Tag: Malware

We Demand Compromised Security!

A few weeks ago, Apple announced that their new OS encrypts data so that Apple literally can not access it without the user’s permission. Google followed by announcing their new Android OS will do the same thing. This has been done ostensibly to prevent the government from forcing Apple to divulge information stored in someone’s accounts. This might prevent law enforcement from executing a search warrant delivered to the company. It might also, however, block agencies from getting phone data without a warrant or notification of the user, as they are want to.

Naturally, law enforcement types don’t like this. Their supporters are up in arms over Apple “enabling criminals” by forcing the government to get a warrant and get your password if they want to search your electronic persons, papers, houses and effects. So the WaPo has proposed a “compromise”:

How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.

In short, the WaPo wants the technically impossible: a backdoor that isn’t really a backdoor. And we should entrust this backdoor into every phone in the country to law enforcement — comprising God knows how many people. We should entrust this backdoor to a group of people who recently did this:

For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the “first step” in protecting their children online.

Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to families for free at schools, libraries, and community events, usually as a part of an “Internet Safety” outreach initiative. The packaging typically features the agency’s official seal and the chief’s portrait, with a signed message warning of the “dark and dangerous off-ramps” of the Internet.

As official as it looks, ComputerCOP is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies.

Calling it “spyware” is a nice term of art. A more precise description is that it is a keylogger which transmits to third-party servers — without encryption — every key typed on a computer. Passwords, private communications, credit card numbers … all of that is transmitted in clear text. If your child (or you) use a laptop with this malware and someone has a basic packet sniffer nearby, they could take over your life.

(The cops have responded to the EFF, claiming that only an “ultra-liberal” organization who is “more interested in protecting predators and pedophiles than in protecting our children” should care that their software is one of the most unsafe things you could put on your computer.)

This is the group we should trust with backdoors to every cell phone in the country, according to the WaPo.

Burn the Computerized Witches!

Holy shit:

The Economic Development Administration (EDA) is an agency in the Department of Commerce that promotes economic development in regions of the US suffering slow growth, low employment, and other economic problems. In December 2011, the Department of Homeland Security notified both the EDA and the National Oceanic and Atmospheric Administration (NOAA) that there was a possible malware infection within the two agencies’ systems.

The NOAA isolated and cleaned up the problem within a few weeks.

Of course they did. The NOAA has scientists in it to whom computers are not a magic talisman. So they probably cleaned it up with standard software.

If I gave you ten years, you could not imagine what EDA did.

The EDA, however, responded by cutting its systems off from the rest of the world—disabling its enterprise e-mail system and leaving its regional offices no way of accessing centrally held databases.

It then recruited an outside security contractor to look for malware and provide assurances that not only were EDA’s systems clean, but also that they were impregnable against malware. The contractor, after some initial false positives, declared the systems largely clean but was unable to provide this guarantee. Malware was found on six systems, but it was easily repaired by reimaging the affected machines.

EDA’s CIO, fearing that the agency was under attack from a nation-state,

A nation-state? Did he really think that Libya was planning to hit us where it really hurts — at the EDA? Not nuclear weapons or air-traffic control, but an agency so obscure and useless, most Americans couldn’t identify it on a bet? What’s the worst they’d do? Stop another absurd expensive useless boondoggle being inflicted on some poor community?

EDA’s CIO, fearing that the agency was under attack from a nation-state, insisted instead on a policy of physical destruction. The EDA destroyed not only (uninfected) desktop computers but also printers, cameras, keyboards, and even mice. The destruction only stopped—sparing $3 million of equipment—because the agency had run out of money to pay for destroying the hardware.

The total cost to the taxpayer of this incident was $2.7 million: $823,000 went to the security contractor for its investigation and advice, $1,061,000 for the acquisition of temporary infrastructure (requisitioned from the Census Bureau), $4,300 to destroy $170,500 in IT equipment, and $688,000 paid to contractors to assist in development of a long-term response. Full recovery took close to a year.

$823,000 for an investigation into malware? $688,000 for long term … ? I … you … but … this … you gotta …

images

These are the people who we are supposed to trust to look over our electronic communications, to check our cell phones, to keep our information …

Oh, crap:

Another day, another slipup by the Internal Revenue Service.

The incident involves the unwitting exposure of “tens of thousands” of Social Security numbers, according to a recent audit by the independent transparency and public-domain group Public.Resource.org. The identifying numbers were on the Internet for less than 24 hours after being discovered, but the damage was done. And unfortunately, the data-breach concerns some of the most sensitive types of transactions: Those made by nonprofit political groups known as 527s.

Information about 527’s is supposed to be public. However, those forms are supposed to have the SS#’s blacked out. A significant number didn’t. No word yet on whether there was any political bias in the numbers revealed or if all of them were.

This is it, folks. This is the government that is supposed to run our healthcare, move our economy, give us jobs, educate us, feed us, house us, make sure we don’t get fat, force us to breast-feed our children and defend us from terrorists. And they’re responding to malware with a literal sledgehammer and posting documents with our private information on it.

Stupid scammers got caught..

Was home today and got a call my Caller ID identified as from a “unassigned” number 425-998-1533 (I will get back to that number in a bit) on which a lady whose accent I immediately placed as Asian told me that my home computer had transmitted an error code to them because of malware infection. Right! That’s beyond the obvious red flag. I suspect that their usual victims must not have a clue about computers, or run more virus and malware software than Fort Knox on their PCs like I do, but I immediately realized something was seriously off with this call. When I prompted her for more details she told me she was a rep from a company called Alertsoft. She started telling me that she represented my computer manufacturer. I was on my computer so I immediately looked up “Alertsoft”, and from that web site that clearly shows that it was put together by someone whose first language is not English, I deduced that that her claim was false.

My first guess was that this was some crooks trying to sell stuff to unwitting and unknowing people, but as the conversation went on that changed. When I asked her for my computer’s brand she was clearly stumped and she tried to give me a run around. I realized that something seriously wrong was going on when she told me she needed my IP address to run a scan of my computer. If she was working for my manufacturer and her company received a malware alert from my machine as she claimed, the IP address would have to already be known to them. She was trying to scam me. No doubt about it. I had to do some considerable research because this information does not come out easily on searches – they must have put some serious time, effort, and money hiding their actual schemes and scams from being noticed – but while she was trying hard to bullshit me I hit the jack pot. It is a big scam.

I was not going to give her either my IP address or a credit card number, which she assured me was only needed for verification purposes and to which no charges would be applied, like she asked. So I prompted her for an IP address on their end I could ping, for verification on my side, you know, and at that point I think she realized she was caught and hung up on me. I immediately dialed that number I gave above (go ahead and do so yourself)back and got a recording warning the user that this number was being used by scammers that “phish for identity and user data to exploit”. They are some kind of Middle Eastern scam organization involved in criminal activity that ranges from stealing people’s identities – with all the consequent problems – to tricking them into letting them compromise their computers and downloading software they then use to commit other such types of crimes with.

Neither your computer manufacturer nor anyone that operates security software would be calling you on the phone and asking you for your credit card, for verification purposes or otherwise, and then for an IP address they can use to download software to your computer on. There is no shadow group out there that scans all the world’s computers for malware. Just like you do not win the lottery in Spain if you didn’t buy a ticket, or are too stupid to live if you believe a Nigerian government official that needs your bank account information, to transfer hundreds of millions of locked dollars from an oil sale, and promises you a few million in return for that help.

Buyer beware. If they call you from Alertsoft or any other such bullshit company don’t tell them anything other than to fuck off and die.