Social Networks Fool InfoSec Pros

BitDefender says it has survey data showing that over 30% of the users who accepted a friend request from a bogus profile work in the IT security industry.

Although it would be cool to jump on this statistic, I do not see any analysis or data proving that the users themselves were not faking their own profiles.

Turnabout is fair play, no? How much of this information that BitDefender collected is real?

The study sample group included 2,000 users from all over the world registered on one of the most popular social networks. These users were randomly chosen in order to cover different aspects: sex (1,000 females, 1,000 males), age (the sample ranged from 17 to 65 years with a mean age of 27.3 years), professional affiliation, interests etc. In the first step, the users were only requested to add the unknown test profile as their friend, while in the second step several conversations with randomly selected users aimed to determine what kind of details they would disclose.

Ironic that they would assume the responses can be trusted. Or did they verify? The complete report (a 400K download) gives no verification of the survey group, so maybe we can assume they could also have been duped while trying to dupe others. The closest thing I found was this note:

These outcomes were tested against the motivation of IT security industry users to become friends with the blonde girl, in order to ensure that they didn’t accept the friendship request just to have “study material” for their own research.

That means they asked the very people they were trying to befriend for their motivation; 53% said “a lovely face” was their reason for accepting the girl. Was that a game response or sincere? I don’t see it as validation.

The experiment revealed that the most vulnerable users appeared to be those that worked in the IT industry: after a half an hour conversation, 10% of them disclosed to “the blonde face” personal sensitive information such as: address, phone number, mother’s and father’s name, etc — information usually used in recovery passwords questions. In addition to that, after a 2 hour conversation, 73% revealed what appears to be confidential information from their work place, such as future strategies, plans, and unreleased technologies/software.

A two-hour conversation with a fake profile. That’s impressive, but I still would like to see validation results. I mean, what percentage of those claiming to work in IT were verified to actually work in IT? Did they divulge real or fake information? When a study begins with the premise that people are easily fooled online, it would seem logical to proceed with caution and not believe everything a new contact might say.

Cracking Encrypted HDDs

Sprites mods has a very nice in-depth hardware security review of the Disk Genie hard drive. The first problem seems to be how easily the device’s enclosure is opened. The next failure comes from how it signals failed attempts to the attacker. Spoiler alert: here are the conclusions.

If you’re just a generic Joe Blow who wants to make sure your private pictures don’t get viewed by your colleagues or kids, you’re golden. The fact that there’s no way a software-only attack can get the pincode means that some hardware experience is needed to start hacking the device, and that will deter casual onlookers enough to make the device completely safe for curious neighbours or colleagues, even if they are smart enough to, for example, install a keylogger on your PC.

If you’re a business-person with actual info to hide, info that could financially benefit other parties… you can still use this, but make sure to pick a strong pincode. More than 11 digits should do, depending on how badly others want the data.

If you’re, say, the president of a nuclear country and want to use this to carry around the launch codes of your nukes, I wouldn’t recommend this device. While the thing is safe for a casual hacker like me, someone with money or the resources to de-cap chips can probably get to the data fairly easy: the PIC which contains the keys to the HD is not a secure device and when decapped under a microscope in a laboratory can probably be made to give up that key fairly easily.

Is that a qualified hint to the Pentagon or just an example?

Auditors catch E-waste fraud in CA

California Attorney General Jerry Brown has filed charges against an e-waste recycler’s executives:

In late 2008, CalRecycle auditors contacted investigators at the California Department of Toxic Substances Control after noticing discrepancies in the claims submitted by Tung Tai and the records kept by Golden State Records and Recycling, a company that collected and transferred materials to Tung Tai, Brown said in the release.

In July 2009, state agents searched the Tung Tai facility and discovered two separate sets of records, Brown said. Those records showed that Tung Tai had significantly inflated the pounds of recycled material it submitted for reimbursement to CalRecycle between January and September 2008, Brown’s office said.

Two separate sets of records? That is pretty bold.