[security] Fascinating ID Theft saga

The degree of sophistication, care, and patience these hackers apply is quite amazing (but not surprising). Their engineering and business savvy are on a par with the best of Google and Amazon.

Data Broker Giants Hacked by ID Theft Service — Krebs on Security:

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.


Securing or attacking Industrial Control Systems

It turns out that Kaspersky Labs is developing a brand-new operating system specifically designed for embedded industrial systems and industrial control systems.

In this article, Eugene Kaspersky explains why his company decided to embark on the creation of an operating system designed specifically and only for embedded industrial control systems.

The obvious question:

“First I’ll answer the most obvious question: how will it be possible for KL to create a secure OS if no one at Microsoft, Apple, or the open source community has been able to fully secure their respective operating systems? It’s all quite simple really.

“First: our system is highly tailored, developed for solving a specific narrow task, and not intended for playing Half-Life on, editing your vacation videos, or blathering on social media. Second: we’re working on methods of writing software which by design won’t be able to carry out any behind-the-scenes, undeclared activity. This is the important bit: the impossibility of executing third-party code, or of breaking into the system or running unauthorized applications on our OS; and this is both provable and testable.” (from Kaspersky Lab Developing Its Own Operating System? We Confirm the Rumors, and End the Speculation!)


LinkedIn Passwords: Who stores passwords in the clear

I am a pretty regular LinkedIn user, so the news that some unspecified number of LinkedIn users had their passwords compromised was of some interest to me.

Here’s what a recent post on their blog says:

“We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts….” (from LinkedIn Blog)

Not that I would be all that harmed if someone hacked my LinkedIn account, but still, it does affect me. So far I have not seen an email from LinkedIn telling me that my own account is in trouble.

But, the thing that mystifies me is that they make it sound like user passwords are stored in the clear on their systems. Isn’t it elementary that one does not store passwords in clear text on any server? I won’t even give any links to back up this point as it is practically in Chapter one of any web development book.

So, either LinkedIn knowingly violated a totally elementary security best practice and stores passwords in clear text. In my opinion this is very unlikely.

Or, the news reports were purposely misleading because what actually happened would give away something that they don’t want to give away.

What could that be, I wonder?

Keeping emails and security under control

Do you receive tons of notification emails from your various subscriptions or social sites like Twitter, Facebook and the others? Have you thought about the impact all these teasers have on your productivity?

Well, you might have forgotten (or be too busy to figure out) how to manage or shut down the notifications. Check out this handy toy that I just came across: Notification Control.

And in a related story, here’s a similar site if you want to review your security and permissions settings on all these sites. Another chore often put off to our own detriment! My Permissions.

Yeah there’s really very little to these two sites but I think you might find them very useful!

TSA: Smokescreening

An interesting and fun to read article in Vanity Fair about the security check procedures established by the TSA:

“Taking off your shoes is next to useless. “It’s like saying, Last time the terrorists wore red shirts, so now we’re going to ban red shirts,” Schneier says. “If the T.S.A. focuses on shoes, terrorists will put their explosives elsewhere. “Focusing on specific threats like shoe bombs or snow-globe bombs simply induces the bad guys to do something else. You end up spending a lot on the screening and you haven’t reduced the total threat.” (from: Vanity Fair)

Schneier, of course, is Bruce Schneier, who is always interesting to read. He writes about security and computers. I have quoted him many times before on this blog.

Swipely, cool but scary?

So there’s this rather cool new service that says they will find and give you special deals to the stores and merchants you use already. The way they do it is to examine your credit card bills and help you find deals. They say:

With Swipely, you can earn automatic cash back rewards at the best local places Boston has to offer. There are no coupons to cut, vouchers to buy or loyalty cards to forget – with Swipely you earn valuable rewards on every purchase with the credit or debit cards you already have, automatically. Best of all, Swipely is free!

Sounds great, but do you know how they do it? You have to give them your credit card info and your login for the credit card company’s web site, so they can look at your charges. They say it is very secure:

Swipely downloads transactions to give you rewards via our banking technology partner using a secure, read-only connection trusted by more than 5,000 banks and 26 million consumers. Swipely uses 256-bit SSL EV bank-grade encryption and SAS 70 Type II secure data centers.

I am pretty promiscuous when it comes to this kind of thing (for example, I’ve been using Mint.com for a while now) but still this one creeps me out just a little bit. What do you say?

BillGuard

This site looks really good, but I am not signing up yet.

[Screenshot of the BillGuard site, 2011-07-17]

I am famously promiscuous about signing up with new services just so I can ‘know what’s going on’, but when the first thing I have to do is give this site the account and password for a credit card that I use, I stop and take a breath.

Who are these guys? Fred Wilson, a highly reputable VC blogger is the one who recommended it in his blog. Maybe he’s an investor? I don’t know. But for now, I am holding off.

Wikileaks

Like many, I don’t know yet whether I support or condemn the Wikileaks action that has been discussed and debated at length on all fora. You have to agree that it has yielded some interesting insights about the way the world works.

First of all: as far as a diplomat making snide comments about one world leader or another, big deal! I mean it’s embarrassing (like someone hacking your email account or finding your personal diary) but certainly no one is surprised; gossiping and showboating are human nature, yes?

A friend of mine who has been in the foreign service for a long time read the cables with gusto and said if nothing else, it shows that the US foreign service officials are smart and thoughtful and do an impressive and important job.

From that perspective he feels pride that the work that he’s done in obscurity for years finally gets seen by his friends and colleagues who can now appreciate it for what it is.

Here are some more serious questions that occur to me:

  • If it is illegal for Wikileaks to publish cables that they received (from essentially a whistleblower in the Defense department) then why is it not equally illegal for the New York Times to publish them? Is it because the NYT is ‘more reasonable’ and will more likely do what the government wants them to do?
  • Think about having a thumb drive with 500,000 documents on it. What do you do with it? What’s the point of making it available, even to someone with a ‘need to know’? How do you make sense of it. Talk about trying to find a needle in a haystack. Chances are good that you won’t. It brings up the importance of tools and systems to process, classify, summarize and in general make sense of it.
  • This leak appears to have been the work of a lone whistleblower. How is it even possible that a single person has access to such a huge collection of documents? Given the size of thumb drives (I just bought a 16 GB drive for under $30), keeping them from moving in and out of secure buildings is impossible. So the problem is access to the data, and the ability to ‘export it’ at all.

Some final links if you are still with me. Look at this very interesting summary article in the New York Times, which comments on one of the questions I raise above:

“Mr. Packer is very much against the prosecution of WikiLeaks on grounds of treason because, he said, “discerning the legal difference between what WikiLeaks did and what news organizations do is difficult and would set a terrible precedent.” (from The New York Times)

Look at this interesting post by David Weinberger, commenting on a fantastic article by Jeremy Wagstaff, who says:

“No, the problem that WikiLeaks unearths is that the most powerful nation on earth doesn’t seem to have any better way of working with all this information than anyone else. Each cable has some header material—who it’s intended for, who it’s by, and when it was written. Then there’s a line called TAGS, which, in true U.S. bureaucratic style doesn’t actually mean tags but “Traffic Analysis by Geography and Subject”—a State Department system to organize and manage the cables. Many are two letter country or regional tags—US, AF, PK etc—while others are four letter subject tags—from AADP for Automated Data Processing to PREL for external political relations, or SMIG for immigration related terms.” (from Jeremy Wagstaff: Data, Wikileaks and War)
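As an added illustration of the “tools and systems to process, classify, summarize” point raised earlier (this is my example, not code from the post, from Wagstaff, or from any real cable-processing tool), here is a small indexer that reads a constructed dump of cable headers, splits each TAGS line into country and subject codes using the two-letter/four-letter convention quoted above, and answers the kind of “which cables carry all of these tags” question one would need to get anywhere with a large dump. The three cables and their header layout are made up; only the shape of the TAGS line follows the quoted description.

```python
"""Added example: indexing a constructed set of cable headers by their TAGS line.
The cables below are invented; the two-letter (country/region) vs. four-letter
(subject) tag convention follows the description quoted above."""
import re
from collections import Counter, defaultdict

# Constructed sample dump: three made-up cables, blank-line separated,
# each with a short "KEY: value" header block that includes a TAGS line.
SAMPLE_DUMP = """\
ID: 1
FROM: AMEMBASSY KABUL
TO: SECSTATE WASHDC
DATE: 2009-03-02
TAGS: PREL, PGOV, AF, PK
SUBJECT: constructed sample one

ID: 2
FROM: AMEMBASSY ISLAMABAD
TO: SECSTATE WASHDC
DATE: 2009-03-05
TAGS: SMIG, PK
SUBJECT: constructed sample two

ID: 3
FROM: AMCONSUL KARACHI
TO: SECSTATE WASHDC
DATE: 2009-04-11
TAGS: AADP, PREL, PK, US
SUBJECT: constructed sample three
"""

HEADER_LINE = re.compile(r"^([A-Z]+):\s*(.*)$")


def parse_cables(dump: str) -> list[dict]:
    """Split the dump into cables and read each header block into a dict;
    the TAGS value becomes an upper-cased list of codes."""
    cables = []
    for block in dump.strip().split("\n\n"):
        header = {}
        for line in block.splitlines():
            m = HEADER_LINE.match(line)
            if m:
                header[m.group(1)] = m.group(2).strip()
        raw = header.get("TAGS", "")
        header["TAGS"] = [t.strip().upper() for t in raw.split(",") if t.strip()]
        cables.append(header)
    return cables


def classify_tag(tag: str) -> str:
    """Two-letter codes are country/region tags, four-letter codes are subject
    tags, per the quoted description; anything else is flagged for review."""
    if len(tag) == 2:
        return "country"
    if len(tag) == 4:
        return "subject"
    return "unknown"


def build_index(cables: list[dict]) -> dict[str, set[str]]:
    """Inverted index: tag -> set of cable IDs carrying that tag."""
    index: dict[str, set[str]] = defaultdict(set)
    for c in cables:
        for t in c["TAGS"]:
            index[t].add(c["ID"])
    return index


def cables_with_all(index: dict[str, set[str]], tags: list[str]) -> list[str]:
    """IDs of cables carrying every one of the given tags (AND query)."""
    sets = [index.get(t.upper(), set()) for t in tags]
    return sorted(set.intersection(*sets)) if sets else []


def tag_counts(cables: list[dict], kind: str) -> Counter:
    """How often each tag of the given kind ('country' or 'subject') appears:
    a first, crude summary of what a dump is about."""
    return Counter(t for c in cables for t in c["TAGS"] if classify_tag(t) == kind)


if __name__ == "__main__":
    cables = parse_cables(SAMPLE_DUMP)
    index = build_index(cables)
    print("cables tagged PREL and PK:", cables_with_all(index, ["PREL", "PK"]))
    print("subject tags:", tag_counts(cables, "subject"))
    print("country tags:", tag_counts(cables, "country"))
```

On a real dump the parser would need to cope with the actual wire format of the cables and with malformed TAGS lines, which is exactly why the classifier returns "unknown" rather than guessing; but even this much turns a pile of text into something one can query by geography and subject.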

You see, this Wikileaks question raises some important and tricky questions, and they are not all about who called who by what name.