Tag Archives: defcon

Paranoia Made Me a Better Computer User, at Defcon – a reporters perspective

Defcon hacked elevator image

Having awareness of fraud, scams, and mischief is generally enough to raise the bar of safety for all consumers of technology. Certainly there are attacks and actions that criminals can take against technology that an end consumer has little protection against, but this is the proverbial “higher hanging fruit”. These days all the hacks, breaches, and news headlines are basically the low hanging fruit – common error, poor development practices, and misconfiguration. Imagine when the consumer is armed the required effort for criminals to succeed.

An entertaining and honest article on Gizmodo (honest for all the feelings he shares, and if you have ever been in a hostile environment, you’ll be able to relate) on a reporter touring the best hacker convention in the world – DefCon.

He takes most things in stride until…

The hacked elevator bothered me quite a bit actually

Preparation had made the idea of having the phone and computer hacked beyond reasonable, but expected … the concept of hacking a physical machine, like an elevator, was not. Cars hacked don’t receive the same paranoia, while I bet if you were in that car when it was electronically shut down … the feeling of trappedness of an elevator will translate to the car quite easily.

There is a good takeaway in the article and I wanted to highlight it below … check out the top “hacks” of this reporter to really understand the challenge of being in such environments:

the weird glitches that had defined my day at DEF CON — the fake wifi network, the iPhone error, the weird TV channels, the scary elevator, the garbled headphones — weren’t as bizarre and terrifying as they’d seemed.

In fact, on any other day and in any other place, I’d take the glitches in stride. I’ve joined fake wifi networks before. My iPhone does weird stuff pretty often. Hotel TV is weird in general. All elevators are scary. And Bluetooth sucks on most headphones.

A realization flooded over me in the hot Las Vegas night. Despite my mounting paranoia and in spite of my own faults, I probably hadn’t been hacked at all. If anything I was a little bit safer at DEF CON, because I was paying closer attention to my security. Much more so than in my daily life in New York City, I was aware that I could be hacked at any moment at DEF CON. At that moment I saw these wily hackers as optimists, knights in nerd armor who believe that we can be safer — if only we truly understand the dangers out there, inside our machines. They’re the ones paying attention when you’re not.

via Paranoia Made Me a Better Computer User, Gizmodo

Good luck out there!

James

Copying access control cards is easier w/ $10 device being released at BlackHat 2015

Proximity access cards are no more secure than a standard key .. and easily replicated with a $10 (to be released) tool. This was shared on ZDNet and with Motherboard. I have highlighted 2 key sections below for those interested in greater detail definitely check out the article. If you are lucky enough to see the presentation live at BlackHat, that will surely be better.

While RFID technology can help secure enterprise offices in this way, the ease in which these access controls can be hacked has hit the spotlight in the form of a tiny device which costs only $10 to make.

Researchers Mark Baseggio from security firm Accuvant and Eric Evenchick from Faraday Future are the developers of the Bluetooth Low Energy device (BLEKey), a coin-sized device which skims RFID cards, allowing users to clone items such as access cards.The team says the release of the tool is “valuable for understanding the risks associated with insecure access controls and what steps companies can take to lower the risk of access control attacks.” – ZDNet Article

I would raise the point that these attacks can now be down so easily that can the “control” of access control physically be fully trusted from a third party assurance perspective, an industry perspective such as PCI, or risk management? One could argue that cameras support this protection, but those are only employed after damage has been discovered and insufficient for all of the stakeholders involved.

“We wanted to create a device that would concretely and absolutely show and hopefully put the final nail in the coffin that is HID prox and Wiegand. These devices are no more secure than a standard key.” – Motherboard, Baseggio

The difference though with a ‘standard key’ is that takes some crafty spy work to make a copy without the owner being aware. To copy a HID card would take only seconds – at a gym, lanyards left at a desk, etc …

Glad the research cycle is exposing these risks and looking forward to creative approaches to counter it.

James

p.s. My new book – How not to be hacked is available and is PERFECT for your family and friends who keep getting smashed by online criminals, malware, and account hijacks!

Hacking Drones Close to Being Drawn up by Boeing and Hacking Team

Drone-HackedA high schooler could have done this, but these 2 didn’t get it done because of a NDA!?  Sad and shows sometimes progress can be derailed by the smallest of things. Passion is finicky and when pursuing the development of new ideas they need to be nurtured in and between organizations.

The technology already exists, and I’d bet for less than $2k it could be made operational. Perhaps we’ll see these at DefCon just to show how feasible and fun they can be in real life?

Leaked emails between Italian spyware vendor Hacking Team and Boeing subsidiary Insitu revealed that drones carrying malware to infect targeted computers via Wi-Fi by flying over their proximity is close to becoming a reality.

Spyware-carrying drones were being discussed by Insitu, a division of Boeing and now-disgraced malware firm Hacking Team, according to leaked emails from the recent breach of the Italian company which have been posted on WikiLeaks, Engadget reported.

It was only the failure to come to terms over a non-disclosure agreement that kept Insitu and Hacking Team ‘teaming up’ together in order to create the malware infesting drone.

via Hacking Drones Close to Being Drawn up by Boeing and Hacking Team.

Ps.. I wrote a book to help Information Security professionals share Tips to the other 3.1 billion people in the world struggling to stay secure and safe online. I’d love for you to share the news and benefit from the book – How not to be hacked

Mobile ad fraud costs advertisers $1 billion a year, study says

Mobile devices are easy targets and when more dependency on wifi is enabled the conduct of fraud is easier to execute without detection. Also thinking this would be pretty to execute such advertising fraud, as described in the article, by installing similar tech onto all of the unsecured/patched/Internet of Things devices on the internet. Imagine this fraud with all of the consumer internet routers!

Details from the Fortune article:

The firm said that it tracked down more than 5,000 apps that were exhibiting suspicious behavior. It found the apps by using the real-time tracking data that it gets from the various mobile ad networks that it is integrated with, which allowed it to look for the kind of rapid ad-loading and background functions that most malicious apps exhibit…

Forensiq said its research showed that more than 13% of total mobile app inventory was at risk, and 14% of all mobile apps on iOS, Android and Windows Mobile platforms.

Over a period of 10 days, Forensiq says it observed more than 12 million unique devices with installed apps that exhibited fraudulent behavior: about 1% of all devices it observed in the U.S. and between 2% and 3% of those in Europe & Asia.

Mobile ad fraud costs advertisers $1 billion a year, study says.

… My comments on this report (not posted on Fortune due requirement to link social media account):

It’d be valuable to know how those Apps identified for fraud were ranked in the ‘App stores’. This way we could identify the popularity and likely spread of these apps. The 12 million figure is large, but out of a possible 1.3 billion devices it is hard to understand the sampling effect.

I’d love more intelligence on the ‘what’, so that regular readers of the article and users of the devices could clean out these Apps off their devices.

Gotta love Blackhat and DefCon week! All the research docs are released.

James

Industrial Control Systems – the new security frontier, a call for Org change

Screen Shot 2012-12-28 at 10.42.40 AM

A quote similar stated that SCADA and basically systems controlling physical machines is the new attack surface.  It struck me as obvious and non-obvious upon reflection.  The security of these systems tends to be Facilities and not under the scope of concern of most CISO and certainly not the CIO.  That is unless the organization is structured where such operating roles are under the General Legal Counsel or the COO.  The structure of the organization as it relates to operational integrity, competitiveness, and ultimately compliance – security depends upon the organizational structures being adapted to the technology age. To often we forget the value of organizational strategy shifts, and this is one that will be necessary and provide valuable returns.

How can this trickle into the tactical operations of the business?

Consider this single example?

  • What controls do you have on checking the version of the HVAC units (software version) powering your data center and or corporate offices?
  • Is there a security control in place to have it; be sure it can handle the load, and testing to ensure it works?  I imagine yes to all 3, as these are ABC of operations

However ….

  • What is the version of the HVAC PLC / SCADA element that is being utilized by the vendor and monitoring teams that is accessible remotely?
  • When audits occur, do they check to be sure the device isn’t the Siemens or other manufacturer that was just highlighted at Defcon or on the news?

If this is the new frontier, we need to start structuring organizations in a manner that are designed to care for these considerations to allow for business to be agile and competitive.

Thoughts (a bit of latitude on the above terminology is requested, given I am simplifying the example to avoid to much technical specification and confusion)?

James