
Thomas Brewster

Can you get Fortune 500 data using typos?

Monday, September 12th, 2011

Stealing data is so flipping simple. There are so many ways to do it as well, not just through infecting machines with pernicious malware either.

As many simpleminded creeps have noted, buying up domains similar to big name companies and adding little typos into those domains can bring in that valuable data. People send emails to these domains – possible examples being Gookgle.com or Fleecebook.com – not realising they could be posting their data to the wrong people. Sometimes these people will be naughty boys and girls.

This is known as typosquatting. It’s a simple trick, but seemingly a rather effective one too. Surely you can’t get hold of actually valuable data with this technique though, right? Wrong.

Over six months, two researchers, Peter Kim and Garrett Gee, managed to acquire a hoard of interesting data simply by buying up 30 internet domains that differed from those of Fortune 500 companies by a spelling mistake or two.

They received 120,000 emails during that time. These included rather important things like passwords for an IT company’s external Cisco routers, as well as VPN details and passwords for a system managing road tollways.

There are more worrying consequences as well. By performing a remarkably simplified version of a man-in-the-middle attack, the researchers could have forwarded each misdirected email on to the intended company with the return address changed to one of their own, so that the reply came back through them too. Just as in any standard MITM attack, they would be the silent middlemen watching over interactions between two parties who believe they are talking in private.

Is there much a company can do to solve this? On the sender’s behalf, simply getting the spelling right might help. As for companies who don’t want their name used in vain, buying up similar domains to their own is a good start. Of course, that requires time and money – something many of us are short on.

So encryption is the key (puntastic!). Encrypt all sensitive data being sent over emails. Simple advice that is so often not taken.
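The sender-side fix the post mentions, getting the spelling right, can be automated at an outbound mail gateway. The script below is an added example, not code from the post or from the researchers it describes: it assumes an organisation keeps an allowlist of its own and its partners' mail domains, and it flags any recipient whose domain is one edit (including a swapped pair of letters, the classic "exmaple") away from a trusted domain without being one. The allowlist and the addresses are constructed sample data.

```python
"""Outbound-mail recipient check against look-alike domains.

Added example (not code from the post or from the researchers it
describes). Assumes an allowlist of trusted mail domains and a gateway
that can call check_recipients() before a message leaves. The sample
data at the bottom is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or
    swap two adjacent characters. Counts 'exmaple' vs 'example' as 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


@dataclass
class Finding:
    recipient: str   # full address that was flagged
    looks_like: str  # trusted domain it resembles
    distance: int    # number of edits between the two domains


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('user@Host.' -> 'host')."""
    _local, sep, domain = address.rpartition("@")
    if not sep:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.strip().lower().rstrip(".")


def check_recipients(recipients: Iterable[str], trusted_domains: Iterable[str],
                     max_distance: int = 1) -> List[Finding]:
    """Return a Finding for every recipient whose domain is near a trusted
    domain but is not one. Exact matches and unrelated domains pass."""
    trusted = {t.lower() for t in trusted_domains}
    findings: List[Finding] = []
    for addr in recipients:
        dom = domain_of(addr)
        if dom in trusted:          # correctly spelled trusted domain
            continue
        for t in sorted(trusted):
            dist = osa_distance(dom, t)
            if dist <= max_distance:
                findings.append(Finding(addr, t, dist))
                break
    return findings


if __name__ == "__main__":
    # Constructed allowlist and outbound recipients, for illustration only.
    TRUSTED = ["example.com", "partner-corp.co.uk"]
    OUTBOUND = ["alice@exmaple.com", "bob@example.com", "carol@gmail.com"]
    for f in check_recipients(OUTBOUND, TRUSTED):
        print(f"WARN {f.recipient}: domain is {f.distance} edit(s) "
              f"from trusted domain {f.looks_like}")
```

Only near misses of trusted domains are flagged, so ordinary external mail is untouched; a gateway would typically hold the message and ask the sender to confirm rather than silently block it, since the occasional legitimate domain will sit one edit away from a partner's.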


Posted in: Security


TfL late to bus timetable app, just like our buses

Wednesday, September 7th, 2011

In a bid to save money and regain a little of my moribund fitness, I decided to start walking to work earlier this year. But yesterday, as the rain returned to batter Londoners’ hopes of an Indian summer, I took to the bus.

This is something I reserve for days of truly inclement weather, and yesterday reminded me how much I loathe getting on UK public transport.

The whole process may be improved with a TfL app though, which will soon tell me when my bus is due. Having just tested out the beta version, which appears to be working rather well, it should at least not leave me in the lurch in terms of having a modicum of knowledge about when to actually vacate my flat.

As pointed out by my editor though, the bus arrival notifications at many bus stops in London are far from accurate. For those who’ve been promised a bus is due by those machines watching over their waiting, only to be left standing another five minutes staring desolately into the rain spattered road wondering how things got so bad, you know what I’m talking about. This app appears to offer little more. Look, even the ‘Countdown’ test page has a picture of one such ‘timetable update’ machine included on it:

[Image: BusTimetable]

It seems the timetable data will be based on “bus departure predictions” although there is a promise of “real-time departure information” on the service’s corporate page. Will it really be real-time? I’m dubious. It’s just a web version of the already unreliable bus stop countdown machines, isn’t it?

Can’t we track every bus and then see exactly where it is via an app? That way we’d really know when the bus was coming. Given our movements are apparently followed by tech companies and Governments alike, surely this wouldn’t be too much of a stretch. Finally, a positive side to tracking software. Huzzah!

But it doesn’t appear that will be the case. Furthermore, having read around the development of this app, it appears TfL is rather late to the game, just like our buses so often are. Scots in Edinburgh and Finns in erm… Finland have grown used to such services already, according to the Guardian.

Oh and if you want to use the text service, you can expect to pay the standard rate for each message. So that’s more money down the (already-flooded) drain if you want to be organised… or avoid the atrocious English weather.

Posted in: Random


Ich hasse Facebook!

Monday, August 22nd, 2011

OK, I don’t really hate Facebook. Like most people my age, I waste countless hours of my life perusing other people’s updates, looking on, green with envy, at the exciting things everyone is purportedly doing and smiling about so earnestly.

It’s just my German language skills are fairly poor, if non-existent. I was simply trying to find something suitable to accompany a blog on the Facebook Like button being deemed as illegal by a data protection official in Germany. I think I did alright.

If the story sounds fairly ridiculous, that’s because it is. The Like button, which can be found all over the web like some highly contagious blue and white rash, has been declared in violation of privacy laws in Germany. The reason? Thilo Weichert, a data protection official for the northern German state of Schleswig-Holstein, said it meant users were more at risk of being tracked if they used the button to show their appreciation, according to reports.

Does this not mean that any website using cookies is breaking the law in Germany? That’s what Weichert appears to be getting at. It seems fairly myopic to say Facebook is at fault here when countless other websites will be running cookies doing exactly the same thing.

Germany is known for having privacy laws as strong as Superman on steroids, but this is just silly. The irony, of course, is that Weichert wants people to stop using the Like button without asking them first. Whilst trying to protect civil liberties, he is also taking them away.

It makes me feel a tad queasy but Germany might want to follow the British model (I don’t say that too often): force companies to offer an opt-out option for cookies. It’s such a simple idea it feels like it should have been around since the dawn of the internet – like, erm, Facebook.

As for Zuckerberg and Co, they don’t think they’ve done anything wrong.

“We firmly reject any assertion that Facebook is not compliant with EU data protection standards. The Facebook Like button is such a popular feature because people have complete control over how their information is shared through it,” a spokesperson said. “For more than a year, the plugin has brought value to many businesses and individuals every day.”

Personally, I have qualms over whether users have complete control of their data on Facebook. Then again, how much control do any of us have over our information, wherever it resides? Very little, is the answer. It’s out of control, I tells ya!


Posted in: Security


Man does impossible! Multitasks with two phones and car!

Tuesday, August 16th, 2011

There is a belief men can’t multitask – that is the domain of the opposite sex. Yet that idea has been completely blown out of the water by a genius/wizard/possible necromancer, who managed to juggle three tasks at once whilst hurtling along a major UK road.

Unemployed David Secker achieved the feat by simultaneously operating two mobile phones (one for calling, another for texting) whilst hurtling along the 70mph A47. How was he controlling the steering wheel? With his knees. Pretty awesome, huh?

Once he was pulled over, Secker wasn’t going to let the men in blue stop him from chatting away. The officers had to wait until he was done talking before they could start to ask questions, according to the BBC. Yeah, stick it to the man!

Shockingly, despite Secker’s impressive stunt, the authorities chose to ban him from driving for an entire year. No doubt the country’s roads will miss his antics, although a circus career may beckon. Don’t be surprised if Mensa get in touch with him either.

One has to wonder, is this just another attack on people who enjoy testing their driving skills to the limit? What next? Telling Clarkson he can’t say offensive things on telly when speeding around the English countryside?

Or should we respect the law and, I don’t know, other people’s lives? Should people let go of their mobile when in their car and possibly forego mundane tasks such as passing on a friend’s mobile number until they get home? The latter. Obviously, the latter. No matter how important a call might seem, be it personal or business, people’s lives are far more valuable.


Posted in: Random


Why Microsoft was right to apologise for Amy Winehouse tweet

Tuesday, July 26th, 2011

There have been some pretty egregious moves by media and PR organisations recently, taking advantage of tragedies for their own gain.

Microsoft has come under heavy fire for a tweet following the death of Amy Winehouse. The Redmond firm’s tweetbox360 Twitter account posted a message recommending people pay tribute to Winehouse by purchasing the singer’s masterpiece ‘Back to Black’ via Microsoft’s online store Zune.

Yes, it was cynical. All Microsoft had to do was leave out the reference to Zune and it would have been fine. People can buy the album from anywhere after all – in my view they should get it from an actual record shop (remember real things? They still exist apparently). Some have jumped to the company’s defence, but Microsoft didn’t need to promote Zune in that context and shouldn’t have done, so it was right to say sorry for that reason alone.

Microsoft wasn’t the worst offender, though. At least its tweet contained a modicum of sensitivity. It was promoting the music of Winehouse – what she should be remembered for.

Numerous others have chosen to capitalise on the singer’s death, but in slightly more subtle ways. Security companies, for instance, have ironically/hypocritically posted numerous warnings about scammers posting messages on Facebook and Twitter to dupe users. Their aim is to have journalists back their warnings with articles, in turn getting their business coverage. Good writers don’t cave, of course.

Others have been far less surreptitious, the worst being The Huffington Post, which decided to publish an article on how businesses could learn from the tragedy. The writer, Tricia Fox, chose to compare the life of Winehouse to the life of a business. I’ll leave you to spurt out a few curses in disbelief.

These brazen acts of idiocy came after some fairly appalling ‘reporting’ of the killings in Norway, where various ‘news organisations’ assumed the perpetrator was carrying out the atrocities in support of the Islamic faith. But as one considerably more erudite journalist noted, the horrible events in Norway were of a European nature, derived from European ghosts (read Charlie Brooker’s piece here for a more incisive look at the reporting of the Norway tragedy).

During a time when the reputation of media bodies is taking a battering, you would have thought journalists hoping to sell stories to death-hungry civilians, as well as companies looking to promote their brand to writers, would have taken it easy.

But no, death has become a commodity. It is there to be bought and sold. Fox highlighted the fact perfectly in her comparison.

How have we reached this point? I’d cite the end of the Second World War as a turning point. It’s my personal belief that through the rise of mass media and technology, we have objectified death. We have almost crystallised it, wrenched it from ourselves and turned it into an invisible substance, a thing of commercial value.

Death is no longer such a spiritual thing, it is no longer something to be explored within oneself. Compare the Egyptian Book of the Dead to what most people read today and the case is made. Once, the journey to death was something to be taken with the utmost seriousness – contemplation of it was almost the purpose of life itself. Now, death’s meaning has been eroded away, its core has faded, it is something to report on and then make money from.

So, every other company along with Microsoft, be they media firms, technology vendors or indeed anyone who has contributed to the problem of death objectification, should be sorry too.

Maybe we should all be sorry… we’re the ones who buy into it after all.


Posted in: Misc


Two years until Google+ hits 500 million?

Wednesday, July 13th, 2011

Remember that pivotal moment in The Social Network when Facebook holds a little party to celebrate hitting 500 million users? If you haven’t seen the film, it’s likely you would have been slapped in the face repeatedly by the slew of stories focusing on the milestone anyway.

Now, if current estimates are on the money, then Larry Page and his minions will be holding a similar shindig in the not too distant future for their Google+ venture. In two weeks, the service has amassed 10 million users, according to an estimate which claimed Google+ membership would surpass that figure today.

Extrapolate that figure in a very straightforward way, and it’ll be less than two years (approximately 20 months) until Google hits the 500 million mark. It took Facebook six years to get there.

My maths here is admittedly pretty lax (even the above estimates from Paul Allen are somewhat flawed, as the man himself admitted). For instance, it doesn’t take into account any withering of excitement around Google+ or the fact that registration is only by invite at the minute. So the eventual date could be a year or so either side of mid-2013.

Nevertheless, it’s startling how quickly the enterprise has gathered momentum. Already it has attracted a host of plaudits with some (a little lazily and unsurprisingly) labelling it a Facebook killer.

Just a few weeks ago it seemed as though Facebook was the only social network that mattered and it would remain so until the final days on earth, so indomitable did Mark Zuckerberg’s company seem.

But as with any major move it makes, Google has shaken things up. It did it in the search space when it first started, it did it with its cloud-based productivity tools and it did it in the mobile space with Android. The Mountain View company has tried to do it with social networking before, but never has it received such instantaneous and widespread approval of such a venture.

Android left others staring on in amazement, drool hanging from their gaping jaws, as it made its way to the top of the smartphone OS pile, trampling on the woebegone faces of Apple’s iOS and Symbian along the way. So don’t be surprised to see Google+ do something similar and overtake Facebook in terms of membership numbers in the not too distant future.

Facebook has reportedly been losing users too. So the timing and the product itself appear to be just right for Google to become the king of yet another market in the tech world.

Whether you like it or not, Google wants to, and will be, a part of your everyday digital lives.

Lockheed Martin shows how to deal with attacks… or does it?

Tuesday, May 31st, 2011

The way in which the world’s biggest aerospace company, Lockheed Martin, dealt with attacks on its network was more than admirable.

That might be your first impression anyway – it was mine when I read the official statement from the Pentagon’s number one arms manufacturer.

It was this line from the official statement that had me convinced for about 10 seconds: “The company’s information security team detected the attack almost immediately, and took aggressive actions to protect all systems and data. As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised.”

This all makes it sound like the hack was fairly inconsequential. Perhaps it was.

But of course, when it comes to data breaches, nothing is that simple. Reports have suggested Lockheed was hit by hackers using duplicates of EMC’s RSA SecurID tokens – you know, the ones which were stolen in a separate hack attack recently?

Only now has the company moved to replace all SecurID tokens. As noted by Rick Moy, president and CEO of NSS Labs, “Lockheed had slightly over two months from the time that EMC notified them and other RSA SecurID customers about their breach.”

“Based upon their remediation actions for this breach, Lockheed Martin’s senior executives chose to do very little about the compromised SecurID token technology in spite of many warnings issued by security specialists about the potential aftereffects of the RSA attack,” Moy continued in his own blog post.

And that’s the real issue here – if Lockheed didn’t replace the tokens, why not? It was huge news at the time and given the warnings put out by various people within the security industry, you would’ve thought they’d act. It seems a little myopic… in fact it’s almost beyond belief if it really didn’t act on the RSA breach whatsoever.

Perhaps Lockheed didn’t consider it enough of a problem, or maybe RSA wasn’t strong enough in its own warnings. Whatever happened, it just goes to show, organisations need to protect against any potential threat they are aware of. Hopefully this event will act as a signal to others to do something about their SecurID tokens if they haven’t done so already.

Otherwise they could end up with the proverbial egg on their face, especially if they’re a high profile firm that does an important job like, oh I don’t know, making fighter jets for one of the most powerful nations on earth.

Grandmother convicted for illegal filesharing? Really?

Thursday, May 12th, 2011

You’d have thought copyright enforcers couldn’t upset their enemies much more, but this week saw a nurse and grandmother from Ayr become the first person living in Scotland to be convicted for illegal music sharing.

Anne Muir, 58, a grandmother of eight, is due to be sentenced later this month after admitting to distributing £54,000 worth of copyrighted music files over a P2P app.

Not only is Muir an elderly woman, it appears she has serious mental health problems too. Muir’s lawyer Lorenzo Alonzi told the BBC his client had used the P2P network to help with self-esteem issues after suffering from depression.

“She has, for many years, suffered from bouts of depression, which causes her to have extremely low self-esteem,” Alonzi said. “Learning this new technology and picking up new skills gave her self-esteem a boost.”

If what Alonzi says is true, it’s a sad day for the UK legal system. It seems clear Muir broke the law, but do we as a nation not make allowances when it comes to vulnerable people? What if the activity they are doing makes their lives that little bit better, dragging them out of the mire they live in day in, day out?

How significantly the copyright holders were actually harmed by Muir’s actions is not totally clear, but no doubt these proceedings will have had an irrevocably damaging impact on Muir’s wellbeing. So I ask you, what is more important, the life of a person with mental health issues, or respecting copyright law?

Peter Bradwell, campaigner at Open Rights Group, was unsurprisingly unsettled by Muir’s conviction, and it’s hard not to agree with his sentiments.

“Anne Muir is a grandmother and a nurse who has stolen nothing and has made no money from her activity,” Bradwell said. “It is not clear the music industry has lost any money as a consequence. She is now facing a fine of thousands of pounds and is being labelled a criminal. What she has done is no worse than a teenager hoarding cassettes. This case is a waste of public resources, arbitrary and disproportionate.”

As for the BPI (British Recorded Music Industry) and IFPI (International Federation for the Phonographic Industry) who pursued the case in the first place, they may want to watch out for a response from hacktivist groups. It would come as no surprise if both come into Anonymous’ crosshairs thanks to the Muir case.

Now – and this goes for any company – do not invite trouble to your doorstep, especially when there may be no need. Just look at what happened to HBGary.

Sophos vs. Facebook – The security war continues

Monday, April 18th, 2011

Facebook must be getting a little bit peeved by Sophos’ continual hounding of its security policies.

The ubiquitous Graham Cluley has been banging on about the social networking site’s privacy flaws for some time, as well as posting numerous blogs about what scams are spreading across Facebook every week.

So either Facebook is just ignoring Sophos, pleased with the way it protects members’ data, or it is blanking Cluley and Co afraid it will get shown up by a smallish security firm (Sophos doesn’t rank in the top five for security software license sales in Western Europe).

Today though, Sophos stepped up its campaign, issuing an open letter calling on Facebook to enforce some security changes.

In particular, Sophos wants “privacy by default” to make data sharing optional for users. The security firm also asked for an improved app vetting process (walled garden approach anyone?) and HTTPS for everything on the site.

“The Sophos three-point plan would turn Facebook into the good guys and also be a real safety step-up for its 500 million users,” Cluley said.

“Facebook is popular and successful and is not going away. So it is essential that Facebook takes proper care of its users by making their security and privacy a top priority.”

It’s hard not to agree with Cluley here. Why is Facebook taking risks by not implementing simple measures such as HTTPS? Is it just so the site runs a little faster? You’d really hope not.

You’d also hope Facebook isn’t pandering to shareholders too much. From an investor perspective, the more available data there is, the more money can be made by everyone – from businesses to cyber criminals. Not having strong default privacy settings simply makes more business sense, albeit at greater risk of being punished by regulators at some stage.

Thankfully, Zuckerberg comes across as a man who won’t be swayed by external sources. If anyone is taking the site anywhere, it’s him.

Then again, we may have just been fooled by the media portrayal of the man himself. The Social Network did a fine job in presenting the billionaire as something of a megalomaniac, but what if the film was wrong? What if the CEO is just as susceptible as the next man to the charms of more money?

If Facebook becomes the lapdog of big corporations and uncaring advertisers, then user data will truly be under threat. Not only would big businesses have control of our information as they sell it off for big bucks and further tighten their grip on the Web 2.0 world, they’d most likely restrict enforcement of security controls seen as barriers to revenue gains.

This dystopian scenario looks unlikely in the near term. To keep it at bay for good though, we’ll need constant campaigns similar to the Sophos one to keep Facebook in check. It is, after all, a service for users, by users. Let’s keep it that way Zuckerberg.

Posted in: Random


What’s for lunch? Vulnerable people…

Monday, April 11th, 2011

This is how I imagine a recent conversation at Leicester City Council went:

“Good weekend?” asks one worker.

“Not bad. Gutted to see the Foxes lose again, but good game nonetheless,” says the other.

“Tell me about it. What’s in your trusty lunch bag today?”

“Well, Walkers crisps… obviously. A cheese cob [otherwise known as a roll], another pack of Walkers and… hey what’s this?”

“Looks like a memory stick, mate. Not sure it’s a good idea to eat that… although it could be nice with some houmous. Also, wasn’t there some email asking about one of those recently?”

“Hmmm maybe. Boss said something about vulnerable people and data but I’m sure it wasn’t that important. I’ll just chuck it – no one cares about these things anyway, do they?”

“I wouldn’t do that. Just looking at an email now… says there might be an investigation from the ICO, whatever that is.”

“Alright, I’ll go and speak to the boss. Just after I’ve downloaded some odd looking file attached to this email from Nigeria…”

This never happened, of course. And I’m sure workers generally aren’t that careless. But the fact that data on thousands of vulnerable people was lost by Leicester City Council and then reportedly found in a worker’s lunch bag beggars belief.

Thankfully for the local authority, it seems the data on the drive was not accessed while it was missing, but this fails to make up for the fact the council handled sensitive information with such apparent carelessness. Surely better practices were needed to protect the vulnerable citizens of the city.

The ICO is due to investigate and it’ll be interesting to see what the body does. In the past, the ICO has often avoided handing out fines, favouring the education route over stronger punitive measures.

This case could prove to be different, however, given the number of people affected and the kinds of data involved, namely medical information and keysafe codes. That is some important stuff to be playing around with.

Surely it’s time for the ICO to show it has teeth again and prove to organisations they cannot get away with lax practices.
