I become very ambivalent when reading Jane McGonigal’s Reality Is Broken. She has two main arguments. First, that playing interactive games is good for us as they supply intrinsic rewards that most people cannot attain in real life. That is why reality appears broken to many people. The second argument is that the energy of gamers should not only be a trivial pursuit of individual pleasures. Games should be designed so that they participate in solving the great problems of our times. There is much to like about these two ideas. However, I’m reminded of the old mind/body problem in philosophy. An important problem with gaming is that the mind goes on a trip, disconnecting from the physical body. Granted, the same thing happens when we read a book or watch TV, but gaming takes this to a new level. Arguably, one of the greatest health problems of 20th century people was this tendency to disconnect from our bodies. Until the point that virtual reality games make us more fully physically involved, it seems to me that gaming is simply moving us further in that direction.
The World Wide Web celebrated its 20th birthday a few days ago, on August 6, in relative quietude.
Despite the fact that these types of “birthdays” usually are big news (so and so many years since the Kennedy assassination, the moon landing, 9/11 etc.), this one was ignored by mainstream media. This is probably because the start-up of the World Wide Web was not seen as big news at the time. It is only when looking back that we can see that this was a really really big thing. Oh well, better luck in 2016.
To be hacked or not to be hacked, that is the question
whether it is nobler in the server to suffer the trojans and backdoors of outrageous cyber criminals
or to take arms against a sea of breaching
and by opposing end users
to die, to reboot no more-
and by a system crash to say we end
the World Wide Web, and the thousand social media
that flesh is heir to.
The famous quote by Scott McNealy, “you have zero privacy, get over it”, is frequently circulated these days. After the recent security breaches at organizations such as Sony, RSA and Oak Ridge National Laboratory, Computerworld blogger Jaikumar Vijayan turned this into “you will get breached. Get over it”. He argued that the number of security vulnerabilities, in combination with the wealth of hacking technologies available, made it impossible to avoid getting hacked.
I see this as a spiral and predict that our surrender to hacking technology will be increasingly dramatic. We can expect the following variations of the McNealy quote:
You have zero corporate secrets. Get over it.
You have zero national secrets. Get over it.
You have zero military secrets. Get over it.
You have no ability to safeguard control over your Internet-based military weapons. Get over it.
You have no ability to defend national infrastructure. Get over it.
I have difficulty seeing any strict line from one statement to the other. It is simply a slippery slope. One might ask: are there any limits to what we are forced to get over?
Malware is the most effective means of long-distance password theft. The word is an umbrella term for all kinds of malicious code. In the old days, computer viruses were created as pranks and you knew that you had one, since in one way or another it harmed the computer. Today, computer viruses are big business, or rather, big cyber crime business. A computer virus is intended to be like a parasite: undetected, with the host alive.
There are three major genres: spying, remote control and identity/password theft. Spying is mostly targeted at the industrial secrets of major corporations. Internet spying has also effectively replaced much of the old cloak and dagger stuff of national governments. A well-placed piece of malware can easily outperform the traditional efforts of the whole CIA, and this is no exaggeration.
The genre of remote control can take on different forms, most significantly that of the botnet. Infected computers are made into “slaves” and they can be orchestrated by the hundreds of thousands to send requests to the same homepage at the same time, triggering a crash.
The third genre, identity/password theft is the focus of this blog series. The most dangerous form of malicious code is the keystroke logger or the “keylogger”, actually a family name for a number of different programs with the same aim: logging/documenting the activity on the keyboard when the user encounters fields where personal information is to be inserted. The main concern is usernames, passwords, credit card numbers and other forms of identifying bits of information that can facilitate identity theft. The program will regularly send retrieved data to the malware owner.
21. The basic method is that the program simply registers what keys are pressed whenever forms are encountered. However, sophisticated antivirus programs are on the lookout for these activities.
22. Another method is therefore to simply access password data already stored in the web browser as well as the data connected to automatic form filling.
23. One security approach to countering basic key logging has been to avoid logging in through the keyboard. Instead, login has been performed through the user clicking with the mouse on a virtual keyboard on the screen. Cyber criminals have countered by devising keylogger programs that register the use of the mouse.
24. Another way of capturing most kinds of logins is to take a screenshot after the relevant information has been inserted.
25. In addition to keystroke logging, the backdoor is a popular malware form of password theft. If the virus can create an invisible backdoor to the computer, the cyber criminal can access it whenever he or she wants. This method is mostly used for spying and remote control, but access to passwords and other forms of data will be very easy. Sometimes, the backdoor is combined with a traditional keylogger. The backdoor can be used to update the virus and indeed replace it whenever it is quarantined by the security program.
Well, do you have any of these on your computer? You cannot know for sure. Common estimates are that there are 30 new computer viruses introduced to the Internet each minute. Sophisticated antivirus programs will discover most of them in time, but there’s usually a period of some 10 days before protection or cure can be downloaded to your computer. In addition, most of the viruses are not fixed. Increasingly, the major tool of security programs is to monitor for suspicious activity. Cyber criminals have increasingly responded by creating malware that disguises suspicious activity. “Your computer is safe,” says your security program. That is not an objective statement of fact. Your computer is never safe.
The new social network application color.com has been called Facebook for those with no privacy concerns at all. With color.com you have no privacy settings at all, perhaps doing overtly what Facebook is doing covertly. Color.com manages not only to violate privacy conventions/regulations, but also tears a fresh wound into the old and flawed copyright legislation. With this new social media, it becomes possible to walk down the street with your smart phone on and simply download everything that is on the mobiles of those passing by. Yes, this is sharing, but it is also an updated version of Napster. While these kinds of technologies are being developed, the legal arm of the major recording companies, RIAA, is in the business of suing LimeWire for trillions of dollars. Putting these two developments together, it would seem that the music business is several years, perhaps more than a decade, behind the times.
But… Perhaps not. The judge on the LimeWire trial initially noted that this filesharing application was being sued for more money than the whole industry had made since Edison. Maybe they feel that this is the way to make money in the digital age? It seems lucrative enough. So, here’s a tip, allow color.com to grow and flourish and when they have peaked and been replaced by something else, simply sue them for $1 trillion.
Isn’t this a marvelous business idea? And you need not be afraid of the classical problem of attacking your customers. These copygrey businesses are not your customers or even your regular music fans. In this new world, the lawyers are your customers.
What joy it is to find an open wireless Internet connection when you really need one! However, surfing on an open network can be very costly. Today, unfortunately, the standard recommendation is to avoid them altogether. The basic advice is to connect with encryption (HTTPS), through a VPN tunnel, or both.
16. The point was brought home by freelance software developer Eric Butler in October 2010 as he released Firesheep, a Mozilla Firefox plug-in for sniffing out passwords on open Wi-Fi networks. The program exploits a long-standing weakness in the handling of secure login in connection with cookies. A common procedure is to use encryption at the actual login. Thereafter, whenever the user continues interacting with the website, the browser is equipped with a cookie that contains login data. This facilitates the surfing experience so that the user need not log in every time she does something. However, as the cookie is not encrypted, it becomes possible for a sniffer application to read the login data, including user ID and password. Common targets for hackers became Hotmail, Gmail and Facebook.
17. Since the vulnerability is old and well-known, it had been exploited long before Butler. The traditional approach has been to combine a packet sniffer, such as Wireshark, with specialised software such as Hamster and Ferret. Such attacks were not limited to Wi-Fi networks but targeted the overall vulnerability of using conventional HTTP.
18. Another problem with open wireless hotspots was that the signal itself could be intercepted. With the right equipment, one could easily tune in on and download all interaction on an open network.
19. A slightly more sophisticated approach was to simply establish a hotspot as a service, but with the sole purpose of stealing information.
20. A variation of that approach is to impersonate a legitimate hotspot, such as at a library, university or hotel. This is rather common and customers always need to be careful to check that they are logging in at the right network.
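A defender's check for the weakness described in item 16, as an added example that is not part of the original post: it reads a constructed HTTP login response and reports session cookies set without the Secure attribute, which the browser would therefore also send over unencrypted HTTP. The cookie names and the response text are assumptions made up for the illustration.

```python
# Added example: find session cookies that may travel over plain HTTP.
# The response below is constructed; cookie names are hypothetical.

SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=3f9a1c; Path=/; HttpOnly
Set-Cookie: auth_token=b71e02; Path=/; secure; HttpOnly
Set-Cookie: lang=en; Path=/
set-cookie: remember_me=77aa; Max-Age=2592000
"""

# Cookies that identify a logged-in user (assumption for this sample).
SESSION_COOKIES = {"sessionid", "auth_token", "remember_me"}


def session_cookies_without_secure(raw_response, session_names):
    """Return names of session cookies whose Set-Cookie lacks 'Secure'."""
    findings = []
    for line in raw_response.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue  # status line and unrelated headers
        parts = [p.strip() for p in value.split(";") if p.strip()]
        if not parts:
            continue  # empty Set-Cookie value
        name = parts[0].partition("=")[0].strip()
        # Attribute names are case-insensitive ("secure" == "Secure").
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        if name in session_names and "secure" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for cookie in session_cookies_without_secure(SAMPLE_RESPONSE, SESSION_COOKIES):
        print(f"{cookie}: no Secure attribute, readable on an open network")
```

A cookie that carries the Secure attribute is only sent over HTTPS, so it does not appear in clear text after the encrypted login.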
It is a curious thing that many programs and features that are developed to increase Internet safety can also be used to destroy Internet safety. Perhaps the most obvious example of this is programs for packet analyzing a.k.a. packet sniffing. All Internet messages are chopped down into small packets that are reassembled once they reach their destination. Packet sniffing simply means intercepting traffic, copying the content and then allowing the packets to go on their way. These kinds of activities are done routinely in order to maintain Internet stability. However, the same instruments can easily be used for eavesdropping on Internet usage. Since Internet traffic tends to pass through a huge number of servers, there are a multitude of passage points at which any individual message can be intercepted and discreetly copied. The most famous packet sniffer was the FBI Carnivore which did a major spy job 1997-2005. It has since been replaced by even more effective software.
A specific genre of packet analyzing is “password sniffing”. Once again, this can be useful for protection but can also be a tool for password theft.
11. Ettercap is a free and open source tool. It puts the network into so-called “promiscuous mode”. This allows the sniffer to read and visualize everything passing through regardless of address and including the address of the computer sending the message. Ettercap can sniff out both username and password.
12. dSniff is designed for purposes of testing. Therefore it is good at visualizing traffic and can sniff out usernames, passwords, webpages being visited etc.
13. Cain and Abel is a multifunctional packet switching software, officially a “password recovery tool” which can be used both for sniffing out and cracking password hashes (see part two of this series of posts).
14. If you have access to the computer itself, it is also possible to sniff out passwords from the information that the system has dumped. There are many official tools available from major companies in this area.
15. Computer-based password sniffers can also sniff out passwords from other computers if they can utilize the promiscuous mode function.
In my first post in this series, I focused on the perils of leaving the computer unattended. However, various passwords on the Internet are open and accessible for theft 24/7. In addition, they can be accessed from any place. The most obvious way of doing this is through password cracking. All you need for this is 1) password cracking software and 2) access to a list of passwords. The first one is easy and the second one more difficult. However, any service that needs to check the authenticity of users logging in needs to save such lists in several places and make them accessible through many channels. Password lists have historically been notoriously difficult to contain. This creates a vulnerability that is countered by storing a cryptographic hash of each password. The idea is that even if you do get access to the list of passwords, it would be useless for you. Not so.
6. The basic technique for cracking a password is brute force. The program simply runs through and tests every conceivable combination until successful. The brute force method is crude but effective against shorter passwords. To guard against it, you should have a lengthy password since the difficulty increases exponentially with length.
7. For longer passwords, the dictionary method has proven very effective. Instead of running through a random combination of figures, as with brute force, the program runs through the whole dictionary. As most people only use a word, the password is eventually cracked. To guard against it, we are recommended to combine words or put in numbers.
8. However, the dictionary method can also be used to try each word in the dictionary against any other word or against any number at the start or at the end of the password (the way we like to put them).
9. Building on the assumption that many people will build their passwords on their specific context and the things that are important for them, it can be possible to feed the program certain clues such as occupation, names of family members, address, etc.
10. Cracking software can also include functions for cryptanalysis. The dreaded rainbow table method has proven very successful. This effectively reverses the cryptographic hash procedure.
As personal computers have become more powerful each year, cracking has become easier even with more complex and longer passwords. The safety measure of “rehashing” the password will probably be more common in the future. We are not there yet.
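Why a plain hash does not protect a leaked password list, and what salting plus repeated hashing changes, shown from the side of the service storing the passwords. This is an added example, not part of the original post: it uses a simple precomputed lookup table as a stand-in for the rainbow table of item 10, takes “rehashing” to mean iterated hashing with PBKDF2, and all users, passwords and the word list are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: demo value, not a recommendation


def fast_hash(password):
    """Single unsalted SHA-256: same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted_hash(password, salt=None):
    """Per-user random salt plus many hash iterations (PBKDF2)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(slow_salted_hash(password, salt)[1], digest)


def found_in_table(store, table):
    """Accounts whose stored hash appears in a precomputed hash->word table."""
    return {user: table[h] for user, h in store.items() if h in table}


WORDLIST = ["sunshine", "dragon", "letmein"]            # constructed
USERS = {"alice": "sunshine", "bob": "sunshine",
         "carol": "Tr4il-mix-obelisk"}                  # constructed


def demo():
    table = {fast_hash(w): w for w in WORDLIST}          # built once, reusable
    unsalted = {u: fast_hash(p) for u, p in USERS.items()}
    salted = {u: slow_salted_hash(p) for u, p in USERS.items()}
    salted_hex = {u: d.hex() for u, (_, d) in salted.items()}
    return {
        "unsalted_found": found_in_table(unsalted, table),
        "salted_found": found_in_table(salted_hex, table),
        "unsalted_duplicates": unsalted["alice"] == unsalted["bob"],
        "salted_duplicates": salted["alice"][1] == salted["bob"][1],
        "login_works": verify("sunshine", *salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a unique salt per user, a table computed in advance no longer matches any stored value, and the iteration count multiplies the cost of every single guess.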