Saturday, December 14, 2013
It is possible to secure this type of service. For example, turning it off until needed works rather well.
Hacked Via RDP: Really Dumb Passwords
Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Today’s post examines an underground service that rents access to hacked PCs at organizations that make this all-too-common mistake.
Makost[dot]net is a service advertised on cybercrime forums which sells access to “RDPs”, mainly Microsoft Windows systems that have been configured (poorly) to accept “Remote Desktop Protocol” connections from the Internet. Windows ships with its own RDP interface built-in; to connect to another Windows desktop or server remotely, simply fire up the Remote Desktop Connection utility in Windows, type in the Internet address of the remote system, and enter the correct username and password for a valid user account on that remote system. Once the connection is made, you’ll see the remote computer’s desktop as if you were sitting right in front of it, and have access to all its programs and files.
… How did these companies end up for sale on makost[dot]net? That is explained deftly in a report produced earlier this year by Trustwave, a company which frequently gets called in when companies experience a data breach that exposes credit card information. Trustwave looked at all of the breaches it responded to in 2012 and found — just as in years past — “IP remote access remained the most widely used method of infiltration in 2012. Unfortunately for victim organizations, the front door is still open.”
The report continues:
“Organizations that use third-party support typically use remote access applications like Terminal Services (termserv) or Remote Desktop Protocol (RDP), pcAnywhere, Virtual Network Client (VNC), LogMeIn or Remote Administrator to access their customers’ systems. If these utilities are left enabled, attackers can access them as though they are legitimate system administrators.”
… In case the point wasn’t clear enough yet, I’ve gathered all of the username and password pairs picked by all 430 RDP-enabled systems that were sold to this miscreant. As evidenced by the list below, the attackers simply needed to scan the Internet for hosts listening on port 3389 (Microsoft RDP), identify valid usernames, and then try the same username as the password. In each of the following cases, the username and password are the same.
… Unfortunately, far too many organizations that end up for sale on services like this one are there because they outsourced their tech support to some third-party company that engages in this sort of sloppy security. Fortunately, a quick external port scan of your organization’s Internet address ranges should tell you if any RDP-equipped systems are enabled. Here are a few more tips on locking down RDP installations.
Readers who liked this story may also enjoy this piece — Service Sells Access to Fortune 500 Firms — which examined a similar service for selling hacked RDP systems.
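The post's closing advice is an external port scan of your own address ranges for TCP 3389. As an added example, not code from the post or from Krebs, here is a small Python audit script that does exactly that check against ranges you pass on the command line (the 192.0.2.x addresses in the tests are RFC 5737 documentation addresses, constructed for illustration):

```python
# Added example: audit your own address ranges for hosts exposing RDP (TCP 3389).
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

RDP_PORT = 3389  # Microsoft Remote Desktop Protocol, as named in the post


def expand_targets(spec):
    """Turn a CIDR string or single address into a list of host strings."""
    net = ipaddress.ip_network(spec, strict=False)
    hosts = list(net.hosts())
    if not hosts:  # /31 and /32 yield nothing on older Pythons: use every address
        hosts = list(net)
    return [str(h) for h in hosts]


def probe(host, port=RDP_PORT, timeout=2.0):
    """Return True if a TCP handshake to host:port completes, i.e. something listens."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_exposed(hosts, probe_fn=probe, workers=64):
    """Probe every host concurrently; return those with RDP reachable, in input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe_fn, hosts))
    return [h for h, is_open in zip(hosts, results) if is_open]


def report(exposed, total):
    """Human-readable summary of the audit result."""
    if not exposed:
        return f"{total} hosts checked, none accept connections on TCP {RDP_PORT}"
    lines = [f"{len(exposed)} of {total} hosts expose TCP {RDP_PORT} (RDP):"]
    lines += [f"  {h}" for h in exposed]
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: rdp_audit.py <cidr-or-address> [...]")
    targets = [h for spec in sys.argv[1:] for h in expand_targets(spec)]
    print(report(find_exposed(targets), len(targets)))
```

A completed handshake only proves a listener is there; every host it reports is a candidate for the "turn it off until needed" treatment above or for the lockdown tips the post links to.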
How do I mislead thee?
Let me count the ways:
I mislead thee to the depth and breadth and height
My vocabulary can distort...
Did someone lie to the Committee, or are they lying to us? (OR: does, “Never attribute to malice that which is adequately explained by stupidity.” apply?) Surely there have been more than 32 attempts. I heard about several at last night's faculty meeting and we're not the only school with an Ethical Hacking class.
Ranking Members Waxman and DeGette Release Memo on Healthcare.gov Security
by Sabrina I. Pacifici on December 13, 2013
“Today Energy and Commerce Committee Ranking Member Henry A. Waxman and Oversight and Investigations Subcommittee Ranking Member Diana DeGette released a memo to Democratic Committee members regarding the security of Healthcare.gov. In a classified briefing two days ago, HHS officials revealed that there have been no successful security attacks on Healthcare.gov and that no person or group has maliciously accessed personally identifiable information from the site. The memo summarizes the non-classified portion of the briefing. HHS officials told members and staff that there have been a total of 32 Healthcare.gov Information Security Incidents.
Eleven incidents are under investigation. [So we don't know if they have been successful or not Bob]
Of the remaining events, three were classified as non-incidents; ['cause we can't identify a breach when we see it... Bob]
one was an attempted (but unsuccessful) scan of the system; [What were they scanning for? Bob]
two were classified as “inappropriate usage” in violation of acceptable computing use policies; [Most organizations would classify this as a breach, e.g., looking at Britney Spears' psych records. Bob]
and fifteen were classified as “unauthorized access” where an individual accidentally gained access to unauthorized information. [An accidental breach is still a breach Bob]
None of these events involved a significant breach of personal information. HHS officials indicated that they were conducting ongoing 24-7 system monitoring and ongoing assessments in order to ensure and strengthen system security. The memorandum is available online here.”
Are “cop cams” a good idea or not? Would you be suspicious if police turned off their cameras and later had to take an arrestee for medical treatment?
Andrew Staub reports:
The American Civil Liberties Union of Pennsylvania had hoped lawmakers would craft a statewide policy addressing many of the organization’s privacy concerns should an expanded wiretapping law allow police to use wearable cameras.
It doesn’t look like it will happen, even after the state House this week tweaked proposed legislation that would allow police to use recording devices attached to their uniforms, bike helmets or sunglasses.
Read more on PA Independent.
[From the article:
The amendment, put forward by state Rep. Dom Costa, D-Allegheny, made it abundantly clear that officers are not allowed to record while inside a person’s home — a point that some thought was somewhat ambiguous before. But the proposal still does not address when officers can turn the cameras on or off or how long police can keep footage on file.
Now, it looks like police surely will have broad discretion over the cameras should the legislation pass, said Andy Hoover, the ACLU’s legislative director.
… “It’s not a total lost cause,” Hoover said. “We can still get strong policies at the local level, and I have a feeling that activists at the local level will push hard to get good policies in place for the use of these cameras.” [Activists? Because legislatures don't know what to do? Bob]
… the push to amend the state’s wiretapping laws surfaced after the Pittsburgh Bureau of Police spent more than $100,000 on cameras. [I'll bet the money came from a DHS grant. “We can, therefore we must!” Bob]
What are the odds that cable boxes in the bedroom make the news sometime in the next year?
Cameras in Your Cable Box Watching You in Your Home Watching Television (See the Built in Camera & Microphone)
Rather than you watching television, it is they who are watching you! Verizon has recently patented a cable DVR box that will use audio and video to record and analyze what’s going on in your living room so that they can provide targeted ads in real time on the TV to suit what’s going on. Now, one reason may be advertising and marketing, but since they can listen and watch, just think: smile, you may be on candid camera!
Read more on Before It’s News.
Cameras, cameras, cameras. And now one of my favorite “You ain't got no privacy” groups, teachers! If students have encrypted their phones or photos, or even if they have just password protected them, would they be comfortable refusing to give up their passwords? If they felt intimidated, would that taint any evidence gathered? I see the possibility for too many bad scenarios here.
Drew Smith reports:
Avon authorities are investigating after they received reports of several Avon High School students who may have been exchanging nude pictures through cellphones and mobile devices.
Some students have been suspended and police said they are working with the school to determine what happened and if any laws were broken. Officials said the situation could result in criminal charges being filed against some students.
School officials seized more than a dozen mobile devices after a parent informed the administration that some of those devices could contain naked photos of female students. By law, the school had to turn over those electronic devices to law enforcement.
Read more on The Indy Channel.
Talk about blurring the line between home and school, though! Does it matter at all that the pictures may have been taken – or exchanged – while the students were not on school premises? I suspect some of the sharing went on during school hours or on school premises, but suppose it had all been off-campus? The school says that it is required by law to turn over the cellphones. I haven’t read the law, but does Indiana law really require schools to turn over devices that may have evidence of a crime if the crime did not occur at school or on school premises? Just wondering….
Would there be a market for this device? Probably not, who would want to be constantly twitching?
The New Armor That Lets You Sense Surveillance Cameras
We pass under surveillance cameras every day, appearing on perhaps hundreds of minutes of film. We rarely notice them. London-based artist James Bridle would like to remind us.
Bridle has created a wearable device he calls the “surveillance spaulder.” Inspired by the original spaulder—a piece of medieval plate armor that protected “the wearer from unexpected and unseen blows from above”—the surveillance spaulder alerts the wearer to similarly unseen, if electronic, attacks. Whenever its sensor detects the type of infrared lighting commonly used with surveillance cameras, it sends an electric signal to two “transcutaneous electrical nerve stimulation” pads, which causes the wearer to twitch.
That is: Whenever the spaulder detects a security camera, it makes your shoulder jump a little. You can see the spaulder in action in the video above.
Despite growing pushback from companies and powerful industry groups, the Federal Trade Commission continues to insist that it wants to be the nation’s enforcer of data security standards.
The FTC, over the past years, has gone after companies that have suffered data breaches, citing the authority granted to it under a section of the FTC Act that prohibits “unfair” and “deceptive” trade practices. The FTC extracted stiff penalties from some companies by arguing that their failure to properly protect customer data represented an unfair and deceptive trade practice.
On Thursday, FTC Chairwoman Edith Ramirez called for legislation that would bestow the agency with more formal authority to go after breached entities.
Read more on Computerworld.
For my students who don't want to listen to me...
Spotify Launches Free Mobile Service For All Tablets And Smartphones
Spotify just announced that anyone using iOS or Android tablets and smartphones can use their music streaming app for free. Earlier, only desktop and laptop users had access to an ad-supported but free version of Spotify. Tablet users can now also avail themselves of the same listening pleasure as desktop users…but again with ads.
Trust me, this won't confuse the NSA for a second.
One of the oldest forms of communication in the world is Morse Code, but it is being slowly edged out of existence by the advent of more advanced forms of communication such as the telephone and the Internet. If you are a Morse Code enthusiast, then Morse Node is a site where you can invite someone to your page, and then play Morse Code back to one another.
… According to Code.org, the organization that’s spearheaded this week’s push to teach more students computer science, over 13.7 million students have “learned an hour of code” this week.
… Chicago Public Schools says it will add computer science as a core subject, instead of an elective, in the city’s high schools.
… Timed with this week’s “Hour of Code,” Codecademy has launched an iOS app: Codecademy: Hour of Code.
… The Chronicle of Higher Education’s Jennifer Howard examines takedown notices that academics have been receiving from publisher Elsevier for articles – articles they’ve written – that they’ve uploaded to the research-sharing site Academia.edu. (Some scholars are getting takedown notices for posting their articles to their own blogs too.)
… Whose works will enter the public domain in 2014 (in those countries with a “life plus 70 years” copyright term)? Beatrix Potter, Sergei Rachmaninoff, and Fats Waller, among others. (Whose work will enter the public domain in the US? No one’s.)
… Fordham University has released a study on “Privacy and Cloud Computing in Public Schools.” Among the findings: “Districts surrender control of student information when using cloud services: fewer than 25% of the agreements specify the purpose for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice.” The study, it’s probably worth noting, was sponsored by Microsoft.
… “Smartphone Use Linked to Lower Grades,” reads the Inside Higher Ed headline of a study by Kent State University researchers published in the Computers in Human Behavior journal.