Categories
My Opinion

My Connected Device is Listening

My Android phones have been listening to me for years. I have no doubt about this. When I started talking about something absurd late last year – “can you use hand lotion to condition a leather chair” – and then decided to look it up on my phone, the first suggestion Google made upon entering “Can you use” was “Can you use hand lotion to condition leather products”. And that’s just one example.

People call me paranoid for saying this, but I’m not. I just understand (or at least pretend I understand) what’s going on inside our connected devices.

Speech Recognition in the Cloud

If you have an Android phone with the Google+ Launcher applied, try this: turn it on and just say “OK, Google”. This automatically opens the voice-to-text search box where you can talk to the device and get it to do things like run a search or send an email or whatever. I’m sure the Fruit Company phone can do the same thing. And the one from Macrohard. It’s amazingly unamazing in a world where rapid technological advancement has made us jaded.

What’s actually happening here is really quite amazing: the phone is constantly listening for specific voice cues, and when one is detected it starts doing stuff. It gets even more impressive when you start dictating. You can actually see the phone guessing and correcting itself in real time to make sure it gets everything exactly right. Watching this happen, it’s clear there is a lot of contextual semantic processing going on out there in the cloud.

What we have here is the dream of speech recognition come true in the cloud. And now that we have it people are (and should be?) terrified.

Your Samsung TV is Eavesdropping on Your Private Conversations

Earlier this week the tech media and everyone else suddenly got very interested in connected devices and their listening capabilities. In the Terms of Service for Samsung’s Smart TVs a line was discovered that said:

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party

The reporting was quickly followed by a statement from Samsung saying:

If a consumer consents and uses the voice recognition feature, voice data is provided to a third party during a requested voice command search. At that time, the voice data is sent to a server, which searches for the requested content then returns the desired content to the TV

George Orwell fans with better memories than me immediately caught on to the striking similarities from the book 1984:

And the world burned for days.

The Clash of Dreams and Reality

What we have here is a clash of dreams and reality. In our dreams we want to be able to talk to our devices and have them do our bidding. In Star Trek they had the Universal Translator. You can now get much the same feature by downloading the Google Translate app on your smartphone. Try it. It’s absolutely mind blowing. But for this technology to work we can’t just rely on our phones or computers or TVs. Language is complex and can’t be simplified to algorithms that can run on our local devices. For this technology to work we need the Cloud. And that means literally recording and sending your conversations over the web to a server that then parses the data, gleans the meaning of it, and acts according to your instructions.

In short, when you talk to your device, your device needs to actually understand what you are saying. Which is why your Samsung Smart TV and your cell phone and probably your computer and any other connected device in your house is in fact listening to you all the time.

The Question Isn’t If You are Being Recorded, But Who Listens

Most people will find this revelation rather unsettling, but the reality is this is not new. It’s been going on for years. And it’s a direct response to what we as consumers have been asking for.

The bigger question is who’s listening. The device and service companies are pretty much unanimous in saying they are not recording and not listening. The recordings are purely for the computers. And in a way it is probably believable (unless you are talking about that website that wants to sell your face on a book. They are totally listening). I don’t actually fear the companies (much), but I do question their encryption algorithms.

Post-Snowden we have confirmation of what many of us have known all along: If you put it on the Internet the US intelligence system will be listening in. So does this mean that someone is sitting in a bunker somewhere in the US (or elsewhere) listening to our conversations while we watch TV, or eat dinner, or chat with our phones within reach? Not unlikely.

Somewhere George Orwell is shaking his head in shame while dictating his next novel through his phone.

Categories
WordPress

The DDoS and the Damage Done

With this notification we would like to inform you that our in-house Website Performance Monitoring System (WPMS) has signaled that your account constantly uses a large amount of the server’s CPU resources. These excessive requests consume an abnormally high amount of CPU resources and endanger the overall performance of the server. Your account consume more then 55703.75 CPU seconds and 102195.00 CPU executions for the last 24 hours. (…) Unfortunately, your website’s server resource usage is not suitable for this server and that is why we will no longer be able to host it there.

This is the message that waited for me in my inbox when I woke up last Thursday morning (grammar errors and typos included). A quick visit to mor10.com confirmed my panic: The site was down, replaced by a 503 error. Logging into my site admin panel I discovered the hosting provider had locked down my site banning access to any incoming visitors. And for good reason. A quick inspection of the resource logs showed something dramatic had happened during the night. Here are screenshots of the weekly stats and the execution log for the preceding 24 hours:

Weekly stats graph showing dramatic increase in activity
Execution log graph showing extreme variance in activity caused by the server dropping in and out of service

Thus began what would become a 16 hour battle with arrogant and ignorant tech support “specialists”.

Categories
WordPress

Your blog has been hacked. Actually, maybe not. The Pingback Exploit.

This morning I got an email from a person named Sam Bowne with the ominous subject line “Your blog has been hacked”. The email read as follows:

I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco. Your blog has been hacked, and is being used to attack other sites. The specific URL and IP address involved in attacks is in the list below.

Please scan your blog and clean it.

Complete information about this is at:

http://samsclass.info/125/proj11/wpbots120613.htm

Now I get a lot of crazy emails from a lot of crazy people, so my initial reaction was that this was another one destined for the spam pile. But at the bottom of the email was a list of about 50 sites that were supposedly hacked, and looking through it I got curious. On the list, which included a site I managed years ago, I found URLs like wordpress.org, viper007bond.com, and woothemes.com. The chance of any of these sites being hacked and used to spam Mr. Bowne is pretty close to zero, so clearly there was something else going on here.

Browsing the responses to Sam’s Twitter stream it became clear that many of the people who had received the same email (apparently it was sent to thousands of email addresses) had done their due diligence by checking their sites for exploits, only to find they were in fact not hacked. My guess is that if we were to check all the sites on the list we’d find very few sites with hacks on them. But the claim that the sites were attacking Mr. Bowne’s site is still true!

Your WordPress site can be tricked

It is a poorly kept secret that with some simple code you can turn a WordPress site into a tool of evil. Built into WordPress core is an XML-RPC interface (xmlrpc.php) that lets remote clients talk to your site and get it to do things like publish posts. It is very useful if you want to use a 3rd party application or a mobile app to write posts. The same interface also powers pingbacks – essentially messages sent to other sites when they are being linked to. That is where the problem lies: the pingback.ping method takes a “source” URL and a “target” URL, and WordPress fetches the source URL to verify that it really links to the target. Nothing stops a caller from naming any site in the world as the source, so your site can be made to send requests to a site of the attacker’s choosing, becoming an accomplice in a DDoS attack.

It is disturbingly simple: a few lines of code will send a cascade of pingback.ping requests to your WordPress site, which in turn fires off requests to the specified target. Multiply that by a hundred or a thousand or a million sites like yours and you have a perfectly orchestrated DDoS attack executed by proxy through your and other sites. Which seems to be what happened to Mr. Bowne. Again, the sites involved were not compromised; a legitimate feature was abused.

Based on the list of sites provided by Sam and my own observations of spam comments, it seems clear that a large portion of the sites that are taking down Sam’s site are in fact not infected but instead exposed to the pingback exploit. In fact any standard WordPress install with XML-RPC enabled (which it is by default since 3.5) and pingbacks open is exposed. Which is a serious problem.

Solutions, current and future

This exploit is well known by the developers that build WordPress and it is being worked on. However, as of right now your WordPress site may become part of the problem unless you take a simple step to prevent it: go to Settings -> Discussion and turn pingbacks off. Note that this setting only sets the default for new posts; posts you have already published keep the ping status they were published with, so existing content has to be closed to pingbacks separately. Some are suggesting removing the XML-RPC feature altogether by deleting it from the WordPress install. This is a terrible idea and should not be done. WordPress core is not something you should mess with, and XML-RPC is used for more than just pingbacks, most notably to allow a user to post to the site from 3rd party apps. If you want to go beyond the Discussion settings, the right place is a plugin that removes only the pingback method through the xmlrpc_methods filter, leaving the rest of the interface intact.

Moving forward it’s clear this needs to be addressed in WordPress core so new users do not inadvertently become bots. What exactly that fix should be is up for debate. Simply disabling XML-RPC is not a solution, yet leaving it completely open is an equal non-starter. Bottom line: a push needs to be made to get core updated in some way to curb this problem going forward. WordPress powers 20% of the web and will continue to take over more of the space, so this weakness will be exploited more and more if nothing is done.
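As an added example (not code from this post, and not part of WordPress core), here is what the per-method approach looks like as a must-use plugin on a standard single-site install: it drops only pingback.ping from the XML-RPC method table and stops advertising the pingback endpoint, while remote publishing through XML-RPC keeps working. The file name and plugin header are hypothetical; the three filter names are WordPress core hooks.

```php
<?php
/*
Plugin Name: Disable pingback.ping (added example)
Description: Removes the pingback.ping XML-RPC method without editing core, so this site
cannot be made to fetch attacker-chosen URLs on someone else's behalf.
Suggested location (hypothetical): wp-content/mu-plugins/no-pingback-ping.php
*/

// 1. Take the reflector method out of the XML-RPC method table.
//    Every other method (metaWeblog.*, wp.*, what mobile and desktop clients use)
//    stays available, so remote posting is unaffected.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the endpoint. The X-Pingback response header is one of the
//    signals scanners use to harvest sites that can be used as reflectors.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Themes usually print <link rel="pingback" href="<?php bloginfo('pingback_url'); ?>">
//    in header.php; blank that URL so the page no longer points at xmlrpc.php either.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```

After dropping the file in place, a pingback.ping call to xmlrpc.php gets the standard “server error. requested method pingback.ping does not exist” fault instead of triggering an outbound fetch; a system.listMethods call is a quick way to confirm the method is gone while the rest of the list is still present.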

Categories
WordPress

Brute force attacks call for an end to the default “admin” WordPress user

UPDATE: Chris Rudzki filed ticket #24078 in Trac on April 13th to get the suggested username removed. There is some contention in the comments but overall it looks like this may be implemented.

UPDATE #2: Just published an extensive post on the lynda.com blog with security tips and what to do if your site falls victim to this attack.

WordPress is under attack by brute force hackers. The target: WordPress installs with the username “admin” and other common test users (“Admin”, “test”, “Administrator” etc). While this is disturbing the more disturbing fact is that as it stands WordPress is encouraging new users to set up an admin account with the username “admin” thereby perpetuating the situation. This cannot continue.

If you are running a WordPress site there is a good chance you will become the subject of a brute force attack aiming to get login access to your site through the default admin account. For the layman this means a computer goes to the login page on your site with the username “admin” and tries every password under the sun to see if it can get in. In the last few days two major hosting companies – HostGator and CloudFlare – have released reports that tens of thousands of sites are under attack from a “well organized” individual or group.

Others have written extensively on the subject, so I won’t reiterate what they have said better than me. Instead I will point out an obvious flaw in WordPress itself that is amplifying the problem and that can be easily fixed:

Problem: “admin” is still the default user name

Screen grab of the WordPress 5 minute install with "admin" set by default as the username
Even in version 3.6 “admin” is still the default username in WordPress

If you’ve been around for a while you know that in the past the first user created when WordPress was installed was always called “admin”. This led to a barrage of brute force attacks on WordPress sites and was deemed to be enough of a vulnerability that by version 2.9 the user was prompted to set the admin user name manually.


So why are there so many sites that still have an admin user with the username “admin”, even with the known attacks and the ability to set the name manually? Simple: as you can see in the image above, the suggested admin user name is still “admin” and will be used unless the user explicitly changes it to something else. And while seasoned WordPress users are aware of this and avoid using the name “admin”, new users are given no indication that using “admin” as the username is a bad idea.

In fact I would argue the current setup in which the username is automatically filled out with “admin” encourages new users to use the name thereby making them more vulnerable.

Solution: “admin” shouldn’t be an option

Considering the history of the “admin” user name and the fact that people still use it (because it is still the default and WordPress suggests they do) two things should be done:

  1. Force the user to set a username herself by not providing one in the field
  2. Add a filter that prevents “admin” from being used as a username

Neither of these is technically complex, and similar filters are used by other services and applications to avoid this exact issue.
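As an added example (not code from this post or from WordPress core), here is the second item implemented today as a must-use plugin: it rejects “admin” and the other names named above at account creation, and warns administrators when such an account already exists. It assumes WordPress 4.4 or newer, which introduced the illegal_user_logins filter (the filter did not exist when this post was written); the file name, plugin header, function name and blocklist are hypothetical.

```php
<?php
/*
Plugin Name: Forbid guessable usernames (added example)
Description: Rejects "admin" and other common brute-force targets when accounts are created,
and warns administrators if such an account already exists on the site.
Suggested location (hypothetical): wp-content/mu-plugins/forbid-admin-login.php
Requires WordPress 4.4+ for the illegal_user_logins filter.
*/

// The names this post lists as brute-force targets (assumed list; extend as needed).
// Core lowercases both sides before comparing, so "Admin" and "Administrator" are covered too.
function example_forbidden_logins() {
    return array( 'admin', 'administrator', 'test' );
}

// 1. Refuse these names wherever core creates a user: open registration, Users > Add New,
//    WP-CLI and the REST API all go through wp_insert_user(), which returns
//    WP_Error( 'invalid_username' ) when the login is on this list.
add_filter( 'illegal_user_logins', function ( array $illegal ) {
    return array_merge( $illegal, example_forbidden_logins() );
} );

// 2. Existing sites are the real exposure: an "admin" account created years ago is still
//    there. Show a persistent dashboard warning to anyone who can manage users.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'list_users' ) ) {
        return;
    }
    // username_exists() returns the user ID (truthy) or a falsy value, so array_filter
    // keeps exactly the forbidden names that are in use.
    $present = array_filter( example_forbidden_logins(), 'username_exists' );
    if ( empty( $present ) ) {
        return;
    }
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html(
            'Guessable account names exist on this site and will be brute forced: '
            . implode( ', ', $present )
            . '. Create a new administrator with a different login, reassign the content to it, then delete these.'
        )
    );
} );
```

WordPress does not let you rename a login from the admin screens, which is why the notice recommends creating a fresh administrator and deleting the old account rather than editing it; the filter then makes sure nobody recreates “admin” afterwards.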

As WordPress takes over a larger and larger share of the new site market it is more important than ever to ensure that new users are not led down a dangerous path. Suggesting “admin” as the username for the first user is precisely the type of path the new user should never be led down. I rest my case.

Categories
Browsers News

Internet Explorer Alert – Critical Product Vulnerability

This just dumped into my inbox. Since so many people use Internet Explorer 6 or 7 and it talks about a very bad security issue, I thought it important enough to warrant a repost (for the full details visit http://www.microsoft.com/technet/security/bulletin/MS08-078.mspx).

Basically the bulletin says that if you have automatic updates turned on, your computer will be updated shortly. This may mean your computer will reboot itself. By the way, if you don’t have auto updates turned on, do so right now. It’s not safe otherwise (that goes for Mac users too btw).

Executive Summary

This security update resolves a publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error resulting in the exploitable condition.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 961051.

Recommendations

Microsoft recommends customers prepare their systems and networks to apply this security update immediately, to help ensure that their computers are protected from attempted criminal attacks. Please visit http://www.microsoft.com/protect to apply the security update.

PUBLIC BULLETIN WEBCAST

Microsoft will host two Webcasts to address customer questions on this Out-of-Band bulletin:

Title: Information About Microsoft December Out-of-Band Security Bulletin
Date: Wednesday, December 17, 2008 1:00 P.M. Pacific Time (U.S. & Canada)
URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399448&Culture=en-US

Title: Information About Microsoft December Out-of-Band Security Bulletin #2
Date: Thursday, December 18, 2008 11:00 A.M. Pacific Time (U.S. & Canada)
URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399449&Culture=en-US

To remain informed about security threats and solutions, please subscribe to the Microsoft Security News Letter