Category: Tech

What do the Liberals want?

Electronic Voting!
When do we want it? Never!

Experts told CBS News that the ultimate goal of these hackers is not to necessarily change the outcome of the election; their main objective is to de-legitimize the outcome by sowing doubt, uncertainty and suspicion through a series of cyberattacks.

Successful operation, I’d say.

Foreign Actors compromise voters

Old-school cracks exploited the Arizona and Illinois State Boards of Elections.
The story is weak on specifics regarding the Arizona crack; this statement is ambiguous:

While the hackers did not compromise the state network, they stole the username and password of an election official in Gila County, located in central Arizona.

That doesn’t tell us if the stolen username was the origin of the crack attempt or the result. If the origin, then it was either an infected machine the user used or s/he used the same username/password combination on other websites.
From the McLean County Clerk’s Facebook page regarding the Illinois crack:

The pathway into IVRS was NOT through our firewalls but through a vulnerability on our public web page that an applicant may use to check the status of their online voter registration application.
The method used was SQL injection. The offenders were able to inject SQL database queries into the IVRS database in order to access information. This was a highly sophisticated attack most likely from a foreign (international) entity.

As a side note, headlines aside, no story that I’ve found actually says it was the Russians.
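The clerk's statement describes SQL injection through a public status-lookup page. The sketch below is an added example, not code from IVRS or from the original post: it puts a concatenated query beside a parameterized one, using an in-memory SQLite table. The table layout, the reference format and the sample rows are all constructed assumptions.

```python
import re
import sqlite3

def make_db():
    """Build an in-memory table of constructed sample applications."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE applications (ref TEXT PRIMARY KEY, name TEXT, status TEXT)")
    db.executemany(
        "INSERT INTO applications VALUES (?, ?, ?)",
        [("A1001", "Sample Voter One", "pending"),
         ("A1002", "Sample Voter Two", "approved"),
         ("A1003", "Sample Voter Three", "rejected")],
    )
    return db

def status_concatenated(db, ref):
    """Weak form: the visitor's input becomes part of the SQL text."""
    sql = "SELECT ref, status FROM applications WHERE ref = '" + ref + "'"
    return db.execute(sql).fetchall()

def status_parameterized(db, ref):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT ref, status FROM applications WHERE ref = ?"
    return db.execute(sql, (ref,)).fetchall()

def valid_ref(ref):
    """Allow-list check for the assumed reference format (one letter, four digits)."""
    return re.fullmatch(r"[A-Z][0-9]{4}", ref) is not None

# Textbook tautology input, used only against the constructed table above.
HOSTILE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", status_concatenated(db, HOSTILE))   # every row comes back
    print("parameterized:", status_parameterized(db, HOSTILE))  # no row matches
    print("valid_ref    :", valid_ref(HOSTILE), valid_ref("A1002"))
```

The bound parameter is the fix; the allow-list check is a second layer that rejects malformed input before it reaches the database at all.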

The Sound of Settled Science

Most Scientific Findings are Wrong or Useless:

Why is it a lie? Because it makes “it easy to believe that scientific imagination gives birth to technological progress, when in reality technology sets the agenda for science, guiding it in its most productive directions and providing continual tests of its validity, progress, and value.” He adds, “Technology keeps science honest.” Basically, research detached from trying to solve well-defined problems spins off self-validating, career-enhancing publications like those breast cancer studies that actually were using skin cancer cells. Yet no patients were cured of breast cancer. The “truth test” of technology is the most certain way to tell if the knowledge allegedly being generated by research is valid. “The scientific phenomena must be real or the technologies would not work,” Sarewitz explains.

That’s not how they work

When this is the goal: Officials predicted earlier this year that the newer model would find average overpayments of $1,739, up from the $1,047 identified during the first generation of the program.
And this is the result: The average overpayment identified under the newer model was $861 between May and August 2015, a drop from the $957 average during the same period in 2014.
This is not the correct conclusion: The department said it’s too early to say if the recalibrated system is meeting expectations.

Passwords

Do you have an account on one of VerticalScope’s domains? You may want to change your passwords.
Another 45M username/passwords leaked from 1000 web forums.
This happened before LinkedIn was breached and before the TeamViewer hack/breach.
The story links to Leaked Source. It asks you to enter your email, usernames or other identifying data into the search field and checks whether it is in their database of cracks. If it is, that account has probably been compromised, depending on the type of encryption used in the site’s database.
Don’t use the same password on different sites, and try not to use the same username. Personally, I use Firefox’s browser password manager with the master password feature turned on and I have set Firefox to delete cookies when it shuts down. That way I only have to remember the master password and the rest are encrypted. Chrome and Explorer do not encrypt their remembered passwords, so anyone with access to the filesystem can see them.

University of Calgary

The single largest vulnerability in any computer system is between the keyboard and the seat.
This is what happened:
Patient Zero gets an email along these lines:
Dear Customer,
Courier was unable to deliver the parcel to you.
You can review complete details of your order in the find attached.
Yours faithfully,
Greg Marks,
Sr. Support Agent.

Which naturally has an attached zip file for you to open and examine this package you didn’t get.
Patient Zero tries to open the zip…except they haven’t upgraded WinZip or WinRar recently and it’s a spoofed name. It isn’t a zip file at all; it’s just named that.
The trojan is now on your system, and here it gets more complicated, depending on the attackers, the variant of the virus, etc. Some variants provide a point of entry for crackers to investigate the system(s); others silently monitor the traffic for a while; the earlier variants immediately start encrypting your system and any network share attached to it for which the user has write permissions. The later variants watch for backup processes to execute so that they can learn how to toast your backups too. (Which takes me on a separate rant on how using Windows/NFS shares for push backups without checking authentication is asking for trouble.)
So, PZ has toasted their system, toasted the company backups, and toasted the company-wide network share; because s/he was the accountant, the Financial share is also toast. IT just ran basic backups to a Windows share instead of things like rsync over ssh to a root-only mount, and so the last three months of backups are also encrypted. Worst case scenario, the MIS system or production systems get done too.
What does the company do? You can’t ‘unencrypt’ it without the key. You get an email or a pop-up telling you to send $20k worth of bitcoin to the attackers.
How to stop this
Lesson one: NEVER OPEN EMAIL ATTACHMENTS FROM YOUR EMAIL PROGRAM.
Obviously, ignore them from anyone you don’t personally know. For the rest, save them on your system and scan them with your anti-virus before you open them. Usually you can right-click on the file and select ‘Scan with xyz anti-virus’.
Lesson two: Turn off your darned shares. If you access ‘Calgary Office Share’ once per week, you don’t need a network share on your desktop to it. Learn how to mount it on demand. Hint: type \\machine\share in the address bar of your file browser.
Lesson three: Companies need to start firing people over this instead of just the IT people who enabled it.
Lesson four: Start using the ‘Junk’ or ‘Spam’ tag on your email program. ‘Mark as Junk’ in Thunderbird. They are fairly advanced Bayesian filters that learn over time. But you have to teach them. If you don’t mark an email as Junk or Spam, it won’t learn and can’t identify subsequent spam. This must be a habit.
Lesson five: Never trust the company/internet provider anti-virus on the mail server, if it even has one.
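The attachment in this story was only named like a zip. The following added example (not from the original post) shows a check a mail gateway or a cautious user could run on a saved attachment before opening it: compare the extension with the file's leading bytes, and look inside real archives for runnable members. The extension list and all sample files are constructed assumptions, and the member check goes one step beyond the case described above.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Leading "magic" bytes of a few formats; a filename is only a claim.
MAGIC = [(b"PK\x03\x04", "zip"), (b"PK\x05\x06", "zip"),
         (b"Rar!\x1a\x07", "rar"), (b"%PDF-", "pdf"), (b"MZ", "exe")]
KNOWN = {"zip", "rar", "pdf"}  # extensions this sketch can verify
# Extensions Windows runs on double-click (illustrative, not exhaustive).
RUNNABLE = {".exe", ".scr", ".com", ".js", ".vbs", ".bat", ".cmd", ".lnk"}

def sniff(data):
    """Return the format the content itself implies, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def check_attachment(filename, data):
    """Return reasons to quarantine the attachment; empty list means none found."""
    reasons = []
    ext = PurePosixPath(filename).suffix.lower()
    claimed, actual = ext.lstrip("."), sniff(data)
    if ext in RUNNABLE:
        reasons.append(f"runnable extension {ext}")
    elif actual == "exe" or (claimed in KNOWN and claimed != actual):
        reasons.append(f"named {ext or 'no extension'} but content is {actual}")
    if actual == "zip":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return reasons + ["zip header present but archive does not parse"]
        for name in names:
            if PurePosixPath(name).suffix.lower() in RUNNABLE:
                reasons.append(f"archive member {name} is runnable")
    return reasons

def make_zip(members):
    """Build a real zip in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()

FAKE = b"MZ" + bytes(62)  # constructed bytes with an executable header, inert

if __name__ == "__main__":
    print(check_attachment("order.zip", make_zip({"order.txt": b"hello"})))
    print(check_attachment("order.zip", FAKE))
```

A clean result here means only that these checks found nothing; the anti-virus scan from lesson one still applies.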

Death By GPS

“Something is happening to us.”

Most death-by-GPS incidents do not involve actual deaths–or even serious injuries. They are accidents or accidental journeys brought about by an uncritical acceptance of turn-by-turn commands: the Japanese tourists in Australia who drove their car into the ocean while attempting to reach North Stradbroke Island from the mainland; the man who drove his BMW down a narrow path in a village in Yorkshire, England, and nearly over a cliff; the woman in Bellevue, Washington, who drove her car into a lake that their GPS said was a road; the Swedish couple who asked GPS to guide them to the Mediterranean island of Capri, but instead arrived at the Italian industrial town of Carpi; the elderly woman in Belgium who tried to use GPS to guide her to her home, 90 miles away, but instead drove hundreds of miles to Zagreb, only realizing her mistake when she noticed the street signs were in Croatian.

You, maybe. I won’t own one.

The overreach

The FBI’s fishing expedition for precedent ends just like tech-minded people thought it would. It did turn out to be an effective lesson in outing the right as much in favour of rights infringement as the left.
The end of this legal standoff also means that no legal precedent gets set for the scope of government’s power to compel an unwilling company to cooperate in an investigation, for instance by writing special new software as in Apple’s case.
The final score? Apple and Google increased their public profile, and Microsoft looked like gov’t hacks. The battle for and against private encryption remains in status quo. Way to go, FBI. /sarc
