November 6, 2009
Google have launched ‘Dashboard‘ to address privacy concerns. It lets you see the data Google holds on you. The idea is you can then manage your data and more importantly that which Google holds.
I’m not a huge user of Google services other than the web search, and I try not to be logged in when using that. But I do use Gmail for one off registrations and so on, and I have tried out a number of their services out of curiosity.
So it was interesting to log in and visit my dashboard. I saw:
- long forgotten docs,
- emails (including spam),
- a couple of calendar appointments from three years ago,
- old web searches (I used to work for an agency that dealt with people worried about kids viewing porn so there some interesting ‘research’ searches there)
- chat histories
- tasks
- gadgets I created
- contacts and more
It was quite an education but once the dust settled not particularly surprising and probably not that useful to a malicious user.
But it did strike me that if I were a more dedicated member of the Google fan club then Dashboard would hold a hell of a lot of quite sensitive information, made more so by the fact that it is displayed on one a single web page.
Building a full identity on someone might be quite a laborious task, but it’s just been made a damn sight easier, so long as you have a person’s Google account credentials. And as we know these are two-a-penny if you know where to look.
Lazy identity thieves have just got an early Christmas present.
Overall I think it’s a good move by Google and a great way to educate users on just how much of their information is out there. But if there has ever been a good reason to immediately change your Google password to a really strong one, often, then this is it.
Google Dashboard - you is here
Posted in All Posts | Tagged google, identity theft, Gmail, dashboard, identity thieves, personal information | Leave a Comment »
November 4, 2009
So the Social Development Ministry is blocking any emails with the word ‘teen’ from getting through.
From the point of view of a mail administrator it might seem reasonable to block the word ‘teen’. After all it is commonly associated with pornography. In fact I bet the views for this post will be the highest I’ve seen for a while simply because it contains the words ‘teen’ and ‘pornography’ together on the same page.
Of course blocking the word teen from the in-boxes of a government organisation which oversees the welfare of young people is ridiculous and shows that little or no risk assessment was applied. Yes the odd bit of spam might get through if the word is whitelisted, but surely even government employees are capable of exercising a little judgment and deleting any offending emails. Isn’t that better than potentially serious email being blocked?
Imagine if banks started blocking ‘mortgage’ or ‘withdrawal’. Or health care providers blocked ‘pill’ or ‘medication’.
This is a clear cut case of applying the wrong controls, technology rather than people.
Posted in All Posts | Tagged security, spam, teen, social development, ministry, pornography | Leave a Comment »
October 16, 2009
Participants at the SecTor security conference had their traffic sniffed in a kind of ‘Wall of Sheep’ stunt according to this article in the Register.
So the organisers have shown up some attendees to be security noobs or worse still completely ignorant, or have they?
Apparently users of the conference wireless network were informed that the network was being sniffed, but only by announcements between talks, which is probably when people were chatting or had their snouts in the buffet.
There was no notification given upon connection, and users were required to get a shared key from one of the conference booths so they could log on to the WPA protected network. Finally, the SSID was ‘Sector2009Secured’. Of course it may as well have been ‘ThisIsCompletelySafe’ because it makes no difference what the network is called.
So all the indications were that the network was not being monitored/sniffed/hacked/exploited or whatever else perpetrators of such stunts may call it.
Now sure, security bods should know better than to completely trust a wireless network (even though this particular network was sniffed once the traffic was on the wire and not in the airwaves). And some are quite rightly pissed off now that they know what the conference organisers were up to. But to expose those who still used the network as ’sheep’ is a bit premature.
Remarkably, one of those to have his credentials exposed was actually the conference organiser Brian Bourne of Black Arts Illuminated. His Twitter credentials were sniffed and here is the point. Participating in Web 2.0 comes with some inherent risks. Your personal info, your opinions, your very thoughts can all be exposed and your reputation put on the line. Most tech savvy people are aware of this, but they accept the risks because they are outweighed by the benefits.
So sure, the bods at the conference should have known the wireless network came with no guarantees of security, but maybe they did, and they used it anyway. Yes, those whose credit card details were sniffed should have known better, but those whose Tweets or email addresses got out were just getting on with it. They were ‘fooled’ by the confidence tricksters who were running the network. All this dirty little exercise proves is that even amongst security professionals the simplest attack vector is still through the user rather than the technology.
Posted in All Posts | Tagged Black Arts Illuminated, Brian Bourne, conference, SecTor, wall of sheep, wireless | Leave a Comment »
October 12, 2009
Shouldn’t Rob Fyfe be just as concerned that when his email finally works again it leaks like a sieve?
Yes ok it’s inexcusable that IBM left our national carrier without IT services for two hours or so. And I’m sure that somewhere along the line human fallibility is at fault. But if I worked in IT or HR at AirNZ I’d be trying to track down how the email got out.
Or maybe it was IBM that leaked that too? Disgruntled employee perhaps? You’d have to be either brave or stupid to be taking risks like that in this economic climate.
Posted in All Posts | Tagged air new zealand, email, IBM, leak, rob fyfe | Leave a Comment »
October 12, 2009
So the most common password in the now infamous 10,000 was 123456 followed closely by 123456789 (Kudos to Acunetix for the statistical analysis.)
The analyst, Bogdin Calin says in his post that:
a big majority of users still use very poor passwords
and a number of reporters have echoed this assertion, take Computerworld for example:
1234567 may not be a very secure password, but it’s popular on Hotmail
But hold on. Hotmail, Gmail etc have said that the breach was due to phishing, not hacking and so far I haven’t seen anyone saying anything to the contrary.
So really all we know is that people who are likely to fall for a phishing attack are also likely to have weak passwords. But even then there will be exceptions, like the person whose password was lafaroleratropezoooooooooooooo.
Hardly headline stuff.
Stop the Presses
Looks like there is a debate going on. Perhaps it was keylogging that got the passwords. This seems more credible.
Posted in All Posts | Leave a Comment »
September 24, 2009
Yesterday clicking on a Google search result landed me on a compromised website. I’m usually fairly careful about following links from search results but this one looked okay. There were no meaningless phrases in the Google summary and the domain looked reasonable enough.
It became fairly obvious however that I had been duped when the site I went to quickly changed to one of those fake malware scanner websites. The browser page changed to look like a folder window displaying my various drives (which of course weren’t mine at all) and a message box appeared saying my computer was ’stongly’ [sic] infected.
Oh no! I've been STONGLY infected!!!
Not wanting to click anywhere on the box I decided to ctrl-alt-delete my way out of the predicament. This worked fine except that when I restarted Firefox the page appeared again straight away. At first I thought Firefox had been hijacked. Then I realised it was actually a feature.
Firefox helpfully restores browser windows to what you were looking at when there is a crash, which under normal circumstances (I consider crashes normal) is fine. However this time the message box blocked access to Firefox so there was no way to get into it and tell it not to restore the page on startup. Alt-F4 and Ctrl-w were also blocked.
The solution was fairly simple and came to me quickly (which isn’t always the case. The other day I fiddled around trying to get internet access through my Linux box for 30 minutes before simply restarting the router). I started firefox from a command line and used the <url> option to tell it to go straight to Google.
For anyone not familiar with command lines here was the process:
- Make sure Firefox is closed
- Click Start then Run and enter the letters cmd in the little window. This will start a shell (the black window with white text that looks like computers used to look like)
- Navigate to the Mozilla Firefox folder by typing cd program files\mozilla firefox\ (this should work on most Windows computers unless you’ve got Firefox installed somewhere else)
- Type firefox.exe “www.google.com” (you can substitute Google for any website you wish)
- Firefox should open at the site you chose.
Now I know there will be other ways to do this but I’ve posted this more in the hope that it might help some frustrated soul who switched to Firefox because it was supposed to be safer…
Of course if they do find this then they are either on a different computer or using a different browser – which might become their new browser of choice – because people are fickle like that.
Note to Firefox developers – perhaps Firefox should ask if the user wants a session restored following a crash, by default upon restarting.
Posted in All Posts | Tagged command, crash, default, firefox, hijack, infect, mozilla, scareware | Leave a Comment »
August 31, 2009
Today I received yet another 419 scam in my inbox. To be fair I don’t get very much spam at all considering I’ve had my Hotmail account for well over a decade and in the early days wasn’t too worried about using ‘one time’ email accounts to sign up for web services. I like to think that maybe it’s just really well tuned now – but could be wrong.
Anyway this one was a truly pathetic attempt. Take a look at the screenshot. Come on Miss Pamela am I not even worth the effort?
Perhaps though this is a reflection of web users getting stupider? Maybe the scammers don’t have to try so hard anymore. Or maybe they’ve got so many spam bots under their control they can be this lazy and still get results.
Something smells fishy at the Wing lung bank and it’s not the staff canteen.
To be fair of course the Wing Lung Bank have nothing to do with this and in fact have a very good security education resource on their site (if you can get over the porn music in the background…) Check it out below:
http://www.winglungbank.com/download/hkma_game/XxCoElbHkmaGame.html
Posted in All Posts | Leave a Comment »
August 10, 2009
So the Twitter outage that had tens of New Yorkers wandering the internet for cupcakes was all about a DDOS attack on a Georgian blogger (tweeter).
DOS attacks are among the least sophisticated and easiest to perform hacks. Anyone can rent a botnet and order it to target a website. This perhaps shows that the attack was not the doing of some Russian mastermind high up in the Politburo.
What is more ironic however is that Cyxymu will now go down in the annals of internet history instead of remaining an obscure tweet stream from the eastern bloc.
I for one had never heard of Cyxymu but now I’ll be going to have a look.
So if anyone really cares about finding the culprits, I’d start looking for some pubescent tractor driving marxist rather than Medvedev and his cronies.
And I’d start looking in a gulag.
Posted in All Posts | Leave a Comment »
August 5, 2009
New entrant to the New Zealand Mobile phone market 2Degrees has exposed customers personal information with some sloppy web site coding.
Customers at the site were shown the personal details of previous customers part way through the purchasing process.
In a pathetic effort to excuse this disdain for customers privacy 2Degrees blamed high traffic for the error. This was not a traffic problem, it was a policy problem.
Then the lies continue:
“Above all else 2degrees values the privacy of our customers.”
This statement is clearly rubbish. If it were true then the proper checks would have been in place to protect customers privacy.
If you need any more proof that 2Degrees does NOT have the best interests of the public at heart, then read this story which outlines the fight a Manukau City community is having with the company. 2Dgrees wants to erect cell towers next to early childhood centres, schools, and outside peoples homes despite the jury being out on the possible damage this could cause to young children.
Of course you can always show your support to the company by signing up for their facebook app which will potentially share your personal details with millions of others…
Shame on you 2Degrees, ‘values the privacy of our customers’ indeed.
Posted in 1 | Tagged 2degrees, cell, children, Facebook, privacy, radiation, safety, school, tower, web | Leave a Comment »
