Short article today. Not even a picture.
I think I understand how breakups work now. I broke up with Dropbox, after an intense, deep, 5 year relationship. I was afraid it was sharing my secrets.
First, I found someone new (ownCloud). We screwed around for a few hours, but it wasn’t the same. I thought maybe I could compromise in order to have my perfect cloud storage soulmate. So I broke up with Dropbox (deleted the account). But then, ownCloud turned out to be crazy, unstable, and slow.
I tried to make it work but all I could think about was how much I missed Dropbox. Dropbox did so many things that I took for granted, that ownCloud isn’t experienced enough to do. So I tried to go back, but while Dropbox was happy to take me back, there was nothing either of us could do to completely heal our relationship (account metadata, file revisions, camera upload metadata, and bonus space). The magic was gone, probably forever.
Finally, I decided to tell both Dropbox and ownCloud that I needed some time to myself. Maybe I should go without cloud storage for a while.
Google Drive, however, is clawing at my door begging for action.
I’ll be focusing more on the implications of the decision. For a more news-y article about it, refer to WIRED or the Chicago Tribune.
“Unlock this… for safety?”
This morning, the United States Supreme Court made one point perfectly clear: Arresting officers are to stay out of suspects’ cell phones until such time as they get a warrant. What is interesting about the decision is that it involved two cases, one involving a basic flip “feature” phone, and the other involving a smartphone.
Previously, warrantless searches of an arrested person’s cell phone were considered lawful under the Search Incident to Arrest (SITA) doctrine.
The Court found that a cell phone is a very intimate device and the average phone contains a very detailed digital record of its owner’s entire (private) life. Given 10 minutes with someone’s smartphone, you can learn more about them than you ever could with free rein of their house. And that’s what the decision was about.
While this decision is very important for your privacy, it’s also very important that you realize what it does and does not do, specifically, and what you can do to enhance your privacy.
Example AutoGripe Email
Fail2Ban is a nice piece of software that detects SSH brute force attempts and locks out offending hosts for a predetermined length of time. It can also be outfitted with new and exciting ways of handling these attacks.
Banning script kiddies that are trying to brute their way into your box is nice, but what if you could also take that detection and help clean up the Internet a bit?
Action scripts already exist for Fail2Ban that take the offending IP address and dispatch an email to the abuse email listed in the WHOIS for that IP range. But they rely on sendmail. With the advent of increasingly aggressive spam blocking solutions, it’s entirely possible that unless you install a full-blown mail server, your mail won’t get through to those who can actually process your complaint. What a drag!
That’s why I took it upon myself to write AutoGripe. AutoGripe is a Python tool that accepts an IP address (automatically, from fail2ban) and dispatches an email with logs to an abuse email address. You can get a copy for yourself at AutoGripe’s GitHub repo.
Wild SKITTY used POOR SECURITY!
It’s been a while since script kiddie extraordinaire Julius Kivimaki (zee/zeekill/RyanC) got so thoroughly 0wned. The “super dooper hax0r” committed rookie infosec mistakes and a close friend popped his # cherry. Lots and lots of evidence of lots and lots of illegal things were revealed and released. You should totally check that out.
Since then, he was (finally!) taken in by the Finnish police, who sent him to a European prison. You know, the kind that has better accommodations than most U.S. college dorm rooms. Anyway, Julius couldn’t handle his all-expenses-paid getaway, so he misbehaved. He misbehaved so badly that they had to send him to a more restrictive facility, but that facility was full. Do you know what the Finns do when they don’t have a place to put a misbehaving prisoner? They send him home, on the promise that he’ll stay off the Internet. He didn’t stay off the Internet.
He’s been popping in and out of the Finnish criminal “justice” system ever since, the FBI twiddling their thumbs all the while. But that’s not why we’re here. Something a tad more interesting happened last night…
See, yeah, I’m going to have to call bullshit on this one
We hear quite a bit about copyright infringement on the Internet and how it hurts (or doesn’t) the economy and the entertainment industry. It’s usually expressed in near astronomical numbers, billions of dollars annually because Spiderman was downloaded a few times. But I think the numbers may be inflated.
The Institute for Policy Innovation gave a thoroughly detailed (but REALLY biased) report on the losses to the U.S. economy due to piracy. They give some pretty big numbers, but most importantly they list a few “multipliers” that enhance those numbers, reflecting the economic velocity of a dollar that’s spent on, say, a DVD of, or a ticket to see, a movie.
Today, something odd happened.
The official website for the Truecrypt cross-platform open source encryption program was forwarded to a warning that due to Windows XP being sunsetted, Truecrypt is no longer being maintained, is unsafe to use, and that users should switch to Microsoft’s BitLocker instead. Additionally, the program was “updated”, such that it only decrypts data, and warns you every step of the way that it’s unsafe to use.
This has caused a minor panic across the Internet. Obviously something strange has happened to Truecrypt and its developers. Was the software really unsafe? Was their website compromised? Is this a hoax or the doing of a three-letter agency?
I’d like to offer some analysis and my possible theories.
Since Google released a developer-focused version of their Glass product last year, we’ve learned quite a bit about some possible uses, and some possible technical and social issues behind the product. Businesses are starting to ban Glass from their establishments. People are getting mugged for their Glass, and for using their Glass. One man was questioned by DHS/ICE for having his prescription Glass unit on in a movie theater.
Nearly every problem that society at large has with Glass starts with the unit’s camera. When Google designs and builds the final Glass product to be released to consumers, some changes are going to have to be made that take the incidents above into account. Here are some features I’d like to see in the final Glass build.
On Monday, it was announced that OpenSSL, an incredibly popular encryption library (quite possibly the single most popular), contained a rather serious security bug named Heartbleed. This name refers to the TLS “heartbeat” that is abused in order to exploit the bug.
This bug basically allows anybody to obtain an arbitrary 64kb of an affected server’s memory. An attacker can do this as many times as they need to obtain more and larger secrets. Secrets like encryption keys.
While some end users can at least get a feel for how big of a problem this is, very few are aware of how it affects them, directly, and why. What exactly can an attacker do with a “secret” from a server that you use?
I’ll also explore an SSL feature designed to mitigate this sort of attack, how it helps here, how it doesn’t, and which popular websites don’t use it.
Mess with the best, die like the rest, amirite?
(Note: Earlier this week, I presented evidence of a Finnish individual by the name of Julius Kivimaki being the perpetrator behind the EC-Council hack over the weekend. You should read that post first, if you haven’t already.)
tl;dr: Last weekend, a person using the nickname ‘Eugene Belford’ took over the DNS for the EC-Council, an organization that certifies “Ethical Hackers”, and pointed it to his server, where he displayed a picture of Edward Snowden’s US passport.
Last night, our team obtained access to the server used in the EC-Council hack. Somebody asked for, and received from Julius, a shell on his server for the purposes of sending spam and phishing emails. This person turned the shell over to us, we then elevated to root access, and had a look around. Here’s a small list of what we uncovered: Continue reading
It’s not really hacking. Just FYI.
Update: Since the writing of this article, I was invited to see the contents of Mr. Kivimaki’s dedicated server after another party compromised it. You can read the analysis of what I found here.
Two days ago, the website for the EC-Council was broken into and defaced. The EC-Council is an organization that certifies so-called ‘ethical hackers’. The website was defaced and its content was replaced with a picture of Edward Snowden, and an HTML comment that gives away the identity of the “hacker”.
Once control of the website was given back to the rightful owners, a known password was used to again deface the website, bringing it to its current state. It now contains a scan of Mr. Snowden’s passport and a letter from the US Department of Defense affirming his experience as a security researcher.
Continue reading to learn the hacker’s identity.