Keeping Hidden from Satellite Surveillance

This is an interesting story about how Area 51 was kept hidden from Soviet spy satellites during the Cold War. So how did they do it? Did they use some kind of optical camouflage? Did they have some method of distorting the view of what the satellite picked up? No, the solution was far more low tech:

Often hoisted atop tall poles for radar tests of the planes’ stealthiness, OXCART prototypes were tested outside—making the Soviet spy satellites especially aggravating.

“We had hoot-and-scoot sheds, we called them,” Barnes says in the new National Geographic Channel documentary Area 51 Declassified. (The Channel is part-owned by the National Geographic Society, which owns National Geographic News.)

“If a plane happened to be out in the open while a satellite was coming over the horizon, they would scoot it into that building.”

Former Area 51 procurement manager Jim Freedman adds, “That made the job very difficult, very difficult.

“To start working on the aircraft and then have to run it back into the hangar and then pull it out and then put it in and then pull it out—it gets to be quite a hassle,” Freedman says in the film.

That’s pretty simple and sounds pretty effective. The Soviets couldn’t see what wasn’t there, after all. I find the stories of how the Americans and Soviets tried to keep secrets from one another fascinating, and I think a general rule of tactics that were both simple and effective eventually sprang up.

The Best Data Protection is Not Having Data

Although I just got done talking about protecting your data via encrypting your hard drive there is a much better means of protecting data that I didn’t cover, not having it:

As both data storage and data processing become cheaper, more and more data is collected and stored. An unanticipated effect of this is that more and more data can be stolen and used. As the article says, data minimization is the most effective security tool against this sort of thing.

This advice applies to anything. If there is an absence of something it can’t be taken. If you don’t actually have incriminating data on your computer then it can’t be used against you. If you don’t have a television to steal then a crook can’t take your television. Unfortunately this isn’t very practical and the real problem is one of personal information that is stored by third parties.

Like it or not, third parties store a lot of information about you. Even if you’ve never purchased anything online the government likely has countless documents relating to you and your identity. If you use a credit or debit card there is a record of every purchase you make, where you made it, what day you made it on, how much it cost, etc. Most people have cellular phones these days, which means a third party, the cellular provider, has your personal information, a history of calls you’ve made or received, your location, etc. Even automobiles are starting to store more and more information about drivers.

I would love to see a world where the amount of data stored by third parties was kept at an absolute bare minimum. Sadly I don’t foresee such a world, as personal data is valuable and thus people want to have it.

If You Have a Credit Card Tied to Sony’s PlayStation Network Cancel It

I haven’t commented on the serious security breach Sony is dealing with involving their PlayStation Network but I thought I’d toss out a warning. It appears as though whoever broke into Sony’s network was able to walk off with account information for 24.6 million of Sony’s customers. Sony has listed the following information as likely compromised:

name
address
e-mail address
birthdate
gender
phone number
login name
hashed password.

In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:

bank account number
customer name
account name
customer address.

That amount of personal information is perfect for malicious people wanting to perform targeted scams so watch yourself. Likewise if you have a debit or credit card tied to your PlayStation Network account call the bank that issued you the card and report it as stolen because it likely was.

Why Have a House When You Can Have a Fortress

These are uncertain times and you never know when a stray velociraptor or a horde of zombies are going to make their way onto your property. In such times the only safe place is a fortress and by Thor I’ve found a rather stylish one. It’s a house that is basically a large reinforced structure that can be sealed up in minutes.

It looks as though it would work well against zombies but I question its safety against man’s greatest threat, velociraptors. There are many large windows for a raptor to jump through and let’s be honest and admit no early warning will exist if you’re being hunted by one of these clever girls.

FBI To Remove Coreflood From Infected Computers

I’ll be honest and admit I’ve heard little about the botnet being referred to as Coreflood. Apparently it did something nasty enough to gain the attention of the Federal Bureau of Investigation (FBI) though:

Two weeks ago, the DOJ and the FBI obtained an unprecedented temporary restraining order that allowed them to seize five command-and-control (C&C) servers that managed Coreflood. Since then, the U.S. Marshal’s Service has operated substitute C&C servers that have disabled the bot on most infected PCs.

But that’s not the most interesting part of this story. It seems that the FBI have been able to identify the owners of some infected machines and are going to offer to uninstall the botnet software from those owners’ computers:

The FBI has also identified infected computers, and in some cases has linked names to the static IP addresses. Those are the PCs targeted for remote Coreflood eradication.

“While the proposed preliminary injunction is in effect, the Government also expects to uninstall Coreflood from the computers of Identifiable Victims who provide written consent,” said the DOJ in the memo.

I’m not sure how the written consent will be dispatched but I do have some advice if you should receive such a consent form. First of all, turn it down; the last people you want in your system is the government. Thor knows that they’ll probably uninstall the botnet software but will also install something that monitors your network activity to “verify proper removal.” Yes I’m actually that cynical but I trust nobody inside of my machines, be it government officials or just regular people off of the street (although I’m inclined to trust the latter more).

The second thing you should do after burning that consent form is to wipe the machine and reinstall the operating system plus all available updates. Only one means exists to uninstall malicious software and ensure it’s actually gone, wiping the entire computer clean and starting from scratch. Software is incredibly complex and there is no way to know if every backdoor for a piece of malicious software has been removed. Do yourself a favor, if your system has been infected just start over. Anti-malware software can make an attempt to remove malicious software and may or may not be successful but you have no way of knowing.

MySQL Compromised by SQL Injection

This is comedy gold. MySQL.com’s database was compromised yesterday (at least that’s when the story was published) by somebody who used an SQL injection attack:

MySQL offers database software and services for businesses at an enterprise level as well as services for online retailers, web forums and even governments. The vulnerability for the attack, completed using blind SQL injection and targeted servers including MySQL.com, MySQL.fr, MySQL.de and MySQL.it, was initially found by “TinKode” and “Ne0h” of Slacker.Ro (according to their pastebin.com/BayvYdcP dump of the stolen credentials) but published by “Jackh4x0r”.

Oh delicious irony how I love thee.

That’s Clever

I have to agree with Bruce Schneier that this is just plain clever:

The thieves glue down the “enter,” “cancel” and “clear” buttons on the keypad and wait until the customer goes into the bank for help before withdrawing money from their account.

The robbed customers have already punched in their PINs when they realize the keypad buttons are stuck. The unwitting customers either do not know that they can use the ATM touchscreen to finish their transaction, or become nervous when the keypad isn’t working and react by leaving the ATM unattended, Richmond Station police Capt. Richard Corriea said.

Since January, there have been four such thefts in the Richmond District alone, Corriea said.

Take note: when you use an ATM, check to make sure the keys are all in proper working order. Most of the time the simplest hacks are the most effective.

Attacking Phones Using SMS

Though this will come as no surprise to anybody, a couple of researchers have found a method of attacking phones using the Short Message Service (SMS):

A pair of security researchers from Germany demonstrated several techniques at the CanSecWest conference here Wednesday that enable them to remotely reboot, shut down or even completely disable many popular mobile phones with SMS messages.

It should be noted that they’ve only tested this on feature phones so we don’t know if smartphones will be affected or not. Likewise they only tested this on GSM phones so it may be that most CDMA phones will remain unaffected. Either way if you want to screw with somebody and you know their number this would certainly be a viable method. Heck if you knew somebody’s number you could potentially start a denial of service attack against their phone by constantly sending crafted text messages that cause your target’s phone to reboot.

Credit Card Fraud, So Simple an Inmate Can Do it

I’ve always known credit card fraud was easy to do but I couldn’t appreciate how easy until I read this story which I found via Bruce Schneier’s blog:

A Rikers Island inmate ran a nationwide cyber-crime ring from behind bars that forged fake credit cards to buy $1 million in iPads and Apple computers, officials said Wednesday.

Shaheed “Sha” Bilal, 28, directed the massive syndicate, instructing his girlfriend and three younger brothers on how to encode the magnetic strips on credit cards with stolen financial information, Manhattan District Attorney Cyrus Vance said.

Obviously the prison system works well if those incarcerated for performing criminal acts can continue to perform criminal acts while imprisoned.

Facebook Turns on HTTPS

Just to let everybody know it seems Facebook has finally activated the option of turning on HTTPS. HTTPS encrypts the traffic between your computer and Facebook making it more difficult to eavesdrop on your traffic (useful for example if you actually use open Wi-Fi access points). You should go to your settings and enable this right away.

Of course if you’re using HTTPS Everywhere you don’t have to worry about manually enabling this Facebook feature. Or you could add Facebook to NoScript’s force HTTPS section.