Spotify lose user data

In a security notice posted on their blog on the 4th March, Spotify announced to users that an unknown group had managed to compromise their security protocols. The breach meant that the attackers had access to information that could allow testing of a very large number of passwords, possibly finding the right one.

Spotify is an internet based music service. Spotify are quoted as saying “Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure 3rd party provider”.

All users with accounts created on or before December 19th 2008 have been advised to change their Spotify passwords and are strongly encouraged to change passwords for any other services using the same password.
What this means in real terms is that a hacker (or group of hackers) managed to access a detailed description of how Spotify encode and send the passwords between the browser and their server (this is referred to as their protocols). The passwords themselves are not actually stored on the server (or transferred over the internet); instead a special mathematical code is applied to the password within the browser to form a complex code that only the server can understand (this is referred to as a password hash). It is almost impossible to convert back from a password hash to a password, so the passwords themselves have not been exposed, but hackers have been able to download these hashes. What this means is that the hackers are able to do brute force attacks, sending a very large number of possible passwords, for example starting with the letter a, then aa, ab, ac, adding more and more letters and numbers and trying every combination until one opens the account. They then have access to your account, unless you have changed your password before they get the chance.

The next logical step for a hacker would be to see if you have used the same name and password for other services, especially online banking or betting accounts. Even iTunes accounts, for example, where they could purchase songs to sell on. Once exposed, the account information itself may even be sold to criminal gangs for use in identity theft.

So what can you do to protect yourself from this kind of exposure? You can try only signing up to services that you would trust to protect your information, using complex passwords (8 characters or more, combining numbers, letters and other characters if possible), not using the same password for multiple accounts, and never using words or names, as these are easily discovered with dictionary attacks – even if you switch letters for numbers that look the same, for example s’s for 5’s.
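As an added illustration of the two points above (this is example code, not Spotify’s or the original post’s): how large the search is when an attacker holds a leaked hash table and enumerates passwords a, aa, ab, …, and how a salted, iterated hash multiplies the cost of every guess. The guess rate and the PBKDF2 iteration count are assumed figures; the post does not say what hash Spotify actually used.

```python
import hashlib
import hmac
import os
import string

# Alphabets behind the post's advice: lower-case letters only versus
# letters, digits and other characters, eight or more of them.
LOWER = string.ascii_lowercase
MIXED = string.ascii_letters + string.digits + string.punctuation

# Assumed guess rate for one machine testing an unsalted fast hash
# (illustrative figure, not taken from the post).
FAST_GUESSES_PER_SEC = 1e9


def keyspace(alphabet: str, max_len: int) -> int:
    """Candidates an exhaustive search 'a, aa, ab, ...' must try to cover
    every password of length 1..max_len drawn from `alphabet`."""
    n = len(alphabet)
    return sum(n ** k for k in range(1, max_len + 1))


def seconds_to_exhaust(alphabet: str, max_len: int,
                       guesses_per_sec: float = FAST_GUESSES_PER_SEC,
                       work_factor: int = 1) -> float:
    """Worst-case time to try the whole keyspace. `work_factor` is how
    many times more expensive each guess is than a single fast digest."""
    return keyspace(alphabet, max_len) * work_factor / guesses_per_sec


def fast_hash(password: str) -> bytes:
    """Unsalted single-pass digest: the cheapest kind of hash for an
    attacker to test a leaked table against."""
    return hashlib.sha256(password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256). The iteration
    count is the work factor every guess must pay; the salt stops one
    precomputed table from serving every account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = 100_000) -> dict:
    """What a server should store instead of the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": slow_hash(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """Constant-time check of a login attempt against a stored record."""
    candidate = slow_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    for label, alphabet, length in (("lower-case, 6 chars", LOWER, 6),
                                    ("lower-case, 8 chars", LOWER, 8),
                                    ("mixed, 8 chars", MIXED, 8)):
        fast = seconds_to_exhaust(alphabet, length)
        slow = seconds_to_exhaust(alphabet, length, work_factor=100_000)
        print(f"{label:22} fast hash: {fast:14.1f} s   slow hash: {slow:.3e} s")
    rec = make_record("correct horse")
    print(verify("correct horse", rec), verify("wrong", rec))
```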


Data Corruption at ma.gnolia

This blog entry has taken me a while to post, largely because I really didn’t want to have to post it at all.

I have been a huge fan of social bookmarking ever since I first heard of it. For me it just makes so much sense. I store all my bookmarks online, so whether I’m on my MacBook, my office PC, my mobile phone or using someone else’s computer I have access to the sites I love. But it’s more than that: I’ve signed up to a number of groups of like-minded peers, and am now part of those communities. I can see the sites that my friends have discovered, and access those resources; quite often the sites that I come across in this slightly serendipitous way are the real gems.


Having played with several social bookmarking sites I’d settled on ma.gnolia.com as the site that worked best for me. It was easy to use, worked graphically, had some nice tools, a great community, and I found Larry Halff, the founder, very likeable.

Disastrously, in early February ma.gnolia suffered catastrophic data corruption. The database, which was approaching half a terabyte (500GB), became corrupt. While it was backed up, the backup was simply backing up live data and not making archived duplicates, so it could not be rolled back to an earlier version. After several attempts to recover the corrupt data, it was decided that there was no hope of recovering the datastore. Larry managed to come up with some tools to recover individual users’ datastores from cached local and Google data, and suggested other social bookmarking sites with good communities that users might migrate to.

Typically of Larry, he has been very open and very honest about the whole thing, sharing his experience so other people can learn from it. In the video below Larry Halff talks to Chris Messina of citizen’s garden about the history of ma.gnolia, what happened with the data corruption and what the future holds for ma.gnolia.

Video: Larry Halff discusses ma.gnolia.com past, present and future with Chris Messina.

I simply can’t imagine how much pain ma.gnolia must be feeling right now, having spent so much time and effort building up the site and the community surrounding it. To ma.gnolia’s credit, I’ve never once heard them blaming anyone else or coming up with excuses. As an IT manager I have some idea how much pressure there must have been from users to maximize running speed and performance, even at the expense of back-end services like backup and recovery.

I was lucky in that I had a recent backup and I was mirroring my bookmarks on Delicious; what I miss most though is the sense of community. I hope that ma.gnolia does make a recovery and comes back bigger and better than ever, and that I and the rest of the ma.gnolia community get an opportunity to help in whatever way possible.

One lesson that maybe we could all learn from this is that we all need reliable backup plans of our own, and shouldn’t rely on internet based services too much, because you really don’t know when disaster can strike.
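To show the difference the post draws between backing up live data and keeping archived duplicates that can be rolled back, here is an added Python simulation (example code, not ma.gnolia’s actual setup, which the post does not describe in detail). The store format, the “END” trailer used as an integrity check and the three-generation retention window are invented for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def is_intact(path: Path) -> bool:
    """Toy integrity check: a healthy store is text ending with an END marker."""
    return path.read_bytes().endswith(b"END\n")


def mirror_backup(live: Path, backup_dir: Path) -> Path:
    """The scheme described in the post: the backup is a copy of whatever the
    live store holds right now, so corruption is faithfully copied too."""
    backup_dir.mkdir(exist_ok=True)
    target = backup_dir / live.name
    shutil.copy2(live, target)
    return target


def _generations(backup_dir: Path, name: str) -> list:
    # Archive copies are named <store>.<generation>, sorted oldest first.
    return sorted(backup_dir.glob(f"{name}.*"), key=lambda p: int(p.suffix[1:]))


def versioned_backup(live: Path, backup_dir: Path, keep: int = 3) -> Path:
    """Archived duplicate with a generation number and a retention window:
    earlier generations are left untouched, so a known-good one survives."""
    backup_dir.mkdir(exist_ok=True)
    existing = _generations(backup_dir, live.name)
    next_gen = int(existing[-1].suffix[1:]) + 1 if existing else 1
    target = backup_dir / f"{live.name}.{next_gen}"
    shutil.copy2(live, target)
    for old in (existing + [target])[:-keep]:  # prune beyond retention
        old.unlink()
    return target


def latest_intact(backup_dir: Path, name: str) -> Optional[Path]:
    """Newest archived generation that still passes the integrity check."""
    for gen in reversed(_generations(backup_dir, name)):
        if is_intact(gen):
            return gen
    return None


def simulate(keep: int = 3) -> dict:
    """Three days of good writes, then silent corruption, with both backup
    jobs running each night. Reports what each scheme can still hand back."""
    root = Path(tempfile.mkdtemp())
    live = root / "bookmarks.db"
    mirror_dir, archive_dir = root / "mirror", root / "archive"
    for day in range(1, 4):
        live.write_text(f"day {day}: saved bookmarks\nEND\n")  # constructed data
        mirror_backup(live, mirror_dir)
        versioned_backup(live, archive_dir, keep)
    live.write_bytes(b"\x00\xff garbage \x00")  # corruption hits the live store
    mirror_backup(live, mirror_dir)
    versioned_backup(live, archive_dir, keep)
    good = latest_intact(archive_dir, live.name)
    result = {
        "mirror_intact": is_intact(mirror_dir / live.name),
        "archive_recoverable": good is not None,
        "recovered_text": good.read_text() if good else None,
        "generations_kept": len(_generations(archive_dir, live.name)),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(simulate(keep=3))
    print(simulate(keep=1))  # too short a window: the bad copy is all that is left
```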


I’ve been rated on blogged

I got an email from the people at Blogged this afternoon to say that they had recently rated my “World of IT Blog” with a score of 8.3. This means I made it into the top 10 in the Information Technology section alongside sites like the awesome TechCrunch.


The rating is based on frequency of updates, relevance of content, site design and writing style.

This is immensely flattering for me, not only because I’m human and everyone likes to hear that their peers appreciate their work, but also because I always struggled in English classes at school (spelling was never my strength; in fact I failed my O-level English a couple of times before eventually passing).

I started the World of IT blog about a year ago, mainly to see how the technology worked and to experiment with various forms of social networking, because it was becoming more and more important to my work in IT. But I have kept it up because I kind of enjoy writing it (although lately I have not had time to update it as often as I would have liked). Hopefully this rating will be the motivation I needed to update more regularly.

During the last year I have been asked to write a couple of pieces for the technology section of the local paper (The Journal). I have enjoyed this immensely; it’s been great to work with a pro writer and to get their feedback on my articles (my thanks to Lewis Harrison). I have also been lucky enough to preview and offer advice on a series of articles on web 2.0 by Justin Souter in b.daily, which was another enlightening process, watching how ideas grow and develop as we discussed them. I like to think that these experiences have helped improve my writing generally and are improving the experience for you the reader.

I’d like to finish by thanking Blogged for the rating, the many other tech bloggers out there (you’re doing a great job!) and of course you, my audience, for your support and feedback (do please leave a comment and let me know what you think of the blog and any improvements or changes you’d like to see!).


Viruses target social networks

Last week I fell victim to a virus. More correctly, I fell victim to a piece of malware / spyware. As I work in IT it didn’t cause too much of a problem, but it did make me take another look at the whole spyware problem.

The first thing that surprised me was that my current anti virus/malware software had not picked it up. I’m a bit of a security control freak and actually run online, gateway, server and desktop AV, none of which detected or matched the patterns in this virus. The virus managed to set up its own proxy server on my machine, bypass my own proxy server, disable my local AV software and run a number of exe files that mimicked the Windows alert modules, telling me the system had detected a problem and offering to install software to help. In fact even when I ran deep scans with Trend and Spybot Search and Destroy, two leading titles in anti malware, they reported that my system was running normally with no viruses found. It was obvious that I did have a problem, in that there were around 160 exe files running and a new Windows Explorer window appearing every couple of minutes. It didn’t take long to do a quick Google search on the individual exe files and find something that could remove it.

The second thing that surprised me was how easily I almost fell for providing my credit card details on a machine I knew to be infected. After 2 days of working on my laptop, while the very time consuming deep scans ran on my workstation, I was so pleased to have found something that promised to kill the virus once and for all that I very nearly went ahead and paid the $30 for an online license.

The third thing worth mentioning is how I fell for getting the virus in the first place. I guess it was a cross between a social engineering attack and a straightforward malware attack. In short, I got a message on Facebook inviting me to view a movie clip from a friend. This took me to what looked like that person’s YouTube account, but where you would expect to see the movie playing there was a message saying that my version of Flash Player was out of date and to click to continue; the usual warning popped up before installing. All of which I clicked through, as it looked so similar to a genuine Flash updater. Next thing you know I’ve restarted and all sorts of pop ups are saying a virus has been detected and linking to software products to purchase to remove it.

When you think about it, this is genius. The latest generation of internet users are very into social networks, but are much less tech savvy when it comes to security and protecting themselves. They are so used to clicking ‘yes’, ‘install’, ‘accept’, ‘I agree’, without reading anything of what they are actually agreeing to, that they are easy targets when it comes to installing harmful stuff like malware and viruses. I myself am a classic example: busy day in the office, and a box pops up asking me to agree to an update to software I trust from a person I know, and I say yes without a second thought.

It would seem that I am not the only one though; CNET this week reported on the Koobface virus currently hitting Facebook users, and there are no end of others popping up every day.


Will the VAT reduction make any difference at all?

I have had to adjust the VAT codes and prices on my EPOS systems (electronic point of sale – otherwise known as tills) and online shop this week. The reason? The government think that they can eradicate the credit crunch by reducing VAT by 2.5%, for 13 months.

Am I missing something here? Surely any school kid can see that this will never work in a million years. Firstly, 2.5% is not nearly enough to restore confidence; energy costs are still rising for many of us and that will more than offset the VAT saving. Secondly, there is nothing to force companies to pass on the savings, and for the millions of small retail companies the cost and time required to relabel their entire product range simply doesn’t make sense, especially when you consider the extra cost of having to deal with additional requirements for small change, and the psychological factor that people like round prices. Then there is the cost factor: if government has less money in its pockets, then it’s going to be spending less, and that is bad for businesses in the UK; not only will this money have to be repaid but there is also the interest.

I can see that changing VAT may seem the simplest way to have an effect on people that are spending, but surely it will have an inflationary effect if some companies put up their prices to keep prices on the shelves the same as before the VAT change. Surely a change to income tax would have a more controllable and noticeable effect?

I seem to remember during the recession of the early 90’s that there were campaigns to buy British, to ensure that what spending did take place was having an effect at home. This reduction in VAT will benefit the cheaper foreign manufacturers as much, if not more, than British businesses and British families.

As I type this up sitting on my sofa at home, the news on TV is talking about increasing numbers of housing repossessions, increased redundancies, more businesses going bust etc, etc, etc. I can’t help but think that a 2.5% reduction in VAT is like trying to stop the recent floods with a seaside bucket and spade.


Who’s Responsible for Data in the Cloud.

While trawling through the internet I came across a couple of articles that made me think, about

The first one was on the BBC technology site and it talked about cloud computing and the US Patriot Act. This is similar to the UK’s anti terrorism legislation and, as far as I can see, it gives the US government the right to look at data stored in the States if they think that it might include information about terrorists.

You might be thinking, well, what does that have to do with me? I’m not an American, so what if the Americans can look at data within their own country? But what you have to remember is that many, many services like Amazon’s S3 data storage, Hotmail, SkyDrive and Gmail are all hosted in the States, so any data stored on these is covered by the Patriot Act.

What’s more, I bet that if they really wanted to they could make these laws extend to any data travelling through their network, so if you send an email, a Twitter message, a file or any other string of ones and zeros and it’s routed through the US or any other country, they would be at liberty to read that information and use it for whatever purpose they saw fit.

This got me thinking as a system administrator: if I’m storing data in the States and viewing it on terminals in the UK, do I need to adhere to both the UK’s Data Protection Act and any American version of the same act, or does the Data Protection Act only apply to data held on citizens of a particular country? If so, what laws do I have to adhere to if I have a mailing list which contains data from people in several different countries?

The second article I came across was something on TechCrunch about a German politician who had a legal ruling made to prohibit the local German version of Wikipedia from accessing information on the main Wikipedia database in Miami.

The focus of my thoughts here really is where does responsibility lie if, say, an English company has a website hosted in the US, but bought and paid for in the UK, and you want to take them to court to stop them from false advertising: do you pursue the UK company, or the US ISP hosting their data? And what if, for example, the banner ads you object to on the site are simply embedded links to data on a video server in, say, Germany? In fact the whole area of links seems quite complicated. If you, for example, display an RSS feed on your site from elsewhere on the internet and it says something that could be slanderous, are you also guilty of slander, and how does this work across borders? I mean, something may be deemed slanderous in one country but not another. There was talk yesterday that the German politician’s background in the German police was protected under German law, but does that extend outside of Germany?

What are your thoughts on this?


German Politician Blocks Local Wikipedia

TechCrunch reported today that German politician Lutz Heilmann has taken legal action in the county court of Luebeck (North Germany), resulting in it issuing an order preventing the German Wikipedia (Wikimedia e.V.) from linking its domain wikipedia.de to the Web site wikipedia.org, as long as the German language version of wikipedia.org makes certain statements.

According to OhMyNews these statements include Heilmann’s past as a member of the police in East Germany – as well as allegations that he has threatened an ex-boyfriend. Focus Online suggested that Heilmann objected to claims that he had interrupted his studies at university, and that he had participated in a business venture involving pornography.

What this shows is that while being a politician may have given Heilmann the power to order a local German version of the free online public contribution encyclopedia site to remove its links to the main database, it did not give him the power to shut down the parent site wikipedia.org, which is hosted in Miami. Furthermore, taking such drastic action drew even more attention to the entry, currently ranked number 1 on wikirage. But was he right to take legal action? There is currently a lot of web chatter about the rights and wrongs of this court action and about the right to freedom of speech versus the wrongs of slander and libel. It’s interesting to see that the views on “freedom of speech” vary so widely between nations, and it raises some very interesting questions about the need to have some universal laws in a world so connected by the internet.

I guess that given the nature of Wikipedia, we should maybe be more surprised that this isn’t happening more often. While Wikipedia can be a fantastic source of information and in the main is quite accurate, it has been criticised by many academic institutions for often being inaccurate and not being what they would consider to be a good and reliable source of information. Some institutions and local authorities have gone as far as banning it on their networks.

Heilmann has now issued a statement saying that because the offending remarks have been removed no further action is required, and the connection between the German version of Wikipedia and wikipedia.org will soon be restored.


Civil servant fined after leaving ‘top secret’ docs on train.

Senior civil servant Richard Jackson pleaded guilty to negligence at City of Westminster Magistrates Court yesterday. The 37-year-old Cabinet Office official was fined £2,500 and will have to pay £250 costs.
Jackson was charged under clause 8.1 of the Official Secrets Act, which deals with safeguarding information.

The court was told that Jackson, who had taken the documents home by accident, was under ‘extreme pressure’ and was “physically sick” when he found they had gone missing. Prosecutor Deborah Walsh responded, saying “There’s ample evidence that Mr Jackson failed to take such care to prevent the unauthorised disclosure of the documents as somebody in his position may reasonably be expected to take.”

A member of public found the highly sensitive Whitehall intelligence files relating to al-Qaida and Iraq on a service from London’s Waterloo to Surrey on 10 June. The lost documents were then passed on to BBC security correspondent Frank Gardner.

One of the documents was believed to be a seven-page report by the Joint Intelligence Committee entitled “Al-Qaida vulnerabilities”; the other was believed to contain an assessment of Iraq’s security forces commissioned from the committee by the MoD.

It would seem that there was not one, but a catalogue of errors in June:

Firstly, top secret documents were accidentally taken home. Accidentally! Documents stored in a bright orange folder to identify them as top secret documents, accidentally taken home!

Then, having discovered the documents had been accidentally removed, they were returned the following day via public transport. Knowing the seriousness of the documents, they were then left on the train. Presumably knowing he was carrying these documents, Jackson didn’t even bother to check he still had them when exiting the train.

Finally, having discovered his mistake, he delayed reporting them missing, or trying to locate the documents, as his immediate line managers were abroad.

To make matters even more complicated, it would seem that Jackson didn’t even work for the Cabinet Office at the time the documents were lost, but was on secondment from the Ministry of Defence.
Obviously Mr Jackson pleaded guilty and was ultimately to blame here, but you also have to question whether the system for the storage and handling of such documents, key to national security, is fundamentally flawed.

Sources: BBC, Guardian, Official Secrets Act


Virtual murder leads to real life arrest.

Earlier this week I wrote a post about Wayne Forrester, the 34-year-old from here in the UK jailed for life for murdering his wife after she changed her Facebook status to single. Well, in a strange turn of events I find myself blogging once again, this time about a real arrest following a virtual murder.

Mayumi Tomari, a Japanese woman of 43, was taken 620 miles from her home in southern Miyazaki to Sapporo for questioning by police on suspicion of illegally accessing a computer and manipulating electronic data to kill off her online husband’s in-game avatar.

It is believed that the piano teacher became so enraged that her online husband (in the computer game MapleStory) had unexpectedly divorced her that she used logon information the 33-year-old office worker had given her while they were happily married (in the game) to delete his account. It is believed that the two have never met in the real world and that the man made the complaint to police after finding his avatar (the character that represents him in the game) was dead.

While she has not yet formally been charged, she could face a 5 year prison sentence or a fine of more than £3,000 if convicted. There have been several arrests in the past for virtual crimes, but unlike this case these usually involved corresponding material gains in the real world.

I think this is a case of real life being stranger than fantasy. Also in the news this week was the story of a blogger arrested in Newcastle and charged with offences under the Obscene Publications Act for describing what he would like to do to a Geordie pop star in girl band Girls Aloud. The blurring of reality and virtual reality has to make you wonder what will be next? Will we start getting actual speeding fines for racing cars in online games, or worse still, tax bills for virtual purchases?

My advice to Japanese office workers considering a quick divorce from their online spouses – change your password first!
My advice to this victim: if your behaviour results in murder in the virtual world, stay single in the real world! Finally, my advice to Miss Tomari’s piano students – keep practising, she’s obviously easily upset!

Sources: The Telegraph, The Yomiuri Shimbun, Associated News


FBI Honeytrap Darkmarket.ws is sprung

Following a two year undercover operation in conjunction with a number of other international law enforcement agencies, this week the FBI nabbed 56 cyber criminals and prevented an estimated $70 million in frauds.

Reports in Computer Weekly state that the UK’s Serious Organised Crime unit worked closely with the FBI Cyber Crimes Division and that arrests were made in London, Manchester, Leicester, Humberside and South Yorkshire.

The operation revolved around the online ‘carder’ forum Darkmarket.ws, where members buy and sell stolen credit card data, login credentials, other financial information and devices used to carry out certain financial crimes.

Darkmarket.ws was shuttered on 4th October 08; Master Splyntr blamed this on the site drawing too much attention after a fellow administrator known as Cha0 aggressively marketed a high quality card skimmer on the site.

The site was registered in June 2006 and is believed to have had 2,500 members, attracting 563,299 hits last month. Most members believed the site to be run out of Eastern Europe, but it was almost exposed in 2006 when uber-hacker Max Ray Butler cracked the site’s server and announced to the underground that he’d caught Master Splyntr logging in from the NCFTA’s office.

In an FBI press release, Cyber Division Assistant Director Shawn Henry states that ‘in a world of rapidly expanding technology, cyber crimes can be perpetrated instantly from anywhere in the world’ and explains the importance of being flexible and creative in their approach to this sort of crime, which is taking them to online forums more and more frequently.

While the operation would appear to be a huge success, there has been some criticism from victims of these crimes, suggesting that the FBI actually set up and ran the site as a honey trap. German public radio went as far as to suggest that Master Splyntr, the man believed to be behind the site, was actually an FBI agent and that a Darkmarket server was located in an FBI building in Pittsburgh.

Researching this subject did beg the questions: how do you pay when you’re buying stolen identities online from a bunch of cyber criminals? And what does a cyber criminal actually look like? Are we talking an Arthur Daley-style character in a sheepskin jacket and sovereign rings, a Gordon Gekko in a sharp business suit, or a pimply teenaged geek like the kid in WarGames?

Sources: FBI, Wired, ITworld
