Wednesday, December 04, 2013
This is worth keeping in the “Hacker Folder”
Introducing “Have I been pwned?” – aggregating accounts across website breaches
… As I analysed various breaches I kept finding user accounts that were also disclosed in other attacks – people were having their accounts pwned over and over again. So I built this:
The site is now up and public at haveibeenpwned.com so let me share what it’s all about.
Just after the Adobe breach, a number of sites started popping up that let you search through the breach to see if your email address (and consequently your password), was leaked. For example there was this one by Ilias Ismanalijev, here’s another by Lucb1e and even LastPass got on the bandwagon with this one. When I used the tool to check my accounts, I found both my personal and work accounts contained in the breach. I had absolutely no idea why!
The most likely answer is that I did indeed create accounts on Adobe, perhaps as far back as in the days when I was using Dreamweaver to build classic ASP whilst it was still owned by Macromedia. The point is that these accounts had been floating around for so long that by the time a breach actually occurred I had no idea that my account had been compromised because the site was simply no longer on my radar.
But of course Adobe is not the only searchable breach online, there’s also one for Gawker, another for LinkedIn passwords (emails and usernames weren't disclosed) and so on and so forth. Problem is, there’s not a tool to search across multiple breaches, at least not that I’ve found which is why I’ve built haveibeenpwned.com:
This is worth telling your Computer Security managers about.
Report – Linux Worm Targeting Hidden Devices
“Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras. Although no attacks against these devices have been found in the wild, many users may not realize they are at risk, since they are unaware they own devices that run Linux. The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP ‘php-cgi’ Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the Proof of Concept (PoC) code released in late Oct 2013. Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures. Linux is the best known open source operating system and has been ported to various architectures. Linux not only runs on Intel-based computers, but also on small devices with different CPUs, such as home routers, set-top boxes, security cameras, and even industrial control systems. Some of these devices provide a Web-based user interface for settings or monitoring, such as Apache Web servers and PHP servers…”
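As an added illustration (not part of the Symantec report or of this blog), here is a small Python check a defender can run over web-server access logs to flag requests whose query string an unpatched php-cgi would have parsed as command-line switches, the CVE-2012-1823 condition the worm relies on. The log lines, client IPs and paths are constructed for the example; the page does not name the specific path the worm requests.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined"-style access log lines (sample data, not from the
# page); only the request line matters for the check below.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Dec/2013:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [04/Dec/2013:10:01:05 +0000] "GET /cgi-bin/php?-h HTTP/1.1" 200 2048 "-" "-"
203.0.113.9 - - [04/Dec/2013:10:01:09 +0000] "POST /cgi-bin/php-cgi?%2dd+display_errors%3dOn HTTP/1.1" 200 77 "-" "-"
203.0.113.9 - - [04/Dec/2013:10:01:12 +0000] "POST /cgi-bin/php?user=admin HTTP/1.1" 200 77 "-" "-"
203.0.113.10 - - [04/Dec/2013:10:01:20 +0000] "GET /search?-foo HTTP/1.1" 404 0 "-" "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def php_cgi_argv(raw_query):
    """Reconstruct the argv an unpatched php-cgi would build from a query string.

    CGI's "indexed query" rule: if the RAW query string contains no unencoded
    '=', it is split on '+' and each piece is percent-decoded into a
    command-line argument. A percent-encoded '=' (%3d) therefore does not
    switch the rule off, which is why the test runs on the raw string and the
    decoding happens per token afterwards.
    """
    if "=" in raw_query:
        return []
    return [unquote(part) for part in raw_query.split("+") if part]

def is_php_cgi_switch_injection(target):
    """True if the request target would hand php-cgi at least one '-x' option."""
    path, _, query = target.partition("?")
    if "php" not in path.rsplit("/", 1)[-1].lower():   # only PHP-handled paths
        return False
    return any(arg.startswith("-") for arg in php_cgi_argv(query))

def scan_access_log(text):
    """Return (client_ip, method, reconstructed argv) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_php_cgi_switch_injection(m["target"]):
            hits.append((m["ip"], m["method"], php_cgi_argv(m["target"].partition("?")[2])))
    return hits

if __name__ == "__main__":
    for ip, method, argv in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} php-cgi argv={argv}")
```

A hit means the request shape matches the bug, not that the host was vulnerable; the fix on the device side is the May 2012 PHP patch the report mentions, or not exposing php-cgi at all.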
So, some good is coming out of this mess?
How the Snowden leak is changing the tech landscape
… Leading technology firms including Google, Apple, Microsoft and Yahoo have been working to rebuild users' trust after the disclosure that the NSA can access information on their servers. For Google, this has involved announcing efforts to increase the encryption used for data travelling between the company's data centres, which the Washington Post revealed was being accessed by the NSA, as well as joining legal calls for the release of more government information at users' request.
Other technology startups have taken more drastic action. Lavabit, a secure email provider reportedly used by Edward Snowden, the NSA whistleblower, shut down after the government requested a back door into its systems. Another company, Silent Circle, closed its email service shortly afterwards.
(Related) But could we go too far? I see this as an argument based on weak assumptions. We do not need to know what a message contains to know that people who regularly email known terrorists have a connection to that terrorist. Failure to encrypt simply makes determining if our known terrorist is a leader or a follower or someone who regularly writes his mother much easier.
Adam Henschke writes:
Ex-National Security Agency (NSA) employee Edward Snowden’s various leaks – the most recent being a slide showing that the NSA infected 50,000 computer networks with remote-controlled spyware – confirm that state intelligence agencies around the world have been collecting and analysing people’s behaviour online for years.
Many people now feel that their online privacy and anonymity have been undermined – particularly as major service providers like Google, Facebook and Apple have been compromised. In response, some email service providers (such as Yahoo! last week) are now offering full encryption of users’ data.
While privacy is generally seen as morally desirable, the ethical issues surrounding encryption technologies require some closer investigation. In order to properly assess such things, we need to assess not just the claims but the moral foundations upon which they are based.
What, then, are the main moral justifications for encryption? What are the arguments against it? And finally, what responsibilities do encryption service providers owe their clients and the public at large?
Read more on Business Spectator.
Is it easy to draft a model bill? I doubt it, but it might make for an interesting thought exercise...
Benjamin Herold writes:
An influential legislative-advocacy group’s promotion of a model bill meant to protect the privacy of student data sends a strong signal that the hot-button issue will be debated in statehouses around the country in lawmakers’ 2014 sessions.
The template being provided to state lawmakers by the controversial American Legislative Exchange Council, known as ALEC, would require state school boards to appoint a “chief privacy officer,” create a data-security plan, publish an inventory of all student-level data being collected by the state, make sure that contracts with some vendors include privacy and security provisions, and ensure compliance with federal privacy laws.
Read more on Education Week, but the full article is behind a paywall.
...and in the US you worry about being fired.
North Korean leader's power broker uncle ousted: South Korea
North Korean leader Kim Jong-Un's uncle, seen as his nephew's political regent and one of the most powerful men in the country, has apparently been ousted and several associates executed, South Korea's spy agency said on Tuesday.
… If confirmed, Jang's ouster would mark the most significant purge at the top of North Korean leadership since Kim Jong-Un succeeded his late father Kim Jong-Il in December 2011.
According to the NIS, Jang was "recently ousted from his position and two of his close confidantes - Ri Yong-Ha and Jang Soo-Kil - were publicly executed in mid November", lawmaker Jung Cheong-Rae told reporters.
(Related) ...and here's how they do it in China.
20,000 Chinese officials penalized for being too bureaucratic
The Chinese government has punished over 20,000 officials in the country’s rural areas this year as part of the Communist Party’s nation-wide campaign, aimed at cutting down bureaucracy and excessive ceremony.
Perspective: They still have a bit of a way to go to overtake the dollar, but keep watching...
RMB now 2nd most used currency in trade finance, overtaking the Euro
News release: “Recent SWIFT data shows that RMB (Chinese Yuan) usage in traditional trade finance – Letters of Credit and Collections – grew from an activity share of 1.89% in January 2012 to 8.66% in October 2013, propelling the RMB to the second most used currency in this market. It ranks behind the USD, which remains the leading currency with a share of 81.08%. The RMB overtook the Euro, which dropped from 7.87% in January 2012 to 6.64% in October 2013 and is now in third place. The top 5 countries using RMB for trade finance in October 2013 were China, Hong Kong, Singapore, Germany and Australia. ‘The RMB is clearly a top currency for trade finance globally and even more so in Asia, as shown by SWIFT’s business intelligence statistics on the pace at which China’s exporters and importers and their counterparts use the RMB for Letters of Credit’, says Franck de Praetere, Head of Payments and Trade Markets, Asia Pacific, SWIFT. In October 2013, the RMB remained stable in its position as the #12 payments currency of the world, with a slightly decreased activity share of 0.84% compared to 0.86% in September 2013. Overall, RMB payments increased in value by 1.5% in October 2013, whilst the growth for all payments currencies was at 4.6%.”
I could click once and this entire blog would become a book. (There's an App for that) Would it be worth doing?
Papyralysis by Jacob Mikanowski
Are paper books becoming obsolete in the digital age, or poised to lead a new cultural renaissance?
November 14th, 2013
The following is a feature article from the inaugural issue of the LARB Quarterly Journal.
“WE’RE LIVING IN A WEIRD MOMENT. Everything has become archivable. Our devices produce a constant record of our actions, our movements, our thoughts. Forget memory: if we wanted to, we could reconstruct every aspect of a life with an iPhone and some hard drives. But at the same time, physical archives seem to be fading away. Once, they were supported by a whole ecology of objects and institutions, including prints, presses, notebooks, letters, diaries, manuscripts, and marginalia. Now, each of these is vanishing, one after another. Letters don’t get written. Handwriting’s been forgotten. Presses crumble. Paper molders. And everyone agrees: the book is next to go. Of course it won’t happen all at once. Maybe it isn’t even happening now. Digital books are increasingly popular — but paper books are more popular still. Publishing is a mess — unless you’re a giant multinational or a thriving independent. Readership is in decline — but that depends on what you think ought to be read. Paper is a frustrating anachronism — and our offices and homes are full of it. The clash of technologies that we’re living through is probably less a case of the silents vs. the talkies than of radio vs. TV. However popular e-readers become, paper books will still be able to carve out a space in their shadow, at least in the short term. But how long will the short term last? It used to be possible to imagine books disappearing in the distant future. Now it feels like even money that it’s going to happen within our lifetimes… For almost 2,000 years, a technology called the codex held a monopoly on the physical form of truth. The codex was made popular by members of the early Christian church, who gathered individual scrolls and letters between two covers, creating a bible. With time, the Christian book replaced the pagan scroll, and ever since, our relationship to the format has been tinged by a reverence that’s at once reflexive and frequently denied. 
The written word has long been held to be close to the sacred. Milton thought that books made better receptacles for human souls than bodies. Jews and Muslims in the Middle Ages refused to throw out any texts, lest they inadvertently destroy the name of G-d. Perhaps the purest expression of the idea that books are a form of life comes in the story told by the Mandeans, an Iraqi people who practice a gnostic religion. One of the Mandeans’ great sages was a creature named Dinanukht, who was half-book and half-man. He sat by the waters between worlds, reading himself until the end of time…”
For my wife, the “Power Shopper”
WindowShopper – instantly compare prices on any product on any site in the US, UK, Germany, France, Canada or Australia. WindowShopper will present products from more than 50,000 stores including Amazon, eBay, Best Buy, Newegg, Macys, Nordstrom, Overstock, Staples, Target, and Walmart. Our index covers over 200 million products in practically every product category.
I know people who look for people...
FREE EBOOK: Research Your Family Tree Online
Online, PDF, EPUB, Amazon. No password or registration required.
There is no such thing as “too much research.”
Video - How to Use Google Books for Research
Google Books can be a good research tool for students if they are aware of it and know how to use it. In the video below I provide a short overview of how to use Google Books for research. You can also find screenshots of the process here.