Tag Archives: information security

Errata: Megacity Fighting, EU Citizenship, Georgia v. DHS, South Korea,

Military Contingencies in Megacities and Sub-Megacities – “After elucidating the nature of urbanization and developing a typology in terms of smart, fragile, and feral cities, we give consideration to the kinds of contingencies that the U.S. military, especially the Army, needs to think about and prepare for. Understanding the city as a complex system or organism is critical and provides the basis for changes in intelligence, recruitment, training, equipment, operations, and tactics.” – I’m reading this later today.

EU negotiators will offer Brits an individual opt-in to remain EU citizens, chief negotiator confirms – As @ManMadeMoon said, “Step 1 to a new, non-geographical nationhood! This is getting really interesting.”

Georgia Secretary of State aggressively confronting DHS over a “penetration of [Georgia’s] firewall.”

Finally seeing a bill to impeach the South Korean president (this whole saga is fascinating to me).

From the International Spectator, the world’s most frequent flight paths.

NASA finally has its own Giphy page.

Via Karen James: “Hey neuroscientists & neuroscience-inspired artists, check out this pattern around a rock in a pond in @AcadiaNPS as it begins to freeze.”

And finally, via ars technica: Millions exposed to malvertising that hid attack code in banner pixels – “The malicious script is concealed in the alpha channel that defines the transparency of pixels, making it extremely difficult for even sharp-eyed ad networks to detect. After verifying that the targeted browser isn’t running in a virtual machine or connected to other types of security software often used to detect attacks, the script redirects the browser to a site that hosts three exploits for now-patched Adobe Flash vulnerabilities.”

Errata: iPhone hack bounty, Unclaimed Dead, Fire Ant Swarms, Nanoparticles, Cancer-killing Viruses, more

Million-dollar bounty paid out for iPhone hack.

Fascinating article from the Journal of Forensic Sciences: “Who are the Unclaimed Dead?”

Fascinating Motherboard article on the liquid properties of fire ant swarms.

Emergent Futures relaying studies on the neurological aspects of mystical and mysterious experiences.

The runaway billion-dollar JLENS blimp was finally downed thanks to hundreds of shotgun blasts from Pennsylvania police.

Engadget: HTC has begun refusing to offer guidance on its corporate future. Also, Seattle cop who developed transparency-oriented software has left the force, apparently due to departmental politics.

Also Engadget: how medicine-covered nanoparticles could help stroke victims.

Ars Technica on cancer-killing viruses.

Errata from today

Great few days of random stuff on the internet. A gourmet sampling for you:

Great Salon piece by Mary Elizabeth Williams on the new Star Wars film showing an aged Carrie Fisher as an aged Princess Leia, and how much of a departure that is for Hollywood.

The most breathtaking moment in the new trailer for “Star Wars: The Force Awakens” doesn’t involve explosions or lightsabers or ominous references to the Dark Side. It’s an eyeblink-long shot of Princess Leia herself, Carrie Fisher, in the embrace of Harrison Ford’s Han Solo. It’s a moment of a weary-looking woman with graying hair and lines on her face. Holy science fiction, Hollywood — somewhere, in a galaxy far, far away, a grown woman has been given permission to look like a grown woman. I want to go to that planet!

Lots more quotable passages in that piece, but go read it yourself.

That porn playing over the PA systems in Target? Was a result of both a technological and personnel weakness where pranksters called stores and requested a specific extension that gave them complete control over the PA remotely.

Insecure wifi-enabled tea kettles allow researchers to crack the password of the networks they’re connected to.

A hummus joint in Israel is offering a 50% discount to tables with Arabs and Jews sitting together.

Incredible TEDtalk by Martin Pistorius on his experience with locked-in syndrome. His early experiences are as close to hell as I can imagine. Tremendous respect for the person he is.

And via Jamie Ford’s facebook, “Ursula K. Le Guin’s reaction, when asked to blurb a short story collection with no female authors.”

A Chrysler Rolling Botnet In Three Steps

Chrysler’s mailing out USB sticks to customers who want to fix a vulnerability in their car by themselves. It took about four seconds for me to realize how bad this idea is.

1. Scrape DMV info for owners of relevant Chrysler models – you can use public RMV portals and just automate the attack. Or if you want something a little less obvious you can fall further down the rabbit hole and hack a police department – most local PDs have terrible information security, and there exist a few specific, mandatory weaknesses that’d be easy to exploit by something as simple as dropping a malware-laden USB drive in the parking lot. Trust me, they’ll plug it in. From there you just use their dedicated connection to CJIS.

2. Find a Print-On-Demand merchandise company and order hundreds of official-looking Chrysler USB drives. Easy to portray yourself as a local Chrysler dealership to allay suspicions of the POD firm – pop-up domain, letterhead, IP voicemails, etc.

3. Drop malware onto your official-looking Chrysler USBs, mock up some letterhead and mail them out to the car owners.

Suddenly you’ve got a rolling botnet – dozens, hundreds, even thousands of cars that are not only vulnerable to attack but, because most cars are internet-connected and IP-enabled, able to take part in other attacks, such as a distributed denial of service attack.

The biggest question is whether Chrysler cryptographically signs the update and phones home to verify it before opening and installing – and my guess is no. In the unlikely event I’m wrong, pivot this attack from the cars to the computers of vehicle owners and you’ve got a convincing way into the computers of thousands of Chrysler customers.
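As an added defensive illustration, not code from the original post or from Chrysler, this is the kind of check an in-vehicle installer would need to run before opening anything on a mailed USB stick: verify an Ed25519 signature over a small manifest using a vendor public key baked into the unit, bind the image bytes to that manifest through a hash, and refuse rollback to an older version. The manifest layout, function names and key pair are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// UpdateManifest travels on the stick next to the image: the version being
// installed and the SHA-256 of the image bytes. Only the manifest is signed;
// the image is bound to it through the hash. (Constructed layout.)
type UpdateManifest struct {
	Version   uint32
	ImageHash [32]byte
}

// Bytes is the canonical encoding that gets signed: big-endian version || hash.
func (m UpdateManifest) Bytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignManifest is the vendor-side step, done offline with the private key.
func SignManifest(vendorPriv ed25519.PrivateKey, m UpdateManifest) []byte {
	return ed25519.Sign(vendorPriv, m.Bytes())
}

// VerifyUpdate is what the vehicle runs before opening or installing anything:
// signature valid under the pinned vendor key, image matches the signed hash,
// and version strictly newer than what is installed (blocks rollback to an
// older, exploitable image). Any failure means the stick is ignored.
func VerifyUpdate(vendorPub ed25519.PublicKey, m UpdateManifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(vendorPub, m.Bytes(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image hash does not match signed manifest: refusing update")
	}
	if m.Version <= installed {
		return errors.New("version not newer than installed: refusing rollback")
	}
	return nil
}
```

A genuine stick passes all three checks; a stick carrying a modified image, a manifest signed by a different key, or an older version is rejected before any file on it is opened.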

Security & Tech Briefs: Chrome, Trump, Smartwatches, Mac Exploit

Detectify Labs shared a clever way to deactivate security (or any other) Chrome plugins with a simple ping.

Donald Trump’s website was hacked, likely due to a CMS that hadn’t been patched in five years.

The insurance industry is concerned about smartwatches, the Internet of Things, big data and information security.

Ars Technica on a major 0day Mac exploit that’s already being seen in the wild.

Security and Technology Briefs: Nucleus Explosion, Threat Intelligence, Security Feeds, More

It’s always interesting to me to watch the reaction when dark net drug markets fold and likely abscond with the bitcoin of everyone involved. Looks like Nucleus either exit-scammed or got hacked.

A good introduction to threat intelligence by Farsight Security. Also a good intro to reputation systems.

SwiftOnSecurity is one of the most delightful and knowledgeable accounts on Twitter, and they’ve recently shared their OPML of security feeds. Go through and add relevant ones to your RSS reader.

New York Magazine was hit with a DDoS attack and taken offline after publishing a story involving 3/4 of the Cosby accusers.

Not new, but amusing: erroring trashcan.

And, apropos of nothing, a federal officer was injured in an explosion when the meth lab he was apparently building in an empty National Institute of Standards and Technology facility blew up (via Reddit).

Security & Tech Briefs: Routers, Dockets, Pita Pockets and more

Brian Krebs on hacked routers turning up in the delivery of malware, as well as a roundup of recent cases involving cybercriminals.

Delightfully pun-filled piece on a new, smaller and non-contact way to use radio emissions from a CPU to capture and derive cryptographic keys. Amused at the “can fit in a pita bread” metric.

Motherboard on a researcher working to identify malicious exit nodes in the Tor network by determining which ones are harvesting and using juicy-looking login credentials.

Hacker News on an unknown vulnerability being used to steal credit card information from sites using the e-commerce solution Magento.

Expert Rob Graham on why the new “Government Cyber Underwriter Lab” is a bad idea. I pretty thoroughly disagree, but that’s no reason not to ponder some of the truths Graham laid out.

Great news, everyone: the ridiculously expensive, over-budget, behind-schedule, plagued-with-problems F35 just got bested in a dogfight with an F16 designed over 40 years ago.

Security and Technology Briefs: Flash, Machine Learning, Navy Sticks With XP, More

Busy morning of writing and reading.

Brian Krebs on an emergency software patch for Adobe Flash – this is a must read.

Neat, short video from SethBling explaining how he taught an AI, or rather it taught itself, how to play a video game. (YouTube)

IT World: The US Navy’s warfare systems command just paid millions to stay on Windows XP. Sigh. I feel like when AI turns sentient the thing it will judge us for first is staying on Win XP and Server 2k3.

EFF’s “Who Has Your Back” chart on how companies protect your data (or don’t).

A RubyGems exploit looks like it leaves a million-plus Ruby installs vulnerable.

NextGov reports that the OPM hack showed up at the National Archives.

*GREAT* Washington Post article on L0pht and the warnings they issued about the internet quite a while ago.

Good Reddit thread on a user’s concern about Bitcoin (I’ve got a piece in production about bitcoin at the moment but needed to sit on it a few days thanks to events that happened yesterday).

TNW reporting that music app Tidal just fired their second CEO in two months. Not looking good for them.

Security and Technology Briefs: Spamtraps, OPM, Apple Password Flaw, more

Farsight Security’s Senior Program Manager Kelly Molloy has provided a so-far three-part series on creating “spamtrap” email addresses that has proved fascinating: Part 1: Demystifying Spamtraps, Part 2: Keeping It Confidential, Part 3: Creating and Seeding.

Ars Technica provided a great, damning article on the sad state of affairs at the Office of Personnel Management that led to it being hacked. Twenty-year-old COBOL-coded apps running on Oracle frameworks, and IT outsourcing to a systems administrator in China who was given root access. Unreal.

9-to-5 Mac among others published about a major security flaw in iOS and OS X which Apple sat on for six months that exposed two different password applications (Apple’s Keychain and 1Password) to exploits. Here’s Brian Krebs on the iOS/OS X vulnerability as well as one affecting Samsung devices.

Lots of talk on an FBI investigation into the St. Louis Cardinals “hacking” the Houston Astros; it appears they just used a password list from a previous employee at this point, leading Motherboard to criticize the terminology employed by the NYT and others.

The Sunday Times put out an article this weekend suggesting that Russia had decrypted all of the Snowden documents and Britain subsequently had to burn quite a bit of its foreign intelligence structure. The story seemed pretty weak at the outset and was made all the weaker by this interview with the author on CNN who seems to literally know nothing about his own story.

The Hill reports that the head of the US Marshals is resigning rather than dealing with increased scrutiny about their surveillance techniques, which is a bit of a tell.

Norse had several posts of note this week: the US Navy’s bold announcement (now retracted) seeking zero-day exploit contractors, an uptick in Cryptowall infections, and some numbers showing a 1400% return on investment in malware.

Panel from last year with writer Warren Ellis, technologist Ben Hammersley and journalist and political analyst Edie Lush talking about whether IT has changed how we think at the Institute of Art and Ideas. (YouTube)

Sanguine IT: Donating Blood and Information Security Incentives

Busy thinking about this rather fantastic bit of ingenuity from Sweden:

People who donate initially receive a ‘thank you’ text when they give blood, but they get another message when their blood makes it into somebody else’s veins.

Swedish blood donors receive a text message when their blood is actually used. That’s a masterful way to leverage a handful of different cognitive mechanisms to incentivize donation. We’re primed for donation anyway, I would hope; doing a bit of civic good for people in dire circumstances. But the donation is so removed from the utility that it’s hard to achieve buy-in. That is, it’s hard to get people to own and engage with the process, to feel invested in the institution and manifestation, rather than just doing it for the principle.

But a text message when the blood gets used is a tiny and wonderful behavioral nudge, crafted by recognizing you not just for doing good but by notifying you of the tangible good when it came to fruition. Receiving recognition close in time to the actual good you did reinforces it in memory – it’s the same principle that tells us that punishing kids needs to be done around the time of the transgression, rather than at some arbitrary moment (except in this case we’re obviously talking positive reinforcement instead). The synchronous nature of the notification with the dopaminergic reward feelings in your brain cements the positive nature of giving blood and, I would guess, easily and drastically raises returning donor rates. And it encourages buy-in not just to blood donation but to a system that recognizes you like that. It provides a certain amount of commitment to and faith in an organization and its digital systems.

Of course the blood donation is cognitively reinforced in another way: the system also feeds into the slot machine-esque dopaminergic nudge that we’re thoroughly primed for already, the text message notification. That goes off and our brains light up.

The entire experience incentivizes people to donate blood on a number of levels: neurochemically, cognitively and institutionally.

The federal government proclaims security principles often and loudly (though not always, as their emphasis on weakening encryption systems shows). But the feds don’t incentivize stakeholders in the bureaucratic or IT systems and without that buy-in you get things like the OPM hack. Looking at the structure and operations of government agencies and IT issues you find a series of disincentives that leave principal parties avoiding any kind of buy-in.

-Government IT security is offered irregular, initiative-based funding for anything more than the obscenely bare minimum. So it’s not funded as a necessary principle, and the irregularity of it means stakeholders will wait for the next initiative rather than use their own precious funds.

-Plausible deniability means stakeholders are disincentivized from hiring highly competent, motivated security personnel, so they’re not confronted by the scope of security problems and forced to fix them with their own departmental budget.

-Seeming lack of consequences for government compromises versus, say, private sector (in which not just IT heads but often CEOs are washed out with the post-breach bathwater).

-Buy-in is about as far from likely as possible with stakeholders on multiple levels. Disenfranchisement runs rampant and especially in IT situations the constant slapping on of band-aid solutions rather than systemic reform and rehabilitation means that it’s no longer about safeguarding the institution you’re part of but just holding a job.

The question becomes – how do you incentivize system administrators and higher-level stakeholders to do their fucking jobs? The answer could be that you turn it into an incentivized civic duty. Which is damn hard with the burnouts and the disenfranchised, and it’s damn hard in an environment that caters to the lowest bidder and motivating contractors to do the most mediocre job possible.

The whole situation is further complicated by the government’s hardening stance on security research. Financing bug bounties and encouraging independent security researchers is crucial. The more eyes on the system that know they’ll be appreciated and compensated for finding and disclosing holes, the more secure the system. It’s not hard to imagine a genuinely productive partnership between the public sector and private security experts, but that’s impossible in the current climate. Mostly thanks to the government.

Achieving institutional buy-in for government technologist positions will be damn hard to accomplish as well as hideously expensive. But compared to the prospect of our entire federal background investigation and SF-86 application system getting lifted, it’s peanuts.