Archive for July, 2005

Jul 20 2005

The Moon is made of cheese!

Published by under General

Zoom in to maximum magnification!

Google Moon


Jul 20 2005

What privacy?

Published by under General

Privacy is easy to breach

I’ve had this article sitting on my desktop for several days. I’ve been letting it age a little so I can clarify my own feelings about what David Lazarus has to say. And quite frankly this article scares me. It makes me realize that, to a large extent, privacy as we knew it in the 20th century is dead.

Mr. Lazarus is using technology that is available to almost everyone out there, to prove a point: with very little information it is possible to find out a lot about anyone, even the identity of a CIA agent. He lists a number of sites online that are used every day for more mundane purposes that can be leveraged into revealing vast amounts of information on almost anyone. Though several of the tools require a subscription, he points out that access isn’t all that hard to get. And keep in mind that all of this work he did took less than half an hour.

I used Zabasearch.com to look myself up after reading this article. A quick search turned up data that mixed my information with that of my father’s, and will probably include my son when he’s older. (The joy of being the first, second and third of the same name.) But most of the information contained in the reply was correct, and probably enough for someone to find me. Google Earth provides satellite photos that appear to be updated frequently enough for me to tell where I parked my truck last week. A little more digging would probably reveal my date of birth, then all someone needs is my Social Security number, and my identity is stolen. Or, to think of it another way, if someone does manage to get my SSN, it’s probably only half an hour to find out everything else they’d need to steal my identity.

It’s out there. Your information is out there, for anyone with a modicum of skill to find. And it’s not going to change; there’s no way to put the djinni back in the bottle. So what steps do we take to prevent the problem from getting worse? Protect the information that’s not already out there, that’s what.

Your address is a lost cause, as is your phone number, unless you really want to get an unlisted number and protect it. Don’t lose too much sleep on those. But protect your SSN, your birthday, credit card numbers and all other financial information. Be very careful about the credit cards you use for any online purchases, and only use merchants you trust. Consider buying a shredder, since some identity theft happens the old-fashioned way, dumpster diving. One of the steps I may be taking is freezing my credit. That way, a would-be identity thief would have to compromise my phone and/or email in addition to everything else. If your name shows up on any of the lists of stolen credit card information, I’d definitely freeze my credit.

Finding information on someone now takes seconds, not the minutes or days of the last century. Much of our information is already out there and easy to find. We have to protect what little privacy we have left.

A little side question for the truly paranoid: If the Google Earth satellite is capable of taking pictures that allow me to see where my car is parked, how much detail are the government satellites capable of? Suddenly, some of the premises in the movie ‘Enemy of the State’ aren’t quite so unbelievable anymore.


One response so far

Jul 14 2005

Multipot

Published by under Hacking

iDEFENSE Labs

Multipot is a new honeypot designed to emulate multiple vulnerable systems. Not that you couldn’t have figured that out from the title. Information on the software is sparse, at least on the site. There is more information contained in the bundle, but it would have been nice if they’d at least given some information such as hardware and software requirements on the main page.

It figures. I just gave my last spare computer to a friend last night. I wonder if my wife or children would be willing to give up their computers in the name of science. Or at least my hobby. Maybe someone out there will figure out how to get this running on one of the various LiveCDs.


Jul 13 2005

LinkedIn

Published by under General

I’ve recently been playing with LinkedIn. I’d signed up for LinkedIn some time ago, and forgotten about it until a (very) large number of people on one of the mailing lists I frequent started to discuss it. I understand the concept of social networking, but it has never been one of my best skills. I’m prone to losing contact information or not wanting to use contacts for various reasons. And I’m getting to a point in my career where the people I know may be more important than the technologies I know.

So, now I’m curious. Do you use LinkedIn or a similar alternative? What have your experiences been, both good and bad? Are there any hidden gems or pitfalls that I should be aware of?

Personally, I’m having a bit of a hard time getting used to the user interface. Several features that have been suggested to me, such as joining a group, have been hard to find and less than intuitive. I kept confusing the link for adding a contact with the link to request contact, and have had to reinvite several people because of it. I like the listing of all the people in a group, but joining a group isn’t easy.

I’m hoping to use LinkedIn to further my career in the long run, and maybe find my next position in the short run. I’ve been told that it was originally meant to be a tool to help sales people find leads, but it has the potential to be a lot more. I’ll let you know what I find as I explore.


3 responses so far

Jul 11 2005

Glad to see some common sense

Published by under Simple Security

NY1: Top Stories

Port Authority: “Disable cellphones in the tunnels and bridges! Someone might use a cell phone to detonate a bomb!”

Police: “Yeah, but what about all those people who need to make emergency calls from there on a daily basis?”

I’m glad to see that cooler heads prevailed on this issue. Basically, the Metropolitan Transit Authority cut off all cell phone transmitters in most of the major arteries into and out of New York on the off chance that a terrorist might be considering using a cell phone to trigger a bomb in one of the tunnels. This was done in response to the bombings in London last week.

If you’ve ever read anything from you’ll know that security measures like this are going to do more harm than good, both in the long run and the short run. Shutting off the cell phones isn’t going to stop them, it’s just going to make them find a different way to set off the same exact bomb. Commuters, on the other hand, are going to find it nearly impossible to report accidents or call for help in the tunnels. You tell me which is more likely: a terrorist bomb or traffic accident?

On a related note, here’s a link to Mr. Schneier’s opinion on the continuing ban on cell phones on planes due to security concerns, which nicely echoes the situation in the tunnels.


One response so far

Jul 11 2005

No disaster un-exploited

Published by under Malware

VXers release ‘London bombing’ Trojan | The Register

I knew this would happen, as did most people, but it sickens me when people take advantage of a horrible tragedy like the London bombings. I guess some people will just do anything to make a buck. Of course, these are Trojan writers, so I shouldn’t be surprised.


Jul 11 2005

No special treatment from MS

Published by under Microsoft

Microsoft denies Claria special treatment: ZDNet Australia: News: Software

Of course Microsoft wouldn’t give special treatment to a company they were thinking about buying, now would they? I make no bones about it, I’m not MS’s biggest fan, at least security-wise. But I’m also not their biggest detractor either. But I do have to say that it’s a little funny that Claria, of all companies, would be downgraded. These are the people who used to be Gator, and are one of the pioneers of spyware.

I, for one, will not be using a Microsoft anti-spyware or anti-virus product any time in the future. They can’t get IE to work right, so they bought an anti-spyware company to shore up the weakness. I guess they’re trying to combat the spread of Firefox.

On a related note, there was a rumor going around that the beta was showing Firefox as malware. There were screenshots on the web, and one of my coworkers claimed he had seen this happen himself. Well, either it changed quickly or never happened to begin with, because he couldn’t reproduce the results and the screenshot was proven to be a hoax. Some people will do anything to make Microsoft look bad, but why bother? They do enough stoopid things that they look bad all on their own.


Jul 07 2005

Changing face of the Internet

Published by under Hacking

This is not your Father’s Hacker

Here’s an article on how the nature of the bad guys on the Internet is changing. Where it used to be that the majority of the hackers out there were talented programmers or script kiddies, nowadays the real hackers are working for organized crime and earning the big bucks. It has a couple of comments on the writer of the Sasser worm that I hadn’t read before, but other than that, nothing really new. And that’s why I decided to link to this article.

There really hasn’t been much of a change to the nature of the Internet, at least in the last several months; I think it’s our awareness of what changed several years ago that is finally bubbling to the surface. We’ve known for years that Russia and other former Eastern Bloc states have well-organized online criminal groups. They make little real effort to hide, since the law in their areas is too overstressed with other issues to take on cybercrime. And they make money hand over fist from what I’ve been reading.

If there is anything that makes criminals as a whole pay attention it’s money. But here in the States, the bad guys have to be a little more careful, or at least more circumspect in their crimes. The FBI and local law enforcement still seem to treat cybercrime as low man on the totem pole, but they are starting to pursue online offenses more and more. So the criminals saw an area that offered great possible profits with minimal law enforcement involvement. Who can blame them for moving into a perceived void?

Malware and hacking are following much the same pattern that the Internet did itself not too long ago. First, a few talented hacks got involved to explore what could be done. Then a larger audience began using what they’d developed. Then big business saw a possibility for profit and took over. The only difference is that it’s organized crime that’s seen the possible profit and organized the hackers.


Jul 06 2005

Where’s the leak

Published by under Hacking

Hackers may have nicked Israel’s nuclear secrets

The hackers managed to access nuclear secrets in Israel not through hacking the government, but rather by spreading a virus in a much less heavily secured vendor network. The most recent credit card data leaks have also come from compromises in a contractor’s network. It’s no longer enough to implement and verify security solutions on your own network; you have to verify the network of anyone you share data with.


Jul 06 2005

Crossing the line

Published by under General

State: Wi-Fi cloaks a new breed of intruder

War driving is fun, war driving is educational, and war driving can be exciting, but when you start using one of the open access points you’ve found, you’re breaking the law. Lack of a banner or encryption does not equate to permission to use an access point.

The gentleman in this story found out the hard way that this is a punishable offense. I don’t know exactly what ‘third-degree felony’ is, but I doubt it’s something you really want on your record. Will the local police end up trading a guilty plea for a lesser charge, or will they try to make an example of him? I guess a lot of that depends on what he was using the access for and how cooperative he has been with the law, but I’m guessing he will be used as an example.


2 responses so far
