Security Sausage Spectacular
Scooped by Aaron Gilliland

Dear Electronic Eye Stuck To My Head: Don't Spy On Me, K?

His team's video recognition software can spot passcodes even when the screen is unreadable, based on its understanding of an iPad's geometry and the position of the user's fingers. It maps its image of the angled iPad onto a "reference" image of the device, then looks for the abrupt down and up movements of the dark crescents that represent the fingers' shadows.

Aaron Gilliland's insight:

Not really a shocker: a video camera strapped to your head can watch you (and anyone nearby) entering passwords. The camera doesn't even need to record the actual characters on the screen; the characters and sequence can be inferred from bumps, slides, speed of movement, etc. Google Glass isn't unique in making this attack possible, but it does have an excellent vantage point. 

Two-factor authentication provides some protection against this, especially for the people who aren't wearing the Glass.


Beaming Bureau Boasts Bountiful Bitcoin Booty

When the FBI arrested Silk Road boss Ross William Ulbricht and took his site down, they seized the site's assets, which were mainly the currency of choice on the anonymous online drug bazaar: Bitcoins.
Aaron Gilliland's insight:

So far, they've only managed to seize 26,000 BTC ($142 USD each, at Mt.Gox right now) from the Silk Road accounts. This is peanuts compared to the owner's private accounts - an estimated $80 million USD - which the FBI has been unable to grab due to encryption on the owner's wallet. 

What's really lolworthy in this story: because Bitcoin transactions are publicly viewable, you can see where the seized funds went and (by transferring fractions of a penny to that same account) send the FBI's bagman all sorts of messages... which is exactly what people have been doing.

Good luck on decrypting the wallet, fellas. Remember: it's all about the Benjamins.


UK's 'Decency Firewall' Over-reach Proceeding At Full Steam

In the UK, where ISPs are now being forced to impose Internet filters to block everything from BitTorrent websites to porn, some carriers are going the extra mile and taking this mandate to mean they should block VPNs as well.  

After ISPs signed a voluntary code of conduct requiring they block all porn by default (unless you're in Parliament, where viewing porn is apparently all the rage during free time), some UK ISPs have started blocking tools allowing users to bypass those filters...

Aaron Gilliland's insight:

Hilarious. Let's avoid discussing the many flaws of this filter campaign - the false premises on which it was based, the jaw-droppingly bad implementations, the easily foreseeable yet somehow unforeseen consequences, the inept management - and focus on one particular fruit of this idiocy tree: the war on VPNs. 

As reported in the linked article, some mobile Internet providers are blocking access to 3rd-party VPN services. For a fee, these services will make a tunnel between your device and an exit point somewhere else in the World. The upshot of this is that the tunnel can shield you from the prying eyes (and filtering, and traffic shaping) of your ISP, and can even make you appear to be in a different country. Because of this ability to bypass the UK's voluntary-mandatory filters, the services are being tarred verboten - all of the many legal, moral, and ethical uses be damned. This is a lovely idea that works well in many other situations, like classifying something as a weapon if it can be used as a weapon... Which is why cars, pencils, fingernails, and bits of string have been outlawed.

Much like the decency filter itself, this VPN-war will be of little consequence to anyone and will fail to achieve its stated objective. The blocks can be easily evaded and it is doubtful that the administration and the ISPs themselves have the stomach for the endless game of Whack-A-Mole ahead of them.


Bitcoin Birth Boxes' Biases Betray Benefactor's Bailiwick

Some time ago, I received an e-mail from my friend Timo Hanke. If you don’t know Timo, then you should, because he is, apart from a respected mathematician and Bitcoin enthusiast, an excellent person. The e-mail suggested that I looked into the nonce field to see if I could find out the endianness of Satoshi’s original mining machine.
Aaron Gilliland's insight:

Interesting shtuffs. The article isn't security-focused, per se, but it demonstrates how meaningful de-anonymizing data can be extracted from the strangest of places. In this case, various people have found clues about Satoshi, the creator of Bitcoin. Each block of Bitcoins contains a nonce - a special (but not unique) value which, when plugged into the block and run through a hashing algorithm, produces a hash with consecutive zeros. The nonce is hard to produce but very easy to check. The usual method of producing a nonce is to make a random guess and check to see if it works; this is what bitcoin miners do.

This is where things get interesting. If Satoshi's block hashes were made from random guesses, then the distribution of least-significant bytes of all nonces should be random - the distribution in the image should be flat. But it isn't. The image shows that there is a strong bias at work. Satoshi may have used a mining algorithm that didn't make random guesses, OR the non-randomness of the guesses may be an artifact of the hardware he was using... Some educated guesses peg Satoshi's mining hardware anywhere from 6-58 machines, or even some bespoke ASIC rigs. This by no means unmasks the creator, but the list of candidates can be winnowed down by asking, for example, "Could this person have wrangled access to 58 similar machines simultaneously?"

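As an added worked example (not from the scooped article and not Aaron Gilliland's code), the script below does the two things the insight describes: it checks a toy proof-of-work nonce with a Bitcoin-style double SHA-256, showing that a nonce is cheap to verify however long it took to find, and it runs the least-significant-byte test on two constructed nonce sets, one left behind by a miner that guesses uniformly at random and one from a hypothetical miner whose worker threads pin the low byte. The header bytes, the seeds and the "fixed low byte" miner are constructed for the illustration; the chi-square cutoff is the approximate 99th percentile for 255 degrees of freedom, not a figure from the article.

```python
import hashlib
import random
from collections import Counter

# Constructed 76-byte stand-in for a block header (version, prev hash, merkle root,
# time, bits). Not a real Bitcoin header, just bytes to hash together with a nonce.
HEADER = b"constructed-header".ljust(76, b"\x00")


def block_hash(header: bytes, nonce: int) -> bytes:
    """Bitcoin-style double SHA-256 over header bytes plus the 32-bit little-endian nonce."""
    first = hashlib.sha256(header + nonce.to_bytes(4, "little")).digest()
    return hashlib.sha256(first).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (a coarse stand-in for Bitcoin's target)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def meets_target(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a candidate nonce costs exactly one hash, however long the search took."""
    return leading_zero_bits(block_hash(header, nonce)) >= difficulty_bits


def mine_random(header: bytes, difficulty_bits: int, rng: random.Random) -> int:
    """Random-guess miner: draw uniform 32-bit nonces until one meets the target."""
    while True:
        nonce = rng.getrandbits(32)
        if meets_target(header, nonce, difficulty_bits):
            return nonce


def mine_and_verify(seed: int = 7, difficulty_bits: int = 12) -> bool:
    """Mine at a toy difficulty (about 2**12 expected hashes) and re-check the result."""
    nonce = mine_random(HEADER, difficulty_bits, random.Random(seed))
    return meets_target(HEADER, nonce, difficulty_bits)


def lsb_histogram(nonces) -> list:
    """Count how often each value 0..255 appears as a nonce's least-significant byte."""
    counts = Counter(n & 0xFF for n in nonces)
    return [counts.get(b, 0) for b in range(256)]


def chi_square_uniform(histogram) -> float:
    """Chi-square statistic of the histogram against a perfectly flat distribution."""
    total = sum(histogram)
    expected = total / len(histogram)
    return sum((obs - expected) ** 2 / expected for obs in histogram)


# Approximate 99th percentile of chi-square with 255 degrees of freedom (256 bins - 1).
CHI2_CRITICAL_255_DF_1PCT = 310.5


def is_biased(nonces) -> bool:
    """True when the low-byte distribution is too uneven to have come from random guessing."""
    return chi_square_uniform(lsb_histogram(nonces)) > CHI2_CRITICAL_255_DF_1PCT


def random_guess_nonces(count: int, seed: int = 1) -> list:
    """Constructed sample: what a miner that guesses uniformly at random leaves behind."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


def fixed_low_byte_nonces(count: int, seed: int = 1) -> list:
    """Constructed sample for a hypothetical miner whose 16 worker threads each own one
    low-byte value and only ever walk the upper three bytes of the nonce."""
    rng = random.Random(seed)
    return [(rng.getrandbits(24) << 8) | (i % 16) for i in range(count)]


if __name__ == "__main__":
    print("toy proof of work verifies:", mine_and_verify())
    for name, sample in (("random guesses", random_guess_nonces(4096)),
                         ("fixed low byte", fixed_low_byte_nonces(4096))):
        stat = chi_square_uniform(lsb_histogram(sample))
        print(f"{name}: chi-square={stat:.1f} biased={is_biased(sample)}")
```

The same histogram-and-chi-square check works on any byte of the nonce, which is how the endianness question in the excerpt gets asked: whichever byte position shows the structure is the one the miner's loop counter was sitting in.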

Clueless Currency-Craving Crooks Conduct Clumsy Code Caper

Three men have been charged with pilfering trade secrets from a Wall Street firm after two of them emailed themselves computer code belonging to their former employer from their company email accounts.

Glen Cressman and Jason Vuu, both former employees of Wall Street firm Flow Traders, were each charged with unlawful duplication of computer related material and unauthorized use of secret scientific material after making off with sensitive documents, the Wall Street Journal reports.

Aaron Gilliland's insight:

CRIMINAL MASTERMINDS! They cleverly avoided any briefcase searches or questions about strange USB drives... by using the company's own email servers to move the stolen code. Good job, lads. No company bothers to archive its email, right? No company IT department maintains access logs, right? I guess it was the merest chance of fate that they were caught.


"ZOMG EMP WILL EAT US ALL!" Say Newt Gingrich and Scooter Libby... Wait, what?

The lights went out in the House Judiciary subcommittee hearing room Tuesday and the crowd of congressional aides, journalists, and doomsday preppers watched as a video warned of a world without electricity. Naturally, it opened with a rotating globe that suddenly went dark. Then came the piano and synthesizer mood music, and a list of things that would cease to function (health care! finance! and, even worse, sewers!).

No, this was not an episode of some futuristic TV show. This was a prophecy, one that former House Speaker Newt Gingrich has been warning us all about for years. The fear: Could a nuclear explosion high above the United States send an electronic pulse on a Shermanesque march through our electronic grid, laying it all to waste?

Aaron Gilliland's insight:

Remember those guys? Mr. Contract With America and Mr. Outed A CIA Operative For Political Purposes And Then Committed Perjury? Ya. They're on a misguided quest for relevance (cf. Gingrich and his "handheld computer" video). 

These Titans of wisdom and good judgement are banging-on about the existential threat of alcoh- er Electromagnetic Pulse: no electricity for our toothbrushes and garage doors! Okay, the concerns are a bit more serious than hygiene and paint can protection, but the story they're slinging is just as ridiculous as an electric toothbrush alarmist.

True to its name, an Electromagnetic Pulse is a really big pulse of electromagnetic energy, generated by nuclear detonations and by some types of non-nuclear devices, capable of disabling electronics and electronic distribution networks to various degrees. It's actually composed of 3 different phases with very different effects, but everyone just calls it EMP. It isn't a new thing that Newty and Scooty discovered during the Case of the Ribald Radium Rustlers; war planners have been chewing on it since the 50s at the latest. The big worry is this: Joe Warmonger detonates a large thermonuclear device high above the USA, generating an EMP; first phase, E1, destroys most consumer, commercial, and industrial electronics in America instantly; yadda yadda yadda; E3 phase induces massive currents in electrical distribution networks and destroys transformers and other equipment, requiring massive repairs or replacement.

That scenario is real and entirely possible, but it's not the end of civilization like Newty and Scooty would suggest. Even if such a scenario occurred -- a big "if", since the number of actors capable of placing a large thermonuclear device at altitude is very very small and the payoff for them would be even smaller -- the pulse would have no direct effect on people, animals, crops, structures, many types of machinery and vehicles, etc. The E1 phase lasts nanoseconds, the E3 phase less than an hour; after that, there is no further direct effect. Allies and the very large amount of American military resources around the world would then safely deliver assistance in the rebuilding process and the ass-kicking-Mr.-Warmonger process...

Newty and Scooty aren't so good at the reality business. Maybe they should try politics.


Canuck Communication Captures Confirmed; Conservative Cleared COMINT Collection

This morning, the Globe and Mail reports that Canada indeed has its own secret surveillance program that similarly targets telephone records and Internet data.  The Globe report indicates that Defence Minister Peter MacKay granted approval to the program in November 2011.  The program is unsurprisingly operated by the Communications Security Establishment Canada (CSEC) and the records feature much of the same language found in the U.S., focusing on meta-data rather than content (see here and here for why meta-data may be more revealing) as well as focusing on foreign communications (but acknowledging that Canadians may be swept up in the process).
Aaron Gilliland's insight:

An update from Michael Geist about PRISM's Canadian cousin. We have confirmation that our friend Peter MacKay authorized this maple-syruppy surveillance program in late 2011 and that it is run by CSEC, formerly CSE, our version of the NSA. Oh look at you, Canada... all grown up. Today you're a big boy. No no, that's unfair; this is just the latest program to be unearthed. 

Rescooped by Aaron Gilliland from Surfing the Broadband Bit Stream

Tech Companies Prudish While Telcos Give It Away - What's THAT All About?

Verizon may not have been able to fight a secret Foreign Intelligence Surveillance Court order, revealed last night by the Guardian, to hand over subscribers’ call data to the National Security Administration. But over the past decade, the phone company—and its competitors—haven’t tried very hard to resist such government surveillance.


Via Chuck Sherwood, Senior Associate, TeleDimensions, Inc
Aaron Gilliland's insight:

New Republic's article offers an answer to the question "Why are phone companies willing to give up my info, but Google and Apple ask for a warrant?" The author, Lydia Depillis, suggests that it comes down to money, history, and attitude. The attitude argument ("social media pplz r libertarian coolgais, amirite") is weak. The money angle makes basic sense; phone companies make money by screwing people over with contracts and monopoly, whereas tech companies depend on loyal owners and users. Even the people who use Google for free become a product to be sold to other companies; if users don't trust you and stop looking at your ads, you don't get paid.

The most convincing argument of the three, and the one most easily verified, is that phone companies have been giving your data to the government for decades upon decades, enough time for a quiet arrangement to become an engrained way of life. Whether the arrangement is ethical or legal is less worrisome (to the stakeholders) than the logistics and implications of ending it. The younger companies are free to weigh the proposition ("give us some info, even though it might not be legal and we can't compel you to do it") on its true merit.

But I could be totally wrong and hallucinating after a strong dose of Tylenol. You be the judge.


Government Spies on Citizens and Everyone Else? Shockingly Old News!

The federal government has secretly taken information on foreigners overseas for years from companies like Google, Facebook and Apple in search of security threats, the director of national intelligence confirmed Thursday night.
Aaron Gilliland's insight:

When it comes to state-sanctioned surveillance activities, the general public (and mass media that should know better) has slightly worse long-term memory than an alcoholic goldfish from Roofieland. "The Feds are running a massive worldwide dragnet, tapping just about anything?" Yes, Virginia; you're the last to know about it. If you sent a telegram into or out of the USA any time after 1945, AFSA/NSA had a microfilm or electronic copy. If you made an international phone call or telex that was routed through satellite ground stations in the USA (circa late 1960s/early 70s and beyond), it would have been captured by a twin ground station operated by the NSA.

Those are just the -old- American programs; ECHELON is a whole other ball of wax. And we've only talked about domestic American programs. The British government's snooping predates even World War I. 

The interception acknowledged by the current administration is certainly an infringement upon privacy, but it needs to be viewed in the context of history. The public acknowledgment of an active program is really something unique, as is the relatively limited scope of metadata being collected (assuming DNI was being honest). Quite frankly, the data being collected via the telcos could be collected without telco involvement, even on a national scale, by domestic or foreign powers. I'm not advocating that anyone stand up and cheer their government's ethically suspect activities, but it shows a level of respect for one's citizenry that they will at least say "Ya, you got me."


Bad Boys Borrow Bulletproof Bygone Boris Brand

via The Guardian
"Hack in the USSR: cybercriminals find haven in .su domain space"

The Soviet Union disappeared from the map more than two decades ago, but online an "evil empire" is thriving.

Aaron Gilliland's insight:

The Soviet Union lives on! Yes comrades, the spirit of Joey Stalin's "screw everybody else" policy is manifest in the USSR's top-level domain, ".su". The TLD was created one year before Gorbachev's Holiday and, despite Russia's switch to totally-not-like-the-Soviet-Union Putinism, patriotic businessmen won't let it go. What better way to remember Khrushchev's Shoe than handling DNS for spammers, phishers, fraudsters, and thieves?


Germany is not Happy with Potential Xbox One Spying - ZeroPaid.com

Microsoft's Xbox One and its Kinect camera have caused concerns for one major German government minister.
Aaron Gilliland's insight:

What's so sinister about a mandatory all-seeing eye installed in your home? Guffaw guffaw. Most of the concerns aren't new -- webcams installed in monitors and laptops can be hijacked, of course -- but Xbox One and its required Kinect2 sensor are taking things to another level. As the article points out, the Kinect2 monitors ambient sounds ostensibly for command words, but that implicitly means it is always listening. The command word filtering, as well as video filtering for command gestures, is surely done onboard the Xbox One, but subsets of the Kinect2 data will be stored in Microsoft's cloud for QA purposes and for backup. How much data, what type of data, and how securely that data will be stored are open questions.

More to come on this issue...


Quantum Crypto's Weaknesses... Probable Probabilities

Theorists report novel ways to calculate failure probability at CLEO: 2013

Aaron Gilliland's insight:

Computer security pundits (such things exist, I assure you) put a lot of stock in Quantum Cryptography as a sort of Holy Grail; a tool that can make our communications un-tappable. In the face of such utopian promises, it's nice to know that someone is keeping a sober head. The fact is, Quantum Cryptography refers to more than one possible scheme, and not all schemes are equally robust. Check the article for some physics nitty-gritty mixed with talk of exploits and hacks.


Prudently Pointless: Avoiding US Data centers Does Nothing

Firms in the UK and Canada are reportedly updating their cloud contracts to demand that their data be kept out of the US. The report doesn’t contain enough details, however, to say if this is a trend or an isolated incident.
Aaron Gilliland's insight:

Assuming that the claims are true - that corporations are specifically prohibiting their "cloud providers", whatever that means, from storing their data in the US - we can conclude that it is either an attempt to pacify shareholders, or just an old-fashioned bad idea.

The idea makes sense as a protective reflex - media reports have said that data and networks in the US have been compromised by intelligence services, therefore it would be unwise to put your data in such a place - but a sober analysis of the situation shows that there is no net benefit to information security... Possibly a net reduction.

An interesting topic is the specific wording of the contracts. The amount of detail and care with which they are written largely determines their utility... The meaning of "stored", for example, can be interpreted as: on physical media; in RAM; in cache; in CPU registers; in logical data structures; in a transmission buffer; etc. Unless these possibilities are specially identified and prohibited, one could effectively store the company's data in the US without being in technical violation of the contract. It would also be odd for the company to specifically prohibit data storage without also prohibiting data transit across US networks, although that would be a difficult thing to enforce.


NSA Was Tapping Stuff Before 9/11? Shocking. We're out of milk? Shocking.

The National Security Agency was conducting massive unconstitutional surveillance efforts before the Sept. 11 attacks in 2001, says top executive.
Aaron Gilliland's insight:

Ugh. Found this "revelation" while perusing scoops. Good old Joe Nacchio, the bowel irritation who ran Qwest into the ground, spilled some dope on government bullying of the telecom sector... during his trial for insider trading, but don't let that prejudice the information (ha). According to Joey, a PRISM-like program was ramping-up in early 2001, and Uncle Sam was suggesting, ever so gently, that some rather large contracts depended on participation. 

Oh? NSA involved in massive data collection? Before 9/11, you say? Founded roughly 50 years ago, you say? Shocking. Domestic interception has been a fact of life in America for decades; anyone who suggests otherwise is uninformed or malingering. Interception doesn't imply targeted interception, of course, nor does it imply a bunch of other things, but that's moot. Give it a read.


Chinese Feds' Big Challenge: Bemoan State-Sponsored Intelligence Ops Without Laughing

The Chinese government reacted at first with loud indignation to the Snowden revelations. But that has given way to internal discussions on how to beef up domestic security.

In recent weeks, key Chinese ministries held a meeting with leading tech companies to probe the impact from U.S. surveillance and begin formulating a response, according to reports in a handful of tech-focused Chinese media outlets and cybersecurity experts with knowledge of the session.

Aaron Gilliland's insight:

An article that should be read ONLY while sitting down, lest your endless laughter rob your brain of oxygen. The article itself is fine; it gives a brief outline of Chinese domestic computer and communications security (punch me if I ever use the word 'cybersecurity'... except for this), the common weaknesses of client devices and the reasons behind them, and some overly optimistic notes about China's security industry.

The REAL comedy gold is that the Snowden affair is being used to justify a push for greater security throughout the country; in government, the private sector, and even on the level of individual citizens. I can accept that the man in the street would be naive about the capabilities of foreign intelligence services; that's completely understandable. What I personally find hilarious is that for all the talk of the NSA's evil doings, there is no real mention of the Chinese government's domestic surveillance and comint capabilities. There is mention of a growing concern about Western tech firms' "seamless penetration" of China, but the article fails to note that much of the telecom gear from Cisco et al. was purchased in support of Golden Shield, aka The Great Firewall of China. However deeply the NSA may be able to penetrate, China's government bought the equipment to spy on its own citizenry and limit access to information. 

If someone can legitimately - and without laughing - argue that the NSA is the big threat to Chinese individual privacy and security, I will award that person a spirited thumbs-up.

Sourced from The Washington Post, via Matthew Aid.


Slapdash Spook Security Standards Simplified Snowden's Scavenging

When Edward Snowden stole the crown jewels of the National Security Agency, he didn’t need to use any sophisticated devices or software or go around any computer firewall.
Aaron Gilliland's insight:

A middling article from NBC about NSA security, the security of its contractors, and how Eddie Snow managed to load up his thumbdrive with the precious. I say "middling" because some of the assertions and generalizations are laughable. For example, the article says that Snowden's access to NSANet was via thin client, which is an 'antiquated' setup. Excuse me? Thin client vs. thick client is not the issue. A thin client, conceptually, can be massively more secure than a thick client. But it gets better. The next assertion is that because Snowden was a sysadmin, he had carte blanche to access any file he wished, and that "his actions were largely unaudited." This may have been true, but a record would have/should have been generated for each action he performed on the system; all actions must leave an audit trail, regardless of a user/admin's status. What's more, that audit tracking system should be simplex-receive in relation to the main system; it only listens for new data it should write, it won't be controllable via the main system, it will be immutable, and, ideally, it would only be accessible to an oversight team that doesn't include the sysadmin members. 

Also from the article is the assertion that being in Hawaii allowed his activities to go unnoticed by Fort Meade owing to the time zone difference. Again, it's possible, but only if the system and the auditing policies were ridiculously mismanaged. It's not as though there's a guy sitting in the basement of Fort Meade watching file system events scrolling down a monitor - keeping an eye out for hijinks - who goes home at 5pm and keeps his fingers crossed that nothing happens until 8am the next morning. A proper auditing system would log actions 24/7, independent of human operators, and any number of triggers would be set for immediate investigation. Even if no triggers were activated in the short term, per-user audits should be done periodically.

Bah.

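The audit design sketched in the insight above (a collector the main system can only write to, records an admin cannot rewrite, automatic triggers, and periodic per-user review) can be shown in a few dozen lines. The following is an added example, not from the NBC article and not Aaron Gilliland's code: a hash-chained append-only log, a verifier for the oversight team that catches edited, deleted or re-ordered records, and two triggers (after-hours reads under a sensitive path, bulk reads by one account) run over constructed events. The actors, paths, timestamps, business-hours window and thresholds are all made up for the demonstration.

```python
import hashlib
import json
from collections import Counter
from datetime import datetime

GENESIS = "0" * 64  # prev-hash carried by the very first entry


def entry_hash(entry: dict) -> str:
    """SHA-256 over the entry's fields (excluding its own hash), canonically serialised."""
    payload = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class AppendOnlyAuditLog:
    """Collector side: exposes append() only. The monitored system can add records but
    has no call to edit or delete them, and each record commits to its predecessor."""

    def __init__(self):
        self._entries = []

    def append(self, actor: str, action: str, target: str, ts: str) -> str:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"seq": len(self._entries), "ts": ts, "actor": actor,
                 "action": action, "target": target, "prev": prev}
        entry["hash"] = entry_hash(entry)
        self._entries.append(entry)
        return entry["hash"]

    def export(self) -> list:
        """Copies for the oversight team; mutating the copies cannot touch the log."""
        return [dict(e) for e in self._entries]


def verify_chain(entries: list) -> tuple:
    """Oversight check: (True, count) if intact, else (False, index of first bad entry).
    An edited field breaks that entry's hash; a deleted or re-ordered record breaks
    the seq/prev linkage of the entry that follows it."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or entry_hash(e) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, len(entries)


def out_of_hours(ts: str, start: int = 8, end: int = 18) -> bool:
    """Constructed 08:00-18:00 business-hours window in the log's own timezone."""
    hour = datetime.fromisoformat(ts).hour
    return not start <= hour < end


def triggers(entries: list, sensitive_prefix: str = "/classified/",
             bulk_threshold: int = 3) -> list:
    """Immediate trigger (after-hours sensitive read) plus a periodic per-user check
    (bulk sensitive reads). Returns (seq, actor, reason) tuples; seq is None for the
    per-user summary alerts."""
    alerts = []
    reads = Counter()
    for e in entries:
        if e["action"] == "read" and e["target"].startswith(sensitive_prefix):
            reads[e["actor"]] += 1
            if out_of_hours(e["ts"]):
                alerts.append((e["seq"], e["actor"], "sensitive read outside business hours"))
    for actor, n in reads.items():
        if n >= bulk_threshold:
            alerts.append((None, actor, f"bulk sensitive reads: {n}"))
    return alerts


# Constructed events: an ordinary user, an admin working late, and a daytime reader.
SAMPLE_EVENTS = [
    ("alice", "login", "workstation-12", "2013-06-03T09:02:00"),
    ("alice", "read", "/projects/budget.xlsx", "2013-06-03T09:15:00"),
    ("sysadmin1", "login", "fileserver-7", "2013-06-03T23:10:00"),
    ("sysadmin1", "read", "/classified/report-001.pdf", "2013-06-03T23:12:00"),
    ("sysadmin1", "read", "/classified/report-002.pdf", "2013-06-03T23:13:00"),
    ("sysadmin1", "read", "/classified/report-003.pdf", "2013-06-03T23:14:00"),
    ("bob", "read", "/classified/report-004.pdf", "2013-06-04T10:30:00"),
]


def build_sample_log() -> AppendOnlyAuditLog:
    log = AppendOnlyAuditLog()
    for event in SAMPLE_EVENTS:
        log.append(*event)
    return log


def tampered_copy(entries: list, seq: int) -> list:
    """Simulates a store that could be rewritten: relabel one read as a harmless login."""
    copy = [dict(e) for e in entries]
    copy[seq]["action"] = "login"
    return copy


if __name__ == "__main__":
    exported = build_sample_log().export()
    print("intact:", verify_chain(exported))
    print("after edit:", verify_chain(tampered_copy(exported, 3)))
    print("after delete:", verify_chain(exported[:3] + exported[4:]))
    for alert in triggers(exported):
        print("ALERT", alert)
```

The hash chain only makes tampering detectable, not impossible; the "simplex-receive" property the insight asks for comes from the collector holding the chain on hardware the sysadmins cannot reach, with the oversight team running `verify_chain` and `triggers` on their own schedule.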

How To Ruin Someone's Day, The "Truth About Security" Way!

Sysadmin blog
I've written a recent spate of articles channelling the tinfoil hat industry that triggered some interesting conversations.

Most interesting was a debate about whether or not an organisation like the National Security Agency could take over my home network if it so chose. I suspect any decent hacker with access to the right information could cut through my home network like a hot knife through butter.

Aaron Gilliland's insight:

The Register's Trevor Pott gives us a sober evaluation of his own insecurity. No no, nothing about clowns or public speaking - T-Pott is talking about computer security; encryption, exploits, access restriction, and other fun stuff. The article is a two-page list of vulnerabilities he (a seasoned sysadmin) identified in his own home setup, but his list works just as well for most homes in the Western world. What T-Pott finds is that many weak points in his security have nothing to do with strong passwords, virus definition updates, or email attachments. The low-hanging fruit of vulnerabilities (bad passwords, old virus definitions, etc.) are easy to exploit and relatively easy to fix... But if your WiFi router's firmware is a year old, how would you know whether an identified exploit exists? How would you patch it? How many devices in your home contain wireless or wired networking hardware? And so on, and so forth.

A good read for some honest perspective.


Feds' Flash Fumble Foretold; Sensitive Student Data Storage Security Sadly Sub-par

Human Resources and Skills Development Canada was alerted to several security concerns months before breaches last November in which the department lost data belonging to more than 500,000 recipients of student loans, CPP and disability benefits, CBC News has learned.
Aaron Gilliland's insight:

Well, that's not good. HRSDC, the federal department tasked with administering Canada's Student Loan program, got a "Dear John: OH CRAP!" message about 5 months before two security SNAFUs. A security review had found numerous large holes in the floor through which USB sticks and drives could fall and be carried off by mischievous mice (unconfirmed). Despite sending a department-wide email telling people not to leave the personal data of hundreds of thousands of Canadians unencrypted on a portable storage device along with their cat photos and Avril Lavigne MP3s, the mice managed to steal a flash drive and a USB hard drive. The hard drive contained over half a million cleartext loan records and a rare Carly Rae Jepsen bootleg that would make your ears bleed. Ouch.

A more thorough risk assessment is in progress, and early reports have identified "Not doing the stuff you were told to do if you want to avoid losing important junk" as a major risk. I've heard that encryption is pretty cool, too, for what it's worth.


Decoding Dubious Denials: PRISM Participant's Pretend Protest

Today, Yahoo's General Counsel posted a carefully worded denial regarding the company's alleged participation in the NSA PRISM program. To the casual observer, it might seem like a categorical denial. I do not believe that Yahoo's denial is as straightforward as it seems.

Below, I have carefully parsed Yahoo's statement, line by line, in order to highlight the fact that Yahoo has not in fact denied receiving court orders under 50 USC 1881a (AKA FISA Section 702) for massive amounts of communications data.

Aaron Gilliland's insight:

A decent overview of the non-denial denials about PRISM involvement. The content of most "we aren't participating in PRISM" statements can be broken down into categories like: rewording an accusation to make a denial technically true but disingenuous; righteous indignation; denial of an accusation that was not made; semantic gymnastics to cloud context.

I'd like to point out that I'm not trying to feed the fire about PRISM or the surveillance hullabaloo. I make no judgment about the ethical or political questions it raises; I'm merely interested in reality. To the people who started a petition asking Obama to step down over this "scandal", I say "Untwist your underwear and read a book."


Derp. Get Your Password From A Pill. Stupid idea? You Betcha

Passwords: They’re everywhere, and most of us manage a half-dozen or so, at least. They’re also the weakest link in the authentication chain because humans aren’t great at creat...
Aaron Gilliland's insight:

What a stupid idea. No, really. I know it's just a "wouldn't it be cool if?" idea that came out of a spit-balling session, but it's still really, really stupid. Let's see how many simple flaws we can suss out of this sickly sliced stilton:


- if the token only changes once per pill, and not once per authentication attempt, it can be captured and replayed for at least a day

- where the hell did they come up with 18 bits? Why would you build a device with such a small keyspace in 2013?

- if the token is captured, and you want to revoke it, do you have to break out the Ex-Lax?

- why would the digestive tract be a good place to store a security token? It would provide shielding against RF intercept, but you've already said that it communicates via conduction rather than radiation.

- by excreting the authenticator, I have marked it with my own DNA. Depending on the solubility of the device, an attacker could recover a token, the specific manufacturer and model of the device (which could be cross-referenced with customer data to determine who I work for or what I work on), where I store my unused password pills, etc...


Go on, find some more flaws.

Scooped by Aaron Gilliland

Cash Card Crews Resolve Ransom Remittance Requests


A new service catering to purveyors of ransomware — malware that hijacks PCs until victims pay a ransom — levies a hefty fee for laundering funds from these scams, and it does so by abusing a legitimate Web site that allows betting on dog and horse races in the United States.

Aaron Gilliland's insight:

Great article from Brian Krebs about cashout logistics for ransomware entrepreneurs... Say that three times, fast. Ransomware is like mugging someone at an ATM machine, but without the need to run fast or wear clothes; you just need a victim and a way to get a payload onto that person's device. Once there, the payload threatens to do something horrible unless the victim buys a cash card and sends the card's info back to the thief...

As shown in the article, the thief only takes home anywhere from 25-40% of the ransom. The rest is taken by a middleman who arranges to launder the money through various businesses and an army of foot soldiers. Fascinating stuff.

Rescooped by Aaron Gilliland from Intercultural

Are Faces the New Fingerprints? - PBS NewsHour


Last night, science correspondent Miles O'Brien traveled to an explosives testing facility to learn more about the bomb itself. Tonight, as part of his work for a special NOVA program, he reports on the facial recognition software that allowed investigators to identify the bombing suspects.


Via Instituto Mexicano de Comunicación Intercultural
Aaron Gilliland's insight:

Meh. The answer to the title question is: Ask a better question. The report/documentary/obrienscope is about forensics and how facial recognition was used in That Whole Boston Thing. In that limited context, faces certainly are fingerprints; we all have 'em, they're easy to collect (Dr. Lecter), and people believe a lot of nonsense about how useful they are. In the video, an interviewee refers to fingerprints as a "definitive science"... Slow down. Fingerprint forensic tools are more scientific than they were in the Columbo days, but we're fundamentally dealing with smeared lines of oil and sandwich molecules I haven't washed off (yet). Forensic facial recognition isn't even at the Dragnet 1952 level of utility or sophistication, ma'am.

Scooped by Aaron Gilliland

STOP: Twitter two-factor verification can be hacked in less than 140 characters

Fans of social media were reassured this week as Twitter finally rolled out two-step verification, ostensibly making the service more secure for its millions of customers.
Aaron Gilliland's insight:

Derp. The betanews headline is crappy and kinda-sorta-wrong, but the same goes for Twitter's 2-factor authentication scheme. The basic idea is sound and Twitter's implementation is mostly the same as everyone else's (MS, El G00G, etc.); you enter login details via the Interlulz, the site sends an SMS message containing a code to your mobile phone, you send the code back to the site via the Interlulz, and voila...

Here's the problem: in Twitter's implementation, the scheme can be COMPLETELY DISABLED without having to authenticate. Yes, anyone who can spoof an SMS message (anyone with a net connection) can send a message to Twitter's server saying "OMG HAI TAKE THIS NUMBER OFF UR LISTS, K". Without a mobile phone to receive the SMS code, the 2-factor authentication scheme can't be used, so it's disabled.

Shorter version: Derp.
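The flow and the flaw above, as an added model for comparison (this is illustrative code written for this page, not Twitter's, betanews' or the post author's): a password check followed by an SMS one-time code, with two ways of handling an inbound "STOP" message. The weak variant does what the post describes, trusting the claimed sender number and turning the second factor off; the hardened variant only pauses message delivery and refuses any change to the factor unless the caller proves possession of the phone with a current code. The account, phone number, password and sender number are all constructed sample values.

```python
"""Added model of an SMS second factor and its out-of-band STOP handling.
Two variants: the weak one described in the post (an unauthenticated inbound
STOP removes the phone and disables the second factor) and a hardened one
that only pauses delivery and fails closed. All names and values are
constructed for illustration; nothing here is a real service's code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import hmac
import secrets


@dataclass
class Account:
    username: str
    password: str                  # constructed sample; a real system stores a hash
    phone: Optional[str]
    two_factor_required: bool = True
    sms_paused: bool = False
    pending_code: Optional[str] = None


class SmsSecondFactor:
    """Shared login flow: password check, then a one-time code sent by SMS."""

    def __init__(self, accounts: List[Account]):
        self.by_user = {a.username: a for a in accounts}
        self.by_phone = {a.phone: a for a in accounts if a.phone}
        self.outbox: List[Tuple[str, str]] = []  # (phone, code) the server "sent"

    def begin_login(self, username: str, password: str) -> str:
        acct = self.by_user[username]
        if not hmac.compare_digest(acct.password, password):
            return "denied"
        if not acct.two_factor_required:
            return "logged_in"              # password alone now suffices
        if acct.phone is None or acct.sms_paused:
            return "locked_out"             # fail closed: the code cannot be delivered
        acct.pending_code = f"{secrets.randbelow(10**6):06d}"
        self.outbox.append((acct.phone, acct.pending_code))
        return "code_sent"

    def finish_login(self, username: str, code: str) -> str:
        acct = self.by_user[username]
        ok = acct.pending_code is not None and hmac.compare_digest(acct.pending_code, code)
        acct.pending_code = None            # single use, whether or not it matched
        return "logged_in" if ok else "denied"


class WeakStopHandling(SmsSecondFactor):
    """The behaviour described in the post: the server trusts the claimed sender."""

    def handle_inbound_sms(self, claimed_sender: str, body: str) -> str:
        acct = self.by_phone.get(claimed_sender)
        if acct and body.strip().upper() == "STOP":
            acct.phone = None
            acct.two_factor_required = False
            return "second_factor_disabled"
        return "ignored"


class HardenedStopHandling(SmsSecondFactor):
    """STOP only pauses delivery; changing the factor needs a fresh proof of it."""

    def handle_inbound_sms(self, claimed_sender: str, body: str) -> str:
        acct = self.by_phone.get(claimed_sender)
        if acct and body.strip().upper() == "STOP":
            acct.sms_paused = True          # honour the opt-out, nothing more
            return "delivery_paused"
        return "ignored"

    def disable_second_factor(self, username: str, code: str) -> str:
        """Removing the phone requires the current code, i.e. possession of the phone."""
        acct = self.by_user[username]
        ok = acct.pending_code is not None and hmac.compare_digest(acct.pending_code, code)
        acct.pending_code = None
        if not ok:
            return "denied"
        acct.two_factor_required = False
        acct.phone = None
        return "second_factor_disabled"


def stop_then_password_only_login(service_cls) -> Tuple[str, str]:
    """An inbound STOP claiming alice's number, then a login with her password alone."""
    acct = Account("alice", "correct horse", "+15550100")   # constructed account
    svc = service_cls([acct])
    stop = svc.handle_inbound_sms("+15550100", "STOP")
    login = svc.begin_login("alice", "correct horse")
    return stop, login
```

With the weak handler the scenario ends in `logged_in` on the password alone; with the hardened one it ends in `locked_out`. That lockout is deliberate: an inbound message the server cannot authenticate should never be able to lower the bar, so the worst it can do is pause delivery, and a real deployment would pair this with backup codes or another enrolled factor so the legitimate user still has a way in.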

Scooped by Aaron Gilliland

TSA random secondary screening is trivial to dodge


An anonymous reader of Dave Farber's Interesting People list has discovered a glaring flaw in the TSA's protocol for secondary screening:


Today at Newark airport I used a paperless electronic boarding pass on my cell phone (as I usually do).

Aaron Gilliland's insight:

Oh BRAAaaaa-vo. America, your very expensive security theater is looking shabbier than usual. Either the TSA procedures team didn't plan for this situation, or existing procedures aren't being followed by front-line staff.


Here's the issue:

- you can have a paper boarding pass or an electronic pass that can only be viewed on your phone

- both passes will have the letters "SSSS" if you have been assigned for random screening

- only the PAPER pass can be taken through a magnetometer (metal) scan, since the phone would set off the scanner

- if TSA staff want to check your pass for the SSSS mark, you can say "it's on my phone" even if you have a paper pass, and you won't be challenged


Security screening is now on the Honor System.
