
Archive for February, 2014

This will be another long post.

A couple of weeks ago, you may have read that the Syrian Electronic Army hacked into Forbes and posted a bunch of usernames and passwords. What you may not know is that Forbes has been fairly transparent in describing how it happened and how they plan to mitigate going forward. This is contained in a series of articles they posted on their website.

To make a long story short – they were phished.


From: How the Syrian Electronic Army Hacked Us: A Detailed Timeline of Events, all highlights are mine:

Early Thursday morning, a Forbes senior executive was woken up by a call from her assistant, saying that she’d be working from home due to a forecast predicting the snowiest day of the year. When she ended the call, the executive saw on her Blackberry that she had just received a bluntly worded email that seemed to have been sent by a reporter at Vice Media, asking her to comment on a Reuters story linked in the message.

Any other time, she says she would have waited to read the linked story later at the Forbes office. But with the sale of the 96-year-old media company pending, she was on the alert for news. Groggily stepping out of bed, she grabbed her iPad, opened the email in her Forbes webmail page through a shortcut on the device’s homepage and tapped the emailed link.

In her half-asleep state, she was prompted for her webmail credentials and entered them, thinking her access to the page had timed out. When the link led to a broken url on Reuters’ website, she got dressed and began her snowy commute from Brooklyn to Manhattan without a second thought. “It was so insidious,” she says. “I didn’t know I had been hacked for another two hours.”

In fact, the phishing email had set in motion a two-day cat-and-mouse game with Syrian Electronic Army (SEA) hackers who would deface the Forbes website and backend publishing platform, attempt to post market-moving news, steal a million registered users’ credentials, and briefly offer them for sale before leaking the data online.

This is an effective strategy, and it was part of a two-pronged attack. Someone at Forbes got an email somewhat related to what they do, and it may have contained a link like this:

Hey, what do you think about this? Is it true?
http://www.article-to-some-important-new-site.com/article/cgi?=randomstuff

If you hover your mouse over the link (on a laptop or desktop), you will see that the displayed URL is not the same as where the link actually takes you.
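As an added example (not code from Forbes or from the original post), here is that hover check done programmatically: a small Python routine that pulls every anchor out of an HTML message body and flags the ones whose visible text is a URL or hostname pointing at a different host than the href. The sample message body, the hostname webmail-login.example.net and the helper names are constructed for the example.

```python
"""Flag anchors whose visible URL text points somewhere other than the href.

Added example (not Forbes' code nor the lure the SEA used): the check a
reader performs by hovering over a link, done over the whole message body.
The sample message, the hostname webmail-login.example.net and all helper
names below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _host(url):
    """Lowercase host of a URL, or None if there is none.

    Bare text such as 'www.example.com/path' has no scheme, and urlparse
    would treat the whole thing as a path, so a scheme is prefixed first.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower() if host else None


def _looks_like_url(text):
    """Heuristic: a single token containing a dot reads as a URL or hostname.

    Plain words ('click here', 'their home page') are not lookalikes of any
    address, so this routine does not check them.
    """
    return len(text.split()) == 1 and "." in text


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html_body):
    """Return (shown_host, real_host, href) for each anchor whose visible
    text is a URL/hostname on a different host than the href resolves to."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    mismatches = []
    for href, text in collector.anchors:
        if not _looks_like_url(text):
            continue
        shown, real = _host(text), _host(href)
        if shown and real and shown != real:
            mismatches.append((shown, real, href))
    return mismatches


# Constructed lure in the shape the post describes: the visible link is the
# news site, the href is a credential-harvesting page on another host.
SAMPLE_BODY = """\
<p>Hey, what do you think about this? Is it true?</p>
<p><a href="http://webmail-login.example.net/owa?=randomstuff">
http://www.article-to-some-important-new-site.com/article/cgi?=randomstuff</a></p>
<p><a href="http://www.article-to-some-important-new-site.com/">their home page</a></p>
<p><a href="http://www.article-to-some-important-new-site.com/about">www.article-to-some-important-new-site.com/about</a></p>
"""

if __name__ == "__main__":
    for shown, real, href in find_mismatched_links(SAMPLE_BODY):
        print(f"displayed {shown} but href goes to {real}: {href}")
```

Running the block on the constructed body reports exactly one mismatch: the anchor that displays the news site but sends the reader to webmail-login.example.net. The home-page link (plain words) and the about link (text and href on the same host) pass, which is the point of the heuristic: only text that impersonates an address is compared.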

The linked page asks the user to enter their credentials. Being prompted to enter your credentials at work is so common that many people don’t think twice about it. This person was doing their job and so far everything more-or-less fits with their general work flow. It’s not exactly congruent, but close enough.

Once inside, the attackers used another effective tactic – they moved laterally. They sent spam from the compromised account to other users in an attempt to gain access to important data. The spam filter had not caught the first message, which came from outside; it certainly would not catch messages sent from the inside, because most environments assume that the inside is secure. People inherently know that it isn’t, but it’s close enough.

Until it isn’t.
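Added example, not Forbes’ tooling: one way a defender can catch the lateral-movement step described above, where a compromised internal account sprays the same link at colleagues. The script below runs a fan-out check over a few constructed outbound-mail log lines (the corp.example domain, the log format, the account names and the thresholds are all assumptions for the example) and alerts when one internal sender pushes the same URL to many internal recipients inside a short window, which is exactly the traffic a perimeter-only spam filter never inspects.

```python
"""Catch an internal account that suddenly sends the same link to many colleagues.

Added example, not Forbes' tooling. The log format ('timestamp sender ->
recipient url=<first link or ->'), the corp.example domain, the account
names and the thresholds are all constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CORP_DOMAIN = "corp.example"  # assumption: the organisation's mail domain


def _is_internal(address):
    return address.lower().endswith("@" + CORP_DOMAIN)


def parse_line(line):
    """Split one constructed log line into (timestamp, sender, recipient, url)."""
    ts, sender, arrow, recipient, url_field = line.split()
    if arrow != "->" or not url_field.startswith("url="):
        raise ValueError(f"unexpected log line: {line!r}")
    return datetime.fromisoformat(ts), sender, recipient, url_field[4:]


def find_internal_fanout(log_text, window=timedelta(minutes=10), threshold=5):
    """Return (sender, url, distinct_recipients, window_start) alerts.

    Only internal-to-internal messages carrying a link are considered: that
    is the traffic an edge spam filter never sees. For every (sender, url)
    pair a sliding window is walked over the time-ordered messages, and an
    alert fires the first time the distinct internal recipients inside one
    window reach the threshold.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])

    by_sender_url = defaultdict(list)
    for ts, sender, rcpt, url in events:
        if url == "-" or not (_is_internal(sender) and _is_internal(rcpt)):
            continue
        by_sender_url[(sender, url)].append((ts, rcpt))

    alerts = []
    for (sender, url), msgs in by_sender_url.items():
        for i, (start, _) in enumerate(msgs):
            rcpts = {r for t, r in msgs[i:] if t - start <= window}
            if len(rcpts) >= threshold:
                alerts.append((sender, url, len(rcpts), start.isoformat()))
                break
    return alerts


# Constructed outbound-mail log: routine traffic, then one compromised
# account pushing a single credential-harvesting link to six colleagues
# (and one outsider) within four minutes.
SAMPLE_LOG = """\
2014-02-13T07:02:11 alice@corp.example -> bob@corp.example url=http://intranet.corp.example/minutes
2014-02-13T07:10:40 bob@corp.example -> alice@corp.example url=-
2014-02-13T08:45:03 alice@corp.example -> carol@corp.example url=http://intranet.corp.example/minutes
2014-02-13T09:31:02 exec@corp.example -> r1@corp.example url=http://webmail-login.example.net/owa
2014-02-13T09:31:05 exec@corp.example -> r2@corp.example url=http://webmail-login.example.net/owa
2014-02-13T09:31:09 exec@corp.example -> r3@corp.example url=http://webmail-login.example.net/owa
2014-02-13T09:32:41 exec@corp.example -> r4@corp.example url=http://webmail-login.example.net/owa
2014-02-13T09:33:17 exec@corp.example -> r5@corp.example url=http://webmail-login.example.net/owa
2014-02-13T09:34:58 exec@corp.example -> r6@corp.example url=http://webmail-login.example.net/owa
2014-02-13T09:35:30 exec@corp.example -> press@outside.example url=http://webmail-login.example.net/owa
"""

if __name__ == "__main__":
    for sender, url, n, start in find_internal_fanout(SAMPLE_LOG):
        print(f"{start}: {sender} sent {url} to {n} internal recipients")
```

On the constructed log the routine traffic from alice produces nothing, while the compromised account trips the check with six distinct internal recipients of one URL in under four minutes; the message to the outside address is ignored because the point is internal-to-internal mail. The threshold and window are deliberately parameters, since the right values depend on how chatty a given organisation’s internal mail normally is.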

Forbes also posted a follow-up article by Kashmir Hill, based on an interview with the attackers, about why they attacked Forbes. According to a representative not involved in the attacks but close to those who were:

He says that Forbes editorial content on Syria made it a target, pointing to recent articles about a hacker who claimed to find porn on Syrian secret police’s computers and an article decrying the SEA’s hack of the Marines’ website. “This is pure propaganda,” he said. “This is a message, we will not tolerate lies.”

In other words, this was an episode of hacktivism and resembles the 2007 DDoS attacks on the government of Estonia by Russian youth angered by the Estonian government taking down a Russian World War II memorial.

I want to make three points about this incident:

  1. This was a well-executed social engineering attack.


    When I say “well-executed”, what I mean is that all the pieces of the puzzle were done with minimal suspicion.

    – The web page where the user entered their credentials looked like a valid login page
    – The phishing email didn’t contain suspicious language (i.e., grammatically correct)
    – The phishing email was relevant to the target
    – The landing page was hosted on a compromised server
    – The phishing email was sent from a compromised server that had not previously sent high volumes of abusive content

    In other words, a great deal of care was taken by the attacker to disguise their tracks, and it would be difficult for the average consumer of email to detect this without a high level of vigilance (i.e., working in the security industry, receiving lots of education, etc.)

  2. People in the security industry are very smug about their own non-susceptibility to scams relative to others, but they shouldn’t be


    This is the point that prompted me to write this post. Forbes is not the first company to have something like this happen to them. People are targeted all the time. Yet there are people in the security industry – people I have personally talked to – who say that the people who clicked the link and entered their credentials are “idiots.” When I challenged them on this point, they dug in their heels and reiterated “Nope, they’re idiots.”

    The idea is that only an “idiot” would fall for something so obvious and do something so careless like entering their credentials on a web page that looks like their regular corporate login page.

    This strongly irritates me because the average consumer is not overly security aware, but they do have a basic awareness. People know about bad passwords and poor security habits; they just don’t always act on what they know. In the Forbes case, the user was aware but made a poor judgment. The problem is that the average consumer does not have computer security awareness drilled into them over and over again to internalize these behaviors.

    What irritates me is that we in the security industry complain about consumers’ poor security habits despite their lack of education, but what does it say about us when we ourselves have poor health habits? For example:

    * We all know too much sugar is bad for us. It makes us gain weight and is bad for our teeth. This is reinforced almost every day. How many of us eat too much sugar? And junk food in general?

    * We all know that an inactive lifestyle is very bad for us. Yet how many of us take steps to ensure we get our 10,000 walking steps per day? Or try to alleviate sitting for 6-8 hours per day like the typical office worker?

    * We all know that staring at computer screens is bad for our posture, our muscles, and our eyes. Yet we do it anyway in spite of health advice that tells us not to.

    * We all know that we consume too much energy in the first world. Yet how many of us make sacrifices to reduce our energy consumption without prompting from anyone?

    In other words, the average consumer makes mistakes in a very narrow set of circumstances. Yet the same people who call consumers “idiots” for making a bad choice in spite of their lack of knowledge make bad choices every single day in their own lives in spite of an abundance of knowledge.

    And that bothers me because it is a double-standard and we should know better.

  3. Criticizing others for falling for scams makes a Fundamental Attribution Error – not accounting for the situation

    From Wikipedia:

    “The fundamental attribution error is people’s tendency to place an undue emphasis on internal characteristics to explain someone else’s behavior in a given situation, rather than considering external factors.

    For example, consider a situation where Alice, a driver, is about to pass through an intersection. Her light turns green and she begins to accelerate, but another car drives through the red light and crosses in front of her. The fundamental attribution error may lead her to think that the driver of the other car was an unskilled or reckless driver. This will be an error if the other driver had a good reason for running the light, such as rushing a patient to the hospital. If this is the case and Alice had been driving the other car, she would have understood that the situation called for speed at the cost of safety, but when seeing it from the outside she was inclined to believe that the behavior of the other driver reflected their fundamental nature (having poor driving skills or a reckless attitude).”


    Thus, from my point #1, this was a well-executed phishing attack. Saying other people are “idiots” fails to consider the circumstances in which this person clicked the link:

    – She was an editor who is asked to comment on articles like this regularly
    – She got an article and was asked to comment
    – She has to log in to pages regularly
    – She doesn’t normally see spam in her inbox
    – She is used to obvious spam like “Get your free Viagra” or something similar

    Security professionals have what I call an “empathy gap” where they are unable to see the situation from the average user’s perspective. It is obvious to us but it is not obvious to others.

    However, in my own life, there are many things that are not obvious to me:

    – I don’t know exactly how my furnace heater works (I paid a professional $800 to fix it this morning)
    – I don’t know exactly how the plumbing in my house works
    – I don’t understand the medical billing system or what many of the words mean when a doctor explains to me what is wrong with me
    – I don’t fully understand exactly how all the parts of my car work together

    When I look at myself, I am an expert in almost nothing in life. Because of this, I need to empathize with the average computer user, who has as little expertise in my field as I have in almost everything else. Were they really careless? Or am I misjudging them due to cognitive bias?


Anyhow, those are my thoughts on consumers getting hacked. I’m not picking on Forbes because it could happen to anyone. According to some sources, it has happened to every organization in the Fortune 500.

Read Full Post »

Tonight, the wife and I are headed out of town to visit her parents.

Last night, the heater furnace died.

This is a very inconvenient time for the heater to go down. It’s still winter and while we would turn down the heat while we are gone, we don’t want to have zero heat. That could cause some damage.

I don’t know what damage, exactly. But it’s a matter of risk tolerance. Because I don’t know, if something really bad happens in the week while we are gone and not around to keep tabs on everything, it will be a lot of money to fix. By contrast, fixing it now may be expensive but prevents future damage of unknown costs.

$800 later, the furnace is fixed.

Read Full Post »

Tomorrow, Feb 23, 2014, is the gold medal men’s hockey game between Canada and Sweden. The game is 4 am local time where I live and I plan to get up and watch it (whether or not I execute on that plan is still up in the air).

While I enjoy hockey, I am not the best analyst. But I think Canada will win for two reasons:

  1. Defense

    I watched the Canada/US game and Canada just has a big, pounding defensive style. They clog up their defensive zone and it’s tough for the opposition to get anything going. They get one shot on goal and then the puck is cleared (that’s how it was against the US, anyhow).

    Olympic hockey rinks are bigger than NHL rinks, and that favors fast, passing teams, which is what European teams like Sweden are known for. And this Olympic tournament has demonstrated that Sweden is a good team – they have skilled players and they are good at streaking and passing.

    But Canada’s defense is suffocating. I think that gives them an advantage because the passing and fast skating is neutralized if you can’t get anything going.

  2. Personal Bias

    As I said, I am not the best analyst. Team Canada does have the best players in the world but the fact is I am Canadian and I want Canada to win. That probably shapes who I think will win more than I consciously realize.

Anyhow, that’s my rationale for the pick. But what I want to discuss is my goal of getting up at 4 am and watching the game.

Why am I doing this (trying to do this)?

I enjoy hockey but I’m not a huge fan (it’s my second favorite game to watch but my favorite to play). I don’t watch very many games anymore. When I was a kid I used to watch a lot but less so now.

Instead, the reason I will make the personal sacrifice of waking early is because I like the commitment that it demonstrates.

12 years ago, I was living in England. It was also the same year as the World Cup of Soccer and it was hosted in Japan and South Korea. I wasn’t a big soccer fan but all of my friends were. And, the big game in the opening round was England vs. Argentina!

In case you don’t know, at the time (not sure if still true), England had a huge rivalry against Argentina:

  • In 1982, Argentina invaded the Falkland Islands and England responded by going to war

  • In 1986, Argentinian soccer star Maradona scored a goal by swatting it into the net against England and it counted, and it was the decisive goal (the referees missed it)

  • In 1998, a 22-year-old David Beckham of the England team got kicked out of the game by drawing a red card; England eventually went on to lose in a shootout

So, when England drew Argentina, it was huge! A bunch of friends said they were going to get together at 7 am to watch the game as Japan was about 7 hours ahead of local time. I was like “7 am?” and my friends said “Yes! We’ll make breakfast!”

I was unemployed at the time; this was right after the dot-com bust. So, at 6:30 in the morning I left my house and walked down to my friend’s place, where a bunch of us watched the game and witnessed England defeat Argentina 1-0 after David Beckham scored on a penalty kick late in the first half.

Even though the game was super early, it was a lot of fun. I don’t remember much about the game but I do remember enjoying hanging out with everyone and the experience of getting up to watch a sporting event.

That’s why I plan to get up tomorrow. It’s a big sporting event; men’s Olympic hockey only happens once every four years, and the next time they might not even have NHL players in it. This could be the last time I see Canada win gold (or even play for gold).

But more especially, I want to recapture that experience.

So why not get up? Every time I’ve made such a commitment, I’ve enjoyed it.

Hopefully this time is no different.

Read Full Post »

Whenever I go traveling, I try to avoid bringing back too many doodads. I prefer for my memories to live on in pictures, video and my actual memories.

However, the one exception is artwork. These hang on the wall so they don’t take up that much room. I buy “touristy” stuff and I know it’s not precious artwork but I like it and to me, that’s what matters.

This past week I finally put up two pieces of artwork that had been hanging around a long time. The first is an oil painting that I picked up in Cambodia in April 2012. The oil painting is on a canvas (cloth) that you need to wrap around onto a wooden frame. I didn’t buy the frame (can’t take it with me) so I couldn’t put it up when I got home unless I made the frame.

Last weekend, I finally made the frame. I went down to Home Depot, bought some supplies, came home, charged up the battery in my drill to screw together pieces of wood, and created it. I put the picture on and hung it on the wall. Here’s what it looks like:

[image: the framed oil painting of Buddha from Cambodia]

Out of all the pictures that I have, this one is probably my favorite. I like the image of Buddha and I especially like all of the oil painting collage of color that goes into it. The picture only cost me around $25, as I recall. The frame materials cost around $5.

The second picture I picked up in Ushuaia, the southernmost city in the world (there are towns further south but none of them qualify as a city), at the bottom of Argentina on the island of Tierra del Fuego. I bought this picture in a tourist shop there. However, it really needed a frame. The wife and I didn’t get one for it until October 2013, nine months after we got the picture, and I didn’t put it up until this past week. That makes the time from acquiring it to displaying it 14 months. Below is what it looks like:

[image: the framed picture from Ushuaia]

The picture cost more ($40?) but the frame was ridiculously expensive, around $150. I figured that for that price, I better put it up.

After these two, I still have one more piece left and it will be my most ambitious project – the painting of a mural on the wall.

Read Full Post »

Well, here I am at 10:24 pm on a Sunday night. The wife had to work today and she worked a later shift – from 1:30 pm until 10 pm. The bridge is closed so she has to take another route home meaning she will be home around 10:45 pm.

Yet somehow, the cat Ruby, knows that she is getting home soon. On weekdays when the wife gets home by ~9:30pm, Ruby starts waiting by the door around 9:15. Tonight, she didn’t bother waiting until around 10 minutes ago (meaning she still has another 20 minute wait). That is, she correctly delayed the start of her waiting period.

I’m not sure how the cat figures this out. While the wife was gone last week out of town, she never waited at all. And now that the wife is coming home later, she waits later.

How is she figuring this out?


Read Full Post »

A few weeks ago the wife and I took part 1 of a stained-glass class and yesterday we completed part 2. We were there for about 4 hours each time (I’m a little slow) but in the end the product turned out pretty good:

[image: the finished stained-glass piece]

I liked how it turned out. As I was creating it, I thought nearly the whole time “Man, this looks pretty bad.” But 5 minutes before I finished I said “Hey, this looks halfway decent!”

You may be curious what it takes to make something like this. Well, let me tell you:

  1. You pick out a pattern that is drawn on a piece of paper.
  2. You pick out large pieces of colored glass (red, blue, pink, gray, or pink).
  3. You cut out the patterns using scissors from the paper and glue them onto the glass.
  4. Using special tools, cut the glass out. Be careful not to do what I did and slice open your fingers with glass.
  5. Line up the pieces of glass on the pattern and shave down the corners and edges of the cut out pieces. Do this over and over and over again until they fit. This takes FOREVER!
  6. Continue shaving down the edges until they fit even better.
  7. Line the individual pieces with copper liner.
  8. Put goop on the glass pieces and solder the glass pieces together.
  9. Solder the other side of the glass pieces together.
  10. Solder on the edges.
  11. Wipe the goop off the glass.
  12. Put a chemical on the solder to give it a grayish, metallic look.

Finished!

Read Full Post »

The wife and I do not let the cat sleep in the bedroom.

Why?

Because she’s too annoying. She’ll keep jumping on the bed every 1-2 hours and then walk across our pillows, waking us up. She just can’t sit still. The wife then has a bit of a freak-out moment (“Aaaah! Stop waking me up!”). I don’t know why the cat does this, it’s as if she’s saying “Hello, everyone! What’s going on now?”

However, this past week for a few days the wife was out of town. I decided to let the cat sleep in the bedroom. I was concerned she might be annoying.

She wasn’t.

She stayed on her chair the entire night. The only time she jumped on the bed to wake me up was a few minutes before my alarm went off so it didn’t make any difference to my night time slumber. She let me sleep through.

The wife came home and we let the cat sleep in the bedroom and sure enough, the cat was annoying. Multiple times.

What the heck?

The only difference is that the wife is now home. Somehow, I don’t know what, the wife brings out the cat’s naughty behavior. I need to stay home and see what the wife is teaching the cat.


Read Full Post »

This is going to be a long post.

How I spent my weekend

This weekend I took a quick glance at the World Economic Forum’s Global Risks for 2014 report. The WEF is a Swiss nonprofit foundation that describes itself as an international organization dedicated to improving the state of the world by engaging business, political, academic and other leaders of society to shape global, regional and industry agendas (I pulled that description off of their Wikipedia entry). They bring together 2500 leaders and convene to compile a report of threats as well as how to combat them. The 2014 meeting, held late January, had the theme “The Reshaping of the World: Consequences for Society, Politics and Business.”

They face criticism; anti-globalization activists claim that capitalism and globalization increase poverty and destroy the environment (they are right in some ways, not wrong in others).

Anyhow, I was reading the report about the leading risks the world faces, and they divide them up into five categories:

  • Economic risks
  • Environmental risks
  • Geopolitical risks
  • Societal risks
  • Technological risks (purple in the chart below)

Within each category there are 6-8 specific problems except for technology where there are only 3. If you want more details I’d encourage you to read the report yourself (linked above).

What I want to focus on is how they rate the risks, as in the diagram below:

[chart: WEF Global Risks 2014 landscape, impact on the vertical axis vs. likelihood on the horizontal axis]

The impact – how bad something would be if it happened – is plotted on the vertical axis and the likelihood – the probability of it occurring – on the horizontal axis. The worse and more likely an event is, the further up and to the right it sits.

Looking at these, the acquisition (and presumably use) of weapons of mass destruction would cause a lot of damage but the odds of it occurring are small. On the other hand, mismanaged urban development does not have nearly the impact of WMDs but is much more likely to happen.

I looked at this chart and created another category – Expected Impact. To do that, I multiplied the Impact by the Likelihood to come up with a third category that estimates how bad something is in objective(ish) numbers. The chart above doesn’t give numeric values, only the plotted points, so I estimated their relative values by eyeballing them.

The Results

Of the 31 threats, Technology is responsible for 3 of them. Cyber attacks rate #7 and Data Fraud/Theft rate #8. The rest of the top 10:

  1. Extreme weather events
  2. Climate change
  3. Income disparity
  4. Unemployment and underemployment
  5. Water crises
  6. Fiscal crises
  7. Cyber attacks
  8. Data fraud/theft
  9. Biodiversity loss and ecosystem collapse
  10. Natural catastrophes

As someone who works in computer security fighting spam (among other things), it gives me a sense of pride to know that the World Economic Forum considers the problem my industry works on to be one of the top 10 most important things facing humanity.

By that, I mean that cyberattacks (#7) are a serious issue, and working to enhance things like email authentication (e.g., DKIM and DMARC) strengthens the Internet and makes it more difficult for attackers to take it down. Reducing spam increases trust on the web, and building products that make software secure reduces the risk of a cyber attack that much more. I play a small role in this; many others reading this do as well, and we should take pride in it.

I won’t go into the full details about what the WEF means by this category, but the WEF defines cyber risks as crime, hacktivists, espionage and war. The worst case has been called “Cybergeddon” where the Internet would no longer be divided between attackers and defenders but between predators and prey. Because this would cause a loss of trust between people, they would rely upon the Internet less and less. The most transformative technology since the Gutenberg press would regress, to the loss of humanity.

It is a question of trust.

How this affects me

Part of my job is to create a more secure Internet; it’s what I do. My responsibilities at work are to help drive authentication in email. It’s my small part of the world and one thing where my abilities are useful in real life.

This is important to me. A few years ago, the wife and I looked into doing some sort of charitable work. After researching Doctors Without Borders, Engineers Without Borders, and a few other organizations, I realized that I have no useful skills in the developing world. I know nothing about medicine, I can’t build radios, and any physical strength I have is easily matched by anyone else (i.e., I provide no special benefit) and surpassed by people younger and stronger than me (plus, I have bad hips).


Large companies like Google and Facebook have made it their mission to help connect the developing world by providing them with Internet access. However, Microsoft founder and philanthropist Bill Gates has scoffed at this and said that basic things like access to clean water, immunization against diseases and reduction in child mortality are far more important.

“I certainly love the IT thing,” Gates said in the interview. “But when we want to improve lives, you’ve got to deal with more basic things like child survival, child nutrition.”

He said that making it a “priority” for the whole world to be connected to the Internet was “a joke.”

“Take this malaria vaccine, [this] weird thing that I’m thinking of. Hmm, which is more important, connectivity or malaria vaccine? If you think connectivity is the key thing, that’s great. I don’t.”

Source: Vator.TV

Those are some tough words but he’s probably right.

As I have gotten older, I feel like I have become more cynical. I have started to become more aware of the wealth gap that exists today, and this is highlighted in the #3 risk above – income disparity.

I feel weird sometimes being in an industry that pays me as well as it does and wonder if I’m doing the right thing. Am I making the world a better place? Should I be doing something different?

Last week, the Seattle Seahawks won the Superbowl and everyone around me was cheering. I was happy for them, too. The Seahawks were clearly the best team in the NFL this year.


I have watched football for nearly 25 years. But here’s the thing – as the press was writing glowing reviews about how the Seahawks worked hard to become champions, and how the owner of the Seahawks turned the franchise around and talked about him in glowing terms, and how so many fans were cheering, the following thought crossed my mind:

Middle class people who spent a lot of their income to watch the game are cheering for a bunch of millionaires and billionaires who will each be getting bonuses for one day’s work, the total of which is more than most of those cheerers make in a year.

I know that everyone on the team worked hard to get there and deserve the money they are paid, but it seemed weird to me that we would all cheer on the success of people who make more money than anyone else in the stands. It’s like “Hooray! You have more than I do! And now I congratulate you on getting even more!”

For the first time in my life, this puzzled me.

And this comes back to the top 10 list above. There isn’t much I can do to fight climate change (outside of reducing my energy use but let’s face it – those of us in the developed world are responsible for most of this) and extreme weather events. I can give to charitable organizations to help reduce income disparity. But am I really making the world better?

I tell myself that at least I am making it not worse.

But with this report, with cyber attacks at #7, I can finally say that I am doing something worthwhile. This does not mean that I am correct in this belief. Instead, it means I can tell myself I am doing something worthwhile and that relieves my cognitive dissonance.

Perhaps I am helping the bottom line of the betterment of humanity after all.

That’s what I keep telling myself.

Read Full Post »