Security. Counts. Posted: June 15, 2011 (03:48) under OMG, Security, Theft
[Image: Counting. Like a Boss.]
You’d think, with all the money in the world (literally) that banks would have the best security systems.
You’d be wrong.
You’d be especially wrong if you’re the quarter-million or so Citibank retail credit card customers whose entire accounts were laid bare by an audacious if breathtakingly simple hack by an as-yet-unidentified group.
From the NYTimes:
In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers.
Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.
The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
To which one can only reply, “whatEVER!” Any security-conscious and tech-savvy person (and there must be a few of us out there, right?) would have noticed that the URL contained the account number, and it’s a short step from that to plugging in a linear series of numbers and seeing what comes up: 0001, 0002, etc. You don’t even have to plug in many numbers, as a commenter on Gawker explains:
Credit card numbers are limited. The first 4 numbers indicate the card type and bank, and the last number is a check on the validity of the first 15. That means that each card has only 11 digits. That’s 100 billion. If there are 100 million cards issued by Citi with the same first 4 digits, you’ve got a one in one thousand chance of hitting a real card with random numbers. That’s a really high chance for a computer. To get 200,000 real numbers, you’d have to run 200 million cycles, which could be done in a day or two on a reasonably fast web site.
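What the NYTimes describes is an authorization flaw, not a browser flaw: the server took the account number out of the URL and served whatever it pointed at, without asking whether the logged-in customer owned it. The following is an added example, not code from the original post or from Citi: a toy account page in its trusting form beside the fixed form that checks ownership, plus a log check that flags a session walking through account numbers that aren't its own. The account records, sessions, URL layout and log lines are all constructed for illustration.

```python
"""Added example (not from the original post): an account lookup that trusts
the identifier in the URL, the same lookup with an ownership check, and a
detector that spots one session touching many distinct account numbers.
Every name and data value here is constructed for illustration."""

from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed data store: account number -> owner and balance.
ACCOUNTS = {
    "0001": {"owner": "alice", "balance": 1200.50},
    "0002": {"owner": "bob", "balance": 87.10},
    "0003": {"owner": "carol", "balance": 5400.00},
}

# Constructed session table: session id -> authenticated customer.
SESSIONS = {"sess-A": "alice", "sess-B": "bob"}


def account_from_url(url):
    """Pulls the 'acct' query parameter out of a URL or path (constructed layout)."""
    return parse_qs(urlparse(url).query).get("acct", [None])[0]


def vulnerable_view(session_id, url):
    """Checks only that the caller is logged in, then trusts the account
    number in the address bar: any customer can read any account by
    changing the number. This is the flaw class in the story."""
    if session_id not in SESSIONS:
        raise PermissionError("not logged in")
    return ACCOUNTS.get(account_from_url(url))


def hardened_view(session_id, url):
    """Ties the requested account to the authenticated customer. Missing
    and foreign accounts get the same 'None' so the response does not
    reveal which numbers exist."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("not logged in")
    record = ACCOUNTS.get(account_from_url(url))
    if record is None or record["owner"] != user:
        return None
    return record


# Constructed access-log lines: "<session> <method> <path>". sess-A reads
# its own account twice; sess-B walks sequential numbers.
LOG_LINES = [
    "sess-A GET /cards/view?acct=0001",
    "sess-A GET /cards/view?acct=0001",
    "sess-B GET /cards/view?acct=0001",
    "sess-B GET /cards/view?acct=0002",
    "sess-B GET /cards/view?acct=0003",
    "sess-B GET /cards/view?acct=0004",
]


def enumeration_suspects(lines, threshold=3):
    """Returns sessions that requested at least `threshold` distinct account
    numbers. The threshold is a constructed tuning knob; a real deployment
    would set it from how many cards one customer plausibly holds."""
    seen = defaultdict(set)
    for line in lines:
        session, _method, path = line.split()
        acct = account_from_url(path)
        if acct:
            seen[session].add(acct)
    return sorted(s for s, accts in seen.items() if len(accts) >= threshold)


if __name__ == "__main__":
    url = "https://bank.example/cards/view?acct=0001"
    print(vulnerable_view("sess-B", url))   # bob gets alice's record
    print(hardened_view("sess-B", url))     # None
    print(enumeration_suspects(LOG_LINES))  # ['sess-B']
```

The fix is the single ownership comparison in `hardened_view`; the log check is the compensating control, since a customer who really owns three cards looks nothing like a session that asks for dozens of consecutive numbers in a row.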
Heck, you could probably randomly guess your way into several juicy accounts from your iPhone on the way to that restaurant you couldn’t afford yesterday.
But why am I still blogging? You’ve all left this site and signed into your online banking to check the URL, haven’t you?
Thatta boy!
u got meme’d! Posted: September 10, 2010 (19:51) under Humor, Security, Technology, Theft
There are lots of technical hacks and ways to get at your internet properties, be they blogs, websites, or social media pages and profiles; why, there’s an entire master’s program in Bulgaria on hacking: not preventing it, doing it. So your internet security is always at risk, both from amateurs who only want to change your Facebook status to “poopyfacepoopyface” and from experts who have a commercial interest in your data and control of your internet properties of whatever kind.
That said, by far the easiest way to get at someone’s site is to convince them to give you the password. Don’t think it’s easy? Check this elegant, yet evil little trick out:
[Image: Facebook Password Trick]
That’s not nice; don’t fall for it. But if you do, remember that you can delete your posts on Facebook if you hover your cursor over the right-hand side of your comment, just above the line of typing. But if your friends do this to their friends, GET NEW FRIENDS.
Tags: Facebook, hacking, Social media, Social Networking, Website
Fence in your mobile data! Posted: March 29, 2010 (22:08) under Hardware, Security, Theft
[Image: Apple giveth and Apple taketh away]
Oh, how I wish I wasn’t writing this from experience.
But I am.
This post; this one right here. This post, which is about how you iPhone addicts out there should always be sure to register with the websites associated with your apps, so that if (GAWD forbid) the JesusPhone gets raptured or falls into a toilet or whatever, you’ve got a backup of all the data that you’ve entered into it, a backup you can access and continue to use even without your Holy Handset.
Not all apps come with an associated website, but most fitness apps, personal databases like Contact lists, food logs and timekeepers do. And I won’t even mention, or yeah, maybe I will, the multiple iPhone locator apps that you should have installed. The thing comes with a GPS built-in. Use it.
I’m not gonna say it again, not gonna embellish it: just go, and register, and synch, and relax.
Because the most important part of your Jesusphone isn’t the black box: it’s your irreplaceable data.
Tags: Apple, Handhelds, IPad, iPhone, Mobile, Smartphone
360 Degrees of Copyright Protection Posted: February 2, 2010 (22:23) under Copyright, Intellectual Property, Security, Theft
[Image: Rebecca Bollwitt wants you to talk nerdy to her]
Copyright’s a heated topic in the internet, and one about which there is a great deal of misinformation (see this example for an adamant, strongly held, oft-repeated, and completely illegal, belief about copyright). Essentially, if you’re using a major platform such as Blogspot, WordPress, or Tumblr, or if the server hosting your site is in a country which is a signatory of the major international copyright agreements (such as Canada, the US, India, China, the UK, all EU members, etc) your post is protected by copyright the moment it is created. Yes, even before you hit Publish.
Naturally, as copyright owner you are entitled to sell various subsidiary or even All Rights to your work as you please. Sadly, that doesn’t always mean you can relax, as Vancouver blogger Rebecca Bollwitt, known as Miss604, found out.

What happened was this: Miss604 signed a contract with Tourism Vancouver to supply posts for their site. One of those posts suddenly showed up on NBC’s site, contrary to the exclusivity clause in the Tourism Vancouver contract, which was binding on both sides. When Rebecca complained, NBC removed her name from the post but kept the content up, as you can see by her tweet above. When this hit the thunderdome of teh intarwebs, meaning Miss604’s thousands of followers on Twitter, and their followers, and all of their blogs, NBC reinstated her name, in a tiny font, with no link. It’s unclear what position Tourism Vancouver takes in all of this; whether they gave NBC the right to repost the content in contravention of the contract is still not clarified, but all parties involved now consider the matter resolved.
If Tourism Vancouver had taken down the post from its site, which sometimes happens in these disputes when companies want to stay “out of the fray,” it would have been difficult for Rebecca to prove her case to NBC or the public, as she’d have had no objective proof that it was her content which had been copied. This is yet another reason that keeping a backup of all your work (and writing that into your contract), preferably at a neutral third party’s office or site, is critical to anyone who makes a living from intellectual property. Can you ever have too many?
Clearly not bright enough for MIT Posted: December 25, 2009 (00:59) under Theft
It’s a crying shame when valuable items go missing, but at some point, except for the ultra-paranoid, it’s inevitable. Thieves live among us and there are plenty of buyers out there for stolen goods.
Theft is only one threat to your data, but starting at $10 a month, you can back up everything online automatically. Rather than losing your life’s work, with offsitedatabackup.com you’d be able to start right where you left off.
For those interested in the original story that prompted this post, you can download Vancouver’s edition of Metro News for December 23rd, click HERE for the article in PDF format or simply keep reading, after the jump.
Tags: Burnaby, Cambridge, MetroNews, MIT, Theft
Real World Insecurity Posted: December 14, 2009 (20:43) under Hardware, Offline Security, Security, Theft
Now, this is just a sad tale, one with all the classic ingredients of a tragedy, and none of the happy endings you’re used to from Disney adaptations of the Greek myths.

Vancouver artist and photographer Sharon Burns recently showed her latest works at the Interurban Gallery downtown at Hastings and Carrall streets. She’s previously exhibited at public and private galleries from the Vancouver Art Gallery to the Gallery Gachet, and her work is both critically respected and popular.
And now, it’s gone.
If you saw the show at the Interurban, congratulations; you saw the only extant record of three years of work. Here’s how it happened:
Nobody likes moving house much, and moving house single-handedly they like even less. Burns had to move house, didn’t have any friends free that night, and decided, since it was a small job, to dispense with a moving company and hire some freelance labour. All appeared to go well, and she’d been settled into her new apartment several months when she had occasion to double-check her photo-storage hard drive for an image for the upcoming show.
You know what happened then.
The loss of a hard drive, whether due to “the confusion of moving” or to some more sinister cause, is always a blow, but if you’ve got a backup of your data somewhere else, it’s a surmountable blow. In contrast to the common assumption, online data storage can often be more secure than offline storage, and more flexible as well. Don’t get caught out like this, losing three years of work. But then, if you’re reading this blog, you probably know you’ve got some safety options; use them!
Tags: Hard disk drive, Hastings, Photographer, Vancouver Art Gallery