbc.ca/news/canada/edmonton/laptop-stolen-with-health-information-of-620-000-albertans-1.2507161


Mr. Cutler is a frequent contributor to media reportage about cyber-crime, spying, security failures, internet scams, and the real social network dangers that families and individuals face every day. In this interview, Terry speaks with Newstalk 770 in Alberta about a very large data breach in Alberta health care. A laptop stolen with 620,000 health records on it has the privacy commissioner very upset. Listen to the interview here in MP3 format.

A laptop with the unencrypted personal health information of 620,000 Albertans was stolen last September, Health Minister Fred Horne announced Wednesday.

The laptop contained the names, dates of birth, provincial health card numbers, billing codes and diagnostic codes of the individuals seen at Medicentres between May 2, 2011, and Sept. 10, 2013. The computer was stolen on Sept. 26.

4 other cases of stolen health data in Alberta

Horne said that he was informed of the theft on Tuesday, when he received a letter from the vice-president of Medicentres Family Health Care Clinics.

He has asked the privacy commissioner for an official investigation under the Health Information Act to find out why health officials have only just been told about the theft.

“On behalf of the citizens of this province, I am quite frankly, outraged that this would not have been reported to myself or my department sooner,” Horne told reporters.

“The theft of personal health information of 620,000 fellow citizens is unacceptable in Alberta’s health-care system in any circumstance.”

Edmonton Police, the Alberta College of Physicians and Surgeons and the Alberta Medical Association have also been notified.

Check credit card statements

In a news release, Medicentres says they were told on Oct. 1 that the laptop belonging to an information technology consultant was stolen.

The release further states that police and the privacy commissioner were notified immediately. However, Edmonton police said the theft was reported four days later on Oct. 5.

“To date, Medicentres has no information to suggest that any of the personal information on the laptop has been accessed or misused,” the news release states.

“Medicentres has already implemented a number of additional security measures and we are further auditing our security policies and procedures and are implementing further measures to ensure that personal information is further safeguarded.”

The chief medical officer for Medicentres, Dr. Arif Bhimji, said the laptop was stolen in Edmonton.

The consultant had access to so much information because he was working on a database needed to submit claims to the Alberta government.

There was a delay in notifying the public because Medicentres was trying to figure out how to best do it, he said.

“We kept the privacy commissioner involved and advised of our progress over this period of time,” Bhimji said.

“I wish we could have done it sooner, but this was the first time ever having to deal with this sort of situation and it took a lot longer than we would have liked it to take.”

He is advising anyone who thinks that their information was stolen to check their credit card statements to make sure nothing is out of the ordinary.

Bhimji said Medicentres is now seeking answers on why the stolen laptop’s data wasn’t encrypted.

“We have certainly asked for a response to that question from our IT consultant, who we would have hoped would have understood that this would be an important privacy matter to be concerned,” he said.

Bhimji declined to name the firm where the consultant works.

“We are terribly sorry that this has occurred. We regret that it has taken much longer than we would have liked to inform Albertans with respect to this and we truly do apologize for the inconvenience that some of these people are going to face and the concern that this is going to cause them.”

Privacy boss to decide on investigation

Alberta privacy commissioner Jill Clayton is en route to Edmonton and will decide tomorrow whether to commence an investigation.

Brian Hamilton, director of compliance and investigations, said that his office had been urging Medicentres to make the theft public since October.

Horne said anyone who might be affected can lodge a complaint with the privacy commissioner.

“When first asked for my reaction about this I was speechless. I find it incredibly hard to believe that in a province such as Alberta that such an incident could occur,” he said.

Opposition leader Danielle Smith of the Wildrose Party said it was inconceivable that it had taken so long for the breach to be made public and that the health minister wasn’t notified sooner.

“Why did all of this information exist in a single file on a computer in the first place?” Smith asked.

“The requirement of the Health Information Act is that vendors are only supposed to access the amount of information that they need to provide the service and no more.”


iOS Hacking. Rise of the evil Smartphone

With constant access to email, applications, the Internet, and company data, workers are using their devices to stay in touch with family, friends, and co-workers through social networks. This means that people are building a larger database and adding data to their applications. The appeal for hackers with mal-intent is obvious; the build up of data could mean massive attacks on sensitive company or government data. The crazy part is that it all could have been launched––unknowingly and cleverly––through a Smartphone.

This article focuses on black box security reviews of iOS applications, which, in contrast to white box reviews, do not require access to the original source code used to produce the binary. First, we present an overview of the iOS platform: a bit of history showing how the security has improved over time, the main security features that ensure the confidentiality of user data, and the integrity of running applications. These are key concepts that one needs to understand before diving into penetration testing on this platform.

By Terry Cutler, Co-founder of Digital Locksmiths, Inc., CEH, and François Proulx, Senior mobile application developer

Evolution of the iOS platform security
When the first iPhone was introduced, it was initially only available in the US market and did not provide the ability for end users to install applications besides those provided at the time of purchase. This meant that there was no App Store, and no official way for developers to program and distribute applications. At that point, Apple decided to keep its SDK private, and since the platform was still in its infancy, many critical security aspects were eschewed. Because of this initial lax security, and the fact that the original iPhone was only made available in the United States and on a single carrier (AT&T), it provided a strong motive for a number of hackers to form what rapidly became known as “the jailbreak community.” This community of hackers initially had two main interests: the first was to be able to run custom apps, and the second was to SIM unlock the phone to make it work on other carriers worldwide. It only took a few days after the device was officially made available for hackers to “escape jail”. One of the most well known groups in this community is called the “iPhone Dev Team”.

During the days of what was then referred to as iPhone OS 1.0, the jailbreak community had a lot more freedom to explore because of the poor level of platform security. Over time, they amassed a wealth of highly technical information about the inner workings of the Apple hardware, as well as the operating system and frameworks. This deep technical knowledge proved extremely valuable when the second device came out (iPhone 3G), along with iPhone OS 2.0, as well as the first iteration of the App Store, through which the term “App” became so popular amongst the general population. While the first iPhone could only run built-in apps written by Apple, this new scheme allowed any developer to sign up for an account, download Xcode (Apple’s IDE and compiler suite), an SDK, and access documentation. Because Apple wanted to keep a close watch on the kinds of applications that could run on their platform, they built a review process that all apps had to go through before they could be downloaded from the App Store. The review process looks for usage of critical system APIs, suspicious behaviors, etc. Before submitting for review, a developer must code sign his binary using a developer certificate, which ensures traceability from the developer, through the review process, and all the way to the device it finally runs on. This means that all apps must contain a valid certificate chain that ends with a specific Apple trusted root. There is no official way, even if one were to install one’s own self-signed certificate in the trusted anchors store, to bypass this signature check. One of the main features of a jailbroken device is that its kernel has been patched to skip this signature check, which significantly reduces the security of the platform but allows a technically savvy user to dive more deeply into the system. In short, a device must be jailbroken in order to do any serious black box penetration testing of apps. However, you will soon see that you can still do a lot without going through that process.

Please register and download our full article which includes many great tips. Here is the link: http://hakin9.org/read-new-hakin9-open-for-free-and-become-a-cyber-security-expert/


Inside this issue:

Cloud Security

Information splitting in Cloud Storage Services
By Marius Aharonovich, IT Security Department Manager at Avnet, CISSP
The use of cloud computing services is expanding rapidly in recent years as it enables scalability, quick adaptation to dynamic changes in business requirements and total cost of ownership reduction. However, these services create challenges regarding information confidentiality and availability, where the cloud service provider is solely responsible for managing the computing infrastructure and information security.

Security in Microsoft Cloud
By Shruti Prasad, Lead in Microsoft Practice at Collabera Solutions Ltd., CEH, MCPD Azure Certified
While cloud services are gaining popularity and witnessing a predictive growth, security remains the biggest concern impeding the fast adoption of cloud services. The thought of sensitive data floating on the cloud continues to make people nervous. In spite of all the challenges, Cloud is here to stay!

Not enough security In-The-Cloud
By Alexander Larkin, Senior Developer at InfoTeCS
The history of In-The-Cloud. Problems with making hosted services secure. How it can help, and why attackers can make no profit from using it today in some cases.

Cloud Computing Security Challenges 
By Ahmed Fawzy, CEH,CHFI, ECSA, ITIL, MCP, MCPD, MCSD, MCTS, MCT  
Recently, cloud computing became the most requested service across IT services, as we all know that many companies, organizations and governments have moved to the cloud; for example, half of the US government moved to the cloud. The main objective of this article is to discuss the types of new risks surrounding moving our data to the cloud and to evaluate the dream of unifying the storage layer across the world, as per some research.

iOS Hacking

iOS Application Hacking, a rising star
By Antonio Ieranò, VP – Security Analyst and R&D Advisor at KBE Intelligence 
Mobile computing is a reality and mobile security is an obvious consequence. As we are all aware, the market is nowadays divided into 3 main streams: Android, iOS and the others. Although Android has been under the spotlight since its birth because of its security issues, and the issues related to the several “forks” that Android generated for every single phone vendor (think of the HTC security issues last year, for example), iOS is also becoming a target for malware, hacking and security concerns.

Non-Standard Way to Get Inaccessible Data from iOS
By Kirill Ermakov, Lead Information Security Expert at QIWI 
In the wake of my speech at Positive Hack Days, I would like to share information I got exploring the daemon configd on iOS 6 MACH. As you know, iOS gives little information about Wi-Fi connection status. Basically, the public API allows getting the SSID, BSSID and adapter network settings, and that’s all. And what about encryption mode? Signal power? You can look under the cut for more information on how to get such data without the private API and jailbreaking.

iOS Hacking
By Terry Cutler, Co-founder of Digital Locksmiths, Inc., CEH, and François Proulx, Senior mobile application developer

With constant access to email, applications, the Internet, and company data, workers are using their devices to stay in touch with family, friends, and co-workers through social networks. This means that people are building a larger database and adding data to their applications. The appeal for hackers with mal-intent is obvious; the build up of data could mean massive attacks on sensitive company or government data. The crazy part is that it all could have been launched––unknowingly and cleverly––through a Smartphone.

Web Security

WordPress & Web Application Security
By Marc Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA- IAM, NSA-IEM
WordPress is a system that many organizations use to develop Web Applications. It can be risky for an organization to rely on WordPress without implementing proper security controls. This article presents the basic elements and security controls regarding Web Applications using WordPress.

Web Authorization Attacks
By Niharika Ramachandra Murthy, Infotech Student at University of Stuttgart 
The logic behind Authorization is that the authenticated user’s session is proved with a unique random token which is used to identify him in the application. Since HTTP is a stateless protocol, session management is in place to overcome this.

Advanced Exploitation

Black-Box Penetration Testing Scenario
By Basem Helmy, Information Security Engineer,  ECSA/LPT
All information in this article is from real penetration testing scenarios. Some of the steps in the article are straightforward; others may need more skill to bypass restrictions such as antivirus, host intrusion prevention systems and firewalls.

Instrumentation: Entering The Mysterious World of Java Virtual Machine
By Hardik Suri, Security researcher at Juniper Networks 
Java is one of the most frequently exploited pieces of software by cybercriminals. The fact that more than 10 0-days have been actively exploited in 2012-2013 shows the rate at which Java 0-days are cropping up. Traditional IPS vendors have always lacked the capability to block Java exploits generically; the simple string matching methodology used by traditional IPS is easily evaded by the ever-changing, complex code obfuscation used by cybercriminals today. A dynamic scanning approach could help us look inside the actual vulnerability hiding behind all those obfuscation layers. Instrumentation, a tool which allows us to enter the Java Virtual Machine environment and monitor the execution of a program in real time, can provide us with that alternative.

Extra

How Hackers use QR Codes to hack you?!
By Ahmed Fawzy, CEH,CHFI, ECSA, ITIL, MCP, MCPD, MCSD, MCTS, MCT  
First of all, the price of technology is often the security challenges we face as security professionals or end users. When a technology comes into our lives to add value and increase our comfort, it may in fact carry a potential risk. In this article we will discuss how hackers exploit QR technology to hack others.

Password Cracking
By George Lewis, Director at Big Data Solutions, CISSP
This article will cover the Exploitation Phase and will mainly focus on Gaining Access / Privilege Escalation through different Password Cracking techniques.


Privacy in the age of the hacker: Balancing global privacy and data security law


Digital Locksmiths CTO Terry Cutler’s work has been cited in the 2012 Phoenix School of Law paper Privacy in the age of the hacker: Balancing global privacy and data security law.

Terry Cutler, “Was 2011 the Year of the Hacker?”, SecurityWeek (Jan 2012), http://www.securityweek.com/was-2011-year-hacker

Abstract:
The twin goals of privacy and data security share a fascinating symbiotic relationship: too much of one undermines the other. The international regulatory climate, embodied principally by the European Union’s 1995 Directive, increasingly promotes privacy. In the last two decades, fifty-three countries enacted national legislation largely patterned after the E.U. Directive. These laws, by and large, protect privacy by restricting data processing and data transfers.

At the same time, hacking, malware, and other cyber-threats continue to grow in frequency and sophistication. In 2010, one security firm recorded 286 million variants of malware and reported that 232.4 million identities were exposed. To address these evolving threats, modern security techniques analyze and process massive amounts of data. The Article posits that international law increasingly favors privacy, throwing the symbiotic relationship out of balance. By restricting data processing and by failing to exempt data processing for security purposes, global privacy laws undermine private data by increasing its vulnerability.

Be sure to read

Privacy in the Age of the Hacker: Balancing Global Privacy and Data Security Law, by McKay Cunningham

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2138307

TABLE OF CONTENTS

I. INTRODUCTION
II. THE PRIVACY SIDE
A. The Information Age
B. Protecting Private Information
1. Data Privacy Regulation in the European Union
a. Initial Attempts to Protect Private Information
b. The E.U. Directive
i. The Directive’s Requirements
ii. The Directive’s Reach
iii. The Directive’s Reproach
iv. The Directive’s Repercussions
2. Data Privacy Regulation in the United States
a. The Sectoral Approach
b. The Safe Harbor
3. U.S. Resistance to E.U. Privacy Regulation
III. THE SECURITY SIDE
A. The Threat Landscape
1. Cyberwar
2. Consumer Vulnerability
B. U.S. Response to the Threat Landscape
C. Exceptions for National Security
IV. PRIVACY RULES THAT UNDERMINE PRIVACY RIGHTS
A. Too Much Privacy is No Privacy At All
1. Protecting Private Data: Evolving Threats
2. Protecting Private Data: Evolving Methods
B. An Open Window: The European Union’s Proposed Regulation

Ethical Hacking as a career – What do you want to be when you grow up?

Global Montreal TV News October 24, 2013

We’ve all heard this question. And, in all likelihood, chances are that you probably dabbled with the idea of becoming an astronaut or a superhero as a kid. In high school, you may have been dead-set on becoming president. Of course, by the time college graduation rolls around, many of us have moved on to more realistic career goals.

But with our hyper-connected world moving a mile a minute these days, the tried-and-true professions that everyone pursues today could quickly become a thing of the past.

So what does the future hold? Ever heard of ethical hacking? Yeah, neither had we. We spoke to Thomas Frey, author of “Communicating With the Future,” to suss out the six quickly growing power professions of the future that you should know about. Now tell us again: What do you want to be when you grow up?

Read more at http://www.forbes.com/sites/learnvest/2013/09/16/6-high-paying-jobs-of-the-future/

2. Ethical Hacker

How can a hacker be ethical? It turns out that many companies hire these experts to purposefully hack systems in order to pinpoint problems in security measures before their less-ethical counterparts get the chance. You can even become a Certified Ethical Hacker (CEH), a professional who’s tasked with network policy creation, intrusion detection and virus creation.

Terry Cutler is a co-founder of Digital Locksmiths, Inc. (http://www.digitallocksmiths.ca), an IT security and data defense firm based in Montreal, and serves as the company’s Chief Technology Officer. Terry’s career in the IT security space prior to his joining Digital Locksmiths has been long and distinguished. He was most recently a Premium Support Engineer for Novell in Canada, where he analyzed network vulnerabilities and transitioned security technologies into production, and before that he held digital security leadership roles with a number of large corporations. Through the International Council of Electronic Commerce Consultants (EC-Council), Terry earned the rank of Certified Ethical Hacker in recognition of his having mastered a range of industry best practices to thwart hackers by knowing how they think and operate from the inside out. In addition to being a licensed private investigator in Canada, Terry is an active member of both the High Technology Crime Investigation Association and the Center for Internet Security. An internationally known author, trainer, speaker, and security consultant, Terry has appeared in numerous television and radio programs and is very active on the conference circuit. More at http://digitallocksmiths.ca/about-us/our-team/terry-cutler


Digital Locksmiths Strengthens its Security Platform with Innovative Technology from PaulDotCom Enterprises

Turning the tables on present day hackers and attackers with real-time location and identity tracking capabilities

Original source http://www.prweb.com/releases/2013/10/prweb11228377.htm

Montreal, Quebec (PRWEB) October 16, 2013

Digital Locksmiths, a leading provider of technology solutions that secure corporate and private data for organizations worldwide, is pleased to announce a unique partnership with PaulDotCom Enterprises, integrating industry-changing Active Defense Technology (ADT) into the Digital Locksmiths Security, Privacy, Electronic, Concierge® (S.P.E.C.) cloud security platform.

The partnership is designed to turn the tables on cyber attackers by combining the proven S.P.E.C. ecosystem with the real-time location and identity tracking capabilities of ADT.

“We are very excited about this partnership with Digital Locksmiths. It enables the offensive countermeasure technologies to be used by a wider audience and embeds into different demographics,” said Paul Asadoorian, founder of PaulDotCom.

S.P.E.C. Active CounterMeasures is designed to let organizations collect the intelligence needed to evaluate attack methods and fine-tune the security measures and investments that shore up their layered security strategy.

“If the bad guy falls into these traps, we can quickly identify the attacker’s tools, strategy and level of skill – a potent combination of information to be used against them,” said John Strand of PaulDotCom.

This advanced technology allows for a proactive approach in dealing with cyber warfare. In many instances, the analysis of an attack or breach is done after the fact – after the damage has occurred.

“Can you imagine going to law enforcement and being able to say, ‘Here is the real IP address and port number, latitude, and longitude of the person that attacked our site,’” said Terry Cutler, Chief Technology Officer, Digital Locksmiths. “And we did it legally. That is incredibly powerful, and this is what we’re talking about whenever it comes to turning the tables on the bad guy,” says Cutler.

Get started at http://www.specconcierge.com/activecountermeasures.

For further information:

Editorial Contacts:

Terry Cutler
Digital Locksmiths
tcutler(at)digitallocksmiths(dot)ca
888-HACK-514 x 24

John Strand
PaulDotCom Enterprises
john(at)pauldotcom(dot)com
605-550-0742

About Digital Locksmiths
Digital Locksmiths is an action leader in the holistic application of security services for both government and private sector clients, especially those in telecommunications. We aid in the implementation of state-of-the-art security technologies that combat risks to the integrity, trustworthiness and availability of critical data and systems, not only for companies but also for individuals. We believe in putting security at the forefront of everything we do, helping our customers become more competitive through the smart use and application of technology. http://www.digitallocksmiths.ca 1-888-HACK-514

About PaulDotCom
PaulDotCom is an organization dedicated to security, hacking, and education. It encompasses weekly podcasts, monthly webcasts, security consulting, and numerous articles, papers, and presentations. Their mission is to provide free content within the subject matter of IT security news, vulnerabilities, hacking, and research. They strive to use new technologies to reach a wider audience across the globe to teach people how to grow their security knowledge.


Yahoo Recycled Emails: Users Find Security Surprises

Original source : http://www.informationweek.com/security/vulnerabilities/yahoo-recycled-emails-users-find-securit/240161646?pgno=1

Some Yahoo users who took advantage of recycled IDs report they’re getting emails intended for the old account holders — including personal data.

by Kristin Burnham – Senior Editor, InformationWeek.com

When Tom Jenkins, an IT security professional, learned in June that Yahoo planned to free up abandoned account IDs, he jumped on the opportunity to request a nickname he’s had since high school. He was thrilled when Yahoo emailed him in August to say the ID was available.

“I had tried periodically to obtain this email address, but I was never able to do it,” Jenkins said in an interview. “I was aware that these Yahoo IDs were once owned by someone else, but I was pretty surprised by the types of emails I immediately started getting.”

In less than a day, emails intended for the original account owner hit his inbox. Among them were marketing emails from retailers and catalogs, which were a nuisance, he said. But then came the emails with sensitive personal information: messages from the former Yahoo account holder’s Boost Mobile service, which included the account number and PIN; emails from a Fidelity investment account; Facebook emails; Pandora account information; and more.


Jenkins and other users who have obtained recycled Yahoo email IDs say, based on what they see in their inboxes, that identity theft concerns exist.

“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding,” Jenkins said. “The identity theft potential here is kind of crazy.”

Neil Harris, a software executive, also signed up for a recycled Yahoo ID. A Yahoo user for many years, Harris wanted a new username that was easier to remember than the one he currently had.

On the first day he logged into the account, he found that Yahoo merged his former account with the new one, giving him one inbox that funneled emails from both accounts. That wouldn’t have been a problem, Harris said, if it weren’t for the misdirected emails he suddenly started receiving.

“I immediately got email addressed to the [former] account owner and the nature of them made me uncomfortable,” Harris said in an interview, noting that a number of emails were from men looking to meet up with a woman.

In the following weeks, Harris was sent emails from department stores, including emailed receipts from recent purchases at Nordstrom. He also received timecards that detailed mileage reimbursements and included the former account holder’s name and address.

“It seemed odd to me that this email was coming from all over. It’s clear that while the owner supposedly hadn’t logged in in a while, she was still actively giving out that email address,” Harris said.

They’re not alone: Scott Newman, a Web developer, also signed up for one of Yahoo’s recycled IDs. “I thought it was a cool idea because when you’re standing at Williams-Sonoma and they ask for your email address it would be easier to give them something that made more sense than what I had,” he said.

Personal emails intended for someone else began arriving within the first day of account usage, Newman said.

“It started off with some stuff from catalogs and clothing companies and I thought, ‘That’s fine, I’ll just unsubscribe.’ I figured I’d have to deal with a little of that,” Newman said in an interview. “But then I started getting emails with court information, airline confirmations, a funeral announcement saying someone had just died — it was nuts.”

Yahoo’s initiative to free up dormant accounts began in mid-June when the company first announced its plan. “Today, I’m excited to share with you our next big push: We want to give our loyal users and new folks the opportunity to sign up for the Yahoo ID they’ve always wanted,” wrote Jay Rossiter, senior VP of platforms, on the company’s Tumblr. A Yahoo ID is a user name that lets you access all of the company’s personalized services, such as messenger, email and more.

Yahoo said it would alert users who had been inactive for at least 12 months and instruct them to log in to their accounts if they wanted to keep them. Accounts that remained dormant would be recycled and up for grabs.

In July, Yahoo opened up a wish list where users could name their top five choices for a username. Come August, Yahoo would contact them if one of their IDs was available and send them instructions to claim it within 48 hours.

Almost immediately, privacy advocates and security analysts criticized Yahoo’s initiative. Some called it “an underhanded and risky way to get people to re-engage with Yahoo,” while others called attention to the real potential for others to take over people’s identities via password resets and other methods.

Following the criticism, Yahoo released a statement reaffirming its confidence in the initiative and shedding more light on the steps it would take to ensure privacy and security. The company said that personal data and private content associated with the accounts would be deleted and would not be accessible to the new account holder.

“To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce-back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.”

In July, Yahoo followed up with more details about its security efforts. The company said it would work with businesses to implement a “Require-Recipient-Valid-Since” (RRVS) header. If you submit a Facebook request to reset your password, for example, Facebook would add the RRVS header to the reset email, carrying your address and the date on which Facebook last confirmed that the address belonged to you. The header signals to Yahoo to check when the current owner took possession of that mailbox before delivering the mail: if the account changed hands after the date in the header, the email would bounce instead of landing in a stranger’s inbox.
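The receiver-side check that the RRVS header asks for is simple enough to show in full. The following is an added example, not Yahoo’s or InformationWeek’s code, written against the header format later published as RFC 7293 (`Require-Recipient-Valid-Since: address; date-time`). The `MAILBOXES` table is a constructed stand-in for the provider’s account store, recording when each address was last assigned to its current owner; the SMTP reply strings and the “deliver when the header does not apply” fallbacks are assumptions about local policy.

```python
"""Receiver-side evaluation of a Require-Recipient-Valid-Since (RRVS) header.

Added example (not from the article). MAILBOXES and the SMTP reply strings are
constructed for illustration; a real MTA would consult its account store.
"""
import email.utils
from datetime import datetime, timezone

# Constructed ownership registry: address -> when the current owner took it over (UTC).
# "oldnick" stands in for a recycled ID that was handed to a new user in Sept 2013.
MAILBOXES = {
    "alice@example.com":   datetime(2009, 3, 1, tzinfo=timezone.utc),
    "oldnick@example.com": datetime(2013, 9, 10, tzinfo=timezone.utc),
}


def parse_rrvs(header_value):
    """Split 'addr; date-time' into (lower-cased addr, timezone-aware datetime)."""
    addr, sep, date_str = header_value.partition(";")
    if not sep or not addr.strip() or not date_str.strip():
        raise ValueError("malformed Require-Recipient-Valid-Since header")
    ts = email.utils.parsedate_to_datetime(date_str.strip())
    if ts.tzinfo is None:  # RFC 5322 '-0000' means unknown zone; treat as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), ts


def rrvs_decision(envelope_rcpt, header_value, mailboxes=MAILBOXES):
    """Decide whether the receiving MTA should deliver a message carrying RRVS.

    Returns (action, smtp_reply). The sender asserts that it last confirmed
    envelope_rcpt belonged to its user at the header's timestamp; we deliver
    only if the mailbox has had the same owner continuously since that moment.
    """
    rcpt = envelope_rcpt.strip().lower()
    try:
        addr, valid_since = parse_rrvs(header_value)
    except ValueError:
        # Unparseable header: fall back to ordinary delivery (assumed policy).
        return ("deliver", "250 2.1.5 Recipient OK (RRVS ignored: malformed)")
    if addr != rcpt:
        # Header names a different address (forwarded/aliased mail); it does
        # not apply to this recipient, so ordinary delivery rules apply.
        return ("deliver", "250 2.1.5 Recipient OK (RRVS not applicable)")
    owner_since = mailboxes.get(rcpt)
    if owner_since is None:
        return ("reject", "550 5.1.1 No such user")
    if owner_since > valid_since:
        # Mailbox changed hands after the sender last validated it: this is the
        # password-reset-to-a-stranger case, so refuse rather than deliver.
        return ("reject", "550 5.7.17 Mailbox owner has changed")
    return ("deliver", "250 2.1.5 Recipient OK")


if __name__ == "__main__":
    reset_hdr = "oldnick@example.com; Mon, 3 Jun 2013 10:00:00 +0000"
    print(rrvs_decision("oldnick@example.com", reset_hdr))   # rejected: recycled later
    print(rrvs_decision("alice@example.com",
                        "alice@example.com; Mon, 3 Jun 2013 10:00:00 +0000"))
```

The comparison is deliberately one-sided: a timestamp earlier than the current ownership start is the only condition that rejects, because that is exactly the window in which a reset link addressed to the previous owner would otherwise reach the new one. A sender that never learned the header, or a mailbox that was never recycled, is delivered as before, so the mechanism only helps for senders that adopt it, which is why the article’s examples still show misdirected mail from retailers, courts and airlines.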

Yahoo’s security measures appeared sound in theory, said Gant Redmon, general counsel and VP with privacy and security company Co3 Systems, but failed in practice.

Yahoo’s idea was problematic from the start, Redmon said. “I can understand why Yahoo would want to do it: It’s a legacy email service that they’re trying to turn around and generate more interest in. But the initiative is troublesome,” he said in an interview. “Email has become a primary identifier because no two people are supposed to have the same email address. When you sign up for it, you think it’s yours for life.”

However, Terry Cutler, chief technology officer at IT security company Digital Locksmiths, said he’s surprised that Yahoo’s security measures allowed for such a slip in the examples of Jenkins, Harris and Newman. “Yahoo seems to have done it right,” Cutler said in an interview. “They did the right thing by shutting down accounts for a period of time, which should have helped to clean them up. But something’s clearly not working, and that’s a big problem.”

Though Yahoo’s security measures weren’t effective for everyone, Redmon said the company isn’t liable for the misdirected personal emails. “Businesses are in trouble when they lose personal information they collected and were entrusted with, but that doesn’t fit the Yahoo scenario,” he said. “Yahoo hasn’t lost or disclosed information they shouldn’t have. They’re not responsible for the fact that it was disclosed to a third party — the user is.”

Yahoo performed what Redmon calls a “risk shift”: Yahoo transferred the burden of responsibility to the customer by requesting that the person log in to ensure the account remained active.

In a statement to InformationWeek, Dylan Casey, senior director of platforms at Yahoo, said that the company has received minimal complaints from recycled-account holders. “We take the security and privacy of our users very seriously. We have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder,” he said. “We are continuing to work with companies to implement the RRVS email header standard that we published to the [Internet Engineering Task Force].”

Today, Yahoo charges $1.99 for you to request up to five usernames on Yahoo’s Watch List. Jenkins, who signed up when it was free, said that the hassle of dealing with the misdirected email — which totals between six and 10 messages a day, in addition to the “boatloads” of junk email — hasn’t been worth it. He’s considering shutting down his account.

Harris, whose two Yahoo accounts were merged into one, said it took four phone calls and about four hours with Yahoo customer service to separate the two accounts and close the recycled one. “They were really helpful considering it’s a free service, but they had a lot of trouble figuring out how to do it.”

Newman said he’s actively filtering the former account holder’s email with hopes that the volume will eventually decrease. “I’m using the new account mostly for unimportant email because I’d probably go crazy trying to figure out what email is supposed to be mine and theirs,” he said. “It’s kind of disappointing because it’s a great username to have, but I don’t want to work this hard for it. Plus, getting someone else’s mail just feels gross.”

Those peeks into other people’s personal lives leave Newman and Jenkins uneasy about Yahoo’s continuation with recycled accounts, and concerned for others whose accounts may have closed.

“The most distressing part for me is that because I’m a Web developer, I know how easy it could be to reset all their passwords. It’s scary to think about the damage I could do,” Newman said. “Just yesterday I got an email confirmation for an apartment application. I could have canceled someone’s apartment.”

Jenkins said the opportunities for hackers are his biggest concern. “In some ways, the former user should be lucky that I’m getting this email because I would never do anything bad with it. But this whole situation made me nervous about my other email addresses. What happens when I stop using them?”

 

A Montreal woman discovers a fake Facebook profile using her pictures

Photo: Amanda Klang/CBC

Carolyn Seguin says someone in Tennessee stole her identity on Facebook. She discovered a fake profile using her photos under a different name. A Montreal lawyer says this is an illegal practice that’s becoming increasingly widespread.

Terry Cutler, Digital Locksmiths CTO, discusses the case with Bernard St-Laurent of CBC Radio Noon and answers callers’ questions.

Have a listen: http://digitallocksmiths.ca/cbc_radio_noon_sept_2013.mp3

 

Here are some examples of why educational institutions are still actively fighting cyber attacks

Image courtesy of truththeory.com

While students laze around on summer vacation, educational institutions are still actively fighting cyber attacks.

Many universities average at least a million cyber threats per week. A recent major attack was on Stanford University, and although the damage was likely minor, students were requested to change their passwords.

Western University, in London, Ontario, has also been the target of recent phishing attempts. Some 1,092 students received emails that appeared credible, requesting their student usernames and passwords. What was unusual about this attack was how personalized the email was. Jeff Grieve, the ITS director at Western University, said that it was a “very sophisticated and well-organized attack specifically targeted at Western.” Because the email looked authentic, some students actually responded to the phishing scam.

Cyber security is a rising concern across all educational institutions, from elementary to post-secondary. It is not just direct attacks on a school, but the threats that come with BYOD as well. Five counties in Norway have recently tried implementing BYOD policies in their educational systems for both teachers and students. This gives students the opportunity to learn wherever and whenever they’d like, and where they are most comfortable. With BYOD policies, students never have to worry about trivial things like transferring homework between personal and school devices.

With the rise of BYOD in schools, there is growing urgency around its security. The University of California, Berkeley’s cyber security budget has doubled since last year, and was already in the millions of dollars. That investment gives students the peace of mind that their sensitive information is safe.

Back in January, I was interviewed by Montreal’s Global News to discuss the Dawson College student who hacked into the college’s system and uncovered major security flaws. The student, Hamad Al-Khabaz, says that what he found was so bad that “somebody could’ve ruined somebody’s life.” Dawson College director-general Richard Filion acknowledged that Al-Khabaz had found the flaw, but said he was expelled after he repeatedly tried to gain access to areas of the college information system where he didn’t have authorization.

While Al-Khabaz should not have been hacking without permission, his discovery could have been disastrous for the college had the information fallen into the wrong hands. With the rise of BYOD in education at every level, it is important to remember that schools hold sensitive information of every kind. Educational institutions need to invest in cyber security to keep this data safe.

If you find this article helpful, I’d kindly ask you to go ahead and SMASH one of those buttons below to share the love. Talk to you in the next post!

 

About the author

Terry Cutler is a co-founder of Digital Locksmiths, an IT security and data defense firm based in Montreal, and serves as the company’s Chief Technology Officer and Certified Ethical Hacker. Prior to joining Digital Locksmiths, he was a Premium Support Engineer for Novell in Canada, where he analyzed network vulnerabilities and transitioned security technologies into production. In addition to being a licensed private investigator in Canada, Terry is an internationally known author, trainer, speaker, and security consultant. He has appeared in numerous national television and radio programs and is very active on the conference circuit. Follow Terry on Twitter at @TerryPCutler and connect with him on LinkedIn

 

#BuyerBeware: 6 Tips on Understanding Popular Scams & How to Avoid Getting Duped

Global Montreal News interview, July 4, 2013

“Have you ever been at the short end of the stick when it comes to scams?” Camille Ross, news anchor and host of The Morning News for Global Montreal asked. It’s a common question, and unfortunately, the common answer is ‘yes.’

With cyber threats growing, online scams are becoming a more common problem. I was invited to be a guest on The Morning News on Global Montreal with Camille Ross on July 4th 2013 to talk about what these threats look like, and how best to avoid them.

First, we talked about the latest Kijiji scams. Back in January, I was asked to investigate a situation for a woman who had transferred money to people “selling” luxury cars. They told her to wire $10,000 to their American account and the rest of the money to their Slovakian account, so as not to set off anti-money-laundering alerts. Sure enough, the woman, along with twelve other victims, lost her money for good.

Next, we talked about ransomware delivered through fake tech-support calls: someone claiming to be from a company like Microsoft calls you, says there may be something wrong with your computer, and asks to get into it to check. Once you give the caller your information and let them in, they lock up your computer, claim it is a “virus,” and then demand money to unlock it.

So how do you avoid these online scams? Here is our list of 6 tips you can follow to avoid being duped:

 

  1. If the price seems too good to be true, it probably is. This is where the buyer needs to ask questions.
  2. Look out for unusually professional photography in the ad. Often, scam accounts use pictures of models and stock photos. These people are hiding their real identities so you cannot track them later. Another problem with photographs is that they may not match the listing. Is the seller “selling” 4 concert tickets, but more than that are depicted in the photograph? This can be another sign of a scam.
  3. Does the ad or email have poor grammar? Especially when receiving information from companies, look at the construction of the email; professional companies would be sure to use proper grammar, syntax, spelling, and sentence structure.
  4. If the seller refuses to provide tracking numbers or only wants to transfer money through non-traceable routes, they are likely trying to scam you so that you cannot find them later.
  5. Try Googling the seller’s phone number to see if anyone else has commented in forums about a scam.
  6. Instead of buying from unreliable sources like Kijiji or Craigslist, buy tickets for concerts and events through reliable sources like the artist’s website, Ticketmaster, PayPal, or Evenko.ca.

It’s all about buyer beware. Look out for suspicious behaviour online, and remember to be safe.