Staffer for Congressman tries to hire hackers to change grades

Todd Shriber, communications director for Rep. Denny Rehberg (R-MT), tried to hire hackers at attrition.org to change his college GPA for him. He corresponded in email with “Lyger” and “Jericho” (former Phoenix resident Brian Martin, who runs attrition.org), who strung him along and then published the entire email correspondence on their site. To keep things entertaining, they made some odd requests:

From: security curmudgeon ([email protected])
To: Todd Shriber ([email protected])
Date: Wed, 9 Aug 2006 17:30:44 -0400 (EDT)
Subject: Re: Question for you or other Attrition members

: Wow, I feel dumb now. I honestly cannot remember if there were pigeons on
: campus or not. A lot of crazy squirrels, but I can’t remember pigeons.
: Just for my own edification, why do you need to know that? I’ll find out
: for you.

Hey, squirrels work fine.

First, let’s be clear. You are soliciting me to break the law and hack into a computer across state lines. That is a federal offense and multiple felonies. Obviously I can’t trust anyone and everyone that mails such a request, you might be an FBI agent, right?

So, I need three things to make this happen:

1. A picture of a squirrel or pigeon on your campus. One close-up, one with background that shows buildings, a sign, or something to indicate you are standing on the campus.
2. The information I mentioned so I can find the records once I get into the database.
3. Some idea of what I get for all my trouble.

When he replied that he no longer lives near his campus (he’s in D.C., and attended Texas Christian University), they told him that any old photo of a squirrel would do–and he sent them one.
They ended their trolling by claiming that they had been caught, and that Shriber shouldn’t even visit their website anymore:

From: lyger ([email protected])
To: Todd Shriber ([email protected])
Bcc: security curmudgeon ([email protected])
Date: Sun, 27 Aug 2006 03:15:31 -0400 (EDT)
Subject: Re: the squirrels are nice here…

On Sat, 26 Aug 2006, Todd Shriber wrote:

": " I’ll take a quick look on Saturday and get the changes
": " to you immediately following that. Let me know if it’s
": " OK for me to log into that site.

todd… no more.. omfg we are SO busted.. fuck fuck fuck FUCK FUCK everything was PERFECT until their night noc ran a reverse udp traceroute back to one of the hosts we had set up after that, straight DOWNHILL. i’ve already been called twice by my isp asking about unusual activity, some other shit about access attempts to a federally monitored system they have everything in logs including the rot-26 stuff that finally got me access all goes back to your login sorry i really fucked up BAD theyre prob gonna end up calling you since they have your info just duck and run if you can, i’m going deep underground if they ask about me or attrition we don’t know each other you know youre just as guilty and liable so when they come knocking dont say anything without a lawyer and when you ask them to put the gun down say it nice because that shit isnt fun man dont even visit attrition.org again theyre trying to check web logs one last email should be ok but we’re so fucked sorry

Paul McNamara has covered the story at Network World, and it’s summarized at Talking Points Memo. The full email correspondence is up at attrition.org, but their server is having some trouble handling the traffic they’re now receiving on this.

UPDATE: Welcome to Todd and/or his colleagues at the U.S. House of Representatives!

Domain Name: house.gov (United States Government)
IP Address: 143.231.249.# (Information Systems, U.S. House of Representatives)
ISP: Information Systems, U.S. House of Representatives
Location:
  Continent: North America
  Country: United States
  State: District of Columbia
  City: Washington
  Lat/Long: 38.8933, -77.0146
  Distance: 1,975 miles
Language: English (United States) en-us
Operating System: Microsoft WinXP
Browser: Internet Explorer 6.0, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Javascript: version 1.3
Monitor:
  Resolution: 1024 x 768
  Color Depth: 32 bits
Time of Visit: Dec 22 2006 8:55:54 am
Last Page View: Dec 22 2006 8:55:54 am
Visit Length: 0 seconds
Page Views: 1
Referring URL: http://blogsearch.go…Todd Shriber&ie=UTF8
Search Engine: blogsearch.google.com
Search Words: todd shriber
Visit Entry Page: http://lippard.blogs...n-tries-to-hire.html
Visit Exit Page: http://lippard.blogs...n-tries-to-hire.html

UPDATE: Todd Shriber has been fired. ...

December 22, 2006 · 4 min

NY Times: Theater of the Absurd at the TSA

The December 17 New York Times has a great article on airport security, with quotes from Bruce Schneier and Matt Blaze. A few key paragraphs:

The root problem, as some experts see it, is the T.S.A.’s reliance on IDs that are so easily obtained under false pretenses. “It would be wonderful if Osama bin Laden carried a photo ID that listed his occupation of ‘Evildoer,’ ” permitting the authorities to pluck him from a line, Mr. Schneier said. “The problem is, we try to pretend that identity maps to intentionality. But it doesn’t.”

…

WHEN I asked Mr. Schneier of BT Counterpane what he would do if he were appointed leader of the T.S.A., he said he would return to the basic procedures for passenger screening used before the 2001 terrorist attacks, which was designed to do nothing more ambitious than “catch the sloppy and the stupid.” ...

December 20, 2006 · 2 min

Time to stop using Microsoft Word

For the second time this year, Microsoft has issued a notice of a remote code execution vulnerability in Word for which there is no patch. Their suggested workaround is “Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.” If you rely on exchanging Word documents for your business, this means shut down your business or risk infection with zero-day malware that can compromise your systems. Secunia has rated this as “extremely critical,” their most serious vulnerability rating.

The last time this happened was in May, and it took Microsoft 26 days to come up with a patch, during which time there were attacks on various enterprises from systems in China. This problem affects Word 2000, 2002, and 2003 for Windows, Microsoft Works 2004, 2005, and 2006, Word Viewer 2003, and Word 2004 for Macintosh.

I recommend switching to OpenOffice and Macintosh. If you must use Windows in a business environment, this presents a strong argument for not giving users administrative rights on their own machines (or at least not on the account they log in with to use Word), in order to limit the damage that exploitation of a vulnerability like this can cause.

UPDATE (December 15, 2006): There have now been three such Word vulnerabilities discovered in the last two weeks! ...

December 7, 2006 · 2 min

FBI eavesdropping via cell phones and OnStar

Declan McCullagh reports on the FBI using remote activation of cell phone microphones to eavesdrop on nearby conversations. He comments on a few models that are particularly vulnerable to exploitation:

Nextel and Samsung handsets and the Motorola Razr are especially vulnerable to software downloads that activate their microphones, said James Atkinson, a counter-surveillance consultant who has worked closely with government agencies. “They can be remotely accessed and made to transmit room audio all the time,” he said. “You can do that without having physical access to the phone.”

Nextel says that they didn’t participate in the eavesdropping on a couple of mobsters who were allegedly listened in on using this technique–both using Nextel cell phones. The same story reports that a 2003 lawsuit revealed similar monitoring of conversations occurring in cars featuring OnStar.

UPDATE (December 5, 2006): Bruce Schneier has commented on this story, and his readers have some interesting comments.

December 5, 2006 · 1 min

Global Crossing criticizes wiretapping rules

News.com has a nice article about how Global Crossing (my employer) has criticized the extension of CALEA wiretapping rules to VoIP and broadband: Paul Kouroupas, vice president of regulatory affairs for Global Crossing, strongly criticized the Federal Communications Commission’s broadening of a 1994 law–originally intended to cover telephone providers–as disproportionately costly, complex, and riddled with privacy concerns. His company is one of the world’s largest Internet backbone providers. “Our customers are large Fortune 500 companies–not too many of those companies are conducting drug deals or terrorist activities out of Merrill Lynch’s offices or using their phones in that way,” Kouroupas said at an event here sponsored by the DC Bar Association. “By and large we don’t get wiretap requests, yet we’re faced with the costs to come into compliance,” which he estimated at $1 million. ...

November 17, 2006 · 1 min

Ann Coulter misleads on Diebold

Ann Coulter’s column last week was titled “Historic victory for Diebold!” She claims that “For the first time in four election cycles, Democrats are not attacking the Diebold Corp. the day after the election, accusing it of rigging its voting machines. I guess Diebold has finally been vindicated.”

Just because the election wasn’t clearly rigged doesn’t mean that Diebold has been remotely vindicated, and the 2006 election continued to produce evidence that Diebold e-voting machines should not be used. As Brad Friedman points out at the Huffington Post, there were major problems with electronic voting machines in Denver, as well as problems opening the polls on time in Pennsylvania, South Carolina, Ohio, Georgia, North Carolina, Indiana, and Ohio. Problems with early voting using electronic voting machines occurred in Florida, Arkansas, Missouri, Ohio, Tennessee, Virginia, Texas, and California. The Electronic Frontier Foundation received about 17,000 complaints by 8 p.m. on election day; Common Cause received 14,000 by 4 p.m. John Gideon of VotersUnite.org put together a searchable database of reported election problems. Bruce Schneier also gives a recap of electronic voting machine problems at his blog, with Florida’s 13th District presenting the biggest issues, where 18,000 votes apparently disappeared in a race where a difference of 386 votes decided the outcome (described in a separate post).

The outcome of the election doesn’t change any of the existing data about the problems with Diebold voting machines. As usual, Coulter gets it all wrong. When it comes to voting, she should worry more about her own problems than comment on a controversy where she’s clearly completely ignorant.

November 13, 2006 · 2 min

HBO "Hacking Democracy" documentary online

You can watch it at Google Video. Everyone should be aware of the issues raised in this documentary.

November 8, 2006 · 1 min

The Two Faces of Diebold

SAIC was commissioned to perform a study on security issues in Diebold voting machines by the State of Maryland. One of the conditions Diebold set on the report in return for allowing access to their machines for the study was the right to redact whatever they wanted from the public version of the report. The public version of the report (PDF) was 38 pages. The unredacted version was 152 pages plus 41 pages of appendices. The private version of the report has now been leaked, and Rebecca Abrahams writes about the differences.

November 5, 2006 · 1 min

TSA Fails Screening Tests, Looks for Who Leaked the Results

The TSA badly failed a recent set of tests at Newark’s Liberty Airport. TSA screeners missed 90% of the guns and explosives that testers put through the system. TSA’s response? Immediate action to try to find out who leaked the results. (Via Bruce Schneier’s blog.)

October 31, 2006 · 1 min

Point out the obvious, get raided by the FBI

Security researcher Chris Soghoian, a graduate student at Indiana University’s School for Informatics and an intern at Google, set up a website that functions as a boarding pass generator for Northwest Airlines. The site contained a form that allowed you to fill in name, flight number, destination, and all of the other information on a boarding pass, and would display a boarding pass that would be indistinguishable from the real thing at the TSA security checkpoints. He pointed out that the identity check at the TSA checkpoint amounts to nothing more than a comparison between the name on a picture ID and the name on a boarding pass, and that this provides no security whatsoever.

I’m not sure what threat this check is even supposed to be trying to mitigate. At best, it is an attempt to piggy-back on the check against the no-fly list (which is itself a complete joke) that is performed by the airlines when you purchase a ticket, but clearly that fails as his boarding pass generator is one of several ways to create a boarding pass in a name other than your own–including modifying the displayed text generated by any airline’s online site or even purchasing a ticket in any name you choose. The latter was displayed vividly by a couple of guys who purchased tickets in the names of “Al Kyder” and “Terry Wrist” (link includes video).

In my opinion, the only actual purpose served by checking for a valid boarding pass at the TSA checkpoint is to reduce the number of people passing through the checkpoint in order to most efficiently make use of security resources. It does not otherwise have any effect on security; it provides no deterrent to an attacker. It is not effective in screening out those with malicious intent, and it is not even effective in verifying identity.

Congressman Ed Markey (D-MA) has called for Chris Soghoian to be arrested. He was visited and interrogated by the FBI, then went to stay at his parents’ house. Friday night, the FBI broke their way into his apartment, seized his computers, and generally trashed his place.

Lesson: Point out U.S. security weaknesses, and you will be punished. Those responsible for the weaknesses and idiocy of U.S. “security theater,” however, will not be held accountable. This is one of the rare times when Michelle Malkin actually says something correct.

Other coverage: Jim Harper, author of the excellent book Identity Crisis, at the Technology Liberation Front and at Cato@Liberty (this post does a good job of pointing out the problems with the TSA identity check). Bruce Schneier, at his blog. And there’s some rather good coverage in multiple posts at BoingBoing.

The problem that Soghoian pointed out was previously described in February 2005 on Slate.com by Andy Bowers, and in 2003 by Bruce Schneier in his Crypto-Gram newsletter. So yes, Kip Hawley is still an idiot.

UPDATE (November 2, 2006): Bruce Schneier has written a detailed description of the flaw in the security design of the TSA identity check, and makes the same point that even if the flaw is corrected it doesn’t add any real security because it’s just a check of the no-fly list.

October 29, 2006 · 3 min