Thursday, September 27, 2018

Stuff just got real

So, anyway, ESET just released that they found the first UEFI rootkit. You can read about it here … , but the short version is that they found an example of a modified version of Computrace/Lo Jack being used to attack a computer.

This is serious, and here are the main bits to know…

(1) Computrace/Lo Jack is a legitimate application that is factory installed into the firmware of nearly every laptop in the world, of all varieties. The idea is that if your laptop gets stolen, you can find it, and/or wipe it remotely. This is obviously good, and useful.

Close followers of my blogs, and posts, will know that I have pointed out that the Kaspersky guys, in 2014, showed how it could be compromised, and that it was therefore a potential problem, even though it is a legit app. This is not a slight against the excellent Lo Jack. All software has a weak underbelly, if you probe hard enough.

This is now proof that I was right.

(2) The perps are probably a Russian hacking group (military, KGB, FSB, or something similar), known by a bunch of names, but I call them Fancy Bear, for no particular reason other than it was the first name I knew them by, and it's a neat name. These are the same guys that (probably) broke into a factory in Taiwan in Feb 2018, and modified firmware in a bunch of computers, headed for the German government. If you are a suspicious soul, like me, you probably think this is not their only rodeo.

(3) The perps used a legitimate, and scary powerful tool called RWEverything. This is new to me, but the nub of the matter is that it is a legitimately signed driver that, seemingly, can read or write everything in firmware. This is obviously powerful, and cool, as long as it is used for good.

(4) So far, we have not found an exact match for the samples in their report in our collection, but we have _many_ variants of Lo Jack. They may be all innocent, or … maybe not. We are still looking and thinking.

(5) We still have six variants of the Lenovo rootkit, that no one detects (well, one product detects one variant, but that’s approaching zero from a stats perspective… one out of 360). This may/probably mean they are extinct, or ... maybe not…

(6) Interestingly, the modus operandi of the Lenovo rootkit and the modified Lo Jacks, are _remarkably_ similar. This might be pure coincidence… or … maybe something else.

Bottom line is that we have many variants of Computrace/Lo Jack that need to be examined, and many Lenovo rootkit variants that need to be examined.

And we have other things that look suspicious.

It would be really helpful to get more firmware samples, and it's geeky, but some How To instructions can be found here

All this, combined with what we have found about certificates being expired, or marked "Do not trust", or "Do not ship", which you can read about here suggests to me that we are on dangerous, shaky, and new, ground.

Stay tuned.

Friday, September 14, 2018

50% of firmware certs are expired?

So, anyway, I grabbed a bunch of firmware blobs (there were 99, to be precise) that I happened to have on this laptop, in order to look for more rootkit-like thingies, but I found some other bits that I found even more thought provoking, and I got sidetracked. I do have A.D.D. Oh look! A squirrel... (That's a joke, btw)

The first TPT (thought provoking thing) was that 38 of the 99 had certificates in them that said either "Do not trust - xxx Test PK", or "DO NOT TRUST - Lost Certificate", or "DO NOT SHIP - some_company Test KEK". That's about a third, and feels rather high.

It may be that the uploads that we are getting are not completely representative of what the Real World looks like. They might be coming out of test labs or something like that, which is plausible, because you have to be a bit of a geek to extract firmware. The other, and scarier, option here is that it _is_ representative of the Real World, and one in three computers has a "Do not trust" certificate in it. I hope that is not true.

The second TPT was that my program counted a total of 1,377 certificates, and fully 631 of them were expired. That's nearly 50%, and again, seems rather high.

Again, it might be that we are getting non-Real World firmwares being uploaded, but the other option here is that people are not updating their firmware, which seems likely to me.

The third TPT was that 24 of the blobs had a release date of 2018, and still had 42 expired certs in them. That seems weird.

The fourth TPT was that 5 of the 24 blobs from 2018 had a "Do not trust" cert in them. That seems way weird.

I can think of no reasonable explanation for number three and number four, unless they are coming out of labs, but I suspect that the real explanation is that manufacturers are simply not paying attention because no one is calling them out.

It's also a bit of worry that nothing in the firmware chain of trust seems to care about the dodgy certs. This implies, to me, that they could be replaced by out and out APT-level malware, and nothing and no one would notice.

The plot thickens.

The main thing we need is more samples, so if anyone wants to help, instructions about how to dump your firmware are here.

Stay tuned.

Wednesday, August 29, 2018

_Fourth_ Lenovo Rootkit variant

Hi folks,

As our ROM analysis tools continue to improve, we find more "interesting" things. Today, we seem to have found a fourth Lenovo Rootkit variant.

Admittedly, it might not be. It might be just unfortunately named (NovoSecEngine2), but it does seem to share about 97% of the code of some of the other variants, so it looks pretty suspicious.

If you read my other blogs, you will know that two of the variants had 0 detections, and one had a single detection, and unsurprisingly, this one has 0 out of 57 detects.

Again, it's important to understand that I am not suggesting that Lenovo did anything wrong. I think they were completely innocent, and just trying to make their products more secure, and I must emphasize that there is no reason to think any of these are still in circulation, unless someone hasn't updated their firmware.

It's simply instructive that there seem to be four variants, when everyone thought there was just one.

One wonders what else we will find.

Stay tuned.

Wednesday, August 22, 2018

Instructions on how to dump your firmware

Hi folks,

A number of people have asked me how they can participate in firmware gathering, and the short answer is, "Dump your firmware, and upload it to us, at https://armor.ai".

As you might expect, the actual answer is a little longer, so here are the instructions for firmware dumping...

On a Mac running High Sierra, it's easy, because there is a built-in command, eficheck. Here are the steps:

1) Open up a terminal

2) This command saves system's EFI firmware, type:

sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --save -b YourFilenameOfChoice.bin

3) This command overwrites EFI variables portions, scrubbing any privacy-sensitive bits, enabling the image to be shared for analysis, type:

sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --cleanup -b YourFilenameOfChoice.bin

4) upload firmware.bin to https://www.armor.ai/scan

Windows is trickier. There are a number of ways, but currently, the easiest seems to be these steps:

Either, (a) download your own version of ChipSec from https://github.com/chipsec, read the manual, and make your own zips, or (b) Download a version of ChipSec and an EFI shell from my DropBox (my EFI shell is set for an x86 machine)

https://www.dropbox.com/s/hyftzcttq14pm2p/chipsec.7z?dl=0
https://www.dropbox.com/s/7982bi2qrkhkosh/efi.7z?dl=0

and unzip each of those into the root of the thumb drive, and then:
(1) Boot your computer into BIOS, and turn off secure boot
(2) Boot into the thumb drive. This should bring up an EFI shell, that looks a lot like old MsDOS, but is neither Dos nor a Linux shell. It brings up a command prompt that says, “Shell>”
(5) You need to get into the root directory of the thumb drive, by typing FS0:
(I have seen machines where the thumb drive came up as FS1:, and even FS2:, but generally, it’s FS0:)
(6) You should then be able to do a Dir or LS, and see the Chipsec directory, and an EFI directory.
(7) Change directory to chipsec ... cd \chipsec
(8) type: python chipsec_util.py spi dump filename.bin
(9) type: exit

That should allow you to boot back into BIOS, and turn secure boot back on, and then boot to your OS, and upload the captured file to https://www.armor.ai/scan

Be sure to put your email into the webpage, because some analyses take a while, and your email will allow us to send it to you, when it is complete.

Thanks in advance for your help

Monday, August 20, 2018

Three Lenovo "Rootkit" versions?

Hi folks, In 2015, Lenovo was accused of sending out laptops with a "rootkit" in the firmware. Lenovo essentially said, "Ooops... it was meant to be an updater, to help with security. We bought it from a third party, and assumed it was ok." They patched their firmware, and everyone moved on.

Now, I'm not suggesting for even a second that Lenovo did anything intentionally wrong. I think they were completely innocent, and just trying to make their products more secure, but here's where it gets interesting...

To this day, only one out of about sixty anti-malware products recognizes the rootkit as malicious. If you want to check, search VirusTotal for this sha256, d3c154a38823b09edd2e119ecfd8366c2c5e725fda4f744c04e2d26fcc7c5803, and you will see that only Endgame recognizes it.

This particular bit of software identifies itself as "NovoSecEngine2", in the firmware volume, and is 139,512 bytes long. Now that we have been able to analyze a bunch of firmware, we have found two other executables identifying themselves as NovoSecEngine and NovoSecEngine2. NovoSecEngine is 248,832 bytes long, and the second NovoSecEngine2 is 203,712 bytes long.

Guess how many of the sixty anti-malware programs recognize these two...none...zero...bupkiss. No one thinks they are variants of the rootkit.

This means that they are either completely different programs, accidentally sharing the rootkit name, or ... no one has analyzed them.

Our analysis of these two programs continues, and we will post more information as we figure it out, but what this probably really means is that no one is looking at the firmware, and everyone is relying on the "Hope and trust" method.

This, in turn, leads one to wonder how many other programs with rootkit capability lurk in our firmware.

Anything in the firmware is invisible to regular anti-malware programs.

Here are some rough stats from our initial research:

Manufacturers analyzed: {'Toshiba', 'Acer', 'Lenovo', 'Asrock', 'Desenvolvida por Positivo Informatica SA', 'Razer', 'Clevo', 'American Megatrends Inc./Advantech', 'American Megatrends Inc.', 'LG Electronics', 'Dell', 'ASUSTeK', 'Gygabyte', 'Intel', 'Sony', 'Hewlett-Packard', 'Apple Inc.'}

Total firmware analyzed: 550

Total firmware with portable executables analyzed: 515

Total portable executables analyzed: 131289

Total portable executables triggering one heuristic: 20964

Total portable executables triggering more than one heuristic: 3178

Average portable executables per ROM: 254

Average portable executables triggering heuristic per ROM: 40

Average portable executables triggering more than one heuristic per ROM: 6

Now, just because they are triggering our heuristics, doesn't mean they will definitely be bad. It just means that we think they are worthy of a closer look. We will be perfectly happy if all of them are completely innocent, but having been in the anti-malware business for a long time, we suspect we will find some number of Bad Things(tm).

If anyone wants to help, and can upload a firmware dump to us here, we will gladly take a look at it.

Stay tuned, folks, and keep safe.
*** Update: Just in case it's not clear, I don't think these three are currently around, unless someone hasn't updated their BIOS. I think Lenovo took care of it just fine at the time. The point I am trying to make is that there could be lots of other "backdoors" or "rootkits" in firmware, and no one would know. I'm trying to get more people to pay attention.

Wednesday, August 1, 2018

What's in your firmware, and why should you care?

Hi folks, Today, we have officially launched our new site, and product, armor.ai. This is a place where you can upload a firmware image, and get a report on what's in it.

For example, in my 2017 laptop, I have about 380 Windows PE format executables. This is what's known as the Unified Extensible Firmware Interface, or UEFI, for short. The idea is that this mechanism provides a much more flexible way for manufacturers to add new hardware, rather having to modify handwritten assembler, as with a traditional BIOS. This is Good Thing (tm), but they are compiled C code, and this, in turn, is a format well understood by attackers, and defenders, alike.

Fortunately, these programs are cryptographically signed, and are therefore immune to attack... unless...

(1) You can compromise the Root Of Trust. This is the first part of the chain, and is responsible for checking the crypto sig of everything else. This is really hard, and we don't _think_ anyone has done it yet, but we may be sure they are trying, or,

(2) A stolen certificate might be used to sign malicious code, or,

(3) Something malicious might be installed at the factory. It'd never happen, right? Except it already has, at least once, but that's another story.

Extracting a firmware image is mostly complicated, and is not an end-user play, but if you are a geek, and want to know what's in your firmware, there are a couple of ways to get the image.

On a Mac, running High Sierra, you can simply open a terminal, and type "sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --save -b out.bin", and then upload it to armor.ai.

Any machine running Windows 8 or higher, should be using UEFI, and, for Intel based machines, the best approach at this point, is to use Chipsec, and open source tool found here. This requires reading their manual, but is easy enough once you get the idea.

We will make easier mechanisms available as we build them.

Folks, this is tricky stuff, but we need to pay more attention to it, because anything running in the firmware has complete control over the rest of the computer, and probably cannot be seen by anything running at the operating system level. Anything in the firmware is potentially a rootkit.

As well as your own, or your business, computer, think about critical infrastructure devices, medical devices, automobiles, and all IoT devices. They all have firmware, and no one really knows what's in it.

We need to find out.

Tuesday, July 31, 2018

Ok, this was scary

Tonight, I had to file a claim for one of my teenager's phones. It's dead. I called AT&T, and after quite a bit of (perfectly reasonable) back and forth about whether it was a warranty, or an insurance claim, I finally got through to an appropriate insurance person.

In order to validate that I was who I claimed to be, they asked me (reasonably enough) my last four of my social, but then they said, "and, now sir, just a couple more questions, compiled from publicly available information..."

Having been here before, I immediately, and metaphorically, gasped, and the first question was, "What color is your 2007 Chevy Express?"

I answered, "White", and they asked me another, obvious question, which I answered correctly, and the claim went on from there, but...

How the hell did they know that I had a 2007 Chevy Express????

And, they had it at their fingertips!!!!

If you are not seriously disturbed by this, you are not paying attention.

Folks, this is the Privacy Revolution in action.

If you need more, I suggest you read this,, and this, and this.

George Orwell was right. He just got the dates wrong.

:-(

Stand by for more information, and try to stay safe.

Friday, May 4, 2018

Bad Comcast, bad!

So, anyway, a couple of days ago, I decided to hang out a honeypot. This involved logging into my cable modem, to set a DMZ, and then to add a particular IP address into it. This worked just fine, but then I decided to double check what IPs were connected to my modem.

As expected, nearly all the connected devices had an address like 10.1.10.xxx. This was fine, but I was surprised to see a stray address... 30.18.32.173.

By my understanding (and from what I could find on google), nobody other than my provider, Comcast, should be able to connect to my modem from the outside, and yet here was an obvious outsider.

A quick search of who this IP might belong to, revealed that it was a DoD, or military, IP address.

As you might expect, this got my attention, and I started regular monitoring of my modem.

Regular monitoring revealed that there were about six foreign addresses that connected to my two cable modems, some more persistently than others, but, again, by my understanding, no one should connecting, other than Comcast.

I thought, "They must have my password!", so I changed it, and rebooted my modems.

They continue to connect.

I have no way to tell what port, and service, they are connecting to, so I have no idea what they might have been trying to do. This is not a Good Thing (tm).

The obvious answer here is that my modem firmware has been compromised, and I have no way to check that.

This is where is gets nasty.

I called Comcast, to try to get some support.

I first fought my way through the voice activated menus (sucks if you have an Australian accent), and finally got to a human, whose principal task was to sell me an upgrade.

This failed, so he switched me through to tech support.

This guy spoke better English, but after a while came to understand that he had no idea what I was talking about, and switched me through to the next level support.

This guy listened to me, but his response, from which he could not be shifted, was, "We just rent you the modem. Your network security is your responsibility."

I am _perfectly_ happy to make _my_ network secure, but he was immune to my argument that it was his kit, and was actually outside my network.

He basically ignored me.

I still have no understanding of why remote IPs can connect to me, but I'm working on it.

The _really_ interesting thought here is, "If it can happen to me, who else is it happening to?"

If you are a Comcast customer, and want to check, the basic routine is to point your browser at 10.1.10.1, and log in. The default id is "cusadmin", and the default password is "highspeed".

You then go to "Gateway summary", select "Network", and scroll down to select "Connected computers".

If you see any addresses, outside the pattern of your computer addresses, then you have the same issue.

I'm _sure_ there is a perfectly reasonable, legitimate explanation, but I just can't see it yet, and Comcast did crappy tech support.

I would hate to think that the firmware of my modem had been compromised, and that people were monitoring my Internet traffic. That would never happen, right?

Please let me know if you see similar patterns.

The Internet is tricky. Stay safe, folks.

Thursday, April 26, 2018

Golden State Killer DNA

Unless you are living under a rock, you will be aware that the police have made an arrest in the case of the Golden State Killer, based on a DNA match.

It was a cold case, and all they are currently saying is that they got a "clue" about six days ago, and put him under surveillance. Then they got a fresh DNA sample, from something that was discarded, and got enough of a match with crime scene DNA, that they made an arrest.

What they are not saying is what the "clue" was. They are just saying it was because of the latest DNA tests, but they are not saying what made them look at an ex-cop, who had never been a suspect in the first place.

I bet that we will find that it is an unexpected, and positive, side effect of the Privacy Revolution. (For more background on that, see Part 1, Part 2, and Part 3)

I don't, for even a minute, think that the alleged perp put his DNA online, but, it seems that he has two or three kids. I bet one of them did, probably just to innocently look for relatives.

A quick Google reveals that there are quite a number of searchable DNA databases, completely aside from the obvious genealogy websites.

Cold case. Six days from the "clue", to an arrest.

It's a positive result, but we live in "Interesting times".

Stay safe, folks.

Saturday, April 14, 2018

Fake 'Virus Detected' Scam

So, anyway, I get a lot of these scam pitches each day. The email looks something like this ...



Sometimes the email purports to be from Fedex, and sometimes it tells me I have broken pictures, but however it comes, it tells me to "Click here".

If you do, you are taken to a fake "virus detected" screen, that looks a lot like this ...



This kind of thing has been around for ages, and the idea is that they try to get you to call the 888 number, where they try to convince you to give them remote access to your computer, so that the nice technician can "help" you.

It's not exploitive, per se, but it would be a significant nuisance to a non-techie, because it hijacks the browser enough that you can't close the browser, and get rid of it. It must work a bit, because they keep trying it.

This is the sort of thing I took great pleasure in blocking, when I had a suitable product in a previous life, so I thought I'd see who was blocking it today.

It only serves that page the first time you go to it, and after that, either takes you to a (probably) fake Canadian Pharmacy (usually somewhere in Russia), or a Diet Pills site, so in order to test against a number of products, I used a thing called HttpReplay, to capture the initial sockets, and then to replay it against the eight products I had readily to hand.

I made sure that each product was able to update itself, and declare itself "current",and then I opened the socket trace, and pretended to cruise to the website. Pretty much doing what a regular user might have done. All products are the consumer versions, and are installed with default options, just as a normal end-user might. Here are the scores

McAfee Miss
Sophos Block
Eset Miss
Avast Miss
Symantec Block
Kaspersky Miss
Panda Miss
Avira Miss

Obviously, I'm not saying that this proves anything much, except that I reckon everyone should be blocking this sort of thing, because if I'm seeing it every day, chances are that lots of people are.

Thursday, April 12, 2018

The Privacy Revolution in Action

As a practical example of the Privacy Revolution, I have a little story.

In 2008, I was in London, staying at the excellent Royal Trafalgar hotel. I ordered a cab, and went downstairs to pay my bill. They ran my card, and said, "I'm sorry, sir. Your card has been declined. Do you have another?"

I said something to the effect of, "Wait ... what??? I know there's money in that account. There must be some mistake!"

They said, "I'm sorry, but you'll have to call the bank."

I sighed, and sent the cab away, and got on the phone to my bank. I fought my way through the voice prompts (never easy, when you have an accent), and finally got to speak to a human. They said, "Did you tell us you were traveling overseas?"

I felt like saying a great many things, some even unkind, but I thought better of it, and simply said, "No. I didn't know I had to."

They said, "You'll have to talk to our fraud department to get the card unblocked."

I got a human pretty quickly this time, and he asked me all the obvious questions, such as, "Last four of social, how many accounts do you have, what sort of accounts are they, and who's on the accounts with you,", all of which I answered successfully.

He then said, "And now, sir, just a couple more questions, based on publicly available information... What age-range would best describe this person... 25-30, 30-35, 35-40... Laura ************."

They used the maiden name of one of my daughters-in-law.

I was stunned.

This young lady had been married to my son for eight years at that point, and had not used her maiden name since she got married.

I stammered out the correct answer, and they asked me a different age range, and then used my wife's name, which was not a shock, and I answered that one. Correctly, thankfully.

They unblocked my card, and I got another cab to the airport, and home, but all the way, my mind was racing...Laura had never lived at the same address as me ... There was no obvious connection ... I well understood that if someone googled for a couple of days, someone could figure it out, but _at their fingertips_, they knew that I should know who this person, with a different name, was, and how old she was.

Finally, I thought... "It must be FaceBook, because on there, she calls herself Laura *MaidenName* Thompson. That must be it!", and I smacked them a little bit in my blog.

A couple of days later, a friend who worked at RSA called me, and said, "Uh ... Rog ... that blog you did. It wasn't FaceBook. It was us. We have a product called Knowledge Based Authentication (KBA), that we sell to banks."

Again, I was stunned. Then I was relieved, because I consider RSA to be Good Guys, and then I was stunned again, because the realization hit me, that if Good Guys like Google and RSA were collecting all this information, it was a given that Bad Guys were too, and we have no idea just who is.

Now, this was ten years ago, and lots of things have changed. RSA (who wasn't doing anything wrong with KBA) has sold KBA to someone else (Google knows who), and they aren't doing anything wrong with it either, but we may be confident that the race to collect information continues unabated, and probably accelerates.

It's bad enough that leaked personal data can be used in obvious things, like directed malware attacks, and common fraud, but recent events have shown us that one unexpected consequence of this is Mass Psychological Profiling, and the even scarier, Mass Psychological _Persuasion_.

This is the Privacy Revolution, folks. In the fullness of time, we will come to understand that the effect on humanity will be just as massive as the agricultural and industrial revolutions.

Wednesday, April 11, 2018

The Privacy Revolution is the fourth Great Revolution (Part 2)

So, the next interesting thing to happen was that at the end of 2007, I sold my company, Exploit Prevention Labs (XPL) to AVG. XPL watched for exploits coming off the web, because I'd figured out in 2005 that the Web was the next attack surface. (Windows XP Service Pack 2 had been released in 2004, and for the first time, the firewall was on by default, and I knew that this would be an extinction level event for the malware of the day, network worms, like Code Red, but I also knew that the Bad Guys would not give up, and the web was the obvious attack point... but I digress...)

Because of AVGs huge client base, I suddenly had a hundred million pairs of eyes helping to watch what was going on, and one day, I noticed some interesting stuff coming through FaceBook from Russia, and I thought, "I wonder why it's all coming from Russia?", so I tweaked the detection a bit, and did a release, and suddenly the main source shifted to the USA. Still FaceBook, but the USA.

Now, to be perfectly clear, upon further examination, the triggering code was not exploitive, or malicious. It was just obfuscated enough that it looked suspicious at first glance, and it was interesting, because it was coming through FaceBook. And, again, FaceBook was not doing anything wrong... it's just how things worked. People linked to their own websites, outside of FaceBook.

The triggering application turned out to be a Pink Ribbon Breast Cancer Support app. The idea was that you could access the app, and that would show your support for a clearly worthy cause. In using the app, however, you quite clearly said that you allowed the app to access all your contacts, and presumably your information. A couple of hundred thousand women had allowed that at the time I noticed.

Further examination showed that the information was going back to a website called Pebly.com, and this was the website...


No "About us" or "Contact us". Just that block graphic. Searching google a bit, revealed that they made "social applications". For example, they had a "Do it yourself survey" app, that anyone could tweak, and release. Again, I am not suggesting there was anything malicious here, but presumably anyone using any of the apps would provide all their information to that app, and google revealed they had a lot of apps.

Ownership was hidden behind a privacy protector.

Again, this implies no wrongdoing, and it is not uncommon to hide website ownership, but it does mean that we have no idea who was collecting the data, or what they were doing with the data.

By 2010, the site had morphed into a much more normal looking website...



It morphed a few more times, and then seemed to disappear entirely sometime in 2015.

Again, I am not suggesting that they were doing anything malicious. They just collected a whole lot of data, and we don't know who they were, and why they wanted the data. There doesn't seem to be any connection to any of the players in the current Cambridge Analytica saga, so the burning question is ...

Just how many organizations are out there collecting data, and what are they doing with it?

Part 3 tomorrow, folks.

Tuesday, April 10, 2018

The Privacy Revolution is the fourth Great Revolution. (part 1)

Everybody knows that there have been two great revolutions. The first was the Agricultural Revolution, where people stopped being nomads, and began farming. It took thousands of years to have its full effect, but the effect on humanity was massive.

The second was the Industrial Revolution, where people (more or less) stopped being farmers, and factories and towns became the norm. It took about a hundred and fifty years to have its effect, but again, the impact on humanity was massive.

Some people understand that there was a third great revolution, the Computer Revolution, which basically started at the end of World War II. The timeframe is even more compressed, but again, the effect on humanity is massive.

I contend that there is a fourth great revolution that I call the Privacy Revolution. It started with the advent of the World Wide Web, and continues now. In the fulness of time, we will come to understand that the effect on humanity has been just as massive as the first three.

In press interviews in 2002, Eric Schmidt, the then-CEO of Google supposedly said two very interesting things. The first was something like "We pretty much know who everyone is, and what they are interested in.", and the second was something like, "The total amount of human recorded history can be stored in five exabytes, and since some time in 2002, Google has been indexing five exabytes every two days."

The next "interesting thing" is that in 2007, I was out in Mountain View, trying to sell my company, Exploit Prevention Labs to Google. I was in a room full of engineers, and I casually asked one of them, "So, how often do you purge your search logs?", and the guy did a visible double take, and looked at me like I'd said something stupid, and said, "Never!"

Now, some of that might well have changed in the last eleven years, and I consider Google to be Good Guys, and trustworthy, but that's a lot of data.

And they ain't the only ones collecting... think about all the other search engines, not to mention the social media engines that are so in the news right now.

I'll get to the next part of the story tomorrow...

Thursday, March 15, 2018

That was a bit creepy...

So, anyway, for a variety of reasons which are not terribly important now, I decided to start using google calendar today.

First thing it did was ask if it could access my contacts. I generally say no to that sort of request, but, on this occasion, I thought, "What harm could it do?", so I clicked the OK button.

A couple of seconds later, I was shocked to find that it had populated my calendar with a couple of hundred birthdays.

Now I'm not opposed to wishing my friends a happy birthday on their special day, but some of the people in my contacts list are just business acquaintances, rather than "friends", and I would not think it appropriate to know things like that, let alone to wish them a happy birthday.

I thought, "How the heck did google know that just from a phone number or an email address? And what else do they know???"

I mean, I like google, and I consider them Good Guys, but I am concerned about the Privacy Revolution (more about that later), so with a rising sense of anxiety, I figured I'd better look at my contacts, to see if anything obvious was being leaked incorrectly.

Imagine my surprise when the first guy I looked at was not in my address book. Nor the second. Nor the third. None were in my address book. Wait ... what...???

Then I thought, "If it didn't get them from my address book, where did they come from?", and I thought... "FaceBook!!!", but then I poked around a bit, and realized that lots of them weren't friends on FaceBook either... and then, it dawned on me...

Ages ago, I'd joined google plus, but hadn't used it much, and had forgotten about it.

Yup. That's where they came from.

I was a dummy. I don't often admit it, but I was wrong.

Google calendar seems very nice.

As long as it doesn't start laughing at me...

Tuesday, February 27, 2018

Pretty good Apple phish

So, anyway, I've noticed a lot of Apple phishes coming into my email honeypots, and they're convincing enough to catch the unwary, so I thought I'd document it here a little bit. The initial email looks something like this ...
If you click the link, it takes you to this screen ...
which looks pretty convincing, unless you actually parse out the URL in the address bar, at which time you realize it ain't Apple.com. If, however, you are unwise enough to put your AppleID and password in,(or, as I did, just a bogus pair), you are taken to this screen ...
Followed by this one, which is really the point of the whole thing .... they want your credit card.
The screens, unfortunately, are convincing enough that they'll probably catch a few folk. Be cautious out there. Www stands for World War Web.