Tag Archives: PC World

Phishing For a Scapegoat

It’s somewhat scary that more than 10 employees of a laboratory that works on security issues (including phishing) could fall for a phishing attack. The Oak Ridge National Laboratory, or ORNL, managed for the U.S. Department of Energy by UT-Battelle, works on science and technology involved in energy production and national security. In late October the lab was targeted from Chinese websites, according to eWeek:

All of the phishing e-mails instructed lab employees to open an attachment for more information or to click on an embedded link. ORNL’s investigators now believe that about 11 staff fell for the come-ons and opened the attachments or clicked on the links. That was enough for the attackers to install keyloggers or other types of malware that gave attackers access to systems and the ability to extract data.

The interesting thing here is whether this was a “coordinated attack” and a “cyberattack” as has been suggested in the media. The Knoxville News Sentinel, for example, quotes lab director Thom Mason as saying the attack involved the thieves making “approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven phishing e-mails, all of which at first glance appeared legitimate.” Meanwhile this AP article quotes Mason’s memo to employees:

The assault appeared “to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions” in the United States, lab director Thom Mason said in a memo to the 4,200 employees at the Department of Energy facility.

The key here may be that the attackers were after personal information, not military secrets. As John C. Sharp writes:

The headlines keep coming about the news that several high-profile military labs – including some of the world’s leading nuclear research labs – have been compromised by phishing scams. Unfortunately, many of these headlines are missing the point.

Example: In one story published today, PC World claims that Chinese Hackers “launched” a coordinated “major attack” on two US Military Laboratories.

This is almost certainly *not* what happened. According to most of the published data, this was a phishing attack, plain and simple.

The fact is that China’s computers are so insecure that more or less anyone could use them to do more or less anything, from relaying spam to launching phishing attacks. So it’s not proof that China, or even Chinese, were involved just because the IP addresses are Chinese.

Of course, we don’t know for sure what happened yet. But if the attack was enabled by employees clicking on an email attachment or link that originated from a Chinese server, you’ve got to a) question the security training at a place like that, and b) wonder what kind of security filters they have on their servers that would allow such emails to get through, especially given the sheer number of emails that were sent.

Sometimes “China” is a great excuse for all sorts of incompetence and inefficiency, and “sophisticated cyber attack” is just another way of saying “sorry, we haven’t got a clue about all this Internets stuff.”

Oak Ridge Speared in Phishing Attack Against National Labs

Your MP3 Player As Your Phone

I’m not convinced that this gadget is exactly the wonder it claims to be, but it’s an interesting fusion of functions. The soon-to-be-launched Ezmax MP3 Player includes a VoIP feature that works as follows, in the words of PC World’s Paul Kallender:

when the device is linked to an Internet-connected PC via a USB 2.0 port, people can make local and international calls using a microphone that is included in the device’s earphone cord.

I must confess I share some of the skepticism expressed about whether this is a breakthrough product or a gimmick. But there are some interesting elements here that perhaps merit a closer look:

For one, this represents an interesting variation on the idea of a USB application drive, where you keep the programs (and not just the data) that you need on a portable drive. (Here’s a discussion of the issue and some examples.) In this role the EZMP-4200P is simply working as a portable application device.

But there’s also the built-in microphone, which illustrates how the quality of recording, both in terms of input (the microphone) and storage (compression, sampling), has improved. I’m still using my Olympus DM-1 to record interviews but this is old, expensive and stale technology. It would be much better to have the same capability on a key drive (or, as some people do nowadays, on their cellphone; iPods are an option, but an extra load). The existing EZMP-4000, for example, already lets you record your lectures or conferences for up to a maximum of 18 hours (on a basis of 256MB) through a built-in high efficient mike. The USB drive as a good digital recorder. That’s pretty much all a journalist, writer, academic or whatever needs.

Then there’s the idea of identity on a stick. The EZMP-4200P, according to the article, would contain details of the VoIP accounts held by the user, and, while of course it needn’t serve an actual authentication role, it could. Carry your USB drive around, just plug it into an Internet-connected PC and all your VoIP accounts synchronise, just like your email, capturing voicemail, letting you make calls etc. Your USB drive would be like a SIM card: Just yours.

So maybe the EZMP isn’t that great a leap in itself, but it’s a sign of the opportunities that USB drives could provide.