loose wire blog

I have actually been appearing on Radio Australia’s Breakfast Club pretty much every Friday—around 1.15 GMT--for the past year or so, but don’t always remember to post the links to the things I talk about (or intend to; there’s not always time).

Here’s to trying to remember to do it (and audio, now it’s available.)

• Researchers in Italy have been going around nightlcubs in Chieti asking people for cigarettes. Turns out if you ask them in their right ear, you’re more likely to be successful. It’s called the right ear advantage (via the Daily Telegraph.)
• Password masking is stupid, according to user interface expert Jakob Nielsen. Users make more errors when they can’t see what they’re typing, he says, and that makes them more likely to use overly simple ones. (Interestingly, one commenter on FriendFeed said the masking thing has less to do with fear of shoulder-surfing than of old CRT monitors, whose analog connections would give off radio noise which could be reconstituted with special equipment.)
• Polaroid spin-off Zink has selected finalists for a competition to find novel ways to use its inkless printing (via Technology Review). My favorite: nail printing, via Singapore’s own Sonny Lim (above)
• CEOs are media slackers, according to UberCEO.com. Most don’t have a twitter feed, a Facebook page or even a LinkedIn profile. Only Tom Glocer of Thomson Reuters seems to be doing well.  (via WIRED)

Think twice before you agree to recommend someone on LinkedIn. They may be a logic bomber.

You may have already read about the fired Fannie Mae sysadmin who allegedly placed a virus in the mortgage giant’s software. The virus was a bad one: it

was set to execute at 9 a.m. Jan. 31, first disabling Fannie Mae’s computer monitoring system and then cutting all access to the company’s 4,000 servers, Nye wrote. Anyone trying to log in would receive a message saying “Server Graveyard.”

From there, the virus would wipe out all Fannie Mae data, replacing it with zeros, Nye wrote. Finally, the virus would shut down the servers.

Luckily the virus was found and removed. But what has yet to be removed is the suspect’s LinkedIn page which shows that since he was fired he has been working at Bank of America, something I’ve not seen mentioned in news covering the alleged incident.

(Apparently this piece mentions this fact but the information has since been removed. This raises other interesting points: What way is there for a company to police claims by people on networks like LinkedIn that they indeed worked at that company? Why was this information removed from the story or comments?)

What must also be a bit awkward is that the suspect, Rajendrasinh Makwana, has a recommendation on his LinkedIn profile from a project manager at AT&T, who says that

he was much more knowledgable at the subject matter than I was. He demonstrated leadership at times of crisis. He helped me learn the ropes. I would love to work with Raj again.

The recommendation is a mutual one; the person in question gets a recommendation from Makwana as well. But what adds to the awkwardness is that the recommendation was posted on October 25, 2008, which was, according to an affidavit filed by FBI Special Agent Jessica Nye, the day after Makwana’s last day of work—which was when he allegedly planted the virus:

"On October 24, 2008, at 2:53 pm, a successful SSH (secure shell) login from IP address 172.17.38.29, with user ID s9urbm, assigned to Makwana, gained root access to dsysadmin01, the development server. ... IP address 172.17.38.29 was last assigned to the computer named rs12h-Lap22, which was [a Fannie Mae] laptop assigned to Makwana. ... The laptop and Unix workstation where Makwana was able to gain root access and create the malicious script were located in his cubicle."

Ouch. If the FBI is right, the suspect was buffing his CV, seeking recommendations from former colleagues right after planting a script that could have deleted all of Fannie Mae’s data.

Lesson: Think hard before you recommend someone on LinkedIn. How well do you know this person?

… is that you forget you have them in your pocket. According to Credant Technologies, a Texas-based security company, about 9,000 USB sticks have been left in people’s pockets in the UK when they take their clothes to the dry cleaners.

This is based on a survey (no link available; sorry) of 500 dry cleaners across the UK who, on average, had found 2 USB sticks during the course of a year. There are, according to the Textile Services Association, some 4,500 dry cleaners in the UK. A survey by the company of taxi drivers in London and New York last September showed that over 12,500 handheld devices such as laptops, iPods and memory sticks were left in the back of cabs every 6 months.

Taking these figures with the caution they deserve—two? Is that ‘We find on average two thumb drives each year’ or ‘yeah I suppose you could say a couple’?—it doesn’t sound surprising. Indeed, you’d think it would be higher, and, indeed, in the centre of London, it is: One dry cleaner in the heart of the City of London said he is getting an average of 1 USB stick every 2 weeks, another said he had found at least 80 in the past year.

Credant want to remind us that data on thumb drives is probably going to be valuable, and there could be a lot of it. With most drives now at least 2GB in capacity, that’s a lot of files that some bad guy could have access to. Encrypt, they say (using their software, presumably.)

They have a point. Though maybe encryption isn’t so much the answer as asking whether there’s perhaps a better way to carry sensitive data around with you? Like not?

Illustration from Computer Zeitung used with permission

(Update, July 2009: A BusinessWeek article puts the company's side; maybe I was a little too harsh on them in this post.)

This gives you an idea of how bad malware is getting, and how much we’re underestimating it: a U.S.. company that processes credit card transactions has just revealed that malware inside its computers may have stolen the details of more than 100 million credit card transactions. That would make it the biggest breach in history.

Heartland Payment Systems, one of the fifth largest U.S. processors in terms of volume, began receiving reports of fraudulent activity late last year. But it took until last week to find the source of the breach: “A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients,” according to Brian Krebs of The Washington Post.

Revealed were credit/debit card numbers, expiry dates and names of customers to some, or all, of more than a quarter of million retail outlets. Bad guys could make fake cards based on this data, but they probably couldn’t use it to buy stuff online, the company said. (At least one observer has characterized this as garbage, opining that a lot of eCommerce merchants turn off their Address Verification System because of errors, and fears of losing the customer.)

That it took so long is pretty extraordinary in itself—these are, after all, the company’s own computers. We’re not talking about investigators having to track down malware on one of its customers computers, or somewhere in between. But that’s not all that’s remarkable: It looks like the certification that these kinds of operations rely on, the Payment Card Industry Data Security Standard, or PCI DSS, was issued last April  (here’s the proof. Certificates are valid for a year). This suggests according to Digital Transaction News, that the bad guys have found a way around the industry standard level of protection.

Also remarkable is this: The company chose to release the news on Inauguration Day, a fact that has rightly prompted accusation the company is burying the news. The company has played down the seriousness of the breach, saying that not enough information was revealed about individual cards for identity theft to be an issue, while at the same time suggesting that it’s part of a wider “cyber fraud operation.” I’m not sure it can have it both ways.

The company but has set up a website for concerned individuals at 2008breach.com. (Note the cute use of last year to make it seem like something of historical interest only—or maybe 2009breach.com was already taken? That doesn’t seem to have stopped worried customers trying to log on; as of writing the website, and those of the company, are down—possibly because of visitor traffic.)

Apart from the insubstantial response of HPS itself, it’s worth pointing out that this kind of attack is not new. CardSystems, another processor was breached in 2005—apparently via malware which grabbed data it was storing (rather than processing.)

I was kinda skeptical back then of the way it was handled—the company itself delayed release of the information for a month. More digging suggested that the information had been available far longer. It was perhaps understandably coy, given these things never end prettily: Within a few months what was left of CardSystems was acquired by Pay By Touch, also known as Solidus Networks, just in time for it be slapped down by the FTC. Pay By Touch itself closed down last year and its website is no longer active.

What this new breach seems to tell us is that the bad guys are—and probably always have been—smarter than the good guys. Data within a payment processor like HPS does not need to be encrypted—indeed, the company argues it can’t be encrypted, because it needs to be processed—so while CardSystems was clearly in breach of the rules by storing data, HPS is arguing that it’s not.

But all this tells us is that the security measures in place to protect our data are not enough. God knows how that malware got into their computers. And why it was so hard to trace once it—or something--was known to be there. But the lesson from this miserably handled episode has to be that security and oversight need to be tightened, while transparency towards customers—the individuals who have to pick up the pieces, by scanning their monthly statements for months to come for possible fraud—has to be seriously improved.

The bigger issue, of course, is to finally wake up to the fact that malware is no longer some obscure corner of security matters, but something that affects all of us.

Image: Screenshot of the inaccessible 2008breach.com website.

I wrote a couple of weeks ago about how KL’s airport information system had been infected by a virus. I shouldn’t have gotten so het up. Turns out that the UK’s air force and navy have bigger problems.

ITV News reported on Friday that the Ministry of Defence’s computer network has been shut down “because of a mysterious virus that is causing wholesale disruption of MoD sites.” Among those affected were Royal Navy ships including the Ark Royal and RAF [Royal Air Force] bases including Brize Norton.

The Register quotes a statement from the “MoD that [s]ince 6 Jan 09 the performance of the MOD IT systems in a number of areas was affected by a virus.” The Register says “no command or operational systems had been affected, though many of these are based on similar hardware. Spokespersons also stated that "no classified or personal data has been or will be at risk of compromise" due to "pre-existing security measures".”

This is less than a month after the Royal Navy announced it had switched its nuclear submarines to a “customized Microsoft Windows system” dubbed, snappily, Submarine Command System Next Generation (SMCS NG).

In 1998 the USS Yorktown was “dead in the water” for about two and a half hours after a glitch in its new Smart Ship system, which used off-the-shelf PCs to automate tasks sailors traditionally did manually. The mishap sunk the Smart Ship initiative, which was quietly dropped a couple of years later.

A report in Portsmouth Today said the virus had affected 75% of the navy’s ships, preventing sailors from sending email and performing tasks (like finding out how many sailors are joining the ship at its next port of call). A blog on the Ministry of Defence’s website denied a report in The Sunday Times that 'all email traffic from a number of RAF stations has been sent to a Russian internet server' as a result of a 'worm virus that entered MOD systems 12 days ago'. (The report makes it appear like it was a Russian attack, which is unlikely. But I’m not sure how the MoD can be so sure that emails were not diverted in that way.)

Neither do I know how they can be sure that it wasn’t a targeted attack. As Graham Cluley of Sophos points out, it’s more likely it was human error. But aside from the issues that raises—just how many MoD computers are hooked up to the Internet, and how smart is this? What kind of antivirus software do they have installed on the computers that are?—I would prefer the MoD not to jump to the conclusion that it’s not a targeted attack.

The reason? We need to stop thinking about cyberwar and malware as two different things. Governments rarely launch cyberattacks. But individuals and gangs do—and they usually do it for a mix of nationalistic and commercial motives. This case probably is just a screw-up. But it’s foolish to discount the notion that the information that may have been gleaned—accidentally, perhaps—would prove of value to a government or an agency.

(Image above is the result of my trying to search the Royal Navy website for the word “virus”. )

Articles | MoD computers attacked by virus - ITV News

(Update: Facebook have confirmed the flaw—although it’s not as serious as it looks—and have fixed it. See comments.)

The complexity of Facebook makes it likely there are holes in its privacy. But this one, if I’m right, seems to suggest that it’s possible to access someone’s private data by a social engineering trick outside Facebook.

Today I received an email invite to join Facebook from someone I’ve never heard of. Weird, firstly, because this was not someone I think I’d have known. Weird, also, because I’m already on Facebook.

Just to make sure, I clicked on the link to sign up for Facebook and took the option there to sign in with my existing account.

That took me to my usual Facebook page. No more mention of the dude wanting to be my friend. At no point was I given any option to let this person into my life or not.

So I Googled the guy’s name and, lo and behold, I find I’m already on his list of friends:

Slightly freaked out, I went back to my account to see if this person was included in my list of friends. He wasn’t.

In other words, this guy can now see all my account details, and I can’t see his. Moreover, at no point have I accepted anything. All I’ve done is click on a link that said: To sign up for Facebook, follow the link below.

What I guess has happened is what happens if you click on the profile of someone who is not a friend but has sent you a message, or asked you to be a friend. In either case, I believe, that person then gets a week’s access to your profile.

I think this is dumb. But I think it’s dangerous that anyone can email me and, if I then click on a link to check out who they are, I now cede access to my information without being able to block it, or to be able to access his Facebook profile to see what kind of person can now access my data.

(Update: corrected a few things. You can’t see the person’s bank account number. But you can see anyone’s phone bill, whether or not they’re a customer of that bank.)

---

Here’s a hole in Internet banking that allows anyone with an account at a bank to look up other customers’ people’s bills--tax, water bill, Internet bill, landline, cellphone—so long as they have that person’s account or phone number.

This means, for example, I can enter a telephone number and—so long as that person pays their phone has an unpaid bill at that bank—I can find out their name. Think of it as a reverse phone book.

Not only that: I get their bank account number.

It needn’t stop there. If I was the social engineering type, I could then call up the phone company and give them enough information—the name, phone number and bill amount—and persuade them to send me the itemised bill.

The same is true, I’m told, of all bills that can be paid at that bank.

In short, this kind of access gives me enough personal information to socially engineer all sorts of attacks. The mind boggles.

The bank is a well-known Indonesian one—making this sort of attack particularly dangerous--but it’s probably not alone in failing to ensure a validation procedure for its customers. I’ve not had the chance to explore it; most banks, I believe, would require not a phone number but a bill reference number to access this kind of information.

The problem here is that the people who set up the service didn’t imagine that someone might enter a telephone number or bill number that wasn’t their own. Techies need to think like thieves and real people when they set these things up.

Us ordinary folk? We need to stay  on our toes and yell at banks that compromise our personal data in this way. I believe the bank in question knows of this breach but as of the time of writing, it’s not yet fixed.

If there’s one place you hope you won’t get infected by a computer virus, it’s an airport.

It’s not just that the virus may fiddle with your departure times; it’s the wider possibility that the virus may have infected more sensitive parts of the airport: ticketing, say, or—heaven forbid—flight control.

Kuala Lumpur International Airport—Malaysia’s main international airport—was on Friday infected by the W32.Downadup worm, which exploits a vulnerability in Windows Microsoft patched back in October. The worm, according to Symantec, does a number of things, creating an http server on the compromised computer, deletes restore points, downloads other file and then starts spreading itself to other computers.

Enlargement of the photo above. The notification says Symantec Antivirus has found the worm, but has not been able to clean or quarantine the file.

KL airport clearly isn’t keeping a tight rein on its security. The virus alert pictured above is at least 12 hours old and the vulnerability it exploits had been patched up a month before. Says Graham Cluley of UK-based security software company Sophos: “What's disturbing to me is that over a month later, the airport hasn't applied what was declared to be an extremely critical patch, and one which is being exploited by malware in the wild.”

What’s more worrying is that this isn’t the first time. It’s the first time I’ve noticed an infection on their departures/arrivals board, but one traveller spotted something similar a year and a half ago, with a Symantec Antivirus message popping up on one of the monitors. I saw a Symantec Antivirus message on one monitor that said it had “encountered a problem and needs to close”, suggesting that the worm had succeeded in disabling the airport’s own antivirus defences:

So how serious is all this? Cluely says: “Well, it's obviously a nuisance to many people, and maybe could cause some disruption.. but I think this is just the most "visible" sign of what may be a more widespread infection inside the airport.  I would be more concerned if ticketing and other computer systems were affected by the same attack.”

He points to computer viruses affecting other airports in recent years: In 2003, Continental Airlines checkin desks were knocked out by the Slammer worm. A year later, Sasser was blamed for leaving 300,000 Australian commuters stranded, and BA flights were also delayed.

For me, the bottom line about airports and air travel is confidence. As a traveler I need to feel confident that the people deciding which planes I fly and when are on top of basic security issues. And that doesn’t mean just frisking me at the gate. It also means keeping the computer systems that run the airport safe. This is probably just sloppy computer habits but what if it wasn’t? What if it was a worm preparing for a much more targeted threat, aimed specifically at air traffic?

(I’ve asked KL International Airport and Symantec for comment.)

Facebook may have just won a theoretical warchest from a spammer, but it’s not put its house in order when it comes to scams. Indeed, I suspect they’re getting worse. Now you can get infected without even having to visit your Facebook account.

What happens is that, if you have set your profile to receive email updates when someone sends you a message on Facebook, these trojan scams actually make their way direct into your inbox. Facebook is just the vector:

Here’s a message, as it looks in Gmail:

Click on that link and it takes you, not to the Facebook message page, but straight to the dodgy website. In this case the website is still active. It will have a name like YuoTube:

and a YouTube-like interface:

The message in the ‘player’ says “Your version of Flash Player is out of date.” Without you doing anything the download window will appear:

Of course, if you install that you’re in trouble. But are you in trouble if you’ve already visited the page? I’m still working on that.

A case in Connecticut has exposed the legal dangers of not protecting your computer against spyware, as well as our vulnerability at the hands of incompetent law-enforcement officers.

Teacher Julie Amero found herself in a nightmare after spyware on her school computer popped up pornographic images in front of students. Instead of realising this was spyware at work, the state accused her of putting them there and forcing her pupils to watch.

In June of 2007, Judge Hillary B. Strackbein tossed out Amero's conviction on charges that she intentionally caused a stream of "pop-up" pornography on the computer in her classroom and allowed students to view it. Confronted with evidence compiled by forensic computer experts, Strackbein ordered a new trial, saying the conviction was based on "erroneous" and "false information."

But since that dramatic reversal, local officials, police and state prosecutors were unwilling to admit that a mistake may have been made -- even after computer experts from around the country demonstrated that Amero's computer had been infected by "spyware."

It seems the nightmare may be coming to an end, but not without a price. She’s had to admit to one misdemeanour charge and surrender her teaching licence. She’s also been hospitalized for stress and heart problems.

The lesson? This was a school computer, and it seems the school failed to install the necessary updates and protection to prevent the spyware from loading itself. That’s probably something Amero should be exploring with her lawyers.

But there’s a bigger issue. We need, as individuals, to take more reponsibility for the computers we use—to learn the basics of protecting them from attacks, and to be able to at least identify what the problem is when something like this happens. It may have taken a techie guy to clean the computer in this case (I admit spyware is really hard to get rid of) but knowing, roughly, what the problem is should be the bare minimum of our working knowledge of the computers we use.

Connecticut drops felony charges against Julie Amero, four years after her arrest - Rick Green | CT Confidential