thewayne: (Default)
A proof of concept of this was revealed some months ago when a Burger King TV commercial said "Siri, tell me about the Whopper". Maybe it was Hey Google, I don't remember. Anyway, it was rapidly blocked, then BK came out with another commercial and they had a little war back and forth. And BBC apparently tries it with "Hey Siri, remind me to watch Doctor Who on BBC America." I was particularly amused at "Hey Siri, remind me to watch Broadchurch on BBC America" during the final episode of the series. I burst out laughing when that ad aired and had to explain it to the spousal unit. And as Sam Clemens said, or is alleged to have said, 'Analyzing humor is like dissecting a frog: you can do it, but the frog isn't good for much afterwards.'

Well, the Chinese have found another way: pitch the audio above the range of human hearing. The microphones can still catch it, and the command works. Now, I don't have voice-activated Siri on my iPhone, I have to hold down the button because I find that, for me, for the most part Siri is garbage. I don't think it's my enunciation, but maybe it is.

Makes me wonder if they'll put in a filter to cap mic input to 18-20 kHz or so to prevent this sort of abuse.

I read about this last week, perhaps on the day that I went down to help out that medical practice with their ransomware attack. The clinic was handling their last patients of the day, and the office manager was running the front desk, and was using his iPhone with Siri voice commands. He looked a little shocked when I told him about this attack.

Here's the Slashdot summary:

Chinese researchers have discovered a vulnerability in voice assistants from Apple, Google, Amazon, Microsoft, Samsung, and Huawei. It affects every iPhone and Macbook running Siri, any Galaxy phone, any PC running Windows 10, and even Amazon's Alexa assistant. From a report:

Using a technique called the DolphinAttack, a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear. The researchers didn't just activate basic commands like "Hey Siri" or "Okay Google," though. They could also tell an iPhone to "call 1234567890" or tell an iPad to FaceTime the number. They could force a Macbook or a Nexus 7 to open a malicious website. They could order an Amazon Echo to "open the backdoor." Even an Audi Q3 could have its navigation system redirected to a new location. "Inaudible voice commands question the common design assumption that adversaries may at most try to manipulate a [voice assistant] vocally and can be detected by an alert user," the research team writes in a paper just accepted to the ACM Conference on Computer and Communications Security.
thewayne: (Default)
Recently, hackers stole the first ten episodes of the new season of Orange is the New Black from Netflix and demanded a ransom in bitcoin or they'd post the episodes on Pirate Bay. Netflix didn't pay, the hackers were true to their word, and the episodes were posted.

Now Disney has been hit. Hackers have demanded a "large" ransom or an unnamed film will be released; the name of the film is unknown, but the two big-name upcoming releases are the new Cars and the Pirates of the Caribbean movies, neither of which I'm particularly interested in seeing. Bob Iger, CEO of The Mouse, is refusing to pay and is working with Federal investigators.

What I'm wondering: (A) is this the same group that hit Netflix, demonstrating some pretty good skills to hit deep in two different megacorps, and (B) is this a new business model for the criminal hacking community? It could certainly be profitable; I wonder if it could also encourage entertainment megacorps to create a consortium to build a big network of bitcoin mining machines so they have a ready supply available if they decide that they need to start paying. Of course, the better solution is to beef up their IT infrastructure and rid themselves of the mindset that it's cheaper to absorb the cost of the occasional hack than to maintain up-to-date security postures.
thewayne: (Cyranose)
First, if you've upgraded to the latest iOS, v9, go to Settings/Cellular, and scroll all the way down. You'll see an option called Wi-Fi Assist. You'll probably want to turn it off. Last week I received a text that I was 3/4ths through my 10 gig monthly data plan, and I couldn't remember doing anything that could account for a huge spike in my plan usage. It was quite likely this option.

Obviously this only affects iPhone users and not iPad users, though it might if you have a cellular-enabled iPad.

Next up are two bona fide malware packages for iPhones from China. The first involves falling for porn banner ads that add a certificate manager that bypasses Apple's heretofore strong walled garden. The interesting thing about this particular exploit is that you didn't have to have jailbroken your phone for it to be vulnerable! Phones running iOS 8.3 or older are most vulnerable.

But that's just one of the two. And if you limit your porn viewing to browser-based sites, you're probably fine.

The second one is a lot more serious: some people found a way to hack the Xcode development system which is used to write most iOS programs. The issue is mainly Chinese: because of poor international internet speeds, lots of Chinese developers download the free Xcode development system from Chinese servers rather than from Apple direct, and those copies have been subverted.

Currently the tainted applications have been purged from the app store, and Apple is setting up more servers in China to better control the distribution of the Xcode system, which will improve things.

There was little that could be done to avoid this particular attack because the apps passed inspection by Apple and were allowed into the app store. So the normal prohibition of only installing apps from trusted sources was subverted in a very clever way, and now defenses are being ramped up to prevent a similar exploit again.

But the perpetual problem is that it's not too difficult to defend against previous attacks. It's the next attack coming that's going to get through at least once.
thewayne: (Cyranose)
Yes, yes they can.

An idiot teen in Texas (I'm not being redundant, am I?) called in bomb threats and SWATted people in other states, while bragging that there was nothing they could do because he was a hacker. He even had 'leet' in his email/Twitter handles.

Unlike skilled hackers and security analysts, he didn't use lots and lots of proxy servers. He made threats directly from his home computer, and the FBI had no problem linking the IP address to subpoenaed logs and arresting the 19-year-old.

"... among several of the handles and e-mail addresses that the 19-year-old used was and the Twitter handle @RIURichHomie. The FBI simply filed a subpoena to Google for the records associated with that account and another to Twitter. They both showed that they had been accessed by the same IP address from a Comcast account served to a home in Cypress, Texas.

Authorities also found through a simple Google search that Morgenstern had previously controlled the Twitter account @ZackL337H4X0R."

He pled guilty and faces ten years in prison.
thewayne: (Cyranose)
The FBI is saying that the Sony hack was definitely the work of North Korea, based on evidence of NK attacks on South Korea, such as samples of the code that was preserved, encryption techniques, etc. So I guess I have to revise my previous opinion.

Bruce Schneier has an interesting editorial that appeared in the Wall Street Journal. He said that attacks should be viewed along two axes: skill and focus. Spam attacks are low focus and low skill: they blast out millions of emails knowing that someone, somewhere, will open the mail and click on a link to a poisoned web site. Malware writers are high skill, low focus. Script kiddies are low skill, but higher focus. The attackers of Target and Home Depot were high skill, low focus: they didn't care who they hit, they just wanted a big enough retailer to result in a big credit card theft, which is why they don't target Bob's Pizzeria. The Sony hack? High skill, high focus. Schneier likened it unto the Anonymous attack on HBGary Federal, an internet security firm.

The FBI went on to say that 90% of corporations could not have withstood the attack. Which is not encouraging, and should greatly concern them.

The worst thing about this attack is that so much personal employee information was violated. In fact, there are two class-action lawsuits against Sony Pictures for not sufficiently safeguarding their information. The result of those will be quite interesting. But my take on this is DON'T SEND PERSONAL INFORMATION OR GOSSIP THROUGH WORK EMAIL SYSTEMS IF YOU DON'T HAVE TO! If you're going to gossip, do it face-to-face or over the phone. If you're going to send rude jokes, DON'T. Sony executives are looking like idiots for doing this, and deservedly so.

The full article:
thewayne: (Cyranose)
Well, probably not North Korea per se, I doubt they have the expertise but they could have hired a hacker army.

Here's the premise. Little Kim's mad at a movie coming out on 12/25 called The Interview, a Seth Rogen movie, where two guys run a popular TV talk show and score an interview with the leader of North Korea. And are then recruited by the CIA to assassinate said leader.

For some reason this made some people unhappy.

Regardless of who did it, the attackers got deep into Sony Pictures' corporate network, pulling out all sorts of employee information, including health care info, salary info, etc., and posted it all online. Researchers have confirmed that the data looks real by cross-referencing people in the files with LinkedIn job descriptions. More than enough to do some pretty serious identity theft. And they dumped it all online. Apparently the hack was so bad that Sony IT advised everyone to turn off WiFi on all devices and not use any corporate computers.

At least this time it wasn't Sony Online.
thewayne: (Cyranose)
and responds in exactly the way they shouldn't have.

First, apparently some employees got spearphished and some employee accounts were compromised, which allowed some of eBay's 145 million auction accounts to get compromised. So everyone should change their password. Except I have an eBay account and haven't received an email saying that I should do it. And honestly, since eBay owns PayPal, it would probably be a good idea to change your password over there, too; we don't know how tightly their networks are mingled.

To quote Krebs, "The company said the information compromised included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. eBay also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users."

Krebs goes on to point out that PayPal now offers two-factor security authentication, which is a dongle (for $30) or a smartphone app (free) to give you a second, changing, password that must also be entered to access your account. The dongle has to be replaced for $30 when the battery eventually fails.

I think I'll go with the smartphone app.

The problem is that eBay initially posted news of the hack on a part of their web site that most people never see instead of blasting out emails to all of their customers telling them that their accounts may have been compromised. Very bad form. The attack occurred in February or March, so it's taken them almost two months to notify anybody. VERY bad form. It'll be interesting to see how many lawsuits result from this one. There's been no known criminal activity thus far, compared to the Target breach, but still, there should be some corporate heads rolling. And no one knows, because eBay won't tell, what encryption system eBay used to encrypt the passwords, so no one can estimate how long it'll take to break them. My bet is they used double-ROT13. ;-)

Now here's an amusing thing about it: criminals are scamming criminals! Someone is "selling" eBay customer lists for 1.453 bitcoins. The problem: the list is fake. The actual thieves may or may not have decrypted the user accounts yet, we don't know, but people have verified that the list for sale is most likely not from eBay. The reason, as tested by Krebs and others, is that you can have only one email address per account, so they took some of the email addresses and tried to create eBay accounts with them, and they could.

The same thing happened when LinkedIn was compromised, I missed the news on that one.

This isn't the only security vulnerability for eBay. A security researcher found that they were vulnerable to cross-site scripting (XSS) attacks, notified eBay, and was ignored. He recently found that they were still vulnerable to the same exploit. While this was probably not involved in this most recent attack, it's still something that should have been addressed.

While it's fun to poke fun at major corps like this when they fall down, web site security is not easy. As a case in point, also from Krebs, there's an organization called "the International Information Systems Security Certification Consortium (ISC)² — the non-profit that administers the Certified Information Systems Security Professional (CISSP) exam." It would seem that these people, who certify people who want to be viewed as security professionals, also had an exploitable web site. One such security professional was renewing his membership to keep his certification active and noticed that the URL contained the dollar amount of his payment. So he decided to test the system and changed the amount in the URL to zero, and the system accepted his free renewal. He re-paid his membership, notified (ISC)², and was thanked for spotting the vulnerability. It has since been fixed.
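The renewal bug described above, as an added example that is not the consortium's code: a handler that charges whatever amount came back in the URL, next to one that prices the order server-side and treats a disagreeing client amount as a tampering signal. The item catalogue, member ids and gateway are constructed stand-ins.

```python
"""Price tampering: trusting a dollar amount from the URL vs. pricing server-side.
Added example, not the (ISC)² site's code; the catalogue and gateway are
constructed stand-ins."""
from decimal import Decimal
from urllib.parse import parse_qs, urlsplit

# Constructed server-side price list keyed by item id.
CATALOGUE = {"cissp-renewal": Decimal("85.00"), "sscp-renewal": Decimal("65.00")}


class PaymentGateway:
    """Records the amounts actually charged so we can inspect them."""

    def __init__(self):
        self.charged = []

    def charge(self, member: str, amount: Decimal) -> bool:
        self.charged.append((member, amount))
        return True


def params(url: str) -> dict:
    """First value of each query-string parameter."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_renew(url: str, gateway: PaymentGateway) -> str:
    """Charges whatever 'amount' the browser sent back. Setting amount=0 in
    the URL yields a free renewal, which is the flaw the post describes."""
    p = params(url)
    gateway.charge(p["member"], Decimal(p["amount"]))
    return "renewed"


def fixed_renew(url: str, gateway: PaymentGateway) -> str:
    """Never honours a client-supplied price: looks the item up server-side,
    rejects unknown items, and treats a displayed amount that disagrees with
    the catalogue as a tampering signal to audit rather than a value to use."""
    p = params(url)
    item = p.get("item")
    if item not in CATALOGUE:
        return "rejected: unknown item"
    price = CATALOGUE[item]
    shown = p.get("amount")
    if shown is not None and Decimal(shown) != price:
        # Log this: the client's view of the price disagrees with ours.
        return f"rejected: amount mismatch (client {shown}, server {price})"
    gateway.charge(p["member"], price)
    return "renewed"


def demo() -> dict:
    """Run both handlers over an honest and a tampered request (constructed URLs)."""
    g_vuln, g_fixed = PaymentGateway(), PaymentGateway()
    honest = "https://example.invalid/renew?member=m123&item=cissp-renewal&amount=85.00"
    tampered = "https://example.invalid/renew?member=m123&item=cissp-renewal&amount=0"
    unknown = "https://example.invalid/renew?member=m123&item=bogus&amount=85.00"
    return {
        "vuln_tampered": (vulnerable_renew(tampered, g_vuln), str(g_vuln.charged[-1][1])),
        "fixed_tampered": fixed_renew(tampered, g_fixed),
        "fixed_unknown": fixed_renew(unknown, g_fixed),
        "fixed_honest": (fixed_renew(honest, g_fixed), str(g_fixed.charged[-1][1])),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```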
thewayne: (Cyranose)
First up, real estate and title companies are getting hit; it sounds like malware performing a man-in-the-middle attack. Clients transferring earnest money electronically are having the destination bank information changed, and said earnest money is being sent directly to the criminals: do not pass go, crooks collect $20,000. The key to preventing this would be to get the money guy to send the bank information via hard copy, take said hard copy to your bank, then have them verify the target account before transmitting.

Next up: I've written about fraudulently-filed tax returns before. Well, it's hit doctors and clinicians pretty bad; several hundred have had their returns usurped. It looks like a big data aggregator was probably compromised, resulting in the loss of a lot of professionals' information, probably someone on par with the American Medical Association, not that I'm saying it's the AMA; I don't see the AMA collecting things like SSNs and dependent info. Could have been some state boards that were hit, or maybe lots of clinics are using the same clinic management software and they got compromised at the vendor level. Time will tell what happened.
thewayne: (Cyranose)
Here's an excellent XKCD comic showing how it works. The basic concept is known as an unchecked parameter where the requester (hacker) asks the server a question and tells it to return 64,000 characters of information. Said information is a random memory location but can contain quite valuable data, including crypto keys, and that's the reason why all of the certificate authorities are slammed and scrambling like mad to re-issue new encryption certificates.

I'll write more about this later after I've had time to research it better. The one thing is that this seems to be a server problem, I don't know how this affects personal computers. I do know that the observatory that my wife works at had at least three vulnerable servers. People are saying "Change all your passwords NOW!", but I'm not sure if that's the way to go. If you change your passwords now, and the server has not yet been updated, it's still vulnerable. I think it would be better to wait until a given web site says 'change your password' as that should be a solid sign that they've taken steps to remediate their servers.
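The unchecked-length bug described above, as an added example that is not code from the post or from OpenSSL: a simulated heartbeat handler that trusts the length field in the request next to one that checks it against the real record length. The record layout follows RFC 6520 (type, two-byte payload length, payload, padding); the "process memory" and the secret sitting in it are constructed for the demo.

```python
"""Simulated TLS heartbeat handling: the trusted length field vs. the bounds
check that fixes it. Added example, not the post's or OpenSSL's code; the
'memory' layout and the secret in it are constructed."""
import struct
from typing import Optional, Tuple

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat record: type(1) | payload_length(2) | payload | padding.
    claimed_len lets the header lie about the payload length, as the attack does."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def _response(payload_len: int, payload: bytes) -> bytes:
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(memory: bytes, record_len: int) -> bytes:
    """Copies payload_length bytes from where the payload starts, regardless of
    how long the record actually is. `memory` is the received record followed
    by whatever else happened to sit next to it in the heap."""
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    payload = memory[3:3 + payload_len]  # may run far past record_len
    return _response(payload_len, payload)


def fixed_handler(memory: bytes, record_len: int) -> Optional[bytes]:
    """Checks the claimed length against the real record length before copying,
    and silently drops malformed records (the shape of the actual fix)."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None  # too short to even carry the header and padding
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # claimed length exceeds the record: drop it
    return _response(payload_len, memory[3:3 + payload_len])


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a response record."""
    _, n = struct.unpack("!BH", response[:3])
    return response[3:3 + n]


# Constructed demo: a 4-byte payload whose header claims 64 bytes, followed in
# 'memory' by data that has nothing to do with this connection.
SECRET = b"-----BEGIN PRIVATE KEY-----(constructed sample, not a real key)"
RECORD = build_heartbeat(b"ping", claimed_len=64)
MEMORY = RECORD + SECRET + b"\x00" * 64


def demo() -> Tuple[bytes, Optional[bytes]]:
    """What each handler returns for the over-long request."""
    return (response_payload(vulnerable_handler(MEMORY, len(RECORD))),
            fixed_handler(MEMORY, len(RECORD)))


if __name__ == "__main__":
    leaked, fixed = demo()
    print("vulnerable handler echoes:", leaked)  # includes bytes of SECRET
    print("fixed handler returns:", fixed)  # None: record dropped
```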

thewayne: (Cyranose)
RTF was a standardized document format almost before Word existed; it was developed by the U.S. Navy as a way to give vendors a standard to code for, to ensure that documents could move between computers. It has the advantage of the document being pure text with internal formatting codes.

Well, trust Microsoft to screw it up. Their implementation allowed malicious code to be embedded so that attackers could gain system access equal to that of the poor sap who opened the document. If said poor sap was a system administrator, guess what.... Even if they aren't an admin, the malware could phone home and pull down exploit packages that might let them escalate privileges to gain admin access.

One technique would be to ban all RTF file extensions, but it is a valid extension and Word knows to look at the header codes rather than rely on the file extension to determine how to read the doc, so that wouldn't work.

Fortunately the problem doesn't seem to affect any other word processing programs except Microsoft Word.

In an ideal environment in the Real World, those who have the need to be system administrators should not run the workstation that they use for day-to-day work at their admin account level. The best way, IMO, is give them dual big monitors and have a virtual machine that they can start up and sign on with their admin account, said machine does not have Microsoft Office or anything else not directly related to administering the network. If they can pull it off, the admin account should not even have internet access.
thewayne: (Cyranose)
Interesting article that expands on some of the recent hacks, including malware that sniffs data within computers before they go through the encryption/transmission process! I do overuse the word interesting, but this is interesting stuff. The article also goes on to say that Target and JC Penney were hit in 2007, so this isn't Target's first dance.

Unfortunately the article does not go on to list the others who got hit; I'm sure that'll be revealed in the next couple of months. Meanwhile, the people who shopped at those stores are very vulnerable.
thewayne: (Cyranose)
First, Target. They revealed that the people who penetrated their network security, or lack thereof, also made off with the names, email and street addresses, and phone numbers of 70 million people. So we could be seeing some interestingly targeted scams. A commenter said that the zip code revealed was that of the store, I tend to doubt that. Anyway, if they made off with your street address and city, it would be easy to look up the zip. This is in addition to the 40 million credit cards compromised, though I'm sure there's significant overlap between the two groups.

Second, Neiman. They revealed that their credit card processor told them in mid December that a compromise happened. They have not announced how many cards were compromised or how it happened pending a report from a forensic investigation company. Like Target, only the brick & mortar side was hit.
thewayne: (Cyranose)
And they're already up for sale on criminal underground carder forums. Apparently some banks actually buy their customers' cards from these markets.
thewayne: (Cyranose)
There's not a lot of firm data, but it looks like they were hacked for the period of Thanksgiving 2013 to December 15th. Originally it was thought to be a week, but it expanded. No really solid information has been released as to methods, but it looks like over a million cards were compromised and that it only affected in-store purchases, not online purchases.

It is anticipated that this could become one of the biggest hacks when everything is analyzed, which I find kind of noteworthy for one of such short duration.
thewayne: (Cyranose)
A security exploit was explained and demonstrated at the DefCon conference in 2008, and this year a security research firm found it operating in the wild.

The vulnerability involves something called BGP, Border Gateway Protocol. If you're an internet backbone provider, you mainly move packets between networks, not within networks. You maintain and advertise BGP lists that announce what networks are tied to you and what networks you know about, so if you receive a packet destined for network X and you don't know X, but you know W and it's near X, you send the packet to W.

The way the hack works is that the attacker sends a BGP announcement claiming to service networks X, Y, Z, crafted so that packets destined for those networks instead go to the hackers. And this has happened before by accident: someone screws up a BGP list, it propagates, and all of a sudden some servers go dark. This happened not too long ago when Pakistan tried to filter YouTube so that certain videos were not viewable within Pakistan; instead it sucked all requests for YouTube vids into a black hole that took a couple of hours to fix.

Through some clever engineering, these hackers have done a two-part hack. They propagate the poisoned BGP lists to select backbone providers, so the traffic gets diverted to the crooks, then they propagate different manipulated BGP lists to other backbone providers so the traffic eventually gets to where it was supposed to go in the first place. The only way that you'd notice is if you did a traceroute or had some sort of real-time chat going on, with the traceroute you'd see the traffic that should have gone from, say, Los Angeles to New York going all over Europe before coming back to North America. A person in a real-time activity would notice a delay, but unless they did a traceroute, might think it was just normal internet occasional slowdown. Web sites might be a little slow responding, and if you were sending email, you wouldn't notice a thing since it is never instantaneous delivery.

But while the packets are in the hands of the middleman, they can be copied and altered. Any non-encrypted traffic is open to their eyes: email attachments, spreadsheets, PowerPoint presentations of corporate strategies, banking information, VoIP traffic, etc.

Lovely, eh? The article goes on to describe how organizations can monitor for this, but the easiest step is quite simple: encrypt ALL internet traffic.
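One piece of the monitoring the post alludes to, as an added example (not from the article or from any router vendor): an origin check that compares each announcement heard for a prefix we care about against the ASNs allowed to originate it. It goes one step beyond the post by also flagging a more-specific prefix announced from an unexpected origin, since the more-specific route wins and diverts the traffic just the same. The prefixes, AS numbers and update feed are constructed (RFC 5737 / RFC 5398 documentation ranges).

```python
"""Origin validation for BGP announcements as a hijack-monitoring check.
Added example, not code from the article; the expected-origin table, the AS
numbers and the sample feed are constructed."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed: prefixes we own or watch, and the ASNs allowed to originate them.
EXPECTED_ORIGINS: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/22": {64501, 64502},
}


def check_announcement(prefix: str, as_path: List[int]) -> str:
    """Classify one announcement. as_path runs from the neighbour we heard it
    from down to the origin AS (last element), as in a BGP UPDATE."""
    if not as_path:
        return "invalid: empty AS path"
    origin = as_path[-1]
    net = ipaddress.ip_network(prefix, strict=False)

    # Exact match on a prefix we track: the origin must be one we expect.
    if prefix in EXPECTED_ORIGINS:
        if origin in EXPECTED_ORIGINS[prefix]:
            return "ok"
        return f"ALERT origin mismatch: {prefix} originated by AS{origin}"

    # A more-specific of a tracked prefix wins longest-match in every router
    # that accepts it, so an unexpected origin announcing a /25 inside our /24
    # diverts that half of our traffic without touching our own announcement.
    for known, origins in EXPECTED_ORIGINS.items():
        known_net = ipaddress.ip_network(known)
        if net.version == known_net.version and net.subnet_of(known_net):
            if origin in origins:
                return "ok: more-specific from expected origin"
            return f"ALERT more-specific hijack: {prefix} inside {known} from AS{origin}"
    return "ignored: prefix not tracked"


def scan(updates: List[Tuple[str, List[int]]]) -> List[str]:
    """Run every (prefix, as_path) through the check and return only the alerts."""
    results = [check_announcement(prefix, path) for prefix, path in updates]
    return [r for r in results if r.startswith("ALERT")]


# Constructed feed: a normal route, an exact-prefix hijack, a more-specific
# hijack, a legitimate more-specific, and a prefix we do not track.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [64496, 64497, 64500]),
    ("203.0.113.0/24", [64496, 64498, 64666]),
    ("198.51.100.0/24", [64496, 64499, 64666]),
    ("198.51.102.0/24", [64496, 64497, 64502]),
    ("192.0.2.0/24", [64496, 64510]),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print(alert)
```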
thewayne: (Cyranose)
It happened early this month and the crooks got a lot of good stuff: 38 million user accounts with hashed passwords and what appears to be the source code to Photoshop. Not a bad day's work, or however long it took them. And a lot of the user accounts contained credit card information! Yay! So if you've EVER bought a product directly from Adobe, particularly using a credit card that is still live, you might have an issue.

But not to worry! Adobe is offering to pay for a year of credit monitoring for you! There's only one slight problem: it's through Experian. The same people who sold the information needed to open credit in your name to criminals in Vietnam.

I think all of the Adobe products that I've bought recently I did through Amazon.

thewayne: (Cyranose)
There are forums on the internet called carder sites where people post 'I have 3,000 clean American cards for sale' and such information is bought and sold. Such sites come and go; within the last few weeks a big one was taken down. They also move drugs and identity theft information. Some of the information is gained through card skimmers installed on point of sale terminals, such as what happened to Barnes & Noble and to Nordstrom, but also at gas pumps and ATMs. Some is obtained through server compromises, such as happened to TJ Maxx a few years ago where criminals roamed their network with impunity and undetected for months, sniffing credit card information by the bucketful.

Then there are the criminals that get it directly from Experian and LexisNexis.

There are three major credit bureaus in the U.S., and Experian is one of them. Through a third-party vendor connected to their data, criminals paid for an account with Experian, posing as U.S. private investigators while actually based in Vietnam, and they paid for the account with wire transfers from Singapore. No red flags there, nosiree!

The criminals had an Experian account for a year. So clearly Experian was doing zero due diligence to make sure their systems were only being accessed by the people who should be accessing them. As long as the checks came in, they didn't care. The criminals had everything on people that would allow them to do a full impersonation: name, address, social security number, mother's maiden name, job info, bank account info including routing numbers, etc. The indictment of the head of the operation alleges that they bought and sold information on half a million people. Secret Service lured him out of Vietnam to Guam where he was arrested and moved to New Hampshire where he's facing 15 criminal counts that could amount to basically a life sentence if he's convicted on all counts.

The ultimate irony is that Experian claims that they are data breach experts and sell credit monitoring services to watch to see if your information is compromised.

Last month Krebs broke a story of how LexisNexis, Dun & Bradstreet, and a service called Kroll were compromised by identity theft criminals. LexisNexis is an invaluable tool for attorneys, but also for crooks. It's also a pay-for service, but apparently free accounts are given to law students all over the country, and one such inactive account was compromised to gain access to the service for criminals. Again, all the information that you'd need to impersonate someone or get credit issued in their name was available through their service.

The way this compromise was discovered is kind of interesting. The information was found on a criminal web site called SSNDOB which sold the info; their site got hacked and plundered by other hackers, and their database was posted publicly. The records had a field that showed where each came from, with codes such as DNB, LX, etc. Quickly a botnet was discovered and everything was unraveled.
thewayne: (Cyranose)
This is awesome. A guy in Austria built a robot using Lego Mindstorms that presses the Next Page button on the Kindle, then presses the space bar on his Mac to take a picture of the screen. The image is run through a cloud-based OCR package and a text file is returned.

Totally impractical since you can download software that'll strip the DRM in moments, but still pretty awesome cool.

The creator has a great comment on the Vimeo page quoting Jeff Bezos in an O'Reilly interview saying that people should have the right to share, trade, or sell ebooks; he then turns around and takes that right away from his customers.
thewayne: (Cyranose)
The SEA has been pulling off some high-profile hacks, including: The New York Times, The Washington Post, Twitter, Associated Press, etc. Mainly they deface web sites with pro-Assad messages, but with them getting into newspapers' sites, it's wondered whether they got deeper and stole reporter credential information. I expect their attack frequency to increase over the next few weeks as the debate over whether or not to attack Syria over the chemical weapons use intensifies.

And they have some pretty skilled people working for them, otherwise they couldn't pull off the hacks that they have. My favorite hack of theirs has to be their attack on The Onion. Other non-English speaking countries *cough*Iran*cough* have cited The Onion as an actual, reliable, news source. Maybe that's why the SEA took it over. And the owners/editors of The Onion took it totally in stride.

As a part of international trade sanctions against Syria, several hundred domain names were seized, including those of the SEA. So they moved their domain registration and apparently its hosting to Russia. But something happened which the SEA vehemently denies: they themselves were hacked. They were totally pwn'd and their servers were copied and posted to 'darknet' Tor sites that can only be accessed through Tor browsers, said copies are now being gleefully analyzed by security professionals.

The SEA, of course, totally denies that this happened, claims their servers are 100% secure. Well, they've proven that very few servers are as secure as people would like to think that they are.

I find it quite amusing, the uber hackers getting hacked, then denying it could ever possibly happen. This word you keep using: I do not think it means what you think it means.
thewayne: (Cyranose)
"Stomping on the brakes of a 3,500-pound Ford Escape that refuses to stop–or even slow down–produces a unique feeling of anxiety. In this case it also produces a deep groaning sound, like an angry water buffalo bellowing somewhere under the SUV's chassis. The more I pound the pedal, the louder the groan gets–along with the delighted cackling of the two hackers sitting behind me in the backseat. Luckily, all of this is happening at less than 5mph. So the Escape merely plows into a stand of 6-foot-high weeds growing in the abandoned parking lot of a South Bend, Ind. strip mall that Charlie Miller and Chris Valasek have chosen as the testing grounds for the day's experiments, a few of which are shown in the video below. (When Miller discovered the brake-disabling trick, he wasn't so lucky: The soccer-mom mobile barreled through his garage, crushing his lawn mower and inflicting $150 worth of damage to the rear wall.) The duo plans to release their findings and the attack software they developed at the hacker conference Defcon in Las Vegas next month–the better, they say, to help other researchers find and fix the auto industry's security problems before malicious hackers get under the hoods of unsuspecting drivers."

I doubt anyone is surprised. If it's a computer, chances are that eventually it will be hacked. Disabling the brakes? Not good. And I believe it's Infiniti that is developing a car with drive-by-wire steering, where the steering wheel is not physically coupled to the front wheels, which means a computer is translating your input (turning the steering wheel) into orders to turn the wheels.

Ford is a little unique in that they have an interface to their cars' computer systems that people are allowed to tap into; someone developed a vibrating shifter for manual transmissions that tells you when to shift, intended for people who are new to stick-shifts. Supposedly this port doesn't let you into a modifiable portion of the computer, but still....

In other DefCon news, a hack was demonstrated that easily and totally bypassed Volkswagen's security systems, making it really easy to steal their cars while leaving no trace, giving the insurance companies a potential out by saying there was no evidence of theft. Volkswagen sued in court to keep the information from being disclosed at DefCon and surprisingly won, so they're going to get a little bit of time to cover their butts before more information on this hack gets into the wild.

Page generated Sep. 22nd, 2017 01:32 pm
Powered by Dreamwidth Studios