Monday, November 21, 2011

Illinois Water Utility Pump Destroyed After Hack

A cyber attack on a Springfield, Ill. public water utility resulted in the destruction of one of its pumps, according to a security expert.

While I would do away with alarmist statements like "This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic", and find it hard to give any amount of credibility to people that make such stupid pronouncements, the situation described in this article points out once again how SCADA systems are still not being treated at the level of sensitivity they should be.

Wednesday, November 16, 2011

Europe Bans X-Ray Body Scanners Used at U.S. Airports

The European Union on Monday prohibited the use of X-ray body scanners in European airports, parting ways with the U.S. Transportation Security Administration, which has deployed hundreds of the scanners as a way to screen millions of airline passengers for explosives hidden under clothing.

The European Commission, which enforces common policies of the EU's 27 member countries, adopted the rule “in order not to risk jeopardizing citizens’ health and safety.”

Police trick 19 criminals into coming forward with free beer

Undercover officers at Derbyshire police sent letters to dozens of people who had evaded arrest asking them to ring a marketing company to collect a free crate of beer.

A total of 19 suspects fell for the hoax and called the number on the letter, which put them through to police officers based at Chesterfield Police Station.

They were told that they needed to arrange a date and time for the free alcohol to be dropped off at an agreed address.

But instead of being handed free ale the wanted men found themselves confronted by police, handcuffed and under arrest.

Tuesday, November 8, 2011

What is Phlashing

Phlashing is a permanent denial of service (DoS) attack that exploits a vulnerability in network-based firmware updates. Such an attack is currently theoretical but if carried out could render the target device inoperable.

Rich Smith, head of HP's Systems Security Lab, discovered the vulnerability and demonstrated the attack at the EUSecWest security conference in June 2008. In a real-world execution, an attacker could use remote update paths in network hardware, which are often left unprotected, to deliver corrupted firmware and flash it to the device. As a result, the device would become unusable.
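The defensive counterpart to the unprotected update path described above is to authenticate every image before a single byte is written to flash, and to refuse rollbacks. The following is an added example and is not code from the page or from HP's research: the image layout (magic, version, length, payload, tag), the use of HMAC-SHA256 as a stand-in for a vendor signature, and the device key are all constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed image layout (hypothetical, not a real vendor format):
#   magic(4) | version(4, big-endian) | payload_len(4) | payload | tag(32)
MAGIC = b"FWIM"
HEADER_LEN = 12
TAG_LEN = 32

# Hypothetical device-side verification key. A shipping device would hold a
# vendor *public* key and check an asymmetric signature; HMAC-SHA256 is used
# here only so the example runs with the standard library alone.
DEVICE_KEY = b"constructed-example-key-not-a-real-secret"


def build_image(version, payload, key=DEVICE_KEY):
    """Vendor side: wrap a payload with a header and an authentication tag."""
    body = MAGIC + struct.pack(">II", version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image, installed_version, key=DEVICE_KEY):
    """Device side: decide whether an image may be written to flash.

    Returns (ok, reason). The tag is checked before any header field is
    trusted, so a corrupted or attacker-supplied image is rejected before
    its contents can influence the update logic."""
    if len(image) < HEADER_LEN + TAG_LEN:
        return False, "truncated image"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "authentication tag mismatch"
    if body[:4] != MAGIC:
        return False, "bad magic"
    version, length = struct.unpack(">II", body[4:HEADER_LEN])
    if length != len(body) - HEADER_LEN:
        return False, "length field does not match payload"
    if version <= installed_version:
        return False, "rollback to version %d refused" % version
    return True, "ok"


def flash(image, installed_version):
    """Gate the (simulated) write behind verification; return (version, status)."""
    ok, reason = verify_image(image, installed_version)
    if not ok:
        return installed_version, reason  # running firmware is left untouched
    new_version = struct.unpack(">I", image[4:8])[0]
    return new_version, "flashed"


if __name__ == "__main__":
    good = build_image(2, b"constructed-firmware-payload")
    tampered = bytearray(good)
    tampered[HEADER_LEN + 3] ^= 0xFF  # one flipped payload byte
    for name, img in (("good", good), ("tampered", bytes(tampered)),
                      ("rollback", build_image(1, b"old")), ("short", good[:20])):
        print(name, flash(img, installed_version=1))
```

The order of checks matters: the tag is verified over the whole body first, so the parser never acts on an unauthenticated length or version field, and a damaged image fails closed with the old firmware still in place.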

Friday, September 30, 2011

Lie Detector Leads to Execution of Innocent Man

Chiang Kuo-ching, a Taiwanese airman was executed in 1997 for the rape and murder of a five-year-old girl. Military investigators tortured a confession out of Chiang after he failed to pass a lie detector “test.” Since then, DNA evidence and a palm-print have incriminated a different person.

Clenching your butt at the wrong time will cause you to appear guilty on a polygraph. It's time to throw this system out with the water dowsers.

Thursday, September 29, 2011

Scientists Can Use WiFi to Count Your Breaths and Spy on You

Wireless networks which measure received signal strength (RSS) can be used to reliably detect human breathing and estimate the breathing rate, an application we call "BreathTaking". Although an individual link cannot reliably detect breathing, the collective spectral content of a network of devices reliably indicates the presence and rate of breathing.
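To show what "collective spectral content" means in practice, here is an added simulation that is not code from the paper's authors: it constructs noisy RSS traces for a set of links, each carrying a tiny breathing-rate sinusoid, computes every link's power spectrum in the human breathing band, and compares the breathing-rate estimate from a single link with the one obtained from the summed spectra of the whole network. All parameters (sample rate, noise level, number of links, the 15 breaths per minute target) are constructed assumptions.

```python
import cmath
import math
import random

FS = 4.0                        # RSS samples per second on every link (constructed)
N_SAMPLES = int(FS * 60)        # one minute of measurements
BAND_BPM = (6, 30)              # plausible human breathing rates to search


def simulate_rss(n_links, breaths_per_min, amplitude_db=0.2, noise_db=1.0, seed=1):
    """Constructed RSS traces: each link carries a tiny breathing-induced
    sinusoid (random phase and gain per link) under noise several times larger."""
    rng = random.Random(seed)
    f_breath = breaths_per_min / 60.0
    links = []
    for _ in range(n_links):
        baseline = rng.uniform(-70.0, -40.0)
        phase = rng.uniform(0.0, 2 * math.pi)
        gain = rng.uniform(0.5, 1.5)
        links.append([
            baseline
            + gain * amplitude_db * math.sin(2 * math.pi * f_breath * t / FS + phase)
            + rng.gauss(0.0, noise_db)
            for t in range(N_SAMPLES)
        ])
    return links


def band_power(samples):
    """|DFT|^2 of one link, restricted to the breathing band; keyed by DFT bin."""
    n = len(samples)
    mean = sum(samples) / n
    centered = [s - mean for s in samples]          # remove the DC baseline
    lo = int(round(BAND_BPM[0] / 60.0 * n / FS))
    hi = int(round(BAND_BPM[1] / 60.0 * n / FS))
    spectrum = {}
    for k in range(lo, hi + 1):
        x = sum(c * cmath.exp(-2j * math.pi * k * t / n) for t, c in enumerate(centered))
        spectrum[k] = abs(x) ** 2
    return spectrum


def estimate_bpm(spectra):
    """Sum the band spectra of the given links and read the peak as breaths/min."""
    total = {}
    for spectrum in spectra:
        for k, power in spectrum.items():
            total[k] = total.get(k, 0.0) + power
    k_peak = max(total, key=total.get)
    return k_peak * FS / N_SAMPLES * 60.0


def compare(n_links=30, true_bpm=15.0):
    """Return (network estimate, fraction of single links that get it right)."""
    spectra = [band_power(link) for link in simulate_rss(n_links, true_bpm)]
    network = estimate_bpm(spectra)
    hits = sum(1 for s in spectra if abs(estimate_bpm([s]) - true_bpm) < 0.5)
    return network, hits / n_links


if __name__ == "__main__":
    est, frac = compare()
    print("network estimate: %.1f breaths/min" % est)
    print("single links correct: %.0f%%" % (100 * frac))
```

The point the simulation makes is the one in the abstract: per link, the breathing peak sits at roughly the noise level and the single-link estimate is often wrong, but noise power is spread evenly across bins while the breathing power adds up in one bin, so the summed spectrum of the network picks the right rate.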

Thursday, September 8, 2011

Award BIOS Flashing Trojan

I used to talk about the possibility of a virus or worm writing boot code on hard drives, or flashing devices with new configurations, or even entirely new code. It seems there is now a trojan out there that does just that. Yes, the site is in Chinese. But it describes a trojan that flashes Award BIOS code to add a few new functions on bootup.

Symantec has more details on how it infects the hard drive Master Boot Record (MBR) and specifically targets and alters the Award BIOS. Other BIOS brands are not affected.

Tuesday, September 6, 2011

Richard Branson lost his memoirs in blaze

Airline tycoon Richard Branson lost his autobiography and 15 years worth of handwritten notes when a fire ripped through his retreat in the British Virgin Islands.

This is a good time to remind everyone that your backups should be stored somewhere well away from the systems they are taken from. Otherwise they can both go up in smoke.

Thursday, August 25, 2011

Ten years later, still the same malware?

At Blackhat2011 during an interview about ESET's recent Global Threat Report, a reporter asked me why we still see very old strains of common, long-detected malware. After all, haven't we detected these threats in the wild for years by now?

Saturday, August 20, 2011

AES crypto broken by 'groundbreaking' attack

Cryptographers have discovered a way to break the Advanced Encryption Standard used to protect everything from top-secret government documents to online banking transactions.

Biclique Analysis allows 2 bits to be knocked off the key, speeding up brute force attacks by up to 5 times.

It still takes a little longer than you'll be around (trillions of years) to crack a 256-bit key this way. But they're well on the way.

Thursday, August 18, 2011

Anonymous is not unanimous

From a Pastebin post titled: Anonymous is not Unanimous.

Anonymous has a perception problem. Most people think we're a group of shadowy hackers. This is a fundamental flaw. Anonymous is *groups* of shadowy hackers, and herein lies the problem. Anonymous has done a lot of good in just the past 9 months. It has helped with other groups in providing aid to people on the ground in countries where "democracy" is a bad word.

The mainstream media needs to understand that Anonymous isn't unanimous. I've yet to see wide scale reporting make this distinction. A destructive minority is getting a majority of the press, while those of us who toil in the shadow doing good work for people at home and abroad go unthanked.

BART protestors didn't spring up out of thin air this week. Protests against BART have been ongoing for years. Where's the media coverage? If the media paid more attention to peaceful protests and general social unrest, I think hackers would be far less inclined to do things such as leaking data just to get the attention of the press.

Finally, hacking isn't just about breaking into web servers and leaking data to the public. Far from it. Hacking is just as much about breaking out of things as it is about breaking into things. Hacking is lifestyle, and a mindset. It is about learning more about the technologies we use and social norms we are subject to.

Don't let the actions of a few skew your perception of hackers as a whole.

@AnonyOps

Sunday, August 14, 2011

Pakistan Let China See Crashed U.S. "Stealth" Helicopter

Pakistan gave China access to the previously unknown U.S. "stealth" helicopter that crashed during the commando raid that killed Osama bin Laden in May despite explicit requests from the CIA not to, the Financial Times reported on Sunday.

Tuesday, August 9, 2011

"Spam King" Surrenders.

Sanford Wallace, a.k.a. "the Spam King," has surrendered to federal law enforcement agents in California. Wallace has been charged with sending millions of spam messages to Facebook users. He allegedly tricked users into submitting their account login details. An estimated 500,000 Facebook accounts were compromised. Once he had access to compromised accounts, he accessed their friends lists and posted junk messages on their walls. Facebook won a US $711 million judgment against Wallace in 2009. Wallace faces charges of electronic mail fraud, intentional damage to a protected computer and criminal contempt. He has been released after posting US $100,000 bail.

I doubt many people are feeling sorry for him.

Sunday, August 7, 2011

Check out The INTRUDER Daily

The INTRUDER Daily is a newspaper style aggregation of information security news. Check it out!

Thursday, June 30, 2011

Software Can Copy Your Keys From A Photograph Taken 200 Feet Away

A new piece of software cleverly titled Sneakey makes it possible to copy keys using nothing more than a photograph, even if that photograph was taken from far away, according to Peter Murray at Singularity Hub.

In one demonstration, the software helped create working keys using a picture taken with a cell phone camera and a picture taken with a telephoto lens over 200 feet away.

Wednesday, June 29, 2011

The Navy Bought Fake Trojanized Chinese Microchips

The Navy Bought Fake Trojanized Chinese Microchips. They weren't only low-quality fakes, they had been made with a "back-door" and could have been remotely shut down at any time. If left undiscovered the result could have rendered useless U.S. missiles and killed the signal from aircraft that tells everyone whether it's friend or foe.

The problem remains with these "trojan-horse" circuits that can be built into the chip and are almost impossible to detect -- especially without the original plans to compare them to.

The Intelligence Advanced Research Projects Agency (IARPA) is now looking for ways to check the chips to make sure they haven't been hacked in the production process.

Is One of the LulzSec Members a Staffer at Facebook?

According to this Pastebin page, one of the LulzSec members is a Facebook staffer.

From the article:

57. Name: Sean Lynch
58. Occupation: Software Engineer at Facebook

The text that follows describes a chat session that ends up exposing the probable identity of group member Joepie91. Oops.

A few other members are identified as well. I keep mentioning to colleagues how hacking has become a sport. I think articles like these, both for and against LulzSec and Anonymous, prove it quite well.

Tuesday, June 28, 2011

Old Style MBR Viruses are Back

Microsoft is telling Windows users that they'll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine's boot sector.

A new variant of a Trojan Microsoft calls "Popureb" digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog.

If this reminds you of the 80's, it should. At least back then you could boot to your DOS rescue disk and type FDISK /MBR to get rid of boot sector viruses. Now that there is too much money to be made off of viruses, I'm sure this command no longer works.

DMCA Takedown

Today we had to send out a DMCA Takedown Notice to a site that has stolen from me and my consulting firm twice in the past. Now we're in for round 3. We aren't sure what kind of nonsense game these charlatans are playing, but this time we decided an immediate takedown at the ISP level was required.

It is impossible to tell how much damage The Management Group have caused their unwitting customers. Even more pathetically, they appear to sell their lies to the US Government. I wonder if there are laws against that.

By openly stealing my content and making false claims about the origin of my published work, these guys do a disservice to all in the Information Security industry, and especially to their customers and partner organizations.

---- letter body follows ----

I am the sole copyright owner of the text content and IP rights being infringed at:

http://www.mgt-gp.com/articles/view/information-security-servicecapabilities
https://www.gsaadvantage.gov/ref_text/GS35F0658N/GS35F0658N_online.htm

The owner of these sites has been asked to remove this content twice in the past. After first claiming that he indeed is the writer of the Offensive Operations Model (A claim falsely repeated throughout the above named websites), the owner said he would remove the content and the fraudulent claims that he is the developer of the model. The Offensive Operations Model is a model I wrote in 1998 and was published by the IEEE in 2004, and is available online from many sites who do properly credit me as the author and developer. The owner of these above referenced sites has no right to abuse my copyrights in this manner. The entirety of text content on these pages was written by myself years before they appeared on these websites. After several phone calls from myself to the owner of these pages, the text disappeared only for a short time, and has at some point resurfaced with nothing more than a cosmetic makeover. This is now my THIRD time approaching these people about the offending content. I am willing to provide absolute proof via the WAYBACK MACHINE on archive.org which demonstrates clearly that the entirety of the text content of these pages was written by myself years before they began appearing on these 2 sites in question. Comparing this way shows the exact month and year that this person began stealing my work. The Offensive Operations Model that this person claims he wrote, is available from the IEEE website, and of course is listed with my name as the author.

Here is a link to an article I wrote about this thievery back in 2006. You will notice the mgt-gp site is specifically referenced. The link I provided no longer works since the owner did change the URLs after I phoned him repeatedly.

http://penetrationtestdotcom.blogspot.com/2006_10_01_archive.html

Please note: At the time I initially caught this person stealing my content, there were 7 other sites infringing my content in the same manner. All sites removed the content without question, save for the owner of these two sites listed above. He is not only cheating me by claiming copyright to the Offensive Operations Model. He also cheats his customers since in our phone conversation in 2006 it was clear he didn't even know really what the Offensive Operations Model was.

This letter is official notification under the provisions of Section 512(c) of the Digital Millennium Copyright Act (“DMCA”) to effect removal of the above-reported infringements. I request that you immediately issue a cancellation message as specified in RFC 1036 for the specified postings and prevent the infringer, who is identified by its Web address, from posting the infringing text and references to the Offensive Operations Model to your servers in the future. Please be advised that law requires you, as a service provider, to “expeditiously remove or disable access to” the infringing content upon receiving this notice. Noncompliance may result in a loss of immunity for liability under the DMCA.

I have a good faith belief that use of the material in the manner complained of here is not authorized by me, the copyright holder, or the law. The information provided here is accurate to the best of my knowledge. I swear under penalty of perjury that I am the copyright holder.

Please send me at the address noted below a prompt response indicating the actions you have taken to resolve this matter. If this DMCA Takedown Notice needs to be sent to any other parties, please let me know who they are.

-----

DMCA takedown template written by attorney Carolyn E. Wright.

Tuesday, June 21, 2011

Amazon's cloud is full of holes

Thomas Schneider, a postdoctoral researcher in the System Security Lab of Technische Universität Darmstadt, said on Monday that Amazon's Web Services is so easy to use that a lot of people create virtual machines without following the security guidelines.

In what they termed the most critical discovery, the researchers found that the private keys used to authenticate with services such as the Elastic Compute Cloud (EC2) or the Simple Storage Service (S3) were publicly published in Amazon Machine Images (AMIs), which are pre-configured operating systems and application software used to create virtual machines.

But the consequences could be expensive: With those keys, an interloper could start up services on EC2 or S3 using the customer's keys and create "virtual infrastructure worth several thousands of dollars per day at the expense of the key holder," according to the researchers.
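A pre-publication check for exactly the kind of leak described above, as an added example (not the Darmstadt group's tooling): it walks an unpacked image root, flags the locations where credentials usually end up when an image is built, and matches private-key and AWS-credential patterns in file contents. The sample image tree, its file contents and the AKIA... values are constructed; the `AKIA` prefix and the credential file paths are the real AWS and OpenSSH conventions.

```python
import os
import re
import tempfile

# Content patterns. Assumption: these are the usual forms leaked credentials
# take; the AKIA prefix is AWS's real access-key-id prefix, the values below
# are made up for this example.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
AWS_SECRET_RE = re.compile(r"aws_secret_access_key\s*=\s*\S+", re.IGNORECASE)


def location_risk(rel):
    """Flag paths where credentials commonly end up when an image is built."""
    base = rel.rsplit("/", 1)[-1]
    if "/.ssh/" in "/" + rel:
        return "file under ~/.ssh (keys or authorized_keys baked into the image)"
    if rel.endswith(".aws/credentials"):
        return "AWS CLI credentials file"
    if base == ".bash_history":
        return "shell history (often contains pasted secrets)"
    return None


def scan_image_root(root):
    """Walk an unpacked image and return {relative path: [reasons]} for every
    file that should be removed, or whose keys rotated, before the image is shared."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            risk = location_risk(rel)
            if risk:
                reasons.append(risk)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(1 << 20)   # first MiB is enough for credential files
            except OSError:
                text = ""
            if PRIVATE_KEY_RE.search(text):
                reasons.append("private key material")
            if AWS_ACCESS_KEY_RE.search(text):
                reasons.append("AWS access key id")
            if AWS_SECRET_RE.search(text):
                reasons.append("AWS secret access key")
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_image():
    """Constructed image root with the kinds of leftovers the research describes."""
    root = tempfile.mkdtemp(prefix="ami-sample-")
    files = {
        "home/admin/.ssh/id_rsa":
            "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNotARealKey\n"
            "-----END RSA PRIVATE KEY-----\n",
        "home/admin/.ssh/authorized_keys":
            "ssh-rsa AAAAB3constructedNotARealKey admin@build-host\n",
        "root/.aws/credentials":
            "[default]\naws_access_key_id = AKIAEXAMPLE0000000AB\n"
            "aws_secret_access_key = constructed/NotARealSecret\n",
        "root/.bash_history":
            "aws s3 ls\nexport AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000CD\n",
        "etc/motd": "Welcome to the constructed sample image\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_image_root(build_sample_image()).items()):
        print(rel, "->", "; ".join(reasons))
```

A leftover `authorized_keys` is flagged alongside the private keys on purpose: it contains no secret, but it lets whoever built the image log in to every instance anyone launches from it.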

Anonymous steals 10,000 Iranian government emails, plans DDoS attack

After hacking into the Iranian Government email sites and procuring 10,000 officials' email addresses and their associated emails, Anonymous is planning a full day of DDoS attacks to mark the election day anniversary.

'LulzSec suspect' arrested by New Scotland Yard

New Scotland Yard has confirmed that it has arrested a 19-year-old suspected hacker in Essex, UK, in connection with a series of hacks and denial-of-service attacks against a number of organisations.

It is being widely speculated that the arrest is in connection with the high-profile attacks by the LulzSec hacking group, which has claimed amongst its victims Sony, the CIA, the FBI, and the Serious Organised Crime Agency (SOCA).

Monday, June 20, 2011

Japan Criminalizes Creation, Acquisition or Storage of Computer Viruses

A new law in Japan makes creation or distribution of a computer virus without reasonable cause punishable by up to three years in prison, and acquisition or storage of a virus punishable by up to two years.

I am not sure how stringent their definition of "reasonable cause" is in this case, but it sounds like a good start.

Sunday, June 19, 2011

Quantum Cryptography Not All It's CRACKED Up To Be.

This story is an easy-to-read, easy-to-understand description of a flaw in quantum cryptography that allows an observer to determine the quantum key. Until now, this was theoretically impossible. If my 20 years in information security have taught me one thing, it is that hackers love impossibilities.

Saturday, June 18, 2011

The Amazing Orgasm Facebook scam

Sophos details the latest Facebook social engineering attack. A link purporting to be a woman having an exceptionally enthusiastic orgasm turns out to be a series of survey questions that, once completed, make money for someone apparently in Finland. You'll never get to see the video. The survey questions are of the same ilk you find in connection with fake torrents.

Cleverly, the Age Verification prompt asks if you are above the age of 18 with the word "Jaa" written on the button. While Jaa appears to mean "Yes", it is actually Finnish for "Share". The trouble begins right about there.

PC World Confuses LulzSec with Batman

Why on earth is PC World thanking LulzSec? This article is far too similar to subplots in the Batman or Spiderman movies. Talk about mixed messages... PC World has lost any credibility they may have once had.

Read this article for a more appropriate response to LulzSec's behavior.

Con artists pose as security companies in growing scam

Criminals posing as computer security engineers are having success in calling victims at home and stealing their money, according to a survey issued Thursday by Microsoft. Fifteen percent of 7,000 computer users polled in the United States, Canada, U.K. and Ireland said they have been contacted by a phone scammer, and 22 percent of those were tricked into following the fraudsters' directions, which included giving them remote access to a computer or providing credit card information. Seventy-nine percent of those suffered a financial loss as a result. Victims were out an average $875 in the United States, the survey found.

Thursday, June 2, 2011

Hackers stole secret Canadian government data

Hackers who attacked two of Canada's federal departments stole classified information before being discovered last January.

Hackers sent malicious emails to staff that appeared to be coming from senior managers. When staff opened the attachments, hackers found a path into the federal network, providing access to classified information.

The linked article contains a chronology of the attack.

Saturday, April 9, 2011

Hacking ATM Users by Gluing Down Keys

Apparently thieves have begun gluing down the "Enter", "Cancel" and "Clear" buttons on certain bank machines. The guise is simple - some ATM machines also have a touch-screen display. If the customer is unaware of this, or just not thinking too clearly, they may enter the PIN, and then, not getting the results they expected, figure that the machine is broken. They then leave the machine unattended. The thief then presses the "Enter" equivalent on the touch screen, takes the money, and runs.

Condé Nast scammed out of $8 million with single spear phishing email

Condé Nast - the company that publishes popular magazines such as Vogue, GQ, Architectural Digest, Wired, Vanity Fair, and many others - has been nearly defrauded of almost $8 million with a single, well-crafted spear phishing email.

The perp was caught, but this case demonstrates how the proper use of reconnaissance can lead to an efficient, yet devastating attack.

Tuesday, March 8, 2011

Nexus S Android Sniffs and Emulates RFID tags

The Nexus S Android phone is capable of reading and emulating RFID. An application called FareBot demonstrates how the phone could be used to emulate RFID fare cards. This apparently could make it cheaper and more convenient for transit riders. However, the software's author also points out how many of these cards keep trip records in clear-text. This creates a bit of a privacy issue since it is so easy for this software to read cards from people who merely happen to walk close enough to you.

Currently FareBot can parse and display balance and trip history information from Seattle’s ORCA card, and can dump raw data from any other MIFARE DESFire card including San Francisco’s Clipper card. FareBot is open-source and designed to be flexible so that hopefully other developers will add support for other types of cards.

Friday, March 4, 2011

The HBGary story keeps getting more and more interesting

Another PDF file today - But well worth the read. The more we witness the fallout from Anonymous' exploits, the more interesting it gets.

According to a letter signed by 20 members of congress, HBGary and a law firm conspired to sabotage critics of the US Chamber of Commerce - namely U.S. Chamber Watch, Change to Win, the Center for American Progress, the Service Employees International Union, and others. In their attempt to halt free speech, it seems HBGary and their crew of goons may have carried out, or at least conspired to carry out actions that violate Federal law: Forgery, Mail and Wire Fraud, and Fraud and Related Activity in Connection With Computers.

During a recent password audit

During a recent password audit, it was found that someone was using the following password:
"MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"

When asked why she had such a long password, she said she was told that it had to be at least 8 characters long and include at least one capital.

I don't usually post jokes, but I think this is the first infosec joke I've ever heard. Feel free to post or send along some more if you know a good security joke.

Wednesday, March 2, 2011

Apparently all today's Infosec news is a result of Anonymous' exploits

The servers at Morgan Stanley were broken into. I bet you already guessed it was the Chinese yet again.

It's getting very fashionable to blame the Chinese for most hacks against American computer systems these days. But this is news for an actually interesting reason. We would not have known about it if it wasn't for the emails Anonymous exposed from a company humorously referred to in media as "a cyber-security company working for the bank." Whoever they might have been.

Leaked emails seem to be the current source of daily news these days. It sure is more interesting than watching CNN.

Saturday, February 26, 2011

Hacking group infiltrates gas companies, hangs around for a while

An amateur Chinese hacking group infiltrated several of the world's largest petrochem companies (BP, Exxon Mobil, Shell, and others). McAfee, no stranger to creating cute names for anything that can bring them a little media, dubbed the attack "The Night Dragon", and says they were "very unsophisticated" and "incredibly sloppy". They admit that the group has pwned the systems in question for as long as 5 years. And how were these naive slow-witted clods able to maintain their pwnership of said systems with McAfee on hand monitoring them? McAfee, in their infamous defeatist style, suggest the reason is that "the environments and security controls these days are so complex it is very easy for them to slip under the radar of visibility".

Really, McAfee? Maybe we should all just give up now then. Perhaps the reality is that the petrochem industry simply do not have their security controls in check, with knowledgeable people supporting an effective set of standards, policies and procedures. Someone's been paying a lot of money for McAfee to hang around doing nothing but watching a bunch of Chinese kids hacking their customers' network.

In the 3 years McAfee has been monitoring them, all they can really say about them is that the "sloppiness" that exposed the hackers' Asian heritage was the use of known Chinese hacker tools, and the attacks all occurring during Beijing's 9-5 business hours. Brilliant sleuthing!

Surely they could have fixed the security issues instead, and helped build them a real security-capable governance team. How about putting a stop to the attack back in 2009 when it was discovered, instead of waiting for the story to become newsworthy?

I call it a failure for both McAfee and the PetroChem industry.

Creator of the fake water-witching bomb buster has finally been arrested

Get this. Some guy converts a Star Trek water gun with a wobbly antenna into a water dowsing rod meant to sniff out bombs and anything else you want it to. And the forces in Iraq spend $120M to purchase these useless toys, jeopardizing the lives of all who were forced to put their belief in woo ahead of their will to live.

Well that guy has finally been arrested. That this device was known to be useless pretty much from the moment it was first publicized says a lot about military spending.

Tuesday, February 22, 2011

Why Penetration Testers Need To Remember The Good Old Days

As a penetration test trainer to Fortune 500 companies, I often see a few students in the class phase out and stare off with glossy-eyed disinterest when I cover legacy systems and protocols. Examples of these "boring" topics include Windows NT, WEP, and ancient attacks like the 'Ping of Death'. They ask me "Why do we need to learn this stuff when it was fixed years ago?"

The answer is simple: History repeats itself. Just like these students aren't interested in learning from the past, there is a world of developers out there that exhibit the same disinterest. They're churning out vulnerable code with all kinds of old-school vulnerabilities, and the testers, having also slept through that part of the class, barely know how to detect them.

A subject I almost never see covered in Penetration Test / Hacking type courses in general, is the lowly modem. The rationale seems to be that modems are rarely used within the corporate environment, and when they are, a VPN is deployed. VPN security is well understood, and most (definitely not all) companies that use VPN do utilize them reasonably well. But the VPN does not cover all the layers. The modem is still just as vulnerable to attack as always.

To demonstrate why ignoring technical pieces of our computing legacy is tragic, one just has to look at a recent case in New Hampshire. Asu Pala resurrected an ancient idea: use malware to reconfigure modems to dial through a premium rate service.

The damage? In the nearly 5 years his attack ran, Pala made himself a neat $8 million.

The fact is, old equipment and operating systems abound on the Internet, and they nearly always can be found even within organizations who push policies on eradicating them. On top of that, younger developers who do not know their security history tend to repeat the mistakes that were made before their time.

0-day attacks nearly always have some relationship to the old attacks that we like to think don't occur anymore. Penetration testers who are not acquainted with the legacy security issues are likely to be blind to them when they occur.

Canadian Dept of Finance almost knocked over by Chinese Hackers

Chinese hackers gained control of senior exec systems within the Canadian Department of Finance. Some systems remain offline until the investigation is completed. CSIS is apparently on the job, and have been warning them for some time about the threats and risks.

It probably comes as no surprise that since the attack originated in China, the first responders immediately accused the Chinese government. Apparently they believe the millions of Chinese hackers all hack in support of their governing body. Jumping to conclusions in order to make a good news story is hardly a way to bolster relationships between the two governments.

Sunday, February 20, 2011

God Hates Lousy Hackers

As much as I hate PDF files, this one is worth your time.

Westboro Baptist Church has openly challenged notorious Anonymous hackers to BRING IT! In their famous rambling style, the church sees any attack from Anonymous on their websites as a way to promote Westboro's message in the media.

Doesn't publicly requesting a group of hackers to hack your web sites instantly make it legal for them to do so?

Wednesday, February 16, 2011

HBGary pretty much calls it quits

The backlash caused by Anonymous' release of HBGary emails has caused the security consulting firm to cancel public speaking engagements and shut down their trade-show booth. I'm sure security companies all over the world are checking their own security posture and avoiding saying really stupid things in public.

And we're back!

My apologies for being offline the past few months. I was dealing with surgery and recovery. I'm all good now, and will resume updating this blog. W00t!!