thewayne: (Default)
Wednesday night I got an email from a friend whom I used to work with. She'd gone to a doctor that afternoon and their office was in a kind of chaos: the office had been hit by at least two different kinds of ransomware attacks. She wanted to know if I could help.

That night I did some research on the particular attacks, found out they were variants of the same core, and that both got in by guessing weak Windows RDP (Remote Desktop Protocol) passwords. RDP is the remote-management service techs use to log in to a server's desktop. It should NEVER be exposed directly to the internet! There are other, more secure, ways to manage servers (a VPN in front of it, at minimum). If it must be reachable from outside, then it needs a VERY strong, i.e. LONG and complicated, password, plus account lockout so that password guessing can't just run forever.

Obviously it did not.

A friend of the doctor's is their main IT guy, but he's not local, and he's decent but not top drawer. This problem apparently was discovered before Wednesday, and their guy (let's call him Bob) was building a new server for them with the latest versions of Windows Server and SQL Server. The software that their clinic uses is mainly based on SQL Server, and here's the really sucky part: the old box was running Windows Server 2008 R2 and SQL Server 2008, plugged straight into a vendor-provided consumer router on the internet. No hardware firewall.

*facepalm*

I didn't bother checking to see the patch level on their Windows Server 2008, it was kind of pointless. I did note that their SQL Server 2008 was well below the final patches that were released for it, not that it mattered as all of its databases had been encrypted.

The new router, though consumer grade, is fully patched. The new server is fully patched. A new Cisco firewall is on order. That's the best that we can do right now.

I was there Thursday from 11am to 8pm, then worked at home from 10pm to midnight copying, compressing (7zip), and uploading a big analytics file to a forensics company that sent us a utility to try and figure out what happened. Friday I only put in five hours, finishing up an inventory of all of the computers (which they didn't have) to figure out what should be tossed and what could be upgraded to get them all up to Windows 10 Pro, and writing up some reports.

One woman complained to us that her computer was really slow. And it was. It was absolutely horribly slow! I was afraid that it had something nasty running under the covers, then I opened up Control Panel and did some poking around and found that it was a Pentium 4 with 2 gig of memory running Windows 10. The Performance Index, Satisfaction Index, whatever index, was 1.0. So we ordered her a new computer.

I always had a three-step plan when it came to buying computers to make them last longer and save money. When a new OS came out and the original started slowing down: add memory. That usually sped things up. Next OS comes out: install a better video card. Next OS comes out: buy a new computer. All of their computers are running at least 4 gig of memory, odds are they're all running a motherboard-based video card. I'm hoping we might be able to do memory upgrades and install some video cards and upgrade some of these for about $100-150 instead of tossing them. We shall see. I'll do some more inventory work next week now that we have a better idea as to what's out there.

This weekend I'm writing up a report more detailed than the single-page invoice that just had bullet points as to what I did. I'm also burning a DVD with bootable malware/virus inspection software that'll look deeper into the OS than something like Symantec can do, and since you're booting from read-only media, it'll look for bootkits that are otherwise invisible. I'll get to inspect all of the workstations! That'll make everyone oh so very happy to have their computer denied to them for however long it takes.

The tragic thing is that their backups weren't running properly because they had a terrible internet connection that couldn't handle the transfer. The software did a nightly backup to their vendor, but it had been failing. And they weren't doing anything locally, so they didn't really have a fall-back point to recover from. Their practice software vendor was able to restore from an earlier backup, but I don't know how successful that was in terms of how old it was and whether there was any corruption in it. I'll be finding that out Monday. This gets their patient information back, which is critical. And their insurance information is also processed online, so that should be safe. But anything stored locally may be lost.

And the horrible thing about that is the way the database is configured! I'm a database guy, I've been working with SQL Server for 25 years, since the first Microsoft version came out running on LAN Manager/OS/2. And the vendor has a VERY bad configuration. And I won't improve it unless they say it's OK. We're going to set up local backups, and I've stressed to the office manager the importance of rotating backup media and having a fire-proof safe in-house for storing said media. So eventually they'll be in a much better place.

The big question is whether or not they have to notify all their patients. I don't think this represents a HIPAA information spill. These ransomware encryptions are fully automated attacks by bots, I've never heard of data being exfiltrated and used for further extortion, that's a much more targeted attack. I'm going to have to tell the doctor who owns the practice to talk to his attorney and discuss this point because that's far outside of my ability to give him a recommendation.
thewayne: (Default)
Whenever you use your cell phone, or a land line, your call is routed through switches that talk to each other using something called SS7 (Signalling System No. 7). It's an industry standard used literally around the world. And it is insecure by design. SS7 dates from the late 1970s, when the phone network was a closed club of a handful of trusted carriers, so authenticating who sent a signalling message, and whether they were entitled to ask, was never baked in from the beginning. Now that access to that network is far easier to get than it used to be, we're really paying the price.

You can now buy access to the SS7 network for about $1000, enough to redirect a subscriber's calls and text messages. Bank accounts have been looted in Germany this way: malware and keyloggers on the victim's PC first sucked up the online-banking credentials, then SS7 was used to intercept the SMS verification code the bank sent to the "account holder", so the transfers went through, and tracking the criminals afterwards is very difficult.

I use PayPal in such a mode, tied directly to my checking account.  Perhaps I should see if I can point it at my savings account, and when I go to buy something from Humble Bundle or whatever, transfer funds to that account, make the transaction, and ignore it.

THERE. IS. NO. EASY. SOLUTION. TO. THIS. The best fix is the hardware token, the keyfob with the LCD that shows a fresh code every 30 to 60 seconds (computed from a secret inside the fob plus the clock, so there is nothing in the phone network to intercept), but those are expensive to deploy and, if you lose the fob, a PITB to replace and re-integrate into your account. And they aren't 100% impervious to hacking, but they're damn difficult.

I use my bank via web browsing.  I access it via my phone through a fingerprint scan, likewise my main credit card, which also pops up an alert on my phone whenever a charge hits.  I have no idea how secure that fingerprint technology is for that purpose.  It is somewhat secure in that a fingerprint won't unlock my phone: for that, you'll need a code that isn't just a four digit number.

https://www.schneier.com/blog/archives/2017/05/criminals_are_n.html
thewayne: (Cyranose)
There are various ways of stopping malware. Antivirus works either by matching a program against a database of known signatures or by watching for suspicious behavior. The problem with signature matching is that it's very easy for malware to change its own bytes so that it no longer hits anything in the protection program's database. Malware that does this is called polymorphic (self-changing); a common trick is to encrypt the real payload and ship it with a small decryption stub that's different every time.

The worst is ransomware. This is malware THAT ENCRYPTS YOUR FILES: documents, photos, databases, anything on the machine or on any drive it can reach. Once they're encrypted, a message pops up saying you have to pay X bitcoins to get the decryption key, and it will frequently have a deadline: if you don't pay by the date, the key is deleted and your files are forever lost.

Some ransomware is written poorly, and for some families the encryption has been broken. Some security researchers run web sites where you can upload an encrypted file (or the ransom note) and they'll identify the family and, if a decryptor exists, point you to it. But you can't count on that.

Backups are a form of protection, but some ransomware versions have sat silently, waited for a backup drive to be connected, and encrypted it first. So your main recovery method might already have been compromised. A backup you want to survive ransomware has to be offline, or otherwise unreachable from the infected machine, when the malware runs.

In other words, ransomware is a bitch.

But some security researchers have come up with a very interesting approach to fighting it. They don't try to match a signature because that's a losing game. What they do is watch file system activity. If they see files being encrypted, the program identifies the activity and stops the process cold. So you may lose a handful of files, but you won't lose everything.

Here's what I just saw on Slashdot:

Researchers Develop A Way To Stop Ransomware By Watching The Filesystem (phys.org)
Posted by BeauHD on Friday July 08, 2016 @06:50PM from the always-watching dept.

An anonymous reader quotes a report from Phys.Org:
Ransomware -- what hackers use to encrypt your computer files and demand money in exchange for freeing those contents -- is an exploding global problem with few solutions, but a team of University of Florida researchers says it has developed a way to stop it dead in its tracks. The answer, they say, lies not in keeping it out of a computer but rather in confronting it once it's there and, counterintuitively, actually letting it lock up a few files before clamping down on it. "Our system is more of an early-warning system. It doesn't prevent the ransomware from starting [...] it prevents the ransomware from completing its task [...] so you lose only a couple of pictures or a couple of documents rather than everything that's on your hard drive, and it relieves you of the burden of having to pay the ransom," said Nolen Scaife, a UF doctoral student and founding member of UF's Florida Institute for Cybersecurity Research. Scaife is part of the team that has come up with the ransomware solution, which it calls CryptoDrop.

"Antivirus software is successful at stopping them when it recognizes ransomware malware, but therein lies the problem," reports Phys.Org. "'These attacks are tailored and unique every time they get installed on someone's system,' Scaife said. 'Antivirus is really good at stopping things it's seen before [...] That's where our solution is better than traditional anti-viruses. If something that's benign starts to behave maliciously, then what we can do is take action against that based on what we see is happening to your data. So we can stop, for example, all of your pictures from being encrypted.' The results, they said, were impressive. 'We ran our detector against several hundred ransomware samples that were live,' Scaife said, 'and in those cases it detected 100 percent of those malware samples and it did so after only a median of 10 files were encrypted.'" The University of Florida uploaded a video briefly explaining its software.


Let's look at that second to last line again: it detected 100 percent of malware samples and did so after a median of 10 files were encrypted. A median of 10 means half the samples got through ten or fewer files before being stopped and the other half got through more, so you are guaranteed to lose some files. And you may or may not have other copies of those files.

Still, QUITE impressive. It's not a released product and will need the security community at large to pound it and try to break it, but still, pretty cool.
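To make the "watch the filesystem" idea concrete, here is a toy version of it in Python. This is an added example, not the UF team's code and not from the original post (CryptoDrop also looks at file-type changes and similarity hashes, which this doesn't reproduce). It scores each write by whether a low-entropy document just turned into near-random bytes, keeps a per-process tally, and "kills" the writer once a few files have gone that way, so, like the real thing, it lets a handful of files get hit before it acts. The sample clinic note, the process IDs and the stand-in cipher are all constructed for the demo.

```python
import hashlib
import math
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.5      # bits per byte; compressed or encrypted data sits near 8.0
LOW_ENTROPY = 6.0       # typical for text, office documents, source code
MAX_SUSPECT_FILES = 3   # stop the writer after this many suspicious rewrites


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0 for uniform content, 8 for truly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_encryption(old: bytes, new: bytes) -> bool:
    """A legitimate edit keeps roughly the same entropy; ransomware replaces
    structured content with bytes that look random."""
    return shannon_entropy(old) < LOW_ENTROPY and shannon_entropy(new) > HIGH_ENTROPY


class WriteMonitor:
    """Sits on the write path (in real life: a filesystem filter driver) and
    tallies suspicious rewrites per process."""

    def __init__(self, max_suspect: int = MAX_SUSPECT_FILES):
        self.max_suspect = max_suspect
        self.suspect_files = defaultdict(set)   # pid -> set of paths
        self.killed = set()

    def on_write(self, pid: int, path: str, old: bytes, new: bytes) -> str:
        """Return 'allow', 'suspicious' or 'kill' for this write."""
        if pid in self.killed:
            return "kill"
        if not looks_like_encryption(old, new):
            return "allow"
        self.suspect_files[pid].add(path)
        if len(self.suspect_files[pid]) >= self.max_suspect:
            self.killed.add(pid)
            return "kill"
        return "suspicious"


def fake_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for the ransomware's cipher: XOR with a SHA-256 counter
    keystream. Deterministic so the demo is reproducible; only the output
    statistics matter here, this is not a real cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def simulate() -> dict:
    """Constructed scenario: a user (pid 100) appends to a note, then
    ransomware (pid 666) rewrites four notes. Returns the verdict per write."""
    doc = b"Patient: J. Doe\nDOB: 1970-01-01\nVisit notes: follow-up in 6 weeks.\n" * 40
    monitor = WriteMonitor()
    verdicts = {}
    verdicts["edit"] = monitor.on_write(100, "notes1.txt", doc, doc + b"Rx renewed.\n")
    for i in range(4):
        verdicts[f"enc{i}"] = monitor.on_write(666, f"notes{i}.txt", doc,
                                               fake_encrypt(doc, b"demo-key"))
    return verdicts


if __name__ == "__main__":
    for event, verdict in simulate().items():
        print(f"{event}: {verdict}")
```

Two files get encrypted before the third write trips the threshold, which is exactly the trade-off the researchers describe: you lose a couple of documents, not the disk. Real ransomware also renames files and drops ransom notes, which are further signals a production tool would add.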

Personally, if I were relying on Windows computers and concerned about this, I think I'd install Deep Freeze. It's a program we used at a university that creates a frozen copy of your operating system. You install the OS, update it, install the programs that you need, update them, then you freeze it: every reboot throws away whatever changed on the frozen partition. In order to update the OS or the programs, you have to thaw the system, do the updates, then freeze it again. It's not perfect, but it's darn good. It's VERY hard for a virus to get a permanent foothold on a system protected by Deep Freeze. Not impossible, but VERY difficult. Your user data files (word processing documents, spreadsheets, photos, music, etc.) are stored in a separate, thawed area of the drive because they change regularly, and that's the caveat: Deep Freeze keeps the OS clean, it does nothing to stop your documents from being encrypted, so you still need backups for those.

In Linux and some other systems you can install a program such as Tripwire that records a cryptographic checksum of every system file and periodically rechecks them. If a binary or configuration file changes when no update was run, that's a strong sign the system has been tampered with, and you can halt everything until it's cleaned up. It won't catch the infection as it happens, but it will catch what the infection left behind.

But a lot of virus makers these days are pretty darn brilliant and tricky. The best thing you can do is to keep your computer updated, only install programs from trusted sources and web sites, and NEVER open attachments that you were not expecting or specifically requested. That means when your Aunt Ethel sends you that cute kitty video that you don't open it. It just ain't worth it.
thewayne: (Cyranose)
Twice in one year. Every store, over a quarter million cards compromised.

The thieves got in through a Citrix portal used by employees on the road.

"The attackers somehow had login credentials of a district manager," Curlovic said. "This guy was not exactly security savvy. When we got his laptop back in, we saw that it had his username and password taped to the front of it."

ETA: why did a district manager have wide access to the company network? Managers should have access to financial databases. Even IT people should have controls to prevent a single password compromise from betraying the whole network. When I was at the police department in the '90s, we had two computers: one was used for administrative work and had no email or internet access, the other was our normal working computer. (there were no virtual machines back then) If I ever become a manager, I'm going to implement the same thing: your admin work will be done through a VM and won't have email access.

I think this manager who had his username and password taped to the front of the computer is fully deserving of a major demotion or outright firing. That is one of the most boneheaded moves that I've ever heard of.

http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/
thewayne: (Cyranose)
A couple of months ago I posted that security researchers had found a valid exploit to alter the microcontrollers on USB devices, making an attack vector that's almost impossible to detect or fix.

It's now in the wild, and criminals are experimenting to see what they can do with it.

A microcontroller is a sort of super-small computer, and the vulnerability is the discovery that the one inside a USB device can be reprogrammed, because most of them don't check the firmware they're handed. It's almost impossible to detect from the host because of the layers between a program and the hardware: programs run so far above it that some things just aren't visible. In the early days of MS-DOS, programs ran pretty much directly on top of the hardware, which had its pluses and minuses, but when Microsoft started abstracting the operating system from the hardware to make it easier to run on varying hardware, programs talked to the operating system, which talked to device drivers, which talked to the hardware. That abstraction is really good from a system administrator's standpoint, but it means nothing above the driver can tell whether the "keyboard" that just showed up is really a thumb drive with rewritten firmware.

Here's the most insidious part: a lot of the really nasty malware out there these days belongs to Command & Control (C&C) networks and can change. The guy who controls the botnet can tell it 'Go update yourself' and push a new module that makes the malware reflash any USB device plugged into the infected PC. And since the malicious firmware lives in the device rather than on the host, a stick that presents itself as a keyboard will type its payload into whatever it's plugged into next, regardless of whether that machine runs Windows, OS X or Linux.

It might be unpatchable, period. It might be that one manufacturer's controllers can't be fixed while another's can, or that one particular series can or can't be. It's not terribly easy to find out who made the controller on your USB device, much less fix it. One source said it could take a decade to resolve this.

Oh, and credit card readers? Those are USB devices usually.

http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

http://hardware.slashdot.org/story/14/10/02/2154204/hacking-usb-firmware
thewayne: (Cyranose)
The Blackhat security conference is coming up very soon, and with it, advanced information about all sorts of wonderful problems. In this case, two new ways to compromise smartphones.

First up, a report on a tool that's built into all smartphones: Androids, Blackberrys, and iPhones sold by Sprint. They haven't tested Windows phones yet. It's a device-management client that lets the cell providers push firmware and configuration updates to the phone over the air, and its security implementation isn't very good.

Granted, this is a team of advanced security researchers, but they were able to get in and totally pwn the phones they were working with. They've notified the maker of the management tool and the cell companies, so a fix should be distributed over the next few months that will make this more secure. Also, there's no evidence of this being exploited in the wild.

http://www.wired.com/2014/07/hackers-can-control-your-phone-using-a-tool-thats-already-built-into-it/


Next up: an iPhone, if connected to a compromised Windows PC, can potentially be turned into a botnet node! This is interesting because the common assumption is that Apple keeps its iPhones pretty tightly locked down, which is broadly true, but here the malware rides in over the connection to a PC the phone already trusts rather than attacking the phone directly, and Apple is also kinda slow pushing updates. I assume the exploit would also be effective against iPads with cellular radios built in.

http://www.wired.com/2014/08/yes-hackers-could-build-an-iphone-botnetthanks-to-windows/
thewayne: (Cyranose)
Obviously computer viruses have matured in their attacks over the last 30-some years. It used to be that a file could be compared against a database of signatures to decide whether it would be allowed or not, but that's not enough these days. The bad-guy malware markets now run automated test services: you upload your malware, they bounce it against every anti-virus product out there, and if it hits any of them, the code gets re-packed and re-encrypted until nothing detects it. Once your malware passes this test, it is uploaded back to your distribution server and you receive a text message saying that it's good to go out and play.

This works for a limited amount of time. As soon as someone knows they've been compromised, they can isolate the software and send it off to the A/V people for analysis and a signature update. Still, it might give the bad guys a day or so to run amok and possibly grab some valuable information before the A/V software is updated, at which point the malware gets re-processed and the cycle continues.

So basically the truism continues: The price of computer security is eternal vigilance. Anti-virus software is a good first-line defense, it will trap old malware and even newer malware where the obfuscator/encryptor didn't do a very good job. You just have to remain vigilant about opening attachments and careful about running software from untrusted sites. Regardless, you're still potentially vulnerable to zero-day exploits, not to mention the total lack of control over your information that's being held by other people.

It's an ugly world out there, you gotta stay on your toes, and you might still get compromised. I personally fell for a social engineering attack last week: got an email that Yahoo was doing an upgrade and you needed to change your password. I still mentally smack myself upside the head: I didn't look at the freakin' URL on the update page, and I kid you not, it was Bob's Plumbing. I can't believe I did that. I immediately changed it again to a different pattern than the one that I use for everything else. So even experienced people occasionally have bouts of the stupid.

http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
thewayne: (Cyranose)
Yesterday Microsoft announced a zero-day exploit in the wild that was being actively used against people running IE versions 6 through 11. There is no true fix yet, but there are a couple of things that can be done to help. First, the recommendation from the US and UK governments is to stop using IE; there are plenty of other good browsers: Firefox, Chrome, Epic, Opera, etc. Second, update your Flash player, since the attacks seen so far use a Flash file as part of the exploit chain. If you must use IE, and you're running versions 10 or 11, there are a couple of things that you can do to protect yourself.

Krebs warning on the IE exploit: http://krebsonsecurity.com/2014/04/microsoft-warns-of-attacks-on-ie-zero-day/

Krebs writeup on updating Flash: http://krebsonsecurity.com/2014/04/adobe-update-nixes-flash-player-zero-day/
thewayne: (Cyranose)
Initially it was suspected that Heartbleed was only an attack on servers; it turns out that this is not the case. Heartbleed is a bug in a library called OpenSSL, which is used by both servers and clients. If a client program (a browser, a mail app, a web service that fetches other people's URLs) links a vulnerable OpenSSL and connects to a server the ne'er-do-wells control, that server can run the same heartbeat trick in reverse and read the client's memory. So personal computers, tablets, smartphones, etc. are exposed too.

As an example, Facebook and Yahoo Mail fetch any URL you paste in order to build a preview to attach to your message. Their fetcher is acting as a TLS client, so if you control the remote URL being looked up, you can serve it a malicious heartbeat and leverage an attack against their servers.

http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed


Meanwhile, a Canadian teen has been arrested by the RCMP for exploiting Heartbleed against the Canada Revenue Agency. As a result of his attack, the Canadians stopped accepting online tax return submissions and extended the filing deadline.

http://news.slashdot.org/story/14/04/17/1414219/rcmp-arrest-canadian-teen-for-heartbleed-exploit

The shutdown of online returns: http://news.slashdot.org/story/14/04/10/1253227/canada-halts-online-tax-returns-in-wake-of-heartbleed


And it appears that the NSA has known about the exploit and been using it for their own ends.
thewayne: (Cyranose)
Here's an excellent XKCD comic showing how it works. The basic bug is an unchecked length field: the requester (hacker) sends a heartbeat message that says "echo this payload back to me, it's 64KB long" while actually sending only a byte or two, and the server obligingly copies up to 64KB starting from wherever that tiny payload sits in its memory. What comes back is whatever happened to be nearby in the server's memory, which can include quite valuable data, including crypto keys, and that's why all of the certificate authorities are slammed and scrambling like mad to re-issue encryption certificates.

I'll write more about this later after I've had time to research it better. The one thing is that this seems to be a server problem, I don't know how this affects personal computers. I do know that the observatory that my wife works at had at least three vulnerable servers. People are saying "Change all your passwords NOW!", but I'm not sure if that's the way to go. If you change your passwords now, and the server has not yet been updated, it's still vulnerable. I think it would be better to wait until a given web site says 'change your password' as that should be a solid sign that they've taken steps to remediate their servers.
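To see the bug rather than the comic, here is a simulation in Python, added here as an example (not OpenSSL's code, and not from the original post). It builds a TLS heartbeat message in the RFC 6520 layout (1-byte type, 2-byte length, payload, 16 bytes of padding), then processes it two ways: the pre-patch logic, which trusts the claimed length and copies that many bytes starting at the payload, and the patched logic, which drops the message when the claimed length doesn't fit inside the record actually received. The "heap" is a constructed byte string in which the record happens to sit next to a fake cookie and key fragment, standing in for whatever a real server had lying around.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16   # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Heartbeat message: type, 16-bit payload length, payload, padding.
    `claimed_length` lets us lie about the payload size the way the exploit did;
    the 16-bit field is why the over-read tops out at 64KB per request."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack(">BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def vulnerable_respond(heap: bytes, rec_off: int, rec_len: int) -> bytes:
    """Pre-patch behaviour: believe the attacker's length and copy that many
    bytes from the payload pointer, running past the end of the record."""
    _hb_type, length = struct.unpack_from(">BH", heap, rec_off)
    payload_start = rec_off + 3
    echoed = heap[payload_start:payload_start + length]   # the over-read
    return struct.pack(">BH", HB_RESPONSE, length) + echoed + b"\x00" * PADDING


def fixed_respond(heap: bytes, rec_off: int, rec_len: int) -> Optional[bytes]:
    """Post-patch behaviour: bounds-check the claimed length against the
    record length before touching the payload; silently drop on mismatch."""
    if rec_len < 1 + 2 + PADDING:
        return None
    _hb_type, length = struct.unpack_from(">BH", heap, rec_off)
    if 1 + 2 + length + PADDING > rec_len:
        return None
    payload_start = rec_off + 3
    echoed = heap[payload_start:payload_start + length]
    return struct.pack(">BH", HB_RESPONSE, length) + echoed + b"\x00" * PADDING


def demo(claimed_length: int = 200):
    """Constructed memory layout: the heartbeat record followed by data the
    process happened to hold next to it. Returns (leaked reply, patched reply)."""
    record = build_heartbeat(b"hello", claimed_length=claimed_length)
    neighbour = b"Cookie: session=abc123; ...-----BEGIN RSA PRIVATE KEY-----..."
    heap = record + neighbour + b"\x00" * 300
    leaked = vulnerable_respond(heap, 0, len(record))
    safe = fixed_respond(heap, 0, len(record))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable server echoed:", leaked[3:3 + 200])
    print("patched server replied:", safe)
```

Note what the fix is: one comparison. The whole CA re-issuance scramble came from a missing bounds check on a length the other side supplied.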

thewayne: (Cyranose)
Big merchants like Target have to get an annual audit (the PCI DSS assessment) certifying that their IT systems are secure for processing credit cards. The level of audit varies, depending on whether or not they store credit card info internally. For example, Amazon stores your credit card, so they have a (theoretically) more stringent audit.

Small merchants, like a mom & pop coffee house, don't normally get audited; they just fill out a self-assessment questionnaire for Visa/Mastercard.

The problem is, every merchant that has been hacked has passed the audits. In one case, they were being hacked WHILE BEING AUDITED. And it wasn't noticed.

The issue is that the auditors are not doing a really comprehensive job. They look for some things and miss others, like the merchant who was storing unencrypted credit card info for five years.

And aside from auditors not looking thoroughly or doing actual penetration tests, any configuration change or network change, or replacing the firewall or router on an otherwise compliant and safe network, can introduce a host of vulnerabilities. Compliance is a snapshot on the day of the audit, not a property of the network.

IT security is a moving target, and there is no easy solution. Visa/MC forcing merchants and vendors to replace their equipment with chip (EMV) card systems by October 2015, after which liability for fraud on a swiped card shifts to whoever hasn't upgraded, is a step in the right direction, but it's going to be expensive, and the transition will bring in a host of vulnerabilities all its own.

http://www.wired.com/threatlevel/2014/03/trustwave-target-audit/
thewayne: (Cyranose)
Turns out Target was using a network management system from BMC Software (a major player in that space) to keep an eye on their infrastructure, and said software came with a default admin account and password, which was very helpful to the attackers.

And it is now believed that the initial entry came through a SQL injection attack, an attack vector that's been known for well over a decade and is entirely defensible: use parameterized queries so that user input is never spliced into SQL as text.
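Since SQL injection keeps showing up in breach write-ups, here is the vulnerable pattern next to the fix, as an added Python example (not from the Krebs article or the original post; the Target investigation published no code or schema). The table, accounts and passwords are constructed for the demo, and the passwords are stored in plaintext only to keep the example short; a real system stores salted hashes. The vulnerable login builds its query by string formatting, so a username of `admin' --` turns the rest of the WHERE clause into a comment; the safe version hands the values to the driver separately, so the same input is just a weird username that matches nobody.

```python
import sqlite3
from typing import Optional, Tuple


def setup() -> sqlite3.Connection:
    """Constructed demo database: two accounts, one of them admin."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.execute(
        "INSERT INTO users VALUES ('admin', 'c0rrect-h0rse', 'admin'), "
        "('bob', 'hunter2', 'user')"
    )
    return con


def login_vulnerable(con: sqlite3.Connection, username: str,
                     password: str) -> Optional[Tuple[str, str]]:
    """Builds the SQL by string interpolation: attacker-controlled text
    becomes part of the query. Kept deliberately broken to show the bug."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return con.execute(query).fetchone()


def login_safe(con: sqlite3.Connection, username: str,
               password: str) -> Optional[Tuple[str, str]]:
    """Parameterized query: the SQL text is fixed and the driver binds the
    values, so quotes and comment markers in the input are data, not syntax."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    con = setup()
    attack = "admin' --"
    print("vulnerable:", login_vulnerable(con, attack, "whatever"))
    print("safe:      ", login_safe(con, attack, "whatever"))
```

The same two-line difference applies in every language and database; the only rule is that query text never contains anything the user typed.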

Interestingly, the article also gives a little more info on the Albert Gonzalez hack, he's the one who stole 160 million cards from TJ Maxx et al. Gonzalez and an associate would travel to stores, identify the make and model of the point of sale terminals, then report it back to his hacker crew who would customize the hack software for that type of POS.

Barnes & Noble took their POS terminals off the counter when they were hacked, but they specifically were targeted through their PIN pads being swapped for tampered counterfeits. Now you have to hand your card to the clerk. The problem is that if the register itself is compromised, as Target's were by RAM-scraping malware, it doesn't matter where the terminal is located or who swipes your card: your card has been swiped.

And the FBI just said that it's going to be a growth industry and there's little that can be done to stop it at this time.

Time to start writing checks, where you're vulnerable to compromise at the upstream check processing clearing house (my checking account was compromised this way) or stopping at an ATM before shopping and paying with cash.

http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
thewayne: (Cyranose)
Both from Bruce Schneier.

The paper shows that you can recover a 4096-bit GnuPG RSA key by acoustic monitoring of the computer while it's doing a decryption (listening to the noise the machine's power circuitry makes as the CPU works). It also describes measuring the electrical potential of the computer chassis as a low-bandwidth side channel. Strange stuff.

https://www.schneier.com/blog/archives/2013/12/acoustic_crypta.html


The other day a Harvard student emailed in multiple bomb threats to avoid taking a final exam. Idiot. He was mildly clever in that he used an anonymous email account and Tor; his epic fail was that he used Tor from within the Harvard campus network, so the university could easily list who was connected to Tor, from where, at the time the messages were sent, and it wasn't difficult to nab him.

If he had used Tor from coffee shops off-campus, they would have had a much tougher time tracking him down.

Schneier has a great comment: "This is one of the problems of using a rare security tool. The very thing that gives you plausible deniability also makes you the most likely suspect. The FBI didn't have to break Tor; they just used conventional police mechanisms to get Kim to confess."

I think this might adversely affect his academic standing.

https://www.schneier.com/blog/archives/2013/12/tor_user_identi.html
thewayne: (Cyranose)
A security exploit was explained and demonstrated at the DefCon conference in 2008, and this year a security research firm found it operating in the wild.

The vulnerability involves something called BGP, Border Gateway Protocol. If you're an internet backbone provider, you mainly move packets between networks, not within networks. Each network announces to its neighbours the address blocks (prefixes) it can reach, those neighbours pass the announcements along with their own path tacked on, and every router forwards a packet along the most specific route it has heard for the destination. Nothing in the protocol checks whether the network making an announcement actually owns the prefix it's announcing.

The way the hack works is that the attacker announces prefixes it doesn't own, typically a more specific slice of the victim's block, so that routers prefer its route and packets destined for those networks go to the hackers instead. The accidental version of this has happened before: someone screws up a BGP announcement, it propagates, and all of a sudden some servers go dark. The famous case was in 2008, when Pakistan tried to filter YouTube so that certain videos were not viewable within Pakistan; the announcement leaked to the rest of the world and sucked all requests for YouTube into a black hole for a couple of hours until it was fixed.

Through some clever engineering, these hackers have done a two-part hack. They propagate the poisoned announcement to select backbone providers, so the traffic gets diverted to the crooks, while making sure their own path back to the real destination is not poisoned, so the traffic eventually gets where it was supposed to go in the first place. The only way you'd notice is if you did a traceroute or had some sort of real-time session going: with the traceroute you'd see traffic that should have gone from, say, Los Angeles to New York wandering all over Europe before coming back to North America. A person in a real-time activity would notice a delay but, unless they did a traceroute, might think it was just a normal internet slowdown. Web sites might be a little slow responding, and if you were sending email you wouldn't notice a thing, since delivery is never instantaneous anyway.

But while the packets are in the hands of the middleman, they can be copied and altered. Any non-encrypted traffic is open to their eyes: email attachments, spreadsheets, PowerPoint presentations of corporate strategies, banking information, VoIP traffic, etc.

Lovely, eh? The article goes on to describe how organizations can monitor for this, but the easiest step is quite simple: encrypt ALL internet traffic.
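Here is the mechanism in miniature, as an added Python example (not from the Wired article or the original post). A toy route table does what real routers do, longest-prefix match, and a legitimate /24 loses to a hijacker's more specific /25 the moment it's announced. The second function is the kind of monitoring the article alludes to: compare each route's origin AS against who is registered as holding the covering prefix, which is the idea behind RPKI route-origin validation. The prefix is the 203.0.113.0/24 documentation range and the AS numbers are from the documentation block, so nothing here refers to a real network.

```python
import ipaddress


class RouteTable:
    """Toy BGP table: prefix -> (origin AS, AS path). Forwarding picks the
    most specific matching prefix, which is exactly what a hijacker exploits."""

    def __init__(self):
        self.routes = {}

    def announce(self, prefix: str, as_path):
        """Install a route; the last AS in the path is the claimed originator."""
        self.routes[ipaddress.ip_network(prefix)] = (as_path[-1], tuple(as_path))

    def lookup(self, address: str):
        ip = ipaddress.ip_address(address)
        matches = [(net, r) for net, r in self.routes.items() if ip in net]
        if not matches:
            return None
        net, (origin, path) = max(matches, key=lambda m: m[0].prefixlen)
        return {"prefix": str(net), "origin_as": origin, "path": path}


def check_origins(table: RouteTable, registered: dict) -> list:
    """Flag routes whose origin AS isn't the registered holder of a covering
    prefix (a simplified stand-in for an RPKI ROA check)."""
    alarms = []
    for net, (origin, _path) in table.routes.items():
        for holder_prefix, holder_as in registered.items():
            if net.subnet_of(ipaddress.ip_network(holder_prefix)) and origin != holder_as:
                alarms.append({"prefix": str(net), "origin_as": origin,
                               "expected": holder_as})
    return alarms


def scenario():
    """Constructed: AS64496 legitimately originates 203.0.113.0/24 via transit
    AS64497. Hijacker AS64499 announces the more specific 203.0.113.0/25 via
    AS64498. Returns (route before, route after, origin-check alarms)."""
    table = RouteTable()
    table.announce("203.0.113.0/24", [64497, 64496])   # legitimate
    before = table.lookup("203.0.113.10")
    table.announce("203.0.113.0/25", [64498, 64499])   # hijack: more specific wins
    after = table.lookup("203.0.113.10")
    alarms = check_origins(table, {"203.0.113.0/24": 64496})
    return before, after, alarms


if __name__ == "__main__":
    before, after, alarms = scenario()
    print("before:", before)
    print("after: ", after)
    print("alarms:", alarms)
```

The attacker's own router still holds the legitimate /24, so once it has copied the packets it forwards them on and the victim sees only the detour. Watching for your prefixes appearing with someone else's origin AS, via a route collector or a monitoring service, is how you catch it before the traceroute does.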

http://www.wired.com/threatlevel/2013/12/bgp-hijacking-belarus-iceland/
thewayne: (Cyranose)
Bruce Schneier, as I've written many times before, is quite a practical expert on computer security. He's run an experiment recently where he bought a new computer from a big box store and configured it for no external connections: no internet, no WiFi, very carefully controlled transfers on and off it. And this article offers his opinions on how practical this is.

And that's the nut of the matter: it isn't really practical. We live in a connected society; the last time I worked on a computer in a work situation that wasn't networked was probably around 1985, and we started networking them not long after that. If you absolutely must have security, an air gap is the only way to go, but then you have to worry about the physical security of such a system and other spying techniques, such as recording your keystrokes from your smart phone sitting on the same desk, or an electronic technique whose name I can't remember that can read your monitor remotely.

Schneier also points out that the Iranian nuclear program that was compromised by Stuxnet was air-gapped, as were the American military computers that were compromised by a worm that was believed to be Chinese in origin.

http://www.wired.com/opinion/2013/10/149481/
thewayne: (Cyranose)
There's an annual contest held as part of a Canadian computer security conference called CanSecWest. They will publish a list of browsers and operating systems, and people will try to create exploits that will let them bypass the browser's security and get malware on to the host system. The browser is the latest version and the computer operating systems are fully-patched, so they are as secure as you and I can easily make our personal systems.

Every browser failed. Internet Explorer 9 and 10 on Windows 7 and 8, Safari on OS X, Chrome, Adobe Reader and Flash, Oracle Java, etc.

If you successfully break one, you get the computer and a cash reward. Which is a cool prize.

You also have to disclose the exact process that you used to break the browser to the software companies; you'll always see a flood of patches a couple of weeks after the conference ends.


While this does demonstrate vulnerabilities in your system, these are carefully-controlled zero-day hacks that may not be in general circulation. And they will be patched. The problem is that whenever a hole is patched, another hole will be found. Guaranteed. It's a never-ending game of whack-a-mole.


http://www.h-online.com/security/news/item/All-major-browsers-and-Java-fall-at-Pwn2Own-1818268.html

http://www.scmagazine.com.au/News/335750,chrome-firefox-ie-10-java-win-8-fall-at-pwn2own-hackfest.aspx

http://dvlabs.tippingpoint.com/blog/2013/01/17/pwn2own-2013
thewayne: (Default)
Interesting (LONG!) article by Mat Honan. You might remember his name as the reporter whose Twitter, Google, Amazon, and Apple accounts were hacked a couple of months ago and his MacBook Air was remotely erased and both his Air and iPhone were bricked, clobbering all of the photos of his 18-month-old daughter which he had not backed up.

Mat's accounts were hacked via social engineering because of multiple security failures, and I'm not going to get into how; if you're interested, just search for his name and 'hacked' and you'll probably find plenty of articles. He wrote at least two stories for Wired about the event. It all started with an underage vandal who was envious of Mat's three letter Twitter handle, @Mat, and he destroyed Mat's digital life for the lulz. Mat screwed up in two main ways. First, he used the same passwords for multiple critical services. Second, he had no backups of his Air; he was just begging for a failure wiping everything out. Fortunately, at very high cost, a data recovery company was able to recover the photos and videos of his daughter.

I'm certain he's going to be diligent about his backups in the future.


ANYWAY, this article argues that passwords are worthless for truly protecting you, and he has a number of valid points. A lot of exploits totally bypass password account security through keystroke logging, unencrypted man-in-the-middle attacks, or stealing poorly salted password hash files directly from servers and running them against rainbow tables. Just ask Sony, they were out on the order of $170+ million for their PlayStation network hack.
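The "poorly salted hash files against rainbow tables" failure is easy to show in code. What follows is an added Python example, not anything from Honan's article or from this blog: a stolen dump of fast, unsalted hashes falls to a precomputed table with one lookup per user, while per-user random salts plus a slow key-derivation function (PBKDF2 from the standard library) make the table worthless and force a fresh brute force per user. The user list, candidate passwords and work factor are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed data for the example: an attacker's candidate list and three users' passwords.
CANDIDATES = ["password", "123456", "letmein", "qwerty", "hunter2"]
USERS = {"alice": "hunter2", "bob": "correct horse battery staple", "carol": "letmein"}
PBKDF2_ROUNDS = 100_000   # assumed work factor for the example


def unsalted_hash(password: str) -> str:
    """What a poorly built site stores: one fast, unsalted hash per user."""
    return hashlib.sha1(password.encode()).hexdigest()


def precomputed_table(candidates) -> dict:
    """Built once, offline, reusable against every site: a stand-in for a rainbow table."""
    return {unsalted_hash(p): p for p in candidates}


def crack_with_table(stolen: dict, table: dict) -> dict:
    """Cracking an unsalted dump is a dictionary lookup per user."""
    return {user: table[h] for user, h in stolen.items() if h in table}


def salted_hash(password: str, salt: bytes) -> bytes:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_record(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


def demo_unsalted() -> dict:
    """The stolen file contains bare SHA-1 hashes: two of three users fall immediately."""
    stolen = {user: unsalted_hash(pw) for user, pw in USERS.items()}
    return crack_with_table(stolen, precomputed_table(CANDIDATES))


def demo_salted() -> dict:
    """The stolen file contains salted PBKDF2 hashes: the precomputed table hits nothing."""
    records = {user: make_record(pw) for user, pw in USERS.items()}
    table = precomputed_table(CANDIDATES)
    # The table is keyed on unsalted SHA-1 output, so no stored hash can ever match it.
    table_hits = {u: table[r["hash"].hex()] for u, r in records.items() if r["hash"].hex() in table}
    # Without the table, the attacker must run the slow KDF once per (user, candidate) pair.
    kdf_calls_needed = len(records) * len(CANDIDATES)
    return {
        "table_hits": table_hits,
        "kdf_calls_needed": kdf_calls_needed,
        "login_ok": verify("hunter2", records["alice"]),
        "login_wrong": verify("hunter3", records["alice"]),
    }
```

Salting alone only removes the precomputation advantage; the slow KDF is what makes the per-user brute force expensive, which is why the two are always used together.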

Mat offers a few suggestions. For example, if you're traveling and need to access your bank account, the system sends your picture and has to get three friends to say "Yes, this is Bob" before you can be granted access. I find this concept interesting, but also potentially subvertible.

It boils down to computer security being an eternal game of whack-a-mole against bad guys, and to paraphrase Ronald Reagan, the price of computer security is eternal vigilance.

http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/
thewayne: (Default)
It's basically the same sort of stuff that the Pennsylvania school district was doing with its MacBooks last year, except there may be a hardware component that has to be deactivated with a wand.

In this particular story, a couple was visited by an Aaron's store manager who claimed they had not paid for their computer and he was going to repo it. He showed them a picture of the husband working on the laptop taken with the built-in web cam. The couple freaked and called the police. They picked up the computer for the wife to use in college, made two payments, then decided to pay for the whole thing. Turns out a clerk at Aaron's was arrested for stealing money from the store, which could account for why their records showed the agreement was in default. Presumably the couple had the receipt showing final payment.

The couple is suing Aaron's and seeking class action status. There are some wonderful quotes in the story that the wife will frequently check email before/after showering, and that their 5-year-old boy sometimes runs around naked as such kids are sometimes wont to do. So now Aaron's could be in possession of kiddie porn.

http://news.yahoo.com/s/ap/20110503/ap_on_re_us/us_rental_computer_spyware

http://yro.slashdot.org/story/11/05/04/0111229/Aaron-Computer-Rental-Firm-Spies-On-Users
thewayne: (Default)
Scientists have been working on ways to hack car security systems. Increasingly, lots of things in new cars tie in to a central bus: engine control unit, anti-lock brakes, air bags, transmission, door locks. And the car stereo. The scientists have found a way to create a specially-crafted MP3 which, if played on certain models, lets them take control of the car, potentially by Bluetooth or the car's cellular system.

Older cars without centralized buses would be immune, as would installing your own stereo. The sad thing is that car makers do not seem to be doing much to create a reasonably secure system; you'd think they'd learn with the news of all the systems being exploited out in the world.

(Speaking of which, my favorite recent hack is HB Gary Federal going against Anonymous: they totally pwnd their CEO, up to and including remote-wiping the guy's iPad!)

http://www.itworld.com/print/139794

http://it.slashdot.org/story/11/03/12/0114219/Hacking-a-Car-With-Music
thewayne: (Default)
Australian ISPs are implementing a system where, if your connection is detected as being infected by a zombie, you're put into a 'walled garden' where you have limited internet connectivity or throttled bandwidth until your computer is remediated. They can detect certain types of traffic that shouldn't normally be coming from a workstation, or a flood of email, or other things. Finally the US is taking notice and talking about implementing such code.

About bloody time. It will be interesting to see how much spam email traffic drops once this is widely adopted.

We've had the technology. Cisco has had software that's done something like this for years, when you try to connect to one of their protected networks it will inspect your computer for current anti-virus and updates, and if it doesn't have them, it'll put you in the walled garden where you can only update your computer, and you're kept there until you're updated.
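Both halves of this, the ISP's traffic-based quarantine and the Cisco-style posture check, come down to a small decision function. Here is an added Python sketch (not the ISP code, and not anything Cisco ships) that parses constructed flow records, flags a workstation fanning outbound SMTP to many distinct mail servers (the "flood of email" signal), folds in an assumed posture report (anti-virus and patches current or not), and puts offenders in the walled garden. The allowed relay, threshold, addresses and flow format are all assumptions for the example.

```python
import re
from collections import defaultdict

# Assumed flow-record format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>".
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Policy knobs (assumed values).
MAIL_RELAYS = {"192.168.1.10"}      # hosts that are supposed to talk SMTP outbound
SMTP_DISTINCT_DST_LIMIT = 20        # a workstation reaching this many mail servers is a spam bot

# Constructed sample flows: one host blasting SMTP at 25 different servers,
# two ordinary web clients, and the legitimate mail relay.
SAMPLE_FLOWS = "\n".join(
    [f"2010-06-26T10:00:{i:02d} src=192.168.1.20 dst=203.0.113.{i} dport=25 proto=tcp"
     for i in range(1, 26)]
    + [
        "2010-06-26T10:01:00 src=192.168.1.30 dst=198.51.100.7 dport=443 proto=tcp",
        "2010-06-26T10:01:02 src=192.168.1.40 dst=198.51.100.8 dport=80 proto=tcp",
        "2010-06-26T10:01:05 src=192.168.1.10 dst=203.0.113.99 dport=25 proto=tcp",
    ]
)

# Constructed posture report, as a NAC agent might supply it (assumed shape).
POSTURE = {
    "192.168.1.30": {"av_current": True, "patched": True},
    "192.168.1.40": {"av_current": False, "patched": True},
}


def parse_flows(text: str):
    """Return (src, dst, dport) tuples; lines that do not match are ignored."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append((m["src"], m["dst"], int(m["dport"])))
    return flows


def smtp_fanout(flows) -> dict:
    """Distinct SMTP destinations per non-relay source host."""
    dsts = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 25 and src not in MAIL_RELAYS:
            dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items()}


def decide(flows, posture: dict) -> dict:
    """Map every host to ('allowed', []) or ('walled_garden', [reasons])."""
    fan = smtp_fanout(flows)
    hosts = {src for src, _, _ in flows} | set(posture)
    decisions = {}
    for host in sorted(hosts):
        reasons = []
        if fan.get(host, 0) >= SMTP_DISTINCT_DST_LIMIT:
            reasons.append(f"outbound SMTP to {fan[host]} distinct hosts")
        p = posture.get(host)
        if p is not None and not (p["av_current"] and p["patched"]):
            reasons.append("posture check failed")
        decisions[host] = ("walled_garden", reasons) if reasons else ("allowed", [])
    return decisions


def demo() -> dict:
    return decide(parse_flows(SAMPLE_FLOWS), POSTURE)
```

The reason list is what the walled-garden landing page would show the user, which matters in practice: a quarantine nobody can explain generates support calls, not clean-ups.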

http://www.zdnet.com.au/us-interested-in-aussie-zombie-code-339304063.htm


This second article about the Australian zombie code has a curious statement. "The code will remain voluntary for ISPs to adopt." and "The code is to be implemented by ISPs before December." So is it voluntary or mandatory?

But I really like this quote: Asked today what internet users could do if they didn't want to act on protecting themselves if they were quarantined and put into a walled garden, Coroneos said that the time had come for internet users to be responsible for their actions online.

"I'm sure there are people around that resent having to put new tyres on their car when they're unroadworthy, or have their brakes done," Coroneos said. "But the reality is that we have argued that internet users have a responsibility not only to themselves, but also to other users on the internet."

Having your computer fixed was "no different" than when your washing machine broke down, according to Coroneos. "You've got to call someone in to fix it," he said. "You don't like paying the money, unless you can do it yourself, and many users will be able to do this themselves."


http://www.zdnet.com.au/new-zombie-code-in-effect-by-december-339303681.htm


http://yro.slashdot.org/story/10/06/26/0253250/US-Shows-Interest-In-Zombie-Quarantine-Code


I really like this idea, but I wonder how many ISPs have Terms of Service that state that they can limit your connection if your computer is compromised by a virus or trojan.

Page generated Sep. 22nd, 2017 01:19 pm