CompuBlab

If it's computer related, we'll blab about it!

Category: Computer Security

SOPA and PIPA – The Battle is Far From Over

Greetings all!

It is hard to believe how much time has passed since I last posted on the blog. A string of illnesses in our family had us all gasping for air (and antibiotics) for quite a while. Fortunately, we are all back on our feet and up and at’em once more!

During that brief hiatus, two not-so-little bills made their way through the US Senate and the US House of Representatives. You may have heard about them. One was called SOPA (Stop Online Piracy Act) while the other was called PIPA (Protect Intellectual Property Act). Both laws were, on the surface, designed to help law enforcement officials combat piracy of digital products overseas. The problem with these laws was that they were so broad, they could (and would) have been used (more like “abused”) to disrupt sites acting legally within the United States.

There is a lot that can be said about these two laws, but I found the best introduction to the issue was given by the talented folks over at the Khan Academy. I am including that roughly 11 minute video in this post for your viewing pleasure.

The only point I want to make here and now is that as you watch the video, keep in mind that the SOPA/PIPA issue is anything but over. Lawmakers were surprised at the amount of backlash that was generated from those laws and now they will regroup before trying to put such legislation through the system a second time. Since this topic *will* come up again, it behooves you, a consumer of digital and online products, to understand at least in general what the big flap was all about.

Yes, laws to combat the theft of intellectual property are needed, but we must as consumers make certain that the laws that are crafted make sense, and do not go beyond the mark of what they are supposed to do.

Give the video a look, and draw your own conclusions.

Why Your Personal Information Is Not Safe

Of all the technology mis-information that is dispersed to the common public, the one that gets my blood burning faster than just about anything else is when some company representative insists that “your data is safe with us.”

Look folks, here’s the deal. Your data is just not all that safe. Not your personal information that could be used to steal your identity, nor your banking information, nor any other information you provide to anyone else online. If you doubt this at all, just look at the news over the last six to twelve months at all of the high-profile data thefts that have occurred. From banks to online gaming systems, your data is vulnerable and the bad guys want it.

And today we have a story in the news that shows you just WHY all of the fancy data protection measures that corporate executives and marketing VPs just LOVE to tout don’t add up to a hill of beans. You see, that protection often times is geared at preventing individuals outside the security system from accessing your data. That is a very good thing. But what about all of the people INSIDE the company security system (i.e. the employees and/or contractors)? How well have they been screened? What if one of them decides to embark on a life of crime? What then?

Well, that’s EXACTLY what happened at the New Jersey Department of Motor Vehicles (DMV).

It seems that two enterprising employees of the New Jersey DMV decided to start selling people’s personal information to identity thieves. That is, names, birth dates, and social security numbers were sold for in some cases the rather paltry sum of $200. All the protections that the New Jersey DMV had in place were for naught because the people who stole the information were required to have access to that data as part of the normal course of their jobs (see the article referenced here).

Data security involves more than just encrypting people’s data and using passwords to control access, something that company executives are getting an education in right now, according to news reports.

As a side note, yes I do use online banking and what not…it is very difficult to avoid these days. However, there are smart ways to use such services, and also not-so-smart ways. Perhaps in the coming days I’ll provide some additional information on this point.

For Secure Computing, the US Dept of Defense Promotes a Bootable Linux O/S

I have to say, this was an idea I had thought about years ago. If you want to be free of viruses and trojan horses and other malicious software while surfing the internet, the BEST way to go about it is to boot your operating system from a non-writable CD-ROM disk. The US Department of Defense so believes in this technique that they have created their own version of Linux specifically for this purpose!
(click here for the original article that inspired this post)

So technically, how does this work? Well, when you start your computer, the usual steps involved include your computer starting your operating system (like some variant of Microsoft Windows) from your hard disk. Once that is started, you are free to go about your computing business. But malicious software that makes its way onto your computer wants to be run every time you turn on your computer. So how does it do this? It modifies the startup files of your operating system on your hard disk so that the malicious software becomes active every time you turn on your computer.

Well, the folks from the Department of Defense are suggesting that instead of booting your computer from a hard drive, you insert something called a “live CD”, which is an operating system (perhaps like Windows) that starts up from a CD-ROM disc (or DVD), rather than the hard drive. The key here is that the disc used to start the operating system is NOT WRITABLE. Since CD-ROM and DVD-ROM discs cannot be written to after they have been created (assuming here that you have correctly created the CD-ROM disc, closed the writing session, etc.), it becomes much more difficult for the malicious software to get “entrenched” onto your computer such that it will activate each time you start your machine.

Of course, in the world of technology there are few (if any) “absolutes”, but this method *IS* a powerful one to prevent having one’s computer from being infected by malicious software.

I don’t know if there are any “live CDs” of Windows operating systems. I don’t know because I personally don’t use Windows in that manner. However, there are many Linux “live CDs” out there in the world. Linux is a different operating system from Windows, but for simple surfing the internet and similar tasks, it is fairly easy to get running (indeed, in most cases you just insert the live CD and power up the machine).

Anyway, I just thought I would comment on this story as I felt it was worth understanding how and why booting from a CD or DVD was a good idea under the right circumstances.

Hackers Claim They Stole 1 Gigabyte of Data From NATO

This happened a few days ago, but I thought I would comment briefly on the story that hackers from the group “Anonymous” are claiming not only to have stolen about 1 gigabyte of data from NATO computer systems, but they have already released two documents that they claim came from this data incursion (click here to see the original article that inspired this post).

I wanted to include this bit of information to continue the discussion I have had for a while that most people simply do not understand the nature of computer security. I myself have been in the computer field for over 30 years, and though I am not a specialist in the area of security, I know enough to understand just how secure your online data is…and basically it just isn’t that secure.

Again I will repeat the analogy that I have used in the past that the security measures that you often hear being touted by online vendors (encryption, firewalls, and my personal favorite “the latest in security measures”) are a lot like what my mother taught me about locking the doors on our car when I was growing up. Locking your doors discourages the amateurs, the pranksters, and those perpetrators of opportunity who want to make off with your car. However, a professional car thief will indeed make off with your car if he or she wants it.

And so it is similar in the world of computer security.

There are just too many ways that data can be compromised…and that’s when you are talking about simply breaking into a computer system (guessing weak passwords, exploiting vulnerabilities in operating systems, exploiting vulnerabilities in applications, etc.). This is before you get into such areas as:

  • attacks on data that prey on people’s psychology
  • mistakes that are made by companies that accidentally expose their customers’ information
  • unscrupulous employees of companies who hold your information
  • and more

I certainly do not condone the unauthorized intrusion into computer systems. However, with such intrusions occurring so often, I sincerely hope that the general public is beginning to get a better understanding about the true state of computer security at the current time.

Florida Voter DB Hacked…AGAIN

Earlier this week I posted about a hacker who broke into the Florida voting database to demonstrate how vulnerable it was (click here for original post on hacked Florida voter database). True to form, Florida officials downplayed the entire incident, stating that Florida elections were now more secure than ever.

Not to be dissuaded, our intrepid hacker has struck again, this time publicly posting a file directory from the voting database with the message “Glad you cleaned things up, pretty secure now guys” (click here for original article on the re-hack).

So this begs the question: Are the Florida officials incompetent or simply liars?

As bad as online security is, I think perhaps the worst aspect of the problem is that those in authority either don’t understand the problem themselves, or perhaps in their petty behind-covering mentality, refuse to acknowledge the problem.

In either event, I doubt that “the powers that be” in Florida have thanked their lucky stars that this guy or gal has only been interested in illustrating his point…not in actually causing any real damage. They seem more interested in trying not to look bad. To that end, they simply throw out that it is a felony to tamper with a voting database and if/when caught, this perpetrator will get jail time.

In my opinion, they ought to thank this hacker…but…since he offended their pride, I doubt that will ever happen. Humility and politics rarely mix.

 

Hacker Gets Into Florida Voting Database

There has been an awful lot of news lately regarding various different computer hacking organizations that have been out to make a statement about the state of computer security (or rather, the lack thereof) in the world at this time. I have commented on some of these stories before, and in at least one case I also talked about how I vehemently oppose online voting in the United States due to the fact that my experience as a computer scientist tells me that we simply do not have adequate security measures available to prevent tampering with the voting.

Well, it turns out that a hacker, wanting to illustrate the point more forcefully, has apparently hacked into the Florida voting database and made some of that information public…just to prove how insecure the system really is (see the original article here).

I am not sure that this person’s well being is going to be maximized by this intrusion should he or she be caught, but I certainly understand the desire to underscore the fact that the current state of computer security is totally insufficient to allow for online voting at this time. From my point of view, anyone telling you otherwise is just feeding you a line of malarky (don’t ask me what “malarky” is…I just know that my mom seemed to know what it was because she used it in sentences like this one all the time…).

While I cannot condone illegal activities to prove a point, I do understand this person’s frustration with the misinformation that has been spread regarding the security of online data, and their desire to illustrate the fallacy of those statements.

Anyway, give this a read and ask yourself just how safe YOU would feel if voting was moved to an online system in today’s security environment.

Non-Admin Logins

If you’ve read the news at all lately, you are no doubt aware that computer hackers and “malware” (software that does malicious things to your computer or your data) are very much on the rise. As such, I thought I would comment on a computer setup technique that is very simple to implement, yet stops a large number of malicious software programs before they even get started.

This technique involves setting up a “non-administrator” login account. This technique is especially important to users of Microsoft’s Windows XP operating system…but it applies to ANY operating system.

Whenever you access a modern operating system (such as Windows, Mac OS, Linux, etc.), you typically have to “log in” to the system using a user name and password. While some operating systems can make it look like you are bypassing this step (such as some configurations of Windows XP), the fact is that you really are NOT bypassing the log in phase. What is occurring is that the operating system is logging you in “automatically” to a specific “default” login account.

Login accounts serve many purposes, one of which is to be able to assign permissions to the user of that account. Permissions are used to limit what actions a given user is capable of performing. For example, you would NOT want just any old user of your computer to be able to format the main hard disk, causing you to lose all of the data on that drive. Some people might format the disk maliciously…others might do it accidentally. To prevent this, only highly trusted users have their login accounts granted the permission to perform such a potentially dangerous action.

The thing that is important to note here is that some operating systems (Windows XP was one of them) used to set up your log in account for you during installation…and always set up the account as an Administrator (an administrator account is one that typically is allowed to do ANYTHING on the system). When it comes to malware…running in an Administrator account is a death sentence!

You see, malicious software typically needs to install itself somehow onto your computer in such a way that it will be activated each and every time your computer is turned on. To do this, it needs access to parts of the system that non-administrator logins usually are not allowed to access. Since malware first runs under the account that is logged in at the time it first arrives on your computer, if you are logged in as an administrator, the malware has no trouble at all installing itself into the deep recesses of your computer. However, if after you set your computer up you were to create a “non-administrator” login account…and if you always used THAT account for your every day activities, then malware would have a MUCH harder time trying to install itself into the operating system.

Now, there are some really “hard-core” malware programs out there that can take advantage of flaws in your operating system or other related software and install themselves even from a non-administrator login account. However, by using this one setup technique, you eliminate a LARGE percentage of the malware floating around on the internet from being able to trouble you.

Since each operating system has its own method for setting up login accounts, I can’t give you a step-by-step description on how to do that. You will need to read the manual (always a measure of last resort!) or else get assistance from a computer savvy friend or family member that you trust.

If you already have a non-administrator account that you use on your computer for every day tasks, then good for you! If not, make it a goal this week to set up (or have set up on your behalf) a non-administrator account and then USE THAT ACCOUNT for your day-to-day activities. The headache you avoid may just be your own!

Social Networking and Birthdates

We all have heard about the dangers of identity theft. There have even been some clever commercials about it on the television. But when the “bad guys” get a hold of enough information to impersonate you to the point where they can establish credit in your name, you are in for a world of hurt. The amount of time and effort that you must spend to clean things up, not to mention the damage to your reputation and the pain of clearing your credit rating, can be enough to give you a major migraine headache.

But did you know that those who are listing their birthdates on social networking sites (or any other site for that matter) are taking a risk with their identity?

The information that an identity thief needs to steal your identity is:

  1. Your name
  2. Your Birthdate
  3. Your Social Security Number

The name is pretty much a given. It can be taken from lots of places. The social security number is something most of us by now have heard that we need to protect with great vigor. But what about your birthdate?

Well, beyond the fact that it is one of the three pieces of information that an identity thief needs to steal your identity, it was reported two years ago that it is possible to “guess” your social security number with a surprisingly high degree of accuracy given only your birthdate, the state of your birth, and publicly available data.

Research at Carnegie Mellon University in 2009 (Click here for SSN Prediction Article) showed that by using your name, birthdate, state of birth, and publicly available data, they could predict the first 5 digits of your social security number with 60% accuracy in only two tries! And with less than 1,000 attempts, 8.5 percent of people’s complete social security number could be accurately guessed.

Of course you may be saying, “so if it takes 1,000 attempts to get my SSN correct, what have I to worry about?” Well, it turns out plenty. You see, the “bad guys” can create programs to query credit card systems to apply for a credit card. They can try different combinations of name, social security number, etc. over and over again until they get the right one. Thus, needing only 1,000 tries is not that big of a deal to them.

Now also keep in mind that this research was performed TWO YEARS AGO! I have no doubt that statistical methods, as well as the data contained in online public databases, have only increased the accuracy of such predictions.

Now consider the millions of people who use social networking tools such as Facebook who proudly post personal information such as their home state, their birthdate, etc., and you begin to see the potential for abuse of this information. An additional problem with birthdates is that there are so many public databases that contain this information that the persistent “bad guy” could probably find your birthdate without much trouble. But why would you want to make it easy for them?

With regards to social networking sites, there are a growing number of people who now give false birthdates so as not to divulge that information so publicly. However, whether or not you want to make it easy on the “bad guys” by posting it on your Facebook profile is up to you. The purpose of this post is to simply make you aware of the potential danger, however slight you may feel that it is, so that you can make an informed decision.

Until next time…think before you post!

 

Dropbox and Online Storage

If you are a user of an online storage facility like DropBox or one of the many others, have you considered the security ramifications of what you are doing?

Today, computing “in the cloud” is a big buzzword (that should probably be “buzzphrase”). Cloud computing, in its simplest form, is just a fancy way of saying that your computing resources are coming from someone else. Online storage and backup services have been around for a while, and I have been amazed at how people have not understood all of the impact of storing data online.

Perhaps the most important thing I want to make certain you consider is exactly WHAT information are you putting on someone else’s servers. Is it just pictures, or school projects, or other items not of great importance to anyone but you? Then you are fine. But what if you are storing files related to your banking, or tax returns, or other sensitive information? Here you might want to give pause for storing such information “in the cloud.”

You see, no matter what these companies tell you, computer security is still in its infancy. These companies may tout that they use “encryption” methods (that is, they “scramble” your data in such a way that hopefully only THEY can recover the original data at a later time) to hide your data…but what they don’t tell you is that encryption is not “fool-proof” protection. In addition, when you put your data on someone else’s servers, you have to also hope that the company who is hosting your data screens its employees very carefully. Encryption doesn’t mean diddly if the company’s employees are not properly screened and are given access to both your data and the encryption algorithms used to protect it.

I am not saying that online storage is not to be trusted…I am saying that you need to be made aware of the risks of putting your data online. If you choose to put your data online and you have an understanding of the risks and accept them, then this is a good thing.

KNOWLEDGE is your best weapon against bad outcomes with computing…and knowledge is what I hope to impart to you. Do not assume, just because your data is encrypted that it cannot be read. It makes it more difficult to be read, but there are ways of breaking encryption. If you need proof of this, just follow the tech news for a few weeks and you’ll see how many security violations are being reported in the news on a weekly basis. Encryption is good…but by itself it is not, in my opinion, sufficient to protect your data.

The best security for data is to not have the data accessible to those who might try to gain access to it. Tax return information stored on a CD in your home is much harder for a hacker in another country to gain access to than data you have uploaded to an online storage facility.

Don’t get me wrong…I am not saying “never use online storage”…I am only saying be very aware of WHAT you are storing there…and know the risks. Life is not without risks. The important thing is that we identify the risks and choose for ourselves what risks are worth taking and what risks we choose to avoid.

Knowledge is the key, my friends, and that knowledge will set you free!

SecurID by RSA Hacked!

Some very unsettling news about SecurID tokens. Don’t know what a SecurID token is? Perhaps you have one but don’t know it by name.

A SecurID token is a small little device that can fit on your keychain. It is used as an extra layer of protection for when you log into a computer system. You see, the SecurID Token displays a number that changes every so many seconds. Through some computer trickery, the computer you are trying to log into (that is set up to use a SecurID Token) can calculate the SAME number that your SecurID Token is currently displaying. The theory behind this is that if someone manages to get a hold of your User ID and Password, they STILL cannot gain access to your account without the SecurID Token number…which presumably only YOU have in your possession.

Well, that entire game just changed.

You see, RSA, the company that makes the SecurID Token, reported recently that there was an intrusion/break in/hack into THEIR computer systems, and the hackers were able to steal enough information to be able to figure out what the SecurID Token number should be for a person’s SecurID Token…effectively rendering your SecurID Token useless (click here for the original story).
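The “computer trickery” can be sketched in a few lines. This is an added example, not code from the original post or from RSA: it uses the open RFC 6238 time-based one-time-password scheme as a stand-in for RSA's own algorithm, and the seed values, 30-second step and 6-digit length are assumptions. It shows that the token and the server derive the same number from a shared secret seed and the clock, which is why a copy of the seed is enough to reproduce the number and why replacing the token (a new seed) fixes it.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed lifetime of each displayed number
DIGITS = 6         # assumed length of the displayed number


def token_code(seed: bytes, unix_time: int) -> str:
    """Number displayed for a secret seed at a given time (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation defined in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def server_accepts(seed: bytes, submitted: str, unix_time: int,
                   drift_steps: int = 1) -> bool:
    """Server side: recompute the number from the server's own copy of the seed.

    Neighbouring time steps are accepted to tolerate clock drift in the token.
    """
    for step in range(-drift_steps, drift_steps + 1):
        when = unix_time + step * STEP_SECONDS
        if when < 0:
            continue
        if hmac.compare_digest(token_code(seed, when), submitted):
            return True
    return False


def demo() -> dict:
    issued_seed = b"12345678901234567890"    # constructed sample (RFC test seed)
    reissued_seed = b"constructed-new-seed"  # constructed: seed of a replacement token
    now = 59                                 # constructed timestamp
    shown = token_code(issued_seed, now)

    # The number is a pure function of (seed, time): any copy of the seed,
    # wherever it is held, yields exactly what the token displays.
    seed_copy = bytes(issued_seed)

    return {
        "shown_on_token": shown,
        "server_accepts_token": server_accepts(issued_seed, shown, now),
        "copy_of_seed_gives_same_number": token_code(seed_copy, now) == shown,
        # A captured number alone goes stale once its time window has passed.
        "old_number_after_expiry": server_accepts(issued_seed, shown, now + 90),
        # After replacement the server holds a new seed, so numbers derived
        # from the old seed stop matching.
        "old_seed_after_replacement": server_accepts(reissued_seed, shown, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```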

Now, the thing you need to understand about system security, and the thing you are going to read from me over and over again, is that there is no such thing as a completely secure computer system. The best you can hope for is to keep the amateurs away from your data, and to give the professionals a reason to go look elsewhere for the jollies (because your data is going to be so hard to crack). Of course, some hackers relish a challenge, so you have to be careful even there.

But the overall point here is that you may be able to protect your data for a while…but eventually, given enough time, hackers WILL be able to compromise your data if they have any way of actually reaching it. Of course, if your data is not accessible from the Internet, then the only way for them to steal your data is to physically enter your premises to do so.

So as far as computer security goes, I think of it the way my parents taught me to think about car thieves. We lock our doors to keep the pranksters away and to try to encourage amateurs to find another car to steal…one that is easier to break into. However, if a professional REALLY wants your car, there is virtually NOTHING you can do to stop them.

So if you have an RSA SecurID Token, be sure to get it replaced right away! The article that I linked to previously already tells of people having had their accounts broken into based upon what the bad guys learned from their hacking into the RSA network.

You have been warned!
