The Hazards of Recommending


Think twice before you agree to recommend someone on LinkedIn. They may be a logic bomber.

You may have already read about the fired Fannie Mae sysadmin who allegedly placed a virus in the mortgage giant’s software. The virus was a bad one: it

was set to execute at 9 a.m. Jan. 31, first disabling Fannie Mae’s computer monitoring system and then cutting all access to the company’s 4,000 servers, Nye wrote. Anyone trying to log in would receive a message saying “Server Graveyard.”

From there, the virus would wipe out all Fannie Mae data, replacing it with zeros, Nye wrote. Finally, the virus would shut down the servers.

Luckily the virus was found and removed. But what has yet to be removed is the suspect’s LinkedIn page, which shows that since he was fired he has been working at Bank of America, something I’ve not seen mentioned in news coverage of the alleged incident.

(Apparently this piece mentioned this fact, but the information has since been removed. This raises other interesting points: What way is there for a company to police claims by people on networks like LinkedIn that they indeed worked at that company? And why was this information removed from the story or comments?)


What must also be a bit awkward is that the suspect, Rajendrasinh Makwana, has a recommendation on his LinkedIn profile from a project manager at AT&T, who says that

he was much more knowledgeable at the subject matter than I was. He demonstrated leadership at times of crisis. He helped me learn the ropes. I would love to work with Raj again.

The recommendation is a mutual one; the person in question gets a recommendation from Makwana as well. But what adds to the awkwardness is that the recommendation was posted on October 25, 2008, which was, according to an affidavit filed by FBI Special Agent Jessica Nye, the day after Makwana’s last day of work—which was when he allegedly planted the virus:

“On October 24, 2008, at 2:53 pm, a successful SSH (secure shell) login from IP address 172.17.38.29, with user ID s9urbm, assigned to Makwana, gained root access to dsysadmin01, the development server. … IP address 172.17.38.29 was last assigned to the computer named rs12h-Lap22, which was [a Fannie Mae] laptop assigned to Makwana. … The laptop and Unix workstation where Makwana was able to gain root access and create the malicious script were located in his cubicle.”

Ouch. If the FBI is right, the suspect was buffing his CV, seeking recommendations from former colleagues right after planting a script that could have deleted all of Fannie Mae’s data.

Lesson: Think hard before you recommend someone on LinkedIn. How well do you know this person?

The Problem With Memory Sticks


… is that you forget you have them in your pocket. According to Credant Technologies, a Texas-based security company, about 9,000 USB sticks have been left in people’s pockets in the UK when they take their clothes to the dry cleaners.

This is based on a survey (no link available; sorry) of 500 dry cleaners across the UK who, on average, had found 2 USB sticks during the course of a year. There are, according to the Textile Services Association, some 4,500 dry cleaners in the UK. A survey by the company of taxi drivers in London and New York last September showed that over 12,500 handheld devices such as laptops, iPods and memory sticks were left in the back of cabs every 6 months.

Taking these figures with the caution they deserve (two? Is that ‘we find on average two thumb drives each year’ or ‘yeah, I suppose you could say a couple’?), it doesn’t sound surprising. Indeed, you’d think it would be higher, and, indeed, in the centre of London, it is: One dry cleaner in the heart of the City of London said he is getting an average of 1 USB stick every 2 weeks; another said he had found at least 80 in the past year.

Credant want to remind us that data on thumb drives is probably going to be valuable, and there could be a lot of it. With most drives now at least 2GB in capacity, that’s a lot of files that some bad guy could have access to. Encrypt, they say (using their software, presumably).

They have a point. Though maybe encryption isn’t so much the answer as asking whether there’s perhaps a better way to carry sensitive data around with you? Like not?

Illustration from Computer Zeitung used with permission

Still Sneaky After All These Years


I still retain the capacity to get bummed out by the intrusiveness of software from companies you’d think would be trying to make us happy these days, not make us madder.

My friend Scotty, the Winpatrol watchdog, has been doing a great job of keeping an eye on these things. The culprits either try to change file associations or add a program to the boot sequence, without telling us. Some recent examples:

Windows Live Mail, without me doing anything at all, suddenly tried to wrest control of my emails by grabbing the extension EML from Thunderbird.


This was unconnected to anything I was doing, or had asked for. I didn’t even know I still had Live Mail installed. Shocking. Imagine if I hadn’t been asking Scotty to keep guard, or didn’t have much of a clue what I was doing? (OK, don’t answer that one.)

(Just out of interest, launching Outlook Express does the same thing.)


Still, I suppose the Microsoft defence is that everyone else is doing it. I installed WordPerfect Office the other day and found that it tried to take over handling DOC files without asking first. Luckily, Scotty woofed a warning.


No wonder users are baffled about what is going on with their computer and end up heading off to the Apple Store for some TLC. Software companies have got to stop doing this kind of thing. (And no, I’m not saying that Apple are any better at this. It’s just they reduce the choices so people feel their computers behave more predictably. This, after all, is what people yearn for.)

Likewise with starting programs. Once again it’s about predictability: If software starts loading at boot without the user being asked first, then a) the computer is going to slow down and b) the user will have a bunch of new icons and activities to figure out. A couple of examples:

Windows Live forces its Family Safety Client to boot without asking, as does eFax, the online faxing service.

These companies need to stop this. They need to stop it now. Consumer confidence is low, but so is user confidence. I am inundated with letters from readers of the columns who talk about their bafflement and sense of alienation from their computer. (Meanwhile, I read love stories from those who switch to Macs.) The point is this: Not that people believe Macs are better computers—although they may well be—but they are simpler to use, more predictable, more understandable, more, well, user-friendly.

What’s user-friendly about changing the settings on someone’s computer without asking them? Would a company try that with someone’s car, fridge, or dishwasher?

Radio Australia stuff, Jan 23 2009

For those listening to my slot on Radio Australia’s Breakfast Show, here’s what I was talking about:

  • Inauguration fever: How it may have tipped the way we use the Net, just like the election did. (People who weren’t there weren’t googling, they were twittering and facebooking.)
  • ‘Dark ages’ White House: The White House runs on ‘six year old versions of Microsoft software’; press office officials use Gmail. Website doesn’t get updated until evening of first day. Or is it a case of Macopia?
  • Shock, horror: Windows 7 might actually be quite good

and some stuff we didn’t have time to talk about, but which tickled me:

Malware Inside the Credit Card Machine


(Update, July 2009: A BusinessWeek article puts the company’s side; maybe I was a little too harsh on them in this post.)

This gives you an idea of how bad malware is getting, and how much we’re underestimating it: a U.S. company that processes credit card transactions has just revealed that malware inside its computers may have stolen the details of more than 100 million credit card transactions. That would make it the biggest breach in history.

Heartland Payment Systems, one of the five largest U.S. processors in terms of volume, began receiving reports of fraudulent activity late last year. But it took until last week to find the source of the breach: “A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients,” according to Brian Krebs of The Washington Post.

Revealed were credit/debit card numbers, expiry dates and names of customers of some, or all, of more than a quarter of a million retail outlets. Bad guys could make fake cards based on this data, but they probably couldn’t use it to buy stuff online, the company said. (At least one observer has characterized this as garbage, opining that a lot of eCommerce merchants turn off their Address Verification System because of errors, and for fear of losing the customer.)

That it took so long is pretty extraordinary in itself—these are, after all, the company’s own computers. We’re not talking about investigators having to track down malware on one of its customers’ computers, or somewhere in between. But that’s not all that’s remarkable: It looks like the certification that these kinds of operations rely on, the Payment Card Industry Data Security Standard, or PCI DSS, was issued last April (here’s the proof; certificates are valid for a year). This suggests, according to Digital Transaction News, that the bad guys have found a way around the industry standard level of protection.

Also remarkable is this: The company chose to release the news on Inauguration Day, a fact that has rightly prompted accusations that the company is burying the news. The company has played down the seriousness of the breach, saying that not enough information was revealed about individual cards for identity theft to be an issue, while at the same time suggesting that it’s part of a wider “cyber fraud operation.” I’m not sure it can have it both ways.

The company has, however, set up a website for concerned individuals at 2008breach.com. (Note the cute use of last year to make it seem like something of historical interest only—or maybe 2009breach.com was already taken? That doesn’t seem to have stopped worried customers trying to log on; as of writing the website, and those of the company, are down—possibly because of visitor traffic.)

Apart from the insubstantial response of HPS itself, it’s worth pointing out that this kind of attack is not new. CardSystems, another processor, was breached in 2005—apparently via malware which grabbed data it was storing (rather than processing).

I was kinda skeptical back then of the way it was handled—the company itself delayed release of the information for a month. More digging suggested that the information had been available far longer. It was perhaps understandably coy, given these things never end prettily: Within a few months what was left of CardSystems was acquired by Pay By Touch, also known as Solidus Networks, just in time for it to be slapped down by the FTC. Pay By Touch itself closed down last year and its website is no longer active.

What this new breach seems to tell us is that the bad guys are—and probably always have been—smarter than the good guys. Data within a payment processor like HPS does not need to be encrypted—indeed, the company argues it can’t be encrypted, because it needs to be processed—so while CardSystems was clearly in breach of the rules by storing data, HPS is arguing that it’s not.

But all this tells us is that the security measures in place to protect our data are not enough. God knows how that malware got into their computers. And why it was so hard to trace once it—or something—was known to be there. But the lesson from this miserably handled episode has to be that security and oversight need to be tightened, while transparency towards customers—the individuals who have to pick up the pieces, by scanning their monthly statements for months to come for possible fraud—has to be seriously improved.

The bigger issue, of course, is to finally wake up to the fact that malware is no longer some obscure corner of security matters, but something that affects all of us.

Image: Screenshot of the inaccessible 2008breach.com website.

Virus Hits British Defences


I wrote a couple of weeks ago about how KL’s airport information system had been infected by a virus. I shouldn’t have gotten so het up. Turns out that the UK’s air force and navy have bigger problems.

ITV News reported on Friday that the Ministry of Defence’s computer network has been shut down “because of a mysterious virus that is causing wholesale disruption of MoD sites.” Among those affected were Royal Navy ships including the Ark Royal and RAF [Royal Air Force] bases including Brize Norton.

The Register quotes a statement from the MoD that “[s]ince 6 Jan 09 the performance of the MOD IT systems in a number of areas was affected by a virus.” The Register says “no command or operational systems had been affected, though many of these are based on similar hardware. Spokespersons also stated that ‘no classified or personal data has been or will be at risk of compromise’ due to ‘pre-existing security measures’.”

This is less than a month after the Royal Navy announced it had switched its nuclear submarines to a “customized Microsoft Windows system” dubbed, snappily, Submarine Command System Next Generation (SMCS NG).

In 1998 the USS Yorktown was “dead in the water” for about two and a half hours after a glitch in its new Smart Ship system, which used off-the-shelf PCs to automate tasks sailors traditionally did manually. The mishap sank the Smart Ship initiative, which was quietly dropped a couple of years later.

A report in Portsmouth Today said the virus had affected 75% of the navy’s ships, preventing sailors from sending email and performing tasks (like finding out how many sailors are joining the ship at its next port of call). A blog on the Ministry of Defence’s website denied a report in The Sunday Times that ‘all email traffic from a number of RAF stations has been sent to a Russian internet server’ as a result of a ‘worm virus that entered MOD systems 12 days ago’. (The report makes it appear like it was a Russian attack, which is unlikely. But I’m not sure how the MoD can be so sure that emails were not diverted in that way.)

Neither do I know how they can be sure that it wasn’t a targeted attack. As Graham Cluley of Sophos points out, it’s more likely it was human error. But aside from the issues that raises—just how many MoD computers are hooked up to the Internet, and how smart is this? What kind of antivirus software is installed on the computers that are?—I would prefer the MoD not to jump to the conclusion that it’s not a targeted attack.

The reason? We need to stop thinking about cyberwar and malware as two different things. Governments rarely launch cyberattacks. But individuals and gangs do—and they usually do it for a mix of nationalistic and commercial motives. This case probably is just a screw-up. But it’s foolish to discount the notion that the information that may have been gleaned—accidentally, perhaps—would prove of value to a government or an agency.

(Image above is the result of my trying to search the Royal Navy website for the word “virus”.)

Articles | MoD computers attacked by virus – ITV News

Radio Australia, Friday Jan 16 2009

Here’s what we talked about today:

Another Facebook Hole?

(Update: Facebook have confirmed the flaw—although it’s not as serious as it looks—and have fixed it. See comments.)

The complexity of Facebook makes it likely there are holes in its privacy. But this one, if I’m right, seems to suggest that it’s possible to access someone’s private data by a social engineering trick outside Facebook.

Today I received an email invite to join Facebook from someone I’ve never heard of. Weird, firstly, because this was not someone I think I’d have known. Weird, also, because I’m already on Facebook.


Just to make sure, I clicked on the link to sign up for Facebook and took the option there to sign in with my existing account.

That took me to my usual Facebook page. No more mention of the dude wanting to be my friend. At no point was I given any option to let this person into my life or not.

So I Googled the guy’s name and, lo and behold, I found I was already on his list of friends.


Slightly freaked out, I went back to my account to see if this person was included in my list of friends. He wasn’t.

In other words, this guy can now see all my account details, and I can’t see his. Moreover, at no point have I accepted anything. All I’ve done is click on a link that said: To sign up for Facebook, follow the link below.

What I guess has happened is what happens if you click on the profile of someone who is not a friend but has sent you a message, or asked you to be a friend. In either case, I believe, that person then gets a week’s access to your profile.

I think this is dumb. But I think it’s dangerous that anyone can email me and, if I then click on a link to check out who they are, I cede access to my information without being able to block it, or to access his Facebook profile to see what kind of person can now access my data.

The Big Chill Hits Google

So is Google, like, the new Yahoo?

Google is closing some of its services, or at least no longer supporting them. Which for me is a tad sad, since I’ve always loved prodding around inside the Googleplex, convinced that one day all these disparate services would come together in the same way Google Docs, Calendar and Gmail have. I thought Chrome would be the centerpiece of all this. Now, maybe not.

But no. Jaiku is now open source, meaning it’s not going to become Google’s competitor to twitter or anything like that. For me Jaiku had tons of potential because it seemed to understand that many of us work from our cellphone as much as our laptop. Anyway, it’s not going to happen.

Google Notebook is also on the deathlist. Another shame: While I never used it as much as I should have done, I have been busy divining a catch-all answer to everything, and the Notebook app, and its Firefox extension, was a key part of it. Google has said it’s no longer supporting it, but existing users will be able to continue to add and access their material.

The other thing they’re dumping is Google Video. It always took a back seat to Youtube, but for me that was a good thing. No inane comments, and no restrictions on file size. The result was a mostly classy collection of videos. Gone.

So what should we use instead? Well, much of what you do in Google Notebook could as easily be done in Evernote, while others recommend Zoho Notebook. Jaiku? Well, Facebook and twitter, and I guess FriendFeed, have already moved into the space that Jaiku looked so likely to dominate, once upon a time.

I feel sorry for the guys who started Jaiku. They were an impressive and fun bunch, when you could understand them. I hope they walked away with a decent stash.

Directory of Distraction-free Writing Tools

(2009 June: added two no-delete editors)

Editors

A working list of tools to reduce writers’ distraction. I’ve been using some of them for a while; I was inspired by Cory Doctorow’s latest post on the matter to collect what I could together. All are free unless otherwise stated. 

No backspace/delete editors

Typewriter “All you can do is type in one direction. You can’t delete, you can’t copy, you can’t paste. You can save and print. And you can switch between black text on white and green on black; full screen and window.” Freeware, all OS.

Momentum Writer Same idea, really. “Momentum Writer is the ultimate tool for distraction-free writing. Like a mechanical typewriter, users are prevented from editing previously written text. There are no specific formatting options, no scrolling, deleting, or revisions. Momentum Writer doesn’t even allow you to use the backspace key. Momentum Writer forces you to write, to move forward, to add new words. It halts the temptation to linger, revise, and correct. Momentum Writer is a typewriter for your PC.” Freeware, for Windows.

Multiplatform

JDarkroom (works on Windows, Macs and Linux; thanks, Tris): “simple full-screen text file editor with none of the usual bells and whistles that might distract you from the job in hand.”

Windows

TextEdit (there seems to be a Mac product of the same name. The Windows website is under reconstruction so I can’t grab a description, but downloads are available.)

Notepad++ “a generic source code editor (it tries to be anyway) and Notepad replacement written in C++ with win32 API. The aim of Notepad++ is to offer a slim and efficient binary with a totally customizable GUI.”

EditPad “a general-purpose text editor, designed to be small and compact, yet offer all the functionality you expect from a basic text editor. EditPad Lite works with Windows NT4, 98, 2000, ME, XP and Vista.” Lite is free; Pro is $50.

PSPad code editor

And some so-called ‘dark room apps’ which blank out the outside world:

WestEdit “a full screen, old-school text editor and typewriter. No fuss, no distractions – just you and your text.”

Dark Room: “full screen, distraction free, writing environment. Unlike standard word processors that focus on features, Dark Room is just about you and your text.”

Q10: “a simple but powerful text editor designed and built with writers in mind.”

Mac

TextMate: “TextMate brings Apple’s approach to operating systems into the world of text editors. By bridging UNIX underpinnings and GUI, TextMate cherry-picks the best of both worlds to the benefit of expert scripters and novice users alike.” ($54)

The Mac dark room is WriteRoom “a full-screen writing environment. Unlike the cluttered word processors you’re used to, WriteRoom is just about you and your text.” ($25)

GNOME etc.


gedit

Distraction reducers

Write or Die: “web application that encourages writing by punishing the tendency to avoid writing. Start typing in the box. As long as you keep typing, you’re fine, but once you stop typing, you have a grace period of a certain number of seconds and then there are consequences.”