Friday, September 9, 2011

NBC Twitter account

Hi folks,

So, today, in an (impressively successful) attempt to prove how irresponsible some people can be, some morons calling themselves ScriptKiddies managed to sneak into NBC's Twitter account, and posted fake alerts about a hijacked plane crashing into the World Trade Center site.

It's not clear how they got in yet, but I have a feeling it was password re-use. Yes, I know the password might have just been phished, and I know it might been a weak password which was guessed, but I doubt that it was brute-forced, as Twitter learned that lesson years ago.

Entirely too many people use just one, or a few, passwords for all their web access, and there are simply too many places we log in now, and if one falls, they all fall.

There are three lessons from this:

(1) Don't take Tweets too seriously. People do get their accounts nailed from time to time.
(2) Subscribe to multiple sources. If something important does happen, multiple sites will report it.
(3) Most importantly, please use one password, or passphrase per site, and either write them down and keep them in your wallet, or use some password keeping software, but don't re-use passwords.

Password re-use is your enemy.

Roger

Monday, September 5, 2011

Diginotar notes

SO, over the weekend, we became aware that a Dutch certificate authority had been hacked, and a whole truckload of fake certificates issued for people like google, cia.gov, and mossad, to mention just a few of the more embarrasing ones. In the fullness of time, it's become clear that the initial result of this is that for at least a day, Iranian Internet users were subject to mass Man In The Middle attacks.

The certificates have now been revoked, but there is a certain amount of damage already done.

What this means to those who have been attacked, is that authorities probably read a whole lot of their supposedly private emails, and may have stolen their login credentials for future use. If you happen to be an Iranian dissident, that's probably not good news for you.

There are a couple of shoes left to drop, however. The first is that some of these certificates could probably be used to sign executable code, which in turn will make it easier to slip targeted malcode into a victim's system. Stuxnet, you might recall, was code signed with stolen certificates, so as to avoid Windows warnings.

I don't like this idea at all, as I'm fond of having electricity, and would prefer if it stayed on. Just saying'

The second, and bigger shoe, is the simple idea that a medium sized Certificate Signing Authority can (a) have so much power, and (b) be so poorly defended.

How many more such authorities are there? It's worth pointing out that this is probably the second hack of a CA by the same guy, and we may be confident that he'll find more.

The really sad thing is that there is no easy solution for this. No single bit of software, like anti virus, will protect us.

The best we can do is to start layering in defenses.

For starters, make CAs show some level of security sense.

From an end user point of view, use only one password for each site.

Create a user-grade account for your PC, and use it on a daily basis, instead of admin level.

If your computer warns you about a dodgy certificate for a website, or for an executable... listen to it.

Keep patched (obviously) and find an av program that doesn't rely on signatures.

Most importantly, more needs to be done by ISPs, and backbone providers. Botnets have to be reduced.

We have probably reached a point where machines cannot be allowed on the Internet if they are showing they are infected. As it is, no one cares,as there is no revenue in it.

This has to change.

Roger