Archive for November, 2010

29 November 2010

US secrets leak gives cause for thought

A CD-RW with Lady Gaga written on it became the vehicle for over 250,000 leaked US state department cables sent from, or to, US embassies all around the world. This news story has made headlines the world over and put egg on the faces of the US diplomatic service, which is part of the US state department — the equivalent of the UK’s foreign office.

The results were passed to WikiLeaks, a “not-for-profit media organisation” whose aim “is to bring important news and information to the public” based on principles of “the defence of freedom of speech and media publishing”. They were passed to the Guardian on a USB stick and it, along with three other newspapers — the New York Times in the US, Der Spiegel in Germany, Le Monde in France and El País in Spain — has started to publish the thousands of snippets of information these documents contain.

The culprit is said to be soldier Bradley Manning, an intelligence specialist who smuggled the CD-RW out of the intelligence service, and who has been behind bars for seven months as a result and faces a court martial. After the data heist, he said in a chatlog that he “had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months” and sang along to Lady Gaga “while exfiltrating possibly the largest data spillage in American history”.

The reaction from official forces has been predictably furious, although the editor of the Guardian described the leaks as embarrassing for the US rather than damaging.

But all that aside, what does it say for the security of the US’ diplomatic intelligence service? The fact that it took only a simple mistake of not configuring official computers so that they were unable to burn CDs or copy data onto USB memory sticks is ludicrous. But it highlights one key aspect of security that applies whether you are the US state department or anyone who has a computer at home.

Security is a state of mind. What seems to have happened is that, once the individual who leaked the information had passed muster, probably by typing in a username and password, he was allowed to access everything on the department’s servers. It suggests that the security hierarchy is pretty flat, with little granularity of access. Additionally, it shows that physical access to a device attached to servers is not seen as something to be controlled, at least to the extent that you are able to take data away with you on a physical medium.

So the state of mind of those who set up the machines seems to have been that the possession of a username and password (or maybe some form of biometric identification — there’s no suggestion that Manning falsified his identity) meant he was trustworthy enough to give access to a huge range of secrets.

While your PC might not contain information quite so portentous — though of course it might, I don’t know — it might make you wonder whether your security setup is as secure as you need it to be, especially if you share your machine. And do you trust yourself…?

22 November 2010

Could your Apple iPad give away your data?

I read a blog today. The blog’s author compared the much-lauded (but in my view highly overrated) Apple iPad against laptops in general, and highlighted several features that iPad has that laptops should emulate.

Well yes, maybe. The one that caught my eye was the issue of instant-on. “You can click the iPad’s power button and it is instantly ready to pull up a web page, calendar or email”, the blogger wrote. Yes, of course we all want computers to be instantly available as soon as we press that button, but Apple is very good at making devices that appear to be easy to use but which, after a few minutes’ thought — or, often, after a few hours of ownership and intensive use — turn out to be not quite so smart after all.

The only issue with instant-on is that anyone can do it. The person who steals your iPad that you carelessly left on the coffee-shop table as you order another skinny latte, or who lifts it from your bag on a crowded train or bus will have no problem turning it on and gaining instant access to your stuff: your email, your Facebook page, your passwords, personal information…. Your life.

If it never leaves the home then maybe that’s a different story. But wait: burglars can and do steal computers if they’re small enough to walk away with without looking suspicious, and I believe an iPad qualifies. Or your small (or not so small) child — or lodgers or whoever — can come along and press all sorts of buttons with neither let nor hindrance, leading to all sorts of weirdnesses.

Aren’t we lucky the iPad is so convenient?

A combination of username and password is not the most secure way of protecting data but, when balancing convenience against security, it’s good enough and should deter most thieves.

Many years ago, my IBM ThinkPad laptop was among the goodies taken away by a burglar and, about three years later, I received a phone call from someone (who purported to be and might well have been an innocent buyer) who had managed to find out where it came from and wanted the password for it.

Of course I refused, not knowing where the machine was, who had it, or what stuff that I wanted might still be on it. But I was satisfied that the ThinkPad had industrial-strength, password-protected encryption and that the data would be unavailable to whomever: they would have to wipe the disk to make any use of the machine.

So when you read that convenience is the sole criterion of value, think hard: data on portable devices can end up anywhere and instant-on could mean instant bye-bye to your personal data. So if you have one, use the password feature. It might be a little inconvenient most of the time, but it will be very convenient the one time it’s really needed.

Kroxxu botnet’s secrets revealed

Avast’s Jiri Sejtko, head of virus research at the company’s virus lab, has written a fascinating account of how he tracked down Kroxxu, a botnet based on infected websites with the aim of stealing passwords.

Since its inception in October 2009, it’s grown to become a network with over 10,000 redirectors, 2,500 PHP redirectors, and over 700 malware distribution sites. The 15 redirectors used in the longest active connection send visitors through seven countries in three continents to infectious exploits, with many of the zombie machines enduring 90 days or more.

It’s worth checking out.

15 November 2010

Phishing takes a new turn

Phishing’s just taken a new turn: scammers have taken to calling people at home to warn them about their anti-virus software and suggesting that they use a certain link to install some new improved software. Of course, it’s not what it seems.

A report in the news today suggests that up to a quarter of UK Internet users may have received such a call — although that sounds like a hugely expensive exercise. Even if it’s a tenth of that, it’s a lot of calls. It seems that the callers offer to repair your PC’s virus problems — but instead install spyware with the aim of stealing valuable personal information. This includes identity data, such as usernames and password combinations, credit card details, bank account details and the like.

A PC security campaign, Get Safe Online, reckons that up to 400 people are employed in dedicated, eastern European or Asian call centres to make this happen. According to Sharon Lemon, deputy director of the UK’s Serious and Organised Crime Agency, they could be paying up to £92,000 monthly to webmasters, presumably running small websites, to advertise their software in ignorance of its true purpose. The fact that they’re spending this much demonstrates the profit levels they must be making.

Other companies call and offer technical support but in fact do no such thing. While not as malicious, it’s still a big security hole, as they ask you to allow them to take over remote control of your PC. One reporter was brave enough to let one of these people onto his PC, and found that they offer a worthless service. He reported that they footle around on your machine for a bit and that’s it. The assumption is that if you’re gullible enough to let them in, you won’t know that what they’re doing is effectively worthless.

I’ll confess that in fact this is not so new: a national newspaper reported a similar phenomenon a few months ago but this is the latest wave.

But if in doubt, don’t respond to cold calls — you probably shouldn’t anyway — and certainly never provide someone whose credentials aren’t cast-iron with access to your computer.

It’s not just you you’re protecting: like any infection, if your machine is compromised, so are a whole host of others.

Avast news

Avast has released news that its software now protects Queen Elizabeth Hospital in King’s Lynn. In 2006, the hospital realised its computer network was insecure after a series of malware attacks penetrated the incumbent anti-virus software, so managers decided to evaluate alternatives. One manager had heard about Avast from a relative who had successfully used it on their home PC so the hospital downloaded a free copy and ran it on a test computer.

It worked, clearing up a mess left by a previous AV package and, as a result, the trust now has Avast running on 118 servers and over 1,500 desktops. Avast claims the trust is very happy with the results over the last four years: better security and good service.

8 November 2010

Watch out for virus on a stick

We’re all used to the ease with which we can move data around using networks — and with USB memory sticks.

While networks came later for most people, the flash memory stick has become the equivalent of the old floppy disk: universal and easy to transport. Except it’s not unusual to find one with 4GB of data while the last mass-market floppy could handle a massive 1.44MB. That’s 0.00014GB. I digress.

The point here is that we know about how networks can be carriers of malware — viruses, spam, and all the other unlovely stuff that some individuals (and groups) create with the express intention of messing up your day. But did you know that the humble USB stick can also be a vector?

That’s because there’s a file on most USB sticks called autorun.inf that tells the PC what program to run when the stick is inserted. If it exists, it runs the application pointed to by the file. The problem is that several malware scripts exploit autorun.inf. When you plug in an infected memory stick, the scripts can change the autorun.inf file so your PC executes the malware which will, at the very least, infect your PC, probably inviting other malware onto it. When you take the stick to another computer, the cycle repeats.

Avast’s technical team recently reported that some 13.5 percent of all malware detected by its software originated from a USB stick. As Avast’s Jan Širmer reports in his blog: “This malware is a worm that starts an executable file which then invites a wide array of malware into the computer. The incoming malware copies itself into the core of the Windows OS and can replicate itself each time the computer is started.”

It’s not the first time this phenomenon has been spotted and it surely won’t be the last as experience teaches us that, when it comes to a tussle between security and convenience, convenience wins every time. Alas, Windows’ autorun feature may be convenient, but the operating system doesn’t make the potentially adverse consequences of opening the contents of a stick in Windows Explorer quite so evident.

However — and there always is a ‘however’ isn’t there? — there is a simple remedy: disable autorun — it’s only a one-off task — to give Avast (or whatever you use) time to scan any USB memory device you connect to your PC before you open it up. Here’s a link to Microsoft’s website that tells you how to do it.
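An added example, not from the original post or from Avast: a small Python inspector that reads the text of an autorun.inf and lists what it would tell Windows to launch, so the file can be checked before the stick is opened. The key names it looks for (open, shellexecute, shell\...\command) are the standard autorun.inf execution entries; the function names and the two sample files are constructed for illustration.

```python
import re

# Keys in the [autorun] section that name something Windows may execute.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_commands(text):
    """Return [(key, command)] for every execution directive in autorun.inf text.

    Parsed by hand rather than with configparser: a file written by malware
    may be padded with junk lines that a strict INI parser rejects outright.
    """
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # junk padding, or a section that launches nothing
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if EXEC_KEYS.match(key) and value:
            found.append((key.lower(), value))
    return found

def verdict(text):
    """'clean' if nothing would be launched, otherwise 'review'."""
    return "review" if autorun_commands(text) else "clean"

# Constructed samples (not taken from any real stick).
LABEL_ONLY = "[autorun]\nlabel=Holiday photos\nicon=photos.ico\n"
PADDED = (
    "xkq93jf0a\n"
    "[AutoRun]\n"
    ";zzzz\n"
    "OPEN = setup.exe /quiet\n"
    "asdf junk line\n"
    "shell\\open\\Command=setup.exe\n"
    "[other]\nopen=ignored.exe\n"
)

if __name__ == "__main__":
    for name, sample in (("label only", LABEL_ONLY), ("padded", PADDED)):
        print(name, verdict(sample), autorun_commands(sample))
```

A “review” verdict only means the file names a program to start; whether that program is malicious is still a job for the scanner.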

One last thing: just because a stick comes from a supposedly reputable source, you cannot assume that the contents of the stick are malware-free: mistakes do and have happened to even the best brands.

Just be aware.

1 November 2010

Take control of your computer

When I get calls from friends and relatives about a problem with their PCs, one of the first things that springs to mind is ‘too much software’.

Most people have fairly simple requirements: they want to browse the web, do emails, write letters, maybe run a spreadsheet or two and perhaps play the odd game. This calls for the installation of, at most, around ten applications if you include an instant messenger, Skype and, rummaging around in my system tray, I also find EditPad Lite, a free, fast and much more capable replacement for Windows’ brain-dead Notepad.

But what do I find when I actually get to take a look at the machine that’s behaving oddly? Usually the symptoms are that it’s slowed to a crawl and there are common causes for that.

These days, lack of memory isn’t as much of an issue as it used to be, as most PCs come with at least 2GB which is fine for light to medium usage — although adding memory remains one of the cheapest and most effective performance upgrades you can buy.

Disk defragmentation, I hear you thinking — but without exception, my most recent call-outs have all insisted that the disk is defragged — Microsoft seems at last to have done a good job on this problem.

No, the problem is usually bloatware. A quick rootle through the task manager’s list of processes shows two or three anti-virus packages, maybe a third party firewall running as well as Windows’ own package, and a whole host of programs that seem designed to add minimal value and maximum CPU utilisation.

Many of these get installed by PC manufacturers because they get paid by software vendors to do so. It helps to keep the prices down but you don’t get something for nothing. Many also get installed by default when you install something entirely unrelated.

My next step is to remove almost all this cruft, explaining what I’m doing along the way just in case the user is really attached to or actually requires the application. At the end of the process, the disk and memory are considerably emptier, the CPU is issuing palpable sighs of relief at not having to churn away at full chat all the time, and the user experience is enhanced.

What prompted this thought was being caught the other day by this secret software installation when Firefox insisted it needed a new version of Adobe’s Flash player. I dutifully downloaded and installed — but didn’t pay enough attention to the install dialog boxes and found myself with an unwanted McAfee AV package. Others have found they get a browser toolbar as well.

It’s so easy to do. So the message this week is to pay attention to your installation dialog boxes and refuse to install stuff that insists, without an option, on installing software you don’t want or whose purpose is unclear.

Not only is this good practice — it’s like keeping those fluff balls from piling up in the corners of your wardrobe — it helps to keep your PC secure as the fewer applications you run, the fewer security holes there are likely to be.
