Archives For hacking

cleaning the sea

Unless you live under a rock on an alien planet, you probably know all about the massive hack which revealed every digital asset used to run Ashley Madison, the much maligned, famous dating site for cheating spouses. And you probably also know of several very vocal and visible morality crusaders in the U.S. and Europe who have been outed as long-term members paying hundreds of dollars to guarantee having affairs. Brian Krebs, a top notch cybersecurity reporter with trusted sources in the web’s seedy underbelly, has already found evidence that an enterprising group of extortionists used the leaked data to blackmail some of the users in spear phishing campaigns, demanding bitcoins to keep their affairs quiet. Although one does wonder how effective this scam would be when the data is already easy to access and a concerned spouse could just search it for familiar e-mail and physical addresses to find a match. It seems like an attempt to scare someone into reflexively handing over some hush money. But I digress a bit…

While it’s pretty hard to gather much sympathy for people who cheated on their spouses, or to advocate for their privacy, even if every user’s situation may be different and many more than likely did not actually meet anyone, whatever we may feel towards them shouldn’t obscure the very real problem with so much of our lives playing out on the web. We need to work past all of the moral outrage and schadenfreude and come to grips with the realization that we’re using a number of sites to do things with which we can be blackmailed. Sure, those who wanted to get laid behind their spouses’ backs have something to be ashamed of and issues to work through, but consider the previous big adult site hack, that of casual sex site Adult FriendFinder. While a few of its users were definitely cheating on their spouses, most were swingers, or simply looking for a hookup on a site that seemed large and recognizable enough to work for them to get some of their basic urges met, well outside the prying eyes of today’s societal moralists.

It’s one thing when you’re busted for trying to cheat or cheating, but when you’re in an open marriage, or single and just want casual sex, and get the same vultures with blackmail threats in your inbox for being an adult with a sex drive, shouldn’t that be different? If you use the web for anything less tame than reading the news and surfing social media sites, a dark cloud should not hang over your head with every hack. And sadly, there’s not much that can be done to prevent large hacks like this. From sloppy coding, to expired certificates, to a server that hasn’t been patched in months, there are simply too many vectors for an attack, so when you’re a large target, the surface area you have to keep secure forever is immense, while attackers need only one point of entry, once, to do a lot of damage. Your best hope is just to not be interesting enough to warrant anyone’s attention, but given how many cybercriminals are out there, if your e-mail is on a leaked list, you’re a viable target anyway.

That leaves us with the question of what to do when the next embarrassing, adult-oriented hack comes. Note the “when,” not an if because there will be another one. The simple, but very likely unsatisfactory answer is to just own up to whatever may be found about your sex life and figure out how to deal with it if it’s something you’ve tried to keep under wraps but can’t. We can’t hide our preferences in the closet anymore because social media is everywhere and everybody has been using dating sites, mainstream or adult, leaving a lot of digital fingerprints. Maybe the new trend of opening up about sex in casual conversation is actually a good thing here. I’m certainly not talking about adding a favorite sexual position to your Facebook profile’s likes section, or an album of you with your favorite sex toys to Instagram, but more about not shying from any adult topics of interest to you. Because after all, why should you? You’re an adult, adults have needs, and they more often than not have the money, mobility, and chances to get them fulfilled.

In short, you are likeliest to have a leak blow over when people who know you see the hackers as leering perverts and bullies, not you as a hypocrite on a crusade against the immorality of a crumbling society, which is actually tamer than it’s been in over a century. If we learn anything from the shameful outings of pious moralists and user profile leaks from hookup sites, it should be that not being able to talk about your sex life like an adult or have clear and constant lines of communication with your partners is what creates truly awful problems, and if you don’t own up to your wants and needs and use the web, a hacker will do it for you at some point. And it may sound paradoxical, but it seems that instead of helping anonymity and leading double lives as some really hoped, the web, thanks to the rise of social media, is actually forcing our public personalities to match our private ones. It’s going to be a long transition, but one that seems to be pretty much inevitable because its driver is unprecedented and isn’t going to go away…

surveillance camera array

I am somewhat surprised by recent revelations about exactly how much we’re being watched on the internet by the NSA, though the bigger surprise for me is that they couldn’t get data from Twitter. Considering that the agency is building an immense data center in Utah and works with tech companies on a regular basis, is it really that astonishing that it is browsing through our communications metadata on a regular basis? We all suspected this was the case, so if anything the current furor is almost a required reaction of anger and hurt at finding out that what we always thought was happening, and didn’t really want to be happening, actually is. The question is what to do now, in the PRISM-aware world. Citizens know they’re being caught up in the dragnet when they’re just going about their day, foreign companies are afraid of the NSA spying on them via the advanced cloud technology the United States sells across the globe, and China can sit back and laugh off American reports of its hacking and spying on the web as hypocrisy.

Another fun fact is that Americans are actually split on how they feel about the NSA’s snooping, and a majority of 56% says that privacy is an acceptable casualty in trying to catch terrorists. It might also be telling that the split hasn’t changed much since 2006 and that it breaks down by a distinct partisan preference, with liberals and conservatives flip-flopping on the issue when the other party was in the White House. So while the press is incensed and investigative reporters are falling all over themselves to talk about PRISM, the American people are shrugging it off by party affiliation. I would expect everyone to carry on as normal because if Facebook and Google didn’t have a mass exodus of accounts, it’s very unlikely they will. Plus, the NSA isn’t reading all the e-mail in your inbox. It just has a record of you e-mailing someone at a given time, and if you are in the United States, your phone number and e-mail should be crossed out in their system, until of course a secret court order grants an analyst access to request the whole e-mail.

Even the slowdown in purchases of American high tech gear is likely to be temporary because much of what we’re hearing from many other countries is an almost mandatory response to the revelations about PRISM. In reality, many of the countries buying these tech products have very extensive spy networks of their own and engage in cyber-espionage on a daily basis. It’s the pot calling the kettle black, and it’s likely that the rumors of tech companies giving the NSA back door access into their servers are just not true. There are a number of ways to supply data to the NSA and a number of ways the NSA could’ve gotten the data itself. I’m not going to speculate how in this post because a) I don’t know the agency’s exact capabilities, b) there are people from both defense contractors and military agencies reading this blog who I’d just annoy with speculating, and c) most of them are probably much worse than having the companies just play ball when a court order comes down and an incredibly powerful agency is knocking on their door.

Now, none of this means this isn’t a big deal. But what it does signal is that the country which is dominating the world in the tech field and serves as the key node in the global communications grid has been crying wolf about cyberwarfare and espionage while actively waging it. We were starting to be sure of this when Stuxnet was discovered, we suspected it even more strongly when all of its ingenious siblings like Flame and Duqu floated into the spotlight, we had a good idea that the United States was publicly holding back when reports of its potential in cyberwarfare drills with allied nations started surfacing, and with PRISM, we now know it for a fact. On the one hand, it’s bad news because your privacy is now not only being compromised by bad security or very lax internal policies of web giants, but by the government as well. On the other, we know that we’re hardly defenseless in the cyber realm and will fight and spy right back. Make of these facts what you will. It’s not like we can put this genie back in its virtual bottle anyway…

bad idea

Recently, computers at two power plants were found to have been infected by three viruses that came from compromised USB drives, all three easily detectable by up to date anti-virus software, and both infections easily preventable if the plant operators had followed the simplest cybersecurity procedures. If our infrastructure were ever to be the victim of a powerful cyberattack, the exploits’ success wouldn’t be so much a testament to the skills of the hackers as an indictment of the shoddy practices of those who simply don’t understand how to secure critical systems and don’t care to learn. Very few attacks we see out in the wild are truly brand new and very sophisticated like Stuxnet, Duqu, Flame, Gauss, and Red October. Most target unpatched, poorly secured systems with easily exploitable administrator accounts or out of date servers and database engines, attacks on which have been all but automated by simple scripts. If you’re wondering how Anonymous can topple site after site during an op, now you know.

For example, take the pillaging of Stratfor. How did Anons get into their system? By using easily crackable default passwords and reading databases that were never encrypted. What about the huge data leak from Sony in which hundreds of thousands of accounts were compromised? An unpatched server provided a back door. Periodic leaks of credit card numbers from point of sale systems you find at local bars and restaurants? Out of date operating systems exposing admin accounts to external systems, as is typical industry practice. The ability to get into AT&T users’ accounts just by typing the right URL? Total absence of authorization checks on the company’s sites, checks that should’ve been tested before the sites ever went live. I think you get the point. Keep up with the virus definitions, patches, and updates, test your software, don’t let external systems run as administrators on your network, and don’t stick random USB drives into mission critical computers. If you don’t follow these elementary practices, you, quite frankly, are begging to be infected and hacked, and considering that we basically live on the web today, that’s just reckless.


When a Bond movie comes out, you pretty much have to go see it. I mean come on, it’s a Bond movie, right? In the latest installment, 007 is taking on a computer hacker of sorts and shows us just how little research screenwriters tend to do about technology. While Bond’s brash and bold style of field work is somewhat passable with a little suspension of disbelief from the audience in the grand scheme of things — do we really need to go into detail why not staying low and using some very carefully crafted aliases and passports is a bad idea in spy craft? — the key crimes of the film’s villain, Agent Silva, sound as if the writer skimmed a few Wikipedia pages, pulled out a few impressive sounding buzzwords, and randomly jammed them into the film. And the resulting mix of buzzword salad and technobabble drew me out of the story like an icy slap to the face.

Look, I know, I know, it’s just a movie and a Bond movie at that, and so I’m willing to believe that an agent who needs to shovel painkillers and pour scotch down his gullet to function could still beat the living crap out of an international assassin on a very high level floor of a new Shanghai skyscraper. I’m also willing to give Bond the 600 foot fall that should’ve shattered his body into a million pieces. But when M is telling her assistant to “strip the headers” to pinpoint the source of a hack, my inner professional geek rebels, mostly because the headers are exactly where the data she’d want can be found: the IP header carries the source address of every packet, and the application headers on top of it carry whatever else the attacker let slip. She basically asked one of the top intelligence agencies in the world to do the equivalent of taking a letter out of its addressed envelope, throwing that envelope away, and using the letter to figure out where the envelope came from. Ugh.
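To make the envelope analogy concrete, here is a small example I added to this post (it is mine, not anything from the film or a real MI6 tool) that builds a minimal IPv4 packet around a constructed HTTP request and then reads the source and destination addresses back out of the header. The addresses and the request payload are made up; “stripping” the header, as M asks, is modeled by handing the parser the bare payload, at which point there is no source address left to find:

```python
import socket
import struct

# The fixed 20-byte IPv4 header without options, network byte order:
# ver/ihl, tos, total length, id, flags/fragment, ttl, protocol, checksum, src, dst
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over the header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src, dst, payload, proto=6):
    """Wrap a payload in a minimal IPv4 header (proto 6 = TCP) with a valid checksum."""
    header = IPV4_HEADER.pack(
        0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + payload


def parse_ipv4_packet(packet):
    """Return the addresses carried in the header, or raise if there is no header to read."""
    if len(packet) < 20:
        raise ValueError("too short to carry an IPv4 header")
    ver_ihl, _tos, total_len, _id, _flags, ttl, proto, _csum, src, dst = IPV4_HEADER.unpack(packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included, if any)
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
        "payload": packet[ihl:total_len],
    }


if __name__ == "__main__":
    # Constructed sample: a made-up attacker address, a made-up target, a fake HTTP request.
    request = b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
    packet = build_ipv4_packet("203.0.113.7", "198.51.100.20", request)
    info = parse_ipv4_packet(packet)
    print("source of the request:", info["src"], "->", info["dst"])
    try:
        parse_ipv4_packet(info["payload"])  # the "stripped" version: headers thrown away
    except ValueError as err:
        print("after stripping the headers:", err)
```

The point is in the last few lines: the origin of the traffic lives in the header, so throwing the header away is the one thing you would never do when trying to trace it.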

And when the tech jargon isn’t just plain wrong, it’s meaningless. When Bond is told that a hard drive containing the name of every NATO agent embedded in terrorist groups is “encrypted with an asymmetric encryption,” we’re supposed to get the idea that it’s really tough to crack because the encryption is asymmetric. But asymmetric ciphers like RSA aren’t what anyone uses to encrypt a whole drive; they’re slow and are used to protect keys and sign things. Bulk classified data is generally encrypted with a symmetric block cipher, these days AES, which was picked in a public competition that ran from 1997 to 2000 and standardized in 2001, and a block cipher’s strength is described by its key size: 128, 192, or 256 bits for AES. The bigger the key, the harder the brute force. So if MI6 wanted to explain to Bond how dire the situation is while still sounding computer literate, they would fret that Silva had somehow recovered a 256-bit AES key, or factored the 2,048-bit RSA key protecting it. Nobody has ever been shown to do either, so it would mean that Silva can summon resources beyond any known intelligence agency, and it’s well in line with some very basic information security jargon you can see on most tech blogs.

Finally we have an egregious scene in which Q tries to decrypt Silva’s hard drive contents. If we were to believe Q, only six people in the world could write polymorphic code, and using code obfuscators makes things ridiculously difficult to decrypt. There are exactly two problems with all that. One: polymorphic code in malware is so common that anti-virus engines have handled it since the 1990s by running the sample’s decoder in an emulator and scanning whatever it unpacks, a technique that has been described in print for decades. Two: obfuscated code is generally deobfuscated quickly, because an obfuscator can only rearrange what the machine still has to execute, and for most popular obfuscators a deobfuscator already exists. Encryption and obfuscation aren’t even the same thing, and neither is defeated by staring at a screen. By the time a plain text password appeared in what was otherwise a wall of hex, which is what you would see if you dumped a suspicious binary, so blatantly obviously that even the computer illiterate Bond noticed it, I was slumped in my seat, sobbing softly into my sleeve. What in the hell was that?
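Since the polymorphism point is the one most worth spelling out, here is a toy I added for this post (my own code, not anything from the film or any real anti-virus product) that shows why it doesn’t impress scanners. The “malware” is a constructed byte string, the packer is a one-byte XOR with a fresh key per copy, so every copy has different bytes on disk, and the detection side does what engines have done for a long time: instead of matching the on-disk bytes, it runs the decoder logic and matches the result.

```python
import os

# Constructed stand-in for a malicious body and the signature a scanner has for it.
PAYLOAD = b"cmd.exe /c evil"
SIGNATURE = b"evil"


def make_variant(payload, key=None):
    """'Polymorphic' packer: pick a fresh one-byte XOR key and encode the body under it.

    Every variant differs byte-for-byte, but the decoder logic is always the same:
    first byte is the key, the rest is body XOR key."""
    key = os.urandom(1)[0] if key is None else key
    return bytes([key]) + bytes(b ^ key for b in payload)


def static_signature_match(sample, signature=SIGNATURE):
    """Naive static scanning: look for the signature in the bytes as they sit on disk."""
    return signature in sample


def emulate_and_match(sample, signature=SIGNATURE):
    """What engines do instead: execute the decoder stub (here, just the XOR loop)
    in a sandbox and scan what it produces. The key being different each time is irrelevant."""
    key, body = sample[0], sample[1:]
    decoded = bytes(b ^ key for b in body)
    return signature in decoded


def main():
    a, b = make_variant(PAYLOAD, 0x5A), make_variant(PAYLOAD, 0x3C)
    print("variants differ on disk:", a != b)
    print("static signature match:", static_signature_match(a), static_signature_match(b))
    print("emulated match:", emulate_and_match(a), emulate_and_match(b))


if __name__ == "__main__":
    main()
```

Real packers use far more elaborate decoders than a single XOR, and real engines use full CPU emulators and generic unpacking rather than a hard-coded decoder, but the shape of the game is the same: changing the wrapper doesn’t change what has to come out of it.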

Again, I know it’s just a movie, but at the same time, just consider that a few days of rudimentary research could’ve created a much better picture of real cyber threats facing world governments and might have even given the writers new plots for Bond movies. Silva mentioned destabilizing entire countries by manipulating stock markets. You could totally do that! I could even explain a hypothetical step by step process of how to make that happen with a mix of social engineering, high frequency trading algorithms, and customized hacking tools while you hobnob with the elite traders of the world’s foremost financial hubs. (Screenwriters in search of new ideas, you know how to reach me, just click the About page…) And that’s certainly a worthy task for Bond to dive into, isn’t it? Think of how much press a properly researched and computer literate movie about hacking and espionage could generate. Seriously Hollywood, stop being lazy about technology and do your homework. You’ll get fun plots and save the geeks in the audience a lot of angst…

So we’ve already seen how some of the more vocal pronouncements about cyber warfare were overhyped by those who think that hackers are nearly omnipotent, and thankfully, more and more skeptics with a good idea of how computers actually work have been published in major publications. One of the promoters of the idea of cyber warfare used for asymmetrical military engagement, Foreign Policy, now has two dueling posts on the subject, one of which puts current examples of cyber war in proper context, and one which tries to spin every act of digital malfeasance as an act of war. Obviously, you know where I stand on the issue and can probably guess that I find few faults with the skeptical column. It does underplay intelligence collection on the web and recurring problems with phishing and whaling for classified information, something which does have a very real impact on military affairs and planning, but otherwise, it’s very well done and researched. And by contrast, its doppelganger seems to mix digital spies, activist DDoS attacks, and what seems to be actual military operations using a computer virus into one huge and scary melting pot of digital gloom and doom.

robot vs. fish

We can’t assume that every major DDoS attack is being executed as an act of war because it’s not. For a long time, these attacks were used to hold certain sites for ransom and occasionally, what looks like an attack is a programming error which triggers internal applications to send way too much data over the wire. Over the last year, it’s also become a form of protest, a means to voice one’s displeasure with the powers that be and do at least something to demonstrate that they’re not invulnerable. So yes, some DDoS attacks could be political in nature, but they’re hardly effective weapons. Take a look at the reality behind the case of the attack on Estonia which was compared to a military blockade of government institutions by the nation’s prime minister…

The well-wired country found itself at the receiving end of a massive distributed denial-of-service attack that emanated from up to 85,000 hijacked computers and lasted three weeks. The attacks reached a peak on May 9th, when 58 Estonian websites were attacked [simultaneously] and the online services of Estonia’s largest bank were taken down… It was a nuisance and an emotional strike on the country, but the bank’s network was not even penetrated; it went down for 90 minutes one day and two hours the next.

Would you really claim that an attack that made one major bank’s online dashboard unavailable for three and a half hours over two days was a successful military operation? A similar DDoS attack on Twitter credited to a group of Russian hackers who wanted to silence a Georgian blogger also used to get a lot of traction when a cyber warfare drum needed to be beaten, but the outage lasted just a few hours and did nothing to silence or dissuade the blogger being targeted. Take a look at a much more serious incident, when hackers working for a Chinese government project were snooping through Google’s servers for political dissidents’ e-mail. This was a careful, expert attack for political purposes, but it was an internal matter rather than an attempt to attack the company or the nation which that company called home. So far, the only real successful example of a well executed act of cyber warfare was the Stuxnet worm. It was written by experts, targeted one specific system to sabotage another nation’s nuclear program, and seems to have achieved its intended goal. The supposed work of a Russian hacker squad applying their own version of Stuxnet to an Illinois water utility actually turned out to be nothing more than a manufacturer’s employee trying to update the SCADA software while traveling in Russia, but it was assumed to be a sinister attack until shown otherwise, thanks to the heated rhetoric about cyber war.

As said in the previous post on the subject, cyber warfare is nowhere near as effective or simple as we’re told again and again by the media, politicians, and self-proclaimed security experts who spread gloom and doom so they can sell their services after driving demand for them upwards. Counting every DDoS attack and every questionable use of a computer as a precursor to cyber warfare diverts our focus from securing what’s really, truly important to secure. It misleads those in charge into thinking that every computer virus should be treated as seriously as an active nuclear warhead ready to go off with no warning, rather than prioritizing their assets and developing cost and time-effective measures to avoid easily discoverable and exploitable flaws in the key nodes of their networks. No system will ever be unhackable or invulnerable, but it can be greatly reinforced in the most important points and surrounded by honeynets and firewalls that filter incoming traffic through tools which weigh the probability that a given request is malicious. To do that, we need to be sober about the threats we face rather than chasing down every DDoS protest or rumor of a Stuxnet 2.0 co-opted by vicious hackers working for a special ops team with wild abandon while thinking it makes us safer.

[ illustration by Andre Kutscherauer ]

Last time we talked about somewhat improbable traffic violations, I wondered if you could get a traffic ticket for teleporting your way around a traffic jam and then argue your way out of it. But there is another possible use for technology in getting out of legal trouble if it works, or landing yourself in serious hot water if it doesn’t. And even more interestingly, it doesn’t require any sort of futuristic machinery to pull off. All you need is to know the basics of an SQL command, and you might just beat those automatic speed cameras without having to resort to rocket cars. And while you might not be able to stop them from taking a picture of your speeding, how could the camera’s operators send you a ticket if they can’t find an entry for your violation? That’s the thought behind a concept known as the SQL injection plate, a license plate carrying an SQL fragment that tells the computer recording your offense to erase the record it just made, if not delete its database tables entirely, or the database itself.

Would this little trick work? Well, it sounds better on paper than in reality. The injected text only does any damage if the operator’s software pastes the OCR output straight into an SQL statement, and even then, deleting your record or dropping a table needs the right table name, which you’d have to guess. Plus, since these hacks aren’t exactly unknown, a programmer can shut the door by never building queries out of plate text in the first place, handing the plate to the database as a parameter rather than as part of the command, and by rejecting anything the OCR reads that doesn’t look like a plate. Or more probably, the mangled read gets forwarded to a police department which might not take this lightly and very sternly warn you not to do this sort of thing again in the form of a citation or a rather strongly worded letter. But of course this is assuming that the camera’s operators are even using some sort of OCR system. Depending on the quality of the pictures taken by their cameras, it may be far cheaper and more efficient to leave this work to people who could have a laugh and attach the snapshot to the ticket to be sent in the mail. Again, neat idea, but the execution is a lot tougher than an aspiring traffic camera hacker might want it to be.
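To show both halves of that, here is an example I added to this post (my own code, not from any real camera vendor) using Python’s built-in sqlite3 as a stand-in for the operator’s violation database. The table name, the plate format (two letters, a space, four digits) and the plate strings are all constructed for the example. The vulnerable path pastes the “plate” into the SQL text and runs it with executescript, because sqlite3’s plain execute refuses stacked statements while many production drivers and stored procedures do not; the fixed path binds the plate as a parameter and, as defense in depth, refuses anything that isn’t shaped like a plate:

```python
import re
import sqlite3

# Constructed plates. The malicious one closes the INSERT, appends a DELETE, and comments out the rest.
HONEST_PLATE = "AB 1234"
MALICIOUS_PLATE = "ZZ 0666', 0); DELETE FROM violations; --"

# Hypothetical plate format used by this example; a real deployment would use its jurisdiction's rules.
PLATE_FORMAT = re.compile(r"[A-Z]{2} \d{4}")


def setup_db():
    """Fresh in-memory violations table with one prior record already in it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE violations (id INTEGER PRIMARY KEY, plate TEXT, speed_kph INTEGER)"
    )
    conn.execute("INSERT INTO violations (plate, speed_kph) VALUES ('CD 5678', 97)")
    conn.commit()
    return conn


def record_vulnerable(conn, plate, speed):
    """The broken way: the OCR output becomes part of the SQL statement itself.

    executescript() models a driver that runs several statements in one call;
    with it, the attacker's DELETE executes right after the INSERT."""
    sql = "INSERT INTO violations (plate, speed_kph) VALUES ('%s', %d)" % (plate, speed)
    conn.executescript(sql)


def record_parameterized(conn, plate, speed):
    """The fix: the plate is bound as data, so whatever it contains is stored, never executed."""
    conn.execute(
        "INSERT INTO violations (plate, speed_kph) VALUES (?, ?)", (plate, speed)
    )
    conn.commit()


def is_valid_plate(plate):
    """Second line of defense: only text shaped like a plate is ever sent to the database."""
    return PLATE_FORMAT.fullmatch(plate) is not None


def violation_count(conn):
    return conn.execute("SELECT COUNT(*) FROM violations").fetchone()[0]


def stored_plates(conn):
    return [row[0] for row in conn.execute("SELECT plate FROM violations ORDER BY id")]


if __name__ == "__main__":
    conn = setup_db()
    record_vulnerable(conn, MALICIOUS_PLATE, 120)
    print("vulnerable path, rows left:", violation_count(conn))  # the whole table is gone

    conn = setup_db()
    record_parameterized(conn, MALICIOUS_PLATE, 120)
    print("parameterized path, rows left:", violation_count(conn))  # prior row plus the payload, as text
    print("stored verbatim:", stored_plates(conn))
    print("passes plate check?", is_valid_plate(MALICIOUS_PLATE), is_valid_plate(HONEST_PLATE))
```

Note that the payload only works because it happens to know the table is called violations and has two columns; guess either wrong and the vulnerable path throws an error instead of wiping anything, which is the other reason the plate is a better story than a technique.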

So what can you do if you can’t trick the speed camera into giving you a free pass? Annoyingly enough, it’s not very hard to use the impartial lens and its often less than caring operators as a means for a scam. Just a tad over a year ago, teens in Maryland supposedly printed fake license plates and then intentionally sped through intersections monitored by speed cameras, and by using the numbers of teachers or other students, they saddled those they didn’t like with traffic tickets requiring at least some time and effort to sort out. Though a few of their victims probably paid the fines because they thought they had no chance to dispute their wrongful punishment, I would be surprised if quite a few of these tickets didn’t get dismissed if those pranked drove a different car and could easily prove it in traffic court. The extent of the prank is hard to pin down because many of the story’s details come from an unnamed parent who stated that he was extremely opposed to the use of speed cameras in general, hence the use of the qualifier supposedly instead of using the story as a fact.

But then again, the mechanics of this prank seem perfectly plausible when we consider that speed cameras don’t necessarily snap the greatest quality pictures, meaning that a well printed fake license plate glued over its perfectly valid counterpart would be very hard to notice, even on a decent image. So the next time you find a ticket in the mail claiming that a camera caught you running a red light or speeding, take a close look at the image and make sure it really does present a strong case. If you see another car racing past you in the shot, or something looks amiss, take it to court. Machines make mistakes, and they do it all too often, since fallible and error-prone humans are usually the ones calibrating them…