Wednesday, September 28, 2011

Compromise of digital certificate authorities (CA's) leading to fake blogs, fake social networking profiles, to steal PII and phish

Byron Acohido has an alarming story on the front page of USA Today on Sept. 28, “Hackers shake web to core: security at top levels questioned” in print, and “Authenticity of web pages comes under attack” online, here.

The story concerns the hacking of at least three companies that function as Digital Certificate Authorities, or CA’s.  At least one firm in the Netherlands was put out of business by the hack.

More interesting is that hackers don’t seem to be targeting services that banks and payment service use. Instead they seem to be going after social networking and blogging sites, sometimes impersonating legitimate sites or blogs, apparently as another scheme to harvest PII (personal information).   It sounds as if this activity links into the problem of “spam blogs” and associated “link farms”, since these are often formed by scraping legitimate blogs and are difficult to detect reliably (this was a big issue for bloggers in the summer of 2008, including an incident where fake reports on a couple of disturbing national security-related slayings in the DC area were circulated). It would also bring up the subject of faked or hacked profiles.

For example MSNBC today reported a Facebook scam where a woman was conned out of $2000 by someone impersonating her sister, link here

Tuesday, September 27, 2011

McAfee gives incorrect warning of no Internet access on old XP laptop

An odd event occurred Sunday as I maintained my own 2006 Dell Inspiron laptop, which has Windows XP and McAfee.

It gets slow in both downloading Microsoft updates and running McAfee’s scan.  This time, I had pulled some old data off and copied it onto a flash drive, while the McAfee scan was unusually slow and started with the HLKM’s, which I thought were the Windows registries.  Finally I canceled the scan and let the updates install. Then I got a low on memory warning, and the Internet notification icon started blinking. I tried to restart using the update start button, and it wouldn’t. So I pressed the off button.

It rebooted normally, and seemed OK, and the wireless Internet connection with Verizon MIFI came up. But this time McAfee flashed the red “Your computer is not secure” and saying it could not check for updates and was not connected to the Internet, when the Internet browsers (Firefox) worked on uncached materials. A quick scan ran normally and found no problems. 

Monday, September 26, 2011

WSJ says naive employees make themselves targets for corporate hackers, both with "professional" blogs and with at-work behaviors

Geoffrey Fowler has a stinging article in today’s Wall Street Journal, indicating that the biggest security threat for most firms is gullible and loquacious employees (“YOU”), with the link here. Webroot tweeted this link today.

I was surprised to read how easily employees are fooled by phishing attacks from the outside and click on links. But when I worked for ING-ReliaStar-USLICO, most of the emails I received were internal. In fact, until about 1995, most of the emails came on the mainframe from SYSM (as a CICS region).

One issue is how much information employees post themselves, even for “professional” purposes on sites like LinkedIn.  Blogs are an issue, but social networking sites like Facebook and Twitter may pose less of a targeting risk than the more “professional” ones.  Employers would need to consider these exposures with their blogging policies.

Customer service workstations could get infected by trojans that would scrape personal information from clients or customers in the general public. 

At ING, we actually were infected with a virus called “Magister” three business days before 9/11 in 2001, and my work station remained clean. It was a big deal, but it would all be forgotten the following Tuesday.

Saturday, September 24, 2011

Austin TX police department had planned to warn residents about unsecured WiFi routers

Electronic Frontier Foundation is reporting about a plan by the Austin TX police department to “test wardrvie” in residential and commercial neighborhoods and look for wireless routers that are not properly secured (presumably with passwords and desired to levels of encryption).

Police were going to issue warnings to residents and local business owners with unsecured WiFi conncections.

Rainey Reitman has the story for EFF here.

The story doesn’t note where Texas has a downstream liability law that could hold residential WiFi users responsible for illegal use of their connections.  Whether there should exist such a law would set up a real debate, but EFF calls this a “Tragedy of the Commons” (Wiki article url ).

The Austin Police have postponed the plan.

KVUE has a story on the incident here

MiFi devices for travel may be safer because they require a long random code for entry to activate (unless they are physically lost). 

EFF tweeted the story today.  Let’s see if Webroot also tweets it.  

Wikipedia attribution link for downtown Austin picture. My last visit was in 2005. 

Wednesday, September 21, 2011

Fake surveys -- they're back (this time on tinyurl misspelling)

“It” happened again today.  I went into – don’t see how I misspelled it, but maybe I did – and I got directed to one of these “social rewards” surveys – intended to spam your cell phone with “guessology” and the like and run up your minutes and bill. I had accidentally gone into the 64 bit Internet Explorer instead of the usual 32 bit one, but I don’t see how that makes a difference.

Watch your spelling!

Monday, September 19, 2011

Citibank-imitation phishers tout solutions to "identity theft"

Here’s another wrinkle today on phishing.  I get an email from Citibank, or was it Citicards (where I have an Master Card account) titled “identity theft solutions”. Inside is a not very transparent attempt to get personal information. This one didn’t both to copy the trademark (which the Bank of America phishers do.)

The abuse department of Bank of America always responds to forwards of phishes, but I haven’t found that other banks (Wells Fargo and Citibank) respond.

Sunday, September 18, 2011

NBC News Twitter feed hacked

The Twitter account of NBC News was apparently hacked with bogus reports of another attack at Ground Zero, according to a story in the Huffington Post this morning, here

NBC discovered the hack and removed the posts quickly, and apologized to readers.

A group called “Script Kiddies” claimed credit.  We’ve heard of them before.

Was NBC using Twitter exclusively under https?  

Saturday, September 10, 2011

A license for webmasters? Obama administration debates stiffer penalties for hackers, stricter security standards for sites

The “Hill’s Technology Blog” is reporting that the Obama administration is considering recommending much tougher sentences for those convicted of participation in hacking and various fraud schemes, link here

It should be noted that usually when people are arraigned for computer crimes and get bail, they are required to stay off the Internet completely even before conviction, under probable cause. 

There is also debate on whether to hold companies (those who process consumer PII) to specific standards of security.  Although the article focuses on large companies, especially financial institutions, rules could affect ordinary webmasters, at least if they take credit cards.  Whether downstream liability should be tied to adhering to certain standards is being discussed.

Are we heading toward a day when one will need a “license” to have a web site?
Webroot tweeted this story early Saturday. 

Wednesday, September 07, 2011

New Jersey students discuss new anti bullying law, which covers cyberbullying off campus

In this web-only NBC Nightly News clip, New Jersey high school students talk about cyberbullying, both on Facebook and especially Formspring.

One boy said that kids tend to believe, “If it’s on the Internet, it must be true.”

New Jersey, in the wake of the Tyler Clementi case at Rutgers (university) has passed the toughest anti-bullying law in the country, incorporating off-campus Internet activity, too.

Saturday, September 03, 2011

Do auto insurance companies, like banks, eschew getting info from customers by email?

Today, I received an email from Geico asking to link to a questionnaire for an update of records.

My insurance would renew in January, so it’s early. But I did change it last Spring for business use. 

The email, however, gave a spelled out https link which, when I went to Geico’s site that way, found no such questionnaire, just the usual information on one’s policy and its billing or paid-up status as well as coverages.

I thought insurance companies would contact you by  US mail to update information, not email; pretty much as with banks.

I didn’t click on the main link, I just went to the site myself.

This is an odd one.  It arrived on a Saturday, too.  I would certainly call Tuesday and check something like this.   The email asked for a reply within 30 days.  Again, odd. 

Thursday, September 01, 2011

Reformed hacker Kevin Mitnick publishes his "code of conduct"

The National reports that formerly imprisoned computer hacker Kevin Mitnick has a new book, “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker”, published by Little Brown, Amazon link here

The news story about the book, tweeted yesterday by Webroot, speaks of Mitnick’s “code of conduct”.

Mitnick was released from federal prison in 2000 and has become trusted as a security consultant.

One of the most memorable lines in the opening sequence of the film "The Social Network" was "let the hacking begin!"  There is still a cultural idea that "hacking" is something that "real programmers" should prove they can teach themselves to do. 

Pictures: The Jail Museum in Warrenton, VA.   A friend in Minneapolis, a stand-up club comic, used to say "Stay out of jail. Stay out of the penitentiary."