Thursday September 24, 2009
Ian Murphy - 1:00 PM AST

Sears gets personal with their customers

Apparently, Sears is not above spying on their customers.


Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an "online community" for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable.

To join the "My SHC Community," users downloaded software that ended up grabbing some members' prescription information, emails, bank account data and purchases on other sites.

Thursday August 6, 2009
Ian Murphy - 5:19 PM AST

Major Malfunction Spooks the Spooks

Federal agents attending this year’s DefCon, a hacker convention held annually in Las Vegas, were startled to discover that they were being scanned and photographed as they passed the conference registration table. Installed behind the counter was a device that scanned for RFID tags such as the ones commonly used in credit cards and security badges (the type that operate door locks). When an RFID signal was detected, a camera attached to the laptop would snap a picture. More details available here.

Wednesday July 22, 2009
Ian Murphy - 9:54 AM AST

Privacy Commissioner Says Facebook Violates Canadian Privacy Laws.

An interesting report on how Facebook's data retention and sharing policies actually contravene federal privacy laws. Very interesting stuff here. There's an interesting backdoor for "application developers" to get around your Facebook privacy settings. Becoming a developer is as simple as visiting http://developers.facebook.com/ and signing up for an account.

Links:

Update (2009/08/18):

Monday June 8, 2009
Ian Murphy - 12:45 PM AST

Aerial Photos a Security Threat?

Yet another example of people with hyperactive imaginations. Making an argument against a technology because it could be misused is a one-sided view.

The crux of the argument here is that web sites that display aerial photos or satellite imagery could be used by terrorists to plan an attack.

By that logic, we should definitely outlaw cell phones, cars, planes, electricity, water and take-out food, as they may also be used against us. (Actually, the take-out Chinese food I had the other night could qualify as "weapons-grade", but I digress.)

Wednesday February 18, 2009
Ian Murphy - 10:25 PM AST

Drive-by RFID Sniffing a Reality

Here’s a disturbing little story from CBC’s Search Engine blog. With an outlay of about $200 in equipment to attach to your laptop, it’s possible to drive around scanning RFID tags right out of the wallets of passers-by. For those of you unfamiliar with RFID, I wrote an earlier post about the topic in relation to the upcoming “Enhanced” Driver’s Licenses in Ontario.

Because it broadcasts, an RFID tag in your wallet actually places you at an increased risk of identity theft. I haven’t seen any examples with regard to the ones in the new credit cards, but I’m sure the old adage applies: if there’s a will, there’s a way.

Thursday February 12, 2009
Ian Murphy - 10:56 AM AST

Facebook and Privacy

I came across a great resource for all of those who use Facebook. It is important to understand that by default, Facebook is pretty liberal with what it allows people to see about your personal profile.

From the article:

“This is the classic Facebook problem. You let loose for a few hours one night (or day) and photos (or videos) of the moment are suddenly posted for all to view, not just your close friends who shared the moment with you. The result can be devastating. Some have been fired from work after incriminating photos/videos were posted for the boss to see. For others, randomly tagged photos/videos have ended relationships.”

The general rule is to treat Facebook as the public domain: if you want something to remain private, don't talk about it on your Facebook page.

Article is available here

Tuesday January 13, 2009
Ian Murphy - 12:31 PM AST

Published!!! (and other notes)

Last spring, I wrote an article on the topic of Password Mnemonics which has been published in the Winter 2008-2009 Edition of 2600: The Hacker Quarterly. For those of you not familiar with the magazine, it’s a publication that has been around since 1984 and covers topics such as viruses (and how to prevent getting them), data forensics, information security, civil liberties and privacy. The magazine is available for purchase at most fine magazine retailers. Those interested in learning more can visit their website at http://www.2600.com.

Additionally, here is some follow up on previous posts:

- Apparently, a number of celebrities had their Twitter accounts hijacked last week. This was a result of two factors:

  - Poor password choices by the celebs

  - Twitter allowed for unlimited failed login attempts (most systems allow a maximum of 3-5 consecutive failed attempts before locking the account).

- An RFID blocking "Wallet"

One of my New Year's resolutions is to update this blog twice weekly. I've already blown the diet out of the water... I hope to do better with this one.

Friday December 19, 2008
Ian Murphy - 10:56 AM AST

Busy, busy, busy.

It's been a while since my last post. This is due to the fact that I'm in one of three states these days:

- Working

- Rehearsing/Performing

- Sleeping (some)

Last week, I finished a 3-night run of Riverboat Revels with the Fredericton Gilbert & Sullivan. This week, I'm in Christmas @ The Playhouse. This has effectively eaten all of my free time in December.

So, I thought I'd post a couple of links to sites I find interesting...

The Register - One of my daily visits, I find this to be one of the best tech media aggregators available.

Security Now! (Podcast) - This weekly podcast is hosted by Leo Laporte (of TechTV fame) and Steve Gibson. Every week, Steve and Leo take apart complex security issues and explain them in everyday language.

Network World - Network Security - Another security news aggregator where I find good source material.

Enjoy!!!

Wednesday December 3, 2008
Ian Murphy - 1:06 PM AST

'Enhanced' Drivers Licenses and RFID chips

In the not-too-distant future, that stack of plastic cards in your wallet will get a lot smarter. The revolution has begun with new credit cards, and will soon be expanded to include US Passports and 'Enhanced' Drivers Licenses. These new smart cards will employ a technology called RFID.

The information encoded in the RFID chip can be "read" by an RFID reader either by placing the chip in front of the reader or by pointing the reader at the chip. This information can be read at a distance of approximately 10m (33ft).

Using this technology, the information on your new Drivers License can be read while it is still resting comfortably in your wallet. You need not even be aware that it was happening.

This means that it would be possible for an ill-intentioned person to read all of the information off of your license and potentially use that information to clone your identification and steal your identity. By employing multiple scanners (say in an airport departures area), it will also be possible to track your current location using triangulation. Interestingly enough, researchers and hackers have already proven that the RFID chips embedded in new passports can be cloned and the data can be modified. At this year's HOPE Conference in New York City, a group of hackers were able to use arrays of RFID readers to track the movements of participating conference attendees.

RFID is a great technology, but we should be concerned about the way in which we are using this technology and objectively assess whether there is any benefit to it.

Interesting Links:
HOPE Attendee MetaData Project
Article on Passport Hack
Ontario's Bill 85

Monday November 24, 2008
Ian Murphy - 8:50 PM AST

The Problem with Passwords - Part 2

As I mentioned in my previous post, it is difficult to strike a balance between a password that is easy to remember, and yet is difficult to guess. When choosing passwords, you want to avoid words that appear in a dictionary.

How Password Crackers work:

There are 3 main stages to guessing a password. The initial stage might involve some profiling of the person whose password you are attempting to obtain; the names of children, pets, and home towns are common. This phase is often short-lived but can sometimes bear fruit without having to proceed to Phase 2. The second phase is called a “dictionary” attack, where the attacker uses a program to load up an enormous list of words in multiple languages and churns through the list until it finds a match. Password cracking applications also contain intelligence to attempt variants of the dictionary words (ex: Password1, Password12, Password123). An average desktop computer can run a large-scale dictionary attack in a matter of a few hours to a day. If that fails, the attacker can call out the big guns. Phase 3, which is called “brute-forcing”, involves instructing the password cracking application to guess every possible password. Given enough time, the application will eventually find your password, though in real-world terms it is only practical for shorter passwords.

With this knowledge in mind, it is important that our passwords be of sufficient length (8 characters at least), not exist in the dictionary or be easily associated with you, not follow keyboard patterns (ex: qwerty or asdfgh), and yet still be easy to remember! So how do we balance these needs without writing down all of our 12 character passwords on a sheet of paper?

Two Words: Pass phrases

Suffice it to say that we all enjoy movies, music, and literature. This will serve as the root of our password generation method. The idea is to take something you’ve already memorized and use it to generate a long, pseudo-random password that will still be easy to recall. Let’s say that in your misspent youth, you memorized the lyrics to “Jump Around” by House of Pain and now they are indelibly stuck in your brain, playing over and over again while you await death’s sweet release… Please note that I cannot be held liable for any emotional or psychological damage caused by this example:

“Word to your moms, I came to drop bombs, I got more rhymes than the bibles got psalms…”

For the purposes of this example, we will just take the last 9 words here and write the first letter of each word:

“Igmrttbgp”

Now we have a 9 character non-English word. Not too bad, but it still wouldn’t take an intelligent brute force attack too long to crack, as we’re only using the 26 characters of the English alphabet. We need to make the password more complex by adding some special characters and numbers. To do this, I normally perform a character substitution to produce something like this:

“!gmrttbg9”

As you can see, I’ve replaced the “I” with a “!” and the “p” with a “9”. This gives us a password that is very resistant to the most common vectors of attack described above. I’ve been using this technique for generating passwords for the last several years and I have found it useful. I welcome your comments and suggestions for improving on this technique.
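As an added example (not code from the original post), here is the method above in Python: it takes the first letters of the last nine words, applies the first/last character substitution, estimates the work a brute-forcer faces once digits and symbols are in play, and checks the post's three rules. The substitution entries beyond I/p, the small word list and the keyboard runs are constructed for the demo.

```python
import math
import re

# Substitutions applied to the first and last character of the mnemonic,
# mirroring the post (I -> !, p -> 9); the other entries are an assumption.
SUBSTITUTIONS = {"I": "!", "p": "9", "a": "@", "s": "$", "o": "0", "e": "3"}

# Constructed mini word list and keyboard runs for the rule check below.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456")


def mnemonic_password(phrase, last_n=9):
    """First letter of each of the last `last_n` words, then substitute
    the first and last characters so the middle stays easy to recall."""
    words = re.findall(r"[A-Za-z']+", phrase)
    if len(words) < last_n:
        raise ValueError("phrase has %d words, need %d" % (len(words), last_n))
    core = "".join(w[0] for w in words[-last_n:])
    first = SUBSTITUTIONS.get(core[0], core[0])
    last = SUBSTITUTIONS.get(core[-1], core[-1])
    return first + core[1:-1] + last


def brute_force_bits(password):
    """Bits of work a brute-forcer faces if it must cover every character
    class present in the password (lower, upper, digits, symbols)."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 32  # printable ASCII symbols
    return len(password) * math.log2(size)


def violations(password):
    """Return which of the post's rules `password` breaks (empty = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word")
    if any(run in password.lower() for run in KEYBOARD_RUNS):
        problems.append("keyboard pattern")
    return problems
```

The bit estimate is what a brute-forcer must assume, not the true entropy of a phrase-derived password, which is lower; the substitution step matters because a 9-letter lowercase-only string costs roughly 42 bits of work while the mixed version costs about 55.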

Blog: "In"Security

Ian M Murphy is an IT Consultant who writes on security industry trends and privacy issues. Ian works and lives in the Fredericton area. The goal of "In"Security is to present complex issues to technical and non-technical people alike. If there is a topic you'd like to see discussed on this blog, you can email Ian directly at ian.murphy@hushmail.com