Friday, November 5, 2010

The Infosec Tables Are Turning

The good guys have always spent time researching to understand how the bad guys operate, in order to turn the tables and catch them. A honeypot is probably the best example of this.

A honeypot is a system that purposely appears to be super-vulnerable to the attackers who eventually find and attack it, while the good guys watch and learn. In theory, what they learn is used to develop newer and better tools. While this has utterly failed in the Antivirus world, it has been a fairly successful strategy in the hacking world.

In a decidedly Spy vs. Spy revelation, it seems that attackers are using honeypots to catch infosec researchers. The Zeus bot makes use of a fake administrator interface, complete with a guessable password and trivial SQL vulnerability meant to alert the attackers to the investigation so they can respond accordingly.

Friday, October 22, 2010

Man In The Browser (MITB) Attacks

A new botnet named Feodo has been discovered. It doesn't seem to have much new about its internal workings, but the linked article gives a good description of how Man In The Browser attacks work.

Feodo rewrites specific banking app web pages in order to add input fields, such as PIN numbers and other personal information, that the bank wouldn't normally request on the unmodified version of the page.
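The injected-field trick described above leaves a footprint an analyst can look for: the page a suspect browser renders contains form controls that the bank's genuine page never had. The following Python is an added example (not code from the linked article or from any bank); it extracts every named form control from two HTML documents and reports the ones that exist only in the captured copy. The two pages are constructed samples, and the field names `pin` and `ssn` are assumptions chosen to mirror the kind of data a Man In The Browser trojan asks for.

```python
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Record every named form control as (form action, field name, field type)."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self._action = None  # action of the form we are currently inside

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.fields.append((self._action, a["name"], a.get("type") or "text"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def form_fields(html):
    """Return the list of (action, name, type) triples found in an HTML document."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def injected_fields(reference_html, observed_html):
    """Fields present in the page seen by the (possibly infected) browser but
    absent from the bank's reference copy.  A field whose form action was
    rewritten also shows up here, because the action is part of the key."""
    reference = set(form_fields(reference_html))
    return [f for f in form_fields(observed_html) if f not in reference]


# Constructed sample: the bank's genuine login page ...
REFERENCE_PAGE = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="session_nonce" value="abc123">
  <input type="submit" value="Log in">
</form>
"""

# ... and the same page as rendered inside a browser where a Feodo-style
# trojan has added two fields the bank never asks for (constructed sample).
OBSERVED_PAGE = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <label>ATM PIN</label><input type="password" name="pin">
  <label>Social security number</label><input type="text" name="ssn">
  <input type="hidden" name="session_nonce" value="abc123">
  <input type="submit" value="Log in">
</form>
"""

if __name__ == "__main__":
    for action, name, kind in injected_fields(REFERENCE_PAGE, OBSERVED_PAGE):
        print(f"injected field: name={name!r} type={kind!r} posted to {action!r}")
```

The comparison is keyed on the form action as well as the field name, so a trojan that leaves the fields alone but points the form at a different server is caught by the same check. The reference copy must come from an uninfected machine (or be fetched server-side), since the whole point of the attack is that the infected browser cannot be trusted to show the real page.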

Friday, October 15, 2010

Information Security Strategy Generator

I don't usually post sites with swearing all over them, but this one was too good to pass by.

The site whatthefuckismyinformationsecuritystrategy.com automagically generates realistic sounding security strategies. Just hit reload to generate a new one. They pay people good money to come up with these kinds of statements.

I got this: Monitor vendor access and restrict personal use of computing resources by removing admin rights on critical assets

Microsoft Hopelessly Battles with an Angry Dragon Inside Its Own Network

Ok, the headline is exaggerated, but only a bit.

Microsoft's squeaky-tight security was bypassed by hackers who subsequently used their uber-hardened servers to send spam about cheap viagra, penis enlargement, and other services that don't come with a dubious EULA. Oh, and they even launched an attack against an information security blogger.

I can't wait to hear the spin on this one.

Tuesday, October 5, 2010

Antivirus Companies Finally Do Something About Their Own Website Security

In an industry where security companies have gotten rich enough to practice what they preach, you'd expect them to be setting the example when it comes to secure coding practices. It's the age-old story about the cobbler's kids wearing crappy shoes.

You would expect security companies to hire coders that have at least the basic knowledge needed to do their jobs securely. How is it that so many such company websites are afflicted with something as blatant as Cross-Site Scripting flaws? What makes this worse is that some of these companies offer secure web hosting, and post bulletins about other companies' security issues! Someone isn't doing their homework.

Some of the companies that should know better: Symantec, Eset, and Panda.

Friday, October 1, 2010

Tired of the crap "news" websites are posting about Stuxnet?

F-Secure has posted a bit of a FAQ to help people interested in understanding the Stuxnet worm issue to get more realistic information, versus the omg-CNN-style garbage that has been going around so far.

Is it targeting Iranian nuclear plants? We don't know.

All this conjecture reminds me of the days when hundreds of STONED virus variants were running rampant, and McAfee started pretending they were totally different, giving them fancy names just to make them sound like different beasts (for example, Michelangelo). The same virus, with 2 or 3 lines changed, suddenly became a totally amazing technological advance hell-bent on the worst possible destruction. Just sayin'...

Blackberry Encryption Cracked

Elcomsoft, the overseas infosec group who seem to be able to break into just about everything, have now cracked the Blackberry encryption mechanism.

It seems like only yesterday when certain freedom-free countries were complaining that they couldn't read Blackberry messages sent by their own hostile population.

Only 1.7% of sites blocked by Scandinavia's "child-porn" filters are actually child porn

It seems that most of the sites on the anti-kiddyporn filters are simply fake. As well, they found that simply reporting sites that have kiddy porn, instead of blocking and ignoring them, got them immediately removed at the ISP level.

Which leaves the author of this story wondering what the list is for in the first place, since it is so easy to get the sites removed.

This is the same type of lip service that has been keeping the antivirus industry alive for years. It doesn't matter that 90% of the functionality claims are useless for absolutely everything except marketing.

Friday, September 24, 2010

First Worm To Deliberately Attack SCADA Systems Found

In June, Belarus antivirus company VirusBlokAda reported a new bug with some interesting features. The Stuxnet worm they discovered was programmed to specifically attack industrial control systems, and to reprogram the controllers while hiding the changes from view, using methods almost identical to those used by the stealth viruses of the 1980s and '90s.

The last time someone hacked up a SCADA system like this, it caused a 3 kiloton explosion that was reported as having been the most monumental non-nuclear explosion and fire ever seen from space.

Thursday, September 23, 2010

ZoneAlarm caught using fake antivirus scare tactics

In a world where it's getting harder and harder to tell the good guys from the bad, Checkpoint's ZoneAlarm is now being marketed using the same techniques used by said bad guys. The new scare-tactic ads look so much like the non-professional spam ads we all know and love that their own customers are looking for a more serious vendor to deal with.

Let's see if everyone has learned their lessons and refuses to click on it.

Tuesday, September 14, 2010

Personal Information is Big Business Now

The personal information aggregation industry has grown to the point that companies have sprung up specializing in each aspect of collecting and selling everything they know about you. This goes a lot deeper than simply tracking what web pages you visit, as these companies also monitor what you look at on a web page, mouse movements, your age and sex demographics, and so on.

And you thought Facebook was starting to look intrusive...

Burglars Said to Have Picked Houses Based on Facebook Updates

According to New Hampshire’s WMUR Channel 9 News, three local men, Mario Rojas, Leonardo Barroso and Victor Rodriguez, have burglarized more than 18 homes in the Nashua area of New Hampshire simply by checking status updates on Facebook and then pillaging the houses of victims who announced on the social network that they were not home.

Thursday, September 9, 2010

Twittering Too Much?

The Register posted an article about a bug that could cause Internet Explorer to post tweets just by visiting a website like this one. Of course, since the exploit works by stealing the credentials of other active sessions in your browser, Chris' concept can be tweaked to access just about any site where people tend to stay logged in, such as Facebook or Gmail.

Of course, just about every other browser in existence has already fixed this bug.
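The reason a visit to an unrelated page can act on your Twitter, Facebook or Gmail session is that the session cookie proves who you are, not which page sent the request. The standard server-side defence is to demand something the third-party page cannot obtain: a per-session token embedded in the site's own forms, checked together with the browser-supplied Origin or Referer header. The following Python is an added example of that check, not code from Twitter, The Register or the researcher mentioned above; `SITE_ORIGIN`, the session dictionary and both sample requests are constructed for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical origin of the site being protected (constructed for the example).
SITE_ORIGIN = "https://twitter.example"


def issue_csrf_token(session):
    """Mint a random per-session token, keep it server-side, and return it
    so the page can embed it in its forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_state_changing_request(session, form, headers, site_origin=SITE_ORIGIN):
    """Decide whether a POST that acts on the user's account was initiated by
    our own pages.  Returns (ok, reason).

    Two independent checks: the browser-supplied Origin/Referer must name our
    site, and the submitted form must carry the token we issued.  A page on
    another origin can make the browser send the cookie, but it cannot read
    the token out of our page or forge the Origin header."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "no Origin or Referer header"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != site_origin:
        return False, f"request came from {parts.netloc}, not our site"

    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Two constructed requests against the same logged-in session: one from
    our own page, one triggered by a third-party page the browser visited."""
    session = {"user": "alice"}  # what the session cookie resolves to server-side
    token = issue_csrf_token(session)

    own_page = check_state_changing_request(
        session,
        {"status": "hello world", "csrf_token": token},
        {"Origin": SITE_ORIGIN},
    )
    third_party = check_state_changing_request(
        session,
        {"status": "unwanted tweet"},  # no token: the other page could not read it
        {"Referer": "https://evil.example/page.html"},
    )
    return own_page, third_party


if __name__ == "__main__":
    for label, result in zip(("own page", "third party"), demo()):
        print(f"{label}: {result}")
```

Both checks matter on their own: the token check still holds when a browser strips the Referer header, and the origin check still holds when a token leaks through some other bug, which is the kind of failure the article above describes.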

Thursday, September 2, 2010

Pentagon Going Postal

The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary's computer network overseas. Of course, this doesn't come without a laundry list of issues that have to be dealt with first.

Interesting Out-of-Band Communication Technique

Apparently the Mafia has found a way to communicate with their bosses spending time behind bars. Many sport and music television programs allow viewers to send SMS texts which are then displayed on a scroller at the bottom of the screen. Savvy Mafiosi have been using this function to send status messages to their bosses, who would theoretically be able to watch the game from within their cells.

So when you see messages like "Luigi loved his new cement shoes", you have an idea what may be going on there.

Using a Blackberry in the UAE?

Apparently Arabic blackberries aren't the only devices with neutered security controls.  According to Slate, mobile phone company Etisalat is the digital certificate authority in the UAE. This would allow Etisalat to decrypt any messages relying on their services.

It is worth noting that Etisalat is already known to spy on their Blackberry users, by deliberately keeping copies of all emails passing through the service.

Friday, August 27, 2010

Dumpster Diver Picks The Wrong Time To Dive

A 37-year-old dumpster diver is recovering with serious injuries after he was trapped in the back of a dump truck. No word if he found anything of interest.

Thursday, August 19, 2010

Mailbox Security

A certain university provides a 2 dial pad lock-looking doohicky on their student mailboxes.

Only 2 numbers needed to crack this? Sure key locks are easy to break, but merely shoulder surfing the GIANT CHARACTERS makes a 5-minute brute-force attack overkill.

That, and the manufacturer is clearly a Star Wars fan.

Are You Working With a REAL Security Expert?

The attrition.org website has been posting exposés of security "veterans" who sound like they've been around the block, and seemingly single-handedly invented the information security industry. However, even some of the so-called famous experts are charlatans at best, ripping off their customers and potentially causing them more harm than good.

One example provided is Dr. Ali Jahangiri, whose entire career is so dubious that not only is his resumé in question, entire books that he has "authored" appear to have been entirely plagiarized. Much of the information is so out-of-date that it would only be of interest in a historical sense, if this information weren't already widely available on the Internet for free. Worse, they demonstrate that his Information Policy Templates, which sell for $150 / CD, are all ripped from various places freely available on the Internet, save for 2.

I don't fully agree that everyone on the list is a charlatan, though. For example, professional social engineer Ira Winkler is on the list merely for having a larger-than-life ego. It fails to recognize that extreme self-confidence is a requirement for any social engineer, which makes this hardly a surprise.

What differentiates consultants like Ali from the bad guys? If their credentials don't add up, and their work seems to be ripped off from someone else and repackaged as something new, you may have hired a thief into a position of trust. They haven't only ripped off their sources, they're also stealing your money.

Friday, August 13, 2010

Heartland denies systems involved in new data breach

It seems that Heartland Payment Systems, the company that achieved unwanted celebrity status last year for suffering the largest credit card data breach ever, is back in the news. This time they are spinning out ways to downplay yet another major data breach.

A Heartland spokesperson is suggesting that somebody hacked into a system between Tino's Greek Cafe and Heartland, resulting in numerous fraudulent charges to the customers' credit cards. Jeff Nori, co-owner of Tino's, had plenty to say about the breach.

Thanks to jimmiejaz for the scoop.

Wednesday, August 4, 2010

Lock Picking For Dummies - Part II

It seems there were quite a few more examples of various locks being unlocked in unusual ways at DEF CON this year. Some of these are downright stunning.

Should companies begin to conduct risk analysis and penetration testing on their door lock purchases?

Tuesday, August 3, 2010

One Reason Nobody Trusts Microsoft's Security Controls

Ever wondered why you are always told to buy firewall software, even though your router probably has a firewall built in, and your operating system probably does too?

Ever wondered why you have to pay for antivirus software, even though it would be fairly trivial for the operating system manufacturer to add this by default - or at least alter the obvious weaknesses that make the viruses so rampant on that specific platform in the first place?

Ever wondered why you have to pay for additional privacy controls, even when the operating system claims to have privacy built into the operating system?

Internet Explorer just became less private thanks to Microsoft bowing to the advertising agencies. That's right - they dropped the ball. The ability to mess your screen up with animated advertisements everywhere you look trumps all security and privacy controls, again.

Microsoft is falling behind so badly, next thing you know, they'll be making an iPad clone. I wonder what "new" security issues will come of that.

Lock Picking For Dummies

The humble paperclip seems to be all that's needed to break into anything lately.

Several years ago, Mythbusters found several ways to beat biometric locks that until that episode, had supposedly never been broken before.

Have the companies promoting biometric technologies done their Follow-Up? Of course not.

The Biolock 333 is a $200 piece of crap technology that can be opened quicker with a paper clip than it can be by swiping your finger properly. This is more pathetic than cracking a Kryptonite D-Lock with a Bic Pen. At least a standard lock takes a little longer to crack.

2 thumbs down for this so-called secure product.

Monday, August 2, 2010

A DEF CON speaker was detained at the US border and asked about his involvement with the Wikileaks.org whistle-blowing website. They returned his laptop, but three of his cell phones were confiscated, and will probably never be seen again.

After mentioning this during his presentation (which was about onion routing), he was greeted by FBI agents who hoped to probe him. One of the spooks was quoted as saying "sometimes it's nice to have a conversation to flesh things out."

Friday, July 30, 2010

Trojan Cell Phone Apps

First the iPhone and now Android phones have been the center of attention for trojan applications that collect personal data and send it off to some nefarious foreign server. One of the trojan apps is a simple desktop wallpaper manager.

Ever wondered why some companies have such strict policies about what you may or may not install on  your company-issued cellphone?

Tuesday, July 27, 2010

MoD Squad Loses an Unencrypted Laptop Every Other Day

For the past 2 years, the British Ministry of Defense has been on a losing streak. 120 laptops are known to have been stolen, and 220 more went missing one way or another. Most of them did not use encryption.

What else did they lose?
  • 593 CDs, DVDs and diskettes
  • 215 memory cards
  • 96 USB hard drives
  • 13 cell phones
  • 600,000 records of recruits and potential recruits
In previous years, things were just as bad. Clearly their infosec team should be looking at Follow-Up as a key security Control.

Dell Blames Their Own Staff for Spybot Infected Motherboards

Instead of admitting it was a huge corporate blunder, Dell blames a handful of its workforce, instead of its own processes and governance, for a recent spate of infected server-class motherboards.

Dell claims all infected motherboards have been replaced.

Technician Aboard the BP Oil Rig that Exploded Shut Alarms Off To Avoid Waking Up The Crew

Apparently the system that monitors and controls drilling operations was running Windows, and kept crashing with the famed Blue Screen of Death (BSoD). An alarm that goes off to alert the crew to dangerous levels of combustible gases was shut off to avoid waking anyone up. Aren't BSoDs and alarms meant to wake people up and alert them to problems?

Monday, July 26, 2010

Phishers are getting smarter, and their social engineering has gotten more subtle and harder to detect

A World of Warcraft account could be a gold pot for phishers, depending on the player's achievement. In-game items are in demand and could be sold for real cash value, making WoW accounts a favorite phishing target.

An analyst from our Response Lab recently received an e-mail from Blizzard (the creator of WoW) asking for account verification. At a glance, the e-mail appeared to be coming from a legit source.

This article analyzes some of the newer techniques being employed.

Thursday, July 15, 2010

FBI Raids ‘Electronik Tribulation Army’ Over Witness Intimidation

FBI agents have raided the homes of three alleged members of a hacker gang that harassed a security expert who helped put the group’s leader in jail, according to a recently unsealed search warrant affidavit.

Jesse William McGraw, aka “GhostExodus,” pleaded guilty in May to computer-tampering charges for putting malware on a dozen machines at the Texas hospital where he worked as a security guard. He also installed the remote-access program LogMeIn on the hospital’s Windows-controlled HVAC system.

How Hard Is It To Hack The Country Infrastructure?

Wired have published a very good article refuting hacker claims of being able to "shut off the Internet", and explain why critical infrastructure attacks so rarely succeed.

It is still important to note that critical infrastructure attacks have succeeded before.

Internet Luring - 2 Cases, 2 different outcomes

2 Internet child luring cases that occurred recently ended with 2 very interesting outcomes.

In the first case, a police officer was charged for trying to "communicate with a minor" for some sort of evil deed. The undercover officer who busted him was found to be guilty of luring since the evidence showed that the accused officer repeatedly turned down girls who claimed to be under-aged. In the end, it sounds like the cop harassed him into the communications that occurred, and that in no way did the officer try to "persuade" the apparently under-aged teen.

In the second case, a man is charged with a similar offense for chatting up a 13 year old boy for some extra-curricular grown-up activities. The accused argued that the boy's profile stated that he was 18 years old. However, in chat transcripts, the boy repeatedly told him that he was actually 13. The accused states that he did not believe the boy was under-aged because of *unverified* profile information, and that the boy typed much too fast to be so young.

Isn't it obvious? If you are hitting on someone online, and then they tell you repeatedly that they are under-aged.... isn't that a sign to RUN AWAY FROM THEM? Such acts of willful blindness have rarely convinced the courts, and certainly this one wasn't fooled.

In the first case, the accused appears to have been pressured and entrapped. In the second, the accused seems to have been exercising a textbook case of confirmation bias.

Wednesday, July 7, 2010

Microsoft Officially Out of the Vulnerabilities Loop

Companies have finally started to realize that giving Microsoft free security consulting is losing them money overall.

VUPEN, formerly known as FrSIRT, which used to be a 0-day vulnerability disclosure site, have ceased sending free vulnerability reports to Microsoft to help them fix their security woes. Instead the reports, exploit code, patches, and whatever else they produce go straight to their paying customers, none of whom are Microsoft.

Sunday, June 20, 2010

How Not To Get Scammed

Many skills employed by petty thieves, street scammers and pickpockets are similar to those used by social engineers. For example, they are masters of manipulation, using social pressure, distraction and psychology to dupe people into parting with their money or other belongings.

BBC recently wrote tips on how not to get scammed. The experts cited throughout the article come from the excellent TV series The Real Hustle. This show is mandatory viewing for those interested in how scams are conducted, and certainly demonstrates a lot of overlap with the Social Engineering world.  There's an American version of the show now, but stick to the British one - it is much better, and doesn't come across as a re-enactment.

Thursday, June 17, 2010

An Interesting Lie Detection Method

Forget expensive fMRI-based lie detection or iffy polygraph tests, give your suspect a pencil and paper and get them to draw what happened - a new study suggests their artistic efforts will betray whether they are telling the truth or not.

Wednesday, June 16, 2010

If it can be stolen, someone already has their eye on it

When companies think about theft, they often omit items they feel would not be of interest to outsiders. Because of this, they often leave things in accessible areas, expecting that they will not be stolen or tampered with.

A group of junior high school students recently planted 12 apple trees. Within a few days, 3 of the $100 trees were uprooted and stolen. We can only hope the perpetrators are caught and dealt with appropriately.

While a typical school does not have the resources to protect their students' outdoor projects, corporations should be automatically building mitigation costs into their projects right from the start.

Moral of the story? There is a thief for everything that is left unattended.

Saturday, June 5, 2010

Will your company win the competition? I hope not!

Social engineering has evidently earned a new level of respect from hacker community: For the first time, this year's Defcon gathering in Las Vegas will feature a contest in which participants will compete to gather nuggets of information from unsuspecting target companies -- over the telephone instead of the Internet.

Thursday, June 3, 2010

Do virtual thieves haul their loot in virtual trucks?

A virtual thieving spree could have real life consequences for culprits in Finland, where police are investigating the theft of virtual furniture on a social networking site popular with teenagers.

"Significant amounts of virtual property" were stolen  from around 400 users of the Habbo Hotel virtual hotel, where visitors can create a character for themselves to hang out with friends, take care of virtual pets and furnish their own rooms for a fee, Finnish police said Tuesday.

Can humans be infected by computer viruses?

British scientist Dr. Mark Gasson from the University of Reading inserted a contaminated version of an ID computer chip, normally used to track pets, into his hand to help prove that the chip was able to pass computer viruses on to other external control systems.

Dr. Gasson's chip allows him to pass through security doors and activate his cell phone. It uses ambient electromagnetic energy to transmit data. Through a series of tests, Dr. Gasson was able to show that the chip affects all surrounding computerized systems and if any other implanted chips connect to the system, they too would be damaged by the contaminated chip.

Thursday, May 27, 2010

TV mindreader let off jury duty - because court officials feared he may wreck trial

Drew McAdam's act includes reading thoughts, duplicating drawings done in secret and bending cutlery Uri Geller-style. He turned up at court after being called to sit on a case. But the 54-year-old was sent home after officials recognised him as the human lie detector on Five's Trisha chatshow. A court source said: "Could you imagine being the accused and turning up to find yourself facing The Interrogator?

Wednesday, May 26, 2010

Data Destruction

How many times should a hard drive be overwritten before one can safely assume its data is no longer retrievable?

A lot of shady software vendors tell you that you should overwrite repeatedly with various patterns, such as the 35-pass method created by Peter Gutmann more than 30 years ago. Some of these packages are free, most of them cost some arbitrary amount of money. All of them are a waste of money.

Even Mr. Gutmann stated that any hard drive that came out after the early '90s MFM and RLL drives can simply be overwritten once with random data. Sticking a decommissioned hard drive into any Unix-like box, or booting the system with a live-CD version of Linux, and simply overwriting it with "dd if=/dev/urandom of=/dev/" will do the trick, and it won't cost you anything.
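The single random pass described above is easy to run but rarely verified. The following Python is an added example (not from the post, nor from any of the products it criticises) that does the equivalent of the one-pass `dd` overwrite and then proves the result: it fingerprints every 512-byte sector before the wipe, overwrites the whole target with random data in one pass, fsyncs, and counts any sector whose contents survived. The `demo()` function builds a small disk image full of constructed "payroll" records in a temporary file so the whole thing runs without touching a real drive; the `/dev/` guard and the `allow_device` parameter are this example's own additions.

```python
import hashlib
import os
import tempfile

SECTOR = 512


def sector_digests(path):
    """SHA-256 of every 512-byte sector, used as a before/after fingerprint."""
    digests = []
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR), b""):
            digests.append(hashlib.sha256(chunk).digest())
    return digests


def wipe_once(path, allow_device=False, chunk_size=1 << 20):
    """Overwrite the whole target with random data in a single pass, the same
    thing 'dd if=/dev/urandom of=<target>' does.  Refuses raw devices unless
    the caller says so explicitly, because there is no undo."""
    if path.startswith("/dev/") and not allow_device:
        raise ValueError("refusing to wipe a raw device without allow_device=True")
    with open(path, "r+b") as f:
        fd = f.fileno()
        size = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices alike
        os.lseek(fd, 0, os.SEEK_SET)
        written = 0
        while written < size:
            block = os.urandom(min(chunk_size, size - written))
            f.write(block)
            written += len(block)
        f.flush()
        os.fsync(fd)  # do not report success until the data has left the cache
    return written


def surviving_sectors(path, before):
    """Count sectors whose contents are unchanged from the pre-wipe fingerprint."""
    after = sector_digests(path)
    return sum(1 for a, b in zip(before, after) if a == b)


def demo():
    """Constructed disk image holding fake payroll records; returns the check results."""
    record = b"EMP-0042,Jane Doe,salary=84000\n"  # 31 bytes, constructed sample
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(record * 2000)  # ~62 KB of fake sensitive data
        path = img.name
    try:
        before = sector_digests(path)
        written = wipe_once(path)
        with open(path, "rb") as f:
            leaked = b"Jane Doe" in f.read()
        return {
            "bytes_written": written,
            "sectors_unchanged": surviving_sectors(path, before),
            "plaintext_found": leaked,
            "size_unchanged": os.path.getsize(path) == written,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The before/after fingerprint is the part worth keeping: a wipe that silently stopped short (a wrong device name, a write error, a cache that never flushed) shows up as surviving sectors instead of being assumed done. One caveat the 2010 post predates: this and the `dd` one-liner apply to magnetic disks, where the overwritten sector is the one that held the data; flash-based drives remap blocks behind the interface, so a host-side overwrite can leave old copies in place and the drive's built-in secure-erase command is the right tool there.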

Friday, May 21, 2010

Unbreakable Encryption already Broken

After 10 years of hearing different theories of how quantum mechanics can be used to implement unbreakable encryption, a fellow Canadian has done the deed, and discovered a fairly simple method for deriving the secret keys used in an encrypted communication. It seems appropriate to mention that every time scientists start talking like salesmen, calling their "discoveries" unbreakable, unbeatable, undetectable, etc, someone comes along to prove the theory wrong. Ah well, better luck next time.

IBM hand out free malware at a security conference

Rather pathetic news today. IBM gave away USB sticks at the AusCERT security conference which were infected by a 2-year-old virus that spreads when Windows automagically executes setup.exe / autorun.ini. There's no excuse for such sloppiness, but of course, this will be ignored and brushed under the carpet.

Thursday, May 20, 2010

Lie Detectors seem to work in Cartoon-land

Although it's questionable as to whether lie detectors actually detect lies, or just record varying levels of stress, they clearly work on the Simpsons. In a future post, I'll put together a few links on how to pass the lie detector, whether you are telling the truth or not.

Until then, you can see generally how they work on YouTube.

Artificial Life Breakthrough

In the early 90's, a lot of studies went into artificial life. Are computer viruses alive? The J. Craig Venter Institute have created what appears to be the first Artificial Life entity that is truly alive and functional. Will the bad guys get ahold of this technology and use it to wage bio-warfare on humans like they did with computer viruses and worms on software and the Internet? Possibly. Time will tell if this technology manages to do a few useful things first.

Hacking the Hackers

Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum’s users as well as countless passwords and credit card accounts swiped from unsuspecting victims.

Saturday, May 15, 2010

Bears In A Honey Trap

In the Bible, Delilah seduced Samson in order to discover the source of his super-human strength. When she got what she was after, she sold the information and services to the enemy. The use of sex as a spy technique of compromise is exactly what makes James Bond style movies so fun to watch.

Using sex to dig up secret information is not always the stuff of fiction and mythology. A sexy girl named Katja Gerasimova, who seems to have a sexual affinity for pro-democracy activists, just happens to also be a spy for the Russian government. Once the deed has been done, she posts her raunchy sex and drug exploits on the web in order to expose the activists publicly, making them look like petty criminals and subsequently discrediting their political affiliations.

It isn't only Russia that uses sex to dig up and exploit secret information, but also India, China, Saudi Arabia, Poland, the United States, and so on.

Sunday, May 2, 2010

Fun with Secret Questions

Does your bank allow you to come up with your own "secret question", to be used as authentication when you phone in? Most people who get to create their own questions usually ask the regular things like "Mother's high school nickname" or "Colour of step-brother's best friend's neighbour's dog's nose".

Bruce Schneier, one of the few sane veterans of the internet security industry, has come up with a way to make it a lot more fun. One of my favourite examples:

Q: I've been embezzling hundreds of thousands of dollars from my employer, and I don't care who knows it.
A: It's a good thing they're recording this call, because I'm going to have to report you.

Some of the ideas given in the Comments section are gold.

Friday, April 30, 2010

Dumpster Diving

The term dumpster diving conjures up the image of youngish urban-explorer types with flashlights, digging through garbage bins in search of gold, where the gold includes things such as electronic bits, books, CDs, and that sort of thing. There are even freegans who base their entire lives, including nutrition, on harvesting the massive amounts of edible goods that people throw away every day. You can even buy books that purport to teach the skills necessary to be a better dumpster diver!

However, there is a more nefarious type of dumpster diver: one who steals identities and confidential company data. Companies lose millions and millions of dollars' worth of data every year straight from the garbage bin: hard drives with payroll data, proposal documents, human resource lists, and so on. A grey-hat hacker once reported that he discovered a bag of corporate credit cards in the garbage. A little research showed that the company had just been bought out a few days earlier, so it was likely they had all been issued new cards to reflect the new company name. This same fellow also found, in the same dumpster, a hard drive that he described as "barely working", but after trying the hard-drive freezer trick he managed to recover the human resources and payroll records from the same company that threw out the credit cards. Pretty good catch.

We could make up all kinds of worst-case scenarios about this level of data breach. Every company should develop and uphold a Data Destruction Policy, and use tools and techniques to sanitize their sensitive information before tossing their unused and nonworking hardware. Why make it easy for the bad guy?

Sunday, April 25, 2010

Using Embedded Commands in Social Engineering

Using a technique known as preloading, you can convince someone to think of something, even believing that they came up with the thought independently. The reality is that you purposely implanted the very idea in their memory. I can't get into extreme examples here in a blog format, but you already know that when I tell you do not think of a black cat, you will automatically think of a black cat. The phrase "think of a black cat" is there in the sentence you heard well before you received the reasons you should ignore it.

And statistically, you follow the embedded command without question. You ignore all the negative components and consequences, and only listen to the more simple command: think of a black cat.  You then think of said lap pet animal, and think the person telling you all this is some kind of psychic freak.

This is a very simple example of a type of preloading used by social engineers to get the information or access they are seeking: subtle suggestions crafted to make a person feel they have independently come up with an answer that you planned on them providing.

Earlier tonight I was with friends at a bar, and I got an opportunity to test out a few techniques. We bought raffle tickets. However, we didn't plan on staying long enough for the draw, and I decided to give the tickets to someone else.  We had 3 sequentially numbered raffle tickets, with numbers ending with 2, 3 and 4.  For a little fun and social engineering practice, I played a quick game with the neighbouring table, where the winners win the tickets they correctly choose, and the losers do not. Clever.

I chose to give the valid draw tickets to a group of people if they could guess the last number of the ticket I chose for them. I expected them to get each number in order. That's a 3/4 chance to win once. However I wanted all of them to win.

Here's what transpired. I will refer to F1 and M1, a male and female pair where the female is the mother of the male, and F2 and M2, where the female and male were a couple. I'll be Me. The lady I asked first (F1) said I should ask her son (M1) first.

I held out a ticket toward M1, and I said, "Okay, I have 3 tickets, and there are 4 of you. So 3 of you will properly guess the last digit of each ticket, and one will not. Tell me a number from 1 to 4. The last digit of this ticket."

He said 3, and the ticket in my hand indeed was the one with 3 as the last digit. He accepted said ticket and I then questioned his mother, F1. "You too," I said. "Choose a number."

She said "3". Well, that threw me off a bit, but it's obviously already taken. So I continued: "Ah, you messed it up, that number's already been chosen. M2, what is the first number you thought of?" and he said "2".

I gave him the ticket in my hand, which of course ended in 2, and said to F2, "You have a 50/50 chance. There's only 4 choices, some that have already been chosen."

She chose 4, of course, and I handed her the final ticket, which indeed ended in a 4. They were all delighted, and were now in possession of three draw tickets they didn't have to pay for.

How did I do this so smoothly? Pay attention to the words I used to make sure I got the numbers I was expecting. Tell me a number from one, two... four. You two. There's only four...

The takeaway here? If you tell your users "Don't give your password to strangers", what is the embedded command most likely to be humming around in their subconscious? Please don't post your passwords in the comment section.

Friday, April 23, 2010

Dr. David Matsumoto explains Microexpressions

Lie detection has always sat on the fringe somewhere between science and outright hooha. Regardless of opinion, the point where the theories begin to generate reproducible outcomes is quite interesting. Dr. Matsumoto demonstrates how the conscious brain is a bit slower than the initial response mechanisms: you put on a look of disdain while nodding "yes" to a question, then your conscious mind says "Oh wait, I meant to lie here", forcing you to catch up with a more appropriate expression. These brief lapses of disguise are known as microexpressions.

Learning to spot these sudden shifts in facial expression has been catching on as a new public security trend, and is now even taught to airport personnel. More on this in future posts.

Wednesday, April 21, 2010

Are you smarter than a 3rd grader?

In the '80s, my high school buddy Pob and I used to spend hours, days and weeks getting to know our school's computer network. We were asked to leave our grade 9 class to help teach computer science to the grade 10 students, and similarly to help the grade 11 folks when we were in grade 10. For security purposes, our teacher used a longer password (stationwagon) than the lowest-scoring student (bird).

Instead of punishing kids who realize at such a young age that people use such obvious passwords, it's time to educate them so they get a chance at being the next information security guru. When they're ready, we'll need them.

Study: Frequent password changes are useless

One of the biggest problems with changing passwords too frequently is that users invariably forget the new one. Wouldn't it be nice for administrators if they could simply teach users how to construct a stronger password, and then get them to stick to it? Constantly changing complicated passwords causes users to write them down on sticky notes where others may see them. And if an attacker already has a system's password hashes to crack, they typically already have the access they need to steal data or do whatever else they are up to. Also, once a password has been cracked, the attacker is likely to use it right away, not three weeks down the road, so a rotation that lands weeks later rarely closes the window that matters.

As Microsoft indirectly points out, companies would save enormous amounts of money if they didn't have to dedicate administrative hours to resetting passwords as often as the policy requires them to be changed.

However, the reality is that various industry standards mandate frequent password changes, and the bigger your organization is, the more likely you are bound to one of them. This is unfortunate: a well-meaning policy ends up costing companies more than the risk it supposedly mitigates.
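One concrete way to see why forced rotation buys so little: a user who is made to change a password usually produces a small edit of the old one (bump the number, add a symbol), so an attacker who cracked the previous password needs only a handful of guesses to land on the new one. The script below is an added example written for this post, not code from the post or from any study it refers to; the rotation history and the transform list are constructed assumptions, chosen to mirror the kind of edits people actually make.

```python
"""Added example: how guessable is a user's *next* password, given the old one?

The transform set below (bump a trailing number, append or swap a symbol)
is an assumption for this example; real users add a few more tricks, which
only shortens the attacker's list further.
"""

# Constructed sample rotation history (invented for this example, not real data).
ROTATION_HISTORY = ["Stationwagon1", "Stationwagon2", "Stationwagon3!", "Stationwagon4!"]

TRAILING_SYMBOLS = "!@#$"


def bump_trailing_number(pw):
    """'Pass2' -> 'Pass3', 'Pass09' -> 'Pass10'; None if there is no trailing number."""
    i = len(pw)
    while i > 0 and pw[i - 1].isdigit():
        i -= 1
    if i == len(pw):
        return None
    head, num = pw[:i], pw[i:]
    return head + str(int(num) + 1).zfill(len(num))


def successor_candidates(old):
    """Ordered list of passwords an attacker who knows `old` would try first.

    Order matters: cheaper, more common edits come first so the rank of the
    real successor reflects how many guesses it would cost.
    """
    core = old.rstrip(TRAILING_SYMBOLS)      # password without trailing punctuation
    symbols = old[len(core):]                # the trailing punctuation, if any
    cands = []

    bumped = bump_trailing_number(core)
    if bumped:
        cands.append(bumped + symbols)       # Stationwagon3! -> Stationwagon4!
        cands.extend(bumped + s for s in TRAILING_SYMBOLS)

    cands.extend(old + s for s in TRAILING_SYMBOLS + "12")   # Stationwagon2 -> Stationwagon2!

    if symbols:                              # swap the trailing symbol for another
        cands.extend(core + s for s in TRAILING_SYMBOLS if s != symbols[-1])

    cands.append(old)                        # some systems never check history at all
    return list(dict.fromkeys(cands))        # dedupe, keep order


def guess_rank(old, new):
    """1-based number of guesses needed to reach `new` from `old`, or None if unreachable."""
    cands = successor_candidates(old)
    return cands.index(new) + 1 if new in cands else None


def rotation_audit(history):
    """For each forced rotation, how many guesses the previous password bought the attacker."""
    return [guess_rank(prev, nxt) for prev, nxt in zip(history, history[1:])]


if __name__ == "__main__":
    for (prev, nxt), rank in zip(zip(ROTATION_HISTORY, ROTATION_HISTORY[1:]), rotation_audit(ROTATION_HISTORY)):
        print(f"{prev!r:18} -> {nxt!r:18} guessed on try {rank}")
```

Run it and every rotation in the sample history falls within the first two guesses. The same audit run over a real password history (with the hashes, not plaintext, and proper authorization) is a quick way to measure whether your expiry policy is actually forcing new secrets or just new suffixes.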