Category Archives: Security

A huge mistake, and disaster averted

Yep

Other than not being a woman, I know just how that lady feels. Today was a bad day, and her expression was my exact expression earlier. You’ll notice over to the right, on the twitter feed, the words “OR DON’T.” That was the header image to a post I had written about two separate attacks this month that targeted remote access software. One attack on June 1st compromised TeamViewer, a program I use myself, and the second, more recent attack targeted GoToMyPC, hence the OR DON’T. Get it? Anyway, both were based on password reuse, so change your passwords if you’re affected. Or even if you’re not.

However, after I posted it, I noticed that the LightBox functionality was not working on recent posts. LightBox is the feature that expands an image when you click on it while darkening the background. It only fails on recent posts; on older posts it works fine. I didn’t know why, and started to investigate.

New ransomware method to worry about

Image Credit: makeuseof.com

Over on the security blog Bleeping Computer, there is a post about a new type of ransomware that presents a triple threat. Known as RAA, what makes this one different is that instead of using an .exe attached to an email, which would pop up an alert when a user tried to run it, this one is written entirely in JavaScript, a language normally used to provide functionality for web pages. If a user runs something written in JS, it likely would not pop up any alerts, and the damage would be done before you knew it.
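The defensive check this implies is to treat script files arriving as email attachments as executables, not documents. The following is an added example (not code from the Bleeping Computer post or from this blog): it parses a constructed message with Python’s standard email module and flags attachments whose final extension is a script type; the extension list and the sample message are assumptions.

```python
# Added example: flag e-mail attachments that a double-click would hand to a
# script interpreter rather than a document viewer. Extension list is assumed.
import email
from email import policy

# Extensions treated as directly runnable scripts (assumed, not exhaustive).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}

# Constructed sample message with a double-extension .js attachment.
SAMPLE_EML = """\
From: billing@example.com
To: someone@example.org
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"

var placeholder = 1; // constructed placeholder body, not a real payload
--b1--
"""

def script_attachments(raw_message):
    """Return filenames of attachments whose final extension is a script type."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Only the last extension matters to the shell: "invoice.pdf.js" runs as .js.
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SCRIPT_EXTENSIONS:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name in script_attachments(SAMPLE_EML):
        print("script attachment:", name)
```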

Enjoy the Internet while you can

This has been in the cards for a long time, but ICANN, the Los Angeles-based organization that has its fingers in many aspects of how the Web operates, will no longer be managed by the United States, but – according to this article in the Washington Post – by “an international body made up of technologists, businesses, governments and public interest advocates.”

This is a mistake. While I don’t have an inherent problem with a nebulous international body overseeing the continued development of the operation of the Web, what I DO have a problem with is that this will give a say to oppressive regimes who have no interest in freedom of expression or the open standards and ideas that the Web is built upon, and they could very well turn back the Internet clock, as it were.

I’m not being facetious when I say this could change the way the Web works forever. It could cease being the glorious, anachronistic Wild West that it always has been, and instead be regulated according to the demands of those who wish to stifle it and the free exchange of information it represents. Some governments, who have expended huge amounts of money and effort to limit what their citizens can see on the Internet, have been salivating over this moment for decades; we can all imagine why.

You’ll notice that page six of the transition assessment (.pdf here) states “This model encourages all parties—including businesses, technical experts, civil society, and governments—to participate and to reach consensus through a bottom-up process.” The problem is, governments will have ultimate decision-making capabilities and will overrule other stakeholders. I’m astounded there is not more attention being paid to this, that the news isn’t covering it and, frankly, that people aren’t rioting. If they’re so willing to riot over the G20, which is *also* a multinational gathering – why not this? We should be very careful about who has influence over the future growth of the Web.

So enjoy the Web while you can, it could be changing soon.

Better change your passwords

1234

Seriously. I’m not just telling you this because it’s World Password Day (it is, though, and I don’t know what Betty White has to do with anything). I’m saying it because it has come out that a security pro at Hold Security discovered an absolutely massive theft of usernames and passwords from Russia’s largest email provider, mail.ru: about 275 million stolen records. Not only that, a significant number of credentials were stolen from Gmail, Hotmail, and Yahoo account holders as well. Incidentally, many reports are saying ‘Microsoft’ instead of ‘Hotmail,’ which is a Microsoft property, but Microsoft also has Outlook, which hasn’t, as far as I can figure out, been hit.

Most surprising of all, even more than the fact that this is one of the largest thefts of electronic records in history, is that the teenage hacker who acquired them was willing to sell the whole multi-hundred-million-record lot for the grand sum of $1. But wait, there’s more! The hacker was discovered by bragging about the theft in an online hacking forum, and when the Hold Security employee who engaged him offered to leave positive feedback for the hacker, the price was dropped to free. That’s right, free for the mere quid pro quo of a positive review.

Off topic, but that touches on the concept of what is known as the reputation economy, in which someone’s actual worth depends on what others say about them in public and think about them in private. You can read more about it here.

It’s no secret that people use bad passwords all the time, and reuse them over and over for multiple functions and sites. Don’t do that! Use a passphrase – in class just today, my students suggested ‘sheturnedmeintoanewt,’ a line from Monty Python and the Holy Grail, which turns out to be a perfect passphrase. It’s long and complex, yet easy to remember. Plus, it would take 16 BILLION years to crack! How do I know? Because we plugged it into howsecureismypassword.net, and that was its estimate. Even if it’s off by a billion years or so, that’s still pretty good. If we capitalize just one letter, the ‘n’ in newt, it jumps up to 17 quadrillion years. This isn’t the be-all and end-all for accurately determining password strength, but it’s a good estimator.
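To see what such an estimator is actually computing, and why it is only an estimator, here is an added example (not code from the post or from howsecureismypassword.net). It sizes the brute-force search by the character classes present, shows the exact factor one capital letter adds, and compares that with a word-by-word search of the kind an attacker runs against phrases built from dictionary words. The guess rate and the 10,000-word vocabulary are assumptions, so the absolute years differ from the site’s figures.

```python
# Added example: brute-force keyspace estimate versus a word-by-word search.
# GUESSES_PER_SECOND and the vocabulary size are assumed values.
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1e10   # assumed attacker rate; sites pick their own figure

def charset_size(candidate):
    """Alphabet size implied by the character classes present in the candidate."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in candidate))

def keyspace(candidate):
    """Number of strings of the same length over the implied alphabet."""
    return charset_size(candidate) ** len(candidate)

def brute_force_years(candidate, rate=GUESSES_PER_SECOND):
    """Years to try every string in the keyspace at the assumed rate."""
    return keyspace(candidate) / rate / SECONDS_PER_YEAR

def wordlist_years(word_count, vocabulary, rate=GUESSES_PER_SECOND):
    """Years to try every ordered sequence of word_count words from a vocabulary."""
    return vocabulary ** word_count / rate / SECONDS_PER_YEAR

def capitalization_factor(lower, mixed):
    """Exact growth of the keyspace when `lower` becomes the mixed-case `mixed`."""
    return keyspace(mixed) // keyspace(lower)

if __name__ == "__main__":
    phrase = "sheturnedmeintoanewt"          # the students' passphrase, 20 letters
    print(f"brute force: {brute_force_years(phrase):.3g} years")
    # One capital letter doubles the alphabet, so the keyspace grows by 2**20.
    print(f"one capital: x{capitalization_factor(phrase, 'sheturnedmeintoaNewt')}")
    # The phrase is six dictionary words from a famous quote; a word-level
    # search over an assumed 10,000-word vocabulary is far smaller than the
    # character-level estimate, and a quote list would be smaller still.
    print(f"six words from 10k list: {wordlist_years(6, 10_000):.3g} years")
```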

Pretty secure

If you’d like to use a different password for each site or service, but are worried about keeping track of them all, you can use a password manager like KeePass to manage them. Some password managers even enter the passwords for you. I don’t know how I feel about that personally, but it is easier. Beware, password managers usually have a master password, and if you lose or forget that, you are screwed – you’ll be resetting passwords forever.

Everyone knows I hate passwords, and especially the policies that go along with them, and I hope the scourge of passwords is one we can wipe from this earth in the very near future, replaced with something more robust – but not 100% foolproof – like biometrics (fingerprint scanners, for example). Until then, just remember: It’s only a flesh wound.

I don’t know why I bother

SplashData has, as they are wont to annually do, released their list of the worst passwords of 2015. Definitely look at the link; there’s a lot of additional information there regarding how dumb we are when it comes to this. Want to take a guess which terrible password takes the top spot? That’s right, 123456. Anyone surprised? Anyone? No? Frankly, if that’s your password, you deserve whatever happens. And it’s not alone: other number-based passwords made the list as well, including 12345678 and 123456789. Other idiotic passwords include qwertyuiop, login, and passw0rd. That last one is especially offensive, as though the person thinks they are pulling a fast one by having a zero instead of an o. They’re in for an unpleasant surprise.

I used a different header image than I had originally intended; the original showed the bad passwords from 2014. The 2015 list is generally the same as 2014’s, and I ended up not going with that image because it was redundant considering the list below, but the original version of this post still referenced it. So I made a fun edit, and instead used the Facebook post in the header, which – although I sincerely and very much hope it’s fake – shows how gullible people can be. If it’s real, I wouldn’t at all be surprised. Now hold on while I allow a Nigerian prince access to my bank account.

There are some passwords on the list that are less offensive, as though the person tried, including dragon and starwars, but geez oh man, at least throw a capital letter or exclamation point or something in there; even the passw0rd people up above did that. If you really need to make a strong password, remember that a sequence of at least four random words is the best alternative, and hopefully one day passwords will go the way of the dinosaurs and disco (although I do love disco), and we can switch to things like biometrics full time. Here’s the full list, pasted from CNET:

1 – 123456 (unchanged from 2014)
2 – password (unchanged)
3 – 12345678 (up 1)
4 – qwerty (up 1)
5 – 12345 (down 2)
6 – 123456789 (unchanged)
7 – football (up 3)
8 – 1234 (down 1)
9 – 1234567 (up 2)
10 – baseball (down 2)
11 – welcome (new)
12 – 1234567890 (new)
13 – abc123 (up 1)
14 – 111111 (up 1)
15 – 1qaz2wsx (new)
16 – dragon (down 7)
17 – master (up 2)
18 – monkey (down 6)
19 – letmein (down 6)
20 – login (new)
21 – princess (new)
22 – qwertyuiop (new)
23 – solo (new)
24 – passw0rd (new)
25 – starwars (new)

Incidentally, if you think you have a pretty robust password, and want to test if you really have the goods, you can go to howsecureismypassword.net and see. The site is legitimate, I promise, it’s not stealing your credentials or anything like that, and it will show you how strong your password really is. Here’s mine – I’ve got the process down.

That’s right

The Ogre-Faced spider of drones

Ogre-faced spider

As many of you know, I considered going to grad school for biology, specifically because I wanted to investigate the cognitive capabilities of spiders. I believed there were certain species of spider that had the genuine ability to think and plan out strategy, and although I decided to pursue another path, I would also like to note that I have since been proven right. I knew it all along. Not all of them have the ability to think, of course; in fact I frequently use the example of a black widow and her behavior to illustrate concepts in artificial intelligence, specifically to define what is and isn’t intelligence.

So if you take a look at the lovely lady in the header image, you’ll see a spider that is unique in many ways, not the least of which is that it has two different and distinct colloquial names – one based on her appearance, and one based on her behavior. That’s unusual in the insect kingdom (which isn’t really a kingdom in the biological sense, but you know what I mean). Her first name is the ogre-faced spider, for reasons I think are pretty obvious. Her other name, however, is the one we’re concerned with and it describes not just her behavior but what I believe is at least a low-level ability to cognate: the net-casting spider.

Net-casting spider in action

That’s right! This spider makes a net, waits for some unsuspecting bug to mosey underneath, then not only traps the bug in the net, but will expand the net to fit the bug if necessary, or in some cases allow the bug to pass if she feels it will put up too much of a fight. And people say spiders can’t think. Or maybe they don’t say that, but if they do, they shouldn’t.

So why all the talk of spiders that can do the thinky thinky? Well, besides the fact that I use spider cognition – insomuch as it is – to explain artificial intelligence concepts, the net-casting spider is also the first thing I thought of when I saw this post over at Engadget: It turns out students at Michigan Tech are developing a drone that, just like the net-casting spider, can throw out a net to catch other drones in midair! How badass is that? Here’s the gif, borrowed from Engadget’s post:

Dronecatcher

The designers call it ‘Robotic Falconry,’ which makes perfect sense if you’ve ever seen a falcon hunt; they often pluck their prey, if it’s a bird, out of midair. The rogue drone, as it were, is similarly plucked right out of the air via net and hauled away, helpless, to someplace for…well, I’ll say tea and cake, but more likely disassembly.

I like this idea. It seems a less-lethal way of dealing with a rogue drone. If you think that perhaps this is addressing an issue that isn’t a real problem, you might want to read this post from Ars Technica. We don’t want to see anyone get hurt, and this guy was ready to do it. There’s a fascinating follow-up to that whole thing as well that could set law and policy about drones and would necessarily be very wide-ranging, covering ownership, privacy, property, and how all these things interact and overlap where drones are concerned. Additionally, as Engadget’s post also points out, Japan is testing a net-casting drone because shooting them down could be harmful if they are loaded with a dangerous substance, a problem they’ve already had to deal with.

This could all be focused into something productive, though. What we REALLY need is some kind of gladiatorial drone-combat sport thing – that would be fun to watch. Just like the BattleBots competitions they have, drone wars could become a real thing. A real, exciting thing. Drones with nets, drones with lasers, drones that shoot flames and crash into each other. I’d watch that.

Going Up