2015 Cyberattack on the German Parliament – Probably by the folks who hacked the DNC

An interesting read on how a cyberattack – similar to what was apparently done to the Democratic National Committee in 2016 – unfolded in Germany. Cyberattack on the Bundestag: Merkel and the Fancy Bear | ZEIT ONLINE

This is a long article on how the Germans discovered the attack, and what they did about it.

The lethargic pace of the bureaucracy is most interesting. Days elapsed after they were warned of the existence of the attack. The way different bits of the government don’t work very well together. The fact that politicians were shocked – shocked! – to discover that they might be the target of hackers.

Adylkuzz: Worse than WannaCry?

What a surprise. (NOT!) There is another exploit that uses the unpatched computers attacked by the WannaCry ransomware worm. Adylkuzz hack, called larger than WannaCry, slows computers across the globe – CBS News

Monero is a crypto-currency, similar to Bitcoin. Adylkuzz takes over vulnerable computers to mine for Monero.

If you don’t understand that previous paragraph, you should make DAMN sure that you keep all of your computers up-to-date, and surf the web as little as possible, and DON’T open emails from folks you don’t know.

It’s a beautiful exploit really. These guys are probably making more than the folks behind WannaCry did, and most people won’t even realize that their computers are infected.

And all of this is the result of the NSA hoarding vulnerabilities so they could spy on us. (Well, and the insistence of folks who don’t know better that they can’t be bothered keeping up with security.)

WannaCry: You Probably Haven’t Even Seen the Beginning – Let Alone the End

This latest cyber attack has been called a “wake-up call.” But no one will wake up. Ransomware attack ‘like having a Tomahawk missile stolen’, says Microsoft boss | Technology | The Guardian. (The name of this malware – WannaCry – always makes me think of the song “She Makes Me Wanna Die” from the soundtrack of The Replacement Killers. The video is at the end of this post.)

The cyber attack on Friday was stopped. (More on that in a bit.) But the fix was likely temporary. And new versions without a “kill switch” have been reported in the wild. So buckle-up buttercup, cause it gets bumpy from here.

Security officials around the world are scrambling to find who was behind the attack which affected 200,000 computer users and closed factories, hospitals and schools by using malicious software that is believed to have been stolen from the US National Security Agency.

Can you imagine the devastation that would be unleashed if the .gov got a backdoor into every smartphone? Because they clearly can’t be trusted to keep secret things secret.

Businesses and hospitals were running PCs with Windows XP, and claiming that they are “critical infrastructure” and they also exposed those PCs to the public internet. What a bunch of idiots.

As I said the other day: if you are running “critical” systems on an operating system that isn’t supported, or you aren’t keeping up with the security updates, then treat it like a critical system and take it off the public internet.

  1. Make your system separate from the Internet. A hard gap. No access to the outside, only access to the features (like medical records) that are critical. (And no access to email, etc.)
  2. Commit to keeping your systems up-to-date. That means applying every MS Patch Tuesday update, and updates for all your application software (including such things as PDF readers). Not as foolproof as 1, but you can say you are doing your best.
  3. Go back to keeping records with pen and paper.

Of course, no one will do this. Executives/Administrators/Powers-that-be will claim it is critical, and that it MUST be available on the internet, that we can’t possibly keep up with monthly security updates, or afford new hardware, and it isn’t our fault. It’s the fault of those damn folks in Information Technology who didn’t scream loud enough about this being a problem. We didn’t believe them when they spoke calmly.

Some Simple Steps Toward Online Privacy and Security

I value my privacy. That is one of the reasons I live where I do. (In the country) I don’t have nosy neighbors to deal with every day. My neighbors and I talk when there is a reason to do so.

I also value my online privacy. I don’t want to be a “product” for Google, or Facebook or whoever. So I do things to safeguard my privacy. Google tracks every search you make, back to you as an individual. Facebook tracks you even if you are not logged on to Facebook. (Every site that has a Facebook “Like” button is tracking you.) And they sell that information about you to other companies.

Google and Facebook – not to mention the CIA/NSA/FBI/EIEIO – want you to believe that privacy is impossible. That security is impossible. Because if you think it is impossible, or even just really hard, you won’t even bother to try to secure your technology. But it isn’t that hard to have decent privacy and security. And it isn’t just the .gov or the big corporations that want your information. Hackers are looking too.

So here is a list of things you can do. Some are easy to do; some are a bit harder. Some are free, while some cost a little. While the list isn’t in order of importance, or effect, the first 3 items on this list should take you less than 10 minutes – total. And you only have to do them once (or until you get a new computer or switch to a new browser.) The rest of the items are a bit more complex, but they are not impossible. Do one thing a day for a week. Or do one thing a week if they seem overly complicated. Even if you only do one thing a month, you will have much better security in a fairly short time. Do something.

  • Use a Search Engine That Doesn’t Track Every Query.

    There are a couple of alternatives to Google. And not Yahoo or Bing. (They aspire to be Google.) DuckDuckGo is the easiest (though you have to install an extension in Chrome to set it as your default search engine because Google REALLY doesn’t want you to have any options). Disconnect is another option. There are probably more choices to cut off the tracking of everything you do. I started using DuckDuckGo when Google stopped answering the queries I typed in and started answering what they THOUGHT I wanted to know. Also Google has a tendency to shortchange any site connected to firearms or the 2nd Amendment. (Which is a subject near and dear to my heart.) There are probably other subjects that Google is downplaying. (That said, I do use Google, Yahoo and Bing on occasion.)

  • Disable 3rd Party Cookies in Your Browser.

    This isn’t a fool-proof method, but the folks who write tracking software still complain about Apple’s Safari browser – it is the ONLY browser that ships with 3rd party cookies disabled by default. How to turn them off depends on which browser you use. But look under “settings” or “options” for something about content or privacy. The browsers have good help – mostly.

  • Install Privacy Protection Extensions in Your Browser.

    Privacy Badger from the EFF blocks all kinds of things that are stealing your info – and potentially loading Malware on your system. It is available for Gecko-based browsers (Firefox, Pale Moon, etc.) and Chromium-based browsers (Chrome, Opera, Vivaldi, etc.). I am not sure about Microsoft’s browsers or Safari.

    uBlock Origin (not uBlock, uBlockPlus, or any of the others) is a fairly efficient ad-blocker that will shut down tracking-based ads. And the potential spyware, etc. that can come along with ads. Available for Gecko and Chromium browsers as well as Microsoft’s Edge. (Some of these may be available for your mobile devices as well.)

Hacker Shows That Dallas Area Emergency Sirens Are Not Secure. Officials are Angry.

They should be embarrassed. This isn’t 1997, it is 2017. Infrastructure needs to be secured against hacking. But they are all “appalled at the attack.” Hacker Set Off All Dallas Emergency Sirens in Middle of Night, City Says – NBC News

A city spokesman said all 156 emergency sirens were activated at 11:42 p.m. Friday, and the office of emergency management service agency eventually disabled the entire system at 1:17 a.m.

Here is the money quote.

The OEM hopes to have the system back up and running, with safeguards to prevent another hack, by Sunday night.

So the million dollar question is, “Why weren’t those safeguards in place last week?” Here are some other questions: When was the last security audit by an outside firm? (Can you spell “Red Team?”) What amount of the budget is dedicated to security? Are other aspects of the public infrastructure at similar risk? Who is that OEM, and how did they get the contract? (I don’t expect any of these questions to be answered.)

If you think this is only a problem in Dallas, there is probably some Florida swampland still available for purchase.

Uber Data Used to Spy on Folks Including Celebrities

Security? What’s that? Uber allegedly spied on users, including celebrities like Beyoncé | Fox News

So you think security isn’t an issue? How about stalking? What do you think about that?

Uber employees helped ex-boyfriends stalk ex-girlfriends, and were even able to access trip information for celebrities like Beyonce, Reveal News explains. These revelations come from the company’s former in-house forensic investigator Ward Spangenberg.

Just like in the case of the sexual harassment story, Uber decided to blame the whistle-blower instead of addressing the problem.

Spangenberg objected to the company’s “reckless and illegal practices” and Uber fired him 11 months after he joined the company in March 2015. Uber says it fired Spangenberg because he violated a code of conduct policy and reformatted his computer. The security expert argued that he simply began rebuilding the laptop after a crash.

The only safe information is your credit card data, because Uber doesn’t store that – their bank does. So why does Uber need your Social Security Number?

“When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications,” Michael Sierchio, who was a senior security engineer at Uber, told the site. “It didn’t require anyone’s approval.”

Uber was allegedly more interested in fast growth than enforcing strong security. “Early on, ‘growth at all costs’ was the mantra, so you can imagine that security was an afterthought,” Sierchio added. “One of the things I was told is, ‘It’s not a security company.'”

Uber and their ilk are painted as the future of everything. Technology to rule your life. (Do I hear echoes of “One ring to rule them all?”) And these are the people you want to put in charge of security.

Their self-driving cars… How much security is built into that? Will ex-boyfriends be able to crash their ex-girlfriends’ cars, and not just know where they are?

Vendée Globe Update 17 November 2016

Alone. Nonstop. Around-the-World. No Assistance. That is the Vendée Globe.

The leaders in the Vendée Globe have crossed the equator into the Southern Atlantic.

The video is quite long, and you probably aren’t interested in the whole thing, but the first minutes are interesting, and then there is an interview with Rich Wilson, skipper of Great American IV, which starts at the 14 minute, 20 second mark. Rich Wilson is 66-years-old, and sailing in his 2nd Vendée Globe. He is running a global education program while sailing the race.

The race has been going on long enough that the first mechanical problems are beginning to show up. Rig problems. Hydraulic leaks. Generator problems.

Ranking on 17 November at 17:00 GMT

1. Alex Thomson (Hugo Boss) 20,830.6 miles from the finish
2. Armel Le Cleac’h (Banque Populaire VIII) 84.6 miles behind the leader
3. Sébastien Josse (Edmond de Rothschild) 93 miles back
4. Vincent Riou (PRB) 118.2 miles back
5. Paul Meilhat (SMA) 183.5 miles back
6. Morgan Lagravière (Safran) 204.8 miles back
7. Jérémie Beyou (Maître CoQ) 271.1 miles back
8. Yann Eliès (Queguiner Leucémie Espoir) 414.3 miles back
9. Jean Le Cam (Finistère Mer Vent) 545.4 miles back
10. Jean-Pierre Dick (St Michel-Virbac) 602.9 miles back