Identify bad guys through writing style

This month’s Social Engineer podcast discussed a tactic to identify bad guys through writing style, something the hosts expressed surprise was possible.

This won’t be news to anyone who minored in English or Communications or Journalism. A lot of factors go into style—where we grew up, where our parents are from, what we read growing up, our life experience, and it really is like a fingerprint. Fitzgerald’s Gatsby called everyone “Old Sport,” and we all have something like that, it’s just usually more subtle. I’ll say, “taste this,” when my wife or mother in law will say “taste of this.” That’s a regional thing. I pick up on that because I’m interested in language. A really good linguist can pick up on a lot more than that, and machine learning can potentially pick up on still more.

If you recall, it was the Unabomber’s long manifesto that brought down Ted Kaczynski.  Other forensics proved it, but the investigation began with his brother’s observation that the manifesto “sounded like Ted.”

Read more

“Windows Technical Support” ups its game–and so do I

It was bedtime and the phone rang. “Unknown name,” my Caller ID said, and the phone number was “1.” Sounds legit, right? No? I picked it up anyway. There was an audible delay after I said, “Hello.”

“Hello?” a distant voice said. “Hello?”

“Hello,” I said.

“Hello. My name is ‘Daniel,’ and I’m calling from ‘Windows Technical Support.’ How are you this evening?”

I really wanted to tell him my name was something obviously non-American, but I couldn’t think of anything so I told him I was fine. Next time I’m going to tell him my name is “Dhanesh.” After an introductory ramble, “Daniel” said my computer was sending alerts because it had lots of errors, and it was impossible for me to see them.

Read more

The publicity around security is a good thing

On one of the podcasts I listen to, two of the hosts questioned whether the publicity around recent security vulnerabilities are a good thing.

As a security professional who once studied journalism, I think it’s a very good thing, and it’s going to get better. I liken it to the rise of computer virus awareness. Read more

Hacker chasing, circa 1987

I’m catching up on reading. Next on my reading list is The Cuckoo’s Egg, (Amazon link), Clifford Stoll’s memoir of chasing down a computer hacker in the late 1980s. In it, he describes a very different world, ruled by mainframes and minicomputers, where Unix was something special, IBM still made PCs, but desktop PCs and Macintoshes only received occasional mention, and academia and the military owned the Internet, almost literally. And, oh, by the way, the Cold War was still raging.

The remarkable thing about this book is that it’s an approachable spy thriller, written in 1989, that explains computer security to an audience that had never seen or heard of the Internet. You don’t have to be a security professional to appreciate it, though it’s a classic in the computer security world–many people read it in the late 1980s and early 1990s and decided to get into the field. Read more

You need a Yubikey.

I mentioned the Yubikey as the ultimate solution stolen passwords on the excellent Yahoo Marx Train forum, and another member asked me to elaborate on it. Rather than take up a lot of space with some off-topic discussion, I decided it would be better to write about it here.

The Yubikey is the best solution I’ve seen yet for the problem of remembering passwords. I am a computer security professional by trade, but I will try to avoid as much techno-jargon as I can, and explain what I do use.

Read more

Words of wisdom from an unexpected source

I read something this past week that made me both hopeful and very sad all at once. The guy who said it is right. I won’t say his name, because in these toxic times, a person’s reputation can often get in the way of anything else they have to say.

[L]et’s model for the country something that the country desperately needs: people who have different ideas coming together, and in a civil way, discussing those differences.

That, more than anything, is what’s missing in Washington, what’s missing on Facebook, what’s missing on Main Street, and what’s missing on television, especially on the cable news stations and on Sunday morning talk shows. Read more

“Mario” from “Microsoft” calls the wrong guy

“Mario from Microsoft” called me last night. I’ve never heard a Mario with that kind of accent, and, I thought he worked for Nintendo. I’ll bet he gets that a lot.

“Microsoft has no reason to be calling me,” I said to “Mario.”

“Oh, we’re a Microsoft certified partner,” he said.

“That’s nice,” I said. “I’m certified too. What’s going on?”

“You are having computer issues,” he said. Read more

How to make an LG LD301EL dehumidifier drain the water out of a hose instead of the bucket

I recently came into possession of an LG LD301EL dehumidifier. It was supposed to be draining out of the hose, but it wasn’t. I figured out why.

If you have one of these or a similar dehumidifier, chances are you have the same problem. The instructions on the back of the dehumidifier aren’t as clear as they could be and the diagrams are tiny. The manual doesn’t quite seem to explain it either. If you don’t have the manual and don’t want to download one from a dodgy web site–and as a computer security professional I recommend that you don’t (more on that at the end)–here’s how to get it done.

Read more

Webcam spying gets more attention

So, apparently Miss Teen USA’s computer got infected with a webcam-spying remote access trojan. So someone got some sneaky pictures of her, and tried to blackmail her. Fortunately, instead, she decided to talk about it.

This is good. The majority of people don’t take computer security seriously enough. This could get some people talking, finally.

Unfortunately, the one effective technique against something like this–application whitelisting–isn’t available for the home versions of Windows. Most people think of application whitelisting is a corporate thing, but a signature-based whitelist would keep this kind of software from running on a home PC, which is the target for webcam snooping. Home users need it too. And unfortunately, it’s the people who are most likely to buy the cheaper home version who need it the most. Are you listening, Microsoft?

In the meantime, keep a piece of tape on your webcams, I guess.

But maybe now that Miss Teen USA is running around the talk show circuit talking about this stuff, people will start thinking that maybe, just maybe, bad stuff doesn’t always just happen to other people’s computers. Because it doesn’t.

As a security professional, I’m glad for anything that raises awareness. Because security awareness is one of the DSD Top 35 migitations–it’s #20. And of the 35, it’s the hardest to buy.

And if you’re not scared enough yet, it’s possible to do webcam spying not only with a laptop, but also with a smart TV. It’s a little harder with smart TVs because they’re all a little different, but nobody thinks about their smart TV, and the manufacturers rarely, if ever update them to fix security bugs. Fortunately, TV hacking is, as far as we know, more in the realm of theory right now than active exploitation, but it’s only a matter of time before that changes. The time to pressure manufacturers–or just stop buying smart TVs–is now.