Real-World

“Hooker” approach to break-in!

Interesting post on cost/benefit analysis of hacker and hooker attacks… behrang

Sarah Palin, a yahoo email account, and something more shocking…

By now everyone knows that John McCain's running mate Sarah Palin had her Yahoo email account hacked. I guess a presidential candidate using Yahoo for govt.-related email was about as shocking as Sarah Palin's nomination as possible future president (unless of course you have ever heard of other govt. officials using Yahoo/Gmail/Hotmail for serious business (inside joke for South Africans!)). People have been talking about secure password resets for a long time [1] and this was pretty shocking all around.

Enter Google Chrome…

Google have thrown their hat in the browser ring, which many have predicted. [Chrome] should be coming soon to downloads near you. It's based on [WebKit], which you might [recall] was impressive in many ways. It has a few other interesting promises, like a brand new JavaScript engine [which sounds like an excellent target for future hackery] and a simple but sweet isolation concept [tabs are independent processes]. Like anything released from Google, people expect it to change the world (now that's some heavy expectation-anxiety) but if nothing else it will be interesting to watch. Their comic intro is fairly comprehensive, and mixes healthy amounts of "eureka" with "this is still a hard problem".

rethinking ye old truths

Since forever, I've been told (and told others) that the greatest threat is from the inside. Turns out, not so much. Verizon Business (USA) apparently conducted a four-year study on incidents inside their organisation and found that the vast majority, 73%, originated from outside. However, the majority of breaches occurred as a result of errors in internal behaviour such as misconfigs, missing patches etc. (62% of cases). So attackers are generally outsiders taking advantage of bad internal behaviours, rather than local users finding 0-day. From the exec summary:

Mind Control, Big Cats, Feynman && kiosks…

Aka… a good weekend. The weekend got off to a slow start, when Amazon claimed it would take a little longer than planned to ship us the "Web Application Hacker's Handbook". Fortunately it picked up after that. The first ray of light was finding a new strange bug on a huge application that smells a lot like full remote code execution. Then the office had a power outage and I felt the rage building. Drove to the office to collect my stuff mumbling statements related to the 3rd world and feeling sorry for myself, but I needed to complete a report and needed to be in JHB later that night, so decided to stop off in Sandton City where I could work for a bit (Exclusive Books: coffee + GPRS + Deels could enjoy herself too).

Alas.. I could have made squillions (aka Amazon MTurk)

In early 2002 I suggested that we could solve some computer problems and South Africa's street-kid problem by setting up a network of street-kids with basic education to handle tasks computers still struggled with. At the time we were concerned with low-false-positive, agentless remote detection of defaced websites, but also ran into the idea when we first built e-or, our early web application scanner. I suspect I didn't broach the subject with enough sensitivity (and in retrospect, suggesting that remote controls for automatic gates could be replaced by two low-cost street-kids (one as a spare) might not have helped my cause).

On vulnerability, root cause, white-listing and compliance

Many years ago, when we first released ‘Setiri’ one of the controls that we preached was website white-listing. As talk-back trojans would connect back to arbitrary web servers on the Internet, we argued that companies should create shortlists of the sites employees are allowed to visit. This, we argued, was much more feasible than trying to identify and block known ‘bad’ sites. Of course, there are a number of other compelling reasons for implementing this kind of white-listing, and of course nobody does it (even though I’ve seen fairly good technical implementations of this concept).

More Pentagon data leakage through Office files..

R J Hillhouse (who has a fascinating background) found that when she double-clicked a graph on a slide deck belonging to the Office of National Intelligence (available from the DIA website), the linked spreadsheet popped up. This effectively revealed "the dollar amounts in tens of millions spent by the US Intelligence Community on contractors". Ages ago lcamtuf highlighted info leakage through MS Office files, and it seems these days lots of folks are making lots of money selling blackbox, "I will prevent data leakage in your organization"-type kit. I haven't looked in depth at too many of them but have to wonder how many of them would have caught the embedded spreadsheet at all.

Hotel Hacking

Check out http://hongkong.langhamplacehotels.com/accom/technology.htm in Hong Kong. They provide Cisco IP phones in the rooms, but with a difference. According to an article I read in TIME the hotel will collect your most frequently dialled numbers and load them onto the touchscreen phone when you return for your next visit. Not only that, they also program the phone to show stock quotes or news and weather from your home town, AND if you forward them snapshots of your loved ones they’ll pre-load those onto the phone’s interface also.

Second Life land grab case moves into U.S federal courts..

Ars Technica is reporting on the lawsuit filed in 2006 by Martin Bragg, who accused Linden Lab of wrongfully seizing his virtual land. -snip- Linden Lab filed two motions to dismiss the suit, arguing that Bragg came into possession of his land wrongfully, but the Pennsylvania judge denied those motions. -snip- A few things about this are super interesting. Linden Lab (creators of Second Life) literally sells online assets for real-world money. Martin Bragg (from accounts read) found that by simply adjusting his HTTP GET parameters he was able to bid on not-yet-opened auctions (1). Bragg apparently invested thousands planning to buy low and sell high. We have just started to consider the attack possibilities and where this is going, but again, I suspect fun times are ahead (2).