badpassword

Latest

  • Hospital ransomware: A chilling wake-up call

    Illustration by D. Thomas Magee

    by Violet Blue, 02.19.2016

    If you had a loved one in the Hollywood Presbyterian Medical Center during its recent ransomware siege, would you be mad at the digital extortionists or the hospital? For me, the answer would be both. Hollywood Presbyterian declared a state of emergency over the ransomware on February 5th. The hospital issued a statement to press Wednesday evening on the 17th saying, "HPMC has restored its electronic medical record system ("EMR") on Monday, February 15th." The hospital isn't saying exactly when it paid the ransom, but it looks like they waited at least a week to end the file-hostage situation. Hollywood Presbyterian said its payment was 40 bitcoin, around $17K (not the 9K in bitcoin / $3.6 million initially reported).

  • RIP: Adblock Plus

    Illustration by D. Thomas Magee

    by Violet Blue, 02.12.2016

    I got a little too excited when the Interactive Advertising Bureau (IAB) chief called Adblock Plus (ABP) "an unethical, immoral, mendacious coven of techie wannabes." I immediately wanted to know when the next coven meeting was and how many stars to sew onto my witch cape. The chief's accusations of heresy came after ABP was disinvited from the bureau's Leadership Summit. IAB's chief further twisted the ceremonial dagger by saying they weren't invited "in the first place." After that splendid outburst of public bitchiness, finding and joining the ad-blocking coven was my destiny. But little did I know that any ad-free witchery Adblock Plus might've been storing up for future spell-casting was getting less ad-free by the minute.

  • Why the war on VPNs is one Netflix can't win

    Illustration by D. Thomas Magee

    by Violet Blue, 01.29.2016

    Netflix has started blocking users who try to bypass country-based content restrictions by using a VPN, beginning its enforcement last week with Australian subscribers. The problem is, by forcing customers to turn off their VPN, Netflix is putting them at risk of being maliciously hacked.

  • The RSA keynotes: a cautionary tale

    by Violet Blue, 01.22.2016

    On Feb. 29th, thousands of cybersecurity professionals will flood San Francisco's Moscone Center for RSA Conference, one of the security industry's largest and most authoritative events. This week, RSA announced its 20 keynote speakers, and if you heard a weird noise coming from Twitter, that was the InfoSec community releasing an exasperated collective WTF. In a plot twist predicted by no one, three of RSA's coveted keynote spots have gone to two actors and a producer from the TV show CSI: Cyber.

  • Google's creepy plan to kill the password

    by Violet Blue, 01.15.2016

    In the grab bag of Google/Alphabet's big projects for 2016 is Project Abacus. It's basically the company's plot to kill the password in cold blood, by replacing it with smartphone user authentication via an uncrackable collection of biometric readings. Abacus would lock or unlock devices and apps based on a cumulative "trust score" -- as your phone continually monitors and recognizes your location patterns, voice and speech patterns, how you walk and type, and your face (among other things). Like many things Google, it sounds miraculous. Your phone will just know it's you. And infosec pundits who believe we're stuck in password-hell Groundhog Day because "regular" people won't do security if it's inconvenient, will rejoice.

  • You say advertising, I say block that malware

    by Violet Blue, 01.08.2016

    The real reason online advertising is doomed and adblockers thrive? Its malware epidemic is unacknowledged, and out of control. The Forbes 30 Under 30 list came out this week and it featured a prominent security researcher. Other researchers were pleased to see one of their own getting positive attention, and visited the site in droves to view the list. On arrival, like a growing number of websites, Forbes asked readers to turn off ad blockers in order to view the article. After doing so, visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information. Or, as is popular worldwide with these malware "exploit kits," lock up their hard drives in exchange for Bitcoin ransom. One researcher commented on Twitter that the situation was "ironic" -- and while it's certainly another variant of hackenfreude, ironic isn't exactly the word I'd use to describe what happened.

  • Laugh the pain away with 2015's best infosec memes

    by Violet Blue, 12.31.2015

    As you might guess, infosec memes aren't as straightforward as Pizza Rat or Left Shark. That's because most of the time they run on one part inside jokes and two parts hacker history. They're usually technical, and they communicate an intimate knowledge of the slow-roasted levels of hell only understood by an information security professional. Recently, infosec coughed up two particularly transcendent and painfully hilarious memes.

  • The myth of Mariana's Web, the darkest corner of the internet

    by Violet Blue, 12.18.2015

    Chances are, like me, the first time you heard about the Dark Web it was described as a foul and depraved marketplace, where children, drugs, and pirated movies could be bought for mere Bitcoin. Tabloids paint it as a place where a veritable "Top 10" of our biggest fears resides. Opportunistic security companies sell threat intelligence services that allude to hunting for bad guys in dark dens that deal in organ harvesting, involuntary human experiments, and more.

  • In hacking, the blame game is purely for entertainment

    by Violet Blue, 12.10.2015

    As the holidays approach, I find myself missing the drama and spectacle of the Sony hack. You know, the kind of drama where a movie studio realizes it's under attack and decides that overacting will save the film. Or that threatening journalists to stop writing about it will put an end to all those "bad reviews" everyone's suddenly writing about Sony security. The holidays were made for this sort of thing. Can you even remember any of last year's Christmas specials? No. That's because watching Sony utterly fail to handle the epic breach with grace or wisdom was way more entertaining than seeing anything on ice last December. And then the whole twist, where FireEye points the finger at North Korea as a sort-of "red scare" Krampus in act three, well, that must be what people mean when they talk about the magic of Hollywood. Now, that's entertainment.

  • Yes, everyone has been breached

    by Violet Blue, 12.03.2015

    Oh, a company you do business with was breached? No biggie. You probably won't die or be sold to a Russian white slavery botnet cartel. Probably. But your data will. It's really hard to come up with a sector that hasn't been hit with a big data breach in the last five years. Health insurance files? Check. Classified government personnel records? Check. Hotels, banks, retailers, credit companies, crowdfunding platforms, online hookup sites, video game companies, Hollywood giants, cable and broadband providers... The list is endless.

  • Let's have an argument about encryption

    by Violet Blue, 11.19.2015

    Government officials have been vexed for quite some time now that they can't surveil communications that use end-to-end encryption. Never mind that to crack encrypted platforms open for one spy would mean to open them up for all spies. Just being able to roll WhatsApp, Telegram and iMessage into the Pentagon's bulk surveillance programs is good enough for them, thanks. Worrying about what that might mean to the intelligence gathering capabilities of their adversaries is apparently "not in their department." After the devastating attacks in Paris last Friday, U.S. officials wasted no time in using fear to insist that messaging apps using end-to-end encryption be "backdoored" for surveillance access, and rolled into the Pentagon's bulk surveillance programs. The internet, rather than treating the officials like children who want to smash the family piggy bank to collect copper pennies, has decided to argue with them.

  • 'We take your security seriously'

    by Violet Blue, 11.12.2015

    Anyone who has even the slightest amount of contact with the internet is familiar with the scenario: An email or actual piece of mail arrives from a company who apparently handles some part of your connected life. The letter calmly identifies its author as a company you do business with, either by choice or by default. It blandly informs you that there has been a security incident in as little detail as possible. You have already heard about it on the news. It was probably a month ago and in more detail than in the letter currently staring back at you. Then the company's mass-missive assures you, "We take your security seriously."

  • The cyberpsychologist is in

    by Violet Blue, 11.05.2015

    My first session with a cyberpsychologist didn't go so well. She asked me to lie back on the couch, relax, and "think of cyber." "You know," she said, "what you do when you're angry." "Well, I don't really cyber when I'm angry-" She cut in, "Do you have penetration problems?" "No!" I stammered, "I ... I have I guess what you'd call cyber ... toys? I mean, when I want to penetrate a-" "Oh," she said acidly. "Then you must be dealing with feelings of cyber-castration. You were cut off from a network as a child, weren't you?" "Network!? Wait. Do you mean cyber, or do you mean cyber?" Okay, so my first cyberpsychology session might have actually been all in my head, but I'm far from alone in my confusion about whether the spokesperson for cyberpsychology — apparently a real term — means cyber (as in security) or cyber (as in sex).

  • The coming smart-thing apocalypse

    by Violet Blue, 10.29.2015

    Bad Password is a hacking and security column by Violet Blue. Every week she'll be exploring the trendy new cyberhysteria, the state of the infosec community and the ever-eroding thing that used to be called "privacy." Bad Password cuts through the greed, fearmongering and jargon with expertise, a friendly voice and a little levelheaded perspective. Like some people I know familiar with the ins and outs of digital surveillance (and startle like housecats when an app makes a geolocation request) I don't own any "smart" home items. My 1913 flat is well-connected to the internet, and my living room is a hacker's honeycomb hideout of entertainment playthings, but I'm far too pleased with my paranoia to own something from the class of spyware and advertising honeypottery known as the Internet of Things.

  • The problem with 'pumpkin spice' security bugs

    by Violet Blue, 10.22.2015

    When asked, "Why give a vulnerability a website, logo and brand image?" many infosec professionals will confidently answer that flamboyant bugs raise awareness toward fixes. Fixing and patching, we're led to believe, is almost as fun as a trip to the dentist. Which is true. Heartbleed, Shellshock, Stagefright, Sandworm, Rootpipe, Winshock and the truly terror-inducing nom-de-sploit POODLE are not, in fact, a list of situational phobias. These were named with intent to become PR markers -- although looking at the way some of these vulns (vulnerabilities) got their names and brands, it seems like the focus was more on the credit for naming them, rather than the actual usefulness of trying to "pumpkin spice" a bug.