Monday, February 25, 2013

Deleted Facebook profiles get restored by hackers, harming reputations

NBC Washington reported on an incident where a man who had deleted his Facebook profile in 2008 found that someone had replaced it and added materials suggesting he supported terrorism.
He was not able to get the profile removed again until he called the FBI.
He was afraid that the post would cost him his security clearance with a government contractor in the DC area.
He had removed his profile because of his security clearance in 2008, but I know of people with very high clearances who are able to keep their personal social media profiles as long as they don’t disclose what they do at work.
The only part of the story ("Pirating Your Profile") online at NBC4 is a report by Liz Crenshaw on Facebook’s response. I could not find the original story. The link is here. Curiously, NBC4 didn’t link to the original story.

Thursday, February 21, 2013

Large corporations are more open about their vulnerability to hackers; what about people?

The New York Times has a major story about large corporate hacking “victims” in the front page and Business Day sections, “Hacking victims edge into light: Once silent, companies now disclose attacks”, link here.
The article gives a complete list of major companies (including newspapers like the NYT and service providers like Facebook and Twitter) who have been hacked.
A major source of hacking still seems to be authoritarian governments, especially China, attempting to rein in dissidents and possibly harass family members of dissidents.
So far, customer data (or postings) do not seem to have been disturbed or compromised.
Celebrities don’t seem to be as valued now as “marks” as are companies and even government agencies.
Nevertheless, it would be a good idea for companies to install “2-step verification” as Google has. Another question I have wondered about is whether the iPhone could offer security advantages for customers using 2-step verification as opposed to other smart phones because of ties to Google; that question needs attention from smartphone app developers. (See IT job market blog Sat. Feb. 16 for more on this.)

Saturday, February 16, 2013

"Hackers" hold security conference in Washington DC hotel; criticism of Java, Adobe Acrobat Reader

When I went to the Electronic Frontier Foundation “Speakeasy” event in Washington DC February 15 (“BillBoushka” blog today), I did have trouble finding it, in the bowels of the Hyatt Regency Capitol Hill near Union Station. I wound up having a belated dinner (service took 35 minutes) sitting with a group called “Infosec for Higher Education”. Downstairs, people could register for a “hacker conference” with groups there like “Hackers for Charity”. The private conference appeared to be aimed at dealing mainly with corporate espionage, especially from China.

I asked a young man sitting at the Infosec table a few “reporter’s” questions. He was underwhelmed that Oracle had finally replaced Java on home computers with the latest security patch, after DHS had even recommended that users turn off Java. He said that Java is “full of holes”. Macintosh now turns it off by default.
I did have an older version of my “” site with a Florida-based company called Java Started from 2002 to 2006. In the summer of 2006, the company simply stopped supporting the Java engines, and the site became inoperable with Apache internal server errors. It had been bought by another company in New Jersey and I never heard what happened.
Other ISPs have told me that they support PHP but not Java, which they say is too hard to secure. I don’t know why.
Since about 2001 or so, retailers have used Java as their basic engine for developing their sales websites.
When I worked for ING-Reliastar, it used Java for its mid-tier data access layer, but not for the presentation to users (for which it used PowerBuilder). Was security a concern then?

Java made tremendous progress from 1996 into being accepted as a production language by about 2000, but now it doesn’t seem to enjoy such a good reputation. Why?

The security person also told me that Adobe Reader causes serious security risks for some home users, and that Adobe had gone "out of control" with often unnecessary features.

I use PDF files all the time myself, as a repository for my book drafts. And I look at them online without much thought, whereas I don't like to look at Microsoft Word documents directly -- but that may be an "old chestnut".

Thursday, February 07, 2013

Washington Post reports on major problems in Android mobile security

Craig Timberg has a major story in the Washington Post on Thursday February 7, 2013, “’Fragmentation’ leaves Android phones vulnerable to hackers, scammers”, link here.
There is a specific issue with the Android operating system that leaves consumers vulnerable to certain kinds of phishing, and it’s not clear whether Verizon or Google is responsible for the fix.

The article discusses the danger that smart phone users could be “stalked” physically by hackers. This is probably very unlikely for the average user, but possibly a real problem for corporate executives who don’t have “Secret Service” level security on their phones.

I have a Motorola Droid (from early 2012) with about a year or less remaining on my contract, with Verizon. I have been averaging about one unsolicited “junk” text every two days, not enough to raise my bill, but a potential problem if it grows.

Here is an hour-long video by Google Development on Android security from 2012.

Friday, February 01, 2013

Chinese government hacks NYTimes, WSJournal, to identify dissidents at home, only

The New York Times has reported in great detail on the hacking of its computers, apparently under the direction of the Chinese government, which took indirect routes of commandeering small business computers around the world to obfuscate its work, and which used sophisticated, deliberate password crackers and decryption “rainbow” tables. Generally, only a state goes to this kind of effort.

China wanted to get the identity of individual Chinese people who had talked to the New York Times and Wall Street Journal about corruption in the Chinese government and upper floors of some major companies. Then the government could harass, chill, or possibly arrest or interrogate those citizens.

China did not try to gain any information about New York Times subscribers, distributors, or other stakeholders in the US or the West (we’ve read of security problems when criminals get hold of newspaper subscription holds, for example, in California; nothing like that was going on here).
A detailed story in the New York Times by Nicole Perlroth is here.

The main account in the Wall Street Journal is here.

The Washington Post is also reporting that it has been attacked regularly since 2009 or so, here. The story is by Craig Timberg and Ellen Nakashima. The story discusses a blog by Brian Krebs and possible investigation by the NSA and DOD. Again, the attacks are very sophisticated, use third parties, and appear intended "only" to intimidate dissidents within China.
Picture: The Ballston Common Mall (Arlington Va) computer system crashes, shows its dirty laundry.