Showing posts with label password. Show all posts

Friday, July 15, 2011

50 Ways to Get in Ethical Trouble with Technology

Originally written for attorneys, but great advice applicable to many of us...

Technology makes everything easier and faster. In fact, it makes it possible to commit malpractice at warp speed. We can fail to represent diligently, lose our clients' data, perform incompetently, and violate the rules regarding attorney advertising—all in sixty seconds or less.

There are so many ways to potentially commit malpractice with technology that it is impossible to list them all. Still, let us make a credible stab at some of the more common missteps. (more)

Thursday, July 14, 2011

Your Old Smartphone's Data Can Come Back to Haunt You

Your smartphone probably contains data in places you might not think to look. People--and companies--that sell old phones often do a lousy job of erasing all that info, according to our research with 13 secondhand phones. 

Stands at the flea market were selling stolen phones. The owners had not been able to wipe the phones remotely. Your old cell phone data can reemerge from the past to haunt you. Whether it’s because sellers are lazy or naive, cast-off phones still contain troves of information about their former users. And as phones get smarter, they’re ever more likely to hold bank account passwords, personal email, or private photographs that anyone with the right kind of motivation could exploit. (more)

Tip: Always protect your cell phone with a passcode PIN. Some smartphones allow their passcodes to be longer than the usual four digits and will automatically erase your data if the wrong code is entered too many times. ~Kevin

Thursday, July 7, 2011

If You See Your Password Here - Your Account Was Hacked

via consumerist.com...
Stare agog as all the passwords released in the LulzSec breach of Sony race past your eyes in this video.

In it, the computer shows and reads aloud all the passwords, one password per frame. If you're actually able to make out a word or a series of numbers, then that means it's a string being used by more than one person as their password.

Watching some of it might make you want to re-evaluate your password creation system. Do you see your password in there? Here's advice on creating a strong password that's unique to every site you visit, yet you'll never have a problem remembering. (more)

Thursday, June 2, 2011

Two CyberWar Hacking Stories. Just Coincidence? You decide.

China has admitted for the first time that it had poured massive investment into the formation of a 30-strong commando unit of cyberwarriors - a team supposedly trained to protect the People's Liberation Army from outside assault on its networks.

While the unit, known as the "Blue Army", is nominally defensive, the revelation is likely to confirm the worst fears of governments across the globe who already suspect that their systems and secrets may come under regular and co-ordinated Chinese cyberattack.

In a chilling reminder of China's potential cyberwarfare capabilities, a former PLA general told The Times that the unit had been drawn from an exceptionally deep talent pool. "It is just like ping-pong. We have more people playing it, so we are very good at it," he said. (more)



Lockheed Martin Cyber Attack: Routine, a Warning or a Possible Act of War?

Last Thursday, Reuters ran a story that the US defense firm Lockheed Martin was experiencing a major disruption to its computer systems because of a cyber attack.

The Reuters story said that the attack began the weekend before and indicated that it involved the company's SecurID tokens which allow Lockheed's 126,000 employees "... to access Lockheed's internal network from outside its firewall."

As a result of the attack, Lockheed reset all of its employees' passwords.

Thought Wall Stickers:
• "You have no idea how many people are freaked out right now [about the SecurID breach] ... TASC is no longer treating the RSA device as if it were as secure as it was beforehand."
• As one military official in the WSJ article stated it: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."

A while back, I visited the new Cyber-war exhibit at the Spy Museum in DC. It was about just this sort of thing, and the consequences of remotely destroying electrical generators using code. The outcome is very scary. Glad to see folks waking up and smelling the coffee.

The hackers have done us a favor, this time. ~Kevin

Thursday, May 5, 2011

Company Customer Database Hacked? Kicker... it's a password company!

Password management system LastPass has reset users' master passwords (1.25 million of them according to security expert Brian Krebs) as a precaution following the discovery of a possible hack attack against its systems...

The worst case scenario is that miscreants might have swiped password hashes, a development that leaves users who selected easier-to-guess passphrases at risk of brute-force dictionary attacks. Once uncovered, these login credentials might be used to obtain access to all the login credentials stored through the service, as LastPass explains in a blog post. (more)
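How that worst case plays out, as an added example that is not LastPass's code: an attacker who holds a table of password hashes tries a dictionary against it. The users, passwords and wordlist below are constructed for the demonstration, and the round count is kept small so it runs quickly; the comparison it makes is between an unsalted fast hash, where one guess is checked against every victim at once, and a per-user salt with an iterated KDF, where every (victim, guess) pair costs a full key derivation.

```python
"""Added example, not LastPass's code: what an attacker does with stolen
password hashes, and why a per-user salt plus a slow KDF raises the cost.
The users, passwords and wordlist below are constructed for the demo."""
import hashlib
import hmac
import os

# Constructed stand-in for an attacker's dictionary.
WORDLIST = ["123456", "password", "letmein", "monkey", "qwerty",
            "iloveyou", "dragon", "sunshine", "trustno1"]


def fast_unsalted(pw: str) -> str:
    """Weak storage: one SHA-256, no salt. Equal passwords give equal hashes,
    so each guess is checked against every victim with one computation."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_kdf(pw: str, salt: bytes, rounds: int) -> bytes:
    """Better storage: per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256).
    Every (victim, guess) pair now costs `rounds` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Hash each candidate once, then look it up against all victims.
    Returns ({user: password}, number of hash computations)."""
    table = {fast_unsalted(cand): cand for cand in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(table)


def crack_salted(leaked: dict, wordlist: list, rounds: int) -> tuple:
    """No shared table is possible: each victim's salt forces a fresh KDF run
    per guess. Returns ({user: password}, number of KDF computations)."""
    found, work = {}, 0
    for user, (salt, digest) in leaked.items():
        for cand in wordlist:
            work += 1
            if hmac.compare_digest(salted_kdf(cand, salt, rounds), digest):
                found[user] = cand
                break
    return found, work


def demo(rounds: int = 1000) -> dict:
    """Build a constructed 'breach' and attack both storage schemes.
    (Real deployments use far more rounds; 1000 keeps the demo quick.)"""
    real = {"alice": "letmein", "bob": "Tr0ub4dor&3-Xq", "carol": "letmein"}
    unsalted = {u: fast_unsalted(p) for u, p in real.items()}
    salted = {}
    for u, p in real.items():
        salt = os.urandom(16)
        salted[u] = (salt, salted_kdf(p, salt, rounds))
    uf, uw = crack_unsalted(unsalted, WORDLIST)
    sf, sw = crack_salted(salted, WORDLIST, rounds)
    return {"unsalted_found": uf, "unsalted_work": uw,
            "salted_found": sf, "salted_work": sw}


if __name__ == "__main__":
    print(demo())
```

Both schemes give up the two users who chose "letmein"; the salted KDF only makes each guess cost more and stops one computation from covering every account. The only defence that removes an account from the result entirely is a passphrase that is not in the attacker's dictionary, which is the point of the advice to users above.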

Saturday, April 23, 2011

Brain Sucking Cell Phone Spider

The "Universal Forensic Extraction Device" sounds like the perfect cell phone snooping gadget.

Its maker, Israel-based Cellebrite, says it can copy all the content in a cell phone -- including contacts, text messages, call history, and pictures -- within a few minutes. Even deleted texts and other data can be restored by UFED 2.0, the latest version of the product, it says.

And it really is a universal tool. The firm says UFED works with 3,000 cell phone models, representing 95 percent of the handset market. Coming soon, the firm says on its website: "Additional major breakthroughs, including comprehensive iPhone physical solution; Android physical support – allowing bypassing of user lock code, (Windows Phone) support, and much more." For good measure, UFED can extract information from GPS units in most cars.

The gadget isn't a stalker's dream; it's an evidence-gathering tool for law enforcement. Cellebrite claims it’s already in use in 60 countries. (more)

Thursday, January 6, 2011

Hannah Montana Hacker Jacked

The 21-year-old hacker who boasted about breaking into Miley Cyrus' Gmail account and posting racy photographs of the teenage star has been arrested in Tennessee on fraud charges.

Joshua Holly, known by his hacker alias TrainReq, got a lot of attention after posting private photos of Cyrus, then just 15. In one photo, Cyrus poses in her underwear and in another she poses, clothed, in the shower. 

In subsequent interviews Holly said that he downloaded the photos from Cyrus' Gmail account. He told Wired that he accessed the Gmail account by tricking a MySpace employee into giving him access to the company's administrative control panel, which included users' passwords. (more)

Thursday, October 28, 2010

Security Alert: iCracked

A security flaw in the iPhone allows strangers to bypass the handset’s lock screen with a few button presses.

...the quick method to circumvent an iPhone’s passcode-protected lock screen:
• tap the “Emergency Call” button,
• then enter three pound signs,
• hit the green Call button
• and immediately press the Lock button.
That simple procedure gives a snoop full access to the Phone app on the iPhone, which contains the address book, voicemail and call history. (more)

Apple:
“We’re aware of this issue and we will deliver a fix to customers as part of the iOS 4.2 software update in November." 

"Why is this important?”
Not having password protection on a smart phone leaves you open to information theft, jail-breaking and injection of spyware.

"Why does this trick exist?"
• It is a software loophole.
• It is a programmer's shortcut they forgot to patch.
• It is a programmer's Easter egg.
• It is a law enforcement backdoor never meant to become public knowledge.
Interesting question. You decide.

FutureWatch: The ability to create passcodes longer than four measly digits... a four-digit code is a pool of only 10,000 possibilities. ~Kevin

Tuesday, September 21, 2010

The Pit and the Password Pendulum

via Risks-Forum Digest Monday 20 September 2010 Volume 26 : Issue 17
"The discussion about overly complex password rules reminds me of sage advice that Digital once published in a VAX security manual. I'll paraphrase: The definition of security must be broad. Security aims to see that authorized users, and only authorized users, succeed in doing their jobs.

The modern definition of computer security seems much narrower. It focuses on preventing unauthorized uses, and malware. If security procedures hinder authorized users from doing their jobs, security still succeeds under the narrow definition, but fails under Digital's broader definition.

An onerous password policy is a form of denial of service attack. 

Might things improve if we made security people responsible for productivity of the good guys as well as denial of the bad guys?"

--------

Also…
An additional irony of keyloggers is that the bad guys can typically see your password better than you can, since they don't have every character replaced by a black blob. Only a very few programs (7-Zip, when asking for a password on a protected archive, springs to mind) allow you to check a box to say "I do not fear Tempest scanning, and there is nobody else in the room. Please let me see this password as I type it." 

To impose passwords like fH%JK43-oe9 and then prevent people from seeing what they're typing is just sadism. It must cost millions per year in password reset costs, even with automated delivery of new passwords to e-mail addresses. 

I've added this functionality to the Web applications which I maintain. I suggested its addition to a site which I use frequently, where I have contact with the development team, and which has no major, banking-style security issues. Their reply was, "We've decided not to do this, because it's not an industry-standard practice". 

Review your password policy. Make some innovative improvements. The easier it is for employees to use, the more effective it will be. Here is your mantra for the day, "Death to passwords on sticky notes." Come on, say it! 

Thursday, September 9, 2010

Busman's Holiday

(sing-a-long) During the past decade, a New York man stole more than 150 buses from an unsecured Trailway bus depot in Hoboken, New Jersey; the doors were open, the keys were left in the ignition, and he just drove off the lot, using the coaches for everything from fast-food runs to jaunts to North Carolina; he was finally collared last week after he stole a bus, drove to Manhattan, and took a group of flight attendants to Kennedy Airport.
Police Commissioner Raymond Kelly wants NYPD to look into lax security at a New Jersey depot from which bus-thief Darius McCollum stole more than a hundred buses. (more)

Attention security vendors who sell password access key pads. Opportunity honking.

Monday, August 16, 2010

Wash Your Hands Before Leaking

A study by Department of Computer and Information Science at the University of Pennsylvania has found that it can be possible to uncover passwords by analyzing the smudges left on touchscreen phones. Touch screens are touched, so oily residues, or smudges, remain on the screen as a side effect. Latent smudges may be usable to infer recently and frequently touched areas of the screen - a form of information leakage.

The researchers said that they believe smudge attacks are a threat for three reasons. First, smudges are surprisingly persistent in time. Second, it is surprisingly difficult to incidentally obscure or delete smudges through wiping or pocketing the device. Third and finally, collecting and analyzing oily residue smudges can be done with readily-available equipment such as a camera and a computer.

The analysis requires a photograph of the screen to be uploaded to a computer. However, the presumption that lighting conditions would affect the quality of the photo, and hence the ability to extract passwords was shown to be false. In one experiment, the pattern was partially identifiable in 92% and fully in 68% of the tested lighting and camera setups. Even in our worst performing experiment, under less than ideal pattern entry conditions, the pattern can be partially extracted in 37% of the setups and fully in 14% of them.

By enhancing the photo of the screen on the computer, the smudge patterns could be seen. Critically, the structure Android imposes on its unlock pattern produced distinctive smudge trails, from which the points that had been pressed could be worked out. (more) (presentation paper)

Thursday, July 8, 2010

The employees are picking your pockets...

Thirty-five percent of companies believe that their organisation's sensitive information has been given to competitors, according to a new survey. 

Cyber-Ark Software's "Trust, Security and Passwords" global survey also found that 37 percent of IT professionals surveyed cited former employees as the most likely source of this loss. 

The IT security company questioned more than 400 senior IT administrators in the UK and US in the spring of 2010 for the fourth annual survey.

The survey found that the most popular sensitive information to be shared with competitors was the customer database (26 percent) and R&D plans (13 percent). (more)

Thursday, July 1, 2010

Password Tip from Russian Spy

The FBI's case against an alleged deep cover Russian spy ring relies heavily on surveillance of their use of ad hoc Wi-Fi networks, bespoke software, encryption and the web...

The Illegals were given a steganography program by the SVR's Moscow Centre, it says. The software is not commercially available, and investigators discovered the alleged spies held copies of it by clandestine searches of their properties...

A New Jersey search uncovered a network of websites, from which the alleged spies had downloaded images.

Similarly, a search in Boston led to websites carrying steganographic messages. The texts had also been encrypted, and both the Boston and New Jersey hard drives required a 27-character password. (more)

P.S. One of the most glaring errors made by one of the spy defendants was leaving an imposing 27-character password written on a piece of paper that law enforcement officers found while searching a suspect's home. They used the password to crack open a treasure trove of more than 100 text files containing covert messages used to further the investigation. (more)

Saturday, May 8, 2010

How Do They Do It - Codebreaking

Seattle startup Pico Computing squeezes a cryptographic supercomputer into a breadbox...

...Not every customer has the know-how or the motivation to coax FPGAs into those cryptographical feats. But the three-letter agencies that buy Pico's code-breaking systems have both, and Pico offers them versions aimed at breaking everything from the Wi-Fi Protected Access (WPA) protocol used in Wi-Fi signals to the FileVault encryption found on Mac computers. (more)

Monday, March 15, 2010

Password Whacker now a 100x Faster Cracker

Password-cracking tools optimised to work with SSDs (solid state drives) have achieved speeds up to 100 times quicker than previously possible.

After optimising its rainbow tables of password hashes to make use of SSDs Swiss security firm Objectif Sécurité was able to crack 14-digit WinXP passwords with special characters in just 5.3 seconds. Objectif Sécurité's Philippe Oechslin told Heise Security that the result was 100 times faster than possible with their old 8GB Rainbow Tables for XP hashes.

The exercise illustrated that the speed of hard discs rather than processor speeds was the main bottleneck in password cracking based on password hash lookups. (more)
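Why a table-based cracker is bound by lookups rather than hashing, as an added example that is not Objectif Sécurité's code: a toy rainbow table over the space of four-digit PINs, with a truncated SHA-1 standing in for the password hash. The chain length, chain count, reduction function and start points are all chosen for the demonstration; a real table covers a space of 10^14 or more and stores its endpoints on disk, which is where the hard-disc-versus-SSD difference in the article comes from.

```python
"""Added example, not Objectif Securite's code: a toy rainbow table showing
how precomputed chains turn hash cracking into a lookup problem, and why
a salt defeats it. The space is 4-digit PINs so the table builds instantly."""
import hashlib

SPACE = 10_000        # PINs 0000..9999
CHAIN_LEN = 100       # t: columns per chain
NUM_CHAINS = 400      # m: chains generated; only (end -> start) is stored
HASH_CALLS = [0]      # counter, to report how much hashing a lookup needs


def H(pw: str) -> bytes:
    """Toy unsalted hash: SHA-1 truncated to 8 bytes."""
    HASH_CALLS[0] += 1
    return hashlib.sha1(pw.encode()).digest()[:8]


def R(col: int, h: bytes) -> str:
    """Column-dependent reduction mapping a hash back into the PIN space.
    A different reduction per column is what makes the table 'rainbow'."""
    return f"{(int.from_bytes(h, 'big') + col) % SPACE:04d}"


def build_table(starts) -> dict:
    """Walk each chain start -> end and keep only end -> start. Chains that
    merge into an existing endpoint are dropped ('perfect' table), which is
    what real tools do to cut false alarms. Real tables live on disk."""
    table = {}
    for start in starts:
        x = start
        for col in range(CHAIN_LEN):
            x = R(col, H(x))
        table.setdefault(x, start)
    return table


def lookup(table: dict, target: bytes):
    """Return a PIN with H(pin) == target, or None if the table misses it.
    Each candidate column costs one chain walk plus, on an endpoint match,
    one chain regeneration to find the preimage before that column."""
    for j in range(CHAIN_LEN - 1, -1, -1):
        # Suppose target is the hash at column j: run the chain to its end.
        x = R(j, target)
        for col in range(j + 1, CHAIN_LEN):
            x = R(col, H(x))
        start = table.get(x)
        if start is not None:
            # Candidate chain found: regenerate it up to column j and verify.
            p = start
            for col in range(j):
                p = R(col, H(p))
            if H(p) == target:
                return p
    return None


def demo() -> dict:
    starts = [f"{(i * 25) % SPACE:04d}" for i in range(NUM_CHAINS)]
    table = build_table(starts)
    HASH_CALLS[0] = 0
    hit = lookup(table, H("0000"))       # a chain start, so it is covered
    lookup_cost = HASH_CALLS[0]
    # A salt moves the hash off every precomputed chain, so the table misses.
    salted = lookup(table, H("s3cr3tsalt" + "0000"))
    return {"endpoints_stored": len(table), "hit": hit,
            "lookup_hashes": lookup_cost, "brute_force_hashes": SPACE,
            "salted_hit": salted}


if __name__ == "__main__":
    print(demo())
```

In a space this small the lookup can cost about as much hashing as brute force, so the toy shows the mechanism rather than the speed-up; the win appears when the space is enormous and the table is gigabytes of endpoints on disk, at which point each candidate column is one random read, and read latency, not CPU, sets the crack time. The salted lookup returning nothing is the other lesson: LM and NT hashes have no salt, which is why Windows XP tables exist at all.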

Saturday, January 23, 2010

Passwords stink... Face It

A Japanese company that specialises in face recognition technology has claimed the need for security passwords and identity swipe cards may soon become a thing of the past. Omron is working on software that scans faces to help recognise customers and employees. (more)

Tuesday, December 8, 2009

Wi-Fi Hacker Helper...

...Time to upgrade your Wi-Fi encryption.
For $34, a new cloud-based hacking service can crack a WPA (Wi-Fi Protected Access) network password in just 20 minutes, its creator says.

Launched today, the WPA Cracker service bills itself as a useful tool for security auditors and penetration testers (and lazy hackers who seek easy access to your system) who want to know if they could break into certain types of WPA networks. It works because of a known vulnerability in Pre-shared Key (PSK) networks, which are used by some home and small-business users. (more)
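The "known vulnerability" is that a captured four-way handshake lets anyone verify PSK guesses offline, which is all a rented bank of CPUs needs. The guess-and-verify loop, as an added example that is not the WPA Cracker service's code: the SSID, MAC addresses, nonces, wordlist and the simplified EAPOL-Key frame are all constructed here, and the derivation follows 802.11i (PBKDF2-HMAC-SHA1 for the PMK, the "Pairwise key expansion" PRF for the PTK, HMAC-SHA1 truncated to 128 bits for the WPA2 key MIC). Parsing a real capture is left to tools such as aircrack-ng or hashcat.

```python
"""Added example, not the WPA Cracker service's code: why a sniffed WPA2-PSK
4-way handshake allows offline passphrase guessing. Network parameters,
nonces, the EAPOL frame and the wordlist are constructed for the demo."""
import hashlib
import hmac

# Constructed attacker dictionary.
WORDLIST = ["password", "12345678", "sunshine2009", "letmein123"]


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit key. The SSID is
    the salt, so a precomputed table only helps against that network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label||0x00||data||i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def kck_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """Derive the PTK (384 bits for CCMP) and return its first 128 bits,
    the Key Confirmation Key that authenticates the handshake messages."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2 key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed),
    truncated to 16 bytes. The sniffer sees this value in message 2."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol_zeroed,
              captured_mic, wordlist):
    """Offline attack: everything but the passphrase was in the capture, so
    each guess is one PBKDF2 run plus a PRF and an HMAC. No AP involved."""
    for cand in wordlist:
        kck = kck_from_pmk(pmk_from_passphrase(cand, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return cand
    return None


def demo() -> dict:
    """Simulate two networks (weak and strong passphrase), capture their
    handshake MICs, and run the dictionary against each."""
    ssid = "CoffeeShopNet"
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"anonce-demo").digest()   # 32-byte nonces, constructed
    snonce = hashlib.sha256(b"snonce-demo").digest()
    # Constructed, simplified EAPOL-Key message 2 body with the MIC zeroed.
    eapol_zeroed = (b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 8
                    + snonce + b"\x00" * 48 + b"\x00\x00")
    results = {}
    for label, real_pass in (("weak", "sunshine2009"),
                             ("strong", "correct horse battery staple")):
        kck = kck_from_pmk(pmk_from_passphrase(real_pass, ssid), ap_mac, sta_mac, anonce, snonce)
        captured_mic = eapol_mic(kck, eapol_zeroed)   # what the sniffer recorded
        results[label] = crack_psk(ssid, ap_mac, sta_mac, anonce, snonce,
                                   eapol_zeroed, captured_mic, WORDLIST)
    return results


if __name__ == "__main__":
    print(demo())
```

Two things follow from the derivation. The 4096 PBKDF2 rounds are the only thing slowing the attacker down, and they are cheap enough that a dictionary of hundreds of millions of words is a matter of CPU-hours for rent; and the SSID-as-salt means a default or common network name lets an attacker reuse precomputed PMKs across every network carrying it. The only setting the owner controls is the passphrase, so "upgrade your Wi-Fi encryption" for a PSK network means a long, non-dictionary passphrase (or WPA-Enterprise, which has no shared secret to guess).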

Thursday, November 5, 2009

Cautionary Tale: The administrator who didn't administrate.

Federal authorities on Wednesday filed intrusion charges against two men accused of accessing the computer systems of their former employer.

Scott R. Burgess, 45, of Jasper, Indiana, and Walter D. Puckett, 39, of Williamstown, Kentucky, both worked as managers for Indiana-based Stens Corporation until taking jobs with a competing company in Ohio, according to an indictment filed in federal court. On at least 12 occasions, they used old passwords to log in to their former employer's computer and obtain proprietary information, prosecutors allege.

Although the men left their jobs in 2004 and early 2005, they were able to use the outdated passwords successfully as late as September of 2006. On at least two occasions, administrators at Stens grew suspicious and terminated old passwords. The men simply tried different login credentials - and succeeded several times. (more)

Saturday, October 3, 2009

One Password Will Hurt You

Nearly half of all Brits (and probably everyone else) use the same password to log in to their online banking account as their social networking account, says CPP.

• Two thirds of web users said it's too difficult to remember numerous logins.
• 17 percent said they were concerned they would get locked out of their account if they forgot their password.

• 40 percent of web users admitted that at least one other person knows their passwords; of these, two percent confessed that an ex-partner has access to their social networking and online banking accounts.
• A third of Brits said they believed that these people may have logged in using their details.

• One in ten Brits has had one of their online accounts hacked, with 57 percent of the crimes happening in 2008.

• Of those that saw their online accounts hacked, 18 percent had goods illegally bought in their name, 12 percent had money stolen while five percent also said they'd had their identity stolen.


Sarah Blaney, identity theft expert at CPP, said: "No sensible person would use the same key for their house, car and garage." (more)

It's time for half of us to develop a better password strategy.

Thursday, July 9, 2009

"Passwords? We don't need no stinkin'..."

Kon-Boot for Windows enables logging in to any password-protected machine profile without any knowledge of the password. There is also a version for Linux. Sounds dangerous. Stay tuned. Freeware download.

Security Director Recommendation - One possible corporate environment solution: a tool like this has to be booted from removable media, so disable booting from USB ports and CD drives in the BIOS and lock the BIOS settings with a password.