Posts for: #Security & Privacy

Streamyx forced ads (202.71.99.194)

A couple of days back, I was at my in-laws doing some browsing on their PC. Now my in-laws have a Windows XP laptop, that isn’t secured, which is fine because as far as I can tell, I’m the only one that uses it. Most of them now go to their phones or tablets for internet access–nobody uses PCs anymore!!

[Read more]

Malaysian Government Hacked Environmental website?

How IP addressing works

Environment News Service, an environment-focused news website, this week accused Malaysian government hackers of attacking it after it ran a story implicating Sarawak governor Tun Abdul Taib Mahmud of corruption and graft. As a result, the site was down for 2 hours before the site managed to regain control.

“The attack on our site came from a Malaysian government entity as identified by their IP address,” said Sunny Lewis, editor-in-chief of Environment News Service (ENS).

But what exactly is an IP address, and how did ENS identify it?

Let me explain.

[Read more]

ATM Hacks are so bloody boring

KLIA computer infected with Virus

Last week, while I was flying from KL to London, I noticed a strange anomaly on the screen of the boarding gate at KLIA. Closer inspection revealed that it was an anti-virus warning that signaled the computer had been infected by a Virus (almost 2 days ago!!). As a techie, I quickly deduced 3 things from the screen.

One, the computer was running Windows, and probably an outdated version of Windows. Two, the computer had been infected with Conficker. Conficker was a pretty infamous threat, back in 2008!! And yet, here we are, at Malaysia’s most prestigious airport, and we have a computer infected by a virus that pre-dates the iPhone 3G. Three, the computer is probably part of a larger network, and never gets patched or updated–probably. If it were patched, it wouldn’t be infected with an ol’ grandmother of a virus.

As an added bonus–I could easily see the user of the system. That’s a delicious bit of information for any hacker to have.

Heaven forbid the virus on the computer screen at KLIA spreads to something important–like control tower or Sky Train controls.

These days, everything is a computer. Your phone is a computer, your watch will one day be a computer, so too is your car. But when was the last time you patched and updated these systems? When was the last time you updated the firmware on your router–or even when was the last time you updated the software on your laptop? Some of you probably haven’t done this before–I’m looking at you Android JellyBean and iOS5 users.

So the display screens at the airport are computers–but so are the Automated Teller Machines (ATMs), and trust me when I say this, some of them run on Windows….gasp!!

[Read more]

A Techie’s view on the Law

Are some laws worth following–in other words, are some Laws so idiotic that they should be ignored completely?

That sounds anathema, because we have a romanticized definition of the law, we define the Law as a broad general agreement a society undertakes, and the law keeps society from tearing itself apart. In other words, the law is so sacred because without it–we descend into anarchy, so ignoring the law is akin to promoting anarchy.

But I’m not speaking of “The Law”, I’m speaking of “A law”, specifically an Act of Parliament. “The Law” refers to a vast conglomeration of many things, including constitutions (state and Federal), statutes, precedence of case law and Acts of Parliament. I’m not sure what a statute is–but I roughly know what an Act of Parliament is, and it surely isn’t a broad general agreement that society depends on to stave off Anarchy–rather an act of Parliament is a law brought into effect by Parliament–nothing more nothing less.

To my techie mind, that means that 222 Members of the Malaysian Parliament got together to enact a piece of legislation. Romantically we think this is the people’s will–the Rakyat voted these people into power and they now wield this power to enact laws that will protect the Rakyat. A glorious cycle of virtuosity that only democracy can deliver. That’s wishful thinking, realistically it’s a law brought into effect by 222 voting members of Parliament whose collective IQ would probably not exceed that of the Zoo.

So when these 222 MPs get together and enact legislation to regulate technology–I get a bit uncomfortable. Not only do most of them not have engineering qualifications, half of them don’t even have a website. Having these MPs enact legislation that will regulate a field they’re clueless about, is akin to getting open heart surgery from a car mechanic.

On a side note, a techie like me has a hard time understanding why we have 222 seats in Parliament. It would seem that in a first-past-the-post system, you’d want to have an ODD number of seats, to avoid the situation where 111 members belong to Barisan, and the other 111 belong to Pakatan (what happens then?). That’s just ONE of the many things an engineer would quickly realize is wrong with the entire system–and that’s why we only have 3 engineers in Parliament (at least according to the Sinar Project).

[Read more]

Nearlyfreespeech the hosting provider that takes security seriously

NearlyFreeSpeech.NET Web Hosting

You all know how much I love nearlyfreespeech, it’s one of the best hosting providers out there. Here’s one more reason: recently they alerted me to a suspicious number of login attempts to my WordPress site, which usually means someone was trying to hack it.

If you remember the post I did about the RHB bank scam, it’s quite common for hackers to inject pages onto a WordPress site to help them carry out banking scams. This was probably something similar.

Fortunately, the guys over at nearlyfreespeech were not just kind enough to log the attempts and alert me, but even automatically disabled the login page of the site to prevent something similar happening. Good on them!

Nearlyfreespeech is a great hosting provider and this just proves my point. Check out the email below:

[Read more]

Who are you trusting online?

Trusting in an online world

When you get behind the wheel of your car, and hit the road–you’re implicitly trusting every other road user to play by the rules. You trust no one will go out of their way to crash into you, or that no one would swerve into you for an insurance claim, you even trust that pedestrians won’t hijack your car as you stop at the red light.

Sometimes you mitigate these risks, by locking your doors and keeping your distance, but fundamentally you’re placing a lot of trust on your fellow road-user. You have no way of knowing for sure that they’ll be good boys and girls–but you go about your daily car ride trusting that they’ll do what is right. In cases where you don’t trust anyone, you don’t use the road. I know a lot of people who won’t drive in India because they don’t trust road users there–and some foreigners refuse to drive in Malaysia for the same reason.

Society works on trust, and without it–society just wouldn’t work.

Think about it–you might not trust the restaurant waiter with your credit card–but you just ate at the restaurant without viewing the kitchen. Dying from poisoned food is far more serious than credit card fraud, yet you’ve trusted the restaurant not to poison you, but not with 16 digits from your bank. Sometimes you’re trusting people without even knowing it.

And the same is true for the internet. The Internet Protocol (IP) that governs the whole internet till this day is a highly ‘trusting’ protocol that prioritizes speed and simplicity over security and privacy. In much the same way that it’s faster and simpler just to trust the restaurant not to poison you than it is to inspect the kitchen and verify the ingredients–the Internet Protocol accepts everything as true and routes data accordingly. Other protocols like SMTP and POP3 that are used for email employ the same levels of trust, that’s why you can never trust an email–it’s just too easy to spoof.

Essentially everyone on the internet trusts everyone else to play by the rules. For example when Pakistan decided to block YouTube in their borders, a mistake made by their local telecoms managed to take YouTube down for several hours worldwide simply because everyone trusted the information Pakistan was sending them. Nowhere else in the world does such a high level of trust exist as on the internet–and nowhere else is it more dangerous.

[Read more]

RHBNOW Email: Intricate details of a Phishing scam

Last month alone I’ve received 6 phishing emails asking me to change my RHB banking password. I always wondered what would happen if I’d actually clicked on one of the links in the email–and today I did just that. Immediately I was transported to a dodgy world of sophisticated deception, and soon realized this was far more complicated than I initially expected.

Before I proceed a friendly word of caution–Kids don’t try this at home–the scam is an elaborate ploy geared towards robbing you of your cash, and if you’re not sure what you’re doing–chances are you’ll be a victim yourself. The simplest way to avoid a scam like this is to never click on an email from the bank–regardless of how genuine it looks. Banks never send you email–so don’t expect one from them. Not even a Christmas card.

But if you’d like to see what happens when you click on one–read on:

Step 1: The email from RHBGroup.com

Email from RHB Group

First there’s the email, it was (supposedly) from sshccserv356@rhbgroup.com. Quite deceptive, and if you visit rhbgroup.com you’ll find that it’s the legitimate RHB Bank website. So it appears this email from rhbgroup.com would be legitimate as well.

Except it’s not.

Email is a remnant of the internet past–it was created at a time when security wasn’t a priority, hence emails lack any form of authentication (validating whom the email is from), which allows them to be easily forged. This inherent insecurity is why emails should never be trusted, especially when those emails come from external sources like a bank.

That’s why your bank will NEVER send you an email. It’s too easy to forge. So rest assured that every email you receive from the bank is a fake (there are exceptions of course, like transfer notices etc, but those emails don’t require any action from your end).

Analysing the email further, I find the first victim of the scam. A website called pjpan.co.uk, a pajama-store (of all things). The website url was all over the email-header, which just like every other aspect of the email could be spoofed. Why the scammers chose to use pjpan.co.uk was beyond me, but they did. In any case the email was sufficiently obfuscated that trying to determine its origin would be difficult and probably pointless as well.

[Read more]

Malaysia boleh: 3 countries, 3 card-skimmers, all Malaysian

On April 28th, 4 men were caught for installing card-skimming devices on ATM cash machines in Bangkok, Thailand. They were all Malaysian.

On the 14th of May, 6 men were caught for installing similar devices in ATM machines in Jakarta, Indonesia. They were all Malaysian.

On the 8th of June, 2 men were convicted in Singapore for installing card-skimming devices on ATMs in Singapore. They were both Malaysian. I wrote about this more than 2 years ago, when some DBS customers noticed withdrawals from their accounts occurring in Malaysia.

[Read more]

The right to be forgotten

Right to be Forgotten

The truth is we all have something to hide–secrets we wished the world would never know. A political stance we once had, a video of ourselves after too many drinks, or even just a sentence we once uttered at a party somewhere. If you think you’ve got nothing to hide–you should think harder.

So, when the European Court of Justice recently ruled that Google had to comply with certain requests from individuals to remove links to websites with their personal information–privacy advocates were delighted that we now had the ‘right to be forgotten’. Mario Gonzalez had requested Google to remove a link to a digitized article in La Vanguardia newspaper about an auction for his foreclosed home. Google refused, Mario sued, and the links were removed–only they weren’t.

[Read more]

TrueCrypt is dead, long live ….bitlocker?!?!

The understatement of the month would be calling this a peculiar moment. This is far from peculiar–this is straight-up WTF?!

My favorite encryption software, TrueCrypt, has been abruptly and mysteriously shut down (cue dramatic music!!!). The official TrueCrypt website now only has some information on ‘alternatives’ and offers the following advice.

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

TrueCrypt was really awesome, it had features like full-disk encryption and even encrypted volumes within encrypted volumes for ‘plausible deniability’. The anonymous authors of the software have apparently thrown in the towel on what was the best free encryption software on the web. Yes, TrueCrypt was free just like Apache and OpenSSL, and just like them was pervasively used by tech-savvy web users. So any vulnerability on TrueCrypt would have severe ramifications–just like Heartbleed had for OpenSSL.

To avoid any ‘heartbleed-like’ issues with TrueCrypt–an initiative from within the security community was kicked off to perform a full security audit on TrueCrypt. Support for the initiative wasn’t hard to come by in the wake of recent developments like PRISM, specifically the revelations that the US government was intentionally making encryption software weaker to allow exploitation further down the road.

But just when the audit was making good progress the TrueCrypt team dropped their bombshell. Brian Krebs suggests that the shut-down is legit, and this isn’t some web-site hack or hoax. The speculation churning machine (a.k.a. the entire internet) has been rife with guesses as to what really occurred, but honestly no one has the answer, except the authors of TrueCrypt–who are anonymous.

The problem for people who are using TrueCrypt–is what to do? TrueCrypt recommends BitLocker, but BitLocker isn’t available for the basic version of Windows–the version most people use? Also, BitLocker hasn’t been audited either and forgive me if I’m still a bit edgy about using Microsoft products. What with them spying on my Skype conversations and all.

I’m sticking to TrueCrypt for now, and will wait till the dust settles before I decide to re-encrypt my drives with a new piece of software. After all the audit hasn’t found any serious flaws, and even if it did I’m betting someone will fork the code as soon as it happens.

[Read more]