Phishing For a Scapegoat

It’s somewhat scary that more than 10 employees of a laboratory that works on security issues (including phishing) could fall for a phishing attack. The Oak Ridge National Laboratory, or ORNL, managed for the U.S. Department of Energy by UT-Battelle, works on science and technology involved in energy production and national security. In late October the lab was targeted from Chinese websites, according to eWeek:

All of the phishing e-mails instructed lab employees to open an attachment for more information or to click on an embedded link. ORNL’s investigators now believe that about 11 staff fell for the come-ons and opened the attachments or clicked on the links. That was enough for the attackers to install keyloggers or other types of malware that gave attackers access to systems and the ability to extract data.

The interesting thing here is whether this was a “coordinated attack” and a “cyberattack” as has been suggested in the media. The Knoxville News Sentinel, for example, quotes lab director Thom Mason as saying the attack involved the thieves making “approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven phishing e-mails, all of which at first glance appeared legitimate.” Meanwhile this AP article quotes Mason’s memo to employees:

The assault appeared “to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions” in the United States, lab director Thom Mason said in a memo to the 4,200 employees at the Department of Energy facility.

The key here may be that the attackers were after personal information, not military secrets. As John C. Sharp writes:

The headlines keep coming about the news that several high-profile military labs – including some of the world’s leading nuclear research labs – have been compromised by phishing scams. Unfortunately, many of these headlines are missing the point.

Example: In one story published today, PC World claims that Chinese Hackers “launched” a coordinated “major attack” on two US Military Laboratories.

This is almost certainly *not* what happened. According to most of the published data, this was a phishing attack, plain and simple.

The fact is that China’s computers are so insecure that more or less anyone could use them to do more or less anything, from relaying spam to launching phishing attacks. So it’s not proof that China, or even Chinese, were involved just because the IP addresses are Chinese.

Of course, we don’t know for sure what happened yet. But if the attack was enabled by employees clicking on an email attachment or link that originated from a Chinese server, you’ve got to a) question the security training at a place like that, and b) wonder what kind of security filters they have on their servers that would allow such emails to get through, especially given the sheer number of emails that were sent.

Sometimes “China” is a great excuse for all sorts of incompetence and inefficiency, and “sophisticated cyber attack” is just another way of saying “sorry, we haven’t got a clue about all this Internets stuff.”

Oak Ridge Speared in Phishing Attack Against National Labs

Your MP3 Player As Your Phone

I’m not convinced that this gadget is exactly the wonder it claims to be, but it’s an interesting fusion of functions. The soon-to-be-launched Ezmax MP3 Player includes a VoIP feature that, in the words of PC World’s Paul Kallender:

when the device is linked to an Internet-connected PC via a USB 2.0 port, people can make local and international calls using a microphone that is included in the device’s earphone cord.

I must confess I share some of the skepticism expressed about whether this is a breakthrough product or a gimmick. But there are some interesting elements here that perhaps merit a closer look:

For one, this represents an interesting variation on the idea of a USB application drive, where you keep the programs (and not just the data) that you need on a portable drive. (Here’s a discussion of the issue and some examples.) In this role the EZMP-4200P is simply working as a portable application device.

But there’s also the built-in microphone, which illustrates how the quality of recording, both in terms of input (the microphone) and storage (compression, sampling), has improved. I’m still using my Olympus DM-1 to record interviews but this is old, expensive and stale technology. It would be much better to have the same capability on a key drive (or, as some people do nowadays, their cellphone. iPods are an option, but an extra load.) The existing EZMP-4000 for example, already lets you record your lectures or conferences for up to a maximum of 18 hours (on a basis of 256MB) through a built-in high efficient mike. The USB drive as a good digital recorder. That’s pretty much all a journalist, writer, academic or whatever needs.

Then there’s the idea of identity on a stick. The EZMP-4200P, according to the article, would contain details of the VoIP accounts held by the user, and, while of course it needn’t serve an actual authentication role, it could. Carry your USB drive around, just plug it into an Internet-connected PC and all your VoIP accounts synchronise, just like your email, capturing voicemail, letting you make calls etc. Your USB drive would be like a SIM card: Just yours.

So maybe the EZMP isn’t that great a leap in itself, but it’s a sign of the opportunities that USB drives could provide.

My Friendly Neighbourhood PC Store

I’ve long had a love-hate relationship with the PC World megastore in my hometown. On the one hand they’re the only folks in town stocking any computer stuff. On the other hand they are truly dreadful:

  • Even during a lunchtime a week before Christmas they have only one till open. When another staff member opened a second till for someone buying something a queue formed. “I’m not open, I’m afraid,” the staff member said. One customer was so livid he threw his intended purchases on a nearby display, offered some unChristmas-like valedictions to the staff and left empty-handed. I would have followed in solidarity but I really, really needed the Bluetooth adapter.
  • Sadly the staff look like uber-geeks but are idiots. I asked a guy for help on scanners — which were powered, which were USB2.0 compliant, all that kind of basic stuff (which wasn’t written anywhere on the labels), and he launched into a long treatise that bore only tangential relationship with the topic in hand. I’m no expert, but I know a bluffer when I see one. He didn’t even offer to look up the information for me.
  • When I took an Ethernet cable to the counter and asked whether I had the right one for a network (as opposed to connecting two computers, which, I read, would involve different wiring) he felt the cable itself and said, “Yeah, that’s the right one, it’s red.” Ah, that’s alright then.
  • What I really hate, and this may not be their fault, is the supplying of gear without cables. It’s been the practice of printer manufacturers for some time now to sell their printers without the USB cable. I guess this shaves a few pounds off the price, but it’s sneaky and merely enables the store to then charge the unsuspecting punter for the most expensive USB cable in the store ‘because it’s better’. The number of times I’ve seen naive shoppers taken in by this annoys the hell out of me. Probably they’ve got a USB cable at home that would do the job, but, unsuspecting and trusting, they believe the guy and take whatever is recommended to them in the shop. Some of these cables cost $20 or more, significantly adding to the cost of the device. And don’t get me started on the dodgy ‘no cartridges in the printer box’ scam. Jeesh.

For once you’d think these shops would try to win customers’ long term loyalty by giving them good information and a square deal. But why bother when you’re the only store in town?

News: Spam The Website

You know that spam has hit the big time when it gets its own website. Well, a corner of one: yesterday released Spam Watch, a new section of its web site dedicated to the latest news, tips and tools in the war against online junk mail. PC World Spam Watch also features “Spam Slayer,” an exclusive weekly column, the Top 5 Anti-Spam Downloads with the hottest freeware and shareware to help stop spam, and the latest information on legislation opposing unwanted e-mail.