Schneier on Security
A blog covering security and security technology.
« WiFi Cracking Kits |
| I Was Named as One of the Top 10 Science and Technology Writers »
May 7, 2010
Cory Doctorow Gets Phished
It can happen to anyone:
Here’s how I got fooled. On Monday, I unlocked my Nexus One phone, installing a new and more powerful version of the Android operating system that allowed me to do some neat tricks, like using the phone as a wireless modem on my laptop. In the process of reinstallation, I deleted all my stored passwords from the phone. I also had a couple of editorials come out that day, and did a couple of interviews, and generally emitted a pretty fair whack of information.
The next day, Tuesday, we were ten minutes late getting out of the house. My wife and I dropped my daughter off at the daycare, then hurried to our regular coffee shop to get take-outs before parting ways to go to our respective offices. Because we were a little late arriving, the line was longer than usual. My wife went off to read the free newspapers, I stood in the line. Bored, I opened up my phone fired up my freshly reinstalled Twitter client and saw that I had a direct message from an old friend in Seattle, someone I know through fandom. The message read “Is this you????” and was followed by one of those ubiquitous shortened URLs that consist of a domain and a short code, like this: http://owl.ly/iuefuew.
The whole story is worth reading.
Posted on May 7, 2010 at 6:56 AM
• 45 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Karma's a bitch, ain't it. Hope his bank account got vacuumed...
This is just like an aircraft accident. Its a chain of reasonably innocuous events occurring which normally don't occur, and any one event not occurring would have broken the chain and prevented the accident.
If it hadnt gotten foggy, if the taxiways hadnt been full, if the other plane hadnt blocked the exit, if they had not added 50,000# of fuel just before takeoff, if they hadnt been confused about which exit ramp to use, if the captain hadnt been the top dog at the airline for 30 years, if english had been the native language of the participants, if two transmitters had not transmitted on the radio at the same time then it would have been "holy crap did you see what almost happened!" instead of "Oh @#$!" (followed by a loud noise).
But it makes me feel better to know it could happen to someone like CD. Makes me wonder why my slow-to-patch IE7/XP box that I surf porn and download cracks with all night doesnt get owned MORE often than it does.
Link is down. Its Cory after all so I am not surprised.
OK, from the post above it's not clear what happened (well the cause is clear, but I wonder what was next) and link is down, so I feel a little disappointed.
Yeah, go ahead click that shorten URL...
Doesn't original Twitter (or whatever site was phished) login site use SSL? Unless phishing site acquired valid SSL certificate *and* the web browser doesn't display the organization the certificate is for (or there is NUL character bug of in SSL certificate parser in web browser)...
I thought he was pretty clear about the outcome - when he saw where the phished password was going, he immediately sat down and started changing his password on every site where he had used that password (including Twitter). There wasn't enough time for the attackers to actually exploit the password he had inadvertently given them.
On the "for want of a nail" aspect, it was interesting to read the recent Dutch report on last year's Turkish Airlines crash in the Netherlands (http://www.ntsb.gov/aviation/Netherlands-EHAM.htm). Not directly security related, but very much a matter of a combination of circumstances leading to a fatal crash.
IIRC you once linked to a paper which said that the easier people to con are those who knows a lot about the trade. Because they think their knowledge protect them.
I wanted to add this quote from the story:
"But all the stars aligned for that one moment, and in that exact and precise moment of vulnerability, I was attacked by a phisher. This is eerily biological, this idea of parasites trying every conceivable variation, at all times, on every front, seeking a way to colonize a host organism. The net’s complex ecosystem is so crowded with parasites now that it is a sure bet that there will be a parasite lurking in the next vulnerable moment I experience, and the next. And I will have vulnerable moments. We all do."
Am I the only one wondering who is Cory Doctorow?
This also exposes an issue for small-screen interfaces: be careful what data you elide.
Remember people, change your passwords occasionally.
There are so many attack vectors that anyone can be hit ...eventually.
>The message read “Is this you????” and was followed by one of those ubiquitous shortened URLs that consist of a domain and a short code, like this: http://owl.ly/iuefuew.
i'm not the only one thinking his first mistake was failing to identify this as spam/scam, right?
i guess twitter has a certain hostile effect toward one's security scrutiny.
@Brandioch, how would changing passwords every once in a while help in this case?
I rather suspect you will be alerted to the phish by the balance of your bank account long before you get around to changing your passwords on your own.
I know other URLs are spoofable, but this is just one of the reasons I don't click on obfuscated URLs.
"Brandioch, how would changing passwords every once in a while help in this case?"
By allowing him the chances to remember NOT to use the same password on systems that have become more important to him.
I just don't use the same password on accounts that are important to me. Seems a lot easier. Sometimes adding complexity adds risk of mistake.
@Henning: Exactly. It was so horrific its easy to remember a lot of details to pontificate upon ad hoc. Actually the thing I found most striking (although this was after the actual crash occurred) was the fact that there was no verbal communications between the tower and the fire crews, just an alarm. So when the fire crews drove down the (fog-shrouded) runway and came to a flaming airplane (the one which had actually gotten airborne however briefly and thus no one survived), they simply stopped and started putting it out and they didnt realize there was ANOTHER one (the one with potential survivors) until 20 minutes later.
@Matej, anon: there's something Schroedinger-ish about a tinyURL link to an article which may or may not be warning you about careless clicking of links, but you wont know til you click it...
I like how he describes the stars aligning to result in a successful phishing attempt. It's an insightful analysis of a situation that makes me really believe that it could happen to me, as opposed to nonspecific warnings that "even smart people can fall victim if they are unlucky".
I think that the more experienced you are the more stars have to align to make an attack like this work. In this case the biggest 'stars' were the small smartphone screen and the distractions that caused him to not be as vigilant as he might normally be. Others might only need the distractions and fall for it in spite of being able to see the whole URL on a larger screen. Or they might fall for it even though they were already logged into Twitter and shouldn't have had any reason to log back in. Expertise may not be a panacea, but lack of expertise makes you much more vulnerable.
Cory Doctorow is a an award winning Science Fiction author and advocate against DRM. He's released his own works under the Creative Commons license to promote better copyright laws. He's also know in tech circles because of his Boing Boing blog.
Why the animosity toward Doctorow?
@wiredog 'Hope his bank account got vacuumed'
Fervernt supporter of da RI double-A are yeh?
"But I’m not one of those naifs."
One of the hardest lessons I have to instill in engineers. Humility.
"You are a lowely user. Yes you are. Yes. Just because you know more than your
end users doesn't make you any better then them. There will always be a tech or scam 'bout
which you know nothing."
I consider Humility (along with ethics) as necessary controls on human behavior.
"before I started strictly using long, random strings that I couldn’t remember for passwords"
Is there a Password Safe app for smart phones?
"kissed my wife goodbye"
Never heard it called that before. 'Park your wife in that chair, Mister!'
"If I’d been ten minutes later..."
We have a rush to do things. Crank out those widgets. Do you know anyone who cannot just let
a telephone ring? Someone who'll put you on call waiting while they answer another call? Someone
(not naming names) put us in the habit of Pavlov's dog. And it's being used against us
It's only when people stop breathing fast and think about what's likely and what's not. Did the behavior change?
Playing games in FB means having to reauthenticate to zynga at some point. Every individual application within an
organization needs a password...So people at work are constantly logging into UI's.
Kinda puts people in the habit of feeding passwords.
'Good news! your child porn is on the way in the mail! Click here if you want to cancel your order!'
'Subject: Notice: Contract terms breached.'
'IRS Notice of intent to confiscate your home due to TARP recoup'
'moment of distraction'
So I must devise a series of exercises. Falling overbackwards in a chair. (borrowed from a former employer)
Sitting and doing nothing while the phone rings. Meditation. Itemize all the BS people fill their lives with
(measuring in MB how many joke emails people get--gets their attention. So does showing them how many TV commericials
they are exposed to.)
And he's rude about parasites. If our cells handn't been parasited by mitochondria we'd all still be mats of green slime everywhere.
He is also a legend in his own mind.
This is not the place to air your grievances with Cory Doctorow's past behavior or online persona, whatever they might be. It's irrelevant, and also kind of boring.
I usually won't click on those shortened links without an intercepting proxy so I can see where I'll be redirected and decide whether I want to go there. Of course, that doesn't work so well on a mobile phone.
Some googling turns up some web services that will show you the real target. E.g.:
Good to know.
@ Mark R:
"Some googling turns up some web services that will show you the real target. E.g.:
Good to know."
If you trust such services.
i usually just use HEAD or GET and look at the raw response.
To those laughing at Matěj Cepl's tinyurl link, note the preview subdomain appended. Do that to any tinyurl and it will show a page telling you the url that is pointed at by the tinyurl without browsing to it. You don't need some sort of external service, at least not for tinyurl.
For tinyurl see also http://tinyurl.com/preview.php. You can accept a cookie from them which will make sure you always given a preview no matter what domain is used in the tinyurl. The main remaining evil thing is that you now rely on two sites rather than one to make sure your link works and that it will be more difficult to use an archive service to recover the old link if it goes broken.
True or False?
The solution to anxiety/uncertainty is prompt and immediate action.
"Is this you??" is a well known phishing tag on most social sites (social engineering sites?).
Didn't Bruce Schneier say "people will choose dancing pigs over security every time"? Egos and Videos are always perfect bait.
@ B F Skinner re: mitochondria.
My thoughts exactly. Mitochondria are one of the things that got me hooked on mol cell bio. And be sure to replenish with good bacteria after a round of antibiotics, too.
I am glad Mr. Doctorow told us what happened and how it happened. I appreciate clues.
Excess of confidence is never good for security, but it seems too many do not release that. As soon as they become "media-literate" and can easily spot most of scams and phishing, they get sense that they are now immune to all scams and phishing attacks, which is obviously not true. Actually, it is amazing how many people will enter a password when they cannot clearly see the full domain name, or establishing a ssh connect without checking the fingerprint first, or trust a PGP key received in insecure way with no sign by trusted key... Usually this neglect does not cause a problem, because the risk is fairly low, but it certainly exists... So with enough people, someone will be unlucky some day...
Well, and the same password for different sites even for unimportant ones is clearly a bad idea, but again a lot of people do that, and then they have to spend a lot of time changing in on all those sites (so, those sites are important enough after all to spend a lot of time changing this password everywhere when it leaked), but the problem is that it could leak from one of those unimportant site before even without you being aware of that!
Obviously, the browser that does not display the full domain name even once when user submit some information is broken. Especially so, when the submitted form contains the "password" input field. But it is a technical problem, which is relatively easy to fix comparing to user's mentality...
Strip "Cory Doctorow" from the story. Look at his assumptions and actions: they are reasonable. People make mistakes. When you make a mistake, acknowledge it, clean up, and move on.
Beating a dead horse, perhaps: online security is made difficult by the increasing complexity of our connected world. How many passwords did you need to remember in 1985? And you didn't have to think about Facebook. Or your social graph, and who's looking at it.
Those assumptions and actions were hardly reasonable, but those are common mistakes... Hopefully, this story will teach other people to not repeat them...
@fordpref: Close, but that was Gary McGraw. Your point still stands.
I've started thinking that web browsers should only allow you to send passwords to sites that are on an approved list. Browsers should always display the current URL when there's a password field on the screen.
There's a port of KeePass for Android called KeePassDroid... http://www.keepassdroid.com/
I was already using KeePass, so it was just a matter of transferring my database and key files over to my SD card.
I'm anonymous, so this isn't a boast, but...
I don't follow shortened URLs, and when possible I only put my password into sites I typed the URL of, or visited from my bookmarks. Even if my boss sends me a shortened URL, I MIGHT follow it, if it's important, with a work PC. Normally I ignore them as spam because if someone wants me to follow a link, they can send it to me - not just a "click this - it's legit - really..."
Then, even that's not enough in some cases... I got infected with "SecurityTool" in Opera - the first time a script has ever hijacked Opera for me! ...when I opened an old bookmark for a PC shopping site that went defunct and was apparently bought by or hijacked by malware authors.
The lesson? Eternal vigilance - and even that will only get you so far. I could stay off the net entirely, but... no risk, no reward.
Some would say you have not gone far enough.
For instance you could connect to the Internet via an older PC with no hard drive and an OS on ROM such as CD/DVD.
Most people do not actually need storage for their web browsing (just their downloads which is another issue) so as a solution it actually works reasonably well providing they "power cycle" or "hard reset" before and after doing sensitive stuff.
As for downloads if you must (for whatever reason) a "clean" removable pen/thumb drive should provide sufficient storage. Once downloaded remove the pen drive, reboot the machine with a "cold boot virus/malware scanner", update the signiture files, put the pen drive back in and scan it. If it passes you can then "walk it" across the "air gap" to your main machine.
Although not perfect (I've built a proof of concept "air gap crossing malware" which I've loosely described on this blog befor) it does get you that little bit further. Oh and you can improve it quite a bit by ensuring you use different OS's for your browsing / scanning / main activities (say Linux / OpenBSD / MS Win respectivly).
Oh and as always "backups, backups, backups" always "check your backups", not just that you can read them and reinstate from them, but scan them with AV software. You may have been one of the unlucky folks that got hit with a zero day etc.
Oh and that thing with different OS's applies to checking backups as well...
Although I'm not aware of anybody yet doing it concevably malware could replace your backup device driver with one that encrypts your backups transparently for a time period of say three months then encrypts your hard drive deletes the key and leaves a ransom demand on the console...
If you think it sounds a little far fetched remember we have seen "insider attacks" do just this and likewise some cracker attacks do similar, it's yet to go "mass market" via "fire and forget" malware but I'm guessing it is just a matter of time...
There is also a Blackberry KeePass client.
And a Linux version.
And, though at times inconvenient, one password (auto generated) per login is my choice.
I usually use http://unshort.me service before I click on any of the ubiquitous shortened URLs. You never know where the link takes you. It might take you to jobs website while you are still at work.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.