Saturday, January 10, 2009

New WV State Police site infested with malware

The Charleston Gazette-Mail reported this morning that the WV State Police is in the process of launching a new site to report crime.
CHARLESTON, W.Va. -- It won't replace calls to 911, but the West Virginia State Police soon will launch a Web site that it hopes will make reporting crimes easier.

The Web site, www.wvcrime.com, will allow the members of the public to submit an anonymous tip or a full-blown crime report, said State Police Sgt. Christopher Casto.

The site will be ready "in the next few weeks," he said. "It's in the finals stages of testing and setting up."

The site will cut down on phone calls to the State Police and will allow people to make complaints without talking directly to a trooper, Casto said.

"We're hoping that people will be more comfortable reporting crimes if they can do it anonymously through their computer," he said.

Readers report when they visit the site that get a message, "Your computer might be infected and to click OK to install Antivirus2009." Hackers have inserted javascript that links to the site that holds the actual malware.

Antivirus2009 is a very bad piece of malware that affects computers running Windows.

I was able to load the site in OS X and Linux earlier this afternoon, but now Google is on the case. When I visit the site now I get a Google Safe Browsing warring that the site is infected with malware.

Back in September the WV State Bar site was blacklisted for containing malware.

Update: The malicious java script redirected to a blank page for about a day. It's now redirecting to the malware again. Thanks to my buddy, and former law firm IT director, Paul McNeely who has kept his eye on this and has provided updates.

Labels: , , ,

Secure your social networking passwords

It amazes me that an 18-year-old hacker can break into a Twitter admin account and start changing the passwords of famous users with a dictionary attack script. Creating complex passwords is Security 101. Some, including Michael Arrington of TechCrunch, say this breach is proof that Twitter isn't ready for prime time. I disagree. It's not a Twitter problem. It's a problem of not having a strong password policy and users not picking strong passwords.

In general strong passwords:
  • should be at least seven characters long
  • should not contain your user name, real name, or company name
  • should not contain a word you can find in the dictionary
  • should contain a combination of uppercase and lowercase letters, as well as numeral and symbols
Also when changing a password, the new password should be significantly different from the pervious password. Passwords that increment (Password1, Password2, Password3...) are not strong. And passphrases are more secure than passwords. A passphrase is a sequence of words rather than just one password.

If strong passwords aren't required by the service in question, weak passwords are a user problem and are probably just as much of a problem on other social media sites. One way to address this is to require users to use secure passwords. LiveJournal is an example of a service that now requires strong passwords. In fact, LiveJournal has a stronger password policy than my bank.

Facebook, on the other hand, doesn't appear to have any sort of strong password policy at all.

The other way to address this problem is education. The press that the Twitter data breach have generated will hopefully let the general public know that weak passwords dangerous.

Labels: , , ,

Saturday, January 03, 2009

The Mac turns 25

As Dave Winer points out, we are nearing the 25th anniversary of the introduction of the Macintosh. In 1984 I was a undergraduate at Marshall University and I spent hours typing papers on electric typewriters and going through gallons of Liquid Paper Correction Fluid. When I first got to use a Mac when I entered graduate school in 1990 it was truly a life changing event.

At the time we were using the Mac Plus to write and edit our college newspaper. If I remember correctly there where 13 of them in the newsroom, including the one at the news editor's desk. When I became managing editor I got to inherit the powerful Mac SE 30 which also had an external hard drive. The Mac Plus booted from a floppy and all your work had to be saved to yet another floppy.

My first law firm IT job in 1999 was working at a firm who used only Macs. The machines where mainly iMacs and PowerBooks. This was in the days before OS X. OS 9 was a simple system to administer, but not without it's faults.

Below is a young Steve Jobs introducing the Macintosh on January 24th 1984.

Labels: , ,

Disgruntled ex-employee takes JournalSpace offline for good

There are posts from TechCrunch and Slashdot this morning about the blogging service JournalSpace being completely taken offline as a result of a malicious act from a disgruntled ex-employee. According to the JournalSpace blog the employee in question decided to depend on RAID as the only backup of the SQL database of users posts. As pointed out the the Slashdot headline, Mirroring is Not a Backup Solution, and any IT employee worth their salt should know this.

The Slashdot story says:
The site had been in business since 2002 and had an Alexa page rank of 106,881. Quantcast said they had 14,000 monthly visitors recently. No word on how many thousands of bloggers' entire output has evaporated.
According to the JournalSpace blog and also reported by TechCrunch:
It was the guy handling the IT (and, yes, the same guy who I caught stealing from the company, and who did a slash-and-burn on some servers on his way out) who made the choice to rely on RAID as the only backup mechanism for the SQL server. He had set up automated backups for the HTTP server which contains the PHP code, but, inscrutibly, had no backup system in place for the SQL data. The ironic thing here is that one of his hobbies was telling everybody how smart he was.
This story should be a reminder that every organization should have a backup, disaster recovery and business continuity plan. It is also important to have a plan to deal with insiders threats and not let one person make all the decisions about backup, disaster recovery, and business continuity.

Labels: , , , , , ,