Matt McKeon made a great graphical display of how Facebook’s privacy has eroded to where there really is none now.
Wired writer Ryan Singel wrote recently about how Facebook has gone rogue and it is time for an open alternative.
It makes sense that another service would creep up. Myspace ate Friendster and was in turn eaten by Facebook which has eaten up just about everything. Now to build a service that can compete with Facebook and eat it in turn.
posted by holliday at 3:17 pm
There has been some discussion today around simple ways to thwart identity thieves, specifically with regard to your verification questions. Bruce Schneier mentions how Ally Bank wants its customers to make up their questions and answers. Slugsite brought an interesting idea to the table: just make up your answers to the static questions.
I think both are good ideas. We need a way to better identify who someone really is, especially when it comes to online banking.
posted by holliday at 1:13 pm
Bruce Schneier posted about Frank Furedi’s essay on Worst Case Thinking. The big takeaway is that fear is a powerful human emotion and is easily used to develop powerful images of what we imagine could go wrong, not what actually will go wrong.
posted by holliday at 9:57 am
A Russian/Chinese border crossing was closed down, stranding almost 2,000 Russians, because the automated system had been compromised by a virus. When 2,000 people have to spend a night unable to cross a border because there is no backup to the automated system, then we have already become slaves to our technology.
My first clue that we were slaves though came when I heard someone years ago say “I couldn’t live without my phone.” The revolution happened, we just were too busy staring at the flashing pictures on our internet devices to notice.
posted by holliday at 1:00 pm
A third-grader has been accused of hacking into his school system and changing passwords and other information. Luckily the police are not pressing charges here and are leaving it in the school district’s hands. My only hope is they see this as an opportunity to educate and promote the boy’s talents instead of punishing him. Most of the time when kids do these things it is because they are really smart, and really bored.
posted by holliday at 12:35 pm
Trying to catch up on all of the news that I have missed over the last week or so. It is interesting some of the things that are going down.
The Eleventh Circuit handed down a Fourth Amendment case, Rehberg v. Paulk, that eliminates 4th Amendment rights in email. If you had any glimmer of hope that your email was private before, you can just let that hope die now.
In other news, Myspace is selling your user data to third party companies. No real surprise there. It will be interesting to see how the analysis of the mood updates of Myspace’s millions of users will help decide what message is right for the masses at any given time.
posted by holliday at 9:31 am
This is quite possibly one of the funniest things I have seen in a while. The sad part is that it is an accurate portrayal of so many companies.
http://www.youtube.com/watch?v=VjfaCoA2sQk
posted by holliday at 10:19 am
When Google came out and said they had been hacked and that they had found that the hacks originated in China, it seemed that all they could find was one compromised machine in Taiwan. Now with help from the NSA they have traced the attacks back to IPs originating from two schools, Shanghai Jiaotong University and the Lanxiang Vocational School in China.
The evidence still doesn’t show who actually did the hacking, or if it even originated in China. Another country could even be using the school as a gateway to perform the attacks knowing that relations between China and America are strained. Of course, the fact that the US did so poorly in a recently simulated cyber attack doesn’t help matters either.
Then again, a school that Peng Yinan, one of the most prolific Chinese hackers, teaches at from time to time is a pretty likely candidate for an attack to come out of. It will be interesting to see if they can find any other evidence besides an IP.
posted by holliday at 11:09 am
A wily hacker in Russia thought it would be good fun to place a pornographic movie on the big screen along the city’s Garden Ring Road for any driver that needed a lesson in the Birds and the Bees to see. He was later arrested but explained his actions by stating he “originally wanted to stream the video on a commercial screen of a shopping mall in Moscow”, and didn’t imagine that “thousands of people would see the porn flick in the center of the city”.
posted by holliday at 1:53 pm
Recently, Brian Krebs has been posting a lot about companies losing money to hackers who have money mules transferring stolen funds all over the globe (mostly to Eastern Europe it seems). The hack is pretty simple. A user with a vulnerable endpoint gets hit with the Zeus Trojan or a variant by viewing a compromised site. The endpoint can then pass on the infection to other endpoints on the network. Once it infects an endpoint that accesses the company’s bank accounts the fun begins. The hackers set up many sub-$10,000 transfers to the mule accounts and then have the mules wire them the money.
Recently one infected machine at a Michigan insurance firm cost them $150,000. That is a lot of money to lose (they are working with their bank to recover it but that usually only ends poorly) for not having an up-to-date machine. One bad hack can make you realize that a good security setup is much cheaper in the long run.
The second part of the story that I found interesting is that the bank would use “two factor” authentication by having the customer enter their user name and password, and then answer a security question. The president of the insurance firm says “They had some very detailed information. [The thieves] knew our patterns, they knew our passwords, my mother’s middle name, favorite sports team. And this is all information I don’t even have written down anywhere.” So what he is saying is that it is impossible to find out his mother’s middle name online by doing a quick search? Or that he hasn’t worn a jersey of his favorite sports team in some picture that has been tagged with his name on Facebook? And that is assuming that the hackers even entered that information. The bank says they see someone enter it, but it could be from a compromised machine with someone legitimately logging in and the hackers just piggybacking.
Hackers don’t play these elaborate bank heists that require years of training and some elite knowledge that only they possess. They just wait until some lazy user goes to a compromised web site and gets infected with their Trojan. Then it is game, set and match.
posted by holliday at 4:19 pm
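The transfer pattern described in the post above (one business account sending a burst of sub-$10,000 payments to several payees it has never paid before) is something a bank or finance team can alert on. This is an added example, not part of the original post; the time window, the payee-count threshold, and all account names and transfers are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000             # the "sub $10,000" ceiling described in the post
WINDOW = timedelta(hours=24)   # assumption: how long a payee counts as "new"
MIN_NEW_PAYEES = 3             # assumption: distinct new payees before alerting

def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data: (time, source account, payee, amount in dollars)
TRANSFERS = [
    (t("2010-02-01 09:00"), "ACME-OPS", "payroll-svc", 8500),  # established payee
    (t("2010-02-03 10:02"), "ACME-OPS", "payee-a", 9800),
    (t("2010-02-03 10:05"), "ACME-OPS", "payee-b", 9700),
    (t("2010-02-03 10:09"), "ACME-OPS", "payee-c", 9900),
    (t("2010-02-03 10:15"), "ACME-OPS", "payee-a", 9600),
    (t("2010-02-03 11:00"), "SHOP-1", "supplier-x", 4200),     # one new payee only
]
KNOWN_PAYEES = {"ACME-OPS": {"payroll-svc"}}

def flag_bursts(transfers, known_payees):
    """Return {account: (new payees, total sent)} for accounts that pay
    MIN_NEW_PAYEES or more recently added payees below THRESHOLD in WINDOW."""
    first_seen = defaultdict(dict)
    for acct, payees in known_payees.items():
        for p in payees:
            first_seen[acct][p] = datetime.min   # established long ago
    recent = defaultdict(list)                   # account -> suspicious transfers
    alerts = {}
    for ts, acct, payee, amount in sorted(transfers):
        seen_at = first_seen[acct].setdefault(payee, ts)
        # Ignore large transfers (reviewed elsewhere) and established payees.
        if amount >= THRESHOLD or ts - seen_at > WINDOW:
            continue
        recent[acct] = [r for r in recent[acct] if ts - r[0] <= WINDOW]
        recent[acct].append((ts, payee, amount))
        payees = sorted({p for _, p, _ in recent[acct]})
        if len(payees) >= MIN_NEW_PAYEES:
            alerts[acct] = (payees, sum(a for _, _, a in recent[acct]))
    return alerts

if __name__ == "__main__":
    for acct, (payees, total) in flag_bursts(TRANSFERS, KNOWN_PAYEES).items():
        print(f"ALERT {acct}: ${total} to new payees {payees}")
```

The check keys on payee novelty rather than on who logged in, so it still fires when the session comes from a legitimately authenticated but infected machine.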