My ebook, OWNED: Why hacking continues to be a problem, is now available on Amazon.com. I’ve been patiently waiting for Smashwords to resolve its ebook “meatgrinder” issues with Amazon, so that I only have to deal with one publishing channel, but almost two months have passed and I’ve read no word of any progress.
Adding the book into Amazon was incredibly easy. I signed into the Digital Text Platform site, completed the “Add new item” form and then uploaded the book and cover. After uploading the book, I made sure it looked okay in the Kindle preview window and then clicked the “Publish” button. It took less than 10 minutes. It does take 2-3 days for the book to be buyable, but that’s not a big deal.
I’m really interested in seeing how the book is going to do on Amazon. In a way, the delay was good, because it gave me a chance to establish an online presence through this blog and Twitter.
If you’re interested in previewing the book but don’t have a Kindle, there is Kindle for PC and of course you can preview and purchase the book in many different ebook formats (including Kindle) at Smashwords.com. The book is also available on the iPad through iBooks.
Some of you may not know this, but an individual needs permission from a company to ethically hack its assets, perform penetration tests or look for vulnerabilities within Web applications. A person can’t just hack a company’s Website, socially engineer its employees or do Web-based drive-by malware installs under the guise of protecting the public’s interests. Doing so will only get the person into trouble – not only with the company, but with law enforcement as well.
What people need to realize is that 15 minutes of fame is not going to prevent them from getting into trouble. Law enforcement is going to pounce on them like a jungle cat on a mouse. If they’re really unlucky, law enforcement will already be monitoring their target and they’ll be arrested as soon as they successfully hack something.
If you know someone that is thinking of becoming a superstar by hacking some company’s Website, please do the person a favor and try to talk the person out of it.
If your online email account was recently hacked and you don’t know how it happened, you really need to give some thought as to how it might have occurred to prevent it from happening again. Even if your home computer is fully patched, your anti-malware software is up-to-date, and you’re mindful of what email you open and Websites you visit, you may still be at risk. Here are some ways that your password might have been stolen that you may not have considered.
I was up until 3:30am this morning researching something on the Internet and then all of a sudden, my desktop firewall pops up a message asking me if I want to allow an unfamiliar “.exe” file to access the Internet. My firewall is set up so that anytime an executable that I haven’t marked as safe wants to access the Internet, it prompts me if I want to let it out. “Oh great,” I thought to myself, “I must have been hit by some type of zero-day exploit.” I click the disallow button and right after I click the button I think, “Wait. What was the name of that executable again?” Doh!
So then I’m sitting there thinking to myself, half-awake, that it really doesn’t matter if I go back to that Website, because at this point, I’m just going to save this VMware image for analysis. I go back to the Website, click on the link and sure enough, I get the firewall prompt again. The file is named plugin-container.exe. “What the heck is this?” I think. A quick Google check and yes, you probably already know this – it’s a Firefox process that runs your plug-ins under a separate process.
I recall reading headlines over the past week that Firefox has a new crash protection feature, but I didn’t realize this was it. The crash feature is mentioned in the release notes and on Mozilla’s blog, but there is no mention that this feature spawns a new process named plugin-container.exe. Lame.
I hate when stuff like this happens, but I guess it’s to be expected when I’m half asleep at the keyboard.
After reading the post and comments at Cyber Arms the other day about Trusted Computing (TC) and the Trusted Platform Module (TPM), I decided to spend some time at the Trusted Computing Group Website. I was introduced to the concepts behind TC several years ago and while I agree that it has its strong points, I have my own concerns and issues with the technology that I won’t get into here. As a result, I haven’t paid much attention to its development over the years.
While browsing the TCG Website, I stumbled upon an article that struck me in a negative way:
An open letter to Bill Gates, Steve Jobs, Paul Otellini, Steve Ballmer, Dirk Meyer, Michael Dell, Larry Ellison and Jim Whitehurst
As you know, the world has been fighting hackers for over 15 years. Despite best efforts to secure networks and computers against compromise, we continue to lose systems, credentials and information to the enemy every day. Direct attacks against vulnerable assets, social engineering, phishing, taking advantage of poor security practices, malicious email and infectious Websites continue to be effective across the entire globe. No one is safe. We clearly have a problem and there are no indications that the situation will improve anytime in the near or distant future.
The reason why I am addressing you regarding this matter is because collectively, you are the only ones that can initiate the changes necessary to make computing secure. Here’s why:
Across the globe, world leaders are being briefed about the threats and risks to critical infrastructure and national security. Politicians are being told tales of cyberwar, disruptions to power and transportation systems, financial chaos and what could be the end of civilization as we know it. Technical gurus demonstrate how easy it is to compromise and take control of a system, like the main act in the center ring of a circus, to instill shock and awe into the crowd of curious onlookers. And why are these things being done? To gain support for cybersecurity initiatives and spending against the threat du jour – the hacker.
But is everything being presented the truth, the whole truth and nothing but the truth? I’m not so sure that it is.
As difficult as this may be to accept, people are being brainwashed into believing that it’s acceptable for computers to be insecure. While this might seem like an absurd idea, let me present four real world scenarios to help you understand why it’s true.
Would it be acceptable for you to go into a restaurant and be served undercooked chicken 8 out of 10 times? Of course not, because you know that if you ate it, you could get sick and even die. You expect the chicken to be properly cooked each and every time it’s served to you, right?
If your Hotmail, Gmail or Yahoo password is hacked, you need to do more than just change the password
It seems like a lot of people’s online email accounts are getting hacked these days, with no clear indication of how the hackers are obtaining passwords. If you suspect or know your account has been hacked, change your password. If you haven’t changed your password within 30 days of this post, change it now – just in case hackers already have your password but haven’t used it yet. There are some other things you may want to consider doing as well:
1. Change your security question and/or the answer to the question. Don’t make the answer something that can be successfully guessed. If possible, make the answer so obscure, that it’s impossible to guess. For favorite color, for example, don’t use the primary colors. Use something like “ripe tomato” for red, “banana boat” for yellow or “Mountain Berry Blast” for blue. Don’t use a question that can be answered by viewing your Facebook or blog page.
The recent AT&T security breach that disclosed 114,000 Apple iPad e-mail addresses is lingering on the Web like a bad smell in an enclosed car. Some details on how it was done are provided on gawker.com under the “Breach Details: Who did it, and how” section. This post will explain the user-agent header and HTTP request elements, and provide an example of parameter tampering that makes a breach like AT&T’s possible.
DISCLAIMER: What I present below has nothing to do with the AT&T site itself.