17 February 2011

The Spy Next Door: Stealing your life for £44

How easy can it be to steal your life?  For less than 44 quid is it possible to steal your bank account username, password and bank account security questions? For less than 44 quid is it possible to harvest your credit card details, including your credit card security code and Verified by Visa or MasterCard SecureCode password? Is it possible to read your private Emails and access your Email account?  Is it possible to monitor all your private web surfing habits and instant messenger conversations, and obtain your username and passwords for all your websites?
Well for £43.83 all this is possible by using the Spy Cobra USB drive.  Once plugged into your Windows PC, it installs a hidden monitoring application in less than 20 seconds, after which the drive can be removed. From that point on every single key stroke is recorded, it records all websites visited and even takes screenshots of what is displayed on the screen, and stores these screenshots at regular intervals. The device even encrypts the information it stores locally on the drive, so you can’t tell what is being stolen.
All a perpetrator needs to do is plug the Spy Cobra USB device into your PC, then return at a later date to collect the personal information it has harvested, information which can be truly life stealing from an identity thief’s perspective. You might think twice about allowing that friend or neighbour to use your home PC, or even leaving folk unattended in the presence of your PC while it is still logged on.

In the past I created such devices, however I found most Anti-Virus protection eventually caught up and stopped them from working. This is a good reason to keep your anti-virus up-to-date, while disabling media auto-run within Windows can also help prevent similar spy USB devices from installing automatically. However, looking at the way the Spy Cobra installs its spyware payload, I think it is likely it will not be detected by most Anti-Virus at present; this is something I will be researching further and reporting back on.
Hardware Key Logger

There are also hardware based keystroke recorders available for anyone to buy openly in the UK, which most anti-virus applications can never detect. For the same £44 price as the Spy Cobra you could purchase the LM Technologies USB Keyboard Logger (see picture above). This ‘hardware’ key logger fits snugly between the keyboard and the PC’s USB connection, and will record weeks of your keystrokes. Hardware key loggers like this don’t require the computer to be in use or even switched on to be installed, and often go undetected by the operating system and anti-virus. Furthermore these devices are very difficult to spot: when is the last time you checked the keyboard cable going into the back of your PC?

Only two days ago, at libraries just around the corner from the Information Commissioner's Office in Wilmslow, hardware keyloggers were found attached to publicly used computers; no doubt the bad guys were trying to steal credit card and bank account credentials. http://www.theregister.co.uk/2011/02/15/hardware_keyloggers_manchester_libraries/

28 January 2011

Andy Gray & Richard Keys Sky Sports Data Breach

First of all let me just stress I certainly do not approve of any of the sexist remarks made by Andy Gray and Richard Keys on Sky Sports last weekend (21st Jan 11). I have been watching live football nearly all my life and I have seen some really bad football officials in my time. I really don’t care about a football official’s gender, as long as they are the best officials for the job. Believe it or not, Premier League officials are ruthlessly vetted and monitored to ensure they are the best of the best. Indeed it is said women are better at multi-tasking than men; that may be considered a sexist remark in itself, but if it were true, then ladies are going to make better ‘lines-people’ than men. Anyone who’s tried being a linesman will know it is about monitoring several things at the same time, and I can tell you it’s not an easy job.

Anyway, what business has the dismissal of Andy Gray and the resignation of Richard Keys from Sky Sports got to do with a ‘Security’ Blog? Well actually a lot, as something important has been missed by the media, probably because the media actually played a hand in this ‘something’ occurring in the first place. The mystical something at the centre of the whole story is a breach of Sky’s information security. An insider at Sky has stolen Sky company information, namely a private recording of their football commentators, and then either passed or more likely sold it to a newspaper for personal profit. I don’t know whether the recording was actually sold or not, but it’s fair to assume it was, as no one is saying otherwise. If the stolen recording was sold for personal profit rather than being a whistle blowing exercise, then it really puts a whole new sinister slant on the whole affair. The ethics become even murkier when you consider the current fallout over the UK media’s involvement in phone hacking celebrities and politicians.

Thought Police
Personal privacy in the workplace also comes into play. Andy Gray and Richard Keys did not make their sexist remarks on air to the public, but in a seemingly private conversation. However, this conversation did occur ‘in the workplace’, and there are workplace discrimination laws against the use of such language. But it appears the Sky Sports commentators were unaware their conversation was being recorded. Look at it this way: I am sure the average office worker would deem it completely unacceptable to be recorded in their workplace, especially if those recordings were secretly analysed and then used against them. Their private comments were wrong, but I really doubt everyone is perfect in this day and age; even an innocent phrase you don’t fully understand can turn out to be offensive to someone. I remember many years ago being told off for using the phrase “brain-storming”, as it is a term which is offensive to people with mental disabilities. The choppy waters of political correctness, the right to freedom of speech and the ‘Thought Police’ are certainly full of pitfalls, and really bring into question how we define individuals’ privacy rights; it is starting to feel a little too Orwellian 1984 to me. I am sure Sky, like most large UK based companies, provide all their staff with regular discrimination in the workplace training, so you could say the commentators should have known better, but to be balanced, I am sure Sky also have a whistle blowing and employee grievance process as well.

I think this whole affair is politically charged, as in the background we have Rupert Murdoch’s media empire’s intended takeover of Sky, so it is not surprising Richard Keys said “dark forces” were at work.
The Inside Threat Lesson
The lesson as a security professional is that hackers may well get all the limelight and write the media headlines, but in 2011 the greater security threat to a business comes from the inside. Whether a disgruntled employee, or an information thief employee out to make a quick buck, these are the everyday threats. Yet many companies continue to pay the price for these types of insider breaches, either by burying their heads in the sand and ignoring the problem, or by not having the clarity to understand how to mitigate the risks their own employees create. Just consider for a minute: when you left your last job did you take any company confidential information with you? Most employees steal company confidential information, especially just before leaving the company (http://www.pcworld.com/businesscenter/article/160041/nearly_twothirds_of_exemployees_steal_data_on_the_way_out.html). Yet many companies continue to ignore or tolerate this. This is bad business practice in the information age, as company information is a business asset; it has a real value to the business, therefore it needs to be protected, and it can actually be protected.

25 January 2011

Lush Credit Card Data Breach

Before I go into my thoughts on the recent Lush website credit card data breach, I have some important advice to all Lush online customers. If you have bought anything from the www.lush.co.uk website between October 2010 and January 2011, and even if you think your credit or debit card hasn’t been fraudulently used, you must consider your credit or debit card to be compromised, so cancel your card and have it replaced. Also note this breach does not affect anyone who used credit or debit cards over the counter at Lush shops, as it’s an entirely different payment system.
When Lush announced last week (21 Jan 11) that their website, www.lush.co.uk, had been successfully hacked, leading to thousands of their customers’ credit card details being stolen, I was genuinely surprised. I wasn’t surprised that yet another UK online business had completely shirked their responsibilities, in not properly protecting their customers’ information by neglecting one of the most basic of web application security vulnerabilities, and their compliance with the Payment Card Industry Data Security Standard (PCI DSS). What surprised me was that, unlike the other 99 in 100 UK companies that get successfully breached with such attacks, Lush decided to tell the world about their negligence. Yes, Lush in my view were most certainly negligent, as the SQL injection web application vulnerability which very likely led to the theft of their customer card details is a vulnerability which has been around for over a decade. Negligent because if Lush were PCI DSS compliant, as they are required to be in accepting payments online, or had even made a decent effort to become PCI DSS compliant, then such a simple web application vulnerability would almost certainly have been weeded out.

Many within the payment card industry would consider Lush naive in announcing their breach publicly, as they really don't have to; even Visa and MasterCard dislike the bad publicity that public disclosure of payment card breaches brings to their brands. This is precisely why the vast majority of credit card breaches in the UK are not publicly known about; typically only the ones in the public sector make the news. Perhaps Lush had been misadvised, but I actually applaud such public announcements, as I strongly believe publicising such breaches is the best way to raise awareness and to ensure others can learn from the mistakes, as these mistakes are being repeated over and over.
However Lush’s breach announcement leaves me with a real bad bath bomb taste in my mouth, and not because their language is so cheery, which would personally really annoy me if they were responsible for compromising my credit card, causing needless stress and inconvenience, and possibly even financial loss. It wasn’t that; it was their direct message to the hacker responsible which they posted on their website. This message was nothing less than a pat on the back to the criminal responsible for the data theft. It certainly doesn’t take a formidable hacker to take advantage of weak web application security; in fact any semi-IT-literate schoolboy is capable. For me the blame lies a lot more with Lush than with their hacker. For instance, if I left my car keys in my unlocked car on a public street and my car got stolen, my insurance company wouldn’t pay out a penny, while the police would almost certainly point the finger of blame at me. Same thing here: if you don’t securely code your web application (website) and do not follow the PCI DSS requirements (yes, PCI DSS is mandatory for any business accepting card payments), then just like the car with the keys left in the ignition, it is pretty clear where the fault and blame lies.

Perhaps Lush won’t be so cheery when they assess how much this breach will cost their business. Aside from the loss of customer trust, they will be facing fines, which will include the cost of replacing their customers’ stolen credit cards, forensic investigations and an independent PCI DSS level 1 assessment. In the meantime Lush will be outsourcing all of their online payments to PayPal, which will make credit card payments online with Lush safe, assuming you are willing to take your business to them.

20 January 2011

Is Club Penguin Safe for my Child?

Disney’s Club Penguin is an online multiplayer game with social networking elements. Played by 6 to 14 year olds, Club Penguin is accessed and played through any web browser. Each player logs into the game with their own account, and plays in the Club Penguin ‘game world’ as their own specific Penguin character. Players use their Penguin avatar to play a series of games within the Club Penguin world, which in turn earns them in-game money which they can use to buy accessories for their Penguin character. While playing, players can see other players’ Penguins in the game world and can interact with them.

Club Penguin: Online Multiplayer

Beware of the in game Chat Capability
The player interaction, especially the ability to chat with other players, is the prime area to be concerned about as a parent, as typically a child’s usage of Club Penguin goes unmonitored. I find most parents aren’t always by the side of their child when they play the game, and I even had one parent tell me she thought Club Penguin was just a regular single-player game; she didn’t realise other players played it at the same time. When a child signs up to join Club Penguin, an Email is sent to the parent asking for permission for their child to play the game, assuming the child didn’t provide their own email address instead of their parent’s email address. During this confirmation process, the parent is provided with a choice of ‘Ultimate Safe Chat’ and ‘Standard Safe Chat’, with the latter selected by default. Ultimate Safe Chat means your child cannot send or receive any typed messages from other players; they can only select from a predefined set menu of greetings to interact with other players in the game world. With Standard Safe Chat, typed messages can be sent and received with other in-game players, although these messages are filtered by Disney.

Confirmation & Safe Chat Selection

Standard Safe Chat
Credit where credit is due, Disney do a lot behind the scenes to ensure Club Penguin is safe and savoury for very young children; after all it is in their interest not to have their brand name and the game's reputation tarnished, as this game does require parents to pay for a subscription. With Standard Safe Chat Disney use specialist filtering of all typed in messages, which not only prevents swearing, but prevents the revelation of a player’s personal information, so information like real names, phone numbers and email addresses is blocked. Disney also use moderators to patrol their game worlds and have a panic button (top right of the screen) to report players to a moderator, which is good to see. More information can be found on this Club Penguin webpage - http://www.clubpenguin.com/parents/player_safety.htm

What should I select Ultimate or Standard Safe Chat?
Well this all depends on your own view on risk. In my view, if you are concerned and do have a pre-teen child that plays Club Penguin unmonitored, I would recommend selecting Ultimate Safe Chat. However if you do trust Disney’s chat filtering and monitoring, keep a regular eye on what your child is doing within the game and like the idea of your child chatting, then select Standard Safe Chat. If you do choose Standard Safe Chat, be vigilant about what your child is doing in the game: see if they are spending their time playing the games or chatting, and look out for excessive typing on the keyboard. In my study I found younger children who play Club Penguin like to find and chat with their real world friends who also play the game, rather than players they do not know. The game does allow players to keep a ‘friends list’ of up to 100 players; if your child has more than 10 friends on their friends list, you should take a closer look at what they are doing socially in the game. My last but by far most important advice on Standard Safe Chat is to ensure you sit down and educate your child: tell them what is acceptable to say and what is not acceptable to say in chat, and don't rely on the Disney filtering, as this education will serve them well in future years when, inevitably, they move onto the major social networking sites like Facebook.

Account Name and Password
It is important to ensure your child does not share their Club Penguin password with anyone, even their friends. No one, not even Club Penguin support, will ever ask for a Club Penguin account password. This is a really good opportunity to teach young children about using online accounts and passwords safely. I also wouldn’t recommend letting your child play Club Penguin anywhere outside the home; a shared computer with Club Penguin is a no-no and increases the risk of the account being compromised. As part of the authorisation process, parents can also create their own Club Penguin parent account, which allows the parent to monitor some of their child’s activity in the game. There is also a nice option of restricting the amount of time in hours your child can play Club Penguin.

The benefits of letting your child play Club Penguin far outweigh the risks in my view. Anything that encourages children to use the Internet and read at any age, while learning about online account/password safety and social networking safety, can only be good; just make sure you sit down with your child, understand fully what they are doing online and educate them appropriately.

23 November 2010

iPhone Security Guide

Last week a reporter asked for my opinion on iPhone Security, I said I thought it was a good idea.

But seriously, Apple are actually taking steps to better secure the iPhone. This is driven by Apple's desire to make more of an impact on the business smart phone market, and to better compete with the likes of Blackberry, who are the dominant force when it comes to business smart phone usage. Blackberry has been widely adopted by larger enterprises not only because their devices are easy to centrally manage, but because it comes with a whole raft of essential business security features, such as device level encryption and remote wipe functionality.
When you think about it, you realise your iPhone is absolutely crammed with your personal information: think about the details within your Contacts list, Email accounts, Facebook account and even your personal photographs and videos all stored on the device. So if you care about your privacy and safety online, you may well concern yourself with the security aspects of your iPhone. The good news is Apple are making improvements to better secure the iPhone and its cousin the iPod Touch, which is equally important from a security point of view, considering the same personal information is generally kept on it as well.

There are security settings and device usage methods you need to consider as a security conscious iPhone user, so here are my top iPhone Security tips; and they don’t require the purchase of any Apps either.

1. Always update your iPhone operating system software, known as iOS, to the latest version. iOS updates can be freely downloaded and applied to your iPhone via iTunes, so ensure you check for new iOS updates by syncing your iPhone on at least a monthly basis. I do find some people very rarely sync their iPhones with iTunes, while others choose not to download and install iOS updates.

There are a number of security vulnerabilities in past versions of iPhone iOS which have since been resolved, such as bypassing the iPhone’s Passlock security by opting to make an emergency call and typing in ### or using the main iPhone button to access a shortcut. Also, there are additional security functions that are only available with the latest version of iPhone iOS.

2. Avoid connecting to Free WiFi Hotspots when you are out and about. You’ll probably have a 3G data access package anyway, so stick to this and to using your own home WiFi. I find rogue WiFi access points often pose as legitimate looking wireless connections. I have found rogue WiFi access points using real Hotel names, Restaurant names and default WiFi Router names like Netgear and BTRouter, all in a bid to have you connect to them, or even worse, have your device connect automatically. Connecting to a rogue WiFi access point may well give you the internet access you crave, but in turn it gives criminals (yes, WiFi theft is a crime under UK law) access to everything you do while connected to the Internet, allowing the bad guys to steal your information and log in to the same websites as you, including fully accessing your Facebook, Twitter and Email accounts. There is a solution to this issue, by using a VPN service to connect your iPhone securely to the Internet; I'll blog about this separately.

3. In case you lose your precious iPhone or have it stolen, you will want to ensure all your personal stored information like Emails and pictures, as well as the potential usage of your phone's call credit and even your iTunes account, are well protected should your iPhone fall into evil hands. So it is imperative you review the following account settings on your iPhone.

a. Tap on “Settings”, then tap “General”

b. Ensure “Passcode Lock” is “On”; if not, I strongly recommend you enable this feature. Next tap “Passcode Lock”

c. Now enter your passcode

d. At this point the most important setting to check is enabled is right at the bottom, called “Erase Data”. When enabled, it means that if a bad guy enters your iPhone passcode incorrectly 10 times, all the information on your iPhone is wiped. This is not only a good feature but is essential for iPhone Security.
This setting should be on by default (thanks Apple), but if this option is turned off, a bad guy can keep trying your passcode until he or she gets it right. There are a maximum of 10,000 possible combinations with a 4 digit code, which is feasible work for a serious phone hacker to try; however they always first try, and are often successful with, the most common four digit numbers, such as 1234, 4321, 0000, 1111 and the years 1950 to 2010 etc.

e. If you are using a passcode with the above common 4 digits, change it to something more unique and less guessable.

f. If you want more security with your iPhone passcode and don’t mind the extra inconvenience that comes with it, you can change your passcode from a 4 digit number passcode to a “text” passcode.

To do this tap “Simple Passcode” to off and follow the instructions

You don’t need a complex password if you have the “Erase Data” option enabled, 5 characters or more should be sufficient, unless it’s something easily guessable like your name.

If you are a security nut, go with a password of at least 8 characters in length, made up of upper and lower case letters, numbers and special characters.

g. Don’t tell anyone or write down your iPhone passcode (obvious really)

h. Enable the “Require Passcode” feature with a sensible timeframe. This feature automatically locks the iPhone after a set amount of time, requiring a correct passcode to unlock and use it. My suggestion is to set this to 15 minutes; however if you don’t mind the inconvenience for higher security, you can set this to come on immediately or after 1 or 5 minutes of inactivity. I wouldn’t recommend setting it to 4 hours or ever turning it off, as that kills the protection the passcode provides.

4. Be careful about the Apps you download and install onto your iPhone, and specifically be vigilant about the information you type into your iPhone’s Apps. There are 100,000s of Apps available, and while Apple do their best to vet all these Apps, some dodgy Apps do get through the iTunes AppStore vetting net. Past dodgy Apps have stolen personal information, passwords and credit card details, so be wary when an Application requests sensitive information. Also check Application options for security features; you may not want to allow Apps like Facebook to geotag your location.

5. Within your Safari web browser settings, to help prevent possible malware infection and spam messages, ensure Pop Ups are blocked. A web browser cookie is a piece of information which records details about you and your access on specific websites; sometimes cookies can automatically log you into a website, so they could be dangerous in the wrong hands. In Safari's settings you have the option to disable cookies if you are highly security conscious, however my suggestion is to occasionally delete your cookies by tapping "Clear Cookies", under "Settings", "General" then Safari, especially after visiting sensitive websites. While in Safari's settings, double check the "Fraud Warning" is enabled, which it should be by default.


6. Finally avoid storing sensitive information on your iPhone, such as your bank account details, website passwords, credit card details and your PIN codes.
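Tip 3 above turns on two controls that work together: a passcode that is not on the common list, and “Erase Data” capping the attacker at 10 guesses. The following added example (my own illustration, not Apple’s code or anything from the post) expresses that as a passcode policy check plus the arithmetic behind it. It generalises the post’s list slightly: any repeated digit, any straight ascending or descending run, and any year from 1950 to 2010 are treated as weak, and the text-passcode calculation assumes the printable ASCII alphabet.

```python
import string

# Common passcodes the post names; the years 1950 to 2010 are generated rather
# than listed. Constructed for this example.
COMMON_PINS = {"1234", "4321", "0000", "1111"} | {str(y) for y in range(1950, 2011)}


def is_weak_pin(pin: str) -> bool:
    """Return True if a 4 digit passcode should be rejected by policy.

    Weak means: on the common list, all one digit (e.g. 7777), or a straight
    ascending/descending run (e.g. 3456, 9876). Anything that is not exactly
    four digits is also rejected.
    """
    if len(pin) != 4 or not pin.isdigit():
        return True
    if pin in COMMON_PINS:
        return True
    if len(set(pin)) == 1:
        return True
    steps = [int(b) - int(a) for a, b in zip(pin, pin[1:])]
    if all(s == 1 for s in steps) or all(s == -1 for s in steps):
        return True
    return False


def guess_probability(digits: int = 4, attempts: int = 10) -> float:
    """Chance of guessing a uniformly random numeric passcode of `digits` length
    within `attempts` tries, i.e. before Erase Data wipes the phone.
    With the post's figures (4 digits, 10 attempts) this is 10 / 10,000."""
    return attempts / (10 ** digits)


def text_passcode_space(length: int) -> int:
    """Number of possible text passcodes of the given length, assuming the
    printable ASCII alphabet (letters, digits and punctuation: 94 symbols)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return len(alphabet) ** length


def passcode_report(pin: str) -> dict:
    """Summarise a candidate 4 digit passcode against the post's advice."""
    return {
        "weak": is_weak_pin(pin),
        "guess_chance_with_erase_data": guess_probability(4, 10),
        "eight_char_text_space": text_passcode_space(8),
    }


if __name__ == "__main__":
    for candidate in ("1234", "1987", "7777", "9876", "4927"):
        print(candidate, "weak" if is_weak_pin(candidate) else "ok")
    print("chance of a lucky guess before wipe:", guess_probability())
```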

10 October 2010

Love it or Hate it, PCI DSS helps cut UK Card Fraud

UK card fraud is significantly decreasing, according to the “UK Cards Association” statistics UK card fraud is down 20% to £187m for the first half of 2010.

http://www.theukcardsassociation.org.uk/media_centre/press_releases_new/-/page/1037/

There are several reasons why card fraud in the UK has been dropping in my opinion:

1. Chip & Pin
Chip & Pin, known as EMV in the payments industry, has been highly successful in cutting "cardholder present" fraud, namely face to face debit and credit card transactions, since its adoption in the UK in 2005. Chip and Pin has forced card fraudsters to commit fraud against stolen UK cards in different ways, typically by using online payments or by creating counterfeit UK credit cards to use in countries where Chip and Pin hasn’t been mandated. However since 2005 more and more countries have observed the huge success of Chip and Pin in the UK, and have been adopting the same payment approach, this in turn is also helping to reduce UK card fraud, simply because the number of places where you are allowed to bypass Chip and Pin is reducing.

It has always been my strong view that the US market should also take stock of the clear benefits and mandate Chip and Pin across North America. Aside from the clear security benefits of using two-factor authentication, it could finally lead to the removal of the biggest security weakness of all with our plastic, namely the black magnetic stripe on the back. The magnetic stripe has been around for 40 years and is not only a really outdated technology, but it seriously compromises the security of all debit and credit cards. The magnetic stripe holds the full credit card details in plain text; for one thing, this makes it very easy for the bad guys to steal card details in seconds by simply swiping any card through a £3 magnetic stripe reader. For instance, the mag stripe allows for card skimming at cash points or within compromised retail card readers. In addition, that black stripe also makes it easy to create counterfeit cards, especially in comparison to the chip technology, which is very difficult to counterfeit. Unlike the magnetic stripe, the chip on our plastic is a constantly evolving technology, meaning it should keep a step ahead of the card fraudsters; not that card fraudsters have ever really managed to successfully crack a credit card chip yet. I mean, why would they even bother at the moment when they can take advantage of the mag stripe weakness?

2. Anti-Fraud Systems
The increased anti-fraud schemes introduced by the card brands like Visa and MasterCard, and within banks, are also having an effect in cutting card fraud. Schemes such as Verified by Visa and MasterCard’s SecureCode, known as 3D Secure in the payments industry, together with improved fraud detection systems operating behind the scenes in the banks, are also playing a part in cutting cardholder not present fraud. These are typically ecommerce and over the phone transactions, where we can’t be certain whether the payee has their card in their possession or just simply has the details of the card in their possession, which may of course not be their own card details.

3. Public Awareness
Public fraud and security awareness is improving; the UK public are being more security savvy when using their plastic, especially online, and so are becoming less likely to be victims of fraud techniques like phishing scams. I think the public are becoming more informed because they are learning the hard way after being hit with fraud, as opposed to any general security awareness that is going on.

4. Law Enforcement
Law enforcement is improving; more card fraudsters and hackers are actually being caught by the authorities. Despite UK cyber enforcement still being very weak in my view, it is clear international card fraud law enforcement, led by the US, is improving, with many high profile card fraudsters being arrested during the last 12 months. Many of the top card fraudsters based outside the UK have worldwide operations and often branch out into the UK market.

5. PCI DSS
Finally, and this is my main point, I think the adoption of PCI DSS is also playing a positive part. Many large scale credit card data breaches in the UK have occurred due to security neglect by UK merchants. The vast majority of UK credit card breaches are not disclosed to the general public because it is not in the interest of MasterCard or Visa, or the breached merchant, to do so, and there is no UK law which makes companies publicly disclose such data breaches.
However PCI DSS is helping medium and large UK merchants to become secure against card breaches. Even where UK merchants are not yet fully compliant with PCI DSS, there is still a vast improvement in overall merchant IT security; pre-PCI DSS most merchants did little to secure the cardholder data in their care. As I say on many occasions, there have been no known PCI DSS compliant merchants or payment processors that have ever been breached. Some folk believe Heartland were compliant at the time of their breach, which is untrue. One of the world’s most prolific card fraudsters, Albert Gonzalez, who incidentally is now behind bars, admitted to compromising and stealing card data from Heartland during their PCI assessment by exploiting a SQL Injection vulnerability. The bottom line is you simply can’t have a SQL Injection vulnerability in your cardholder environment and be PCI DSS compliant.
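Both the Lush post above and the Heartland case here come down to the same defect class: untrusted input spliced into SQL text. The following added example (my own illustration, not code from Lush, Heartland or the post) shows that defect beside its fix on a constructed in-memory order table with a stand-in card column, so you can see why a parameterised query is the control a PCI DSS assessment expects.

```python
import sqlite3

# Constructed sample data: a toy merchant order table holding only the last four
# digits of a card number, so there is nothing sensitive in the example itself.
SAMPLE_ORDERS = [("alice", "1111"), ("bob", "2222"), ("carol", "3333")]


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with the constructed order rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, pan_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders (customer, pan_last4) VALUES (?, ?)", SAMPLE_ORDERS
    )
    return conn


def lookup_orders_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """The defect: the customer name is concatenated into the SQL text, so the
    input can alter the WHERE clause and the query returns other customers' rows."""
    sql = f"SELECT customer, pan_last4 FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_orders_safe(conn: sqlite3.Connection, customer: str) -> list:
    """The fix: a parameterised query. The driver passes the value separately
    from the SQL text, so input can only ever be compared as data, never run
    as part of the statement."""
    return conn.execute(
        "SELECT customer, pan_last4 FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


def compare(customer_input: str) -> dict:
    """Run the same input through both lookups and report how many rows each
    returned; a gap between the two is the tell-tale sign of injection."""
    conn = build_demo_db()
    try:
        return {
            "vulnerable_rows": len(lookup_orders_vulnerable(conn, customer_input)),
            "safe_rows": len(lookup_orders_safe(conn, customer_input)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves the same either way.
    print("alice:", compare("alice"))
    # The textbook tautology turns the WHERE clause permanently true in the
    # concatenated version only; the parameterised version treats it as a name.
    print("tautology:", compare("alice' OR '1'='1"))
```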

Conclusion
To conclude, PCI DSS and the many other security measures appear to be making a serious impact on UK credit card fraud; however it is dangerous to rest on our laurels, as security is a continued game of cat and mouse. I know the bad guys are already becoming even more sophisticated in how they attack and steal credit card details. In addition, fewer card compromises will probably lead to an increase in the value of credit card data on the black market, which in turn will fuel the demand and desire to steal card details all over again; where there is a will, there is always a way.

Today’s low hanging fruit for UK card fraudsters is generally the smaller merchants, who perhaps take card details in their hundreds or low thousands, typically businesses such as hotels and small online businesses. They often neglect basic security practices and are either not aware of, or do not fully understand, their PCI DSS obligations, turning them into easy pickings for card fraudsters frustrated in trying to compromise the bigger merchants. Having said that, not all large scale merchants in the UK are PCI DSS compliant or as secure as you may think, or indeed as they may think.

16 September 2010

An Evening with Samy, creator of the Samy MySpace Worm

Last night I was out talking security, drinking beer and eating curry with Samy Kamkar, following his presentation at an OWASP Chapter event in Leeds. Samy was responsible for writing and delivering the infamous Samy MySpace Worm in October 2005, which was one of the fastest growing malware infections to date.

Samy Kamkar
Samy delivered an excellent and fresh presentation at the OWASP Leeds Chapter meeting, highlighting several areas of new research and frankly new concern for us all. I’ll save that for another blog posting once I’ve investigated it further; however you can read a little about one issue he discussed, which was highlighted in a recent BBC News report, “The Web attack knows where you live”: http://www.bbc.co.uk/news/technology-10850875

What I found particularly interesting about his presentation, aside from the vulnerabilities and clever exploits, was that you got to see how his mind ticks: his thought processes in finding and exploiting vulnerabilities. We aren’t talking about just a single vulnerability being taken advantage of here, but a whole jigsaw of different vulnerabilities, with many obstacles to be conquered before the final end game of successful exploitation. For those who wish to understand why certain people are so driven to hack, it is often for the thrill of the challenge. Some people like the challenge of Sudoku puzzles, crossword puzzles or video games, but there are some who just like breaking programming code and IT systems. Individuals like Samy don’t do it for personal gain or with thoughts of malice; he just does it for the sheer fun of it, in his own words “this is just a hobby to me”.

As far as I can tell when he created the Samy Worm he didn’t set out to hurt anyone or profit from it, he certainly didn’t have any grievances against MySpace at the time, nor did he even attempt to do anything anonymously, it was just a kid playing around with the new social media of the day and web code, and asking himself the question what if.

I asked Samy about the MySpace Worm, specifically at what point he thought the Worm’s spread went out of control. He told me that after he launched the code he saw few signs of it being successful, and he went to bed expecting at best a few hundred infections the next day, but by the end of the next day a million people’s MySpace accounts were infected with his code (the Worm). The Worm displayed the text “but most of all, Samy is my hero” at the end of a victim’s profile, and when another MySpace user viewed an infected profile, their own profile was infected due to a cross-site scripting (XSS) vulnerability in the MySpace web code which the Worm exploited. The Worm code would also automatically send a friend request to Samy, leaving Samy with a million MySpace friends. There is a full account of what happened in Samy’s own words at the time still available on the Internet - http://namb.la/popular/

A MySpace Samy Worm Infected Profile: aside from the Samy text you can see, there is script code you can’t see which executes.
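The defender’s side of the vulnerability the Worm exploited, as an added example rather than anything from Samy’s write-up or MySpace’s own code: user-supplied profile markup is re-serialised through an allowlist before it is rendered into other users’ pages, so a script block, a style or event-handler attribute, or a javascript: link never reaches the viewer’s browser. The tag and attribute policy below is an assumption constructed for this example.

```python
from html.parser import HTMLParser
import html

# Constructed allowlist policy for user-editable profile markup (an assumption
# made for this example, not MySpace's real rules); everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "div", "span", "a"}
ALLOWED_ATTRS = {"a": {"href"}}  # no style= (the Samy vector) or on*= anywhere
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


class ProfileSanitizer(HTMLParser):
    """Re-serialises profile HTML keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1  # swallow the element together with its content
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, font, ...): its text survives, the tag does not
        kept = ""
        for name, value in attrs:  # HTMLParser already lower-cases attribute names
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # discards onclick=, onerror=, style= and friends
            value = value.strip()
            # Only plain web links: rejects javascript:, data: and vbscript: URLs.
            if not value.lower().startswith(("http://", "https://")):
                continue
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # text stays text


def sanitize_profile(raw_html):
    parser = ProfileSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)
```

Output encoding on the way out is the complement of this step: the sanitised fragment is inserted as trusted HTML, while every other user-controlled string on the page is HTML-escaped.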

Samy went on to say it was a good six months before he was arrested and charged. In a scene reminiscent of the film Hackers, he talked about how he and his friends were arrested at gunpoint, and how he was banned from using a computer for two years, but fortunately avoided an actual prison sentence.

Samy is still only 24, and even though he only does security as a hobby, you are left with the distinct impression you will hear a lot more about Samy in future years. The same type of relentless problem-solving thought process, attention to detail, and the utter determination it takes to discover and successfully see through the exploitation of complex vulnerabilities actually maps well onto the successful business person’s mind.

09 September 2010

No Data Protection in Outer Space!

I just found out my name is on board the IKAROS spacecraft, which is currently solar sailing its way from Earth to Venus. Apparently this is a benefit of my membership of the Planetary Society – yes I do have other interests outside information security.

IKAROS

I don’t recall agreeing for my name to be sent into space, but I’m sure glad they did it, especially as this spacecraft may change the course of interplanetary and interstellar exploration forever, plus the spacecraft could end up drifting in space for eternity, but I'll save further discussion on that for a different themed blog. So getting back to security, to be perfectly clear, an individual’s name on its own doesn’t require any protection, and protecting it is not a requirement of legal acts such as the UK Data Protection Act. This is a common misconception: it is only when you combine an individual’s name with other pieces of their personal information, such as a date of birth, that it comes into scope of requiring protection. Although I have to say not many small UK businesses are up to speed with their legal data protection obligations.

I personally believe the Data Protection Act is outdated, and is in need of a major review and overhaul. The Act was written in the nineties before Internet usage really took shape, and in this day and age of social networking and instant availability of UK citizens’ personal information, such as within online electoral roll websites, there could be an argument that there is actually little point in trying to make businesses protect certain aspects of our personal information anyway, because the horse has already bolted.

But even if my full personal details were alongside my name on the IKAROS spacecraft, I would argue adequate data protection was in place. Due to the vacuum of millions of miles of space, my personal information isn’t exactly publicly accessible. I consider my details to be certainly more secure in space than within the care of certain government departments and companies I could mention. I mean it’s not like I’m at risk of identity theft by extraterrestrials, or am I?