Saturday, June 30, 2007

Information Leakage via social networking

I frequent the LinkedIn website and someone recently asked 'what constitutes an identity?'. I found this an interesting question because there are several ways to answer it, ranging from philosophical to technical, but there is also the flip side - how easy is it for someone to assume your identity?

Social networking sites like Facebook and LinkedIn promote information sharing: you can list work and school experience as well as share interesting tidbits about yourself, but I do have to wonder just how much of that information could be used for illegal or illicit gain? All it takes is someone determined to have the site's database and not only do you have all the information that's publicly available but you also have other restricted data (assuming that the data is not stored encrypted, of course).

These sites have a lot to promote them: they are a great way of getting in touch with past colleagues and of making new contacts, but in many ways they scare me with the amount of information people are happy to give away about themselves - the potential for social engineering attacks based on information contained in these sites must be huge.

Wednesday, June 27, 2007

Moving house

Well, that was fun!

The move is over. The computers are almost all in place but there are a lot of little jobs that need doing, lots of rewiring for the computers - the study area only has a single plug, which is not exactly ideal for all the computers!

It's been quite a week: moved on Saturday, slept on Sunday, then back to work Monday and Tuesday, then on a course for Blue Coat Wednesday, Thursday and Friday.

The journey here is a bit more of a pain so I'm looking at jobs in the area - worth keeping an eye on all the options.

Normal blogging service will be resumed over the weekend with a look into reducing the number of services a default installation of Windows 2003 has.

As always, any suggestions for security focused articles please drop me a line.

Wednesday, June 13, 2007

Blog Updates for the next two weeks

Blog updates for the next two weeks may be a little sporadic as I'm moving house and will have limited net access.

Once I'm up and running I've got a series of blog articles planned that I hope you will all find interesting. Here is a brief taste:

  • Running Windows using Minimal services

  • iSCSI on Windows, Linux and NetApp

  • Issues with P2V and domain controllers

Any suggestions for future articles are always greatly received.

Wednesday, June 06, 2007

Profiting from Security vulnerabilities

A new company is offering security researchers the chance to profit from discovering and coming up with innovative fixes for security vulnerabilities in products.

Their web page (linked above) contains the following ominous paragraph:

We evaluate the vulnerability for the following criteria:

(a) Either the researcher or ourselves can suggest a method of fixing the vulnerability
(b) The fix is difficult to "design around"
(c) The fix can be protected by patents or other intellectual property.
(d) If the fix is adopted, it is easy for us to gain evidence that this has happened.

So, if I'm reading this right, they are only interested in fixes that they can profit from? If a researcher discovers a security hole and they can't patent a fix then they are not interested?
The next line is even more scary. How do they propose to gain evidence that a fix has been adopted? This suggests some sort of 'phone home' technology to report in to them that a particular machine has the fix installed.

Is it just me who can see several rather worrying aspects to this proposal?
1. It encourages the less ethical security researcher to profit from abusing a security hole if they believe they cannot make a profit from the fix.
2. The phone home technology that's hinted at in clause (d) can be exploited - let's say a security fix is removed by accident from a machine. That fix will then not be able to 'call home'. It is now possible for someone to review the database and see just what fixes are missing from machines, rendering them vulnerable to a non-ethical employee!! This is totally unacceptable.

Friday, June 01, 2007

Annoyed at Symantec 'Trialware'

I just tried to download a copy of Symantec Sygate 5.1 from Symantec's website. I've used an earlier version of the product and wanted to test out the current version just to see what it looked like - if we purchase it then it will be via an already established partner.

When I clicked on the 'download trialware' link I got a THREE-PAGE form to fill in. I never use my details on these because I already get bugged by enough sales folk.

Imagine my amazement when I complete the process to get this message:

"To ensure that Symantec can provide any technical assistance needed for a smooth evaluation, a Sales representative will contact you within 3-5 business days to provide software download details, as well as help with product activation and implementation. Do you wish to continue?"

Right. How can a SALES Rep give me technical assistance?

Why does a SALES Rep need to contact me to allow me to download the software?

Why does it take 3 to 5 DAYS before the software can be downloaded?

I thought I'd give Symantec customer care a call about this, so I dial up 0870 2431003, which is the number listed on the website for customer services, and get through to a normal digital dorothy phone menu, select option 3 for Symantec customer services and promptly get cut off.

It seems that Symantec's 'Customer Care' is basically them saying "We hate you. Go away".

Thanks Symantec. I'll make sure I do as little business with you as possible.