As some of you may have noticed, Google has received some heat the last couple of weeks due to claims that they intercepted private data from open wifi-networks when driving around to complete Google Street View coverage. One of the many articles on this subject can be found here: http://www.computerworld.com/s/article/9176810/Google_stops_sniffing_Wi_Fi_data_after_privacy_gaffe

First off: I am very much against any form of privacy infringement and believe quite strongly that most forms of proactive surveillance against non-criminals are futile at best and damaging for national security at worst. However this whole case is just somewhat ridiculous.

Yes, Google made a mistake in not disabling that specific piece of software, but calling the data they gathered private is a bit of a joke. What they gathered was data sent unencrypted over a public network. If you’re sending confidential information over a public network unencrypted, Google stealing your deep-dark secrets is the least of your worries. They did it by mistake – many others do it intentionally!

In fact where I’m sitting right now, I can see no less than 7 open wifi-networks. Most are private homes and most of them have, according to Kismet, traffic flowing over them right now. This means that if I wanted to, I could activate software like Kismet or Wireshark and use this to steal every single bit of unencrypted data sent over this network. In fact, I would be able to do this with almost no chance of ever being detected in doing so. Even if the network owners tried to catch me, they most likely would not be able to. That’s simply how easy and risk-free it is.

The reason why I can do this, is because wifi-networks work by transmitting data outward on a given frequency and then let all clients in that network receive all data. It’s then the client’s computer that needs to filter out what was meant for it and what was meant for everyone else. If a computer behaves “nicely” it’ll discard anything not meant for it, but if it’s been put up to intentionally receive everything, you’ve created a so called “sniffer” and all unencrypted data is up for graps.

While software like Wireshark allows you to only “sniff” data sent over the network you’re connected to, Kismet let’s you “sniff” from any network without ever connecting to that network. This effectively makes you completely invisible to the network owners, so they have no way of knowing, that you’re stealing everything they send.

Sadly, most users are completely oblivious to these facts and use open networks as if they we’re their home networks. And sadly in some cases they even are (as was the case with most of the 7 networks here). So effectively, when Google was driving around gathering private data from open wifi-networks, they weren’t really “sniffing” because they had no intention of gathering that data. The users on those networks were however shouting every single bit of so called “private” information in all directions, forcing Google wifi-analysis software to capture and save it.

Now, to be fair: Google weren’t really being smart here and should not have captured data sent over unencrypted networks. It was a bad move and while they didn’t intend to do so, it probably still didn’t give them a boost in their reputation!

That being said, I must however still say, that the real problem here is the user and the open networks. If you don’t want your data to be scooped up by Google, don’t send it unencrypted over an open network. Chances are someone far worse than Google is listening in – especially if it’s a public network near train stations or the like. Sending data over a open wifi-network is, for all intents and purposes, the equivalent of shouting the same information out your office window.

Back in April 2010 we published a blog post describing the secure way of working from open wifi-networks – We recommend you read up on that and use the techniques mentioned there in order to keep private data private in the future.

McAfee came out with a blog post on March the 17th concerning a new scam targeted against Facebook users. An attack that had quite a significant success, and therefore clearly shows an issue that still isn’t being sufficiently adressed by private individuals as well as companies.

The original blog-post can be found here: http://www.avertlabs.com/research/blog/index.php/2010/03/17/facebook-suffers-password-reset-scam/

For the people who didn’t feel like going in and reading the original blog-post, I can give a small summary of it here:

Basically what it says is, that McAfee has been tracking a Facebook e-mail scam where users are being sent fake e-mails with the subject “Facebook Password Reset Confirmation! Customer Support.” including a message saying that the user’s password has been changed due to security reasons and that the new password is attached to the e-mail as a .zip file.

The scam is especially interesting because people generally fell for it. Within record time, it skyrocketed to number 6 on the Global Virus Map’s Top 10 list.

What this shows me, is that companies and other organizations still have a huge education task ahead of them with regards to security. Looking at the simple scam e-mail in its entirity, this is what the content says:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.

You can find your new password in attached document.

Thanks,

Your Facebook.

There are several tell-tale signs that this is clear cut scam mail.

First and foremost, Facebook directly warns against any e-mails claiming to be from them, if they include such things as requests for account information or include attachments.  All Facebook’s information on scam prevention can actually be found at: http://www.facebook.com/security?v=app_4949752878 . All companies should consider including this document in their general security training of all personel! Given a few years, Facebook, Twitter and the like will be used by the vast majority of all internet users (even more so than now), including traditionally non-technical users that don’t necessarily have the insight to detect attempts at IT-fraud.

But even if Facebook didn’t come out with any general information about what an official e-mail from them would look like (as most companies/organizations don’t), there are still several tell-tale signs:

Looking at the e-mail as it has been sent to most people, here are a list of my observations of scam-like characteristics:

• The e-mail is not recipient specific.
  What I mean by this is that the e-mail doesn’t mention the user specifically, but only refers to this person as “user of facebook”. This is highly unusual for a website so focused on user information. A website that would easily have access to specific information about i.e. your first name. Note however, that the lack of a personalized greeting is not necessarily an indicator of spam. In several situations some companies will probably choose to send out a non-personal greeting, but in such a case it would usually be worded differently and it would definitely not have included any profile information (i.e. a new password as an attachment)
• The presence of an attachment.
  Attachments are almost never used by any company, group or organization. If attachments are used, it will generally be because the recipient requested the given attachment. If you ever receive an attachment you didn’t expect (and I do mean EVER.. no matter who it’s from), be very skeptical! Call the sender up on the phone and ask for confirmation.
• Spelling, grammar and the like.
  Another tell-tale sign is the use of language and wording in a message. Would the real Facebook really refer to themselves as “facebook”, instead of “Facebook”. The lack of correct grammar might be possible for small companies, since they might not have anyone to check such things, but for any large company you can expect, that if there are more than a few simple microscopic typos (i.e. “teh” instead of “the”), it’s most likely a scam. Call the claimed sender on the phone for confirmation.
  Also Facebook would probably not call you their “client”, but instead their “user”.
• The e-mail is in plain text.
  Not all will agree with me on this point, but I do believe that serious individuals (especially companies) will generally send an e-mail in HTML with graphics, tables and layout and not as so called “plain text”, which is just simply characters + punctuation, with no possibility for images, tables, layout, text formating or anything of that sort. This is, as most rules above here, not a general rule and should not be used exclusively to discard an e-mail as a scam.
• Odd sign offs
  Somewhat related to the issue of spelling and language use, would Facebook really end an e-mail with “Thanks, Your Facebook”? Wouldn’t it be more likely they would end an e-mail with something along the lines of “Thanks, The Facebook Team”? Again this is not a clear cut sign of a scam, but this in union with other issues should put up a red flag for you. As always: Call for confirmation if in doubt! Any serious person will not mind that you care about security, they will most likely applaud it!
• Non-authenticated requests
  Whenever an e-mail asks you for any information you wouldn’t shout out in public, then that’s usually not information you should be sending through an e-mail in any way or form. That’s basically why we have encryption and digital signing for e-mails.
  But especially whenever an e-mails asks for account information or claim to include it, you should be skeptical. Normally whenever you access your account on the website (i.e. http://www.facebook.com/) you’ve gone through some form of authentication process, usually by means of simple username and password. You haven’t done this when checking your mail, so the website has no way of knowing it has reached the correct user with the relevant information or information request. A normal request for information will therefore include you having to go to the company or organization’s website and go through a process there – not on e-mail!
  Once again, there are exceptions and some companies don’t care much about the security and therefore do request information through an e-mail. So when in doubt: Call the company and ask for confirmation!
• Sender is wrong
  Obviously there is the option of checking the domain from which the e-mail was sent, but often times most users won’t be able to tell the difference between a correct subdomain and an incorrect one. So for most users this isn’t a viable solution for training.

All in all the real problem is that people are simply not skeptical enough and trust information sent to them over e-mail, social networks and text messages.

As companies and organizations, you need to make a continuous effort to educate your employees in all forms of basic security. Security isn’t only relevant for the IT-staff. All staffers need to have some basic understanding of what a scam might look like, no matter if it comes through an e-mail, a phone call or even physically at the business location.

There are several resources available to help you design an education program for your employees and if you need professional assistance, Aconiac is always available for a consultation.

NOTE: This news item was originally posted on April 26, 2008.

Michael Lind Mortensen is Aconiac Security Group’s Business Manager and is responsible for areas such as management, marketing and security

testing. But today, the 26th of April, is Michael’s birthday – therefore, we hereby present: “10 things you didn’t know about Business Manager Michael Lind Mortensen”