The Anonymous ‘Movement’?

I’ve been reading way too much of this garbage on the Internet lately, and it is starting to stick in my craw.  Crap like this.  It seems that everyone has accepted that the hacking group Anonymous is above the law, and has some special insight that makes them a voice of reason.  21st century Robin Hoods.  I hope that this is just the result of sensational journalism, and not what people are really believing.

“The beginning years have intensified their activities demonstrating great technical skills.”

No, what it has demonstrated is a disregard for your privacy, a lack of moral fiber, a little too much technical knowledge, and the patience that is common in a good criminal.

“As always, the movement gives voice to social dissent and protest against amendments and decisions of governments guilty of not listening to the masses.”

The Movement?  What bloody movement?  This is a bunch of self-entitled, self-indulgent, egotistical miscreants that are incapable of operating within the confines of the law or rules of society.  These are people that have an abundance of tools, have found cracks in programs and protocols, and are taking advantage of those flaws.  They are no more a movement than the clowns that walk into a bank with a note in one hand and a formidable looking pocket in the other.

Insecure Conference Rooms

The New York Times is reporting that Rapid7 researchers have discovered that they could remotely infiltrate conference rooms in some of the top venture capital, law firms, pharmaceutical and oil companies across North America by simply calling in to unsecured videoconferencing systems found by scanning the internet.

Moore found he was able to listen in on meetings, remotely steer a camera, and zoom in on items in the room to read proprietary information on documents.  Most expensive videoconferencing systems offer encryption, password protection and camera lock down capabilities, but they found that administrators were setting them up outside of firewalls for convenience, and not properly configuring security features.  Some systems were set up to automatically accept inbound calls, opening the way for anyone to call in and eavesdrop on a meeting.

“These are literally some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.”

Time to review your video and conference call setups, folks.  It would be terrible to find out that privileged client or financial information was so easily obtainable AFTER the fact!

Why Do We Network, Socially?

A LinkedIn acquaintance of mine has posed what I believe is a very good question, and has caused me to reflect this weekend.  I have responded, but am frustrated with the very short box (a few hundred letters?  I’m noisier than that!!)  that is allotted to respond.  I will try to say here what I have said on LinkedIn, with the complete freedom to use as many characters as I please.  I would appreciate your input as well, to find out why others use LinkedIn to connect.

HC’s question:  Why do we connect on LinkedIn?  When I log into LinkedIn, I usually see just line after line, “So-and-so is now connected to So-and-so…”.  Okay, that’s great.  Then I see that I have something in my Inbox, and it’s a couple of folks I’ve never met, or perhaps someone who attended a presentation, who wants to connect with me.  For the past couple of months, I’ve been asking folks, “why do you want to connect with me?”  What’s the value in this “relationship” to you?  Most often, the response is, “oh, sorry to offend…”, and then nothing else.  The thing is…I’m not offended.

I too have been asking, if I didn’t invite the link, what the nature of the request is, or how I can help them otherwise.  Again, not intended to offend, I have always been somewhat selective with my Social Networking connections.  I will gladly share information with others, but will try my hardest to avoid sharing others’ information.  In my 5 or so years on LinkedIn I still only have 250 connections.

Microsoft Sues UK Retail Chain For Pirating Windows

ComputerWorld reports that Microsoft is suing a UK retail electronics chain for selling Windows recovery discs to customers, claiming that the practice amounts to piracy.  I think that they are going to be challenged to make a strong case.  It will be interesting to see how this one unfolds.

Microsoft accuses Comet Group PLC of illegally copying Windows XP and Vista to create operating system recovery discs.  These copies were then sold to Windows desktop and laptop customers in 2008 and 2009.  Comet, operating about 250 UK stores, believes it was on solid legal ground.

Comet approached 95,000 PC customers over a 2 year period, and offered to sell them unnecessary recovery discs, according to Microsoft’s anti-piracy legal team.  The recovery software was already provided on the hard drive by the computer manufacturer.

The total take for Comet from this exercise is estimated at about 2.2 million dollars.  Not bad.

So is Comet just fulfilling a need that Microsoft has stopped providing in order to cut costs, or does Comet have some accountability or obligation for controlling how these recovery CDs are used after sale?  My understanding is that Microsoft’s own VAR agreement states that these CDs can be provided by the reseller “for a nominal fee”.  Is $25 a nominal fee?  If the recovery software is on the hard drive, does that preclude the VAR’s ability to collect the nominal fee and distribute the CDs?  What’s your take on this?

Michaels Breach – More Lawsuits, Police Seek Help

Police in Beaverton, Oregon are investigating 50 fraud reports related to the Michaels Crafts breach that reportedly compromised thousands of debit cards in 20 states.  Police are asking for the public’s help in identifying four suspects caught on camera using “white cards” at Oregon bank machines, created from card details skimmed at Michaels stores.   Police say that the suspects are from a larger organization which allows multiple crews to work numerous areas and move around quickly.

The lawsuits around this breach continue to fly in, and Michaels replaced all of its US Point Of Sale terminals by May 6 to contain the risk of continued compromise.  The lawsuits focus on the time taken to notify customers of the breach, inadequate protections of data, and violations of various regulatory acts.

Forty-six states currently have mandatory reporting, but only three or four have public websites where the public can see the notices that have come into the state’s attorney general’s office.  Texas, the state where Michaels is based, has breach notification statutes on the books.  However, the law says that companies should notify the public “as quickly as possible”, and most other states do not specify a timeframe for “reasonable notification”.  This case and others like it could set legal precedents about what is considered reasonable notification timelines until a national act is passed.  I will continue to watch this issue with interest.

Credit Union Times

LulzSec Hacks Arizona Law Enforcement Agency

LulzSec has announced the publication of a trove of over 700 leaked documents from an Arizona law enforcement agency on the notorious Pirate Bay file sharing site.  Arizona’s Department of Public Safety confirmed that it had been hacked.  The LulzSec press release included with the dump sounds more “hacktivistic” than usual, exposing a political agenda, opposing Arizona’s SB1070, the state’s broad and controversial anti-illegal immigration measure.

Amongst countless mundane documents covering hours worked, officers’ personal information and other stuff of minimal interest are a few fascinating stories of law enforcement activities, such as an encounter with off-duty Marines patrolling the U.S.-Mexico border with assault weapons, and tirades about illegal Mexicans and drug dealers.

LulzSec, Anonymous Declare War On Us All

Lulzsec and Anonymous are declaring open war on all governments, banks and big corporations, worldwide.  They are attempting to unite all hackers to fully expose corruption and “dark secrets”.

“Whether you’re sailing with us or against us, whether you hold past grudges or a burning desire to sink our lone ship, we invite you to join the rebellion.  Together we can defend ourselves so that our privacy is not overrun by profiteering gluttons.  Your hat can be white, gray or black, your skin and race are not important.  If you’re aware of the corruption, expose it now, in the name of Anti-Security.  Top priority is to steal and leak any classified government information, including email spools and documentation.

Prime targets are banks and other high-ranking establishments.  If they try to censor our progress, we will obliterate the censor with cannonfire anointed with lizard blood.”

Don’t be fooled by this diatribe.  The highlighting is mine, but the intentions are clear.  This is online terrorism, and it is totally illegal.  This sort of behavior is itself corrupt.  I’m all for making a difference, I support bringing about positive change, but there is a time, a place, and a proper methodology to follow.  This just isn’t it for me.  I’m not posting links to this, you can Google it up easily enough if you are that interested.

So far, they have not done anything that I have seen that rings true to this “eat the rich” campaign.  They have broken the law, caused large companies reputational and financial hardship, and have exposed countless individuals to unnecessary risk by posting personal and account information publicly.  What information do those “Prime Targets” hold?  So much for Robin Hood.  Stealing from the poor to hurt the rich??

TNW has posted a handy little widget available if you would like to check all of the LulzSec released files for your email address to see if your accounts have been exposed.  If your email is there, your other information may be as well.

-=[BUSTED]=- LulzSec Related Arrest in UK

A 19-year-old has been arrested in connection with recent attacks, and is being purported to be connected with the LulzSec group, responsible for Sony, and other hacks.  The Channel 4 news agency posted the following tweet on Twitter:

19-year-old suspected of being mastermind behind computer hacking group LulzSec arrested in Wickford, Essex. #c4news

The Metropolitan Police released the following statement on the arrest:

Officers from the Metropolitan Police Central e-Crime Unit (PCeU) have arrested a 19-year-old man in a pre-planned intelligence-led operation.  The arrest follows an investigation into network intrusions and Distributed Denial of Service (DDoS) attacks against a number of international business and intelligence agencies by what is believed to be the same hacking group.

The PCeU was assisted by officers from Essex Police and have been working in co-operation with the FBI.  The teenager was arrested on suspicion of Computer Misuse Act, and Fraud Act offences and was taken to a central London police station, where he currently remains in custody for questioning.

Searches at a residential address in Wickford, Essex, following the arrest last night have led to the examination of a significant amount of material.  These forensic examinations remain ongoing.

“Sabu”, a self-confessed member of LulzSec, states that the suspect arrested by the Metropolitan Police was involved in running its IRC channel only.  All of their members remain free and accounted for.

Recent Attacks Due To Common Vulnerabilities

The most recent and brazen security breaches and attacks at the CIA, US Senate, IMF and elsewhere have shown me one thing.  There has been a substantial amount of complacency in the Information Technology and Security fields.  There have been many reasons for skating by; budgets are tight, economy’s bad, no time, no resources, no training…  Businesses large and small have opted to do the bare minimum required by law or industry, expecting that to be enough to keep them out of the press.  I have said it before, and I will say it again, although saying it before has cost me at least one job.

Regulatory Compliance DOES NOT equal Security!!

If you are in the business of securing data that your customers have entrusted you with, and are of the mind that you only need to do what is mandated by Visa, Mastercard, PCI, Policy, or some other established standard on a subset of systems that are directly involved with the sensitive data, you are mistaken, and can expect to spend some time in the media shortly.  In an age where attackers are getting organized, popping up like mushrooms, where the greater challenge no longer appears to be breaking in or getting away with it, but finding enough space to post your 300,000 customer records as evidence of your success, you need to have a solid and enterprise-encompassing STRATEGY.

Online attacks have taken on a targeted tone, whether to make quick money, prove a political point, or infiltrate high value and supposedly highly secure systems.  We have been arrogant and comfortable for far, far too long, thinking things were unbreakable, that our monitoring would be enough of a deterrent.  The systems and internetworks are just too complex, too many moving parts, too many variables, too many weak links in the chain.  We have all been lucky, swimming in the shark tank, and now it’s a feeding frenzy in the criminal underground.

A big part of the problem is that employees simply have too much access.  The best thing we can do to secure the enterprise is the same old stuff we’ve been talking about for years.  So what are you doing about these recent attacks?

Canada Crawling With Spies

According to the head of Canada’s spy service, foreign intelligence agents are everywhere.  “State-sponsored espionage against Canada is being conducted at levels equal to, or greater than, those witnessed during the Cold War,” said CSIS Director Richard Fadden in their annual report tabled in Parliament Monday.

Canada’s strong relationship with key allies and advanced telecommunications and mining sectors make it attractive to foreign intelligence.  Foreign powers are conducting intelligence operations in Canada by monitoring individuals and groups that are considered a concern to their domestic security and political agendas.  They are also trying to influence Canadian policy, perpetuating domestic conflicts and grievances, the director noted.

Fadden’s comments reiterated some of the controversial claims he made a year ago in a CBC interview, which caused outrage among many ethnic groups, especially Chinese Canadians, and led to calls from opposition politicians for firing him.  His opening remarks this year identify the main threat to Canada to be terrorism, primarily Islamist violence.  Domestic radicalization is a key threat, and one that continues to preoccupy CSIS officers who are concerned about terrorist plotting by unknown individuals or groups.

To Canadian business, this should send the message to all employers to ensure that they perform thorough background checks on new hires, monitor their networks for unusual traffic that might be taking aim at other businesses or organizations, and to monitor their networks for inappropriate data leaving the perimeter, in my opinion.  If something is detected, engage an expert investigator, and engage law enforcement as appropriate.  Just terminating the individual responsible will only shift the problem to someone else’s network, and may make your business a target.