Showing posts with label spying. Show all posts

Monday, November 11, 2013

Gen Y workers OK with flouting cloud, byod policies

IT World Canada has an interesting article on an issue a lot of my customers have been asking about lately:

Corporate IT administrators may have more to worry about than just the wave of smart watches, Google glasses and other wearable computing devices that could flood the enterprise soon. A recent survey of indicates that more than half of Generation Y workers are prepared to contravene corporate bring your own device and cloud computing policies if it cramps their personal and professional computing and social networking activity.


Tuesday, March 20, 2012

Communication costs in Canada about to skyrocket

Warrantless spying is about to cause Canada's already too high price of communications to skyrocket. Thanks Stephen Harper. Now even the police are getting greedy.

The Pwn Plug is a little white box that can hack your network

Built by a startup company called Pwnie Express, the Pwn Plug is pretty much the last thing you ever want to find on your network—unless you've hired somebody to put it there. It's a tiny computer that comes preloaded with an arsenal of hacking tools. It can be quickly plugged into any computer network and then used to access it remotely from afar. And it comes with "stealthy decal stickers"—including a little green flowerbud with the word "fresh" underneath it, that makes the device look like an air freshener—so that people won't get suspicious.

Monday, February 27, 2012

FBI turns off 3,000 GPS trackers after Supreme Court ruling

Andrew Weissmann, general counsel for the FBI, has announced that his agency is switching off thousands of Global Positioning System-based tracking devices used for surveillance after a Supreme Court decision last month. Weissmann made the statement during a University of San Francisco School of Law symposium on communications privacy this past Friday.

Monday, November 21, 2011

Illinois Water Utility Pump Destroyed After Hack

A cyber attack on a Springfield, Ill. public water utility resulted in the destruction of one of its pumps, according to a security expert.

While I would do away with alarmist statements like "This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic", and find it hard to give any amount of credibility to people that make such stupid pronouncements, the situation described in this article points out once again how SCADA systems are still not being treated at the level of sensitivity they should be.

Thursday, September 29, 2011

Scientists Can Use WiFi to Count Your Breaths and Spy on You

Wireless networks which measure received signal strength (RSS) can be used to reliably detect human breathing and estimate the breathing rate, an application we call "BreathTaking". Although an individual link cannot reliably detect breathing, the collective spectral content of a network of devices reliably indicates the presence and rate of breathing.

Thursday, June 30, 2011

Software Can Copy Your Keys From A Photograph Taken 200 Feet Away

A new piece of software cleverly titled Sneakey makes it possible to copy keys using nothing more than a photograph, even if that photograph was taken from far away, according to Peter Murray at Singularity Hub.

In one demonstration, the software helped create working keys using a picture taken with a cell phone camera and a picture taken with a telephoto lens over 200 feet away.

Wednesday, June 29, 2011

The Navy Bought Fake Trojanized Chinese Microchips

The Navy Bought Fake Trojanized Chinese Microchips. They weren't only low-quality fakes, they had been made with a "back-door" and could have been remotely shut down at any time. If left undiscovered the result could have rendered useless U.S. missiles and killed the signal from aircraft that tells everyone whether it's friend or foe.

The problem remains with these "trojan-horse" circuits that can be built into the chip and are almost impossible to detect -- especially without the original plans to compare them to.

The Intelligence Advanced Research Projects Agency (IARPA) is now looking for ways to check the chips to make sure they haven't been hacked in the production process.

Sunday, June 19, 2011

Quantum Cryptography Not All It's CRACKED Up To Be.

This story is an easy-to-read, easy-to-understand description of a flaw in quantum cryptography that allows an observer to determine the quantum key. Until now, this was theoretically impossible. If my 20 years in information security have taught me one thing, it is that hackers love impossibilities.

Thursday, June 2, 2011

Hackers stole secret Canadian government data

Hackers who attacked two of Canada's federal departments stole classified information before being discovered last January.

Hackers sent malicious emails to staff that appeared to be coming from senior managers. When staff opened the attachments, hackers found a path into the federal network, providing access to classified information.

The linked article contains a chronology of the attack.

Tuesday, March 8, 2011

Nexus S Android Sniffs and Emulates RFID tags

The Nexus S Android phone is capable of reading and emulating RFID. An application called FareBot demonstrates how the phone could be used to emulate RFID fare cards. This apparently could make it cheaper and more convenient for transit riders. However, the software's author also points out how many of these cards keep records of trip information in clear-text. This creates a bit of a privacy issue since it is so easy for this software to read cards from people who merely happen to walk close enough to you.

Currently FareBot can parse and display balance and trip history information from Seattle’s ORCA card, and can dump raw data from any other MIFARE DESFire card including San Francisco’s Clipper card. FareBot is open-source and designed to be flexible so that hopefully other developers will add support for other types of cards.

Friday, March 4, 2011

The HBGary story keeps getting more and more interesting

Another PDF file today - But well worth the read. The more we witness the fallout from Anonymous' exploits, the more interesting it gets.

According to a letter signed by 20 members of Congress, HBGary and a law firm conspired to sabotage critics of the US Chamber of Commerce - namely U.S. Chamber Watch, Change to Win, the Center for American Progress, the Service Employees International Union, and others. In their attempt to halt free speech, it seems HBGary and their crew of goons may have carried out, or at least conspired to carry out actions that violate Federal law: Forgery, Mail and Wire Fraud, and Fraud and Related Activity in Connection With Computers.

Saturday, February 26, 2011

Hacking group infiltrates gas companies, hangs around for a while

An amateur Chinese hacking group infiltrated several of the world's largest petrochem companies (BP, Exxon Mobil, Shell, and others). McAfee, no stranger to creating cute names for anything that can bring them a little media, dubbed the attack "The Night Dragon", and says they were "very unsophisticated" and "incredibly sloppy". They admit that the group has pwned the systems in question for as long as 5 years. And how were these naive slow-witted clods able to maintain their pwnership of said systems with McAfee on hand monitoring them? McAfee, in their infamous defeatist style, suggest the reason is that "the environments and security controls these days are so complex it is very easy for them to slip under the radar of visibility".

Really, McAfee? Maybe we should all just give up now then. Perhaps the reality is that the petrochem industry simply do not have their security controls in check, with knowledgeable people supporting an effective set of standards, policies and procedures. Someone's been paying a lot of money for McAfee to hang around doing nothing but watching a bunch of Chinese kids hacking their customer's network.

In the 3 years McAfee has been monitoring them, all they can really say about them is that the "sloppiness" that exposed the hackers' Asian heritage was the use of known Chinese hacker tools, and the attacks all occurring during Beijing's 9-5 business hours. Brilliant sleuthing!

Surely they could have fixed the security issues instead, and helped build them a real security-capable governance team. How about putting a stop to the attack back in 2009 when it was discovered, instead of waiting for the story to become newsworthy?

I call it a failure for both McAfee and the PetroChem industry.

Tuesday, February 22, 2011

Canadian Dept of Finance almost knocked over by Chinese Hackers

Chinese hackers gained control of senior exec systems within the Canadian Department of Finance. Some systems remain offline until the investigation is completed. CSIS is apparently on the job, and has been warning them for some time about the threats and risks.

It probably comes as no surprise that since the attack originated in China, the first responders immediately accused the Chinese government. Apparently they believe the millions of Chinese hackers all hack in support of their governing body. Jumping to conclusions in order to make a good news story is hardly a way to bolster relationships between the two governments.

Friday, October 1, 2010

Tired of the crap "news" websites are posting about Stuxnet?

F-Secure has posted a bit of a FAQ to help people interested in understanding the Stuxnet worm issue to get more realistic information, versus the omg-CNN-style garbage that has been going around so far.

Is it targeting Iranian nuclear plants? We don't know.

All this conjecture reminds me of the days when hundreds of STONED virus variants were running rampant, and McAfee started pretending they were totally different, and gave them fancy names just to make them sound like different beasts (for example, Michelangelo). The same virus, with 2 or 3 lines changed, suddenly became a totally amazing technological advance hell bent on the worst possible destruction. Just sayin...

Blackberry Encryption Cracked

Elcomsoft, the overseas infosec group who seem to be able to break into just about everything, have now cracked the Blackberry encryption mechanism.

It seems like only yesterday when certain freedom-free countries were complaining that they couldn't read Blackberry messages sent by their own hostile population.

Friday, September 24, 2010

First Worm To Deliberately Attack SCADA Systems Found

In June, Belarus antivirus company VirusBlokAda reported a new bug with some interesting features. The Stuxnet worm they discovered was programmed to specifically attack industrial control systems, and reprogram the controllers to hide the changes from view using methods almost identical to those used in 1980's - 90's stealth viruses.

The last time someone hacked up a SCADA system like this, it caused a 3 kiloton explosion that was reported as having been the most monumental non-nuclear explosion and fire ever seen from space.

Tuesday, September 14, 2010

Burglars Said to Have Picked Houses Based on Facebook Updates

According to New Hampshire’s WMUR Channel 9 News, three local men, Mario Rojas, Leonardo Barroso and Victor Rodriguez, have burglarized more than 18 homes in the Nashua area of New Hampshire simply by checking status updates on Facebook and then pillaging the houses of victims who announced on the social network that they were not home.

Thursday, September 2, 2010

Using a Blackberry in the UAE?

Apparently Arabic Blackberries aren't the only devices with neutered security controls. According to Slate, mobile phone company Etisalat is the digital certificate authority in the UAE. This would allow Etisalat to decrypt any messages relying on their services.

It is worth noting that Etisalat is already known to spy on their Blackberry users, by deliberately keeping copies of all emails passing through the service.

Thursday, August 19, 2010

Are You Working With a REAL Security Expert?

The attrition.org website has been posting exposés of security "veterans" who sound like they've been around the block, and seemingly single-handedly invented the information security industry. However, even some of the so-called famous experts are charlatans at best, ripping off their customers and potentially causing them more harm than good.

One example provided is Dr. Ali Jahangiri, whose entire career is so dubious that not only is his resumé in question, entire books that he has "authored" appear to have been entirely plagiarized. Much of the information is so out-of-date that it would only be of interest in a historical sense if this information wasn't already widely available on the Internet for free. Worse, they demonstrate that his Information Policy Templates, which sell for $150 / CD, are all ripped from various places freely available on the Internet, save for 2.

I don't fully agree that everyone on the list is a charlatan, though. For example, professional social engineer Ira Winkler is on the list merely for having a larger-than-life ego. It fails to recognize that extreme self-confidence is a requirement for any social engineer, which makes this hardly a surprise.

What differentiates consultants like Ali from the bad guys? If their credentials don't add up, and their work seems to be ripped off from someone else and repackaged as something new, you may have hired a thief into a position of trust. They haven't only ripped off their sources, they're also stealing your money.