Tag Archives: something

[ISN] Someone could have stolen your Wi-Fi password from this Internet of Things doorbell

thenextweb.com/gadgets/2016/01/12/now-someone-can-steal-your-wi-fi-password-from-your-doorbell/

[I called this back around September 2013 when Jamie Siminoff went on ABC’s “Shark Tank” pitching DoorBot, later rebranded to Ring. https://twitter.com/c4i/status/401534203755765760 – WK]

By Owen Williams
thenextweb.com
01/14/16

Getting hacked sucks, but there’s something worse than that: getting hacked because of your own smart doorbell. Ring is a popular smart doorbell that allows you to unlock your door from your phone, as well as see and hear visitors via a webcam. Unfortunately for Ring, that same doorbell meant you could have had your Wi-Fi password stolen in a few minutes if someone cracked into the physical doorbell.

According to Pen Test Partners, the attack was relatively trivial. To steal the password, it took removing the doorbell from the door using two screws, flipping it over and pushing the orange set-up button. […]





[ISN] A looming anniversary, and a special offer

www.cerias.purdue.edu/site/blog/post/a_looming_anniversary_and_a_special_offer/

[This was posted on Twitter Thursday by Gene Spafford – @TheRealSpaf and I figured I should share this with the list. Please check out the above link for complete details, history, and the special offer! – WK]

Sunday, December 06, 2015
by spaf

It may seem odd to consider June 2016 as January approaches, but I try to think ahead. And June 2016 is a milestone anniversary of sorts. So, I will start with some history, and then an offer to get something special and make a charitable donation at the same time.

In June of 1991, the first edition of Practical Unix Security was published by O’Reilly. That means that June 2016 is the 25th anniversary of the publication of the book. How time flies! Read the history and think of participating in the special offer to help us celebrate the 25th anniversary of something significant!

History

In summer of 1990, Dan Farmer wrote the COPS scanner under my supervision. That toolset embodied a fair amount of domain expertise in Unix that I had accumulated in prior years, augmented with items that Dan found in his research. It generated a fair amount of “buzz” because it exposed issues that many people didn’t know and/or understand about Unix security. With the growth of Unix deployment (BSD, AT&T, Sun Microsystems, Sequent, Pyramid, HP, DEC, et al) there were many sites adopting Unix for the first time, and therefore many people without the requisite sysadmin and security skills. I thus started getting a great deal of encouragement to write a book on the topic.

I consulted with some peers and investigated the deals offered by various publishers, and settled on O’Reilly Books as my first contact. I was using their Nutshell handbooks and liked those books a great deal: I appreciated their approach to getting good information in the hands of readers at a reasonable price. Tim O’Reilly is now known for his progressive views on publishing and pricing, but was still a niche publisher back then. […]

Special Offer

If you have someone (maybe yourself) who you’d like to provide with a special gift, here’s an offer of one that includes a donation to two worthwhile non-profit organizations. (This is in the spirit of my recent bow tie auction for charity.) You can make a difference as well as get something special!

Over the years, Simson, Alan, and I have often been asked to autograph copies of the book. We know there is some continuing interest in this (I was asked again, last week). Furthermore, the 25th anniversary seems like a milestone worth noting with something special. Therefore, we are making this offer.

For a contribution where everything after expenses will go to two worthwhile, non-profit organizations, you will get (at least) an autographed copy of an edition of Practical Unix & Internet Security!! Depending on the amount you include, I may throw in some extras. […]



[ISN] [CFP] Speak About Your Cyberwar at PHDays VI

Forwarded from: Alexander Lashkov

Positive Hack Days VI, the international forum on practical information security, opens Call for Papers. Our international program committee consisting of very competent and experienced experts will consider every application, whether from a novice or a recognized expert in information security, and select the best proposals.

Now, more than ever before, cybersecurity specialists are being asked to stop sitting on the fence and choose a side — competitive intelligence vs DLP systems; security system developers vs targeted cyberattacks; cryptographers vs reverse engineers; hackers vs security operations centers. A new concept of PHDays VI is designed to show what the current vibe is in information security. We want researchers to speak about the real dangerous threats and possible consequences. We also expect developers and integrators to give real answers to these threats rather than to talk about empowering security technologies.

Come and share your experience at PHDays VI in Moscow, May 17 and 18, 2016. Your topic can revolve around any modern infosec field: new targeted attacks against SCADA, new threats to medical equipment, vulnerabilities of online government services, unusual techniques to protect mobile apps, antisocial engineering in social networks, or what psychological constitution SOC experts have. In addition, this year, we are planning to discuss IS software design, development tools, and SSDL principles.

Our key criterion is that your research should be unique and offer a fresh perspective on hacking, modern information technologies, and the role they play in our lives. If you have something interesting or surprising to share, but none of the formats are suitable for your participation, please apply anyway and be sure we will consider your work.

The first stage of CFP ends on January 31, 2016. Apply now — the number of final reports is limited.

In 2015, the forum brought together 3,500 participants. In 2016, it is expected to see 4,000 attendees: information security leaders, CIO and CISO of the world’s largest companies, top managers of giant banks, industrial and oil and gas producing enterprises, telecoms, and IT vendors, representatives from different government departments. Positive Hack Days featured a variety of distinguished participants including Bruce Schneier (the legendary cryptography expert), Whitfield Diffie (one of the inventors of asymmetric cryptography), Mohd Noor Amin (IMPACT, UN), Natalya Kasperskaya (CEO of InfoWatch), Travis Goodspeed (a reverse engineer and wireless enthusiast from the U.S.), Tao Wan (the founder of China Eagle Union), Nick Galbreath (Vice-President of IPONWEB), Mushtaq Ahmed (Emirates Airline), Marc Heuse (the developer of Hydra, Amap, and THC-IPV6), Karsten Nohl (a specialist in GSM engineering), Donato Ferrante and Luigi Auriemma (famous SCADA experts from Italy), and Alexander Peslyak (the creator of the password cracking tool John the Ripper).

Find any details about the format, participation rules, and CFP instructions on the PHDays website: www.phdays.com/call_for_papers/



[ISN] US Still Doesn’t Know Who’s In Charge of What If Massive Cyber Attack Strikes Nation

www.defenseone.com/threats/2015/11/us-still-doesnt-know-whos-charge-if-massive-cyber-attack-strikes-nation/123377/

BY PATRICK TUCKER
Defense One
NOVEMBER 3, 2015

The threat of a massive cyber attack on civilian infrastructure, leading to loss of life and perhaps billions in damages, has kept lawmakers on edge since before former Defense Secretary Leon Panetta warned of it back in 2012 (or the fourth Die Hard movie in 2007). Many experts believe that a sneak attack would be highly unlikely. The Department of Homeland Security has the lead in responding to most cyber attacks. But if one were to occur today, DHS and the Defense Department wouldn’t know all the details of who is in charge of what.

The Department of Defense Cyber Strategy, published in April, carves out a clear role for the military and Cyber Command in responding to any sort of cyber attack of “significant consequence,” supporting DHS. Specifically, the strategy tasks the 13 different National Mission Force teams, cyber teams set up to defend the United States and its interests from attacks of significant consequence, with carrying out exercises with other agencies and setting up emergency procedures. It’s the third strategic goal in the strategy. It’s also “probably the one that’s the least developed at this – at this point,” Lt. Gen. James K. McLaughlin, the deputy commander of U.S. Cyber Command, said at a Center for Strategic and International Studies event last month.

He went on to describe the role that the military would play in such an event as “building the quick reaction forces and the capacity to defend the broader United States against an attack.” It’s something that the Defense Department, the Department of Homeland Security and the FBI and other agency partners all train for together in events like the Cyber Guard exercises, the most recent of which took place in July. The Defense Department, DHS and others worked through a series of scenarios related to a major attack on infrastructure. […]



[ISN] A New Material Promises NSA-Proof Wallpaper

www.defenseone.com/technology/2015/10/new-material-promises-nsa-proof-wallpaper/123066/

By PATRICK TUCKER
defenseone.com
OCTOBER 23, 2015

Your next tinfoil hat won’t be made of tinfoil. A small company called Conductive Composites out of Utah has developed a flexible material — thin and tough enough for wallpaper or woven fabric — that can keep electronic emissions in and electromagnetic pulses out.

There are a few ways to snoop on electronic communications. You can hack into a network or you can sniff out radio emissions. If you want to defend against the latter, you can enclose your electronic device or devices within a structure of electrically conductive, (probably metallic) material. The result is something like a force field. The conductive material distributes the electromagnetic energy away from the target in every direction — think of the *splat* you get when you hurl a tomato at a wall. These enclosures are sometimes called Faraday cages after the 18th-century British scientist who discovered electrolysis.

Today, Faraday cages are all over the place. In 2013, as the College of Cardinals convened to elect a new Pope, the Vatican’s Sistine Chapel was converted into a Faraday cage so that news of the election couldn’t leak out, no matter how hard the paparazzi tried, and how eager the cardinals were to tweet the proceedings. The military also uses Faraday cages for secure communications: Sensitive Compartmented Information Facilities or SCIFs are Faraday cages. You’ll need to be in one to access the Joint Worldwide Intelligence Communication System, or JWICS, the Defense Department’s top-secret internet.

Conductive Composites has created a method to layer nickel on carbon to form a material that’s light and moldable like plastic yet can disperse energy like a traditional metal cage. […]



[ISN] Real-life James Bonds: Actual spooks reveal what a job in MI6 is really like

www.telegraph.co.uk/culture/film/jamesbond/11874457/Real-life-James-Bonds-Actual-spooks-reveal-what-a-job-in-MI6-is-really-like.html

By Frank Gardner
telegraph.co.uk
25 Oct 2015

It’s slick, it’s fast-paced and it’s sexy. But that’s the cinema. SPECTRE, the latest James Bond thriller starring Daniel Craig, opens in cinemas on Monday to critical acclaim. Pure fantasy? Or are there any similarities with the work of a real-life operative in Britain’s Secret Intelligence Service (SIS), better known as MI6? I’ve gone to meet two serving SIS officers to find out.

I don’t notice them at first, there are so many people in the room. Are they part of the camera crew? A couple of people sent up from hotel reception perhaps, to check we have everything we need? But then we are introduced. “Kamal” – and I’m going to go out on a limb here and guess that is probably not his real name – is 30-something, unshaven, quietly confident. “Kirsty” is only slightly older. Neatly dressed, she looks like she could be running a medium-sized IT company. In fact, she is in recruiting, having already done the hard yards in the field overseas.

Kamal speaks first. “I’m what people would classify as an agent-runner,” he tells me. “Our job is to find individuals with access to secret intelligence of value to the UK government. My job [within MI6] is to build a relationship with these individuals and work with them to obtain the secrets they have access to, securely.”

And bang, up in smoke goes one of the biggest misnomers about espionage and spies. James Bond, and all the true-life men and women who work inside those sandstone and emerald-coloured headquarters at Vauxhall Cross on the banks of the Thames are not “secret agents”. They are intelligence officers. The people overseas who they persuade to spy for them are the actual agents. […]



[ISN] OPM to Fully Do Away with Passwords for Network Access

www.nextgov.com/cybersecurity/2015/10/opm-fully-do-away-passwords-network-access-2-years/122768/

By Aliya Sternstein
Nextgov.com
October 13, 2015

Following one of the most devastating government data breaches ever revealed, the Office of Personnel Management is on track to replace password logins with two-step identification for accessing agency networks in two years, according to new goals set by the Obama administration.

Suspected Chinese espionage artists allegedly used a contractor’s passcode to break into records on 21.5 million current and prospective national security employees, along with their relatives. While mandated to control network access with digital smart cards since 2004, only 1 percent of OPM computer users needed something more than a password to sign on as of September 2014, according to the White House. Meanwhile, hackers gnawed at OPM’s networks from 2013 until the agency discovered the breach in April. […]



[ISN] Report finds many nuclear power plant systems “insecure by design”

arstechnica.com/security/2015/10/report-finds-many-nuclear-power-plant-systems-insecure-by-design/

By Sean Gallagher
Ars Technica
Oct 8, 2015

A study of the information security measures at civilian nuclear energy facilities around the world found a wide range of problems at many facilities that could leave them vulnerable to attacks on industrial control systems—potentially causing interruptions in electrical power or even damage to the reactors themselves. The study, undertaken by Caroline Baylon, David Livingstone, and Roger Brunt of the UK international affairs think tank Chatham House, found that many nuclear power plants’ systems were “insecure by design” and vulnerable to attacks that could have wide-ranging impacts in the physical world—including the disruption of the electrical power grid and the release of “significant quantities of ionizing radiation.”

It would not require an attack with the sophistication of Stuxnet to do significant damage, the researchers suggested, based on the poor security present at many plants and the track record of incidents already caused by software. The researchers found that many nuclear power plant systems were not “air gapped” from the Internet and that they had virtual private network access that operators were “sometimes unaware of.” And in facilities that did have physical partitioning from the Internet, those measures could be circumvented with a flash drive or other portable media introduced into their onsite network—something that would be entirely too simple given the security posture of many civilian nuclear operators. The use of personal devices on plant networks and other gaps in security could easily introduce malware into nuclear plants’ networks, the researchers warned.

The security strategies of many operators examined in the report were “reactive rather than proactive,” the Chatham House researchers noted, meaning that there was little in the way of monitoring of systems for anomalies that might warn of a cyber-attack on a facility. An attack could be well underway before it was detected. And because of poor training around information sec […]

