Quotulatiousness

May 4, 2010

Spear phishing (test) attack on US Air Force

Filed under: Military, Technology — Nicholas @ 07:43

I’d heard the term “phishing” before, and I’ve reported at least a dozen various attempts to the appropriate parties (companies and organizations who are used in phishing attempts often have a reporting address set up so you can just forward the message to them). “Spear phishing” was new to me, and apparently it was also new to a large number of US Air Force personnel:

Offers to hire American airmen, stationed at an airbase on the Central Pacific island of Guam, as extras in the Transformers 3 movie, turned out to be an unexpectedly scary training exercise. First, keep in mind that there is no Transformers 3 filming scheduled for Guam. The email was a fake, used to test how well airmen could detect a hacker’s attempts to deceive military Internet users to give up valuable information.

The Transformers 3 email was a test to see how many airmen would fall for a “spear phishing” offensive. “Phishing” (pronounced “fishing”) is when a hacker sends out thousands, or millions, of emails that look like warnings from banks, eBay or PayPal, asking for you to log in (thus revealing your password to the hackers, who have set up a false website for this purpose) to take care of some administrative matter. The hacker then uses your password to loot your account. “Spear phishing” is when the emails are prepared with specific individuals in mind. The purpose here is to get specific information from, say, a bank manager, or someone known to be working on a secret project. In the Guam case, the targets of the spear phishing test were asked to go to a web site and fill out an application form to be eligible to be an extra. That form asked for information that would have enabled hostile hackers to gain more access to air force networks. A lot of the airmen who received the Transformers 3 email responded. The air force won’t say how many, but it was more than expected. A lot more.

I doubt that many readers need to be told this, but no legitimate bank or financial institution should ever be sending you an email requesting you to follow an embedded link and log in to your account. If you get such an email, forward it to the bank’s security folks. If it’s legitimate, they can confirm it for you, but in 2010, no sensible bank should be communicating with you in this way.

March 4, 2010

Canadian air travel now to be subject to US oversight

Filed under: Bureaucracy, Cancon, Liberty, USA — Nicholas @ 07:11

I’d always suspected that the close co-operation between Canadian and US officials meant that even theoretically domestic flights might be scrutinized by the other country, but now it’s official policy:

Starting in December, passengers on Canadian airlines flying to, from or even over the United States without ever landing there, will only be allowed to board the aircraft once the U.S. Department of Homeland Security has determined they are not terrorists.

Secure Flight, the newest weapon in the U.S. war on terrorism, gives the United States unprecedented power about who can board planes that fly over U.S. airspace — even if the flights originate and land in Canada.

The program, which is set to take effect globally in December 2010, was created as part of the Intelligence Reform and Terrorism Prevention Act, adopted by U.S. Congress in 2004.

Parliament never adopted or even discussed the Secure Flight program — even though Secure Flight transfers the authority of screening passengers, and their personal information, from domestic airlines to the U.S. Department of Homeland Security.

January 21, 2010

And yet more on passwords

Filed under: Technology — Nicholas @ 13:11

This is becoming a quarterly topic around here. Imperva has done some statistical analysis of the 32 million passwords which were exposed in the Rockyou.com security breach:

Key findings of the study include:

* The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as “brute force attacks.”

* Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is “123456”.

* Recommendations for users and administrators for choosing strong passwords.

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” explained Imperva’s CTO Amichai Shulman.

The report identifies the most commonly used passwords:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

So there you go — all the tools you need to be a world-class password cracker.

January 2, 2010

This isn’t the way it was supposed to go

Filed under: Bureaucracy, Government, USA — Nicholas @ 13:39

Over at Ace of Spades HQ, “Purple Avenger” tries to decipher the inscrutable Obama administration policy on information classification:

Here’s what I’ve found so far that I’m 100% sure of:

There’s a 10 year “default” on declassifying classified info unless a longer time frame was specified and justified.

Unclassified information may BECOME classified upon submission of a FOIA request for it . . . thus allowing for a public veneer of openness while reserving the right to clam up if said openness should prove inconvenient when someone actually learns of a document’s existence and has the nerve to request it.

It’s a very lengthy and tortuously worded EO and people will be analyzing its ramifications for quite a while I suspect. I don’t imagine the professional intelligence community is terribly happy about the Byzantine procedures outlined here. Their jobs just got a lot harder.

December 18, 2009

More on passwords

Filed under: Technology — Nicholas @ 08:58

The Economist’s Tech.view correspondent confesses to password laxity:

He admits to flouting the advice of security experts: his failings include using essentially the same logon and password for many similar sites, relying on easily remembered words—and, heaven forbid, writing them down on scraps of paper. So his new year’s resolution is to set up a proper software vault for the various passwords and ditch the dog-eared list.

Your correspondent’s one consolation is that he is not alone in using easily crackable words for most of his passwords. Indeed, the majority of online users have an understandable aversion to strong, but hard-to-remember, passwords. The most popular passwords in Britain are “123” followed by “password”. At least people in America have learned to combine letters and numbers. Their most popular ones are “password1” followed by “abc123”.

I’ve written some carefully considered advice on passwords, which is still as valid today as it was in those dark, distant days of October.

November 27, 2009

A cure for complacency

Filed under: Technology — Nicholas @ 08:47

John P. Avlon wants to shake your complacent attitude to the threats to everyday life:

First your cell phone doesn’t work. Then you notice that you can’t access the Internet. Down on the street, ATMs won’t dispense money. Traffic lights don’t function, and calls to 911 don’t get routed to emergency responders. Radios report that systems controlling dams, railroads, and nuclear power plants have been remotely infiltrated and compromised. The air-traffic control system shuts down, leaving thousands of passengers stranded or rerouted and unable to communicate with loved ones. This is followed by a blackout that lasts not hours but days and even weeks. Our digital civilization shudders to a halt. When we emerge, millions of Americans’ data are missing, along with billions of dollars.

This scenario may sound like the latest doomsday blockbuster to come out of Hollywood. But each of the elements described above has occurred over the past decade as the result of a cyber-attack. Cyber-attacks are an accelerating threat, still without generally accepted terminology, effective deterrents, or comprehensive legal remedies. They are weapons of mass disruption, used by adversaries cloaked in anonymity, that could prove at least temporarily crippling to the digital infrastructure of modern society. This kind of attack is attractive to America’s enemies, not only because it allows weaker entities to take on far stronger ones but because it turns our technological strength into a weakness.

November 8, 2009

Aussie iPhone owners rickrolled

Filed under: Australia, Technology — Nicholas @ 18:56

The horror, the horror:

The attacks, which researchers say are the world’s first iPhone worm in the wild, target jailbroken iPhones that have SSH software installed and keep Apple’s default root password of “alpine.” In addition to showing a well-coiffed picture of Astley, the new wallpaper displays the message “ikee is never going to give you up,” a play on Astley’s saccharine addled 1987 hit “Never Gonna Give You Up.”

Tricking victims into inadvertently playing the song has become a popular prank known as Rickrolling.

A review of some of the source code shows that the malware, once installed, searches the mobile phone network for other vulnerable iPhones and when it finds one, copies itself to them using the default password and SSH, a Unix application also known as secure shell. People posting to this thread on Australian discussion forum Whirlpool first reported being hit on Friday.

October 23, 2009

WordPress plugins to consider

Filed under: Technology — Nicholas @ 12:27

Charles Arthur looks at a few recommended plugins for WordPress blogs:

First, there’s been another upgrade to WordPress (it’s now at 2.8.5). The WordPress blog describes it as a “hardening release”.

Much more important, in my view, is the release of the WordPress Exploit Scanner plugin. Plugins are little extensions to WordPress; and Exploit Scanner is probably the next one you should install. (The first you should install, in my opinion, is Dr Dave’s Spam Karma 2 – which weeds out spam comments more effectively than anything I’ve ever seen, and is specific to your blog.)

The Exploit Scanner does a number of things: it compares your files against an MD5 hash of the WordPress files for whatever version of installation you’re running; it finds examples of suspicious code in your files – three principal ones being the use of “invisible” text through CSS; the use of iframes to embed code from other sites; and base 64 encoding, which can be used to obfuscate entire programs. It will also look through your posts and users to see if there’s anything suspicious or spammy about them.
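The two checks described in the excerpt above (hash comparison against a known-good release, then pattern matching for hidden CSS, iframes and base64) can be sketched as follows. This is an added example, not the Exploit Scanner plugin's code and not part of the quoted article; the regexes, finding names, file names and sample contents are all assumptions constructed for illustration.

```python
import base64
import hashlib
import re

# Heuristics for the three patterns the article lists. These regexes are
# assumptions made for this example, not the plugin's real signatures.
SUSPICIOUS = {
    "hidden-css": re.compile(rb"display\s*:\s*none|visibility\s*:\s*hidden", re.I),
    "iframe": re.compile(rb"<iframe\b", re.I),
    "base64": re.compile(rb"base64_decode\s*\(|[A-Za-z0-9+/]{80,}={0,2}", re.I),
}

def scan(files, known_md5):
    """Return {path: [findings]} for every file that fails a check.

    files:     {relative path: file content as bytes}
    known_md5: {relative path: hex MD5 of the pristine release file}
    """
    report = {}
    for path, data in sorted(files.items()):
        findings = []
        expected = known_md5.get(path)
        if expected is None:
            findings.append("unknown-file")   # not shipped with the release
        elif hashlib.md5(data).hexdigest() != expected:
            findings.append("md5-mismatch")   # shipped file was modified
        findings += [name for name, rx in SUSPICIOUS.items() if rx.search(data)]
        if findings:
            report[path] = findings
    return report

# Constructed sample data: a tiny "pristine" tree and a tampered copy of it.
PRISTINE = {
    "index.php": b"<?php require('wp-blog-header.php');\n",
    "footer.php": b"<div id='footer'>Powered by WordPress</div>\n",
}
KNOWN_MD5 = {p: hashlib.md5(d).hexdigest() for p, d in PRISTINE.items()}
PAYLOAD = base64.b64encode(b"echo 'constructed placeholder';")
TAMPERED = dict(PRISTINE)
TAMPERED["footer.php"] += b"<div style='display:none'><a href='#'>spam</a></div>\n"
TAMPERED["cache.php"] = b"<?php eval(base64_decode('" + PAYLOAD + b"'));\n"

if __name__ == "__main__":
    for path, findings in scan(TAMPERED, KNOWN_MD5).items():
        print(path, findings)
```

Pattern hits are only leads for manual review: legitimate themes use `display:none` and iframes too, which is why the hash comparison against the release files is the stronger signal.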

October 10, 2009

Passwords and the average user

Filed under: Humour, Technology — Nicholas @ 11:22

In this day of widely publicized panic about online security, it’s time we revisited the basics of password security. I’m sure that none of you reading this would ever have a less-than-ironclad routine for all your online activities:

  1. Never ever use the same password on multiple sites. Once they’ve grabbed your login for the MyLittlePony site, they’re into your bank account . . . or worse, your MyLittlePonyDoesDallas account.
  2. Always use the maximum number of characters allowed . . . I know it’s a pain when a site allows 1024 characters, but your online security is paramount. I believe most health insurance now covers carpal tunnel treatment, so you’re golden.
  3. Never include any word — in any human language — embedded within your password: this includes all the words in the Scrabble® dictionary for every known language. Can’t assume that the black hats speak English, y’know.
  4. Always use both capital and lower-case letters and include at least a single digit and a non-letter character in every password.
  5. Note: Don’t try to be clever and use 1337speak. The folks trying to crack your password all post on 4chan: you’re giving them a head-start. They dream in 1337.

  6. Change your password regularly. Daily, if necessary. Even hourly if you share a computer with others.
  7. Never, ever write your password down. That’s the first thing they’ll look for when they break down your door and trash your crib.
  8. Never, ever re-use a password. Don’t pretend you haven’t done this one. We all used to do it, until site admins started checking that you hadn’t re-used an old password.

Of course, even the professionals don’t do all of this. Some of ’em don’t do any of it. Do like the pros do: set all your passwords to “passw0rd”. Nobody ever guesses that.

For actual password advice that might be helpful, you can try this post on the Gmail Blog.

August 6, 2009

Twitter under DOS attack

Filed under: Americas, Technology — Nicholas @ 13:58

Twitter users have been unable to access the site for most of Thursday morning, due to a Denial-of-Service (DOS) attack:

The extended silence in a normally noisy Twitterworld began around 9 a.m. Twitter later posted a note to its status update page saying the site had been slowed to a standstill by an attack.

In a denial-of-service attack, hackers typically direct a “botnet,” often made up of thousands of malware-infected home PCs, toward a target site in an effort to flood it with junk traffic. With the site overwhelmed, legitimate visitors cannot access the service.

“On this otherwise happy Thursday morning, Twitter is the target of a denial-of-service attack. Attacks such as this are malicious efforts orchestrated to disrupt and make unavailable services such as online banks, credit card payment gateways, and in this case, Twitter for intended customers or users,” co-founder Biz Stone said in a blog post. “We are defending against this attack now and will continue to update our status blog as we continue to defend and later investigate.”

Update: Service is back, intermittently. More background on the attack here.

July 30, 2009

Latest threat to world civilization

Filed under: Technology — Nicholas @ 07:25

OMG! Everybody panic!

It’s bad enough that the iPhone can, according to Apple itself, be used to crash cell towers, but apparently they can be very easily hijacked, too:

If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.

That small cipher will likely be your only warning that someone has taken advantage of a bug that Miller and his fellow cybersecurity researcher Collin Mulliner plan to publicize Thursday at the Black Hat cybersecurity conference in Las Vegas. Using a flaw they’ve found in the iPhone’s handling of text messages, the researchers say they’ll demonstrate how to send a series of mostly invisible SMS bursts that can give a hacker complete power over any of the smart phone’s functions. That includes dialing the phone, visiting Web sites, turning on the device’s camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking.

The researchers say they’ve notified Apple about the vulnerability, but that Apple had not provided a fix.

Everybody sing: “It’s the end of the world as we know it, it’s the end of the world as we know it . . .”

Update, 31 July: Apple has announced that it will be releasing a fix to this problem on August 1st.

Update, the second, 31 July: The folks on the Apple-iPhone mailing list say the fix has escaped and is now available through iTunes. I’ll be downloading the update as soon as I get home . . .
