The Null Device

Bruce Schneier has an essay about what IT security will look like in 10 years' time:

There’s really no such thing as security in the abstract. Security can only be defined in relation to something else. You’re secure from something or against something. In the next 10 years, the traditional definition of IT security— that it protects you from hackers, criminals, and other bad guys— will undergo a radical shift. Instead of protecting you from the bad guys, it will increasingly protect businesses and their business models from you.

Cory Doctorow rightly pointed out that all complex ecosystems have parasites. Society’s traditional parasites are criminals, but a broader definition makes more sense here. As we users lose control of those systems and IT providers gain control for their own purposes, the definition of “parasite” will shift. Whether they’re criminals trying to drain your bank account, movie watchers trying to bypass whatever copy protection studios are using to protect their profits, or Facebook users trying to use the service without giving up their privacy or being forced to watch ads, parasites will continue to try to take advantage of IT systems. They'll exist, just as they always have existed, and like today security is going to have a hard time keeping up with them.

¶ attention rights management copyfight drm security 0 Share

Elaborate disguise of the day: a young Hong Kong Chinese man boarded an Air Canada flight to Vancouver disguised as an elderly Caucasian man, by virtue of a latex mask:

The mask in question may be purchased from here, for US$689; it's said to be in low stock due to "extremely high demand".

¶ air travel bizarre canada china deception hong kong security 0 Share

A security researcher in Israel has predicted that the next generation of malware may, rather than stealing passwords or card numbers, steal users' behaviour patterns. The malware will infect the networks of devices people use, monitor their behaviour and send the models to bad guys who can use it to impersonate the victim for nefarious purposes. And if it happens to you, you have no recourse, short of forcing yourself to become a completely different person.

Of course, the question remains of whether the malware could build a sufficiently sophisticated model of an individual's behaviour patterns to sneak past (necessarily paranoid) software systems designed to check these things, or to convincingly persuade your Facebook friends that it's really you who urgently needs money to get out of a Nigerian gaol. Perhaps the Singularity will arrive, not when a spambot becomes smart enough to evade anti-spam software, but when a malware-generated behavioural model of a user becomes sufficiently complex to effectively model that user's consciousness.

(via /.) ¶ crime future scifi security singularity 0 Share

Recently, there was an election in Sweden in which the votes were electronically counted. Write-in entries had to be hand-written, but that didn't stop wiseguys trying to pwn the election by pulling a Bobby Tables-style attack:

R;13;Hallands län;80;Halmstad;01;Halmstads västra valkrets;0904;Söndrum 4;pwn DROP TABLE VALJ;1

R;14;Västra Götalands län;80;Göteborg;03;Göteborg, Centrum;0722;Centrum, Övre Johanneberg;(Script src=http://hittepa.webs.com/x.txt);1

(via Schneier) ¶ election security sweden 1 Share

Bruce Schneier has a writeup of the facts we know about the Stuxnet worm, the sophisticated and unusual-looking Windows worm that has been speculated to have been designed by the intelligence agencies of the USA/Israel/Germany (delete as appropriate) to attack Iran's nuclear facilities. Or possibly not:

Stuxnet doesn't act like a criminal worm. It doesn't spread indiscriminately. It doesn't steal credit card information or account login credentials. It doesn't herd infected computers into a botnet. It uses multiple zero-day vulnerabilities. A criminal group would be smarter to create different worm variants and use one in each. Stuxnet performs sabotage. It doesn't threaten sabotage, like a criminal organization intent on extortion might.

Stuxnet was expensive to create. Estimates are that it took 8 to 10 people six months to write. There's also the lab setup--surely any organization that goes to all this trouble would test the thing before releasing it--and the intelligence gathering to know exactly how to target it. Additionally, zero-day exploits are valuable. They're hard to find, and they can only be used once. Whoever wrote Stuxnet was willing to spend a lot of money to ensure that whatever job it was intended to do would be done.

None of this points to the Bushehr nuclear power plant in Iran, though. Best I can tell, this rumor was started by Ralph Lagner, a security researcher from Germany. He labeled his theory "highly speculative," and based it primarily on the facts that Iran had an usually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates--India, Indonesia, and Pakistan--are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.

Basically, all that's definitely known is that Stuxnet was elaborately expensive to create (containing not only zero-day vulnerabilities but stolen driver certificates) and was designed to attack Siemens plant control computers. It also has been around for a while, possibly having gone undetected for a year, and has updated itself remotely during that time.

¶ bruce schneier iran israel security stuxnet windows 1 Share

Security ninja Bruce Schneier was recently recognised by an airport screener who presumably reads his blog:

TSA Officer: A beloved name from the blogosphere.
Me: And I always thought that I slipped through these lines anonymously.
TSA Officer: Don't worry. No one will notice. This isn't the sort of job that rewards competence, you know.

¶ amusing bruce schneier security 0 Share

The street finds its own uses for things: entrepreneurs in China are selling WiFi adapters with network key-cracking tools for breaking into secure WiFi networks. Currently, the key-cracking tools consist of a bootable Linux CD-ROM, but give it a few months and they'll integrate the cracking tools into silicon on the USB stick itself.

The existence of such tools promises to make a mockery of laws like the UK's Digital Economy Act, which are predicated on the assumption that it is possible to securely lock down a network well enough for the owner to bear legal liability for any offenses committed by anyone using the network. Of course, such tools will probably be illegal to possess or import into the UK, but then again, so are the Baikal starter pistols used by gangbangers.

In other news, an Israeli company is selling a portable device for intercepting GSM phone communications. The euphoniously titled Dominator I consists of several boxes containing custom hardware (presumably cipher-cracking FPGAs or similar), is controlled from a laptop, and can transparently impersonate a mobile base station, crack the cryptography used and record all communications from up to four phones. The makers, Meganet, say that it is undetectable.

¶ gibson's law gsm security 0 Share

Security researchers are now working on ways of generating machine code that looks like English-language text (PDF).

In this paper we revisit the assumption that shellcode need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shellcode that is superficially similar to English prose. We argue that this new development poses significant challenges for inline payloadbased inspection (and emulation) as a defensive measure, and also highlights the need for designing more efficient techniques for preventing shellcode injection attacks altogether.

(via Schneier) ¶ hacks language security steganography tech 0 Share

Recently, the annual Pwn2Own contest took place; in it, participants try to take over a computer by exploiting security holes in a web browser, and capture the flag (in this case, a file on the computer's hard drive). This year, all the browsers but one fell; Firefox 3.6.2 (though it's not clear whether NoScript would have mitigated this), IE8 and Safari all fell; one of the hackers even pwned an (un-jailbroken) iPhone and made off with the SMS database. The one browser that remained standing: Google Chrome, not because it's bug-free, but because the sandbox mechanism makes exploiting bugs impractical:

"There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things - you can't execute on the heap, the OS protections in Windows and the Sandbox."

¶ chrome firefox iphone security 0 Share

An unemployed sysadmin in Russia hacked into a video billboard and reprogrammed it to show a pornographic video, causing a traffic jam as drivers on a nearby road stopped to gape at the video and record it with their mobile phones.

The hacker, from Novorossiisk, used a server in Chechnya in an attempt to cover his tracks, though was unsuccessful; the Interior Ministry managed to track him down. (I wonder whether he'd have had more luck had he chosen a less politically fraught staging point.) He is now facing two years imprisonment; meanwhile, security rules for video billboards have been tightened.

I'm thinking something like this would make a good plot device; imagine a gang of assassins/bank robbers planting logic bombs in a few strategically placed billboards; at a preset time, they start showing porn, causing instant traffic jams and trapping their victim/blocking their pursuers. Or international jewel thieves hack video screens in an exclusive reception to show Goatse-style shock porn; as the attendees are momentarily stunned by the shock, unable to react, the bandits (dressed as waiters, naturally) act quickly, snatching the valuables and making their escape. Police have a hard time piecing together what happened afterward.

(via Boing Boing) ¶ crime détournement hacks porn pranks russia security 2 Share

Please Rob Me is a web site which aggregates Foursquare location data shared by Twitter users and presents it as "new opportunities" and announcements of users having "left home", to demonstrate the risks of sharing location data with strangers.

While Please Rob Me is a proof of concept, and not particularly useful to burglars (you'd have to map Twitter IDs to names and addresses, and also work out whether there was anybody else living at the premises), there is speculation that social web sites offer a wealth of information to burglars, from users' locations to party photos set inside homes and showing off stealable goods. Of course, these days, the dominant web site is Facebook, which, by default, hides users' posts from people outside of their friend list; however, a significant proportion of Facebook users will gladly friend people they don't actually know, undermining this common-sense measure. (Intuitively, the risk of being burgled or spammed must seem insubstantial to them next to the promise of meeting hot chicks or getting invited to cool parties.) An even larger proportion use Windows PCs which are susceptible to viruses. There is already malware which spams Facebook with phishing links; malware which harvests useful information about all of a user's contacts (real names/identifying details, addresses, links to other social sites, &c.) and uploads them to a criminal-owned server could be just as plausible.

Of course, this makes little economic sense if one imagines one team of burglars going to all this effort to identify easily reachable places likely to house unattended PlayStations or plasma screens. However, if one follows the advice of Adam Smith and introduces division of labour (a practice seen in other criminal enterprises, such as phishing gangs and Nigerian 419 scam operations), it becomes more plausible.

Imagine, if you will, a criminal business intelligence service, much like the ones serving marketers, only specialising in selling leads on potential targets to burglars. This business would have a server somewhere with lax law enforcement, algorithms for harvesting and unifying information from a range of sources (possibly supplemented by human intelligence) and a site for offering bundles of this information to prospective burglars, searchable by geographic location, likely richness of pickings (determinable from the target's employment information, credit ratings and such) and likelihood of them being out of town. The algorithms would pick through a number of public sites, such as Twitter, Foursquare and others (photo sharing sites could be useful; if someone's address is in New York and they just uploaded a fresh photo geotagged in Gran Canaria, they're probably not home), and use them to pick out the likelihood of a target matching various criteria. (The algorithms could be fairly advanced, but as we have seen from the botnet arms race, there's no shortage of ingeniously talented coders of, shall we say, above-average moral flexibility.)

Of course, the real rich pickings are in walled gardens such as Facebook, where people have a sense of security and post their real names, locations and photos; while this is not public, a criminal site could harvest it by using malware (in which case, it'd get not just the details of the owner of the infected PC, but of all their friends), rogue viral Facebook apps or by hiring humans to set up profiles and, using a specially modified browser, friend random strangers ("MAKE MONEY AT HOME SURFING THE WEB!", the recruitment ads could read). The data would go into the criminals' data centre and would come out the other end as searchable packages offered for sale ("Your search of current vacationers making $50k+ near ___ has yielded 37 results, for $100 each. How many would you like to buy?")

Given precedents both in computer crime (credit-card fraud is a big one, having both black-market web sites and highly specialised economies with divisions of labour) and social software, I would be surprised if nobody tries setting something like this up.

¶ a modest proposal crime facebook security social software twitter 1 Share

An Armenian-born programmer recounts how, during his childhood in the USSR, he stumbled across the KGB's technique for listening in on conversations in any home.

Some time in 1981, I think, a relative from the U.S. comes to visit us for the first time since he left the country many years before that. He was going to stay in our house for a couple of weeks. My parents told me that such visits were always "monitored" by KGB, and so I should be careful with expressing any kind of anti-soviet ideas (which I was known for in the school). In the end though, nobody was going to take this seriously: neither the possibility of KGB agents freezing in cold outside watching us through the windows, nor any kind of bugs installed in our house.

Something strange, however, had happened when our relative had finally arrived. Our phone went crazy. First of all, it was practically impossible to call or to take calls during that period. And besides, the phone's ringer started giving a single "ding" twice a day, exactly at 9 in the morning and 9 in the evening.

(via Schneier) ¶ hacks security surveillance tech ussr 0 Share

A Russian CCTV surveillance company has allegedly stumbled along an ingenious way of reducing operating costs and boosting profits: by replacing surveillance camera feeds with prerecorded video. The alleged fraud was uncovered during a routine check of cameras in Moscow; the director of the surveillance company, who has been detained by police, denies the claims, claiming it's a setup by rivals.

(via /.) ¶ cctv crime fraud hacks russia security 0 Share

US troops in Iraq now have an iPhone app for tracking insurgents; well, for displaying tactical maps in real time. Meanwhile, the insurgents have found a Russian-designed program which can be bought for $26 and which allows them to watch the video feeds of Predator drones, which happen to be unencrypted. (Oops!) The military is planning to fix this, though it's harder to do than it sounds due to the expensive proprietary design of the aging drones.

¶ fail hacks iphone security tech war 0 Share

In the UK, they have the Shipping Forecast; in Israel, they have text message alerts of incoming missiles:

"The rocket sensor will create a virtual ellipse (of the predicted impact zone) and all phones in that area will receive a warning," the Jerusalem Post quoted Chilik Soffer, a senior official at the Israeli Home Front Command, as saying.

(via HuffPo) ¶ gibson's law israel mobile phones security tech 0 Share

The New South Wales Police's Computer Crime Investigation Unit has some advice for people who do their banking online: don't use Windows.

The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows.

"If you are using the internet for a commercial transaction, use a Linux boot up disk - such as Ubuntu or some of the other flavours. Puppylinux is a nice small distribution that boots up fairly quickly.

"It gives you an operating system which is perfectly clean and operates only in the memory of the computer and is a perfectly safe way of doing internet banking," van der Graaf said.

Chris: Found out Windows 7 not available on 5.25" floppy.
Kevin: I'll be over as soon as I shut down my laptop. XP still has 72 updates to go.
Mike: I was going to come to your launch party but then a girl called.
Ira: Sorry, my guild has a raid.

¶ ebay fail microsoft security windows 0 Share

In the US, someone has been anonymously sending laptops to state governors. Laptops have been sent, in some cases multiple times, to the governors of states including West Virginia and Wyoming. The computers have been handed over to the FBI for investigation, on the suspicion that they might be Trojan horses intended to pwn the apparatus of government on behalf of whoever sent them.

(via /.) ¶ paranoia security usa wtf 0 Share

Regarding the last post about last.fm: one of last.fm's staff has posted a rebuttal on their web forums, to wit:

* Nobody at Last.fm had any knowledge of our user data being fed to the RIAA (or any labels directly), before or after the alleged incident, or at any other point in the history of the company.
* Last.fm has never given data linking IP addresses and scrobbles to any third party. * Last.fm has never given data linking IP addresses and scrobbles to CBS (who, by the way, we don't consider a third party, but who do have to uphold our privacy policy).
* We've been in communication with CBS and they deny that they gave any third party any of our user data.
If TechCrunch have any evidence which contradicts any of the statements I've made here, I'd love to see it, but I think someone is taking them for a ride. I'm not sure why, though.

Nonetheless, even if this isn't true, the possibilities it raises are thought-provoking:

• Last.fm's scrobbling software originally sent over only the title, artist and length of tracks as they were played. More recently, it was extended to send a fingerprint of each track. The difference between these two is crucial; it is the difference between hearsay and admissible evidence. In short, when you scrobble a track using the last.fm client, it sends over cryptographic proof of your possession of the recording. You can disable the fingerprinting function in the last.fm client software, assuming that you trust it, of course:
• How much you trust last.fm's closed-source client software is another matter. Assuming that last.fm had been compromised by the MAFIAA, what's to say that the software didn't trawl your hard drive for things that looked like MP3s (slowly, as not to arouse suspicion), fingerprint them, and then send the list over to MediaSentry or someone, along with some juicy forensic information about your machine (serial numbers, MAC addresses, &c.)?
• Of course, this would be totally illegal and even more unethical. But, then again, so would waiving the EU's privacy laws to send user identifying information to CBS (as is alleged). And it's not like the RIAA haven't been known to use underhanded tactics in their dirty war against music fans.
• Even assuming that last.fm are 100% above board and CBS are sufficiently law-abiding to not undermine them, handing over potentially compromising information imples a trust that the information will be kept secure; i.e., that there are no weak links. Given the fact that everybody from TK Maxx to Her Majesty's Government seems to leak personal information left, right and centre, this may not be a safe assumption.

¶ copyfight last.fm paranoia riaa security 1 Share

An interesting interview with a former Windows adware author, by all accounts a very smart guy (albeit of, shall we say, above-average ethical flexibility), exposing both the security exploits used by Windows malware, the arms races in the malware underground and the dodgy business models of the industry:

The good distributors would say, ‘This is ad-supported software.” Not-so-good distributors actually did distribute through Windows exploits. Also, some adware distributors would sell access. In their licensing terms, the EULA people agree to, they would say “in addition, we get to install any other software we feel like putting on.” Of course, nobody reads EULAs, so a lot of people agreed to that. If they had, say, 4 million machines, which was a pretty good sized adware network, they would just go up to every other adware distributor and say “Hey! I’ve got 4 million machines. Do you want to pay 20 cents a machine? I’ll put you on all of them.” At the time there was basically no law around this. EULAs were recognized as contracts and all, so that’s pretty much how distribution happened.

So we’ve progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that’s encrypted– really more just obfuscated– to an executable that doesn’t even run as an executable. It runs merely as a series of threads. Now, those threads can communicate with one another, they would check to make sure that the BHO was there and up, and that the whatever other software we had was also up.

There was one further step that we were going to take but didn’t end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. In fact, you can register with the OS a chunk of code to handle a given interrupt. Then all you have to do is arrange for an interrupt to happen, and every time that interrupt happens, you wake up, do your stuff and go away. We never got to actually do that, but it was something we were thinking we’d do.

There was also of course Scheme. Eventually, we got sick of writing a new C program every time we wanted to go kick somebody off of a machine. Everybody said, “What we need is something configurable.” I said, “Let’s install a Turing-complete language,” and for that I used tinyScheme, which is a BSD licensed, very small, very fast implementation of Scheme that can be compiled down into about a 20K executable if you know what you’re doing.

Eventually, instead of writing individual executables every time a worm came out, I would just write some Scheme code, put that up on the server, and then immediately all sorts of things would go dark. It amounted to a distributed code war on a 4-10 million-node network.

The author's advice to anyone wanting to avoid adware is "um, run UNIX".

(via /.) ¶ evil hacks malware security windows 0 Share

The latest experimental technology to emerge from Google's labs is something called Native Client. This is an experimental means of running web content in native machine code in a web browser. It's X86-specific (so users of PowerPC Macs and the numerous ARM-based portable devices are out of luck here), though other than that, completely portable; the binaries are in a special format, and get a limited number of system calls standardised across Linux, OSX and Windows. There is even a version of Quake which will run in a browser, in any of these systems, should you have the plugin enabled.

Of course, by now, you're probably thinking "Are they crazy? That's the worst idea since nuclear-powered airliners". Google, though, claim that they have a robust security model. The instruction set available is restricted, with constraints placed on the format of the code, allowing a code inspection process to detect any dangerous instructions. Google argue their case in a research paper; I'm not sufficiently familiar with recent x86 assembly language to verify their claims, but it looks like they certainly put some thought into it. Of course, there are a lot of very bright people in places like Russia, Romania and China who would also put a lot of thought into it, to entirely different ends, so there are reasons to be concerned.

Why are Google doing this? Well, firstly, it must be said that this is an experimental project, and not a finished product. However, I doubt that this is to allow better animated web ads. For most user interface content (video, animation, &c.), Flash and such are sufficient. Where this is a big win is in CPU-intensive processing tasks, which are too expensive to do in JavaScript (even if compiled to native code through Google Chrome's V8 just-in-time compiler) or Flash. (At the moment, with fast machines, one can just about do audio synthesis/processing like Hobnox Audiotool in ActionScript; however, this is quite expensive in terms of resources.)

Where something like Native Client would really come in useful would be for coding web-based applications that do real heavy lifting without handing tasks off to a well-resourced server or relying on them being coded into Flash; for example, image editing or video editing as a web service. Google's paper presents a diagram of how such services would look; the front end would be written in JavaScript and/or Flash, whilst the native x86 code would sit in a separate, sandboxed Native Client process, performing the gruntwork on demand: rendering graphics, processing video, synthesising sound, animating the exploding heads of zombies or whatever is required. C/C++, in this case, is kept firmly under the stairs, with the UI code being left to higher-level languages.

Of course, such an idea opens all sorts of strategic possibilities for Google; if it works, it would reduce the desktop operating system to a commodity. If any kind of application can be used as a web service, why buy a copy of Windows (or a PC with the Microsoft Tax in the price)? In fact, why bother installing a full-scale Linux? They're already starting to make PCs with cut-down instant-on operating systems (typically Linux-based) in the ROM, so that if you can't wait for your Vista box to finish booting, you can boot into the instant OS and get a web browser. Now, imagine a box like this, only with the OS being able to run web apps at native speed, perhaps in an application-oriented browser like Chrome. Could this be the much talked about "Google OS"?

¶ cs google native client security tech web 1 Share

Several researchers at UIUC have written a paper on how one could insert general-purpose back doors into a CPU, allowing those in the know to pwn any machine running on it, almost undetectably:

We present the design and implementation of Illinois Malicious Processors (IMPs). There is a substantial design space in malicious circuitry; we show that an attacker, rather than designing one specific attack, can instead design hardware to support attacks. Such flexible hardware allows powerful, general purpose attacks, while remaining surprisingly low in the amount of additional hardware. We show two such hardware designs, and implement them in a real system. Further, we show three powerful attacks using this hardware, including login backdoor that gives an attacker complete and highlevel access to the machine. This login attack requires only 1341 additional gates: gates that can be used for other attacks as well. Malicious processors are more practical, more flexible, and harder to detect than an initial analysis would suggest.

Our memory access mechanism provides hardware support for unprivileged malicious software by allowing access to privileged memory regions. Malicious software triggers the attack by forcing a sequence of bytes on the data bus to enable the memory access circuits. This sequence can be arbitrarily long to avoid false positives, and the particular sequence must be agreed upon before deployment. Once the sequence is observed, the MMU in the data cache ignores CPU privilege levels for memory accesses, thus granting unprivileged software access to all memory, including privileged memory regions like the operating system’s internal memory. In other words, loading a magic value on the data bus will disable protection checking. We implement this technique by modifying the data cache of our processor to include a small state machine that looks for the special sequence of bytes, plus some additional logic in the MMU to ignore privilege levels when malicious software enables the attack.

Using the shadow mode mechanism, we implement a malicious service that acts as a permanent backdoor into a system (Figure 2). To initiate the attack, an attacker sends an unsolicited network packet to the target system and the target OS inspects the packet to verify the UDP checksum. The act of inspecting the packet (necessary to decide if it should be dropped) triggers the trojaned hardware, and the malicious service interprets the contents of the packet as new firmware that it loads into the processor invisibly. The target operating system then drops the unsolicited packet and continues operation, oblivious to the attack.

And if civilian security researchers have just discovered this, it's not unlikely that ones in intelligence agencies have had such techniques for a while. I wouldn't be surprised if the NSA had similar back doors in all US-designed CPUs likely to end up on the export market, just in case, or if the Chinese government had similarly altered CPUs (or other strategic components) being manufactured on Chinese production lines, or indeed if other intelligence agencies had managed to get their own hooks into the silicon.

(via Schneier) ¶ hacks security skulduggery tech 1 Share

It has emerged that organised crime gangs modified hundreds of credit/debit card terminals at the Chinese factory they were made at, installing a GSM module and SIM card, which was then used to send stolen credit card data to a number in Pakistan, and also receive instructions on what to target. The terminals, which were distributed across Europe, remained undetected for a long time, stealing only small numbers of details, only arousing suspicion when a security guard noticed mobile phone interference near the checkout area.

The corrupted devices are an extra three to four ounces heavier because of the additional parts they contain, and the simplest way to identify them has been to weigh them. A MasterCard International investigator said: "As recently as a month ago, there were several teams of people roaming around Europe putting the machines on scales and weighing them. It sounds kind of old school, but the only other way would be to tear them apart."

The illicit transactions took place at least two months after the information had been stolen, making it difficult for investigators to work out what had happened.

But after six months of fruitless investigation, investigators spotted an attempt at a similar fraud on a card which had only been used in one location in Britain. The chip and pin machine from the particular store was passed to MasterCard's international fraud lab in Manchester for inspection.

(via Schneier) ¶ credit cards crime fraud gibson's law ingenuity mobile phones pakistan security 0 Share

Academic paper of the day: The Dining Freemasons, or a look at the mechanics and problems unique to secret societies from the perspective of (computer) security protocols:

To a first approximation, a secret society has three functions:

• to recruit the worthy,
• to pass on a secret doctrine,
• and to reward its members.

Each area presents intriguing challenges, but crucial to each aspect is membership testing – society members must be able to identify each other in order to pass on the doctrine, to confer rewards and to consider new applicants.

Also from the same authors: A Pact With The Devil, or a hypothetical outline of how a genuinely nasty form of malware could use various forms of persuasion and blackmail to spread itself.

(via hairyears) ¶ cs deception secret societies security 0 Share

A Pentagon researcher has laid out a chilling possibilities: that terrorists could be using online role-playing games to plan attacks, disguised as raids in the virtual world:

In it, two World of Warcraft players discuss a raid on the "White Keep" inside the "Stonetalon Mountains." The major objective is to set off a "Dragon Fire spell" inside, and make off with "110 Gold and 234 Silver" in treasure. "No one will dance there for a hundred years after this spell is cast," one player, "war_monger," crows.

Except, in this case, the White Keep is at 1600 Pennsylvania Avenue. "Dragon Fire" is an unconventional weapon. And "110 Gold and 234 Silver" tells the plotters how to align the game's map with one of Washington, D.C.

Of course, the terrorists could even eschew the internet altogether, using other means of communicating their plans, such as, say, public art. Who's to say that a terrorist sleeper agent hasn't been quietly making a name for himself as an artist, getting lucrative commissions, and waiting for the order to encode doomsday plans in a public sculpture (plenty of opportunity there) or a semi-abstract mural. (Avant-garde art itself is too easy.) Or architecture, or urban planning (if there are Masonic symbols in the layout of Washington DC's streets, there could be other things elsewhere.) The possibilities are infinite.

Perhaps Bruce Schneier could make his next Movie Plot Threat Contest hinge on coming up with creative ways in which evildoers could go to elaborate lengths to encode the message "nuke the Whitehouse at 11:00" in innocuous-looking environments. Because, as we all know, supervillains love complexity in and of itself, and the ideal terrorist plan would look more baroque than a steampunk laptop on Boing Boing.

¶ deception paedoterrorists paranoia security terrorism the long siege videogames wtf 1 Share

The Times goes to DEFCON, interviews some hax0rs:

He tells me about one of his cases involving Symbolic Motors in La Jolla, California. Symbolic, which supplies Ferraris, Lotuses, Aston Martins and Bentleys to the stars, is arguably the most lucrative dealership in the States. It wanted to find out just how good its multi-million dollar security system was, so Pyr0 and his friends Ryan Jones and Chris Nickerson, who call themselves ethical hackers, went to work.

“First we did a bit of dumpster-diving, looking in their trash, to find out who their computer company was,” says the spiky-haired Pyr0. “Then I paid a visit, posing as one of their technicians and got access to the company's servers. I secretly installed a wireless network behind a desk while I was there, which allowed Ryan, who was in a car outside, to begin hacking into their computer system remotely.” While Jones was downloading Symbolic's files - details of sales, prices, film-star customers and so on - Pyr0 was wandering around the building taking pictures. There was no alarm security above the ground-floor showroom and the roof skylights were not alarmed. In the showroom, he worked out the blind spots in an array of motion sensors.

That night, they broke in through the unalarmed skylights, exploited the motion sensors' blind spots, crawled to the alarm keypad and switched off the system. They opened the showroom doors, drove out a Lotus and returned it, parking it the wrong way round.

¶ defcon hacking security tech 0 Share

With the iPhone, Apple have been expanding the boundaries of how much control a consumer electronics company can exercise over its products and their users. Much has been said about the iPhone's locked-down software distribution model, which has more in common with proprietary gaming consoles than with mobile phones (let alone Apple's wide-open OSX computers), and strict enforcement of carrier contracts. Now iPhone hacker Jonathan Zdziarski has discovered that Apple seem to have a central blacklist of banned iPhone applications. This is presumably to allow them to remotely kill any applications that made it through the approval process by mistake. (Apple could also use it to remotely kill applications that never were approved in the first place, installed on jailbroken iPhones—that is, assuming that the hacks for jailbreaking these phones don't start blocking the blacklist.)

(via Engadget) ¶ apple architectures of control iphone security tech 0 Share

A Dutch cyclist group has come up with a novel way of cutting bike theft: by teaching cyclists how to steal bicycles. The lessons in lockpicking and defeating common security mechanisms serve to instill what Bruce Schneier calls a security mindset, making the cyclists more conscious of their vulnerabilities, and better able to mitigate them.

¶ bicycles crime paradox security 0 Share

An outfit named Sweet Dreams Security is making designed objects for a more paranoid age; from spiked railings, barbed wire and CCTV camera covers in the shape of cute animals to heart-shaped chains and (perhaps more practically) lace curtains shaped like anti-burglar grilles.

It's not clear how much of this is sincerely intended to fill a gap in the market and how much is critiquing or poking fun at of the siege mentality of contemporary society and its normalisation as a banal aspect of consumer capitalism. The pieces shown are said to be actual manufactured items which may be ordered or bought in various designy shops, though they have mostly been exhibited in art galleries.

(via Schneier) ¶ design paranoia security the long siege 0 Share

Could this be the worst security hole ever? The Oklahoma Department of Corrections' sex offender database site allowed users to issue arbitrary SQL queries on their database (which contained the complete details of anyone who has ever been on the wrong side of the law). The "print friendly link" took, as its argument, a SQL query, which it would then execute. Which, of course, means that not only could someone get enough details about anyone in the database to steal their identity, but could quite possibly insert arbitrary data into the government's official sex offender database. You can probably imagine the kinds of fun that someone could have with that.

(via Schneier) ¶ privacy security sql stupidity tech 0 Share

Someone is sending pro-Tibet groups documents infected with keylogging malware, configured to send back keystrokes to a server in China. The documents are sent from addresses forged to resemble human rights groups, and purport to be details of Chinese massacres in Tibet and similar information.

The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.

The exploit inside the PDF file was crafted to evade detection by most antivirus products at the time it was sent.

Somebody is trying to use pro-Tibet themed emails to infect computers of the members of pro-Tibet groups to spy on their actions.

(via Schneier) ¶ china cyberwar deception espionage malware security skulduggery tibet 2 Share