At a recent security conference Michael Welch, the deputy assistant director of the FBI’s Cyber Division, gave a speech where he discussed the issue of SCADA security.

Information Age magazine reported on his speech and quoted Welch as saying:

"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into SCADA systems within the city."

… It’s great that Welch acknowledges the work we have to do in this area and even went so far as to suggest the FBI will double the size of their Cyber division in the next 12 to 18 months.

Sound too good to be true? Then it probably is.

A story on PoliceLedIntelligence.com shows the FBI’s budget for Cyber will increase by $19.6 million, or approximately 12 percent.

The majority of the funding increase will be used to expand their operation from 8 hours/5 days to 24 hours/7 days.

They even explained this to Congress, justifying their need for the funds:

"Because threat actors operate globally, a significant volume of cyber threat activity occurs outside of normal business hours."

Read the whole article >>>

It might not be as much of an increase as Sophos would like to see, but at least it’s something. And our next Testing The Limits guest can attest to the woefully inadequate state of cyber security these days. Here’s a little sneak peek at what he has to say on the topic:

“As a rule I stay away from “the sky is falling” scenarios, but since you asked. By 2015 the overall threatspace will be ten times worse than it is today. Think about that. There will be TEN breaches as critical as the RSA attack. There will be TEN Google Aurora’s. There will be TEN Stuxnets. There will be 300 thousand new malware variants a day. ”

We’ll post the next Testing The Limits guest interview later this week, so check back then to find out who our security expert is!

While an unofficial source said they suspect it’s benign, they also added, “But we just don’t know”.  The thought of an attack drone being hacked is a chilling to say the least.  Jalpnik has a nice write-up of some of their historic missions (and the virus) but this seems to reinforce the hypothesis that the United States is entering a “Code War”.

Here’s the crux:

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system.

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

For those interested, we have a new whitepaper on Software Security Testing.

While only two of these hacks really impacted a company I use heavily, I thought I’d do a quick countdown on the top hacks of 2011 and the associated costs.

7) DropBox
The file-sharing site opened the doors for four hours this week, allowing anyone with a login to access other accounts.  It turns out that it was a self-inflicted wound and DropBox broke their own authentication system.  While the finacial impact probably won’t be released, just browse through the 600+ customer comments to see how the issue and their response impacted their brand.  It’s a bug, not a hack, but certainly something that could have been avoidable with ample testing prior to a full launch.

Responsible: Themselves.

Cost: A self reported “much less than 1%” of their more than 25 million users were impacted to an undisclosed extent.

6) MovableType / PBS.org
In a pure retaliation a group of hackers targeted PBS.org in response to an episode of Frontline’s portrayal of of WikiLeaks leaker Bradley Manning.  The hackers gained control of PBS.org and republished false information.  PBS was not able to immediately regain control and was forced to utilize their Facebook page as their primary news source.

Responsible: LulzSec.

Cost: One of their Sr. Correspondents, Judy Woodruff, wrote a post on “Calculating the Cost of an Attempt to Silence the Press”.  While they didn’t disclose any financial costs or specific user information loss, it has certainly been a struggle for them to regain control of their site and all of their content.

5) WordPress.org Pluggins

This malicious hack just happened yesterday.  Turns out a few of the code-development site’s pluggins were hacked and granted 3rd party access to sites using those pluggins.  Specifically, the popular pluggins AddThis, Wptouch, and W3 Total Cache.  So far it sounds like they’ve done a good job closing the door but it was open for a solid 24 hours.

Their advice; “any users of the three Trojanized plug-ins who updated them “in the past day” (meaning Monday or Tuesday) should upgrade those plug-ins immediately.”

They also remind us that the goal of many of these backdoor Trojan hacks is to gain password access for use on other sites, in the hope that users won’t be savvy enough to have site-specific or multiple passwords.

The InformationWeek.com article shares some other interesting information.  “Plug-ins, malicious or otherwise, continue to account for an increasing number of vulnerabilities seen in applications, both on PCs (for example, with browsers) and in Web applications (such as WordPress). In terms of WordPress, plug-ins now account for 80% of all WordPress-related vulnerabilities, according to HP DVLabs”

Responsible: Unknown.

Cost: Not yet known, although according to InformationWeek.com “AddThis and W3 Total Cache have been downloaded at least 500,000 times, and the free version of WPtouch, more than two million times”.  It’s unclear how many of those users updated the pluggins with the Trojan.

4) Sega
Sega’s account management system, “Sega Pass” was hacked after Sega West’s CEO made a couple confident comments in regard to their security system in wake of Sony’s hacks (see below for more on Sony).  In an interesting turn, the hacker group LulzSec offered to help find the perpetrators. with the added comment, “we love the Dreamcast”.

In case we needed another reminder to have multiple passwords, “[Sega] also cautioned that ‘if you use the same login information for other websites and/or services as you do for Sega Pass, you should change that information immediately.’”

Responsible: Unknown.

Cost: Sega lost key user information for 1.3 million customers including email addresses, date of birth, and encrypted passwords.

3) Citigroup
Citi lost some important data in this one – customer names, email addresses, contact information, and even account numbers.  While customers can’t rest assured that their accounts are safe Citi did add that, “customer’s social security number, date of birth, card expiration date, and card security code (CVV) were not compromised.” and that customers should remain on “high alert for scams, phishing, and phone calls purporting to be from Citibank and their subsidiaries.”

Responsible:LulzSec

Cost: A self-reported 1% of their 21 million customers (or 210,000 accounts) had their personal information stolen. There has been no mention of financial costs incurred.

2) Web Sever/Sites of the U.S. Senate, CIA, and FBI

There have been a few government sites and subsidiaries hit this year, including InfraGard, “a private, non-profit organization that exists to serve as a public/private partnership with the FBI”, the CIA and FBI’s Detroit office and the US Senate among others.

Antivirus vendor Sophos had a great contribution;

“While some people think this is a fun game that can also help point out corporate security weaknesses, the truth is that companies and innocent customers are–in the worst cases–having their personal data exposed,” said Graham Cluley, senior technology consultant at Sophos, in a blog post. “There are responsible ways to inform a business that its website is insecure, or that it has not properly protected its data. What’s disturbing is that so many Internet users appear to support LulzSec.”

InformationTech has a more inclusive list of the government branches that have been attacked, mainly with DDoS attacks.

Responsible: LulzSec

Cost: InfraGard lost member data and all information stored on their website. The CIA’s pblic website was taken and the FBI’s Detroit office received a distributed denial of services attack to their phone system.  The U.S. Senate web server was attacked.

1) Sony / Sony Pictures / Playstation
Has anyone not yet heard about Sony’s 2011?  In case you haven’t, Google has over 2,000 recent articles on the issue.  The #1 biggest hack is probably not a list anyone would want to be on but here they are.

I’ve been a die-hard Playstation fan since PS1 first came out (the PS3 is an impressive machine and the ergonomics of the Xbox controller is horrible compared to the PS controller) but I’ve found myself thinking about switching to the Dark Side.  (I’ll spare you all from a rank on Sony’s lacking embrace of social media and off-console technology.)

At this point Sony is facing attacks from consumers, court systems, and just about every other nightmare you can imagine.  In just one example, Infinity Ward, one of the two publishers of the mulit-billion dollar Call of Duty series, made the lazy mistake of leaving security in the hands of the respective servers. When Sony was hacked it rendered their Modern Warfare 2 game “unplayable”.

Responsible: LulzSec

Cost: In April they were forecasting a cost of $170 million.  By the end of April that number was up to $1.5 billion.  By the end of May there are reports that the hacking (and their response) will cost them $24 billion dollars – nearly 10x their revenue for the same period.  [Infographic at bottom of the post]

Quite the list.  Here’s to hoping 2012 is the year of security improvements…

A professional statistician named Mohan Srivastava managed to discover a flaw in certain kinds of scratch-off lottery games that  allow a player to get a winning edge by doing some simple math. Wired has the whole story, and it’s well worth reading. The summary is this:

Scratch-off lottery tickets aren’t totally random. A computer prints the tickets so that a certain number are guaranteed to win – thus meeting the odds requirements set by the laws of different states. That means that a computer program has to spit out both winning and non-winning scratch-off lottery tickets. The game that Mr. Srivastava cracked had two components – a visible grid of numbers and a scratch-off section with more numbers. You play the game by scratching off the hidden section and looking for for tic-tac-toe patterns in the grid.

What Mr. Srivastava realized is that the winning tickets had a slightly different statistical distribution of data in the grid section than non-winning tickets. Knowing this, he could pick out winning tickets with 90% certainty, all without scratching a single lottery ticket.

What are some lessons for testers?

First: no system is honest or perfect, no matter what anyone claims. An audited system may have been checked for certain kinds of known flaws, but clever exploration can frequently reveal new bugs that weren’t previously known.

Second: there’s real money at stake here. The lottery generates billions of dollars in revenue for state and local governments. Having that money be put in doubt can be a serious problem. Wired also points out that a broken lottery can be a perfect system for money laundering.

Third: be honest. It’s always tempting to use your knowledge of bugs and flaws for evil, but Mr. Srivastava sets the right example for testers everywhere. He told the lottery commission about his find, and got the broken scratch-off game removed from the market.

Do you play the lottery?

Concern about privacy is hardly a new topic.  Back in 1999 Scott McNealy, then the CEO of Sun Microsystems notoriously said, “you have zero privacy.  Get over it.”  I love the brevity, Scott, but that is not going to get you on a Hallmark card anytime soon.  Yes, the web brought on a change in the level of privacy that users may expect, but the role of marketing has always been to predict the intent of potential customers by tracking user behavior.  Computers and the internet, however, have yielded a seismic shift in the cost, speed, availability and sheer amount of data – perhaps changing at a rate faster than humans can conceptually deal with, and thus creating debates about how to strike a balance in this brave new world.

In 2010, however, we’ve seen more information about the reconciliation of online and offline data. From cars, to finances, to the recent announcements about the TSA’s new full-body scanners, it’s no longer just our web browsing history that’s available to evil marketers like myself.  Here’s a quick rundown of a few privacy issues, how they can be exploited, and what you should know about protecting yourself:

Full Body Scanners

The US Transportation Security Administration (or TSA) recently deployed 450 full body scanners at airports.  The goal of the scanners is to provide security officials with a quick scan of a person for weapons and/or contraband.  The scanners, however, have raised concerns about safety and privacy.

While the radiation risk is to the employees operating the machinery, the privacy threat is real.  Airlines most likely knows your name, address, credit card, and anything else in their database from your online purchase.  From there, it’s not much a leap to determine precisely who you are.  Yes, you’re anonymous in number, but could airline industry marketers use such information?  What if a local gym, heath food store, or weight loss program did an instant analysis of your body fat and targeted their marketing at you? Is there any guarantee the images aren’t being stored?  Or shared? There’s a lot of uncertainty about the future of these scanners and the data they derive.

Short of refusing to fly, your options are limited.  The TSA, unfortunately, has the ultimate say in who gets on the plane and who doesn’t.  Plan for the worst, hope for the best.  …and maybe threaten to arrest them.

Social Networks

Social networks, like Facebook, LinkedIn and Twitter, face scrutiny on two sides.  The manner in which such companies handle and utilize user data is scrutinized, but also what information will be utilized by advertisers and/or made available to 3rd parties (whether it’s evil marketers or just “friends of friends”).

Want proof of users’ respective ignorance to the power of social networks?  Look no further than PleaseRobMe.com, who consolidated Tweets about people leaving their houses unoccupied.  While this behavior and data still exists (see people going on vacation for a couple weeks), sites like PleaseRobMe and YourOpenBook.org certainly illustrate the potential vulnerability of our over-sharing ways.

It’s not just nefarious individuals who can exploit this information, though.  Corporations have long been using Facebook to profile potential employees, but can now use publicly available data to fire current employees.  Governments are also beginning to utilize data — as the Israeli armed forces recently used public information on Facebook to track down draft dodgers.

Strides have been made — big-league players like Facebook and Google publish straightforward info on how to manage one’s privacy settings.  (See Facebook Privacy Controls and Google Privacy Center)… not all global powerhouses from the past have been so user-friendly.

Behavioral Marketing

Google is a data magnet, consuming and harvesting everything in its field of in.  From mining unsecured Wi-Fi data, to Street View (and getting banned by the Czech Republic), watchdog groups have long been wary of any one company having so much data (read as: power).  Needless to say, they know a lot about you.

Companies like X+1, however, take it a step further by harnessing this information for the good of marketing.  WSJ.com recently did a nice article on the power of X+1 and their rival companies.  To oversimplify, X+1 cross references data from numerous sources to paint a picture of you as an individual.  X+1 can then use this information to serve you relative marketing promotions.  I find this level of targeting fascinating but there are tools that you can use to opt-out of this granular level of targeting.  NAI has a tool to let you mass opt-out of behavior targeting across many companies.

Location-Based Services

Location-Based Services (or LBS) such as FourSquare, Gowalla, and Facebook Places, are the essence of removing the privacy layer between you and retailers.  LBS games allow you to “check in” at your favorite companies, thereby allowing them to offer you specific promotions.  While the games are currently only triggered by specific “check in” actions, there are a lot of people concerned with the potential privacy exploits.  As CNET points out, “Facebook application developers are able to store their own check-in data in the Facebook Places database and retrieve information from the database.”  In English, this means that companies could potentially access your history and more personal information than you anticipated.

Cars

For better or worse, this ain’t your father’s car.  Automobiles are becoming more wired by the day.  To be more specific, vehicles are becoming more wired for the better while drivers are becoming more wired for the worse.  Driving while texting is now banned in several US states, including uTest’s home state of Massachusetts.

GPS-based speed limits are one of the original tools of monitoring your location.  Basically the software would cap your speed based on your global coordinates, preventing motorists from exceeding the local speed limits.  Cool in concept, but are people willing to drive cars that can be remotely turned off at any point?

There’s been talk of a possible solution, though: blocking your cell signal.  The logistics of these requirement are still years away and becomes more of a political discussion than a privacy one, unless the technology utilizes your cell phone’s location to automatically turn your phone on/off to calls and data.

Before either of those concepts reach implementation I’m hoping that before we get to that point we have Google cars hit mass market (I cannot wait for the day that I can cruise down the highway to work at 100+mph… from the back seat while playing Angry Birds).  Google Cars will certainly have privacy concerns, though as it will inevitably know where and when you’re going, and possibly who you’re with (via cell phone and/or RFID’s).  And if Google wants some “test drivers” for this world-changing innovation, I think I may know where they can find ~31,000 beta testers.

I’m interested in hearing what tech/privacy options you think will be have the biggest impact (for better or for worse) in 2011.  And how will you tell your parents to protect themselves online?  As for me, I’m going into private browsing mode.

Yesterday, the security company WebRoot came out with a study discovering similar results. After surveying 1,500+ social network users with geolocation-ready mobile devices, WebRoot found that more than half (55%) of respondents fear the loss of security and privacy, and 45% are very concerned about letting potential burglars know when they’re away from home (ah yes, the now shut down PleaseRobMe experiment comes to mind).

What’s most interesting to us is that 39% of those surveyed by Webroot said they use geolocation services, but take a look at the number of people that have fallen prey to social network cyber-criminals:

• Nearly a quarter of respondents (22.4 percent) were victims of a phishing attempt to steal their social network password.
• About one in six (16 percent) reported a malware infection in the past year that originated from a social networking site.
• One in nine reported at least one of their social network accounts had been compromised or hijacked.

Even in the face of these risks, many consumers admitted to engaging in risky behaviors:

• Nearly one third (31 percent) accepted a friend request from a stranger.
• A majority (76 percent) clicked a link sent or posted by a friend on a social network site.
• Twenty-nine percent have shared their geolocation with people other than their friends.
• One in nine used a location-based tool to meet a stranger (e.g. check out Scout – the new dating LB app)

While we all get excited when new features (like geo-lo) are added to Twitter, Facebook and other social networks (I know I do!), it’s worth taking a step back and thinking about the potential dangers of giving away so much personal information. So, why do you check-in? What do you see as the primary motivators for doing so? Are they worth the risks?

After tracking down Alex Brie, a developer who first discovered the issues, PC World reported:

“After Brie’s calculations, Nguyen would have needed at least 3,000 hacked iTunes accounts to reach the ranking he had on Sunday in the App Store…[and] Brie speculates that to achieve such high ratings for his apps, Nguyen had to hack into Apple’s iTunes servers and skip the normal security steps, or run an automated scripted program.”

According to Engadget, Apple responded last night:

The developer Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including fraudulent purchase patterns…

I was under the impression that the App Store approval process was brutal. So, how did this rogue developer get through? What additional security measures and tests need to be put into place to prevent account fraud?

The hackers claim they reported the flaw to AT&T before sending their discovery to the fine folks at Gawker. AT&T, on the other hand, was not pleased to see their security problems appear in a popular tech blog at all, and had this to say in an email to their iPad customers:

On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service.

…

The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses.

So who’s to blame for a problem like this? Is it AT&T, or do the hackers themselves deserve some of the blame for the public way they handled their disclosure? Give us your thoughts below.

What you’re looking at is an Internationalized Domain Name, or IDN for short.  It doesn’t contain western or “Latin” letters, and chances are everything you know about URLs is about to get turned backwards (in this case, literally).  What’s worse is that different browsers handle this kind of domain name differently, and there’s no one right answer.

Are you a software tester?  Then your ship has come in because IDNs open up a whole new category of software bugs.  Let’s take a look at a few big trouble areas, but hang on tight because this gets goofy fast.

From the ICANN annoucement:

The three new top-level domains are السعودية. (“Al-Saudiah”), امارات. ( “Emarat”) and مصر. (“Misr”). All three are Arabic script domains, and will enable domain names written fully right-to-left.

Right to Left TLDs
Take a look at the URL in the first paragraph (which goes to the Egyptian Ministry for Communications and Information Technology).  After the http:// you’ll see the Misr (Egypt) TLD, followed by a period, and then the domain name.  This makes sense because Arabic is written right-to-left, but it would be like reading the BBC’s URL as http://uk.co.bbc.www.

Of course, you can’t write out any old URL right-to-left – just those from certain languages.  Which means that when it comes to parsing domain names, figuring out the language is an important first step to knowing whether the TLD comes first or last.

New Opportunities for Phishing
The next problem is even worse, and there’s no good solution.  If you open the first URL in Firefox, you’ll notice that the URL bar shows it as a long string of Latin text.  Safari, on the other hand, displays it properly.  Click the images below to see what I mean.

Why does Firefox break the URL?  Because IDNs have the potential to be very dangerous for web security and phishing.  As more languages are approved for IDNs by ICANN, the number of valid character sets will grow.  This introduces conflicts with international characters that look very similar to Latin characters.

For example, Russian Cyrillic will be a huge problem according to this article from Mashable.  The Russian letters р, а, and у are treated as totally different characters from the Latin p, a, and y.  Conveniently, they’re also the first five letters to paypal, meaning the Cyrillic раураl.com is a totally different domain from paypal.com (copy and paste those two domains in your URL bar – you’ll see).

This opens a whole new approach for phishing attacks. For this reason, Firefox defaults to displaying IDNs as gibberish to help manage this confusion.  Safari, on the other hand tries to guess whether it should show the real text or gibberish. Either way, that’s only in the URL bar and not in actual links, meaning everyone has to be more careful.

Same Domain, Different Names
The fact that certain browsers handle these domains differently is yet another problem.  The valid form of the Egyptian URL above is http://موقع.وزارة-الأتصالات.مصر/, however it could also be http://xn--4gbrim.xn—-ymcbaaajlc6dj7bxne2c.xn--wgbh1c.  Those are one and the same, even though they look entirely different.

Conclusion
Software testing just got a lot more complicated, but here are a few ideas to get you started with IDNs:

• First, does it matter if the app handles IDNs at all?  Not every app cares about URLs.  Use good judgment before testing.
• Next, does the app handle international URLs with IDNs correctly?  Feel free to use this URL as a test:
  http://موقع.وزارة-الأتصالات.مصر/
• Does the web app handle right-to-left domain names correctly?  Again, use the URL above as a test.
• How does the app handle domains that could be phishing targets?
• Is the app able to differentiate between the international and Latin versions of a domain?

Did I forget anything? Let me know below.

Earlier this week, South Park lampooned the social media giant (along with Jim Cramer, chat roulette, Tron and Yahtzee) in an episode with major usability undertones. You can watch the entire episode here, but in case you’re at work, here’s brief synopsis from Wikipedia:

When Kyle, Cartman and Kenny make Stan a Facebook profile without his knowledge, he becomes frustrated with everyone asking him for friend requests. After he gets fed up with Facebook, Stan tries to delete his profile but is sucked into a virtual Facebook world. Meanwhile, Kyle starts trying to find ways to get more friends on Facebook after he drastically starts losing them due to his befriending of a third-grade friendless Facebook user, who everyone thinks is a loser.

Compared to other South Park “guests”, Facebook made it through the episode relatively unscathed, and for that they should be thankful. That said, it’s still South Park, a place where weaknesses must be exploited. So, here are a few feedback items I was able to relate to typical user feedback:

Security: Stan has an account created by his friends, without his knowledge. Embarrassing pictures of him are posted without his approval. Of course, in the real world, Facebook has developed numerous features to let users control such things. In fact, Facebook ranked #1 amongst all leading social media companies in this category during our Social Media Bug Battle from 2009.

Usability: Throughout the episode, Stan expresses deep frustration with the Facebook UI. He doesn’t know how to update his relationship status, much to the chagrin of his girlfriend, Wendy. He’s completely clueless about how to add friends; how and when to “poke” them, to say nothing of fertilizing Farmville crops. Deleting his profile is another story entirely. But shortly after being “sucked in” to the Facebook world, he’s a virtual pro, having amassed over 800,000 friends.

Content: Stan hates Farmville. He doesn’t want to get updates from his grandmother or her friends and he really, really doesn’t want to play Yahtzee. Of course, Facebook has made it incredibly easy to customize what you see in your feed, who’s updates you receive and what activities you choose to participate in. As soon as my mom starts sending me quizzes about which 80′s sitcom star I am, she’s blocked. Sorry mom.

Gawker says the episode explains “everything that is annoying with Facebook.” Perhaps from a cultural perspective – which I suppose would have to include all social media – but from a software and user experience point of view, this statement couldn’t be further from the truth.

Consider that South Park’s critiques of the Facebook application are nothing new. Similiar feedback on security, privacy, content and overall usability are likely submitted to the Facebook product team on minute-by-minute basis. This is especially true when Facebook decides to update its UI, as evidenced by the thousands of whiny posts from users, as well as a dozen or so front-page TechCrunch stories. In other words, there’s no shortage of this type of feedback.

The point is that Facebook is listening to its users. More importantly, it is incorporating these suggestions into each new version. Other software companies would be wise to emulate this practice (just leave Yahtzee out of it).

Lastly, you know you’ve arrived when South Park dedicates 22 minutes to you.  So congrats, Facebook!