Saturday 30 June 2012

Online tracking and what you can do to stop advertisers

On Monday, CBS ran a morning segment about targeted online advertising and the growing trend to market to users based on their online activity. They talked about ads targeted to site visitors based on what kind of computer they’re using, what other sites they’ve visited, and what they’ve purchased. But this shouldn’t come as a surprise to anyone who has spent any amount of time shopping online. Companies like Google, Facebook, EBay, Amazon and others are making a mint selling targeted ad space.
This woman has no idea what she's talking about.

The reporter concludes the segment saying, “Is there a way to stop them? Right now there’s not.”

I don’t know what passes for research at CBS, but there are several things you can do to prevent websites from tracking your activity. But before we get into that, let's explore how exactly online advertising works and why these companies are tracking your every move.

How it works

Every time you surf through, let’s say a shopping website (but don’t think that it’s limited to these sites), a third party advertising company that has an agreement with that website is logging your IP address, which pages you visit, how long you stay at those pages, how much you spend, how fast your internet connection is, and about a hundred other things that are combined to build a profile of who they think you are. That profile is then stored in one of your browser’s folders as a “cookie”. Now, pretty much all websites place cookies, but not all are used for advertising – many are important – giving users full access to a site’s features. But, if you have a tracking cookie, as you web surf and go to different sites, that cookie will track your movements and record what you do on those sites.

Furthermore, many sites have agreements with outside companies to whom your click information is forwarded whenever you visit. Let’s say you go on Ford’s website because you’re in the market for a new car. After shopping around for a while, you head over to the New York Times to catch up on news. If both of those companies have a relationship with the same third party advertising company (and it’s often the case that they will) that company might show an advertisement for a brand new Mustang on the New York Times.

Now here’s where it gets even more personal. Think about a company like Google. Google manages my email, my web searches, the route I take in my car, and a lot more. How much does Google know about me? You can bet they’ve got my name, my age, my geographic location, what I search for online, and pretty much every other little detail. Companies like Google have enough information to paint an extremely detailed portrait of their users.

So, what can you do to prevent companies from tracking your online activity?

Part 1: Opt Out

Since there are a few ways to go under the advertising radar, this will be broken into a two-part series. This week, we'll explore "opting out".

1.    Opt Out Cookies

A few years ago, investigators at the U.S. Federal Trade Commission decided that some internet users might not be very excited about having all of their personal data recorded and logged by advertisers. Thus was born the opt-out cookie. For every tracking cookie used by a company there is a corresponding FTC-required opt-out cookie that tells the advertising company they can’t track you.

If you want to go with this approach, it’s important to remember that there is no single blanket cookie that prevents all tracking – you need to download an opt-out cookie for every advertising company. Fortunately, a plug-in is available for most browsers that will maintain a catalogue of these cookies and ensure that yours are up to date.

2.    Do Not Track

Remember the Do Not Call list for telemarketers? This is basically the same thing but for online advertisers.

When you go to a site, information is sent to the site’s servers and in bits called headers. When you use Do Not Track – which is available as a plugin and will soon be available on Internet Explorer – a header is sent to websites notifying them that you are on the Do Not Track list.

Unfortunately, Do Not Track does not apply to sites in closed networks like Facebook and since there is no legal requirement forcing advertisers to go by this list and, from what we’ve seen, most of them choose to ignore it. But hey, it can’t hurt right?

3.    Use browser settings to disallow cookies

Image courtesy of infocarnivore.com
This is the nuclear option. As mentioned briefly above, many websites – especially social networking sites – require cookies to function properly in your browser. To execute this correctly, you’ll have to maintain an ‘allowed’ list so the cookies you do want will come in without any of the bad ones.

Admittedly, this is probably one of the most effective ways to prevent tracking. Unfortunately, it also requires the most upkeep and may not be worth the compromise for most.

Next: Part 2 — Virtual Private Networks

Tuesday 26 June 2012

London's Facewatch service goes mobile - everyone gets creeped out

In case you were concerned that the citizenry of the world’s most surveilled region had just a tad too much privacy on their hands, you can now rest easy. In some kind of dystopian 1984 meets Nazi Germany twist, British authorities have released an IOS version of their Facewatch service.
... and so is that guy two tables over.

If you aren’t familiar with Facewatch, you’ll be glad to know it’s just as creepy as the name makes it sound. Facewatch was launched in 2010 and made waves last year after the London riots as an online database that displayed the faces of rioters caught on newsreels or one of the city’s four million surveillance cameras. The brilliance, of course, is that the police could rely on Londoners to report each other to the authorities instead of doing any actual police work.

The logistics were described in a Metropolitan Police Department press release.
The popularity of the app lies in its simplicity. As well as being available on all computers at www.facewatchid.co.uk the Facewatch App works across all smartphone and tablet computer platforms with internet connection and is free to download from the Apple App Store, Android Google Play and Blackberry App World.
A member of the public just has to enter their local postcode into their smart phone or iPad and then click or touch through a selection of unidentified CCTV images of suspects that the police would like to talk to. [Facewatch]
So what’s to stop a Facewatch user from going straight up Stephen Segal on an unsuspecting criminal (or someone who looks kind of like a criminal)? Well, nothing. Facewatch for IOS does, however, include a feature where users can input the name of the suspect and their current address, which is then sent “securely" and confidentially to authorities.

Saturday 23 June 2012

The Coolest Malware of All Time

For the last couple of weeks, businesses around the world have reported their printers have been spewing out countless sheets of paper with only garbage characters printed on them. Turns out, a little virus called Trojan Milicenso was to blame.

According to Symantec, the virus was designed primarily as a delivery method for other malware--typically adware, but, because of a coding fluke, has caused some infected computers to go bonkers on the printer. Admittedly, it's a kind of cool little quirk. 

And this got me thinking. What are the coolest pieces of malware of all time? I know, I know, when you're the one with the infected computer, it's never "cool" to have malware. But, from an outside perspective, you've got to admire the ingenuity behind some of this software, as damaging as it can be. So without further ado, here is The Coolest Malware of all Time:

The Creeper

The granddaddy of all malware, Creeper was the worm that started it all. Written and deployed in 1971 by an engineer named Bob Thomas, Creeper was released on Arpanet – the precursor to the internet. In total fairness, Creeper is not technically malware since it was never designed to actually do any kind of harm – it was merely an experiment in mobile programs. That said, it is the program all other viruses, worms, and Trojans are based off of, so it’s definitely worth noting.
The Creeper was named after a
Scooby Doo villain

The worm infected DEC PDP-10 minicomputers and caused them to display the message, “I’m the creeper, catch me if you can!” Appropriately, a program called “Reaper” was written and deployed to wipe out Creeper.


NIMDA

NIMDA (admin read backwards) was the fastest spreading computer malware ever. And when we say fast, we mean fast. Within 22 minutes of hitting the internet, NIMDA hit the top of the list of reported attacks, becoming the world’s most widespread worm.

The brilliance behind NIMDA was the ways it propagated. Where most malware spread through only one avenue, NIMDA took a multi-pronged approach, spreading through email, shared files, Microsoft IIS security holes, and file transfers. Furthermore, NIMDA would infect thousands of files on each system and even re-infect files already carrying the worm several times over, making it very difficult to get rid of.

NIMDA’s ultimate goal was to create a backdoor for the malware’s author to access the infected computer. However, the real damage was felt in networks being brought to a standstill and entire servers crashing from the heavy traffic load. NIMDA essentially became a mobile Distributed Denial of Service attack.

Commwarrior-A

Commwarrior-A was the first actually relevant virus for mobile devices. Where previous pieces of malware could only spread via Bluetooth (you had to be near another phone to infect it), Commwarrior-A was capable of spreading among Samsung Symbian Series 60 phones through the Mobile Messaging System (MMS). In this way, Commwarrior-A acted a lot like traditional computer viruses that were frequently transmitted in emails. In the end, Commwarrior-A only infected about 50 cell phones and because it didn’t carry a payload, it’s largely believed it was a proof-of-concept, setting the stage for future mobile malware.

ILOVEYOU

Often referred to as “Love Letter”. ILOVEYOU originated on May 5, 2000 in the Philippines and would ultimately spread to tens of millions of computers worldwide through a blank email with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.txt."

I never knew you felt this way!
Once the probably lonely message receiver opened the attachment, ILOVEYOU would install and begin writing over image files on the infected computer with copies of itself. The worm would then propagate by sending the original email message to the first 50 contacts in Microsoft Outlook’s Address Book.

Entire governments had to shutdown their email systems and billions were spent in response to the damage ILOVEYOU caused. (Most of the money was spent trying to recover overwritten files.)



Stuxnet

If you haven’t heard about this, you’ve been living under a rock. Stuxnet was the U.S.-Israel project codenamed “Olympic Games” designed to take out Iran’s uranium enrichment facilities.

Iran’s uranium enrichment facilities – specifically the Natanz facility – consist of large underground centrifuges operated by control systems. If a control system could be compromised, a virus could damage the centrifuge. This is exactly what Stuxnet did.
Centrifuges at the Natanz Uranium Enrichment Facility

The malware was injected originally by a combination of spies and “unwitting accomplices” through a thumb-drive and would subsequently spread through windows networks and into Siemens industrial software. Once installed, Stuxnet would quietly record what normal enrichment activity looked like, send centrifuges spinning out of control and send back false reports of normal operation. Consequences? The damage caused by Stuxnet forced the head of Iran's Atomic Energy Organization, Gholam Reza Aghazadeh, to resign and it’s estimated that the program successfully destroyed about 1,000 of the 6,000 centrifuges.

Thursday 21 June 2012

North Korea uses computer game to attack the South

If you haven't read about this yet, it's really pretty incredible. Admittedly, after all the recent coverage of Stuxnet and Flame, a country launching a DDoS attack is hardly impressive. In fact, it's almost laughable. That said, there are a couple really intriguing aspects to this story.

If you aren't impressed that North Korea launched a DDoS attack,
 keep in mind that they're hardly using electricity, let alone the internet.
A South Korean newspaper reported yesterday that North Korea has been launching DDoS attacks on a South Korean airport using malware spread through an online video game.

According to the Korea JoongAng Daily, a South Korean video game distributor identified only by his surname, Jo, commissioned a North Korean company in China to develop a new video game. As it turns out, the North Koreans were actually part of the North’s Reconnaissance General Bureau – a fact that Jo was aware of.
 Jo purchased dozens of computer game software for tens of millions of won, which was a third the cost of the same kind of software in the South. The games were infected with malignant viruses, of which Jo knew, an official at the police agency said. 
Jo sold the games to South Korean operators of online games. When people played the games, the viruses used their computers as zombies, through which the cyberattack was launched. [Korea JoongAng Daily]

It seems the big take-away from this story is that cyber warfare is hardly limited to wealthy nations. If North Korea is doing it, you know everyone else is too. But even more importantly, the delivery method for the malware – a video game – is actually pretty brilliant. As we saw in the use of thumb drives to distribute Stuxnet in Iranian facilities, the delivery is often the most important aspect of targeted malware. As users become increasingly wary of traditional delivery techniques like fraudulent websites and phishing scams, it’s not a stretch to imagine we’ll see many more creative attempts at distribution in the very near future.

Saturday 16 June 2012

Anonymous v. India

About 1.2 billion people live in India. And while only a minority of them have internet access, that minority adds up to about 120 million people and is growing quickly. And like the people and governments of so many other countries, the citizens and politicians of India are struggling with digital rights and censorship.

Last weekend, online hacktivist group Anonymous organized public protests against online censorship in India. And while the turnout for the demonstrations was pretty sparse, the group is now calling on Indian citizens to file Right to Information requests of public servants in an effort to expose communications between politicians and ISPs pertaining to censorship.

In one of their signature video messages, Anonymous says that Indian politicians are not only out of touch with the modern internet, but enforcing and encouraging policies that work in opposition to the legitimate pursuit of information and for criminals who know how to game the system.

People of India, we have been watching. We have been noting the perversion of freedoms to the point where barriers are increasingly restrictive. The politicians whose websites are primitive for the previous decade are deciding from their ignorant perches how the internet of today must be. Their lack of understanding of how content is shared, spread or accessed on the internet makes their restrictive plans ridiculous for any criminal who actually would want to bypass those restrictions, while they serve to keep the common man ignorant of anything they do not wish them to know. It is time to expose this ignorant intolerance for what it is.

It should be noted that SumRando in no way endorses illegal file sharing or any type of copyright violation. However, as we’ve previously stated, attempting to enforce intellectual property laws through censorship is never acceptable.

Internet censorship has been a long-standing issue in India and can be traced all the way back to 1999 with the censorship of Pakistani websites. The latest round of controversy stemmed from a High Court decision to block several file-sharing sites including Vimeo and the Pirate Bay that made two popular Bollywood movies available for download. (For a little dose of irony, it’s worth noting that one of those films, “3”, only gained popularity after a song from the movie went viral on the internet.)

So here’s the thing. India appears to be at a crossroads. As the internet-using population grows – again, only about 10% currently surf the web – the country will need to decide what kind of digital landscape they want. Will they follow the oppressive firewall policies we’ve seen in China and Iran? Or will they favor the largely open infrastructure in place in many (but definitely not all) Western countries?

Monday 11 June 2012

All your passwords are belong to us

Are you a professionally-savvy gamer looking for a date? Well, turn down the internet radio and listen up because your passwords are probably compromised.

Over the last few weeks, we’ve seen an unprecedented number passwords leaked. Here’s a rundown of what’s been happening, site by site.

LinkedIn

Over 6 million hashed passwords were published last week on a Russian forum site. Many experts are speculating that the list may actually be substantially larger and that many simple passwords that were quickly cracked have been left off. Despite many members reporting that they had identified their own password on the list, the company really took their time in confirming the authenticity of the list.

Over the weekend, LinkedIn posted an update on their blog.

First, it’s important to know that compromised passwords were not published with corresponding email logins. At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves.


League of Legends
 
Riot Games, publisher of the popular real-time-strategy game League of Legends, announced Saturday that player information and hashed passwords in two of their three servers (EU West and EU Nordic & East) had been accessed by hackers.

The company’s blog reports that the stolen information included hashed passwords, players’ first and last names, home addresses, security questions and answers, and email addresses.


Last.fm

The popular internet radio site had about 1.5 million hashed passwords leaked to a password cracking forum last week. But here’s the best part – while the hacked list was only published last week, a story is developing that the actual security breach happened months ago.
 
In May, Last.fm users took to the company’s forums, reporting that they were receiving unprecedented levels of spam.  In response, the company ran a security audit and said that no breach was detected.

However, reddit user mingaminga is now claiming that the password list is 17 million strong and was privately discussed at hacker convention DEFCON 2011 which took place in August of last year.

Last.fm says they have not yet identified the security vulnerability that led to the leak.


eHarmony

Details are murky with the eHarmony password breach, but it looks like about 1.5 million passwords were leaked online. According to the company’s blog, all members using one of the exposed passwords will be prompted to change it.


eHarmony last updated members on June 7th and said they do not believe any information other than passwords has been compromised.

Thursday 7 June 2012

Flame snuffs itself out

In other news from the cyberwar-front, the epic state-sponsored malware Flame that has recently run amok worldwide has suddenly begun self-destructing.
Image courtesy of wn.com

Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider. [Symantec]

According to Kaspersky Labs, only hours after being publicly exposed, the developers behind the massive Flame malware initiated a self-destruct sequence that turned off the command and control infrastructure behind the program.

Flame worked by contacting a number of specific servers that would dish out control-scripts to the program. When the servers went dark shortly after details began to emerge on May 28th, flames functionality effectively came to an end.

Research efforts aimed at investigating the origin and exact purposes of Flame have been substantially hampered by this development.

Check out CNET’s Flame FAQ for more details on the worm.

Google warns Gmail users of State-sponsored attacks

As if we didn't have enough to worry about with a steady increase in cybercrime, cyberwarfare is coming to your Gmail account. Unfortunately, this is not an exaggeration. In a blog post this week, Google’s Vice President of Security Engineering announced that their Gmail client will now alert users when their account is threatened by a state-sponsored attack.



Grosse emphasized in the blog post that receiving a warning does not necessarily mean that your account has been compromised. Rather, it means that Google believes a malicious agent working for a government is trying to access your account through methods including phishing or redirects to malicious websites.

Here are some things you should do immediately: create a unique password that has a good mix of capital and lowercase letters, as well punctuation marks and numbers; enable 2-step verification as additional security; and update your browser, operating system, plugins, and document editors. [Google]

The blog post said that while Google will not reveal what criteria or evidence will be used to determine whether an attacker is a typical cybercriminal or a state-sponsored organization, it should be noted that attacks perpetrated by states tend to target specific individuals or companies in attempts to acquire sensitive information. Typical phishing attempts tend to use broader brush strokes, attacking anyone who might be vulnerable.

Although it might be slightly unsettling to see state-level espionage brought to the user level, this is not the first time Google has sparred with national governments. In 2010 Google threatened to pull out of China entirely after a massive Chinese state-sponsored attack targeted dissidents’ Gmail accounts.

Wednesday 6 June 2012

Change your LinkedIn password now

The Verge broke news this morning that a Russian hacker has downloaded login credentials for almost 6.5 million LinkedIn accounts. To prove his claim, the hacker posted a list of the 6,458,020 hashed passwords on a Russian forum site.  While there is currently no confirmation that usernames have also been stolen, security experts are saying it’s very likely. At this point, it’s been reported that about 200,000 of the hashed passwords have been cracked.

Furthermore, users have reported via Twitter that they’ve found their own password on the list, making it all the more likely that the list is real.
We spoke with Mikko Hypponen, Chief Research Officer at F-Secure, who thinks this is “a real collection.” He told us he is “guessing it’s some sort of exploit on their web interface, but there’s no way to know. I am sure sure LinkedIn will fill us in sooner or later.” [The Verge]
Since we simply cannot confirm the legitimacy of the list, we’re recommending that users change their LinkedIn passwords immediately.

As we mentioned above, the passwords on the lists were stored as unsalted SHA-1 hashes, not actual passwords. SHA-1 is an algorithm that changes passwords into combinations of letters and numbers. “SumRando” fed through an SHA-1 algorithm becomes “ebc26281d960110b8111d3a78889b05fc50e0a8b”, unfortunately, without salting (basically another round of encoding) it’s quite easy to decode the hashes to the original data.

According to LinkedIn’s Twitter feed, the company is not yet confirming the breach.


Update: LinkedIn has confirmed the theft of user data and has automatically changed the passwords associated with the leaked accounts. The LinkedIn blog provides further details.

Friday 1 June 2012

In post-Soviet Armenia, crime pays for you

Remember kids, hack is whack. But apparently not that whack in Armenia where the creator of the notorious Bredolab virus was just sentenced to a measly four years in prison by Armenian courts.

Georgy Avanesov, a 27-year-old Russian citizen of Armenian descent, was first nabbed in 2010 after Dutch authorities took down a large Bredolab network made up of about 140 different infected computer servers. Shortly after this seizure, global spam levels fell by 12 percent. 
Avanesov confessed that he developed the Bredolab malware in 2009 and made it available to others via computer servers in Holland and France, according to Wired. But he also said that he was unaware others planned to use it criminally. 
Wired reports that prosecutors allege Avanesov earned $125,000 a month renting out infected computers to cybercriminals to spread their own viruses. [CNET]
Based on the scale and scope of Avanesov’s crimes, are we the only ones who think this sentence seems a bit light?  I mean, if, as an international community, we want to discourage hacking (and $125,000 a month is quite a temptation) shouldn’t we punish one of the most egregious offenders of all time a little more severely? I mean, hell, if the prosecution's numbers are accurate, this guy was pulling in $1.5 million per year. He might spend the next few years in the big house, but he’ll spend the next several decades in an even bigger mansion.