Category Archives: security

Chat Log: What It Looks Like When Hackers Sell Your Credit Card Online | Threat Level |

The seller in this deal is Max Butler, the subject of the book. A white hat hacker gone bad, Butler at this time was still finding his legs as a stolen credit card vendor, using the handle “Generous.” He’d recently cracked the point-of-sale system at a pizza restaurant in Vancouver, Washington, and he was looking for someone to buy the credit card “dumps” – magnetic stripe data, including account numbers – that he was stealing from customers.

via Chat Log: What It Looks Like When Hackers Sell Your Credit Card Online | Threat Level |


One Job I Wouldn’t Want

Good luck, new CISO of Sony.

Good luck.


Wow. It really works!

Cyber War versus Cyber Espionage

Sy Hersh has an excellent article in The New Yorker about much-politicized notion of “cyber war.” Insightful all around, but the real crux of the story is noting a distinction between cyber war and cyber espionage:

American intelligence and security officials for the most part agree that the Chinese military, or, for that matter, an independent hacker, is theoretically capable of creating a degree of chaos inside America. But I was told by military, technical, and intelligence experts that these fears have been exaggerated, and are based on a fundamental confusion between cyber espionage and cyber war. Cyber espionage is the science of covertly capturing e-mail traffic, text messages, other electronic communications, and corporate data for the purpose of gathering national-security or commercial intelligence. Cyber war involves the penetration of foreign networks for the purpose of disrupting or dismantling those networks, and making them inoperable…Blurring the distinction between cyber war and cyber espionage has been profitable for defense contractors—and dispiriting for privacy advocates.

Cyber war, it turns out, is a ploy used to scare up the body politic, and funnel funding into lucrative defense contracts. Often, one hears of hacker attacks on things like our electrical infrastructure. But this is just not possible:

There is no national power grid in the United States. There are more than a hundred publicly and privately owned power companies that operate their own lines, with separate computer systems and separate security arrangements. The companies have formed many regional grids, which means that an electrical supplier that found itself under cyber attack would be able to avail itself of power from nearby systems. Decentralization, which alarms security experts like Clarke and many in the military, can also protect networks.

Hersh’s article is well worth reading, a straightforward and level-headed look at the threats we face, and the once that are more or less fictional.

XML Insecurities

The thing about computer security is, the more you learn, the more you realize the Internet is essentially patched together with duct tape and butcher’s twine:

Security researchers today unveiled details about a little-known but ubiquitous class of vulnerabilities that may reside in a range of Internet components, from Web applications to mobile and cloud computing platforms to documents, images and instant messaging products.

…Researchers at Codenomicon Ltd., a security testing company out of Oulu, Finland, say they found multiple critical flaws in XML “libraries,” chunks of code that are typically used and re-used in software applications to process XML data.

…XML is used in a variety of document formats (docx, openoffice, playlists, configuration files and RSS feeds, to name a few). As a result, there are numerous vectors for attacking XML flaws remotely, such as sending malicious documents or network requests, said Jussi Eronen, an information security adviser for CERT-FI, the Finnish Computer Emergency Response Team.

Um, yay?

Tweeting The Revolution Is Not Without Risks

The biggest story about Iran, besides the protestors themselves, is the protesters’ use of social networking sites, especially Twitter, to help perpetuate the images and stories of what is happening on the ground.

But these same sites that can fuel a revolution can also be misused, as noted here in a recent SANS ISC diary:

From an information security perspective, the threat is leading people to malicious websites. Set up a blog with an archive of posts on the issue, “borrow” a few pictures of the conflict and post them. Tweet a message that says “live images of protestors being shot at” and point to your blog that also includes pre-tested malware that is known to be not detected by AV vendors. Twitter and social networking tools provide another mechanism to lead people to the cyber-threat where only e-mail was used before. Twitter has no “anti-spam” features, everyone talking about a subject shows up.

So while the use of twitter and other tools provide for a means to breach censorship rules of foreign regimes, it does not come without risks. Is the information valid? Is it leading you to malware infecting your machine?

Simple precautions should be taken when viewing these sites — at the very least, make sure your AV is up to date, and use Firefox with the NoScript add-on.

We’re only at the early stages of this kind of political “hacktivism,” and as our lives turn increasingly digital, the tools and technologies we use are simultaneously connecting us to others as well as putting us at risk.

Oh Good, The Power Grid Will Be Hackable

A new security hole has been found in utility smart meters:

New electricity meters being rolled out to millions of homes and businesses are riddled with security bugs that could bring down the power grid, according to a security researcher who plans to demonstrate several attacks at a security conference next month.

The so-called smart meters for the first time provide two-way communications between electricity users and the power plants that serve them…There’s just one problem: The newfangled meters needed to make the smart grid work are built on buggy software that’s easily hacked, said Mike Davis, a senior security consultant for IOActive. The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid. The vulnerabilities, he said, are ripe for abuse.

What perhaps adds a more dangerous element to this story is Google’s recent plans to hook into the power grid, via free software that customers run:

In a move to connect the emerging smart energy grid with the Internet, Google on Wednesday announced partnerships with eight national and international energy companies to allow consumers to access data about their energy usage through Google’s PowerMeter gadget.

Google PowerMeter is a software application that can be embedded on the company’s iGoogle personal home pages. It displays data about home energy usage, data provided by the new generation of network-ready smart power meters that are being installed by various utilities around the world.

While the vulnerabilities aren’t related to Google’s software, the fact that they are in this game, using the same free software model that made their other gazillion products popular, means there is a good chance this type of smart metering will take off. Under the guise of “informing the consumer,” the cool factor of monitoring your electricity bills over the net might cause the underlying software risks to be ignored, or pushed to the side.

Don’t Click!

Yesterday, an interesting worm spread its way through Twitter. Thousands of people started tweeting “Don’t Click:” with a link attached. Click on that link, and it posted a tweet from your account to all your friends, with the same message.

Sunlight Labs did the initial analysis:

Huzzah! the first twitter social virus!

It seems mostly harmless, just perpetuating itself and breeding. You can check out the graph of its use here:

Here’s how it works:

You can actually link to twitter and auto-fill a message box quite easily. All you have to do is write a link like this: Labs post on Don’t Click:”. What this “virus” does is, it creates an iframe of the page, hides it, and when you click that button and you’re logged into Twitter, it makes you post that message (even though you don’t see it). There’s not a bit of javascript involved. The only javascript on the page is their Google Analytics code.

So, this “social virus” simply created an invisible page that overlaid the page you *thought* you were clicking, and it essentially forces your browser to push out a link.

That fact that no scripting was involved, and your password wasn’t at all needed for this little trick means it was basically harmless, from a security and privacy perspective.

Many people on twitter remarked how the way this “virus” spread demonstrated the “power of social networking.” But that’s not true — just the opposite.

It demonstrated the frailty of social networking. It has exposed what is always the weakest link in any system — the human factor.

The spread of this “social virus” relied on the trust we all place on our online friends. When someone you know and trust says “Don’t Click,” you assume it’s a joke they are playing (like you going to get rickrolled), and so you go ahead and click on it. The fact that many of your friends started posting the “don’t click” message on Twitter simply meant that everyone else was in on the joke, and you had to find out what it was all about.

Social networking sites and programs rely on the fact that we all trust each other. This same trust we place in each other is also the way social networking site and programs can be exploited.

Initial Thoughts on Conficker

I’ve been following the news on Downadup/Conficker, the largest botnet ever created/perpetuated to date. If you’re not familiar with it, Conficker is a computer “worm” that has infected an estimated 9 million Windows computers to date. It is essentially a large computer network, at the direction of *someone*, and no one knows at this point who that someone is, and what he or she (or them) may want to do with it. This botnet may end up being nothing; it may be the largest spam headache we’ve ever experience; it may be worse.

You can chart developments on sites like Symantec, or follow the SANS Internet Storm Center. The latest news on this botnet is a number of IT companies have decide to put up a stronger front in the fight:

Firms, including Microsoft Corp., Symantec Corp. and VeriSign Inc., have joined ICANN, the nonprofit group that manages the Internet Domain Name System, to preemptively register and remove from circulation the Internet addresses that the worm’s controllers use to maintain their hold on infected machines, said Gerry Egan, director of product management in Symantec’s security response group.

Separately, Microsoft has offered a $250,000 reward for information that results in the arrest and conviction of the hackers who created and launched the worm.

In any case, I’ve been trying to think of how to correlate this into something related to media theory. I’m not there yet, but certainly Galloway and Thacker’s The Exploit is an obvious starting point. Their thesis is essentially “the network” has become the dominant cultural paradigm, and we seen this in both positive and negative ways. So that the same mechanisms and forces that make, for example, music file-sharing or Facebook or online politics so powerful are the same forces that can perpetuate terror networks or things like the Conficker botnet.

The fact is that Conficker is endemic to our cyber-lives; it, and the no doubt larger, more pervasive, and more dangerous botnets that will eventually come along in the future, are a by-product of the connectedness we share, both online and off.

Portable Apps and TrueCrypt

An update on my previous post, about Portableapps.

I’ve been using this for a few weeks now, and have updated my setup, with TrueCrypt. Basically, I’ve set a USB flash drive with an encrypted TrueCrypt partition, and within that, I’ve installed portableapps.

So, with this setup, anything I want to bring with me gets encrypted — my browser settings, bookmarks, documents, etc. It’s secure, in case I lose the drive. I have a browser with me all the time, as well as a PDF viewer, and an IM client (Pidgin).

I have two drives, actually. One is 256MB, the other 8GB. Because of FAT limitations, the Truecrypt partition is limited to 2GB, but that’s more than enough space. The only difference between the two drives is the smaller one does not have room to install OpenOffice, but the larger one has that, too.

A very nice, secure, opensource, portable setup.