Show of 2-26-2011

  • Email and Forum Questions
    • Email from Robert Tyler: Dear Dr. Shurtz, I’ve been reading about the online attack on HBGary by the hacktivist group "Anonymous". Could you explain what HBGary does, why HBGary was the subject of this attack, how the hackers gained access to HBGary’s files and emails and the repercussions this had on the company and its leaders. Maybe you could also give us a little background on Anonymous. Thank you for a great podcast. I look forward to it every week. Loyal Tech Talk Podcast listener. Robert Tyler
    • Tech Talk Responds: Anonymous is a loose-knit group of hacktivists, with links to the notorious message board 4chan. The group has hit several targets, including the website of the prosecutors who are acting in a legal case against Wikileaks founder Julian Assange. An Anonymous member told AFP news agency the group would extend their campaign to anyone with "an anti-Wikileaks agenda." Anonymous has recently extended its efforts to hacking government servers in the protesting Arab countries. Anonymous attacked HBGary because HBGary was about to release the names behind Anonymous. HBGary made the mistake of contacting the group leader and threatening him.
    • Email from Jim Russ: I got an email from a friend this past week. The thing is, he’s dead. Imagine the shock when I saw his name pop up in the spam folder on my g-mail account. Someone has obviously absconded with his email address for nefarious purposes. Obviously, I knew this was a scam, so I deleted the email immediately and emptied my trash bin. Is there a place I can report this, so that the spammer is caught and stopped?
    • Tech Talk Responds: His email was not hacked. Rather, a spambot harvested his email address from the contact list and emails of a compromised machine, and simply used his address as the return address. This is very commonly done. This is why, when you send an email to a list of people, you should put the recipients in BCC.
    • Email 2 from Jim Russ: I have a Sony Erickson W760a cell phone on the AT&T Network. I never turn it off. Last week I had trouble sending texts because the phone told me that its memory was full. I have one picture stored on the phone, no music, no ring tones. I cleared out all sent and received texts and there was no change. So I turned the phone off and then back on. That seems to have fixed it. Is there some sort of cache in the cell phone that is cleared by turning it off and then on. Thanks
    • Tech Talk Responds: Your phone is suffering from a memory leak. So is mine. I have to reboot my Blackberry every week to increase the amount of free memory. A memory leak, in computer science, occurs when a computer program consumes memory but is unable to release it back to the operating system. Eventually, in the worst case, too much of the available memory may become allocated and all or part of the system or device stops working correctly. Simply reboot the device to release all memory.
    • Email from Ms. Bartiromo: Dr. Richard Shurtz, I own a Sony Walkman that was purchased some time ago. It came with the following: AM / FM Radio, Cassette tape player, DC metro area TV stations (audio only). This devise still works and I still love it, but, since we have moved to digital TV, the TV part of it no longer works. Is there a newer device to have all of this in a mobile product that I can carry on me while riding a bike? Thanks for your thoughts. Ms Bartiromo
    • Tech Talk Responds: You are in luck. The Sony Walkman S2 Sports Armband Radio with headphones features a slim digital tuner with 30 station presets (10 FM, five AM, five TV and five weather band stations). $65. Beware: there are still some analog sets on sale at a steep discount.
    • Email from Lauren: Dr. Richard Shurtz, I want to purchase a new pc and am considering a used ThinkPad. I found one posted on CL and am wondering. What is the best way for me to ensure this machine is not a lemon when I get home with it? What are the appropriate questions to ask the seller, who appears to be an individual and the original owner? Is there some ‘test’? I have never purchased a used pc. Generally, is this a reasonable or problematic thing to do? Thanks! Lauren
    • Tech Talk Responds: Used computers used to make sense. But now that prices have dropped so dramatically, buying used is not as attractive. Software costs are much higher than hardware costs. If you do get such a machine, open the Control Panel and go to System to see what the configuration is. Check the software versions. You need to get all user licenses for the software. Battery life on older machines is also an issue. My advice is to get last year’s laptop on sale.
    • Email from Arnie: Hi Dr. Shurtz. Couple of other questions if you have time on your Techtalk program: What exactly is "deep packet inspection" and how is it used? I understand it may be a way of reducing people from using so much bandwidth. How does it affect normal users on the Net?
    • You mentioned Ooma and some other voip phone systems during your last program. What kind of computer does one have to have to have Ooma or another system, i.e., does one have to have a desktop and does it have to be kept on 24/7? I have Verizon FIOS broadband.
    • Lenovo was a subject of last Saturday’s Tech Talk. It’s interesting to note that Lenovo won the contract to provide computers to incoming freshmen at the Naval Academy last year. Cold War fighters would turn over in their graves knowing one of Mao’s people was selling to the US Govt. Then again, so much stuff is coming from China nowadays. Do you have any comments on the following proposed legislation for next Saturday’s Techtalk program? More government intrusion into the Internet maybe? Thanks Arnie McKechnie, Davidsonville, MD.
    • Tech Talk Responds: Deep packet inspection identifies the application that is sending the packet. This information is used to limit BitTorrent traffic, for instance. It can also be used for government espionage. Ooma does not require a PC. It is simply an appliance that is connected to the router. I am surprised that the Naval Academy is buying Lenovo. The Cybersecurity bill is aimed at protecting critical infrastructure (power grids, financial systems, water supply). The controversy is that government is normally not the solution. Such safeguards should be implemented through the IETF. The bill, however, is not designed to cut off access to information.
    • It authorizes one single entity, the director of the National Institute of Standards and Technology, to represent the government in negotiations over international standards and orders the White House office of technology to convene a Cybersecurity university-industry task force to guide the direction of future research. It also directs the National Science Foundation to research the social and behavioral aspects of Cybersecurity, like how people interact with their computers and manage their online identities, in order to establish a new, more accessible awareness and education campaign. On balance, it seems like a good bill.
  • Profiles in IT: Pony Ma
    • Pony Ma is the founder of Tencent Holdings, which controls China’s largest instant messaging (IM) service with over 478 million users.
    • He is regarded as one of China’s most desirable bachelors.
    • Born in 1971, on the island of Hainan, China, but grew up in Shenzhen.
    • Ma uses the nickname "Pony" which is derived from the English translation of his family name, which is "horse."
    • In 1993, he earned a BS in software engineering from Shenzhen University.
    • After graduation, Ma worked for China Motion Telecom on Internet paging systems.
    • He then worked for Shenzhen Runxun Communications on Internet calling systems.
    • In 1998, Ma and five classmates started Tencent, a pager for local telecoms.
    • They began the company with $120K, earned by playing the stock market.
    • He was soon inspired by ICQ, the world’s first IM. It did not have a Chinese interface.
    • By 1999 Ma and his team developed Open ICQ (OICQ) with a Chinese interface.
    • When he could not sell OICQ to the telecoms, he offered it as a free download
    • Within nine months, OICQ’s registered user number surpassed 1 million.
    • In 2000, AOL, which bought ICQ, filed an IP lawsuit against OICQ. Tencent lost.
    • In December 2000, Tencent formally changed the name to QQ (OICQ’s nickname).
    • Unfortunately, Ma had been unable to make money from the huge user base.
    • OICQ was supported by his meager paging business.
    • Ma asked for bank loans and even talked to others about selling the company.
    • In 2000, the US firm IDC and a Hong Kong telecom invested $2.2 million for 40%.
    • By 2000, beeper users declined and mobile phone started to become popular in China.
    • Ma worked out a service that enabled QQ users to send messages directly to handsets.
    • He then convinced local telecom operators to share revenue through message fees.
    • This service contributed over 80 percent to the company’s total revenue.
    • Ma then added paid avatars and games and advertising.
    • By 2001, Tencent started to make a profit and its registered users surpassed 500M.
    • A QQ account, which consists of random numbers, became a status symbol.
    • Special QQ account numbers, such as 88888 or 66666 (6 and 8 are lucky numbers in China) were sold, or stolen and then sold, at a high price in the black-market.
    • Sometimes users would register ten or more times to get a number they liked.
    • Ma tried to charge for registration, but the users revolted. He soon dropped the charge.
    • In 2003, Tencent released its own portal QQ.com to offer online games.
    • In June of 2004, Tencent issued its IPO in Hong Kong. Within a few months, the stock prices rose nearly 60 percent. Ma himself was worth $190 million.
    • In 2005, Tencent launched Paipai.com, a C2C platform, competing with Alibaba.com.
    • Ma was named a Global Business Influential by Time magazine.
    • Because other companies offered free IM, Ma looked for new ways to make money.
    • One way was with the development of new paying services such as an IM product solely for businesses in China called RTX.
    • Tencent also added profits by licensing the QQ brand name to another Chinese company to produce products like toys with the QQ name.
    • In 2010, Pony Ma ranked No. 249 on the Forbes rich list, and No. 6 in mainland China.
  • HBGary Hacked – The Real Story
    • The inside story according to Arstechnica.com
    • HBGary Federal CEO Aaron Barr thought he had found the hackers of Anonymous
    • He was preparing to name those responsible for the group’s actions, including the DDOS attacks against MasterCard, Visa, and other enemies of WikiLeaks.
    • When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating.
    • HBGary’s servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced.
    • SQL Injection Compromised Database
      • HBGary Federal’s website was powered by a custom CMS.
      • Unfortunately for HBGary, this third-party CMS was poorly written.
      • It was susceptible to a kind of attack called SQL injection.
      • Attackers can pass in specially crafted parameters that cause the database to execute queries of the attackers’ own choosing.
      • The CMS allowed the hackers to retrieve data from the database.
      • The attackers grabbed the user database from the CMS with usernames, e-mail addresses, and password hashes for the authorized users.
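The following is an added example (not code from the show notes, from Ars Technica, or from HBGary's CMS) that shows, on a constructed in-memory SQLite user table, why splicing request parameters into SQL text lets a crafted value rewrite the query and dump every user's row, hashes included, while a parameterized query treats the same value as plain data. The table rows, column names and hash strings are made up for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for a CMS user table; the hash strings
# are placeholders, not real credentials from HBGary or anyone else.
SAMPLE_USERS = [
    ("alice", "alice@example.test", "0123456789abcdef0123456789abcdef"),
    ("bob", "bob@example.test", "fedcba9876543210fedcba9876543210"),
    ("carol", "carol@example.test", "00ff00ff00ff00ff00ff00ff00ff00ff"),
]

def make_db():
    """Build an in-memory SQLite database shaped like a CMS user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, username):
    """The pattern the notes describe: request input spliced into the SQL text.
    A quote character in `username` changes the structure of the statement."""
    query = ("SELECT username, email, pw_hash FROM users WHERE username = '"
             + username + "'")
    return conn.execute(query).fetchall()

def lookup_safe(conn, username):
    """Parameterized query: the driver passes the value separately from the SQL,
    so whatever the input contains, it can only ever be compared as a string."""
    query = "SELECT username, email, pw_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

# Textbook tautology input, used here only to show how the two lookups differ.
TAUTOLOGY = "' OR '1'='1"

def demo():
    """Run both lookups with a normal name and with the crafted value."""
    conn = make_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),  # whole table
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),              # no rows
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The defensive point is that the fix is not input filtering but separating code from data: `lookup_safe` never builds SQL from the request at all, so the same value that dumps the table through `lookup_vulnerable` simply matches no username.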
    • Password Cracking
      • The user database stored only hashed passwords, which had been mathematically processed with a hash function to yield a number from which the original can’t be deciphered.
      • To make cracking harder, good password hash implementations will use:
        • Iterative hashing, where the output is hashed multiple times.
        • Salting; where random data is added before hashing.
      • The CMS used MD5 with no iterative hashing and no salting.
      • Passwords were therefore highly susceptible to cracking with a simple look-up table of precomputed hashes.
      • CEO Aaron Barr and COO Ted Vera used short passwords with six lower case letters and two numbers, which could be looked up very easily.
      • Their passwords were trivially compromised.
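As an added example that is not part of the show notes or the Ars Technica story, the block below contrasts the two hashing schemes the notes discuss: a single unsalted MD5, which a precomputed look-up table recovers with one dictionary probe, against a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library, chosen here as one well-known example of the "iterative hashing plus salting" the notes recommend). The candidate list is constructed and tiny; a real table would hold billions of entries. The `keyspace` helper also counts how many passwords fit the six-lowercase-letters-plus-two-digits pattern attributed to the two executives.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a precomputed MD5 look-up table.
CANDIDATES = ["password", "letmein", "abcdef12", "qwerty99", "summer11"]

def md5_unsalted(password):
    """What the notes say the CMS did: one unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup_table(candidates):
    """Map each candidate's unsalted MD5 back to the plaintext, computed once.
    With no salt, the same work cracks every user in every database at once."""
    return {md5_unsalted(c): c for c in candidates}

def lookup_crack(stored_hash, table):
    """A single dictionary probe recovers the password if it is in the table."""
    return table.get(stored_hash)

def keyspace(lowercase_letters, digits):
    """Count passwords of the shape the notes describe (six letters, two digits)."""
    return 26 ** lowercase_letters * 10 ** digits

def pbkdf2_salted(password, salt=None, iterations=100_000):
    """Salted, iterated hash. The random per-user salt makes any precomputed
    table useless, and the iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"

def verify_salted(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    print("unsalted MD5 recovered:", lookup_crack(md5_unsalted("abcdef12"), table))
    print("keyspace for 6 letters + 2 digits:", keyspace(6, 2))
    first, second = pbkdf2_salted("abcdef12"), pbkdf2_salted("abcdef12")
    print("same password, different salted hashes:", first != second)
    print("salted hash found in MD5 table:", lookup_crack(first.split("$")[2], table))
    print("verify right/wrong:", verify_salted("abcdef12", first),
          verify_salted("abcdef13", first))
```

Two users with the same password get identical unsalted MD5 values, so one table entry exposes both; with a per-user salt the same password produces different stored strings every time, and the only way to check a guess is to run the full iterated derivation for that one user.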
    • Aaron and Ted reused their password. They did not follow best practices.
      • Instead, they used the same password everywhere for e-mail, Twitter, and LinkedIn.
      • For both men, the passwords allowed retrieval of their personal e-mail.
      • They also used these passwords to access other servers.
    • Ted Vera’s password was used for administration of HBGary website.
      • The hackers initially had only limited access to the site using the compromised password and user name.
      • Then by applying a simple exploit to elevate the user privilege to the highest level, the hackers gained access to the entire site.
      • This elevation vulnerability should have been patched in January 2011.
      • It was then that they discovered many gigabytes of backups and research data, which they duly purged from the system.
    • Aaron Barr’s password was used to administer HBGary’s email
      • HBGary used Google Apps for its e-mail services.
      • This password gave them access to all of HBGary’s email.
      • It’s this capability that yielded access to Greg Hoglund’s mail, administrator of rootkit.com.
      • They used Greg’s email account to gain remote access to rootkit.com via social engineering. They convinced one of the admins to reset the password and give remote access.
      • They then logged in as Greg, switched to root, and defaced away! The attackers also dumped the user database for rootkit.com, covering everyone who had ever registered on the site.
    • Quick summary
      • A Web application with SQL injection flaws and insecure passwords.
      • Passwords that were badly chosen.
      • Passwords that were reused.
      • Servers that allowed password-based authentication.
      • Systems that weren’t patched.
      • A willingness to hand out credentials over e-mail.
      • If all best practices had been followed then none of this would have happened. Even if the SQL injection error was still present, it wouldn’t have caused the cascade of failures that followed.
  • The Problem with the Dancing Pigs
    • In computer security, the dancing pigs problem (also known as the dancing bunnies problem) is a statement on user attitudes to computer security: that users primarily desire features without considering security, and so security must be designed in without the computer having to ask a technically ignorant user.
    • The term has its origin in a remark by Edward Felten and Gary McGraw:
    • Given a choice between dancing pigs and security, users will pick dancing pigs every time.
    • If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a message describing the potential dangers of the applet — he’s going to choose dancing pigs over computer security any day.
    • If the computer prompts him with a warning screen like: "The applet DANCING PIGS could contain malicious code that might do permanent damage to your computer, steal your life’s savings, and impair your ability to have children," he’ll click OK without even reading it. Thirty seconds later he won’t even remember that the warning screen even existed.
    • One study of phishing found that people really do prefer dancing animals to security. The study showed participants a number of phishing sites, including one that copied the Bank of the West home page: For many participants the "cute" design, the level of detail and the fact that the site does not ask for a great deal of information were the most convincing factors.
    • Two participants mentioned the animated bear video that appears on the page. Participants in general found this animation appealing and many reloaded the page just to see the animation again.
  • Trivia of the Week: Computer Geeks Break Pi Record
    • Two computer geeks have calculated the number pi to 5 trillion places, on a single desktop and in record time.
    • That’s 2.3 trillion digits more than the previous world record held by the Frenchman Fabrice Bellard.
    • Japanese system engineer Shigeru Kondo and American student Alexander Yee achieved the result using a program created by Yee and a desktop computer built by Kondo.
    • The program took 90 days to compute the 5 trillion digits and over 60 hours to verify the result.
    • The number Pi has an infinitely long decimal expansion which never repeats.
    • The computer built by Kondo has 96 GB of RAM and over 39 TB of disc storage.
    • Roughly 22 TB of disc was needed to perform the computation.
    • The algorithm used to calculate the digits of Pi was developed by Yee and, as he claims, also holds the record for digit computations for many other famous
    • Yee’s algorithm uses a series with faster convergence, known as the Chudnovsky formula.
    • Kondo and Yee’s website: http://www.numberworld.org/
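To make the Chudnovsky series concrete, here is an added example (my own code, not Yee's program or anything from numberworld.org) that computes Pi to a requested number of decimals with Python's `decimal` module. It uses the standard form of the series, in which each term contributes roughly 14 correct digits; the 50-digit reference string is included only to check the result, and `digits // 14 + 2` terms is an assumption that is generous for the sizes shown here.

```python
from decimal import Decimal, getcontext

# First 50 decimals of pi, used only as a reference to check the result.
PI_50 = "3.14159265358979323846264338327950288419716939937510"

def chudnovsky_pi(digits):
    """Compute pi to `digits` decimal places with the Chudnovsky series:
        1/pi = 12 * sum_{k>=0} (-1)^k (6k)! (545140134k + 13591409)
                  / ((3k)! (k!)^3 640320^(3k + 3/2))
    M_k = (6k)!/((3k)! (k!)^3), L_k and X_k = (-640320^3)^k are kept as
    exact Python integers; only the final quotient uses Decimal arithmetic."""
    getcontext().prec = digits + 10               # guard digits for rounding
    c = 426880 * Decimal(10005).sqrt()            # 640320^(3/2) / 12
    m, l, x = 1, 13591409, 1                      # M_0, L_0, X_0
    k_const = 6                                   # equals 12k - 6 at step k
    s = Decimal(l)                                # running sum of M_k L_k / X_k
    for k in range(1, digits // 14 + 2):
        # (K^3 - 16K) / k^3 is the exact ratio M_k / M_{k-1}, so // is exact
        m = m * (k_const ** 3 - 16 * k_const) // (k ** 3)
        l += 545140134
        x *= -262537412640768000                  # multiply by -640320^3
        s += Decimal(m * l) / x
        k_const += 12
    pi = c / s
    return str(pi)[:digits + 2]                   # "3." plus `digits` decimals

if __name__ == "__main__":
    print(chudnovsky_pi(50))
    print("matches reference:", chudnovsky_pi(50) == PI_50)
```

Running it for 50 digits needs only five terms of the series, which is the property that makes this formula the choice for record computations; the record run described above differs in scale (trillions of digits, disk-backed arithmetic), not in the formula.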