Sunday, July 28, 2013

Russian Hacker Justice


This week there were a number of stories like the one in the Wall Street Journal and NBC News about the Russian hackers who managed to get credit card numbers for millions of customers at Hannaford Brothers Co. (4.2 million cards), Discover (2 million cards), and NASDAQ (10,000 corporate logins).  It was amazing that the announcements were saying how wonderful it was that these computer criminals had been indicted for "harvesting data, including, among other things, credit card, debit card, and other customer account information from within the compromised networks, and exfiltrating that data out of the compromised networks."  It was almost like someone was out there looking for this type of thing and caught someone.  I wish.  

It was obvious from the indictment that these individuals had been long-time criminals, going back 10 years.  Some of the named co-conspirators have been in jail since 2008.  

In 2003, Albert Gonzalez was stealing millions of bankcards while working as a government informant for the US Secret Service. [He is listed as a co-conspirator in this case.] If you want to read a good story of the whole affair, see James Verini, The Hacker Who Went into the Cold, New York Times Magazine, November 10, 2010.  It will scare you, if these kinds of things can.  


This clever piece of work was done with the help of Shadowcrew.com, an organized band of thieves.  The server that investigators were able to study had 4000 accounts on it, some probably duplicates, but more than five individuals were needed to make their scheme work.  Gonzalez, like the current crop of professionals, worked at his business by studying the card machines that banks use – their hardware and software – and by going after the managers and supervisors of the companies that used them.  He accessed the point of sale system for Marshalls and T.J.Maxx, so he wasn't stealing one credit card at a time.  He stole between half and all of the transactions between the stores in the US, Canada and Puerto Rico.  

These are professionals in a way that our staffs of computer security experts are not.  The credit card industry should be the best of the best, and they do pretty well, but the stores that feed into that system don't.  How long can we let this go?  A rational person would think 10 years was probably too long to have an organized group stealing credit card numbers by the hundreds of millions.  Why can't we get some interest in changing to the more secure credit card system where the cards are a little less easy to duplicate and stealing the number doesn't help?  

Somebody in all of these hacked locations is taking "acceptable risks" with my credit card numbers, and with those of most people in the country where I live.   Sure, the card issuers will gladly give you another one, after the first losses start to show up.  Is that OK?  Is it enough?  No.

This is why God made Government.  If the credit card system can't be secured, then it has to be regulated into doing the kinds of things it has to do to be acceptably secure.  The credit industry knows what that is, but they really don't want to spend the money.  They would rather issue new cards and write off the losses.  On the political side of this, Russia and China protect hackers and we don't seem to be able to do much about it.  If it takes 10 years to bring the second indictment, it is fairly sure the Feds are not paying attention, and not very motivated to root these guys out.  If it takes 10 years, then the losses subsidize the Russian gangs at our expense.  Is anyone in the credit industry willing to say, "This is not an acceptable risk"?    For heaven's sake, stand up!





Friday, July 12, 2013

China: Reach out, Touch a Journalist

For those who may have missed it, Jim Sciutto wrote an interesting opinion piece for the Washington Post on paying attention to what the Chinese do to control their outlets to the Internet.  [see China’s blackout of U.S. media can no longer be ignored - http://www.washingtonpost.com/opinions/chinas-blackout-of-us-media-can-no-longer-be-ignored/2013/07/10/2bdea62e-e7f5-11e2-a301-ea5a8116d211_story.html] 

These are his main points:

1. The Chinese censor their Internet.  They have their own versions of Twitter, Facebook and YouTube.  They ban certain outlets like the New York Times and Bloomberg News and target specific stories in The Wall Street Journal and U.S. news services. 
2. They block sites as a punitive or policy matter – sometimes both. 
3. We have granted 700 visas to Chinese journalists, but they will block our journalists for stories that they don't like.  He votes for a more reciprocal policy for visas. 
4. We need to deal more aggressively with China on these matters, rather than accept them as acceptable internal policies. 

He certainly has good points and more detailed discussion in his full article, but he may have overlooked some important points, perhaps for lack of space.  The Chinese, as they demonstrated with the Google and New York Times/Wall Street Journal cases, do not just try to govern their own Internet; they want to govern the whole Internet, including the part owned and operated by the United States. 

In their approach to Google, the Chinese asked Google to restrict the flow of pornography, as they defined it, to China – and to Google users in the United States.  It sounds like the height of arrogance, but to them, it is just regulating the flow of information to their own population, by any means possible. 

In both the New York Times and Wall Street Journal cases, the Chinese hacked the papers to get the sources of stories published about their leaders.  They can't stop the stories directly, so they go after the sources, wherever they are.  As Jim points out in this article, they control the press of other countries by controlling their visas. 

They do the same with dissidents anywhere they can find them.  As the Shadows in the Cloud series of reports by the Shadowserver Foundation et al. shows, the information being stolen was coming from Indian embassies in Belgium, Serbia, Germany, Italy, Kuwait, the United States, Zimbabwe, and the High Commissions of India in Cyprus and the U.S.  It was a massive effort to find out what one person, the Dalai Lama, was going to be doing.  They have the resources and time to focus on disruptions in their movement forward. 

The Chinese pretend that they just enforce their internal policies and have every right to do what they do, but we find out more and more that it is not just at home that they attempt to enforce their internal policies.  They reach into the borders of many countries. 

I agree that more has to be done, but I'm not sure diplomacy is the best course here.  We have played a very passive role in our response to hacking by the Chinese, while they use every excuse and side-track, Edward Snowden included, to try to deflect their fault.  We need more than treaties and agreements to stop this kind of attack.  There is no such thing as deterrence in the hacking world, and we need to bring back that concept.  They need some painful reminders that attacking another country has consequences.  So far, they are the only ones handing those out. 



Monday, July 1, 2013

Microsoft Tightens Security and Strangles the Customer

After 45 years of doing computer security, I thought I knew a little about it, but Microsoft has done some things to convince me otherwise.

I got a new X-box, not because I wanted one, but because my original burned up last week.  I like the design better, and it is wireless, making it easy to connect to the Internet.  This was probably the first mistake, of many, that I was about to make.

I signed in using my account name and password, the same one I had used for the previous couple of years, but the error message said I had the password wrong.  Unlike almost everyone I know, I write down my passwords, so it took a while to find the old one.  My password book goes back 4 years and has a lot of them in it.  Finding the most current, with the right user name, was easy enough.  I had it right, but Microsoft insisted it was wrong.

There is a reference to an X-box webpage, so I logged into my Microsoft account and went to it on a regular PC.  The account logged me in and took me to the correct site and logged me in there too.  It came up with my old X-box user name, which is the same one I was using on the new box.  So, in desperation, and I mean that sincerely, since I generally won't do help desks, I chatted with a nice guy somewhere in the world of English-speaking help.  He went through my entire account and matched it up with the X-box, only to find that I was using the right password all along.  By some imaginative looking around, he discovered the password and user name were associated with the old X-box and not the new one, so we deleted references to the X-box altogether.  When I rebooted the X-box, it worked fine.

The next day, it didn't.  Since I am a Mac user, I didn't even blink when it failed to log in.  I put in the user name and password from the previous day and nothing.  The behavior was not the same as yesterday, and it just kept sending me around in circles, reentering each over and over.  Anyone who tries this without a keyboard understands the frustration of it.

So, for another attempt at help desk international, I went back on the PC.  This time, a new person took me through an entirely different routine which ended in 2-factor authentication, not something I am fond of after my experience with it and Google, but it was "different than Google", which could be good or bad.  When we were all finished with the process, I had an 18-letter password, which Microsoft generated for me.  Not being very intuitive, I asked, "What's this?"

"Abagail", who was smiling when she said it, said "This is your new password."  I could log in with this password and just set the "log me in" setting on the X-box and would not have to enter it again.  I know what this means, and so does anyone new to security.  I won't be changing my password - ever.

Not thinking this was such a good idea, I asked her how this was going to be changed.  Go back to the PC and log in to the X-box site, and follow the same procedure for a new 18-letter password that takes a few days to enter on an X-box without a keyboard.  Since Microsoft sent me a code on my cell to confirm I was changing my password, it passes for 2-factor authentication.  I still am not sure what happened to my original password and user name two days ago, but by now, I wasn't thinking clearly.

I bought a card for X-Box Live and thought I would see what is new on the X-box since my old one died.  Quite a bit was promised.

I scraped off the number on the back and entered it where X-box says to "redeem code".  I do this all the time with Amazon, so I know how this part is done.  As it turns out, Microsoft and Amazon don't have their cards made in the same place, and the Microsoft card is so secure it takes a jackhammer to remove the frangible cover sheet, the part that keeps the code from being read in the store.  I tried that number 5 or 6 times before calling another help desk person who was not very helpful.  "You are obviously not reading the number right or not entering all the numbers.  There should be 25."  Mine has 21.  The jackhammer removed the first 4.  Can you give me the first 4?  "No, return it to the store and get a refund."

So in two days, I find that since my first X-box, Microsoft has revolutionized security.  They have done what they always do and ensure they protect their business interests first, and the customer can sit quietly and color.  There is not an ounce of documentation on any of this that is sold with the device or the card.  You have to get help, and that help is pushing you through areas of darkness that are complicated and necessary to keep some little kid in Nebraska from using an X-box on his Mother's home network, when he is only allowed to use his Father's.  They should never have divorced anyway.

I still remember those long codes on the back of Microsoft software.  They worked most of the time.  Now, you don't get the codes, the software, or any rights to anything you buy.  It is not hard to figure out why the popularity of these products is so low on Amazon.  People who use Amazon's system find Microsoft's annoying.