How the Media Gets it Wrong On Infosec

Just another WordPress.com site

Why passwords suck

leave a comment »

You have all heard the importance of using strong passwords, however in recent events it’s become clear not a single goddamn one of us is paying the least bit of attention to this, so that tells me that the problem will not solve itself and that end users cannot be trusted to secure their own accounts.

Google has also noticed this problem and has started allowing a 2 factor authentication system to be used to help secure a users account from their own stupidity.
Steam also implemented a similar system and made it the default. They have ensured that it doesn’t matter if you use the same password for gmail as you do for steam, they know your password is “password” and that you use it everywhere. They have begun to acknowledge that you can’t be trusted.  This is a good thing. You as an end user should demand similar protections on other services as well, go harass the OSS community to write open source software for this.  Go complain to Microsoft that you want these protections and are willing to pay for the ability to safety have a terrible password, because you have a terrible password without this protection right now.

When this happens yes of course some clever hacker will find ways around it,  but for the majority of database thefts and phishing attempts it will stop them from changing you Facebook profile photo to a giant purple dildo for their own amusement. It will help when your favorite video game company loses a pissing contest with hackers…

Written by laurelaibailey

July 2, 2011 at 6:17 am

Posted in Uncategorized

Crowdleaks

with one comment

I will be returning to crowdleaks soon, while i still will post here as well the majority of my writing will be found at crowdleaks.org

Written by laurelaibailey

June 30, 2011 at 10:23 am

Posted in Uncategorized

Why arresting lulzsec won’t change anything

with 21 comments

EDIT: Seems lulzsec proved me right http://pastebin.com/1znEGmHa now it really won’t matter if they are arrested, and they have completed their apparent objective of fueling the antisec movement.

 

 

Federal law enforcement agencies from around the world have been working to arrest members of the group known as lulzsec. Love them or hate them lulzsec has changed how the public views hackers and hacking. It has brought more attention to the cyber world and the cultures that develop there, and they have changed how some hackers operate Instead of quietly hacking smaller websites or targets of personal interest, they hack or attempt to hack government targets and post about it on social network and public chat rooms. Lulzsec declared war on the US Government and others like them have answered the call to arms. By doing this lulzsec has ensured that even if they themselves are caught their cause will live on without them, in fact if caught this would only likely motivate their followers further.

These “daughter groups” seem based on their region , on twitter I have seen “lulzsec” based groups for brazil and there have been reports of graffiti tags showing the word “antisec” and lulzsec’s mascot image in San Diego, I do not know how many other groups such as this are out there, but considering lulzsec’s over 200,000 twitter followers the number could be significant. Considering law enforcement’s history with dealing with cell based groups if they seriously want to stop the antisec movement they are going to need a different approach  than the one they are currently taking, fighting them directly is only going to expand the antisec movement and fuel its anger.

Right now lulzsec and its allies have the advantage because their operation is popular and costs very little to operate but does a significant amount of damage, while Government forces cost significant amounts of money to train and operate and do very little damage. Considering how slow that governments are to adopt change, even when it directly benefits them lulzsec and its allies will be at this for quite some time.

If the governments were truly serious about stopping this threat they would  work to defuse the anger and outright hate people feel toward the government these days, they would take steps to show people that they are not the bad guys and stop taking such a hard approach.  They would pay more attention to public perceptions and address the issues that people have in a honest and transparent manner, being answerable to the  public when questions are asked. For example there may be a perfectly rational explaination as to why the FBI took servers that didn’t seem to have anything to do with lulzsec from DigitalOne, but the people will never know why because they won’t comment, and when they do people feel like what they are told does not really explain anything, so without answers from official sources right away, people will just draw logical conclusions based on the available evidence , and said evidence makes it look like the FBI has no idea what it is doing and they have good reason to believe that.

As of late the governments actions in public have been disastrous and it has gotten to the point where people feel compelled to act to stop it. People feel like their rights are being stripped away and that they have no control over their own private lives. They are afraid. So when someone comes along and is not afraid, and not only not afraid but willing and able to act against the target of their fears, they rally around them and support them, feeling less afraid to act themselves, and after enough time they lose all fear of any legal repercussions because they believe they are morally right. This is the point we are at right now, they have motivated and emboldened people that the government has alienated and ignored. Stopping lulzsec won’t stop antisec, in fact it will likely do the opposite. The game has been changed, and right now the only winning move is not to play.

Written by laurelaibailey

June 25, 2011 at 4:48 pm

Posted in lulzsec

Tagged with , ,

Why hackers and Al-Qaeda have nothing in common.

with one comment

In a recent article by channel4.com Gregory Evans was interviewed and asked questions regarding hacking compared to his time and now.

Let us dissect this article and we will soon see why it is complete bulls**t.

“In the late 1990s Gregory Evans is said to have been one of the FBI‘s most wanted computer hackers. He made millions of dollars but after serving a prison sentence was ordered to pay back nearly $10 million.” 

Now he runs a security company helping others prevent cyber attack.

He states ” Before, it was just a whole bunch of kids trying to do mischief and trying to break into a system to see what they could access to be curious. It was not to shut down companies. People would hack systems just to see how it worked and get in.”

This from the guy who made millions of dollars from hacking???

Are you serious??

Let me get this right, you made millions of dollars from hacking, but it was just out of curiosity…

Right…

 

Now I know most of the kids of that day and a lot of them today indeed do it just out of curiosity, but you sir were not one of them.

Thats why you sell your services as a security consultant now..

Lets move on shall we..

Is hacking now dominated by Distributed Denial of Service (DDoS) attacks?

Yes. You see a lot of DDoS attacks. They are a lot easier to perform to knock a website offline. You can use a lot of computers where the owner doesn’t even know. You can just put in an IP address or a web address and send over so many requests at the same time to knock off a site. That is not hacking because they never came in. It’s like someone coming over to your house and beating on the door and the door opens and you step in. They didn’t break the law just for banging on the door. However if they step in and access information, then that’s illegal.”

No dude..DDOS is like parking a thousand cars in front of your garage door so nobody can get in or out. Hacking is like crawling into the ventilation shafts to get into a vault. Do you even know how DDOS works? The only correct thing he said was that DDOS is not hacking. And guess what DDOS is illegal! Ryan Cleary just got arrested for it!

Moving on…

“How significant do you think social media is in this current wave?

Social media is very big. I think the founders of Facebook and Twitter are more powerful than the President of the United States. We’ve seen earlier this year how social media was used to actually overthrow governments in the Middle East. Social media is a great way for some of these hackers to meet before they go into private chatrooms and start chatting about hacking. Social media also plays a big part in identity theft as well. Facebook is currently working on a face recognition application. If you put up a picture, it will go through Facebook’s half a billion users and try to match up who that face belongs to. That’s kind of scary.”

More powerful than the US president? You mean that facebook can order the military to war now? News to me… And facebook didnt overthrow those governments, the people of those countries did, they just talked about it on facebook while it happened, like everyone else talks about their lives on facebook….

Do you think the authorities are doing a good job of tracing suspected hackers?

I think they are doing what they can. To me hackers are more dangerous than al-Qaeda right now. So, we need to spend more time and resources on that before I can fully say they are doing a good job. The hackers are like bogie men though. That’s why it’s so hard to catch them.”

More dangerous than an international terrorist organization with a kill count in the thousands, a bunch of kids who at the worst have done monetary damage to a company and at the least have just annoyed some administrators are *more dangerous* then the people who blew up the world trade center, do you have no shame sir??

What kind of punishment can hackers expect if convicted in the US?

I’ve seen everything from three years to 20 years. They have to make the laws, not just in this country, but all countries more strict.”

What so some kid doesn’t start another company just like yours? You stole millions of dollars, *you* did far worse than lulzsec ever did.

This article is completely full of crap, this is the noise that people listen to, and the lies they swallow daily about infosec, if you ever want to know why companies like Sony got hacked you can blame guys like Gregory Evans for selling them a false sense of security.

Written by laurelaibailey

June 23, 2011 at 9:23 am

Posted in bulls**t

On Lulzsec and Ryan Cleary

with 5 comments

Various media organizations have reported on the arrest of one Ryan Cleary implying or sometimes outright claiming he is the leader of the group known as Lulzsec, as someone who has observed lulzsec’s public communication channels and twitter feeds I found this very surprising because Ryan ran the new encyclopediadramatica servers,  and while lulzsec did have a channel there Ryan did not appear to take any major part in the channel’s operations or conversations. Now this could indicate that if he was the leader of this group he kept very quiet about it and that would make a lot of sense, but if you look at the actual charges set against him it becomes clear he is being charged with various DDOS attacks going back years, not with any of the many hacks lulzsec has taken credit for. The charges did not mention the Sony hack or any other server breaches, in other words he isn’t lulzsec and Law Enforcement knows this or else they would have charged him (the supposed leader) with these crimes.

Lets put this into perspective for those of us who are not technically minded, a DDOS attack simply prevents a server from connecting to the internet, and once it stops the server comes back online as it was before the attack. It is the digital equivalent of a sit-in protest.

Hacking is breaking in to the server itself. It is the digital equivalent of walking into a place of business that had its doors and vaults unlocked and a single security guard who was asleep and drunk and stealing their internal documents and mass dropping copies all over the streets for all the public to see, after of course they drew a penis on the face of the passed out guard and spray painted the insides with dirty limericks.

Now it seems more probable that the operatives from lulzsec simply asked Ryan to DDOS sites of interest to “entertain the audience” while they worked on more serious projects. It is brazenly obvious that lulzsec wants public attention, especially when it comes to information security matters, to quote Patrick Gray “They’re pointing at the elephant in the room and saying “LOOK AT THE GIGANTIC FUCKING ELEPHANT IN THE ROOM ZOMG WHY CAN’T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!” and finally the world is listening. Experts have been saying for years how insecure major companies are with personal and private information and nobody listened to them. They went to the media, they wrote blogs, they even offered to help them fix it. Nobody listened. Now someone is finally doing what they all said *could* happen if they did not secure the data they had properly. They took it and showed it to the public.  Instead of holding on to the data and quietly exploiting it they shoved it down your throat that the people you thought you could trust with your data were not so trustworthy after all.

How did this happen?

Lulzsec usually uses attacks already known to the public, attacks that have easy solutions for administrators to protect against. SQL Injection and Remote File Inclusion these attacks are easy to test for by administrators and also easy to correct. They have been around for many years and should be few and far between, supposedly just a mark of a novice administrator to make such a mistake. In other words Sony should have and probably did know better. The question you should be asking Sony is “Why didn’t  you care enough about us to protect the private data we gave you?” and you should be asking yourself what about the other hackers who do not want to disclose to the public what they do, but instead want to quietly infiltrate as much of the internet as they can for as long as they can already knew about this hole in Sony, and other holes that they haven’t disclosed. How do you know your data isn’t being bought and sold right now?

It’s the quiet ones you have to worry about.

The media is also painting lulzsec as this new threat to information security, like they are doing something totally new and unexpected when the reality of the matter is there are a lot more hackers out there besides lulzsec. You do not hear about them on the news. You do however notice that mysterious charge on your credit card bill and you notice weird little things about electronic information, data that just vanished or a program that just doesn’t quite work the way it used to. While there are many explanations for these events one of the things that could have happened that most people do not consider is a computer intrusion of some kind. If you see charges on your credit card your first and most logical response is to ask your family members if they used it without permission, usually this is going to be the case, but if your child or spouse denies this , consider the possibility that they may be telling the truth. Maybe your favorite website is having a hiccup and dropped some of your info on accident, it happens but maybe someones been playing around in the databases how would you know?  Or perhaps your favorite application is having some unexpected performance issues, it could be the latest patches broke something and you need to submit a bug, or it could be your antivirus is not as good as it claims to be and you have been infected with a virus that takes screen shots of your activity and sends them to the hacker so he can sell your information on the black market.

The biggest threat to Information Security is ignorance.

You see, lulzsec is not our biggest security concern by a long shot nor is the kid botnet herder who was arrested recently or those like him. It isn’t even the guy who wrote the code the kids use to make the botnets, its the millions of computers on the internet that are not secure, we live in an era of information technology, nearly everyone in the modern world has internet access and most people have very little knowledge when it comes to basic security practices for computers. And what little they do know is probably wrong.

You don’t leave your car unlocked and you don’t leave your safe open and your door wide for the world to see. So why do many people do the digital equivalent?  It is not because they don’t want to be safe, it is because they do not know how. If they did, most of the botnets would disappear and most of the stolen credit card black markets would dry up. If the administrators of the servers on the net payed the least attention to their jobs lulzsec would not even exist, and the only reason they had not been compromised already was sheer dumb luck.

In some twisted manner we have lulzsec to thank for bringing the reality of our situation to light.

Written by laurelaibailey

June 23, 2011 at 7:15 am

Posted in lulzsec

Follow

Get every new post delivered to your Inbox.