Jan 04
Here’s an interesting twist on the old Internet Pharmacy scam… we’ve all gotten those emails offering to sell us various pharmaceutical products without the need for a pesky prescription. Now, I’m assuming that all of the readers of this blog are smart enough to keep their credit cards in their wallets and hit delete. However, there are apparently enough dimbulbs out there to keep these guys in business. They order the pills and get… real drugs? expired drugs? fake drugs? Who knows?
Well, the scammers have come up with a new way to extract further profits from the stupid… according to a news release from the US FDA, version 2.0 of the scam now comes with a twist. After taking an order for Rx-free drugs, the scammers apparently come back for a second round – they call the purchaser posing as FDA agents or other law enforcement types and threaten the mark with fines, arrest, deportation, property searches and the like. The “agents” then tell their victims to provide a credit card or wire transfer the money to pay their fines and avoid further trouble. The first purchase has already handed the crooks a name, address, phone number and card number, so the follow-up call is easy to make convincing.
This is the kind of thing that makes me wish I was unafflicted by a conscience… seems a lot easier than working for a living…
Tagged with: scams
Dec 22

We shall bring the Great Satan to its knees... kill Twitter! Bwah hah hah!
As you know, the entire world was paralyzed a few days ago when Iranian hackers took down Twitter. Rather than finding out what their friends were having for dinner, people logging in to the web site got a message from one third of the axis of evil which proved that the level of English language instruction in Iranian schools is still better than that of most US public schools.
Now that we have begun the long road of recovery from this truly global tragedy, it is important to see what security lessons we can learn from it. It seems that the attack was pretty simple – the minions of Khomeini simply logged in to the account at the DNS provider that translates “www.twitter.com” into the numeric IP address of Twitter’s servers and changed the records so that the name resolved to a server of their own, which hosted the replacement home page. Twitter’s web servers kept running untouched; anyone who looked up the name was simply sent somewhere else. The attackers used valid credentials, which were probably filched from a compromised email account or a document swiped from Twitter servers. The lesson here? Guard those user names and passwords, don’t use the same password for all of your accounts, and remember that the login to your DNS provider or registrar deserves at least as much protection as the servers it points to!
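A check that would have caught this kind of hijack from the outside, as an added example that is not part of the original post: it parses a DNS response in wire format and compares the A records for a hostname against the addresses the operator knows are legitimate. The response bytes, the hostname www.example.com and the expected IP set are constructed for the example; in production you would feed it answers pulled from several public resolvers on a schedule and page someone when the list comes back non-empty.

```python
"""Compare the A records a resolver hands out with the addresses you expect.

Added example, not code from the original post. The incident described above
changed records at the DNS provider, so the name resolved to an attacker's
server while Twitter's own machines ran untouched. A periodic check like this
one alarms when the answer for a name drifts away from the operator's list.
The response bytes, hostname and expected set below are constructed.
"""
import struct
from typing import List, Set, Tuple

TYPE_A = 1
CLASS_IN = 1


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            hops += 1
            if hops > 32:
                raise ValueError("pointer loop in DNS name")
            continue
        if length == 0:                       # root label terminates the name
            offset += 1
            if not jumped:
                end = offset
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def a_records(msg: bytes) -> List[Tuple[str, str, int]]:
    """Return (name, ipv4, ttl) for every A record in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qdcount):                  # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                           # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


def check_answer(msg: bytes, hostname: str, expected_ips: Set[str]) -> List[str]:
    """Return the addresses answered for `hostname` that are NOT on the
    expected list. Empty means the answer matches what the operator published;
    anything else is a possible hijack (or a record change nobody told you about)."""
    return [ip for name, ip, _ in a_records(msg)
            if name.lower() == hostname.lower() and ip not in expected_ips]


def _build_response(hostname: str, ips: List[str]) -> bytes:
    """Construct a minimal DNS response, for the example only."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in hostname.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = qname + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        # name field is a pointer back to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    return header + question + answers


# Constructed data: the operator's allowlist and two captured answers.
EXPECTED = {"192.0.2.10", "192.0.2.11"}
GOOD_ANSWER = _build_response("www.example.com", ["192.0.2.10"])
HIJACKED_ANSWER = _build_response("www.example.com", ["198.51.100.7"])

if __name__ == "__main__":
    print("good:", check_answer(GOOD_ANSWER, "www.example.com", EXPECTED))
    print("hijacked:", check_answer(HIJACKED_ANSWER, "www.example.com", EXPECTED))
```

The check is deliberately dumb: it trusts nothing about the answer beyond the bytes, so it also fires on a legitimate but unannounced IP change, which is exactly the kind of thing you want a human to look at.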
I know… passwords are a real pain in the ass and trying to remember a different password for each site is just about impossible. However, I have found an answer to this issue… LastPass is a web site and browser add-in which stores an encrypted copy of your passwords “in the cloud” and can automagically log you in to web sites via its browser extensions for Firefox, IE, Safari and Chrome. When you start your browser, you type in one master password to decrypt the password file and you are set to go; that one password is the whole ballgame, so make it a good one. You can turn on two-factor authentication for logins from untrusted machines to further secure your precious passwords. Check out this series of screencasts for more information on how the system works.
I have been using LastPass for a while now and have found it to be a breeze to use. Basic service is free; by paying $12 per year, you can get access to a bunch of premium features, which provide access on mobile devices like the iPhone, Blackberry and Android based phones.
The main question is… are these guys trustworthy? My research says yes… intercepting the data between my computer and LastPass showed no evidence of funny business – and the vendor even tells you how to conduct your own test in their FAQ.
I’m using LastPass, and I’m prettay, prettay paranoid..
Dec 22
OK, before I get started with this blog entry, I want to be up front with you. I have become a cliche… I am writing this from Starbucks whilst sipping a cafe mocha and leeching off their free ‘lectricity. I have truly become one of those stereotype bloggers. Shoot me now. Anyway, on with the post…
It seems that the German government is getting together with ISPs to set up a help line for citizens whose PCs are infected with malware. The ISPs will watch network traffic for signs of communications between zombie computers and their evil controllers. When the ISPs detect malware activity, they will direct users to a website with instructions on getting their computers free of viruses, worms, back doors and the like. For users who need additional help, 40 government employees will staff a call center dedicated to helping out. (This truly sounds like a job from hell…).
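What the ISP side of that scheme looks like in miniature, as an added example that is not code from the original post or from the German programme: a detector that runs over flow records and flags subscriber hosts on two signals, contact with an address on a known-controller indicator list, and regular “beaconing” (many connections to one destination at near-constant intervals), which is how bots check in with a controller the list has not caught up with yet. The flow log format, the indicator addresses and every line in the sample log are constructed for the example.

```python
"""Flag subscriber hosts whose traffic looks like bot-to-controller traffic.

Added example, not code from the original post or the programme it describes.
Two signals: (1) a destination on a known-C2 indicator list and (2) regular
beaconing to a single destination. Log format, indicator addresses and the
sample flows are constructed (RFC 5737 documentation ranges, not real C2).
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set

# Constructed indicator list, assumed to come from a threat-intel feed.
KNOWN_C2: Set[str] = {"203.0.113.45", "198.51.100.9"}

# Constructed flow log: "<epoch> <src> <dst> <dport> <bytes>"
FLOW_LOG = """\
1261000000 10.0.0.5 203.0.113.45 443 612
1261000007 10.0.0.6 192.0.2.200 80 2048
1261000060 10.0.0.5 203.0.113.45 443 590
1261000000 10.0.0.9 192.0.2.77 8080 310
1261000300 10.0.0.9 192.0.2.77 8080 305
1261000600 10.0.0.9 192.0.2.77 8080 312
1261000900 10.0.0.9 192.0.2.77 8080 308
1261001200 10.0.0.9 192.0.2.77 8080 311
1261000010 10.0.0.6 192.0.2.200 80 1800
1261000500 10.0.0.6 192.0.2.200 443 9000
1261003000 10.0.0.6 192.0.2.200 80 2100
"""


def parse_flows(text: str) -> List[dict]:
    """Parse flow lines; malformed lines are skipped rather than crashing the detector."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def indicator_hits(flows: List[dict], indicators: Set[str]) -> Dict[str, Set[str]]:
    """Map each internal host to the indicator addresses it contacted."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f["dst"] in indicators:
            hits[f["src"]].add(f["dst"])
    return dict(hits)


def beacon_hits(flows: List[dict], min_conns: int = 5,
                max_jitter: float = 0.1) -> Dict[str, Set[str]]:
    """Map each internal host to destinations it contacts at regular intervals.
    A (src, dst) pair is a beacon candidate when it has at least `min_conns`
    flows and the gaps between them vary by less than `max_jitter` of the mean gap."""
    by_pair: Dict[tuple, List[int]] = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    hits: Dict[str, Set[str]] = defaultdict(set)
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
            hits[src].add(dst)
    return dict(hits)


def hosts_to_notify(text: str, indicators: Set[str] = KNOWN_C2) -> Dict[str, List[str]]:
    """Return {host: [reasons]} for hosts the ISP should point at the cleanup page."""
    flows = parse_flows(text)
    reasons: Dict[str, List[str]] = defaultdict(list)
    for src, dsts in indicator_hits(flows, indicators).items():
        reasons[src].append("known C2: " + ", ".join(sorted(dsts)))
    for src, dsts in beacon_hits(flows).items():
        reasons[src].append("beaconing to: " + ", ".join(sorted(dsts)))
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(hosts_to_notify(FLOW_LOG).items()):
        print(host, "->", "; ".join(why))
```

The beacon heuristic is where the false positives live: software updaters, mail clients and monitoring agents all phone home on a schedule, so a real deployment would keep an allowlist of those destinations and raise the thresholds before anyone gets a phone call from the 40-person help desk.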
This is a great idea, which other countries should consider with one twist; vendors such as Microsoft, Apple, Adobe, and the like should be required to kick in some funding for this type of work. After all, it is their software which opens the doors to cybercriminals and (potentially) cyberterrorists. Maybe pegging the amount they have to pay to the number of security advisories issued by the CERT about their software would make sense. It would be pretty easy to gauge the success of this type of an effort by tracking and publishing stats on the numbers of infected machines before and after. As for the cost beyond the vendor kickins, there are a lot of places in the US federal budget to get the money from…
What do you think?
Read more: Germany pays to clean malware from Windows PCs.
Nov 21
You know those “private, internal emails” that get sent around within your organization, never meant to be seen by outsiders? Well, one day, they may in fact be seen – and this is an example of what could happen.
The exposure of what appear to be email messages from the Climate Research Unit of the University of East Anglia show conversations between leading climate change researchers which were obviously not meant for mass distribution. The messages exposed include:
- Drafts of scientific papers
- Unflattering comments about climate change skeptics
- Discussions in which scientists talk about using “tricks” to deal with statistical inconsistencies in their work.
Of course, the critics of the theory that human activity is warming the planet are having a field day with this: “‘This is not a smoking gun; this is a mushroom cloud,’ said Patrick J. Michaels, a climatologist who has long faulted evidence pointing to human-driven warming and is criticized in the documents.” According to the Times article, “The evidence pointing to a growing human contribution to global warming is so widely accepted that the hacked material is unlikely to erode the overall argument. However, the documents will undoubtedly raise questions about the quality of research on some specific questions and the actions of some scientists.”
Whether or not you believe that human activity is messing with the climate, there is a lesson to be learned here. Unlike the ephemeral, casual hallway conversations we have with our coworkers, electronic communications like email, instant messages, and in some cases phone calls leave artifacts which can surface long after they are written and which may, when viewed in isolation, provide a very different picture than what was intended. And hackers are not the only threat… emails may also be exposed in the course of legal discovery during litigation, and they sit in backups and on mail servers long after the sender has forgotten them. Yikes!
The moral of the story? When writing an email or IM, you need to think about what message it would give when read by an outsider, out of context, months or even years after the events which prompted it. Another way that life is getting just a bit more complicated in our modern age…
Nov 20
For most people, coming down with the H1N1 flu is a temporary, miserable annoyance. However, (like regular seasonal flu), H1N1 (aka Swine Flu) can rapidly turn from an annoyance to a life threatening condition. There has been a lot of press coverage of the flu and you might be fighting flu info overload. However, take a few minutes to read this article from New Scientist to get a balanced overview of the risks and the steps you can take to protect yourself and your loved ones. And stop kissing pigs.
Nov 20
The NSA is one of the most secretive of the US Government’s TLAs (three letter agencies), which makes sense since it is charged with intercepting, decrypting and analyzing communications for the intelligence community. However, in addition to its role in SIGINT, the NSA is also tasked with helping the government and private industry secure systems against cyber attack (information assurance). If you go to the agency’s web site, you’ll find a number of configuration guides which provide security advice for products such as computer operating systems, database servers, and Cisco routers. These guides are a great use of our tax dollars (IMHO) – they help protect government systems from attack and (with some modifications) are helpful to private industry. So why am I telling you this?
This week, we’ve seen some press wondering whether Microsoft and the NSA might have cooperated to place secret back doors in Windows 7 to allow the spooks to access all of our computers (as well as those of the bad guys). Hackles were raised when a senior NSA official testified before Congress that the agency had “assisted” Microsoft with security for the new OS release. According to the NSA and Microsoft, the assistance provided was limited to the production of a security configuration guide for the new OS and did not include any special access methods for the agency.
So, is Microsoft helping the NSA get access to millions of computers worldwide? Probably not… Microsoft would be risking its customer base worldwide if news of such a backdoor were to leak. But this incident does reveal a perceptual conflict in the NSA’s information assurance and SIGINT missions. Maybe it is time for the government to separate the jobs of protecting information and gathering information.
One of the issues that the private sector has with taking security advice from the NSA is the perception that the NSA is in the business of protecting (and swiping) state level secrets. After all, widget production figures don’t need the same level of protection as the nuclear launch codes. I think a lot of security professionals pass the NSA documents by because of this perception. What would be really great would be a separate release of private sector versions of these types of documents from a less ominous and more civilian oriented agency. For example, the Windows 7 Security Compliance Management Toolkit (which the NSA assisted in preparing) could be a starting point for much less complicated sets of instructions aimed at:
- Home users
- Educational institutions
- Small and medium sized businesses
- Large enterprises
- Critical Infrastructure Providers
- Financial Institutions
I’ll take this a step further… I would like to see these documents form the basis of a description of the minimum level of due care that any enterprise handling the information owned by others or controlling critical infrastructure must meet. Having some very basic standards (and some teeth to back them up) would do three things:
- Provide incentives to enterprises to secure their systems
- Provide a generally accepted security baseline
- Provide small and medium sized businesses who don’t have a high level of security expertise in house with a clear and concise roadmap (and instructions) as to what they need to do.
I think that there would need to be private sector involvement in developing these documents, of course. It would be a large undertaking, but I think it would also be a large step in the fight against cybercrime and cyberwarfare.
Aug 16
According to Reuters… “The U.S. government is covertly testing technology in China and Iran that lets residents break through screens set up by their governments to limit access to news on the Internet…” You go, government! This is the kind of stuff that I like seeing my tax dollars spent on. For a change, we are going after genuine bad guys (oppressive governments) and bringing a small but important measure of freedom to the people. No one gets killed, no one gets pissed at us (except for aforementioned oppressive governments) and the spend is relatively small. There is a potential downside, however… is giving citizens of another state the ability to freely access information that their governments have decided is off limits a form of cyberwarfare? If so, what kind of response can we expect from these governments? We may be opening up a new theater of war, here, but I for one think it is one that is worth fighting in.
Tagged with: cyberwarfare • freedom