If you get hacked because you clicked on a link about Brittany Murphy shuffling off this mortal coil, you most probably deserved it. Just saying.
As you know, the entire world was paralyzed a few days ago when Iranian hackers took down Twitter. Rather than finding out what their friends were having for dinner, people logging in to the web site got a message from one third of the axis of evil which proved that the level of English language instruction in Iranian schools is still better than that of most US public schools.
Now that we have begun the long road of recovery from this truly global tragedy, it is important to see what security lessons we can learn from it. It seems that the attack was pretty simple – the minions of Khomeini simply logged in to the DNS provider that provides the translation from “www.twitter.com” to the numeric IP address of their servers and instructed the DNS servers to send traffic to their server, which hosted their replacement home page. The attackers used valid credentials, which were probably filched from a compromised email account or document swiped from Twitter servers. The lesson here? Guard those user names and passwords and don’t use the same password for all of your accounts!
I know… passwords are a real pain in the ass and trying to remember a different password for each site is just about impossible. However, I have found an answer to this issue… LastPass is a web site and browser add in which allows you to store an encrypted copy of your passwords “in the cloud” and which can automagically log you in to web sites via its browser extensions for Firefox, IE, Safari and Chrome. When you start your browser, you type in one password to decrypt the password files and you are set to go. You can use 2 factor authentication on untrusted machines to further secure your precious passwords. Check out this series of screencasts for more information on how the system works.
I have been using LastPass for a while now and have found it to be be a breeze to use. Basic service is free; by paying $12 per year, you can get access to a bunch of premium features, which provide access on mobile devices like the iPhone, Blackberry and Android based phones.
The main question is… are these guys trustworthy? My research says yes… intercepting the data between my computer and LastPass showed no evidence of funny business – and the vendor even tells you how to conduct your own test in their FAQ.
I’m using LastPass, and I’m prettay, prettay paranoid..
OK, before I get started with this blog entry, I want to be up font with you. I have become a cliche… I am writing this from Starbucks whilst sipping a cafe mocha and leeching off their free ‘lectricity. I have truly become one of those stereotype bloggers. Shoot me now. Anyway, on with the post…
It seems that the German government is getting together with ISPs to set up a help line for citizens whose PCs are infected with malware. The ISPs will watch network traffic for signs of communications between zombie computers and their evil controllers. When the ISPs detect malware activity, they will direct users to a website with instructions on getting their computers free of viruses, worms, back doors and the like. For users who need additional help, 40 government employees will staff a call center dedicated to helping out. (This truly sounds like a job from hell…).
This is a great idea, which other countries should consider with one twist; vendors such as Microsoft, Apple, Adobe, and the like should be required to kick in some funding for this type of work. After all, it is their software which opens the doors to cybercriminals and (potentially) cyberterrorists. Maybe pegging the amount they have to pay to the number of security advisories issued by the CERT about their software would make sense. It would be pretty easy to gauge the success of this type of an effort by tracking and publishing stats on the numbers of infected machines before and after. As for the cost beyond the vendor kickins, there are a lot of places in the US federal budget to get the money from…
What do you think?