Posts Tagged ‘hackers’

The Most Important Things to Know About Internet Safety While Traveling

Saturday, November 23rd, 2013

My cousin is on his way to Germany for a week and asked for some advice on being “cyber safe” while there. In other words, how can he stay connected with people and email but not become a victim of malicious software? Here are a few tips:

– Assume that every public computer everywhere – whether at an airport, cybercafé or the hotel business center – is infected with malware and will record your every keystroke. For this reason it’s best to avoid using public computers if you can. That said, googling “the word for hospital in Arabic” or “toxicity of tarantulas” is pretty harmless. Bouncing over to check gmail, on the other hand, can be a huge mistake, particularly if you use your gmail password anywhere else (because once a password/user name combination is discovered by criminals, it can be easily and automatically plugged into thousands of other websites to see if it works), or if you use gmail to receive account statements, internet orders or banking validation codes. Once cybercriminals hack your account, they will sift through emails seeking these things.
– If your kids like to play computer games, and they use the PCs at the hotel to do it, remind them as well: it’s best not to check or send personal email from those machines. If they insist on doing so, at least remind them to be sure to log out when they are finished.
– Before you leave the US, consider setting new passwords for sites you will be using and then changing them again when you return. (more…)

Internet Safety While Traveling – Deeper Dive

Saturday, November 23rd, 2013

A “man in the middle” or MIM attack is not particularly difficult to pull off, and it represents one of the biggest cyber security threats we face when we are traveling – or in fact, any time we consider using an unknown wireless network.

Here’s how it works: it’s rather easy to find software which will monitor or “sniff” network traffic. It’s even easier to set up a wireless network – for example, like many business travelers these days, I carry a portable wireless hub in my purse. If the intent is to trick other people into using it, all that’s left is giving it a name which sounds legit, like “Marriott SecureWifi”. These can even be set up as far as 15 miles away from the wifi area.

As people try to connect to the criminally controlled network, the cybercriminal allows them to do so (using the same password as the real network, or no password at all). Then the cybercriminal becomes the “man in the middle” (MIM). Sample scenario (there’s a more detailed example of a MIM in my book):
1. You ask for the gmail page in your browser and type in your gmail password.
2. The MIM intercepts your request and provides you a fake gmail login page (which looks pixel by pixel exactly like the legitimate one, including “https/gmail” in the browser, which indicates that it is securely linked to the gmail server).
3. The MIM sends your password to Google.
4. Google assumes it’s talking to you, and opens your gmail.
5. The MIM passes the gmail back to you and continues passing requests and information back and forth until your session is done.

(more…)

Zombies Attack Montana! (US Emergency Alert System Gets Hacked)

Tuesday, February 19th, 2013

Imagine their surprise: a week ago, while Montana residents were innocently engrossed in the show Teen Cheaters Take Lie Detector Tests, they were abruptly interrupted by a broadcast of the Emergency Alert System.  The station was muted as the following voice-over message was recited by a somber-sounding fellow:

“Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages onscreen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”

Meanwhile, a list of the affected counties scrolled across the screen.  Naturally, this worried a few folks.  Many called their local police. (more…)

The real reason Mitt Romney released his tax returns – his accountants got hacked

Sunday, October 7th, 2012

I’m not saying that Wikipedia is the ultimate authority on all things, but let’s agree that at least it’s a fabulous starting point.  There’s obviously something powerful about “anonymous” collaboration.

Some of you may have heard about the allegation that a group of hackers successfully stole the Romneys’ tax returns, forcing them to release them. Here’s how an “anonymous” editor sums it up on the Wikipedia profile of Price Waterhouse:

___________

Mitt & Ann Romney tax returns

On September 4, 2012,[64] an anonymous group of hackers claimed on Pastebin.com, a popular website for hacking groups such as Anonymous, to have gained access to PwC’s “network file system” at their Franklin, Tennessee office and copied documents relating to Republican presidential candidate Mitt Romney and his wife Ann’s tax returns before 2010, which the candidate has refused to release.[65] The group demanded that the company pay $1,000,000 USD in Bitcoin electronic cash. The group said that failure to meet their demands will result in the release of the material to “all major media outlets,” on September 28.[64]

____________

So is it just a huge coincidence that the Romneys released their returns on September 24th?  Allow me to add another data point: Today – October 7th, 2012 – Price Waterhouse posted over ten job openings on dice.com with titles like “Cybercrime Manager”.

(more…)

Against my better judgment…a Hacktivist cause I like!

Tuesday, August 21st, 2012

Why is it that we only need make the most innocent of unequivocal statements and suddenly things pop up everywhere to prove us wrong?

Last week I gave a presentation to a partner of ours. I was discussing the state of cybercrime and some of the most urgent threats. On the subject of Hacktivism I said, “these guys are the unruly mob of the internet. The problem is, their attacks aren’t based on any consistent principle – any bored hacker can jump in and join the fun – so if you are working with clients who are on the shadier side of what is politically correct, Hacktivists (hackers for a cause) are a concern.”

Besides the fact that what they do is illegal, at least some Hacktivists seem to demonstrate a naïve perspective on complex issues (for example, I don’t think it’s reasonable to expect PayPal or eBay to have a conscience). So I have to admit I’ve not been much on their side. But this weekend I read an article in Security Week about an attack I agree with. It’s about Anonymous (probably the most well-known Hacktivist group) breaking into the Ugandan government’s main web server and posting a fake press release. Who knew Anonymous had such a sense of humor?

Right now Uganda has legislation on the table which mandates death for all homosexuals.  Really.  So Anonymous (more…)

Writing Down Website Passwords versus Old-School Rules

Saturday, June 9th, 2012

There is an awful rule of basic password management which actually works counter to good security.  Yet it continues to be suggested by even the top security organizations in the world.  The rule is this: don’t write down your passwords.

There are lots of problems with this idea.  Not the least of which is the fact that if we make our passwords so easy to remember that we don’t have to write them down, well, they may well be too easy.  Or, if we decide to make it simple and use the same password for everything, that means all our banking accounts could be compromised the minute someone breaks into our gun club registry or recipe-swapping website.  And one glaring reality this rule hasn’t kept pace with is that these days we need way too many passwords: one person can easily visit 15 different sites in a few hours – all of which require passwords.

I like to write them on my mirror.

So why the dumb rule?

In their defense, this was accepted wisdom twenty years ago for two reasons.  Back then there was only one password that mattered: the one to get onto your computer.  Naturally you didn’t want that password to be in the same place as the system!  And apparently in those days people weren’t clever enough to write down passwords anywhere except on sticky notes attached to the computer.  (Duh!  At least put it in your shoe!)

More importantly – reason #2 – in those days what we worried about most of all was what we call “internal threats”.  That is, we worried about other people at our place of business gaining unauthorized access to the computer or the network. (more…)

The Zen of Internet Safety: Patience, Little Grasshopper *

Friday, June 8th, 2012
Patience!

The two best things you can do to stay safe on your PC (as long as you insist on being internet-connected) are:

a.)    make friends with your anti-virus and

b.)    cultivate an attitude of patience.

In fact, we could call this the Zen of Computer Health and Internet Safety.  Your AV is the equivalent of a security guard, a Rottweiler, and a good alarm system.  If you don’t sit back and let them do their work, you may as well save your money.

I might say that it’s really surprising that people will install AV and then argue with it. But that would be disingenuous of me, because it really isn’t surprising at all. We are an impatient species, made even more impatient by a culture that insists on as much stimulation and instant gratification as possible (note Eric Schmidt, Google’s CEO, telling college grads to “unplug” for a whole hour a day!). I get all that, but I suggest that in the case of our PC’s AV, we fight these proclivities.

Let’s review some of the AV Commandments:

(more…)

Beware public wifi! And secure your wireless

Sunday, June 3rd, 2012

I always enjoy watching hackers in action. At least, when they are friendly (rather than malicious) and willing to share the details of their tricks. At the Kaseya Connect conference in May, Dana Epp did the following:

a.) set up his own wireless router with a name very similar to the one we had access to for the conference

b.) sucked in at least 20 conference attendees – they believed his router was legitimate

c.) proceeded with a “man in the middle” attack – this is where a person sits between the user and the server they are trying to get to, and watches everything going back and forth. Meaning, passwords, data, etc.

Of course he didn’t actually steal anyone’s data. But he did put up a screen shot of the logins of the attendees who were using his bogus wireless – a mite bit embarrassing for all but Fuzzy (who is a good sport!). It was obvious how easily Dana – or just about anyone else who was motivated enough – could monitor the data which was being sent and received. And of course, that includes the passwords they use to access their internet dating services, get on their company networks or do their on-line banking (if the first page of the banking site wasn’t secure).

Two rules for the rest of us: (more…)

Our beloved Macs and the hidden costs of cybercrime

Sunday, May 27th, 2012

When it comes to the “religion” of Apple, I’m an infidel. But, I appreciate passionate attachments to anything – after all, they give us “raison d’être”. Plus some of my closest friends have been deeply in love with their Macs for decades. And as surely is obvious by now, Apple cracked the code on “user friendly” way back when most nerds were still trying to keep those riff-raff off their grid.

Unfortunately, I started in high tech working with Unix on PCs, which is as nerdy as you can get, and pretty far from friendly fruits like the Macintosh.  Also, among our engineers, the idea of an intuitive interface was somewhat scorned.  First of all, why would you need one?  They were for dummies!  Second, in those days – an understandable prejudice on their part, I think – the more we made things easier for non-technical users, the more we had to limit their choices.  Coaxing a computer to “deposit these funds over there” over a modem was hard enough (computers were comparative dummies in those days too); thinking thru a million other possible banking needs a consumer might have – that was an impossible dream.  Drive to the damn bank already!  And in those rather dark ages – at The Santa Cruz Operation in 1988 – there was no thought at all about the other problem: considering every mistake dumb users might make.

I mention this because even though we finally ARE thinking about security on the web, it is STILL overwhelming to accommodate all the mistakes that a user like Mary Jo Redneck may make as she attempts to place an on-line order at Walmart for jerky and beer.

(more…)