Starting Friday, Salesforce.Com had a fifteen-hour outage due to their having to “pull the plug” after a script went rogue and gave all comers full access to the database. Anyone logged in could do anything to anyone’s data.
Not cool. Restricting access was the right thing to do.
The interesting question in my mind is how people will evaluate this incident as it relates to their future judgment on the safety of SaaS platforms like Salesforce. I think people will overestimate the dangers for much the same reasons that many more people are afraid to fly than to drive.
When making estimates of danger, humans take the impact of an event much more seriously than the probability, especially if the probabilities are relatively small. Worse impacts cause us to overestimate probability, even where there is no correlation between the two. This leads to overly pessimistic projections on high-profile risks (Chinese hackers steal all our designs!). It also creates corresponding under-reactions to more present risks (Users can’t be bothered to use 2FA, easily get phished).
Success in information security, as well as business and life in general, depends on being able to view these numbers objectively. They’re just numbers, after all.
This was a very, very great loss for freedom… freedom of the mind that only a chaotic and open Internet can guarantee. It was a great loss for humanity as well.
Kottke shared Barlow’s rules for being an adult. I think they’re worth reproducing here. Read them and aspire.
1. Be patient. No matter what.
2. Don’t badmouth: Assign responsibility, not blame. Say nothing of another you wouldn’t say to him.
3. Never assume the motives of others are, to them, less noble than yours are to you.
4. Expand your sense of the possible.
5. Don’t trouble yourself with matters you truly cannot change.
6. Expect no more of anyone than you can deliver yourself.
7. Tolerate ambiguity.
8. Laugh at yourself frequently.
9. Concern yourself with what is right rather than who is right.
10. Never forget that, no matter how certain, you might be wrong.
11. Give up blood sports.
12. Remember that your life belongs to others as well. Don’t risk it frivolously.
13. Never lie to anyone for any reason. (Lies of omission are sometimes exempt.)
14. Learn the needs of those around you and respect them.
15. Avoid the pursuit of happiness. Seek to define your mission and pursue that.
16. Reduce your use of the first personal pronoun.
17. Praise at least as often as you disparage.
18. Admit your errors freely and soon.
19. Become less suspicious of joy.
20. Understand humility.
21. Remember that love forgives everything.
22. Foster dignity.
23. Live memorably.
24. Love yourself.
I like the dynamic tension between some of them. For example, 4 and 5, or 9 and 10.
I feel a responsibility to continue on what he started for us. You can help: donate to the EFF, the Freedom of the Press Foundation, and other causes that speak to you and that will help us hold the line against creeping corporatist fascism.
The Internet is the greatest opportunity humanity has had yet to avoid the tragedy of the commons – let’s not blow it.
Email scams have been a problem almost as long as there has been email. Today’s joint is not about the basics of that, I have dealt with those before. Scambusters is a great source of detailed information about these scams, and how to avoid being taken in. But what I want to explore here is a practice that is a source of some consternation: scamming the scammers. People reply to email scams as if they were interested in the “offers” or “opportunities.”
Their motivation for doing this is wasting the scammers’ time, supposedly keeping their attention away from others who might be taken in, while they are responding to people who, in turn, are determined not to become victims.
If you explore 419 Eater, you will find a lot of material there about this practice, including a page of discussion about whether or not this is ethical. What is not well-treated on that page is the fact that emailing lies intended to induce action based on false pretenses is exactly as illegal when it’s sent in reply to the same.
419 Eater has been around for fifteen years. A more recent innovation has been, not surprisingly, to automate the process of scam busting. One example is Re:scam, a service of the New Zealand org NetSafe. Its purpose is also to drain profitability out of email scamming by wasting the scammers’ time in unproductive conversations, but here using bots posing as willing marks, not volunteer cyber-vigilantes.
Now for the bad news. I forwarded an email to Re:scam and a reply came back telling me the service was on hiatus. A forward to another site publicized recently, email@example.com, simply bounced. No specific word on why these are not currently functioning. Possible reasons include issues with the technology working well, issues with the resource requirements (i.e., costs), and issues with the legal authorities. Again I caution readers on the legality and ethicality of fighting fraud with fraud.
Whenever a news story breaks about information security (usually a radically bad FAILURE thereof) then “security researchers” or “consultants” get trotted out by the media to give expert soundbites. David Kennedy was a keynote speaker at the recently-concluded Rochester Security Summit, so he’ll do for my example:
David is a security researcher – which means he’s a hacker. No, I did not just accuse him of a crime. He’s a wonderful guy and I would totally invite him to dinner.
The media have abused the term “hacker” for years now. The original meaning of the word was simply, “One who is expert at programming and solving problems with a computer.” That expertise, together with an insatiable curiosity driving one to exercise it, is what genuinely makes a hacker.
Cyber-criminals may or may not be hackers. For example, if they wish to crack their way into some company in order to plunder its money or sensitive info, they might exercise their own high levels of technical skill. But they might hire technical capability, and not exercise it themselves. Or they might be what we call script-kiddies, people who find easy step-by-step recipes for creating digital mayhem, and use them to good effect against poorly secured targets. They might not even be criminals: they might be state-sponsored, and thus their actions are legal. At least under their nation’s laws.
But hacking is a set of problem-solving approaches, and a toolbox of techniques. It’s a way to accomplish a goal, and the goal’s goodness or badness is not relevant. Hacking is morally neutral. If, and only if, the goal of the hacking is a crime, then a hacker also happens to be a criminal.
Security researchers (like David) are employed to find ways that our information systems can be exploited. They might do malware reverse-engineering, or vulnerability discovery and analysis, or refining social engineering techniques. Most of our companies don’t employ them: it’s too specialized. Large providers and specialty firms (Verizon, FireEye) provide researcher talent, and we consume the output in the form of reports and alerts.
Independent researchers also work as consultants. They may help companies figure out what happened after an attack, or they may routinely provide bug reports to manufacturers. They may work on Red/Blue team exercises, where attacks are simulated and defenses are tested. Without question, Security Researchers are hackers. If they aren’t, they cannot function in that job.
After every other major breach in recent times, one of the things we’ve all been advised to do is to go to the credit reporting agencies and check for any unauthorized activity. And who are the credit reporting agencies? TransUnion, Experian and Equifax. Now we have news this week of Equifax having suffered a data breach of over 143 million Americans. That is about 40% of the population, and well over half of those who have any credit records at all. To help consumers begin to deal with it, Equifax has set up a site whose URL was apparently inspired by all the Equifax-themed phishing emails their staff have seen: https://www.equifaxsecurity2017.com. Regardless of the terrible URL, that is the correct site.
My personal advice is, go ahead and register for the Trusted ID service that finding your name on https://www.equifaxsecurity2017.com entitles you to. You can also choose to replicate a lot of what it offers by freezing your own credit reports and reviewing a copy of each one, which you can obtain via annualcreditreport.com.
Much has been made over the fact that the Equifax emergency site asks for some pretty detailed personal information before signing you up. My take on that issue is simple: Equifax had that information anyway, and much much more.
Here are a few other links to stories from the past few days. I have tried to filter out some of the more freaking-out ones.
So… this happened. A web developer for Time Warner Cable left data files unprotected on an Amazon Web Services machine. It held personal information on four million TWC subscribers. Possibly including me?
They won’t tell me.
I had an interaction with their customer service desk which included the rep telling me it was “fake news,” in spite of the fact that Time Warner has acknowledged the breach and stated that they are investigating. Then they generated a “ticket,” but I have received exactly zero communication about that.
Companies that have a data breach have a legal obligation to notify the affected people, but that has various deadlines, mostly measured in increments of months, 30, 60, 90 days. I suppose I will hear from them eventually, but I did not appreciate being told it’s fake news, and I did not appreciate being fobbed off with a (probably) fake ticket number.