Jan 12, 2013

The SANS Institute is one of the preeminent firms in Internet security. I subscribe to their security-related mailing lists for all the obvious reasons, and I also receive their print course catalog on a regular basis.

I was flipping through the pages of the latest when I came across this gem (which should really belong among Jay Leno’s Headlines, assuming viewers of The Tonight Show could actually tell the difference between Unix and Windows):

[Image: winlin]

Which leaves me wondering if SANS really can’t tell the difference between the two operating systems. (They probably can.) Or perhaps it’s the US Navy that cannot? (I doubt it.) Or perhaps the real problem, apart from careless proofreading, is that these security training courses have become rigid and mechanical, predictable even, which is precisely why hackers seem to have so little trouble penetrating even military networks?

Posted at 10:57 am

Dec 11, 2012

[Image: fbspam]

Thank you, Facebook. Now I am getting garbage that is apparently coming from some of my Facebook friends, all because (no doubt in your eagerness to please your corporate sponsors and push your sinking share price up a little) you happened to leave open a gaping security hole allowing spammers to “scrape” friend lists and e-mail addresses.

Worse yet, it is possible that the same spammers are sending garbage to others in my name. And while I may know not to click on an unsolicited link even if it appears to come from a good friend, colleague, or close relative, others may not be so cautious.

One of these days, I’ll find myself a spammer and slowly strangle him.

Posted at 10:23 pm

Nov 15, 2012

The sordid saga around the resignation of Gen. Petraeus continues. It became such a tangled story, Gawker.com actually published a flowchart to make it easier to decipher.

Meanwhile, however, The Guardian raises some very troubling points:

  • In response to Ms. Kelley’s initial complaint about a vaguely offensive e-mail, the FBI devoted substantial resources and engaged in highly invasive surveillance for no reason other than to do a personal favor for a friend of an agent;
  • Without any evidence of an actual crime, and without a search warrant, they gained access to Ms. Broadwell’s e-mail account;
  • Again, without any evidence of any actual wrongdoing, they also got their hands on e-mails exchanged not only between Ms. Broadwell and Gen. Petraeus but also between her and Gen. Allen.

The Guardian comments about the “sweet justice” aspect of all of this: namely that America’s security surveillance system that is running amok is targeting the very people in charge of that system, such as the head of the CIA. However, I do not share their implied optimism; I don’t think the growth in surveillance will stop anytime soon. We are nowhere near close to anything like the McCarthy era’s pivotal “have you no sense of decency?” moment. For that, a lot more good people will have to be harmed a lot more gravely first.

Posted at 10:13 am

Oct 22, 2012

Think of an essential part of your life. Now imagine relinquishing control over it to others, people you don’t know, people who may in fact be in different countries, providing a service on an industrial scale. Most of the time they do an admirable job; but when they make a mistake you and many others suffer, possibly with life-altering consequences.

No, I am not describing cloud computing. I could have, but I was actually thinking about manufactured foods. When you buy a bag of snacks at a supermarket, for instance. The materials used to manufacture that food come from all four corners of the world. Some are organic in origin, often waste products from the processing of hundreds of animals or tons of vegetables. Others are manufactured at chemical plants, e.g., from petroleum. And when the controls fail; when an unscrupulous manufacturer in China, for instance, introduces an unapproved substitute to boost the measured protein content of a manufactured ingredient, people or pets suffer, even die.

But what I am really struck by are these similarities between cloud computing and “eating from the cloud”: that for the sake of convenience and easy access we willingly relinquish control over something essential, and that we generally trust society to such an extent that we are not the least bit worried when a private e-mail with an intimate personal photograph travels halfway around the world before arriving in our Inbox (which itself may be physically located in another country, perhaps on another continent); or when we put bits of food in our mouths without the slightest worry about the origin of its ingredients produced in distant lands by people we will never get a chance to know.

Posted at 8:27 am

Sep 07, 2012

So recently, I got a nice new phone, a Samsung Galaxy S II.

When I set it up, I realized that Samsung chose to replace the built-in Google e-mail application with their own. This was a bit of a disappointment as the Samsung version seemed a tad less flexible and less configurable than the (also pedestrian) Google program, so I opted for the open-source K-9 Mail instead, which works very well indeed.

Today, I noticed that all of a sudden, my server is showing IMAP logins using my user ID from a strange IP address, occurring like clockwork, every five minutes. The IP address belongs to Samsung in Germany, Frankfurt to be precise. This was odd because my phone was actually connected to my home Wi-Fi, so there was no reason for it to go through a distant proxy server. Suspecting that something was afoot, I turned the phone off. The IMAP logins from the German IP address continued.

At this point, I immediately changed all relevant passwords. The login attempts (no longer successful) continued for a while, then stopped.
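A detection check of the kind that would have surfaced these logins automatically, written here as an added example and not code from the original post: it parses constructed Dovecot-style imap-login lines (the user name, the IP addresses, the trusted home network and the log year are all assumed) and reports source addresses outside the trusted network that log in at a near-constant interval, the signature of a background client polling with the user's credentials.

```python
import re
import statistics
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of Dovecot-style "imap-login" lines (not a real server log):
# 192.168.1.23 stands for the phone on the home LAN, 203.0.113.5 for an unknown host.
SAMPLE_LOG = """\
Sep  7 18:00:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.168.1.23, lip=192.168.1.2, TLS
Sep  7 18:01:10 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.168.1.2, TLS
Sep  7 18:06:11 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.168.1.2, TLS
Sep  7 18:11:09 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.168.1.2, TLS
Sep  7 18:14:40 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.168.1.23, lip=192.168.1.2, TLS
Sep  7 18:16:10 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.168.1.2, TLS
"""

TRUSTED_NETS = [ip_network("192.168.1.0/24")]  # assumed: the owner's home LAN
ASSUMED_YEAR = 2012  # syslog timestamps carry no year
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*imap-login: Login: "
    r"user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

def parse_logins(text):
    """Return (timestamp, user, remote_ip) for each successful IMAP login line."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            logins.append((ts, m["user"], ip_address(m["rip"])))
    return logins

def flag_untrusted_periodic(logins, trusted=TRUSTED_NETS, min_hits=3, jitter=30):
    """Find (user, ip) pairs outside the trusted networks whose logins recur at a
    near-constant interval. Returns {(user, ip): {"count": n, "interval_s": median}}."""
    by_source = {}
    for ts, user, ip in logins:
        if any(ip in net for net in trusted):
            continue  # the owner's own devices are expected here
        by_source.setdefault((user, str(ip)), []).append(ts)
    findings = {}
    for key, stamps in by_source.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if all(abs(g - median) <= jitter for g in gaps):  # steady cadence, not a human
            findings[key] = {"count": len(stamps), "interval_s": median}
    return findings

if __name__ == "__main__":
    for (user, ip), info in flag_untrusted_periodic(parse_logins(SAMPLE_LOG)).items():
        print(f"{user}: {info['count']} logins from {ip}, roughly every {info['interval_s']:.0f}s")
```

Run against a live mail log, the same check would also catch a legitimate second device, so the trusted-network list is what turns it from a curiosity into an alert.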

But what was this? A bit of research showed that the IP addresses are characteristic of Samsung’s “Social Hub” program. Apparently when I entered my login credentials using the Samsung version of the basic e-mail app, it passed on that information to Samsung’s Social Hub servers. So without my knowledge and my approval, my password to my personal account on my Linux server was sent to, and stored on, a server in a foreign country. (And no, I don’t want to hear that I actually gave my approval by clicking the Accept button on a 50-paragraph unreadable user agreement when I started using my phone. This kind of potential security breach must require up-front notification of the user and explicit approval.)

I have since kind of confirmed it by noting that Social Hub indeed shows my e-mail account as being registered, even though I deleted my login credentials days ago from the Samsung e-mail app proper. Worse yet, it seems impossible to delete this account from Social Hub; when I try, I just get a “Loading…” screen that stays on forever.

I still like this phone, but my opinion of Samsung just sank several notches all at once. A high technology company should be much more conscious of its users’ security needs and much more proactive in protecting them. Indeed it leaves me wondering if, perhaps, it might have been possible for a smart hacker to use social engineering and trick Samsung into revealing this information… which Samsung should never have obtained without my explicit permission in the first place.

Posted at 9:37 pm

Jun 30, 2012

Last year, many people debated whether or not the Iranians had the wherewithal to hijack that US military drone which they were so proudly displaying afterwards.

Well, wonder no more. Apparently a team from the University of Texas at Austin showed how it can be done using equipment that cost no more than a thousand bucks.

OK, you say, but this drone was using the non-encrypted civilian GPS signal. True… except that if you simply jam the encrypted signal, many military drones fall back (or at least, used to fall back) to using the civilian signal. (As designed, the encryption was primarily about preventing an adversary from using the high accuracy military GPS signal, not about preventing spoofing.)

Posted at 1:49 pm

Jan 18, 2012

Here is Google’s way of protesting proposed copyright legislation: black out the company logo and direct users who click on it to a protest page.

And then here is Wikipedia’s form of protest: black out the entire site. Never mind that the people you are most likely to hurt are your friends, and the people who are the least affected are your opponents. Why not be vindictive about it, if you can?

Indeed, while you are at it, why not black out Wikipedia even for non-US users, just for good measure, despite the fact that there is very little they can do that would affect the decisions of the US Congress.

Fortunately, the blackout is easily circumvented.

Nonetheless, doing what Google did would have been just as effective, and far less harmful both to Wikipedia’s reputation and to users who rely on its services every day. Unfortunately, radical activism prevailed over common sense: the difference between public protest and sabotage was forgotten. This is what dooms revolutions: they may be started by idealists and poets but ultimately, it is characters like Boris Pasternak’s Strelnikov in Doctor Zhivago, who set the tone.

Posted at 1:11 pm

Jan 15, 2012

Meet the father of all hackers: Nevil Maskelyne.

In 1903, this gentleman gained notoriety by hacking into Guglielmo Marconi’s purportedly long-distance secure wireless telegraph, causing it to tap out unflattering messages about Marconi minutes before it was to be demonstrated at the Royal Institution. Maskelyne was a disgruntled competitor, his business suffocated by Marconi’s overly broad patents, but he justified his actions claiming that it was in the public interest to expose the flaws of Marconi’s system.

If his name sounds familiar, by the way, it’s perhaps because of his famous namesake, Nevil Maskelyne, the Astronomer Royal who a century and a half earlier was the cause of so much frustration to John Harrison, creator of the marine chronometer.

Posted at 1:15 pm

Nov 24, 2011

2012 is supposed to be the year when the world comes to an end, courtesy of a stray planet or something. No, this is not something that I worry about, not the least bit.

Yet the world as we know it may still come to an end of sorts. Here are some of the things I do worry about:

  1. Germany is having trouble raising cash. This alarming news may mark the beginning of the end for the Euro, triggering a massive worldwide depression.
  2. A collapse of the Eurozone may trigger a collapse of the Chinese economic bubble. The consequences of an economic depression in China are unimaginable.
  3. Recently, a successful SCADA attack on a water plant in the US was confirmed. Perhaps in 2012 we shall see the first large scale SCADA attack on some essential infrastructure in the United States or Western Europe. How Western governments might respond is anyone’s guess.
  4. Israel may actually commit an act of utmost self-destructive stupidity and attack Iran.

Thankfully, there is one item that I can strike out from my list: it seems increasingly unlikely that one of the tea party fundamentalists would win the Republican nomination in the United States and go on to defeat Barack Obama. Obama may end up a one-term president, but if he is defeated by a Gingrich or a Romney, I’d know that at the very least, an adult remains in charge of the White House.

Posted at 5:14 am

Nov 15, 2011

This comic, from xkcd.com, would be funny if it weren’t so darn frightening:

The original caption, which also appears as hover-over text, reads: “I hear in some places, you need one form of ID to buy a gun, but two to pay for it by check. It’s interesting who has what incentives to care about what mistakes.”

Posted at 2:02 pm

Oct 11, 2011

Yesterday, I watched Terminator Salvation, the latest movie in the Terminator franchise.

Today, I am reading in the news about an attempt to reconstruct visual images from MRI brain scans.

I am also reading about US military drones hacked by a virus of unknown origin and purpose.

All of which makes me wonder just how close we are actually to the kind of dystopian future depicted by the Terminator movies.

Posted at 8:08 pm

Aug 17, 2011

I am not usually in the business of recommending software or hardware products, and it’s certainly not something anyone pays me to do… but recently, I began using two products, both of which have exceptional value, even though one came free of charge and the other cost only 150 dollars.

The free product is Secunia’s Personal Software Inspector (PSI), a software application that turned from something I never heard about into something I cannot live without virtually overnight. It is an application that keeps tabs on all the software installed on your computer and lets you know if any of them are out of date and require updates. Like antivirus software, PSI sits quietly in the background most of the time, but it pops up an unobtrusive warning whenever a new update becomes available, and even offers a direct link to the manufacturer’s download site. It is nice, incredibly useful, it recognizes hundreds of installed applications, and, well, it works as it is supposed to and doesn’t cost a penny.

The product I paid money for is a Cisco RV042 small business router. It does what small business routers do, connects your internal network to an external (DSL, cable, etc.) Internet connection. What makes it special is that it allows your internal network to be connected to two external connections at the same time, and it performs dynamic load balancing and failover functions between the two. I have now set up my network architecture to take full advantage of it… and in the coming days, it will be working overtime, as I am planning a major change to my DSL service which will likely involve some unpredictable downtime. The router has other useful functions, too, not the least of which is that it can act as a VPN server, allowing a remote computer to connect to the internal network. The best part is that, like Secunia’s software, it simply works as advertised.

Posted at 8:47 pm

Jul 08, 2011

Today, I received a phone call from 1-510-943-3040.

A gentleman with an Asian accent informed me that he is from the MS Windows Service Department (or whatever) and that in the last 30 days, they received repeat warnings from my computer about some malware attack.

I played along for a minute or two… but when the gentleman asked me to turn on my computer, I just couldn’t any longer. Still holding back my anger, I first explained to him that right now I am staring at a bookshelf containing a number of books I wrote about C++ and Windows programming; that I’ve been a computer professional since the 1970s (true, I received my first professional contract at the tender age of 16 in 1979)… and then, in language more rude I am afraid, I also told him that they are nothing but crooks and criminals, and that he should get off my f…ing phone.

The insolence!

Posted at 9:45 pm

Jun 02, 2011

Although the Chinese are protesting loudly, too loudly perhaps, I have no reason to question the credibility of Google’s claim that recent attacks targeted at high-profile Gmail accounts were, in fact, coming from China. As a matter of fact, I can confirm from my own experience that a clear majority of automated ‘bot attacks intercepted by my server originate from Chinese IP addresses (here is a recent small sample of 14 attempts: 5 came from China, 2 from the US, 1 each from Japan, Bulgaria, Thailand, Ecuador, Poland, Singapore and Brazil; a previous data set of 15 attempts included 6 from China and 1 from Hong Kong). Which is why I thought it was high time for the Pentagon to declare publicly that hacking can constitute an act of war.

Posted at 1:08 pm

Feb 15, 2011

Here’s a useful unit of measure that I just found out about, thanks to Bruce Schneier’s security blog: it’s called a micromort, a one-in-a-million probability of death. Curiously, according to Wikipedia, your chances of dying on a train due to an accident are the same as your chances of dying due to cosmic radiation received while flying on a jet: 1 micromort every six thousand miles.

Posted at 3:22 pm

Jan 25, 2011

The other day, I saw a report on the CBC about increasingly sophisticated methods thieves use to steal credit and bank card numbers. They showed, for instance, how a thief can easily grab a store card reader when the clerk is not looking, replacing it with a modified reader that steals card numbers and PIN codes.

That such thefts can happen in the first place, however, I attribute to the criminal negligence of the financial institutions involved. There is no question about it, when it’s important to a corporation, they certainly find ways to implement cryptographically secure methods to deny access by unauthorized equipment. Such technology has been in use by cable companies for many years already, making it very difficult to use unauthorized equipment to view cable TV. So how hard can it be to incorporate strong cryptographic authentication into bank card reader terminals, and why do banks not do it?

The other topic of the report was the use of insecure (they didn’t call it insecure but that’s what it is) RFID technology on some newer credit cards, the information from which can be stolen in a split second by a thief that just stands or sits next to you in a crowded mall. The use of such technology on supposedly “secure” new electronic credit cards is both incomprehensible and inexcusable. But, I am sure the technical consultant who recommended this technology to the banks in some bloated report full of flowery prose and multisyllable jargon received a nice paycheck.

Posted at 1:39 pm

May 16, 2010

Recently, news has been circulating about a new form of phishing attack that doesn’t rely on some unpatched vulnerability; rather, it uses a legitimate feature of Adobe Acrobat to hijack users’ computers.

Sophos Labs offer a detailed description of how it works. (Basically, it’s the ability of Acrobat to open non-PDF attachments that is abused, tricking a user into running an executable program.) They also offer advice on how to disable this feature. I think it’s a darn good idea to follow their suggestion: most of us never deal with PDF documents containing non-PDF attachments anyhow.

Posted at 2:21 am