Archive for the ‘Computer Security’ Category

Mamadou Diallo still, inexplicably, using my email address all over the internet

Tuesday, June 18th, 2013

For some inexplicable reason, some guy who identifies himself as Mamadou Diallo, a.k.a. Bouba Diallo, has been creating accounts all over the internet using my email address for over two years now. I’ve written about this several times before.

It’s still going on… I just got email indicating that he created a Yahoo! account (“m.diallo76”) on May 6 using my email address. Needless to say, as has been my practice, I took over the account and closed it.

I wish I knew what the hell was going on here or what the perpetrator hopes to gain by doing this. I’ve wracked my brain but haven’t been able to come up with any ideas for how this might benefit him. Someone purporting to be him posted a comment on my blog in November 2012, but it just made things weirder, without shedding any light on what’s going on. That comment probably really was posted by him, since the IP address it came from shows up as Dakar, Senegal in GeoIP lookups, and that’s where he claims to live in the accounts that he creates.

If anybody has any ideas about what might be going on here, I’m all ears.


Amend the ECPA to protect email privacy!

Thursday, November 22nd, 2012

The privacy of our email is protected by the Electronic Communications Privacy Act, passed in 1986, which requires law-enforcement officials to obtain a warrant to intercept and read private email.

However, the law has a critical flaw: it does not require a warrant for emails “left on servers” for more than 180 days. This made sense when people downloaded their email and deleted it from servers, but it’s completely obsolete in an era when email is left on servers so that people can access it from anywhere on any device.

A coalition of email service providers is seeking a revision of the law to treat email stored on servers the same as email stored on home computers. This revision should be written into law and signed by President Obama as quickly as possible to protect the privacy of American citizens’ email.

Please sign and pass on this petition to help convince President Obama and Congress to fix the ECPA!

https://petitions.whitehouse.gov/petition/amend-electronic-communications-privacy-act-protect-email-privacy/S2W89zXV

Have you enabled do-not-track?

Tuesday, October 30th, 2012

For a while now, the web browser vendors and major purveyors of targeted internet advertising have been working on a proposal for allowing users to prevent web sites from tracking their online activity and using it to “customize their web browsing experience,” a.k.a., displaying targeted advertisements which are, theoretically, tailored to the person viewing them.

Web tracking and targeted advertising is big business. In fact, some would say that without it, most of the free web sites you visit every day simply couldn’t exist. Facebook, HuffPo, Reddit, Gawker, etc. all pay the bills by selling advertising that is carefully targeted to individual users based on their past web browsing activity.

“Do Not Track” advocates say that users should have the right to preserve their privacy. Opponents, on the other hand, say that it improves everyone’s web experience by making it more likely that the content and ads they see will be interesting to them, and that (as noted above) without targeted advertising, many web sites simply could not afford to continue offering free content. Advocates respond by saying that whether someone’s web experience is targeted should be their choice, and that if targeted advertising becomes less profitable, web sites will be able to find other successful monetization strategies.

(more…)

How to misread statistics, ArsTechnica edition

Saturday, September 29th, 2012

A recent security breach exposed the plaintext usernames and passwords of almost 100,000 members of IEEE, the Institute of Electrical and Electronics Engineers. The usernames and passwords were discovered by a researcher in 100GB of log files inadvertently left open to the public on an IEEE FTP server.

Leaving aside for the moment how incredible it is that the IEEE would employ someone so incompetent as to think it’s OK to put passwords in a log file (well-known best practice in the industry is not only that you don’t log passwords, but you’re even discouraged from logging usernames on login forms, because people so frequently type their password accidentally into the username field), I want to instead comment on this graph that ArsTechnica published in their story about the breach:

(The graph was apparently published by Radu Dragusin, the researcher who discovered the breach.)

More accurately, I want to comment not on the graph itself, but rather on the caption which ArsTechnica published beneath it: “A breakdown of the 18 most common passwords exposed by IEEE suggest [sic] that engineers aren’t much better than lay people at choosing secure passcodes.”

In December 2010, the Wall Street Journal published a similar graph in an article about the breach of passwords for 188,279 users at Gawker. “123456” was the most common password there as well. That graph showed that approximately 3,077, or 1.6% of the 188,279 Gawker users chose the password “123456”. In contrast, only 271 of the 99,979 IEEE users, or 0.3%, chose that password.

Contrary to ArsTechnica’s caption, it would seem that IEEE users are “much better than lay people at choosing secure passcodes.”


Craigslist email-reply scam and what Craigslist could do to fix it

Tuesday, June 19th, 2012

UPDATE [2013-02-13]: According to this article on Craigslist, as of February 10, 2013, they have implemented and are testing the idea I described below for fixing the problem described in this posting.


I recently placed a for-sale ad on Craigslist. I anonymized my email address in the ad, which means that the published email address was a random one at craigslist.org, and any responses sent to that address would be forwarded on to me.

Within 24 hours of placing the ad, someone responded to it, but the response contained nothing but the standard Craigslist boilerplate and a copy of the first line of the ad.

I thought perhaps the sender had made a mistake, or perhaps Craigslist’s mail gateway had corrupted the response, so I sent back a reply: “Are you interested in the [item]? You don’t seem to have said so in your email.”

Within 24 hours of sending my reply, I started to receive supposed responses to my ad, sent directly to my real email address, not through the anonymous address at craigslist.org. Some of these responses even used my real name in them. I received six such emails in three days. Yikes!

(more…)

Ongoing large-scale distributed SSH brute-force attack

Sunday, December 4th, 2011

In the past, securing SSH on the public internet has been pretty much as easy as (a) keep your OS patched, (b) don’t let root log in with a password, and (c) run fail2ban to stop brute-force attacks.

Unfortunately, it looks like the bad guys have finally figured out how to put their bots to work running distributed SSH brute-force attacks. If so, then fail2ban is no longer going to be good enough, and more sophisticated (and inconvenient) measures are going to be needed.

Prior to December 1, the five machines I maintain with SSH servers accessible to the public had been probed by an average of 13 different IP addresses per day. On December 1, they were probed by 109 different IP addresses, a 738% increase over the prior average. On December 2 and 3, they were probed by 79 and 72 different IP addresses. Not as high as the first day, but still quite a jump!

I saw this increase across the board on five different machines on four distinct networks run by four different network service providers. I’ve been in correspondence with someone at the SANS Internet Storm Center who says he’s seen a similar spike on machines he maintains.

It seems clear to me that someone is engaging in a distributed brute-force attack trying to break into servers as root via ssh.
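The distributed pattern described above is exactly what a per-IP ban threshold misses: each source makes only one or two attempts, so no single address ever trips the rule. The following Python script is an added example, not the author’s code; it assumes syslog-format sshd “Failed password” lines and uses a constructed sample with documentation-range addresses. It contrasts the per-source-IP count (the view fail2ban acts on) with the number of distinct sources per day (the view that shows the spike the post describes).

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)

# Constructed sshd log sample (documentation-range addresses, not real hosts).
# Nov 30 shows the old pattern: one host hammering root, which a per-IP ban catches.
# Dec 1 shows the distributed pattern: many hosts, one or two attempts each.
SAMPLE_LOG = """\
Nov 30 02:11:03 host sshd[4101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Nov 30 02:11:05 host sshd[4101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Nov 30 02:11:08 host sshd[4101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Nov 30 14:20:31 host sshd[4877]: Failed password for invalid user admin from 198.51.100.9 port 51002 ssh2
Dec  1 00:05:12 host sshd[5120]: Failed password for root from 203.0.113.21 port 33010 ssh2
Dec  1 01:17:40 host sshd[5133]: Failed password for root from 198.51.100.44 port 41877 ssh2
Dec  1 03:42:09 host sshd[5190]: Failed password for root from 203.0.113.77 port 60233 ssh2
Dec  1 07:58:51 host sshd[5242]: Failed password for root from 192.0.2.130 port 39911 ssh2
Dec  1 12:03:27 host sshd[5301]: Failed password for root from 198.51.100.2 port 55410 ssh2
Dec  1 12:03:29 host sshd[5301]: Failed password for root from 198.51.100.2 port 55410 ssh2
Dec  1 19:30:05 host sshd[5388]: Failed password for root from 192.0.2.18 port 47720 ssh2
"""

def parse_failures(text):
    """Yield (day, user, ip) for every 'Failed password' line in syslog format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield f"{m['mon']} {int(m['day'])}", m["user"], m["ip"]

def attempts_per_ip(text, day):
    """Failure count per source IP on one day: what a per-IP ban rule sees."""
    return Counter(ip for d, _, ip in parse_failures(text) if d == day)

def distinct_sources_per_day(text, user=None):
    """Distinct source IPs per day, optionally restricted to one target account."""
    seen = defaultdict(set)
    for day, u, ip in parse_failures(text):
        if user is None or u == user:
            seen[day].add(ip)
    return {day: len(ips) for day, ips in seen.items()}

def spike_days(per_day, baseline, factor=2.0):
    """Days whose distinct-source count exceeds the baseline by the given factor."""
    return sorted(d for d, n in per_day.items() if n > baseline * factor)
```

On the sample, no Dec 1 source exceeds two attempts, so a per-IP threshold never fires, while the distinct-source count triples against the prior day.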

(more…)

Post-mortem of security breach on my Linux server

Friday, September 16th, 2011

On the afternoon of September 15, I started getting some strange email messages from cron on my Linux server, which hosts my email, blog, DNS, and several web sites for various non-profit organizations I’m involved with.

(Background: One of the web sites, an old Drupal installation, handles scheduled tasks through a cron job that periodically fetches the URL /cron.php on the site. Each time /cron.php is fetched, Drupal checks if any scheduled tasks came due since the last time it was fetched, and executes the PHP code for those tasks. The scheduled tasks aren’t actually supposed to generate any output, so the cron job that fetches /cron.php shouldn’t generate any output and therefore shouldn’t cause cron to send email.)

All of a sudden, the cron job that fetches /cron.php started sending me email every time that it ran. When I looked closely, I saw that the contents of the email were some strange, totally incomprehensible JavaScript fragment. I was incredibly busy, so although I thought it was curious that this should suddenly start happening, I didn’t immediately give much thought to it. After it had been stewing in the back of my mind for a couple of hours, however, I suddenly realized with a start that some script kiddie had almost certainly broken into the server and added malicious JavaScript to its pages, so I had no choice but to stop what I was doing and clean up the mess.

(more…)

Email identity thief strikes again

Wednesday, August 24th, 2011

This time, my email identity thief created an account using my email address at support.mozilla.com. I received email from the site in French asking me to confirm my email address.

I’ve reset the password on the account to prevent him from using it, but I can’t log into the account to see what profile information he specified or what he did on the site, because the site provides no way to recover a lost username. I’ve contacted webmaster@mozilla.com and asked them to provide me with the username as well as information from their logs about who created this account.

They’re a bit more likely to be willing to help than Skype, given that (a) they’re a collaborative, open-source organization and (b) I have an ongoing relationship with Mozilla, having submitted several core and Thunderbird patches and been nominated as a “Friend of the Tree”.

I’ve asked them at the very least, if they’re unwilling or unable to provide me with the username, to delete the account, since I don’t want accounts created by other people using my email address on sites all over the internet.


IMPORTANT UPDATE on Brave New Foundation and Nation of Change

Friday, August 12th, 2011

I wrote several days ago about spam I received from Nation of Change at an email address which had previously only been shared with Brave New Foundation. Earlier today, I wrote about Nation of Change apparently attempting to cover their tracks after their unauthorized use of email addresses was discovered and reported by me.

I have been in conversation about this with a high-level employee at Brave New Foundation, and I am now able to report the following important information:

  • Brave New Foundation does not sell, share or rent their email lists.
  • There is a Brave New Foundation employee with access to their lists who has a relative who works for Nation of Change.
  • Brave New Foundation believes that this Nation of Change employee made unauthorized use of his/her relative’s access to copy an as yet undetermined subset of Brave New Foundation’s email lists for Nation of Change’s use.
  • Brave New Foundation does not believe its employee was complicit in this unauthorized access. In fact, s/he was unaware that it had occurred until I brought it to Brave New Foundation’s attention.
  • Brave New Foundation considers this breach of their data to be extremely serious, and they are actively investigating it.
  • Brave New Foundation is considering legal action against Nation of Change both to prevent any further use of the copied email addresses and to obtain financial compensation for the damage to Brave New Foundation’s reputation and the time and resources spent investigating this incident.

All of this information, as well as some additional off-the-record supporting information that I cannot report here, was provided to me directly by an employee of Brave New Foundation. I have no reason to believe that employee is lying, and what s/he told me is consistent with my suspicions and impressions about Nation of Change. However, in the spirit of full disclosure, I want to be clear that I have not seen any hard evidence supporting any of Brave New Foundation’s allegations against Nation of Change.

When you combine these new allegations against Nation of Change with all the other issues I raised in my first posting about them, it seems doubtful that this is an organization which deserves anyone’s support.


Nation of Change trying to cover their tracks?

Friday, August 12th, 2011

I wrote recently about spam I received from a new, shady-seeming progressive organization called Nation of Change, sent to an email address that I had only ever used to subscribe to another organization’s mailing list.

I asked a lot of questions about Nation of Change, and thus far they’ve failed to respond to any of them. Here’s what has happened instead.

(more…)