Today I found myself thinking of Terminator 3, specifically the plotline in which all kinds of random computer crashes are spreading across the internet.

For obvious reasons.

In today’s real world incident, it’s a bug in an auto-pushed update for widely-used security software by CrowdStrike, ironically used to protect mission-critical systems. In the two-decade-old movie (pardon me while I turn to dust), it’s Skynet spreading itself across the internet.

At the time, I thought the nuclear strike would wipe out a lot of internet infrastructure, destroying major nodes and leaving pieces of Skynet disconnected from each other. A commenter remarked that he’d been doing research for a novel and experts agreed that enough of the major nodes and infrastructure would survive the attack to keep the network functioning.

The interesting thing: Neither of us had heard the story that ARPANET (the internet’s predecessor) had been designed for that scenario. These days, it’s pretty much repeated as gospel… but apparently it wasn’t a design goal, and the idea that it was can be traced back to a 1991 article in Network World magazine that conflated ARPANET with a different network design, which was never actually built. (via)

From there it took on a life of its own for the same reason many urban legends (and conspiracy theories) do: it made a better story.

Interesting spam/phish technique: Look for subdomains with CNAMEs or SPF records that point to abandoned domains that you can then register…and effectively take control of the subdomain or SPF.

They haven’t seen any cases where it’s been used to host a phishing site at, say, an msn.com subdomain, but they’ve seen thousands of cases where it’s been used to pass email verification checks.

The article describing “SubdoMailing” gives a detailed example of a spam that made use of an msn.com subdomain that was used for a sweepstakes way back in in 2001, with a CNAME pointing to the long-abandoned domain name for the contest, but the subdomain was never actually deleted.

Lesson: check your DNS for any dangling references to outside domains that might not exist anymore!

The year is 2006. I’m complaining on my blog about businesses training their customers to fall for phishing attacks.

The year is 2011. I’m complaining on my blog about businesses training their customers to fall for phishing attacks.

The year is 2022. I’m complaining on my blog about businesses training their customers to fall for phishing attacks.

Corporations haven’t learned. Unfortunately, their customers have learned from all this training. And so has the fraud industry. Even if you’re usually savvy about this sort of thing, you can get caught up if the circumstances put you just off-balance enough to line up the holes in each overlapping layer of security.

I trusted this fraudster specifically because I knew that the outsource, out-of-hours contractors my bank uses have crummy headsets, don’t know how to pronounce my bank’s name, and have long-ass, tedious, and pointless standardized questionnaires they run through when taking fraud reports. All of this created cover for the fraudster, whose plausibility was enhanced by the rough edges in his pitch – they didn’t raise red flags. Cory Doctorow on “Swiss-cheese security.”

And here I am, in 2024, complaining on my blog about…well…you know.

Interesting point at The Intercept: Don’t trust cropping tools for security.

If you crop an image for security reasons, make sure you know whether the tool you’re using crops the data (like most image editors) or just the displayed image (like embedding an image into a PDF/Word doc/etc.) If it’s only cropping the display, people can still get at the full image!

Also, make sure the EXIF doesn’t include a thumbnail of the original!

My advice: if opsec is an issue,

  1. Use an actual image editor.
  2. Save the file without any metadata.

(via Schneier on Security)

Update: Interesting that this article came out just before news of some actually broken tools for Android and Windows that do save over the data…but don’t properly truncate the file, so if the interesting bits happen to have been in the extra space left over, they can still be recovered!

Phishers: Hi, we’re your bank, please click on this attachment for important information.

Security experts: Never click on an unexpected attachment in an email even if you think you know who it’s from. It’s likely to be malware or a scam to steal your login credentials.

Actual banks: Hi, we’re your bank, please click on this attachment for important information. 🤦‍♂️

Seriously, I HATE these systems. The way they keep phishing and malware techniques believable — and have for years! — is worse than any supposed security advantage in not just using email. Half the time the info isn’t any more sensitive than a receipt would be. Or heck, even just “There’s a new message in your account, please log in to see it and use your own bookmarks to get there.” That’s actually more secure!

:sigh:

It’s really too bad all the schemes to add end-to-end security to email over the years have been either too cumbersome to take off for general usage or vendor-specific.