Say “Creep!”

13 01 2012

One of my students sent me a link to a story about a webcam hacker published in GQ magazine. Luis Mijangos, a self-taught coder/hacker, used a variety of malicious hacks to break into people’s computers and look through their hard drives. On the surface that sounds like basic “run-of-the-mill” hacking… but the really creepy part was when he would hack the computer’s webcam to turn it on and off at will. Since a lot of people keep their laptops and desktop machines in their bedrooms, you can imagine the kind of webcam recordings he was able to download (and eventually use to blackmail his victims). The author of the article, David Kushner, does a great job of trying to understand the psychology of the hacker.

Here’s the link to GQ. It’s worth a read – especially if you need a little Friday the 13th paranoia.

Thanks to Dylan T. for the link.


Anonymous Intro

9 11 2011

Considering that we’ve been looking at online security issues in class, it seems appropriate that Wired has two features on Anonymous this week. If you’re interested, have a look:

Anonymous 101 (the article)

Anonymous Playlist (the videos)

Stuxnet 2.0

19 10 2011

A number of news outlets are reporting on another sophisticated piece of malware that has appeared online. Apparently this piece of malware (called Duqu) is based on the Stuxnet worm from months ago. For those who don’t recall, Stuxnet was an advanced piece of malware designed to target specific industrial control systems (in this case, experts believe that the target was nuclear facilities in Iran). You can bet governments and corporations that run core systems (water, power, nuclear, etc.) are watching this one closely.

Read more from the BBC.

Government surveillance continues

12 09 2011

With the 10-year anniversary of 9/11, you don’t have to look far to find stories about how the world has changed in the last decade. Every major news outlet has some angle on the event that defined a generation. Here’s one story from Ryan Singel at Wired about the U.S. government’s domestic surveillance program that’s worth a read. It can be easy to forget that governments around the world (including our own) have a distinct incentive to monitor online behaviour – even if such programs aren’t particularly effective at catching terrorists.

Read the summary of government surveillance activity since 9/11 from Wired.

Device chipper

2 03 2011

The CBC is reporting that the Public Works department of the Federal government is looking for an industrial machine that can chew up old hard drives, USB drives, CDs and other media, so that the data is unrecoverable. This machine would be like a tree-chipper, but for old electronics. Why not simply erase these devices clean? Well… erasing software doesn’t always work on a lot of the new drives. Data, it would seem, prefers to hang around.

Interestingly, Public Works currently has a number of obsolete BlackBerrys that have to be stored under lock and key because they don’t have a way to safely dispose of the data on them.

Destroying the storage devices is definitely a good idea when you have as much sensitive information as the federal government; however, it’s worth pointing out that this strategy only destroys the data on the devices that were destroyed – if the data were copied or backed up elsewhere, then that very same data may resurface down the line. Isn’t digital information great?

Read the full description from the CBC.

Worms as Weapons

27 09 2010

A complex piece of malware (named Stuxnet) was discovered recently on the Internet. Apparently, this software worm was designed specifically to attack corporate information systems designed by Siemens. In this case, the target isn’t really Siemens, it’s the organizations that run Siemens’ systems: nuclear plants, oil pipelines, manufacturing plants, etc.

Perhaps the most disturbing thing about this story is that the worm was apparently designed to attack a particular configuration of this system. Some experts are speculating that the worm was targeting nuclear facilities in Iran, but to date nothing has been proven. Basically, this isn’t your run-of-the-mill worm designed by a bored teenager in his basement; this malware was designed with specific intent by someone (or some government) with a lot of resources.

We may never find out what the real intention of this worm was, but computer security experts say that the worm was bent on sabotage. Perhaps the next nuclear meltdown, or oil pipeline catastrophe, won’t really be an “accident.”

You can find news on this story all over the Internet, but check out the NYT and Wired.

What’s your mother’s maiden name?

8 03 2010

The BBC is reporting that those “security” questions used to help users reset their email passwords probably aren’t that secure. Joseph Bonneau, the lead researcher of the study, says that if attackers are given three chances at one of these security questions (e.g. What is your mother’s maiden name? What is your favourite vacation spot?), then they can crack into about 1 in 80 accounts. If the attackers know the target, then it’s even easier.

In some cases, a few simple searches in public databases will reveal the answers to those “security questions” (e.g. searching marriage registry information from government sources, browsing Facebook for personal information, etc.). Of course, once the attacker gains access to the target’s email – or, in more serious instances, the target’s banking information – the first order of business is to change the password and lock out the rightful owner of the account.

Email wasn’t designed to be a secure application, but it’s becoming increasingly important that people treat it that way. In the future, expect to see email providers offering better security questions – or using other methods of identifying account holders altogether.

Read more on the story from the BBC.