The recent twitter phishing scam had non twitter users scratching their heads on why this service would be targeted for a phishing scam at all.. Most people view little or no monetary value to twitter accounts. For most people this may actually be true. For people like Scoble or companies that promote themselves over twitter, well the brand name damage caused by a hijacked twitter account could be quite costly.

One of my friends on twitter had a reply about this issue (I’m assuming the other person didn’t realize the long tail potential impact (yes I used the term long tail – get over it)). What I saw was this:

@jeremyasmus could be any number of reasons, spread malware, spam, get passwords, us humans tend to use the same password over and over.

This is the crux of the issue isn’t it? The problem isn’t average user with nine friends directly, it’s the large power users and the passwords for other services. Let’s look at each of these.

Let’s say you are Scoble and your account get’s hijacked. Scoble has a level of trust built from himself, he is known to get the inside scoop on information, people click his links. Scoble has over 47,000 followers. If his account was hijacked and ten percent clicked a link that was really a malware installer – that would be 4,700 people infected within a matter of minutes. I think however the number of Scoble followers would be much larger probable in the 50-60% range. For a malware distribution this is a great return for the time frame, with the added benefit that you may get some other high profile names in the attack.

The cost to deploy such an attack is extremely low – under ten dollars, while the net return would be a few thousand, potentially more. Since there is little risk to getting caught if you know what you are doing, you could make some decent money by exploiting this chain of trust that exists and is protected by a mere password.

Let’s look at the side of this coin, the normal user.  Adam Baldwin nailed it right on the head when he stated “us humans tend to use the same password over and over”. I know I do, though different level of things have different passwords – my banking account does not use the same username/password combination as my twitter account – neener/neener. It is however shared with some other web 2.0 services. Some other people may not be so diligent. This once again is a chain of trust issue. You are trusting the companies that you give your passwords to are truly them, so once your password is in the wild it’s exposed and all of your accounts are open to attack.

Let’s look at the information an attacker can get from you if they have your twitter password:

User Name – while by itself it’s exposing a little bit about your account and your password – the problem lies in having both bits of this information. That part should be blatantly obvious. The issue lies in the fact that most of us use the same username or “handle” across many sites on the web. Doing a Google search for “Creeva” yields over 46,000 hits. A lot of these hits are different services that I play with and over 90% of the hits link back directly to me in some fashion. Since most sites use you username as your login name, if I used the same password every single one of these services would be exposed if I fell for the twitter phising scam.

E-Mail Address – Yes though it maybe only a small amount these days, your e-mail address is still worth a few percentages of a penny to the spammer. This would get you on more mailing lists, and ones that would be quite hard to get off of. It is also normally used as a login name for service that do not use your handle. More accounts have now been exposed because of this. If your e-mail account passwords is the same as your twitter account (dumb mistake) everything about your online life, accounts, and transactions can now be exposed and utilized against you. Would you notice a gmail filter that someone setup to clone every incoming e-mail?

The other issue is even you do not have accounts that show up in a Google search they could use a service search engine such as Spokeo to find accounts even you may have forgotten about.

Mobile Phone Number – This probably would be one of the most annoying things, that your phone number has been exposed to the internet underground. Phone spam, call back charges; there are a few things they can do with this number. I do think this is small annoyance compared to loosing your email account.

Being a good security professional my recommendation is to use strong passwords that are unique to each service and are rotated regularly. I am also a realist and know that you won’t. This may be the time to start doing segmentation where different accounts do get different levels of passwords. This is what I do so if my twitter account was compromised only the services that I consider on par with Twitter security-wise was at risk. Lower level accounts would be safe and higher level accounts would be safe. I also think with the range of accounts, I could move faster then the phishers going through and knowing what to change faster then they could try all 46,000 sites. It’s a thought – now what are yours?

Picture from here

A few months ago my home server lost all of my MP3′s from a share.  I was freaking out thinking some process had magically deleted them.  Then I noticed the partition was missing.   I spent a few days banging my head against the wall trying to recover the data and nothing helped.   Since I’m a listener of Security Now, I attempted to use Spin Rite on the drive, even this didn’t help it.   I was freaking out.

I set aside the drive and re-addressed it yesterday.  A friend of mine had a copy of Partition Doctor 3.5 and we ran it against my drive.   In a matter of minutes we managed to get the drive back up and all of the MP3′s were there.   Neither my wife and I were too anxious to go through the 2-3 week ripping process we did last time when we re-ripped at a higher bit rate.

This is not a promotion, I get no money from the links you click, if however you do have an issue with a lost windows partition, try Partition Doctor’s demo version and it will show you if it can be recovered.

Picture from here

Though I don’t think it’s related to the search engine privacy story, Google has just released a web book for free titled Browser Security Handbook.   Some people are relating to this as Google’s answer to the security (and privacy) issues raised by Chrome.  Others belive it’s a way of giving back to the community based on the way Google looks at these concerns and how they address them.

Currently I’m reading through and thought I would share.   You can go to the project page, download test cases, or read it online.   If you have any interest in this field I suggest you at least do one of them.

Well it seems I’ve been lax the last couple weeks in my weekly summaries.  Let’s catch up:

Articles:

I Think Fragmented Communities in Social Networks Are a Good Thing

Interesting – Guess They Don’t have Time to Meet

Web Application Developers Can Learn A Bit From WordPress

Holy Legos Batman (Not About Lego Batman)

Some Great Macro Photography Images

Sad Day For Free Speech For Students

Had to Remove Some Sites From My Lifestreaming Page

Web Companies Today Are On Top Of Customer Service – Traditionals Take Note

Get an E-Mail or Twitter Alert When a Company Changes is Privacy or Security Policy

Pop-up Study Proves Users Will Click Anything

It Had to Happen Eventually – DHS Testing Pre-Crime Detection

Palin Hacker Is Not Indicted …So Far……

VHS Alumni Band 2008 Memories

Did I Blog Without Permission or Do You Not Understand Creative Commons

Daily Online Activity:

Online Activity for 2008-09-19

Online Activity for 2008-09-20

Online Activity for 2008-09-21

Online Activity for 2008-09-22

Online Activity for 2008-09-23

Online Activity for 2008-09-24

Online Activity for 2008-09-25

Online Activity for 2008-09-26

Online Activity for 2008-09-27

Online Activity for 2008-09-29

Online Activity for 2008-09-30

Online Activity for 2008-10-01

]]> http://creeva.com/2008/10/03/creevacom-weeks-in-review-91908-10308/feed/ 0 http://creeva.com/2008/09/23/it-had-to-happen-eventually-dhs-testing-pre-crime-detection/ http://creeva.com/2008/09/23/it-had-to-happen-eventually-dhs-testing-pre-crime-detection/#comments Tue, 23 Sep 2008 19:21:49 +0000 Creeva http://creeva.com/2008/09/23/it-had-to-happen-eventually-dhs-testing-pre-crime-detection/

First let’s start with something from Cory Doctorow‘s book Little Brother:

If you ever decide to do something as stupid as build an automatic terrorism detector, here’s a math lesson you need to learn first. It’s called “the paradox of the false positive,” and it’s a doozy.

Say you have a new disease, called Super-AIDS. Only one in a million people gets Super-AIDS. You develop a test for Super-AIDS that’s 99 percent accurate. I mean, 99 percent of the time, it gives the correct result — true if the subject is infected, and false if the subject is healthy. You give the test to a million people.

One in a million people have Super-AIDS. One in a hundred people that you test will generate a “false positive” — the test will say he has Super-AIDS even though he doesn’t. That’s what “99 percent accurate” means: one percent wrong.

What’s one percent of one million?

1,000,000/100 = 10,000

One in a million people has Super-AIDS. If you test a million random people, you’ll probably only find one case of real Super-AIDS. But your test won’t identify one person as having Super-AIDS. It will identify 10,000 people as having it.

Your 99 percent accurate test will perform with 99.99 percent inaccuracy.

That’s the paradox of the false positive. When you try to find something really rare, your test’s accuracy has to match the rarity of the thing you’re looking for. If you’re trying to point at a single pixel on your screen, a sharp pencil is a good pointer: the pencil-tip is a lot smaller (more accurate) than the pixels. But a pencil-tip is no good at pointing at a single atom in your screen. For that, you need a pointer — a test — that’s one atom wide or less at the tip.

This is the paradox of the false positive, and here’s how it applies to terrorism:

Terrorists are really rare. In a city of twenty million like New York, there might be one or two terrorists. Maybe ten of them at the outside. 10/20,000,000 = 0.00005 percent. One twenty-thousandth of a percent.

That’s pretty rare all right. Now, say you’ve got some software that can sift through all the bank-records, or toll-pass records, or public transit records, or phone-call records in the city and catch terrorists 99 percent of the time.

In a pool of twenty million people, a 99 percent accurate test will identify two hundred thousand people as being terrorists. But only ten of them are terrorists. To catch ten bad guys, you have to haul in and investigate two hundred thousand innocent people.

Guess what? Terrorism tests aren’t anywhere close to 99 percent accurate. More like 60 percent accurate. Even 40 percent accurate, sometimes.

What this all meant was that the Department of Homeland Security had set itself up to fail badly. They were trying to spot incredibly rare events — a person is a terrorist — with inaccurate systems.

Now that all being said, DHS has actually build a machine that tests for security threats.   Now if this is put into production you get to be watched everywhere you go and wonder about this machine judging your intent and being pulled over for questioning.

If you would like to read more information on this please read the link below.

‘Pre-crime’ detector shows promise – Short Sharp Science – New Scientist

People in the security world were all pretty sure that users never paid attention to dialog boxes.   Ars Technica printed information about a study performed North Carolina State University that proves that the security professionals were correct.  Most users only want to get rid of the immediate annoyance and don’t read what is happening on their screens.

We already know most people don’t read their end user license agreements – but come on.  How many fake windows dialog banner ads do you need to load and have bad things happen to your computer before you learn.   Unlike other childhood cause and effect lessons, we don’t lear clicking the button is bad like the stove is hot when we get burned.   There is a mantra I’ve always enjoyed, “If Stupidity Can’t Hurt, Then It Should Cost”.   I’m rather happy that most users that click and click and click to punch the monkey or get rid of fake banners hads more then likely spend hundreds of dollars keeping their computer in running order after the spyware has had a field day.   I do feel sorry for their family members that have to fix it for free though……

For More information click the link below (Ars Technica)

Fake popup study sadly confirms most users are idiots

Picture from here

A couple weeks ago I was talking with a friend about an idea for a new web service.   The web service would have you enter in all the services and sites you use and have an account with online, and then send you a twitter alert when the policy changed and it would show you which text changed.  My problem is while I could come up with the design, function, and architecture I couldn’t figure out any way to monetize such a service.  I let it languish and said I would eventually write a blog article on how to roll you own.   This is that article.

The key feature to making this work (obviously) is a service that can monitor website for changes and give you some sort of data trigger outbound that is usable for repurposing.  I know I could use services that would do an RSS feed, but I wanted something more immediate and trustworthy then RSS for this scenario.  I hunted around and I found the service Change Detection that will send send you an email when a web page has changed.

E-Mail Alerts

With e-mail you have a bit more control.   It’s all easy.  If all you want is an e-mail alert put in the policy page into the page address field.   Then place your e-mail address in the “send alert to:” field.   Easy as cake and your done.

Twitter Alerts

What about getting twitter alerts?  The first thing I’ll point out, I’m not a programmer.  I’m sure there are much better ways to do this in much simpler methods.  I have two requirements for myself.   Keep it free, and it keep it in the cloud.   Make the internet do the work for you, it’s always on and online – your computer doesn’t have to be.  So instead of using an Uber-Twitterbot I’m going to utilize a few free service:

1. Change Detection -Configure the privacy page you want to monitor the same way in section for getting email alerts.  Instead of relying on the emails for notification, change detection allows you to create an RSS feed for each page you are monitoring.

3. Twitter – Setup a new twitter account that you can friend.  If you worried about privacy (people knowing which sites you are watching), set the updates to be protected so only “friends” can see them.   Have the alert twitter account friend you, log out and friend the account back with your main twitter account.

4. Twitterfeed -Take the feed from change detection, pipe it through twitterfeed so it will put update notifications to your “alert account”.   Now whenever anything has changed you can watch updates from that account and you’ll have almost real time monitoring of any web page.

It’s been a long time since I’ve beeen excited about a new browser.  Theoretically I’ve never been excited about a new browser that was announced.   I remember being excited when AOL resurrected Netscape – but that turned into a flaming pile of poo and Netscape lost dominance being THE browser to use.   Like many users at that time frame I used Internet Explorer 5 and at the time it was best of breed, then a new challenger arose.

The Mozilla foundation announced they were taking the open source bits of the Netscape browser and making a new slimmer browser called Firebird.  Because of issues of legal and copyright, Firebird was renamed to Firefox.   I’ve been using this browser since Firebird and I have had no reason to move to a different primary browser.   I’ve tried Flock and Safari, there hasn’t been a sticky reason to keep using those over Firefox.   I was excited, kind of, of the release of Firefox version 3.   But that wasn’t a new and different browser, it was more of the same.

With last nights announcement of Google’s New Chrome Browser, but they put up a nice little web comic that explains the features it offers.   The security, privacy, performance enhancements alone make this a must watch for browser.  WHen it is actually released later today, we’ll see how I feel then.

UPDATE:

Found a site that has some Chrome screenshots you may enjoy.

Picture from here

So I’ve taken over the position of webmaster for the VCMA (Vermilion Community Music Association).  This is going to start a new series as I’m going to use them as guinea pig’s for what I’ve felt non-profits need to do to survive and thrive in the web 2.0 world.   They are not a big organization, and I’m sure I received this position for my background and not my witty personality.

I’ve been working on the site for a couple of weeks and here is what I’ve found so far.   They had a private member’s section on the old site to share files and personal data.  This section was password protected, but the username field was just a front, as long as you nkew the password anything you put in the username field was accepted.  Since I’m a security engineer, this just wasn’t going to work for me.  I’ve ranted before the illusion of security and how illusionary security wasn’t worthwhile at all anyways.  The other problem was that their member page “password protected” section was just a javascript that rewrote the “HTTP GET” to a file named a combination of the requested page plus the password.   So if the page was index.tml and the password was “password” the ending HTTP in the “HTTP GET” command would be indexpassword.html.   Since it was still a plain text file without any encryption on it, in theory it could still be spidered and stored by google, thereby completely undermining any security it was giving them.

I’m working on a better and more secure solution while maintaining the balance of ease of use.   I don’t want to burden them too much on the security side.  I’m sure some of the older members would blink at me with a blank stare if I handed them secureID tokens to access their newsletters.

Picture from here

The next thing I discovered is that code each web page by hand, ugh.  There was no way I was going to maintain each HTML manually and hope for any semblance of style and continuity between pages (an issue they had in the past).   They had been using FrontPage and offered to buy me a copy.  First no, no and no – currently I’m using Linux on my main computer (Ok I dual boot into XP and between WoW and Netflix streaming I don’t get into Ubuntu as much as I should), so Frontpage was out.  They were insistent at first that this is how it was done, I however readjusted things.  I moved them to WordPress which I’m not using as a blog but rather as a CMS (Content Management System).

Picture from here

I manually migrated the data from the old HTML files, I spent hours converting the front page data to be “clean” data that i can migrate and copy paste anywhere.   I was a dumbass though, I should have just copy and pasted the text into notepad or a generic text editor, then I wouldn’t have had all the background crap.  This is my nore to myself to now be stupid next time.  I added images and a javascript navigation menu, but essentially the page was just a cleaned up (easy to maintain now) version of what they already had.

Now the next step is to migrate them to Google Apps for their member related information……

Somehow I always end up volunteering for Vermilion non-profits, now if only I could get one of them to pay me……

Picture from here

I randomly go through my commentors and visit their sites and profiles.   This is more out of curiousity then anything else.  I’m curious who they are what they are interested and what they write about.   In most case they are not much different then myself.   They are geeks, or lovers of crossposting, the occasion security geek.

While for this post I don’t really have a point, just an observation.  “They” say to make your blog sticky and interesting you build up a community.  You interact with your commentators and make sure you comment on their posts.   I’m just curious how many of the bloggers actually read what their commentators have written that fall outside the realm of their own door step.

Picture from here

I thought the teens and pre-teens were the sounding board for tomorrows technology.   Well this isn’t always the case.   I previously mentioned talking with my brother over the weekend.   Well there is more to it then just the security post that came out of it.   He complained that he wasn’t getting confirmation e-mails for some of the web services he was using and he thought they may be getting caught by his spam filter.   I asked him which e-mail provider he was using.  He’s using his ISP…………..

I may be 32, but I have two brothers that are twins that are thirteen years old.   They have the fear of sharing their name online and everything else they will get over as they get older (or become completely paranoid and withdraw from the Internet entirely by the time they are 20).   They don’t however use web based e-mail.  I understand that they should be showing me what is new and interesting, so I expected Myspace or some such service for sending e-mails to friends.  Well they don’t, but part of that is that my 26 year old brother who sets up the web filtering for my dad frowns upon Myspace for that age group because of worrying about pedophiles I suppose (though a child is 99.9 more likely to be molested by a relative or immediate friend of the family instead of being attacked by an online predator).   My father and step-mother aren’t too hot on it either – they believe in the sunshine and dirt makes strong boys.   I’m more of the give me a book and a bed to lay on, or a laptop and a Gameboy with a bed to lay on type of guy.

They don’t however use web based e-mail – I haven’t used a strictly POP3 mail solution since college – so 14 years of using web based e-mail.  With the exception of corporate mail I can’t understand using it any other way.   Spam control is easier, you can access your e-mail from anywhere, you can archive your mail online without ever losing anything.  I started a series about computing in the clouds and even did one subject on web based e-mail.  The generation that comes after us (and the age difference is pretty much a generation) should have a more refined method of handling data.   It’s seems they choose to hamstring themselves then to learn and be more interactive.   That is not the case.

I have a sister that is pretty much from the mind set of using the computer as a utility or appliance.   It’s something that’s only slightly more interactive then a game system or television set.   I understand that mentality.   I figured however it was something that would end with my generation.  It seems not, the next generation at least in my family is not grasping and making tech work for them they are working for their technology.  What I mean by that is they put more effort into the computer then they need to, the computer should be a tool to make things faster and easier.   Not using it to the fullest extent you can and streamlining what you do is almost a shame.

My 26 year old brother and myself when we had our own computers kept pushing the line and seeing what we can do next.  He was twelve/thirteen when I went to college and he was running his own BBS.   He went the design and programming route.  I went the security and architecture route.   Both of us are very good at what we do in our own fields – at least we think so.  Though we have very little overlap since both of us view the other person as focusing on the wrong things.  The thirteen year olds don’t have the same in depth interaction with their computers.   Maybe this is a problem with growing up with computers their whole lives.   It’s not viewed with the same regard as it was for me and my next youngest brother.

It does give me some slight hope that the current twenty something and young thirty somethings are the height of the internet users while the rest of them stagnate and fully pushed the line.   But the youngest brothers have a few years to catch up and may do something with it yet, so I can’t fully discount them until the future arrives.

Now if they are reading this – go get a Gmail address and learn how to use it.   My father-in-law and mother-in-law have even moved to Gmail and it only took them a few minutes to learn it.

Picture taken from here

Yesterday I was talking with my thirteen year old brother.  He told me about how he was going to setup a website for this girl he knows.   He was going to configure it so you couldn’t take the images off the page and use them somewhere else.    I explained that it truly couldn’t be done.

To get into a quick side note, if you have images on your site and I want to copy them, don’t bother it’s trivial.  I will just pull them out of my browser cache and viola – there I have your images.  Just because you thought you were “Uber Cool” because you used JavaScript to disable right clicking and saving the images doesn’t mean your images are secure.   If you go even more “l33t” and try to use a flash slideshow program attempting to lock it down further, a quick screen shoot and a copy paste into MS Paint will still get me that image if it’s so cool I must have it for my personal collection or to display on my website.  Anything that can be seen or heard will always be open attack in one form or another – smell and touch we will eventually come for you.

The main question in the title stands, if you can’t bypass it is it secure?  The answer should always be no – there is no unbreakable form of security.  Given enough time and effort any security in the world can bypassed. Given enough exposure at Defcon and unlimited hot pockets anything is vulnerable. Just because you, yourself can’t not fathom a way to bypass the security you have put into place doesn’t mean that it’s the top of the line.   There is always someone smarter then you.  Even if you are the industry expert in cryptography and think you are secure because of some great password system you came up with, doesn’t mean your system can’t be infiltrated from a physical attack.

Let’s go into a real world example

I’m someone who doesn’t really use the deadbolt in my house (my wife does for anyone getting ideas).  Why don’t I?  It’s passive self assurance against an attack that’s improbable.  Locks can be picked fairly easily, either through skill or the advent of “bumping”; this makes locks for all intents and purposes useless right?  Well not quite, to pick a lock it takes effort time and exposure to being caught (yes even in the case of using a bump key which isn’t nearly as noticeable).  A lock is a good first round barrier to keep people out as a casual deterrent.   If a door is lock most people won’t progress much further.  For some reason even mild deterrents will keep most people honest.  This doesn’t mean that you house is secure.

If I was going to rob your house, I’m not going in the front door.  Ironically no one puts deadbolts on their back doors.  So if I’m going to pick a lock (I’m too lazy and I would more likely kick the door in anyways) I would immediately be picking your back door instead of your front door.   Does this mean putting a deadbolt on your back door will make you secure?  No actually I’m more likely to go in through a window in the back or side of your house.   Do you have a security alarm?  Well that’s another deterrent, but still doesn’t really buy you security.   If I’ve targeted you and you have something I really want I would just sit in the bushes outside your window and watch you enter in your key code.

So now you’ve put bars on all of your windows, put your alarm code number pad in a place that can’t be seen from a window, put deadbolts on your back door, put door jams on all your doors to make them resistant to being kicked in, so now your secure right?  Well do you have a garage door opener?  For a fairly cheap price I could use a scanner to get the frequency that allows me to open your garage door.   You go away for the weekend I can open your garage door, pull inside, close the garage door and then proceed to ransack all your expensive tools and possibly gain entry to the house if I want to risk the alarm.   Your neighbors aren’t likely to notice that if I pull in at 1 AM.

If you are interesting you can be targeted, it’s all the matter of effort someone wants to put into an attack.  Most people don’t have a security mind set so they assume they are secure because it will keep them out.  Unfortunately it doesn’t work that way.   Security, especially home security requires a little bit of trust in what effort your fellow man doesn’t exceed the effort it takes to steal your stuff.

I’ll give one more example:

When I start work at my new job they were talking about the screensaver policy at work which was fifteen minutes.  It was a written policy but they planned to put in a windows policy to enforce it.   I stated that such policies are hard to enforce since software to emulate random key presses are easy to get (I used one in my previous job so I could watch movies on flights without hitting the keyboard myself).  You would think that I just gave nuclear launch codes to the Russians – I kind of defeated his logic with a trivial bypass.

Wisdom in security is gained when you realize that all you can really do is best effort.  Nothing is truly secure, nor will it ever be.  Trust while being the anti-thesis of security plays an important role.  You place safeguards into effect up to and past the amount of trust you have in the users accessing whatever you are trying to protect.  With each safeguard that goes into place the likelihood of being attacked drops, that doesn’t mean it’s secure, it just means you have mitigated some of the risk.  Once people start to understand this wisdom and the logic behind it, they will actually be more secure, the irony of it all.

It’s not because I’m older or more knowledgeable, it’s because I have wisdom when it comes to security.   Even for things I don’t know how to compromise I know attack vectors and likely targets.   I can’t crack high end computers or pick digital locks, but I know how I would attack them, which gives me an area for how I can defend them.  I don’t need to know how to break or bypass something to know it’s insecure.  Like I’ve said it’s a matter of knowing everything that can be built up can be torn down.

Picture from here

Sunday night I was bored, so like all bored geeks I updated my device to the bleeding edge.   The N810 feels peppier, but then again that could be my imagination or just the fact of cleaning out all the programs.   Either way it feels faster.

My biggest heartbreak is Canola2 is not fully updated and I can use the old installtion but it only half works.   I’ve read the most common reason for applications has to do with the supported version of python has changed, but who knows.   Until I can use Canola2 as a podcatcher and video player again, it’s dead to me.

I also lost alot of my network security tools, my solitaire game, and the program that synced my Google calendar with my local GPE calender.   Writing this all out I’m not sure what exactly works.  The new built in mail client works better (yet still crashes), Pidgin seems to work, and browsing is fine.

The applications will get ported, I’m just on the bleeding edge and now need to wait.   That doesn’t mean I can’t throw a hissy fit.

creeva’s Recently Played Tracks

creeva’s Recently Played Tracks