Dec 22

We shall bring the Great Satan to its knees... kill Twitter! Bwah hah hah!
As you know, the entire world was paralyzed a few days ago when Iranian hackers took down Twitter. Rather than finding out what their friends were having for dinner, people logging in to the web site got a message from one third of the axis of evil which proved that the level of English language instruction in Iranian schools is still better than that of most US public schools.
Now that we have begun the long road of recovery from this truly global tragedy, it is important to see what security lessons we can learn from it. It seems that the attack was pretty simple – the minions of Khomeini simply logged in to Twitter's account at its DNS provider (the service that translates “www.twitter.com” into the numeric IP address of Twitter's servers) and changed the records so that the name pointed at a server of their own, which hosted the replacement home page. No exploit was needed: the attackers used valid credentials, which were probably filched from a compromised email account or from a document swiped from Twitter's servers. The lesson here? Guard those user names and passwords and don’t use the same password for all of your accounts!
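The check a practitioner would want after an incident like this is a record monitor: pin the nameservers and addresses you expect for your zone and alert the moment the outside world sees something else. The Go program below is an added example, not code from the original post, from Twitter or from any DNS provider; the zone, nameserver names and addresses are constructed (RFC 5737 documentation ranges), and the resolver is an injected function so the check runs offline.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// Lookup returns the records currently published for name and rrtype ("A" or "NS").
// Production code would wrap net.LookupHost / net.LookupNS, ideally asking several
// external resolvers; here it is injected so the check runs offline.
type Lookup func(name, rrtype string) ([]string, error)

// Baseline pins what you expect: the zone's NS delegation and the A records of the
// hosts you care about. Record it when things are known-good and keep it out of band.
type Baseline struct {
	Zone  string              // e.g. "twitter.com"
	NS    []string            // expected authoritative nameservers
	Hosts map[string][]string // host name -> expected A records
}

// normalize makes record sets comparable: lower-case, no trailing dot, sorted.
func normalize(rrs []string) []string {
	out := make([]string, 0, len(rrs))
	for _, r := range rrs {
		out = append(out, strings.ToLower(strings.TrimSuffix(strings.TrimSpace(r), ".")))
	}
	sort.Strings(out)
	return out
}

// Check compares live answers with the baseline and returns one alert per record
// set that drifted or failed to resolve; an empty result means all clear.
func Check(b Baseline, lookup Lookup) []string {
	var alerts []string
	compare := func(name, rrtype string, want []string) {
		got, err := lookup(name, rrtype)
		if err != nil {
			alerts = append(alerts, fmt.Sprintf("%s %s: lookup failed: %v", name, rrtype, err))
			return
		}
		if w, g := normalize(want), normalize(got); !reflect.DeepEqual(w, g) {
			alerts = append(alerts, fmt.Sprintf("%s %s: expected %v, resolver returned %v", name, rrtype, w, g))
		}
	}
	compare(b.Zone, "NS", b.NS)
	hosts := make([]string, 0, len(b.Hosts))
	for h := range b.Hosts {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts) // deterministic alert order
	for _, h := range hosts {
		compare(h, "A", b.Hosts[h])
	}
	return alerts
}

// TableLookup builds a Lookup from a canned answer table keyed "name/rrtype"; a name
// missing from the table returns an error, as an NXDOMAIN would.
func TableLookup(answers map[string][]string) Lookup {
	return func(name, rrtype string) ([]string, error) {
		rrs, ok := answers[strings.ToLower(strings.TrimSuffix(name, "."))+"/"+rrtype]
		if !ok {
			return nil, fmt.Errorf("no %s records for %s", rrtype, name)
		}
		return rrs, nil
	}
}

// Constructed baseline: RFC 5737 documentation addresses and made-up nameserver
// names stand in for the real ones.
var ExampleBaseline = Baseline{
	Zone:  "twitter.com",
	NS:    []string{"ns1.example-dns.net", "ns2.example-dns.net"},
	Hosts: map[string][]string{"www.twitter.com": {"192.0.2.10", "192.0.2.11"}},
}

// HijackedAnswers models the attack described above: the delegation is untouched,
// but the www A record now points at an attacker-controlled address (constructed).
var HijackedAnswers = map[string][]string{
	"twitter.com/NS":    {"NS1.example-dns.net.", "ns2.example-dns.net."},
	"www.twitter.com/A": {"198.51.100.7"},
}

func main() {
	alerts := Check(ExampleBaseline, TableLookup(HijackedAnswers))
	if len(alerts) == 0 {
		fmt.Println("no drift detected")
	}
	for _, a := range alerts {
		fmt.Println("ALERT:", a)
	}
}
```

Run this from a few external vantage points rather than through your own caching resolver: a record changed at the provider is the authoritative answer, and an internal cache can lag in either direction. It only tells you about a hijack after the fact, so the account at the registrar or DNS provider still needs a strong, unique password and whatever second factor or change lock the provider offers.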
I know… passwords are a real pain in the ass and trying to remember a different password for each site is just about impossible. However, I have found an answer to this issue… LastPass is a web site and browser add-in which allows you to store an encrypted copy of your passwords “in the cloud” and which can automagically log you in to web sites via its browser extensions for Firefox, IE, Safari and Chrome. When you start your browser, you type in one master password to decrypt the password file and you are set to go. You can use two-factor authentication on untrusted machines to further secure your precious passwords. Check out this series of screencasts for more information on how the system works.
I have been using LastPass for a while now and have found it to be a breeze to use. Basic service is free; by paying $12 per year, you can get access to a bunch of premium features, which provide access on mobile devices like the iPhone, Blackberry and Android based phones.
The main question is… are these guys trustworthy? My research says yes… intercepting the data between my computer and LastPass showed no evidence of funny business – and the vendor even tells you how to conduct your own test in their FAQ.
I’m using LastPass, and I’m prettay, prettay paranoid..
Nov 21
You know those “private, internal emails” that get sent around within your organization, never meant to be seen by outsiders? Well, one day, they may in fact be seen – and this is an example of what could happen.
The exposure of what appear to be email messages from the Climate Research Unit of the University of East Anglia shows conversations between leading climate change researchers which were obviously not meant for mass distribution. The exposed messages include:
- Drafts of scientific papers
- Unflattering comments about climate change skeptics
- Discussions in which scientists talk about using “tricks” to deal with statistical inconsistencies in their work.
Of course, the critics of the theory that human activity is warming the planet are having a field day with this: “‘This is not a smoking gun; this is a mushroom cloud,’ said Patrick J. Michaels, a climatologist who has long faulted evidence pointing to human-driven warming and is criticized in the documents.” According to the Times article, “The evidence pointing to a growing human contribution to global warming is so widely accepted that the hacked material is unlikely to erode the overall argument. However, the documents will undoubtedly raise questions about the quality of research on some specific questions and the actions of some scientists.”
Whether or not you believe that human activity is messing with the climate, there is a lesson to be learned here. Unlike the casual, ephemeral hallway conversations we have with our coworkers, electronic communications like email, instant messages, and in some cases phone calls leave artifacts which can surface long after they are written and which may, when viewed in isolation, paint a very different picture than the one intended. And hackers are not the only threat… emails may also be exposed in the course of legal discovery during litigation. Yikes!
The moral of the story? When writing an email or IM, you need to think about what message it would give when read by an outsider, out of context, months or even years after the events which prompted it. Another way that life is getting just a bit more complicated in our modern age…
Aug 16
According to Reuters… “The U.S. government is covertly testing technology in China and Iran that lets residents break through screens set up by their governments to limit access to news on the Internet…” You go, government! This is the kind of stuff that I like seeing my tax dollars spent on. For a change, we are going after genuine bad guys (oppressive governments) and bringing a small but important measure of freedom to the people. No one gets killed, no one gets pissed at us (except for aforementioned oppressive governments) and the spend is relatively small. There is a potential downside, however… is giving citizens of another state the ability to freely access information that their governments have decided is off limits a form of cyberwarfare? If so, what kind of response can we expect from these governments? We may be opening up a new theater of war, here, but I for one think it is one that is worth fighting in.
Tagged with: cyberwarfare • freedom
Aug 02

Look behind you!
I just saw an interesting product demo from a company called Ocularis Labs… Private Eye uses the webcam built into most laptops to track when you are looking at the screen. When your gaze leaves the screen, the display is automatically blurred or replaced with an image of your choice. Look back at the screen and the display is restored. If the software detects a face other than yours in the frame (meaning that someone is possibly ‘shoulder surfing’), the program pops up a “rear view mirror” showing you the offender (and tipping them off to the fact that you are aware of them). The software (XP/Vista only) costs $59.95 a seat for the full featured version – comparable with a hardware privacy display filter. Those filters tend to be bulky and annoying – this seems like a promising technology for road warriors and those who like to work in public places like libraries, Starbucks, airline lounges or airplanes. I am planning to get this into the lab at work and see how it works – will let you know how it goes.
Jul 20

On guard, protecting your data
Last week, the big story in social media (and infosec) was the theft and subsequent publication of a whole mess of internal documents from Internet phenomenon Twitter. While the purloined documents did not contain any earth shattering information, the incident was pretty embarrassing for Twitter and raised some questions about the wisdom of using cloud applications such as Google Docs for corporate documents. Further information has been released as to how the documents were filched and there are lessons in this for all of us.
Security questions are not secure enough to protect your passwords. Think about all of the information about you out on the Internet… your Facebook page, your postings to web forums, mentions on school and social organizations’ web sites. This information can be used to guess the answers to the questions that gate a password reset. My advice? Make up “special” answers that have no basis in reality – just be consistent about them. Maybe your first school was the Jupiter Academy of Space Sciences or your first pet was a Tapir. Using a set of “special” answers gives you another level of protection for your real passwords.
Using the same password for all sites is a recipe for disaster. I know… we all have a zillion passwords to remember and asking you to have a separate password for each site you visit is a pain. But think about it… if I get hold of the password you use for Facebook, can I also access your bank account and your email? There are some really good tools to help manage a plethora of passwords. My personal favorite is Keepass, which runs on PCs, Linux boxen, and Macs. Keepass keeps your passwords (get it?) in an encrypted file which you can carry with you or store “in the cloud” safely since it is encrypted. (You need a password to open the password file – make sure it is unique!)
Old email accounts can come back to haunt you. One of the tricks used by the attacker was based on the fact that web email providers sometimes recycle accounts which have not been used in a long time. In this case, the Twitter employee had listed a Hotmail account as their backup email address for Google Mail. This meant that when the attacker answered the password reset questions correctly, the new password was sent to the hotmail account. Just one problem… the Twitster had not used the Hotmail account in a really long time, so it expired. The attacker simply signed up with Hotmail for a new account with the same name and voila… the password was his (or hers).
The overriding lesson here is that the “best” hacks are not the result of amazing technical skill – they are the result of a moderately smart attacker taking advantage of the openings we leave for them. YOU are in control of your online security – if you are going to get hacked, at least make the SOB work for it!
Tagged with: hacking