Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

December 6, 2015

Does Your Hello Barbie Have An STD? (IIoT)

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 3:36 pm

[STD = Security Transmitted Disease]

Internet-connected Hello Barbie doll gets bitten by nasty POODLE crypto bug by Dan Goodin.

From the post:

A recent review of the Internet-connected Hello Barbie doll from toymaker Mattel uncovered several red flags. Not only did the toy use a weak authentication mechanism that made it possible for attackers to monitor communications the doll sent to servers, but those servers were also vulnerable to POODLE, an attack disclosed 14 months ago that breaks HTTPS encryption.

The vulnerabilities, laid out in a report published Friday by security firm Bluebox Labs, are the latest black eye for so-called “Internet of Things” devices. The term is applied to appliances and other everyday devices that are connected to the Internet, supposedly to give them a wider range of capabilities. The Hello Barbie doll is able to hold real-time conversations by uploading the words a child says to a server. Instant processing on the server then allows the doll to provide an appropriate response.

Bluebox researchers uncovered a variety of weaknesses in the iOS and Android app developed by Mattel partner ToyTalk. The apps are used to connect the doll to a nearby Wi-Fi network. The researchers also reported vulnerabilities in the remote server used to communicate with the doll.

Insecure baby monitors, hacked dolls are only the leading edges of the Insecure Internet of Things (IIoT).

Dan’s post has the details of the Security-Transmitted-Disease (STD) that can infect Hello Barbie servers and hence the dolls themselves.

When dolls, toys and other devices develop video capabilities, amateur porn will explode on the Insecure Internet of Things (IIoT). With or without the consent of the porn participants.

If you want a secure Internet of Things, avoid the sieve-stacking strategy of current software fixes, which layers broken security software on top of broken software:

(graphic omitted: present IT stack plus security layer)

Software security starts from the bottom of your software stack and goes upward.

For all the wailing of software developers about the inability to have perfect software, realize that SQL injection attacks were the #1 attack in 2013. That is more than fifteen years after the attack was documented.

Don’t buy into the “we can build perfect software” scam. No one is expecting perfect software, just software that doesn’t have 5+ year old flaws in it.

Is that too much to expect?

Heavy civil penalties for 5+ year old bugs in software might help the software industry remember to avoid such bugs.

December 5, 2015

JAERO: Classic Aero SatCom ACARS signals [Alert: Rendition Trackers]

Filed under: Government,Privacy,Security — Patrick Durusau @ 9:28 pm

JAERO: A program to demodulate and decode Classic Aero SatCom ACARS signals by Jonathan Olds.

From the webpage:

JAERO is a program that demodulates and decodes Classic Aero ACARS (Aircraft Communications Addressing and Reporting System) messages sent from satellites to Aeroplanes (SatCom ACARS) commonly used when Aeroplanes are beyond VHF range. Demodulation is performed using the soundcard. Such signals are typically around 1.5 GHz and can be received with a simple low gain antenna that can be home brewed in a few hours in conjunction with a cheap RTL-SDR dongle.

In the advent of MH370, Classic Aero has become a well-known name. A quick search on the net using “Classic Aero MH370” will produce thousands of results. The Classic Aero signals sent from satellites to the Aeroplanes are what JAERO demodulates and decodes.

I am sure rendition trackers have these and even more sophisticated passive tracking capabilities, but I pass this on as a possible starting place for would-be civilian surveillance specialists.

Governments are obsessed with surveillance, so much so that civilians need to return the favor, building passive and distributed systems of surveillance that surpass anything governments can obtain.

It is an interesting hobby to intercept such signals, which are falling in your yard right now, and an even more interesting hobby if you capture those signals and share them with other hobbyists. Perhaps even some data science types who can munge the data to bring out interesting insights. Such as on rendition flights.

A couple of tips: Disguise your external receiving equipment to look like a disgruntled satellite TV subscriber (is there any other kind?). Probably a good idea to not discuss monitoring aircraft or other government activities at the local barber shop.

I’m not a conspiracy theorist about government activities but if they didn’t intend someone harm, then why do they keep secrets? If you think about it, none of the many decried data leaks over the last 50 years have resulted in a single American being harmed.

Some of them were embarrassed and probably should have gone to jail (Oliver North) but for all the conjured harms of data leaks, not one has made a whit of difference.

Makes me wonder if secrecy is a means to conceal incompetence and venal criminal wrongdoing.

You?

Become a Mini-CIA Today!

Filed under: Government,Privacy,Security — Patrick Durusau @ 3:54 pm

New software watches for license plates, turning you into Little Brother by Cyrus Farivar.

From the post:

We now live in a world where if you have an IP-enabled security camera, you can download some free, open-source software from GitHub and boom—you have a fully functional automated license plate reader (ALPR, or LPR).

How very cool!

I know some privacy advocates may be troubled by this development but think of the old adage:

When guns are outlawed, only outlaws will have guns.

Applying that to surveillance:

When surveillance is outlawed, only outlaws will have surveillance.

Yes?

With the OpenALPR software, neighborhoods that see a lot of police violence can track and alert residents to repeat offenders who are entering the area. Or drug dealers, pimps or other scourges of modern urban areas.

And it would be a counter to suddenly malfunctioning dashboard and body cameras worn by the police.

As I have mentioned before, there are far more citizens than government-based agents. If we start surveillance on them, they will have no place to hide and nowhere left to run.

Being IP enabled, you could set up a central monitoring station, possibly sharing information with citizens interested in real time “traffic” information.

PS: If you keep the video or scanning results, be sure it is streamed to a heavily encrypted drive.

December 4, 2015

Leaving Pakistan in the Stone Ages

Filed under: Cybersecurity,Government,Privacy,Security — Patrick Durusau @ 10:47 am

BlackBerry gets bounced from Pakistan after saying no to backdoors by John Zorabedian.

From the post:

BlackBerry is saying “no” to government backdoor access to communications on its services and devices, in actions that speak louder than words.

Earlier this week, BlackBerry announced it is shutting down its operations in Pakistan and will leave the country by 30 December, after refusing to provide Pakistan’s government with backdoor access to its customers’ communications.

Marty Beard, BlackBerry’s chief operating officer, wrote on the company’s blog that the Pakistan Telecommunications Authority told mobile phone operators in July that BlackBerry would no longer be allowed to operate in the country for “security reasons.”

Beard said that Pakistan wanted unfettered access to all emails, BBM messages and other Blackberry Enterprise Service (BES) traffic, but the company refused on principle:

Finally, a viable alternative to bombing countries back into the Stone Ages. Just leave them technologically in the Stone Ages. See how their citizens, businesses, crime lords, etc. feel about that!

If Pakistan was demanding backdoors from BlackBerry, you have to wonder what demands have been made on other communication service providers. Yes?

One hopes that such service providers, including those that control the pipes in and out of Pakistan will take stances like that of BlackBerry.

Would be sad to see Pakistan suddenly go dark on the Web but choices do have consequences. Isolated from the modern communications networks used by other countries, government officials will have lots of time for their paranoid fantasies.

Best prepare for a sudden exit of capital and bright minds from Pakistan once it goes dark. Not altogether sure communications should be restored even if the government changes. Let it stay dark as a lesson about governmental overreaching for the rest of the world.

PS: If you want a less extreme lesson first, cut Pakistan off of the Internet for a week, just as a warning to its government.

December 2, 2015

Signal Desktop beta! [End-to-end encryption] e3

Filed under: Cybersecurity,Government,Privacy,Security — Patrick Durusau @ 2:36 pm

Signal Desktop beta!

From the post:

Today we’re making the Signal Desktop beta available. Signal Desktop brings the trusted private messaging experience of Signal to the desktop, with a simplicity that allows you to seamlessly continue conversations back and forth between your mobile device and your desktop computer.

Private messaging, now with all ten fingers

As always, everything is end-to-end encrypted and painstakingly engineered in order to keep your communication safe – allowing you to send high-quality private group, text, picture, and video messages for free.

(graphic omitted)

Multiple devices, single identifier

Signal Desktop is a Chrome app which links with your phone, so all incoming and outgoing messages are displayed consistently on all your devices. Your contacts don’t have to guess where to message you, and when you switch devices the conversation you started will already be there.

(graphic omitted)

Android devices only, for now

For the initial Signal desktop beta, only linking to Android devices is supported. Follow us on Twitter for updates on when the iOS app supports Signal Desktop.

View source

All of our code is free, open source, and available on GitHub. This allows experts to verify our protocols and our implementations.

Like everything we do at Open Whisper Systems, dedicated development is supported by community donations and grants. Signal Desktop contains no advertisements, and it doesn’t cost anything to use.

Terrorists don’t use encrypted messaging, but that is not a reason for you to avoid end-to-end encryption.

From the How do I help? page:

  • Spread the word – Open WhisperSystems is a collaborative open source project and does not have a dedicated PR department. We rely on our users to help explain the benefits of using our software. Friends don’t let friends send plaintext!
  • Help your fellow users – Join our mailing list and assist new and existing users, or help shape the future of the project by participating in the discussions that are held there. We also appreciate assistance with marking issues as duplicates in our GitHub repos, answering questions that are raised in the form of issues, helping to reproduce bugs while providing additional details, or performing other forms of triage.
  • Contribute code – If you have Android or iOS development experience, please consider helping us tackle some of the open issues in our repositories. Pull requests for new features and functionality are also welcome.
  • Contribute money – BitHub is our experiment in collaborative funding for open source projects. Donating to our BitHub pool provides an additional incentive for developers to contribute their work and time. You can also donate to Open WhisperSystems via the Freedom of the Press Foundation.

The Open WhisperSystems project is where it is today because of your help and support. Thank you!

To market end-to-end encryption, would e3 be a good logo?

Ex. If e3 is banned, only criminals will have e3.

December 1, 2015

New Rule for Software Patches: Don’t Make Things Worse

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:36 pm

Security Advisory: Dell Foundation Services Remote Information Disclosure (II)

From the post:

Dell Foundation Services starts an HTTPd that listens on port 7779. The previous service tag leak was fixed by removing the JSONP API.

However, the webservice in question is still available; it is now a SOAP service, and all methods of that webservice can be accessed, not just the ServiceTag method.

One of the methods accessible is List GetWmiCollection(string wmiQuery) – this returns the results of a given Windows Management Instrumentation (WMI) query, enabling access to information about hardware, installed software, running processes, installed services, accessible hard disks, filesystem metadata (filenames, file size, dates) and more.

Amazing isn’t it?

The post recommends removal of Dell Foundation Services. Same way you cure Adobe Flash security problems.

Ding-Dong! Flash Is Dying!

Filed under: Cybersecurity,HTML5,Security — Patrick Durusau @ 6:47 pm

Flash, HTML5 and Open Web Standards

From the post:

Adobe has a history of pioneering and advancing industry standards. We embrace standards and, where none exist, we create them.

Flash has played a leading role in bringing new capabilities to the web. From audio and animation, to interactivity and video, Flash has helped push the web forward.

Today, open standards like HTML5 have matured and provide many of the capabilities that Flash ushered in. Our customers have clearly communicated that they would like our creative applications to evolve to support multiple standards and we are committed to doing that. So today we are announcing Animate CC, previously Flash Professional CC, which will be Adobe’s premier web animation tool for developing HTML5 content while continuing to support the creation of Flash content. Adobe Animate CC will be available in early 2016. In addition, Adobe will release an HTML5 video player for desktop browsers, which will complement Adobe’s support for HTML5 on mobile. [Visit the Primetime blog for more information].

I didn’t realize we lacked a standard for web insecurity. Certainly Adobe Flash set the standard for maximum cyberinsecurity. I don’t know that I would brag about it.

Adobe says that new standards aren’t mature in “web gaming and premium video” and so will keep promoting Flash for those use cases. I take that to mean standards geeks and implementation experts need to double down in both of those areas.

The sooner Flash is just an unpleasant memory the more secure we will all be in the present.

I first saw this in a Facebook post by Alex Brown.

November 28, 2015

Paris Terrorists and the Kansas City Shuffle

Filed under: Government,Security — Patrick Durusau @ 8:20 pm

The Kansas City shuffle, as described by Mr. Goodkat (Bruce Willis) in Lucky Number Slevin, “is when everybody looks right, you go left.”

The security forces in Paris were victims of a self-inflicted Kansas City shuffle.

Stacy Meichtry and Joshua Robinson detail in: Paris Attacks Plot Was Hatched in Plain Sight how the Paris attackers:

  • used their real names
  • used their real IDs
  • used unencrypted, simple messaging to coordinate

While the Paris attackers were in plain sight, “left,” the Paris security and intelligence services were laboring over electronic debris from innocent civilians, worrying about encrypted messages and other futile and meaningless activities, “right.”

No doubt while preparations for the Paris attack were ongoing, intelligence agencies around the world were laboring to decrypt encrypted messages, mining ever-growing databases composed primarily of electronic debris from innocent civilians, and engaging in other utterly futile and meaningless activities.

Moreover, none, repeat none of the current data mining activities would have identified the Paris terrorists before the attack or have disclosed their plans.

Intelligence agencies have no profile for a terrorist, short of participating in a terrorist attack, and even then, apprehending a known terrorist taxes their capabilities.

Without a useful terrorist profile, all the data mining in the world won’t help intelligence agencies stop terrorist attacks.

If anything, looking “right,” and wasting government funding on more looking “right,” while terrorists go “left,” is as classic a Kansas City shuffle as I can imagine.

Is your police or intelligence agency victimizing itself and you with the Kansas City shuffle?

November 27, 2015

Hello Barbie (Hello NSA) [Barbie Spy edition]

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:43 pm

hello-barbie

‘Hello Barbie’ doll can be hacked, researcher warns by Andrew Blake.

From the post:

Mattel’s “Hello Barbie” is one of the hottest toys this holiday season, but researchers warn that a security flaw that affects the Wi-Fi-enabled doll is capable of quickly turning Christmas into the creepiest time of the year.

Retailing for about $75, the “Hello Barbie” is perhaps the most advanced action figure on the market: between being Wi-Fi-ready and equipped with speech recognition technology, Mattel claims the doll “can interact uniquely with each child by holding conversations, playing games, sharing stories and even telling jokes.”

Take every occasion to teach your children to be cybersecurity aware.

The new ‘Hello Barbie’ toy is the latest in such occasions.

The moral here is that anything you say out loud, even to a seemingly innocent doll, can be captured and used by those who intend you ill.

Watch for post-Christmas stories of holiday “activities” captured by rogue ‘Hello Barbie’ toys.

Who would have thought Americans would pay for the privilege of bugging their own homes? Go figure.


Update: As of 17:00 UTC on November 29, 2015, a popular search engine reports 9,020 “hits” on ‘hijack “hello barbie”‘.

No sales figures have been reported as of yet.

UK – Investigatory Powers Bill – Volunteer Targets

Filed under: Government,Ontology,Security — Patrick Durusau @ 4:53 pm

I saw a tweet earlier today that indicates the drafters of the UK Investigatory Powers Bill have fouled themselves, again.

Section 195, General Definitions (1) has a list of unnumbered definitions which includes:

“data” includes any information which is not data,

However creative the English courts may be, I think that passage is going to prove to be a real challenge.

Which makes me even more worried than I was before.

A cleanly drafted bill that strips every citizen of the UK of their rights presents a well-defined target for opposition.

In this semantic morass, terms could mean what they say, the opposite and also be slang for a means of execution.

Because of the Paris bombings, there is a push on to approve something, anything, to be seen as taking steps against terrorism.

Instead of the Investigatory Powers Bill, Parliament should acquire 5 acres of land outside of London and erect a podium at its center. Members of Parliament will take turns reading Shakespeare aloud for two hours, eight hours a day, every day of the year.

Terrorists prefer high-value targets over low, and so members of Parliament can save all the people of the UK from fearing terrorist attacks.

Their presence as targets will attract terrorists and simplify the task of locating potential terrorists.

Any member of parliament who is killed while reading Shakespeare at the designated location, should be posthumously made a peer of the realm.

A bill like that would protect the rights of every citizen of the UK, assist in the hunting of terrorists by drawing them to a common location and help prevent future crimes against the English language such as are found in the Investigatory Powers Bill. What’s there not to like?

November 25, 2015

MagSpoof – credit card/magstripe spoofer [In Time For Black Friday]

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:49 pm

MagSpoof – credit card/magstripe spoofer by Samy Kamkar.

From the webpage:

  • Allows you to store all of your credit cards and magstripes in one device
  • Works on traditional magstripe readers wirelessly (no NFC/RFID required)
  • Can disable Chip-and-PIN (code not included)
  • Correctly predicts Amex credit card numbers + expirations from previous card number (code not included)
  • Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously
  • Easy to build using Arduino or other common parts

MagSpoof is a device that can spoof/emulate any magnetic stripe or credit card. It can work “wirelessly”, even on standard magstripe/credit card readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card.

Note: MagSpoof does not enable you to use credit cards that you are not legally authorized to use. The Chip-and-PIN and Amex information is not implemented and using MagSpoof requires you to have/own the magstripes that you wish to emulate. Simply having a credit card number and expiration is not enough to perform transactions. MagSpoof does allow you to perform research in other areas of magstripes, microcontrollers, and electromagnetism, as well as learn about and create your own devices similar to other existing, commercial technologies such as Samsung MST and Coin.

Non-legal use of MagSpoof is left as an exercise for the reader.

I first saw this in Four Short Links: 25 November 2015 by Nat Torkington.

November 23, 2015

Cancel Thanksgiving and Christmas Travel Plans (U.S. State Department)

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 7:47 pm

The State Department has issued a “Worldwide Travel Alert” from November 23, 2015 until February 24, 2016.

This is not a joke, or at least the State Department doesn’t consider it to be a joke.

From the Worldwide Travel Alert:

The State Department alerts U.S. citizens to possible risks of travel due to increased terrorist threats. Current information suggests that ISIL (aka Da’esh), al-Qa’ida, Boko Haram, and other terrorist groups continue to plan terrorist attacks in multiple regions. These attacks may employ a wide variety of tactics, using conventional and non-conventional weapons and targeting both official and private interests. This Travel Alert expires on February 24, 2016.

Authorities believe the likelihood of terror attacks will continue as members of ISIL/Da’esh return from Syria and Iraq. Additionally, there is a continuing threat from unaffiliated persons planning attacks inspired by major terrorist organizations but conducted on an individual basis. Extremists have targeted large sporting events, theatres, open markets, and aviation services. In the past year, there have been multiple attacks in France, Nigeria, Denmark, Turkey, and Mali. ISIL/Da’esh has claimed responsibility for the bombing of a Russian airliner in Egypt.

U.S. citizens should exercise vigilance when in public places or using transportation. Be aware of immediate surroundings and avoid large crowds or crowded places. Exercise particular caution during the holiday season and at holiday festivals or events. U.S. citizens should monitor media and local information sources and factor updated information into personal travel plans and activities. Persons with specific safety concerns should contact local law enforcement authorities who are responsible for the safety and security of all visitors to their host country.

The State Department left out a more likely danger, that you are crushed by a coin-operated beverage machine you are trying to cheat out of a drink or treat.

I know that agency budgets are under assault, but asking U.S. citizens to shelter in place, which is what “don’t travel” means, for the next three (3) months is a bit extreme.

Next thing you know, the Department of Homeland Security will start storing grenades and ammunition at every tenth house just in case they are cut off by terrorists from their supply base.

Every agency will try to outdo the others in whipping up fear of terrorists.

Let’s tell the State Department thanks but no thanks for the injection of paranoia into our holiday season.

In fact, the State Department makes it easy for you to send that message:

Call 1-888-407-4747 toll-free in the United States and Canada or 1-202-501-4444 from other countries from 8:00 a.m. to 8:00 p.m. Eastern Standard Time, Monday through Friday (except U.S. federal holidays).

That’s 13:00 UTC until 01:00 UTC the next day, in case you are overseas.

Relevant U.S. federal holidays are: Thanksgiving Day (26 November 2015), Christmas Day (25th December 2015), New Year’s Day (1 January 2016), Martin Luther King, Jr. Day (18 January 2016), George Washington’s Birthday (15 February 2016).

Enjoy your holidays despite terrorists and their cheerleaders in the State Department and press. Imagine how little news coverage terrorists would get if left to their own devices.

Televisions, Furniture and Appliances (TFA) versus Terrorists (TFA is winning)

Filed under: Government,Security — Patrick Durusau @ 3:52 pm

Holiday concerns in the United States should be focused on unstable televisions, furniture and appliances (TFA) rather than terrorists.

The U.S. Consumer Product Safety Commission reports:

…injuries and fatalities associated with television, furniture, and appliance product instability or tip-over.

Of the estimated annual average of 38,000 emergency department-treated injuries (2011–2013) and the 430 reported fatalities occurring between 2000 and 2013 associated with tip-overs, staff noted the following:

Breakdown by victim:

(graphic omitted: breakdown of tip-over injuries and fatalities by victim)

While all levels of government spend $billions on hunting terrorists in the United States and coming up dry (see You Are Safer Than You Think), we know that televisions, furniture and appliances are injuring and killing far more U.S. citizens than terrorists.

Spend a few extra dollars this holiday season and ensure the stability of televisions, furniture and appliances, new or old, in your home. That expenditure will increase your safety measurably more than the $billions being spent by the government on terrorists they can’t seem to find.

Until after the fact of a terrorist attack that is.

Chart and data from: Product Instability or Tip-Over Injuries and Fatalities Associated with Televisions, Furniture, and Appliances: 2014 Report.

November 21, 2015

Manufacturing Terror

Filed under: Government,Security — Patrick Durusau @ 9:19 pm

Manufacturing Terror: An FBI Informant Seduced Eric McDavid Into a Bomb Plot. Then the Government Lied About It by Trevor Aaronson and Katie Galloway.

From the post:

Anna would go on to lead McDavid and two other activists in their 20s in a loose plot to bomb targets in Northern California. Maybe in the name of the Earth Liberation Front. Or maybe not. Fitting for the muddied plot, their motivation was as unclear as their targets. Anna, at the direction of the FBI, made the entire plot possible — providing the transportation, money, and a cabin in the woods that the FBI had wired up with hidden cameras. Anna even provided the recipe for homemade explosives, drawn up by FBI bomb experts. Members of the group suggested, in conversations with her, that they regarded her as their leader.

At trial, McDavid’s lawyer, Mark Reichel, argued that the FBI had used Anna to lure McDavid into a terrorism conspiracy through the promise of a sexual relationship once the mission was complete. “That’s inducement,” Reichel told the federal jury. “That’s entrapment.” The jurors weren’t persuaded, however. In 2007, McDavid was convicted of conspiring to use fire or explosives to damage corporate and government property, and he was sentenced to nearly 20 years in prison, one of the longest sentences given to an alleged eco-terrorist in the United States. At the time of his conviction, the FBI had built a network of more than 15,000 informants like Anna and the government had classified eco-terrorism as the No. 1 domestic terrorism threat — even though so-called eco-terrorism crimes in the United States were rare and never fatal.

Seven years after his conviction, the government’s deceit was finally revealed. Last November, federal prosecutors admitted they had potentially violated rules of evidence by withholding approximately 2,500 pages of documents from McDavid. Among the belatedly disclosed documents were love letters between Anna and McDavid and evidence that Anna’s handler, Special Agent Ricardo Torres, had quashed the FBI’s request to put Anna through a polygraph test, commonly used by the FBI to ensure informants aren’t lying to agents as they collect evidence. The new documents also revealed which of the letters and emails the FBI’s Behavioral Analysis Unit had reviewed before offering instructions on how to manipulate McDavid and guide him toward a terrorist conspiracy.

McDavid was released earlier this year as part of an unusual settlement: He agreed to plead guilty to a lesser charge of general conspiracy in exchange for his immediate release. Yet when his lawyers demanded to know why the government had withheld evidence that had been specifically requested before trial, the government made a veiled threat to throw McDavid back into prison for violating the terms of his plea agreement.

The full story is much longer and makes a great read and a holiday discussion issue.

This is another example of why I advocate a leak upon possession policy.

Whatever protest a government official may make, they may even be telling the truth as known to them, but it doesn’t mean the government isn’t lying to them and via them to the public.

The only way to combat systemic and widespread deception by government is for citizens to obtain concealed information and to leak it for use by other citizens.

November 20, 2015

The History of SQL Injection…

Filed under: Cybersecurity,Security,SQL — Patrick Durusau @ 5:04 pm

The History of SQL Injection, the Hack That Will Never Go Away by Joseph Cox.

From the post:

One of the hackers suspected of being behind the TalkTalk breach, which led to the personal details of at least 150,000 people being stolen, used a vulnerability discovered two years before he was even born.

That method of attack was SQL injection (SQLi), where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data. It’s been used to steal the personal details of World Health Organization employees, grab data from the Wall Street Journal, and hit the sites of US federal agencies.

“It’s the most easy way to hack,” the pseudonymous hacker w0rm, who was responsible for the Wall Street Journal hack, told Motherboard. The attack took only a “few hours.”

But, for all its simplicity, as well as its effectiveness at siphoning the digital innards of corporations and governments alike, SQLi is relatively easy to defend against.

So why, in 2015, is SQLi still leading to some of the biggest breaches around?

SQLi was possibly first documented by Jeff Forristal in the hacker zine Phrack. Back then, Forristal went by the handle rain.forest.puppy, but he’s now CTO of mobile security at cybersecurity vendor Bluebox security.

Joseph’s history is another data point for the proposition:

To a vendor, your security falls under “…not my problem.”
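The attack Joseph describes, reduced to its essentials as an added example (not code from his article or from this blog): a lookup built by string concatenation beside the parameterized form that defeats it, run against a constructed in-memory SQLite table. It also illustrates the point made under “Does Your Hello Barbie Have An STD?” above, that the defence against this decades-old flaw is routine: bind values, never splice them into SQL text.

```python
"""Added example: SQL injection via string concatenation, and the
parameterized query that closes the hole. Data is constructed."""
import sqlite3

# Constructed sample data standing in for the kind of records SQLi
# attacks exfiltrate (email domain is a reserved, non-routable one).
SAMPLE_ROWS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Creates an in-memory database holding the sample customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The bug: the user-supplied value becomes part of the SQL text, so a
    quote character inside it changes the meaning of the statement."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterized query. The driver binds the value as data,
    so it can never be interpreted as SQL, whatever characters it contains."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Runs both lookups with an ordinary username and with the classic
    tautology probe, returning the rows each query produced."""
    conn = make_db()
    probe = "' OR '1'='1"  # turns the WHERE clause into: username = '' OR '1'='1'
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        "probe_vuln": lookup_vulnerable(conn, probe),  # every row comes back
        "probe_safe": lookup_safe(conn, probe),        # no such username: nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```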

Android Smartphone+ for Christmas?

Filed under: Cybersecurity,Security — Patrick Durusau @ 12:59 pm

I say Android Smartphone+ because Swati Khandelwal reports it’s a gift that keeps on giving.

This Malware Can Secretly Auto-Install any Android App to Your Phone

From the post:

Own an Android Smartphone?

Hackers can install any malicious third-party app on your smartphone remotely even if you have clearly tapped a reject button of the app.

Security researchers have uncovered a trojanized adware family that has the capability to automatically install any app on an Android device by abusing the operating system’s accessibility features.

Swati has a video of this remote installation in action. This is not a theoretical hack.

Full Disclosure: I don’t have an iPhone either.

November 18, 2015

State of Georgia Mails Out 6 Million+ SSNs, Birthdays, etc.

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 9:19 pm

In the race to be the most cyberinsecure state government, the Georgia Secretary of State sent out 6 million voter records that included social security numbers and birth dates, along with other information about Georgia voters.

Unlike the Paris attack reporting, all of the foregoing has been verified and even admitted by the Secretary of State’s office.

Georgia: ‘Clerical error’ in data breach involving 6 million voters by Kristina Torres reports:

Two Georgia women have filed a class action lawsuit alleging a massive data breach by Secretary of State Brian Kemp involving the Social Security numbers and other private information of more than six million voters statewide.

The suit, filed Tuesday in Fulton County Superior Court, alleges Kemp’s office released the information including personal identifying information to the media, political parties and other paying subscribers who legally buy voter information from the state.

In response, Kemp’s office blamed a “clerical error” and said Wednesday afternoon that they did not consider it to be a breach of its system. It said 12 organizations, including statewide political parties, news media organizations and Georgia GunOwner Magazine, received the file.

So a “clerical error” doesn’t count as a data breach?

Given that even a sanity check for file size didn’t prevent this breach, leak, clerical error, I have to wonder why they are so certain about the number of organizations that received the file?

And who they may have shared it with since October of 2015?

That’s the other odd fact. The file was sent in October but it takes someone filing a lawsuit in mid-November for the breach, leak, clerical error to come to light?

How’s your state government’s security?

PS: The case details (but not the pleadings) can be found at: http://justice.fultoncountyga.gov/PASupCrtCM/CaseDetail.aspx?CaseID=70749412015CV268170.

Paris: The Power of Unencrypted Vanilla SMS (Network News: You are now dumber…)

Filed under: Cybersecurity,News,Security — Patrick Durusau @ 5:07 pm

After Endless Demonization Of Encryption, Police Find Paris Attackers Coordinated Via Unencrypted SMS by Karl Bode.

From the post:

In the wake of the tragic events in Paris last week encryption has continued to be a useful bogeyman for those with a voracious appetite for surveillance expansion. Like clockwork, numerous reports were quickly circulated suggesting that the terrorists used incredibly sophisticated encryption techniques, despite no evidence by investigators that this was the case. These reports varied in the amount of hallucination involved, the New York Times even having to pull one such report offline. Other claims the attackers had used encrypted Playstation 4 communications also wound up being bunk.

Yet pushed by their sources in the government, the media quickly became a sound wall of noise suggesting that encryption was hampering the government’s ability to stop these kinds of attacks. NBC was particularly breathless this week over the idea that ISIS was now running a 24 hour help desk aimed at helping its less technically proficient members understand encryption (even cults help each other use technology, who knew?). All of the reports had one central, underlying drum beat implication: Edward Snowden and encryption have made us less safe, and if you disagree the blood is on your hands.

You have heard that cybersecurity is too hard for most users?

Apparently cybersecurity is too hard for most terrorists too.

Perhaps we can gauge the progress of terrorist use of encryption by adoption of the same by the OPM?

Another consequence of the Paris attacks is more evidence for the proposition:

Network News: You are now dumber for having heard it.

There was no reason to speculate about how the attackers communicated with each other. Waiting for facts from the police investigation wasn’t going to harm the victims further.

Reporting facts about the Paris attack could have advanced public discussion of the attacks.

We will never know, due to the network-news-generated cloud of mistakes, falsehoods and speculation around such events.


Update: See: Too little too late: The horror of Paris proves the media need to debunk rumours in real time by Claire Wardle.

A delightful piece on how fact-checking in real time isn’t all that difficult. Makes you wonder about the “value-add” of news reporting that doesn’t.

Follow First Draft on Twitter for more coverage on junk news and efforts to stem it.

As I said yesterday in Lies, Damn Lies, and Viral Content [I Know a Windmill When I See One]:

What journalism needs is pro-active readers to rebel against superficial, inaccurate and misleading reporting. Voting with their feet will be far more effective than exhortations to do better.

Unless and until there is economic pain from bad reporting, it is going to continue.

Using Twitter To Control A Botnet

Filed under: Cybersecurity,Security,Twitter — Patrick Durusau @ 10:44 am

Twitter Direct Messages to control hacked computers by John Zorabedian.

From the post:

Direct Messages on Twitter are a way for users to send messages to individuals or a group of users privately, as opposed to regular tweets, which can be seen by everyone.

Twitter has expended a lot of effort to stamp out the predictable abuses of the Direct Message medium – namely spam and phishing attacks.

But now, self-styled security researcher Paul Amar has created a free Python-based tool called Twittor that uses Direct Messages on Twitter as a command-and-control server for botnets.

As you probably know, cybercriminals use botnets in a variety of ways to launch attacks.

But the one thing we don’t quite get in all of this is, “Why?”

Many security tools, like Nmap and Metasploit, cut both ways, being useful for researchers and penetration testers but also handy for crooks.

But publishing a free tool that helps you operate a botnet via Twitter Direct Message seems a strange way to conduct security research, especially when Twitbots are nothing new.

Amusing indignant stance by naked security on yet another tool for controlling botnets.

Notice the “self-styled security researcher” (I guess Anonymous are “self-styled” hackers too) and “…a strange way to conduct security research…,” as though anyone would appoint naked security as security research censor.

Software is neither good nor bad, and the conduct of governments, police departments, corporations and security researchers has left little doubt that presuming a “good side” is at best naive if not fatally stupid.

There are those who, for present purposes, are not known to be on some other side but that is about as far as you can go safely.

You can find a highly similar article at: Tool Controls Botnet With Twitter Direct Messages by Kelly Jackson Higgins, which supplies the link missing from the naked security post:

Twittor is available on Github.

Kelly reports that Amar is working on adding a data extraction tool to Twittor.
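
What a tool like this looks like from the defender’s side, as an added example that is not Twittor’s code and not from either article: a bot that polls Direct Messages for its orders has to contact the same API host on a timer, and that near-constant interval is the observable, because the destination itself is a legitimate site that ordinary clients also use. The block below parses constructed proxy log lines (the addresses, hosts, API path and timestamps are all assumptions) and flags client/host pairs whose contact interval barely varies.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, client IP, destination host, path.
# 10.0.0.5 polls the DM endpoint about once a minute; 10.0.0.7 is a person.
PROXY_LOG = """\
2015-11-18T10:00:00Z 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-18T09:12:10Z 10.0.0.7 api.twitter.com /1.1/direct_messages.json
2015-11-18T10:01:01Z 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-18T09:40:33Z 10.0.0.7 api.twitter.com /1.1/statuses/home_timeline.json
2015-11-18T10:02:00Z 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-18T09:41:00Z 10.0.0.7 api.twitter.com /1.1/direct_messages.json
2015-11-18T10:03:02Z 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-18T10:04:01Z 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-18T10:03:30Z 10.0.0.5 www.example.com /index.html
2015-11-18T11:05:02Z 10.0.0.7 api.twitter.com /1.1/direct_messages.json
2015-11-18T10:04:59Z 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-18T11:06:45Z 10.0.0.7 api.twitter.com /1.1/direct_messages.json
2015-11-18T10:06:00Z 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-18T12:30:00Z 10.0.0.7 api.twitter.com /1.1/direct_messages.json
2015-11-18T10:07:01Z 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-18T10:05:10Z 10.0.0.5 www.example.com /about.html
"""

def parse(lines):
    """Group request timestamps by (client, host); lines need not be in order."""
    events = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, host, _path = line.split()
        events[(src, host)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events

def find_beacons(lines, min_hits=6, max_cv=0.1):
    """Return (client, host, hits, mean_gap_seconds, cv) for pairs whose
    inter-request interval is nearly constant. cv is the standard deviation
    of the gaps divided by their mean: 0 is a perfect timer, a person
    browsing scores near or above 1."""
    results = []
    for (src, host), times in parse(lines).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append((src, host, len(times), round(avg, 1), round(cv, 3)))
    return results

if __name__ == "__main__":
    for hit in find_beacons(PROXY_LOG):
        print("beacon candidate:", hit)
```

A hit is a candidate, not a verdict: a desktop Twitter client refreshing on its own timer produces the same shape, so the next step is to look at what that host does with the responses. Sleep jitter in the implant raises the coefficient of variation, which is why the threshold is a parameter and why longer windows beat short ones.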

November 13, 2015

Bruce Schneier on (Not!) Secure Email

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:01 pm

Bruce Schneier writes:

I have recently come to the conclusion that e-mail is fundamentally unsecurable. The things we want out of e-mail, and an e-mail system, are not readily compatible with encryption. I advise people who want communications security to not use e-mail, but instead use an encrypted message client like OTR or Signal.

From: Testing the Usability of PGP Encryption Tools.

If you need robust security, take Schneier at his word.

The Pentagon’s plan to outsource lethal cyber-weapons

Filed under: Cybersecurity,Law,Security — Patrick Durusau @ 5:51 pm

The Pentagon’s plan to outsource lethal cyber-weapons by Violet Blue.

From the post:

The Pentagon has quietly put out a call for vendors to bid on a contract to develop, execute and manage its new cyber weaponry and defense program. The scope of this nearly half-billion-dollar “help wanted” work order includes counterhacking, as well as developing and deploying lethal cyberattacks — sanctioned hacking expected to cause real-life destruction and loss of human life.

In June 2016, work begins under the Cyberspace Operations Support Services contract (pdf) under CYBERCOM (United States Cyber Command). The $460 million project recently came to light and details the Pentagon’s plan to hand over its IT defense and the planning, development, execution, management, integration with the NSA, and various support functions of the U.S. military’s cyberattacks to one vendor.

Violet’s post will bring you up to date on discussions of cyber-weapons and where a large number of questions remain, such as what law governs cyber-weapons.

It isn’t clear how worried anyone should be at this point because the Pentagon is following its traditional acquisition process for cyber-weapons. Had the Pentagon started hiring top name exploit merchants and hackers, the danger of cyber-weapons would be imminent.

Traditional contracting process? We may have quantum computing long before cyber-weapons from the traditional process pose a threat to by-then-outdated software.

But in all events, do read and pass Violet’s post along.

November 7, 2015

Fed Security Sprint – Ans: Multi-Year Egg Roll

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 8:26 pm

You may recall my post: Cybersecurity Sprint or Multi-Year Egg Roll?.

Back in June 2015, the White House ordered all agencies, via Chief Information Officer Tony Scott, to undertake a 30-day security sprint.

I must report that the FBI didn’t get the memo.

If you want to help the FBI with its security efforts, email or call them with a link to my earlier posting.

I say that because today it was confirmed that the 30-day security sprint is turning into a multi-year egg roll, which was the concluding question in that post.

I read today about Crackas With Attitude (CWA) hacking into the Joint Automated Booking System (JABS) (think FBI and law-enforcement access only).

Swati Khandelwal reports in Hackers have Hacked into US Arrest Records Database:

The hacking group, Crackas With Attitude (CWA), claims it has gained access to a Law Enforcement Portal through which one can access:

  • Arrest records
  • Tools for sharing information about terrorist events and active shooters

The system in question is reportedly known as the Joint Automated Booking System (JABS), which is only available to the Federal Bureau of Investigation (FBI) and law enforcement.

Today is November the 7th and as I track time, we are way past Tony Scott’s 30-day security sprint.

I did check and Tony Scott is still the Chief Information Officer for the United States and recently blogged about federal agencies using strong authentication over 80% of the time.

I guess that information resources like Joint Automated Booking System (JABS) must not be high enough priority to qualify for strong authentication.

Or perhaps Crackas With Attitude (CWA) have broken what the FBI considers to be strong authentication.

Maybe Crackas With Attitude (CWA) will dump raw data to the Dark Web from their hack. Give everyone a chance to see what the FBI considers to be low-value data.

November 5, 2015

#Won’tFlyList – ’til TSA is Gone

Filed under: Government,Security — Patrick Durusau @ 8:09 pm

TSA airport screeners’ ability to detect weapons declared “pitiful” by David Kravets.

From the post:

US lawmakers and federal watchdogs on Tuesday derided the Transportation Security Administration’s ability, or lack thereof, to adequately detect weapons and other contraband during the passenger screening process at the nation’s airports.

“In looking at the number of times people got through with guns or bombs in these covert testing exercises it really was pathetic. When I say that I mean pitiful,” said Rep. Stephen Lynch (D-Mass.), speaking Tuesday during a House Oversight hearing concerning classified reports from federal watchdogs. “Just thinking about the breaches there, it’s horrific,” he added.

Auditors from the Inspector General’s Office, posing as travelers, discovered enormous loopholes in the TSA’s screening process. A leaked classified report this summer found that as much as 95 percent of contraband, like weapons and explosives, got through during clandestine testings. Lynch’s comments were in response to the classified report’s findings.

David cites the testimony of Inspector General John Roth and testimony from Jennifer Grover of the General Accounting Office, both of which detail the appalling depth of TSA incompetence.

A new TSA administrator is quoted as saying the agency is undertaking a “full system review.”

With a 95% failure rate after being in operation for fourteen (14) years (as of November 19, 2015), the time for a “full system review” has long passed.

At a 95% failure rate, abolishing the TSA won’t increase risks to passengers and will in fact save $billions in lost time due to airport security delays.

However, airport security is a well-heeled business and is firmly entrenched.

The best option is to start a #WontFlyList in the social media of your choice and ask frequent and infrequent flyers to volunteer what trips they won’t be taking until ineffectual airport security is removed.

Don’t limit the list to removing the TSA because it will just change its name. No, airport security must be in the hands of the airlines and as minimal as possible.

Threatened with financial ruin, the airlines will activate their lobbyists and circles of friends in Congress. Much more likely to eliminate the TSA root and branch.

My attention was first drawn to David’s article by a tweet from Cory Doctorow.

Some Holiday Spending Money (“bug bounty”)

Filed under: Cybersecurity,Security — Patrick Durusau @ 5:38 pm

Vulnerability Reward Program

From the post:

F-Secure rewards parties who report security vulnerabilities in certain F-Secure products and services, also known as a “bug bounty” program. In order to avoid misunderstandings and ambiguities, we apply the following guidelines; even if lengthy, please read them in their entirety before participating.

We want to hear about any security vulnerabilities in our products and services. In order to reward security researchers, we offer monetary rewards for eligible security vulnerability reports that are disclosed to us in a coordinated way. However, there are certain rules that need to be followed to ensure that your security research does not cause security risk to other users or their data, and to decrease the likelihood that your research would be flagged as a malicious intrusion attempt by our monitoring. We also want to be clear about certain aspects relating to acceptance of reports and payment of rewards in order to avoid any surprises.

A “security vulnerability” is defined as an issue that causes a breach of confidentiality, integrity, or availability of the service or data, or applies to personal data (privately identifiable information) being stored or processed in a way that is not compliant with the current Finnish data protection legislation.

See the post for a list of products that are eligible under the “bug bounty” program.

I reported recently on the $1 million dollar bounty on the iPhone: Justice Department on iPhone Hacking: Call Chaouki Bekrar @Zerodium.

At the other end of the “bug bounty” world, you can find F-Secure, which offers:


The size of the reward is solely determined by an F-Secure team consisting of our technical staff, and is based on the estimated risk posed by the vulnerability. The current reward range is from EUR 100 to EUR 15.000.

If you report several issues that are duplicates in different parts of the service (e.g., the same code running on different nodes or platforms), or part of a larger issue, these may be combined into one and only one reward may be paid.

On the higher end you might get a buzz for a day or two but the rewards aren’t enough to attract serious talent.

On the other hand, you won’t have a lot of competition so perhaps your odds will be marginally better.

Good hunting!

Pentagon Farmed Out Its Coding to Russia [Plus the Sad News]

Filed under: Government,Security — Patrick Durusau @ 3:04 pm

Pentagon Farmed Out Its Coding to Russia by Patrick Malone.

From the post:

The Pentagon was tipped off in 2011 by a longtime Army contractor that Russian computer programmers were helping to write computer software for sensitive U.S. military communications systems, setting in motion a four-year federal investigation that ended this week with a multimillion-dollar fine against two firms involved in the work.

The contractor, John C. Kingsley, said in court documents filed in the case that he discovered the Russians’ role after he was appointed to run one of the firms in 2010. He said the software they wrote had made it possible for the Pentagon’s communications systems to be infected with viruses.

The DISA official confirmed that the practice of outsourcing the work to employees in Russia violated both the company’s contract and federal regulations that mandate only U.S. citizens with approved security clearances work on classified systems, Kingsley’s complaint said.

On Monday, NetCracker and the much larger Virginia-based Computer Sciences Corporation—which had subcontracted the work—agreed to pay a combined $12.75 million in civil penalties to close a four-year-long Justice Department investigation into the security breach. They each denied Kingsley’s accusations in settlement documents filed with the court.

The sad news is there is no mention of either NetCracker or Computer Sciences Corporation being banned from government contracts in general or defense contracts in particular.

If you were a CIO and discovered that a contractor had violated primary security requirements for a contract, or had failed to discover that a sub-contractor had violated such requirements, how eager would you be to sign up with either one again?

One of the fundamental problems with government IT security is the lack of any meaningful penalty for failing to provide IT security.

Unless and until the government holds its own staff, contractors and sub-contractors accountable in some meaningful way, such as severance (w/o benefits), forfeiture of current contracts plus civil/criminal liability, government IT security will continue to be a sieve.

November 4, 2015

The Disappearance of Privacy in the UK

Filed under: Government,Privacy,Security — Patrick Durusau @ 2:00 pm

Investigatory Powers Bill: what’s in it, and what does it mean? by Matt Burgess.

From the post:

Internet service providers will have to store the details of every website people visited for 12 months if the new draft Investigatory Powers Bill is passed, the government has confirmed.

The measure was announced by Home Secretary Theresa May in the House of Commons and is included in a raft of new powers intended to reform the way MI5, MI6, GCHQ, and others use surveillance powers.

May said that “communication records up to 12 months” will have to be stored by internet and communications service providers.

This means the individual webpage — “just the front page of the websites,” in May’s words — will be kept. She distinguished between domains visited and “content” — including individual pages, searches and other information — which will not be stored.

In a lengthy statement to parliament, May reiterated that the powers were intended to allow security services to protect the public, and particularly children, against threats including terrorism, organised crime and sexual predators.

At least from the standpoint of protecting the public and children from organized crime and sexual predators, full monitoring of government offices would do more good than surveillance of the general public.

As far as terrorism, people in the UK, those old enough to remember less pleasant times in Northern Ireland, know that the modern “terrorism” is a fiction, wrapped in a lie and hidden behind national security interests.

The interests of the security agencies and their contractors are the only ones being served by concerns over “terrorism.”

The Investigatory Powers Bill, all 299 pages, is online.

Curious, is anyone working on a comparison of the Investigatory Powers Bill and the Patriot Act?

The full text of the Patriot Act (Public Law version).

I have read snippets of the Patriot Act but not in its entirety. It’s a difficult read because it amends some existing statutes, inserts entirely new content and creates new statutes as well.

A comparison of these two offenses against the citizens of the UK and the US, respectively, might prove to be useful in opposing them.

With the caveat that whatever new outrages against citizens are contained in the UK bill will be doubled down by the US against its own.

I first saw this in a tweet by Simon Brunning.

KeeFarce Cracks KeePass

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:40 am

Researcher releases Free Hacking Tool that Can Steal all Your Secrets from Password Manager by Swati Khandelwal.

Swati advises that Denis Andzakovic has written and released KeeFarce on GitHub.

From the GitHub page:

KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and URLs, are dumped into a CSV file in %AppData%

KeeFarce has been tested on:

  • KeePass 2.28, 2.29 and 2.30 – running on Windows 8.1 – both 32 and 64 bit.

This should also work on older Windows machines (win 7 with a recent service pack). If you’re targeting something other than the above, then testing in a lab environment before hand is recommended.

It has a cool logo:

KeeFarce

I don’t have an estimate for when the Office of Personnel Management (OPM) will upgrade to Windows 7, making it vulnerable to KeeFarce.

Until that happens, use older hacking techniques (circa late 1990’s/early 2000’s) when targeting the OPM.

Personally I would mirror their backups, when they run that is, rather than doing anything fancy. What’s suspicious about a backup? That way you have current data without all the media hysteria.

PS: In case you want to become vulnerable or want a suggestion to make someone else vulnerable: KeePass.
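
Why the cleartext can be lifted at all: while the database is unlocked, the decrypted entries are in the KeePass process’s memory, and since KeePass 2.x is a .NET application its strings sit there as UTF-16LE. The block below is an added illustration, not KeeFarce’s code or its method, and it does not touch a real process: it carves ASCII and UTF-16LE strings from a memory image constructed inline (every address, URL and credential is invented), then shows that a region the program has overwritten with zeros gives up nothing, which is the only defence once an attacker can read the process.

```python
import re

def build_image():
    """Constructed stand-in for a dump of an unlocked password manager's memory.
    Filler bytes surround a few UTF-16LE strings (what .NET keeps in memory)
    and one narrow ASCII string; every value here is invented for this example."""
    filler = bytes([0x8f, 0x13, 0x00, 0xa7, 0x00, 0x00]) * 40
    entry_url = "https://intranet.example.test/login".encode("utf-16-le")
    entry_user = "alice".encode("utf-16-le")
    entry_pass = "correct horse battery staple".encode("utf-16-le")
    window_title = b"KeePass Password Safe"
    return bytearray(filler + entry_url + filler + entry_user + filler
                     + entry_pass + filler + window_title + filler)

def carve_strings(image, min_len=6):
    """Return printable ASCII and UTF-16LE runs of at least min_len characters,
    the same thing `strings` and `strings -el` report on a real dump."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(image)]
    found += [m.group().decode("utf-16-le") for m in utf16_run.finditer(image)]
    return found

def wipe(image, secret):
    """Overwrite every UTF-16LE copy of `secret` with zeros, in place.
    A program has to do this itself the moment a secret is no longer needed
    (KeePass does it when the database is locked); carving finds nothing after."""
    needle = secret.encode("utf-16-le")
    start = image.find(needle)
    while start != -1:
        image[start:start + len(needle)] = bytes(len(needle))
        start = image.find(needle, start + len(needle))
    return image

if __name__ == "__main__":
    image = build_image()
    print("unlocked:", carve_strings(image))
    wipe(image, "correct horse battery staple")
    print("after wipe:", carve_strings(image))
```

The caveat the practitioner wants: zeroing only helps for copies the program controls. Managed runtimes copy and move strings during garbage collection, so a .NET `string` holding a password can leave stale copies the application never sees, which is why KeePass keeps entries in protected form until they are displayed and why the unlocked window is the window of exposure.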

November 3, 2015

Honesty in Response to Critical Vulnerability (What Was He Thinking?)

Filed under: Cybersecurity,Security — Patrick Durusau @ 4:33 pm

I’m sure you have read some variation on Critical Xen vulnerability went undiscovered for seven years by Mark Stockley over the past day or so.

Mark has a good summary of the issue, etc., but I want to highlight the response of Ian Jackson, who Mark quotes in his post:

Ian Jackson, a long-time open source veteran and a member of the Xen Project Security Team provides a response on the Xen Project blog.

He explains why he thinks some people have the impression that Xen is buggier than other similar products:

Unlike almost all corporations, and even most Free Software projects, the Xen Project properly discloses, via an advisory, every vulnerability discovered in supported configurations.

... For researchers developing new analysis techniques, Xen is a prime target. A significant proportion of the reports to security@xenproject are the result of applying new scanning techniques to our codebase. So our existing code is being audited, with a focus on the areas and techniques likely to discover the most troublesome bugs.

More interesting than that though is his honest appraisal of the state of computer security and what he sees as our collective attitude to it:

The general state of computer security in almost all systems is very poor. The reason for this is quite simple: we all put up with it. We, collectively, choose convenience and functionality: both when we decide which software to run for ourselves, and when we decide what contributions to make to the projects we care about. For almost all software there is much stronger pressure (from all sides) to add features, than to improve security.

Ultimately, of course, a Free Software project like Xen is what the whole community makes it. In the project as a whole we get a lot more submissions of new functionality than we get submissions aimed at improving the security.

In other words, if we want better computer security then it necessarily comes at the expense of something else (typically, something shiny.)

From a marketing/upgrade perspective, you know who wins in a struggle between features and security.

At least until consumers start voting with their feet in favor of security and not features. Liability for failures of security would help a lot to tip the balance in favor of security. Are there any common law judges listening?

One other bit of useful (if not encouraging) news from Mark’s post: The bug became apparent only when looking at logic flows and not code. Add another dimension to your analysis, logic flows.

November 2, 2015

Justice Department on iPhone Hacking: Call Chaouki Bekrar @Zerodium

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 5:01 pm

Somebody Just Claimed a $1 Million Bounty for Hacking the iPhone by Lorenzo Franceschi-Bicchierai.

From the post:

Apple devices are widely considered extremely secure and hard to hack. But as the internet adage says, everything can be hacked—even the new iPhone.

Over the weekend, somebody claimed the $1 million bounty set by the new startup Zerodium, according to its founder Chaouki Bekrar, a notorious merchant of unknown, or zero-day, vulnerabilities.

zerodium

The challenge consisted of finding a way to remotely jailbreak a new iPhone or iPad running the latest version of Apple’s mobile operating system iOS (in this case iOS 9.1 and 9.2b), allowing the attacker to install any app he or she wants with full privileges. The initial exploit, according to the terms of the challenge, had to come through Safari, Chrome, or a text or multimedia message.

This essentially meant that a participant needed to find a series, or a chain, of unknown zero-day bugs, not just one, according to Patrick Wardle, a researcher that works at security firm Synack. For example, the Chinese white hat hacking team Pangu already found a way to jailbreak the new iPhone, but that method didn’t work remotely.

The Justice Department should stop pestering Apple (Justice Department Press Gang News) and contact Chaouki Bekrar at Zerodium for an appropriate hack.

Magistrate Judge James Orenstein should find as a matter of fact (take judicial notice is the fancy way to say it) that the Justice Department has reasonable alternatives to forcing Apple into involuntary servitude to crack the iPhone in question.

The Justice Department would have to pay Zerodium for that service but better an honest commercial transaction than reviving slavery to benefit the government.

PS: Yes, I know the issue with Judge Orenstein involves an earlier version of iPhone software but the fact remains that the Justice Department hasn’t exhausted its remedies before applying to the court under All Writs. The government should have to show that the NSA, CIA, and commercial exploit vendors like Zerodium can’t help before turning to the All Writs Act.

PS: The Justice Department can follow @Zerodium on Twitter.

October 30, 2015

Apple Open Sources Cryptographic Libraries

Filed under: Cryptography,Cybersecurity,Security — Patrick Durusau @ 3:51 pm

Cryptographic Libraries

From the webpage:

The same libraries that secure iOS and OS X are available to third‑party developers to help them build advanced security features.

If you are requesting or implementing new features for a product, make cryptography a top priority.

Why?

The more strong cryptography that is already embedded in deployed software if and when the feds decide on a position on cryptography, the better.

Or put another way, the more secure your data, the harder for legislation to force you to make it less secure.

Word to the wise?

I first saw this in a tweet by Matthew J. Weaver.


Powered by WordPress