The Art of Deception

The recent LinkedIn password crisis got me looking for a good book on hacking. Sadly, Kevin Mitnick’s book The Art of Deception is not that book. On the foreword page of the book, one reader scrawled a message that said:

WARNING! THIS BOOK COULD HAVE BEEN A MAGAZINE ARTICLE, FOR ALL ITS SUBSTANCE!

I got through about ten pages before I concluded that the previous reader was right. Mitnick’s a terrible writer, with many of his sentences tending to ramble and lack focus. It reads as if he was told by his editor to fill x pages and so he put little thought into what he is trying to say.

What’s more, much of what he says doesn’t rise beyond simple common sense. It’s not entirely Mitnick’s fault, as network security became far more sophisticated while he was serving time for his crimes. While he might have been a big fish when he was arrested in Raleigh in the early 90s, his hacking methods don’t compare to those used today. For instance, Mitnick recommends against writing down passwords, even though most security experts now agree that this policy encourages people to use simple, easy-to-remember passwords that can be easily cracked. Even if Mitnick was up on the latest techniques, though, it’s likely he can’t reveal these techniques due to terms of his parole.

What we’re left with is a book that is actually pretty boring. I’m a guy who enjoys learning about network security but even I can’t bear to finish this book.

Fake “morgue shooting” headline

"17 remain dead in morgue shooting spree"


A blurry image shared by the George Takei Facebook page showed an edition of the News and Observer that had a story headlined “17 remain dead in morgue shooting spree.” It looked fishy, so I went hunting for the source.

Turns out, Andy Bechtel already did the legwork:

So where did the fake N&O page come from? A Facebook friend points to the Brunching Shuttlecocks, a defunct comedy website, as the source of this image. If you happen to know more, please add a comment on this post.

Good job, Andy!

(For those who are curious, here’s how the real front page appeared on September 7, 2001. [PDF] )

Your Paypal.com transaction confirmation.

I got a realistic-looking but fake notice in my email purporting to show someone spending money from my PayPal account. Needless to say, this is a phishing scam.

PayPal logo Transaction ID: 33746045
Hello supercoolguy@supercoolguy.educomnet,

You sent a payment of $357.48 USD to Xavier Parrish

Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.

It may take a few moments for this transaction to appear in your account.

Seller

More on the LinkedIn password breach

I found this analysis from a fellow network security geek in the UK to be quite interesting:

…which lends a little weight to the theory that the file primarily contains hashes which some script kiddie could not crack with basic tools, and hence makes us wonder what he’s done with all the ones which he did crack – and how much of the LinkedIn corpus that would represent?

He’s got a point. So many tools exist to easily crack these password hashes. I just tried hashcat on them using the standard Ubuntu dictionary file and cracked 20,000 of them in seconds using just my lowly laptop. So why would the hacker pretend to need help cracking them? Why post to a hacker forum where one is certain to face ridicule?

This leads me to speculate that the hacker is either enormously clueless or (perhaps more likely) aiming to embarrass and/or blackmail LinkedIn. Was this a staged demonstration of a hacker group’s power to disrupt a high-profile site? A warning to others, like Facebook and Google?

Another amusing aside is that just yesterday I used LinkedIn to send a message to a stranger who might know an old friend of mine. I tried several times to leave my email address in LinkedIn’s contact message but finally gave up: LinkedIn’s anti-spam measures are quite clever and blocked every iteration of email address obfuscation that I tried.

It’s amusing that LinkedIn can be so good at blocking spam to its users while being so bad on keeping their accounts secure!

LinkedIn password leak is confirmed

I did some hunting for the password hash list which reportedly includes the passwords of 6.5 million accounts. After downloading the file, I did a quick search on my password “tXrNNb706+” (which has since been changed, duh):

grep -n `echo -n tXrNNb706+ | shasum | cut -c6-40` hacked.txt

This spit out the following:

4096152:b0a6f8fba1a954de7d60bf4dbc3805d1056cf443

Boom! My hash appears on line 4,096,152. Yikes!! It’s a good thing I use unique, strong alphanumeric passwords for all of my accounts! That password was only used for LinkedIn, so I know the hash list was collected from LinkedIn.
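The same check as the grep/shasum/cut one-liner above, written out in Python as an added example (not code from the blog): hash the candidate password with unsalted SHA-1 and compare only hex characters 6..40 of the digest, so an entry whose first five characters have been masked to zeros still matches. The leak file here is a small constructed sample, not the real dump.

```python
"""Look up a password's unsalted SHA-1 digest in a leaked hash list."""
import hashlib
from typing import List, Optional


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password as 40 lowercase hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def find_in_leak(password: str, leaked_lines: List[str]) -> Optional[int]:
    """Return the 1-based line number of the first entry whose characters
    6..40 (Python slice [5:]) equal those of the password's digest, or None.
    Matching on the 35-character suffix mirrors `cut -c6-40` in the shell
    one-liner and tolerates entries with a masked five-character prefix."""
    suffix = sha1_hex(password)[5:]
    for lineno, line in enumerate(leaked_lines, start=1):
        entry = line.strip().lower()
        if len(entry) == 40 and entry[5:] == suffix:
            return lineno
    return None


def build_sample_leak() -> List[str]:
    """Constructed sample leak file (one hex digest per line). Two entries
    have their leading five hex characters overwritten with "00000", the
    way some entries in such lists are masked."""
    return [
        sha1_hex("letmein"),
        "00000" + sha1_hex("password")[5:],    # masked prefix
        sha1_hex("correct horse battery staple"),
        "00000" + sha1_hex("qwerty123")[5:],   # masked prefix
    ]


if __name__ == "__main__":
    leak = build_sample_leak()
    for candidate in ["password", "qwerty123", "letmein", "not-in-list"]:
        hit = find_in_leak(candidate, leak)
        print(f"{candidate!r}: " + (f"found on line {hit}" if hit else "not found"))
```

With a real list, read the file line by line instead of building it in memory; a 35-hex-character suffix match has a negligible false-positive rate, so a hit means the password's hash is in the list.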

But why is this file only 6.5 million hashes, if LinkedIn has over 161 million users? My guess is that an exploit was placed on the LinkedIn servers during a certain timeframe and during that time it collected the hashes of these 6.5 million users. My compromised LinkedIn password was last changed in December 2011, about six months ago.

The whole incident has given me reason to rethink the password problem, and the problem of authentication, to see what better methods exist for proving identity in a digital world.

Bonus link: read this detailed analysis on YCombinator (warning: heavy geek quotient).

Bad Day For LinkedIn: 6.5m Hashed Passwords Reportedly Leaked

This is bad. Very, very bad. Unhashed passwords are a no-no. I’m shocked that LinkedIn has been so careless.

If you have a LinkedIn account, you should change your password immediately!

And always, always use a unique password for each and every service you use.

Already in the spotlight over concerns that its iOS app collects full meeting notes and details from a device’s calendar and sends them back to the company in plain text, LinkedIn user accounts are now said to have been compromised, with 6.5 million hashed and encrypted passwords reportedly leaked.

Norwegian IT website Dagens IT reported the breach, with 6.5 million encrypted passwords posted to a Russian hacker site. Security researcher Per Thorsheim has also confirmed reports via his Twitter feed, stating that the attackers have posted the encrypted passwords to request help cracking them.

via Bad Day For LinkedIn: 6.5m Hashed Passwords Reportedly Leaked.

Neighborhood break-in causes little concern

RPD is just a phone call away


Thursday provided a bit of unexpected excitement in the neighborhood. I had just stepped away from my home office desk for lunch when I read an email from a neighbor, saying that she had seen suspicious men at another neighbor’s home and had called the police. Looking out the window, I was amazed to see three Raleigh Police cruisers parked down the street!

I found out from other neighbors who were outside that the house at the end of the neighboring street had been broken into. Officers had the house surrounded, believing the perpetrators were still inside. I chatted a bit with my neighbors until a K-9 officer returning his dog to his car let us know that no one was inside.

It seems the perpetrators left out the back door as officers arrived, having had time to stack TVs and an Xbox outside but no time to take them with them. Fortunately for the police, the burglars very thoughtfully left their getaway car sitting in the driveway! I smiled as I watched the car being towed away, knowing how much evidence the burglars must have left in it. I’m sure it’s only a matter of time before the hapless burglars are caught.

Mortgage junk mail

Official-looking mortgage junk mail


We recently refinanced our home with a new mortgage and that, as expected, triggered a flood of junk mail. Most of these letters are deceptively designed to look like they came from your mortgage company, mailed in an official-looking envelope. Some even include the name of the legitimate mortgage company on the front.

Some of the companies include:

Mortgage Protection Center
PO Box 9001
Burlington, NC, 27216-9925

Mortgage Protection Insurance
PO Box 619056
Roseville, CA, 95661-9978

Weather is here, wish you were beautiful



Futzing around with Google Maps this morning, I noticed that the Mount Weather doomsday facility hadn’t been reviewed yet using Google Places. So I had a little fun writing a review:

I sheltered here during the Armageddon and would never do it again! The cots were way too hard, the rations were somewhat tasteless, my room had NO windows, and it was next to impossible to get the generals’ attention when the sheets and towels needed changing. What you see in the brochure doesn’t match the actual experience. Take my advice: the next time the world ends, steer clear of Mount Weather! Go with a Hampton Inn or similar chain. You’ll be glad you did!

Perdue makes emergency landing at RDU

So, uh, tell me again why our governor took the state jet to Greensboro, a city an hour’s drive from Raleigh even without a highway patrol escort? Does she have a clue about how much jet fuel costs nowadays? Is this good stewardship of our tax dollars?

Gov. Perdue’s plane made a safe emergency landing at Raleigh-Durham International airport this afternoon after a plane malfunction, her spokeswoman said Friday. No one was injured. Her plane was on the way to make a job expansion announcement when her plane exhibited unusual vibrations in connection with the retraction of the landing gear, and a decision was made to return to RDU, according to Chris Mackey, her press secretary.

via Perdue makes emergency landing at RDU | newsobserver.com projects.

Update: Here’s a state auditor report on the state aircraft operations, undertaken by then-state auditor Ralph Campbell, Jr. in 2005.

Update 2: My friend Warren has pointed out that Greensboro is closer to a 90 minute drive from Raleigh. Guess I’ll cut our governor some slack after all.