Nice Computer – Shame If Something Happened To It

LabMD is a cancer testing center in Atlanta, GA.  In 2010, someone compromised its security and pulled its medical records. Soon after the break-in, LabMD was contacted by Tiversa, a cyber security firm who offered to sell them emergency incident response services. LabMD refused. Tiversa told the firm they’d notify the FTC unless the company hired its services. Again, LabMD refused.

Tiversa made good on its promise and contacted the FTC. The government agency pursued the measure to its fullest. LabMD was sucked into a lengthy legal battle which eventually bankrupted the company. There’s just one problem with this story: the hack never happened. Tiversa made the whole thing up….



Cyber Threats Against Surgical Robots


Things that would suck for one thousand, please, Alex.

Imagine — and why the hell not? — that you need an emergency appendectomy. Yours is about to explode because why-do-we-even-have-those-things? You are rushed into the operating room and placed on a table beneath a curious apparatus. “Get me a nerd, stat!” Somebody shouts.

A man in surgical clothing greets you. “Relax,” he says. “I’ve done a million of these.” He pushes a button and mask drops and smothers your face. The man’s credentials don’t match what your parents expected from their emergency room staff. The “doctor” is a computer operator, a Microsoft Certified Surgeon from ITT Tech. Your procedure begins when he selects “Appendectomy” from a drop-down menu. It is performed by a robot that immediately goes to work, carving into your body in search of an inflamed appendix.

Suddenly the robot orders silicon. Unexpected noises fill the room as the augmentation unit fires up. “WTF?” the operator types into his IRC session. “This thing’s going haywire.” Everyone in the channel responds in a similar manner: “LOL!” they type back. “This is serious shit!!!1!1!”, he anger-types. “ROTFLMAO!” they reply.

The robotic knives withdraw from your abdomen. The apparatus glides on tracks as it works its way towards your chest. It starts to make cuts around your nipples. The operator is agog; his jaw drops and he’s unsure what to do. The augmentation unit descends and attaches to your chest. Silicon starts flowing. The operator starts smashing his keyboard. “Why does this shit always happen on a Friday afternoon??!!” he screams. “LOL!” the IRC channel says.

So what happened? The hospital didn’t keep its goddam software up-to-date. The surgical robot was hacked. And now you have lady tits because 4Chan was in need of some afternoon LOLz.

Sound far-fetched? A team of researchers at the University of Washington in Seattle just hijacked a teleoperated surgical robot and documented its security vulnerabilities in a new white paper. Great! As if surgery wasn’t stressful enough, here’s one more thing to think about.

At least the guys at 4Chan gave you big ones. (They’re a little obsessed with breasts over there…)



HTTPS Happy Nice Time

As you may have noticed, here at JoeDog Enterprises Incorporated Ltd ESQ Inc., we switched from http to https last weekend. Exciting!

We warned you that such a move could be accompanied by unintended consequences. But keep in mind, not all side effects are bad. Just like painkillers can provide a little glow along with relief, some changes can provide unintentional benefits. Here’s the story of one of them.

This morning we noticed skiddie activity. That’s not unusual. Every morning we notice skiddie activity. Some asshole from 192.210.220.2 in Williamsville, NY is running an attack right now. Our http logs are filling with this activity:

192.210.220.2 - - [20/Apr/2015:08:32:35 -0400] "POST /xmlrpc.php HTTP/1.1" 302 213 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

See that 302? That means our http virtual host is issuing a redirect to https. Here’s the thing: he doesn’t appear in the https logs. That means his stupid skiddie script is too dumb to follow the redirect. For the past hour he’s done nothing but cause meaningless redirects …

… and now he’s blocked.

UPDATE: Those 302s are now 301s as per Tim Funk’s recommendation. If skiddie can’t follow 302, he can’t follow 301 either….
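Here is the same observation turned into a check you can run over your own logs: clients that keep getting 301/302 off the http vhost but never show up on the https vhost are not following redirects, which is a good sign they are scripts rather than browsers. This is an added example, not JoeDog’s own tooling; the log lines are constructed (the skiddie’s IP is the one from the post, the well-behaved client is a documentation address).

```python
import re
from collections import Counter

# Apache "combined" log format: client IP, identd, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (not the post's real logs): the skiddie only ever
# reaches the http vhost and gets redirected; a real browser follows to https.
HTTP_LOG = """\
192.210.220.2 - - [20/Apr/2015:08:32:35 -0400] "POST /xmlrpc.php HTTP/1.1" 302 213 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
192.210.220.2 - - [20/Apr/2015:08:32:36 -0400] "POST /xmlrpc.php HTTP/1.1" 302 213 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
192.210.220.2 - - [20/Apr/2015:08:32:37 -0400] "POST /xmlrpc.php HTTP/1.1" 301 213 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.7 - - [20/Apr/2015:08:33:01 -0400] "GET / HTTP/1.1" 301 213 "-" "Mozilla/5.0"
"""
HTTPS_LOG = """\
203.0.113.7 - - [20/Apr/2015:08:33:02 -0400] "GET / HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
"""

def parse(log: str):
    """Yield (ip, method, path, status) for every line the regex understands."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, method, path, status = m.groups()
            yield ip, method, path, int(status)

def redirect_only_clients(http_log: str, https_log: str, min_hits: int = 3):
    """IPs redirected (301 or 302) on http at least min_hits times that never
    appear on the https vhost: whatever they run is not following redirects."""
    seen_on_https = {ip for ip, *_ in parse(https_log)}
    redirects = Counter(ip for ip, _, _, st in parse(http_log) if st in (301, 302))
    return sorted((ip, n) for ip, n in redirects.items()
                  if n >= min_hits and ip not in seen_on_https)

if __name__ == "__main__":
    for ip, n in redirect_only_clients(HTTP_LOG, HTTPS_LOG):
        print(f"{ip}: {n} redirects, never seen on https -> candidate for blocking")
```

Feed it the real files with `open(...).read()` and raise `min_hits` to whatever separates one lost browser from an hour of hammering.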

UPDATE: That’s weird. My linky text is recommendation — as in “Tim Funk’s recommendation” — but magic is turning it into “Tim Funk’s 1 comment.”



Which Side Are You On?

During the First World War, the Ottoman government systematically killed 1.5 million Armenians. If you ever want to anger a large number of Turkish people, refer to that event as “genocide.”

On Sunday, New Pope did exactly that.

“In the past century, our human family has lived through three massive and unprecedented tragedies,” the Pope said at a mass to commemorate the 100th anniversary of the Armenian massacres. “The first, which is widely considered ‘the first genocide of the 20th century,’ struck your own Armenian people.”

It was a sentiment that didn’t sit well with a Turkish “hacker” known on twitter as @THTHerakles. On Monday, he brought down New Pope’s website. Writing in first person plural, he explained that it will remain down until New Pope apologizes.

“Taking sides and calling what happened with the Armenians genocide is not true. We want Pope to apologise for his words or we will make sure the website remains offline,” he said.

I suppose there are two sides to every issue — even genocide. The pope’s against it. Which side are you on, @THTHerakles?

As of this writing, the Pope’s website remains unreachable.

UPDATE: As of 10:38 EDT, New Pope is back online. It looks like he scaled vertically. There are now four A records for www.vatican.va. On each he has an apache server which is forwarding requests back to Oracle iPlanet. It’s just like New Pope to straddle the worlds of open source and corporate opulence.



The Number of the Beast

On April 24, 1980, the Maragos Brothers, Peter and Jack, walked into a Philadelphia bar with a platinum-blonde and a fistful of dollars. While Peter wagered large sums of money on the Pennsylvania lottery, Jack spoke loudly in a foreign language on a pay phone near the bar. At one point, he turned the phone toward his brother so it could capture the sound of the lottery machine as it printed daily number tickets.

This struck the bartender as odd.

That night Nick Perry was working the Pennsylvania lottery as an on-camera announcer. The first drawing was the daily number. “Six,” Perry said as a ball was selected on the first machine. And now the second number: “Six,” he said. Finally the third number matched the other two. Six-six-six was one of the numbers the Maragos Brothers wagered a lot of money on.

Nick Perry was born Nicholas Pericles Katsafanas, a son of Greek immigrants. He spoke the language fluently. So did Jack Maragos. It was the language he used on the pay phone in that Philadelphia bar. The bartender started to put two-and-two together and alerted authorities. Nick Perry and the Maragos brothers had rigged the Pennsylvania lottery.

Perry enlisted the help of WTAE art director Joseph Bock who created weighted ping-pong balls to use in the drawing. Bock weighted all the balls except four and six. In Philadelphia, the Maragos Brothers bet every combination of those numbers: 444, 446, 464, 466, 644, 646, 664, and 666. It was the devil’s own number that delivered that day.

Now Eddie Raymond Tipton appears to be walking in Nick Perry’s footsteps. The former information-security director of the Multi-State Lottery Association is accused of tampering with the lottery. As a condition of employment, Tipton was not allowed to play the lottery but on Dec. 23, 2010 he appears to have done exactly that. Tipton was filmed buying a ticket at a QuikTrip convenience store. That night, his number hit. The ticket was suddenly worth $14.3 million dollars.

Iowa authorities accused Tipton of using his privileged position to tamper with the machine. According to them, he inserted a thumb drive that altered the random number generator and allowed him to control the outcome. Good stuff.

His trial is now under way….



ISIS Unleashes Its Skiddies

The FBI released a Public Service Announcement, you guys. According to the bulletin, ISIS skiddies have started attacking WordPress installations. They’re trying to exploit known vulnerabilities in an attempt to grab your personal and financial information.

Well, tell them to join the fscking club.

This site has been attacked so many times, that we’ve applied for Veterans’ benefits. Without checking the logs, we can confidently say that some asshole’s attacking it now. Why can we confidently say that? Because some asshole’s always attacking it!

The most frequent assault is a dictionary login attack. They pound the login page with an endless stream of login attempts. Here’s how we thwarted that one.

Your best defense against these dicks is to keep your software up-to-date. If you operate in a specific region, you could always firewall off large parts of the globe. If we blocked Asia, we’d reduce attacks by over 50%. Don’t worry, Asia. We love you. But please get your software up-to-date.



Enter Sandman

Let’s face it. Online appliances are designed for the lowest common denominator. Consider an average person’s intelligence. Half of a manufacturer’s customers are dumber than that. If they lock-down a device too securely, they’re just setting themselves up for a lot of service calls. We all know how manufacturers feel about service calls.

Last week a Minnesota couple got a lesson in device security. One night they were lying in bed and music started wafting into their bedroom. It appeared to come from the nursery where their infant slept. That’s odd, right? When an infant gets its hands on music it’s more likely to eat the CD than put it in a player and hit “start.”

It turns out the music was coming from the Netherlands. Wait a second – you said they lived in Minnesota! Here’s what happened: The couple entered the room to investigate. The music stopped when they opened the door. Suspecting a speaker associated with their Foscam nanny-cam, they used its software to check for web sessions. They found one associated with an IP address registered in Amsterdam. Someone from that city had attached themselves to their nanny-cam and was watching them inside their house. Creepy!

This couple wasn’t alone. They discovered private interior scenes from inside homes throughout the world. “There’s at least fifteen different countries listed and it’s not just nurseries — it’s people’s living rooms, their bedrooms, their kitchens,” she told KTTC. “Every place that people think is sacred and private in their home is being accessed.”

It’s not clear how the camera was compromised. Foscam recommends your firmware be upgraded to the latest version so it could have been a bug. But they also recommend you change the default username and password so it could have been user negligence. Beyond that, they recommend placing the daemon on an alternative port and checking your logs at regular intervals. Sounds like these things were pretty insecure….

[KTTC: Nanny-cam Hacked For World To See]

[Foscam: How To Secure Your Device]

 



You Cannot Be Serious??!!

NQ Vault is an extremely popular app. It has more than 30 million users worldwide and it’s the recipient of many great reviews on Google Play. It’s a free download and pro upgrade costs $19.99.

The app is supposed to help secure your personal data. NQ’s website refers to the mechanism that protects those files as “strong encryption.” Is it? That depends. Do you consider XOR strong encryption?

XOR is a pretty common component in complex ciphers. By itself, XOR is easy to implement and requires little processing power. With a constant repeating key, it can be a quaint hack with which to hide files. As a security hacker recently discovered, this is how NQ implements its file protection.

ninjadoge24 encrypted a small png image using NQ Vault. He then examined the file in a hex editor. To his surprise it was only partially encrypted. It struck him as a substitution pattern. A thought quickly entered his head: “What if it’s just XOR? Like just fuckin’ XOR?”

To test his hunch, he entered the hex value of the unencrypted file into a hex calculator and applied XOR to it. Guess what? It matched the NQ Vault’s “encrypted” values.

Decrypting XOR is trivial. If you visit ninjadoge24’s blog, he’ll show you how to brute force your way through it.
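To see just how trivial, here is an added example (ours, not ninjadoge24’s code and not anything from NQ) of why a constant repeating XOR key fails the moment the attacker knows a few bytes of plaintext: every PNG starts with the same eight-byte signature, so XORing the “encrypted” bytes against it hands back the key, and the key unlocks the rest of the file. The four-byte key and the tiny stand-in PNG below are constructed for the demo.

```python
from typing import Optional, Tuple

# Every PNG file begins with these eight bytes: free known plaintext.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 8) -> Optional[bytes]:
    """Derive a repeating XOR key from a known plaintext prefix.

    For each candidate length k, key = ciphertext[:k] XOR known_prefix[:k].
    Keep the shortest k whose key also reproduces the remaining known bytes,
    i.e. the shortest period consistent with the prefix. A k equal to the
    prefix length would leave nothing to verify against, so it is not tried.
    Returns None if no length fits (key too long, or not a simple XOR).
    """
    n = len(known_prefix)
    for k in range(1, min(max_key_len, n - 1) + 1):
        key = bytes(c ^ p for c, p in zip(ciphertext[:k], known_prefix[:k]))
        if xor_repeating(ciphertext[:n], key) == known_prefix:
            return key
    return None

# Constructed stand-in for a small PNG: the real signature plus filler bytes.
PLAINTEXT = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + bytes(range(32))
SECRET_KEY = b"\x5a\xa5\x3c\xc3"          # hypothetical app key, 4 bytes
VAULT_FILE = xor_repeating(PLAINTEXT, SECRET_KEY)   # what the "vault" stores

def break_vault(vault_file: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Recover (key, plaintext) from an XOR'd PNG without knowing the key."""
    key = recover_key(vault_file, PNG_SIGNATURE)
    if key is None:
        return None, None
    return key, xor_repeating(vault_file, key)

if __name__ == "__main__":
    key, plain = break_vault(VAULT_FILE)
    print("recovered key:", key.hex(), "| plaintext restored:", plain == PLAINTEXT)
```

The lesson for anyone building a “vault”: XOR with a fixed key is a substitution table, not a cipher; use an authenticated cipher (AES-GCM or similar) with a key derived from the user’s secret.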

Honestly, this should be considered a mother fscking crime. NQ claimed this app used “strong encryption” but you could bust it with all the computing power that’s generated by a hamster wheel.



Amazon Web Services Free Edition

(Or how to run a website on a shoestring budget)

Last fall, Your JoeDog moved this site into Amazon’s web cloud. He’s using a micro instance on the free tier. It’s free for a year then $0.017 an hour after that.

Note that “micro” part. We’re talking about a pretty lean server. When it first came online, this site screeched to a halt at semi-irregular intervals. It was running out of memory. To increase its capacity while remaining in the free tier, Your JoeDog added some swap. “How do you add swap space in AWS?” Glad you asked. Here’s how:

  $ sudo /bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=1024
  $ sudo chown root:root /var/swap.1
  $ sudo chmod 600 /var/swap.1
  $ sudo /sbin/mkswap /var/swap.1
  $ sudo /sbin/swapon /var/swap.1

You can check your creation with the free command:

  $ free -m

By adding swap, Your JoeDog was better able to keep this site humming. Unfortunately, it still locked up. One day, it locked up for an extended period of time.

To monitor the site’s availability, we signed up for pingdom. There’s a free version which allows you to monitor a single URL and send text alerts. (Email won’t do us much good since that service is hosted here.)

Not long after the alerts were configured, one fired. The site was down(ish). Downish? What’s that mean? It was more like a series of brief outages. While this was going on, Your JoeDog’s inbox started filling with new-comment-needs-approval messages.

LINK SPAMMERS!! Some asshole was botting the site with unthrottled comment posts and they essentially DOS’d it.

To free up resources, Your JoeDog created an AWS database instance and moved his content from a local database with an export/import. There’s only one reason you shouldn’t do the same: cost. After the free period, you’ll be charged for that as well.

So what’s the moral of this story? If you can afford it, don’t waste your time on the free instance. These micro VMs are too light to handle traffic bursts. And if you’re a serious business, then you really shouldn’t bother. In the grand scheme of things, Amazon’s computing-for-lease is really inexpensive … except, of course, if you’re a lowly open source developer.

 



CENTCOM Gets PWND

Your JoeDog followed the events in France pretty closely. After reading two days of reports from the US and Europe, he had no fscking clue what was going on. The killers were captured and one was dead! Um, the killers are in the woods with helicopters overhead! Um, no, they’re inside a Jewish deli back in Paris. In a rush to publish, the only thing they did was add to our confusion.

And so it goes with the CENTCOM hack. Your JoeDog heard ISIS was inside Pentagon computers!!1!1!!! After sifting through news reports, it appears that ISIS simply defaced their Twitter and YouTube accounts. Wait a second — CENTCOM has a twitter account? What do they post besides “blew up some shit today!”

Is this a Big Deal? It depends on your perspective. From a security standpoint, it’s not. Imagine if you shared your GMail password with a friend and he started sending dick pics to everyone in your address book. That’s pretty much what happened. ISIS gained access to the accounts and pranked the military.

From a public relations perspective, it’s embarrassing. Unless they’re absolute morans, no sensitive data was compromised. You wouldn’t link your bank account to your twitter feed, and there’s no reason to believe CENTCOM would do the same with its operational servers. But at the same time, it paints the US military as a careless organization. It didn’t use two-factor authentication, its credentials were easy to crack and/or it fell for a phishing expedition.

It does make you wonder what else they’re “protecting” with ‘password123’ or to what extent the people inside Central Command are click-happy. Those are speculative musings which may have no basis in fact. Still, you can imagine a military ass-chewing that began with the Commander-in-Chief and worked its way down to the lowliest private. Your JoeDog is glad he doesn’t work in CENTCOM today.