Shmoocon Summary
Written by Dave Smith   
Thursday, 11 February 2010 21:01

We're back from Shmoocon 2010, with much learned. The nature of the threats to our security is a constantly changing dynamic, and the conferences are a great way to link up with great minds in the field to get a better understanding of that dynamic. It has always been my view that security is relative. A lock's purpose is not to keep something protected against any possible thief, but rather to slow the thief down and disrupt their cost/benefit ratios. The same applies in information security. There is no absolute security, but there are certainly precautions and behaviors that make you a harder target than the next guy.
P2P and social networks are two major risks to the average user when not properly used. For P2P, see George's article on the dangers of default sharing settings. For social networks, it is far too easy and too tempting to hit that "allow/accept" button for a person who wants to be your friend but whom you are not sure you know, or for the latest game that all of your friends are playing.

At the conference we heard about the dangers of both: pulling personal information from profiles that accept you, applications and games, and even social iPhone games that allow you to be tracked everywhere you go in the real world. The scary part is that these are the exploits we hear about, not the countless ones we haven't yet heard about.

We heard that Windows servers running certain web services, in an attempt to be helpful, will pass Windows filename pseudonyms (alternate spellings of the same file name) from a request straight through to the OS, so the file is opened under a name the server's rules never matched. This effectively bypasses access control, MIME-type mappings, and other protections.
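
As an added example (not code from this article or from the talk it summarizes), here is a request filter that keys its access rule on the name Windows would actually open rather than on the literal text the client sent. The pseudonym forms it handles (8.3 short names, trailing dots and spaces, NTFS stream suffixes), the protected-extension list, and the sample requests are my assumptions.

```python
import re

# Pseudonym forms this filter normalizes (assumption: 8.3 short names such as
# SECRET~1.ASP, trailing dots/spaces that NTFS strips, and NTFS stream suffixes
# such as page.asp::$DATA). Constructed illustration, not any server's filter.
SHORT_NAME = re.compile(r"~\d+(\.|$)")
STREAM_SUFFIX = re.compile(r":.*$")
PROTECTED = {".asp", ".config"}  # extensions the access rule is meant to cover

def basename(path):
    """Last path component; Windows accepts both separators."""
    return re.split(r"[\\/]", path)[-1]

def extension_of(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""

def literal_extension(path):
    """Extension as a naive filter reads it: the literal request text."""
    return extension_of(basename(path))

def canonical_extension(path):
    """Extension of the file the OS will actually open: stream suffix and
    trailing dots/spaces removed first."""
    name = STREAM_SUFFIX.sub("", basename(path)).rstrip(". ")
    return extension_of(name)

def is_pseudonym(path):
    """True when the request spells the name in a non-canonical way."""
    name = basename(path)
    return (name != name.rstrip(". ")
            or SHORT_NAME.search(name) is not None
            or STREAM_SUFFIX.search(name) is not None)

def naive_decide(path):
    """Rule keyed on the literal extension; this is the kind of check a
    pseudonym slips past, since the OS still opens the .asp file."""
    return "deny" if literal_extension(path) in PROTECTED else "allow"

def decide(path):
    """Hardened rule: refuse pseudonym spellings outright, and apply the
    extension rule to the canonical name the OS would resolve."""
    if is_pseudonym(path):
        return "deny: non-canonical filename"
    if canonical_extension(path) in PROTECTED:
        return "deny: protected extension"
    return "allow"

if __name__ == "__main__":
    for req in ("/web/secret.asp", "/web/secret.asp.", "/web/SECRET~1.ASP",
                "/web/page.asp::$DATA", "/web/index.html"):
        print(f"{req:24} naive={naive_decide(req):6} hardened={decide(req)}")
```

Running it shows the naive rule allowing `secret.asp.` and `page.asp::$DATA` while the hardened rule refuses every non-canonical spelling.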
We heard that it's not just the bugs and vulnerabilities of an application that make it dangerous; sometimes the application's features themselves are the biggest threat. Features designed without fully understanding their impact on the security of the application, its data, or its users open new vectors of attack.

So how do you protect yourself against vulnerabilities that cannot be patched?

The basics cannot be stressed enough.

P2P networks

George summed it up pretty well in his article. Also see the article in CSO Online about the talk from Shmoocon.

Social Networks

For all your social networking activities, be very careful who you share your information with. Do not friend people you do not know if you plan on sharing personal information, photos, etc.

Security vendor Sophos did a study a couple of years ago on users and identity information. For the study they created a fictitious Facebook profile with the profile picture of a plastic frog and requested 200 users to friend them. 87 friended the plastic frog, many of whom exposed personal information such as birthdate, address, phone numbers and employment/education histories.

Unfortunately it's not just about vetting your friends. Applications and games can access your profile information, and not all developers are angels. Many game developers' revenues are based on getting you to click on ads, give your personal information to survey and marketing firms, etc. And some are more malicious than that.

Also see our article on basic computer security for more information on the dangers of social networks.

Location Based Games and Services

I think this one should be fairly obvious. If you play a location-based game on your iPhone or other smart/connected device, you are handing over your real-time location to people you have not met. The implications of this were made very clear in a Shmoocon talk where users' daily lives could be seen mapped out as data in Google Earth.

For the Admins

It is very, very important to stay on top of current attack trends. As the Windows file pseudonym vulnerabilities discussed at Shmoocon this year show, the attacks do not have to be extremely high tech, and the exploited vulnerability does not have to be a brand-new bug. Some of our biggest vulnerabilities are bugs that have existed since the beginning of an application or platform. Keeping on top of patches is not enough. Knowing how to quickly detect and respond to the very latest threats requires knowing about and understanding those threats. Be active in the community.

Security takes all of us.

Last Updated on Saturday, 13 February 2010 20:12