Google Search

Thursday, December 31, 2015

Silk Road founder was tracked down by a Googling tax agent

FBI forensics! DEA investigation!
Sophisticated Tor-cracking techniques squeezed (or bought?) out of Carnegie Mellon!
We’ve heard (and written) all about the whiz-bang techno-smarts that went into the dismantling of Silk Road, the biggest dark web drug market ever, and the manhunt and unmasking of its mastermind, Dread Pirate Roberts.
But the New York Times (NYT) reports that identifying the Dread Pirate, now better-known by his real name, Ross Ulbricht, was more a triumph of investigative skills than a display of techno-smarts.
Indeed, the investigatory work had far more to do with the long, deep data trails we leave behind in our online travels than it does with piercing the anonymizing layers of Tor.
Finding Ulbricht really boiled down to this: a bunch of Google searches done by an investigator for the Internal Revenue Service (IRS).
Yep, it was a tax wonk who nabbed him.
That man’s name is Gary L. Alford, and he’s a special agent for the IRS.
Based in the Chelsea neighborhood of Manhattan, Alford was assigned to work with the Drug Enforcement Administration (DEA) as it struggled, unsuccessfully, to figure out the most basic element of its investigation: just who, exactly, was running Silk Road.
By mid-2013, the market had burgeoned into a massive enterprise, selling some $300,000 in drugs and other contraband every day, according to the NYT.
Alford was young, energetic, and dogged as hell: all characteristics that his superiors hoped would help to jumpstart an investigation that was stuck in the mud.
His preferred tool: Google. Particularly the advanced search option that lets you focus in on a date range.
After all, one of the few things investigators had to go on was Silk Road’s inception date.
The NYT quotes Alford, who describes what he recalls thinking to himself at the time:
I’m not high-tech, but I’m like, ‘This isn’t that complicated. This is just some guy behind a computer.’
In these technical investigations, people think they are too good to do the stupid old-school stuff. But I’m like, ‘Well, that stuff still works.’
In May 2013, using the advanced search option to look for material posted within specific date ranges, Alford found a chat-room posting made just before Silk Road went online, in early 2011, by someone with the screen name altoid.
The posting from altoid asked:
Has anyone seen Silk Road yet? It’s kind of like an anonymous Amazon.com.
Sounds a bit like an advertisement, doesn’t it? Given the posting’s early date, Alford suspected that altoid might have inside knowledge about Silk Road.
So Alford directed his searching at altoid, looking for everything he’d ever written: what the NYT compares to sifting through trash cans near the scene of a crime.
What he found was a message that altoid had apparently deleted but which had lingered in another user’s response.
In that conversation, altoid had asked for programming help.
He also gave his email: rossulbricht@gmail.com.
And who, Alford asked of the Internet, was this Ross Ulbricht?
A Google search for the name turned up a young man from Texas who, just like Dread Pirate Roberts, admired the free-market economist Ludwig von Mises and the libertarian politician Ron Paul.
He found other parallels as well.
Eventually, after asking a colleague to run a search on Ulbricht, the investigation struck gold.
Homeland Security agents had seized a suspicious package containing fake IDs at the Canadian border, addressed to Ulbricht’s apartment in San Francisco.
The agents visited the apartment, coming face-to-face with Ulbricht, who answered the door.
His face matched that on the bogus IDs, but the agents had no inkling that Ulbricht had anything to do with Silk Road.
But Ulbricht apparently couldn’t stop subtly advertising Silk Road: he mentioned to the agents that “hypothetically” anyone could go on a site called Silk Road and buy fake identification.
Armed with this fresh evidence to link Ulbricht to Silk Road, Alford called the prosecutor.
That’s when Ulbricht’s fate was sealed: it turned out that his address was a brief walk from a cafe from which the FBI knew that Dread Pirate Roberts had signed in to Silk Road.
Over the coming weeks and months, Ulbricht was put under full surveillance, and ultimately arrested at a public library in San Francisco on 1 October 2013.
So, as 2016 approaches, let’s all pause to consider the story of Ross Ulbricht, undone by words expressed long ago.
He thought he’d deleted those messages, but, even with the “right to be forgotten” (or, at least, the right in some parts of the world to get Google to hide search results about us), they lived on for Alford to find.
Alford couldn’t be at Ulbricht’s arrest, but he did receive a plaque.
The NYT reports that Alford’s superiors had it inscribed with this quote from Sherlock Holmes:
The world is full of obvious things which nobody by chance ever observes.
Well, it turns out that Gary Alford is one of those people who do observe. He’s a tax detective, and his magnifying glass was Google.
Readers, what data trail did you leave in 2015?
We should all bear in mind, as we get ready for a new year, that the words we leave behind in dusty chatrooms, in Facebook throw-aways or in Twitter snippets well might reappear to haunt us.
Whether it’s a future criminal investigation, a personalised marketing campaign, a targeted attack by cybercriminals, or any other sort of surveillance…
…the internet never really forgets.

The weird and wacky of 2015: strange security and privacy stories

This year was a big one for news about threats to our cybersecurity and online privacy.
Some of the major stories included big data breaches – such as Ashley Madison, TalkTalk and VTech, plus many more in between – while the political debate over encryption backdoors reached new levels of intensity after the terrorist attacks in Paris.
Serious security vulnerabilities in commercial products, like the Stagefright and OCtoRuTA bugs in Android, and the FREAK and Logjam problems in TLS/SSL, also raised widespread concerns.
Ransomware, the punch-in-the-face malware that scrambles your files and then demands money to buy the decryption key back from the crooks, was in the news all year long – more and more victims, caught without backup, ended up with little choice but to pay the ransom.
And, unsurprisingly, worries about ever-encroaching surveillance grabbed headlines throughout 2015.
But as we look back at the year gone by, we thought we’d highlight some of the oddball stories that may have slipped through the cracks.
Despite their quirkiness, these stories remind us how important cybersecurity and online privacy have become in all areas of our lives.
Here are some of the weirder stories we’ve covered this year.
Man seeking hacker for hire on Craigslist gets busted when cop answers his ad.
A Pennsylvania man attempted to use Craigslist to hire a hacker to wipe out his court records and $16,000 in fines he owed. Now Zachary J. Landis, 27, is facing up to four years in jail after an undercover cop answered the posting and Landis requested proof the “hacker” could do the job by wiping out some of his fines.
Maybe Landis would have been better off using an anonymous hacker-for-hire service.
Earlier this year, we noted the emergence of a hacker-for-hire site called Hackers List that acts as a job board for possibly illegal activity. Hackers List’s founder, a US Army veteran and cybersecurity “consultant” named Charles Tendell, claims his service doesn’t permit illegal activity.
It’s hard to imagine people using the site for legitimate purposes, but anyone who does go in search of hacking services should beware that hiring a hacker to do something illegal is at least as bad in the eyes of the law as doing the hacking yourself.
UK police were worried about apocalyptic Star Trek and X-Files fans.
Investigative journalist Dr. David Clarke published a book earlier this year about UFOs revealing that the UK’s Metropolitan Police were worried about violent, apocalyptic science fiction fans.
Clarke uncovered a memo written by the Metropolitan Police in the 1990s warning that fans of the X-Files, Star Trek and other sci-fi shows might commit acts of violence in the run-up to the new millennium.
There’s no evidence that the Metropolitan Police acted on the scaremongering memo, but it looks even sillier now, with the enormous popularity of the new Star Wars flick showing that millions upon millions of people love science fiction without posing any threat to society.
Given how much power law enforcement and governments have today to keep track of our activities – including our comings and goings in the real world, and online – we might want to ask: what other kinds of innocuous behavior will authorities start fretting about next?
Criminals still don’t understand how social media works.
We saw a lot of stories this year about crooks incriminating themselves with social media posts confessing their illegal activities, and fugitives giving away their location with geolocation on their devices, selfies and social posts.
Even self-described “hackers” can over-estimate their own cleverness while under-estimating law enforcement, such as the serial SWATter who said hackers can’t be caught in taunting voicemail messages, but was arrested a few weeks later.
There’s also the wacky story about a woman who fled the scene of an accident only to have her own car report her to the cops.
And there’s the case of Ross Ulbricht, a.k.a. Dread Pirate Roberts, sentenced to life in prison for running the underground website Silk Road, who was busted at least in part because of information left behind in a reply to an online post that he thought he’d deleted.
There’s an important lesson here for law-abiding citizens too – be very cautious about what you share on social media and elsewhere, such as location data. You never know how it could be used against you.
The rise of robots is scary to people, who sometimes react violently.
Robots, and artificial intelligence (AI) more broadly, are becoming more useful in many areas of our lives – and also more threatening.
As robots learn how to carry on discombobulated conversations and to write articles nearly as well as humans can, a number of leading tech gurus and scientists have begun warning that our very existence could one day be threatened by the rise of AI.
In this context, we saw several weird stories this year about people allegedly committing violence against robots, such as the “murder” of a hitchhiking robot, and a drunken attack on a joke-telling, rapping robot named Pepper.
Similarly, there was the story of a Colorado man who was arrested for shooting his computer after it tormented him with Blue Screens of Death. (You've never done such a thing. But you've wanted to!)
And after police in Switzerland seized a robot for buying drugs on the Dark Web, it’s starting to look like our public policies and legal systems are not quite ready to handle the rise of AI.
Although robots have enormous potential to help humans, we’re also increasingly worried about drones and talking dolls invading our privacy and harming our way of life.
Now it’s your turn.
Those are some of the stories that caught our attention this year.
What are you seeing out there? What are your thoughts on the weirdly worrisome security stories of 2015?
Let us know in the comments below.

Friday, December 26, 2014

Sony pulls 'The Interview' after 9/11 terror threat

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Sony Pictures is close to monopolizing security news with post-cyber-attack ripples.

Those ripples now include getting sued by ex-employees over privacy violations, being threatened with a terrorist attack similar to 9/11, having its film The Interview pulled from several cinemas as a result, and the subsequent announcement that Sony has cancelled the theatrical release altogether.

On the breathe-one-small-sigh-of-relief side of the ledger, Reddit has complied with a DMCA takedown request from Sony and banned users from sharing documents pilfered from the movie studio.

On Tuesday, those purportedly behind the hack threatened a terrorist attack on theaters and movie goers who attend screenings of The Interview.

The attackers, who call themselves the Guardians of Peace (GOP), had previously promised to deliver a "Christmas gift," which originally sounded like another batch of leaked data.

But Tuesday's message, which Mashable reports was sent to it and several other news outlets along with a new batch of hacked emails belonging to Sony Pictures Entertainment CEO Michael Lynton, warned people to stay away from the movie, specifically mentioning the 2001 attacks on New York and the Pentagon:

We will clearly show it to you at the very time and places "The Interview" be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to.

Soon all the world will see what an awful movie Sony Pictures Entertainment has made.

The world will be full of fear.

Remember the 11th of September 2001.

We recommend you to keep yourself distant from the places at that time.

(If your house is nearby, you’d better leave.)

A Department of Homeland Security (DHS) official who requested anonymity told Fortune that the DHS isn't aware of any active plot against movie theaters in connection with the attack against Sony.

From his or her statement:

We are still analyzing the credibility of these statements, but at this time there is no credible intelligence to indicate an active plot against movie theaters within the United States. ... As always, DHS will continue to adjust our security posture, as appropriate, to protect the American people.

At least one New York theater canceled the premiere of the film, a Seth Rogen/James Franco comedy about a plot to kill North Korea's leader Kim Jong-un.

Carmike Cinemas, a movie theater chain that's based in Columbus, Georgia, and which has theaters in 41 states, also chose not to show The Interview, according to The Hollywood Reporter.

In addition, the two stars canceled all of their upcoming press events, according to BuzzFeed, which was hosting an event with the two.

Sony announced yesterday that it wouldn't be releasing The Interview on Christmas Day as planned:

In light of the decision by the majority of our exhibitors not to show the film The Interview, we have decided not to move forward with the planned December 25 theatrical release. We respect and understand our partners' decision and, of course, completely share their paramount interest in the safety of employees and theater-goers.

Sony Pictures has been the victim of an unprecedented criminal assault against our employees, our customers, and our business. Those who attacked us stole our intellectual property, private emails, and sensitive and proprietary material, and sought to destroy our spirit and our morale — all apparently to thwart the release of a movie they did not like. We are deeply saddened at this brazen effort to suppress the distribution of a movie, and in the process do damage to our company, our employees, and the American public. We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome.

In other fallout, two of the movie studio's ex-employees have sued the company for failing to protect their private information.

They'd like to turn it into a class action lawsuit of up to 15,000 former employees.

The plaintiffs haven't been specific about the amount of money they're seeking, but according to CNN Money, they want Sony to provide five years of credit monitoring, bank monitoring, identity theft insurance and credit restoration service. They also want Sony to be subject to regular privacy audits.

Finally, a ray of hope that somebody on the internet is going to take down Sony's doxed materials.

As it is, Sony on Monday warned the media not to publish the details of anything that was stolen in last month's breach.

By Wednesday, Reddit had acceded to a DMCA takedown request from Sony.

Reddit removed a hub for sharing the company’s hacked files, deleted posts, blocked individual user accounts, and banned a subreddit devoted to sharing the files.

However, as Reddit told Business Insider, "discussions and news stories" about the attack were unaffected by the bans - similar to how Reddit recently banned stolen celebrity nude photos but allowed discussion about the thefts.


Thursday, December 25, 2014

Google and Facebook under fire from Dutch government over citizens' privacy


The Dutch government is clamping down on the way in which large organisations use its citizens' personal data.

The Dutch Data Protection Authority (DPA) threatened Google with a fine of €15m (£11.9m, $18.7m) on Monday, saying the search giant had breached various provisions of the Dutch data protection act via a privacy policy it introduced in 2012.

The company has been given until the end of February 2015 to change how it handles personal data, especially in regard to the tailoring of adverts based on keyword search queries, video viewing habits, location data and the content of email messages.

Jacob Kohnstamm, chairman of the Dutch DPA, said:

Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested.

Kohnstamm explained how, under Dutch law, Google should have informed users that it was gathering data across a number of platforms - such as YouTube and Gmail - and obtained permission before combining or analysing that data.

The regulator has now demanded that Google obtains "unambiguous" consent from users before combining their data, "via a separate consent screen", rather than through its more generalised privacy policy.

It also ordered the company to add clarification to the policy so that users are better informed as to how each of the company's services is using their data.

Furthermore, Google is required to make it clear that YouTube is part of its setup, though the DPA did note that this already appeared to be underway.

Five other regulators - in France, Germany, Italy, Spain and the UK - have recently received a letter from Google detailing how it intends to comply with European privacy laws but the Dutch DPA says it has yet to establish whether the proposals will suffice within its own jurisdiction.

While the DPA's gripe with Google awaits resolution, it has now moved onto fellow data gatherer Facebook.

In another statement (in Dutch) released on Tuesday it announced it would investigate Facebook's new privacy policy.

The social network announced last month that it intends to make changes to its policy, effective from 1 January 2015.

As Facebook has a physical presence in the Netherlands, the DPA says it is authorised "to act as supervisor", as per a European Court of Justice ruling on Google vs. Spain on 13 May 2014 (the 'right to be forgotten' case).

As such, it has asked Facebook to hold fire on its new privacy policy until it has had the chance to investigate how the changes may impact Dutch users, including how Facebook obtains permission for the use of their personal data.

The latest iteration of the policy states that Facebook can use:

your name, profile picture, content, and information in connection with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it.

Given how the key points of the policy have not changed since it was last revised in November 2013, it seems unlikely Facebook will comply with the DPA's wishes.

According to The Telegraph, the company responded by highlighting how it is "a company with international headquarters in Dublin", which routinely reviews its policies and procedures with its own regulator, the Irish Data Protection Commissioner.

Facebook said it is confident that its new privacy policy is compliant with all relevant laws.


Wednesday, December 24, 2014

Teenager pleads guilty to massive Spamhaus DDoS attack


A 17-year-old London schoolboy who was arrested last year has pleaded guilty to a distributed denial of service (DDoS) attack of unprecedented ferocity launched against the Spamhaus anti-spam service and internet exchanges, including the London Internet Exchange.

Given that he's a minor, he can't be named.

The Register quoted a police statement that said that the boy also admitted last week to money laundering and possessing child abuse images.

He's out on bail pending sentencing on 9 January, the statement said:

A 17-year-old male from London has this week (Wed 10 Dec) pleaded guilty to [offences under the] Computer Misuse Act, money laundering and making indecent images of children offences, following a National Crime Agency investigation. He was arrested in April 2013 after a series of distributed denial of service (DDoS) attacks which led to worldwide disruption of internet exchanges and services. On his arrest officers seized a number of electronic devices. He has been bailed until 9 January 2015 pending sentencing.

He's admitted to having a hand in the biggest DDoS ever recorded: one that at times was reported to be as large as 300 gigabits per second.

Traditionally, even large botnets are only able to deliver hundreds of megabits or a few gigabits per second, as Naked Security noted at the time.

The attackers used large-scale DNS reflection: they sent small DNS queries to "open" resolvers (servers misconfigured to answer queries from anyone on the internet) with the source address forged to be the victim's, so that the much larger answers were delivered to the victim instead of back to the bots. That amplified the power of a much smaller botnet many times over.

It was very effective. While the attack didn't break the internet's backbone when it launched in March 2013, it managed to slow the internet around the world.
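The defender's view of that technique, as an added example in Python that is not part of the original article and has nothing to do with the actual Spamhaus investigation: the victim never sends the queries (the bots do, with the victim's address forged), so what the victim's network sees is a stream of large udp/53 answers from many different resolvers with no matching outgoing questions. The flow-record shape, the thresholds and the sample traffic below are all constructed for illustration; none of it is real capture data.

```python
from collections import defaultdict

# Thresholds are assumptions tuned to the constructed sample, not measured values.
MIN_REFLECTORS = 3        # distinct resolvers answering one host it never queried
MIN_UNSOLICITED_BYTES = 3000
TYPICAL_QUERY_BYTES = 64  # rough size of the small forged query that triggers each answer


def make_flow(src, dst, sport, dport, nbytes, dns_response):
    """One unidirectional UDP flow record, in the shape a flow collector might export (assumed)."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "bytes": nbytes, "dns_response": dns_response}


# Constructed sample traffic (not real capture data).
SAMPLE_FLOWS = [
    # A legitimate lookup: client 10.0.0.9 asks resolver 192.0.2.53 and gets a modest answer.
    make_flow("10.0.0.9", "192.0.2.53", 40001, 53, 64, False),
    make_flow("192.0.2.53", "10.0.0.9", 53, 40001, 180, True),
    # Reflection: 10.0.0.5 never sent a query, yet five open resolvers each deliver a
    # 3200-byte answer to it. The attacker sent ~64-byte queries with 10.0.0.5 forged
    # as the source, so only the amplified replies are visible from here.
    make_flow("198.51.100.1", "10.0.0.5", 53, 3074, 3200, True),
    make_flow("198.51.100.2", "10.0.0.5", 53, 3074, 3200, True),
    make_flow("198.51.100.3", "10.0.0.5", 53, 3074, 3200, True),
    make_flow("198.51.100.4", "10.0.0.5", 53, 3074, 3200, True),
    make_flow("198.51.100.5", "10.0.0.5", 53, 3074, 3200, True),
]


def detect_reflection(flows, min_reflectors=MIN_REFLECTORS,
                      min_bytes=MIN_UNSOLICITED_BYTES, query_bytes=TYPICAL_QUERY_BYTES):
    """Return {victim_ip: summary} for hosts receiving DNS answers they never asked for.

    An answer counts as solicited if a query left the same host, from the same port,
    to the same resolver. Every other packet from udp/53 is treated as reflected.
    """
    solicited = set()
    for f in flows:
        if f["dport"] == 53 and not f["dns_response"]:
            solicited.add((f["src"], f["sport"], f["dst"]))

    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "answers": 0})
    for f in flows:
        if f["sport"] != 53 or not f["dns_response"]:
            continue
        if (f["dst"], f["dport"], f["src"]) in solicited:
            continue
        rec = per_victim[f["dst"]]
        rec["reflectors"].add(f["src"])
        rec["bytes"] += f["bytes"]
        rec["answers"] += 1

    alerts = {}
    for victim, rec in per_victim.items():
        if len(rec["reflectors"]) >= min_reflectors and rec["bytes"] >= min_bytes:
            alerts[victim] = {
                "reflectors": sorted(rec["reflectors"]),
                "bytes": rec["bytes"],
                # bytes delivered to the victim per byte the attacker had to send
                "amplification": round(rec["bytes"] / (rec["answers"] * query_bytes), 1),
            }
    return alerts


if __name__ == "__main__":
    for victim, info in detect_reflection(SAMPLE_FLOWS).items():
        print(victim, info)
```

Two caveats for anyone adapting this: NAT and asymmetric routing can make perfectly legitimate answers look unsolicited because the query left by a path the collector does not see, so the thresholds matter more than the logic; and the only real fix lives on the other side of the transaction, with resolver operators closing open recursion or rate-limiting responses, and with networks filtering forged source addresses so the queries cannot be sent in the first place.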

But the 17-year-old didn't pull all that off all on his lonesome. He was reportedly one of multiple arrests.

In April 2013, another suspect was arrested in Spain.

In fact, the teenager's arrest, by detectives from the National Cyber Crime Unit, followed an international police operation against those suspected of carrying out the massive DDoS.

We're on the brink of a new year. Unfortunately, this kid has made choices to put his talents to use in a way that means he'll be in court soon into the coming new year.

Bad choice. Regrettable choice.

Will he do jail time? Will he cough up names of others involved in the attack?

Time will tell.

But if I had been in on this caper, I'd be very, very worried about getting a knock on the door.


Tuesday, December 23, 2014

Delta Airlines flaw lets others access your boarding pass


Have you travelled on planes in recent years?

If so, I'm sure you've had your fair share of security seriousness at airports.

One of the strictest, and perhaps the most peculiar, exchanges I've overheard went something like this:

"You can't take a 110g tube of toothpaste through security, Sir."
"But, look! It's close to half empty. There's 60g at most in there. Weigh it, you'll see."
"Sorry, Sir. If you want to carry more than 100g of toothpaste, buy two 100g tubes."
"I don't want to carry 200g of toothpaste. I want to carry 60g of toothpaste. In fact, I am carrying 60g of toothpaste."
"I'm sorry, Sir, I don't make the rules. I'm just following orders."

And as for finding out whether your mother-in-law managed to board her connecting flight in Singapore, having been worried about getting lost in Changi airport?

Forget it.

Actually, unlike the dentifrice disaster story above, the lockdown of passenger lists is a good thing.

The privacy of passengers should be strongly protected, so no complaints there.

So, what a disappointment to read that Delta, and apparently other US airlines, didn't seem to see it that way.

Dani Grant, of Hackers of NY, found that out last week when she received a URL from Delta that led to her boarding pass.

(She didn't say in her post but it looks from the screenshots like a non-HTTPS URL; that's a concern for another time.)

The SNAFU was just like last week's flaw at AliExpress, the online retail portal of Chinese e-commerce megabrand Alibaba.

By changing characters in a parameter in a URL, AliExpress users could retrieve the home address and phone number of other users.

At least in the AliExpress case, you had to log in as someone first before accessing the data of anyone.

In Dani Grant's case, arbitrarily changing even a single character in her URL brought up other people's travel plans, without any authentication stage at all.

A bit more URL fiddling, and she had a boarding card for a third passenger on a different airline:


We'll ignore that this makes a mockery of the security precautions at many airports.

Let's look at why this is a problem in general terms, by forgetting the in-flight safety angle for a moment, and considering the cybercrime side of things.

Both the Delta Airlines and the Alibaba URL vulnerabilities play right into the hands of online scammers and social engineers.

In many, if not most, online scams, the crooks don't need to know that you are flying to Florida this evening, arriving at 19:45.

They just need to know that somebody is going to be on that plane, or some other plane, to be able to tweak their criminality to target that person.

And if they can automate the process of recovering that sort of information by simply scraping URLs until they get lucky, they can attack even more broadly.

Of course, this raises the question, "As a consumer, how can you tell if a website is guilty of this sort of data leakage carelessness?"

Sometimes, you'd be wise to assume there's a problem, for example if the confidentiality of a web page relies on some text in the URL, but the text looks far from random (say, a short decimal number that goes up by one for each customer).

But even then, proving there really is a vulnerability is tricky, because:

You might get close by trying nearby strings (e.g. id=32767, id=32768), but not close enough to hit paydirt. (Maybe you needed to try id=42766 instead?)

You might actually hit paydirt, and then what? (Whom do you tell? What if you just broke your country's equivalent of the Computer Misuse Act?)

"Having a go" at URLs to see what you can find is not a good idea, and we don't recommend it.

Even if your motivation is pure, you could end up in trouble if you don't have explicit permission.

A court might form the opinion that you knew jolly well you were going after data that wasn't yours, and find you at fault.

All we can recommend is that if you do encounter what you consider to be security through obscurity, report it and ask what the company concerned has to say about it.

Dani Grant did just that in the case above; Delta, bless their hearts, replied to her, and didn't try to brush it under the carpet, either:

[We] certainly understand how insecure you must have felt due to the unpleasant incident you experienced while trying to view and print [your] boarding pass from our website.

That's not as good as a clear statement that the problem is being fixed, and how solidly, but it's a good start, not least because it explicitly admits the flaw as an insecurity.

By the way, if your company deploys "secret" URLs for any purpose, whether customer facing or internal, why not review how they are generated, distributed and used?

Don't make the same mistakes as Alibaba and Delta...
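What that review looks like in code, as an added example in Python that is not code from Delta, Alibaba or the article: the weak pattern (a counter in the query string, so one valid link tells you where all the others are) beside the hardened one (a 128-bit random token that is the only way to reach the document, stored server-side only as a hash), plus a rough guessability check of the kind you can run over your own links. The endpoint name, the in-memory store and the 64-bit cut-off are assumptions for illustration.

```python
import hashlib
import math
import secrets
from urllib.parse import parse_qs, urlparse

BASE_URL = "https://example.invalid/boarding-pass"  # hypothetical endpoint


class SequentialLinks:
    """The weak pattern: a counter in the query string, so one link reveals them all."""

    def __init__(self, start=32767):
        self._next = start
        self._docs = {}

    def issue(self, document):
        doc_id = self._next
        self._next += 1
        self._docs[doc_id] = document
        return f"{BASE_URL}?id={doc_id}"

    def fetch(self, doc_id):
        # No session or ownership check: whoever guesses the number gets the document.
        return self._docs.get(int(doc_id))


class CapabilityLinks:
    """The hardened pattern: a random token that is the only route to the document."""

    def __init__(self):
        self._docs = {}  # sha256(token) -> document; a leaked table yields no usable links

    def issue(self, document):
        token = secrets.token_urlsafe(16)  # 16 bytes (128 bits) from the OS CSPRNG
        self._docs[self._digest(token)] = document
        return f"{BASE_URL}?t={token}"

    def fetch(self, token):
        # Lookup is by hash, so a near-miss token maps to a different, absent key.
        return self._docs.get(self._digest(token))

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()


def token_bits(value):
    """Generous upper bound on a URL parameter's entropy: length * log2(alphabet size)."""
    classes = {"digit": 10, "lower": 26, "upper": 26, "other": 4}
    seen = set()
    for ch in value:
        if ch.isdigit():
            seen.add("digit")
        elif ch.islower():
            seen.add("lower")
        elif ch.isupper():
            seen.add("upper")
        else:
            seen.add("other")
    return len(value) * math.log2(sum(classes[c] for c in seen)) if seen else 0.0


def guessable_params(url, min_bits=64):
    """Query parameters that look enumerable: pure numbers, or too little entropy to survive a scan."""
    params = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in params.items()
            if v[0].isdigit() or token_bits(v[0]) < min_bits}


if __name__ == "__main__":
    weak, strong = SequentialLinks(), CapabilityLinks()
    print(guessable_params(weak.issue("alice's pass")))   # flags id
    print(guessable_params(strong.issue("alice's pass")))  # flags nothing
```

The entropy estimate is deliberately an upper bound: it will happily pass a 22-character token that was generated from a bad seed or a predictable timestamp, so it catches the Delta-style mistake (a number you can count up from) but is no substitute for checking how the token is actually generated. Note also that even a good capability link is a bearer credential: anyone who sees the URL, in a referrer header, a proxy log or a forwarded email, holds the document, which is why the article's aside about HTTPS is not a side issue.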


Monday, December 22, 2014

The 12 Days of Christmas - all the answers to the #naksecquiz


We've just finished running our 12 Days of Christmas #naksecquiz.

For the first 12 working days of December, we revisited the big stories of 2014, one per day.

Each day, we included a quick quiz question related to the day's material, and invited you to submit your answers.

And each day we gave away Naked Security T-shirts to 5 lucky winners.

We thought this would be a fun way of looking back over the ups and downs of the year.

A huge "Thanks!" to everyone who took part – we received close to 3000 answers to the 12 questions.

Close to 80% of the answers submitted were correct.

Here's how you did:

Lots of you answered more than one question correctly, but only seven people got a perfect 12 out of 12.

We'll let you know who's won the Ueberprize, open to those who got every question correct, once we've told the winner...

...If they want to be identified, of course!

We couldn't include everybody's favourite story, but here's what we chose.


Story: The game "Talking Angela" provoked a stream of comments from people who claimed it was a cover for paedophilia, even though all the evidence (and common sense) said that it was not.

Moral: Make sure brain is in gear before engaging mouth.

Story: XP passed over into unsupported mode in April 2014. But many diehard users said they would neither update to a more secure version of Windows, nor switch to a different operating system.

Moral: Do it for the rest of us, because XP's insecurity doesn't just hurt you.

Story: The "Heartbleed" bug affected software built on vulnerable versions of OpenSSL. Servers (and clients) could be tricked into leaking chunks of their own memory, and there was no knowing what a hacker might get, so everyone scrambled to patch it.

Moral: Many eyes make all bugs shallow? Piffle. This bug was there for years.

Story: Numerous Aussies woke up one morning to find their iPhones locked and a $100 ransom demand displayed. Crooks had used hijacked Apple IDs to lock the devices remotely and wanted money to sell you back the unlock passcode.

Moral: Pick a proper password.

Story: The developers of the free and popular encryption software TrueCrypt suddenly announced, "It's insecure. Don't use it." Seems they just decided they'd had enough. Goodbye users.

Moral: Buy Sophos's SafeGuard product instead.

Story: Mobile malware has been around for ten years already. It all started with Cabir, a Symbian worm for Nokia phones from 2004.

Moral: There's nothing new under the sun.

Story: Law enforcement took out a bunch of servers behind the infamous malware families Gameover and CryptoLocker. Sadly, new crooks appeared to fill the void.

Moral: Keep your guard up.

Story: SophosLabs in Hungary measured a single zombie-infected PC on a regular network connection sending 5,500,000 spams in a single week. 75% of the spam advertised dodgy pharmaceutical sales; the rest sent out malware.

Moral: Kill-a-zombie today.

Story: Apple and U2 signed a deal to give you the new U2 album for free. But they didn't ask you. Whether you wanted it or not, it just turned up in your iTunes.

Moral: Ask for permission. Even if you are Bono.

Story: The "Shellshock" bug was found in Bash, a command processor common on OS X and Linux. Bash would run commands smuggled in after a function definition in an environment variable, so a server that passed untrusted input into the environment of a script, even one programmed to be really cautious, could be made to run whatever the attacker sent.

Moral: Still think Linux and OS X have some sort of magic security shield?

Story: You could bypass Snapchat's claimed "auto-deletion" of photos by fetching them onto a site called SnapSaved.com. Guess what? SnapSaved.com got hacked.

Moral: You uploaded a selfie to the internet. What did you think was going to happen?

Story: We went out of our way to convince you that there's never a good reason to choose a weak password. You may as well choose a good one every time, especially if you use software to help you with the randomness.

Moral: There's never a good reason to choose a weak password.

Because there isn't a Day 13 article, there isn't anywhere to click for the answer to the final question from Day 12.

So here it is.

We asked you to make sense of the six characters MXIPCZ by using what we called a "Caesar Salad" cipher.

Shift 3 letters along 3 places; 2 letters along by 2; and 1 letter by 1.

For example, shifting MXIPCZ with the "shift key" 122333 would give NZKSFC, although that doesn't make sense.

If you treat the possible keys as the arrangements of the string 122333, denoting the amount to shift each letter, there are 720 (6x5x4x3x2x1) ways to order six symbols.

But swapping the two 2s, or any of the three 3s, gives the same key, so there are only 720 / (2 x 6) = 60 distinct keys to try.

You could write a quick program to print them all out and then look for the obvious one. (We used Python and its itertools module.)

Or you could just write out three rows of characters, shifting each letter one, two or three characters in each row, like this:

Scrambled = MXIPCZ
Shifted 1 = NYJQDA
Shifted 2 = OZKREB
Shifted 3 = PALSFC

Now choose one character from each vertical column, and see if you can make anything like a word.

If you can, cross-check that it matches the "shift key" pattern of 3 letters by 3, 2 letters by 2 and 1 by 1.

We think the answer's obvious: NAKSEC.
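The brute force spelled out, as an added example that is mine and not the Python script Naked Security used: enumerate the 60 distinct keys, apply each to MXIPCZ and pick out the one that reads as a word. The key is written as six shift amounts, one per letter, and the only assumption is that shifting wraps from Z back to A.

```python
from itertools import permutations
import string

CIPHERTEXT = "MXIPCZ"
KEY_MULTISET = "122333"  # one letter shifts by 1, two by 2, three by 3

ALPHABET = string.ascii_uppercase


def shift_letter(ch, n):
    """Shift one upper-case letter n places along the alphabet, wrapping Z to A."""
    return ALPHABET[(ALPHABET.index(ch) + n) % 26]


def decode(ciphertext, key):
    """Apply a per-letter shift key such as '132323' to the ciphertext."""
    return "".join(shift_letter(c, int(k)) for c, k in zip(ciphertext, key))


def unique_keys(multiset=KEY_MULTISET):
    """The distinct orderings of the multiset: 720 raw permutations collapse to 60."""
    return sorted({"".join(p) for p in permutations(multiset)})


def candidates(ciphertext=CIPHERTEXT):
    """Every key paired with the text it produces; eyeball this for the real word."""
    return {key: decode(ciphertext, key) for key in unique_keys()}


def keys_for(plaintext, ciphertext=CIPHERTEXT):
    """Which keys turn the ciphertext into a given plaintext (at most one here,
    since each letter's shift is fixed by the ciphertext/plaintext pair)."""
    return [k for k, p in candidates(ciphertext).items() if p == plaintext]


if __name__ == "__main__":
    for key, plain in candidates().items():
        print(key, plain)
```

Sixty lines of output is few enough to scan by hand; with a longer key you would filter the candidates against a word list instead of reading them.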
