Kentucky election fraudsters found guilty

What might be just another run-of-the-mill vote-buying scandal is made all the more interesting by the fact that some of the corruption of the electoral process came down to exploiting a flaw in electronic voting machines.

The exploit was far more low-tech than those uncovered by the likes of Ed Felten: it took advantage of a poorly designed user interface which required voters to confirm their vote after they had pressed the button to make their selection. [via]

Edit: Bruce Schneier has of course covered the same story and has links to much deeper analyses of the situation.

Frenchman hacked President Obama’s Twitter account

BBC News reports that an unemployed man has been arrested by French police for hacking the Twitter accounts of US President Barack Obama and celebrities.

The unemployed 25-year-old was arrested on Tuesday after an operation lasting several months, conducted by French police with agents from the FBI.

He gained access to Twitter accounts by simply working out the answers to password reminder questions on targets’ e-mail accounts, according to investigators.

This is the same method that was famously used to hack into Sarah Palin’s Yahoo! webmail account, and it is yet another real-world example of the failure of the typical password reminder function that the University of Cambridge Computer Laboratory study demonstrated.

As I wrote previously, until such time as the companies that use password reminder questions as a security measure change their system, I recommend that people give a nonsense answer to the question, particularly people such as President Obama about whom such information is easily researched.

Twitter phishing attack via Direct Messages

The F-Secure blog reports on a clever little phishing attack which uses Twitter’s own Direct Message service and URL shortening services.

Unsuspecting users click the link in the message because it comes from somebody they know: Direct Messages can only come from people you follow on Twitter. However, the message is most likely sent from a hijacked account and points to a URL hosting a phishing page that looks like Twitter and asks you to sign in.

Once the attackers have your credentials they send messages to all your contacts, and their web of hijacked accounts grows exponentially.

The good news is that Twitter has reacted quickly to this attack and is closing down the avenues of attack.
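As an added illustration, not code from the original post or from F-Secure or Twitter, the following Python performs the check a careful user or a DM filter would apply to the destination of a shortened link once it has been expanded: is the host the browser will actually talk to the genuine sign-in host? The set of legitimate hosts, the requirement for HTTPS on a sign-in page, and the sample links are all constructed for this example; a real deployment would expand the short URL first and maintain its own allow-list.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only hosts on which a Twitter sign-in page is legitimate.
LEGITIMATE_LOGIN_HOSTS = {"twitter.com", "www.twitter.com"}


def landing_host(url):
    """Return the lowercase hostname a browser would actually connect to for `url`,
    or None if the URL is not a web URL. urlsplit() discards any user@ prefix, so
    'https://twitter.com@evil.example/' correctly yields 'evil.example', and
    .hostname strips the port and lowercases the name."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":  # credentials must never travel over plain http
        return None
    host = parts.hostname
    return host.rstrip(".") if host else None


def is_legitimate_login_url(url):
    """True only when the real destination host is on the allow-list. A host such as
    'twitter.com.account-verify.example' is a subdomain of the attacker's domain and
    fails because the comparison is on the whole hostname, not a prefix."""
    host = landing_host(url)
    return host is not None and host in LEGITIMATE_LOGIN_HOSTS


def triage_dm_links(links):
    """Classify a batch of expanded DM links; returns {url: True/False}."""
    return {link: is_legitimate_login_url(link) for link in links}


# Constructed sample of expanded DM links (not taken from any real campaign).
SAMPLE_LINKS = [
    "https://twitter.com/login",
    "https://www.twitter.com/",
    "https://twitter.com.account-verify.example/login",  # attacker-controlled subdomain trick
    "https://twitter.com@login.example/",                # userinfo trick
    "http://twitter.com/login",                          # right host, no TLS
    "https://twıtter.com/login",                         # lookalike character (dotless i)
    "javascript:alert(1)",                               # not a web URL at all
]

if __name__ == "__main__":
    for link, ok in triage_dm_links(SAMPLE_LINKS).items():
        print("OK  " if ok else "BAD ", link)
```

The whole-hostname comparison is the important design choice: string tests such as "does the URL contain twitter.com" are exactly what the subdomain and userinfo variants above are built to pass.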

Playboy TV content played on children’s television

BBC News reports that adult content from Playboy was accidentally played out on children’s TV.

TV bosses in the US have apologised after preview clips of the Playboy channel were accidentally played out on two children’s channels.

“We’re very, very sorry it happened – we know parents are concerned,” spokesman Keith Poston told local news station WRAL.

“It took about an hour or so once we were notified of the problem to actually get it fixed.

“It was a technical glitch and unfortunately it hit at the worst possible time on the worst possible channels,” he added.

The error occurred on the Kids On Demand and Kids Preschool On Demand channels where clips from Playboy TV appeared in the top right hand corner.

I suppose it could have been a glitch, but if it was then it was, by accident, the worst possible mix-up of TV programming.

Also, it seems to have taken quite a while to fix once they had been notified. Could they not have simply taken the entire channel off the air?

It seems more likely to me that this was a deliberate and malicious act by somebody, perhaps a disgruntled former employee, who has access to the computer system used to automate putting content on air.

What is your mother’s maiden name and other insecure security questions

Security researchers at the University of Cambridge’s Computer Laboratory have produced a whitepaper titled Evaluating statistical attacks on personal knowledge questions.

Aside from the fact that the answers to these questions are readily findable for celebrities, and increasingly easy to uncover through social networking sites for the average individual, the researchers found that even guessing is good enough to render the system insecure if carried out on a wide scale.

There is a strong result that anything named by humans is dangerous to use as a secret. Sociologists have known this for years. Most human names follow a power-law distribution fairly close to Zipfian, which we confirmed in our study. This means every name distribution has a few disproportionately common names—”Gonzalez” amongst Chilean surnames, “Guðrún” amongst Icelandic forenames, “Buddy” amongst pets—for attackers to latch on to. Combined with previous results on other attack methods, there should be no doubt that personal knowledge questions are no longer viable for email, which has come to play too critical a role in web security.

Until such time as the companies that use password reminder questions as a security measure change their system, I recommend that people give a nonsense answer to the question. If you are sure that you will never need to use the password reminder facility then you could use a completely unguessable random alphanumeric string as the answer. Otherwise it would be a good idea to choose something memorable as your nonsense answer and use it consistently, e.g. Throatwobbler Mangrove, unless inexplicably that does happen to be your mother’s maiden name.

There has been other research into this subject in the last few years.

Microsoft researchers wrote Measuring the security and reliability of authentication via ‘secret’ questions.
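To make the Cambridge result and the recommendation above concrete, here is an added Python example (my own illustration, not code from either paper). It models a population of answers under a Zipf law, measures the same quantity on a constructed set of answers, and contrasts both with a random alphanumeric answer. The quantity computed is the share of accounts an attacker who tries only the k most common answers against every account would expect to break, which is the number a defender needs when deciding whether a question is still fit for purpose. The sample answers and the function names are constructed for this example.

```python
from collections import Counter
import secrets
import string

# Constructed sample of answers to "mother's maiden name" (not real data): a few
# disproportionately common names plus a long tail, mimicking the power-law shape
# the Cambridge study reports for human-chosen names.
SAMPLE_ANSWERS = (
    ["Smith"] * 12 + ["Jones"] * 9 + ["Williams"] * 7 + ["Brown"] * 5
    + ["Taylor"] * 4 + ["Davies"] * 3 + ["Evans"] * 2
    + ["Mangrove", "Okonkwo", "Lindqvist", "Petrova", "Nakamura",
       "Dubois", "Haddad", "Ferreira"]
)

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def zipf_probabilities(n, s=1.0):
    """Probability of each of n names under a Zipf law: p(rank) is proportional to 1 / rank**s."""
    weights = [1.0 / rank ** s for rank in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def trawling_success_rate(probs, k):
    """Expected fraction of accounts broken by trying only the k most likely answers
    against every account. For the defender this is a lower bound on how weak the
    question is: no amount of rate limiting per account changes it, because each
    account only sees k attempts."""
    return sum(sorted(probs, reverse=True)[:k])


def empirical_success_rate(answers, k):
    """Same quantity measured on a set of answers, normalising case and whitespace
    the way a lenient reminder system does before comparing."""
    counts = Counter(a.strip().lower() for a in answers)
    return sum(c for _, c in counts.most_common(k)) / len(answers)


def random_answer(length=20):
    """Unguessable replacement answer: secrets, not random, because it is a secret."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_answer_success_rate(k, length=20):
    """k guesses against a uniformly random answer of the given length."""
    return k / len(ALPHABET) ** length


if __name__ == "__main__":
    model = zipf_probabilities(1000)
    for k in (1, 10, 100):
        print(f"Zipf model, {k:3d} guesses: {trawling_success_rate(model, k):.1%} of accounts")
        print(f"sample,     {k:3d} guesses: {empirical_success_rate(SAMPLE_ANSWERS, k):.1%} of accounts")
    print(f"random answer, 1000 guesses: {random_answer_success_rate(1000):.1e}")
    print("example replacement answer:", random_answer())
```

The point the numbers make is that a handful of guesses per account already covers a large share of a Zipf-distributed population, whereas the same budget against a 20-character random answer is hopeless; a memorable nonsense answer sits between the two only if it is not itself a name.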

The hype of cyberwarfare used to control the internet

Ryan Singel, writing for Threat Level, believes that the cyberwar hype is intended to destroy the open internet.

With the rise of the internet, nation states have begun to lose control of their citizens and have introduced ever more draconian laws to try to claw some of that control back.

The War on Terror was framed as a Cold War for the 21st century, and a fog of fear was spread over the population, but that fog gradually lifted as people realised that they were not at risk from Al Qaeda. Even when a nutcase tried to ignite explosives in his underpants on an aircraft, and politicians and the news media spewed rhetoric about this dangerous new terrorist tactic and how something had to be done, most people soon went back to their lives as if nothing had happened.

The powers that be needed a new threat with which to control the people, and the Chinese hacking of Google and others provided the framing to do it.

Western civilisation is now in peril of being destroyed by China in the form of computer hackers.

Google’s allegation that Chinese hackers infiltrated its Gmail servers and targeted Chinese dissidents proves the United States is “losing” the cyberwar, according to McConnell.

But that’s not warfare. That’s espionage.

We do not need, as Mike McConnell proposes, to ‘reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable.’

The ‘Google hacking situation’ was first and foremost an infiltration of the servers of private industry, not an attack on the United States itself. The IT security of American companies is an area where the US government can assist by offering advice or notifying companies of specific threats it has become aware of, but not by monitoring and controlling the internet.

24 Day 8: 9pm – 10pm

The subplot involving Dana and her criminal ex-boyfriend continues to annoy me with the stupidity of both the character and the plot. Not only is she endangering national security by allowing this to distract her from critical work, but she has allowed herself to be blackmailed into becoming part of a criminal conspiracy.

Would her access to an NYPD computer network not be logged and raise questions? Is it likely that CTU would have a legitimate reason to create a keycard for an NYPD secure warehouse? All this is compounded by the fact that she then gives him a secure comlink so that they can communicate. Firstly, there is no way that CTU would allow staff to take equipment like that without signing it out, and secondly, any communications over their network would surely be logged if not actively monitored.

The subplot involving the radiation poisoning of the Russian mobster’s son is almost as bad. The doctor informs the elder brother that the patient has received a dose of 400 rems, not necessarily fatal although a slightly higher dose did kill Harry K. Daghlian Jr., and states that a bone marrow transplant is needed. So far so good, but then the doctor talks about administering drugs to flush out the radiation and warns that radiation is transferable through bodily fluids. Complete rubbish: unless the guy ingested some of the uranium there is no radiation in him to flush out, nor any that could be transferred to anyone else in his bodily fluids.

Jack’s impersonation of a German arms dealer was not all that convincing, even if he did have a lovely graphical display for his encrypted bank transfer that went via multiple accounts to prevent it being traced.

Encrypting Locations Alpha 4 All Accounts Verified

Good scene with the CTU sniper taking out members of the Russian gang, but did they seriously believe that a German arms dealer would come alone to a deal like this?

Parallel Algorithm Leads to Crypto Breakthrough

Dr. Dobb’s reports that a brute-force cracking algorithm can search the entire 56-bit DES keyspace at over 280 billion keys per second, the highest known benchmark for 56-bit DES decryption, and can accomplish in less than three days, using a single hardware-accelerated server with a cluster of 176 FPGAs, a key recovery that would take years on a PC even with GPU acceleration. The massively parallel algorithm iteratively decrypts fixed-size blocks of data to find keys that decrypt into ASCII numbers. Candidate keys found in this way can then be tested more thoroughly to determine which one is correct. [via]
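As an added example (my own, not code from the Dr. Dobb’s article or the FPGA implementation), the Python below models the two-stage approach just described: a cheap "decrypts to ASCII digits" filter applied to every trial key, followed by thorough verification of the survivors. It also works out why the second stage is needed. It assumes that a decryption under a wrong key looks like uniformly random bytes, uses the 280 billion keys per second figure quoted above, and its function names are my own.

```python
DES_KEY_BITS = 56
DES_BLOCK_BYTES = 8
REPORTED_KEYS_PER_SECOND = 280e9  # figure quoted in the article above
SECONDS_PER_DAY = 86400


def looks_like_ascii_digits(block):
    """First-stage filter: is this trial decryption an 8-byte block of ASCII digits?
    Cheap enough to run on every key; it is only a heuristic, not proof of a hit."""
    return len(block) == DES_BLOCK_BYTES and all(0x30 <= b <= 0x39 for b in block)


def false_positive_probability(block_bytes=DES_BLOCK_BYTES, accepted_symbols=10):
    """Chance that one block decrypted under a WRONG key passes the filter, modelling
    wrong-key output as uniformly random bytes (assumption): (10/256) ** 8 for digits."""
    return (accepted_symbols / 256) ** block_bytes


def expected_false_candidates(key_bits=DES_KEY_BITS, blocks_checked=1):
    """Expected number of wrong keys surviving the filter across the whole keyspace
    when `blocks_checked` consecutive blocks must all pass."""
    return 2 ** key_bits * false_positive_probability() ** blocks_checked


def exhaustive_search_days(key_bits=DES_KEY_BITS, rate=REPORTED_KEYS_PER_SECOND):
    """Wall-clock time to try every key at the quoted throughput."""
    return 2 ** key_bits / rate / SECONDS_PER_DAY


def verify_candidates(candidates, reference_plaintext, decrypt):
    """Second stage: keep only candidate keys whose decryption of a longer reference
    sample matches known plaintext. `decrypt(key, data)` is supplied by the caller
    (a real DES routine in practice); it is a parameter here, not an implementation."""
    return [k for k in candidates if decrypt(k, reference_plaintext["ciphertext"]) == reference_plaintext["plaintext"]]


if __name__ == "__main__":
    print("one-block filter, wrong-key pass probability:", false_positive_probability())
    print("expected false candidates over 2^56 keys, 1 block checked:", expected_false_candidates(blocks_checked=1))
    print("expected false candidates over 2^56 keys, 2 blocks checked:", expected_false_candidates(blocks_checked=2))
    print("days to exhaust the keyspace at the quoted rate:", round(exhaustive_search_days(), 2))
```

The arithmetic is what justifies the design: a single 8-byte digit-only block lets roughly 390,625 wrong keys through over the full keyspace, a list short enough to verify properly but far too long to treat as an answer, while requiring two consecutive blocks to pass drops the expected false candidates to around a millionth of one. The keyspace time of just under three days at the quoted rate is the same figure the article gives, and is the practical reason 56-bit DES is considered retired.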