Friday, September 9, 2011

NBC Twitter account

Hi folks,

So, today, in an (impressively successful) attempt to prove how irresponsible some people can be, some morons calling themselves ScriptKiddies managed to sneak into NBC's Twitter account, and posted fake alerts about a hijacked plane crashing into the World Trade Center site.

It's not clear how they got in yet, but I have a feeling it was password re-use. Yes, I know the password might have just been phished, and I know it might have been a weak password which was guessed, but I doubt that it was brute-forced, as Twitter learned that lesson years ago.

Entirely too many people use just one, or a few, passwords for all their web access, and there are simply too many places we log in now, and if one falls, they all fall.

There are three lessons from this:

(1) Don't take Tweets too seriously. People do get their accounts nailed from time to time.
(2) Subscribe to multiple sources. If something important does happen, multiple sites will report it.
(3) Most importantly, please use one password or passphrase per site, and either write them down and keep them in your wallet, or use some password keeping software, but don't re-use passwords.

Password re-use is your enemy.


Monday, September 5, 2011

Diginotar notes

So, over the weekend, we became aware that a Dutch certificate authority had been hacked, and a whole truckload of fake certificates issued for people like Google, and Mossad, to mention just a few of the more embarrassing ones. In the fullness of time, it's become clear that the initial result of this is that for at least a day, Iranian Internet users were subject to mass Man In The Middle attacks.

The certificates have now been revoked, but there is a certain amount of damage already done.

What this means to those who have been attacked, is that authorities probably read a whole lot of their supposedly private emails, and may have stolen their login credentials for future use. If you happen to be an Iranian dissident, that's probably not good news for you.

There are a couple of shoes left to drop, however. The first is that some of these certificates could probably be used to sign executable code, which in turn will make it easier to slip targeted malcode into a victim's system. Stuxnet, you might recall, was code signed with stolen certificates, so as to avoid Windows warnings.

I don't like this idea at all, as I'm fond of having electricity, and would prefer if it stayed on. Just sayin'.

The second, and bigger shoe, is the simple idea that a medium sized Certificate Signing Authority can (a) have so much power, and (b) be so poorly defended.

How many more such authorities are there? It's worth pointing out that this is probably the second hack of a CA by the same guy, and we may be confident that he'll find more.

The really sad thing is that there is no easy solution for this. No single bit of software, like anti-virus, will protect us.

The best we can do is to start layering in defenses.

For starters, make CAs show some level of security sense.

From an end user point of view, use only one password for each site.

Create a user-grade account for your PC, and use it on a daily basis, instead of admin level.

If your computer warns you about a dodgy certificate for a website, or for an executable... listen to it.

Keep patched (obviously), and find an AV program that doesn't rely on signatures.

Most importantly, more needs to be done by ISPs, and backbone providers. Botnets have to be reduced.

We have probably reached a point where machines cannot be allowed on the Internet if they are showing they are infected. As it is, no one cares, as there is no revenue in it.

This has to change.


Wednesday, August 10, 2011

FaceBook _didn't_ screw up

Hi folks,

This morning, following a friend's status update, I looked at my contacts list on FaceBook, and was horrified to see a huge list of friends and their _phone numbers_! (If you want to see it yourself, you go to Accounts, Edit Friends, and Contacts)

On the page, FaceBook says "Facebook Phonebook displays contacts you have imported from your phone, as well as your Facebook friends. If you would like to remove your mobile contacts from Facebook, you need to disable the feature on your mobile phone and visit this page."

My initial reaction, looking at great swaths of phone numbers that I'd never seen before was "Oh no! FaceBook's done something bad again with privacy" (or words to that effect), followed by "And _I_ never gave permission for my contacts to be imported from my phone!", but after I looked at it for a while, I realized that the list did not have my phone's contact numbers at all. And not only that, but the list did not have all my friends on it.

What I was actually looking at was a list of my friends that had ponied up their own numbers. Perhaps they'd come from some of their phones, but a bunch that I checked were simply what people had put on their own profile, including one memorable one of +10000000000 (R.A....You know who you are).

FaceBook didn't do anything bad, they simply assembled available information, from your friends, in a neat list.

It was just a shock to see it all at once.

Really, the only downside is if your privacy settings are open to the world, and in that situation, it is not yet clear if that might leak your friends' private information.

Perhaps that's a topic for another day.

Keep safe folks.

Roger (Btw, I am currently an independent security guy, _not_ something to do with AVG. Even though they're still my friends, I no longer work there)

Saturday, July 23, 2011

YAFC-Y (Yet Another Facebook Clipjack - Yawn)

Hi folks,

Today, with Amy Winehouse's passing, another young star burned out entirely too soon. Whether we were fans or not is irrelevant. The salient point is that there is a group of greedy, covetous, rapacious, insatiable, avaricious, penurious, gluttonous vultures who eagerly await some misfortune, such as Amy, or yesterday, the cruel events in Norway.

Within hours of these events, they flood Facebook with promises of prurient or sensational videos, but the real goal is to trick kids or teens into agreeing to a $10 a month charge to the cell phone bill. They assume they won't read the fine print.

So, as the title says, on one hand it's YAFC-Y ... Yet Another Facebook Clipjack - Yawn..., but by golly, they're not much more than sociopathic animals. I wonder how they can sleep at night.

Truly, these people (and I use the word loosely) are the lowest of the low, and I can only hope that someone like FTC has them squarely in their crosshairs.


Wednesday, July 6, 2011

Hardening iOS

Hi folks,

iOS is the operating system that powers iPhones, iPods and iPads. These things, along with Android powered devices, are clearly a critical part of the future of computing, and how we go about securing them is an emerging issue. We may be confident that the Bad Guys (tm), whether they be criminals or State-level cyber-warriors are looking hard at how to attack them. With that in mind, I was pleased to see this document, prepared by DSD, the Australian Defense Department Intelligence group, about how to harden these devices against attacks and probes.

It's 36 pages of very interesting reading (if you're a security geek), and definitely worth studying (if you're said security geek). If, however, you're either a simple consumer, or ADD, or both, the critical points seem to me to be these...

(1) When you travel overseas, you need to keep in mind that foreign ISPs and carriers may not provide the same levels of user rights that we often take for granted. Being blunt, foreign governments may well sniff your traffic, so be .... thoughtful... about what you say / type / tweet. (On the other hand, if you are of a mischievous bent, and your friend happens to be traveling in one of these countries, it could well provide much entertainment if you sprinkle seditious words like "revolution" and "protest" in your emails/ IM chats with him... but I digress)

(2) Keep in mind that "Smart Phones" tend to synch (in other words, mirror) lots of data that you might otherwise think was just on your desktop, and if you lose your phone, or it's stolen, you might well be off-network, and thus unable to send a remote-wipe command to it. What this means is that it's a pretty good idea to set a PIN on the phone, and set it to automatically wipe itself after 10 failed attempts to guess the PIN. A few hundred dollars gets you a new phone, but a lost bank account UID/PW might cost you much more.

(3) Be cautious about what apps you allow on your devices. How do we know what data these apps are transmitting, and how do we know who they are transmitting to? The answer is that we don't. A good rule of thumb is to consider how the app developers are getting a return on their development investment. It costs money, time and resources to build an app, and oddly, not many folks do it for free. If you can't see how they're getting a return, it might be a good idea to pass it by. If I can mix metaphors for a moment, there aren't a whole lot of free lunches on the Internet.

When I first started in anti-virus in 1987, there were only a few viruses... Brain, Lehigh, Jerusalem. By the end of the first year, there were only about twelve in total, and we would wonder each month if there would be any more. Today, every anti-virus lab in the world gets about 300k samples every day, 25-30k of which are new and unique. Every day!

For a long while, we only had to worry about DOS, and then Windows viruses, but now we have ubiquitous Windows, plus Apple OSX malware, and a fast-growing Android malware problem. iOS is still fairly safe, but history shows that any platform that has the characteristics of being both widely adopted, and cheap and easy to develop on, becomes a target.

Apple does their best to keep it all safe, but it's in our interests to employ whatever hardening steps we can now. Special thanks and shout-outs to Australia DSD for a fine document.

Keep safe folks.

Tuesday, July 5, 2011

A trap for young players

Hi folks,

Today, on my iPhone (note: not my laptop), I got this message from the friendly folk at Facebook Support...

I've been doing a bunch of things on FB recently, so I thought "I wonder what they want? Did I do something wrong?", and clicked it.

To my shock and chagrin, I was taken, not to FB, but to a Pharma page!

Wait ... I'm much too cunning to be caught by that! What happened?

The issue, friends, is that I was reading FB on my smart phone, and not my laptop. If it had been the laptop, I would, as a matter of course, simply have hovered the mouse over the link, and after a small pause, my mail client would have shown me the true URL behind the link. (In non-geeky talk, what that means is that whenever you get a suspicious email, you point the mouse at the link in the email, but _don't_ click it. Just wait a couple of seconds, and it will pop up a message showing the _real_ URL behind the link. If it's not Facebook, or eBay, or whatever you thought it should be, just delete the email)

Because, however, I was on my smart phone (dumb phone might be more correct, perhaps?), there is _no_ way to do a mouse hover, and therefore no way to see what's really behind the link.

Because so many people are moving to either Android or iPhone, this is an emerging problem. In this case, all I had to do to fix it was to close the browser, but if there had been an exploit, or even convincing social engineering behind it, they might have caught me. And I'm a little bit more cunning than lots of users.

What is needed is some way to view the source of the message. If no one builds such an app, maybe I will.
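The mouse-hover check above is really a comparison between what a link says and where it actually goes, and that comparison can be automated against the raw message source. The following is an added example, not code from the blog or from any product mentioned here: it pulls every link out of an HTML e-mail body and flags the ones whose visible text names a different host than the href does, including the user-info trick (http://www.facebook.com@other-host/...) where the real host is the part after the '@'. The sample message and all of its domains are constructed placeholders.

```python
"""Extract every link from an HTML e-mail body and flag ones whose visible
text points somewhere other than where the href actually goes.

Added example (not from the blog post); the sample message below is
constructed for illustration, and all of its domains are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "Facebook Support" lure whose link text says
# facebook.com but whose hrefs go elsewhere (example domains only).
SAMPLE_EMAIL = """
<html><body>
<p>Hello, this is Facebook Support.</p>
<p>Please review your account: <a href="http://www.facebook.com.login-check.example/verify">
https://www.facebook.com/help</a></p>
<p>Or use <a href="http://www.facebook.com@pharma.example/x">www.facebook.com</a></p>
<p>Settings: <a href="https://www.facebook.com/settings">https://www.facebook.com/settings</a></p>
<p><a href="http://pharma.example/offer">Click here</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []        # finished (href, text) pairs
        self._href = None      # href of the anchor currently open, if any
        self._text = []        # text fragments seen inside the open anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url_or_text):
    """Return the last two DNS labels of the host in a URL or bare host name,
    lower-cased, or None when the text is not URL/host-like.

    urlparse().hostname drops any user-info, so for
    http://www.facebook.com@pharma.example/ the host is pharma.example.
    """
    s = url_or_text.strip()
    if not s or " " in s:
        return None
    if "://" not in s:
        s = "http://" + s          # bare host names such as www.facebook.com
    host = urlparse(s).hostname
    if not host or "." not in host:
        return None
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_links(html_body):
    """Return one (href, text, verdict) tuple per link.

    verdict is 'mismatch' when the text names a host that differs from the
    href's real host, 'ok' when they agree, and 'opaque' when the text is
    not host-like ('Click here'), so the reader has nothing to compare.
    """
    parser = LinkCollector()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        shown, actual = registrable_host(text), registrable_host(href)
        if shown is None:
            verdict = "opaque"
        elif shown == actual:
            verdict = "ok"
        else:
            verdict = "mismatch"
        results.append((href, text, verdict))
    return results


if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE_EMAIL):
        print(f"{verdict:8s} text={text!r:40s} -> {href}")
```

Comparing only the last two labels is deliberate: "www.facebook.com.login-check.example" and "www.facebook.com" look alike to a glancing reader, but their registrable parts ("login-check.example" versus "facebook.com") do not. An 'opaque' verdict is not an all-clear; it just means the text gave you no host to check, so the href is the only thing to read.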

Keep safe folks, and be cautious. When Obi-Wan Kenobi said "There has never been a more wretched hive of scum and villainy", I'm pretty sure he was talking about the Internet.


You just can't believe everything you read

Hi folks,

Over the weekend, our friends over at Sophos noticed that Fox News got one of their Twitter accounts "hacked". The "hacker" posted four or five bogus tweets about the President being assassinated, over a ten hour period, before the Fox guys noticed. I guess we could say that it took them ten hours to tweak that their tweets were being twampled. (Sorry)

Once they realized what had happened, they (presumably) changed their password, and deleted the dud tweets.

Their public response was that they had been "hacked", and they were demanding a full explanation from Twitter about what happened.

Well, I can tell you what happened. You weren't "hacked". Your person, or people, running that Twitter account got his or her password phished.

It hurts a bit, but it wasn't Twitter's fault, so there's no point in blaming them.

What it really underscores is the danger of password re-use. It's dangerous, and you simply must adopt the idea that you'll have one password per website that you want to use. If that's 50 websites, then you need fifty passwords. It sucks a bit, but the alternative is that if you only have a few passwords, and one website fails, then all the other websites that password accesses are compromised.

Use a password manager, or even write them down and keep them in your wallet, but the rule has to be ...

No password re-use! Ever.
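"If one falls, they all fall" (the Twitter post above makes the same point) is something you can measure against your own vault rather than take on faith. Here is an added example, not code from the blog or from any password manager: it reads a list of (site, username, password) records such as a password-manager export, groups sites that share an exact password, groups sites whose passwords differ only by case or a trailing year/punctuation tweak, and answers the question "if this one site leaks, which others go with it". The export is constructed, every site and password in it is a placeholder, and the report prints hash prefixes rather than the passwords themselves.

```python
"""Audit a password-manager export for re-used passwords.

Added example (not from the blog); the export below is constructed and
every site, user name and password in it is a placeholder.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample export: (site, username, password).
SAMPLE_EXPORT = [
    ("twitter.example", "newsdesk", "Summer2011!"),
    ("mail.example", "newsdesk", "Summer2011!"),
    ("bank.example", "newsdesk", "Summer2011!2"),
    ("forum.example", "newsdesk", "correct horse battery staple"),
    ("shop.example", "newsdesk", "summer2011!"),
]


def _fingerprint(password):
    """Short SHA-256 prefix so the report never echoes a plaintext password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def _stem(password):
    """Collapse the usual per-site tweaks (case, trailing digits/punctuation)
    so near-duplicates group together. A heuristic, not a strength metric."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def find_reuse(records):
    """Return (exact, near): each maps a fingerprint to the sorted sites that
    share a password (exact) or a password stem (near), keeping only groups
    of two or more sites. A near group identical to an exact group is dropped
    so each finding is reported once."""
    exact, near = defaultdict(set), defaultdict(set)
    for site, _user, password in records:
        exact[_fingerprint(password)].add(site)
        near[_fingerprint(_stem(password))].add(site)
    exact_groups = {k: sorted(v) for k, v in exact.items() if len(v) > 1}
    near_groups = {k: sorted(v) for k, v in near.items()
                   if len(v) > 1 and sorted(v) not in exact_groups.values()}
    return exact_groups, near_groups


def blast_radius(records, breached_site):
    """Sites using exactly the same password as breached_site: the accounts
    that fall if that one site's credential store is phished or leaked."""
    by_site = {site: password for site, _user, password in records}
    if breached_site not in by_site:
        return []
    leaked = by_site[breached_site]
    return sorted(s for s, p in by_site.items() if p == leaked and s != breached_site)


if __name__ == "__main__":
    exact, near = find_reuse(SAMPLE_EXPORT)
    for fp, sites in exact.items():
        print(f"EXACT re-use  {fp}: {', '.join(sites)}")
    for fp, sites in near.items():
        print(f"NEAR re-use   {fp}: {', '.join(sites)}")
    print("if twitter.example is phished, also exposed:",
          ", ".join(blast_radius(SAMPLE_EXPORT, "twitter.example")))
```

On the constructed data the exact group is twitter.example and mail.example, and the near group pulls in bank.example and shop.example as well, which is the point: "Summer2011!2" at the bank is not a separate password in any sense an attacker cares about. A clean audit is one where both groups come back empty.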

Keep safe folks,