I Almost Fell For It!


I don’t want to hurt myself patting my own back, but I’m pretty good at sniffing out scams. Today I came perilously close to falling for one. Bravo to the scammers. You’re getting better.

It started with an email from a friend I haven’t spoken to in a long time. Actually, the email said I had a message from her via WhatsApp. I have WhatsApp installed, but don’t use it.

So far, plausible.

[Screenshot: the “We missed you” WhatsApp notification email]

I clicked the green “Play” button and was asked to sign in to my Gmail account. Again, this is something that happens… but I don’t give up my password easily. I looked closely and noticed the password page didn’t have a green lock next to it.

Bad sign!

Gmail (and Facebook and Twitter) always have a green lock. The green lock assures you the connection is secure and from the company listed.

[Screenshot: the fake Gmail sign-in page]

I continued to log in but with a phony password. I wanted to see where this led.

[Screenshot: the YouTube-styled page that followed]

Next screen was an install page for Flash. If the flashing red lights weren’t already going off, this would do it!


I opened up the web pages. They’re reasonably well written code. All the images are served from their rightful owners’ websites. In other words, Google, Twitter and WhatsApp (among others) are paying for the bandwidth to run this scam!

How the hell did this get past Gmail’s filters? At least it didn’t get past mine.

We Are Doing Security Wrong


One of my former co-workers wrote me this morning under the subject: “VERY URGENT!!!!!Help & a favor.”

I really hope you get this fast. I could not inform anyone about our trip, because it was impromptu. we had to be in Turkey for Tour.

OK — it didn’t come from my friend. It was just made to look like he is writing.

i will be indeed very grateful if i can get a short term loan from you ($2,600). this will enable me sort our hotel bills and get my sorry self back home.

I didn’t follow up. Had I replied I would have been led to send the money via Western Union in a way that’s untraceable.

These emails go out because people fall for them!

My friend’s email password was compromised. Is he the weakest link? Possibly, though recent personal experience shows he may have been sold out by the companies he deals with.

Yesterday eBay asked me to reset my password because of their security problems. This follows Target’s faux pas which led to our credit cards being reissued (and the hassle that followed).

Companies screw up, but I’m obligated to help clean their mess.

In most cases, if a hacker gets hold of your email account he’s got everything! Passwords can be reissued and ownership of a specific email account is all the ID you need!

This is crazy.

Google and a few others have begun offering 2-step verification to cut back on fraud. I tried Google’s offer and switched back. It was an incredible hassle.

Passwords were good protection when the Internet was young and its users mostly trustworthy. That’s no longer the case. We live our lives online. We need a better way.

The NSA’s On The Wrong Side Of Heartbleed

Since this entry was published the NSA has denied any knowledge that the Heartbleed flaw existed. Their adherence to the truth has been less than exemplary in the past. Let’s let this play out. – Geoff

You’ve probably heard about the Heartbleed bug by now. It’s a flaw introduced to SSL (Secure Sockets Layer); a mistake made as code was updated.

Simply put, Internet data transmissions we thought were secure were not. Things like passwords, financial information, anything private was easily cracked.

The bug languished mostly unknown for years. That’s called security by obscurity. Never a good idea. We’re seeing that now.

As far as I can tell Heartbleed’s never been exploited for nefarious commercial purposes. It has that potential. However, it has been exploited by our government’s spies!

The NSA knew Heartbleed existed. They had a choice, tell the maintainers of the code to fix it or exploit it themselves and leave us vulnerable. They chose the latter.

Now, because the NSA felt their ability to soak up data trumped our collective security, Heartbleed is a big deal! Leaving this security hole open for years is reprehensible.

More and more it seems America’s intelligence agencies, beginning with the NSA, are out of control. They have lost sight of their actual mission: protecting us. Instead we are more vulnerable, and our international partners know we can’t be trusted with their precious secrets.

This story was broken by Michael Riley at Bloomberg News.

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

It’s time we have a come to Jesus meeting with our spies. Is everyone in Washington that scared of them?

WordPress Under Attack


There’s a headline tonight on ArsTechnica, the technology blog:

Huge attack on WordPress sites could spawn never-before-seen super botnet

This site runs on WordPress. So do all the other sites I build. Obviously, a scary headline.

Scary for ArsTechnica too. Their site is also built on WordPress.

This is pretty wicked stuff. It’s called a brute force attack because password after password is sent to the default “admin” account. The attackers are looking for sites protected with commonly used passwords.

Most of my sites don’t use “admin.” I’ll try to harden the rest this weekend. It’s a pretty simple change.

None of my sites use dictionary words for their password. This attack won’t work on me.

ArsTechnica speculates the huge bandwidth available through websites running WordPress could make these compromised machines the most powerful botnet ever seen!
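One way a site owner can spot the brute-force pattern described above in a web server access log, written here as an added example (not code from the original post or from Ars Technica). The log lines, IP addresses and thresholds are constructed; the check relies on WordPress answering a failed login POST by re-serving the form (HTTP 200) and a successful one with a redirect (HTTP 302).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Apache-style log lines (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:21:04:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3754
203.0.113.7 - - [12/Apr/2013:21:04:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3754
203.0.113.7 - - [12/Apr/2013:21:04:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3754
203.0.113.7 - - [12/Apr/2013:21:04:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3754
203.0.113.7 - - [12/Apr/2013:21:04:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3754
203.0.113.7 - - [12/Apr/2013:21:04:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.5 - - [12/Apr/2013:21:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3754
198.51.100.5 - - [12/Apr/2013:21:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.5 - - [12/Apr/2013:21:05:25 +0000] "GET /wp-admin/ HTTP/1.1" 200 51210
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def flag_login_bursts(log_text, threshold=5, window_secs=60):
    """Return {ip: failed_attempts} for IPs with at least `threshold` failed
    wp-login.php POSTs inside any `window_secs` sliding window.
    A 200 on a login POST means the form was re-served (wrong password);
    a 302 is the redirect WordPress sends after a successful login."""
    failures = defaultdict(list)
    for ip, ts, method, path, status in parse(log_text):
        if method == "POST" and path.startswith("/wp-login.php") and status == 200:
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window forward until it spans at most window_secs.
            while (times[end] - times[start]).total_seconds() > window_secs:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

In the sample, the first address fires five wrong passwords in three seconds and then gets a 302, the signature of a guessed password; the second address is a normal login and is not flagged.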

This is like science fiction. Except it’s real.

I Hate Passwords


Can we talk? I hate passwords. I used to dislike them, but we’re well beyond that stage now. It has turned into passionate hatred.

I love my job, but part of the password blame goes to our corporate policy at work. I need a new password every ninety days. It can’t be one I’ve used before. It needs upper case letters. It needs special characters. Oh, I also have to remember it!

Remembering, that’s the tough part.

I’ve been through town/zip code, old street addresses and initials/birthday combos.

My current work password is based on our home phone number 50 years ago. It’s obscure enough even with that hint you’ll never guess it. Even if you had the 1960 Queens, NY phonebook you’d be hard pressed to figure it out.

It took a while to come up with. In two and a half more months I have to go through it again.

It all seems like a show. When passwords are stolen they’re usually stolen from the password keeper, not the website user. It’s then we find out they don’t have the security demanded of us!

For me the toughest passwords are for insurance and financial sites. They too want hardened passwords, but I don’t use them often enough to remember. One insurance password is changed nearly every time I need the site.

Don’t get me started with Apple. Abandoning their password policy was among the most rewarding parts of leaving the iPhone universe!

Like most people I have a few standard passwords for non-critical, non-monetary applications. More critical sites get their own password, but there are just too many to remember.

There are password apps which can be used, but that just creates a single point of failure where finding one password will get you all of them. Wow!

Can’t someone come up with something better? When I crawl into bed at night and cuddle, Helaine doesn’t have to open her eyes to know it’s me. Can’t passwords work like that… without the cuddling… or pajamas?

I Hate Passwords… Especially Today


I love my new job. I thought that would be a good way to start this entry because today there’s something I didn’t like at work. I had to change my password.

For those who don’t work in a business environment, user names and passwords are critical for accessing data and communicating with co-workers. My work computers won’t work without the proper username/password combo.

At this company your password must be changed every 90 days. Simple so far. It must contain upper and lower case letters plus a number or two. Punctuation is encouraged, but I haven’t crossed that line yet.

Once I changed my password it was necessary to update all the devices I use, like my cellphones and a handful of PCs.

Correct me if I’m wrong. The vast majority of us use one or two or a handful of passwords for the myriad sites that require one. I’m in the half dozen range.

That’s already tough enough to remember. Now I’ve got a password that’s specifically designed to be difficult to remember and which must be changed regularly!

I would buy into all this if password hacking was a big deal. It’s not. I’m not saying passwords aren’t hacked, but the majority of hacking is done in bulk fashion by breaking into company computers, not knocking off employees one-by-one¹.

When individual user passwords are revealed it’s usually because they’re given away in social engineering schemes, like phishing. This password changing won’t stop that.

Most of us aren’t worth enough for someone to spend the time and energy necessary to hack our accounts. I’m certainly not.

I change my password because my bosses have asked me. I’m a good employee. I’m just not sure how much we’re accomplishing.

¹ – “Hacking” of voicemail accounts by Rupert Murdoch’s News of the World is heavily in the news right now. I think, as the story comes into focus, we’ll see it’s not really hacking that’s been done, but bribing people with access to share that access.

I’ve Been Hacked From China – Someone Call General Tso


I checked in with Gmail a little earlier. Those Google boys run all my email accounts. There was a message with scary red type. Someone had logged into my account from China! The Gmail crew was wondering whether that was OK by me?

I’m a tech savvy guy. It really was from Gmail containing some details no spammer could ever conjure.

I have accounts on lots of sites. Many use the same password. That’s probably how whoever broke in gained access. This is the kind of password you can’t just guess. It’s now changed.

Thankfully this particular password wasn’t associated with any account that has access to my money. It was however my favorite. I’ve used it since the early days of the Internet.

I looked through Gmail again after the change. Everything seems intact. This should be an effective remedy.

It’s time we found a way to replace passwords. Seriously, is there anyone who doesn’t use the same password on more than one account? I already balance five or six passwords in my head. One for each site I visit would be nuts!

Tech Support 24/7… Possibly 8


Stef called while I was driving home. It was a tech support call.

There are two speeds in Stef’s life. The first is operative when she wants something. The second kicks in when I want something. Guess which is faster?

I called her back when I got in.

She needed to know her WiFi password. I set up the wireless for her, but totally forgot the password. It seemed (and turned out to be) apropos when it was originally conjured. Problem is there are thousands of apropos passwords!

I tunneled into her computer with LogMeIn.com. It’s very reliable and resides permanently on her laptop.

Nowadays and on new installs I mainly use TeamViewer.com which seems a little more robust. More importantly it’s easy when my patient needs to be talked through its installation.

From Connecticut, but on her laptop in California, I quickly located, unzipped and executed a program to crack WiFi passwords. The virus protector zapped it on contact!

Oops.

Any program which plays with the system files necessary to recover encrypted data is looked at suspiciously. Understandable.

I tried turning off the virus protection. It wouldn’t fully shut down. Antivirus software looks suspiciously at that too! Frustration was setting in.

Finally I opened a browser and probed her router. It’s got a little built-in website to allow for configuration. Hidden away in obscurity was the password. It was fully in the clear. There was no encryption.

She’s happy. I am the man.