2019/04/03: Security researchers in Israel dupe real doctors into misdiagnosing patients by hacking hospital X-ray-scanning machines and altering the images they produced.
Hackers trying to steal your data is one thing, but what if they tried to trick your doctors into thinking you had cancer? Or fooled them into ignoring it?
It's a ruse that's not as far-fetched as you might think. Security researchers in Israel recently duped real doctors into misdiagnosing patients by hacking a hospital X-ray scanning machine and altering the images it produced.
"In particular, we show how easily an attacker can access a hospital's network, and then inject or remove lung cancers from a patient's CT scan,"
2019/01/29: Stingrays (AKA IMSI catchers) are a widespread class of surveillance devices that target cellular phones by impersonating cellular towers to them (they're also called "cell-site simulators").
IMSI catchers are so easy to build and operate that they have leapt from police agencies to criminals, and foreign and corporate spies, exposing us all to potential surveillance from all quarters.
That's why it was so important that the new 5G mobile protocol be designed to foil IMSI catchers, and why the 3rd Generation Partnership Project, or 3GPP (the body standardizing 5G) updated the Authentication and Key Agreement (AKA) to resist IMSI catching techniques.
But new research from ETH Zurich and Technische Universität Berlin has revealed a critical flaw in AKA, a defect that not only allows attackers to track the number of calls and texts being sent while a user is connected to the fake tower, but also to learn a count of calls and texts from before the device was compromised. More importantly, the attack allows for fine-grained location tracking.
In addition we're concerned with WhatsApp's web app. WhatsApp provides an HTTPS-secured web interface for users to send and receive messages. However, as with all websites, the resources needed to load the application are delivered each and every time you visit that site. So, even if there is support for crypto in the browser, the web application can easily be modified to serve a malicious version of the application upon any given pageload, which is capable of delivering all your messages to a third party.
2017/02/06: all this encryption breaks Deep Packet Inspection. All the IDS's, IPS's and NGFW's that we bought are becoming obsolete. They can't inspect the encrypted packets. Of course they try to hold onto this technology by introducing technologies like SSL inspection (aka SSLbump). This technology basically breaks the trust model of Internet encryption by acting as a man-in-the-middle. The place where you work spoofs itself as the encrypted site you are going to. Because they control your computer, you don't even know it is happening. Then they decrypt your Internet traffic to use DPI on it and then re-encrypt it back to the Internet.
Instead of holding onto deep packet inspection, I think we need to transition to new methodologies for detecting bad things on the network. Telemetry data is one of these ways, through passive monitoring of netflows or DNS queries. By looking at traffic on your network and determining what looks anomalous, you may be able to determine where the nefarious activity is happening. By looking at your DNS queries and investigating passive DNS with BIND RPZ, or by using OpenDNS, you can cut down on a huge number of bad sites on the Internet and interrupt phishing campaigns and malware.
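As an added example of the anomaly-based approach this entry argues for (it is not code from the original post), the script below scans BIND-style query-log lines and reports registrable domains with an unusually large number of distinct subdomains, a pattern that both DNS tunnelling and domain-generation malware produce and that passive DNS monitoring surfaces without decrypting anything. The log lines, hostnames, the `query.log` path and the threshold of 5 are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example: flag domains with a high fan-out of distinct subdomains in a
# BIND-style query log. Everything below is constructed for the example; the
# hostnames are not real indicators.

# sample_queries: constructed log lines in BIND "query:" format.
sample_queries() {
cat <<'EOF'
06-Feb-2017 09:00:01.001 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)
06-Feb-2017 09:00:01.120 client 10.0.0.5#53212: query: mail.example.com IN MX + (10.0.0.1)
06-Feb-2017 09:00:02.004 client 10.0.0.7#41001: query: 3f9a1c.cdn.example.org IN A + (10.0.0.1)
06-Feb-2017 09:00:02.310 client 10.0.0.9#40111: query: a1b2c3d4e5f6.t.bad-example.net IN TXT + (10.0.0.1)
06-Feb-2017 09:00:02.315 client 10.0.0.9#40112: query: b2c3d4e5f6a1.t.bad-example.net IN TXT + (10.0.0.1)
06-Feb-2017 09:00:02.320 client 10.0.0.9#40113: query: c3d4e5f6a1b2.t.bad-example.net IN TXT + (10.0.0.1)
06-Feb-2017 09:00:02.325 client 10.0.0.9#40114: query: d4e5f6a1b2c3.t.bad-example.net IN TXT + (10.0.0.1)
06-Feb-2017 09:00:02.330 client 10.0.0.9#40115: query: e5f6a1b2c3d4.t.bad-example.net IN TXT + (10.0.0.1)
06-Feb-2017 09:00:03.000 client 10.0.0.5#53213: query: www.example.com IN A + (10.0.0.1)
EOF
}

# query_names: print the queried name from every "query:" log line (stdin -> stdout).
query_names() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "query:") print $(i + 1) }'
}

# subdomain_fanout: for each registrable domain (taken here as the last two
# labels), print "<domain> <number of distinct subdomain names seen>".
subdomain_fanout() {
    awk -F. '
        NF >= 3 {
            dom = $(NF-1) "." $NF
            if (!seen[dom, $0]++) count[dom]++   # count each distinct name once
        }
        END { for (d in count) print d, count[d] }
    ' | sort
}

# flag_fanout THRESHOLD: domains whose distinct-subdomain count reaches THRESHOLD.
flag_fanout() {
    subdomain_fanout | awk -v t="$1" '$2 >= t { print $1 }'
}

# suspicious_domains THRESHOLD: the whole pipeline over a query log on stdin.
suspicious_domains() {
    query_names | flag_fanout "$1"
}

# Stand-alone use: ./dns_fanout.sh /var/log/named/query.log (placeholder path).
# With no argument the constructed sample above is analysed instead.
if [ $# -gt 0 ]; then
    suspicious_domains 5 < "$1"
else
    sample_queries | suspicious_domains 5
fi
```

The threshold is deliberately a parameter: on a real resolver, legitimate CDNs and cloud services also show high fan-out, so the useful workflow is to baseline counts per domain over a normal week and alert on new domains that jump above that baseline, then feed confirmed bad domains into an RPZ zone.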
2018/11/27: attacks arrive in spear-phishing emails and in some cases postal packages that contain design documents and plans. Included in the same directory are camouflaged files formatted in AutoLISP, an AutoCAD-specific dialect of the LISP programming language. When targets open the design document, they may inadvertently cause the AutoLISP file to be executed. While modern versions of AutoCAD by default display a warning that a potentially unsafe script will run, the warnings can be disregarded or suppressed altogether. To make the files less conspicuous, the attackers have set their properties to be hidden in Windows and their contents to be encrypted.
The attacks aren't new. Similar ones occurred as long ago as 2005, before AutoCAD provided the same set of robust defenses against targeted malware it does now.
The value of these documents–especially in new and prospering industries such as renewable energy–has probably never been this high. All this makes it attractive for the more skilled cybercriminal groups to chip in: instead of spamming out millions of emails and waiting for people to fall for it, significantly more money can be realized by selling blueprints to the highest bidder.
2018/11/26: Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”.
And this is what we get for browsers forcing websites to adopt HTTPS or else they try to scare people with warnings about pages not being secure. I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.
2017/11/21: Do your friends and family rope you into providing tech support when you're home for #thanksgiving etc? Use this opportunity to be a digital security hero and rescue your family
2018/10/04: technologists and U.S. trade hawks have a common but perhaps impossible mission: reverse decades of globalization in computing to try to prevent damaging attacks. Computer Networks Are Now Permanently Hackable. The web of parts makers, assemblers, testers and contractors is almost impossible to untangle.
The supply chain attack could have siphoned corporate secrets and government information while leaving few fingerprints. It’s the most insidious kind of digital spying imaginable, and some of the savviest tech minds in the world haven’t yet found a reliable way to sniff out the hardware-infiltration attacks, according to the Bloomberg Businessweek reporting. And worse, I’m not sure what, if anything, could be done to prevent this kind of snooping.
Perhaps the only surefire prevention is for Google, Apple, the U.S. government and others to build every circuit and computer chip by hand and make sure the parts and equipment never leave the sight of people they trust. This seems impossible. It would cost a fortune, of course, and it may not be practically possible at all. Over the decades, companies in China, Taiwan, the U.S., Vietnam and elsewhere in the world have developed specialization at discrete steps in manufacturing or assembly for computing equipment. It would take years and support from the U.S. government to replicate that specialization entirely in the U.S. or other countries that American companies and the government trust.
1998/04/10: Good cryptography is an excellent and necessary tool for almost anyone. Many good cryptographic products are available commercially, as shareware, or free. However, there are also extremely bad cryptographic products which not only fail to provide security, but also contribute to the many misconceptions and misunderstandings surrounding cryptography and security.
One key lesson from the recent T-Mobile and several other breaches: our phone numbers, that serve as a means to identity and verify ourselves, are increasingly getting targeted, and the companies are neither showing an appetite to work on an alternative identity management system, nor are they introducing more safeguards to how phone numbers are handled and exchanged. From a report:
Identity management experts have warned for years about over-reliance on phone numbers. But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise. As cell phones proliferated, and phone numbers became more reliably attached to individuals long term, it was an obvious choice to start collecting those numbers even more consistently as a type of ID. But over time, SMS messages, biometric scanners, encrypted apps, and other special functions of smartphones have evolved into forms of authentication as well.
"The bottom line is society needs identifiers," says Jeremy Grant, coordinator of the Better Identity Coalition, an industry collaboration that includes Visa, Bank of America, Aetna, and Symantec. "We just have to make sure that knowledge of an identifier can't be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it's public." Think of your usernames and passwords. The former are generally public knowledge; it's how people know who you are. But you keep the latter guarded, because it's how you prove who you are.
The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number. When you add two-factor authentication to an account and receive your codes through SMS texts, they go to the attacker instead, along with any calls and texts intended for the victim. Sometimes attackers even use inside sources at carriers who will transfer numbers for them.
A long time ago, I set up a WordPress blog for a family member. There are lots of options these days, but back then there were few decent choices if you needed a web-based CMS with a WYSIWYG editor. An unfortunate side effect of things working well is that the blog has generated a lot of content over time. That means I was also regularly updating WordPress to protect against the exploits that are constantly popping up.
So I decided to convince the family member that switching to Hugo would be relatively easy, and the blog could then be hosted on GitLab. But trying to extract all that content and convert it to Markdown turned into a huge hassle. There were automated scripts that got me 95% there, but nothing worked perfectly. Manually updating all the posts was not something I wanted to do, so eventually, I gave up trying to move the blog.
Recently, I started thinking about this again and realized there was a solution I hadn't considered: I could continue maintaining the WordPress server but set it up to publish a static mirror and serve that with GitLab Pages (or GitHub Pages if you like). This would allow me to automate Let's Encrypt certificate renewals as well as eliminate the security concerns associated with hosting a WordPress site. This would, however, mean comments would stop working, but that feels like a minor loss in this case because the blog did not garner many comments.
Here's the solution I came up with, which so far seems to be working well:
1. Host the WordPress site at a URL that is not linked to or from anywhere else, to reduce the odds of it being exploited. In this example, we'll use http://private.localconspiracy.com (even though this site is actually built with Pelican).
2. Set up hosting on GitLab Pages for the public URL https://www.localconspiracy.com.
3. Add a cron job that determines when the last-built date differs between the two URLs; if the build dates differ, mirror the WordPress version.
4. After mirroring with wget, update all links from the "private" version to the "public" version.
5. Do a git push to publish the new content.
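The five steps above as one cron job, written here as an added example rather than the post's own script. The two hostnames are the ones the post uses; treating the HTTP Last-Modified header as the "last-built date", the directory names MIRROR_DIR and STATE_FILE, the wget flags and the set of file types rewritten are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the original post's script): mirror a private WordPress
# site into a GitLab/GitHub Pages checkout only when its build date changed,
# rewrite private links to the public host, and push the result.
set -u

PRIVATE_URL="http://private.localconspiracy.com"   # from the post
PUBLIC_URL="https://www.localconspiracy.com"       # from the post
MIRROR_DIR="${MIRROR_DIR:-public}"       # assumed: checkout of the Pages repo
STATE_FILE="${STATE_FILE:-.last-built}"  # assumed: build date mirrored last time

# last_built URL: print the Last-Modified header of URL (empty if absent).
# Assumption: the private site exposes its build date this way.
last_built() {
    curl -sI "$1" | tr -d '\r' |
    awk 'tolower($1) == "last-modified:" { sub(/^[^:]*: */, ""); print }'
}

# needs_mirror PREVIOUS CURRENT: succeed when CURRENT is known and differs
# from the date recorded by the previous run.
needs_mirror() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# rewrite_links: stdin -> stdout with every private link pointed at the public host.
rewrite_links() {
    sed "s#${PRIVATE_URL}#${PUBLIC_URL}#g"
}

# rewrite_tree DIR: apply rewrite_links in place to HTML, CSS and XML files under DIR.
rewrite_tree() {
    find "$1" -type f \( -name '*.html' -o -name '*.css' -o -name '*.xml' \) |
    while IFS= read -r f; do
        rewrite_links < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# mirror_once: the whole cron job body.
mirror_once() {
    previous=$(cat "$STATE_FILE" 2>/dev/null || true)
    current=$(last_built "$PRIVATE_URL/")
    if ! needs_mirror "$previous" "$current"; then
        return 0    # nothing changed since the last mirror
    fi
    # --mirror recurses with timestamping, -k converts links to relative ones,
    # -p fetches page requisites, -nH drops the hostname directory.
    wget --quiet --mirror -k -p -nH -P "$MIRROR_DIR" "$PRIVATE_URL/"
    rewrite_tree "$MIRROR_DIR"
    printf '%s\n' "$current" > "$STATE_FILE"
    git -C "$MIRROR_DIR" add -A
    git -C "$MIRROR_DIR" commit -q -m "Mirror WordPress build from $current" &&
    git -C "$MIRROR_DIR" push -q
}

# Run the job only when invoked with --run (as from cron), so sourcing the
# file for its helper functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    mirror_once
fi
```

A crontab line such as `*/15 * * * * /path/to/mirror.sh --run` (path assumed) drives it. Keeping the private hostname out of every published page matters for the security goal of the post: once the mirror is live, the only references to the WordPress instance should be in this script, not in the HTML anyone can read.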
Worried by US spying revelations, India has begun drawing up a new email policy to help secure government communications.
Saudi Aramco Oil Producer's 30,000 workstations victim of Cyber Attack (The Hacker News).
2010/02/01: Websense Security Labs has published its bi-annual State of Internet Security report for Q3/Q4 2009. Key findings:
13.7% of searches for trending news/buzz words (as defined by Yahoo Buzz & Google Trends) led to malware.
71% of Web sites with malicious code are legitimate sites that have been compromised.
95% of user-generated posts on Web sites are spam or malicious.
China remains the second most popular malware hosting country.
81% of emails during the second half of the year contained a malicious link.
Websense Security Labs identified that 85.8% of all emails were spam.
35% of malicious Web-based attacks included data-stealing code.
58% of all data-stealing attacks are conducted over the Web.
The biggest question that the Asia Times news story raises about the compromised enrollment software is: why can't UIDAI fix it? This post answers this question and the implication of this
Networked devices for your smart home are the modern way to manage your life, but the rush to sell shoddy smart products risks compromising security
Aadhaar enrollment was completely outsourced to private parties with the sole aim of building the world's largest biometric database.