Posts tagged ‘Security’

April 29, 2011

Hubris

As more and more details come out about this week’s security breakdown at Sony, one thing is becoming clear:  even if you think you’re safe, add a couple more security layers.  Because you are not safe.

According to the New York Times, the hackers made off with a database that included customer names, addresses, usernames, passwords and as many as 2.2 million credit card numbers.  Reuters is running a story that covers the number of class action lawsuits being filed on account of the breach.  The price Sony could eventually pay out in time, legal fees and lawyer costs is on the clock.

Why? 

VentureBeat tracked down George Hotz, aka “GeoHot”, who recently settled a lawsuit with the company over hacking into the PlayStation 3’s hardware. While Sony may consider him public enemy number one, Hotz replies that he had nothing to do with the attack.  Considering the fact that he recently settled with Sony rather than go through years of legal wrangling (plus the fact that Hotz’s main gig is hardware hacking, not database cracking), it would tend to exclude him from the lineup.  But his reaction sums up what is going on nicely:

“The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.”

And therein lies the point.   Companies feel it is easier to hire another lawyer than to fix the problem.  That the threat of lawsuits is a deterrent to hackers.  It isn’t.  You have a database with the names of customers and their credit card numbers.  Threatening legal action with a room full of empty suits doesn’t matter, especially when the chance of catching the bad guys is slim.

As Hotz points out, engaging the hacker community may be the best option.  Hackers are, for the most part, highly intelligent and creative people who are usually more than happy to point out the failures of your system. Make it a once-a-year game – give the money you would pay an overpriced lawyer to write nasty letters to the first person who can crack your system and show you where to fix it.  Admit you don’t have all the answers.

After this fiasco, it might even be seen as a huge cost savings.

April 6, 2011

Epsilon Data Fail

Last week I received a message from my usual grocery store. I have an affiliation card with them, you know, one that allows you a few cents off products in return for them getting information from you concerning your buying habits. The message was letting me know that it was possible that my email address had been taken from them. An e-mail hack, I thought.  Great.  Something else to watch out for.  At least that was all it was, I thought.  Then came the same message from another affiliation card.  Then another card.  Then the bank that I have a credit card with.  Then the phone company.

That is when I started to be very concerned, which is a nice way of saying I was on the phone asking questions and trying to keep from yelling at the harried but polite voices on the other end of the line.  Apparently, I was not the only one. You see, I am part of what appears to be the largest breach of data in US history.  And now I am going to be watching my e-mail very carefully over the next few months, because I am now at a high risk for phishing and other scams.

OK, here are the particulars.  When a company gets your e-mail address as part of an affiliation card or customer account, they do not just sit on it.  They use it to contact you concerning any offers they have pending or any type of general information.  But they do not do this in-house.  They use an outside company to do that, like a company called Epsilon.  So if someone should hack into a company like Epsilon, they are able to get information about a lot of customers over a range of companies, not just about people who shop at Kroger, for instance. 

That is exactly what happened.  Epsilon, which provides marketing services via email to about 2,500 companies, put a warning on its website on Friday stating that its systems had been “exposed by an unauthorized entry” into its email system.  It is not yet known who perpetrated the attack, which US law enforcement agencies have begun investigating.

“The information that was obtained was limited to email addresses and/or customer names only,” Epsilon said in its statement. “A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.” Other information, such as passwords or credit card details, is not thought to have been exposed, but nevertheless, this is a huge hack.

How many people are affected?  Given the number and names of the companies that use Epsilon (Kroger, Marriott Rewards, US Bank, JPMorgan Chase, Capital One, Citi, Walgreens for starters), it could be millions.  And out of those millions, it only takes a handful of people to fall for a phishing expedition to make money for criminals.

What to do in the interim?  Double check your emails and do not just click on a link, especially if it claims to come from a company that is part of this breach.  You may also want to change your account e-mail for these companies to another address.  A pain in the neck, certainly, but it beats dealing with the aftermath of being scammed.
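The “don’t just click” advice above can be partly automated. The following is an added example written for this page, not code from the post or from Epsilon or any of the companies named: it pulls every link out of an HTML mail body and flags the two patterns a phishing mail built on a stolen customer list tends to use, a visible address that differs from the real destination, and a destination outside the sender’s own domain. The sample mail, the grocer domain `example-grocer.com` and the other hostnames are constructed for the demonstration; the two-label domain check is a deliberate simplification (no public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL; bare 'www.example.com/x' text is treated as http://."""
    target = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(target).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of the host: a rough stand-in for the registrable domain
    (no public-suffix list), adequate for .com/.net style names."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_links(html_body, sender_domain):
    """Return (href, visible text, reason) for every link that should not be clicked blindly."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    expected = registrable_domain(sender_domain.lower())
    findings = []
    for href, text in collector.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel:, in-page anchors: out of scope here
        href_domain = registrable_domain(host_of(href))
        # Rule 1: the visible text looks like an address but leads somewhere else.
        looks_like_address = "." in text and " " not in text
        if looks_like_address and registrable_domain(host_of(text)) != href_domain:
            findings.append((href, text, "visible address differs from real destination"))
            continue
        # Rule 2: the link leaves the domain the mail claims to come from.
        if href_domain != expected:
            findings.append((href, text, f"destination {href_domain} is not {expected}"))
    return findings


# Constructed sample: a "grocer" mail with one honest link and two that deserve a second look.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Manage your rewards at <a href="https://www.example-grocer.com/account">your account page</a>.</p>
<p>Security notice: confirm your details at
<a href="http://example-grocer.com.login-verify.example/reset">www.example-grocer.com/reset</a>.</p>
<p><a href="https://tracking.example.net/u?id=123">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, "example-grocer.com"):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the sample, it reports the disguised reset link and the off-domain unsubscribe link and passes the honest account link. The second finding is exactly the kind of third-party marketing host Epsilon itself would have been, which is why a real mail filter needs an allowlist of the sender’s known service providers on top of this check.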

March 29, 2011

The More You Know (And Shooting Star)

Take a few days away and all the things that happen…

First, in the land of law, Ars Technica reports that a former lobbyist for the RIAA has become a federal judge, ruling on, of all things, three mass file-sharing lawsuits.  But we should expect nothing but a clear-cut ruling, based entirely on the law.  Because conflicts of interest happen to other people.

However, if you feel the need to press the panic button, you can.  According to Reuters, some day soon, when pro-democracy campaigners have their cellphones confiscated by police, they’ll be able to hit the “panic button” — a special app that will both wipe out the phone’s address book and emit emergency alerts to other activists. 

In hacking news, MySQL.com was hacked over the weekend via a blind SQL injection. Hackers extracted usernames and password hashes from the site, which were subsequently posted to pastebin.com. Any easy-to-guess passwords could be recovered from this data using rainbow tables, which match dictionary passwords to their precomputed hash values.  This only points out that if it’s made by a person, a person can crack it.  Just remember that the next time someone tells you smugly that something cannot be hacked.
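Why a dump of password hashes is as good as a dump of passwords when the hashes are fast and unsalted, and what stops that, is easy to show in a few lines. This is an added example for this page, not code from the post or from the MySQL project, and it makes no claim about how MySQL.com actually stored its passwords. The dictionary, the user records and their passwords are constructed; the precomputed lookup table is a simplified stand-in for a rainbow table (same idea, work done once and reused against every leaked hash, without the chain compression a real table uses).

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; a real dictionary attack uses millions of entries.
DICTIONARY = ["password", "123456", "letmein", "qwerty", "mysql", "admin123"]


def unsalted_md5(password: str) -> str:
    """Fast, unsalted hash: the storage scheme that makes a leaked table cheap to reverse."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password for every dictionary word. Built once,
    the table answers any number of leaked hashes with a dictionary lookup."""
    return {unsalted_md5(w): w for w in words}


def recover_passwords(leaked_hashes, table):
    """Match leaked hashes against the precomputed table."""
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The per-user salt means no
    table computed in advance matches; the iteration count makes each guess slow.
    Stored as 'salthex$derivedkeyhex'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str, iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, stored)


def demo():
    # Constructed "leaked" user table: two dictionary passwords, one strong one.
    users = {"alice": "letmein", "bob": "qwerty", "carol": "T7#v!pQ2xL9z"}
    leaked = [unsalted_md5(p) for p in users.values()]
    table = build_lookup_table(DICTIONARY)
    recovered = recover_passwords(leaked, table)
    # The same passwords stored salted: the precomputed table matches nothing.
    salted_store = {u: salted_hash(p, os.urandom(16)) for u, p in users.items()}
    salted_hits = [s for s in salted_store.values() if s.split("$", 1)[1] in table]
    return recovered, salted_hits, salted_store


if __name__ == "__main__":
    recovered, salted_hits, _ = demo()
    print("unsalted MD5, recovered:", sorted(recovered.values()))
    print("salted PBKDF2, recovered:", salted_hits)
```

The unsalted run gives up the two weak passwords immediately; the salted run gives up nothing to the same table, and a per-guess PBKDF2 cost of 100,000 iterations turns a free lookup into real work. Carol’s password survives both because it is not in the dictionary, which is the user’s half of the defence; salting and slow hashing are the site’s half.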

Finally, we lost a true visionary over the weekend.  Paul Baran passed away at the age of 84.  Baran conceived the Internet’s architecture at the height of the Cold War. Forty years later, he said the Net’s biggest threat wasn’t the USSR – it was the phone company.  So right then, so right now.

February 16, 2011

Dirty Deeds Done Dirt Cheap

HBGary Federal.  It is a story about a scandal that has been bubbling under the surface for a little over a week, and just when you think that it has no more legs, something else comes to light.  And if the latest stories are any indication, this could blow up very quickly, now that the major news networks don’t have a revolution to focus on. 

For those unaware of what is going on, Aaron Barr, CEO of HBGary, thought he had found out who certain members of the group Anonymous were.  He bragged about it, and started talking about unmasking the members. The FBI, the Director of National Intelligence, and the US military wanted to know, especially since Anonymous had generated DDoS attacks on Visa and Mastercard in the wake of the Wikileaks publication of State Department cables.

And that, as they say, is when the fight started.

Within a day, Anonymous had managed to infiltrate HBGary Federal’s website and take it down. Anonymous got into HBGary Federal’s e-mail server, for which Barr was the admin, and compromised it, extracting over 40,000 e-mails and putting them up on The Pirate Bay, all after watching his communications for 30 hours, undetected. In an after-action IRC chat, Anonymous members bragged about how they had gone even further, deleting 1TB of HBGary backup data. 

They even claimed to have wiped Barr’s iPad remotely.

Ouch.

This could have been seen as yet another Anonymous/Entity skirmish, as Anonymous has had with that group that Tom Cruise is a part of, until people started reading the emails from HBGary Federal.  The emails reveal that it proposed services to clients like Hunton & Williams, a law firm working with Bank of America and the U.S. Chamber of Commerce, that included cyberattacks and misinformation campaigns, phishing emails and fake social networking profiles, pressuring journalists and intimidating the financial donors to clients’ enemies including WikiLeaks, unions and non-profits that opposed the Chamber. In a proposal, Barr suggested that HBGary Federal could work with two other security companies — Palantir and Berico Technologies — to launch cyberattacks, seed WikiLeaks with fake documents and dig up dirt on its supporters.

Now the story has two legs; the first being how a security company as respected as HBGary could allow even a skilled group of hackers to get in.  The story in Ars Technica shows how HBGary fell back on all the stupid stuff we are told not to do, like using the same password for everything and not installing the current security patches available, for starters.  From the list of mistakes, it would be difficult for anyone to take them seriously going forward, a fatal hit for a security company.

The second story, however, is actually more significant, as the emails show not only HBGary but their associated clients in a very bad light at a time when some of them were not looking too good to begin with.  Now if a story comes out about someone who is critical of the Chamber of Commerce, can it be believed?  If a story about Glenn Greenwald even sounds like a hit piece, it most likely is now.  In addition, the emails record that co-founder and renowned rootkit expert Greg Hoglund offered Farallon Research a completely new type of super-rootkit designed by HBGary and codenamed Magenta. Farallon’s stated aim is to “connect advanced commercial technologies and the companies that develop them with the requirements of the U.S. government”. HBGary also developed trojans, rootkits and spyware with codenames such as Project C, Task Z, Task M and Task B – the latter with a dollar value in the hundreds of thousands – for defense contractor General Dynamics.

Everyone is backing away from HBGary as Bank of America, the Chamber of Commerce, Palantir and Berico have all since released statements that say they’ve ended their relationship or never had a formal relationship with the company.  And there are many people out there who hope that this story ends soon.

However, some think that this is merely the tip of the iceberg.  It wouldn’t surprise me if this story became an Energizer bunny.

February 5, 2011

The More You Know (And Shooting Star)

Well, the weekend is finally here and time for all the other news out there. And it appears this week’s theme is security, or lack thereof.

Let us start off with a little talking point busting from Gizmodo.

“While discussing legislative measures concerning cyber terrorism, several legislative aides on the Homeland Security and Governmental Affairs committee said that we need to protect ourselves from hackers who could open Hoover Dam and kill thousands. But is that scenario even possible?”

In a word, no.  From Peter Soeth, a spokesperson for the Bureau of Reclamation, which runs the power-generating facility on the Arizona-Nevada state line:

"I’d like to point out that this is not a factual example, because Hoover Dam and important facilities like it are not connected to the internet. These types of facilities are protected by multiple layers of security, including physical separation from the internet, that are in place because of multiple security mandates and good business practices."

As Giz points out, this “non-factual example” can be traced back to a USA Today article from 2001 that told America of all the apocalyptic things this country could endure from cyber-hackers, including the disastrous scenario where someone opens the floodgates of the Hoover Dam, killing untold numbers of people.  Wasn’t true then, not true now.  But don’t let the facts stand in the way of a good talking point.

However, what is true is that someone repeatedly penetrated the computer network of the company that runs the Nasdaq Stock Market during the past year, and federal investigators are trying to identify the perpetrators and their purpose, according to people familiar with the matter. Supposedly, the exchange’s trading platform—the part of the system that executes trades—wasn’t compromised. However, it couldn’t be determined which other parts of Nasdaq’s computer network were accessed. Given the fact that the bulk of the various stock exchanges run on algorithms these days, messing around with the trading platform could have some serious consequences, which is one reason why the government considers the trading floor a matter of national security, along with the pretty secure Hoover Dam.

And finally, January 31 marks the fourth anniversary of the battle of Boston with the Mooninites.  For those with a short attention span, the Cartoon Network, in a guerilla marketing campaign, decided to place lots of battery-powered Lite-Brites of the characters from the Aqua Teen Hunger Force not only in Boston, but in cities across America.  By all accounts, these “ads” had been in place for at least two weeks, turning themselves on during the evenings and turning themselves off during the day.  And on January 31, 2007, the city of Boston realized that they were all over and proceeded to shut the city down in a state of panic.  The mayor was angry.  He had a right to be, but given the fact that the boxes had been in place for two weeks, he should have fired his police chief.  And while two people were eventually arrested, neither one of them was the person who had thought up the campaign that caused the city to be locked down.

So stay safe this weekend and be careful out there.

January 28, 2011

Faster Internet, Kill, Kill!

There have been some developments abroad since a couple of days ago.  At first, it looked like the country of Egypt had taken a half-hearted approach to shutting down.  As of right now, this is no longer the case.   The country is in lockdown mode (the link will show you how long it takes information to hit a site from certain locations.  Cairo’s status means nothing is coming in or going out). According to reports, Link Egypt, Vodafone/Raya, Telecom Egypt, Etisalat Misr, and all their customers and partners are, for the moment, off the air.  Additionally blocked are Blackberry service and SMS. This is different from Iran’s attempt during their protests in that this is much more thorough.  The Egyptian government’s actions tonight have essentially wiped their country from the global map. How will the country react?  We shall see.

The actions bring us back to the US, where yet again Congress is working on bills to allow the President a “Kill Switch” for the internet in case of a cybersecurity attack.  The premise sounds innocent enough:  ‘Critical infrastructure’ areas could effectively be shut down temporarily in case of a cyber attack from wherever.  The fact is, the country is indeed vulnerable to such an attack and something is needed to prevent such a thing from happening.  But therein lies the problem.

First, some of the pieces are not owned by the government; they are owned by businesses.  The idea of the government coming in and shutting a company down in the name of Homeland Security does not sit well with some people, and rightly so. However, speed on the internet is of prime importance.  If the country were under a cyber attack, the ability to move with all necessary speed becomes paramount.  Waiting for a board of directors to give their consent in the time of attack does not work.

Second, as the bill stands currently, the process behind such an action, if it becomes law, is where most companies have questions.  The main point is that, as it is currently written, the bill would ban courts from reviewing executive branch decrees.  No review?  You mean Yahoo would have to accept in good faith that the government would want to shut it down because of an attack? Steve DelBianco, director of the NetChoice coalition, which includes eBay, Oracle, Verisign, and Yahoo as members, says hold on:

"The country we’re seeking to protect is a country that respects the right of any individual to have their day in court," he said. "Yet this bill would deny that day in court to the owner of infrastructure."

The point has merit.  Without the court’s review, you are allowing the government to set up martial law over the internet.  Berin Szoka, an analyst at the free-market TechFreedom think tank and editor of The Next Digital Decade book states:

"No amount of tightening of what constitutes ‘critical infrastructure’ will prevent abuse without meaningful judicial review.  Blocking judicial review of this key question essentially says that the rule of law goes out the window if and when a major crisis occurs."

So as this bill winds through Congress, look to the east and realize that under the right circumstances and the wrong laws, you too could feel like you are in Cairo this morning.  Just a thought.

December 27, 2010

Don’t Mess With Cambridge

Cambridge University in England is one of the world’s greatest universities.  It has been home to such luminaries as Darwin and Sir Isaac Newton. Needless to say, scientific research at Cambridge is taken quite seriously, and when researchers tell certain institutions that supposedly “tamper-proof” systems are not, then you would expect the institution in question to heed the advice of the researchers.

Unless, of course you are talking about banking institutions. And therein lies the tale.

The European system for verifying credit- and debit-card transactions is called “Chip and PIN”.   Now this system is quite simple: within each card there is a small chip.  By utilizing the chip, along with a PIN, a person is supposedly able to make more secure transactions than what we have over here in the States. The system has been out for some time and is actually slowly starting up here in the US.  However, Omar Choudary, a doctoral student at Cambridge, found a hole in the system and did what every researcher out there worth his academic instincts should do – he wrote a paper documenting the problem.  The paper has caused a stir around the banking industry for the last few months.  The problem is clearly outlined, and the fact is, by using a paper clip, off-the-shelf electronics and basic technical skills, fraudsters can capture card details and PINs, then create counterfeit cards.  The paper has been accepted for the IEEE Symposium on Security and Privacy, the top conference in computer security. Clearly, this is a big problem that needs to be solved, and quickly.

I will not go into detail about the problem, because that is not what this blog entry is about.  You see, instead of actually trying to fix the problem, the UK banking trade association wrote to Cambridge asking the university to shut down the student. 

According to the Banking Trade Association, the paper contains too much detail of the No-PIN attack on Chip-and-PIN and thus “breaches the boundary of responsible disclosure”.  So instead of actually fixing it, the association wants Cambridge to censor their researchers and shut up about the problem in general.  Because obviously not talking about a security problem means that it doesn’t exist.  Even when it does. 

But this is Cambridge.  In a reply to the association, Ross Anderson, professor of security engineering, made his displeasure quite obvious. 

“…you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent.

“You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.”

That, dear readers, is a very nice way of saying “Stuff it”.

Thank you, Cambridge University, for standing up to censorship, for standing up to corporate bullying and for supporting intellectual integrity. At a time when so many institutions are caving in to pressure from business and government, yours is a most refreshing stance.

July 29, 2010

Will Someone Call Security?

Just when you thought it was safe to venture out on the web… A few stories piqued my interest today.  It may just be because it’s summer; after all, during the summer the news stories tend to be about dangerous situations (Remember snakeheads?  Shark attacks?).  But since I write about technology, it all boils down to one word – Security.

Let’s start with that bastion of security and privacy, Facebook.  And I ask the familiar question.  When will Zuck and company get it through their thick skulls and make the default setting on profiles non-indexable?  Because security specialist Ron Bowes created a torrent containing over 171 million entries with links to profiles that provide access to the names, addresses and phone numbers of 100 million users.  For those counting, that is one fifth of all Facebook users.  And this wasn’t even a hack.  This was a simple program that gathered all public Facebook info.

Now, my inner Darwin tells me that all users have to do is set the privacy setting to “Friends Only” and there you go.  Those that don’t deserve whatever they get.  But there is a slight problem there.  As the torrent’s creator notes,

“Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details. If the user has set their privacy higher, at the very least I can view their name and picture.”

Say I have mine set as such, but one of my friends couldn’t care less and is embracing the public sphere with all their might.  Guess what? If any searchable user has friends that are non-searchable, those friends just opted into being searched, like it or not.

Lesson here: If you are truly paranoid, get to know your friends better, or at least what their settings are.

The second story concerns Android.  There was an app on the Android Market, Jackeey Wallpaper.  Users can download it and use it to decorate their phones that run the Google Android operating system. It includes branded wallpapers from My Little Pony to Star Wars.

The problem?  According to mobile security firm Lookout:

“It collects a user’s browsing history, text messages, your phone’s SIM card number, subscriber identification, and even your voice mail password. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China. The app has been downloaded anywhere from 1.1 million to 4.6 million times. The exact number isn’t known because the Android Market doesn’t offer precise data.”

Nice little app there.  Lesson: Roughly 47 percent of Android apps access some kind of third-party code, while 23 percent of iPhone apps do.  Be careful what you are downloading. Make sure it’s a reputable place.

My favorite story of the day though comes right out of the Terminator films crossed with MacGyver.  Armed with only a USB thumb drive or an Internet connection, security researcher Barnaby Jack can hijack your local ATM.  At the Black Hat hacker conference Wednesday, Jack demonstrated two exploits on stage.  Later in an interview, Jack argued that focusing on any specific ATM manufacturer would miss the point, given that practically every model is likely vulnerable.

"Every ATM I’ve looked at, I’ve compromised," he says. "There’s only so many ATMs you can fit in your apartment before your girlfriend gets mad that they don’t go with the furniture."

Jack had planned to give an earlier version of his ATM-hacking demonstration at the Black Hat conference last year, but was pressured to pull the talk because the ATM industry hadn’t prepared a patch, even seven months after he had alerted them to the flaw.

The Lesson here:  Apparently some banks are so focused on stealing your money, they don’t realize that someone is stealing theirs. 


Now Playing: Roxy Music – Avalon – The Space Between

June 15, 2010

No Good Deed Goes Unpunished

Take a few days off and look what happens.  One of my favorite punching bags, AT&T, once again proves they have tin ears and few clues.

Apparently, Goatse Security discovered a rather obvious vulnerability on the AT&T site that returned a customer email if a valid serial number for the iPad SIM card was entered.  An invalid number returned nothing.  So what is a security company to do?  Why, write a script, harvest as much information as they can (114,000 email addresses), notify AT&T about said vulnerability and then send the information to Gawker Media (you know, those guys that received the pre-production iPhone a few weeks ago).  Gawker published some of the data with the emails removed, just to show the world what schmucks AT&T actually are.
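The flaw described above has two parts, and both need fixing: the lookup is keyed by an identifier that anyone can guess or count through, and the server answers differently for valid and invalid identifiers, so the response itself confirms which ones exist. The following is an added example written for this page, not code from the post, from AT&T or from Goatse Security; it models the vulnerable endpoint as a plain function beside a hardened one that releases the email only to a session authenticated for that very identifier and gives every failure the same answer. The account records, identifiers and the placeholder login are constructed for the demonstration (the numbers are not real SIM serials).

```python
import hmac
import secrets

# Constructed account store: sequential 19-digit identifiers -> account email.
ACCOUNTS = {
    "8901000000000000001": "alice@example.com",
    "8901000000000000002": "bob@example.com",
    "8901000000000000004": "carol@example.com",
}


def vulnerable_lookup(card_id: str):
    """The defect the post describes: no authentication, and a valid identifier
    gets the email while an invalid one gets nothing. The identifiers are
    sequential, so a loop over the range collects every customer."""
    return ACCOUNTS.get(card_id)


# --- Hardened version -----------------------------------------------------------
SESSIONS = {}    # session token -> identifier the session was authenticated for
ACCESS_LOG = []  # denied requests, the signal a defender alerts on


def login(card_id: str, password: str) -> str:
    """Placeholder for real authentication (constructed: every account's
    password is 'correct-horse'). Returns an unguessable session token."""
    if card_id in ACCOUNTS and hmac.compare_digest(password, "correct-horse"):
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = card_id
        return token
    raise PermissionError("authentication failed")


def hardened_lookup(card_id: str, session_token: str):
    """Release the email only to a session bound to this identifier. Unknown id,
    wrong owner and missing session all get the same None, so the response no
    longer tells valid from invalid, and every denial is recorded."""
    owner = SESSIONS.get(session_token)
    if owner is None or not hmac.compare_digest(owner, card_id) or card_id not in ACCOUNTS:
        ACCESS_LOG.append(("denied", card_id))
        return None
    return ACCOUNTS[card_id]


def sweep(lookup, start: int, count: int, **kwargs):
    """Walk a range of sequential identifiers, as the post says the harvest did.
    Used here only to measure what each version gives away."""
    found = {}
    for n in range(start, start + count):
        cid = f"{n:019d}"
        result = lookup(cid, **kwargs)
        if result:
            found[cid] = result
    return found


if __name__ == "__main__":
    base = 8901000000000000000
    print("vulnerable endpoint leaks:", sweep(vulnerable_lookup, base, 10))
    print("hardened endpoint leaks:  ", sweep(hardened_lookup, base, 10, session_token="guess"))
    print("denied attempts logged:   ", len(ACCESS_LOG))
```

The sweep pulls all three addresses out of the vulnerable function and nothing out of the hardened one, while the hardened one leaves ten denied entries in the log. That log is the other half of the fix: a burst of denials across consecutive identifiers from one source is the pattern AT&T could have alerted on long before the list reached Gawker.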

AT&T then went into full accusation mode, claiming that “Malicious Hackers” had gotten into AT&T and called in the FBI.

From Goatse Security:

“All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.”

So now the Feds are investigating a security company for pointing out that one of the biggest phone companies has a security problem that could have affected hundreds of thousands of customers.  Yeah, they’re the bad guys, all right.  Unless one can prove that the information was inappropriately used, the Feds should look at AT&T and tell them to get their house in order first before throwing stones.

So what is next?  Well, there is that “small” problem with Safari that Apple fixed on the desktops, but not on the iPad or iPhone.  I remember a few years ago when people were being so snobbish about how safe Apples were.  My argument then was as it is now:  the only reason why no one hacked Apples was that there were so few of them.  Now that the market is growing, Apple needs to man up and join the patch-of-the-week club.  Because as long as there is code, it can be hacked.  If you leave a door open, people will walk in.  Those are facts.


Now Playing: Sonic Youth – Daydream Nation – Total Trash
