Thursday, November 25, 2010

Learning from the Past - "Happy Thanksgiving you turkeys"

Happy Thanksgiving! 

For those who had never heard, or may have forgotten, I decided to write about a Thanksgiving "hacker event" that took place in the 1980's, a time when I was getting involved with computers and was devouring everything that I could find on computers and their various topics. It was kind of like a "'Twas the night before Christmas" story but with presents that nobody wanted. 

Back on November 28, 1989 the technicians at WNET (Channel 13) in New York City were preparing for their annual Thanksgiving Day celebration when a message popped up on their computer screens.

"Happy Thanksgiving you turkeys from all of us at MOD". 

Actually, the full message read,

"Haha! You want to log in? Why? It's empty! HAHAHAHAHA! Happy Thanksgiving you turkeys, from all of us at MOD." 

This message would also be seen by teachers and librarians as well.

It was signed by: Phiber Optik, Acid Phreak, Outlaw, Corrupt and Scorpion, five members of the Masters of Deception. Later during an NBC News broadcast on November 14, 19901 , Phiber Optik, found out to be Mark Abene and Acid Phreak would take responsibilities for sending "the message".

Within hours, a mysterious group of computer hackers known as the Masters of Deception (MOD) had erased nearly all the information contained on a WNET educational network called the Learning Link.


Perception. Based upon the above information, what would be your perception of a hacker? Got it? OK, put a bookmark there and let's continue...


A later, separate, but related story1 that was taken from a U.S. Newswire on July 8, 1992, wrote of the MOD in an indictment that...

A computer hacker is someone who uses a computer or a telephone to obtain
unauthorized access to other computers.

As we have seen, hackers can often be their own worst enemy. One hacker that was interviewed on a separate occasion commented:
"It's not just winning that counts but making sure that everyone else loses." 2

People's perceptions of the hacker and hacker culture were being formed by things that were said and done by hackers and in at least the case referenced above, the legal profession.

You look at a person or group that is generally marked by intelligence, resourcefulness and curiosity and because of motivation and criminal activity ends up giving the entire group a black eye.

So what can be learned from the past?

For starters:
  1. Don't do anything illegal.
  2. Don't destroy data.
  3. Let your imagination and curiosity go.
  4. Examine your motivation... Since we are talking about the past, it'd be nice for people to revisit the days of MIT's TMRC and their Coke machine, etc. If you're not familiar with that, I'll leave that one to your own digging, but there is worthwhile reading in a lot of real "old school hacks" and what is, or should be the true motivation for people.

Anyway, Happy Thanksgiving!

Sunday, November 14, 2010

Simple SQL Sinks Cyber Security

TinKode injects his own plans after UK MoD spends £650m in new funding for cyber security.
Please see the full story here.

What's the moral of this story? Sometimes the most elaborate plans are foiled by a simple, fixable issue.

The second moral is that copycat criminals and script kiddies abound. Perform your own audits and see where your security is lacking and then fix it.

SQL injection? Seriously?!?!

Saturday, November 13, 2010

David Kernell, the "Sarah Palin Hacker" is Sentenced to 1 Year and 1 Month

Yesterday, November 12th, David Kernell, the former UT student was sentenced to 1 year and 1 day for 
breaking into Sarah Palin's email account by guessing the answers to her personal information and performing a password reset (to popcorn) of her Yahoo! mail account (gov.palin@yahoo.com). According to CBS News, "he had to correctly answer the question, "Where did you meet your spouse?" The correct answer was: "Wasilla High.""1


After gaining access to her account, he posted screen shots of his activity to 4chan.


Notable quotes from this and a related article...

  • "...has been sentenced to a year and a day with the judge recommending the term be served in a halfway house, not prison. "2

  • "In breaking into Palin's account, the F.B.I. said at the time that Kernell left an easy trail to follow." 3

  • Asked outside court if she thought the charges against Kernell were excessive, Palin said, "I don't know, but I do think there should be consequences for bad behavior." 4
Now, obviously, the legality of Mr. Kernell's actions aren't a subject for debate, but I would like to bring up a few interesting thoughts.

First, the prevalence of sites asking for personal information is pretty pervasive. Many sites will ask you  "What is your mother's maiden name?", "Where did you meet your spouse?" or "Who was your second grade teacher?" While the first question is pretty easy to find, people tend to overlook the plethora of information that is available on the Internet about themselves and tend to think that their favorite ice cream flavor or some other "personal" question is hard to "guess". Browsing through Tweets or Facebook posts would probaly provide the needed information for the attacker to be able to reset the target's password or at least obtain more information.

The second fact that I wanted to point out was from the audit trail left behind by Mr. Kernell posted evidence of  his exploits on 4chan's website. This seems to be typical for the "hacker" who's motivation is for the thrill of the conquest. The need for recognition points to this person committing this act for notoriety rather than financial gain or for political espionage.

Remember, "Loose lips, sink ships!" wasn't just a truism for World War II. A person shouldn't be the source of his opponent finding out information about him.


Sources:
1 http://www.cbsnews.com/stories/2010/11/12/national/main7047981.shtml
2 Ibid
3 Ibid
4 http://www.cbsnews.com/stories/2010/04/23/politics/main6425263.shtml?source=related_story

Thursday, November 11, 2010

10 Riskiest Places to Give Out Your Social Security Number

I recently read an article that speaks about and lists the 10 Riskiest Places to Give Out Your Social Security Number. From colleges and banks to government to medical offices, the list runs the gamut or common places that you basically either have to use your social security number as an identifier or that your number is listed regularly on a variety of common forms, etc.

With the rise in identity theft and the convenience (to the companies) in mind, what's a person to do to protect yourself?

What can be done? For starters, regularly monitor your credit report for suspicious activity

Also, ask the company or agency that you are dealing with if your social security number is required. You'd be surprised at the responses that I've received what I asked if it's needed and they say, "No. That's just on there."

Getting and reading a copy of the company/agency/business' privacy and/or confidentiality policies helps understand what the company that you are dealing with is actually going to do with the information.

Of course, online identity protection and security could take a series of articles and is not covered in this story.

For more information on your Social Security Number and what to expect, you can check out this link.