Free The Passwords With Sslstrip

An anarchist superhacker has just released a powerful little program called "sslstrip." The C.S.A. barely understands even the most simple computer operations, but here's our boneheaded explanation of how it works: on encrypted web pages, the letter "s" appears at the end of "http." This program strips the "s" away, leading the victim to an unencrypted but otherwise identical version of the page. The victim then enters their log-in information unaware that the attacker is recording what they type. The program requires its operator to be between the victim's computer and its internet connection, such as on a free wireless internet server. And that's about it. You can read more about the details here and here.

Clearly there are uses for this program far beyond merely harvesting credit card numbers and Facebook passwords, as most users of sslstrip will probably do. Imagine there's a password for, say, a secure network containing information that may be useful to people facing persecution. And imagine that some users of that network are lazy, unaware, and apt to sign-in to the secure network at Starbucks. Well, if you're in the right place at the right time, sslstrip will allow you to get the log-in info for such a network.

Is that a little too vague? Here's a concrete example: an FBI agent logs-in to his network from a laptop at a coffeeshop. An sslstrip user harvests his password, then logs-in to the network to see whatever information is there. Or imagine the victim is an employee of a multinational corporation that does naughty things to trees or beagles. Or works for a private military firm. Or whatever.

Now imagine that those people are too cautious to log-in at Starbucks. So instead of sitting in an overstuffed armchair while stealing their passwords, the attacker uses an antenna to access the wireless network in their building, cracks the code to their secure wireless network, and then harvests their password.

Or imagine the intended victim doesn't use a wireless network at all. Then the attacker has to put a piece of hardware between the target computer and the network. Which means they may need to use some social engineering to access the building within which the victim uses the computer, perhaps by posing as an electrician who has to fumble with a bunch of wires. And so on and so forth.

Those are just some of the possible scenarios. Of course using sslstrip in those ways is completely illegal and the C.S.A. strongly discourages and condemns such uses, along with illegal activity of any kind.

Check back here for updates on this story, as it appears to be gathering steam across the series of tubes. You can download sslstrip here.

The Day's News...

Sorry for the delay between posts. The C.S.A. is in the midst of relocating and revamping this site to a vastly superior, more secure location. The new site will have much superior functionality that will allow for more frequent updates, greater ease of use, and much, much prettier design. Formal announcement coming soon; in the meantime, munch on this:

• Watch an advertisement on a video screen in a mall, health club or grocery store and there's a slim - but growing - chance the ad is watching you too. Small cameras can now be embedded in the screen or hidden around it, tracking who looks at the screen and for how long. The makers of the tracking systems say the software can determine the viewer's gender, approximate age range and, in some cases, ethnicity - and can change the ads accordingly.

• Bad economic times are forcing the NYPD to slow down plans to assign 800 officers to the area near Ground Zero and Wall Street. The NYPD planned to deploy the officers along with 3,000 networked security cameras to Lower Manhattan; to date, 300 cameras have been installed and 30 police cars with roof-mounted cameras have begun reading license plates of passing and parked cars. And a 28th-floor command center is up and running, monitoring the spycam feeds.

• The new director of national intelligence told Congress on Thursday that global economic turmoil and the instability it could ignite had outpaced terrorism as the most urgent threat facing the United States. The assessment underscored concern inside America’s intelligence agencies not only about the fallout from the economic crisis around the globe, but also about long-term harm to America’s reputation. The crisis that began in American markets has already “increased questioning of U.S. stewardship of the global economy,” the intelligence chief, Dennis C. Blair, said in prepared testimony.

The Day's News...

• A logic bomb allegedly planted by a former engineer at mortgage finance company Fannie Mae last fall would have decimated all 4,000 servers at the company, causing millions of dollars in damage and shutting down Fannie Mae for a least a week. On the afternoon of Oct. 24, a Unix engineer was told he was being fired because of a scripting error he'd made earlier in the month, but he was allowed to work through the end of the day. Five days later, another Unix engineer at the data center discovered the malicious code hidden inside a legitimate script that ran automatically every morning at 9:00 a.m. Had it not been found, the FBI says the code would have executed a series of other scripts designed to block the company's monitoring system, disable access to the server on which it was running, then systematically wipe out all 4,000 Fannie Mae servers, overwriting all their data with zeroes.

• The relationship between photographers and police in Britain could worsen next month when new laws are introduced that allow for the arrest - and imprisonment - of anyone who takes pictures of officers 'likely to be useful to a person committing or preparing an act of terrorism.' A person found guilty of this offence could be liable to imprisonment for up to 10 years, and to a fine.The law is expected to increase the anti-terrorism powers used by police officers to stop photographers, including press photographers, from taking pictures in public places.
  

• The U.S. housing market lost $3.3 trillion in value last year and almost one in six owners with mortgages owed more than their homes were worth as the economy went into recession. The median estimated home price declined 11.6 percent in 2008 to $192,119 and homeowners lost $1.4 trillion in value in the fourth quarter alone. The U.S. economy shrank the most in the fourth quarter since 1982, contracting at a 3.8 percent annual pace, the Commerce Department said. Record foreclosures have pushed down prices as unemployment rose. More than 2.3 million properties got a default or auction notice or were seized by lenders last year.

• C.S.A. Strategy Quote Of The Day: "Fashion is what you adopt when you don't know who you are."-- Quentin Crisp