Saturday, August 31, 2013

More on private encryption keys; are fears of a cyberwar from Syria overblown?

Electronic Frontier Foundation has an important statement about service provider private encryption keys, link here

An important subset of this discussion is Perfect Forward Secrecy (PFS). That facility prevents “retrospective” attacks that might even get through https. EFF is mainly concerned about this possibility coming from government snooping itself, namely the NSA.

There is discussion today about whether the US infrastructure could come under cyberattack from the Syrian or Iranian forces, particularly if the Obama administration launches air strikes against chemical weapons sites. 
A deliberate attack could make financial processing as we know it now very difficult.

As for the power grid, military systems, or other critical infrastructure systems (like oil pipelines), I would wonder why it is even possible, from the point of view of topology or graph theory, to reach a power grid computer (especially at a nuclear power plant) from my own computer that I type on.  I don’t think it should be (nor should this be possible from a computer in Tehran, Damascus, or Moscow).   But if I can log on to Dominion Power during a storm when the power is out (through wireless cellphone) and look at the status of my outage, there may exist such a direct connection.  Nobody has explained this yet. 

I thought that the Stuxnet virus was implemented through a flash drive.  Of course, utilities and all other infrastructure have to use security with respect to other “objects” brought into the workplace to be loaded onto their systems.  To that end, telecommuting or use of employee owned laptops (I owned most of what I connected to work with from home during my career) becomes a security issue.  Two-step verification is predicated on a level of physical world security.

Jordan Robertson talks to Bloomberg News about what a cyber war could be like. 

Robertson also says that the domain name attack on the New York Times could have been prevented by a “registry lock”, which Twitter had.

Thursday, August 29, 2013

DNS redirection is the most recent hacking technique, at least by rogue states or regimes (New York Times and Twitter)

Is the most recent “hack” of the New York Times and Twitter an indication of a change in strategy by hackers?  Is this a risk to home users or small business or even newbie bloggers? Timothy B. Lee and Hayley Tsukayama have the story here

This time, it appears that the “Syrian Electronic Army” got access to the record keeping at an Australian company, Melbourne IT, which apparently the NYTimes and Twitter and others use.  “Ordinary” people are more likely to use one of the numerous domestic companies.  In fact, most large ISP hosting companies also offer domain name registry.  It used to be that the most important player in the US was Network Solutions, still a big player in the Loudoun County, VA technology corridor.
It seems bizarre that an autocratic regime would use such crude attacks against major news media.  This possibility wasn’t viable twenty years ago for Saddam Hussein.  Attacks against news media seem to have no effect on government policy, such as possible military intervention.

A practical risk for users would be a financial institution’s DNS being hacked and pointed to fake servers.  That is forestalled in part by https, but also by the use of secret images at sign-on which tell you that you went to the real site.  A hack could not go on for long without attracting enormous attention from the news media.

I’ve experienced only one hack, in 2002, against an on-line copy of a chapter on terrorism from my “Do Ask Do Tell II: When Liberty Is Stressed” book (“pubbed” in 2002; the online essay had gone up first).  That defacement occurred starting with a passage that discussed possible terrorist use of nuclear weapons.  It contained some bizarre references to areas in NW Russia.   I’m not sure what anyone could make of it.  It was passed on to the FBI.  The corruption seemed to occur by leaving a Unix Site command open.  

So far, it has been large media, corporate and government sites that have been targeted for hacks.  Undermining of small business would have a different aim, a kind of psychological warfare of intimidation of the grass roots, which seems to be how things work within Putin’s Russia right now.  Or that may be how the legal bullies (copyright and patent trolls) work, but with nearly “fake” litigation.  We could say that about SLAPP lawsuits. 

It is taking up to 48 hours for the New York Times to become available again to all users, because correct DNS mapping has to propagate.  I can get it now through Comcast. I never did actually experience the outage.  Twitter worked normally for me yesterday.

I did have about a 10-hour outage Sunday night and Monday morning on my own site, but this appears to have been the result of weekend ISP shared hosting Windows Server maintenance, which became more complicated than had been expected.

Wednesday, August 28, 2013

Fake AV will make escalating "offers you can't refuse", as if you owned a "Mafia bar".

Some rogue antivirus vendors make “escalating” demands and “offers” to owners of infected personal computers, according to Tony Bradley in a column on his CSO Security and Risk page.   The link is (website url) here.

Bradley compares it to a Mafia-controlled town, where organized crime requires families (particularly small business owners) to pay “protection” or extortion money after small acts of vandalism, which escalate. He calls this trick "The Offer You Can't Refuse".  
The Microsoft Malicious Software Removal Tool can usually remove these products.  Microsoft provides a video of an example of a generic “Fake AV” product.

Such attacks are much less likely on PCs with properly updated anti-virus software.
I used to find offers of fake AV software in spam blog comments until I started monitoring, and Blogger also started filtering them.  All such comments have been removed as far as I know.

Remember the "Mafia bars" of the 1970's?

Tuesday, August 20, 2013

Mobile scam claiming GMail is compromised reported today on local TV station

Liz Crenshaw of NBC Washington (NBC4) is reporting today about a mobile phone virus or worm that flashes to users a message (apparently an MMS or SMS text) that their Google GMail has been compromised, and which then attempts to solicit personal information.

This is a hoax or scam, and should not be responded to. Links in the text should not be followed.  Users can report incidents to their carriers or the FTC.

Offhand, it would sound as if such a scheme could compromise "2-step verification" to Google accounts, which depends on a cell phone.  But users can download an app to generate the verification codes and not depend on the text being sent -- suddenly, that method sounds more secure.  Or users can also use special backup codes that can be saved in a file and used when a cell phone is not available.

Other providers, such as banks and other social media (like Facebook), are likely to adopt such verification methods in the future.  There might need to be common vendors for the code generating apps.
Google accounts started offering 2-step verification about three years ago after password cracking attacks (for international scams trying to get money from relatives for people falsely reported as arrested overseas) made the news.   

Sunday, August 18, 2013

Baby monitor hacked; home locks, security systems and other hardware controlled by networks could be vulnerable

The latest technology safety scandal seems to be the hacking of a baby monitor, which was apparently controllable by remote device or through a home network with a password.  CNET has a typical news story account (website url) here.

Similarly, the smart home, where electronic door locks (like those in hotels),  thermostats, and even the security system itself can be monitored by smart phone and wireless Internet (it might require that a PC be left on while the person is away) could leave the home itself vulnerable to hackers.  Maybe door locks should just be mechanical (and Medeco). 

When I cared for my mother at home, with hired caregivers, there was a radio baby monitor in her room, so that the caregiver could hear her from the living room.  But it was not connected to the Internet or my computer.

Friday, August 16, 2013

Washington Post, other sites hacked by Syria, apparently through phishing and through ad network

A couple days after a quirky story in the Washington Post about Gillette and male body shaving, reporter Paul Farhi, with Hayley Tsukayama, report on a serious hack at the Washington Post by the Syrian Electronic Army, on the first page of the Style Section Friday in print, here
The hack apparently was abetted by phishing Post correspondents with emails spoofed to look as if they had come from other Post associates.
The SEA claimed that CNN and Time had been similarly hacked. There are also reports that the hack occurred through Outbrain (link), an ad network.

SEA has also hacked the AP, NPR, Al Jazeera, and Human Rights Watch.
Update: Aug. 28

The Washington Post reports that Twitter and the New York Times were hacked in the past few days.  Details will be forthcoming on a future post.

Wednesday, August 14, 2013

Public charging stations can infect smart phones

Public charging stations for smart phones can conceal microcomputers built with firmware to spread viruses, it was disclosed recently at a Black Hat convention in Las Vegas.  The story is reported in the New York Daily News here

The viruses could make incriminating or illegal phone calls automatically, or could try to steal banking information.
Could public charging stations for electric cars or hybrids transmit viruses to auto ignition and safety systems?  

The idea of a "phone virus" in the 1997 novel "The Trojan Project" by Minnesota libertarian novelist Edmund Contoski is starting to make sense with smart phone trojans.  

Thursday, August 08, 2013

TOR browser hacked, leading to vulnerabilities that could identify users to hostile governments; ordinary browser updates urged

Electronic Frontier Foundation is reporting that the TOR browser was recently hacked, probably Sunday, by a java vulnerability that would allow “law enforcement” in non-democratic countries to harvest IP addresses of anonymous users and also identify the services that they use.

The browser vulnerability appears in Firefox 21 or earlier, Thunderbird 17.06 or earlier, or SeaMonkey 2.18 or earlier.

It is believed that the hack was police related, but the possible country was not identified.
Dan Auerbach has the story at EFF here

TOR does not by itself provide automatic security updates. 

Saturday, August 03, 2013

Spam based on AOL complicates a genuine billing problem after credit card theft

Found a “collection notice” from AOL for past dues on my “membership” today, in the US mail to my UPS mail box.  After I was robbed at a Metro station in March, apparently the cancelled credit card started to fail.

The problem is that I get constant spam purported to be from AOL that it doesn’t catch, so that I didn’t read legitimate email about this.  I also got a phone call a month ago on my landline (not given online) that purported to be from AOL and wanted personal information that I hung up on.  If it was about this bill, it was poorly handled. 

I called the 855 number back on the cell phone (I was waiting to go into a movie) and, on the second try, got a billing collection person who did fix the credit card.  She said she would mail a confirmation email, but that hasn’t come yet!

See the problems that “faking it” with billing spam causes when there is a legitimate problem.