Frosted Flakes: Buried By Hackers

Get more secure or get hacked.

This week has sucked so far.

I’m not going into too much detail, but I have a site whose Office 365 accounts have been hacked through web access. This occurred because those user passwords were generated with an algorithm that uses a standard format of four characters and four numbers. The key is, apparently, that the four characters are always “pronounceable”, which means hackers just generate a list of, say, 250k possibilities, and then they slowly attempt to log into your Office 365 account using known email addresses.
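Guessing that slowly, one or two tries per account across many accounts, never trips a per-account lockout, so it has to be counted per source. As an added example (not from the original post; the record format and entries are constructed, not the real Office 365 sign-in schema), this Python flags sources that fail against many accounts with few tries each and lists the accounts that then signed in successfully from them:

```python
# Added example, not from the original post. Record format and sample
# entries are constructed; this is not the real Office 365 sign-in schema.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2019-01-21T08:02:11 alice@example.com 198.51.100.7 FAIL
2019-01-21T08:03:40 alice@example.com 203.0.113.10 OK
2019-01-21T08:41:05 bob@example.com 198.51.100.7 FAIL
2019-01-21T09:15:22 carol@example.com 198.51.100.7 FAIL
2019-01-21T10:02:48 dave@example.com 198.51.100.7 FAIL
2019-01-21T10:30:13 bob@example.com 203.0.113.31 FAIL
2019-01-21T11:47:59 erin@example.com 198.51.100.7 FAIL
2019-01-21T12:20:37 frank@example.com 198.51.100.7 OK
"""

def parse(log_text):
    """Parse 'timestamp user source_ip result' records into tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user.lower(), ip, result))
    return events

def spraying_sources(events, window=timedelta(hours=6),
                     min_accounts=4, max_per_account=2):
    """Source IP -> accounts it failed against, for sources whose failures
    inside `window` hit >= min_accounts accounts with <= max_per_account
    tries each. Per-account lockout never trips on this pattern, so the
    count has to be kept per source, not per user."""
    fails_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            counts = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start <= window:
                    counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[ip] = sorted(counts)
                break
    return flagged

def compromised_after_spray(events, flagged):
    """Accounts that later signed in successfully from a spraying source: reset first."""
    return {user for _, user, ip, result in events
            if ip in flagged and result == "OK"}
```

The single failure from 203.0.113.31 is an ordinary typo and stays unflagged; the source that failed against five accounts and then succeeded against a sixth is the one whose account needs a reset first.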

It’s been a mess of changing user passwords and making sure everything is working properly. We could enable multi-factor authentication, which requires our users to have a phone to which we could send a text message (as an example). Is that fair to our users who are not carrying company phones? Can we do that to them? Not at this point, anyway.

The situation is worse than this, but I’m not going into the rest of the details.

At another site, I misconfigured a mail server, only to be notified by the security at a customer site that it was being used to relay spam. It was a dumb mistake, but somebody out there found it very fast, another indication of just how precarious the situation with security is right now.

News

Annual Coaches vs. Cancer Game Set for Saturday - Huskers.com - Nebraska Athletics Official Web Site
As part of Saturday’s game against Ohio State, the Husker basketball programs and Athletic Department will recognize members of the Husker Athletic family and fans who have been personally affected by cancer. It is part of the National Association of Basketball Coaches (NABC) and American Cancer Society’s Suits and Sneakers week.

Male scout team provides NU women’s basketball alternative practice options | Sports | dailynebraskan.com
Practice makes perfect, and for the Nebraska women’s basketball team, perfection can require an uncommon approach: an all-male scout team.

Big Ten NCAA Tournament Bracketology: Michigan State a #1 Seed - Off Tackle Empire
Michigan lurks just behind Michigan State in the latest NCAA Tournament bracket projections. Can the Big Ten still sneak 10 teams into the Big Dance?

Roundtable: What to make of the 2018 Coaching Carousel - Underdog Dynasty
Let’s talk about our favorite hires from the coaching carousel and who might be on the way out in 2019.

Ohio State stumbles, loses at home to Purdue 79-67 - Land-Grant Holy Land
The Buckeyes extend their losing streak to five games.

Game Wrap: Purdue 79, Ohio State 67 - Hammer and Rails
Purdue gets another road win as CE inches up the all-time scoring list.

Illinois’ comeback not enough against Wisconsin, 72-60 - The Champaign Room
Illinois drops another conference game at home.

Indiana loses to Northwestern, extends losing streak to five - The Crimson Quarry
The game was bad but the implications? Oh— those were so much worse.

Penn State investing in its basketball program doesn’t make dollars or sense - BT Powerhouse

Hiring a ringer (read: Hoiberg or Matta) to improve the program’s on-court performance wouldn’t add up

Interesting perspective. I’m pretty sure I don’t agree with it, but it’s still an interesting perspective. One might imagine Nebraska in this situation were it not for the great attendance at PBA and this idea that you don’t give up just because you haven’t succeeded before.

How to Fix the NFL Overtime Rules: What NCAA Football Says - Off Tackle Empire
If overtime rules made any sense, Pats-Chiefs would still be going on, and it’d be awesome.

NCAA oversight committee open to changes to targeting rule, overtime
"We would consider changes of how it's done from the officiating aspect of it, from the ejection aspect of it, but we think it needs more study," Lyons said. "It was a lengthy discussion. One of the biggest concerns is we don't want to go back and look like we're doing something that's not in the well-being, health and safety of the student-athlete, so if you back off the penalty, is it sending the message that this is OK and this is not?"

Virginia Tech’s transfer exodus now includes QB Josh Jackson - SBNation.com
Two years in a row, the Hokies have a ton of attrition.

Then There’s This

Lunar Eclipse Video Catches Meteorite Hitting the Moon
During the super blood wolf moon total lunar eclipse on Monday, cameras pointed at the moon captured the first known sighting of a meteorite slamming into the shadow-covered moon. This 24-second video of the impact was released by Jose Maria Madiedo at the University of Huelva in Spain.

Boeing’s flying car lifts off in race to revolutionize urban travel
Boeing Co said on Wednesday its flying car prototype hovered briefly in the air during an inaugural test flight, a small but significant step as the world’s largest planemaker bids to revolutionize urban transportation and parcel delivery services.

Hijacked Nest cam broadcasts bogus warning about incoming missiles – Naked Security

A hacked Nest camera broadcast the fake warning about incoming North Korean missiles, sending a family into “five minutes of sheer terror.”

I found this quote interesting:

They have a responsibility to let customers know if that is happening. I want to let other people know this can happen to them.

I’m gonna say bullshit. Companies with IoT devices should let customers know, but hey, are they going to do that? Did you register your device so the company you bought it from has an email address for you? Did you give them your phone number?

Did you bother looking up support information on the web? Did you change the default password? Did you enable 2FA/multi-factor authentication? Did you see if there were security updates?

There are billions of these devices projected to go online over the next few years. They’re going to get cheaper, and you will be convinced that security cameras will make your home safer, that you really need your fridge to tell you when you’re out of milk, and that your energy usage will be so much more efficient if you have smart devices controlling your thermostat.

Never mind that you’re going to have more devices controlling your life, what’s really going to happen is hacking is going to get much worse. All of these devices will become nothing more than attack vectors for hackers. More bank accounts will be stolen, more of your money gone.

You need to start enabling 2FA on your personal accounts, like Facebook. 2FA is a pain in the ass, yes, but it’s not as big a pain as having your account stolen. You need to change default passwords on any device you install in your home. You need to use different passwords when you use different accounts.

When I tell this to people, I commonly get the response, “I can’t remember all these passwords.”

Bullshit.

You can remember what’s important to you. What you’re saying is that this isn’t important to you. Until your credit card is stolen. Or some guy is calling you on the phone, telling you you need to go to Walgreens, purchase four $100 Google Play cards and read him the numbers on them (this happened to my neighbor within the past couple weeks - he hung up the phone, came over and started frantically banging on our door asking for help).

If you don’t start doing this, your shit will be stolen.