November 15, 2007
@ 02:12 PM

Scary thought seen at blogoscoped in an article by Philipp Lenssen. He raises a point that I have not fully explored. With our increasing use of and dependence on "elsewhere" hosted services such as Google and Windows Live, what would you do if your account was hacked?

Another factor that in my mind increases the risk, is that with more and more services available via a single sign on, if your account is compromised you could have a great deal of vulnerability across a very large surface in a very short period of time.

Take Google for instance. If my account was compromised the attacker would have access to my:

  • Email, and Archives (GMail)
  • Contacts (GMail)
  • Notes (GMail)
  • Appointments and Schedule (GMail)
  • Documents (Google Docs)
  • Photo Albums (Flickr and Picasa)
  • Blogs and Blogs I have access to. (Blogger)
  • AdSense Account

Now I operate by the rule that anything I store on someone else's server is accessible to the world anyway. For that reason I don't store any family or professional secrets, medical info etc online, however even my day to day info would be a goldmine for a potential identity thief. Or to a competitor.

But increasingly more and more information is being hosted behind fewer and fewer federated logins. Which means you can have large areas of your online life compromised by losing a single password.

Not to mention the potential damage that could be done just by having access to your account, such as sending emails that actually DO come from you (just not actually authored by you), to everyone in your contact list.

It does not take long to think of nightmare scenarios. So as Philipp asked, "What would you do" if this happened to you? Do you have all that data and email backed up somewhere? Even if Google or Microsoft restores your access to your account, some or all of your data may be gone.

Has anyone had something like this happen to them? If so what did you do to regain access and did you lose anything irreplaceable?

Something to think about!

Cheers,

Robert Porter


 
Categories: Misc | Ramblings | Security


Like most of us I use a number of FTP sites in the course of my daily work. I use FileZilla, I have a U3 compatible version on my USB Thumbdrive, and the "regular" client installed just about everywhere else.

FileZilla, like most clients, has an address book in which you can store connection information, including usernames and (optionally) passwords. And on my thumb drive and home clients I do store the passwords, and I typically also create a SplashID entry in my primary password keeper. I sync SplashID to my phone, or I used to, until a combination of Vista, Windows Mobile 6, and Vista's new replacement for ActiveSync, now called Windows Mobile Device Center, rendered syncing unworkable. (Story for another post!)

I recently had need to communicate the username and password for an FTP login to someone else, and without access to my stored passwords and due to my inability to remember 38,359 passwords off the top of my head I was out of luck. Until I remembered Microsoft Network Monitor!

I fired up NetMon and created a new Capture Tab as shown:

[Image: netmon01]

Then in the Display Filter I entered a filter expression that consisted of the destination address I wanted to capture traffic going to, and the protocol I was interested in, in this case FTP.

(The latest versions of NetMon have intellisense for filters built in which makes writing filters much easier. Not using a filter means you would have to wade through several hundred to a few thousand lines of captured traffic on a typical network.)

[Image: netmon02]

Then I fired up my FTP client, switched back to Network Monitor, started the capture, switched back to the FTP client and initiated a connection. Once the connection was complete, I switched back to Network Monitor and stopped the capture and there was my password!

[Image: netmon03]

Now this works best if it is a non encrypted connection, although having not tried it with an SSH connection I am not sure if it would not work there as well.
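The capture shows the password because plain FTP sends USER and PASS as readable text on its control channel. As an added example (not part of the original post), this Python code audits control-channel transcripts for that exposure without keeping the password itself; the transcripts, addresses and user names are constructed, and audit_session and exposed_logins are hypothetical names.

```python
# Constructed control-channel transcripts, keyed by (client, server).
# "C" = line sent by the client, "S" = reply from the server.
SESSIONS = {
    ("10.0.0.5", "192.0.2.10"): [          # plain FTP
        ("S", "220 FTP server ready"),
        ("C", "USER alice"),
        ("S", "331 Password required"),
        ("C", "PASS example-password"),
    ],
    ("10.0.0.5", "192.0.2.20"): [          # explicit FTPS: upgrade accepted
        ("S", "220 FTP server ready"),
        ("C", "AUTH TLS"),
        ("S", "234 Proceed with negotiation"),
    ],
    ("10.0.0.7", "192.0.2.30"): [          # upgrade refused, client falls back
        ("S", "220 FTP server ready"),
        ("C", "AUTH TLS"),
        ("S", "502 Command not implemented"),
        ("C", "USER bob"),
        ("S", "331 Password required"),
        ("C", "PASS example-password"),
    ],
}


def audit_session(lines):
    """Return (user, exposed); exposed is True if PASS was readable."""
    user, exposed, auth_pending = None, False, False
    for direction, text in lines:
        verb, _, arg = text.strip().partition(" ")
        if direction == "C":
            verb = verb.upper()
            if verb == "AUTH":
                auth_pending = True
            elif verb == "USER":
                user = arg
            elif verb == "PASS":
                exposed = True        # flag it; never keep the argument
        elif auth_pending:
            if verb == "234":         # server accepted the TLS upgrade:
                break                 # the rest is encrypted records
            auth_pending = False
    return user, exposed


def exposed_logins(sessions):
    """List (client, server, user) for every cleartext password seen."""
    results = ((c, s, audit_session(l)) for (c, s), l in sorted(sessions.items()))
    return [(c, s, user) for c, s, (user, exposed) in results if exposed]
```

Any session this reports is a candidate for moving to FTPS or SFTP; the third transcript shows why a client that silently falls back after a refused AUTH TLS still counts as exposed.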

There are dozens of good network sniffers and packet capture utilities out there; I use NetMon and Wireshark as my two standbys. NetMon I use for day to day captures when I am diagnosing web services traffic or local network issues; Wireshark I bring out when I need the "big guns", looking for intrusion or other wide area issues, like traffic trends etc.

Cheers,

Robert Porter


 
Categories: Security | Tools and Toys


Intel recently announced that they had developed a research prototype processor that can perform calculations at the rate of more than one trillion floating point operations per second. While consuming about the same amount of power as a light bulb!

That's a lot of calculation horsepower. The prototype is an 80 core chip about the size of a human fingernail. The last attempt to attain this speed was in 1996 when the ASCI Red computer benchmarked a calculation rate of one teraflop. ASCI was a system that used 10,000 Pentium Pro processors and consumed 500kW of power and another 500kW of power to cool the room it was in!

The Intel press release and related information is available here and contains a lot of interesting information including the prediction that this type of computing horsepower may well be available on our desktops within a decade.

Which makes me boggle, and scares me a little. With advances like this in sheer brute force computing power, cracking encryption keys will become much easier! We were more or less safe from brute force attacks against encryption keys and hashes because the computing horsepower required to crack them was impractical to assemble.

But with chips like these available, I sure hope the Crypto folks are thinking about a whole new approach! Don't misunderstand, I think the benefits of this breakthrough are potentially amazing, but all technology can and has been used for both good and evil.  And this is the equivalent of the digital nuclear bomb!

Well, as someone once said, you cannot put the genie back in the bottle!

Cheers,

Robert Porter


 
Categories: Programming | Security


Less than a day after IE7 was released, various and sundry pundits began to loudly proclaim that IE7 had a “major” vulnerability in it. Further, it was described as a “new” vulnerability, which to the uneducated reader would seem to indicate that IE7 was less secure than its predecessor. FUD in action.

Sigh…

Okay, everyone, take a deep breath. Hold it, okay, let it out slowly. It’s all right, the world is still there. And guess what, some people make a living spreading FUD (Fear, Uncertainty and Doubt), especially where Microsoft is concerned.

The “flaw” was reported by Secunia here; it is actually an older flaw that is still present in IE6. Its risk rating is very low. And according to Microsoft the vulnerability is not in IE but rather Outlook Express, although IE is used as a vector to exploit the vulnerability. (Now, I still consider that a vulnerability in IE no matter how you slice it.)

The point is this is a known exploit (shame on MS for not patching it yet) but not a new vulnerability and not one known to have been exploited in the wild. What all this amounts to is that MS bashers are once again attempting to impugn all that MS has done to make the OS and its systems more secure, because it’s fun to beat up on MS.

In other words, there is no value add from these reports, they just strive to cause confusion, they don’t clearly identify the source of the issue, the risks involved or even deliver factual information. Anyone can take a poke at any major institution or person of interest. It’s our national pastime it seems, but I would respect someone a lot more for being clear, concise and factual than for casting FUD around.

Robert Porter

 

 


 
Categories: Browser | Security


January 2, 2005
@ 12:41 AM

Hmmm