WikiLeaks exposes thousands of sources in written-password SNAFU

Inside Julian Assange's War on SecrecyThe cone of silence over WikiLeaks’ thousands of sources – many of whose lives are at risk if identified – has been shattered, all thanks to the most mundane, all-too-human security screwup imaginable.

To wit: WikiLeaks founder Julian Assange wrote down the password on a piece of paper, and then forgot to change it later.

The security breach has thrown open the doors to WikiLeaks’ entire archive of 251,000 secret U.S. diplomatic cables.

To the horror of the media partners it has worked with in the past to carefully redact the documents – The Guardian, The New York Times, El Pais, Der Spiegel and Le Monde – WikiLeaks has published its entire archive, unredacted, putting in danger several thousands of people whom the U.S. has tagged as being at risk if exposed. The documents also cite more than 150 whistleblowers.

“We deplore the decision of WikiLeaks to publish the unredacted state department cables, which may put sources at risk,” the organizations said in a joint statement.

“Our previous dealings with WikiLeaks were on the clear basis that we would only publish cables which had been subjected to a thorough joint editing and clearance process. We will continue to defend our previous collaborative publishing endeavour. We cannot defend the needless publication of the complete data – indeed, we are united in condemning it.”

The media partners made it clear that this time, with this move, Assange got no help from them. “The decision to publish by Julian Assange was his, and his alone,” they said in the statement.

Der Spiegel has chronicled the archive’s publishing, tracing it back to a meeting between Assange and David Leigh of The Guardian.

According to the account, as the British journalist recounts in his book “Inside Julian Assange’s War on Secrecy”, Leigh and Assange at one point sat down to discuss how Assange would provide Leigh with a file including all of the diplomatic dispatches received by WikiLeaks.

PasswordAccording to Der Spiegel, Assange placed the file on a server and wrote part of the password on a slip of paper. To make it work, one had to complete the list of characters with a certain word.

Can you remember it? Assange asked. Of course, Leigh said.

“At the time, Daniel Domscheit-Berg, who later founded the site OpenLeaks, was the German spokesman for WikiLeaks. When he and others undertook repairs on the WikiLeaks server, he took a dataset off the server which contained all manner of files and information that had been provided to WikiLeaks. What he apparently didn’t know at the time, however, was that the dataset included the complete collection of diplomatic dispatches hidden in a difficult-to-find sub-folder,” according to Der Spiegel.

With the dataset in the hands of Domscheit-Berg, Leigh went on to describe his meeting with Assange in his book. In the book, however, he included not only the portion of the password on the slip of paper, but also the part he had been asked to commit to memory.

What followed included feuding between Domscheit-Berg and Assange, attempts to prove that Assange wasn’t trustworthy, and the eventual disclosure that not only was the entire dataset circulating, but that the password could be found in Leigh’s book.

At this point, fingerpointing is rampant. WikiLeaks’ Twitter feed blames The Guardian. The Guardian is protesting its innocence, putting out a statement claiming that it had been told the password was only temporary.


WikiLeaks

It is strictly false that the Guardian was told the password or file were temporary, hence the elaborate password handover method.

The U.S. Embassy in London and the U.S. State Department were notified of the possible publication on August 25 to enable officials to warn the named informants. Hopefully, this has given them enough time to remove themselves from harm.

Whether that is possible for all the sources who’ve been put in harm’s way is an open question.

But one thing is certain: The platforms to which whistleblowers have hitherto brought their leaks are compromised. They are as riddled with security holes, as flailing with common human weaknesses, as the most ridiculed home user running an unsecured wireless network and the most inept office worker writing down his password on a Post-It note.

Let us hope that this carelessness, this breathtaking lapse in security hygiene, leads to no loss of life.


UK student loans targeted by phishers in latest spam campaign

Student in OxfordWith British students about to start another year at university, the last thing they probably want to hear is that there is a problem with a student loan.

But that’s precisely the camouflage that online scammers are using to steal personal information today.

An email, claiming to come from Directgov UK, tells students that there is a problem with the online account for their student loan, and they need to update their account urgently.

Here’s a typical spammed-out message we’ve seen in our traps:

Student loan phishing attack

Subject:

Student Loan Update.

Message body:

Dear Student Finance Customer.

We at HM Government noticed your Student loan online log in details is incorrect and need to be updated.

DOWNLOAD THE ATTACHMENT TO UPDATE YOUR ACCOUNT NOW

Regards
Inline Verification. Directgov UK.

Attached file:

Student Loan Update.html

Clicking on the HTML attachment is not a good idea, however, as it will urge you to enter your details which are then sent via a website to the phishers.

Student loan phishing attack

Sophos products block the message as spam, and block the webpage that the HTML form is attempting to post the personal information.

Remember to always be suspicious of unsolicited attachments. Also, I would hope that a good student would have noticed the grammatical mistake in the phisher’s email..


‘Peeping Tom’ webcam blackmailer jailed for six years

Luis Mijangos. Picture credit: Nick Ut/APA man from Southern California who hacked into over 100 computers, and used personal information stolen from them to extort sexually explicit videos of young women and teenage girls, has been sentenced to six years in prison.

32-year-old Luis Mijangos, an illegal immigrant from Mexico who was living in Santa Ana, California, was arrested last year after a lengthy investigation by the authorities.

Mijangos infected his victims’ computers with malware, allowing him to gain access to their email accounts, turn on their webcam to take secret movies, and search their PCs for sexually explicit and intimate images and videos.

In some cases, Mijangos also posed as some of the victims’ boyfriends to convince them to send him nude pictures.

At this point, things got really nasty. Mijangos would threaten to post his victims’ intimate images online unless they provided him with more sexually explicit photos and videos for his personal gratification.

In at least one instance, Mijangos posted naked photographs of a woman on her friend’s MySpace page.

Mijangos, who is confined to a wheelchair because of a medical condition, was sentenced to six years in prison by US District Judge George King.

Before sentencing, Mijangos apologised to his victims:

"To all the victims I want to say that I'm sorry. I'm ready to do the right thing and stay out of trouble."

WebcamMijangos is far from the first hacker to take remote control of webcams to spy upon victims.

For instance, in early 2005, Spanish authorities fined a student who captured movie footage from unsuspecting users, and arrested a 37-year-old man who spied on victims via a webcam while stealing banking information.

The following year, Adrian Ringland, from the English town of Ilkeston, Derbyshire, was sentenced to jail for ten years after admitting posing as a minor on internet chatrooms and using spyware to take explicit photographs via children’s webcams.

And in 2008, a 27-year-old Canadian man was charged with using spyware to take over the webcams of women as young as 14 and coercing them into posing naked for him.

Perhaps the most eyebrow-raising incident I have heard of, however, is the case of the man who is alleged to have displayed error messages on his potential victims’ laptop screens, tricking them into taking their webcams into the shower with them.

With many home users keeping poorly-defended PCs in their bedroom, there is clearly considerable potential for abuse – particularly amongst the young. The message is simple: keep your PC protected against the latest threats with anti-malware software, security patches and firewalls, and if in any doubt unplug your webcam when you’re not using it.

Picture credit: Nick Ut/AP

Protecting others from getting ripped off – online or offline

This week, I’ve been attending and presenting at a conference in Brisbane, Queensland, entitled Seniors’ Fraud Protection Symposium.

The event was organised by the Queenland cybercops – the same guys who brought you Fiscal the Fraud Fighting Ferret – and aimed to get law enforcement, business and industry groups to work together to reduce the exposure of seniors to financially-oriented crimes.

Of course, seniors (loosely defined in Australia as anyone 50 or above) aren’t automatically at a higher risk of getting ripped off.

After all, seniors have, by definition, more life experience – which might include getting ripped off in their youth, and learning an important lesson as a result.

But seniors who have already retired from full-time work, and who are relying on returns from existing investments to survive, must be considered at high risk of financial scams.

Many Aussies currently living on government-mandated retirement investments have seen their nest-eggs implode recently. If you’d made compulsory investments all your life in an official, government-approved, household-name superannuation fund only to find out that the smooth-talking company running the fund had feet of clay all along, you too might easily be tempted to try something out of the ordinary to top up your retirement savings.

Lottery scams were one of the ‘extraordinary’ investment opportunities covered at the conference.

When most people think of lottery scams, they think of those emails awarding you a prize in a lottery you didn’t even enter. Those scams are unsophisticated and rather obviously bogus. After all, you can’t legally win a lottery you didn’t enter.

But there’s another class of lottery scam. These don’t feel like internet scams, because they’re kicked off by professional-looking documents delivered by old-fashioned snail-mail. Nevertheless, these scams often rely on a cyber-element to give them credibility, and cyber-technology such as cheap internet telephony to offer toll-free entry by phone or fax.

Never forget that even a professional-looking printed document backed up by a professional-looking website, and endorsed by objective-looking reports talking up the business, might still be a total scam. Anyone can publish reports saying company X is excellent – including company X itself. Self-boosting like this is called astroturfing. You make yourself seem to have support, right down to grassroots level. But the grass is completely fake.

Some of these lottery operations might argue they’re not really scams – they may be technically legal, albeit only just – but they are nevertheless astonishingly unwise investments, made to look attractive with a bit of lustrous Web 2.0 polish.

Ironically, just the morning after I returned from the event, a colleague – not yet half way to senior age – dropped a lottery scam letter on my desk, asking for comment.

This scam carefully avoids saying, or even implying, you’ve already won a prize, but that might be because the same company was previously outed in local news – in Queensland, no less.

Back in 2009, the company was sailing even more closely to the wind, dubbing their document an “Acceptance Form”. Now, it’s just a “Notification of Entry Eligibility.”

The premise is simple. You give the company, your personal details in writing, including your credit card number, expiry date and CVV code – those secret three digits on the back, which you ought never to write down.

They take AU$20 from your credit card to buy you 8 tickets in the Irish lottery (tickets you never receive yourself) over the coming month. That accounts for about AU$16 of your entry fee. The remaining $4 enters you into what’s described as a syndicate which will enter you into 24 lottery draws in the next four weeks – two each week in Ireland, Spain and Germany. You will share in any winnings your syndicate makes.

Now read the small print. Your $4 “syndicate” consists of 600 lottery tickets per week- 200 each in Ireland, Spain and Germany. Whether there is one person or 1,000,000 in your “syndicate” over the next four weeks, the total investment of the lottery scammers on your collective behalf remains the same: 2400 lottery tickets.

So your collective chance of winning is not increased at all by the number of “syndicate” members. At the same time, your stake in any winnings is divided by the number of members.

Let’s imagine, for a moment, that the lottery scammers attract 1,000,000 entrants this month. That’s perfectly possible, since they’re promoting their scam worldwide, and offering what they claim are toll-free phone and fax lines in 19 different countries to help suck you in.

The lottery scammers would take in a cool AU$20,000,000 each month – a turnover just short of AU$250 million per year. AU$4,000,000 per month – or nearly $50,000,000 a year – would be the “syndicate” fees.

Now let’s assume, even with just 2400 tickets between the lot of you, that your syndicate collectively wins the AU$67,000,000 which the scammers unrealistically tout as the maximum value of your possible prizes. You’d get out just AU$67 each.

For this outlandish and absurdly unlikely outcome, you’d be paying $4 to win $67 – odds below 18-to-1. But for that 18-to-1 return, you and your other syndicate members would need to win lottery prizes not just once, but repeatedly throughout the month.

And how likely is that? The Irish Lottery feels obliged to tell you. The official approximate odds of winning any one lottery draw – for a minimum prize of about AU$3 million – are 1 in 8,145,060. So, assuming 2400 tickets, your syndicate would have about 4000-to-1 odds of getting back $3 each ($3 million split 1,000,000 ways), all for an initial investment of $4. In other words, if you’re really, really lucky in any one month, you’ll lose only $1, rather than the whole $4.

Worse still, you don’t actually share in all the prizes your tickets might win. The scammers’ terms and conditions allow them to keep any prizes other than the top-level jackpots. And, of course, the scammers have your credit card details – including the CVV needed for card-not-present transactions – and a bunch of other personally identifiable information.

Don’t fall for this sort of nonsense. And protect others from getting ripped off, too.

Friends don’t let friends get scammed online. Or offline, for that matter.