Archive for the ‘Security’ Category

Make this important adjustment to your Gmail account

August 22, 2008 4 comments

Les at Stupid Evil Bastard explains why If you use Gmail you should enable the SSL feature right now.

SSL stands for “Secure Sockets Layer” and it makes your Gmail account much more secure.  This has suddenly become important because a new Gmail hacking tool will be released in about a week and enabling SSL is the antidote.

Here’s what to do: Just open Gmail, click on “Settings”, scroll down to the bottom of the “General” tab and click “Always use https”.  Then click Save Changes.  That’s it.  Your Gmail now works the same way it did before, only more securely.

(Thanks Les.  We appreciate you watching out for us.  It’s easy for this kind of thing to slip off the radar.)

Categories: Geeky, Security

False sense of security

August 14, 2008 4 comments

I’m actually sympathetic to Boston for getting a court order to forbid three MIT students from giving a talk about security problems they found in the subway payment system.  I mean, after the city spent $180m to set up the system, how could those students jeopardize it by revealing the holes in the wall?  Nor is it surprising that city officials didn’t understand the security hole – according to security expert Bruce Schneier, they didn’t do their research, didn’t know how to buy a secure product in the first place.  They fell for a sales pitch.

They want “time” to fix the problem that they don’t even understand yet.  It’s what every company, every half-assed government agency charged with keeping our information safe from identity thieves, says.  The bad guys won’t figure it out if… Shhh!… we just don’t talk about it!

Yeah.  I’m sure Boston will give the problem all the attention it deserves without a spotlight on it. They wouldn’t drag their feet, sweep it under the rug, and just basically forget about it after news reports die down.  Would they?

Categories: Geeky, Security

Frozen (laptop) Memory

March 5, 2008 5 comments

There have been a lot of news articles about the discovery at Princeton that cooling the RAM chips of a laptop to -50C enables a quick restart from sleep mode, potentially allowing retrieval of encryption keys residing in the chips.  The news media has been treating this as a major vulnerability.

You take the stolen, sleeping laptop, remove the cover to the RAM chips, freeze them with an inverted can of “canned air”, and then “cut the power and then re-attach the power, and by doing that will get access to the contents of memory – including the critical encryption keys.”  It’s being touted everywhere as a “major vulnerability”.

Umm, sure… I do it all the time and the encryption key just pops right up on screen in a blinking box labelled “Encryption Key”.  Movie and TV writers, freshly off-strike, are probably dying to use this in a story.  That math guy on “Numb3rs” will pull it off in the bad guy’s apartment with whatever stuff is lying around and the seconds ticking off toward disaster. 

Essentially what the hacker needs to do is remove the chips from the laptop, put them – still frozen – in another laptop that is running a memory-analysis utility, access the chips and “dump” the memory contents to a file on the hard drive.  Or somehow load a new operating system into the first laptop without writing to any of the memory in its RAM chips.  Simple!

What Professor Felten and his team found was that cooling memory chips “enhanced the retention of data in memory chips.”  That’s a long way from a usable hacking technique.  So you have to power completely down if you think your laptop might get stolen and it contains a huge database of people’s personal information.  Or… don’t carry stuff like that around on laptops!  There.  Problem solved.

Categories: Geeky, Security

Campus safety follies

March 2, 2008 2 comments

When the Columbine shootings took place in 1999, my son said; “This will bring out the stupid in everyone”.  That observation still holds following the ‘08 Valentine’s day shooting at NIU, and it could hardly get any stupider than this:

An armed man who burst into a classroom at Elizabeth City State University was role-playing in an emergency response drill, but neither the students nor assistant professor Jingbin Wang knew that. “I was prepared to die at that moment,” Wang said Tuesday…

Charlotte News-Observer: Mock Gunman terrifies students

There’s lots of entertaining stupidity in the article but here’s my favorite part:

John Pierce of Bristol, Va., a spokesman for a pro-gun Internet group called, said the university’s drill was poorly planned and dangerous. He said people in the class could have been killed or injured trying to escape or could have harmed the role player.

He called for the state to make it legal for individuals to carry firearms for self-defense. He said North Carolina is one of 16 states that make it a crime for people to carry firearms on campuses.

I’m not categorically opposed to carry laws for certain situations and with certain restrictions.  But we shouldn’t have any illusions about how much good they might do.

Bonus question: if one of the students had been packing, and he had heroically shot the ‘gunman’ (who was a campus police officer but they didn’t know that), would he have been given a medal?  Or charged with a crime?

Categories: Geeky, Security

Here’s your toothbrush, jerk - now get busy cleaning every building in the city

June 1, 2007 5 comments

News item: Man described as 1 of world’s top 10 spammers arrested in US

A federal grand jury last week returned a 35-count indictment against Soloway charging him with mail fraud, wire fraud, e-mail fraud, aggravated identity theft and money laundering. Soloway pleaded not guilty Wednesday afternoon to all charges after a judge determined that—even with four bank accounts seized by the government—he was sufficiently well off to pay for his own lawyer.

Soloway has been living in a ritzy apartment and drives an expensive Mercedes convertible, said prosecutor Kathryn Warma. Prosecutors are seeking to have him forfeit $773,000 (euro576,005) they say he made from his business, Newport Internet Marketing Corp.  Prosecutors say Soloway used computers infected with malicious code to send out millions of junk e-mails since 2003. The computers are called ‘‘zombies’’ because owners typically have no idea their machines have been infected.

Very impressive:  catching the spammers involves both technical and financial investigation.  I think they’re a little optimistic in saying people will notice a difference in their inboxes.  Someone will take his place.  And for the economic damage he’s done, he won’t spend enough time in prison.

Categories: Geeky, Security

I can think of a lot of ways to misuse this product

May 30, 2007 6 comments

Parents, do your kids trust you too much?  Would you like them to be more emotionally distant, more wary, and never tell you anything?  SnoopStick is here to help.  Just plug it into your kid’s computer, run the setup program, and quick as you can say; “I just don’t know why we don’t talk anymore” you can spy on everything that happens on his or her computer.

Husbands and wives can use SnoopStick to spy on each other, too.  It’s fun for the whole family!  There are endless ways to show you’d rather run a power play than risk having any real relationship with someone.

Bosses can even use SnoopStick on up to three employees at a time.  Just remember your employees might use a SnoopStick on your computer if they know how to bribe a janitor.  It’s really hacking made easy.

Note: there are about a zillion ways around SnoopStick, including running the computer off a Knoppix or Ubuntu boot CD when you want privacy. 

Categories: Geeky, Security

Checking the ingredients of your new jump drive

February 1, 2007 12 comments

Sure the snack-cake looks tasty, but millions of times a day, people flip the package over to check the ingredients.  If it contains trans-fats, they pass.  It’s a common ritual.

Consider doing the same thing when you buy a USB jump drive.  If you see “SmartDrive” or “U3” anywhere on the drive, well, it’s your funeral but I’d look for another jump drive. One clue is that some companies pay the jump drive manufacturer to be included in the capabilities of that drive’s U3 installer (accounting for an unusually low price). And although it is billed as a security feature, hackers are quite excited about the possibilities of U3, but that’s not the main problem.  Here’s what really pushes it into the “no buy” category for me – picture this:

You buy a new jump drive to carry your files around.  You plug it in, and it seems to take a lot longer to detect than other jump drives; the light flashes for a long time, your machine seems busy, but finally it says “ready”.  So you copy your presentation onto the drive, drop it in your pocket, and head off to give a presentation in another city.

When you get to the venue, you confidently plug the drive into their computer and the system says; “you need administrative access to install software on this machine, please contact your system administrator.”  You’d have been totally out of luck if by chance you hadn’t pre-emailed it to your webmail account too.  Hardly a convenience feature.

SanDisk and the U3 group deny this happens, of course, but this is only one example of several I have seen. The more I find out about U3, the more I feel inclined to mention it as a warning rather than a feature.

  • By the way,  the U3 removal tool doesn’t always work properly, either. 
  • And you should be aware that all USB drives pose risks.  Many companies ban them altogether, for good reason.
  • If you’re travelling with a presentation, I recommend assuming your transport method won’t work.  Copy it on a jump drive, pre-email it to yourself, put it on a web page where you can find it, burn it to a CD, and bring your own laptop with the presentation on it.  Be unstoppable!

  • Webs05 has a more in-depth article about the hacking angle here: Smart Drive my ASS!!!

More abandoned-data follies

January 1, 2007 2 comments

Picture this: a Unix guru finds a Sun Ultrasparc server at the Goodwill store for $12.  How could he resist taking a look at it?  What would he find?

I found a lot. A scary amount. Whomever previously owned the box hadn’t cleaned up very well. The ultrasparc had been used to run oracle databases for several large companies that you all have no-doubt heard of. Yes, the databases were intact. But this is only the surface. Deep within the vaults of the /opt directory, I noticed a ‘backup’ directory. Turns out one of the admins for this box made a complete backup of his personal windows computer, including his Palm-OS-powered cell phone, blueprints for his house, family pictures, plain-text password lists for the companies he worked for, and the greatest gem of the entire collection: 1200dpi scans of his and his wife’s US passports. I mean, what can I say?
Elliott Writes: Sun Ultrasparc with 9 Ethernet ports

Wow!  A very unfunny assortment of data to leave lying around. Lucky the system was found by someone with a conscience.  After erasing the data Elliott went on to beef up the system with eight more Ethernet ports and NetBSD.  (It would make one hell of a firewall in this configuration – why buy a router when you have a *nix box with that many ports?  Very, very cool.)

I have written about this issue before, but that was about personally-owned machines.  It makes you wonder, what are the equipment-disposal policies of your company’s IT department?  And since there were several companies’ data on the machine, the same question applies to the data storage, offsite backup, or transaction hosting subcontractors your company uses.  I’m sure there’s something about this in the SarbOx law – individual network administrators could try to push awareness at the corporate level if the CIO is sans-clue.

Categories: Geeky, Security

More fear itself

October 4, 2006 2 comments

For a nation of immigrants, this does not bode well:

Seth Stein is used to jetting around the world to create stylish holiday homes for wealthy clients. This means the hip architect is familiar with the irritations of heightened airline security post-9/11. But not even he could have imagined being mistaken for an Islamist terrorist and physically pinned to his seat while aboard an American Airlines flight – especially as he has Jewish origins.

Yet this is what happened when he travelled back from a business trip to the Turks and Caicos islands via New York on 22 May. Still traumatised by his ordeal, the 47-year-old is furious that the airline failed to protect him from the gung-ho actions of an over-zealous passenger who claimed to be a police officer…

“This man could have garrotted me and what was awful was that one or two of the passengers went up afterwards to thank him,” said Mr Stein. He has since been told by airline staff he was targeted because he was using an iPod, had used the toilet when he got on the plane and that his tan made him appear “Arab”.
- Humiliation at 33,000 feet: Top British architect tells of terror ‘arrest’

After 9/11, I had a Turkish grad student working for me – a wonderful guy, though as he put it; “Look like terrorist!” from his swarthy skin to the single dark eyebrow that spanned his face.  He occasionally encountered awkward moments, such as when a number of police cars were summoned when he asked one D.C. cop for directions.  He felt it was understandable in light of recent events.  I thought he was an exceptionally good sport about the whole thing.

But it isn’t ‘understandable’.  As FDR said in his first inaugural address, fear itself merits a skeptical review.  It can lead us to do stupid things we later regret, both as individuals and as a nation.  While promoting fear may be an effective strategy for keeping legislative seats or winning presidential elections, it guarantees an erosion of common sense and of confidence in our freedoms.

(from ***Dave)

Categories: Geeky, Security

Keillor’s suggestion

September 14, 2006 1 comment

I love Garrison Keillor:

The way to stop terrorists on planes is to encourage passengers to bring loaded firearms aboard: guys in orange vests sitting in exit rows with deer rifles on their laps, ladies with Mr. Colt in their purses, kids with peashooters. Somebody wake up the National Rifle Association. Does the Second Amendment say, “The right of the people to keep and bear arms shall not be infringed except on commercial airliners”? Where are the right-wingers when you really need them?

This way, if some guy in a burnoose sets up a chemistry lab in row 24 and mixes hydrogen peroxide, sulfuric acid and acetone in a big beaker that is packed in 15 pounds of dry ice to keep it cool, and cooks up some triacetone triperoxide, or TATP, the passengers will be able, in the several hours it will take him to make the deadly explosive, to bring him under control, assuming the fumes haven’t knocked him out. And they could nab the mastermind, too, the monocled guy in first class petting the white cat.
- Baltimore Sun: Coffee, tea, or triacetone triperoxide?

Yes, I know he’s speaking tongue-in-cheek but there is truth in it.  If a Terror!st ever does manage to smuggle any kind of weapon aboard, he’ll have the luxury of confronting passengers who have been stripped of anything that could conceivably be used to fight back.  News flash: most people are law-abiding, but Terror!sts are not.  There are times when a nail file could come in really handy, y’know?

Categories: Geeky, Security