A real “Low Orbit Ion Cannon” gives new meaning to “Denial of Service”

So, is it just me or is this life imitating art imitating life imitating art…. or… something?  Hopefully some gamer, geek or Star Wars fan can help me untangle the levels of overlapping nerd irony and the triple (maybe more?) entendre here.  Whatever.  It’s some kind of clever, linguistic, something-funny-in-there-someplace,  with a side order of potentially-worrisome-but-in-the-meantime-sci-fi-channel-awesomeness.

If “LOIC” already makes sense to you, skip to the bottom of the graphic.  If not, read on.  This won’t take long.

Ready ?

  • So there’s a video game series called  Command & Conquer.  In it is a weapon called the Low Orbit Ion Cannon, or LOIC.  It is a space-based platform that sends targeted beams of energy down through the sky and makes very specific things go boom.
  • The name was in turn co-opted by the authors of a tool, also called Low Orbit Ion Cannon, for stress testing a target system by subjecting it to a (simulated?) Denial of Service, or DOS, attack.  For you ungeeks out there, a DOS attack is essentially sending highly focused streams of packets against a specific machine or network to see if you can make it go boom.  Hence, the name.
  • They later open-sourced the Low Orbit Ion Cannon software into the public domain, whereupon it was used for both legitimate network testing and by people making all kinds of mischief, to wit, making various computers or networks go boom.
  • In other words, a tool originally developed to make networks safer from Denial of Service attacks was then used to commit Denial of Service attacks.  So far so good?

[Image: Low Orbit Ion Cannon, courtesy of Digital-digest.com]

  • Recently, Boeing and the US Air Force revealed in a video animation and public statements that they had successfully tested a weapon that could completely disable computer systems in specific locations with extreme precision, e.g. kill the electronics in one building, but not the building next to it.
  • How did they do this?  An aerial platform that sends targeted beams of energy down from the sky and makes very specific things go boom.

Boeing calls the platform CHAMP. (What, no gamers on the project?) It appears to use  incredibly powerful electromagnetic pulse – EMP – to knock out the target’s computers and electronic equipment.  No mystery there, EMP has been kicked around as a weapon for decades.  Except… it does so on such a targeted basis that the aircraft carrying the weapon, itself full of wires and chips and electronics, is unaffected.  Whoa….

Anyway, I think the implications of this are kind of scary in the longer run, proliferation being what it is and all.  On the other hand, this EMP thing is the same stuff that saved Neo, Morpheus and the Nebuchadnezzar from the Sentinels in  The Matrix.  Maybe the human side of the conflict will stand a chance against Skynet after all.

SCAM ALERT: Facebook messages just came to a mailbox I don’t use for Facebook

QUICK HIT:  I just got an email from “facebook” with the usual annoying “You have notifications pending” but it came to an account that I don’t use for Facebook.

The link is to indonesianfilmfestival.com.au/trace/a/b/c/d/ and the actual sender address, you can see in the picture is q7frrf4s6rc9 (AT) async.norma.no.  Norma.No is the legitimate site of a Scandinavian industrial firm, so clearly something’s gone a wee bit amiss in their IT somewhere.

Anyway, for all you happy/active Facebookers out there, take some care and check sender fields, mouseover/hover over the links in those supposed FB emails, or of course, better yet, don’t click ANY links in emails and go log into FB yourself if you have notifications to see.  Screenshot below so you can see what not to trust.


SCAM ALERT: LinkedIn breach and eHarmony phishing, and what you should do about it

Sorry this is late in coming, I was tied up all day yesterday at an offsite. By now most people will probably have heard that about 6.5 million LinkedIn passwords were stolen and posted on a hacker Web site the day before yesterday.  (eHarmony was hit too in case you didn’t know that.) There’s good news and there’s bad news here:

The good news

1.  The only things stolen, supposedly, were passwords.  Why is that good news? Without the matching user account, they’re not very useful.

2.  The passwords were hashed, so MOST but not all of them remained encrypted.  Some were posted in clear text, but most were not.

3.  The actual password hack is an easy problem to resolve.  Just log in and change your password.

The Bad News

1.  We’ll probably see many more of the passwords compromised/decrypted soon.  Why?  Well, hashing is done by feeding your password into an algorithm that creates a meaningless string of characters, and there are many standard hashing algorithms of various sophistication and obsolescence in use (MD5, SHA-1, etc.).

Unfortunately, this means that unless the passwords were also “salted” (they weren’t), anyone with the algorithm can brute force lists of common passwords and produce the hash of that password.  I would be willing to bet a dollar that the passwords that were published in cleartext were common ones that either available libraries had pre-determined the hash for (e.g. password, 12345, mylogin, etc.) or they were simple ones that were easy to brute force. (There is by the way a wee bit of interesting stuff about how they did it, but we’ll get to that a bit further down).

2.  The really bad news is that the compromised passwords aren’t the real danger, the danger is the social engineering attacks that have already begun that play off users’ fears about the breach.  Even IF your password was published in the clear, without your account name, it’s useless.  However, most users who see only the headlines don’t know that or don’t understand the details enough to discern a scam like this one (thanks here to CBS/CNET for the example):

CBS/CNET provided example of LinkedIn Phish: http://asset3.cbsistatic.com/cnwk.1d/i/tim/2012/06/07/Screen_shot_2012-06-07_at_12.21.42_PM_610x168.jpg
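To make the salting point concrete, here is an added illustration (my own code, not anything from LinkedIn or the articles linked above) using Python’s standard library: unsalted SHA-1 lets two users with the same password share one hash, and that hash can be matched against a table that was computed once in advance, whereas a per-user random salt plus an iterated hash (PBKDF2 here) makes every stored value unique and forces fresh work per account. The wordlist and the three user accounts are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a public wordlist of common passwords.
COMMON_PASSWORDS = ["password", "12345", "mylogin", "linkedin", "letmein"]

def sha1_unsalted(password: str) -> str:
    """Plain SHA-1 of the password, the unsalted scheme the post describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def precomputed_table(words) -> dict:
    """Hash -> password table built once; useful only when no salt is in play."""
    return {sha1_unsalted(w): w for w in words}

def count_precomputable(stored_hashes, table) -> int:
    """Stored values matched by a single dict lookup each (no brute force needed)."""
    return sum(1 for h in stored_hashes if h in table)

def pbkdf2_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) stored as 'salthex$hashhex'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${dk.hex()}"

def store_salted(password: str) -> str:
    """Fresh 16-byte random salt per user, so equal passwords never share a hash."""
    return pbkdf2_salted(password, os.urandom(16))

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(pbkdf2_salted(password, bytes.fromhex(salt_hex)), stored)

def demo() -> dict:
    """Three constructed users, two sharing 'password': the unsalted hashes collide
    and sit in the table; the salted ones differ from each other and from the table."""
    users = {"alice": "password", "bob": "password", "carol": "correct horse battery"}
    unsalted = {u: sha1_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    table = precomputed_table(COMMON_PASSWORDS)
    return {
        "unsalted_linkable": unsalted["alice"] == unsalted["bob"],
        "unsalted_hits": count_precomputable(unsalted.values(), table),
        "salted_linkable": salted["alice"] == salted["bob"],
        "salted_hits": count_precomputable(salted.values(), table),
        "salted_verifies": all(verify_salted(p, salted[u]) for u, p in users.items()),
    }
```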

So, what should you actually DO about it?

1.  Type the address for LinkedIn into your browser yourself, and change your password from the account-management screen.

2.  Use a strong password to prevent pre-published or easy decryption of the hash, and having done that, you can then ignore / distrust any email, legitimate or not, that purports to come from LinkedIn regarding the breach and asks you to do anything about it.  (As usual, whenever possible, don’t click links in emails; type the address in yourself and find what you need on the site you know is the real one.)

3.  Since many of us use the same password for lots of Web sites, you might want to update the password for those that shared the password you used for LinkedIn, and

4.  Finally and most importantly (for many reasons), read this strip from XKCD for some ideas on how to create very strong, easy to remember passwords, and for those who don’t already read it, it has the added benefit of introducing you to what is undoubtedly the greatest, nerdiest, smart-humor-est awesomest stick figure blog ever.

A final note: For the nerd-herd, by the way, the brute forcing of the password hashes was reportedly crowd sourced, which I find both neat and slightly scary.  Like the old SETI search that broke down radio noise from outer space into chunks for processing on “volunteer” PCs all over the world, password cracking is a wonderful activity for divvying up among thousands of machines and harnessing supercomputer power without having to, you know, spring for a Cray.  I wonder if the machines were volunteered, or whether it was done by renting a botnet.

SCAM ALERT: Fedex emails, Best Buy text messages and in the news, new APWG report

Just another quick “Be careful” note….

Today, I get to warn you about scams I am aware of because I’ve personally gotten all of them in the last 24 hours.  The first, which I hope and expect NO ONE should fall for, is a flood of “Fedex” notifications that are so badly written they’re actually entertaining.

What’s more interesting to me as a linguist is to see if you can localize the scammer based on HOW it’s badly written.  For instance, Russian speakers (and those of other related Slavic languages) will frequently make all kinds of errors with particles. You see, Russian has no “a”, “an” or “the” equivalents, so they often appear (and disappear) sporadically and in the wrong places.  See excerpts from my flood of (malware-laden by the way, please don’t open those attachments!) Fedex notices the last few days.

  • “Our courier couldn’t make the delivery of parcel.”
  • “Label is enclosed to the letter.”
  • “…information about the procedure of parcels keeping…”

You can almost hear the voice of The Count from Sesame Street.

Then I got a text message that said:

“Your entry last month has WON! Goto http://www.bestbuy.com.kvoq.biz/?claimid=212 and enter your Winning Code: “6655” to claim your FREE $1,000 Bestbuy Giftcard!”

What’s interesting about this one to me is the link sent via text.  This means essentially it is either:

  1. A phish in the classic sense, meaning it just asks you to divulge information on the destination page; or
  2. The link is malicious, which is kind of neat because, given the delivery via SMS, it would therefore (I assume) engage malware targeting either the iOS or Android operating system.

Given the deplorable, nearly non-existent state of mobile malware protections and smartphone anti-virus defenses, I elected not to click the link from my phone to find out.  (Given that the domain was created on Monday of this week via anonymous registration in Panama, this seemed like a good site to avoid.)

Finally, in scam-related news, the Anti-Phishing Working Group published their report on H2 2011.  There’s a nice synopsis here, or you can download the full report from APWG’s Web site.


Columbia Researchers Put Metrics to Phishing Victims’ Gullibility

Researchers at Columbia University have built a small-scale system that synthesizes phishing emails and measures the susceptibility of a targeted population to them.  First-round participants who fell for the simulated scams were notified of their mistake, but were NOT notified that they would also be re-targeted for future probing/attack.  As the guy who (warning, shameless plug alert) authored my company’s Cyber Safety Awareness Training product, I can’t say I’m surprised by the most depressing tidbit.  Even targets who were warned they were being taken online fell for as many as four successful scams before learning a bit of caution.

I’m just hitting a few highlights of course, but the full paper is an interesting read, available for download at

http://academiccommons.columbia.edu/download/fedora_content/download/ac:142665/CONTENT/metrics_hst.pdf

SCAM ALERT: Justin Bieber emails part of malware spreading over Facebook

Kaspersky Labs researcher Sergey Golovanov has a detailed post this morning about the LilyJade worm, a technologically fascinating bit of naughtiness that is spreading via messages about teen pop star Justin Bieber (though of course the content of the emails will change constantly).  For users, all you need to know is, as always:

1.  Don’t trust messages, click on links or open attachments from anyone you don’t know.

2. Even if it’s from someone you do know, if the message seems generic, is totally off any topic you care about or seems out of character for the sender, same rules apply.  Their account may have been compromised.

3. If the message seems like it actually might be important, reach out to that person via an alternate channel, e.g. a phone call, a text, or an email to another account.  You may just make them aware of the fact that their account is compromised and they didn’t know it.

4. Hover your mouse over all links in emails and see if the visible link and the underlying actual destination agree.  If they don’t, don’t click the deceptively labeled link.

5.  Never respond to online requests for personal information, passwords, login credentials or financial data except on a reputable web site you trust (e.g. Amazon, Zappos, eBay) where you TYPED IN THE ADDRESS YOURSELF.

For the really nerdy among you, who care about “cross-platform browser vulnerabilities” or like reading code on a command line (dorks), the Kaspersky post is pretty interesting and detailed.

SCAM ALERT: Facebook, Gmail, Hotmail, Yahoo – “Rebates” and “New security measures”

Just a quick heads up to all – this post from security vendor Trusteer details the latest widespread, and technologically pretty smart, phishing / malware campaign against users of the big Web-based email services, as well as Visa and Mastercard.  A few articles out there too, but I like the original Trusteer post because it has pictures of the actual materials.

As always:

1.  Assume any email asking you to do, click or download something is fake.

2.  Hover your mouse over the links in the email. The destination of the link should appear.  If it goes to a site you’ve never heard of, or the actual link disagrees with the one shown in the text, don’t click it.

3.  If you need something from any web based vendor you use and trust, amazon, gmail, or whatever, type the name in the address bar yourself.
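The “hover over the link” check from item 2 here (and item 4 of the LilyJade post above) can be automated for an HTML email body. This is an added example, my own code rather than anything from Trusteer or Kaspersky: it pulls every anchor out of the HTML, flags links whose visible text names one host while the href goes to another, and flags destinations that merely contain a trusted brand name (the way www.bestbuy.com.kvoq.biz contains bestbuy.com). The sample email body is constructed from the link destinations quoted in these posts; the trusted-domain list is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Lowercased hostname of a URL or bare domain string ('' if none)."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def suspicious_links(html, trusted_domains):
    """(href, text, reason) for each link the hover test would reject: visible text
    names a different host than the href, or the destination only contains a brand."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = host_of(href)
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != real:
            findings.append((href, text, "visible URL differs from destination"))
            continue
        for brand in trusted_domains:
            if brand in real and real != brand and not real.endswith("." + brand):
                findings.append((href, text, f"looks like {brand} but is not"))
                break
    return findings

TRUSTED = ["facebook.com", "bestbuy.com", "linkedin.com"]   # assumed allow-list
# Constructed sample body using the link destinations quoted in these posts.
SAMPLE_EMAIL = """<p>You have notifications pending:
<a href="http://indonesianfilmfestival.com.au/trace/a/b/c/d/">www.facebook.com/notifications</a></p>
<p><a href="http://www.bestbuy.com.kvoq.biz/?claimid=212">Claim your FREE giftcard</a></p>
<p><a href="https://www.linkedin.com/settings/">https://www.linkedin.com/settings/</a></p>"""
```

Running `suspicious_links(SAMPLE_EMAIL, TRUSTED)` flags the first two anchors and passes the third, which is exactly what a careful mouse-over would tell you.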

Surf safely!
